The document introduces Abraham Aranguren and provides an agenda for his presentation on the Offensive Web Testing Framework (OWTF), including an overview of OWTF, installing and running OWTF, passive and semi-passive web analysis with OWTF, active web analysis with OWTF, and auxiliary plugins for search engine testing and IDs testing.
Update on progress of the 4 OWASP OWTF GSoC 2013 projects, with an intro overview about OWTF and some examples on how the OWASP Testing Guide is being covered at the moment towards the end.
With the long delays before an iOS jailbreak becomes public and stable, it is often not possible to test mobile apps on the latest iOS version. Occasionally customers also provide builds that only work on iOS versions for which no jailbreak is available. On Android the situation is better, but rooting certain phone models can also be a problem. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeating common security mechanisms that must be bypassed in the absence of root/jailbreak.
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid... (by Abraham Aranguren)
Introduction to the Offensive (Web, etc) Testing Framework
Demos: http://www.youtube.com/playlist?list=PL1E7A97C1BCCDEEBB&feature=plcp
Download as PDF if fonts look funny.
Silent web app testing by example - BerlinSides 2011 (by Abraham Aranguren)
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Automating Security Testing with the OWTF (by Jerod Brennen)
When it comes to app security, scanning is good, but pen testing is better. That said, we're lucky if we can schedule (and budget for) a web app pen test once a year. Wouldn't it be swell if we could automate the security testing process so it turned up the same weaknesses in QA an attacker would likely try to exploit in Prod? Well, then. You're in luck. OWASP's Offensive Web Testing Framework (OWTF) was designed to help automate the web app pen testing process. By baking the OWTF into your own QA processes, you can benefit from the same knowledge and tools that the bad guys use to attack web apps. Better yet, you can run these tests as frequently as you like for FREE. This presentation will show you how to use the OWTF, helping you improve both the efficiency and effectiveness of your app security testing process.
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them.
Web browsers have become part of everyday life, and are relied upon by millions of internet citizens each day. The feature rich online world has turned the once simple web browser into a highly complex (and very often insecure) desktop application.
As browser vendors have extended functionality and support to new technologies, security researchers and hackers are continuously looking for new vulnerabilities. In this talk, Roberto and Scott will share results of their assiduous browser bug hunting. The talk will examine techniques used to discover critical and less severe vulnerabilities in some of the most popular browsers on the market.
This talk will focus heavily (but not exclusively) on the following areas:
- Memory corruption bugs;
- New approaches to DOM fuzzing;
- Old school techniques against new browser technology;
- Cross Context Scripting and injection attacks;
- SOP Bypass;
The presentation will conclude with a montage of on-stage demonstrations of previously unreleased vulnerabilities, including remote code execution, injections and other tailored browser exploits.
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor... (by gmaran23)
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalore 2nd meet up on 21 Feb 2015
Watch the screen recording of this presentation at https://vimeo.com/120481276
This talk intends to demonstrate how to improve web application security testing by combining a browser automation framework with a web proxy API.
The goal of this research is to bring a web proxy as close as possible to a browser to achieve a better security testing coverage, especially when dealing with complex client-side technology.
The presentation includes a montage of real case scenarios, showing how this approach can lead to the discovery of vulnerabilities which might otherwise go unnoticed.
Express Malware Analysis / Crowdsourced Malware Triage (by Positive Hack Days)
Speakers: Sergei Frankoff and Sean Wilson
Malware triage is the process of rapidly analysing potentially dangerous files or URLs. Any well-designed security incident response programme has this important function. But what if you have no incident response programme in place? What if you have only just started setting one up? What if you have no software tools for performing the analysis? A well-chosen free online tool, a web browser and a notepad are all you will need. In this workshop, participants will triage malware themselves. The presenter will provide information about the necessary tools.
From 0 to 0xdeadbeef - security mistakes that will haunt your startup (by Diogo Mónica)
Every company has to deal with the topic of security. Depending on the product or service, security might be more or less important, but it doesn't matter whether the product moves money or sends disappearing pictures: if the company grows, it will have to deal with security sooner or later.
Unfortunately, not all security mistakes are created equal.
This talk will go over some security mistakes that are several orders of magnitude harder to fix later in the lifecycle of a company, helping people prioritize their decisions when trying to keep the fine balance between security and product.
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet, into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as the injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. On the contrary, only a few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in detail and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations strengthen their security posture against such attacks. The talk will explore the most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and reacting under stressful conditions.
In this talk, we'll walk through utilizing one of the most popular web vulnerability testing frameworks, BurpSuite. During this presentation we will cover the process of how to conduct a successful web penetration test while utilizing BurpSuite's features and tools (Free and Pro Version). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.
Getting the Most out of Burp Extensions. How to build a Burp extension, techniques for passive and active scanners, defining insertion points, modifying requests, and building GUI tools. This talk presents code libraries to make it easy for testers to rapidly customize Burp Suite.
We continue where we left off from Part 1. This section covers 2 main topics, debugging libraries and fuzzer design. For debugging libraries we go over PyDBG and WinAppDbg, discussing basic to intermediate examples, and when you might want to use one instead of the other. After that, fuzzer design is discussed, including goals, design choices, architecture, etc. Some code samples are shown from my fuzzer, along with a github link for those who are interested.
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH
Chess is a complex game: the number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from, not only on a one by one basis but also in how we would chain them together like a real attacker.
Chess players must analyse efficiently to beat time constraints, like pentesters, but unlike pentesters they have been doing this for a long time.
The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will be highly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos.
Have you ever had to spend valuable time in the middle of a test preparing something you could have prepared in advance? Did you ever analyse a vulnerability or attack path in depth only to find a significantly easier to exploit vulnerability hours or days later? Pen testing is very similar to playing chess: it is easy to get carried away and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk.
Web security track - opening talk:
OWASP & OWASP Switzerland
Swiss Cyber Storm 3 (Rapperswil, May 2011)
Original PowerPoint slides can be downloaded and re-used under the following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting (by Abraham Aranguren)
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government has got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know that mandated surveillance apps to protect children are a great idea, and that outsourcing to the lowest bidder always delivers the best results. Right?
Going over the first and second pentest results, we will share our impressions about the "security" of this ecosystem and show examples of the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
OWASP Free Training - SF2014 - Keary and Manico (by Eoin Keary)
A free application security class delivered by world renowned experts: Eoin Keary and Jim Manico.
This class has been delivered to over 1000 people in 2014 alone.
Does your organisation rely on AIS tracking services? Read our whitepaper on why sole reliance on AIS tracking information could be undermining your best practice programme.
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011) (by Marco Balduzzi)
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine whether the generated pages contain HPP vulnerabilities. We used this system to conduct a large-scale experiment, testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have all been informed and many of them have acknowledged or fixed the problems. We will explain in detail how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
The presentation we created in our class is going to be presented at the Musical school on the 14th of December. All city schools will participate in this holiday, which is devoted to our great writer.
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed (by Mazin Ahmed)
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools (by Amazon Web Services)
Learn more about the processes followed by Amazon engineers and discuss how you can bring them to your company by using AWS CodePipeline and AWS CodeDeploy, services inspired by Amazon's internal developer tools and DevOps culture.
PyCon AU 2012 - Debugging Live Python Web Applications (by Graham Dumpleton)
Monitoring tools record the result of what happened to your web application when a problem arises, but for some classes of problems, monitoring systems are only a starting point. Sometimes it is necessary to take more intrusive steps to plan for the unexpected by embedding mechanisms that will allow you to interact with a live deployed web application and extract even more detailed information.
A quick start guide to start working with Robot Framework.
End to end flow from installation to test case automation to verifying results, using both GUI and Command Prompt options.
Where's the source, Luke? : How to find and debug the code behind Plone (by Vincenzo Barone)
Plone, being a Python based CMS written as a project for the Zope application server, consists almost entirely of Python modules and a number of configuration files. Python source code is loved by many in the community for its explicit readability; however, for many experienced software developers, coming over to the Plone technology stack can be a daunting experience. It seems everything is hidden away as pickled objects in the ZODB, and that layers of magic prevent one from understanding how it works and how to effect change. This presentation will explain to the novice:
- how to track down the Python source behind Plone
- how to take advantage of rich open source tools like ctags and pdb
- best practices for getting started with file system product development
Google Hacking Lab ClassNameDate This is an introducti.docx (by whittemorelucilla)
Google Hacking Lab
Class
Name:
Date:
This is an introduction to using search engines for penetration testing. "Google Hacking" is a valuable skill for penetration testers. Google's automated search algorithms constantly visit every IP in the world, collect information about the services that IP provides and index the content the IP makes available. Google hacking could be called an art. The information gathered is limited only by your ingenuity when crafting your queries. Keep in mind, the principles behind Google hacking apply to all search engines.
In this lab you will enumerate sub-domains, identify new machines, scour web servers for files that reside in directories but have been forgotten, learn about the underlying architecture of web servers, locate logon portals, and use targeted queries to locate specific file types. When clicking on links, use the cached version so you visit Google's cache and not the website itself.
1. Open a browser and navigate to: google.com
2. We're going to search exclusively for Wilmu domains.
2a. Type: site:wilmu.edu
3. We received too many www.wilmu.edu returns for this search to be of use. Let's subtract some information from our query.
3a. Type: site:wilmu.edu -site:www.wilmu.edu -site:libguides.wilmu.edu
3b. What new domains did you identify?
Answer:
4. Now let's see what systems provide directory listings. Directory listings are important because you may be able to see the entire website's file structure. Also, many webmasters forget to remove content they no longer link to. This content is valuable for various information gathering and exploitation reasons because it could be old pictures, databases, password files, etc. (Be sure to click on the cached links and not the actual links.)
4a. Type: site:umass.edu intitle:index.of
5. Another search we might do is for error or warning messages that give us an indication of the underlying infrastructure and application. Depending on the error or warning, we will be able to determine whether the web server is running Apache, IIS, SharePoint, WordPress, etc. To do this we would use the "or" operator. A query with the or operator for warnings or errors would look something like this: intitle:"apache status" "apache server status for" | "welcome to windows small business server 2003"
6. Let's look for applications and databases we may log in to. Many organizations use federated rights, meaning once you're logged in you may log in to other systems. This is called "single sign-on" or SSO.
6a. Type: site:wilmu.edu logon | login
6b. What Portals did you find?
Answer:
7. We found some interesting portals but those are for students. Where else might a penetration tester look?
7a. Type: site:wilmu.edu faculty | staff | admin | administrator + login | logon
7b. What results did you find?
Answer:
8. We've been looking for interesting information about sub-domains, posted on websites, log ...
OWASP WebGoat and PANTERA Web Assessment Studio Project. (by Philippe Bogaerts)
I had the pleasure of talking at the Belgium OWASP chapter. Here is a copy of the introduction presentation on WebGoat and the PANTERA Web Assessment Studio Project.
When performing security assessments or participating in bug bounties, there is generally a methodology you follow when assessing source code or performing dynamic analysis. This involves using tools, reviewing results and understanding what you should be testing for. Reviewing modern web applications can be quite challenging, and this talk will go into detail on how we can automate the boring (but necessary) parts and how to set a roadmap of what should be focused on when dealing with modern JavaScript applications.
Open Source Library System Software: Libraries Are Doing it For Themselves (by loriayre)
One of the great advantages of an Open Source Library System (OSLS) such as Koha or Evergreen is the ability to empower staff and optimize the user's experience by getting involved in improving the software. This is in contrast to the traditional integrated library system (ILS) model where all the software development was done by "the vendor," creating a condition of "learned helplessness" on the part of library staff. By making the transition to OSLS, you can shift the culture of your organization from "learned helplessness" to one in which everyone can contribute to enhancing their work environment.
This webinar will describe all the ways to get involved with an OSLS project -- even if you aren't a programmer. By the end of the webinar, you will understand why involving your organization in an OSLS project creates opportunities for delivering new services to customers and optimizing the work of your staff.
Another day, another buzzword in the world of software development! 'Microservices' is a new approach to structuring server-side software. But is it really new? In this talk I'll walk you through the birth and 'raison d'être' of microservices and tell you about the pros and cons of the approach.
Having laid the foundation, we will take a look at best practices and patterns for building microservice architectures and combine this with a tour of current technologies and development tools.
Finally, I will take a quick look at the future and discuss some of the remaining challenges. All parts of the presentation will be accompanied by structural examples based on a real e-commerce system.
This is a basic level robot framework presentation. You can install robot framework without any problem and start your first test with this presentation.
Opendaylight is a project which promotes the Software Defined Networking.
Officially started on April -8th-2013.
The linux foundation planned an pivotal role in it, but it’s a consortium and multiple tech companies are partnered to led the SDN.
Its based on Eclipse Public License – v 1.0 (EPL).
------------------
Software defined networking is a research area which let a network to program, It also output network control applications, and those applications are to control the network
Example :
A network formed by the openflow enabled switch.
Controller Platform provides the OPEN APIs to program the network.
Controller Applications control the network based on the needs
Start guide to web scraping with Scrapy, one of best python modules to do web scraping, with Scrapy everything is more easy.
This presentation covers the key concepts of scrapy and the process of criation of spiders.
It's the first draft version and will be other versions, until the last version, if you see something that you want to be improved, give feedback and I will take that in consideration.
I also talk about some alternatives to scrapy like lxml, newspapers and others.
In the final i give you acess to the code used on this presentation, so you cant test easy and fast the concepts talked on this presentation.
I hope you like it :D
Workshop: Functional testing made easy with PHPUnit & Selenium (phpCE Poland,...Ondřej Machulda
Annotated slides for phpCE workshop on November 3, 2017.
Workshop repository: https://github.com/OndraM/selenium-workshop-phpce
The workshop covered:
- setting up local development environment (using Docker)
- practical examples of functional tests implementation
- exploring possibilities of Selenium WebDriver
- parallel test execution using Steward
- hands-on Page Object design pattern
- dealing with asynchronous elements of web-pages (AJAX, JavaScript)
- general tips & tricks how to keep a maintainable suite of functional tests in a long-term
Similar to Introducing OWASP OWTF Workshop BruCon 2012 (20)
2. Agenda
• Intro
  – Before we start check
  – OWTF Intro
  – Installing OWTF
  – Running OWTF
• Part 1: OWTF Passive + Semi-passive Web analysis
• Part 2: OWTF Active Web analysis
• Part 3: OWTF aux plugins – SE, IDs testing
• Conclusion
• Q&A
3. Before we start
If you don’t have OWTF or OWTF demos yet:
Step 1) Go to http://owtf.org (redirects to OWASP project)
Step 2) Start downloading the latest Version
This link! ☺
Download OWASP OWTF
Step 3) Start downloading the latest Demo
This link! ☺
Download OWASP OWTF DEMOs (only Firefox >= 8 required)
4. About me
• Spanish dude
• Uni: Degree, InfoSec research + honour mark
• IT: Since 2000, defensive sec as netadmin / developer
• (Offensive) InfoSec: Since 2007
• OSCP, CISSP, GWEB, CEH, MCSE, etc.
• Web App Sec and Dev/Architect
• Infosec consultant, blogger, OWTF, GIAC, BeEF
5. Pentester disadvantage
Pentesters vs Bad guys
• Pentesters have time/scope constraints != Bad guys
• Pentesters have to write a report != Bad guys
Complexity is increasing
More complexity = more time needed to test properly
Customers are rarely willing to:
“Pay for enough / reasonable testing time“
A call for efficiency:
• We must find vulns faster
• We must be more efficient
• .. or bad guys will find the vulns, not us
10. Installing OWTF
IMPORTANT: ALL in the wiki: https://github.com/7a/owtf/wiki :)
Option 1) (Easiest) From Backtrack - http://www.backtrack-linux.org
apt-get install owtf
cd /pentest/web/owtf/tools
./bt5_install.sh
cd /pentest/web/owtf/install
./install.sh
11. Installing OWTF
Option 2) Manual Install
Step 1 – Go to http://owtf.org - redirects to OWASP Project page
Step 2 – Click on Download OWASP OWTF
Step 3 – Select latest version + download
Step 4 – tar xvfz OWTF_0.15_Brucon.tar.gz
Step 5 – Check install scripts:
cd install ; sudo ./install.sh – Install libraries
cd tools ; ./bt5_install.sh, etc – Install tools
12. Missing Tools
[*] WARNING: Tool path not found for: /pentest/web/owtf/tools/restricted/ssl/ssl-cipher-check.pl
[*] WARNING: Tool path not found for: /pentest/web/owtf/tools/restricted/arachni-v0.3-cde
…
[*] WARNING: Tool path not found for: /pentest/web/owtf/tools/restricted/hoppy-1.8.1
[*]
[*] WARNING!!!: 7 tools could not be found. Some suggestions:
[*] - Define where your tools are here: /pentest/web/owtf/profiles/general/default.cfg
[*] - Use the /pentest/web/owtf/tools/bt5_install.sh script to install missing tools
Continue anyway? [y/n]
NOTE: OWTF will run with the tools you have, installing all tools is not mandatory
13. Define where tools are
Main Config file: /pentest/web/owtf/profiles/general/default.cfg
Option 1) Full path
TOOL_SET_DIR: /pentest/exploits/set
TOOL_THEHARVESTER_DIR: /pentest/enumeration/theharvester
TOOL_METAGOOFIL_DIR: /pentest/enumeration/google/metagoofil
TOOL_HTTPRINT_DIR: /pentest/enumeration/web/httprint/linux
TOOL_WAFW00F: /pentest/web/waffit/wafw00f.py
Option 2) Framework path: @@@FRAMEWORK_DIR@@@/tools/…
#TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb-0.4.7/whatweb
TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatweb-0.4.7/whatweb
15. OWTF CLI help
Call owtf without arguments to see the options available
./owtf.py
…
-l <web/net/aux>: list available plugins in the plugin group (web, net or aux)
-f: force plugin result overwrite (default is avoid overwrite)
-i <yes/no> interactive: yes (default, more control) / no (script-friendly)
-e <except plugin1,2,..> comma separated list of plugins to be ignored in the test
-o <only plugin1,2,..> comma separated list of the only plugins to be used in the test
-p (ip:)port setup an inbound proxy for manual site analysis
-x ip:port send all owtf requests using the proxy for the given ip and port
-s Do not do anything, simply simulate how plugins would run
…
16. Listing OWTF plugins
There are many plugins to choose from you can list them like this:
./owtf.py -l web | more
…
[*] **************************************** Passive Plugins
[*] passive: Application_Discovery_____________________________(OWASP-IG-005)________Third party discovery resources
[*] passive: HTTP_Methods_and_XST______________________________(OWASP-CM-008)________Third party resources
[*] passive: Old_Backup_and_Unreferenced_Files_________________(OWASP-CM-006)________Google Hacking for juicy files
…
17. Simulation mode
Simulation mode “-s”:
1) SIMULATES what OWTF will do (so it does not actually do it!)
2) Is useful to check the effect of a command before running it
# owtf.py -s https://accounts.google.com | more
19. Plugin Groups
OWTF defines 3 major plugin groups (-g):
• web (default) = targets are interpreted as URLs = web assessment only
• net = targets are interpreted as hosts/network ranges = traditional network discovery and probing
• aux = targets are NOT interpreted, it is up to the plugin/resource definition to decide what to do with the target
Example:
The following would run all web plugins against http://demo.testfire.net
./owtf.py -g web http://demo.testfire.net
21. Plugin Types (-t)
At least 48.5% (32 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission
* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!
22. Plugins + Plugin Types
• Only runs the passive plugins:
owtf.py -t passive https://accounts.google.com
• Only runs ALL Spiders_Robots_and_Crawlers plugins:
owtf.py -o Spiders_Robots_and_Crawlers https://accounts.google.com
• Only runs the passive Spiders_Robots_and_Crawlers plugin:
owtf.py -t passive -o Spiders_Robots_and_Crawlers https://accounts.google.com
25. Before we continue
If you don’t have OWTF or OWTF demos yet:
Step 1) Go to http://owtf.org (redirects to OWASP project)
Step 2) Start downloading the latest Demo
This link! ☺
Download OWASP OWTF DEMOs (only Firefox >= 8 required)
26. Classic Pentest Stages
1. Pre-engagement: No permission → “OWTF Cheat tactics” = Start here
2. Engagement: Permission → Official test start = Active Testing here
27. Context consideration:
Case 1 robots.txt Not Found
…should Google index a site like this?
Or should robots.txt exist and be like this?
User-agent: *
Disallow: /
28. Case 1 robots.txt Not Found - Semi passive
• Direct request for robots.txt
• Without visiting entries
29. Case 2 robots.txt Found – Passive
• Indirect Stats, Downloaded txt file for review, “Open All in Tabs”
30. OWTF HTML Filter challenge: Embedding of untrusted third party HTML
Defence layers:
1) HTML Filter: Open source challenge
Filter 6 unchallenged since 04/02/2012, Can you hack it? ☺
http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html
2) HTML 5 sandboxed iframe
3) Storage in another directory = cannot access OWTF Review in localStorage
31. Start reporting!: Take your notes with fancy formatting
Step 1 – Click the “Edit” link
Step 2 – Start documenting findings + Ensure preview is ok
35. Passive Plugin
Step 1 – Browse output files to review the full raw tool output:
Step 2 – Review tools run by the passive Search engine discovery plugin:
Was your favourite tool not run?
Tell OWTF to run your tools on: owtf_dir/profiles/resources/default.cfg (backup first!)
36. Tool output can also be reviewed via clicking through the OWTF report directly:
37. The Harvester:
•Emails
•Employee Names
•Subdomains
•Hostnames
http://www.edge-security.com/theHarvester.php
38. Metadata analysis:
• TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺)
• Implemented: Integration with Metagoofil
http://www.edge-security.com/metagoofil.php
40. Inbound proxy not stable yet but all this happens automatically:
• robots.txt entries added to “Potential URLs”
• URLs found by tools are scraped + added to “Potential URLs”
During Active testing (later):
• “Potential URLs” visited + added to “Verified URLs” + Transaction log
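The robots.txt handling described in slides 27-29 and 40 (classify the file, then turn its entries into “Potential URLs” that are only visited later, with permission) can be reproduced offline. The block below is an added example written for this write-up, not OWTF's own code; the robots.txt content and the `https://example.test` base URL are constructed.

```python
"""Classify a robots.txt and turn its entries into a 'Potential URLs' list (no requests are made).

Added example for this write-up, not OWTF code. SAMPLE_ROBOTS and the example.test
host are constructed.
"""
from urllib.parse import urljoin

SAMPLE_ROBOTS = """# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup
Allow: /public/
Disallow: /cgi-bin/*.pl
Sitemap: https://example.test/sitemap.xml

User-agent: Googlebot
Disallow: /beta/
"""


def parse_robots(text):
    """Return (user-agent, directive, value) tuples; comments and blank lines are dropped."""
    entries = []
    agent = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")            # partition: sitemap values contain ':'
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agent = value
        elif key in ("disallow", "allow", "sitemap"):
            entries.append((agent, key, value))
    return entries


def classify(text):
    """Case 1 vs Case 2 of the slides: does the file block everything, nothing, or reveal paths?"""
    disallows = [v for _, k, v in parse_robots(text) if k == "disallow" and v]
    if disallows == ["/"]:
        return "blocks-all"
    if not disallows:
        return "allows-all"          # 'Disallow:' with no value allows everything
    return "reveals-paths"


def potential_urls(base, text):
    """Join every Allow/Disallow path to the target and keep Sitemap URLs as-is.

    Wildcard entries are cut at the first '*' because what follows is a pattern, not a path.
    Duplicates are removed while preserving the order in which entries appeared.
    """
    urls = []
    for _, key, value in parse_robots(text):
        if not value:
            continue
        url = value if key == "sitemap" else urljoin(base, value.split("*", 1)[0])
        if url not in urls:
            urls.append(url)
    return urls


if __name__ == "__main__":
    print(classify(SAMPLE_ROBOTS))
    for url in potential_urls("https://example.test", SAMPLE_ROBOTS):
        print(url)
```

Nothing here touches the network: the list is exactly what a passive reviewer writes down for the active phase, and the `blocks-all` case (`User-agent: *` / `Disallow: /`) is the one the slide asks you to think about when robots.txt is missing.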
41. All HTTP transactions logged by target in transaction log
Step 1 – Click on “Transaction Log”
Step 2 – Review transaction entries
42. Step 3 – Review raw transaction information (if desired)
43. Step 1 - Make all direct OWTF requests go through Outbound Proxy:
Passes all entry points to the tactical fuzzer for analysis later
Step 2 - Entry points can then also be analysed via tactical fuzzer:
61. Static Analysis, Fuzz, Try exploits, ..
RIPS for PHP: http://rips-scanner.sourceforge.net/
Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
79. Efficient HTML content matches analysis
Step 1 - Click
Step 2 – Human Review of Unique matches
80. Efficient HTML content matches analysis
Step 1 - Click
Step 2 –Review Unique matches (click on links for sample match info)
Want to see all? then click
99. Pro Tip: When browsing the site manually ..
… look carefully at pop-ups like this:
Consider (i.e. prep the attack):
Firesheep: http://codebutler.github.com/firesheep/
SSLStrip: https://github.com/moxie0/sslstrip
100. Mario was going to report a bug to Mozilla and found another!
101. Abuse user/member public search functions:
• Search for “” (nothing) or “a”, then “b”, ..
• Download all the data using 1) + pagination (if any)
• Merge the results into a CSV-like format
• Import + save as a spreadsheet
• Show the spreadsheet to your customer
103. Analyse the username(s) they gave you to test:
• Username based on numbers?
USER12345
• Username based on public info? (i.e. names, surnames, ..)
name.surname
• Default CMS user/pass?
105. Part 1 – Remember Password: Autocomplete
Good:
  Via 1) <form … autocomplete="off">
  Or via 2) <input … autocomplete="off">
Bad:
  <form action="/user/login" method="post">
  <input type="password" name="pass" />
106. Manual verification for password autocomplete (i.e. for the customer)
Easy “your grandma can do it” test:
1. Login
2. Logout
3. Click the browser Back button twice*
4. Can you login again –without typing the login or password- by re-sending the login form?
Can the user re-submit the login form via the back button?
* Until the login form submission
Other sensitive fields: Pentester manual verification
• Credit card fields
• Password hint fields
• Other
107. Part 2 - Password Reset forms
Manually look at the questions / fields in the password reset form
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc)
• Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
109. Goal: Is Caching of sensitive info allowed?
Manual verification steps: “your grandma can do it” ☺ (need login):
1. Login
2. Logout
3. Click the browser Back button
4. Do you see logged in content or a this page has expired error / the login page?
Manual analysis tools:
• Commands: curl -i http://target.com
• Proxy: Burp, ZAP, WebScarab, etc
• Browser Plugins:
https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
https://addons.mozilla.org/en-US/firefox/addon/firebug/
110. HTTP/1.1 headers
Good: Cache-Control: no-cache
Bad: Cache-control: private
HTTP/1.0 headers
Good: Pragma: no-cache
      Expires: <past date or illegal (e.g. 0)>
Bad: Pragma: private
     Expires: <way too far in the future>
The world
Good (https://accounts.google.com):
  Cache-control: no-cache, no-store
  Pragma: no-cache
  Expires: Mon, 01-Jan-1990 00:00:00 GMT
Bad (No caching headers = caching allowed):
  HTTP/1.1 200 OK
  Date: Tue, 09 Aug 2011 13:38:43 GMT
  Server: ….
  X-Powered-By: ….
  Connection: close
  Content-Type: text/html; charset=UTF-8
112. Repeat for Meta tags
Good: <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
Bad: <META HTTP-EQUIV="Cache-Control" CONTENT="private">
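The two HTML checks of this section, autocomplete on the login form (slides 105-106) and the Cache-Control meta tag (slide 112), can be done against a saved copy of the page, which keeps the verification offline. The block below is an added example written for this write-up, not OWTF code; the two HTML snippets are constructed from the Good/Bad columns of the slides, and `audit_html` is a name chosen here.

```python
"""Audit saved HTML for password-field autocomplete and Cache-Control meta tags.

Added example for this write-up, not OWTF code. GOOD_HTML and BAD_HTML are constructed
from the Good/Bad columns of the slides.
"""
from html.parser import HTMLParser

GOOD_HTML = """<html><head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
</head><body>
<form action="/user/login" method="post" autocomplete="off">
<input type="text" name="user" />
<input type="password" name="pass" />
</form></body></html>"""

BAD_HTML = """<html><head>
<META HTTP-EQUIV="Cache-Control" CONTENT="private">
</head><body>
<form action="/user/login" method="post">
<input type="text" name="user" />
<input type="password" name="pass" />
</form></body></html>"""


class FormCacheAuditor(HTMLParser):
    """Collects password inputs (with the enclosing form's autocomplete) and Cache-Control meta tags."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None   # autocomplete attribute of the currently open <form>
        self.password_fields = []       # (input name, effective autocomplete value or None)
        self.meta_cache = []            # CONTENT of every <meta http-equiv="Cache-Control">

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values are lowercased here.
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete")
        elif tag == "input" and a.get("type") == "password":
            # Either the form (slide: "Via 1") or the input itself ("Via 2") may carry the attribute.
            effective = a.get("autocomplete", self.form_autocomplete)
            self.password_fields.append((a.get("name", ""), effective))
        elif tag == "meta" and a.get("http-equiv") == "cache-control":
            self.meta_cache.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit_html(html):
    """Return reviewer findings; an empty list means both checks pass."""
    parser = FormCacheAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for name, autocomplete in parser.password_fields:
        if autocomplete != "off":
            findings.append(f"password field '{name}' allows autocomplete")
    for content in parser.meta_cache:
        directives = {d.strip() for d in content.split(",")}
        if not directives & {"no-cache", "no-store"}:
            findings.append(f"meta Cache-Control '{content}' permits caching")
    return findings


if __name__ == "__main__":
    print("good:", audit_html(GOOD_HTML))
    print("bad:", audit_html(BAD_HTML))
```

The parser tracks the open `<form>` so that a form-level `autocomplete="off"` is inherited by the password field, while an input-level attribute wins when both are present; self-closing `<input … />` tags are handled by `HTMLParser` as a start tag followed by an end tag.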
115. Offline Manual analysis:
• Download image and try to break it
• Are CAPTCHAs reused?
• Is a hash or token passed? (Good algorithm? Predictable?)
• Look for vulns on CAPTCHA version
CAPTCHA breaking tools
PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
Captcha Breaker - http://churchturing.org/captcha-dist/
122. • Secure: not set = session cookie leaked = pwned
• HttpOnly: not set = cookies stealable via JS
• Domain: set properly
• Expires: set reasonably
• Path: set to the right /sub-application
• 1 session cookie that works is enough ..
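Slide 110 (caching headers) and slide 122 (cookie attributes) both come down to reading the response headers carefully, which is easy to do consistently from a saved `curl -i` capture. The block below is an added example for this write-up, not OWTF code: it parses a raw response and applies the Good/Bad rules above. Both sample responses are constructed (the cookie values and server name are placeholders), and `audit_response`, `audit_caching` and `audit_cookies` are names chosen here.

```python
"""Review a raw HTTP response for the caching (slide 110) and cookie-attribute (slide 122) rules.

Added example for this write-up, not OWTF code. GOOD_RESPONSE and BAD_RESPONSE are
constructed; cookie values and the Server name are placeholders.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Mon, 01-Jan-1990 00:00:00 GMT\r\n"
    "Set-Cookie: SID=constructed-session-value; Path=/app; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>logged in</body></html>"
)
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 09 Aug 2011 13:38:43 GMT\r\n"
    "Server: constructed-server\r\n"
    "Set-Cookie: PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; path=/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>logged in</body></html>"
)


def parse_response(raw):
    """Return (status line, [(lowercased header name, value), ...]); repeated headers are kept."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_caching(headers, now=None):
    """Good = Cache-Control no-cache/no-store + Pragma no-cache + Expires in the past (or illegal)."""
    now = now or datetime.now(timezone.utc)
    values = {}
    for name, value in headers:
        values.setdefault(name, []).append(value)
    findings = []
    directives = {d.strip().lower() for v in values.get("cache-control", []) for d in v.split(",")}
    if not directives & {"no-cache", "no-store"}:
        findings.append("Cache-Control lacks no-cache/no-store")
    if "no-cache" not in {v.lower() for v in values.get("pragma", [])}:
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if "expires" not in values:
        findings.append("Expires header missing")
    for expires in values.get("expires", []):
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            continue  # illegal values such as "0" count as already expired (slide 110)
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when > now:
            findings.append(f"Expires is in the future: {expires}")
    return findings


def audit_cookies(headers, over_https=True):
    """Secure and HttpOnly must be set; a Path of / deserves a second look (slide 122)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()   # flags like Secure get an empty value
        if over_https and "secure" not in attrs:
            findings.append(f"{cookie}: Secure not set")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: HttpOnly not set")
        if attrs.get("path", "/") == "/":
            findings.append(f"{cookie}: Path is / (check it is scoped to the sub-application)")
    return findings


def audit_response(raw, now=None):
    """Run both audits over one raw response and return the findings per category."""
    _, headers = parse_response(raw)
    return {"caching": audit_caching(headers, now), "cookies": audit_cookies(headers)}


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit_response(raw))
```

Headers are kept as a list rather than a dict because `Set-Cookie` legitimately repeats; the Domain and Expires cookie attributes are collected in `attrs` but left for human judgement, since what "set properly" and "set reasonably" mean depends on the application.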
125. Manually check when verifying credentials during pre-engagement:
Login and analyse the Session ID cookie (i.e. PHPSESSID)
Good:
  Before: 10a966616e8ed63f7a9b741f80e65e3c
  After: Nao2mxgho6p9jisslen9v3t6o5f943h
Bad (normal + by default):
  Before: 10a966616e8ed63f7a9b741f80e65e3c
  After: 10a966616e8ed63f7a9b741f80e65e3c
IMPORTANT: You can also set the session ID via JavaScript (i.e. XSS)
127. Session ID:
• In URL
• In POST
• In HTML
Example from the field:
http://target.com/xxx/xyz.function?session_num=7785
Look at unauthenticated cross-site requests:
http://other-site.com/user=3&report=4
Referer: site.com
Change ids in application: (ids you have permission for!)
http://site.com/view_doc=4
131. Review JavaScript code on the page:
<script>
document.write("Site is at: " + document.location.href + ".");
</script>
Sometimes active testing possible in your browser
(no trip to server = not an attack = not logged):
http://target.com/...#vulnerable_param=xss
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
138. Google searches: inurl:wsdl site:example.com
Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/
139. WSDL analysis
Sensitive methods in WSDL?
i.e. Download DB, Test DB, Get CC, etc.
http://www.example.com/ws/FindIP.asmx?WSDL
<wsdl:operation name="getCreditCard" parameterOrder="id">
<wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
<wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
</wsdl:operation>
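Reviewing a WSDL for sensitive-sounding methods, as slide 139 suggests, is a passive read of a public document and scales badly by eye once a service has dozens of operations. The block below is an added example written for this write-up, not OWTF code: it lists every distinct `wsdl:operation` and flags the ones whose names contain words a reviewer would look twice at. The WSDL is constructed around the `getCreditCard` operation shown on the slide (the other operations and the `urn:constructed-example` namespace are made up), and the word list in `SENSITIVE_WORDS` is an assumption to adapt per target.

```python
"""List WSDL operations and flag names that sound sensitive (slide 139: Download DB, Get CC, ...).

Added example for this write-up, not OWTF code. SAMPLE_WSDL is constructed around the
getCreditCard operation from the slide; SENSITIVE_WORDS is an assumed starting list.
"""
import re
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:impl="urn:constructed-example">
  <wsdl:portType name="ExampleSoap">
    <wsdl:operation name="FindIP" parameterOrder="address">
      <wsdl:input message="impl:FindIPRequest" name="FindIPRequest"/>
      <wsdl:output message="impl:FindIPResponse" name="FindIPResponse"/>
    </wsdl:operation>
    <wsdl:operation name="getCreditCard" parameterOrder="id">
      <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
      <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
    </wsdl:operation>
    <wsdl:operation name="download_database">
      <wsdl:input message="impl:downloadDatabaseRequest" name="downloadDatabaseRequest"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="ExampleSoapBinding" type="impl:ExampleSoap">
    <wsdl:operation name="FindIP"/>
    <wsdl:operation name="getCreditCard"/>
    <wsdl:operation name="download_database"/>
  </wsdl:binding>
</wsdl:definitions>
"""

# Assumed list of words that make a reviewer look twice; extend it for the service under review.
SENSITIVE_WORDS = {"credit", "card", "cc", "db", "database", "download", "dump", "export",
                   "backup", "test", "debug", "admin", "password", "delete", "exec"}


def split_words(name):
    """Split camelCase, PascalCase, ALLCAPS runs and snake_case into lowercase words."""
    return [w.lower() for w in re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+", name)]


def operations(wsdl_text):
    """Return one dict per distinct operation (portType and binding repeat the same names)."""
    root = ET.fromstring(wsdl_text)
    seen, ops = set(), []
    for op in root.iter(f"{{{WSDL_NS}}}operation"):
        name = op.get("name")
        if name in seen:
            continue
        seen.add(name)
        ops.append({
            "name": name,
            "params": op.get("parameterOrder", "").split(),
            "has_input": op.find(f"{{{WSDL_NS}}}input") is not None,
            "has_output": op.find(f"{{{WSDL_NS}}}output") is not None,
        })
    return ops


def flag_sensitive(ops, words=SENSITIVE_WORDS):
    """Map each operation whose name contains a sensitive word to the words that matched."""
    flagged = {}
    for op in ops:
        hits = sorted(set(split_words(op["name"])) & words)
        if hits:
            flagged[op["name"]] = hits
    return flagged


if __name__ == "__main__":
    ops = operations(SAMPLE_WSDL)
    for op in ops:
        print(op["name"], op["params"], "in" if op["has_input"] else "-", "out" if op["has_output"] else "-")
    print(flag_sensitive(ops))
```

Matching on whole words after splitting the name (rather than substring search) is what keeps `cc` and `db` usable as keywords without flagging every `access` or `feedback` method; the `parameterOrder` list is kept because an operation like `getCreditCard(id)` tells you immediately what a later, authorised test would have to exercise.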
140. Same Origin Policy (SOP) 101
1. Domain A’s page can send a request to Domain B’s page from Browser
2. BUT Domain A’s page cannot read Domain B’s page from Browser
http://www.ibm.com/developerworks/rational/library/09/rationalapplicationdeveloperportaltoolkit3/
141. • Request == Predictable → Pwned (“..can send a request to Domain B” (SOP))
CSRF Protection 101:
• Require long random token (99% hidden anti-CSRF token) → Not predictable
• Attacker cannot read the token from Domain B (SOP) → Domain B ignores request
Potentially Good: Anti-CSRF token present: Verify with permission
Bad: No anti-CSRF token
143. Similar to CSRF:
Is there an anti-replay token in the request?
Potentially Good: Anti-CSRF token present: Verify with permission
Bad: No anti-CSRF token
147. Active testing ☺
1) Trip to server = need permission
http://target.com/test.swf?xss=foo&xss2=bar
2) But … your browser is yours:
No trip to server = no permission needed
http://target.com/test.swf#?xss=foo&xss2=bar
Good news: Unlike DOM XSS, the # trick will always work for Flash Files
148. Some technologies allow settings that relax SOP:
• Adobe Flash (via policy file)
• Microsoft Silverlight (via policy file)
• HTML 5 Cross Origin Resource Sharing (via HTTP headers)
Cheating: Reading the policy file or HTTP headers != attack
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
153. Workshop exercise
1) Install swftools:
wget http://www.swftools.org/swftools-0.9.2.tar.gz
tar xvfz swftools-0.9.2.tar.gz
cd swftools-0.9.2
sh ./configure
make
make install
whereis swfdump              # Check that we have swfdump installed now
swfdump: /usr/local/bin/swfdump
154. Workshop exercise (continued)
2) Analyse vulnerable file:
wget http://demo.testfire.net/vulnerable.swf                              # Download vulnerable file
swfdump -a vulnerable.swf > vulnerable.txt                                # Disassemble flash file
grep -B1 GetVariable vulnerable.txt | tr " " "\n" | grep '("' | sort -u   # Get FlashVars
("empty_mc")
("externalInterfaceVar")
("flash")
("font")
("fontTxtFieldExists")
("fontVar")
("getUrlBlankVar")
("getUrlJSParam")
("getUrlParentVar")          # Used in this example
…
155. Workshop exercise (continued)
3) Verify using the “#” trick (payload not sent to target):
http://demo.testfire.net/vulnerable.swf#?getUrlParentVar=javascript:alert('pwned!')
Click on “Get URL (parent)” for example above
And you get:
XSS ☺
158. Andrew Horton’s “Clickjacking for Shells”:
http://www.morningstarsecurity.com/research/clickjacking-wordpress
Krzysztof Kotowicz’s “Something Wicked this way comes”:
http://www.slideshare.net/kkotowicz/html5-something-wicked-this-way-comes-hackpra
https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
Marcus Niemietz’s “UI Redressing and Clickjacking”:
http://www.slideshare.net/DefconRussia/marcus-niemietz-ui-redressing-and-clickjacking-about-click-fraud-and-data-theft