This thesis compares the performance of six open-source web vulnerability scanners: Arachni, Burp Pro, Skipfish, Vega, Wapiti, and ZAP. The researcher evaluated the scanners using three benchmark applications and analyzed their crawling coverage, vulnerability detection accuracy, speed, and usability. The results showed that no scanner detected all vulnerabilities and they struggled with features like authentication, file uploads, and multi-step processes. ZAP and Burp Pro achieved the highest scores overall, while all scanners had room for improvement in fully automating the assessment of complex web applications.
Introduction to Web Application Penetration TestingRana Khalil
Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...Denim Group
There are a number of reasons to use source code to assist in web application penetration testing such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.
This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved into the first and, who would have guessed, second penetration test against the "Smart Sheriff" app, will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?
Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
Introduction to Web Application Penetration TestingRana Khalil
Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...Denim Group
There are a number of reasons to use source code to assist in web application penetration testing such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.
This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved into the first and, who would have guessed, second penetration test against the "Smart Sheriff" app, will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?
Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I tried to cover Application Security Tools that can be helpful for analyzing security threats as well as putting up some defense . This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is a envisioned as a guide for early adopters and technology evaluators.
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
What is ZAP(Zed Attack Proxy)?An easy to use web application pentest tool.
Completely free and open source.
An OWASP(Open Web Application Security Project) flagship project.
Ideal for beginners.
But also used by professionals.
Becoming a framework for advanced testing.
By Karen Florykian at Automation in Action: summer conference.
Video: https://youtu.be/4fUwEvnFo_Q
TOPIC DESCRIPTION
I will share my experience of SDLC enablement on the enterprise level. In the process I will reveal pitfalls and gotchas about the building of a developer-friendly CI-enabled service using industry standard static and dynamic scanning tools, CI platforms, ReportPortal, Carrier platform and Jira integration service.
I will share my experience of SDLC enablement on enterprise level. Uncover pitfalls and gotchas about building of developer friendly CI enabled service using industry standard static and dynamic scanning tools, CI platforms, ReportPortal, Carrier platform and Jira integration service.
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
Learn how to discover every web application you own and ascertain their risk levels through the hacker’s lens to gain a better understanding of the overall attack surface and locate the right path for remediation.
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and will introduce the next generation web application defending technology dubbed as Runtime Application Self-Protection (RASP) that defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight on future of runtime protection.
What? Why? Who? How? Of Application Security Testing TEST Huddle
A penetration testing expert is better at pen-testing than me, but should I simply delegate application security to specialists and network firewalls? Actually no, I shouldn’t and neither should anyone else involved in the systems development lifecycle.
For years I treated security testing as something akin to black magic beyond my comprehension and penetration testers as technical wizards who could cast out evil hacking spells. Obviously that was daft, but it took some effort to see what was really happening behind the smoke and mirrors of application security, and to de-mystify it for my colleagues.
Follow the journey that led Declan O'Riordan to believe that every well-formed tester can and must have a basic understanding of what application security is, why it is important, who should be doing it, and how.
After this presentation you can stop describing security as ‘Out of Scope’ from your test plans.
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec. Attendees Benefits * An Open Source framework for Automated Mobile Security Assessment. * One Click Report Generation and Security Assessment. * Framework can be deployed at your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud. * Supports both Android and iOS Applications. * Semi Automatic Dynamic Analyzer for intelligent application logic based (whitebox) security assessment.
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I tried to cover Application Security Tools that can be helpful for analyzing security threats as well as putting up some defense . This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is a envisioned as a guide for early adopters and technology evaluators.
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
What is ZAP(Zed Attack Proxy)?An easy to use web application pentest tool.
Completely free and open source.
An OWASP(Open Web Application Security Project) flagship project.
Ideal for beginners.
But also used by professionals.
Becoming a framework for advanced testing.
By Karen Florykian at Automation in Action: summer conference.
Video: https://youtu.be/4fUwEvnFo_Q
TOPIC DESCRIPTION
I will share my experience of SDLC enablement on the enterprise level. In the process I will reveal pitfalls and gotchas about the building of a developer-friendly CI-enabled service using industry standard static and dynamic scanning tools, CI platforms, ReportPortal, Carrier platform and Jira integration service.
I will share my experience of SDLC enablement on enterprise level. Uncover pitfalls and gotchas about building of developer friendly CI enabled service using industry standard static and dynamic scanning tools, CI platforms, ReportPortal, Carrier platform and Jira integration service.
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
Learn how to discover every web application you own and ascertain their risk levels through the hacker’s lens to gain a better understanding of the overall attack surface and locate the right path for remediation.
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and will introduce the next generation web application defending technology dubbed as Runtime Application Self-Protection (RASP) that defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight on future of runtime protection.
What? Why? Who? How? Of Application Security Testing TEST Huddle
A penetration testing expert is better at pen-testing than me, but should I simply delegate application security to specialists and network firewalls? Actually no, I shouldn’t and neither should anyone else involved in the systems development lifecycle.
For years I treated security testing as something akin to black magic beyond my comprehension and penetration testers as technical wizards who could cast out evil hacking spells. Obviously that was daft, but it took some effort to see what was really happening behind the smoke and mirrors of application security, and to de-mystify it for my colleagues.
Follow the journey that led Declan O'Riordan to believe that every well-formed tester can and must have a basic understanding of what application security is, why it is important, who should be doing it, and how.
After this presentation you can stop describing security as ‘Out of Scope’ from your test plans.
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec. Attendees Benefits * An Open Source framework for Automated Mobile Security Assessment. * One Click Report Generation and Security Assessment. * Framework can be deployed at your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud. * Supports both Android and iOS Applications. * Semi Automatic Dynamic Analyzer for intelligent application logic based (whitebox) security assessment.
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
Open Source Security: How to Lay the Groundwork for a Secure CultureWhiteSource
Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements.
However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software.
Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses:
1. The four layers of open-source security
2. How to integrate continuous security into your SDLC
3. Best practices for organizations to own and execute the security process
Open Source Security: How to Lay the Groundwork for a Secure CultureDevOps.com
Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements.
However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software.
Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses:
The four layers of open-source security;
How to integrate continuous security into your SDLC;
Best practices for organizations to own and execute the security process.
This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 6 of 10
This Webinar focuses on Application Security
• Application security logging and monitoring
• Issues in current logging practices
• Resources required by developers for security logging
• Correlating and alerting from log sources
• Logging in multi-tiered architectures and disparate systems
• Application security logging requirements
Quality of software code for a given product shipped effectively translates not only to its functional quality but as well to its non functional aspects say security. Many of the issues in code can be addressed much before they reach SCM.
Functional Testing of RESTful ApplicationsNenad Bozic
Rise in popularity of the microservice architecture on one side and need to have the server which has many clients (mobile, web, machine to machine) brought both the challenge and the opportunity to better test RESTful applications on level of features. Main feature of RESTful application are exposed endpoints which enable creating test application as REST client which will view our application as blackbox. Test application can prepare input and wait for output which can be compared against expected one.
In this presentation we will give overview of types of test you can do, concentrate on blackbox testing over REST Api, touch the terms of whitebox testing and graybox testing and why later approach is useful for external dependencies outside of our control and explain why you should use tools such as Cucumber to better communicate features with business people. Presentation will walk through our experiences and how we overcame problems along the way.
In this presentation a brief justification to performance testing will be given following with some terminology and a short demo
links is provided to some recommended solutions trails /freemium
in the comments, the two demo sessions,
TruClient Lite scripting demo
StormRunner Load simple performance test
Nonfunctional Testing: Examine the Other Side of the CoinTechWell
Creating a highly available, scalable, and high-performing system requires a substantial amount of what we call nonfunctional testing. Developing nonfunctional testing skills is a must for many of today’s quality engineers (QEs). For the past several years, Balaji Arunachalam’s quality team for Intuit Core Services has experienced several highly available and disaster recovery buildup and testing challenges. Their journey includes the evolution of functional QEs into hybrid QEs who are capable of doing both functional and nonfunctional testing. Nonfunctional testing includes capacity, stability, benchmarking, FMEA/RAS, datacenter failover, and scalability testing. Balaji shares nonfunctional testing best practices, learnings, and mistakes they encountered on this journey. If you or your team is ready flip the coin and take a serious look at nonfunctional testing methods, opportunities, challenges, and solutions, this session is for you.
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Application Vulnerability Scanners
1. Why Johnny Still Can’t Pentest:
A Comparative Analysis of Open-source Black-box Web
Vulnerability Scanners
Rana Khalil
Master Thesis Defense, 20/11/2018
School of EECS
University of Ottawa
Committee:
Carlisle Adams (Supervisor)
Guy-Vincent Jourdan
Anil Somayaji (Carleton University)
1
4. Introduction
• We use websites for everything: e-commerce, online banking, social networking,
social media, etc.
• Web security has become a major concern
4
5. How to Secure a Web Application?
• A combination of techniques are used to secure web applications:
• Static code analysis
• Web application firewalls
• Secure coding practices
• Web application vulnerability scanners
• Etc.
• Focus of this research: Performing a comprehensive comparative analysis of the
performance of six chosen scanners
5
6. Previous Work
6
• Suto’s case studies [10][11]
• 2007 paper evaluated scanners in PaS mode
• 2010 paper evaluated scanners in PaS and Trained modes
• Benchmark applications:
• Web Input Vector Extractor Teaser (WIVET) created in 2009 by Tatli et al. [12]
• Web Application Vulnerability Scanner Evaluation Project (WAVSEP) created in 2010 by Chen [13]
• Doupé et al.’s work on evaluating WAVS in both PaS and Trained modes on the WackoPicko
application [15]
• Several other studies include [14], [16] and [17]
9. Tool Selection
9
• Chen’s evaluation [18]
• Consultation with professional ethical hackers
Table 2.1: Characteristics of the Scanners Evaluated
10. Benchmark Selection
10
• Benchmark applications
• WIVET - contains 56 test cases that utilize both Web 1.0 and Web 2.0 technologies
• WAVSEP - consists of a total of 1220 true positive (TP) test cases and 40 false
positive (FP) test cases covering a range of vulnerability categories
• WackoPicko - intentionally vulnerable realistic web application
• Contains 16 vulnerabilities covering several of the OWASP Top 10
• Contains crawling challenges: HTML parsing, multi-step process, infinite web site,
authentication, client-side code, etc.
11. Environment Setup
11
• Each scanner was run in two modes:
• Default - default configuration setting
• Configured
1. Maximize crawling coverage – changing
configuration
2. Maximize crawling coverage – use of proxy
3. Maximize attack vector
• WackoPicko test scans were further divided into two
subcategories:
• INITIAL – without authentication / publicly accessible
• CONFIG - valid username/password combination
• In total, each scanner was run eight times.
Note: Tests performed in a VM that was restored to its initial
state before every test run.
Table 2.2: Steps Included in Configured
Scan
12. Feature Selection
12
• Crawling coverage:
• % of passed test cases on the WIVET application
• Crawling challenges in the WackoPicko application
• Vulnerability detection accuracy:
• TP, FN and FP on the WAVSEP and WackoPicko
applications
• Speed:
• Scan time on the WAVSEP and WackoPicko appliations
• Reporting:
• Vulnerability detected
• Vulnerability location
• Exploit performed
• Usability:
• Efficiency
• Product documentation
• Community support
Crawling
Coverage
Detection
Accuracy
Speed
WIVET
WackoPicko
WAVSEP
Features Applications
Figure 2.2: Feature Measurement
13. Metric Selection
13Table 2.3 Vulnerability Scores
• Final ranking was calculated
based on the crawling coverage
and vulnerability detection on
the WackoPicko application
15. Vulnerability Detection Accuracy – FN 1/2
15
FNs in WackoPicko Reason(s)
1. Weak password - admin interface
with credentials admin/admin
• Scanners did not attempt to guess username/password
• Scanners did attempt to guess username/password but failed
2. Session id - vulnerability in the
admin interface
• Scanners did not guess the admin credentials and therefore
never reached this vulnerability
3. Parameter manipulation - userid
of sample user functionality
• Most scanners did not attempt to manipulate the userid field
• Arachni manipulated the userid field but failed to enter a
valid number
• Skipfish successfully manipulated the userid field but did not
report it as a vulnerability
16. Vulnerability Detection Accuracy – FN 2/2
16
FNs in WackoPicko Reason(s)
4. Stored SQL injection - required
registering a user
5. Directory traversal - required
photo upload
6. Multi-step stored XSS - required
completing a multi-step process
• Crawling challenges – discussed later
• Lack of detection for these types of vulnerabilities
7. Forceful browsing: - link to a
high quality version of a picture
8. Logic flaw – coupon
management system
• Application specific vulnerabilities
• Require understanding business logic of the application
Note: WAVSEP FNs not listed
17. Vulnerability Detection Accuracy – TP 1/2
17
Table 3.1: WackoPicko Default and Configured Scan Detection Results
Name RXSS XSS Stored SQLi
Reflected
Command line
injection
File
Inclusion
File
Exposure
RXSS
behind JS
RXSS behind
Flash
Arachni INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL
Burp Pro INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL CONFIG
Skipfish INITIAL INITIAL INITIAL INITIAL INITIAL
Vega INITIAL INITIAL INITIAL INITIAL
Wapiti INITIAL INITIAL INITIAL INITIAL
ZAP INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL CONFIG
Default
Configured
• All scanners missed at least 50% of the vulnerabilities
• Running the scanners in trained mode increased the overall detection
18. 18
Figure 3.1: WAVSEP Overall TP Detection
Arachni Burp Skipfish Wapiti Vega ZAP
Default 60.16% 27.87% 4.02% 25.41% 71.31% 60.74%
Configured 60.16% 42.54% 62.62% 24.43% 71.31% 79.26%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
%ofWAVSEPTestsDetected
Key Observations:
• WAVSEP results were better than WackoPicko:
• Vulnerability categories in the application
• Integrating WAVSEP in the SDLC of the
scanner
• ZAP achieved highest score, followed by Vega and
Skipfish
• Vulnerability category detection varied with scanner
• Arachni discovered 100% of SQLi, RFI,
unvalidated redirect, but had a low detection
rate for LFI vulnerabilities
Vulnerability Detection Accuracy – TP 2/2
19. Crawling Coverage 1/2
19
Table 3.2: Account Creation
Scanner # of Accounts
Arachni 202
Burp Pro 113
Skipfish 364
Vega 117
Wapiti 0
ZAP 111
Features that scanners found difficult to crawl in WackoPicko:
• Uploading a picture
• All scanners were not able to upload a picture in Default mode
• Burp and ZAP were able to in Configured mode
• Authentication
• All scanners except for Wapiti successfully created accounts
• Multi-step processes
• All scanners were not able to complete the process in Default
mode
• Burp and ZAP were able to in Configured mode
20. Crawling Coverage 2/2
20
Figure 3.2: WIVET Results
Arachni Burp
Skipfis
h
Wapiti Vega ZAP
Default 94 50 50 50 16 42
Configured 94 50 50 50 16 78
0
10
20
30
40
50
60
70
80
90
100
%ofWIVETTestsPassed
Features that scanners found difficult to
crawl in WackoPicko:
• Infinite websites
• All scanners recognized the infinite
loop except Arachni
• Client-side code
• Flash applications
• Dynamic JavaScript
• Ajax Requests
22. Reporting Features
Features tested for:
1) List of all the vulnerabilities detected
2) Locations of all the detected vulnerabilities
3) Exploits performed to detect these vulnerabilities
All six scanners generate reports that include the above three features
22
24. Final Ranking
24
Figure 3.4: Final Ranking
Name Score
Burp Pro 26
ZAP 23
Arachni 15
Wapiti 10
Skipfish 10
Vega 8
25. Comparison to Previous Research
25
• Suto’s 2010 study showed there is no significant increase in vulnerability detection in PaS vs Trained modes
• Our results show there is a significant increase for several of the scanners
• Possible reasons for difference in conclusion – different benchmark applications and scanners were used
• Doupé et al.’s 2010 study showed that scanners had difficulty crawling through common web technologies
such as Flash applications and dynamic JavaScript measured on the WackoPicko and WIVET applications
• Our results show similar conclusion
• Doupé et al.’s study showed that scanners missed several categories of vulnerabilities such as weak
authentication, stored vulnerabilities and logic specific vulnerabilities
• Our results show similar conclusion
• Doupé et al.’s study showed that commercial scanners are not significantly better than open-source scanners
• Our results show similar conclusion
27. Conclusion
• Scanners are far from being used as PaS tools only
• Several classes of vulnerabilities were not detected
• Scanners had difficulty crawling through common web technologies such as dynamic
JavaScript and Flash applications
• Different scanners have different strengths/weaknesses
• Open-source scanner performance is comparable to commercial scanner performance and in
several cases better
27
28. References
[1] Internet Live Stats, “Internet Users.” http://www.internetlivestats.com/ internet-users/, 2018. Accessed Aug. 4, 2018.
[2] InternetLiveStats,“Total number of Websites.”http://www.internetlivestats. com/total-number-of-websites/, 2018. Accessed Aug. 4, 2018.
[3] Braga, M., “100,000 Canadian victims: What we know about the Equifax breach - and what we don’t.”
https://www.cbc.ca/news/technology/equifax-canada- breach-sin-cybersecurity-what-we-know-1.4297532, Sept. 2017. Accessed Aug. 4, 2018.
[4] Trustwave, “2018 Trustwave Global Security Report.” https://www2.trustwave. com/GlobalSecurityReport.html, 2018. Accessed Aug. 4,
2018.
[5] “The OWASP Foundation.” https://www.owasp.org/index.php/Main_Page, 2018. Accessed Aug. 3, 2018.
[6] “Category:OWASP Top Ten Project.” https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project#tab=Main, 2018. Accessed
Aug. 3, 2018.
[7] “OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks.” https://www.owasp.org/images/7/72/OWASP_Top_10-
2017_%28en%29.pdf.pdf, 2018. Accessed Aug. 3, 2018.
[8] J. Jive, “XSS Vectors Cheat Sheet.” https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45, 2017. Accessed Aug. 3, 2018.
[9] B. Shura, R. Auger, and R. Gaucher, “Web Application Security Scanner Evaluation Criteria.”
http://projects.webappsec.org/w/page/13246986/Web% 20Application%20Security%20Scanner%20Evaluation%20Criteria, 2014. Accessed
Aug. 4, 2018.
28
29. References
[10] L. Suto, “Analyzing the Effectiveness and Coverage of Web Application Security Scanners,” Case Study, Oct. 2007.
[11] L. Suto, “Analyzing the Accuracy and Time Costs of Web Application Security Scanners,” Feb. 2010.
[12] E. I. Tatli and B. Urgun, “Web Input Vector Extractor Teaser.” https://github. com/bedirhan/wivet, 2014. Accessed Aug. 1, 2018.
[13] S. Chen, “The Web Application Vulnerability Scanner Evaluation Project.” https: //github.com/sectooladdict/wavsep, 2014. Accessed Aug.
2, 2018.
[14] D. Gupta, J. Bau, J. Mitchell, and E. Bursztein, “State of the art: Automated black- box web application vulnerability testing,” in 2010
IEEE Symposium on Security and Privacy (SP), pp. 332–345, May 2010.
[15] A. Doupé, M. Cova, and G. Vigna, “Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners,” in Detection of
Intrusions and Malware, and Vulnerability Assessment (C. Kreibich and M. Jahnke, eds.), (Berlin, Heidelberg), pp. 111–131, Springer Berlin
Heidelberg, 2010.
[16] K. McQuade, “Open Source Web Vulnerability Scanners: The Cost Effective Choice?,” in Conference for Information Systems Applied
Research, 2014.
[17] S. ElIdressi, N. Berbiche, F. Guerouate, and M. Sbihi, “Performance Evaluation of Web Application Security Scanners for Prevention and
Protection against Vulnerabilities,” in International Journal of Applied Engineering Research, vol. 12, pp. 11068– 11076, 2017.
[18] S. Chen, “The Prices vs. Features of Web Application Vulnerability Scanners.”
http://sectoolmarket.com/price-and-feature-comparison-of-web- application-scanners-opensource-list.html, 2016. Accessed Aug. 1, 2018.
29
30. References
[19] “Home - Arachni - Web Application Security Scanner Framework.” http://www. arachni-scanner.com/, 2017. Accessed Aug. 4, 2018.
[20] L. Kuppan, “IronWASP - Iron Web application Advanced Security testing Platform.” https://ironwasp.org/index.html, 2014. Accessed Aug.
4, 2018.
[21] “OWASP Zed Attack Proxy Project.” https://www.owasp.org/index.php/ OWASP_Zed_Attack_Proxy_Project, 2018. Accessed Aug. 4,
2018.
[22] M. Zalewski, “skipfish(1) - Linux man page.” https://linux.die.net/man/1/ skipfish. Accessed Aug. 4, 2018.
[23] N. Surribas, “Wapiti : a Free and Open-source Web-application Vulnerability Scanner.” http://wapiti.sourceforge.net/, 2018. Accessed Aug.
4, 2018.
[24] “Vega Vulnerability Scanner - Subgraph OS.” https://subgraph.com/vega/, 2014. Accessed Aug. 4, 2018.
[25] “Burp Suite Scanner | PortSwigger.” https://portswigger.net/burp, 2018. Ac- cessed Aug. 4, 2018.
[26] “AppScan - Application Security | IBM.” https://www.ibm.com/security/ application-security/appscan, 2018. Accessed Aug. 3, 2018.
[27] R. Siles and S. Bennetts, “OWASP Vulnerable Web Applications Direc- tory Project.”
https://www.owasp.org/index.php/OWASP_Vulnerable_Web_ Applications_Directory_Project, 2018. Accessed Aug. 1, 2018.
[28] A. Doupe, “WackoPicko Vulnerable Website.” https://github.com/adamdoupe/ WackoPicko, 2018. Accessed Aug. 2, 2018.
30
31. References
[29] C. Willis, “OWASP Broken Web Applications Project.” https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project,
2016. Accessed Aug. 3, 2018.
[30] A. Riancho, “WIVET - Web Input Vector Extractor Teaser.” https://hub.docker. com/r/andresriancho/wivet/, 2015. Accessed Aug. 2, 2018.
[31] “The Web Application Vulnerability Scanner Evaluation Project.” https://hub. docker.com/r/owaspvwad/wavsep/, 2016. Accessed Aug. 2,
2018.
[32] R. Khalil, “Thesis-Test-Results.” https://github.com/rkhal101/Thesis-Test- Results, 2018.
[33] “Crawler Coverage and Vulnerability Detection.” http://www.arachni-scanner. com/features/framework/crawl-coverage-vulnerability-
detection/. Accessed Aug. 4, 2018.
[34] R. Khalil, “Arachni does not maintain session across scan #986.” https://github. com/Arachni/arachni/issues/986, 2018. Accessed Aug. 4,
2018.
[35] R.Khalil,“Sitemap does not contain all crawled links #987.”https://github.com/Arachni/arachni/issues/987, 2018. Accessed Aug. 4, 2018.
[36] R. Khalil, “Run Vega on WIVET #157.” https://github.com/subgraph/Vega/ issues/157, 2018. Accessed Aug. 4, 2018.
[37] R.Khalil,“"Alerts for this node” does not display high alerts of risk type High #4899.” https://github.com/zaproxy/zaproxy/issues/4899,
2018. Accessed Aug. 4, 2018.
31