Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
1 Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit The OWASP Foundation.
6th OWASP AppSec Conference, Milan, May 2007
OWASP Pantera – Dissecting Web Applications
Simon Roses Femerling, OWASP Pantera Project Lead, Security Technologist, Microsoft

2 6th OWASP AppSec Conference – Milan – May 2007
Intro – Who am I?
• Security Technologist at Microsoft
• Former among others…
• Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts.
• Native of the wonderful island of Mallorca in the Mediterranean Sea.

3 Agenda
• Pantera Overview
• Before the Joy
• Features of a Web Assessment Framework
• Pantera Roadmap
• Demo
• Q&A

4 Pantera Overview

5 Pantera Overview (I)
• Pantera is not just another “proxy” but a Web Assessment Framework
• aka: Pantera – Web Assessment Studio (WAS)
• Born out of necessity
• Pantera description: Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine.

6 Pantera Overview (II)
• Pantera works well with other proxies and is a complementary tool.
• Pantera is 100% Python and has been tested on:
  • Windows
  • Linux
  • MacOS
  • FreeBSD

7 Pantera Overview (III)
• Two main operational modes:
  • Cache
  • Project Session

8 Pantera Architecture

9 Pantera Workflow

10 Pantera Goal
• The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.

11 Before the Joy

12 Pantera Requirements
• Python 2.4
• pyOpenSSL
• MySQL 5.0 (triggers)
• Python MySQL wrapper
• FormBuild

13 Installation Myths
• The installation is not the best, but it is not that difficult.
• Pantera provides really good documentation; besides, you have the mailing list.
• Pantera can be installed and up and running in:
  • Ubuntu: 10/15 min!!
  • Windows

14 Pantera Cons
• Needs a lot of work.
• The proxy engine may not understand weird data.
• Performance.

15 Features of a Web Assessment Framework

16 Pantera Features List
• Session Management
• Database support
• Pantera Passive Analysis (PPA)
• Import / Export
• Spider
• Data Miner
• Visual Resource Icons (VRI)
• Fingerprint (Cookies / Extensions)
• Anti-IDS Generation
• Statistics
• The Snitch

17 Pantera Feature – Session Management
• An assessment is a project.
• Manage your projects easily.
• Under Project Session mode you get the “whole enchilada”.

18 Pantera Feature – Session Management

19 Pantera Feature – Pantera Passive Analysis (PPA)
• PPA is a passive analysis engine that runs on the fly.
• PPA checks are easy-to-write plug-ins.
• Checks are divided into 16 categories, for example:
  • Forms / Authentication Forms
  • SSL
  • Cookies
• More than 20 checks available.

20 Pantera Feature – Pantera Passive Analysis (PPA)

21 Pantera Feature – Spider
• Pantera now includes a Spider (still in its infancy).
• Works in both operational modes.
• Uses many smart gathering techniques:
  • Parse robots.txt
  • Parse sitemap
  • Parse JavaScript
  • Request directory index

22 Pantera Feature – Data Miner
• “Get what you want.”
• Allows you to get any information from the project.
• e.g. query “All links with forms”
• The only place in Pantera to view all links.
• Easy to use and powerful.

23 Pantera Feature – Data Miner

24 Pantera Feature – Visual Resource Icons (VRI)
• The Visual Resource Icons are an easy and convenient way to quickly identify target page attributes.
• More than 10 icons, for example:
  • Target page has an object (ActiveX, Java applet, etc.)
  • Target page has authorization forms
  • Target page sets a session ID
  • Target page has possible attack vectors (forms, hidden tags, URL parameters, etc.)

25 Pantera Feature – Fingerprint
• Pantera can fingerprint:
  • File extensions: 60+ file types.
  • Session IDs: 40+ applications.
• Fingerprints are stored in XML files.
• This information is used by many other Pantera features.

26 Pantera Feature – Fingerprint (session-ID patterns)
ASPSESSIONID.*?(;| )
ASP.NET_SessionId.*?(;| )
PD-S-SESSION-ID.*?(;| )
PD_STATEFUL.*?(;| )
WEBTRENDS_ID.*?(;| )
sessionid.*?(;| )
_sn.*?(;| )
BCSI-.*?(;| )
CFID.*?(;| )
CFTOKEN.*?(;| )
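As an added example (not Pantera's own code), the Python below ties slide 19 to slide 26: a PPA-style cookie check that applies the session-ID patterns listed above to Set-Cookie header values and flags a recognised session cookie that is sent without the Secure or HttpOnly attribute. The platform label beside each pattern and the sample Set-Cookie values are this example's own assumptions and constructed data, not Pantera's XML fingerprint files.

```python
import re

# Session-ID patterns from the slide above. The platform label beside each is
# this example's assumption, not Pantera's XML data; two are left unnamed.
SESSION_FINGERPRINTS = [
    (r"ASPSESSIONID.*?(;| )", "Classic ASP"),
    (r"ASP.NET_SessionId.*?(;| )", "ASP.NET"),
    (r"PD-S-SESSION-ID.*?(;| )", "Tivoli WebSEAL"),
    (r"PD_STATEFUL.*?(;| )", "Tivoli WebSEAL"),
    (r"WEBTRENDS_ID.*?(;| )", "WebTrends"),
    (r"sessionid.*?(;| )", "generic sessionid"),
    (r"_sn.*?(;| )", "unnamed"),
    (r"BCSI-.*?(;| )", "unnamed"),
    (r"CFID.*?(;| )", "ColdFusion"),
    (r"CFTOKEN.*?(;| )", "ColdFusion"),
]

# Constructed sample Set-Cookie values, as a proxy would see them in responses.
SAMPLE_SET_COOKIES = [
    "ASPSESSIONIDQGQGQSTR=ABCDEFGHIJKLMNOP; path=/",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "CFID=123; Secure; HttpOnly; path=/",
    "theme=dark; path=/",
]

def fingerprint_session_cookie(header_value):
    """Return (platform, matched text) for the first pattern that hits, else None.
    The slide's patterns all end in (;| ), so a cookie that closes the header has
    no terminator; a trailing space is appended rather than editing the patterns."""
    text = header_value + " "
    for pattern, platform in SESSION_FINGERPRINTS:
        match = re.search(pattern, text)
        if match:
            return platform, match.group(0).rstrip("; ")
    return None

def passive_cookie_check(set_cookie_value):
    """PPA-style passive check: fingerprint the cookie and flag a session
    cookie sent without the Secure or HttpOnly attribute."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    hit = fingerprint_session_cookie(set_cookie_value)
    findings = []
    if hit:
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append("session cookie without " + flag)
    return {"cookie": name, "platform": hit[0] if hit else None, "findings": findings}
```

Running `passive_cookie_check` over `SAMPLE_SET_COOKIES` reports the ASP and ASP.NET cookies as missing flags, passes the ColdFusion cookie, and ignores the non-session `theme` cookie.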

27 Pantera Feature – Statistics
• Very helpful to get a quick status of the project.
• Divided into 5 sections:
  • General Information
  • Pages Extension Counter
  • Data gathered from Application
  • HTTP Return Codes Information
  • Links Information

28 Pantera Feature – Statistics

29 Pantera Feature – The Snitch
• The Snitch is an information gatherer.
• It can currently gather:
  • Comments
  • Scripts
  • Links

30 Pantera Feature – The Snitch

31 Pantera Roadmap

32 Pantera Future Development
• Keep improving the proxy / scan / analysis engines.
• Use of AJAX.
• Support for more databases.
• Your feedback counts!

33 Maybe Pantera 2.0
• Cooperative Attack Center

34 Pantera Resources
• Official Website: SP_Pantera_Web_Assessment_Studio_Project
• Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-pantera
• Contact us

35 DEMOS!

36 The End
• Q&A
• Important: Beer / hard liquor (Vodka/Lemon, Margaritas, Mojitos, you name it…) are always welcome
• Simon Roses Femerling

