Web Vulnerability Assessments NEWDUG January, 2015.


1 Web Vulnerability Assessments NEWDUG January, 2015

2 Agenda
About Web Vulnerability Assessments
– Types
– SOW
– Steps
Tools
Demos
Goals
– Demonstrate Web VA; show techniques pen-testers and hackers use to find vulnerabilities in your sites
– Provide some techniques and tools to help secure your code

3 John Reynders
Consultant with OpenSky Corp.
Seven years experience in Web Security:
– Program Development
– Dynamic Testing
– Static Analysis
– Coding Standards
– Web Application Firewalls
Eight years of general Information Security experience

4 OpenSky - An Award Winning Company
Everything starts with our people. Our success comes from their expertise and dedication to always “doing the right thing” for our clients.
Our people
– Expert resources: CRN Tech Elite 250 (2013)
– Quality work environment: Top Workplace (2011, 2012, 2013)
Our people create top tier solutions
– GRC Solution Award with client Shire Pharmaceuticals: OCEG (2013)
Our people and our solutions create lasting relationships and new partners
– Multiple growth awards: Inc 500 (2012), CRN (2011, 2012), Marcum Tech Top 40 (2011, 2012)

5 Complete Solutions for Major Enterprises
(Diagram labels: Secure, Manage, Plan, Design & Migrate)
GRC Services
– GRC Strategy
– GRC Maturity Assessment
– GRC Configuration and Custom Development
Datacenter & Cloud Infrastructure Services
– Data Center and Cloud Integration
– Network Infrastructure
– Virtualization
– Storage and Computing
– Infrastructure Applications
– End-User Computing
IT Risk Management & Security Services
– Assessment and Advisory
– Application Secure Coding
– Vulnerability Assessment and Penetration Testing
– Security Program and Framework
– Technology Implementation and Engineering
– Mobile Device and Virtualization Security
Technical Business Consulting
– IT Transformation and Strategy
– Technical Project Management
– IT Supplier & Sourcing Management
– IT Expense Management

6 Web Vulnerability Assessments
Conducted against a contract with specific terms, most often called the Statement of Work (SOW)
Specify in the SOW:
– System to be tested (URL): Production or Non-Prod?
– Type and level of testing: level of automated and manual testing; “safe” tests only?
– Hours for testing: nights only?
– Whitelist IP addresses in WAF, IPS?
– Special concerns?
– The more information, the better the assessment

7 Web Vulnerability Assessments
Types of Application Security Testing:
– Dynamic Analysis Security Testing (DAST), “Black Box”: tests the actual web site for vulnerabilities; simulates what a real attacker would do
– Static Analysis Security Testing (SAST), “White Box”: tests code for vulnerabilities. A real attacker would likely not have access to the code; this method is a different approach to identifying potential security flaws.
– Hybrid, “Glass Box”: dynamic test against an instrumented web server
– Manual testing can occur in each type
This talk covers Dynamic Testing
– Some tools perform static analysis of JavaScript

8 “Typical” Web Assessment Steps
Recon
– Site components and architecture
– Open ports? Hack the server
Manually crawl site with an Intercepting Proxy
Automated scan of site
Results verification
– False positives removal
Manual testing
– Things tools don’t do well: business logic, privilege escalation, etc.
Reporting

9 Recon
Visit site
Site information
– Netcraft, Shodan, etc.
Google Dorks
– Files, passwords, WSDL, admin logons, etc.
Port Scan
– Nmap, Nessus, Qualys
– May perform an infrastructure vulnerability scan: missing patches, configuration issues, etc.
Check security configuration

10 Configuration Checkers
Microsoft Web Application Configuration Analyzer
– Needs Admin on server; checks SQL Server too
– ca/download/details.aspx?id=573
Check Your Headers
SSL Labs
ASAFAWEB

11 Crawl Site with Intercepting Proxies
Burp*
Fiddler
Zed Attack Proxy (ZAP)
* Free and Professional versions

12 Intercepting Proxy
Man-in-the-Middles all traffic
Hackers and testers can see all data transmitted
Hidden fields => NOT a security feature
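The hidden-field point above, shown from the server side as an added example (not code from the presentation or from OpenSky): the first handler trusts a hidden price field that anyone behind an intercepting proxy can rewrite, the second recomputes the price from a server-side catalogue, and the HMAC helpers show how to bind a hidden value when it really must round-trip through the client. The catalogue, key and form bodies are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed server-side catalogue (assumed): the only authoritative prices, in cents.
CATALOGUE = {"sku-100": 4999, "sku-200": 1500}
# Assumed server-side key; a real deployment loads it from a secret store.
SECRET = b"constructed-demo-key"


def vulnerable_checkout(body: str) -> int:
    """Trusts the hidden 'price' field that the browser echoed back.
    Anyone running an intercepting proxy can rewrite it before it reaches us."""
    form = parse_qs(body)
    qty = int(form["qty"][0])
    price = int(form["price"][0])  # client-controlled value
    return qty * price


def hardened_checkout(body: str) -> int:
    """Ignores any client-supplied price and recomputes it from the catalogue."""
    form = parse_qs(body)
    sku = form["sku"][0]
    qty = int(form["qty"][0])
    if sku not in CATALOGUE or not (1 <= qty <= 100):
        raise ValueError("rejected: unknown sku or bad quantity")
    return qty * CATALOGUE[sku]


def sign_hidden(value: str) -> str:
    """If a hidden field must round-trip through the client, bind it with an HMAC."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_hidden(field: str) -> str:
    """Returns the value only if the tag still matches; a proxy edit breaks it."""
    value, _, tag = field.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("rejected: hidden field was tampered with")
    return value


if __name__ == "__main__":
    # Constructed POST body as a proxy user might send it: price rewritten to 1 cent.
    tampered = "sku=sku-100&qty=2&price=1"
    print("vulnerable total:", vulnerable_checkout(tampered))  # 2
    print("hardened total:", hardened_checkout(tampered))      # 9998
```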

13 Burp

14 Burp – Analyze Request & Response

15 Scan Site – Dynamic Scanners
Acunetix
AppScan
WebInspect
– dynamic-analysis-dast/
Burp & ZAP have scanning modules

16 AppScan

17 DEMO

18 Resources
OWASP
– Cheat Sheets
– Testing Guide: of_Contents
WASC
– Not updated recently, but some good content
The Web Application Hacker's Handbook
– Handbook/dp/

19 Contact Information
Web Site:
