Web Vulnerability Assessments
NEWDUG, January 2015
Agenda
  About
  Web Vulnerability Assessments: Goals, Types, SOW, Steps
  Tools
  Demos

Goals
  Demonstrate a Web VA and show the techniques pen-testers and hackers use to find vulnerabilities in your sites
  Provide some techniques and tools to help secure your code
John Reynders
  Consultant with OpenSky Corp.
  Seven years of experience in Web Security: program development, dynamic testing, static analysis, coding standards, web application firewalls
  Eight years of general Information Security experience
OpenSky - An Award Winning Company
  Everything starts with our people. Our success comes from their expertise and dedication to always “doing the right thing” for our clients.
  Our people
    Expert resources: CRN Tech Elite 250 (2013)
    Quality work environment: Top Workplace (2011, 2012, 2013)
  Our people create top tier solutions
    GRC Solution Award with client Shire Pharmaceuticals: OCEG (2013)
  Our people and our solutions create lasting relationships and new partners
    Multiple growth awards: Inc 500 (2012), CRN (2011, 2012), Marcum Tech Top 40 (2011, 2012)
Complete Solutions for Major Enterprises
  Secure | Manage | Plan, Design & Migrate
  IT Risk Management & Security Services
    Assessment and Advisory
    Application Secure Coding
    Vulnerability Assessment and Penetration Testing
    Security Program and Framework
    Technology Implementation and Engineering
    Mobile Device and Virtualization Security
  Datacenter & Cloud Infrastructure Services
    Data Center and Cloud Integration
    Network Infrastructure
    Virtualization
    Storage and Computing Infrastructure
    Applications
    End-User Computing
  GRC Services
    GRC Strategy
    GRC Maturity Assessment
    GRC Configuration and Custom Development
  Technical Business Consulting
    IT Transformation and Strategy
    Technical Project Management
    IT Supplier & Sourcing Management
    IT Expense Management
Web Vulnerability Assessments
  Conducted against a contract with specific terms, most often called the Statement of Work (SOW)
  Specify in the SOW:
    System to be tested (URL)
    Production or non-prod?
    Type and level of testing
    Level of automated and manual testing
    “Safe” tests only?
    Hours for testing: nights only?
    Whitelist IP addresses in WAF, IPS?
    Special concerns?
  The more information, the better the assessment
  Additional considerations: number of user roles, whether retesting is included, and (if non-prod) whether travel will be involved
Web Vulnerability Assessments
  Types of Application Security Testing:
    Dynamic Analysis Security Testing (DAST), “Black Box”
      Tests the actual web site for vulnerabilities
      Simulates what a real attacker would do
    Static Analysis Security Testing (SAST), “White Box”
      Tests the code for vulnerabilities
      A real attacker would likely not have access to the code; this method is a different approach to identifying potential security flaws
    Hybrid, “Glass Box”
      Dynamic test against an instrumented web server
  Manual testing can occur in each type
  This talk covers dynamic testing; some tools also perform static analysis of JavaScript
“Typical” Web Assessment Steps
  Recon
    Site components and architecture
    Open ports? Hack the server
  Manually crawl the site with an intercepting proxy
  Automated scan of the site
  Results verification: false positive removal
  Manual testing: things tools don’t do well
    Business logic
    Privilege escalation
    etc.
  Reporting
Recon
  Visit the site
  Site information: Google Dorks, port scan, Netcraft, Shodan, etc.
  Google Dorks: files, passwords, WSDL, admin logons, etc.
  Port scan: Nmap, Nessus, Qualys
    May perform an infrastructure vulnerability scan: missing patches, configuration issues, etc.
  Check security configuration
Configuration Checkers
  Microsoft Web Application Configuration Analyzer (needs Admin on the server; checks SQL Server too)
    http://www.microsoft.com/en-ca/download/details.aspx?id=573
  Check Your Headers
    http://cyh.herokuapp.com/cyh
  SSL Labs
    https://www.ssllabs.com/ssltest/index.html
  ASAFAWEB
    https://asafaweb.com/
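The hosted checkers above (Check Your Headers, ASAFAWEB) look at the response headers a site sends and flag missing hardening headers and version disclosure. The script below is an added example, not from the slides or from any of those tools: it runs the same kind of check over a header block you paste from an intercepting proxy. The header list, the expected values and the two sample responses are constructed assumptions drawn from common practice, so it runs offline.

```python
"""Check an HTTP response header block for common security hardening headers.

Added example: mirrors the sort of check "Check Your Headers" / ASAFAWEB perform,
but over a constructed header block so it runs offline. Header names, expected
values and sample responses are assumptions, not output of any real tool.
"""
from typing import Callable, Dict, List, Tuple

# (header, validator for its value, advice when missing or weak) - assumed baseline
CHECKS: List[Tuple[str, Callable[[str], bool], str]] = [
    ("Strict-Transport-Security", lambda v: "max-age=" in v.lower(),
     "send HSTS with a max-age so browsers stay on HTTPS"),
    ("X-Frame-Options", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
     "use DENY or SAMEORIGIN to limit clickjacking"),
    ("X-Content-Type-Options", lambda v: v.strip().lower() == "nosniff",
     "set nosniff so browsers honour the declared Content-Type"),
    ("Content-Security-Policy", lambda v: bool(v.strip()),
     "define a CSP to restrict script and resource sources"),
]

# Headers that reveal server/framework versions to anyone reading the response.
DISCLOSURE_HEADERS = ["Server", "X-Powered-By", "X-AspNet-Version"]


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw header block (as copied from a proxy) into a name->value dict.

    The status line is skipped; only the first occurrence of a header is kept.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), value.strip())
    return headers


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding string per missing/weak hardening header or disclosure."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings: List[str] = []
    for name, ok, advice in CHECKS:
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"MISSING {name}: {advice}")
        elif not ok(value):
            findings.append(f"WEAK {name}={value!r}: {advice}")
    for name in DISCLOSURE_HEADERS:
        if name.lower() in lower:
            findings.append(f"DISCLOSURE {name}={lower[name.lower()]!r}: remove or genericise")
    return findings


# Constructed sample: a weakly configured response as it might appear in a proxy.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOWALL
"""

# Constructed sample: the same site after the headers were tightened.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = check_headers(parse_raw_headers(raw))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Paste the response headers you captured in Burp, Fiddler or ZAP into `parse_raw_headers` to run the check against your own site; the weak sample produces seven findings and the hardened one none.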
Crawl Site with Intercepting Proxies
  Burp*
    http://portswigger.net/
  Fiddler
    http://www.telerik.com/fiddler
  Zed Attack Proxy (ZAP)
    https://code.google.com/p/zaproxy/wiki/Downloads
  * Free and Professional versions
Intercepting Proxy
  An intercepting proxy man-in-the-middles all traffic between the browser and the server
  Hackers and testers can see all data transmitted
  Hidden fields => NOT a security feature
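Why a hidden field is not a security feature, as an added example that is not from the slides: the same checkout handler is written twice, once trusting the hidden `price` field the page rendered and once looking the price up server-side. The catalogue, the field names and the two form submissions are constructed assumptions; the second submission is the first one after the hidden field has been edited in a proxy, which is exactly what the proxy slide above lets a tester see and do.

```python
"""Hidden form fields are not a security control.

Added example (not from the slides). Two versions of a checkout handler:
one trusts the hidden "price" field the page rendered, one looks the price
up server-side. Catalogue, field names and form submissions are constructed.
"""
from decimal import Decimal

# Server-side price list (constructed). The only trusted source of prices.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("199.00")}


class InvalidOrder(ValueError):
    """Raised by the hardened handler when the submitted order is not acceptable."""


def checkout_trusting_hidden_field(form: dict) -> Decimal:
    """Vulnerable: the page emitted <input type="hidden" name="price" ...> and the
    handler multiplies whatever value comes back. Anyone sitting behind an
    intercepting proxy can change that value before it reaches the server."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def checkout_server_side_lookup(form: dict) -> Decimal:
    """Hardened: the client sends only an identifier and a quantity. The price
    comes from CATALOG, inputs are validated, and any 'price' field the client
    sends (tampered or not) is simply ignored."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise InvalidOrder(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise InvalidOrder("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise InvalidOrder("quantity out of range")
    return CATALOG[sku] * qty


# What the browser submitted as the page was rendered (constructed).
AS_RENDERED = {"sku": "SKU-200", "price": "199.00", "qty": "1"}
# The same request after the hidden field was edited in an intercepting proxy (constructed).
TAMPERED = {"sku": "SKU-200", "price": "0.01", "qty": "1"}

if __name__ == "__main__":
    print("trusting hidden field:", checkout_trusting_hidden_field(AS_RENDERED),
          "->", checkout_trusting_hidden_field(TAMPERED))
    print("server-side lookup   :", checkout_server_side_lookup(AS_RENDERED),
          "->", checkout_server_side_lookup(TAMPERED))
```

The same rule applies to every client-supplied value, hidden or not: cookies, JavaScript-set fields and URL parameters all pass through the same proxy, so the server must re-derive or validate anything that matters rather than trust what the page rendered.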
Burp
Burp – Analyze Request & Response
Scan Site – Dynamic Scanners
  Acunetix
    http://www.acunetix.com/
  AppScan
    http://www-03.ibm.com/software/products/en/appscan
  WebInspect
    http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/
  Burp & ZAP have scanning modules
AppScan
DEMO
Resources
  WASC - http://www.webappsec.org/ (not updated recently, but some good content)
  OWASP - http://www.owasp.org/
    Cheat Sheets: https://www.owasp.org/index.php/Cheat_Sheets
    Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  The Web Application Hacker's Handbook - http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470
Contact Information
  Email: jreynders@openskycorp.com
  Web Site: http://www.openskycorp.com/