OWASP WebScarab NG FOSDEM 2008. The OWASP Foundation http://www.owasp.org/

Similar documents
3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Application Code Development Standards

Web Application Penetration Testing

Web attacks and security: SQL injection and cross-site scripting (XSS)

(WAPT) Web Application Penetration Testing

Early Vulnerability Detection for Supporting Secure Programming

Testing for Security

Essential IT Security Testing

Java Web Application Security

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Thick Client Application Security

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

How to Build a Trusted Application. John Dickson, CISSP

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Web Engineering Web Application Security Issues

An Introduction to Application Security in J2EE Environments

Managing Web & Application Security with OWASP bringing it all together. Tobias Gondrom (OWASP Project Leader)

Using Sprajax to Test AJAX. OWASP AppSec Seattle Oct The OWASP Foundation

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Adobe Systems Incorporated

What is Web Security? Motivation

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Ethical Hacking as a Professional Penetration Testing Technique

Where every interaction matters.

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Passing PCI Compliance How to Address the Application Security Mandates

Using Free Tools To Test Web Application Security

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Strategic Information Security. Attacking and Defending Web Services

Barracuda Web Site Firewall Ensures PCI DSS Compliance

elearning for Secure Application Development

Testing the OWASP Top 10 Security Issues

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Executive Summary On IronWASP

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

OWASP Top Ten Tools and Tactics

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Sichere Software- Entwicklung für Java Entwickler

Web application security: Testing for vulnerabilities

Secure Coding in Node.js

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Secure Web Development Teaching Modules 1. Threat Assessment

Bust a cap in a web app with OWASP ZAP

IJMIE Volume 2, Issue 9 ISSN:

Web application testing

Security Testing Of (Web) Applications. Erwin Geirmaert Security Innovation

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Implementation of Web Application Firewall

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

How To Understand And Understand The Security Of A Web Browser (For Web Users)

Web Application Report

Web Application Security

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Attack Vector Detail Report Atlassian

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Security Testing and Vulnerability Management Process. e-governance

Information Security. Training

CS5008: Internet Computing

Web Applications with CA 2E and WebsydianExpress

SQuAD: Application Security Testing

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

MANAGED SECURITY TESTING

Pentests more than just using the proper tools

Application Security Testing

Magento Security and Vulnerabilities. Roman Stepanov

Designing and Coding Secure Systems

Intrusion detection for web applications

Real World Web Service Testing For Web Hackers

OWASP AND APPLICATION SECURITY

Building & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May Belfast

Attack and Penetration Testing 101

Integrating Web Application Security into the IT Curriculum

What Every (Software) Engineer Needs To Know About Security. -- and -- Where To Learn It

Web application security

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Web Application Vulnerabilities

MatriXay Database Vulnerability Scanner V3.0

Web Application Security

Penetration Testing with Kali Linux

Transcription:

OWASP WebScarab NG FOSDEM 2008 Rogan Dawes, WebScarab Project Lead Senior Application Security Engineer Aspect Security rogan@dawes.za.net Copyright 2008 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/

What is OWASP? < OWASP Open Web Application Security Project 4 Non-Profit Foundation started in 2000 4 Professionals and security experts from around the world 4 Contributing their time because this problem is so important 4 Commercial quality tools and documentation < Top Ten Most Critical Web Application Security Vulnerabilities 4 Adopted by PCI and the FTC as the standard for application security "This Ten-Most-Wanting List acutely scratches at the tip of an enormous iceberg. The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense." Dr. Peter G. Neumann, Principal Scientist, SRI International Computer Science Lab, Moderator of the ACM Risks Forum, Author of "Computer-Related Risks"

OWASP Top Ten Awareness document for developers 4 Unvalidated Parameters 4 Broken Access Control 4 Broken Account and Session Management 4 Cross Site Scripting Flaws 4 Buffer Overflows 4 Command Injection Flaws 4 Error Handling Problems 4 Insecure Use of Cryptography 4 Application Denial of Service 4 Web/Application Server Misconfigurations OWASP Guide Complete details in The OWASP Guide for Building Secure Web Applications and Web Services

OWASP WebGoat <A deliberately vulnerable Web Application <A safe environment for learning about vulnerabilities exploits and fixes <DON T try this on other sites!!! 4

OWASP Local Chapters <Encourage local discussion of application security around the world <Free and open to anyone <Meet monthly or quarterly <Presentations and discussion of key application security topics 5

OWASP Conferences <Historically 2 annually 4USA (New York 2004, Washington 2005, Seattle 2006, San Jose 2007) 4Europe (London 2005, Brussels 2006, Milan 2007) <3 this year 4Australia (next week) 4Brussels (May) 4New York (October) 6

OWASP <Season> of Code <Modeled on Google s Summer of Code <Encourages existing (and new) participants to work on OWASP projects <So far, Autumn of Code, Spring of Code <Examples: 4OWASP Testing Guide 4OWASP Anti-Samy project 4OWASP WebGoat Solutions guide <More than $100,000 paid out 7

So what s the problem again? <Many organizations simply trust their developers to produce secure code if they ve even thought about it <In many cases, that trust is misplaced! 4Search engines are part of the problem J <Lack of awareness of the problem is part of the problem! 8

How can we fix it? <Education 4Documentation 4Training (WebGoat) <Code review <Pen testing 4This is where WebScarab (-NG) comes in

OWASP WebScarab <One of the flagship OWASP tools <Written in Java (my first Java program J) <Started in 2003 <Key features 4Direct access to the underlying HTTP protocol 4Intercepting proxy (including SSL) 4Session history 4Spider, Fuzzer, WebServices, Scripting (BSF) <Drawbacks 4Clunky! (What did *I* know about HIG?) 4Memory leaks 10

11

Introducing WebScarab NG 12

Improvements over -classic <User-visible 4Using Spring Rich Client Platform (HIG-friendly UI!) 4Different views of the same data now consistent! 4New ContentType editors 4Floating Proxy toolbar 4Dockable views <Under the hood 4Using a proper DB (HSQLDB) to store history 4Using Spring Framework (DB, internal wiring) 4Fewer leaks hopefully! 13

Demonstration WebScarab-NG vs WebGoat FIGHT!! 14

Weaknesses vs -classic <Many features not yet implemented 4Plugins Spider Scripting SessionID Analysis etc 4Protocol support (NTLM/certs/smart cards/pkcs#11) 4Shared Cookie jar 15

Future directions <Identity module 4Tag identity transition points (logon/logoff/timeout) 4Supports things like reverse-engineering Access Control Matrices <Random generator quality assessment 4-classic SessionIDAnalysis plugin pretty but flawed 4Inspired by Michal Zalewski s stompy <Re-implement HTTP client (currently Jakarta) 4Desire complete control over the connection to server 4Apparently whitespace matters! 16

Getting involved <Run via Java WebStart <Join the list 4owasp-webscarab@lists.owasp.org <Browse the source 4http://dawes.za.net/rogan/webscarabng/webstart/WebScarab-ng.jnlp 4http://dawes.za.net/gitweb.cgi?p=rogan/webscarabng/webscarab-ng.git;a=summary <Clone the repo 4git clone http://dawes.za.net/rogan/webscarabng/webscarab-ng.git/ 17

Questions??? 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information