Using Free Tools To Test Web Application Security
Speaker Biography
- Matt Neely, CISSP, CTGA, GCIH, and GCWN
- Manager of the Profiling Team at SecureState
- Areas of expertise: wireless, penetration testing, physical security, security convergence, and incident response
- Over 10 years of security experience
- Outside of work: Co-host of the Security Justice podcast
SecureState Overview
- A Management Consulting Firm Specializing in Information Security
- Founded in September 2001
- Payment Card Industry (PCI) Certified:
  - Qualified Security Assessor (QSA)
  - Approved Scanning Vendor (ASV)
  - Qualified Payment Application Security Company
- Largest dedicated security company in the Great Lakes Region
- Number of Employees: 47
The Company We Keep
- Key Industries: Retail, Financial Services, Healthcare, Critical Infrastructure, Professional Services, Service Providers, Education, Food Service, Entertainment, and Government
SecureState Overview
- Audit and Compliance
  - PCI (Payment Card Industry)
  - ISO 27001/SAS 70
  - SOX, GLBA, HIPAA, TG-3, NERC/CIP, etc.
  - INFOSEC (Information System Security Risk Assessment)
- Profiling and Attack
  - Web Application Security (WAS)
  - Attack and Penetration Services (internal, external, client, physical, wireless)
  - Wireless Audits
  - Training
- Risk Management
  - Security Program Manager (SPM)
  - StateScan
  - SecureTime
  - Architecture Reviews
- Business Preservation Services
  - Data Forensics/Incident Response
  - Business Impact Analysis
- Advisory Services
  - CISO Advisement
  - Risk Management
  - Special Projects
Importance of Assessing Web Applications
- Insecure web applications are the most common way attackers penetrate companies from the Internet and gain access to sensitive information
- As companies harden their perimeter, attackers are moving to attacking web applications
- Vulnerabilities in web applications are the fastest growing type of vulnerability
PCI DSS 1.2 Requirement 6.6 Compliance
Two options for meeting requirement 6.6:
- Option 1: Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
  - At least annually
  - After any changes
  - By an organization that specializes in application security (assessments may be performed by a qualified internal resource or a qualified third party)
  - So all vulnerabilities are corrected
  - So the application is re-evaluated after the corrections
- Option 2: Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.
Web Application Security Assessments
- Black Box
  - Scanning a site with an automated tool
  - Automated tools are prone to false positives and will not find flaws in business logic
- Grey Box
  - Manually testing a site for vulnerabilities (80% manual, 20% automated)
  - Assessor should review use case documentation to understand the business logic of the site and tailor attacks to the specific site
  - Quality of the test relies on the experience of the tester
- White Box
  - Source code review
  - Very thorough
  - Very resource intensive
Where Assessments Fit in SDLC
OWASP Top 10-2010
- A1 Injection
- A2 Cross-Site Scripting (XSS)
- A3 Broken Authentication and Session Management
- A4 Insecure Direct Object References
- A5 Cross-Site Request Forgery (CSRF)
- A6 Security Misconfiguration
- A7 Insecure Cryptographic Storage
- A8 Failure to Restrict URL Access
- A9 Insufficient Transport Layer Protection
- A10 Unvalidated Redirects and Forwards
Free Web Vulnerability Scanners
- Grendel Scan
- Nikto
- Paros
- Skipfish
- W3AF
Commercial Web Vulnerability Scanners
- Acunetix
- Burp-Pro
- Cenzic Hailstorm
- HP WebInspect
- IBM Rational AppScan
Web Proxies
- Burp
- Paros
- WebScarab
Warning: Testing with the Newest Versions of IE and Firefox
- Newest versions of Firefox and IE implement client-side controls to block certain attacks such as cross-site scripting
- Complicates testing and leads to validation problems
- Disable controls if possible or test with an older browser
- Do not use older browsers or browsers with security features disabled for general web surfing
Web Application Scanning Process
1. Set up the scanner
2. Crawl and spider the site
3. Run scan
4. Validate results
Lab Setup
Connecting to the Network
- Connect to the wireless network
- SSID: SecureState
- Password: gobrowns
Install Paros
- Browse to: http://192.168.1.102/paros/
- Download the version of Paros for your OS
- Run installer
Setting Up Paros as a Proxy: Determine Proxy Port Used by Paros
- Tools > Options > Local Proxy
- Note address and port
- Note: Default may need to be changed when using multiple proxies
Setting Up Paros as a Proxy: Configure IE to Use a Proxy Step 1
Setting Up Paros as a Proxy: Configure IE to Use a Proxy Step 2
Setting Up Paros as a Proxy: Configure IE to Use a Proxy Step 3
Setting Up Paros as a Proxy: Configure Firefox to Use a Proxy Step 1
Setting Up Paros as a Proxy: Configure Firefox to Use a Proxy Step 2
Setting Up Paros as a Proxy: Configure Firefox to Use a Proxy Step 3
Tour of Paros
Intercepting and Manipulating Data
Spidering and Crawling a Site
- Spidering is an automated process in which Paros follows links on a page to generate a site map
- By default Paros ignores links to external sites
- Paros uses the site map to determine which pages will be tested
- Very important to also manually crawl the site to ensure every page is mapped and scanned
- Automated spiders often miss links in JavaScript
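The two points on this slide (the spider stays in scope, and it only follows real links) are easy to see in a minimal crawler. The following is an added example, not code from the deck or from Paros: it crawls a constructed in-memory site (the `app.example` and `partner.example` hosts and all pages are made up) by following `href` and form `action` attributes, records out-of-scope links without following them, and finishes by listing the page that only a manual walk through the browser would have added to the site map because it is reachable only through JavaScript.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (not a real host): full URL -> HTML returned for it.
# "/reports/export" is linked only from JavaScript, so a link-following spider
# never sees it; the partner.example link is out of scope for the assessment.
SITE = {
    "http://app.example/": """<html><body>
        <a href="/login">Login</a>
        <a href="about.html">About</a>
        <a href="http://partner.example/portal">Partner portal</a>
        <script>function export_report() { location.href = '/reports/export'; }</script>
        <button onclick="export_report()">Export</button>
        </body></html>""",
    "http://app.example/login":
        '<form action="/login" method="post"><input name="user"></form><a href="/">Home</a>',
    "http://app.example/about.html":
        '<p>About us</p><a href="/login?next=/about.html">Sign in</a>',
    "http://app.example/reports/export": "<p>Reachable only through JavaScript</p>",
}


class LinkExtractor(HTMLParser):
    """Collect the href/action attributes a simple spider follows."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "link") and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def fetch(url):
    """Stand-in for an HTTP GET: look the page up in the constructed site."""
    key = urlparse(url)._replace(query="", fragment="").geturl()
    return SITE.get(key, "")


def spider(start, fetch=fetch):
    """Breadth-first crawl from `start`, staying on the start URL's host.

    Returns (site_map, external): in-scope URLs that were visited (query
    strings kept, since parameters are what gets tested later), and the
    out-of-scope links that were recorded but not followed.
    """
    scope_host = urlparse(start).netloc
    queue = [start]
    site_map, external = set(), set()
    while queue:
        url = queue.pop(0)
        if url in site_map:
            continue
        site_map.add(url)
        parser = LinkExtractor()
        parser.feed(fetch(url))
        for href in parser.links:
            # Resolve relative links against the page they appear on; drop fragments
            target = urlparse(urljoin(url, href))._replace(fragment="").geturl()
            if urlparse(target).netloc != scope_host:
                external.add(target)   # mirrors Paros ignoring external sites
            elif target not in site_map:
                queue.append(target)
    return site_map, external


if __name__ == "__main__":
    found, skipped = spider("http://app.example/")
    for url in sorted(found):
        print("mapped:      ", url)
    for url in sorted(skipped):
        print("out of scope:", url)
    reached = {urlparse(u)._replace(query="").geturl() for u in found}
    print("never reached (add by browsing manually):", sorted(set(SITE) - reached))
```

Running it maps four in-scope URLs, parks the partner link as external, and reports `/reports/export` as never reached, which is the gap the manual crawl step exists to close.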
Using Paros to Spider and Crawl
Scanning for Vulnerabilities
Reviewing the Results
Validating the Results
- Even the best scanner will produce false positives
- Very important to manually validate all scan results
A2 - Cross-Site Scripting (XSS)
- Cross-Site Scripting (XSS)
  - Occurs when attacker sends malicious link, code, or email to victim
  - Allows for execution of JavaScript in victim's browser context
  - Allows for cross-site communications
- Cause
  - No input validation of headers, cookies, query strings, form fields (visible or hidden)
- Possible Outcomes
  - Session Hijacking
  - Site Defacement
  - Phishing through URL redirection
  - Worms
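To tie this slide to the validation step two slides earlier: a reflected-XSS finding from a scanner is confirmed or dismissed by checking how the parameter actually comes back in the response. The following is an added example, not from the deck or from Paros. It puts the vulnerable pattern (input concatenated into HTML) beside the fix (HTML-encoding on output), and adds a small triage helper that classifies a response by whether an inert probe string (`<probe-marker>`, a constructed non-tag that executes nothing) is reflected verbatim, reflected encoded, or not reflected at all. The `render_*` functions stand in for whatever server-side code produces the page; they are assumptions for the example, not a real framework API.

```python
import html

PROBE = "<probe-marker>"   # constructed, inert marker: not a real tag, executes nothing


def render_unsafe(name):
    # Vulnerable: the request parameter is concatenated straight into the page,
    # so any markup it contains is parsed by the victim's browser
    return f"<p>Hello, {name}!</p>"


def render_safe(name):
    # Hardened: HTML-encode on output so the value is displayed as text and is
    # never interpreted as markup (quote=True also covers attribute contexts)
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def classify_reflection(body, probe):
    """Triage a scanner's reflected-XSS finding against the real response.

    'unencoded'     the probe came back verbatim: the finding is confirmed
    'encoded'       it came back HTML-encoded: record it as a false positive
    'not reflected' the parameter does not reach the page at all
    """
    if probe in body:
        return "unencoded"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "not reflected"


if __name__ == "__main__":
    for label, page in (("unsafe", render_unsafe(PROBE)), ("safe", render_safe(PROBE))):
        print(f"{label:6s} -> {classify_reflection(page, PROBE):13s} {page}")
```

In practice the `body` argument is the raw response captured in the proxy for the request the scanner flagged; the classification, not the scanner's verdict, is what goes into the report.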
Useful Firefox Extensions
- SwitchProxy
- NoScript
- Firebug
- Hackbar
- SQL Inject ME
- XSS ME
- User Agent Switcher
- Web Developer Toolbar
Other Useful Tools
- DirBuster
- JBroFuzz
- SwfScan
Where to Learn More
- Web Hacker's Handbook
- OWASP: Numerous free projects, programs, and educational resources
  - OWASP Podcast
  - http://www.owasp.org
- Practice web applications: OWASP Broken Web Applications Project
  - Collection of practice web applications in a single virtual machine
  - http://code.google.com/p/owaspbwa/
Thank you for your time!
Matthew Neely
mneely@securestate.com
@matthewneely
Q&A
A1 Injection Flaws
- Injection Flaws
  - SQL Injection is the most common injection flaw
  - Occurs when user-supplied data is sent to an interpreter as part of a command or query
  - Attacker tricks interpreter into executing unintended commands via specially crafted input
- Cause
  - User input is not properly sanitized
- Possible Outcomes
  - Create, Read, Update, and/or Delete Data
  - Command Execution
  - Full Host Compromise
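The slide's "user-supplied data sent to the interpreter as part of a query" is concrete in a few lines of code. The following is an added example, not from the deck: a throwaway SQLite database (the `users` table and its three constructed rows are made up for the example) queried two ways. The vulnerable version builds the SQL text by string formatting, so a quote in the input changes the statement's structure; the fixed version binds the value as a parameter, so the interpreter can only ever treat it as data. The classic tautology input shows the difference: it turns a single-user lookup into a dump of every row in the first case and matches nothing in the second.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable: the input is concatenated into the query text, so quote
    # characters in it become part of the SQL the interpreter executes
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Hardened: a bound parameter is passed to the engine separately from the
    # statement text and is always treated as a value, never as SQL
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"   # the textbook tautology input
    print("unsafe, normal input: ", find_user_unsafe(conn, "bob"))
    print("unsafe, crafted input:", find_user_unsafe(conn, crafted))
    print("safe,   crafted input:", find_user_safe(conn, crafted))
```

The same distinction applies to any interpreter the slide has in mind (LDAP, OS commands, XPath): the fix is always to keep the command structure fixed and hand the untrusted value over through an API that cannot reinterpret it, with input validation as a second layer rather than the only one.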