Application Security Tools
Application Security - III: Security Analysis Tools
Lalit Kale
http://lalitkale.wordpress.com
Overview
• OWASP Top 10 Threats
• Security Analysis Tools Landscape
• Attack Simulation Tools
• Defense Assisting Tools
• Risk mitigation for Injection Attacks
• Risk mitigation for XSS Attacks
• Resources
OWASP Top 10 Threats
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control (e.g. Failure to Restrict URL Access)
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities (e.g. Security Misconfiguration)
• Unvalidated Redirects and Forwards
Security Analysis Tools Landscape
XSS Me
• XSS-Me is a Firefox add-on used to test for reflected Cross-Site Scripting (XSS). It does not currently test for stored XSS.
• It is only used for run-time application security testing and is not related to static code analysis.
• The tool works by submitting your HTML forms and substituting each form value with strings that are representative of an XSS attack.
• XSS Filter Evasion Cheat Sheet:
• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Devise your own attack! http://ha.ckers.org/xsscalc.html
XSS Me
• Demo Website: http://www.testfire.net
• Search for a normal string: http://www.testfire.net/search.aspx?txtSearch=test
• Search for an XSS-induced attack: http://www.testfire.net/search.aspx?txtSearch=<script>alert('xss')</script>
SQL Inject Me
• SQL Inject Me is a Firefox add-on used to test for SQL Injection.
• It is only used for run-time application security testing.
• The tool works by submitting your HTML forms and substituting the
form value with strings that are representative of an SQL Injection
attack.
• Advanced attacks, such as blind SQL injection, may require
additional manual testing (e.g. attempting to bypass
authentication).
SQL Inject Me
• Demo Website: http://testfire.net/bank/login.aspx
• UserName/Password: Jsmith/Demo1234; after login, navigate to the following page:
  http://testfire.net/bank/transaction.aspx
• Observe the 'After' field:
  • Normal input: 01/01/2013
  • Injected input: 01/01/2006 union select userid,null,username+','+password,null from users--
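Added example (not from the slides): the 'After' field query written with string concatenation and, beside it, with a bound parameter, run against a constructed in-memory SQLite stand-in for the demo bank. The slide's UNION SELECT is adapted to SQLite syntax (a closing quote, and || in place of T-SQL's +); the schema, column names and row values are assumptions for this demo.

```python
import sqlite3

# Constructed stand-in for the demo bank's data (assumed schema, not testfire.net's).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(userid INTEGER, username TEXT, password TEXT);
        CREATE TABLE transactions(acct INTEGER, tdate TEXT, descr TEXT, amount REAL);
        INSERT INTO users VALUES (1, 'jsmith', 'Demo1234');
        INSERT INTO transactions VALUES (1001, '01/02/2013', 'deposit', 100.0);
    """)
    return con

NORMAL = "01/01/2013"
# The slide's UNION SELECT, adapted to SQLite string syntax for this demo:
# a quote closes the date literal and || concatenates where T-SQL uses +.
PAYLOAD = "01/01/2006' union select userid,null,username||','||password,null from users--"

def transactions_vulnerable(con, acct, after):
    """String concatenation: the 'After' field becomes part of the SQL text."""
    sql = ("SELECT acct, tdate, descr, amount FROM transactions "
           f"WHERE acct = {int(acct)} AND tdate >= '{after}'")
    return con.execute(sql).fetchall()

def transactions_safe(con, acct, after):
    """Bound parameter: the driver sends the value separately, so it is never parsed as SQL."""
    sql = ("SELECT acct, tdate, descr, amount FROM transactions "
           "WHERE acct = ? AND tdate >= ?")
    return con.execute(sql, (acct, after)).fetchall()

def leaks_credentials(rows):
    """True if any returned cell carries a value from the users table."""
    return any(isinstance(v, str) and "Demo1234" in v for row in rows for v in row)

if __name__ == "__main__":
    con = make_db()
    print(transactions_vulnerable(con, 1001, NORMAL))   # one transaction row
    print(transactions_vulnerable(con, 1001, PAYLOAD))  # transaction row plus a users row
    print(transactions_safe(con, 1001, PAYLOAD))        # transactions only; the payload is an inert string
```

The same input that rewrites the concatenated statement is compared as an ordinary date string by the parameterized one, which is the mitigation the overview's "Risk mitigation for Injection Attacks" item refers to.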
Hackbar
• Hackbar is a Firefox add-on used to test for XSS and SQL Injection.
• It is useful while handcrafting attacks or doing penetration testing.
• Features include:
  • Loading a URL
  • Slicing a URL
  • Character encoding
  • Executing a crafted URL request
Tamper Data
• Firefox add-on used to modify HTTP requests and responses
• Trace and time HTTP requests/responses
• Modify POST parameters
• Add HTTP Headers
• Encode/Decode strings
• Limited ability for testing XSS and SQL Injection
Cookie Manager +
• Firefox add-on used to view, modify, create, back up and restore cookies.
• Features include:
  • Ability to filter cookies based on domain
  • Option to back up and restore cookies
  • Ability to change the expiry date of a cookie
Wappalyzer
• Firefox add-on for revealing the internals of websites/web applications
• Analyzes the DOM and HTTP response headers and identifies the libraries, frameworks and components used to build the website
• Once an attacker knows more about the internal components, s/he can use that information to exploit known vulnerabilities in those components, libraries, frameworks or servers
FxCop
• Static Code Analysis Tool for applications written in Microsoft .NET Framework
• Has security and security transparency rules
• Determines whether HTML output includes input parameters from:
  • Form fields
  • Query strings
  • Databases and data access methods
  • Cookie collection
  • Session and application variables
Fiddler Plugin: Ammonite
• URL: http://ammonite.ryscc.com/
• Paid Web Security Tool
• Detect Critical Vulnerabilities
• Ultimate Control: Manual and Automatic mode for testing
• Fuzz Multiple Request Formats
• Ammonite understands how to stuff faults into XML, JSON, URL-encoded and multi-part POST bodies.
• Tests all request sections, including cookies, headers, URL path elements (RESTful apps), query string and request body.
• Passive checks that scan responses for credit card numbers, hidden form fields, HTTP/500 errors and verbose error messages.
• Export results as HTML Report
Fiddler Plugin: Watcher
• URL: http://websecuritytool.codeplex.com
• Free Web Security Tool
• Passively monitors traffic for 40+ checks
• Can also work offline on SAZ files from Fiddler
• Results of the various checks can be exported as HTML or XML
• DEMO
  • Live Session
  • Report
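Added example (not part of the slides, and not Ammonite's or Watcher's code): the kind of passive response checks both Fiddler plugins describe, run offline over a few constructed (status, body) pairs standing in for captured traffic. The check names, regexes and sample responses are assumptions; the Luhn filter is what keeps arbitrary digit runs such as IDs from being reported as card numbers.

```python
import re

# Constructed (status, body) pairs standing in for responses captured in Fiddler.
SAMPLE_RESPONSES = [
    ("200", '<form method="post"><input type="hidden" name="isAdmin" value="false">'
            '<input name="q"></form>'),
    ("500", "Server Error in '/' Application. System.Data.SqlClient.SqlException: "
            "Conversion failed when converting date and/or time from character string.\n"
            "   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception)"),
    ("200", "Order confirmed. Card on file: 4111 1111 1111 1111."),
    ("200", '{"ok": true, "id": 4111111111111112}'),   # digit run that fails Luhn: not a card
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")                 # 13-19 digits, optional separators
HIDDEN_RE = re.compile(r"""<input[^>]*\btype=["']?hidden\b""", re.I)
VERBOSE_RE = re.compile(r"Server Error in|Exception\b|\bat System\.|stack trace|ORA-\d{5}", re.I)

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs (IDs, timestamps) that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def passive_checks(status, body):
    """Return the names of the checks that fire for one response."""
    findings = []
    if status == "500":
        findings.append("http-500")
    if VERBOSE_RE.search(body):
        findings.append("verbose-error")
    if HIDDEN_RE.search(body):
        findings.append("hidden-form-field")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("credit-card-number")
            break
    return findings

def scan_responses(responses):
    """Run the passive checks over every captured response, like an offline SAZ scan."""
    return [passive_checks(status, body) for status, body in responses]

if __name__ == "__main__":
    for (status, body), hits in zip(SAMPLE_RESPONSES, scan_responses(SAMPLE_RESPONSES)):
        print(status, hits or ["clean"])
```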
AntiXSS Library
• AntiXSS provides a myriad of encoding functions for Html, XML, Url, Form, LDAP, CSS, JScript and VBScript encoding methods.
• White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type.
• Secure Globalization: An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
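Added example (not the AntiXSS library's code): a white-list HTML encoder in the spirit of the approach described above, beside a classic deny-list encoder, applied to the XSS Me slide's demo string and to a constructed fullwidth-bracket string standing in for the "coded in another language" case. The allow-list contents and helper names are assumptions; the point shown is that the allow-list fixes in advance which characters can ever reach the page raw.

```python
import html
import re
import string

# Allow-list in the spirit of AntiXSS (an illustration, not the library's own list):
# letters, digits, space and a few punctuation characters pass through unchanged;
# every other character, ASCII or not, becomes a decimal character reference.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " ,.-_")

# The demo string from the XSS Me slide, plus a constructed fullwidth-bracket string
# standing in for input written in a non-ASCII script.
PAYLOAD = "<script>alert('xss')</script>"
FULLWIDTH = "\uff1cscript\uff1e"

def whitelist_html_encode(text):
    """Encode everything that is not on the allow-list."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in text)

def blacklist_html_encode(text):
    """Deny-list encoder in the style of classic HtmlEncode: only five ASCII characters change."""
    return (text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#39;"))

def survivors(encoded):
    """Set of characters that reach the page raw, i.e. outside any character reference."""
    return set(re.sub(r"&#\d+;|&[A-Za-z]+;", "", encoded))

def round_trips(encoder, text):
    """A browser decodes references back to the original text, so nothing is lost for display."""
    return html.unescape(encoder(text)) == text

if __name__ == "__main__":
    for name, enc in (("whitelist", whitelist_html_encode), ("blacklist", blacklist_html_encode)):
        print(name, enc(PAYLOAD))
        print(name, "raw characters in fullwidth case:", sorted(survivors(enc(FULLWIDTH))))
```

Both encoders neutralise the ASCII demo string, but only the white-list encoder leaves a bounded output alphabet for the fullwidth input; the deny-list encoder passes every non-ASCII character through untouched.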
Asafaweb
• Non-invasive vulnerability scanner
• Individual effort from security consultant Troy Hunt
• Good for "already in production" projects
• Baseline of scans for common ASP.NET configuration-related vulnerabilities
• Also checks for clickjacking and the Hash DoS patch
• DEMO
CAT.NET & BinScope Binary Analyzer
CAT.NET
• Identifies common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
• Works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing all of the methods contained within each.
BinScope Binary Analyzer
• Verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with the MS-SDL.
• BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.
Note: Only compatible with Visual Studio 2005 and Visual Studio 2008
W3af.org
• w3af identifies more than 200 vulnerabilities and reduces your site's overall risk exposure.
• Open source python based core engine with plug-in architecture
• w3af is a Web Application Attack and Audit Framework.
Acunetix
• Website analysis and vulnerability detection
• Comprehensive scanning for SQL Injection and Cross-Site Scripting (XSS) vulnerabilities
• Scans password-protected areas automatically as well
• Comprehensive reports for legal and regulatory compliance
• Includes HTTP sniffer, HTTP fuzzer and Blind SQL Injector
• Detects HTTP Parameter Pollution (HPP) vulnerabilities
• Compares scans and finds differences from previous scans
• Support for CAPTCHA, Single Sign-On and Two-Factor authentication mechanisms
NetSparker
• The only False-positive-free web application security scanner
• Ajax/JavaScript Support
• Support Basic, Forms, NTLM, Digest, Kerberos Authentication
• Vulnerability Retest
• Also supports manual testing
• Support for reporting against well-known compliance specifications like PCI, OWASP, CAPEC, etc.
• Custom Reports
Resources
• OWASP (Open Web Application Security Project): https://www.owasp.org
• XSS-Me
https://addons.mozilla.org/en-us/firefox/addon/xss-me/
• SQL Inject Me
• Microsoft Security
http://www.microsoft.com/security
http://www.Microsoft.com/sdl
• Wikipedia:
http://en.wikipedia.org/wiki/Threat_model
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at
http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Lalit [email protected]
http://lalitkale.wordpress.com