2. Objectives for the day
Introductions
An introduction to threat modelling and an activity to generate test ideas
An introduction to the OWASP Top 10
An introduction to some useful tools and how to use them
Explore an application to discover some vulnerabilities
Talk about threats and what they mean in context
Talk about attacks and how they can be used in testing
Practice some attacks
Consolidate and challenge our thinking
3. Introduction
Tester for 13 years, 4 years as a self employed consultant
Worked in the private and public sector in the UK
AOL Time Warner
Capita
Northgate
UK Government
Brightpearl
Now a Test Engineer at New Voice Media
@TheTestDoctor
www.thetestdoctor.wordpress.com
5. A Security Testing Mnemonic
EX – EXPLORE
T – THREATS
E – EXPERIMENT
R – RISKS
M – MONITOR
IN – INTERROGATE
A – ANALYSIS
T – TARGETED
E – EXPEDITED
Image courtesy of Andy Glover @cartoontester
6. Gruyere – the cheesy web app
Navigate your browser of choice to:
http://google-gruyere.appspot.com/start
Built by Google
Deliberately vulnerable web application for training
Don’t enter personal data into it!
7. AltoroMutual – the reliable banking application
Navigate your browser of choice to:
http://altoromutual.com/
Built by IBM (as a marketing tool for AppScan)
Deliberately vulnerable web application for training
Don’t enter personal data into it!
8. Explore the application
Work in groups
Explore the application 10-15 mins
What can you find out?
User scenarios?
What can you do with the application?
Critical assets?
Features and functionality?
Areas for testing?
Feedback to the group
9. Tools of the Trade
Browser tools
Built-in DOM tools and consoles – available in all modern browsers
Firebug
Monitor errors, resources, traffic and scripts
Add, delete and modify cookies
Plugins e.g. Tamper Data, EditThisCookie
OWASP Mantra
API tools e.g. Postman, Advanced Rest Client
10. Tools of the Trade
Proxy tools
Fiddler
Zed Attack Proxy
BurpSuite
Intercepting HTTP/HTTPS traffic
Modify requests, headers, cookies and other session data
Craft attacks and other harmful scenarios
Spider
Fuzzers
Port Scanning
CSRF
11. Tools of the Trade
Network monitors
Protocol and packet sniffing e.g. Wireshark
Network mapping e.g. Nmap
Source Code Analysers
OWASP O2 Platform
OWASP LAPSE
12. Fiddler
Download and Install Fiddler
http://www.telerik.com/fiddler
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8080
Configure Fiddler
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8080
You may need to close and restart the browser/Fiddler
13. Zed Attack Proxy (ZAP)
Download and install Zed Attack Proxy
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8181
Configure Zed Attack Proxy
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8181
You may need to close and restart the browser/ZAP
14. BurpSuite
Download and Install Burpsuite (Free Edition)
http://portswigger.net/burp/download.html
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8080
Configure Burpsuite
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8282
You may need to close and restart the browser/BurpSuite
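The three proxy slides above all describe the same arrangement: the browser is pointed at 127.0.0.1 on the proxy's port, and the tool sits in the middle, logging every request and letting you modify headers, cookies and other session data before they reach the site. The following is an added example, not code from the workshop or from Fiddler, ZAP or Burp: a miniature intercepting proxy in Python. It starts a stand-in target site and a local proxy on 127.0.0.1 (OS-chosen ports rather than the slides' 8080/8181/8282), points a client at the proxy exactly as the slides tell you to point the browser, and shows the proxy recording the request and rewriting a header and the cookie on its way through. Plain HTTP only: intercepting HTTPS is what the "install certificate" step is for.

```python
"""Minimal intercepting HTTP proxy in the spirit of Fiddler, ZAP and Burp.

Added example. The target site, the edit rules and the request are all
constructed here; nothing is fetched from the Internet.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class TargetHandler(BaseHTTPRequestHandler):
    """Stand-in for the application under test: echoes what it received."""

    def do_GET(self):
        body = json.dumps({
            "path": self.path,
            "headers": {k.lower(): v for k, v in self.headers.items()},
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


class InterceptHandler(BaseHTTPRequestHandler):
    """Receives the browser's request (absolute URI), edits it, forwards it."""

    def do_GET(self):
        rule_names = {k.lower() for k in self.server.edit_rules}
        # Keep the browser's headers, minus hop-by-hop/proxy-only ones and
        # any header the operator is about to overwrite.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("proxy-connection", "host", "connection")
                   and k.lower() not in rule_names}
        # Tamper step: apply the operator's edit rules (header name -> new value).
        headers.update(self.server.edit_rules)
        # Monitor step: record what actually left the proxy.
        self.server.captured.append({"url": self.path, "headers": dict(headers)})
        # Forward with proxies disabled so the proxy never routes through itself.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(urllib.request.Request(self.path, headers=headers)) as resp:
            data = resp.read()
            self.send_response(resp.status)
            for k, v in resp.headers.items():
                if k.lower() not in ("transfer-encoding", "connection"):
                    self.send_header(k, v)
            self.end_headers()
            self.wfile.write(data)

    def log_message(self, *args):
        pass


def start_server(handler, **state):
    """Bind 127.0.0.1 on an ephemeral port and serve in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    for name, value in state.items():
        setattr(srv, name, value)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_proxy(proxy_port, url, cookie):
    """Client configured like the slides' browser: proxy server 127.0.0.1, port N."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"}))
    with opener.open(urllib.request.Request(url, headers={"Cookie": cookie})) as resp:
        return json.loads(resp.read())


def demo():
    """Run one request through the proxy; returns (proxy log, what the site saw)."""
    target = start_server(TargetHandler)
    proxy = start_server(InterceptHandler, captured=[],
                         edit_rules={"Cookie": "session=edited-by-proxy",
                                     "X-Intercepted": "yes"})
    url = f"http://127.0.0.1:{target.server_address[1]}/account?id=42"
    seen_by_site = fetch_via_proxy(proxy.server_address[1], url, "session=original")
    proxy.shutdown()
    target.shutdown()
    return proxy.captured, seen_by_site


if __name__ == "__main__":
    log, seen = demo()
    print("proxy log:", log)
    print("site received:", seen)
```

The site never sees the cookie the client sent; it sees the value the proxy substituted, which is the whole point of the "modify requests, headers, cookies" bullet and why a server must never trust anything that arrives from the browser.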
15. Threat Modelling
STRIDE
S – SPOOFING
T – TAMPERING
R – REPUDIATION
I – INFORMATION DISCLOSURE
D – DENIAL OF SERVICE
E – ESCALATION OF PRIVILEGE
16. Spoofing
Threat action aimed to illegally access and use another user's credentials, such as username and password.
17. Tampering
Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet.
18. Repudiation
Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations.
20. Denial of Service
Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable.
21. Escalation of Privilege
Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.
22. Threat Mind Map
Grab some post-its
Identify threats to your application – Gruyere or Altoromutual
How might they happen?
What are the risks?
What might be the impact?
Mind-map them as a team on the board
Feedback to the group
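One systematic way to generate the post-its for the mind-map is STRIDE-per-element: sketch the application as external entities, processes, data stores and data flows, then ask only the STRIDE questions that apply to each kind of element. The following is an added example, not part of the workshop; the data-flow model is a constructed sketch of a banking application like AltoroMutual, the element-type-to-category table is the standard STRIDE-per-element mapping, the impact text is paraphrased from the slide definitions above, and the risk rating rule is a simple constructed heuristic rather than a formal scoring scheme.

```python
"""STRIDE-per-element: generate candidate threats for the threat mind-map.

Added example; the model, the heuristic and the impact wording are constructed.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Escalation of privilege",
}

# Which categories are worth a post-it for which kind of element.
APPLICABLE = {
    "external": "SR",     # a user or browser: can be impersonated, can deny actions
    "process": "STRIDE",  # running code: everything applies
    "datastore": "TRID",  # database, log file: its data and availability
    "dataflow": "TID",    # data in transit: altered, read, or blocked
}

# Impact per category, paraphrased from the slide definitions.
IMPACT = {
    "Spoofing": "another user's credentials used to act as them",
    "Tampering": "persistent data or data in transit altered",
    "Repudiation": "prohibited operations that cannot be traced",
    "Information disclosure": "data exposed to someone not entitled to it",
    "Denial of service": "valid users cannot reach the service",
    "Escalation of privilege": "unauthorised access to information or the system",
}


@dataclass
class Element:
    name: str
    kind: str                             # external | process | datastore | dataflow
    crosses_trust_boundary: bool = False  # e.g. Internet <-> web application


def enumerate_threats(elements):
    """One candidate threat per (element, applicable category)."""
    threats = []
    for el in elements:
        for letter in APPLICABLE[el.kind]:
            category = STRIDE[letter]
            # Constructed heuristic: boundary-crossing elements rate higher for S/T/I.
            risk = "high" if el.crosses_trust_boundary and letter in "STI" else "medium"
            threats.append({"element": el.name, "category": category,
                            "impact": IMPACT[category], "risk": risk})
    return threats


def mind_map(threats):
    """Cluster the post-its by element, like grouping them on the board."""
    board = {}
    for t in threats:
        board.setdefault(t["element"], []).append(t["category"])
    return board


# Constructed model of the exercise's banking application.
MODEL = [
    Element("Customer browser", "external", crosses_trust_boundary=True),
    Element("Browser -> web app (HTTP)", "dataflow", crosses_trust_boundary=True),
    Element("Banking web app", "process"),
    Element("Web app -> database (SQL)", "dataflow"),
    Element("Accounts database", "datastore"),
]

if __name__ == "__main__":
    for element, categories in mind_map(enumerate_threats(MODEL)).items():
        print(f"{element}: {', '.join(categories)}")
```

Each generated row answers the slide's three questions in outline: the category says how it might happen, the rating is the risk, and the impact column is what it would mean for this application; the group then refines or discards each post-it.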
23. OWASP Top 10 2013
1 – Injection
2 – Broken Authentication and Session Management
3 – Cross Site Scripting (XSS)
4 – Insecure Direct Object References
5 – Security Misconfiguration
6 – Sensitive Data Exposure
7 – Missing Function Level Access Control
8 – Cross Site Request Forgery (CSRF)
9 – Using Components with Known Vulnerabilities
10 – Unvalidated Redirects and Forwards
25. Cross Site Scripting (XSS)
1. Sends URL containing a hidden script
2. Follows URL containing script
3. Serves page containing script
4. Browser executes script and sends private data
5. Impersonates user at website
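Steps 1 to 3 of that sequence come down to one defect: the application echoes a request parameter into its HTML without encoding it. The following is an added example, not Gruyere's or AltoroMutual's code; the search page, the parameter name `q` and the harmless marker payload are constructed. It shows the vulnerable rendering beside the fixed one, so a tester can see what to look for in the response.

```python
"""Reflected XSS: the unescaped rendering beside the escaped one.

Added example; the page template, parameter and payload are constructed.
"""
import html
from urllib.parse import parse_qs, urlsplit


def render_unsafe(query):
    """Step 3 as the vulnerable app does it: the parameter goes straight into HTML."""
    return f"<h1>Search</h1><p>Results for: {query}</p>"


def render_safe(query):
    """The fix: encode for the HTML context before echoing user input."""
    return f"<h1>Search</h1><p>Results for: {html.escape(query, quote=True)}</p>"


def serve(url, renderer):
    """Steps 2/3: the app receives the followed URL and serves the page."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return renderer(q)


def page_contains_script(page):
    """What a tester checks in the response: did a script tag survive unencoded?"""
    return "<script" in page.lower()


# Constructed step-1 URL; the marker only pops an alert, proving execution.
CRAFTED_URL = "http://app.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = serve(CRAFTED_URL, renderer)
        print(f"{name}: script would execute = {page_contains_script(page)}")
        print("   ", page)
```

The same check applies whatever tool found the parameter: if the marker comes back as `<script>` the page is vulnerable, if it comes back as `&lt;script&gt;` the output encoding is doing its job.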
26. Cross Site Request Forgery (CSRF)
1. Victim browses a malicious page with content
2. Script or image executed in browser
3. Attacker can access browser sessions, modify config or send malicious content
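Step 3 works because the browser attaches the victim's session cookie to any request, including one a malicious page triggers. The usual defence is a synchroniser token: a secret value the page embeds in its own forms that a cross-site page cannot read. The following is an added example, not either training application's code; the session store, the transfer handler and the three requests are constructed. It shows a legitimate submission passing and two forged ones being refused.

```python
"""Synchroniser-token CSRF protection: the check the vulnerable app lacks.

Added example; sessions, balances and requests are constructed.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, generated at start-up


def csrf_token_for(session_id):
    """Token derived from the session, so a token from another session is useless."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_ok(session_id, presented):
    return bool(presented) and hmac.compare_digest(csrf_token_for(session_id), presented)


def session_cookie(session_id):
    """Set-Cookie value with SameSite: the browser-side half of the defence."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax"


def handle_transfer(request, sessions, balances):
    """request = {"cookies": {...}, "form": {...}}; returns (status, message)."""
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return 401, "not logged in"
    if not csrf_token_ok(sid, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"   # a forged request stops here
    user = sessions[sid]
    amount = int(request["form"]["amount"])
    if amount <= 0 or balances[user] < amount:
        return 400, "invalid amount"
    balances[user] -= amount
    return 200, f"transferred {amount} to {request['form']['to']}"


def demo():
    """Returns ([status per request], victim's remaining balance)."""
    sessions = {"sid-victim": "alice", "sid-attacker": "mallory"}
    balances = {"alice": 100, "mallory": 5}
    # Form submitted from the app's own page carries the token.
    legit = {"cookies": {"session": "sid-victim"},
             "form": {"to": "bob", "amount": "30",
                      "csrf_token": csrf_token_for("sid-victim")}}
    # Cross-site page: the browser attaches alice's cookie, but the page
    # cannot read her token, so the form has none.
    forged = {"cookies": {"session": "sid-victim"},
              "form": {"to": "mallory", "amount": "70"}}
    # A token from a different session does not validate for alice's.
    forged_other_token = {"cookies": {"session": "sid-victim"},
                          "form": {"to": "mallory", "amount": "70",
                                   "csrf_token": csrf_token_for("sid-attacker")}}
    statuses = [handle_transfer(r, sessions, balances)[0]
                for r in (legit, forged, forged_other_token)]
    return statuses, balances["alice"]


if __name__ == "__main__":
    print(demo())
    print(session_cookie("sid-victim"))
```

When testing, the simplest check is to replay a state-changing request with the token removed or swapped: a correct implementation refuses it, as `handle_transfer` does, and `SameSite=Lax` on the session cookie stops most cross-site POSTs before they reach the server at all.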
27. Using Scanning Tools
Practice on a training website or on a virtual machine
Agree with stakeholders
Don’t use against a site you don’t have permission to test on
Understand risks to assets
Schedule appropriately
28. Passive Scanning
Explore the website under test
Observe the behaviour of the scanning tool
What information does it provide?
How is the information structured?
Any testing ideas?
What would you test first?
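A passive scanner sends nothing of its own: it reads the responses that pass through the proxy while you explore, and flags what it can see in them. The following is an added example of that kind of check, not ZAP's or Burp's rule set; the two responses are constructed, and the checks cover a few common findings (missing protective headers, a version-revealing Server header, cookie attributes, and a stack trace in an error page). Each finding carries a risk level, which is how a tester would decide what to test first.

```python
"""Passive checks over captured HTTP responses.

Added example; the responses and the small rule set are constructed.
"""

# Header -> why its absence is reported.
EXPECTED_HEADERS = {
    "x-content-type-options": "browser may MIME-sniff responses",
    "x-frame-options": "page can be framed (clickjacking)",
    "content-security-policy": "no CSP to limit script sources",
    "strict-transport-security": "HTTPS not enforced by the browser",
}


def _finding(url, risk, description):
    return {"url": url, "risk": risk, "description": description}


def passive_scan(response):
    """response = {"url", "status", "headers": [(name, value), ...], "body"}."""
    findings = []
    url = response["url"]
    pairs = [(k.lower(), v) for k, v in response["headers"]]   # Set-Cookie may repeat
    present = {k for k, _ in pairs}
    for header, why in EXPECTED_HEADERS.items():
        if header not in present:
            findings.append(_finding(url, "Low", f"missing {header}: {why}"))
    for name, value in pairs:
        if name == "server" and any(ch.isdigit() for ch in value):
            findings.append(_finding(url, "Low", f"Server header discloses version: {value}"))
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower().split("=")[0] for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(_finding(url, "Low", f"cookie {cookie} without HttpOnly"))
            if url.startswith("https://") and "secure" not in attrs:
                findings.append(_finding(url, "Low", f"cookie {cookie} without Secure"))
            if "samesite" not in attrs:
                findings.append(_finding(url, "Informational", f"cookie {cookie} without SameSite"))
    if "stack trace" in response.get("body", "").lower():
        findings.append(_finding(url, "Medium", "error page leaks a stack trace"))
    return findings


def scan_all(responses):
    """Run the passive checks over every captured response, highest risk first."""
    order = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
    found = [f for r in responses for f in passive_scan(r)]
    return sorted(found, key=lambda f: order[f["risk"]])


# Constructed responses, as a proxy might have captured them while exploring.
SAMPLE_RESPONSES = [
    {"url": "https://app.test/login", "status": 200,
     "headers": [("Content-Type", "text/html"), ("Server", "Apache/2.2.15"),
                 ("Set-Cookie", "session=abc123; Path=/"), ("X-Frame-Options", "DENY")],
     "body": "<html><form method='post'>...</form></html>"},
    {"url": "https://app.test/transfer", "status": 500,
     "headers": [("Content-Type", "text/html"), ("Server", "Apache"),
                 ("Set-Cookie", "pref=dark; Path=/; HttpOnly; Secure; SameSite=Lax"),
                 ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "DENY"),
                 ("Content-Security-Policy", "default-src 'self'"),
                 ("Strict-Transport-Security", "max-age=31536000")],
     "body": "<pre>java.lang.NullPointerException\nStack trace: ...</pre>"},
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_RESPONSES):
        print(f"[{f['risk']}] {f['url']}: {f['description']}")
```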
29. Spidering
Discovers more areas of your application to test
Actually interacts with the application (it sends real requests)
Use with caution
What information does it provide?
How is the information structured?
Any testing ideas?
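The reason for "use with caution" is that a spider follows everything it finds, including links that log you out and hosts that are not yours to test. The following is an added example, not ZAP's or Burp's spider; the site is a constructed in-memory map of URL to HTML standing in for real HTTP fetches. It follows links and form actions, stays on the starting host, and skips an exclusion list, returning both what it visited and what it deliberately left alone.

```python
"""A scoped spider in miniature.

Added example; the site map and the exclusion list are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collects href targets and form actions, the two things a spider follows."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.links.append(a["action"])


# Constructed stand-in for the application under test.
SITE = {
    "http://app.test/": '<a href="/login">Login</a> <a href="/about#team">About</a> '
                        '<a href="http://partner.test/">Partner</a>',
    "http://app.test/login": '<form action="/doLogin"></form> <a href="/">Home</a>',
    "http://app.test/about": '<a href="/logout">Logout</a> <a href="/login">Login</a>',
    "http://app.test/doLogin": "<p>Bad credentials</p>",
    "http://app.test/logout": '<a href="/">Home</a>',
}


def fetch_from_site(url):
    """Stand-in for an HTTP GET: look the page up in the constructed map."""
    return SITE.get(url, "")


def spider(start, fetch, exclude_paths=("/logout",)):
    """Breadth-first crawl; returns (visited in order, [(url, reason skipped)])."""
    scope_host = urlsplit(start).netloc
    visited, skipped, queue = [], [], [start]
    while queue:
        url = queue.pop(0)
        if url in visited:
            continue
        parts = urlsplit(url)
        if parts.netloc != scope_host:            # not ours to test
            skipped.append((url, "out of scope"))
            continue
        if parts.path in exclude_paths:           # would destroy the session
            skipped.append((url, "excluded"))
            continue
        visited.append(url)
        extractor = LinkExtractor()
        extractor.feed(fetch(url))
        for link in extractor.links:
            absolute, _fragment = urldefrag(urljoin(url, link))
            if absolute not in visited:
                queue.append(absolute)
    return visited, skipped


if __name__ == "__main__":
    seen, left = spider("http://app.test/", fetch_from_site)
    print("visited:", *seen, sep="\n  ")
    print("skipped:", *left, sep="\n  ")
```

Note that the spider still requests `/doLogin`, a form action, which is exactly the kind of state-changing interaction the slide warns about; in a real tool the exclusion list and scope are what keep it from going further than you agreed with stakeholders.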
30. Active Scanning
Performs real attacks against the application under test
Injection
XSS
Cookie Poisoning
What information does it provide?
How is the information structured?
Any testing ideas?
What do we test next?
31. Fuzzing
Inputs random, invalid or unexpected data
Might surface an exception that could cause crashes, performance issues or memory leaks
What information does it provide?
How is the information structured?
Any testing ideas?
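The information a fuzzer gives you is the set of inputs that made the code behave unexpectedly, so the useful part is telling an intended rejection apart from an exception the code never meant to raise. The following is an added example, not a real fuzzer and not the training applications' code: `parse_transfer` is a constructed stand-in for the handler under test, and the fuzzer feeds it hand-picked boundary values followed by seeded random strings, reporting any exception other than the handler's own validation error and any input that was unusually slow to process.

```python
"""A small fuzzer and a constructed handler for it to exercise.

Added example; the handler, the interesting-value list and the seed are constructed.
"""
import random
import string
import time


class ValidationError(Exception):
    """The handler's intended way of rejecting bad input."""


def parse_transfer(form):
    """Constructed handler: validates some fields, but not the amount's format."""
    if not form.get("amount"):
        raise ValidationError("amount required")
    amount = int(form["amount"])          # non-numeric text escapes as ValueError
    account = form.get("to_account", "")
    if len(account) != 8 or not account.isdigit():
        raise ValidationError("account must be 8 digits")
    if amount <= 0:
        raise ValidationError("amount must be positive")
    return {"amount": amount, "to_account": account}


# Hand-picked boundary and malformed values, tried before the random ones.
INTERESTING = ["", "0", "-1", "00012345", "2147483648", "9" * 400,
               "1e9", "NaN", " 12 ", "12abc", "'", "<b>", "\x00"]


def fuzz(target, rounds=300, seed=7, slow_ms=50.0):
    """Returns {"unexpected": {exception name: first input}, "slow": [inputs]}."""
    rng = random.Random(seed)             # fixed seed so a failing case can be replayed
    unexpected, slow = {}, []
    for i in range(rounds):
        if i < len(INTERESTING):
            value = INTERESTING[i]
        else:
            length = rng.randint(0, 40)
            value = "".join(rng.choice(string.printable) for _ in range(length))
        form = {"amount": value, "to_account": value}
        started = time.perf_counter()
        try:
            target(form)
        except ValidationError:
            pass                          # handled rejection, not a finding
        except Exception as exc:          # anything else would be a 500 in the app
            unexpected.setdefault(type(exc).__name__, value)
        if (time.perf_counter() - started) * 1000 > slow_ms:
            slow.append(value)
    return {"unexpected": unexpected, "slow": slow}


if __name__ == "__main__":
    result = fuzz(parse_transfer)
    for name, sample in result["unexpected"].items():
        print(f"{name} escaped on input {sample!r}")
    print(f"{len(result['slow'])} slow inputs")
```

The structure of the report suggests the next test: the first input that produced each unexpected exception is the one to replay by hand through the proxy, and any slow inputs are the starting point for the performance and resource questions on the slide.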
32. Proxy Chaining
All tools work differently
They all have similar but varied features and functions
Linking them together will enhance your testing
Comparison of results from different tools
Try modifying the upstream and downstream proxy settings
33. Extending your toolset
Can be built into a continuous integration solution
Scripting interfaces e.g. Python, Ruby
API
Reporting
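Building a scanner into continuous integration means two pieces: driving the tool through its API, and a reporting step that turns its alerts into a pass/fail decision. The following is an added example, not ZAP's own code. `gate` is pure and runs here on constructed alerts in the shape ZAP's API returns; `run_zap_scan` drives a running ZAP through the python-owasp-zap-v2.4 client (module `zapv2`), and is only called when you point the script at a live instance. The ZAP address, API key and target URL are assumptions for your own setup.

```python
"""Gate a CI build on scanner alerts.

Added example; the sample alerts are constructed and `run_zap_scan`
needs a running ZAP plus the `zapv2` client to do anything.
"""
import sys
import time

RISK_ORDER = ["Informational", "Low", "Medium", "High"]   # ZAP's levels, lowest first


def gate(alerts, fail_on="High", ignore=()):
    """alerts: dicts with at least 'risk', 'alert' and 'url'.
    Returns (passed, summary); the build should fail when passed is False."""
    threshold = RISK_ORDER.index(fail_on)
    counts = {r: 0 for r in RISK_ORDER}
    blocking = []
    for a in alerts:
        if a["alert"] in ignore:          # accepted/known findings, by alert name
            continue
        counts[a["risk"]] += 1
        if RISK_ORDER.index(a["risk"]) >= threshold:
            blocking.append(f"{a['risk']}: {a['alert']} at {a['url']}")
    return not blocking, {"counts": counts, "blocking": blocking}


def run_zap_scan(target, api_key, zap_addr="127.0.0.1:8080"):
    """Spider, then actively scan, then return the alerts (needs ZAP running)."""
    from zapv2 import ZAPv2               # imported here so `gate` runs without it
    zap = ZAPv2(apikey=api_key,
                proxies={"http": f"http://{zap_addr}", "https": f"http://{zap_addr}"})
    zap.urlopen(target)                   # seed the site tree
    scan_id = zap.spider.scan(target)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(2)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)
    return zap.core.alerts(baseurl=target)


# Constructed alerts in the shape ZAP's core.alerts() returns.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "http://app.test/login", "param": "uid"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "http://app.test/"},
    {"risk": "Low", "alert": "Cookie Without Secure Flag", "url": "http://app.test/login"},
]

if __name__ == "__main__":
    if len(sys.argv) == 3:                # usage: script TARGET_URL ZAP_API_KEY
        alerts = run_zap_scan(sys.argv[1], sys.argv[2])
    else:
        alerts = SAMPLE_ALERTS
    passed, summary = gate(alerts, fail_on="Medium")
    print(summary)
    sys.exit(0 if passed else 1)
```

Keeping the decision in a separate, pure function is deliberate: the threshold and ignore list live in version control with the build, and the same gate can consume alerts from a different tool once they are mapped to the same four risk levels.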
34. Wrap Up
Is there something we haven’t covered that you want to talk about?
Has this workshop met your expectations?
Any questions?
Thanks for taking part
35. Getting in Touch
Twitter @TheTestDoctor
Blog thetestdoctor.wordpress.com
www.newvoicemedia.com