1. Exploring the
Security Testers
Toolkit
Dan Billing – New Voice Media
@thetestdoctor | thetestdoctor.wordpress.com

2. Objectives for the day
 Introductions
 An introduction to threat modelling and an activity to
generate test ideas
 An introduction to the OWASP Top 10
 An introduction to some useful tools and how to use them
 Explore an application to discover some vulnerabilities
 Talk about threats and what they mean in context
 Talk about attacks and how they can be used in testing
 Practice some attacks
 Consolidate and challenge our thinking

3. Introduction
 Tester for 13 years, 4 years as a self employed consultant
 Worked in the private and public sector in the UK
 AOL Time Warner
 Capita
 Northgate
 UK Government
 Brightpearl
 Now a Test Engineer at New Voice Media
 @TheTestDoctor
 www.thetestdoctor.wordpress.com

4. Introductions
About you?
What do you want to get out of
the day?

5. A Security Testing Mnemonic
 EX – EXPLORE
 T – THREATS
 E – EXPERIMENT
 R – RISKS
 M – MONITOR
 IN – INTERROGATE
 A – ANALYSIS
 T – TARGETED
 E - EXPEDITED
Image courtesy of Andy
Glover @cartoontester

6. Gruyere – the cheesy web app
 Navigate your browser of choice to:
 http://google-gruyere.appspot.com/start
 Built by Google
 Deliberately vulnerable web application for training
 Don’t enter personal data into it!

7. AltoroMutual – the reliable
banking application
 Navigate your browser of choice to:
 http://altoromutual.com/
 Built by IBM (as a marketing tool for AppScan)
 Deliberately vulnerable web application for training
 Don’t enter personal data into it!

8. Explore the application
 Work in groups
 Explore the application 10-15 mins
 What can you find out?
 User scenarios?
 What can you do with the application?
 Critical assets?
 Features and functionality?
 Areas for testing?
 Feedback to the group

9. Tools of the Trade
 Browser tools
 Built in DOM tools and consoles – available in all
modern browsers
 Firebug
 Monitor errors, resources, traffic and scripts
 Add, delete and modify cookies
 Plugins e.g. Tamper Data, EditThisCookie
 OWASP Mantra
 API tools e.g The Postman, Advanced Rest Client

10. Tools of the Trade
 Proxy tools
 Fiddler
 Zed Attack Proxy,
 BurpSuite
Intercepting HTTP/HTTPS traffic
Modify requests, headers, cookies and other session data
Craft attacks and other harmful scenarios
Spider
Fuzzers
Port Scanning
CSRF

11. Tools of the Trade
 Network monitors
 Protocol and packet sniffing e.g. Wireshark
 Network mapping e.g Nmap
 Source Code Analysers
 OWASP 02 Platform
 OWASP LAPSE

12. Fiddler
 Download and Install Fiddler
 http://www.telerik.com/fiddler
 Configure your Browser
 Set the Proxy Server to 127.0.0.1
 Set the Port to 8080
 Configure Fiddler
 Install certificate if required
 Set the Local Proxy to 127.0.0.1
 Set the Port to 8080
 You may need to close and restart the browser/Fiddler

13. Zed Attack Proxy (ZAP)
 Download and install Zed Attack Proxy
 https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
 Configure your Browser
 Set the Proxy Server to 127.0.0.1
 Set the Port to 8181
 Configure Zed Attack Proxy
 Install certificate if required
 Set the Local Proxy to 127.0.0.1
 Set the Port to 8181
 You may need to close and restart the browser/ZAP

14. BurpSuite
 Download and Install Burpsuite (Free Edition)
 http://portswigger.net/burp/download.html
 Configure your Browser
 Set the Proxy Server to 127.0.0.1
 Set the Port to 8080
 Configure Burpsuite
 Install certificate if required
 Set the Local Proxy to 127.0.0.1
 Set the Port to 8282
 You may need to close and restart the browser/ZAP

15. Threat Modelling
STRIDE
 S – SPOOFING
 T – TAMPERING
 R – REPUDIATION
 I – INFORMATION DISCLOSURE
 D – DENIAL OF SERVICE
 E – ESCALATION OF PRIVILEGE

16. Spoofing
Threat action aimed to illegally
access and use another user's
credentials, such as username and
password.

17. Tampering
Threat action aimed to maliciously
change/modify persistent data,
such as persistent data in a
database, and the alteration of
data in transit between two
computers over an open network,
such as the Internet.

18. Repudiation
Threat action aimed to perform
illegal operations in a system that
lacks the ability to trace the
prohibited operations.

19. Information Disclosure
Threat action to read a file that
one was not granted access to, or
to read data in transit.

20. Denial of Service
Threat aimed to deny access to
valid users, such as by making a
web server temporarily unavailable
or unusable.

21. Escalation of Privilege
Threat aimed to gain privileged
access to resources for gaining
unauthorized access to information
or to compromise a system.

22. Threat Mind Map
 Grab some post-its
 Identify threats to your application – Gruyere or
Altoromutual
 How might they happen?
 What are the risks?
 What might be the impact?
 Mind-map them as a team on the board
 Feedback to the group

23. OWASP Top 10 2013
 1 – Injection
 2 – Broken Authentication and Session Management
 3 – Cross Site Scripting (XSS)
 4 – Insecure Direct Object References
 5 – Security Misconfiguration
 6 – Sensitive Data Exposure
 7 – Missing Function Level Access Control
 8 – Cross Site Request Forgery (CSRF)
 9 – Using Components with Known Vulnerabilities
 10 – Unvalidated Redirects and Forwards

24. SQL Injection
Exploits of a Mom – www.xkcd.com/327

25. Cross Site Scripting (XSS)
1. Sends URL containing a
hidden script
4. Browser executes script
and sends private data
2. Follows URL containing
script
3. Serves page containing
script
5. Impersonates user at
website

26. Cross Site Request Forgery (CSRF)
1. Victim browses a
malicious page with
content
2. Script or image
executed in
browser
3. Attacker can
access browser
sessions, modify
config or send
malicious content

27. Using Scanning Tools
 Practice on a training website or on a virtual
machine
 Agree with stakeholders
 Don’t use against a site you don’t have permission
to test on
 Understand risks to assets
 Schedule appropriately

28. Passive Scanning
 Explore the website under test
 Observe the behaviour of the scanning tool
 What information does it provide?
 How is the information structured?
 Any testing ideas?
 What would you test first?

29. Spidering
 Discovers more areas of your application to test
 Physically interacts with the application
 Use with caution
 What information does it provide?
 How is the information structured?
 Any testing ideas?

30. Active Scanning
 Performs physical attacks against the application
under test
 Injection
 XSS
 Cookie Poisoning
 What information does it provide?
 How is the information structured?
 Any testing ideas?
 What do we test next?

31. Fuzzing
 Inputs random, invalid or unexpected data
 Might indicate an exception that could cause
crashes, performance issues or memory leaks
 What information does it provide?
 How is the information structured?
 Any testing ideas?

32. Proxy Chaining
 All tools work differently
 They all have similar but varied features and
functions
 Linking them together will enhance your testing
 Comparison of results from different tools
 Try modifying the upstream and downstream
proxy settings

33. Extending your toolset
 Can be built into a continuous integration solution
 Scripting interfaces e.g. Python, Ruby
 API
 Reporting

34. Wrap Up
 Is there something we haven’t covered that you
want to talk about?
 Has this workshop met your expectations?
 Any questions?
 Thanks for taking part 

35. Getting in Touch
 Twitter @TheTestDoctor
 Blog thetestdoctor.wordpress.com
 www.newvoicemedia.com