This presentation is part of a talk I gave at a Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover application security tools that can be helpful for analyzing security threats as well as putting up some defenses. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.
3. OWASP Top 10 Threats
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
4. OWASP Top 10 Threats
• Sensitive Data Exposure
• Missing Function Level Access Control (e.g. Failure to Restrict URL Access)
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities (e.g. Security Misconfiguration)
• Unvalidated Redirects and Forwards
6. XSS Me
• XSS-Me is a Firefox add-on used to test for reflected Cross-Site Scripting (XSS). It does not currently test for stored XSS.
• It is only used for run-time application security testing and is not related to static code analysis.
• The tool works by submitting your HTML forms and substituting the form values with strings that are representative of an XSS attack.
• XSS Filter Evasion Cheat Sheet:
• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Devise your own attack! http://ha.ckers.org/xsscalc.html
7. XSS Me
• Demo Website
http://www.testfire.net
• Search for a normal string
http://www.testfire.net/search.aspx?txtSearch=test
• Search for an XSS-induced attack
http://www.testfire.net/search.aspx?txtSearch=<script>alert('xss')</script>
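The check XSS-Me performs on a search form, written out as an added Python example (this is not code from the deck or from the add-on): submit a harmless marker string in the form parameter and classify whether the response reflects it raw, reflects it entity-encoded, or does not reflect it at all. The three search handlers, the marker string and the URL are constructed stand-ins for the demo site's search.aspx page; the hardened handler shows the fix (encode user input on output).

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed probe: harmless on its own; only an encoded reflection is safe.
PROBE = "<xssme-probe>"


def _search_term(url: str) -> str:
    """Pull the txtSearch parameter out of a search URL (constructed helper)."""
    return parse_qs(urlparse(url).query).get("txtSearch", [""])[0]


def vulnerable_search(url: str) -> str:
    """Stand-in for a search page that concatenates the term straight into HTML."""
    return f"<p>No results for: {_search_term(url)}</p>"


def hardened_search(url: str) -> str:
    """Same page, but the user-controlled term is HTML-encoded on output."""
    return f"<p>No results for: {html.escape(_search_term(url), quote=True)}</p>"


def static_page(url: str) -> str:
    """Page that never echoes its input; shows the 'not reflected' case."""
    return "<p>Search is disabled.</p>"


def classify_reflection(handler, base_url: str, param: str) -> str:
    """XSS-Me-style probe: submit the marker as `param` and inspect the response.

    Returns one of:
      'reflected-raw'     - the marker came back byte-for-byte (reflected XSS sink)
      'reflected-encoded' - it came back with '<' and '>' entity-encoded (safe)
      'not-reflected'     - the response does not contain the marker at all
    """
    url = f"{base_url}?{urlencode({param: PROBE})}"
    body = handler(url)
    if PROBE in body:
        return "reflected-raw"
    if html.escape(PROBE, quote=True) in body:
        return "reflected-encoded"
    return "not-reflected"


def audit_search_handlers() -> dict:
    """Run the probe against each constructed handler and collect the verdicts."""
    base = "http://search.example.test/search.aspx"  # constructed URL, not the demo site
    handlers = (("vulnerable", vulnerable_search),
                ("hardened", hardened_search),
                ("static", static_page))
    return {name: classify_reflection(h, base, "txtSearch") for name, h in handlers}


if __name__ == "__main__":
    for name, verdict in audit_search_handlers().items():
        print(f"{name:10s} -> {verdict}")
```

The same `classify_reflection` check works as a regression test in a build pipeline when `handler` is replaced by a function that performs a real request against a test instance of your own application.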
8. SQL Inject Me
• SQL Inject Me is a Firefox add-on used to test for SQL Injection.
• It is only used for run-time application security testing.
• The tool works by submitting your HTML forms and substituting the form values with strings that are representative of an SQL Injection attack.
• Advanced attacks, such as blind SQL injection, may require additional manual testing (e.g. attempting to bypass authentication).
9. SQL Inject Me
• Demo Website
http://testfire.net/bank/login.aspx
• Username/Password: Jsmith/Demo1234; navigate to the following page after login
http://testfire.net/bank/transaction.aspx
• Observe the 'After' field:
• Normal input: 01/01/2013
• Injected input: 01/01/2006 union select userid,null,username+','+password,null from users--
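An added Python/SQLite example (not from the deck or the demo site) of the defect SQL Inject Me is looking for on the transaction page's 'After' field, next to its fix: the filter built by string concatenation executes the UNION payload from the slide, while the parameterised version treats the same text as a plain date string. The schema, rows and column names are constructed; dates are stored as ISO text so that string comparison follows date order; and the payload uses SQLite's `||` concatenation where the slide's SQL Server payload uses `+`.

```python
import sqlite3

# Adapted from the slide's payload: SQLite concatenates with '||' rather than '+'.
INJECTED_AFTER = ("2006-01-01' union select userid,null,username||','||password,null "
                  "from users--")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema loosely modelled on the demo bank site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userid INTEGER, username TEXT, password TEXT, role TEXT);
        CREATE TABLE transactions (id INTEGER, account TEXT, amount REAL, tdate TEXT);
        INSERT INTO users VALUES (1, 'jsmith', 'PLACEHOLDER-HASH', 'customer');
        INSERT INTO transactions VALUES (10, '800000', 42.50, '2013-03-01');
        INSERT INTO transactions VALUES (11, '800000', 13.00, '2012-12-31');
    """)
    return conn


def transactions_after_vulnerable(conn: sqlite3.Connection, after: str) -> list:
    """The 'After' field is spliced straight into the SQL text (the defect)."""
    sql = ("SELECT id, account, amount, tdate FROM transactions "
           f"WHERE tdate > '{after}'")
    return conn.execute(sql).fetchall()


def transactions_after_safe(conn: sqlite3.Connection, after: str) -> list:
    """Bound parameter: the field value is compared as data and never parsed as SQL."""
    sql = "SELECT id, account, amount, tdate FROM transactions WHERE tdate > ?"
    return conn.execute(sql, (after,)).fetchall()


def leaks_credentials(rows: list) -> bool:
    """True if any returned row carries a users-table value instead of a transaction."""
    return any("PLACEHOLDER-HASH" in str(cell) for row in rows for cell in row)


if __name__ == "__main__":
    db = build_demo_db()
    for label, fn in (("concatenated", transactions_after_vulnerable),
                      ("parameterised", transactions_after_safe)):
        rows = fn(db, INJECTED_AFTER)
        print(f"{label}: {len(rows)} rows, leaks credentials: {leaks_credentials(rows)}")
```

With the concatenated query the comment marker `--` swallows the closing quote and the UNION appends a users row to the transaction listing; with the bound parameter the whole payload is just an oddly formatted date that the two stored dates happen to sort after.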
10. Hackbar
• Hackbar is a Firefox add-on used to test for XSS and SQL Injection.
• It is useful while handcrafting attacks or doing penetration testing.
• Features include
• Loading URLs
• Slicing URLs
• Character encoding
• Executing crafted URL requests
11. Tamper Data
• Firefox add-on used to modify HTTP requests and responses
• Trace and time HTTP requests/responses
• Modify POST parameters
• Add HTTP headers
• Encode/decode strings
• Limited ability for testing XSS and SQL Injection
12. Cookie Manager +
• Firefox add-on used to view, modify, create, back up and restore cookies.
• Features include
• Ability to filter cookies by domain
• Option to back up and restore cookies
• Ability to change the expiry date in a cookie's expires attribute
13. Wappalyzer
• Firefox add-on for revealing the internals of websites/web applications
• Analyzes the DOM and HTTP response headers and identifies the libraries, frameworks and components used to build the website
• Once an attacker gets more details about internal components, they can use that information to exploit known vulnerabilities in those components, libraries, frameworks or servers
14. FxCop
• Static code analysis tool for applications written for the Microsoft .NET Framework
• Has security and security transparency rules
• Determines whether HTML output includes input parameters from
• Form fields
• Query strings
• Databases and data access methods
• The cookie collection
• Session and application variables
15. Fiddler Plugin: Ammonite
• URL: http://ammonite.ryscc.com/
• Paid web security tool
• Detects critical vulnerabilities
• Ultimate control: manual and automatic modes for testing
• Fuzzes multiple request formats
• Ammonite understands how to stuff faults into XML, JSON, URL-encoded and multi-part POST bodies.
• Tests all request sections including cookies, headers, URL path elements (RESTful apps), query string and request body.
• Passive checks that scan responses for credit card numbers, hidden form fields, HTTP 500 errors and verbose error messages.
• Exports results as an HTML report
16. Fiddler Plugin: Watcher
• URL: http://websecuritytool.codeplex.com
• Free web security tool
• Passively monitors traffic for 40+ checks
• Can also work offline on SAZ files from Fiddler
• Results of the various checks can be exported as HTML or XML
• DEMO
• Live session
• Report
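The passive checks described for Ammonite and Watcher, and the response-header fingerprinting Wappalyzer relies on, as one added Python example (not code from any of those tools): a set of checks run over already-captured responses, never sending traffic, that flags HTTP 500s, verbose error pages, Luhn-valid card numbers, hidden form fields and version-disclosing headers. The `Response` class, the sample responses and the marker strings are constructed stand-ins for sessions loaded from a Fiddler capture.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Constructed stand-in for one captured HTTP response (e.g. one SAZ session)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# 13-16 digits, optionally separated by spaces or dashes; candidates are Luhn-checked.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
HIDDEN_FIELD_RE = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?hidden[\"']?", re.IGNORECASE)
# Fragments typical of verbose ASP.NET / database error pages (constructed list).
VERBOSE_ERROR_MARKERS = ("Stack Trace:", "Exception Details:", "at System.", "Unclosed quotation mark")
# Headers that fingerprinting tools such as Wappalyzer read to identify server and framework.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out random digit runs (order numbers, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def passive_checks(resp: Response) -> list:
    """Run Watcher/Ammonite-style passive checks over one response."""
    findings = []
    if resp.status >= 500:
        findings.append(f"http-{resp.status}")
    if any(marker in resp.body for marker in VERBOSE_ERROR_MARKERS):
        findings.append("verbose-error")
    for cand in CARD_CANDIDATE_RE.findall(resp.body):
        digits = re.sub(r"\D", "", cand)
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append("card-number")
            break
    if HIDDEN_FIELD_RE.search(resp.body):
        findings.append("hidden-form-field")
    for name in resp.headers:
        if name.lower() in DISCLOSING_HEADERS:
            findings.append(f"version-header:{name}")
    return findings


# Constructed sample responses standing in for a Fiddler capture.
SAMPLE_RESPONSES = {
    "error-page": Response(
        500,
        {"Server": "Microsoft-IIS/7.5", "X-AspNet-Version": "4.0.30319"},
        "<h1>Server Error in '/' Application.</h1>"
        "<b>Exception Details:</b> System.Data.SqlClient.SqlException"
        "<b>Stack Trace:</b> at System.Data.SqlClient.SqlCommand.ExecuteReader()",
    ),
    "account-page": Response(
        200,
        {"Content-Type": "text/html"},
        '<form><input type="hidden" name="accountId" value="800000">'
        "<p>Card on file: 4111 1111 1111 1111</p></form>",
    ),
    "clean-page": Response(200, {"Content-Type": "text/html"}, "<p>Hello</p>"),
}


def scan_capture(responses: dict) -> dict:
    """Map each captured response name to its findings, like a Watcher report."""
    return {name: passive_checks(resp) for name, resp in responses.items()}


if __name__ == "__main__":
    for name, findings in scan_capture(SAMPLE_RESPONSES).items():
        print(f"{name}: {findings or 'no findings'}")
```

The version-header check is the defender's side of Wappalyzer: the same `Server` and `X-AspNet-Version` values the add-on uses to fingerprint a site are the ones to strip from your own responses.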
17. AntiXSS Library
• AntiXSS provides a myriad of encoding functions for HTML, XML, URL, form, LDAP, CSS, JScript and VBScript encoding.
• White lists: AntiXSS differs from the standard .NET Framework encoding by using a white-list approach. All characters not on the white list are encoded using the correct rules for the encoding type.
• Secure globalization: an attack can be coded anywhere, and AntiXSS now protects against XSS attacks coded in dozens of languages.
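The white-list idea behind AntiXSS, reimplemented as an added Python example (this is not AntiXSS's own code, and the white list below is chosen here for illustration, not AntiXSS's actual list): only listed characters pass through, every other character becomes a numeric character reference, and the output still decodes back to the original text. A blacklist encoder that rewrites only the usual five characters is shown beside it so the difference on characters outside ASCII is visible.

```python
import html
import re
import string

# White list: the only characters emitted untouched (constructed for this example).
HTML_SAFE = frozenset(string.ascii_letters + string.digits + " ,.-_")


def whitelist_html_encode(text: str) -> str:
    """AntiXSS-style: anything not on the white list becomes a numeric character reference."""
    return "".join(ch if ch in HTML_SAFE else f"&#{ord(ch)};" for ch in text)


def blacklist_html_encode(text: str) -> str:
    """Classic approach: rewrite only the characters known to be dangerous in HTML text."""
    table = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;"}
    return "".join(table.get(ch, ch) for ch in text)


def unencoded_chars(encoded: str) -> set:
    """Characters that reached the output without being encoded (entities stripped)."""
    return set(re.sub(r"&#?\w+;", "", encoded))


def round_trips(text: str) -> bool:
    """Encoding must be lossless: decoding the entities must give back the original text."""
    return html.unescape(whitelist_html_encode(text)) == text


if __name__ == "__main__":
    # Full-width angle brackets (U+FF1C / U+FF1E) are not in the blacklist table.
    sample = "＜script＞ & <b>é</b>"
    print("whitelist:", whitelist_html_encode(sample))
    print("blacklist:", blacklist_html_encode(sample))
    print("round trip ok:", round_trips(sample))
```

The white-list encoder never needs updating when a new dangerous character is found, because nothing outside the list is ever emitted raw; the cost is a larger output for non-ASCII text, which is why AntiXSS offers separate encoders per context (HTML, attribute, URL, CSS, JavaScript) rather than one list for everything.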
18. Asafaweb
• Non-invasive vulnerability scanner
• Individual effort by security consultant Troy Hunt
• Good for "already in production" projects
• Baseline of scans for common ASP.NET configuration-related vulnerabilities
• Also checks for clickjacking and the HashDoS patch
• DEMO
19. CAT.NET & Binscope Binary Analyzer
• CAT.NET
• Identifies common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
• Works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing all of the methods contained within each.
• Binscope Binary Analyzer
• Verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with the MS-SDL.
• BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.
Note: Only compatible with Visual Studio 2005 and Visual Studio 2008
20. W3af.org
• w3af identifies more than 200 vulnerabilities and reduces your site's overall risk exposure.
• Open source Python-based core engine with a plug-in architecture
• w3af is a Web Application Attack and Audit Framework.
21. Acunetix
• Website analysis and vulnerability detection
• Comprehensive scanning for SQL Injection and Cross-Site Scripting (XSS) vulnerabilities
• Scans password-protected areas automatically as well
• Comprehensive reports for legal and regulatory compliance
• Includes an HTTP sniffer, HTTP fuzzer and blind SQL injector
• Detects HTTP Parameter Pollution (HPP) vulnerabilities
• Compare scans and find differences from previous scans
• Support for CAPTCHA, Single Sign-On and two-factor authentication mechanisms
22. NetSparker
• The only false-positive-free web application security scanner
• Ajax/JavaScript support
• Supports Basic, Forms, NTLM, Digest and Kerberos authentication
• Vulnerability retest
• Also supports manual testing
• Support for reporting against well-known compliance specifications such as PCI, OWASP and CAPEC
• Custom reports
23. Resources
• OWASP (Open Web Application Security Project):
https://www.owasp.org
• XSS-Me
https://addons.mozilla.org/en-us/firefox/addon/xss-me/
• SQL Inject Me
• Microsoft Security
http://www.microsoft.com/security
http://www.Microsoft.com/sdl
• Wikipedia:
http://en.wikipedia.org/wiki/Threat_model
24.
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com