Application Security-III
Security Analysis Tools
Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com
Overview
• OWASP Top 10 Threats
• Security Analysis Tools Landscape
• Attack Simulation Tools
• Defense Assisting Tools
• Risk mitigation for Injection Attacks
• Risk mitigation for XSS Attacks
• Resources
OWASP Top 10 Threats
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
OWASP Top 10 Threats
• Sensitive Data Exposure
• Missing Function Level Access Control (e.g. Failure to Restrict URL Access)
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities (e.g. Security Misconfiguration)
• Unvalidated Redirects and Forwards
Security Analysis Tools Landscape
XSS Me
• XSS-Me is a Firefox add-on used to test for reflected Cross-Site Scripting (XSS). It does not currently test for stored XSS.
• It is only used for run-time application security testing and is not related to static code analysis.
• The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack.
• XSS Filter Evasion Cheat Sheet:
• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Devise your own attack! http://ha.ckers.org/xsscalc.html
XSS Me
• Demo Website
http://www.testfire.net
• Search for Normal string
http://www.testfire.net/search.aspx?txtSearch=test
• Search for XSS induced attack
http://www.testfire.net/search.aspx?txtSearch=<script>alert('xss')</script>
SQL Inject Me
• SQL Inject Me is a Firefox add-on used to test for SQL Injection.
• It is only used for run-time application security testing.
• The tool works by submitting your HTML forms and substituting the
form value with strings that are representative of an SQL Injection
attack.
• Advanced attacks, such as blind SQL injection, may require additional
manual testing (e.g. attempting to bypass authentication).
SQL Inject Me
• Demo Website
http://testfire.net/bank/login.aspx
• UserName/Password: Jsmith/Demo1234. After login, navigate to the following page:
http://testfire.net/bank/transaction.aspx
• Observe the ‘After’ field:
• Normal input: 01/01/2013
• Injection test input: 01/01/2006 union select userid,null,username+','+password,null from users--
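The ‘After’ field demo above works because the date reaches the database as part of the SQL text. The following is an added example (not code from the slides or from testfire.net) that reproduces that defect against a constructed in-memory SQLite database and shows the two mitigations the deck's "Risk mitigation for Injection Attacks" item refers to: validating the input's shape and binding it as a parameter. The table names, rows and the `UNION_INPUT` string are all constructed for the demo; the test string follows the union-select style of the slide but is adapted to SQLite syntax.

```python
import re
import sqlite3

# Constructed input in the union-select style shown on the slide above, adapted to
# SQLite syntax. It is only ever run against the in-memory sample database below.
UNION_INPUT = "2013-01-01' UNION SELECT userid, username, password, NULL FROM users --"

# Shape check for the 'After' field: an ISO date and nothing else.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def make_demo_db():
    """Build an in-memory database with constructed sample rows (not testfire data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userid INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'jsmith', 'hash-of-demo1234');
        INSERT INTO users VALUES (2, 'bsmith', 'hash-of-other');
        CREATE TABLE transactions (txid INTEGER, txdate TEXT, account TEXT, amount REAL);
        INSERT INTO transactions VALUES (100, '2013-01-05', 'acct-1', 25.00);
        INSERT INTO transactions VALUES (101, '2013-02-10', 'acct-1', 99.50);
        INSERT INTO transactions VALUES (102, '2005-12-31', 'acct-1', 10.00);
    """)
    return conn


def transactions_after_vulnerable(conn, after):
    """VULNERABLE: the 'After' value is spliced into the SQL text, so it can close
    the quoted literal and append a UNION that reads a different table."""
    sql = ("SELECT txid, txdate, account, amount FROM transactions "
           "WHERE txdate > '" + after + "'")
    return conn.execute(sql).fetchall()


def transactions_after_safe(conn, after):
    """SAFE: reject anything that is not a date, then bind the value as a
    parameter so the driver never interprets it as SQL."""
    if not DATE_RE.match(after):
        raise ValueError("after must be an ISO date (YYYY-MM-DD)")
    sql = ("SELECT txid, txdate, account, amount FROM transactions "
           "WHERE txdate > ?")
    return conn.execute(sql, (after,)).fetchall()


def leaked_usernames(rows):
    """Usernames that show up in a result set that should hold only transactions."""
    return sorted(r[1] for r in rows if r[1] in ("jsmith", "bsmith"))


def safe_rejects(conn, value):
    """True when the hardened query refuses the value instead of executing it."""
    try:
        transactions_after_safe(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    rows = transactions_after_vulnerable(db, UNION_INPUT)
    print("vulnerable query returned", len(rows), "rows; leaked:", leaked_usernames(rows))
    print("safe query rejects the same input:", safe_rejects(db, UNION_INPUT))
```

The validation step is deliberately strict: a date field has one legitimate shape, so anything else is an error, not something to sanitise. Parameter binding is the actual control; the regex only gives an earlier, cheaper failure and a clean log line.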
Hackbar
• Hackbar is the Firefox add on used to test for XSS and SQL Injection.
• It is useful while handcrafting attacks or doing penetration testing.
• Features include
• Loading URL
• Slicing URL
• Character encoding
• Executing crafted url request
Tamper Data
• Firefox add on used to modify HTTP Request and response
• Trace and time http request/response
• Modify POST parameters
• Add HTTP Headers
• Encode/Decode strings
• Limited ability for testing XSS and SQL Injection
Cookie Manager +
• Firefox add-on used to view, modify, create, back up and restore cookies.
• Features include
• Ability to filter cookies based on domain
• Option to back up and restore cookies
• Ability to change the expiry date in a cookie's Expires attribute
Wappalyzer
• Firefox add-on for revealing the internals of websites/web applications
• Analyzes the DOM and HTTP response headers and identifies the libraries, frameworks and components used to build the website
• Once an attacker has details about the internal components, s/he can use that information to exploit known vulnerabilities in those components, libraries, frameworks or servers
FxCop
• Static code analysis tool for applications written for the Microsoft .NET Framework
• Has security and security transparency rules
• Determines whether HTML output includes input parameters from:
• Form fields
• Query strings
• Databases and data access methods
• The cookie collection
• Session and application variables
Fiddler Plugin: Ammonite
• URL: http://ammonite.ryscc.com/
• Paid web security tool
• Detects critical vulnerabilities
• Ultimate control: manual and automatic modes for testing
• Fuzzes multiple request formats
• Ammonite understands how to stuff faults into XML, JSON, URL-encoded and multi-part POST bodies.
• Tests all request sections, including cookies, headers, URL path elements (RESTful apps), query string and request body.
• Passive checks that scan responses for credit card numbers, hidden form fields, HTTP/500 errors and verbose error messages.
• Exports results as an HTML report
Fiddler Plugin: Watcher
• URL: http://websecuritytool.codeplex.com
• Free Web Security Tool
• Passively monitors traffic for 40+ checks
• Can also work offline on SAZ files from Fiddler
• Results of the various checks can be exported as HTML or XML
• DEMO
• Live session
• Report
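The passive checks that Ammonite and Watcher run over captured traffic, and the header-based fingerprinting Wappalyzer relies on, are all inspections of responses you already have. The following added example (not code from either Fiddler plugin or from Wappalyzer) runs a small set of such checks over constructed sample responses: version-revealing headers, HTTP 5xx status, verbose error text, hidden form fields, and Luhn-validated card numbers in the body. The hostname `example.test`, the header values and the bodies are all made up for the demo.

```python
import re

# Constructed sample responses (status, headers, body); nothing here was captured
# from a real site, and example.test is a placeholder host.
SAMPLE_RESPONSES = [
    {
        "url": "http://example.test/search.aspx?txtSearch=test",
        "status": 200,
        "headers": {"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET",
                    "X-AspNet-Version": "2.0.50727", "Content-Type": "text/html"},
        "body": '<html><form><input type="hidden" name="isAdmin" value="0">'
                'Card on file: 4111 1111 1111 1111</form></html>',
    },
    {
        "url": "http://example.test/bank/transaction.aspx",
        "status": 500,
        "headers": {"Content-Type": "text/html"},
        "body": "<html>Server Error in '/' Application. System.Data.SqlClient.SqlException: "
                "Unclosed quotation mark after the character string"
                "<pre>   at Bank.Transactions.Page_Load(Object sender)</pre></html>",
    },
    {
        "url": "http://example.test/index.html",
        "status": 200,
        "headers": {"Server": "nginx", "Content-Type": "text/html"},
        "body": "<html><p>Welcome</p></html>",
    },
]

# Headers that commonly carry product versions; a product name alone is not flagged.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
# Fragments that mark a stack trace or database error leaking into the page.
ERROR_MARKERS = ("Server Error in", "SqlException", "Stack Trace", "   at ", "ORA-", "syntax error")
# Candidate primary account number: 13-19 digits, optionally space/dash separated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def check_response(resp):
    """Return a list of (check, detail) findings for one response."""
    findings = []
    for h in VERSION_HEADERS:
        v = resp["headers"].get(h)
        if v and re.search(r"\d", v):  # only flag when a version number is present
            findings.append(("version-disclosure", "%s: %s" % (h, v)))
    if resp["status"] >= 500:
        findings.append(("http-5xx", str(resp["status"])))
    body = resp["body"]
    for marker in ERROR_MARKERS:
        if marker in body:
            findings.append(("verbose-error", marker.strip()))
            break
    for m in re.finditer(r'<input[^>]*type=["\']hidden["\'][^>]*>', body, re.I):
        name = re.search(r'name=["\']([^"\']+)', m.group(0))
        findings.append(("hidden-field", name.group(1) if name else "?"))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            # Report a masked form so the scanner's own output does not leak the PAN.
            findings.append(("card-number", digits[:6] + "..." + digits[-4:]))
    return findings


def scan(responses):
    """Map each URL to its findings; an empty list means the response was clean."""
    return {r["url"]: check_response(r) for r in responses}


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RESPONSES).items():
        print(url)
        for check, detail in findings:
            print("   ", check, "-", detail)
```

Two design points carry over to any passive scanner: flag versions, not product names, or every IIS and nginx response becomes noise; and mask anything sensitive you report, or the scan report itself becomes the data exposure.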
AntiXSS Library
• AntiXSS provides a myriad of encoding functions for Html, XML, Url, Form,
LDAP, CSS, JScript and VBScript encoding methods.
• White lists: AntiXSS differs from the standard .NET Framework encoding by using a white-list approach. All characters not on the white list are encoded using the correct rules for the encoding type.
• Secure globalization: an attack can be coded anywhere, and AntiXSS now protects against XSS attacks coded in dozens of languages.
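To make the white-list idea concrete, here is an added illustration (not the AntiXSS library's code) of context-specific encoders that emit only an allow-listed alphabet and turn every other character into an escape. It is contrasted with Python's `html.escape`, which like the standard .NET encoders only knows a fixed set of dangerous characters, and it ends with how the search page from the XSS Me demo should echo its query back. The allow-lists and the `render_search_echo` helper are assumptions chosen for the example.

```python
import html

# Allow-list for HTML text content: anything outside it becomes a numeric
# character reference. Deliberately small; this mirrors the approach the slide
# describes, not the library's exact table.
HTML_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_")
# Allow-list for a JavaScript string literal: letters, digits and space only.
JS_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")


def html_encode_allowlist(text):
    """HTML-encode by allow-list: non-listed characters become &#NNN; references.
    Covers the 'secure globalization' point too: non-Latin input is encoded
    rather than passed through, so script in any alphabet is neutralised."""
    return "".join(ch if ch in HTML_SAFE else "&#%d;" % ord(ch) for ch in text)


def html_encode_denylist(text):
    """Deny-list style encoder for comparison: only &, <, >, \" and ' are touched."""
    return html.escape(text, quote=True)


def js_string_encode_allowlist(text):
    """Encode for a JavaScript string literal using \\uXXXX escapes, with
    surrogate pairs for characters outside the Basic Multilingual Plane."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in JS_SAFE:
            out.append(ch)
        elif cp > 0xFFFF:
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


def render_search_echo(term):
    """How a search page should echo the user's query back into HTML text."""
    return '<p>Results for "%s"</p>' % html_encode_allowlist(term)


if __name__ == "__main__":
    sample = "<script>alert('xss')</script>"   # constructed input for the demo
    print(render_search_echo(sample))
    print(js_string_encode_allowlist("</script>"))
    print("deny-list leaves backtick alone:", html_encode_denylist("`"))
    print("allow-list encodes it:", html_encode_allowlist("`"))
```

The encoder must match the output context: HTML text, an attribute, a JavaScript string and a URL each need a different rule set, which is why the slide lists separate Html, Url, CSS and JScript encoders rather than one function.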
Asafaweb
• Non-invasive vulnerability scanner
• Individual effort from security consultant Troy Hunt
• Good for “already in production” projects
• Provides a baseline of scans for common ASP.NET configuration-related vulnerabilities
• Also checks for clickjacking and the Hash DoS patch
• DEMO
CAT.NET & BinScope Binary Analyzer
CAT.NET
• Identifies common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
• Works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing all of the methods contained within each.
BinScope Binary Analyzer
• Verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with the MS-SDL.
• BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.
Note: Only compatible with Visual Studio 2005 and Visual Studio 2008
W3af.org
• w3af helps identify more than 200 vulnerabilities and reduce your site’s overall risk exposure.
• Open-source, Python-based core engine with a plug-in architecture
• w3af is a Web Application Attack and Audit Framework.
Acunetix
• Website analysis and vulnerability detection
• Comprehensive scanning for SQL Injection and Cross-Site Scripting (XSS) vulnerabilities
• Scans password-protected areas automatically as well
• Comprehensive reports for legal and regulatory compliance
• Includes an HTTP sniffer, HTTP fuzzer and Blind SQL Injector
• Detects HTTP Parameter Pollution (HPP) vulnerabilities
• Compares scans and finds differences from previous scans
• Support for CAPTCHA, Single Sign-On and two-factor authentication mechanisms
NetSparker
• The only false-positive-free web application security scanner
• Ajax/JavaScript support
• Supports Basic, Forms, NTLM, Digest and Kerberos authentication
• Vulnerability retest
• Also supports manual testing
• Support for reporting against well-known compliance specifications like PCI, OWASP, CAPEC etc.
• Custom reports
Resources
• OWASP (Open Web Application Security Project):
https://www.owasp.org
• XSS-Me
https://addons.mozilla.org/en-us/firefox/addon/xss-me/
• SQL Inject Me
• Microsoft Security
http://www.microsoft.com/security
http://www.Microsoft.com/sdl
• Wikipedia:
http://en.wikipedia.org/wiki/Threat_model
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com

Contenu connexe

Tendances

Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDCThinqloud
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Security Automation using ZAP
Security Automation using ZAPSecurity Automation using ZAP
Security Automation using ZAPVaibhav Gupta
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Scaling-up and Automating Web Application Security Tech Talk
Scaling-up and Automating Web Application Security Tech TalkScaling-up and Automating Web Application Security Tech Talk
Scaling-up and Automating Web Application Security Tech TalkNetsparker
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
Tw noche geek quito webappsec
Tw noche geek quito   webappsecTw noche geek quito   webappsec
Tw noche geek quito webappsecThoughtworks
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Vasan Ramadoss
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL:  Busting Buzzwords & Building BetterPlatform Security IRL:  Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 

Tendances (20)

Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDC
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Security Automation using ZAP
Security Automation using ZAPSecurity Automation using ZAP
Security Automation using ZAP
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Scaling-up and Automating Web Application Security Tech Talk
Scaling-up and Automating Web Application Security Tech TalkScaling-up and Automating Web Application Security Tech Talk
Scaling-up and Automating Web Application Security Tech Talk
 
Web application security
Web application securityWeb application security
Web application security
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Tw noche geek quito webappsec
Tw noche geek quito   webappsecTw noche geek quito   webappsec
Tw noche geek quito webappsec
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL:  Busting Buzzwords & Building BetterPlatform Security IRL:  Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
 

Similaire à Application Security Tools

How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5Aditya Kamat
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdfnalla14
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 

Similaire à Application Security Tools (20)

How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdf
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
a
aa
a
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 

Plus de Lalit Kale

Serverless microservices
Serverless microservicesServerless microservices
Serverless microservicesLalit Kale
 
Develop in ludicrous mode with azure serverless
Develop in ludicrous mode with azure serverlessDevelop in ludicrous mode with azure serverless
Develop in ludicrous mode with azure serverlessLalit Kale
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Introduction To Microservices
Introduction To MicroservicesIntroduction To Microservices
Introduction To MicroservicesLalit Kale
 
Dot net platform and dotnet core fundamentals
Dot net platform and dotnet core fundamentalsDot net platform and dotnet core fundamentals
Dot net platform and dotnet core fundamentalsLalit Kale
 
Code refactoring
Code refactoringCode refactoring
Code refactoringLalit Kale
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Coding guidelines
Coding guidelinesCoding guidelines
Coding guidelinesLalit Kale
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelinesLalit Kale
 
State management
State managementState management
State managementLalit Kale
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Data normailazation
Data normailazationData normailazation
Data normailazationLalit Kale
 
Versioning guidelines for product
Versioning guidelines for productVersioning guidelines for product
Versioning guidelines for productLalit Kale
 
Bowling Game Kata by Robert C. Martin
Bowling Game Kata by Robert C. MartinBowling Game Kata by Robert C. Martin
Bowling Game Kata by Robert C. MartinLalit Kale
 
Domain Driven Design
Domain Driven DesignDomain Driven Design
Domain Driven DesignLalit Kale
 
Web 2.0 concept
Web 2.0 conceptWeb 2.0 concept
Web 2.0 conceptLalit Kale
 
Jump Start To Ooad And Design Patterns
Jump Start To Ooad And Design PatternsJump Start To Ooad And Design Patterns
Jump Start To Ooad And Design PatternsLalit Kale
 
How To Create Strategic Marketing Plan
How To Create Strategic Marketing PlanHow To Create Strategic Marketing Plan
How To Create Strategic Marketing PlanLalit Kale
 

Plus de Lalit Kale (20)

Serverless microservices
Serverless microservicesServerless microservices
Serverless microservices
 
Develop in ludicrous mode with azure serverless
Develop in ludicrous mode with azure serverlessDevelop in ludicrous mode with azure serverless
Develop in ludicrous mode with azure serverless
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Introduction To Microservices
Introduction To MicroservicesIntroduction To Microservices
Introduction To Microservices
 
Dot net platform and dotnet core fundamentals
Dot net platform and dotnet core fundamentalsDot net platform and dotnet core fundamentals
Dot net platform and dotnet core fundamentals
 
Code refactoring
Code refactoringCode refactoring
Code refactoring
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Coding guidelines
Coding guidelinesCoding guidelines
Coding guidelines
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
 
State management
State managementState management
State management
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Data normailazation
Data normailazationData normailazation
Data normailazation
 
Opps
OppsOpps
Opps
 
Versioning guidelines for product
Versioning guidelines for productVersioning guidelines for product
Versioning guidelines for product
 
Bowling Game Kata by Robert C. Martin
Bowling Game Kata by Robert C. MartinBowling Game Kata by Robert C. Martin
Bowling Game Kata by Robert C. Martin
 
Domain Driven Design
Domain Driven DesignDomain Driven Design
Domain Driven Design
 
Web 2.0 concept
Web 2.0 conceptWeb 2.0 concept
Web 2.0 concept
 
Jump Start To Ooad And Design Patterns
Jump Start To Ooad And Design PatternsJump Start To Ooad And Design Patterns
Jump Start To Ooad And Design Patterns
 
How To Create Strategic Marketing Plan
How To Create Strategic Marketing PlanHow To Create Strategic Marketing Plan
How To Create Strategic Marketing Plan
 

Dernier

UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 

Dernier (20)

UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Basic Building Blocks of Internet of Things.

Application Security Tools

1. Application Security-III: Security Analysis Tools
Lalit Kale, lalitkale@gmail.com, http://lalitkale.wordpress.com

2. Overview
• OWASP Top 10 Threats
• Security Analysis Tools Landscape
• Attack Simulation Tools
• Defense Assisting Tools
• Risk mitigation for Injection Attacks
• Risk mitigation for XSS Attacks
• Resources

3. OWASP Top 10 Threats
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration

4. OWASP Top 10 Threats (continued)
• Sensitive Data Exposure
• Missing Function Level Access Control (e.g. Failure to Restrict URL Access)
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities (e.g. Security Misconfiguration)
• Unvalidated Redirects and Forwards

6. XSS Me
• XSS-Me is a Firefox add-on used to test for reflected Cross-Site Scripting (XSS). It does not currently test for stored XSS.
• It is only used for run-time application security testing and is not related to static code analysis.
• The tool works by submitting your HTML forms and substituting the form values with strings that are representative of an XSS attack.
• XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Devise your own attack: http://ha.ckers.org/xsscalc.html

7. XSS Me (demo)
• Demo website: http://www.testfire.net
• Search for a normal string: http://www.testfire.net/search.aspx?txtSearch=test
• Search with an XSS payload: http://www.testfire.net/search.aspx?txtSearch=<script>alert('xss')</script>

8. SQL Inject Me
• SQL Inject Me is a Firefox add-on used to test for SQL Injection.
• It is only used for run-time application security testing.
• The tool works by submitting your HTML forms and substituting the form values with strings that are representative of a SQL Injection attack.
• Advanced attacks, such as blind SQL injection, may require additional manual testing (e.g. attempting to bypass authentication).

9. SQL Inject Me (demo)
• Demo website: http://testfire.net/bank/login.aspx
• Username/password: Jsmith/Demo1234. After login, navigate to http://testfire.net/bank/transaction.aspx
• Observe the 'After' field:
• Normal input: 01/01/2013
• Injected input: 01/01/2006 union select userid,null,username+','+password,null from users--
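The demo on slide 9 works because the 'After' value is spliced into the SQL text, so a UNION can pull rows from the users table into the transaction listing. The slides list "risk mitigation for injection attacks" in the overview but do not show it; the following Python script is an added example (not from the slides and not testfire.net's code) that builds a constructed in-memory SQLite database with the same shape as the demo page and contrasts the concatenated query with a parameterised one, plus date validation as a second layer. The payload is rewritten for SQLite syntax (`||` instead of T-SQL's `+`, a closing quote to escape the literal) and the table contents are invented for this example.

```python
import sqlite3
from datetime import datetime

# Constructed sample schema and rows (assumptions for this example, not testfire data).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(userid INTEGER, username TEXT, password TEXT);
        CREATE TABLE transactions(id INTEGER, txdate TEXT, description TEXT, amount REAL);
        INSERT INTO users VALUES (1, 'alice', 's3cret-hash');
        INSERT INTO transactions VALUES (1, '2012-06-30', 'Rent', -900.0);
        INSERT INTO transactions VALUES (2, '2013-02-15', 'Salary', 2500.0);
        INSERT INTO transactions VALUES (3, '2013-03-01', 'Groceries', -80.5);
        """
    )
    return conn

# SQLite-flavoured version of the slide-9 payload (constructed for this example).
PAYLOAD = (
    "2013-01-01' UNION SELECT userid, NULL, username || ',' || password, NULL "
    "FROM users --"
)

def transactions_after_unsafe(conn: sqlite3.Connection, after: str) -> list:
    """The 'before' picture: user input becomes part of the SQL statement itself."""
    sql = (
        "SELECT id, txdate, description, amount FROM transactions "
        f"WHERE txdate >= '{after}'"
    )
    return conn.execute(sql).fetchall()

def transactions_after_param(conn: sqlite3.Connection, after: str) -> list:
    """Parameterised query: the value is bound as data, never parsed as SQL.
    The whole payload string is simply compared against txdate as text."""
    return conn.execute(
        "SELECT id, txdate, description, amount FROM transactions WHERE txdate >= ?",
        (after,),
    ).fetchall()

def parse_after_date(value: str) -> str:
    """Allow-list validation: only a real YYYY-MM-DD date is accepted.
    Anything else (including the payload) raises ValueError."""
    return datetime.strptime(value, "%Y-%m-%d").date().isoformat()

def transactions_after_safe(conn: sqlite3.Connection, after: str) -> list:
    """Defence in depth: validate the input type, then bind it as a parameter."""
    return transactions_after_param(conn, parse_after_date(after))

def leaks_credentials(rows: list) -> bool:
    """Detection helper for the demo: does any returned row carry a users-table value?"""
    return any("s3cret-hash" in str(row[2]) for row in rows)

if __name__ == "__main__":
    db = build_db()
    print("unsafe:", transactions_after_unsafe(db, PAYLOAD))
    print("parameterised:", transactions_after_param(db, PAYLOAD))
    try:
        transactions_after_safe(db, PAYLOAD)
    except ValueError as exc:
        print("validated: rejected ->", exc)
```

Running the script shows the concatenated query returning the two 2013 transactions plus a row containing `alice,s3cret-hash`, while the parameterised query returns only the two transactions (the payload is compared as an ordinary string) and the validated version refuses the input outright. A tool like SQL Inject Me is exercising exactly this difference: when its substituted form values change the result set or the error text, the input is reaching the SQL parser.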
10. Hackbar
• Hackbar is a Firefox add-on used to test for XSS and SQL Injection.
• It is useful while handcrafting attacks or doing penetration testing.
• Features include:
• Loading a URL
• Slicing a URL
• Character encoding
• Executing a crafted URL request

11. Tamper Data
• Firefox add-on used to modify HTTP requests and responses
• Trace and time HTTP requests/responses
• Modify POST parameters
• Add HTTP headers
• Encode/decode strings
• Limited ability for testing XSS and SQL Injection

12. Cookie Manager+
• Firefox add-on used to view, modify, create, back up and restore cookies.
• Features include:
• Ability to filter cookies by domain
• Option to back up and restore cookies
• Ability to change the expiry date in a cookie's expires attribute

13. Wappalyzer
• Firefox add-on for revealing the internals of websites/web applications
• Analyzes the DOM and HTTP response headers and identifies the libraries, frameworks and components used to build the site
• Once an attacker knows the internal components, s/he can use that information to exploit known vulnerabilities in those components, libraries, frameworks or servers

14. FxCop
• Static code analysis tool for applications written for the Microsoft .NET Framework
• Has security and security transparency rules
• Determines whether HTML output includes input parameters from:
• Form fields
• Query strings
• Databases and data access methods
• The cookie collection
• Session and application variables

15. Fiddler plugin: Ammonite
• URL: http://ammonite.ryscc.com/
• Paid web security tool
• Detects critical vulnerabilities
• Ultimate control: manual and automatic modes for testing
• Fuzzes multiple request formats: Ammonite understands how to stuff faults into XML, JSON, URL-encoded and multi-part POST bodies.
• Tests all request sections, including cookies, headers, URL path elements (RESTful apps), query string and request body.
• Passive checks that scan responses for credit card numbers, hidden form fields, HTTP/500 errors and verbose error messages.
• Exports results as an HTML report

16. Fiddler plugin: Watcher
• URL: http://websecuritytool.codeplex.com
• Free web security tool
• Passively monitors traffic for 40+ checks
• Can also work offline on SAZ files from Fiddler
• Results of the various checks can be exported as HTML or XML
• DEMO: live session, report
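Slides 15 and 16 describe passive checks: nothing is sent to the application, captured responses are simply inspected for signs of trouble. The script below is an added example (my own code, not Ammonite's or Watcher's) that implements four of the checks named on slide 15 over constructed HTTP responses: an HTTP 5xx status, verbose error text, hidden form fields, and credit-card-like numbers. Card-number candidates are filtered with a Luhn check so that arbitrary 16-digit reference numbers do not produce false positives, and matches are masked in the finding. The marker strings and the sample bodies are assumptions made for this example.

```python
import re

# 13-16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
# <input ... type=hidden ...> in any attribute order and quoting style.
HIDDEN_RE = re.compile(r"<input\b[^>]*\btype\s*=\s*['\"]?hidden['\"]?[^>]*>", re.I)
NAME_RE = re.compile(r"\bname\s*=\s*['\"]?([^'\" >]+)", re.I)
# Text fragments that typically indicate a verbose server-side error page (assumed list).
VERBOSE_ERROR_MARKERS = (
    "Server Error in '/' Application",
    "Exception Details:",
    "Stack Trace:",
    "You have an error in your SQL syntax",
    "Traceback (most recent call last)",
)

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def find_card_numbers(body: str) -> list:
    """Return digit strings that look like card numbers and pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found

def mask(digits: str) -> str:
    """Keep only the BIN and last four digits in the finding text."""
    return digits[:6] + "..." + digits[-4:]

def passive_checks(status: int, body: str) -> list:
    """Inspect one already-captured response; returns (check, detail) tuples."""
    findings = []
    if status >= 500:
        findings.append(("http-5xx", str(status)))
    for marker in VERBOSE_ERROR_MARKERS:
        if marker in body:
            findings.append(("verbose-error", marker))
    for m in HIDDEN_RE.finditer(body):
        name = NAME_RE.search(m.group(0))
        findings.append(("hidden-field", name.group(1) if name else "<unnamed>"))
    for digits in find_card_numbers(body):
        findings.append(("card-number", mask(digits)))
    return findings

# Constructed sample responses (not captured from any real site).
ERROR_BODY = """<html><body><h1>Server Error in '/' Application.</h1>
<b>Exception Details:</b> System.NullReferenceException: Object reference not set
<b>Stack Trace:</b> at Bank.Transactions.Page_Load(Object sender, EventArgs e)
</body></html>"""

FORM_BODY = """<form action="/bank/transfer.aspx" method="post">
<input type="hidden" name="accountId" value="800001">
<input type="text" name="amount">
<p>Card on file: 4111 1111 1111 1111</p>
<p>Reference: 4111 1111 1111 1112</p>
</form>"""

if __name__ == "__main__":
    for status, body in ((500, ERROR_BODY), (200, FORM_BODY)):
        for check, detail in passive_checks(status, body):
            print(f"{status}: {check} -> {detail}")
```

The second sample body shows why the Luhn filter matters: the two numbers differ only in their last digit, and only the one that checks out is reported. A hidden field is reported for review rather than as a vulnerability in itself; the finding tells the tester which server-side state (here an account id) is round-tripping through the client and deserves a tamper test.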
17. AntiXSS Library
• AntiXSS provides a myriad of encoding functions: HTML, XML, URL, form, LDAP, CSS, JScript and VBScript encoding methods.
• White lists: AntiXSS differs from the standard .NET Framework encoding by using a white-list approach. All characters not on the white list are encoded using the correct rules for the encoding type.
• Secure globalization: an attack can be coded in any language, and AntiXSS now protects against XSS attacks coded in dozens of languages.
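The slide's white-list point is easiest to see next to the usual black-list encoder. As an added example (my own code, not the AntiXSS library), the Python below implements an allow-list HTML encoder: every character outside a small set of known-safe ASCII characters is emitted as a numeric character reference, so the output contains no markup-significant characters regardless of script or language. The allow-list itself is an assumption for this example; AntiXSS's real safe lists are larger and context-specific. `html.escape` stands in for the standard framework's black-list encoder, which only rewrites the five characters `& < > " '`.

```python
import html
import string

# Allow-list: letters, digits, space and a few punctuation characters that carry no
# meaning in HTML text or attribute context (assumed set for this example).
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " .,-_")

def html_encode_allowlist(text: str) -> str:
    """Encode every character not on the allow-list as a decimal character reference.
    Works per code point, so non-Latin scripts are encoded rather than passed through."""
    out = []
    for ch in text:
        if ch in SAFE_CHARS:
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")
    return "".join(out)

def html_encode_blocklist(text: str) -> str:
    """Black-list style: only the handful of characters html.escape knows about."""
    return html.escape(text, quote=True)

def is_allowlist_clean(encoded: str) -> bool:
    """Verification check: an allow-list encoder's output may contain only safe
    characters plus the '&', '#' and ';' used to spell character references."""
    return all(ch in SAFE_CHARS or ch in "&#;" for ch in encoded)

def round_trips(text: str) -> bool:
    """Encoding is lossless: a browser (or html.unescape) recovers the original text."""
    return html.unescape(html_encode_allowlist(text)) == text

if __name__ == "__main__":
    # Constructed inputs: the slide-7 style payload, attribute-breaking punctuation,
    # and a non-ASCII string to illustrate the "secure globalization" bullet.
    for sample in ("<script>alert('xss')</script>", 'a`b=c" onload', "Ünïcödé ünd 中文"):
        print(repr(sample))
        print("  blocklist:", html_encode_blocklist(sample))
        print("  allowlist:", html_encode_allowlist(sample))
```

The second sample is the instructive one: the black-list encoder leaves the backtick and the equals sign untouched because they are not on its list, whereas the allow-list encoder rewrites them because they are not on its list of known-good characters. That inversion of the default (encode unless proven safe) is what the slide means by the white-list approach, and it is why the output stays safe for scripts the encoder's author never considered.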
18. Asafaweb
• Non-invasive vulnerability scanner
• Individual effort from security consultant Troy Hunt
• Good for "already in production" projects
• Baseline of scans for common ASP.NET configuration-related vulnerabilities
• Also checks for clickjacking and the HashDoS patch
• DEMO

19. CAT.NET & BinScope Binary Analyzer
• CAT.NET identifies common variants of certain prevailing vulnerabilities that give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
• It works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing all of the methods contained within each.
• BinScope Binary Analyzer is a verification tool that analyzes binaries on a project-wide level to ensure they have been built in compliance with the MS-SDL.
• BinScope checks that SDL-required compiler/linker flags are set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.
• Note: only compatible with Visual Studio 2005 and Visual Studio 2008

20. w3af (w3af.org)
• w3af is a Web Application Attack and Audit Framework.
• Open-source, Python-based core engine with a plug-in architecture
• Use w3af to identify more than 200 vulnerabilities and reduce your site's overall risk exposure.

21. Acunetix
• Website analysis and vulnerability detection
• Comprehensive scanning for SQL Injection and Cross-Site Scripting (XSS) vulnerabilities
• Scans password-protected areas automatically as well
• Comprehensive reports for legal and regulatory compliance
• Includes an HTTP sniffer, HTTP fuzzer and blind SQL injector
• Detects HTTP Parameter Pollution (HPP) vulnerabilities
• Compares scans and finds differences from previous scans
• Support for CAPTCHA, single sign-on and two-factor authentication mechanisms

22. NetSparker
• The only false-positive-free web application security scanner
• Ajax/JavaScript support
• Supports Basic, Forms, NTLM, Digest and Kerberos authentication
• Vulnerability retest
• Also supports manual testing
• Support for reporting against well-known compliance specifications such as PCI, OWASP and CAPEC
• Custom reports

23. Resources
• OWASP (Open Web Application Security Project): https://www.owasp.org
• XSS-Me: https://addons.mozilla.org/en-us/firefox/addon/xss-me/
• SQL Inject Me
• Microsoft Security: http://www.microsoft.com/security, http://www.Microsoft.com/sdl
• Wikipedia: http://en.wikipedia.org/wiki/Threat_model

24. License
This presentation is shared under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information about this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/. All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Lalit Kale, lalitkale@gmail.com, http://lalitkale.wordpress.com