John-Reynders-Web-Security-Testing

Web Vulnerability
Assessments
NEWDUG
January, 2015
Agenda
• About
• Web Vulnerability Assessments
– Types
– SOW
– Steps
• Tools
• Demos
• Goals
– Demonstrate Web VA, show techniques Pen-testers and Hackers
use to find vulnerabilities in your sites
– Provide some techniques and tools to help secure your code
2
John Reynders
• Consultant with OpenSky Corp.
• Seven years experience in Web Security:
– Program Development
– Dynamic Testing
– Static Analysis
– Coding Standards
– Web Application Firewalls
• Eight years of general Information Security experience
3
OpenSky - An Award Winning Company
Everything starts with our people. Our success comes from their expertise and dedication
to always “doing the right thing” for our clients.
Our people
• Expert resources: CRN Tech Elite 250 (2013)
• Quality work environment: Top Workplace (2011, 2012, 2013)
Our people create top tier solutions
• GRC Solution Award with client Shire Pharmaceuticals: OCEG (2013)
Our people and our solutions create lasting relationships and new partners
• Multiple growth awards: Inc 500 (2012), CRN (2011, 2012), Marcum Tech Top 40 (2011, 2012)
4
Complete Solutions for Major Enterprises
Plan, Design & Migrate / Secure / Manage
Datacenter & Cloud Infrastructure Services
 Data Center and Cloud Integration
 Network Infrastructure
 Virtualization
 Storage and Computing
 Infrastructure Applications
 End-User Computing
IT Risk Management & Security Services
 Assessment and Advisory
 Application Secure Coding
 Vulnerability Assessment and Penetration Testing
 Security Program and Framework
 Technology Implementation and Engineering
 Mobile Device and Virtualization Security
Technical Business Consulting
 IT Transformation and Strategy
 Technical Project Management
 IT Supplier & Sourcing Management
 IT Expense Management
GRC Services
 GRC Strategy
 GRC Maturity Assessment
 GRC Configuration and Custom Development
5
Web Vulnerability Assessments
• Conducted against a contract with specific terms, most often
called the Statement of Work (SOW)
• Specify in the SOW:
– System to be tested (URL)
• Production or Non-Prod?
– Type and level of testing
• Level of Automated and Manual testing
• “Safe” Tests only?
– Hours for testing
• Nights only?
– Whitelist IP addresses in WAF, IPS?
– Special Concerns?
– The more information the better the assessment
6
Web Vulnerability Assessments
• Types of Application Security Testing:
– Dynamic Application Security Testing (DAST) “Black Box”
• Tests the running web site for vulnerabilities
• Simulates what a real attacker would do
– Static Application Security Testing (SAST) “White Box”
• Tests the source code for vulnerabilities
• A real attacker would likely not have access to the code; this method is
a different approach to identifying potential security flaws.
– Hybrid “Glass Box”
• Dynamic test against instrumented web server
– Manual testing can occur in each type
• Talk covers Dynamic Testing
– Some tools perform static analysis of JavaScript
7
“Typical” Web Assessment Steps
• Recon
– Site components and architecture
– Open ports?
• Hack the server
• Manually crawl site with an Intercepting Proxy
• Automated Scan of site
• Results verification – False positives removal
• Manual testing
– Things tools don’t do well
• Business Logic
• Privilege Escalation etc.
• Reporting
8
Recon
• Visit site
• Site information
– Netcraft, Shodan etc.
• Google Dorks
– Files, passwords, WSDL, Admin logons etc.
• Port Scan
– Nmap, Nessus, Qualys
– May perform an infrastructure vulnerability scan
• Missing patches, configuration issues etc.
• Check security configuration
9
Configuration Checkers
• Microsoft Web Application Configuration Analyzer
– Needs Admin on Server, Checks SQL Server too
– http://www.microsoft.com/enca/download/details.aspx?id=573
• Check Your Headers
– http://cyh.herokuapp.com/cyh
• SSL Labs
– https://www.ssllabs.com/ssltest/index.html
• ASAFAWEB
– https://asafaweb.com/
10
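The header checks these tools run can be reproduced locally against a response captured in an intercepting proxy. The following script is an added example, not code from the talk or from any of the tools listed; the two sample responses are constructed, and the HSTS max-age threshold is the script's own assumption.

```python
"""Security-header checker in the spirit of "Check Your Headers" (added example).

Feed it a raw HTTP response as captured in an intercepting proxy; it reports
missing or weak security headers. The two responses below are constructed for
illustration, and the HSTS threshold is this script's own assumption.
"""
import re

HSTS_MIN_AGE = 15552000  # 180 days; assumption, align with your policy


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def values(headers, name):
    """All values for a header name (case-insensitive); most appear once."""
    return [v for n, v in headers if n == name.lower()]


def check_headers(headers):
    """Return [(severity, finding), ...] for weak or missing security headers."""
    findings = []

    hsts = values(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append(("medium", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(("low", "Strict-Transport-Security max-age too short"))

    if not values(headers, "X-Frame-Options"):
        findings.append(("medium", "X-Frame-Options missing (clickjacking)"))

    xcto = values(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))

    if not values(headers, "Content-Security-Policy"):
        findings.append(("low", "Content-Security-Policy missing"))

    # Version strings in Server / X-Powered-By feed recon (Netcraft, Shodan, dorks)
    for v in values(headers, "Server"):
        if re.search(r"\d", v):
            findings.append(("info", "Server header discloses version: " + v))
    for v in values(headers, "X-Powered-By"):
        findings.append(("info", "X-Powered-By discloses platform: " + v))

    # Session cookies need Secure (no cleartext) and HttpOnly (no script access)
    for v in values(headers, "Set-Cookie"):
        name = v.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in v.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(("medium", "cookie %s lacks Secure flag" % name))
        if "httponly" not in attrs:
            findings.append(("medium", "cookie %s lacks HttpOnly flag" % name))
    return findings


# Constructed sample: a typical default IIS/ASP.NET response before hardening
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Microsoft-IIS/7.5",
    "X-Powered-By: ASP.NET",
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html>...</html>",
])

# Constructed sample: the same site after configuration fixes
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: web",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Frame-Options: DENY",
    "X-Content-Type-Options: nosniff",
    "Content-Security-Policy: default-src 'self'",
    "Set-Cookie: ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html>...</html>",
])


def report(raw):
    """Return the findings for a raw response."""
    return check_headers(parse_response(raw)[1])


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, parse_response(raw)[0])
        for severity, finding in report(raw):
            print("  [%s] %s" % (severity, finding))
```

Run it on a response saved from Burp or Fiddler and the weak sample yields eight findings; the hardened one yields none. The Server and X-Powered-By checks are there because version strings are exactly what the Recon step (Netcraft, Shodan, Google dorks) harvests.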
Crawl Site with Intercepting Proxies
• Burp*
– http://portswigger.net/
• Fiddler
– http://www.telerik.com/fiddler
• Zed Attack Proxy (ZAP)
– https://code.google.com/p/zaproxy/wiki/Downloads
* - Free and Professional versions
11
Intercepting Proxy
• An intercepting proxy man-in-the-middles all traffic between the browser and the server
• Hackers and testers can see and modify all data transmitted
• Hidden fields => NOT a security feature
12
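To make the hidden-field point concrete, here is an added example (not code from the talk): a checkout handler that trusts a hidden price field, beside one that recomputes the price server-side, fed the same POST body before and after a tester edits it in the proxy. The catalog and request bodies are constructed for the example.

```python
"""Hidden form fields are not a security control (added example).

An intercepting proxy lets the tester rewrite any POST body before it reaches
the server, so whatever the form carried in a hidden field arrives under
attacker control. The vulnerable handler trusts the hidden "price" field; the
fixed one recomputes price from a server-side catalog and validates quantity.
Catalog and request bodies are constructed for this example.
"""
from urllib.parse import parse_qs

CATALOG = {"42": 129.00, "77": 9.99}  # product_id -> unit price (constructed)


def parse_form(body):
    """Parse an application/x-www-form-urlencoded body into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body):
    """Trusts the price the HTML form shipped in <input type="hidden" name="price">."""
    form = parse_form(body)
    return round(float(form["price"]) * int(form["qty"]), 2)


def checkout_fixed(body):
    """Ignores any client-supplied price; every field is validated server-side."""
    form = parse_form(body)
    product_id = form.get("product_id")
    if product_id not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:  # blocks negative, zero and absurd quantities
        raise ValueError("invalid quantity")
    return round(CATALOG[product_id] * qty, 2)


# What the browser sent, and what the tester forwarded after editing it in the proxy
ORIGINAL_BODY = "product_id=42&qty=1&price=129.00"
TAMPERED_PRICE = "product_id=42&qty=1&price=0.01"
TAMPERED_QTY = "product_id=42&qty=-1&price=129.00"  # negative quantity: a refund?


def rejected(body):
    """True if the fixed handler refuses the request."""
    try:
        checkout_fixed(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for body in (ORIGINAL_BODY, TAMPERED_PRICE, TAMPERED_QTY):
        print(body)
        print("  vulnerable charges:", checkout_vulnerable(body))
        print("  fixed:", "rejected" if rejected(body) else checkout_fixed(body))
```

The negative-quantity case is the kind of business-logic flaw an automated scanner will not flag; it only shows up when a tester edits the request by hand and watches what the server does with it.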
Burp
13
Burp – Analyze Request & Response
14
Scan Site – Dynamic Scanners
• Acunetix
– http://www.acunetix.com/
• AppScan
– http://www-03.ibm.com/software/products/en/appscan
• WebInspect
– http://www8.hp.com/us/en/software-solutions/webinspectdynamic-analysis-dast/
• Burp & ZAP have scanning modules
15
AppScan
16
DEMO
17
Resources
OWASP - http://www.owasp.org/
– Cheat Sheets
• https://www.owasp.org/index.php/Cheat_Sheets
– Testing Guide
• https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
WASC - http://www.webappsec.org/
– Not updated recently but some good content
The Web Application Hacker's Handbook
– http://www.amazon.com/The-Web-Application-HackersHandbook/dp/1118026470
18
Contact Information
Email: jreynders@openskycorp.com
Web Site: http://www.openskycorp.com/
19