Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Slides:



Advertisements
Similar presentations
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Advertisements

EIONET Training Beginners Zope Course Miruna Bădescu Finsiel Romania Copenhagen, 27 October 2003.
E-Commerce CMM503 – Lecture 8 Stuart Watt Room C2.
Overview Environment for Internet database connectivity
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Testing Web Applications. Applications Architecture Client Server Architecture.
Win8 on Intel Programming Course Desktop : Sensors Cédric Andreolli Intel Software
OWASP Web Vulnerabilities and Auditing
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Internet Information Server (IIS)
Chapter 12 Extending Web Applications. ASP.NET 2.0, Third Edition2.
Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.
8/9/2015 1:47 AM SurveyCentralOverview.ppt CSC ©Copyright 2012 Online Survey Application: CSC Survey Central System Overview November 26, 2012 Supported.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SQL Server Reporting Services London Database Developer Forum Anoop Patel.
Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.
1 Web Server Concepts Dr. Awad Khalil Computer Science Department AUC.
Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
K. Jamroendararasame*, T. Matsuzaki, T. Suzuki, and T. Tokuda Department of Computer Science, Tokyo Institute of Technology, JAPAN Two Generators of Secure.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
CIS 375—Web App Dev II Microsoft’s.NET. 2 Introduction to.NET Steve Ballmer (January 2000): Steve Ballmer "Delivering an Internet-based platform of Next.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
XHTML Introductory1 Linking and Publishing Basic Web Pages Chapter 3.
JavaScript, Fourth Edition
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
 2001 Prentice Hall, Inc. All rights reserved. 1 Chapter 21 - Web Servers (IIS, PWS and Apache) Outline 21.1 Introduction 21.2 HTTP Request Types 21.3.
1 Accelerated Web Development Course JavaScript and Client side programming Day 2 Rich Roth On The Net
Web Indexing and Searching By Florin Zidaru. Outline Web Indexing and Searching Overview Swish-e: overview and features Swish-e: set-up Swish-e: demo.
Microsoft Exchange 2000 Service Pack 2 Features Mark Barringer Support Professional Enterprise Messaging Support Microsoft Corporation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
1 Maryland ColdFusion User Group Session Management December 2001 Michael Schuler
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Grid Chemistry System Architecture Overview Akylbek Zhumabayev.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Introducing ASP.NET 2.0. Internet Technologies WWW Architecture Web Server Client Server Request Response Network HTTP TCP/IP PC/Mac/Unix + Browser (IE,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies.
Implementing and Using the SIRWEB Interface Setup of the CGI script and web procfile Connecting to your database using HTML Retrieving data using the CGI.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Organisations and Data Management 1 Data Collection: Why organisations & individuals acquire data & supply data via websites 2Techniques used by organisations.
ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
(ITI310) By Eng. BASSEM ALSAID SESSIONS 10: Internet Information Services (IIS)
7-1 Active Server and ADO Colorado Technical University IT420 Tim Peterson.
27.1 Chapter 27 WWW and HTTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
1 Chapter 22 World Wide Web (HTTP) Chapter 22 World Wide Web (HTTP) Mi-Jung Choi Dept. of Computer Science and Engineering
Citrix MetaFrame Conferencing Manager 3.0 Codename – “Opal” Release Date – April 27, 2004.
PHP / MySQL Introduction
ASP.NET Module Subtitle.
E-commerce Infrastructure Web Servers / Web Clients / Web Browsers
Internet Basics and Information Literacy
Web Application Development Using PHP
Presentation transcript:

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit The OWASP Foundation OWASP Day Belgium - Sep OWASP Pantera Unleash Simon Roses Femerling OWASP Pantera Project Lead Security Technologist, Microsoft

OWASP Day – Belgium – Sep 2007 Intro - Who I am?  Security Technologist at Microsoft.  Former among others…  Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University at Boston, Massachusetts.  Natural from wonderful Mallorca Island in the Mediterranean Sea. 2

OWASP Day – Belgium – Sep Agenda  Pantera Overview  Pantera Features  Privacy Assessments  Demo  Q&A

OWASP Day – Belgium – Sep 2007 Pantera Overview 4

OWASP Day – Belgium – Sep 2007 Pantera Overview (I)  Pantera is not just another “proxy” but a Web Assessment Framework.  aka: Pantera – Web Assessment Studio (WAS)  Analysis Framework.  Born out of necessity.  Pantera Description:  Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. 5

OWASP Day – Belgium – Sep 2007 Pantera Overview (II)  Pantera works well with other proxies and is a complementary tool.  Pantera is 100% python and has been tested on:  Windows  Linux  MacOS  FreeBSD 6

OWASP Day – Belgium – Sep 2007 Pantera Overview (III)  Two main operational modes:  Cache  Project Session 7

OWASP Day – Belgium – Sep 2007 Pantera Architecture 8

OWASP Day – Belgium – Sep 2007 Pantera Workflow 9

OWASP Day – Belgium – Sep 2007 Pantera Goal  The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results. 10

OWASP Day – Belgium – Sep 2007 Pantera Features 11

OWASP Day – Belgium – Sep 2007 Pantera Features List  Session Management  Database support  Pantera Passive Analysis (PPA)  Import / Export  Spider  Data Miner  Visual Resource Icons (VRI)  Fingerprint (Cookies / Extensions)  Anti-IDS Generation  Statistics  The Snitch 12

OWASP Day – Belgium – Sep 2007 Pantera Feature – Session Management  An assessment is a project.  Manage your projects easily.  Under Project Session Mode you get the “whole enchilada”. 13

OWASP Day – Belgium – Sep 2007 Pantera Feature – Session Management 14

OWASP Day – Belgium – Sep 2007 Pantera Feature – Pantera Passive Analysis (PPA)  PPA is a passive analysis engine on the fly.  PPA checks are easy to write plug-ins.  Checks are divided into categories (17)  Forms / Authentication Forms  SSL   Cookies  More than 20+ checks available. 15

OWASP Day – Belgium – Sep 2007 Pantera Feature – Pantera Passive Analysis (PPA) 16

OWASP Day – Belgium – Sep 2007 Pantera Feature – Spider  Pantera now includes a Spider. (still in infancy)  Works in both operational modes.  Uses many smart gathering techniques:  Parse robots.txt  Parse sitemap  Parse JavaScript  Request Directory Index 17

OWASP Day – Belgium – Sep 2007 Pantera Feature – Data Miner  “Get what you want”.  Allows to get any information from the project.  s  IE. Query ”All links with forms”  Only place in Pantera to view all links.  Easy to use and powerful. 18

OWASP Day – Belgium – Sep 2007 Pantera Feature – Data Miner 19

OWASP Day – Belgium – Sep 2007 Pantera Feature – Visual Resource Icons (VRI)  The Visual Resource Icons are an easy and convenient way of quickly identify target page attributes.  More than +10 icons:  Target page has an object. (ActiveX, Java Applet, etc.)  Target page has Authorization Forms  Target page sets a Session ID  Target page has possible attack vectors (like forms, hidden tags, URL parameters, etc.) 20

OWASP Day – Belgium – Sep 2007 Pantera Feature – Fingerprint  Pantera can fingerprint:  File Extensions: +60 files.  Session ID: +40 applications.  Fingerprints are stored in XML files.  This information is used by many other Pantera features. 21

OWASP Day – Belgium – Sep 2007 Pantera Feature – Fingerprint ASPSESSIONID.*?(;| ) ASP.NET_SessionId.*?(;| ) PD-S-SESSION- ID.*?(;| ) PD_STATEFUL.*?(;| ) WEBTRENDS_ID.*?(;| ) sessionid.*?(;| ) _sn.*?(;| ) BCSI-.*?(;| ) CFID.*?(;| ) CFTOKEN.*?(;| ) 22

OWASP Day – Belgium – Sep 2007 Pantera Feature – Statistics  Very helpful to get a quick status on the project.  Divided into 5 sections:  General Information  Pages Extension Counter  Data gathered from Application  HTTP Return Codes Information  Links Information 23

OWASP Day – Belgium – Sep 2007 Pantera Feature – Statistics 24

OWASP Day – Belgium – Sep 2007 Pantera Feature – The Snitch  The Snitch is a gather of information.  It can currently gather:  Comments  Scripts  Links 25

OWASP Day – Belgium – Sep 2007 Pantera Feature – The Snitch 26

OWASP Day – Belgium – Sep 2007 Privacy Assessments 27

OWASP Day – Belgium – Sep 2007 Privacy Assessments (I)  PII – Personally Identifiable Information  Wikipedia: “Any piece of information which can be potentially be used to uniquely identify, contact, or locate a single person.”  Full Name  Telephone Number  Address  Street Address 28

OWASP Day – Belgium – Sep 2007 Privacy Assessments (II)  Sensitive PII  Medical/health condition  Racial origin  Political, religious and philosophical views  PIN  Passwords 29

OWASP Day – Belgium – Sep 2007 Privacy Assessments (III)  Not as sexy as pen-test but necessary.  Knowledge gap:  Security consultant  Clients  Many countries require by law privacy assessments (kind of).  Spain: LSSI / LPOD 30

OWASP Day – Belgium – Sep 2007 Privacy Assesments (IV)  Some things to look for (web apps):  Disclaimer  Site contains a disclaimer page  All pages link to the disclaimer  Is the disclaimer clear?  Legal Notice  What type of data is the app collecting  How is the site managing our information  Are we advised of any changes?  Is Sensitive PII transfer secure?  Why site needs Sensitive PII? 31

OWASP Day – Belgium – Sep 2007 Pantera Privacy Analysis  Pantera now includes privacy analysis feature!  PPA Privacy Category.  Currently 3 plugins:  Looks for disclaimers links  Checks if site uses P3P  Looks for US Social Security Numbers  New Privacy Analysis Page on the UI 32

OWASP Day – Belgium – Sep 2007 DEMOS 33

OWASP Day – Belgium – Sep 2007 The End  Q&A  Important: Beer / hard liquor (Vodka Lemon, Margaritas, Mojitos, you named it…) are always welcome  Simon Roses Femerling 34

OWASP Day – Belgium – Sep 2007 Pantera Resources  Official Website SP_Pantera_Web_Assessment_Studio_Project SP_Pantera_Web_Assessment_Studio_Project  Mailing list pantera pantera  Contact us 35

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.