By Josh Sokol

# whoami
- Josh Sokol
- B.S. in Computer Science
- Cisco Certified Network Associate (CCNA)
- SANS GIAC in Web Application Security (GWAS)
- Web Systems Engineer for National Instruments
- Own the Web Systems “Security Practice”

Some Questions To Be Answered
- What’s this proxy thing everyone is talking about?
- When and why should I use a proxy?
- My company doesn’t like to spend money on security, so why are you wasting my time?
- Talk is cheap… show me how it works!

What is a Proxy?
- A process that accepts requests for some service and passes them on to the real server.
(diagram: Request → Proxy → real server)

Types of Proxies
- Caching Proxy
- Web Proxy
- Content-filtering Web Proxy
- Anonymizing Proxy
- Hostile Proxy
- Intercepting Proxy
- Forced Proxy
- Open Proxy
- Reverse Proxy

Act I – Anonymizing Proxies (Firefox Extension: SwitchProxy; Tor and Privoxy)

Anonymizing Proxies
- Start Tor and Privoxy
- Select “Tor” from SwitchProxy
- Am I really anonymous? Kinda, but not really. My HTTP requests are being passed through the proxy, but what about DNS? Also, does my proxy know who I am? Yes!
Problems
- Speed
- False sense of security

Proxy 4 Free List

Act II – Reverse Proxies (Apache mod_proxy)

Reverse Proxies
ProxyRequests Off
ProxyPass
ProxyPassReverse
Order allow,deny
allow from all

Benefits of Reverse Proxies
- Single machine acts as a gateway to the real servers in the network.
- Use mod_cache (and mod_mem_cache) to keep static documents in memory.
- Single point of authentication
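Added example, not from the talk: a complete Apache 2.2-style mod_proxy gateway that puts the three benefits above into one configuration. Hostnames, URL paths and the htpasswd file are placeholders; the access-control syntax matches the talk's snippet (Order/Allow) rather than Apache 2.4's Require directives.

```apache
# Added example (not the talk's own config). Hostnames and paths are placeholders.

# Forward proxying stays OFF. With "ProxyRequests On" this gateway would be
# an open proxy that anyone on the Internet could relay traffic through.
# ProxyPass rules below work without it.
ProxyRequests Off
# Pass the original Host header through to the backends.
ProxyPreserveHost On

# Access control for proxied resources (applies to ProxyPass'd URLs too,
# so this must allow, otherwise the reverse proxy itself is blocked).
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>

# Benefit 1: one gateway in front of the real (internal) servers.
ProxyPass        /app1/ http://app1.internal.example/app1/
ProxyPassReverse /app1/ http://app1.internal.example/app1/
ProxyPass        /app2/ http://app2.internal.example/
ProxyPassReverse /app2/ http://app2.internal.example/

# Benefit 2: mod_cache + mod_mem_cache keep static documents in memory.
<IfModule mod_mem_cache.c>
    CacheEnable mem /app1/static/
    # total cache size in KB
    MCacheSize 4096
    # largest single object to cache, in bytes
    MCacheMaxObjectSize 65536
</IfModule>

# Benefit 3: single point of authentication. Auth on a <Location> also
# covers the proxied URLs beneath it.
<Location /app1/>
    AuthType Basic
    AuthName "Gateway login"
    AuthUserFile /etc/apache2/gateway.htpasswd
    Require valid-user
</Location>
```

The gateway only helps if the backends accept connections solely from it (host firewall or network ACL), otherwise the authentication can be bypassed by talking to app1.internal.example directly. On Apache 2.4 replace the Order/Allow pair with "Require all granted" and use mod_cache_disk or mod_cache_socache, since mod_mem_cache was removed.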

Act III – Intercepting Proxies (Firefox Extension: SwitchProxy; Extension: Tamper Data | Google Ratproxy | OWASP WebScarab)

Tamper Data
- Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters.
- Trace and time HTTP requests/responses.
- Security test web applications by modifying POST parameters.

Tamper Data Example
- Username: jsmith
- Password: Demo1234

Google Ratproxy
- A semi-automated, largely passive web application security audit tool, optimized for accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
- Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

Using Ratproxy with Cygwin
- Install Cygwin with make, gcc-core, openssl-dev, and the openssl utilities.
- Download Ratproxy.
- Modify the Makefile by removing “-Wno-pointer-sign”.
- Download the Flare ActionScript decompiler.
- “make” Ratproxy.
- Add the Cygwin libraries to your Windows PATH.

Google Ratproxy Example
- ratproxy.exe -v C:\cygwin -w ratproxy.log -p 8282 -d yourdomain.com -lfscm
- Tell SwitchProxy to use Ratproxy.
- Surf!
- sh ratproxy-report.sh ratproxy.log > report.html

OWASP WebScarab
- WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.
- In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.

OWASP WebScarab Example
- Start WebScarab.
- Check the “Proxy” tab to verify the port configuration.
- Tell SwitchProxy to use WebScarab.
- Surf.
- Change cookie information.
- Change GET/POST information.

OWASP WebScarab Example 2: Web Services
- Google search for inurl:”?wsdl”
- …rver/ndfdXMLserver.php?wsdl
- …eService/AWSECommerceService.wsdl

Other Cool Features of WebScarab
- Site Spider
- XSS/CSRF
- Session ID Analysis
- Fuzzer

Other FREE Proxy Software
- Paros: Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
- Burp Suite: Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.