Penetration testing – W3AF Tool


Penetration testing – W3AF Tool Pinzariu Marian – MISS 2 George Blendea – MISS 2

W3AF – About
W3AF = Web Application Attack and Audit Framework
Started in 2006 as an Open Source Project
Licensed under GPLv2.0
Entirely written using Python
Recently the adopted development process was TDD (Test Driven Development)

W3AF – Objectives
Create the biggest community of Web Application Hackers
Become the best Open Source Web Application Scanner
Become the best Web Application Exploitation Framework
Combine static code analysis and black box testing into one framework

W3AF – Extensible with Plugins

W3AF – Vulnerability Detection (Over 200)
SQL Injection
Cross Site Scripting / Cross-Site Request Forgery
DOM XSS
Buffer Overflow
Brute Force Authentication
Click Jacking
Cross Domain
Command Injection
XPath Injection
… and so on

W3AF – Supported Platforms
All Python supported platforms
Has been tested in various Linux Distributions, Mac OSX, FreeBSD and OpenBSD
Windows compatible, but not officially supported

W3AF – Ranking on sectools.org From 125 tools

W3AF – Installation

W3AF Usage – Find XSS and SQL injections 1) Set Target URL

W3AF Usage – Find XSS and SQL injections 2) Activate plugins for vulnerabilities that we want to detect

W3AF Usage – Find XSS and SQL injections 3) Save current settings (Optional)

W3AF Usage – Find XSS and SQL injections 4) Click “Play” and explore the results

Use case 1 – Full audit
Contains scans for a number of vulnerabilities: XSS, SQLi, CSRF, brute force

Use case 1 – Full audit Results are offered in tree view after scan is completed

Use case 1 – Full audit Request and location is indicated alongside the tree view

Use case 1 – Full audit
The w3af UI also returns a URL map on scan completion

Use case 2 – Brute force – Console interface
The console interface is straightforward
For performing a brute force vulnerability scan, the bruteforce plugins have to be enabled
Auth plugins can also be enabled for a deeper scan

Use case 2 – Brute force – Console interface
Once the target is set, we can run the scan
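The four GUI steps above (set target, enable plugins, save settings, run) and the console brute force use case can both be driven non-interactively with a w3af console script. The script below is an added example, not part of the original slides or the w3af project; it assumes `w3af_console` is on PATH, that the plugin and option names used (audit xss/sqli, bruteforce basic_auth/form_auth, the text_file output options) match your w3af version, and that the target is a lab application you own (http://localhost:8080/ is a placeholder).

```shell
#!/bin/sh
# Added example: generate a w3af console script and run it with "w3af_console -s".
# MODE is "audit" (XSS + SQLi, the GUI walkthrough) or "bruteforce" (use case 2).
# The script file is the saved-settings equivalent of the GUI's "Save" step.

# make_w3af_script MODE TARGET OUTFILE  -> writes the console script to OUTFILE
make_w3af_script() {
    mode="$1"; target="$2"; out="$3"
    case "$mode" in
        audit)      plugin_line="audit xss, sqli" ;;                       # assumed plugin names
        bruteforce) plugin_line="bruteforce basic_auth, form_auth" ;;      # assumed plugin names
        *)          echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    {
        echo "plugins"
        echo "output console, text_file"            # console + text report
        echo "output config text_file"
        echo "set output_file /tmp/w3af-$mode.txt"  # report path (constructed)
        echo "set verbose False"
        echo "back"
        echo "crawl web_spider"                     # discover URLs/forms first
        echo "$plugin_line"                         # step 2: activate plugins
        echo "back"
        echo "target"
        echo "set target $target"                   # step 1: set target URL
        echo "back"
        echo "start"                                # step 4: "Play"
        echo "exit"
    } > "$out"
}

# run_scan SCRIPT -> runs the scan if w3af_console is installed, else returns 2
run_scan() {
    if command -v w3af_console >/dev/null 2>&1; then
        w3af_console -s "$1"
    else
        echo "w3af_console not found; script left at $1" >&2
        return 2
    fi
}

# Usage: sh w3af_scan.sh audit http://localhost:8080/
if [ "$#" -eq 2 ]; then
    make_w3af_script "$1" "$2" "/tmp/w3af-$1.w3af" && run_scan "/tmp/w3af-$1.w3af"
fi
```

Review the generated file before running it, since everything w3af sends to the target (including brute force login attempts) is determined by the plugin lines it contains.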

W3AF – Comparison with other tools W3AF, Wapiti, Arachni, Websecurify, JSky

W3AF – Comparison with other tools

W3AF – Comparison with other tools

W3AF – Comparison with other tools 3/4

W3AF – Comparison with other tools Place 5/5

W3AF – Advantages/Disadvantages
Advantage: very modular and flexible (Python plugins are easy to integrate)
Disadvantage: not mature enough (number of false negatives is still high - 2011)

Thank you for your time!