Static Analysis for Dynamic Assessments Greg Patton | September 2014
Presentation transcript:

Static Analysis for Dynamic Assessments Greg Patton | September 2014

Agenda
Introduction
Background & observations
Static analysis for dynamic assessments – RIPSA tool
Takeaways

Introduction
Greg Patton
Mobile Delivery Manager, HP Fortify on Demand
Work on Fortify on Demand team
Web & mobile dynamic application testing
Attended first OWASP meeting on June 5, 2007 (Houston, TX)

BACKGROUND & OBSERVATIONS

Great divides
Security vs. Usability
Builders vs. Breakers
Dynamic vs. Static

Common dynamic challenges
Lack of complete security assessments – Few conduct static and dynamic assessments in concert
Client-side false negatives – Dynamic tools and tests miss stuff
“No source code available” – Dynamic testers rarely receive source code

A possible solution
Use static tools during dynamic assessments
Deeper analysis of JavaScript, HTML, XML, and other client-side files

STATIC ANALYSIS FOR DYNAMIC ASSESSMENTS

RIPSA
Accepts XML from Burp
– Target Site Map
– Proxy History
Parses and saves responses as individual files on the tester’s machine
Output files can be scanned with static tools and manually audited

Save Burp responses as XML

RIPSA

Evaluate XML
Save files locally

Statically analyze local files
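The three steps above (export Burp responses as XML, unpack them into local files, run static checks on the result) as an added, self-contained illustration. This is not RIPSA's code, which is not on the page; it is a small Python script written for this transcript. The sample responses are constructed, and the XML layout (`<items><item><url/><mimetype/><response base64="true"/></item></items>`) is an assumption about Burp's "Save items" export rather than something the slides document. The final pass is a deliberately crude lexical triage for the DOM-based XSS case the later slides mention: it only points a manual review at lines that combine a user-controlled source with an HTML or script sink.

```python
"""Turn a Burp Suite XML export (Target Site Map / Proxy History) into local
files and run a first static pass over the JavaScript that was saved.
Added illustration; RIPSA's own code is not on the page and is not used here."""
import base64
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample responses (not real captures). They are wrapped below in
# the assumed shape of Burp's "Save items" export, with base64 response bodies.
SAMPLE_RESPONSES = {
    "https://app.example.test/index.html": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html><script src="/static/app.js"></script><div id="greet"></div></html>'
    ),
    "https://app.example.test/static/app.js": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
        "var name = decodeURIComponent(location.hash.slice(1));\n"
        "document.getElementById('greet').innerHTML = 'Hi ' + name;\n"
    ),
}

def build_sample_export():
    """Serialize SAMPLE_RESPONSES into the assumed Burp export layout."""
    parts = ['<?xml version="1.0"?>', "<items>"]
    for url, raw in SAMPLE_RESPONSES.items():
        mime = "script" if url.endswith(".js") else "HTML"
        b64 = base64.b64encode(raw.encode()).decode()
        parts.append(f"<item><url><![CDATA[{url}]]></url><mimetype>{mime}</mimetype>"
                     f'<response base64="true"><![CDATA[{b64}]]></response></item>')
    parts.append("</items>")
    return "\n".join(parts)

def parse_burp_export(xml_text):
    """Return [(url, mimetype, raw_response_bytes)] for every <item> with a response."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        resp = item.find("response")
        if resp is None or not resp.text:
            continue  # request with no recorded response: nothing to save
        text = resp.text.strip()
        raw = base64.b64decode(text) if resp.get("base64") == "true" else text.encode()
        items.append((item.findtext("url", ""), item.findtext("mimetype", ""), raw))
    return items

def split_response(raw):
    """Separate the HTTP header block from the body (CRLF or bare LF)."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        head, found, body = raw.partition(sep)
        if found:
            return head, body
    return b"", raw

def local_path_for(url, outdir):
    """Map a URL to <outdir>/<host>/<path>. Directory URLs become index.html,
    unsafe characters and '..' are neutralised, query variants get a hash suffix."""
    p = urlparse(url)
    path = p.path or "/"
    if path.endswith("/"):
        path += "index.html"
    safe = re.sub(r"[^A-Za-z0-9._/-]", "_", path).lstrip("/").replace("..", "_")
    if p.query:
        root, ext = os.path.splitext(safe)
        safe = f"{root}__{hashlib.sha256(p.query.encode()).hexdigest()[:8]}{ext}"
    return os.path.join(outdir, p.netloc.replace(":", "_"), safe)

def save_responses(items, outdir):
    """Write each response body to disk; returns the list of files written."""
    written = []
    for url, _mime, raw in items:
        _head, body = split_response(raw)
        dest = local_path_for(url, outdir)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(body)
        written.append(dest)
    return written

# Lexical DOM-XSS triage: a user-controlled source anywhere in the file plus a
# line touching an HTML/script sink. It narrows a manual review; it is not a
# substitute for a real static analyser such as the tools named on the slides.
SOURCES = ("location.hash", "location.search", "document.URL",
           "document.referrer", "window.name")
SINKS = ("innerHTML", "outerHTML", "insertAdjacentHTML", "document.write",
         "eval(", "setTimeout(")

def triage_dom_xss(js_text):
    """Return [(line_no, sink, line)] for sink lines, or [] if no source is present."""
    if not any(src in js_text for src in SOURCES):
        return []
    return [(n, sink, line.strip())
            for n, line in enumerate(js_text.splitlines(), 1)
            for sink in SINKS if sink in line]

def run_demo(outdir=None):
    """End to end: parse the export, save bodies locally, triage the JS/HTML files."""
    outdir = outdir or tempfile.mkdtemp(prefix="burp_static_")
    written = save_responses(parse_burp_export(build_sample_export()), outdir)
    findings = {}
    for path in written:
        if path.endswith((".js", ".html", ".htm")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = triage_dom_xss(fh.read())
            if hits:
                findings[path] = hits
    return {"outdir": outdir, "written": written, "findings": findings}

if __name__ == "__main__":
    result = run_demo()
    print("saved", len(result["written"]), "files under", result["outdir"])
    for path, hits in result["findings"].items():
        print(path, hits)
```

With a real export, replace `build_sample_export()` with the contents of the file Burp wrote, keep the host/path layout (it lets a scanner's findings be traced back to the URL they came from), and point Fortify SCA, JSHint or a similar tool at the output directory; the triage function is only there to show what the saved files make possible.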

DEMO: RIPSA RESPONSE INTERPRETATION AND PREPARATION FOR STATIC ANALYSIS

#Winning
Reduces potential false negatives by increasing the breadth of dynamic web assessments
Utilizes information from Burp Suite that dynamic testers already collect
Pairs part of a static assessment with a full dynamic web assessment

#Winning
Static tools – Fortify SCA, FxCop, JSHint, etc.
JavaScript analysis – DOM based XSS
Silverlight analysis
Gather and group files
– .dll files for disassembly
– .pdf files for strings analysis

TAKEAWAYS

Takeaways
Embrace static
Use static tools and techniques to dig deeper into client-side & DOM results
– Use automated static tools
– Disassemble and decompile Java, Silverlight, Flash, etc.

Takeaways
Embrace static
Use static information to assist with content discovery
– Map application
– Identify files and targets
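The "map application" takeaway, as an added example that is not part of the deck and not RIPSA's code: once responses sit on disk, the HTML attributes and string literals in them can be harvested into a list of in-scope endpoints and third-party references, which tells the tester what the dynamic crawl may have missed. The sample HTML and JavaScript fragments are constructed, and the scope rule (same host as the assessed application) is an assumption for the example.

```python
"""Harvest candidate URLs and paths from locally saved client-side files so a
dynamic tester can map the application and see which hosts are referenced.
Added example; constructed inputs, not captured traffic."""
import re
from urllib.parse import urljoin, urlparse

# Constructed fragments of the kind found in saved HTML and JS responses.
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<link rel="stylesheet" href="/static/site.css"></head>
<body><a href="/account/settings">Settings</a>
<a href="https://cdn.example.test/lib.js">lib</a></body></html>"""
SAMPLE_JS = """var api = '/api/v2/';
fetch(api + 'users', {method: 'GET'});
xhr.open('POST', '/api/v2/export?format=pdf');
var help = "https://app.example.test/help/admin.html";"""

# src/href/action attributes in markup.
ATTR_RE = re.compile(r"""(?:src|href|action)\s*=\s*["']([^"']+)["']""", re.I)
# Quoted string literals that look like a root-relative path or an absolute URL.
LITERAL_RE = re.compile(r"""["'](/[A-Za-z0-9._~/?=&%-]*|https?://[^"'\s]+)["']""")

def discover_references(text, base_url):
    """Return the set of absolute URLs referenced by text, resolved against
    base_url; javascript:, mailto:, data: and fragment-only links are skipped."""
    found = set()
    for ref in ATTR_RE.findall(text) + LITERAL_RE.findall(text):
        if ref.lower().startswith(("javascript:", "mailto:", "data:", "#")):
            continue
        found.add(urljoin(base_url, ref))
    return found

def group_by_host(urls, in_scope_host):
    """Split references into in-scope (same host) and third-party lists, with
    the query string stripped so variants of one endpoint collapse together."""
    in_scope, external = set(), set()
    for u in urls:
        p = urlparse(u)
        clean = f"{p.scheme}://{p.netloc}{p.path}"
        (in_scope if p.netloc == in_scope_host else external).add(clean)
    return sorted(in_scope), sorted(external)

def run_demo():
    """Map the two constructed files against the assumed in-scope host."""
    base = "https://app.example.test/index.html"
    refs = discover_references(SAMPLE_HTML, base) | discover_references(SAMPLE_JS, base)
    return group_by_host(refs, "app.example.test")

if __name__ == "__main__":
    in_scope, external = run_demo()
    print("in scope:", *in_scope, sep="\n  ")
    print("third party:", *external, sep="\n  ")
```

On a real run, feed every saved `.html` and `.js` file through `discover_references` with the URL it was fetched from, then compare the in-scope list against Burp's site map: anything present here but absent there is content the crawler never reached and a candidate for the dynamic test plan.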

Call to the community
ZAP extensions
– Save responses as local files?
– Static scanning signatures?
Other ideas?

Special thanks to Sam Denard and David Nester

Reach out