Slide 1: Web Application Penetration Testing
Frugal Web Application Penetration Testing (BSides 2017)
Slide 2: Who are we?
- Information Security Consultants
- Web Application Penetration Testers
- Padawan Hackers
- Harshal Chandorkar
- Natalia Wadden
Slide 3: How did we get here? Take a ride with us…
Slide 4: Lone Soldier
Penetration tests executed by vendors include:
- Severity ratings
- Risk ratings
- Scope
- False positives
- Quality and POC
- Cost
Let's see if we can go head to head:
- Execute pentest
- Adjust ratings/risks
- Capture full scope
- Eliminate false positives
- Provide POCs
Slide 5: Readying the Army on a Shoestring Budget
- Interest
- Desire to learn
- Perseverance
- Technical skills assessment
- Training: open-source, free (e.g. DVWA, Mutillidae, Metasploitable, Security Shepherd)
- Day-to-day technical challenges (e.g. incident handling)
- Hand holding
Slide 6: Maturing the Program
- Inventory of your web applications
- Planning
- Information gathering
- Execution of pentests
- Reporting
- Artifacts
- Metrics for senior management
Slide 7: The Dirty Talk About Time & Money
Slide 8: Security Testing Methodology Life Cycle (Planning, Gathering Information, Discovering Vulnerabilities, Reporting Findings, Walkthrough)
Planning:
- Working with the project team/support team to clearly define scope and rules of engagement
- Obtain written approval
- Confirm timing and agree on a schedule
Slide 9: Security Testing Methodology Life Cycle: Gathering Information
- Collecting and examining key information
- Environment walkthrough
- Review prior test results if available
- Obtain credentials if required
Slide 10: Security Testing Methodology Life Cycle: Discovering Vulnerabilities
- Finding existing vulnerabilities using manual and automated techniques
- OWASP Top 10
- Company-specific business logic
Slide 11: Security Testing Methodology Life Cycle: Reporting Findings
- Providing high-level findings, a detailed report and POC evidence
- PortSwigger Burp logs, SQLMap, XSSer
Slide 12: Security Testing Methodology Life Cycle: Walkthrough
- Walk through where the findings were found
- Demonstrate how bad it can be
Slide 13: Webapp Pentesting Tools
Frequently used: PortSwigger Burp Suite Professional, SQLMap
Supplemental: XSSer, Nikto, OWASP ZAP
Slide 14: A Few Burp Extenders That We Use
- CO2
- Active Scan++
- CSRF Scanner
- Code Dx
- Logger++
- Software Vulnerability Scanner
- Software Version Reporter
Slide 15: Webapp Pentest Report
Slide 16: Webapp Pentest Report
Slide 17: Sample: Webapp Pentest Framework based on OWASP Top 10
Web methods: Did the tester note which basic web methods the site allows (e.g. PUT, GET, POST, HEAD, OPTIONS, DELETE)?
Reflected cross-site scripting: Did the tester input a payload? What was the result? Was it reflected? Did the tester view the source?
Clickjacking / cross-site framing (XSF): Is X-Frame-Options set to DENY or SAMEORIGIN? Was an HTML iframe POC created? Did it successfully load the site?
CSRF: Is the token randomly generated? Did the tester note whether CSRF is present on a GET request? Did the tester create a POC HTML file to execute against the site? Was the file successfully loaded on the site?
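The checklist items on this slide can be scripted against captured responses. This is an added example, not code from the presentation: it audits constructed sample responses for advertised PUT/DELETE methods, a missing or weak X-Frame-Options header, unencoded reflection of a harmless probe marker, and CSRF tokens that repeat across pages or travel in GET links. The csrf_token field name, the probe marker and the sample responses are assumptions.

```python
"""Audit captured HTTP responses against this slide's checklist (constructed samples)."""
import re
from collections import Counter

STATE_CHANGING = {"PUT", "DELETE"}  # methods a site should not advertise unless it needs them


def parse_response(raw):
    """Split a raw HTTP response into (status line, lowercased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_response(raw, probe_marker=""):
    """Checklist findings for one response; an empty list means every check passed."""
    _, headers, body = parse_response(raw)
    findings = []
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):  # anything else leaves the page frameable
        findings.append("X-Frame-Options missing or weak: " + (xfo or "<absent>"))
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    risky = sorted(allowed & STATE_CHANGING)  # Allow header as answered to an OPTIONS request
    if risky:
        findings.append("Allow header advertises " + ", ".join(risky))
    if probe_marker and probe_marker in body:  # marker came back without output encoding
        findings.append("probe marker reflected unencoded in body")
    return findings


def audit_csrf_tokens(responses, field="csrf_token"):
    """Across several responses: is the hidden token reused, and does it travel in GET links?"""
    bodies = [parse_response(raw)[2] for raw in responses]
    tokens = [t for b in bodies for t in re.findall(r'name="%s"\s+value="([^"]+)"' % field, b)]
    findings = []
    if any(re.search(r'href="[^"]*[?&]%s=' % field, b) for b in bodies):
        findings.append("CSRF token passed in a GET URL")
    if any(n > 1 for n in Counter(tokens).values()):
        findings.append("same CSRF token served on every page (not generated per request)")
    return findings


# Constructed samples: a weak response and a hardened one; "<probe7f3>" is a harmless marker.
WEAK = ("HTTP/1.1 200 OK\r\nAllow: GET, POST, PUT, DELETE\r\nContent-Type: text/html\r\n\r\n"
        '<form><input name="csrf_token" value="abc123"></form>'
        '<a href="/delete?csrf_token=abc123">x</a><p>Hello <probe7f3></p>')
HARDENED = ("HTTP/1.1 200 OK\r\nAllow: GET, POST\r\nX-Frame-Options: DENY\r\n\r\n"
            '<form><input name="csrf_token" value="9f2c0e"></form><p>Hello &lt;probe7f3&gt;</p>')
```

Run `audit_response(WEAK, "<probe7f3>")` and `audit_csrf_tokens([WEAK, WEAK])` to see the three header/body findings and both CSRF findings; the hardened sample yields none.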
Slide 18: Leveraging Burp Extenders With Other Free Tools
Slide 20: Incidents happen, but is it fair to blame us?
- Understand the incident
- Review all evidence presented
- Obtain the tester's logs
- Provide proof
- Understand impact
Slide 21: Webapp Pentest Tracking
Slide 22: Log Extraction
Slide 23: Questions and Takeaways
Resources:
- Burp History Converter
- Payloads (XSS | passwords | directory busters | and more...)
- CORS
- Pentest resources (web report tracking | database | checklists)
- General reading
- General reading and download resources
- OWASP Top Ten
- Burp Suite Support Centre
- DVWA
- Mutillidae
- Metasploitable
- SANS
- Other security resources
Slide 24: Thank You
Harshal Chandorkar: business.harshal@gmail.com, @harshdevx, ca.linkedin.com/in/harshalchandorkar
Natalia Wadden: @nataliawadden, ca.linkedin.com/in/nataliawadden