Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Published byRory Crookham Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."— Presentation transcript:

1 Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation 6 th OWASP AppSec Conference Milan - May 2007 http://www.owasp.org/ OWASP Pantera – Dissecting Web Applications Simon Roses Femerling OWASP Pantera Project Lead Security Technologist, Microsoft pantera.proxy@gmail.com

2 6 th OWASP AppSec Conference – Milan – May 2007 Intro - Who I am?  Security Technologist at Microsoft  Former PwC, @Stake among others…  Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University at Boston, Massachusetts.  Natural from wonderful Mallorca Island in the Mediterranean Sea. 2

3 6 th OWASP AppSec Conference – Milan – May 2007 3 Agenda  Pantera Overview  Before the Joy  Features of a Web Assessment Framework  Pantera Roadmap  Demo  Q&A

4 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Overview 4

5 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Overview (I)  Pantera is not just another “proxy” but a Web Assessment Framework  aka: Pantera – Web Assessment Studio (WAS)  Born out of necessity  Pantera Description:  Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. 5

6 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Overview (II)  Pantera works well with other proxies and is a complementary tool.  Pantera is 100% python and has been tested on:  Windows  Linux  MacOS  FreeBSD 6

7 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Overview (III)  Two main operational modes:  Cache  Project Session 7

8 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Architecture 8

9 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Workflow 9

10 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Goal  The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results. 10

11 6 th OWASP AppSec Conference – Milan – May 2007 Before the Joy 11

12 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Requirements  Python 2.4  pyOpenSSL  MySQL 5.0 (triggers)  Python MySQL Wrapper  FormBuild 12

13 6 th OWASP AppSec Conference – Milan – May 2007 Installation Myths  The installation is not the best but is not that difficult.  Pantera provides really good documentation, besides you have the mailing list.  Pantera can be installed and up and running in:  Ubuntu: 10/15 min!!  Windows 13

14 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Cons  Needs a lot of work.  Proxy engine may not understand weird data.  Performance. 14

15 6 th OWASP AppSec Conference – Milan – May 2007 Features of a Web Assessment Framework 15

16 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Features List  Session Management  Database support  Pantera Passive Analysis (PPA)  Import / Export  Spider  Data Miner  Visual Resource Icons (VRI)  Fingerprint (Cookies / Extensions)  Anti-IDS Generation  Statistics  The Snitch 16

17 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Session Management  An assessment is a project.  Manage your projects easily.  Under Project Session Mode you get the “whole enchilada”. 17

18 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Session Management 18

19 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Pantera Passive Analysis (PPA)  PPA is a passive analysis engine on the fly.  PPA checks are easy to write plug-ins.  Checks are divided into categories (16)  Forms / Authentication Forms  SSL  Email  Cookies  More than 20+ checks available. 19

20 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Pantera Passive Analysis (PPA) 20

21 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Spider  Pantera now includes a Spider. (still in infancy)  Works in both operational modes.  Uses many smart gathering techniques:  Parse robots.txt  Parse sitemap  Parse JavaScript  Request Directory Index 21

22 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Data Miner  “Get what you want”.  Allows to get any information from the project.  Emails  IE. Query ”All links with forms”  Only place in Pantera to view all links.  Easy to use and powerful. 22

23 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Data Miner 23

24 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Visual Resource Icons (VRI)  The Visual Resource Icons are an easy and convenient way of quickly identify target page attributes.  More than +10 icons:  Target page has an object. (ActiveX, Java Applet, etc.)  Target page has Authorization Forms  Target page sets a Session ID  Target page has possible attack vectors (like forms, hidden tags, URL parameters, etc.) 24

25 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Fingerprint  Pantera can fingerprint:  File Extensions: +60 files.  Session ID: +40 applications.  Fingerprints are stored in XML files.  This information is used by many other Pantera features. 25

26 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Fingerprint ASPSESSIONID.*?(;| ) ASP.NET_SessionId.*?(;| ) PD-S-SESSION- ID.*?(;| ) PD_STATEFUL.*?(;| ) WEBTRENDS_ID.*?(;| ) sessionid.*?(;| ) _sn.*?(;| ) BCSI-.*?(;| ) CFID.*?(;| ) CFTOKEN.*?(;| ) 26

27 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Statistics  Very helpful to get a quick status on the project.  Divided into 5 sections:  General Information  Pages Extension Counter  Data gathered from Application  HTTP Return Codes Information  Links Information 27

28 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – Statistics 28

29 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – The Snitch  The Snitch is a gather of information.  It can currently gather:  Comments  Scripts  Links 29

30 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Feature – The Snitch 30

31 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Roadmap 31

32 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Future Development  Keep improving proxy / scan / analysis engines.  Use of AJAX.  More Databases support.  Your feedback counts! 32

33 6 th OWASP AppSec Conference – Milan – May 2007 Maybe Pantera 2.0  Cooperative Attack Center 33

34 6 th OWASP AppSec Conference – Milan – May 2007 Pantera Resources  Official Website http://www.owasp.org/index.php/Category:OWA SP_Pantera_Web_Assessment_Studio_Project http://www.owasp.org/index.php/Category:OWA SP_Pantera_Web_Assessment_Studio_Project  Mailing list https://lists.owasp.org/mailman/listinfo/owasp- pantera https://lists.owasp.org/mailman/listinfo/owasp- pantera  Contact us pantera.proxy@gmail.com pantera.proxy@gmail.com 34

35 6 th OWASP AppSec Conference – Milan – May 2007 DEMOS ! 35

36 6 th OWASP AppSec Conference – Milan – May 2007 The End  Q&A  Important: Beer / hard liquor (Vodka/Lemon, Margaritas, Mojitos you name it…) are always welcome  Simon Roses Femerling pantera.proxy@gmail.com pantera.proxy@gmail.com 36

Download ppt "Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Testing Web Applications. Applications Architecture Client Server Architecture.

Testing Web Applications. Applications Architecture Client Server Architecture.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Software Freedom Day 2007 14th September 2007 Asia Pacific Institute of Information Technology Colombo, Sri Lanka. Nazly Ahmed Scripting The Web.

Software Freedom Day th September 2007 Asia Pacific Institute of Information Technology Colombo, Sri Lanka. Nazly Ahmed Scripting The Web.
EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.

EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.
Asset: Academic Survey System & Evaluation Tool Bert G. Wachsmuth Seton Hall University.

Asset: Academic Survey System & Evaluation Tool Bert G. Wachsmuth Seton Hall University.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Chapter 12 Extending Web Applications. ASP.NET 2.0, Third Edition2.

Chapter 12 Extending Web Applications. ASP.NET 2.0, Third Edition2.
Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.

Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google