Presentation is loading. Please wait.

Presentation is loading. Please wait.

Static Analysis for Dynamic Assessments Greg Patton | September 2014.

Published byClifford Preston Modified over 9 years ago

Similar presentations

Presentation on theme: "Static Analysis for Dynamic Assessments Greg Patton | September 2014."— Presentation transcript:

1 Static Analysis for Dynamic Assessments Greg Patton | September 2014

2 Agenda Introduction Background & observations Static analysis for dynamic assessments – RIPSA tool Takeaways

3 Introduction Greg Patton Mobile Delivery Manager, HP Fortify on Demand Work on Fortify on Demand team Web & mobile dynamic application testing Attended first OWASP meeting on June 5, 2007 (Houston, TX) hacker@hp.com

4 BACKGROUND & OBSERVATIONS

5 Great divides Security vs. Usability Builders vs. Breakers Dynamic vs. Static

6 Common dynamic challenges Lack of complete security assessments – Few conduct static and dynamic assessments in concert

7 Common dynamic challenges Lack of complete security assessments – Few conduct static and dynamic assessments in concert Client-side false negatives – Dynamic tools and tests miss stuff

8 Common dynamic challenges Lack of complete security assessments – Few conduct static and dynamic assessments in concert Client-side false negatives – Dynamic tools and tests miss stuff “No source code available” – Dynamic testers rarely receive source code

9 A possible solution Use static tools during dynamic assessments Deeper analysis of JavaScript, HTML, XML, and other client-side files

10 STATIC ANALYSIS FOR DYNAMIC ASSESSMENTS

11 RIPSA Accepts XML from Burp – Target Site Map – Proxy History Parses and saves responses as individual files on tester’s machine Output files can be scanned with static tools and manually audited

12 Save Burp responses as XML

13 RIPSA

14 Evaluate XML Save files locally

15 Statically analyze local files

16 DEMO: RIPSA RESPONSE INTERPRETATION AND PREPARATION FOR STATIC ANALYSIS

17 #Winning Reduces potential false negatives by increasing breadth of dynamic web assessments Utilizes information from Burp Suite that dynamic testers already collect Pairs part of a static assessment with a full dynamic web assessment

18 #Winning Static tools – Fortify SCA, FxCop, JSHint, etc. JavaScript analysis – DOM based XSS Silverlight analysis Gather and group files –.dll files for disassembly –.pdf files for strings analysis

19 TAKEAWAYS

20 Takeaways Embrace static Use static tools and techniques to dig deeper into client-side & DOM results – Use automated static tools – Disassemble and decompile Java, Silverlight, Flash, etc.

21 Takeaways Embrace static Use static information to assist with content discovery. – Map application – Identify files and targets

22 Call to the community ZAP extensions – Save responses as local files? – Static scanning signatures? Other ideas?

23 Special thanks Special thanks to Sam Denard David Nester

24 Reach out hacker@hp.com

Download ppt "Static Analysis for Dynamic Assessments Greg Patton | September 2014."

Similar presentations

Attacking and defending Flash Applications. Flash Security I’ll talk about; o RIA, Web 2.0 and Security o What is Crossdomain.xml? Why does it exist?

Attacking and defending Flash Applications. Flash Security I’ll talk about; o RIA, Web 2.0 and Security o What is Crossdomain.xml? Why does it exist?
Test Automation Success: Choosing the Right People & Process

Test Automation Success: Choosing the Right People & Process
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Web Vulnerability Assessments

Web Vulnerability Assessments
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Key Considerations for Report Generation & Customization Richard Wzorek Director, Production IT Confidential © Almac Group 2012.

Key Considerations for Report Generation & Customization Richard Wzorek Director, Production IT Confidential © Almac Group 2012.
OWASP Xenotix XSS Exploit Framework

OWASP Xenotix XSS Exploit Framework
EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.

EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Creating an Educational Tool for Computer Science Students Masters Project Defense Ben Stroud 1 Ben Stroud Masters Project Defense.

Creating an Educational Tool for Computer Science Students Masters Project Defense Ben Stroud 1 Ben Stroud Masters Project Defense.
Penetration testing – W3AF Tool

Penetration testing – W3AF Tool
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Static Code Analysis and Governance Effectively Using Source Code Scanners.

Static Code Analysis and Governance Effectively Using Source Code Scanners.
OWASP Bricks. Web application security learning platform. Built with PHP and MySQL. Open source and free. ‘Break the Bricks’ and learn.

OWASP Bricks. Web application security learning platform. Built with PHP and MySQL. Open source and free. ‘Break the Bricks’ and learn.
Exploring the Relationship Between Web Application Development Tools and Security Matthew Finifter and David Wagner University of California, Berkeley.

Exploring the Relationship Between Web Application Development Tools and Security Matthew Finifter and David Wagner University of California, Berkeley.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.
ITM352 Javascript and Dynamic Web Pages: Client Side Processing.

ITM352 Javascript and Dynamic Web Pages: Client Side Processing.
(C) 2013 Logrus International Practical Visualization of ITS 2.0 Categories for Real World Localization Process Part of the Multilingual Web-LT Program.

(C) 2013 Logrus International Practical Visualization of ITS 2.0 Categories for Real World Localization Process Part of the Multilingual Web-LT Program.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training

Similar presentations

Ads by Google