1. Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Dublin 2010 http://www.owasp.org OWASP Live CD: An open environment for web application security. Eoin Keary & Rahim Jina eoin.keary@owasp.org rahim.jna@owasp.org

3. OWASP Dublin 2010 3 Presentation Overview  Who are we?  What's the OWASP Live CD about?  Tools  Plugins  Examples  How can I get involved?

4. OWASP Dublin 2010 4 About us (Rahim & Eoin)  Our Varied IT Backgrounds  Software Development, Pen Testing, Application Security design & review, Code review, CISSP, CISA, Certified ASS,  Contributors to many OWASP projects  Member of OWASP Global Board  Member of Ireland chapter.

5. OWASP Dublin 2010 5 Project History and Goals  Started as a Summer of Code 2008 project  GOAL: Make application security tools and documentation easily available and easy to use  Compliment's OWASP goal to make application security visible  Design goals  Easy for users to keep updated  Easy for project lead to keep updated  Easy to produce releases (maybe quarterly)  Focused on just application security – not general pen testing

6. OWASP Dublin 2010 6 Just to be clear... !=

7. OWASP Dublin 2010 7 General goals going forward  Showcase great OWASP projects  Provide the best, freely distributable application security tools/documents in an easy to use package  Ensure that the tools provided are easy to use as possible  Continue to document how to use the tools and how the modules were created  Align the tools with the OWASP Testing Guide v3 to provide maximum coverage

8. OWASP Dublin 2010 Navigation Mount a usb key for saving your work This is automatic.

9. OWASP Dublin 2010 EY CU – Our target site!

10. OWASP Dublin 2010 10 You could also use……..

11. OWASP Dublin 2010 11 Tools

12. OWASP Dublin 2010 12 Available Tools Significant tools: Examples: OWASP WebScarab v20090122 OWASP WebGoat v5.2 OWASP CAL9000 v2.0 OWASP JBroFuzz v1.2 OWASP DirBuster v0.12 OWASP SQLiX v1.0 OWASP WSFuzzer v1.9.4 OWASP Wapiti v2.0.0-beta Paros Proxy v3.2.13 nmap & Zenmap v 4.76 Wireshark v1.0.5 tcpdump v4.0.0 Firefox 3.06 + 25 addons Burp Suite v1.2 Grendel Scan v1.0 Metasploit v3.2 (svn) w3af + GUI svn 1.0-rc1 Netcats – original + GNU Nikto v2.03 Firece Domain Scanner v1.0.3 Maltego CE v2-210 Httprint v301SQLBrute v1.0 Spike Proxy v1.4.8-4 Rat Proxy v1.53-beta

13. OWASP Dublin 2010 13 Foxy Proxy

14. OWASP Dublin 2010 FireBug: Runtime under the hood.

15. OWASP Dublin 2010 15 Special features... Firefox Add-ons there are a few

16. OWASP Dublin 2010 16 More on Tools Scanners Menu: Recon Menu:

17. OWASP Dublin 2010 SQLMap & SQLix

18. OWASP Dublin 2010 W3af: Web Application Attack Audit Framework

19. OWASP Dublin 2010 W3af The framework should work on all platforms supported by Python, particularly, w3af has been tested on Linux, Windows XP, Windows Vista and OpenBSD. Phases supported: Discovery: Discovery plugins have only one responsibility, finding new URLs, forms, and other “injection points”. Audit: Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities. Exploit/Attack: Used to exploit vulnerabilities found by audit plugins.

20. OWASP Dublin 2010 W3af: Web Application Attack Audit Framework audit xsrf htaccessMethods sqli sslCertificate fileUpload mxInjection generic localFileInclude unSSL xpath osCommanding remoteFileInclude dav ssi eval buffOverflow xss xst blindSqli formatString preg_replace globalRedirect LDAPi phishingVector frontpage responseSplitting grep dotNetEventValidation pathDisclosure codeDisclosure blankBody metaTags motw privateIP directoryIndexing svnUsers ssn fileUpload strangeHTTPCode hashFind getMails httpAuthDetect wsdlGreper newline passwordProfiling domXss ajax findComments httpInBody strangeHeaders lang errorPages collectCookies strangeParameters error500 objects creditCards oracle feeds Exploit sqlmap osCommandingShell xssBeef localFileReader rfiProxy remoteFileIncludeShell davShell eval fileUploadShell sql_webshell Also…………. audit, discovery,output,mangle, bruteforce, evasion

21. OWASP Dublin 2010 W3af: integration Virtual daemon: Virtual daemon, allows you to use metasploit payloads Fast Exploit: can use tools to within w3af to perfrom exploit, example SQLMap Command Shell: Ala metasploit integration.

22. OWASP Dublin 2010 22 More on Tools Proxies Menu: Metasploit Menu:

23. OWASP Dublin 2010 Fuzzing – What is? Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted. - wikipedia

24. OWASP Dublin 2010 Vectors >"> alert("XSS") & "> @import"javascript:alert('XSS')"; >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3 a; alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)> >%22%27> '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e' '';!--" =&{()} ")> #115;crip& #116;:a le& #114;t('X&#83 ;S'&#41> #0000118&#0000097&#0000115& #0000099&#0000114&#0000105& #0000112&#0000116&#0000058 #0000097&#0000108&#0000101& #0000114&#0000116&#0000040& #0000039&#0000088&#0000083& #0000083&#0000039&#00000 41> #x63&#x72&#x69&#x70&#x74&#x3A& #x61&#x6C&#x65&#x72&#x74&#x28 'XSS');"> 'XSS');“> Example XSS Fuzz Vectors

25. OWASP Dublin 2010 Fuzzing with Webscarab

26. OWASP Dublin 2010 BURP Proxy

27. OWASP Dublin 2010 Jbrofuzz

28. OWASP Dublin 2010 28 Documentation available  OWASP Documents  Testing Guide v2 & v3  CLASP  Top 10 for 2007 (2010 to be included)  Top 10 for Java Enterprise Edition  AppSec FAQ  Books  CLASP, Top 10 2007, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review  Others  WASC Threat Classification, OSTTMM 3.0 & 2.2

29. OWASP Dublin 2010 29 Support Modules  OWASP Branding Module  Subversion client  JRE 6 update 6  Python 2.5.2  Ruby 1.8.1  Graphviz  tidy  GnuTLS  wget, host, dig, openssl, grep, whois

30. OWASP Dublin 2010 30 Builder vs Breaker Builder is where the ROI is But ….. breaking is really fun. Builder tools coming in future releases. (Thanks Top Gear!)

31. OWASP Dublin 2010 A little bit of code review…

32. OWASP Dublin 2010 A little bit of code review

33. OWASP Dublin 2010 A little bit on code review

34. OWASP Dublin 2010 Crawling Code HTTP REQUEST STRINGS Requests from external sources are obviously a key area of a security code review. We need to ensure that all HTTP requests received are data validated for composition, max and min length, and if the data falls with the realms of the parameter white-list. Bottom-line is this is a key area to look at and ensure security is enabled. request.accepttypes request.browser request.files request.headers request.httpmethod request.item request.querystring request.form request.cookies request.certificate request.rawurl request.servervariables request.url request.urlreferrer request.useragent request.userlanguages request.IsSecureConnection request.TotalBytes request.BinaryRead HTML OUTPUT Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat. response.write <% = HttpUtility HtmlEncode

35. OWASP Dublin 2010 Data/Input Validation of data from all untrusted sources. Authentication Session Management Authorization Cryptography (Data at rest and in transit) Error Handling /Information Leakage Logging /Auditing Secure Code Environment A little bit of code review Attack Surface Scope Business Context  Browser input  Cookies  Property files  External processes  Data feeds  Service responses  Flat files  Command line parameters  Environment variables

36. OWASP Dublin 2010 A little bit of code review

37. OWASP Dublin 2010 Tools Available: RATS (C/C++) Code Crawler (.Net/Java) LAPSE (Java) CAT.NET (.NET. VS Plugin) Free Tools AppScan DE (formally ounce) Fortify 360 Klockworkz …..Many more Commercial Tools

38. OWASP Dublin 2010 38 Website Update

39. OWASP Dublin 2010 39 OWASP Education Project  Natural ties between these projects  Already being used for training classes  Need to coordinate efforts to make sure critical pieces aren't missing from the OWASP Live CD  Training environment could be customized for a particular class thanks to the individual modules  Student gets to take the environment home  As more modules come online, even more potential for cross pollination  Builder tools/docs only expand its reach  Kiosk mode?

40. OWASP Dublin 2010 40 How can you get involved?  Join the mail list  Announcements are there – low traffic  Download an ISO or VM  Complain or praise  Suggest improvements  Submit a bug to the Google Code site  Create deb package of a tool  How I create the debs will be documented, command by command and I'll answer questions gladly  Suggest missing docs or links  Do a screencast of one of the tools being used on the OWASP Live CD

41. OWASP Dublin 2010 41 What else is out there?  LabRat v2.1 (Previous OWASP Live CD)  404 for ISO link  Samurai WTF (Web Testing Framework)  Slightly fewer tools overall  Unique to Samurai: WebShag & MoinMoin Wiki  Ubuntu based live CD, looks really nice  No.deb packages for most of the tools  Currently development release  http://samurai.intelguardians.com/  Login info is samurai / samurai  Backtrack – has some web app tools

42. OWASP Dublin 2010 42 Learn More  OWASP Site: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project or just look on the OWASP project page (release quality) http://www.owasp.org/index.php/Category:OWASP_Project or Google “OWASP Live CD”  Download & Community Site: http://AppSecLive.org

43. OWASP Dublin 2010 43 Questions?