Presentation is loading. Please wait.

Presentation is loading. Please wait.

Strategic Security, Inc. © Application Security is Easy Right?

Published byMyrtle Peters Modified over 9 years ago

Similar presentations

Presentation on theme: "Strategic Security, Inc. © Application Security is Easy Right?"— Presentation transcript:

1 Strategic Security, Inc. © http://www.strategicsec.com/ Application Security is Easy Right?

2 Strategic Security, Inc. © http://www.strategicsec.com/ Trying to learn App Sec I came up the old fashioned way: Help Desk PC Tech Systems Administrator Network Administrator Moved into IT Security Intrusion Analyst Penetration Tester The way nature intended….

3 Strategic Security, Inc. © http://www.strategicsec.com/ Pentesting Starting Moving Away From The Network Pentesting started shifting away from the network…. Network and Systems Web App Mobile App Cloud Mashups Source Code Easy right? Houston….

4 Strategic Security, Inc. © http://www.strategicsec.com/ I Felt Lost In The App Sec

5 Strategic Security, Inc. © http://www.strategicsec.com/ I DON’T KNOW HOW TO PROGRAM A lot of computer scientists will be familiar with programming concepts such as: Turing’s Primitives Programming Logic Data Structures and Algorithms Object Oriented Programming If you are like me then none of this stuff makes any sense to you I don’t understand any of this stuff, and don’t plan on trying I’m regular working stiff – so that means that I like: Alcohol Sports Barbequing

6 Strategic Security, Inc. © http://www.strategicsec.com/ OWASP Confused Me More OWASP Testing Guide https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

7 Strategic Security, Inc. © http://www.strategicsec.com/ I Needed Something Simple I Could Do A process to follow A methodology to use It has to be simple

8 Strategic Security, Inc. © http://www.strategicsec.com/ 3 Simple Questions 1.Is it talking to a DB? Is there parameter passing – if yes… Insert a single quote 2.Can I or someone else see what I type? Is there a forum, blog, guestbook, contact us page, feedback form, instant messenger/chat – if yes... Insert alert(‘xss’) 3.Does it reference a file? Is it talking about a file on the local file system – if yes… Insert../../../../../../etc/passwd,../../../../../../etc/passwd%00../../../../../../windows/win.ini,../../../../../../windows/win.ini%00

9 Strategic Security, Inc. © http://www.strategicsec.com/ Let’s drive Everything I’m doing today can be found at: http://pastebin.com/ka5PvLp8 I use pastebin to allow you to follow me and just copy/paste the commands I type So you can just just open up Firefox and follow along

10 Strategic Security, Inc. © http://www.strategicsec.com/ What About Tools Once you have a methodology then you can start with simple firefox addons: ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/ Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/ FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ Firebug https://addons.mozilla.org/en-US/firefox/addon/firebug/ A good list of web app testing add ons for Firefox: https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/

11 Strategic Security, Inc. © http://www.strategicsec.com/ What About Free/Low Cost Tools Once you are comfortable with the firefox addons, then I think you can move on to the proxies: Burp Suite https://portswigger.net/burp/download.html Zap https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Fiddler http://www.telerik.com/fiddler Charles Proxy http://www.charlesproxy.com/

12 Strategic Security, Inc. © http://www.strategicsec.com/ What About Commercial Tools Once you are comfortable with the firefox addons, then I think you can move on to the proxies: IBM AppScan http://www-03.ibm.com/software/products/en/appscan HP WebInspect http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/ Acunetix https://www.acunetix.com/vulnerability-scanner/ Comparison of the scanners http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html

13 Strategic Security, Inc. © http://www.strategicsec.com/ I built one (shameless plug) Web Scanner Pro (YES IT IS FREE and cheap): http://strategicsec.com/products/webscannerpro/ You don’t need to be a Web App expert to use the product You don’t need to be a programmer to understand the reports You don’t need to be a compliance expert to demonstrate your due diligence

14 Strategic Security, Inc. © http://www.strategicsec.com/ Contact Me.... Toll Free:1-844-458-1008 Email:joe@strategicsec.com Twitter:http://twitter.com/j0emccray LinkedIn: http://www.linkedin.com/in/joemccray

Download ppt "Strategic Security, Inc. © Application Security is Easy Right?"

Similar presentations

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Web Vulnerability Assessments

Web Vulnerability Assessments
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Getting Started with XPages Presented by Jeff Byrd.

Getting Started with XPages Presented by Jeff Byrd.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or 415.514-3333 UCSF Campus VPN.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
Donna Thompsson For Tech Tips - Facebook: Debbie Jarrett – Ed Tech PD https://www.facebook.com/DJarrettPD

Donna Thompsson For Tech Tips - Facebook: Debbie Jarrett – Ed Tech PD
Hacking outside the box Mike Aiello. Objectives Describe jobs in “Infosec Discuss why communication is critically important to Infosec professionals.

Hacking outside the box Mike Aiello. Objectives Describe jobs in “Infosec" Discuss why communication is critically important to Infosec professionals.
IS Today (Valacich & Schneider) 5/e Copyright © 2012 Pearson Education, Inc. Published as Prentice Hall 7/2/2015 5-1 Facebook is the most popular social.

IS Today (Valacich & Schneider) 5/e Copyright © 2012 Pearson Education, Inc. Published as Prentice Hall 7/2/ Facebook is the most popular social.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Extend Your UFT for Mobile Testing & Monitoring Mobile Add-on For UFT Nov 2014.

Extend Your UFT for Mobile Testing & Monitoring Mobile Add-on For UFT Nov 2014.
OWASP Bricks. Web application security learning platform. Built with PHP and MySQL. Open source and free. ‘Break the Bricks’ and learn.

OWASP Bricks. Web application security learning platform. Built with PHP and MySQL. Open source and free. ‘Break the Bricks’ and learn.
Data Analyst Making HMIS Work for You HMI S. What I will cover today  Part I: Getting big data … fast!  Part II: Making customized forms and reports.

Data Analyst Making HMIS Work for You HMI S. What I will cover today  Part I: Getting big data … fast!  Part II: Making customized forms and reports.
How to turn on the robot How to start Bluetooth How to connect to robot How to initialize the robot How to not break the robot Sec 9-2 - Getting Started.

How to turn on the robot How to start Bluetooth How to connect to robot How to initialize the robot How to not break the robot Sec Getting Started.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Alfresco – An Open Source Content Management System - Bindu Nayar, Bhavana Mohanraj.

Alfresco – An Open Source Content Management System - Bindu Nayar, Bhavana Mohanraj.
Introdution to Computer Science ICS3U/4U.  New room!!!  Respect it  Wooden tables  No food/drink  Bathroom – one at a time  Course outline – coming.

Introdution to Computer Science ICS3U/4U.  New room!!!  Respect it  Wooden tables  No food/drink  Bathroom – one at a time  Course outline – coming.
Command School On Task In Touch Online Software for Schools Developed by Schools.

Command School On Task In Touch Online Software for Schools Developed by Schools.

Similar presentations

Ads by Google