The OWASP Foundation http://www.owasp.org
OWASP WTE: Testing your way.
Matt Tesauro, OWASP Foundation Board Member, WTE Project Lead
[email protected]
Vice President, Services for Praetorian
OWASP Dallas 2011
Who's this Matt guy anyway?
Broad IT background: Developer, DBA, Sys Admin, Pen Tester, Application Security professional, CISSP, CEH, RHCE, Linux+
Long history with Linux and Open Source: contributor to many projects, leader of OWASP Live CD / WTE
OWASP Foundation Board Member
VP, Services for Praetorian
OWASP WTE: A History
It all started that summer...
Current Release: OWASP WTE Feb 2011
Previous Releases: OWASP WTE Beta Jan 2010; AppSecEU May 2009; AustinTerrier Feb 2009; Portugal Release Dec 2008; SoC Release Sept 2008; Beta1 and Beta2 releases during the SoC
Note: Not all of these had ISO, VirtualBox and VMware versions
Other fun facts
~5,094 GB of bandwidth since launch (Jul 2008)
Most downloads in 1 month = 81,607 (Mar 2009)
Overall downloads: 330,081 (as of 2009-10-05)
There's a new kid in town
OWASP WTE
Web Testing Environment
The project has grown to more than just a Live CD
VMware installs/appliances, VirtualBox installs, USB installs, Training Environment, ...
Add in the transition to Ubuntu and the possibilities are endless (plus the 26,000+ packages in the Ubuntu repos)
GOAL
Make application security tools and documentation easily available and easy to use
Complements OWASP's goal to make application security visible
Design goals: easy for users to keep updated; easy for the project lead to keep updated; easy to produce releases (more on this later); focused on just application security, not general pen testing
What's on WTE
26 “Significant” Tools Available

OWASP Tools:
WebScarab: a tool for performing all types of security testing on web apps and web services
WebGoat: an online training environment for hands-on learning about app sec
CAL9000: a collection of web app sec testing tools, especially encoding/decoding
JBroFuzz: a web application fuzzer for requests being made over HTTP and/or HTTPS
WSFuzzer: a fuzzer with HTTP based SOAP services as its main target
Wapiti: audits the security of web apps by performing "black-box" scans
DirBuster: a multi threaded Java app to brute force directory and file names
WebSlayer: a tool designed for brute-forcing web applications (resource discovery, GET and POST fuzzing, etc.)
EnDe: an amazing collection of encoding and decoding tools as well as many other utilities
ZAP Proxy: a fork of the popular but moribund Paros Proxy
Other Proxies: Paros, Burp Suite, Spike Proxy, Rat Proxy
Scanners: Grendel Scan, Nikto, w3af
SQL-i: sqlmap, SQL Brute
Duh / Others: Firefox, nmap, Zenmap, Wireshark, tcpdump, netcat, Httprint, Fierce Domain Scanner, Metasploit, Maltego CE
Why is it different?
OWASP Documents
Testing Guide v2 & v3
CLASP and OpenSAMM
Top 10 for 2010
Top 10 for Java Enterprise Edition
AppSec FAQ
Books (tried to get all of them): CLASP, Top 10 2010, Top 10 + Testing + Legal, WebGoat and WebScarab, Guide 2.0, Code Review
Others
WASC Threat Classification, OSSTMM 3.0 & 2.2
What is next?
Among the new ideas for WTE are
Live CDs & Live DVDs
Virtual installs/appliances
A package repository
Can add 1+ tool to any Debian based Linux
# apt-get install owasp-wte-*
Custom remixes of any of the above
Targeted installs
WebGoat Developer Version
Wubi
USB and Kiosk version
OWASP Education Project
Natural ties between these projects
Already being used for training classes
Need to coordinate efforts to make sure critical pieces aren't missing from the OWASP WTE
Training environment could be customized for a particular class thanks to the individual modules
Student gets to take the environment home
As more modules come online, even more potential for cross pollination
Builder tools/docs only expand its reach
Builder vs Breaker
Builder is where the ROI is
But darn it, breaking is really fun.
Builder tools coming in future releases.
(Thanks Top Gear!)
Crazy “Pie in the Sky” idea
.deb package + auto update + categories = CD profiles
Allows someone to customize the OWASP WTE to their needs
Example profiles: Whitebox testing, Blackbox testing, Static Analysis, Target specific (Java, .Net, ...)
Profile + VM = custom persistent environment
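The profile idea above maps directly onto a Debian metapackage: a profile is a package that ships no files of its own and whose Depends line pulls in every tool tagged with the profile's categories, so `apt-get install owasp-wte-profile-blackbox` reproduces the profile on any Debian-based system, and "profile + VM" is just that package installed into a persistent VM. The block below is an added example, not code from the OWASP WTE project: it resolves a profile to a package set, writes the control stanza, and assembles a .deb (the `ar` container holding debian-binary, control.tar.gz and data.tar.gz) without dpkg tooling, which is also the bare mechanics behind the "create a deb package of a tool" contribution mentioned later. The owasp-wte-* package names, category tags, profile definitions and maintainer address are assumptions for illustration.

```python
"""Turn an OWASP WTE profile into a Debian metapackage (.deb).

Added example, not code from the OWASP WTE project: the owasp-wte-* names,
category tags, profile definitions and maintainer address are assumptions."""
import io
import tarfile
import time

# Hypothetical catalogue: package name -> categories it is tagged with.
CATALOGUE = {
    "owasp-wte-zap": {"proxy", "scanner"},
    "owasp-wte-webscarab": {"proxy"},
    "owasp-wte-w3af": {"scanner"},
    "owasp-wte-nikto": {"scanner"},
    "owasp-wte-dirbuster": {"discovery"},
    "owasp-wte-jbrofuzz": {"fuzzer"},
    "owasp-wte-sqlmap": {"sqli"},
    "owasp-wte-webgoat": {"training", "java"},
    "owasp-wte-docs-testing-guide": {"docs"},
    "owasp-wte-docs-code-review": {"docs", "whitebox"},
}

# Profiles from the slide: a set of categories, optionally extending another profile.
PROFILES = {
    "blackbox": {"categories": {"proxy", "scanner", "discovery", "fuzzer", "sqli", "docs"}},
    "whitebox": {"categories": {"whitebox", "docs", "proxy"}},
    "static-analysis": {"categories": {"whitebox"}},
    "java": {"categories": {"java"}, "extends": "blackbox"},
}

def resolve_profile(name, _seen=None):
    """Sorted package list for a profile, following 'extends' and refusing loops."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        raise ValueError(f"profile inheritance loop at {name!r}")
    seen.add(name)
    prof = PROFILES[name]  # unknown profile -> KeyError, deliberately loud
    pkgs = {pkg for pkg, tags in CATALOGUE.items() if tags & prof["categories"]}
    if "extends" in prof:
        pkgs.update(resolve_profile(prof["extends"], seen))
    return sorted(pkgs)

def control_stanza(name, version="1.0"):
    """DEBIAN/control for a metapackage whose Depends line pulls in the profile."""
    return (
        f"Package: owasp-wte-profile-{name}\n"
        f"Version: {version}\n"
        "Architecture: all\n"
        f"Depends: {', '.join(resolve_profile(name))}\n"
        "Maintainer: WTE Profile Builder <wte-profiles@example.invalid>\n"  # hypothetical
        f"Description: OWASP WTE {name} profile\n"
        " Metapackage that installs the tools and documents for this profile.\n"
    )

def _targz(files):
    """In-memory .tar.gz of {path: bytes}; dpkg expects './'-relative member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode, info.mtime = len(content), 0o644, int(time.time())
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _ar_member(name, data):
    """One member of the 'ar' archive a .deb really is: 60-byte ASCII header + data."""
    hdr = (f"{name:<16}{int(time.time()):<12}{0:<6}{0:<6}{'100644':<8}"
           f"{len(data):<10}`\n").encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")  # members are 2-byte aligned

def build_deb(name, version="1.0"):
    """Assemble debian-binary, control.tar.gz and an empty data.tar.gz into a .deb."""
    control = _targz({"./control": control_stanza(name, version).encode()})
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", _targz({})))

def ar_members(blob):
    """Parse an 'ar' archive back into [(name, bytes)] to check what was built."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        size = int(hdr[48:58].decode())
        members.append((hdr[:16].decode().strip(), blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return members

def read_control(deb):
    """Round-trip check: pull the control stanza back out of a built .deb."""
    ctrl = dict(ar_members(deb))["control.tar.gz"]
    with tarfile.open(fileobj=io.BytesIO(ctrl), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.lstrip("./") == "control":
                return tar.extractfile(member).read().decode()
    raise ValueError("control.tar.gz has no control file")
```

Writing `build_deb("blackbox")` to `owasp-wte-profile-blackbox_1.0_all.deb` gives a file that `dpkg -i` accepts, after which `apt-get -f install` resolves the Depends line against the repository. For anything beyond a demonstration, build with dpkg-deb or debhelper so the package gets proper md5sums and changelog metadata, and publish it through a signed repository Release file so apt can verify it before installing.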
Goals going forward
Showcase great OWASP projects
Provide the best, freely distributable application security tools/documents in an easy to use package
Ensure that the tools provided are as easy to use as possible
Goals going forward
Continue to document how to use the tools and how the modules were created
Align the tools with the OWASP Testing Guide v3 to provide maximum coverage
Add more developer focused tools
How can you get involved?
Join the mail list (announcements are there; low traffic)
Post on the AppSecLive.org forums
Download an ISO or VM
Complain or praise, suggest improvements
Submit a bug to the Google Code site
Create a deb package of a tool (how I create the debs will be documented, command by command, and I'll answer questions gladly)
Suggest missing docs or links
Do a screencast of one of the tools being used on the OWASP WTE
Learn More...
OWASP Site: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
or just look on the OWASP project page (release quality): http://www.owasp.org/index.php/Category:OWASP_Project
or Google “OWASP Live CD”
Download & Community Site
http://AppSecLive.org
Previously: http://mtesauro.com/livecd/
A bit about OWASP
OWASP Meritocracy
Security Vulnerabilities
Change Control, Source Code Mgmt, Strategy & Metrics, Policy & Compliance, Education & Training, Threat Assessment, Security Requirements, Secure Architecture, Design Review, Code Review, Remediation, Hardening...
Why do I do this?
Questions?
Sintel: independent film produced by the Blender Foundation using free and open software. Download it free at http://www.sintel.org