Application Security - III: Security Analysis Tools
Lalit Kale
[email protected]
http://lalitkale.wordpress.com


This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover application security tools that can be helpful for analyzing security threats as well as putting up some defense. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.


Overview

• OWASP Top 10 Threats
• Security Analysis Tools Landscape
• Attack Simulation Tools
• Defense Assisting Tools
• Risk mitigation for Injection Attacks
• Risk mitigation for XSS Attacks
• Resources

OWASP Top 10 Threats

The list on this slide and the next is the 2013 edition of the OWASP Top 10 (risks A1 to A10):

• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration

OWASP Top 10 Threats (continued)

• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control (called "Failure to Restrict URL Access" in the 2010 list)
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities (split out of the 2010 list's Security Misconfiguration category; it is a separate risk from A5)
• A10 Unvalidated Redirects and Forwards


Security Analysis Tools Landscape

XSS-Me

• XSS-Me is a Firefox add-on (part of Security Compass's "Exploit-Me" suite) used to test for reflected Cross-Site Scripting (XSS). It does not test for stored XSS.
• It is a run-time (dynamic) application security testing tool only; it is not related to static code analysis.
• The tool works by submitting your HTML forms with each form value in turn replaced by strings that are representative of an XSS attack, then inspecting the response for the reflected string.
• Caveat: XSS-Me and SQL Inject Me are legacy (XUL) add-ons and no longer run on current Firefox releases; the same technique is available in intercepting proxies such as Burp Suite and OWASP ZAP.
• XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet (now maintained at https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
• Devise your own attack! http://ha.ckers.org/xsscalc.html
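The form-substitution loop described above, as an added Python example (not part of the original deck and not XSS-Me's own code): each form field in turn is replaced by a marker-carrying attack string, the form is submitted to a handler, and the response is classified as reflecting the payload raw, reflecting it encoded, or not reflecting it. The two handlers (`vulnerable_search`, `fixed_search`), the field names and the payload list are constructed for this illustration; a real run would post to the target URL instead of calling a local function.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed payloads in the spirit of XSS-Me's list. {m} is replaced by a unique
# marker so a reflection can be attributed to the field and payload that caused it.
PAYLOADS = [
    '<script>alert("{m}")</script>',
    '"><img src=x onerror=alert("{m}")>',
    "'><svg onload=alert('{m}')>",
    '<a href="javascript:alert(\'{m}\')">{m}</a>',
]


def vulnerable_search(query_string):
    """Constructed target page: reflects 'q' and 'lang' into HTML with no encoding."""
    params = parse_qs(query_string, keep_blank_values=True)
    q = params.get("q", [""])[0]
    lang = params.get("lang", ["en"])[0]
    return f'<html lang="{lang}"><body><p>Results for: {q}</p></body></html>'


def fixed_search(query_string):
    """Same page with output encoding applied to every reflected value."""
    params = parse_qs(query_string, keep_blank_values=True)
    q = html.escape(params.get("q", [""])[0], quote=True)
    lang = html.escape(params.get("lang", ["en"])[0], quote=True)
    return f'<html lang="{lang}"><body><p>Results for: {q}</p></body></html>'


def classify(body, payload, marker):
    """Distinguish a real reflection from one the page neutralised by encoding."""
    if payload in body:
        return "reflected-raw"      # payload survived verbatim: XSS candidate
    if marker in body:
        return "reflected-encoded"  # value echoed, but metacharacters were encoded
    return "not-reflected"


def fuzz_form(handler, fields):
    """Submit the form once per (field, payload) pair, keeping the other fields
    benign, and return the (field, payload) pairs that came back unencoded."""
    findings = []
    for i, field in enumerate(fields):
        for j, template in enumerate(PAYLOADS):
            marker = f"xssme{i}{j}"
            payload = template.format(m=marker)
            form = {f: "benign" for f in fields}
            form[field] = payload
            body = handler(urlencode(form))
            if classify(body, payload, marker) == "reflected-raw":
                findings.append((field, payload))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_search), ("fixed", fixed_search)):
        hits = fuzz_form(handler, ["q", "lang"])
        print(f"{name}: {len(hits)} raw reflections")
        for field, payload in hits:
            print(f"  field={field!r} payload={payload!r}")
```

The "reflected-encoded" class is the one a naive grep misses: the value is echoed, but the page is not exploitable through that field, and reporting it as a finding is the false positive that makes form fuzzers noisy.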

SQL Inject Me

• SQL Inject Me is a Firefox add-on (from the same Security Compass "Exploit-Me" suite as XSS-Me) used to test for SQL injection.
• It is a run-time (dynamic) application security testing tool only; it never sees the source.
• The tool works by submitting your HTML forms with each form value in turn replaced by strings that are representative of a SQL injection attack, and looking for database error messages in the responses.
• Advanced attacks, such as blind SQL injection, require additional manual testing (for example, attempting to bypass authentication by injecting an always-true condition into the login form).

SQL Inject Me: Demo

• Demo website (IBM's intentionally vulnerable "Altoro Mutual" test site): http://testfire.net/bank/login.aspx
• Username/Password: jsmith/Demo1234. After logging in, navigate to http://testfire.net/bank/transaction.aspx
• Observe the "After" date field:
  • Normal input: 01/01/2013
  • Injected input (T-SQL, string concatenation with +): 01/01/2006 union select userid,null,username+','+password,null from users--
• The payload has no closing quote, which tells you the date is spliced into the query unquoted; the two null columns pad the UNION to the same column count as the original SELECT, and the trailing -- comments out whatever follows.
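The same UNION-based injection and its fix, as an added Python example (not part of the original deck, and not testfire's real schema or code) that serves both the SQL Inject Me description and the demo above. It runs against an in-memory SQLite database constructed here: the vulnerable query splices the "After" date in unquoted, exactly as the slide's payload requires; the fixed query whitelist-validates the input shape and binds it as a parameter. SQLite concatenates strings with || where the slide's T-SQL payload uses +, so the payload is respelled accordingly.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the demo bank. The users table has four
    columns so the UNION column count matches the transactions query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userid INTEGER, username TEXT, password TEXT, role TEXT);
        CREATE TABLE transactions (id INTEGER, tdate TEXT, descr TEXT, amount REAL);
        INSERT INTO users VALUES (1, 'jsmith', 'Demo1234', 'user'), (2, 'admin', 'hunter2', 'admin');
        INSERT INTO transactions VALUES (1, '2013-01-05', 'Deposit', 100.0),
                                        (2, '2013-02-01', 'Withdrawal', -40.0);
    """)
    return conn


# SQLite spelling of the slide's payload. No closing quote is needed because the
# vulnerable query splices the date in unquoted: 01/01/2006 simply evaluates as
# integer arithmetic and the UNION is appended to the statement.
PAYLOAD = "01/01/2006 union select userid,null,username||','||password,null from users--"


def transactions_after_vulnerable(conn, after):
    """The 'After' value is concatenated straight into the statement."""
    sql = "SELECT id, tdate, descr, amount FROM transactions WHERE tdate >= " + after
    return conn.execute(sql).fetchall()


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # constructed: the fixed page accepts ISO dates only


def transactions_after_safe(conn, after):
    """Whitelist-validate the input shape, then bind it as a parameter so the
    database never parses user data as SQL."""
    if not DATE_RE.match(after):
        raise ValueError("after must be YYYY-MM-DD")
    sql = "SELECT id, tdate, descr, amount FROM transactions WHERE tdate >= ?"
    return conn.execute(sql, (after,)).fetchall()


def safe_rejects(conn, value):
    """True when the hardened query refuses the value outright."""
    try:
        transactions_after_safe(conn, value)
    except ValueError:
        return True
    return False


def leaked_credentials(rows):
    """Rows that came from the users table rather than transactions: the UNION
    leaves their date column NULL and puts 'username,password' in the description."""
    return sorted(r[2] for r in rows if r[1] is None)


if __name__ == "__main__":
    conn = build_db()
    print("normal  :", transactions_after_vulnerable(conn, "01/01/2013"))
    print("injected:", leaked_credentials(transactions_after_vulnerable(conn, PAYLOAD)))
    print("safe    : rejected =", safe_rejects(conn, PAYLOAD))
```

Parameter binding alone would already stop the UNION (the whole payload becomes one string compared against tdate); the shape check on top of it is what turns a silent "no rows" into a logged, rejectable request.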

Hackbar

• Hackbar is a Firefox add-on that helps hand-craft XSS and SQL injection requests during penetration testing.
• Features include:
  • Loading the current URL into an editable bar
  • Splitting ("slicing") the URL into its components
  • Character encoding and decoding helpers (URL, Base64, hex) and hashing helpers
  • Executing the crafted URL request, optionally with POST data

Tamper Data

• Firefox add-on used to intercept and modify HTTP requests before the browser sends them (responses can be viewed and timed, not edited)
• Trace and time HTTP request/response pairs
• Modify POST parameters
• Add or change HTTP headers, including the Cookie header
• Encode/decode strings
• Limited ability for testing XSS and SQL injection; an intercepting proxy such as Burp Suite or OWASP ZAP is the full-featured alternative

Cookie Manager+

• Firefox add-on used to view, modify, create, back up and restore cookies.
• Features include:
  • Filtering cookies by domain
  • Backing up and restoring cookies (handy for switching between test sessions)
  • Editing a cookie's value, flags and expiry date
• The security point: everything the browser stores is under the user's control, including cookies flagged HttpOnly (that flag only blocks script access). The server must treat cookie contents as untrusted input and bind session identity to server-side state or a signed token.

Wappalyzer

• Firefox add-on that reveals the internals of websites and web applications
• Analyzes the DOM and HTTP response headers and identifies the libraries, frameworks and components used to build the site
• Once an attacker knows the internal components and their versions, s/he can look up and exploit known vulnerabilities in those components, libraries, frameworks or servers; removing version-revealing headers (Server, X-Powered-By, X-AspNet-Version) raises the cost of that reconnaissance

FxCop

• Static code analysis tool for applications written for the Microsoft .NET Framework (it analyzes compiled assemblies, not source)
• Has security and security-transparency rules
• Its ASP.NET security rules determine whether HTML output includes unvalidated input parameters taken from:
  • Form fields
  • Query strings
  • Databases and data access methods
  • The cookie collection
  • Session and application variables

Fiddler Plugin: Ammonite

• URL: http://ammonite.ryscc.com/
• Paid web security tool (runs inside Fiddler)
• Detects critical vulnerabilities
• Manual and automatic modes for testing
• Fuzzes multiple request formats: Ammonite understands how to stuff faults into XML, JSON, URL-encoded and multi-part POST bodies
• Tests all request sections, including cookies, headers, URL path elements (RESTful apps), query string and request body
• Passive checks that scan responses for credit card numbers, hidden form fields, HTTP 500 errors and verbose error messages
• Exports results as an HTML report

Fiddler Plugin: Watcher

• URL: http://websecuritytool.codeplex.com
• Free web security tool
• Passively monitors traffic for 40+ checks (it generates no requests of its own, so it is safe to run against production)
• Can also work offline on SAZ files saved from Fiddler
• Results of the checks can be exported as HTML or XML
• DEMO
  • Live session
  • Report
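What the passive side of Ammonite and Watcher, and the fingerprinting side of Wappalyzer, actually do to a captured response, as an added Python example (not part of the original deck and not any of those tools' own code): one function fingerprints technologies from headers and DOM against a small constructed signature table, the other runs Watcher-style passive checks (HTTP 500, verbose error text, hidden fields, Luhn-valid card numbers, missing X-Frame-Options, cookie flags, version disclosure). The sample response is constructed for this illustration; a real run would feed it responses from a SAZ file or a proxy.

```python
import re


def luhn_ok(digits):
    """Luhn check used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
ERROR_MARKERS = ("Stack Trace", "Exception Details", "at System.", "ORA-", "syntax error")

# Constructed signature table: a tiny subset of the header/DOM rules a fingerprinting
# add-on ships with. Group 1 of the regex, when present, is the version.
HEADER_SIGNATURES = [
    ("server", re.compile(r"Microsoft-IIS/([\d.]+)"), "IIS"),
    ("x-powered-by", re.compile(r"ASP\.NET"), "ASP.NET"),
    ("x-aspnet-version", re.compile(r"([\d.]+)"), "ASP.NET runtime"),
]
BODY_SIGNATURES = [
    (re.compile(r"jquery-([\d.]+)(?:\.min)?\.js"), "jQuery"),
    (re.compile(r'name="__VIEWSTATE"'), "ASP.NET Web Forms"),
]


def _index(headers):
    """Group (name, value) pairs by lower-cased name; Set-Cookie can repeat."""
    idx = {}
    for name, value in headers:
        idx.setdefault(name.lower(), []).append(value)
    return idx


def fingerprint(headers, body):
    """Return {technology: version-or-''} derived from response headers and the DOM."""
    idx = _index(headers)
    found = {}
    for name, rx, tech in HEADER_SIGNATURES:
        for value in idx.get(name, []):
            m = rx.search(value)
            if m:
                found[tech] = m.group(1) if m.groups() else ""
    for rx, tech in BODY_SIGNATURES:
        m = rx.search(body)
        if m:
            found[tech] = m.group(1) if m.groups() else ""
    return found


def passive_checks(status, headers, body):
    """Watcher-style checks that only look at a response already captured."""
    idx = _index(headers)
    findings = []
    if status >= 500:
        findings.append(("server-error", f"HTTP {status}"))
    for marker in ERROR_MARKERS:
        if marker in body:
            findings.append(("verbose-error", marker))
            break
    for tag in re.findall(r"<input[^>]*>", body, re.I):
        if re.search(r'type="hidden"', tag, re.I):
            name = re.search(r'name="([^"]*)"', tag, re.I)
            findings.append(("hidden-field", name.group(1) if name else "?"))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card-number", digits[:6] + "..." + digits[-4:]))
    if "x-frame-options" not in idx:
        findings.append(("missing-header", "X-Frame-Options"))
    for cookie in idx.get("set-cookie", []):
        name, flags = cookie.split("=", 1)[0], cookie.lower()
        if "httponly" not in flags:
            findings.append(("cookie-without-httponly", name))
        if "secure" not in flags:
            findings.append(("cookie-without-secure", name))
    for hdr in ("server", "x-powered-by", "x-aspnet-version"):
        for value in idx.get(hdr, []):
            findings.append(("version-disclosure", f"{hdr}: {value}"))
    return findings


# Constructed sample response: an ASP.NET error page that also leaks a card number.
SAMPLE_STATUS = 500
SAMPLE_HEADERS = [
    ("Server", "Microsoft-IIS/7.5"),
    ("X-Powered-By", "ASP.NET"),
    ("X-AspNet-Version", "4.0.30319"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
    ("Content-Type", "text/html"),
]
SAMPLE_BODY = """<html><body>
<form method="post"><input type="hidden" name="__VIEWSTATE" value="dDw..." />
<input type="hidden" name="isAdmin" value="false" /></form>
<h2>Server Error in '/' Application.</h2>
<b>Exception Details:</b> System.Data.SqlClient.SqlException
<b>Stack Trace:</b> at System.Data.SqlClient.SqlConnection.Open()
<p>Card on file: 4111 1111 1111 1111</p>
<script src="/js/jquery-1.7.2.min.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY))
    for kind, detail in passive_checks(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{kind:24} {detail}")
```

The card check masks the number before reporting it; a scanner that copies full card numbers into an HTML report has just created a second place the data leaks from.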

AntiXSS Library

• AntiXSS provides a myriad of encoding functions: HTML, HTML attribute, XML, URL, form, LDAP, CSS, JavaScript and VBScript encoders.
• White lists: AntiXSS differs from the standard .NET Framework encoders by using a white-list approach. Every character not on the white list is encoded using the rules of the target context; the standard encoders only escape a short black list of known-dangerous characters.
• Secure globalization: an attack can be coded in any script, and AntiXSS protects against XSS payloads written in dozens of languages by keeping its safe list per Unicode range, so text in the languages you actually serve stays readable while everything else is encoded.
• Since .NET 4.5 the AntiXSS encoders ship in the framework as System.Web.Security.AntiXss.AntiXssEncoder and can be made the default encoder through the encoderType attribute of <httpRuntime> in web.config.
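The white-list principle behind AntiXSS, as an added Python example (not part of the original deck and not the AntiXSS library's code): a white-list encoder that turns every character outside a constructed safe list into a numeric character reference, beside the classic five-character black-list escape. The full-width angle brackets (U+FF1C, U+FF1E) show the difference: the black-list encoder passes them through untouched, and a downstream component that applies NFKC normalisation folds them into real `<` and `>`. The Devanagari range is added to the safe list to illustrate the "secure globalization" idea of allowing a language's characters explicitly.

```python
import unicodedata

# Constructed safe list: ASCII letters, digits and a little punctuation. AntiXSS's
# real table is larger, but the principle is the same: encode everything else.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_")

DEVANAGARI = (0x0900, 0x097F)   # example Unicode range to allow for Hindi text


def whitelist_html_encode(text, safe_ranges=()):
    """Encode every character not on the safe list (or inside an explicitly
    allowed Unicode range) as a decimal character reference."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in SAFE or any(lo <= cp <= hi for lo, hi in safe_ranges):
            out.append(ch)
        else:
            out.append(f"&#{cp};")
    return "".join(out)


def blacklist_html_encode(text):
    """The classic five-character escape: anything it does not recognise passes through."""
    return (text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#39;"))


def folds_to_ascii_tag(text):
    """True when NFKC normalisation, which some downstream components apply,
    turns the text into a literal '<' ... '>' sequence."""
    normalised = unicodedata.normalize("NFKC", text)
    return "<" in normalised and ">" in normalised


if __name__ == "__main__":
    plain = "<script>alert(1)</script>"
    fullwidth = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"   # U+FF1C / U+FF1E brackets
    for label, encoder in (("blacklist", blacklist_html_encode), ("whitelist", whitelist_html_encode)):
        encoded = encoder(fullwidth)
        print(f"{label}: {encoded!r} -> becomes a real tag after NFKC: {folds_to_ascii_tag(encoded)}")
    print(whitelist_html_encode("नमस्ते"))                 # every character encoded
    print(whitelist_html_encode("नमस्ते", [DEVANAGARI]))   # range allowed: left readable
```

Numeric references are used here for simplicity; the context rules (HTML body, attribute, JavaScript string, URL) each need their own encoder, which is why the library ships one per context rather than one "encode" function.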

ASafaWeb

• Non-invasive vulnerability scanner: it only makes the kind of requests a normal client would (the service has since been retired)
• Individual effort from security consultant Troy Hunt
• Good for projects that are already in production
• Baseline of scans for common ASP.NET configuration-related weaknesses: custom errors, stack traces, request validation, tracing, excessive headers
• Also checks for clickjacking (missing X-Frame-Options header) and whether the hash DoS patch (MS11-100) has been applied
• DEMO
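The configuration-related subset of what a scanner like ASafaWeb infers from the outside can be checked from the inside, in web.config, before deployment. The following is an added Python example (not part of the original deck and not ASafaWeb's code): it parses a weak web.config and a hardened one, both constructed here, and reports the settings that produce the classic findings (debug compilation, custom errors off, remote tracing, cookies without HttpOnly/Secure, request validation disabled, no X-Frame-Options). The element and attribute names are the real ASP.NET ones; the two configs are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed weak configuration: every setting here is one ASafaWeb would flag.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <pages validateRequest="false" />
  </system.web>
</configuration>
"""

# Constructed hardened counterpart.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <pages validateRequest="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def _child(node, *path):
    """Walk child elements by exact tag name (tags such as system.web contain dots,
    so plain iteration is used instead of an XPath string)."""
    for tag in path:
        if node is None:
            return None
        node = next((c for c in node if c.tag == tag), None)
    return node


def _flag(node, attr, default):
    """Attribute value, lower-cased, falling back to ASP.NET's default when absent."""
    return (node.get(attr, default) if node is not None else default).lower()


def check_web_config(xml_text):
    """Return (check, message) pairs for the weak settings found."""
    root = ET.fromstring(xml_text)
    findings = []
    if _flag(_child(root, "system.web", "compilation"), "debug", "false") == "true":
        findings.append(("debug", 'compilation debug="true": source lines and timing leak in error pages'))
    if _flag(_child(root, "system.web", "customErrors"), "mode", "remoteonly") == "off":
        findings.append(("custom-errors", 'customErrors mode="Off": stack traces are shown to remote users'))
    trace = _child(root, "system.web", "trace")
    if _flag(trace, "enabled", "false") == "true" and _flag(trace, "localOnly", "true") == "false":
        findings.append(("trace", "trace enabled and not localOnly: trace.axd is reachable remotely"))
    cookies = _child(root, "system.web", "httpCookies")
    if _flag(cookies, "httpOnlyCookies", "false") != "true":
        findings.append(("httponly", "httpCookies httpOnlyCookies is not true"))
    if _flag(cookies, "requireSSL", "false") != "true":
        findings.append(("secure-cookie", "httpCookies requireSSL is not true"))
    if _flag(_child(root, "system.web", "pages"), "validateRequest", "true") == "false":
        findings.append(("request-validation", 'pages validateRequest="false": request validation is disabled'))
    headers = _child(root, "system.webServer", "httpProtocol", "customHeaders")
    names = {h.get("name", "").lower() for h in headers} if headers is not None else set()
    if "x-frame-options" not in names:
        findings.append(("clickjacking", "no X-Frame-Options header is configured"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{label}:")
        for check, message in check_web_config(cfg) or [("ok", "no findings")]:
            print(f"  [{check}] {message}")
```

Defaults matter as much as explicit values: customErrors defaults to RemoteOnly and trace to localOnly, so an absent element is safe, but httpCookies defaults to requireSSL="false", so a missing element is a finding.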

CAT.NET & BinScope Binary Analyzer

CAT.NET (Code Analysis Tool .NET)
• Identifies common variants of prevailing vulnerabilities that give rise to attack vectors such as Cross-Site Scripting (XSS), SQL injection and XPath injection, by tracing data flow from untrusted sources to sensitive sinks.
• Works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing every method contained within each.

BinScope Binary Analyzer
• Verification tool that analyzes binaries at the project level to ensure that they have been built in compliance with the Microsoft SDL.
• BinScope checks that SDL-required compiler/linker flags are set (for example /GS, /SAFESEH, /NXCOMPAT and /DYNAMICBASE), strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.

Note: CAT.NET is only compatible with Visual Studio 2005 and Visual Studio 2008
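The source-to-sink data-flow idea behind CAT.NET, shown as an added Python example (not part of the original deck and not CAT.NET's code, which analyzes compiled .NET assemblies rather than source): a toy taint tracker over the Python AST. Attributes of a hypothetical `request` object are the untrusted sources, `escape` is the sanitizer, and `render_html` and `execute` are the sinks; all of these names, and the sample module it analyzes, are constructed for this illustration. It is deliberately simple (no inter-procedural flow, no branches), which is exactly the gap a real tool like CAT.NET closes.

```python
import ast

# Constructed rule set: attributes of `request` that carry untrusted data, calls that
# neutralise it, and sink calls with the argument positions that must stay clean.
SOURCES = {"args", "form", "cookies", "headers"}
SANITIZERS = {"escape", "quote_plus"}
SINKS = {"render_html": (0,), "execute": (0,)}


class TaintAnalyzer(ast.NodeVisitor):
    """Statement-by-statement taint tracking: assignments propagate taint to names,
    sanitizer calls clear it, and sink calls with a tainted argument are reported."""

    def __init__(self):
        self.tainted = set()
        self.current = "<module>"
        self.findings = []

    @staticmethod
    def _callee(node):
        f = node.func
        return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            if isinstance(node.value, ast.Name) and node.value.id == "request":
                return node.attr in SOURCES            # request.args, request.form, ...
            return self.is_tainted(node.value)
        if isinstance(node, ast.Subscript):
            return self.is_tainted(node.value)        # request.args["q"]
        if isinstance(node, ast.Call):
            if self._callee(node) in SANITIZERS:
                return False                          # escape(...) cleans the value
            if isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value):
                return True                           # request.form.get("id")
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_FunctionDef(self, node):
        self.current, self.tainted = node.name, set()   # fresh scope per function
        self.generic_visit(node)

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = self._callee(node)
        if name in SINKS:
            for i in SINKS[name]:
                if i < len(node.args) and self.is_tainted(node.args[i]):
                    self.findings.append((self.current, name, node.lineno))
                    break
        self.generic_visit(node)


def analyze(source):
    """Return (function, sink, line) for every sink call that receives tainted data."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample module: two vulnerable handlers and their fixed versions.
SAMPLE = '''
def search():
    q = request.args["q"]
    page = "<h1>Results for " + q + "</h1>"
    return render_html(page)

def search_fixed():
    q = escape(request.args["q"])
    page = "<h1>Results for " + q + "</h1>"
    return render_html(page)

def lookup():
    uid = request.form.get("id")
    execute("SELECT * FROM users WHERE id = " + uid)

def lookup_fixed():
    uid = request.form.get("id")
    execute("SELECT * FROM users WHERE id = ?", (uid,))
'''

if __name__ == "__main__":
    for function, sink, line in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}() in {function}()")
```

Note what makes `lookup_fixed` clean: the untrusted value still reaches `execute`, but as a bound parameter (argument 1), not as part of the statement text (argument 0). Modelling sinks by argument position rather than by call name is what keeps parameterised queries out of the findings.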

w3af

• w3af is a Web Application Attack and Audit Framework (http://w3af.org).
• Open source, Python-based core engine with a plug-in architecture (crawl, audit, grep, attack and output plug-ins).
• Identifies more than 200 vulnerability types, helping reduce your site's overall risk exposure.

Acunetix

• Website analysis and vulnerability detection
• Comprehensive scanning for SQL injection and Cross-Site Scripting (XSS) vulnerabilities
• Scans password-protected areas automatically
• Comprehensive reports for legal and regulatory compliance
• Includes an HTTP sniffer, an HTTP fuzzer and a blind SQL injector
• Detects HTTP Parameter Pollution (HPP) vulnerabilities
• Compares scans and finds differences from previous scans
• Support for CAPTCHA, Single Sign-On and two-factor authentication mechanisms

Netsparker

• Marketed as the only "false-positive-free" web application security scanner: it confirms a finding by safely exploiting it before reporting ("proof-based scanning"), so treat the claim as applying only to the findings it can confirm that way
• Ajax/JavaScript support
• Supports Basic, Forms, NTLM, Digest and Kerberos authentication
• Vulnerability retest
• Also supports manual testing
• Compliance reporting for well-known specifications such as PCI DSS, OWASP and CAPEC
• Custom reports

Resources

• OWASP (Open Web Application Security Project):

https://www.owasp.org

• XSS-Me

https://addons.mozilla.org/en-us/firefox/addon/xss-me/

• SQL Inject Me

• Microsoft Security

http://www.microsoft.com/security

http://www.Microsoft.com/sdl

• Wikipedia:

http://en.wikipedia.org/wiki/Threat_model


This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at

http://creativecommons.org/licenses/by-nc-sa/4.0/

All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.

Lalit Kale
[email protected]

http://lalitkale.wordpress.com