Groundspeed Presentation at the OWASP NY/NJ
DESCRIPTION
These are the slides for the Groundspeed presentation at the OWASP NY/NJ chapter meeting on Nov 2, 2010.
TRANSCRIPT
![Page 1: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/1.jpg)
MANIPULATING WEB APPLICATION INTERFACES
OWASP NY/NJ Chapter Meeting – Nov 2, 2010
http://groundspeed.wobot.org
![Page 2: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/2.jpg)
![Page 3: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/3.jpg)
User problem?
![Page 4: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/4.jpg)
User problem?
![Page 5: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/5.jpg)
The Standard Approach:
1. Interact with interface
2. Intercept and modify HTTP
3. Analyze response
![Page 6: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/6.jpg)
Advantages: single point of interception, absolute control over data
![Page 7: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/7.jpg)
Historic reason: browser used to be a closed box,
no easy way to extend
![Page 8: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/8.jpg)
The origin of input data: the HTML interface (forms), client-side logic (JavaScript), the HTTP client (cookies)
![Page 9: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/9.jpg)
Question: can this information be useful for
improving the penetration test?
![Page 10: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/10.jpg)
Core question: would it be useful to look for a
different approach?
![Page 11: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/11.jpg)
http://groundspeed.wobot.org
open source Firefox add-on released in Nov 09 at AppSecDC
![Page 12: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/12.jpg)
Groundspeed goal: manipulate the webapp interface to
remove client-side limitations in order to work inside the browser
![Page 13: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/13.jpg)
Things you can do: change the type of form fields, remove size and length limitations, remove JS event handlers
![Page 14: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/14.jpg)
Demo: see Groundspeed in action
![Page 15: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/15.jpg)
But wait a minute: why is this really different than
manipulating HTTP requests?
![Page 16: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/16.jpg)
#1 reason: in order to understand
information we need context
![Page 17: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/17.jpg)
Context problems: without the context we need to fill
in for what is missing
![Page 18: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/18.jpg)
Ambiguous context: if the context is not clear,
we can make mistakes
![Page 19: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/19.jpg)
Context is important!
![Page 20: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/20.jpg)
Labels are for humans: the function of the interface is to
provide context to users
![Page 21: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/21.jpg)
Parameters are for code: HTTP parameters are meant for the server-side code and can be
any arbitrary value
![Page 22: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/22.jpg)
The mapping problem: when we manipulate HTTP
requests we need to map parameter to interface label
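As an added example (not code from the deck or from Groundspeed itself), the following Python audits a constructed sample form for the interface-layer controls named earlier (field type, size limits, JS event handlers), records the parameter-to-label mapping the slide above calls the mapping problem, and then re-applies the same constraints on the server side, where the parameters can arrive with any value. The sample form and all function names are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample form (not from the deck): capped text field + JS handler, hidden price, fixed-choice select.
SAMPLE_FORM = """<form action="/checkout">
<label for="u">User name</label><input id="u" name="username" type="text" maxlength="8" onkeyup="check(this)">
<input name="price" type="hidden" value="19.99">
<label for="q">Quantity</label><select id="q" name="qty"><option>1</option><option>2</option></select>
</form>"""

class FormAudit(HTMLParser):
    """Collect, per parameter, the interface-layer-only constraints and its label."""
    def __init__(self):
        super().__init__()
        self.fields, self.labels, self._label_for, self._select = {}, {}, None, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self._label_for = a.get("for")
        elif tag in ("input", "select", "textarea") and a.get("name"):
            f = {"id": a.get("id"), "type": a.get("type", tag),
                 "handlers": [k for k in a if k.startswith("on")]}   # inline JS
            if "maxlength" in a: f["maxlength"] = int(a["maxlength"])  # size limit
            self.fields[a["name"]] = f
            self._select = a["name"] if tag == "select" else None
    def handle_data(self, data):
        if self._label_for and data.strip():        # label text -> element id
            self.labels[self._label_for] = data.strip()
        elif self._select and data.strip():         # option text -> offered values
            self.fields[self._select].setdefault("allowed", []).append(data.strip())
    def handle_endtag(self, tag):
        if tag == "label": self._label_for = None
        if tag == "select": self._select = None

def audit(html):
    p = FormAudit()
    p.feed(html)
    for f in p.fields.values():
        f["label"] = p.labels.get(f.pop("id"))   # parameter -> human label
    return p.fields

def server_side_violations(rules, params):
    """Re-apply the interface constraints to raw parameters, which can be any value."""
    bad = []
    for name, r in rules.items():
        v = params.get(name)
        if v is None: continue
        if r["type"] == "hidden": bad.append((name, "hidden: never trust client copy"))
        if "maxlength" in r and len(v) > r["maxlength"]: bad.append((name, "maxlength"))
        if "allowed" in r and v not in r["allowed"]: bad.append((name, "not an offered option"))
    return bad
```

The audit output doubles as the list of checks the server must own, because every entry in it can be stripped from the interface in the browser.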
![Page 23: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/23.jpg)
#2 reason: working at the interface reduces
the unnecessary tasks
![Page 24: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/24.jpg)
Test Friction: all this creates “test friction” and makes the test less efficient
(and more boring)
![Page 25: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/25.jpg)
Ok, but… how is this different than using
Firebug or the Web Dev Extension?
![Page 26: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/26.jpg)
Firebug and WebDev Extension: very powerful, but they are developer tools;
when used for security they will produce a lot of ‘test friction’
![Page 27: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/27.jpg)
Hammers versus screwdrivers: ‘test friction’ always appears when
you use a tool that was not designed for the job
![Page 28: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/28.jpg)
Performance load: degree of mental and physical
activity to perform a task
![Page 29: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/29.jpg)
Improved interface
![Page 30: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/30.jpg)
Conclusion #1: thinking about the nature of input
data can make our life easier
create an input testing toolbox
![Page 31: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/31.jpg)
Input data toolbox: interface layer (Groundspeed), JavaScript layer (Firebug), HTTP layer (Burp)
![Page 32: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/32.jpg)
Conclusion #2: tool design should focus on user
process (not the problem)
process = user + problem + context
![Page 33: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/33.jpg)
Conclusion #3: bring the tool into the browser
or the browser into the tool
![Page 34: Groundspeed Presentation at the OWASP NY/NJ](https://reader034.vdocuments.us/reader034/viewer/2022051323/54708c47b4af9f980a8b478d/html5/thumbnails/34.jpg)
Thank you! More about Groundspeed:
http://groundspeed.wobot.org
comments, questions: [email protected]