Hands-On with RailsGoat WEB APPLICATION SECURITY TESTING

Post on 26-Feb-2016

DESCRIPTION

Web Application Security Testing: Hands-On with RailsGoat. About Us: security testing, run our testing company (ScotSTS); heavily involved in the OWASP community, run the Scotland chapter events; Rory has presented at Scottish Ruby Conf/Scotland on Rails since 2009. PowerPoint PPT presentation.

TRANSCRIPT

Hands-On with RailsGoat
Web Application Security Testing

About Us
- Security testing: run our testing company (ScotSTS)
- Heavily involved in the OWASP community: run the Scotland chapter events
- Rory has presented at Scottish Ruby Conf/Scotland on Rails since 2009
- Marion is an avowed Microsofty (spot the number of MS products!)

Agenda
- Introduction to Web App Testing
- Introduction to Burp Suite
- Introduction to RailsGoat
- Hands-On!

Looking here at the overall goals and setting out the agenda.

Introduction to Web App Testing

Warning!

Security Testing Overview
- Review the security of a system or systems against an established benchmark or best practice
- Carried out on a variety of levels: network, OS, DB, application
- Key concept: scope!

There are a number of types of security testing around which target different pieces of a solution and take different approaches.

You might look at an operating system or database service, or indeed at the low-level network infrastructure, in particular security-critical pieces like firewalls.

With packaged systems like operating systems, standard testing tends to revolve around reviewing configuration options and looking for known vulnerabilities, with high-end testing focusing on discovery of new issues.

There's also what gets called penetration testing, which tends to focus on end-to-end reviews of environments and should take a more attacker-centric view of what can be done, rather than finding all the security issues in a system.

Web application testing is more bespoke than other types of testing, as you'll rarely test the same application more than once (although common elements will occur based on the language/framework and packages in use).

A very important concept in every test is "what's my scope?": are 3rd party APIs in scope (usually not), is the underlying operating system in scope, etc.

Testing Types
- Black-box: automated, manual
- White-box: automated, manual

In addition to the variations in what's being tested, there are a number of approaches that can be taken.

Traditional security tests tend to take a black-box view of the system: they will send HTTP requests to the server and analyse responses to understand whether an issue is present.

Automated scanners of a number of types exist. These tend to be good at getting quick coverage but have a number of drawbacks and limitations.

Manual black-box testing is the focus of this workshop, and it's how I'd say the majority of web app tests are currently approached.

White-box provides access to the application source and either takes a code review approach or uses the source to inform the black-box test.

Intuitively it would seem that a code review is the best approach to application security (after all, applications are a collection of code), but this turns out not to be so simple. Modern applications make extensive use of 3rd party code, so just reviewing your code won't give a complete picture. Also, the complexity involved in, for example, following every possible code path in a Rails app (with dynamic typing, monkey-patching and the like) is a serious undertaking.

Manual code review is also useful, but not really for one-time reviews. Instead, used as part of the development process, it can help avoid certain classes of issue.

Web App Testing Vulnerabilities
- Wide variety of things to test for; where to start?
- OWASP Top 10 2013: a good list of places to consider
- https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

Introduction to Burp

More than just a Silly Name
- Burp is a proxy-based web application testing tool
- De-facto standard for manual web app testing
- Free and paid-for versions available
- Other options are available:
  - OWASP ZAP: upcoming open source alternative
  - Telerik Fiddler: primarily Windows-based alternative

Why Proxies?
- Intercept and modify traffic between client and server
- Bypass any JavaScript restrictions
- Access hidden fields
- Modify headers
- Modify cookies

Burp Tour - SiteMap

Burp Tour - Scope

Burp Tour Intercept

Burp Tour HTTP History

Burp Tour - Spider

Burp Tour - Scanner

Burp Tour - Intruder

Burp Tour - Repeater

Burp Tour - Sequencer

Burp Tour - Decoder

Burp Tour - Options

Introduction to RailsGoat

RailsGoat
- OWASP project to provide a training application based on Ruby/Rails
- Rails 3.2 application
- Has exercises covering the OWASP Top 10 vulnerabilities
- http://github.com/OWASP/railsgoat

SQL Injection - Overview
- One of the most serious security issues you are likely to see in web applications
- Impact can extend to the underlying operating system
- There have been examples of SQLi in underlying libraries (e.g. ActiveRecord) as well as in application code

SQL Injection - Black-box Testing Basics
- Test form fields, form field names, cookies, headers (basically any data that could be used in a query)
- Test strings:
  - ' (single quote character): can show up problems if an error is returned
  - OR 1=1: logically true statement
  - AND 1=0: logically false statement
  - Str || ing: string concatenation (depends on underlying DB)
  - +1: numerical addition
- Observe responses

Exercise 1 - SQL Injection
- Set up the proxy to intercept
- Update a user account
- Try modifying the user_id parameter

Command Injection
- Another input validation/sanitization issue
- Possible wherever the application interfaces to the underlying system
- Calls to things like system()

Command Injection - Black-box Testing
- | character
- Sample commands, e.g. cat /etc/passwd
- Underlying platform matters (different commands and paths on Windows)

Exercise 2 - Command Injection
- Intercepting proxy again
- Testing in the benefits upload section
- Where to look for the created directory?

Information Disclosure
- Information gathering is a key piece of testing
- Build up a picture for later attacks

Information Gathering - Black-box
- Mainly look for known areas to get information
- Username enumeration
- Error messages (version info/path info)
- Default files

Exercise 3 - Username Enumeration
- Enter an incorrect username
- Now enter a correct username with an incorrect password
- Could you automate this process?
- What can you do with a list of usernames?

Password Weaknesses
- Passwords are the sole authentication mechanism on almost all sites
- Weak passwords cause breaches
- Standard part of testing

Password Weaknesses - Black-box
- Can be very straightforward (disclosed password policy)
- Still worth checking:
  - Length
  - Complexity
  - Truncation(?)
  - Reset process

Exercise 4 - Password Strength
- Easy to test
- Try setting your password to some standard values: P, Abc123, Password, ...
- Ties into the username enumeration from the last exercise

Cross-Site Scripting
- Very common issue; results from user-supplied input being returned to the browser without appropriate encoding/sanitization
- 3 main variants: reflected, stored, DOM-based
- Can have quite serious impacts (see the BeEF project for examples)

Cross-Site Scripting - Black-box
- Insert test strings into fields on the page
- >alert(lorem)
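The SQL injection test strings and the user_id exercise, as an added example (not code from the deck or from RailsGoat): a Rails-style query built by string interpolation beside the parameterised form, the slide's probe strings, and a boolean-differential check that decides from three responses whether a parameter is reaching the query. There is no database here; the two "endpoints", the user table and the `fetch` callable are constructed stand-ins for the real application behind Burp Repeater.

```ruby
# Added example (not RailsGoat code). Pure Ruby, no Rails, no database.

# Vulnerable shape, as in  User.where("id = #{params[:user_id]}")  :
# the parameter becomes part of the SQL text.
def vulnerable_query(user_id)
  "SELECT * FROM users WHERE id = #{user_id}"
end

# Hardened shape, as in  User.where("id = ?", params[:user_id])  :
# the SQL text is fixed, the value is a bind parameter, non-integers are rejected.
def parameterised_query(user_id)
  ["SELECT * FROM users WHERE id = ?", [Integer(user_id)]]
end

# Test strings from the slide, appended to a known-good baseline value.
SQLI_PROBES = {
  quote:         "'",        # syntax error if it reaches the parser
  tautology:     " OR 1=1",  # logically true: more rows come back
  contradiction: " AND 1=0", # logically false: no rows come back
  concat:        "' || '",   # string concatenation (DB dependent, string context only)
  add:           "+1",       # numeric addition: the next row comes back
}.freeze

def sqli_probe_values(baseline)
  SQLI_PROBES.transform_values { |suffix| "#{baseline}#{suffix}" }
end

# Boolean-differential check. AND 1=1 must not change the result, AND 1=0 must
# empty it: if the responses follow that pattern the suffix is reaching the query.
# `fetch` is whatever sends the request and returns the body (Burp Repeater, Net::HTTP).
def sqli_suspect?(baseline, fetch)
  base = fetch.call(baseline)
  base == fetch.call("#{baseline} AND 1=1") && base != fetch.call("#{baseline} AND 1=0")
end

# ---- constructed stand-ins for the target application ----
USERS = [{ id: 1, name: "admin" }, { id: 2, name: "bob" }, { id: 3, name: "carol" }].freeze

# Evaluates one atom of the WHERE clause the way a database would, for the
# shapes the probes above produce; anything else is a syntax error.
def eval_atom(atom, user)
  case atom.strip
  when /\Aid = (\d+)\z/        then user[:id] == $1.to_i
  when /\Aid = (\d+)\+(\d+)\z/ then user[:id] == $1.to_i + $2.to_i
  when "1=1"                   then true
  when "1=0"                   then false
  else raise ArgumentError, "syntax error near #{atom.inspect}"
  end
end

# Behaves like an endpoint running vulnerable_query: matching names, or "error".
def toy_vulnerable_endpoint(user_id)
  clause = vulnerable_query(user_id).sub(/\A.*WHERE /, "")
  tokens = clause.split(/\s+(AND|OR)\s+/i)          # e.g. ["id = 2", "AND", "1=0"]
  rows = USERS.select do |u|
    result = eval_atom(tokens[0], u)
    (1...tokens.size).step(2) do |i|                # left-to-right, no precedence
      rhs = eval_atom(tokens[i + 1], u)
      result = tokens[i].casecmp?("AND") ? (result && rhs) : (result || rhs)
    end
    result
  end
  rows.map { |u| u[:name] }.join(",")
rescue ArgumentError
  "error"
end

# Behaves like an endpoint running parameterised_query: the probes never reach SQL.
def toy_safe_endpoint(user_id)
  _sql, binds = parameterised_query(user_id)
  USERS.select { |u| u[:id] == binds.first }.map { |u| u[:name] }.join(",")
rescue ArgumentError
  "error"
end

if __FILE__ == $0
  sqli_probe_values("2").each { |k, v| puts "#{k}: #{v.inspect} -> #{toy_vulnerable_endpoint(v).inspect}" }
  puts "vulnerable endpoint suspect? #{sqli_suspect?('2', method(:toy_vulnerable_endpoint))}"
  puts "safe endpoint suspect?       #{sqli_suspect?('2', method(:toy_safe_endpoint))}"
end
```

Against the vulnerable endpoint the quote probe produces an error, OR 1=1 returns every user, AND 1=0 returns none and +1 returns the next user; the parameterised endpoint answers "error" to every probe, so the differential check stays negative. In Burp the same comparison is done by hand in Repeater: baseline request, then the two appended values, looking at status, length and body.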
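Exercise 2 and the command injection slides, as an added example (not code from the deck or from RailsGoat): a hypothetical file backup step that passes a user-controlled file name through the shell, beside the argv form, and the pipe-character probe from the slide. It assumes a POSIX shell with echo and tr on PATH; echo stands in for cp so the demonstration runs without writing to the filesystem, and the file name, directory and probe list are constructed.

```ruby
# Added example (not RailsGoat code).
require "open3"
require "shellwords"

# Vulnerable shape: one string handed to /bin/sh, so shell metacharacters in the
# file name (| ; & ` $()) are parsed as syntax rather than as part of the name.
def backup_command_string(filename, dest_dir)
  "cp #{filename} #{dest_dir}/"
end

# Hardened shape: an argv array. Ruby execs the program directly with no shell,
# and every element is exactly one argument whatever characters it contains.
# The "--" stops a name beginning with "-" from being read as an option.
def backup_argv(filename, dest_dir)
  ["cp", "--", filename, "#{dest_dir}/"]
end

# Runs the way the vulnerable code does: a single string, interpreted by the shell.
def run_via_shell(command_string)
  out, _status = Open3.capture2e(command_string)
  out
end

# Runs the way the hardened code does: argv, no shell involved.
def run_via_argv(argv)
  out, _status = Open3.capture2e(*argv)
  out
end

# Constructed probe: a harmless file name with a command piped after it. The slide's
# cat /etc/passwd is replaced by tr so the demo has a deterministic, harmless result.
INJECTED_NAME = "report.pdf | tr a-z A-Z".freeze

# Black-box probe strings. Pipe and semicolon for a POSIX shell; cmd.exe on Windows
# chains with & and the commands and paths differ (type instead of cat, etc.).
def command_injection_probes(base = "report.pdf")
  ["#{base} | id", "#{base}; id", "#{base} & whoami"]
end

if __FILE__ == $0
  puts "string form : #{backup_command_string(INJECTED_NAME, '/var/backups')}"
  puts "argv form   : #{backup_argv(INJECTED_NAME, '/var/backups').inspect}"
  puts "via shell   : #{run_via_shell("echo #{INJECTED_NAME}").inspect}"
  puts "via argv    : #{run_via_argv(['echo', INJECTED_NAME]).inspect}"
  puts "escaped     : #{run_via_shell("echo #{Shellwords.escape(INJECTED_NAME)}").inspect}"
end
```

Through the shell the pipe is honoured and tr runs, so the output is "REPORT.PDF"; through argv, or through a shell string built with Shellwords.escape, the whole probe is printed back as one literal argument. When the injected command writes nothing to the response (as with the directory created in exercise 2), look for its side effect on the server or use a command whose effect you can observe from outside, such as a delay.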
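Exercises 3 and 4 together, as one added example (not code from the deck or from RailsGoat): a constructed login endpoint whose failure messages differ by username, the automated enumeration that enables, the standard values from the password slide tried against the enumerated accounts, and a fixed endpoint that returns one message for both failures. The account table, the messages and the candidate list are assumptions.

```ruby
# Added example (not RailsGoat code). Everything here is constructed.

# Constructed account table; plain text only so the demo stays self-contained.
ACCOUNTS = {
  "admin"  => "Password",
  "jim"    => "Abc123",
  "marion" => "correct-horse-battery-staple-42",
}.freeze

# Leaky endpoint: two different failure messages, so the response says
# whether the username exists before the password is ever checked.
def leaky_login(username, password)
  return "Unknown user" unless ACCOUNTS.key?(username)
  ACCOUNTS[username] == password ? "Welcome" : "Incorrect password"
end

# Fixed endpoint: one message for both failures.
def uniform_login(username, password)
  stored = ACCOUNTS[username]
  (stored && stored == password) ? "Welcome" : "Invalid username or password"
end

# Exercise 3, automated: take the failure response for a username that certainly
# does not exist as the baseline; any candidate whose response differs exists.
def enumerate_usernames(candidates, login)
  baseline = login.call("zz-no-such-user-zz", "wrong")
  candidates.select { |u| login.call(u, "wrong") != baseline }
end

# Exercise 4: the standard values from the slide.
STANDARD_VALUES = %w[P Abc123 Password].freeze

# Try each standard value against each known account; returns {user => password}.
def guess_passwords(usernames, login, guesses = STANDARD_VALUES)
  usernames.each_with_object({}) do |u, found|
    hit = guesses.find { |g| login.call(u, g) == "Welcome" }
    found[u] = hit if hit
  end
end

# The two exercises chained: enumerate, then guess against what was found.
def demo(login, candidates = %w[admin jim nobody marion root])
  users = enumerate_usernames(candidates, login)
  { enumerated: users, cracked: guess_passwords(users, login) }
end

if __FILE__ == $0
  puts "leaky   : #{demo(method(:leaky_login)).inspect}"
  puts "uniform : #{demo(method(:uniform_login)).inspect}"
end
```

Against the leaky endpoint the candidate list yields admin, jim and marion, and two of the three fall to the standard values. The uniform endpoint removes the enumeration oracle, but it does nothing about the weak passwords: guessing against names you already know (admin, jim) still succeeds, which is why the password slide says the exercise ties into enumeration. When testing a real site compare response length and timing as well as the text, and mind lockout and rate limiting before automating.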
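The cross-site scripting slides, as an added example (not code from the deck or from RailsGoat): a Rails-style view that writes input into the page raw beside the HTML-escaped form, and a check that tells raw reflection from encoded reflection using a marker instead of alert(). ERB::Util is the Ruby standard library; the render callables and the search-box markup are constructed.

```ruby
# Added example (not RailsGoat code).
require "erb"

# Vulnerable: user input written into the HTML body raw, which is what
# raw(...) or .html_safe does in a Rails view.
def vulnerable_render(query)
  "<p>You searched for: #{query}</p>"
end

# Attribute context, same defect: a quote and > in the input close the value and the tag.
def vulnerable_attribute_render(query)
  "<input name=\"q\" value=\"#{query}\">"
end

# Hardened: HTML-escape at the point of output, which is what <%= %> does by
# default in Rails 3 and later. &, <, >, " and ' all become entities, so the
# same helper is safe in text and in quoted attribute context.
def escaped_render(query)
  "<p>You searched for: #{ERB::Util.html_escape(query)}</p>"
end

# Probe: close any quoted attribute and tag we may be inside, then open a tag
# carrying a unique marker. A marker rather than alert() lets the check find its
# own probe and tells reflection apart from whatever was already on the page.
def xss_probe(marker)
  "\"><#{marker}>"
end

# Classify a response: the tag survived (exploitable), came back entity-encoded
# (safe in HTML context), or was not reflected at all.
def xss_check(render, marker = "zz#{rand(10**8)}")
  body = render.call(xss_probe(marker))
  if body.include?("<#{marker}>")          then :reflected_raw
  elsif body.include?("&lt;#{marker}&gt;") then :reflected_encoded
  else :not_reflected
  end
end

if __FILE__ == $0
  { body: method(:vulnerable_render), attr: method(:vulnerable_attribute_render),
    escaped: method(:escaped_render) }.each do |name, render|
    puts "#{name}: #{render.call(xss_probe('zz9')).inspect} -> #{xss_check(render, 'zz9')}"
  end
end
```

Once a raw reflection is confirmed, swap the marker tag for a real payload to prove impact. Note the check only covers HTML text and attribute context: input placed inside a script block or an event handler needs JavaScript-string encoding, and DOM-based XSS never appears in the server response at all, so it has to be tested in the browser.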