Slide 1

Slide 1 text

OWASP Projects: beyond Top 10 OWASP Poland Wroclaw Meetup #5 17.02.2017

Slide 2

Slide 2 text

About us • Alexander Antukh • OWASP Poland Board Member • Head of Product Security at • @c0rdis

Slide 3

Slide 3 text

About us • Marek Puchalski • OWASP Poland member • Developer and Security Consultant at Capgemini • https://marek.puchal.ski

Slide 4

Slide 4 text

About us • Pawel Rzepa • Security Engineer in Intive • Contributor in OWASP MSTG (Mobile Security Testing Guide)

Slide 5

Slide 5 text

About us • Andrii Sygida • OWASP Poland almost member • Application security specialist at

Slide 6

Slide 6 text

About us • Daniel Ramirez • OWASP Member • Security Specialist at EY • Hands-on vulnerability assessment (VA) experience across different kinds of apps.

Slide 7

Slide 7 text

Thank you for the support!

Slide 8

Slide 8 text

Motivation • Top 10 is the de-facto standard in the webappsec world • OWASP is mostly associated with it… • but there are many more! As of 2016 there are 133 different projects which can help you, whether you are on the attacker's or the defender's side of the barricades!

Slide 9

Slide 9 text

Program for today ZAP WebGoat OWTF

Slide 10

Slide 10 text

Program for today (M)ASVS CheatSheets Cornucopia SKF Pipeline Testing Guides

Slide 11

Slide 11 text

Let the fun begin!

Slide 12

Slide 12 text

Agenda • Problem 1: efficient security training • Solution: WebGoat • Problem 2: efficient management of multiple penetration testing tasks • Solution: Offensive Web Testing Framework

Slide 13

Slide 13 text

Problem of efficient security training …and XSS allows you to inject such horrifying pop-up windows!!! Security awareness trainings for developers are quite common, but reality shows they are still ineffective :(

Slide 14

Slide 14 text

Problem of efficient security training

Slide 15

Slide 15 text

What about… Finally a security training which isn't an online course to fly through and forget! An internal course that is free and isn't corpo-bullshit?! Cannot believe that… …arranging internal hands-on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them?

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

WebGoat: few words about • A deliberately insecure Java-based application (or .Net-based: https://www.owasp.org/index.php/WebGoatFor.Net) which allows you to practise common vulnerabilities • 50+ lessons • After finding a vulnerability, learn to fix it! • Lessons are easy to manage, since each one is a plugin • You can create your own lessons and easily customize the content and language

Slide 18

Slide 18 text

Not only web apps… • Ruby on Rails: OWASP Rails Goat Project • PHP: OWASP WebGoatPHP • Node.js: OWASP Node_js Goat Project • Android: OWASP GoatDroid Project • iOS: OWASP iGoat Project

Slide 19

Slide 19 text

WebGoat: how to run? • Prerequisites: Java 1.8 • To start, just run these two commands:
$> wget https://github.com/WebGoat/WebGoat/releases/download/7.0.1/webgoat-container-7.0.1-war-exec.jar
$> java -jar webgoat-container-7.0.1-war-exec.jar
• Open in your browser: http://localhost:8080/WebGoat/ • That's all! Keep in mind that WebGoat is deliberately vulnerable, so run it on a machine or network segment that untrusted users cannot reach.

Slide 20

Slide 20 text

WebGoat: first view

Slide 21

Slide 21 text

WebGoat: lessons & labs

Slide 22

Slide 22 text

WebGoat: creating your own lesson • Plugin = lesson • Create NewLesson.java: https://www.owasp.org/index.php/How_to_write_a_new_WebGoat_lesson • A plugin is just a folder which follows this format

Slide 23

Slide 23 text

WebGoat: useful links • Project: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project • Documentation: https://github.com/WebGoat/WebGoat

Slide 24

Slide 24 text

Problem: how to efficiently manage the output of many different tools? • Each pentester uses many different tools (vulnerability scanner, web crawler, SSL/TLS tests, session management tests) • Running each of those tests takes time, right? • Automating them is easy, but analysing the consolidated output is much harder :( • And finally you have to turn all those results into a readable report… • …oooh… :(

Slide 25

Slide 25 text

Typical penetration testing process …of course in notepad ;) (…)

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

OWTF: Idea of the project • The goal of OWTF is to use penetration testing time as efficiently as possible. It does this by: • Running different tools (Nikto/Arachni/w3af/etc.) • Running direct tests (header searches/session tests/etc.) • Knowledge repository (OWASP mapping/resource links) • Helping human analysis (flag severity/manage output) • In other words, OWTF provides an optimal balance between automation and human analysis

Slide 28

Slide 28 text

OWTF: Installation • Want to start quickly? Follow this one-liner: $> wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh • As with any download-and-run installer, read the script before executing it, preferably on a dedicated testing VM.

Slide 29

Slide 29 text

OWTF

Slide 30

Slide 30 text

OWTF: Set a target

Slide 31

Slide 31 text

OWTF: Choose plugins and run! Plugin types, as OWTF names them:
Testing web apps:
• passive – tests via 3rd parties (no traffic to target)
• semi-passive – sends normal traffic to target
• active – active vulnerability probing
• grep – searches on HTTP transactions
• external – assists manual testing
Testing network services:
• bruteforce – probing services (e.g. FTP/SMB)

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

OWTF: Useful links • Project: https://www.owasp.org/index.php/OWASP_OWTF • Documentation: http://docs.owtf.org/en/latest/ • Online passive scanner: https://owtf.github.io/online-passive-scanner

Slide 34

Slide 34 text

Summary • Use OWASP WebGoat to provide efficient security trainings in your company. • Use OWASP OWTF to automate your penetration testing tasks: it makes analysing the tools' output easy and producing reports fast.

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

OWASP ASVS (Application Security Verification Standard)

Slide 37

Slide 37 text

Application Security Standards in use • Source: SANS Institute, May 2015, State of Application Security: Closing the Gap, https://www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942

Slide 38

Slide 38 text

In short • OWASP Application Security Verification Standard (ASVS) is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.

Slide 39

Slide 39 text

Example requirements

Slide 40

Slide 40 text

Example requirements • Architecture and design • Input handling • Data protection • Session management • Error handling • Business logic • Configuration • Web services • 19 sections in total • Every chapter has a control objective, requirements and references

Slide 41

Slide 41 text

History • First introduced: June 2008 • ASVS v1.0: 2009 • ASVS v2.0: 2014 • ASVS v3.0: 2015 • Current version: v3.0.1 (July 2016)

Slide 42

Slide 42 text

Idea behind • Use as a metric - provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications • Use as guidance - provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements • Use during procurement - provide a basis for specifying application security verification requirements in contracts

Slide 43

Slide 43 text

Application Security Verification Levels • ASVS Level 3 – for applications that „shoot missiles” ;) • ASVS Level 2 – for applications that contain sensitive data • ASVS Level 1 – for all software

Slide 44

Slide 44 text

Benefits for you • Helps you to develop and maintain secure applications • Contains clear and ready-to-use high level checklists and use cases • Allows you as well as security services, vendors, and consumers to align requirements and offerings

Slide 45

Slide 45 text

More ideas • Train your developers in AppSec • Take your standard software architecture and prepare standard security solutions for it, e.g. the Open Application Standard Platform (OASP): https://oasp.github.io/

Slide 46

Slide 46 text

Projects based on ASVS • Security Knowledge Framework - training developers in writing secure code and providing a knowledge base of secure design patterns • Zed Attack Proxy - easy to use integrated penetration testing tool for finding vulnerabilities in web applications, both automatically and manually • Cornucopia - a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

Slide 47

Slide 47 text

Useful links • Project: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project • Excel checklist: https://github.com/OWASP/ASVS/blob/master/ASVS-excel-v3.0.1.xlsx • OWASP ASVS mailing list: https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard

Slide 48

Slide 48 text

OWASP MASVS (Mobile Application Security Verification Standard)

Slide 49

Slide 49 text

Current state • Mobile web usage overtakes desktop for first time (http://www.telegraph.co.uk/technology/2016/11/01/mobile-web-usage-overtakes-desktop-for-first-time/)

Slide 50

Slide 50 text

In short • There is a significant difference between the security assurance of web and mobile applications • MASVS is to mobile apps what ASVS is to web apps • The project is work in progress (v0.9.2 is currently available)

Slide 51

Slide 51 text

Example

Slide 52

Slide 52 text

Mobile Security Verification Levels The following assurance levels are possible: L1, L1 + L2, but also L1 + R and L1 + L2 + R.

Slide 53

Slide 53 text

Requirements • Architecture, Design and Threat Modelling • Data Storage and Privacy • Cryptography • Authentication and Session Management • Network Communication • Environmental Interaction • Code Quality and Build Settings • Resiliency Against Reverse Engineering

Slide 54

Slide 54 text

Useful links • Homepage: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide • Github: https://github.com/OWASP/owasp-masvs

Slide 55

Slide 55 text

No content

Slide 56

Slide 56 text

OWASP Cornucopia

Slide 57

Slide 57 text

In short • OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic. • Cornucopia is based on the concepts and game ideas from the Microsoft SDL Elevation of Privilege (EoP) game and the OWASP Secure Coding Practices Guide. • OWASP Cornucopia Ecommerce Website Edition is referenced in the current Payment Card Industry Security Standards Council information supplement, PCI DSS E-commerce Guidelines v2, January 2013.

Slide 58

Slide 58 text

Idea behind • Help development teams to identify application security requirements and develop security-based user stories • Aimed first of all at Agile methodologies • A gamification approach to threat modeling

Slide 59

Slide 59 text

Cornucopia card • Suit • Rank • Threat • References: Secure Coding Practices, ASVS, AppSensor project, Common Attack Pattern Enumeration and Classification (CAPEC), Software Assurance Forum for Excellence in Code (SAFECode)

Slide 60

Slide 60 text

Cornucopia rules • Prepare everything (deck, cards, data flow diagram, prizes…) • Deal all the cards • Play a round – every player has to play one card of the selected suit. The highest card played in that suit wins, and its player starts the next round, until all cards are played • Count points and determine the winner • Closure: review all threats and the matching security requirements https://www.owasp.org/index.php/OWASP_Cornucopia#tab=How_to_Play

Slide 61

Slide 61 text

Cornucopia rules Playing a card: • each player reads it out loud • explains how the threat could apply (or not) to their application • a player gets a point for an attack that works and that the group thinks is an actionable bug. At this point we don't think about mitigations and don't exclude a threat just because it is believed to be mitigated already: the card should be recorded on the score sheet anyway

Slide 62

Slide 62 text

Cornucopia rules

Slide 63

Slide 63 text

Cornucopia deck • Clear who said what • Exact descriptions of threats • Actionable items • Developers know precisely what functionality is affected

Slide 64

Slide 64 text

Benefits for you • Teaching developers how to identify and assess vulnerabilities in every sprint • Training sessions for developers • Raising awareness of application security in your organization

Slide 65

Slide 65 text

Useful links • Project: https://www.owasp.org/index.php/OWASP_Cornucopia • Rules explained on YouTube: https://www.youtube.com/watch?v=i5Y0akWj31k • Presentation from OWASP EEE (Hungary): http://www.slideshare.net/OWASPEEE/hungary-i-play-jack-of-information-disclosure

Slide 66

Slide 66 text

OWASP SKF (Security Knowledge Framework)

Slide 67

Slide 67 text

In short • OWASP SKF is a fully open-source Python-Flask expert system web application that uses the OWASP Application Security Verification Standard and code examples, and can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3) • „we decided to develop a proof of concept framework in order to create a guide system available for all developers so they can develop applications secure by design” (http://secureby.design)

Slide 68

Slide 68 text

Idea behind The four core uses of SKF: • Security requirements (ASVS) for development and third-party vendor applications • Security knowledge reference (code examples / knowledge base items) • Security as part of design, with the pre-development functionality in SKF • Post-development functionality in SKF for verification against the ASVS

Slide 69

Slide 69 text

Installation Super-easy! Supported ways to install it: • Automated installation with Chef • AWS, using CloudFormation • … or manually, as you would with any other Python project: sudo pip install owasp-skf (https://github.com/blabla1337/skf-flask#installing)

Slide 70

Slide 70 text

Overview • Demo instance: https://demo.securityknowledgeframework.org (login admin : test-skf)

Slide 71

Slide 71 text

SKF: Projects This is where you start.

Slide 72

Slide 72 text

SKF: Pre-development stage • Definition of the technology stack • Adding the different functionalities of the system: • Access controls / login systems • Registration • Submit forms • External XML files • File uploads • SQL commands…

Slide 73

Slide 73 text

SKF: Pre-development stage First assessment and security recommendations for selected functionality

Slide 74

Slide 74 text

SKF: Post-development stage • Double-check your app by means of pre-defined or custom checklists • ASVS-based checklists for the different criticality levels of the application are auto-generated after the pre-development stage! • After answering clear and simple questions, reports with the failed items are ready to be downloaded and prioritized

Slide 75

Slide 75 text

SKF: Post-development stage Failed items and recommendations can be viewed in the application, or exported for further processing

Slide 76

Slide 76 text

SKF: Knowledge Base • „Use info, do not get hacked, profit!” • Multiple options of secure design patterns with examples • Gives a good understanding for developers not only about what to fix but also why to do so

Slide 77

Slide 77 text

SKF: Knowledge Base Descriptions, solutions and many different language-agnostic patterns

Slide 78

Slide 78 text

SKF: Code examples • We were talking about generic secure patterns so far • Code examples with extensive comments provide ready-to-use solutions on how to do things right! • Currently supported languages: PHP, .NET and Java (soon ☺)

Slide 79

Slide 79 text

SKF: Code examples Can be reused directly, and have extensive comments to know how and why to fix an issue

Slide 80

Slide 80 text

SKF: Improve yourself! • Cherry on top of the pie: you can easily add your own use-cases and adjust it as you like! • Checklists, knowledge base items and code examples must follow the markdown layout below, and then appear immediately in your panel:
Directory/path traversal        <-- name as seen in the drop-down
-------                         <-- separator line
**Example:**                    <-- bold marker telling where the example starts
    /* your code is indented by 4 spaces (a tab) so the markdown engine renders it as code */
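Added example (Python; my code, not SKF's): a checker for a hand-written item before it is dropped into SKF's markdown directory, so that an item which would silently render as prose instead of code is caught early. It enforces only the layout the slide shows (title line, dashed separator, **Example:** marker, code indented by four spaces or a tab); any further SKF file conventions are outside this example, and the sample item is constructed.

```python
"""Check an SKF knowledge-base / code-example item against the layout on the slide."""
import re

SEPARATOR_RE = re.compile(r"^-{3,}\s*$")
EXAMPLE_MARKER = "**Example:**"


def parse_skf_item(text: str) -> dict:
    """Return {'title': ..., 'code': ...}; raise ValueError on a malformed item."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].strip():
        raise ValueError("first line must be the item title shown in the drop-down")
    if not SEPARATOR_RE.match(lines[1]):
        raise ValueError("second line must be a separator made of dashes")
    title = lines[0].strip()

    marker_rows = [i for i, line in enumerate(lines) if line.strip() == EXAMPLE_MARKER]
    if not marker_rows:
        raise ValueError("missing **Example:** marker")

    code = []
    for line in lines[marker_rows[0] + 1:]:
        if not line.strip():
            code.append("")            # blank lines inside the example are fine
        elif line.startswith("    "):
            code.append(line[4:])
        elif line.startswith("\t"):
            code.append(line[1:])
        else:
            # an unindented line would be rendered as prose, not as code
            raise ValueError(f"example line not indented as code: {line!r}")
    code_text = "\n".join(code).strip("\n")
    if not code_text:
        raise ValueError("the example block is empty")
    return {"title": title, "code": code_text}


# Constructed sample item: a path-traversal code example in the slide's layout.
GOOD_ITEM = """\
Directory/path traversal
-------

**Example:**

    import os

    def open_upload(root, name):
        # Canonicalise and refuse anything that escapes the upload root
        base = os.path.realpath(root)
        full = os.path.realpath(os.path.join(base, name))
        if os.path.commonpath([base, full]) != base:
            raise PermissionError(name)
        return open(full, "rb")
"""

# The same item with the indentation lost on one line: SKF would render it as text.
BAD_ITEM = GOOD_ITEM.replace("        base = os.path.realpath(root)",
                             "base = os.path.realpath(root)")


def check(text: str) -> str:
    """Human-readable verdict, handy in a pre-commit hook for the markdown directory."""
    try:
        item = parse_skf_item(text)
    except ValueError as err:
        return f"REJECT: {err}"
    return f"OK: '{item['title']}' with {len(item['code'].splitlines())} code lines"


if __name__ == "__main__":
    print(check(GOOD_ITEM))
    print(check(BAD_ITEM))
```

Run it over every file you add; the extracted code can additionally be compiled with the language's own toolchain, which is the check that catches the "example that does not even parse" class of mistakes.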

Slide 81

Slide 81 text

Benefits for you • Guide to secure programming • Security by design, not bolted on afterwards • Security awareness • Informs about threats even before a single line of code is written • Central place for security reference • Provides information applicable to specific needs on the spot

Slide 82

Slide 82 text

Useful links • Project: http://secureby.design • Source code: https://github.com/blabla1337/skf-flask • SKF workshop (DevOpsDays 2015): https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

Slide 83

Slide 83 text

No content

Slide 84

Slide 84 text

Appsec Pipeline

Slide 85

Slide 85 text

Software development lifecycle today

Slide 86

Slide 86 text

The AppSec pipeline project • Place to gather together information, techniques and tools to create your own AppSec pipeline • Right now: AppSec pipeline patterns and tools https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

Slide 87

Slide 87 text

Example of workflow - Code written - Code committed to repository - Unit test the code - Package the code for deployment - Integration testing - Deploy code in production

Slide 88

Slide 88 text

Pipeline design patterns

Slide 89

Slide 89 text

Pipeline design patterns

Slide 90

Slide 90 text

Security tools evaluation criteria • API first • Pipeline position • Cloud scalable • Runs as a service • Client libraries • CI/CD plugins

Slide 91

Slide 91 text

No content

Slide 92

Slide 92 text

What is OWASP ZAP? • Web app security testing tool • Free and open source • Written in Java → cross platform https://www.owasp.org/index.php/ZAP

Slide 93

Slide 93 text

OWASP ZAP Features • GUI, headless and REST API • Intercepting proxy • Classic and AJAX spiders • Passive and active scanning • … and of course can be extended via addons!

Slide 94

Slide 94 text

Addons

Slide 95

Slide 95 text

How can it all help me???

Slide 96

Slide 96 text

ZAP for pentests • Configure your browser to use ZAP as a proxy • Explore the application manually • Use the spider to find other content and input points • See what security issues the passive scanner has found • Use the active scanner to find vulnerabilities • Do manual pentesting

Slide 97

Slide 97 text

ZAP as a part of your appsec pipeline The baseline scan • Simple inline security control • Mass scan of big number of targets • Post release (production) control Full scan • Regular heavy asynchronous scan • More power and integration into your infrastructure and processes

Slide 98

Slide 98 text

The baseline scan • Uses Docker • Only passive scanning • Time limited spider of target • By default warns on all issues: – Missing / incorrect security headers like CSP – Cookie problems – Information / error disclosure – Missing CSRF tokens etc.

Slide 99

Slide 99 text

The baseline scan example
$ docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://oxdef.info
...
Total of 81 URLs
PASS: Cookie No HttpOnly Flag [10010]
...
WARN: Web Browser XSS Protection Not Enabled [10016] x 52
    https://oxdef.info
...
FAIL: 0 WARN: 5 INFO: 0 IGNORE: 0 PASS: 21
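Added example (Python; my code, not ZAP's or the presentation's): a parser for the zap-baseline.py report shown above and a gate that turns it into a pass/fail decision for a pipeline, plus a helper that renders the rule file zap-baseline.py accepts with -c. The line formats follow the slide's output; the sample report, the rule names not on the slide (10012, 10020) and the policy are constructed for this example.

```python
"""Parse zap-baseline.py output and gate a pipeline on it."""
import re
from dataclasses import dataclass, field

FINDING_RE = re.compile(r"^(PASS|WARN|FAIL|INFO|IGNORE): (.+?) \[(\d+)\](?: x (\d+))?$")
TOTALS_RE = re.compile(r"^FAIL: (\d+)\s+WARN: (\d+)\s+INFO: (\d+)\s+IGNORE: (\d+)\s+PASS: (\d+)\s*$")


@dataclass
class Finding:
    status: str          # PASS / WARN / FAIL / INFO / IGNORE
    name: str            # rule name, e.g. "Cookie No HttpOnly Flag"
    rule_id: int         # ZAP passive scan rule id, e.g. 10010
    count: int = 0       # number of URLs the rule fired on (0 for PASS)
    urls: list = field(default_factory=list)


@dataclass
class BaselineReport:
    findings: list = field(default_factory=list)
    totals: dict = field(default_factory=dict)


def parse_baseline_output(text: str) -> BaselineReport:
    report = BaselineReport()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FINDING_RE.match(line)
        if m:
            status, name, rule_id, count = m.groups()
            current = Finding(status, name, int(rule_id), int(count or 0))
            report.findings.append(current)
            continue
        m = TOTALS_RE.match(line)
        if m:
            keys = ("FAIL", "WARN", "INFO", "IGNORE", "PASS")
            report.totals = dict(zip(keys, map(int, m.groups())))
            current = None
            continue
        if current is not None and line.startswith(("http://", "https://")):
            current.urls.append(line)   # example URL listed under a WARN/FAIL rule
    return report


def gate(report: BaselineReport, must_pass: set) -> tuple:
    """(ok, reasons): fail the build on any FAIL, or on a WARN for a rule in must_pass."""
    reasons = []
    if report.totals.get("FAIL", 0):
        reasons.append(f"{report.totals['FAIL']} rule(s) reported FAIL")
    for f in report.findings:
        if f.status == "WARN" and f.rule_id in must_pass:
            reasons.append(f"rule {f.rule_id} ({f.name}) warned on {f.count} URL(s)")
    return (not reasons, reasons)


def rule_config(policy: dict) -> str:
    """Render the rule file zap-baseline.py takes with -c: one tab-separated
    '<id>\\t<IGNORE|WARN|FAIL>\\t(<name>)' line per rule."""
    lines = []
    for rule_id, (action, name) in sorted(policy.items()):
        if action not in ("IGNORE", "WARN", "FAIL"):
            raise ValueError(f"unknown action {action!r} for rule {rule_id}")
        lines.append(f"{rule_id}\t{action}\t({name})")
    return "\n".join(lines) + "\n"


# Constructed report in the format of the slide's docker run.
SAMPLE_OUTPUT = """\
Total of 81 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Password Autocomplete in Browser [10012]
WARN: Web Browser XSS Protection Not Enabled [10016] x 52
\thttps://oxdef.info
\thttps://oxdef.info/robots.txt
WARN: X-Frame-Options Header Not Set [10020] x 3
\thttps://oxdef.info
FAIL: 0\tWARN: 2\tINFO: 0\tIGNORE: 0\tPASS: 2
"""

if __name__ == "__main__":
    report = parse_baseline_output(SAMPLE_OUTPUT)
    ok, reasons = gate(report, must_pass={10020})
    print("gate:", "PASS" if ok else "FAIL", reasons)
    print(rule_config({10016: ("IGNORE", "Web Browser XSS Protection Not Enabled"),
                       10020: ("FAIL", "X-Frame-Options Header Not Set")}))
```

In a pipeline, capture the output of the docker run, feed it to parse_baseline_output and exit non-zero when ok is False; the rule ids are the numbers in square brackets on each line, and the rendered rule file lets you make the same decision inside zap-baseline.py itself by marking a rule FAIL or IGNORE.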

Slide 100

Slide 100 text

No content

Slide 101

Slide 101 text

1 n33d m0re p0w3r! • The REST API is your choice • zap.sh -daemon -host 0.0.0.0 -port 8080 (binding to 0.0.0.0 exposes the API to every host that can reach the port: do it only with an API key set, e.g. -config api.key=<key>, and on a network you trust) • http(s)://zap/<format>/<component>/<operation type>/<operation name>/[?<parameters>] • Also available in the Docker image owasp/zap2docker-* • Maps closely to the UI / code • JSON, HTML and XML formats • Clients in: Java, Python, NodeJS, .Net, PHP, Go ...

Slide 102

Slide 102 text

Simple scan using the API and the Python client (pip install python-owasp-zap-v2.4)

import time
from pprint import pprint
from zapv2 import ZAPv2

target = 'http://some-target.com'
# Assumes ZAP is listening on the default http://127.0.0.1:8080; pass apikey='...' if the API key is enabled
zap = ZAPv2()

scanid = zap.spider.scan(target)
while int(zap.spider.status(scanid)) < 100:
    print('Spider progress %: ' + zap.spider.status(scanid))
    time.sleep(2)

scanid = zap.ascan.scan(target)
while int(zap.ascan.status(scanid)) < 100:
    print('Scan progress %: ' + zap.ascan.status(scanid))
    time.sleep(5)

# Alerts raised by both the passive and the active scanner
pprint(zap.core.alerts())

Slide 103

Slide 103 text

Cheat Sheet Series

Slide 104

Slide 104 text

Cheat Sheet Series

Slide 105

Slide 105 text

Cheat Sheet Series • «The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics» • You can browse it online or get it as a PDF book • Mostly fresh and relevant topics https://www.owasp.org/index.php/Cheat_Sheets

Slide 106

Slide 106 text

3rd party JavaScript management The invocation of 3rd party JS code in a web application requires consideration of 3 risks in particular: • The loss of control over changes to the client application • The execution of arbitrary code on client systems • The disclosure or leakage of sensitive information to 3rd parties https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet

Slide 107

Slide 107 text

XSS Prevention RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
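Added example (Python; my code, not the cheat sheet's or the presentation's): an encoder implementing Rule #3 as quoted, next to the naive quoting it replaces. Alphanumerics pass through and every other code point below 256 becomes \xHH. The \uHHHH handling for code points of 256 and above, including surrogate pairs for characters outside the BMP, is an assumption that goes beyond the rule text on the slide; the PAYLOAD string is constructed.

```python
"""JavaScript-string escaping for untrusted data (XSS Prevention Rule #3)."""
import string

ASCII_ALNUM = frozenset(string.ascii_letters + string.digits)


def js_escape(value: str) -> str:
    """Escape untrusted data for use inside a quoted JavaScript string literal."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch in ASCII_ALNUM:
            out.append(ch)                       # the only characters left as-is
        elif cp < 256:
            out.append(f"\\x{cp:02X}")           # rule #3: \xHH for everything else
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04X}")           # assumption: \uHHHH beyond Latin-1
        else:
            # assumption: characters outside the BMP become a surrogate pair
            hi, lo = divmod(cp - 0x10000, 0x400)
            out.append(f"\\u{0xD800 + hi:04X}\\u{0xDC00 + lo:04X}")
    return "".join(out)


def render_js_assignment(var_name: str, untrusted: str) -> str:
    """Emit `var NAME = '...';` with the escaped value inside single quotes.

    The escaped form is only safe inside a quoted string literal; placing it
    bare (as a number, an identifier or an event-handler attribute) would put
    the data back into a code context that this rule does not cover."""
    if not var_name.isidentifier():          # Python's rule, close enough for JS names
        raise ValueError("variable name must be an identifier")
    return f"var {var_name} = '{js_escape(untrusted)}';"


def render_js_assignment_naive(var_name: str, untrusted: str) -> str:
    """The vulnerable pattern the rule replaces: quoting without escaping."""
    return f"var {var_name} = '{untrusted}';"


# Constructed attacker input that closes the string, then the script tag.
PAYLOAD = "x'; alert(1); //</script><script>alert(2)//"

if __name__ == "__main__":
    print(render_js_assignment_naive("q", PAYLOAD))
    print(render_js_assignment("q", PAYLOAD))
```

Because the quote, the semicolon, the angle brackets and the slash all become \xHH sequences, neither the string literal nor the enclosing script tag can be terminated by the data, which is exactly what the rule's "switching out of the data value" wording is about.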

Slide 108

Slide 108 text

XXE Prevention Libxml2: the enum xmlParserOption should not have the following options set: • XML_PARSE_NOENT: expands entities and substitutes them with replacement text • XML_PARSE_DTDLOAD: loads the external DTD https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
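Added example (Python; my code, not the cheat sheet's or the presentation's): the control the slide describes for libxml2, shown with Python's standard library, which wraps expat rather than libxml2. The switch that plays the role of leaving XML_PARSE_NOENT / XML_PARSE_DTDLOAD unset is xml.sax's feature_external_ges: with it on, an external entity pulls a local file into the document; with it off, the entity is left unexpanded. The secret file, the attacker document and the parser wrapper are constructed here, and the file:// path assumes a POSIX host.

```python
"""XXE: the same document parsed with external entities allowed and refused."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data, which is where an expanded entity ends up."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes: bytes, allow_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    # The security-relevant switch: external general entities on or off.
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo() -> dict:
    """Parse an XXE payload both ways and return what each parser saw."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("s3cr3t-db-password")          # constructed secret standing in for /etc/passwd
        secret_path = f.name
    try:
        # Constructed attacker document: the entity points at a local file.
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file://{secret_path}"> ]>\n'
            "<order><note>&xxe;</note></order>"
        ).encode()
        return {
            "vulnerable": parse_untrusted(payload, allow_external_entities=True),
            "hardened": parse_untrusted(payload, allow_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode:10s} -> {text!r}")
```

Python 3.7.1 and later already default feature_external_ges to False, which is why the vulnerable half of the demo re-enables it explicitly; with lxml, which does sit on libxml2, the equivalent hardening is etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True).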

Slide 109

Slide 109 text

Featured cheat sheets • Clickjacking Defense • Cross-Site Request Forgery (CSRF) Prevention • Deserialization • DOM based XSS Prevention • REST Security • Virtual Patching

Slide 110

Slide 110 text

Summary • OWASP AppSec Pipeline helps you choose suitable tools and build your own AppSec pipeline • OWASP ZAP is one such tool. With it you can run a manual pentest of a web app or automate web app security testing in your SDL • The OWASP Cheat Sheets help you in specific areas of application security

Slide 111

Slide 111 text

No content

Slide 112

Slide 112 text

Testing Guide

Slide 113

Slide 113 text

OWASP Testing Guide Versions • V1 – December 2004 • V2 – 25th December 2005 • V3 – 15th September 2008, added the Configuration Management and Authorization Testing sections • V4 – 2014, added Identity Management Testing, Error Handling, Cryptography and Client Side Testing

Slide 114

Slide 114 text

Purpose • The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and • a "low level" penetration testing guide that describes techniques for testing most common web application and services security issues.

Slide 115

Slide 115 text

Typical Testing Guide chapter • Summary • How to test • Tools • Remediation • References (example chapter: Fingerprint Web Application Framework)

Slide 116

Slide 116 text

Why to test • The steps that need to be undertaken to build and operate a testing program on web apps. • Effective testing program: – People – Process – Technology • Testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present

Slide 117

Slide 117 text

When to test • Testing software only once it has already been built and is in the deployment phase of its life cycle is an ineffective and cost-prohibitive practice • One of the best methods to prevent security bugs from appearing in production applications is to improve the SDLC by including security in each of its phases

Slide 118

Slide 118 text

Example Testing guide XXE

Slide 119

Slide 119 text

Summary • Constant work in progress • Anybody is welcome to collaborate • Best practice for web penetration tests

Slide 120

Slide 120 text

OWASP Mobile Security Testing Guide

Slide 121

Slide 121 text

OWASP MSTG Leaders • MSTG was initiated by Milan Singh Thakur in 2015. The original document was hosted on Google Drive and later moved to GitHub • Bernhard Mueller (2016) • Sven Schleier (2016)

Slide 122

Slide 122 text

OWASP MSTG • MSTG is a manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the MASVS • MSTG is meant to provide a baseline set of test cases for black-box and white-box security tests, and to help ensure completeness and consistency of the tests

Slide 123

Slide 123 text

MSTG Structure • High-Level Guides – Mobile Platforms Overview – Security Testing Processes, Tools and Techniques • Complementary – Security Testing in the Application Development Lifecycle – Tools

Slide 124

Slide 124 text

MSTG Structure

Slide 125

Slide 125 text

Typical MSTG chapter • Summary • White-box testing / Black-box testing • Remediation • References • Tools

Slide 126

Slide 126 text

Typical MSTG chapter Practical examples of how to test it right, with tools, samples and references

Slide 127

Slide 127 text

Summary • Constant work in progress • Anybody is welcome to collaborate • Best practice for mobile penetration tests

Slide 128

Slide 128 text

References • https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents • https://github.com/OWASP/owasp-mstg

Slide 129

Slide 129 text

Afterword

Slide 130

Slide 130 text

Afterword • There are many projects happening right now (very good examples are MASVS and MSTG) • With such a huge amount of work to do, every small bit of help is valuable • Do something good today: contribute to OWASP Projects :)

Slide 131

Slide 131 text

No content