Slide 1

AUTOMATING SECURITY TESTING WITH THE OWTF
Jerod Brennen

Slide 2

WHO AM I?
- Jerod Brennen
- Security Architect, One Identity
- Alphabet Soup: ACE, CISSP, GWAPT, GWEB

Slide 3

BLOCKING AND TACKLING

Slide 4

COMPLIANCE VS. SECURITY
- PCI pen testing
  - Internal & External
  - Systems & Applications
- Bug bounty programs
- More vulnerabilities discovered (and disclosed)
- More hacking tools published to GitHub
- Customer/Client expectations (requirements?)
- Third party risk assessments

Slide 5

POSITIVE TESTING VS. NEGATIVE TESTING

Slide 6

WHEN SHOULD WE TEST?

Slide 7

XKCD? OR NOSTRADAMUS? (Hint: It’s totally XKCD: https://xkcd.com/1319/)

Slide 8

ENTER THE OWTF

Slide 9

BASIC STRUCTURE
- Offensive Web Testing Framework
- https://www.owasp.org/index.php/OWASP_OWTF
- Our powers combined…
  - OWASP Testing Guide
  - PTES
  - NIST (SP 800-115) + OSSTMM

Slide 10

OWASP TESTING PROJECT
- https://www.owasp.org/index.php/OWASP_Testing_Project
- Currently at version 4
- 11 test categories
- Over 100 unique app sec tests

Slide 11

NIST SP 800-115
- Technical Guide to Information Security Testing and Assessment
- http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

Slide 12

PENETRATION TESTING EXECUTION STANDARD
- http://www.pentest-standard.org/
- Seven (7) Phases
  - Pre-engagement Interactions
  - Intelligence Gathering
  - Threat Modeling
  - Vulnerability Analysis
  - Exploitation
  - Post Exploitation
  - Reporting

Slide 13

OWTF TECH SPECS
- Python 2.7 (the OWTF generation this deck covers; later releases moved to Python 3, so check the current README before following the setup steps here)
- PostgreSQL database backend
- Runs on Linux (Kali 1.x/2.x)
- Functions & options exposed via REST API

Slide 14

UNDER THE HOOD
- curl (https://curl.haxx.se/)
- Arachni (http://www.arachni-scanner.com/)
- w3af (http://w3af.org/)
- skipfish (https://github.com/spinkham/skipfish)
- DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)

Slide 15

A “FEW” ADDITIONAL TOOLS
- CMS Explorer
- DNSpider
- DNS Recon
- Hoppy
- HTTPrint
- HashCollision
- O-Saft
- Panoptic
- SET
- SSL Labs
- SSL Cipher Check
- WPScan
- Slowloris
- HTTP Traceroute
- Hydra
- Metagoofil
- Metasploit
- Nmap
- Nikto

Slide 16

TEST SEPARATION BY PLUGIN
- Passive: no traffic goes to the target (information comes from third-party sources, so the target sees nothing)
- Semi Passive: normal traffic to the target (requests that look like ordinary browsing, nothing that reads as an attack)
- Active: direct vulnerability probing (attack payloads, brute force, scanners; only with written authorization)

Slide 17

USING THE OWTF

Slide 18

WORKFLOW: Scan (Web UI) -> Analyze Findings -> Validate (CLI) -> Report

Slide 19

INSTALLATION
- Kali Linux
  - https://www.kali.org/downloads/
- Bootstrap Script
  - wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
  - (Read the script before running it; it installs packages and tools on your testing box)
- Git Clone
  - git clone -b <branch> http://www.github.com/owtf/owtf.git
  - (-b needs a branch name, which is missing from the slide; drop -b to clone the default branch)
- Docker
  - Check out https://github.com/owtf/owtf

Slide 20

OWTF DOCUMENTATION
- From http://docs.owtf.org/en/viyatb-break/
- Usage
  - Starting OWTF
  - Using Sessions
  - Managing Targets
  - Understanding Plugins
  - Analyzing Results
  - Managing Workers
  - Controlling Worklist

Slide 21

STARTING OWTF
- Create your testing directory
  - mkdir ~/pentest; cd ~/pentest
- Activate the owtf virtualenv (workon comes from virtualenvwrapper, which the bootstrap script sets up)
  - source ~/.bashrc; workon owtf
- Start the db
  - ~/owtf/scripts/db_run.sh
- Start OWTF
  - ~/owtf/owtf.py
- Login
  - http://127.0.0.1:8009

Slide 22

USING SESSIONS

Slide 23

CHOOSE YOUR WEAPON(S)
- Select Targets, then click Run
- Use the Search box to filter
- Plugins by Code
  - OWTF – 121 plugins
  - PTES – 16 plugins

Slide 24

UNDERSTANDING PLUGINS
- Three (3) plugin groups, each with its own plugin types
  - WEB (active, external, grep, passive, semi-passive)
  - NET (active, bruteforce)
  - AUX (se, exploit, etc.)
- Spend some time skimming the OWASP Testing Guide for a better understanding of plugin mappings/identifiers

Slide 25

ANALYZING RESULTS
- Organized by plugin + criticality
- Mapping code (e.g., OWTF-CM-008)
- Mapping name (e.g., HTTP Methods and XST)
- Pen test context (e.g., PUT, TRACE, WebDAV)
- HTTP Request & Response
- Browse button takes you to output files generated during the test (if available)
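The "Validate (CLI)" step for the OWTF-CM-008 example above, as an added example that is not OWTF's own code: it sends OPTIONS and a marker-tagged TRACE request, flags the methods a tester has to chase (PUT, DELETE, TRACE, WebDAV verbs), and only reports XST when the TRACE body actually echoes the marker. The method/reason table is my own; the parsing is separated from the network I/O so it can be checked on constructed responses.

```python
"""Validate an 'HTTP Methods and XST' finding (OWTF-CM-008) from the CLI.

Added example, not OWTF code. It issues OPTIONS and a TRACE request that
carries a random marker header, then flags risky methods and confirms
cross-site tracing (XST) only if TRACE echoes the marker back. Parsing is
kept apart from the network I/O so it can be checked on constructed responses.
"""
import http.client
import secrets
from typing import Dict, List, Tuple

# Advertised methods that need a justification from the app owner (my list).
RISKY_METHODS = {
    "PUT": "may allow uploading arbitrary files",
    "DELETE": "may allow deleting server resources",
    "TRACE": "cross-site tracing if the response echoes the request",
    "TRACK": "Microsoft alias for TRACE",
    "CONNECT": "server may act as an open proxy",
    "PROPFIND": "WebDAV: property/directory disclosure",
    "PROPPATCH": "WebDAV: property modification",
    "MKCOL": "WebDAV: directory creation",
    "COPY": "WebDAV: server-side copy",
    "MOVE": "WebDAV: server-side move/rename",
    "LOCK": "WebDAV: resource locking",
    "UNLOCK": "WebDAV: resource unlocking",
}


def parse_allow(allow_header: str) -> List[str]:
    """Split an Allow (or Public) header into sorted, upper-cased method names."""
    if not allow_header:
        return []
    return sorted({m.strip().upper() for m in allow_header.split(",") if m.strip()})


def risky_methods(methods: List[str]) -> Dict[str, str]:
    """Keep only the methods that need follow-up, with the reason for each."""
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}


def trace_is_exploitable(status: int, body: str, marker: str) -> bool:
    """XST is confirmed only when TRACE answers 200 and the body echoes our marker.

    A 405/501, or a 200 that does not contain the marker, means TRACE is disabled
    or filtered even if OPTIONS advertised it, so it is not reportable as XST."""
    return status == 200 and marker in body


def probe(host: str, port: int = 80, path: str = "/") -> Tuple[Dict[str, str], bool]:
    """Live check; run it only against targets you are authorized to test."""
    marker = "OWTF-XST-" + secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()  # drain so the connection can be reused
    allow = resp.getheader("Allow") or resp.getheader("Public") or ""
    conn.request("TRACE", path, headers={"X-Marker": marker})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", errors="replace")
    conn.close()
    return risky_methods(parse_allow(allow)), trace_is_exploitable(resp.status, body, marker)


if __name__ == "__main__":
    # Constructed responses, so the logic can be seen without a live target.
    print(risky_methods(parse_allow("GET, HEAD, POST, OPTIONS, TRACE, PUT, PROPFIND")))
    echoed = "TRACE / HTTP/1.1\r\nHost: app\r\nX-Marker: OWTF-XST-deadbeef\r\n\r\n"
    print(trace_is_exploitable(200, echoed, "OWTF-XST-deadbeef"))  # True
```

The marker matters: many servers advertise TRACE in Allow but have it filtered upstream, and a reviewer will ask for the echoed request, not the OPTIONS header, before accepting XST as a finding.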

Slide 26

SAVING YOUR ANALYSIS
- Manual ranking
  - Info
  - Low
  - Medium
  - High
  - Critical
- Tester can add notes

Slide 27

ADVANCED FILTER
- Status (Aborted, Aborted by User, Successful)
- Plugin Group (Web)
- Mapping (NIST, OWASP_V3, OWASP_V4)
- OWTF Rank (-1, 1, 2, 3, 4, 5; -1 means not yet ranked)
- Plugin Type (active, external, grep, passive, semi-passive)

Slide 28

TRANSACTION LOG
- Link
- Time (Duration)
- HTTP Options
- HTTP Status
- URL

Slide 29

MANAGING WORKERS
- Scanner process
  - PID
  - Target
  - Plugin
  - Type
  - Group
- Pause, resume, & abort individual workers
- Maximum of one plugin per target will be running at any moment in time

Slide 30

MANAGING WORKLISTS
- The worklist is the queue of pending (target, plugin) work items that the workers pull from
- Columns
  - Time estimate
  - Target
  - Plugin Group
  - Plugin Type
  - Plugin Name

Slide 31

TEST CASES

Slide 32

LET’S TALK WORKFLOW (AGAIN)
- Add your target
- Run your plugins
- Analyze the scan results
- Copy commands from web UI to CLI
- Run command line tools
- Analyze the results from the CLI tools
- Add notes via the web UI
- Generate (export) your report
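The first three workflow steps (add target, run plugins, analyze) can be scripted against the REST API mentioned on slide 13 instead of clicked through the web UI. The following is an added example and not OWTF's own code: the endpoint paths and field names (/api/targets/ with target_url, /api/worklist/ with target_id/group/type, /api/targets/<id>/poutput/ with owtf_rank, a target_id field on worklist items) are my recollection of the 1.x API and must be confirmed against docs.owtf.org or the running instance; the HTTP layer is injected so the control logic can be exercised offline.

```python
"""Drive the OWTF scan/analyze loop from a script instead of the web UI.

Added example, not code from OWTF. Paths, form fields and JSON keys are
assumed (see lead-in); verify them against your instance's API docs.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, path, form_fields) -> (http_status, decoded_json_or_None)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, object]]


def urllib_transport(base: str = "http://127.0.0.1:8009") -> Transport:
    """Real transport against a local OWTF: form-encoded POSTs, JSON replies."""
    def send(method: str, path: str, data: Optional[dict] = None):
        body = urllib.parse.urlencode(data).encode() if data else None
        req = urllib.request.Request(base + path, data=body, method=method)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None
    return send


class OwtfClient:
    def __init__(self, transport: Transport):
        self.send = transport

    def add_target(self, url: str) -> int:
        """Register a target (the POST may answer with an empty body), then resolve its id."""
        status, _ = self.send("POST", "/api/targets/", {"target_url": url})
        if status not in (200, 201):
            raise RuntimeError(f"add_target: HTTP {status}")
        _, targets = self.send("GET", "/api/targets/", None)
        for t in targets:
            if t["target_url"].rstrip("/") == url.rstrip("/"):
                return int(t["id"])
        raise RuntimeError("target accepted but not listed")

    def queue_plugins(self, target_id: int, group: str = "web", ptype: str = "passive") -> None:
        """Queue every plugin of one group/type for the target (groups/types from slide 24)."""
        status, _ = self.send("POST", "/api/worklist/",
                              {"target_id": target_id, "group": group, "type": ptype})
        if status not in (200, 201):
            raise RuntimeError(f"queue_plugins: HTTP {status}")

    def pending(self, target_id: int) -> int:
        """Work items still queued for this target (assumed item field: target_id)."""
        _, items = self.send("GET", "/api/worklist/", None)
        return sum(1 for w in items if int(w["target_id"]) == target_id)

    def wait(self, target_id: int, timeout_s: float = 3600.0, poll_s: float = 5.0,
             sleep: Callable[[float], None] = time.sleep,
             clock: Callable[[], float] = time.monotonic) -> bool:
        """Poll until the worklist drains; False if the timeout expires first."""
        deadline = clock() + timeout_s
        while self.pending(target_id) > 0:
            if clock() >= deadline:
                return False
            sleep(poll_s)
        return True

    def findings(self, target_id: int, min_rank: int = 1) -> List[Dict]:
        """Plugin outputs ranked at or above min_rank, most severe first.
        OWTF ranks (slide 27): -1 unranked, 1 info ... 5 critical."""
        _, outputs = self.send("GET", f"/api/targets/{target_id}/poutput/", None)
        hits = [o for o in outputs if int(o.get("owtf_rank", -1)) >= min_rank]
        return sorted(hits, key=lambda o: -int(o["owtf_rank"]))


def passive_scan(client: OwtfClient, url: str, **wait_kwargs) -> List[Dict]:
    """Add target -> run plugins -> analyze, starting with passive plugins only so
    nothing touches the target until a tester has looked at the first results."""
    tid = client.add_target(url)
    client.queue_plugins(tid, "web", "passive")
    if not client.wait(tid, **wait_kwargs):
        raise TimeoutError("scan did not finish in time; check the Workers page")
    return client.findings(tid, min_rank=2)


if __name__ == "__main__":
    # Placeholder target; replace with an app you are authorized to test.
    for f in passive_scan(OwtfClient(urllib_transport()), "http://target.example.test"):
        print(f.get("plugin_code"), f.get("owtf_rank"))
```

Starting with the passive group keeps the script safe to run repeatedly; queue semi-passive and active plugins only after the passive output has been reviewed and the session is the right one (see the Default Session warning later in the deck).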

Slide 33

TEST SSL/TLS CONFIG
- Filter on ssl (or tls; same results)
- Four (4) tests
- Output saved to /pentest_folder/owtf_review/…

Slide 34

TEST FOR XSS
- Filter on cross site scripting (6 tests)
- Also, cross site flashing
- DOM-based, reflected, & stored

Slide 35

TEST FOR INJECTION FLAWS
- Filter on injection (12 tests)
- Why stop at SQLi?
  - SMTP
  - Code
  - Command
  - LDAP
  - XML
  - XPath

Slide 36

WHAT IF…?

Slide 37

A FEW FINAL COMMENTS

Slide 38

QUICK TIPS
- You’ll need to install w3af in Kali
  - git clone https://github.com/andresriancho/w3af.git
  - cd w3af
  - easy_install --upgrade pip
  - Install the dependencies (w3af’s first run writes a dependency install script to a temp dir; run it)
- My UX has been a little buggy
  - Occasional HTTP 500 error (including first run)
- Steer clear of the Default Session
  - Multiple runs against the same app may overwrite previous scan data
- Contribute to the project!

Slide 39

YOUR HOMEWORK – TRIAL RUN
- Study up on the OWASP Testing Guide
- Identify the tests that are relevant to your app(s)
- Run your first set of OWTF plugins
- Validate and/or expand findings via command line
- Add your comments and export your first OWTF report
- Feed report findings into bug tracking system
- Fix all the things!
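The "feed report findings into bug tracking system" step is where the manual ranks and notes from slide 26 pay off. As an added example (not OWTF's export format, which I have not reproduced; the record layout and the sample findings below are constructed), this turns exported findings into ticket-shaped records with three rules a practitioner will want: the tester's manual rank overrides the automatic OWTF rank, items nobody ranked (-1) go to a review list instead of the tracker, and repeat runs against the same app are deduplicated on (target, mapping code) so the tracker gets one ticket per issue.

```python
"""Turn exported OWTF findings into bug-tracker tickets.

Added example. The record layout and SAMPLE_FINDINGS are constructed stand-ins
for an OWTF export, not the real format. Rules: manual user_rank overrides
owtf_rank; rank -1 (unranked) goes to a review list, not the tracker; repeat
runs are deduplicated on (target, code), keeping the highest rank.
"""
from typing import Dict, List, Tuple

# Rank values as listed on the OWTF rank filter: -1 unranked, 1 info ... 5 critical.
RANK_NAMES = {1: "Info", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}

# Constructed sample: two runs against the same app plus one unreviewed item.
# OWTF-CM-008 is the mapping from the deck; the other codes/names are illustrative.
SAMPLE_FINDINGS = [
    {"target": "https://app.example.test", "code": "OWTF-CM-008",
     "name": "HTTP Methods and XST", "owtf_rank": 3, "user_rank": 4,
     "notes": "TRACE confirmed from CLI; response echoes the Cookie header"},
    {"target": "https://app.example.test", "code": "OWTF-CM-008",
     "name": "HTTP Methods and XST", "owtf_rank": 3, "user_rank": -1,
     "notes": ""},  # earlier run of the same plugin, never manually ranked
    {"target": "https://app.example.test", "code": "OWTF-IG-004",
     "name": "Web Application Fingerprint", "owtf_rank": 1, "user_rank": -1,
     "notes": ""},
    {"target": "https://api.example.test", "code": "OWTF-CR-001",
     "name": "SSL/TLS configuration", "owtf_rank": -1, "user_rank": -1,
     "notes": "tool output present, not yet reviewed"},
]


def effective_rank(f: Dict) -> int:
    """The tester's manual rank wins; otherwise the automatic one; -1 means unranked."""
    return f["user_rank"] if f["user_rank"] != -1 else f["owtf_rank"]


def triage(findings: List[Dict], min_rank: int = 2) -> Tuple[List[Dict], List[Dict]]:
    """Return (tickets, needs_review).

    tickets: one per (target, code) at the highest effective rank, rank >= min_rank,
             most severe first
    needs_review: findings that carry no rank at all (nobody has looked at them)
    """
    best: Dict[Tuple[str, str], Dict] = {}
    needs_review: List[Dict] = []
    for f in findings:
        rank = effective_rank(f)
        if rank == -1:
            needs_review.append(f)
            continue
        key = (f["target"], f["code"])
        cur = best.get(key)
        if cur is None or rank > cur["rank"]:
            best[key] = {"rank": rank, "finding": f}
        elif rank == cur["rank"] and f["notes"] and not cur["finding"]["notes"]:
            cur["finding"] = f  # same severity: keep the copy that has tester notes
    tickets = []
    for (target, code), entry in sorted(best.items(), key=lambda kv: -kv[1]["rank"]):
        if entry["rank"] < min_rank:
            continue
        f = entry["finding"]
        severity = RANK_NAMES.get(entry["rank"], f"Rank {entry['rank']}")
        tickets.append({
            "title": f"[{severity}] {f['name']} ({code}) on {target}",
            "severity": severity,
            "labels": ["security", "owtf", code],
            "body": f"Mapping: {code}\nTarget: {target}\n"
                    f"Tester notes: {f['notes'] or '(none)'}",
        })
    return tickets, needs_review


if __name__ == "__main__":
    tickets, review = triage(SAMPLE_FINDINGS)
    for t in tickets:
        print(t["title"])
    print(f"{len(review)} finding(s) still need a rank before they can be filed")
```

The min_rank default of 2 keeps Info-level output out of the tracker; lower it to 1 when the team wants fingerprinting and disclosure items tracked as well.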

Slide 40

RESOURCES
- Gauntlt
  - http://gauntlt.org/
- Samurai WTF
  - http://www.samurai-wtf.org/
- OWTF YouTube Channel
  - https://www.youtube.com/user/owtfproject
- Online Passive Scanner
  - https://owtf.github.io/online-passive-scanner/
- OWASP Vulnerable Web Applications Directory Project
  - https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

Slide 41

QUESTIONS / COMMENTS / DISCUSSION

Slide 42

CONTACT INFO
- Email – [email protected]
- LinkedIn – https://www.linkedin.com/in/slandail/
- Twitter – https://twitter.com/slandail
- GitHub – https://github.com/slandail
- Speaker Deck – https://speakerdeck.com/slandail
- SlideShare – https://www.slideshare.net/JerodBrennenCISSP