
Automating Security Testing with the OWTF


When it comes to app security, scanning is good, but pen testing is better. That said, we're lucky if we can schedule (and budget for) a web app pen test once a year. Wouldn't it be swell if we could automate the security testing process so it turned up the same weaknesses in QA an attacker would likely try to exploit in Prod? Well, then. You're in luck. OWASP's Offensive Web Testing Framework (OWTF) was designed to help automate the web app pen testing process. By baking the OWTF into your own QA processes, you can benefit from the same knowledge and tools that the bad guys use to attack web apps. Better yet, you can run these tests as frequently as you like for FREE. This presentation will show you how to use the OWTF, helping you improve both the efficiency and effectiveness of your app security testing process.


slandail

March 02, 2018

Transcript

  1. AUTOMATING SECURITY TESTING WITH THE OWTF
     - Jerod Brennen

  2. WHO AM I?
     - Jerod Brennen
     - Security Architect, One Identity
     - Alphabet Soup
       - ACE, CISSP, GWAPT, GWEB

  3. BLOCKING AND TACKLING

  4. COMPLIANCE VS. SECURITY
     - PCI pen testing
       - Internal & External
       - Systems & Applications
     - Bug bounty programs
     - More vulnerabilities discovered (and disclosed)
     - More hacking tools published to GitHub
     - Customer/Client expectations (requirements?)
     - Third party risk assessments

  5. POSITIVE TESTING VS. NEGATIVE TESTING

  6. WHEN SHOULD WE TEST?

  7. XKCD? OR NOSTRADAMUS? (Hint: It’s totally XKCD: https://xkcd.com/1319/)

  8. ENTER THE OWTF

  9. BASIC STRUCTURE
     - Offensive Web Testing Framework
     - https://www.owasp.org/index.php/OWASP_OWTF
     - Our powers combined…
       - OWASP Testing Guide
       - PTES
       - NIST (SP 800-115) + OSSTMM

  10. OWASP TESTING PROJECT
     - https://www.owasp.org/index.php/OWASP_Testing_Project
     - Currently at version 4
       - 11 test categories
       - Over 100 unique app sec tests

  11. NIST SP 800-115
     - Technical Guide to Information Security Testing and Assessment
     - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

  12. PENETRATION TESTING EXECUTION STANDARD
     - http://www.pentest-standard.org/
     - Seven (7) Phases
       - Pre-engagement Interactions
       - Intelligence Gathering
       - Threat Modeling
       - Vulnerability Analysis
       - Exploitation
       - Post Exploitation
       - Reporting

  13. OWTF TECH SPECS
     - Python 2.7
     - PostgreSQL database backend
     - Runs on Linux (Kali 1.x/2.x)
     - Functions & options exposed via REST API

  14. UNDER THE HOOD
     - curl (https://curl.haxx.se/)
     - Arachni (http://www.arachni-scanner.com/)
     - w3af (http://w3af.org/)
     - skipfish (https://github.com/spinkham/skipfish)
     - DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)

  15. A “FEW” ADDITIONAL TOOLS
     - CMS Explorer
     - DNSpider
     - DNS Recon
     - Hoppy
     - HTTPrint
     - HashCollision
     - O-Saft
     - Panoptic
     - SET
     - SSL Labs
     - SSL Cipher Check
     - WPScan
     - Slowloris
     - HTTP Traceroute
     - Hydra
     - Metagoofil
     - Metasploit
     - Nmap
     - Nikto

  16. TEST SEPARATION BY PLUGIN
     - Passive: No traffic goes to the target
     - Semi Passive: Normal traffic to target
     - Active: Direct vulnerability probing

  17. USING THE OWTF

  18. WORKFLOW: Scan (Web UI) → Analyze Findings → Validate (CLI) → Report

  19. INSTALLATION
     - Kali Linux
       - https://www.kali.org/downloads/
     - Bootstrap Script
       - wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
     - Git Clone
       - git clone -b <branch> http://www.github.com/owtf/owtf.git <folder-name>
     - Docker
       - Check out https://github.com/owtf/owtf

  20. OWTF DOCUMENTATION
     - From http://docs.owtf.org/en/viyatb-break/
     - Usage
       - Starting OWTF
       - Using Sessions
       - Managing Targets
       - Understanding Plugins
       - Analyzing Results
       - Managing Workers
       - Controlling Worklist

  21. STARTING OWTF
     - Create your testing directory
       - mkdir ~/pentest; cd ~/pentest
     - Create a virtualenv
       - source ~/.bashrc; workon owtf
     - Start the db
       - ~/owtf/scripts/db_run.sh
     - Start OWTF
       - ~/owtf/owtf.py
     - Login
       - http://127.0.0.1:8009

  22. USING SESSIONS

  23. CHOOSE YOUR WEAPON(S)
     - Select Targets, then click Run
     - Use the Search box to filter
     - Plugins by Code
       - OWTF – 121 plugins
       - PTES – 16 plugins

  24. UNDERSTANDING PLUGINS
     - Three (3) additional types
       - WEB (active, external, grep, passive, semi-passive)
       - NET (active, bruteforce)
       - AUX (se, exploit, etc.)
     - Spend some time skimming the OWASP Testing Guide for a better understanding of plugin mappings/identifiers

  25. ANALYZING RESULTS
     - Organized by plugin + criticality
     - Mapping code (e.g., OWTF-CM-008)
     - Mapping name (e.g., HTTP Methods and XST)
     - Pen test context (e.g., PUT, TRACE, WebDAV)
     - HTTP Request & Response
     - Browse button takes you to output files generated during the test (if available)

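The mapping quoted on slide 25, OWTF-CM-008 (HTTP Methods and XST), is a good case for seeing how a scanner finding gets validated and ranked by hand before it goes into the notes field. The Python below is an added example, not OWTF code: it parses the Allow header of an OPTIONS response, ranks the risky methods (PUT, TRACE, WebDAV verbs) on the deck's Info/Low/Medium/High/Critical scale, and checks whether a TRACE response echoes a marker header, which is the cross-site tracing indicator. The sample responses are constructed, and the ranks are the editor's suggested defaults rather than values OWTF assigns.

```python
import re
from typing import Dict, List, Tuple

# Severity and rationale per HTTP method, following the pen-test context OWTF shows for
# mapping OWTF-CM-008. Ranks use the deck's manual scale; they are suggested defaults.
RISKY_METHODS: Dict[str, Tuple[str, str]] = {
    "TRACE": ("Medium", "cross-site tracing (XST) can expose request headers"),
    "PUT": ("High", "may allow writing files into the web root"),
    "DELETE": ("High", "may allow removing resources without authorisation"),
    "CONNECT": ("Medium", "server may act as a tunnelling proxy"),
    "PROPFIND": ("Medium", "WebDAV enabled; may enumerate server-side files"),
    "MKCOL": ("Medium", "WebDAV enabled; may create collections"),
    "COPY": ("Medium", "WebDAV enabled; may duplicate resources"),
    "MOVE": ("Medium", "WebDAV enabled; may rename or relocate resources"),
}

def allowed_methods(options_response: str) -> List[str]:
    """Return the sorted, de-duplicated method list from a raw OPTIONS response's Allow header."""
    headers = options_response.split("\r\n\r\n", 1)[0]
    match = re.search(r"^Allow:\s*(.+?)\s*$", headers, re.IGNORECASE | re.MULTILINE)
    if not match:
        return []  # no Allow header: nothing to triage (the server may still accept methods)
    return sorted({m.strip().upper() for m in match.group(1).split(",") if m.strip()})

def triage_methods(options_response: str) -> List[Dict[str, str]]:
    """One finding per risky advertised method, ready to paste into the OWTF notes field."""
    findings = []
    for method in allowed_methods(options_response):
        if method in RISKY_METHODS:
            rank, why = RISKY_METHODS[method]
            findings.append({"method": method, "rank": rank, "reason": why})
    return findings

def trace_echoes_request(trace_response: str, marker_header: str) -> bool:
    """XST indicator: TRACE is live if the response body echoes a header we sent."""
    if "\r\n\r\n" not in trace_response:
        return False
    body = trace_response.split("\r\n\r\n", 1)[1]
    return marker_header.lower() in body.lower()

# Constructed sample responses (not captured from any real host).
SAMPLE_OPTIONS = ("HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE, PUT\r\n"
                  "Content-Length: 0\r\n\r\n")
SAMPLE_TRACE = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                "TRACE / HTTP/1.1\r\nHost: qa.example\r\nX-Owtf-Marker: abc123\r\n\r\n")

if __name__ == "__main__":
    for finding in triage_methods(SAMPLE_OPTIONS):
        print(f"{finding['rank']:<8}{finding['method']:<10}{finding['reason']}")
    print("XST possible:", trace_echoes_request(SAMPLE_TRACE, "X-Owtf-Marker: abc123"))
```

Feed it the request/response pair OWTF stores for the plugin (the HTTP Request & Response panel on the same slide) instead of the constructed samples to validate a real finding.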
  26. SAVING YOUR ANALYSIS
     - Manual ranking
       - Info
       - Low
       - Medium
       - High
       - Critical
     - Tester can add notes

  27. ADVANCED FILTER
     - Status (Aborted, Aborted by User, Successful)
     - Plugin Group (Web)
     - Mapping (NIST, OWASP_V3, OWASP_V4)
     - OWTF Rank (-1, 1, 2, 3, 4, 5)
     - Plugin Type (active, external, grep, passive, semi-passive)

  28. TRANSACTION LOG
     - Link
     - Time (Duration)
     - HTTP Options
     - HTTP Status
     - URL

  29. MANAGING WORKERS
     - Scanner process
       - PID
       - Target
       - Plugin
       - Type
       - Group
     - Pause, resume, & abort individual workers
     - Maximum of one plugin per target will be running at any moment in time

  30. MANAGING WORKLISTS
     - One worklist contains one or more workers
     - Columns
       - Time estimate
       - Target
       - Plugin Group
       - Plugin Type
       - Plugin Name

  31. TEST CASES

  32. LET’S TALK WORKFLOW (AGAIN)
     - Add your target
     - Run your plugins
     - Analyze the scan results
     - Copy commands from web UI to CLI
     - Run command line tools
     - Analyze the results from the CLI tools
     - Add notes via the web UI
     - Generate (export) your report

  33. TEST SSL/TLS CONFIG
     - Filter on ssl (or tls; same results)
     - Four (4) tests
     - Output saved to /pentest_folder/owtf_review/…

  34. TEST FOR XSS
     - Filter on cross site scripting (6 tests)
     - Also, cross site flashing
     - DOM-based, reflected, & stored

  35. TEST FOR INJECTION FLAWS
     - Filter on injection (12 tests)
     - Why stop at SQLi?
       - SMTP
       - Code
       - Command
       - LDAP
       - XML
       - XPath

  36. WHAT IF…?

  37. A FEW FINAL COMMENTS

  38. QUICK TIPS
     - You’ll need to install w3af in Kali
       - git clone https://github.com/andresriancho/w3af.git
       - git clone w3af
       - easy_install upgrade pip
       - dependencies (script in temp dir)
     - My UX has been a little buggy
       - Occasional HTTP 500 error (including first run)
     - Steer clear of the Default Session
       - Multiple runs against the same app may overwrite previous scan data
     - Contribute to the project!

  39. YOUR HOMEWORK – TRIAL RUN
     - Study up on the OWASP Testing Guide
     - Identify the tests that are relevant to your app(s)
     - Run your first set of OWTF plugins
     - Validate and/or expand findings via command line
     - Add your comments and export your first OWTF report
     - Feed report findings into bug tracking system
     - Fix all the things!

  40. RESOURCES
     - Gauntlt – http://gauntlt.org/
     - Samurai WTF – http://www.samurai-wtf.org/
     - OWTF YouTube Channel – https://www.youtube.com/user/owtfproject
     - Online Passive Scanner – https://owtf.github.io/online-passive-scanner/
     - OWASP Vulnerable Web Applications Directory Project – https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

  41. QUESTIONS / COMMENTS / DISCUSSION

  42. CONTACT INFO
     - Email – jerod.brennen@oneidentity.com
     - LinkedIn – https://www.linkedin.com/in/slandail/
     - Twitter – https://twitter.com/slandail
     - GitHub – https://github.com/slandail
     - Speaker Deck – https://speakerdeck.com/slandail
     - SlideShare – https://www.slideshare.net/JerodBrennenCISSP