Automating Security Testing with the OWTF

When it comes to app security, scanning is good, but pen testing is better. That said, we're lucky if we can schedule (and budget for) a web app pen test once a year. Wouldn't it be swell if we could automate the security testing process so it turned up the same weaknesses in QA an attacker would likely try to exploit in Prod? Well, then. You're in luck. OWASP's Offensive Web Testing Framework (OWTF) was designed to help automate the web app pen testing process. By baking the OWTF into your own QA processes, you can benefit from the same knowledge and tools that the bad guys use to attack web apps. Better yet, you can run these tests as frequently as you like for FREE. This presentation will show you how to use the OWTF, helping you improve both the efficiency and effectiveness of your app security testing process.

slandail

March 02, 2018

Transcript

1. WHO AM I?
   - Jerod Brennen
   - Security Architect, One Identity
   - Alphabet Soup: ACE, CISSP, GWAPT, GWEB

2. COMPLIANCE VS. SECURITY
   - PCI pen testing
     - Internal & External
     - Systems & Applications
   - Bug bounty programs
   - More vulnerabilities discovered (and disclosed)
   - More hacking tools published to GitHub
   - Customer/Client expectations (requirements?)
   - Third party risk assessments

3. BASIC STRUCTURE
   - Offensive Web Testing Framework: https://www.owasp.org/index.php/OWASP_OWTF
   - Our powers combined…
     - OWASP Testing Guide
     - PTES
     - NIST (SP 800-115) + OSSTMM

4. NIST SP 800-115
   - Technical Guide to Information Security Testing and Assessment
   - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

5. PENETRATION TESTING EXECUTION STANDARD
   - http://www.pentest-standard.org/
   - Seven (7) Phases
     - Pre-engagement Interactions
     - Intelligence Gathering
     - Threat Modeling
     - Vulnerability Analysis
     - Exploitation
     - Post Exploitation
     - Reporting

6. OWTF TECH SPECS
   - Python 2.7
   - PostgreSQL database backend
   - Runs on Linux (Kali 1.x/2.x)
   - Functions & options exposed via REST API

7. UNDER THE HOOD
   - curl (https://curl.haxx.se/)
   - Arachni (http://www.arachni-scanner.com/)
   - w3af (http://w3af.org/)
   - skipfish (https://github.com/spinkham/skipfish)
   - DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)

8. A “FEW” ADDITIONAL TOOLS
   - CMS Explorer
   - DNSpider
   - DNS Recon
   - Hoppy
   - HTTPrint
   - HashCollision
   - O-Saft
   - Panoptic
   - SET
   - SSL Labs
   - SSL Cipher Check
   - WPScan
   - Slowloris
   - HTTP Traceroute
   - Hydra
   - Metagoofil
   - Metasploit
   - Nmap
   - Nikto

9. TEST SEPARATION BY PLUGIN
   - Passive: No traffic goes to the target
   - Semi Passive: Normal traffic to target
   - Active: Direct vulnerability probing

10. INSTALLATION
   - Kali Linux: https://www.kali.org/downloads/
   - Bootstrap Script: wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
   - Git Clone: git clone -b <branch> http://www.github.com/owtf/owtf.git <folder-name>
   - Docker: check out https://github.com/owtf/owtf

11. OWTF DOCUMENTATION
   - From http://docs.owtf.org/en/viyatb-break/
   - Usage
     - Starting OWTF
     - Using Sessions
     - Managing Targets
     - Understanding Plugins
     - Analyzing Results
     - Managing Workers
     - Controlling Worklist

12. STARTING OWTF
   - Create your testing directory: mkdir ~/pentest; cd ~/pentest
   - Create a virtualenv: source ~/.bashrc; workon owtf
   - Start the db: ~/owtf/scripts/db_run.sh
   - Start OWTF: ~/owtf/owtf.py
   - Login: http://127.0.0.1:8009

13. CHOOSE YOUR WEAPON(S)
   - Select Targets, then click Run
   - Use the Search box to filter
   - Plugins by Code
     - OWTF – 121 plugins
     - PTES – 16 plugins

14. UNDERSTANDING PLUGINS
   - Three (3) additional types
     - WEB (active, external, grep, passive, semi-passive)
     - NET (active, bruteforce)
     - AUX (se, exploit, etc.)
   - Spend some time skimming the OWASP Testing Guide for a better understanding of plugin mappings/identifiers

15. ANALYZING RESULTS
   - Organized by plugin + criticality
   - Mapping code (e.g., OWTF-CM-008)
   - Mapping name (e.g., HTTP Methods and XST)
   - Pen test context (e.g., PUT, TRACE, WebDAV)
   - HTTP Request & Response
   - Browse button takes you to output files generated during the test (if available)

16. SAVING YOUR ANALYSIS
   - Manual ranking
     - Info
     - Low
     - Medium
     - High
     - Critical
   - Tester can add notes

17. ADVANCED FILTER
   - Status (Aborted, Aborted by User, Successful)
   - Plugin Group (Web)
   - Mapping (NIST, OWASP_V3, OWASP_V4)
   - OWTF Rank (-1, 1, 2, 3, 4, 5)
   - Plugin Type (active, external, grep, passive, semi-passive)

18. MANAGING WORKERS
   - Scanner process
     - PID
     - Target
     - Plugin
     - Type
     - Group
   - Pause, resume, & abort individual workers
   - Maximum of one plugin per target will be running at any moment in time

19. MANAGING WORKLISTS
   - One worklist contains one or more workers
   - Columns
     - Time estimate
     - Target
     - Plugin Group
     - Plugin Type
     - Plugin Name

20. LET’S TALK WORKFLOW (AGAIN)
   - Add your target
   - Run your plugins
   - Analyze the scan results
   - Copy commands from web UI to CLI
   - Run command line tools
   - Analyze the results from the CLI tools
   - Add notes via the web UI
   - Generate (export) your report

21. TEST SSL/TLS CONFIG
   - Filter on ssl (or tls; same results)
   - Four (4) tests
   - Output saved to /pentest_folder/owtf_review/…

22. TEST FOR XSS
   - Filter on cross site scripting (6 tests)
   - Also, cross site flashing
   - DOM-based, reflected, & stored

23. TEST FOR INJECTION FLAWS
   - Filter on injection (12 tests)
   - Why stop at SQLi?
     - SMTP
     - Code
     - Command
     - LDAP
     - XML
     - XPath

24. QUICK TIPS
   - You’ll need to install w3af in Kali
     - git clone https://github.com/andresriancho/w3af.git
     - git clone w3af
     - easy_install upgrade pip
     - dependencies (script in temp dir)
   - My UX has been a little buggy
     - Occasional HTTP 500 error (including first run)
   - Steer clear of the Default Session
     - Multiple runs against the same app may overwrite previous scan data
   - Contribute to the project!

25. YOUR HOMEWORK – TRIAL RUN
   - Study up on the OWASP Testing Guide
   - Identify the tests that are relevant to your app(s)
   - Run your first set of OWTF plugins
   - Validate and/or expand findings via command line
   - Add your comments and export your first OWTF report
   - Feed report findings into bug tracking system
   - Fix all the things!

26. RESOURCES
   - Gauntlt: http://gauntlt.org/
   - Samurai WTF: http://www.samurai-wtf.org/
   - OWTF YouTube Channel: https://www.youtube.com/user/owtfproject
   - Online Passive Scanner: https://owtf.github.io/online-passive-scanner/
   - OWASP Vulnerable Web Applications Directory Project: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

27. CONTACT INFO
   - Email – [email protected]
   - LinkedIn – https://www.linkedin.com/in/slandail/
   - Twitter – https://twitter.com/slandail
   - GitHub – https://github.com/slandail
   - Speaker Deck – https://speakerdeck.com/slandail
   - SlideShare – https://www.slideshare.net/JerodBrennenCISSP