BruCON 2014 5by5 OWASP OWTF

5by5 talk about OWTF at BruCON 2014, Belgium.

Demo Links:
+ UI : https://www.youtube.com/watch?v=Z3D1r755Wik
+ Botnet Mode : https://www.youtube.com/watch?v=rQc8w_DbIo4
+ wafbypasser : https://www.youtube.com/watch?v=DIxOQqr93qI

Bharadwaj Machiraju

September 26, 2014

Transcript

  1. OWASP OWTF - Bharadwaj `tunnelshade` Machiraju

  2. I am:
    • a security tool developer (recent tool: Flashbang).
    • a restless 20-year-old from India.
    • a senior at IIT (BHU), Varanasi (doing B.Tech).
    • an employee @ _____ (your company name can be here).
  3. Content of upcoming slides
    • OWTF! - Why? What? How?
    • User Interface
    • Plugins & Control
    • Inbound Proxy
    • Transaction & URL log
    • Notes & Ranking
    • Advanced Filter
    • Demo
  4. Why another Web Testing Framework?

  5. Pentester Requirements (at least the OWTF dev team's requirements)
    • Automate the uncreative part of pentests, like trying to remember how to launch tool 'X' or how to parse and feed the output of tool 'X' to tool 'Y'.
    • Organize the findings according to a testing guide like OWASP, NIST etc., so as to use them as a checklist.
    • Classify tests based on aggression levels to prepare ahead of time.
    • Provide the ability to rank the findings to enable targeted fuzzing on seemingly risky areas.
    • Analyse each and every HTTP transaction and make them searchable.
    • Spider the site effectively to not miss anything.
    • Act as a storage consisting of all useful online tools, dorks, POCs & resources.
    • Free & Open Source (Indians love free stuff).
    • Allow us to think and not get in our way <— XD
  6. (no text on this slide)
  7. What is OWTF? Offensive Web Testing Framework = Test/Exploit ASAP
    • Started by Abraham Aranguren.
    • First demonstrated at BerlinSides 2011.
    • Formally, a framework which presents all the information from different tools and custom tests in an organised and categorised way, to help the user concentrate on the analysis part.
  8. How?
    Run Tools • theHarvester • Nikto • Arachni • w3af etc.
    Run Tests directly • Crafted requests • Header searches • HTML body searches etc.
    Knowledge Repo • POC Links • Resource Links • Test guide mappings
    Help User Analysis • Automated ranking • User notes • User rankings
  9. (no text on this slide)
  10. Features

  11. Web Interface

  12. Plugin classification
    Plugins are separated into multiple groups and types for better test classification.
    • WEB (web related stuff):
      Active - active vulnerability probing
      Semi Passive - normal traffic to target
      Passive - no traffic to target
      Grep - searches on the transaction database
      External - other tool inputs, POCs, resource links etc.
    • NET (somewhat like nmap scripts)
    • AUX (somewhat like msfcli in Metasploit)
  13. (no text on this slide)
  14. Plugin Execution Control
    Plugins are executed by processes called workers, which can be paused/resumed/aborted/added/removed. This lets you handle deadly unwanted disturbances like an internet outage, a downed target etc.
  15. Inbound Proxy
    OWTF has its own proxy, which was benchmarked in the last year as the fastest MiTM Python proxy. This proxy enables the user to use it in a browser or with any other tool. Most of the tools launched by OWTF are proxified (e.g. Arachni, w3af, custom requests etc.), so all the transactions made by the scanners are logged and analysed.
  16. Transaction Log
    The place from where you can search each and every transaction that happened through the OWTF proxy.
  17. (no text on this slide)
  18. URL Log
    OWTF scrubs the output of all tools/plugins run to gather as many URLs as possible. This is somewhat "cheating" but tremendously effective, since it combines the results of different tools, including several tools that perform brute forcing of files and directories.
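An added Python example of the URL log idea (not OWTF's own code): scrub constructed output lines from three tools for URLs, normalize them, drop hosts outside the target scope, and record which tools reported each URL. The tool names and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample lines standing in for three tools' output (not real tool output).
TOOL_OUTPUT = {
    "dirbuster": [
        "DIR: http://target.example/admin/",
        "FILE: http://target.example/robots.txt (200)",
    ],
    "arachni": [
        "[*] Crawled: http://target.example/login?next=/dashboard",
        "[*] Crawled: HTTP://Target.Example/Admin/#section",
    ],
    "nikto": [
        "+ /admin/: Admin directory found. http://target.example/admin/",
        "+ /backup.zip: Backup file found. http://target.example/backup.zip.",
        "+ See http://docs.example.org/nikto for details.",
    ],
}

# Anything that looks like an absolute http(s) URL; stops at whitespace, quotes and brackets.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)

def normalize(url):
    """Strip trailing punctuation and the fragment; lower-case scheme and host only,
    since the path and query are case-sensitive on most servers."""
    parts = urlsplit(url.rstrip(".,;"))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query, ""))

def scrub_urls(outputs, in_scope_host):
    """Merge the URLs found in every tool's output into one deduplicated log:
    {normalized_url: set of tools that reported it}. URLs whose host is not the
    in-scope target are dropped, so tool documentation links never reach the log."""
    log = {}
    for tool, lines in outputs.items():
        for line in lines:
            for raw in URL_RE.findall(line):
                url = normalize(raw)
                if urlsplit(url).netloc != in_scope_host:
                    continue
                log.setdefault(url, set()).add(tool)
    return log

if __name__ == "__main__":
    for url, tools in sorted(scrub_urls(TOOL_OUTPUT, "target.example").items()):
        print(url, "<-", ", ".join(sorted(tools)))
```

Note that /admin/ and /Admin/ are kept as two entries on purpose: only the scheme and host are case-folded.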
  19. Plugin Reports
    Plugin reports are categorised according to their test codes, along with pentester explanations.
  20. Notes & Ranking
    The plugin report provides you the facility to write down some notes and add your own analysis ranking to it. Some tool outputs are automatically ranked using PTP, an automated ranking library developed for OWTF during GSoC 2014. This helps you find risky areas quickly.
  21. Advanced Filter
    Filtering the plugin outputs on various criteria, along with the facility to change the mapping of test codes. Currently OWASP v3, OWASP v4 and NIST are present by default. It is easy to add one yourself.
  22. http://youtu.be/Z3D1r755Wik

  23. OWTF WAF-bypasser & Botnet Mode - Marios Kourtesis

  24. whoami
    name.surname[at]gmail[dot]com
    OWASP OWTF Contributor
    Author of Botnet Mode, WAF-bypasser

  25. Botnet Mode
    Allows the user to simulate a botnet attack. Generates traffic to the target by other hosts located all over the world.
  26. How does it work?
    Proxy-Switching: each HTTP request passes through a different proxy. Proxies are fetched automatically by a feature called ProxyMiner.
    TOR-Mode: each HTTP request will pass through the Tor network. After a user-defined time interval, the IP address will get renewed.
  27. Botnet Mode Demo

  28. (no text on this slide)
  29. WAF-Bypasser
    WAF-bypasser is a standalone project which is included into OWTF as a module. It analyses & tests the quality of web application firewalls and can potentially detect security holes in WAFs. During the development, a zero day was found in OWASP-CRS for the Apache ModSecurity WAF module.
  30. WAF-bypasser DEMO 1 WAF-bypasser DEMO 2

  31. OWTF Re-architecture - Alessandro Fanio González

  32. Who am I?
    23-year-old software engineer. I work at Eleven Paths, a company dedicated to the development of security products. OWTF Contributor since GSoC 2013.
  33. What is this presentation about?
    • The importance of good practices in software development.
    • The difficulties of building and maintaining a software project.
    • Best practices and patterns in software development.
  34. Why a software engineering presentation at a security conference?
    New features are great, but maintainability is important. We all want our tools to be used and maintained, but will you assume the cost? Sometimes it is necessary to stop and think… Can I improve my code?
  35. Important concepts
    • Interface
    • Component coupling
    • SOLID principles: Single Responsibility Principle, Interface Segregation Principle, Dependency Inversion Principle
  36. Previous OWTF Architecture
    • Many responsibilities in one single object.
    • Core-dependent architecture.
    • Tightly coupled components.
  37. Implemented Architecture
    • How do we define a component? Initialization process.
    • Service Locator pattern.
    • Split "fat" interfaces and re-assign responsibilities.
    • Use of Python's abstract base class.
  38. Achieved Goals!
    • Reduced coupling among modules and the core of OWTF.
    • Less complexity = easier to find bugs.
    • Reduced the impact of changes (SOLID principles).
    • Made it easier to change the implementation of a component.
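An added Python sketch (not OWTF's code) of the component model slides 35 to 38 describe: two narrow abstract base classes instead of one fat core interface, a service locator that components query for them, and a passive header-check plugin that depends only on the abstractions. All class and method names are assumptions.

```python
from abc import ABC, abstractmethod
# Two narrow interfaces (Interface Segregation) instead of one "fat" core object.
class AbstractTransactionStore(ABC):
    @abstractmethod
    def add(self, request, response): ...

class AbstractReporter(ABC):
    @abstractmethod
    def report(self, plugin_name, finding): ...

# Components ask the locator for an interface; they never import the core directly.
class ServiceLocator:
    def __init__(self):
        self._services = {}
    def register(self, interface, instance):
        if not isinstance(instance, interface):  # enforce the contract at wiring time
            raise TypeError(f"{type(instance).__name__} does not implement {interface.__name__}")
        self._services[interface] = instance
    def get(self, interface):
        return self._services[interface]  # KeyError if nothing was registered for it

class InMemoryTransactionStore(AbstractTransactionStore):
    def __init__(self):
        self.transactions = []
    def add(self, request, response):
        self.transactions.append((request, response))

class ListReporter(AbstractReporter):
    def __init__(self):
        self.findings = []
    def report(self, plugin_name, finding):
        self.findings.append((plugin_name, finding))

# The plugin depends only on the abstractions (Dependency Inversion), so either side can be swapped.
class HeaderCheckPlugin:
    name = "header-check"
    def __init__(self, locator):
        self.store = locator.get(AbstractTransactionStore)
        self.reporter = locator.get(AbstractReporter)
    def run(self, request, response_headers):
        self.store.add(request, response_headers)  # log the transaction whatever the outcome
        for header in ("X-Frame-Options", "Content-Security-Policy"):
            if header not in response_headers:
                self.reporter.report(self.name, f"missing {header}")
# Initialization process: wire the concrete implementations once, at startup.
def build_locator():
    locator = ServiceLocator()
    locator.register(AbstractTransactionStore, InMemoryTransactionStore())
    locator.register(AbstractReporter, ListReporter())
    return locator
```

Swapping `ListReporter` for a database-backed reporter touches only `build_locator`, which is the reduced change impact slide 38 claims.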
  39. Contact Us
    Alessandro Fanio González - @AlessandroFG27 - alessandro.fanio.gonzalez@gmail.com
    Bharadwaj Machiraju - @tunnelshade_ - bharadwaj.machiraju@gmail.com
    Marios Kourtesis - marios.kourtesis@gmail.com
    http://owtf.org - @owtfp - http://github.com/owtf - #owtf on freenode