About Me
Security Engineer at SoftServe Poland
Currently developing an advanced fuzzing module in Spirent’s CyberFlood
OWASP member (OWASP Poland Chapter in Wroclaw)
Agenda
Problem 1: efficient security training. Solution: WebGoat
Problem 2: efficient management of multiple penetration testing tasks. Solution: Offensive Web Testing Framework (OWTF)
Problem of efficient security training
Security awareness training for developers is quite common, but reality shows it is still ineffective :(
…and XSS allows you to inject such horrifying pop-up windows!!!
What about…
…arranging internal hands-on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them?
Finally a security training which isn’t an online course to fly through and forget!
Internal course that is free and isn’t corpo-bullshit?! Cannot believe that…
Few words about WebGoat
A deliberately insecure Java-based application, which allows you to test common vulnerabilities,
50+ lessons,
After finding a vulnerability, learn to fix it!
Easily manageable lessons via plugins,
You can create your own lessons without touching code.
…or .Net-based: https://www.owasp.org/index.php/WebGoatFor.Net
Only web apps? Hell no!!!
Ruby on Rails: https://www.owasp.org/index.php/OWASP_Rails_Goat_Project
WebGoat PHP: https://www.owasp.org/index.php/WebGoatPHP
Node.js: https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project
Android: https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
iOS: https://www.owasp.org/index.php/OWASP_iGoat_Project
How to run WebGoat?
Prerequisites: Java VM 1.8
To start just follow these commands:
$> wget https://github.com/WebGoat/WebGoat/releases/download/7.0.1/webgoat-container-7.0.1-war-exec.jar
$> java -jar webgoat-container-7.0.1-war-exec.jar
open in your browser:
http://localhost:8080/WebGoat/
That’s all!
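The two commands above are enough for a demo, but for an internal lab you usually want the start wrapped in a script that checks the Java 1.8 prerequisite, downloads the release once, and only tells trainees to open the URL after the application actually answers. The POSIX sh launcher below is an added example written for this page; it is not part of the slides or of the WebGoat project. The version, release URL and login URL are the ones shown above; the log and pid file names, the use of wget and curl, and the 120-second readiness timeout are my own choices.

```shell
#!/bin/sh
# Added example launcher for a WebGoat 7.0.1 training instance (not WebGoat's own tooling).
# WebGoat is deliberately vulnerable: run it on a lab host that untrusted networks cannot reach.
set -eu

WEBGOAT_VERSION="7.0.1"
WEBGOAT_JAR="webgoat-container-${WEBGOAT_VERSION}-war-exec.jar"
WEBGOAT_URL="https://github.com/WebGoat/WebGoat/releases/download/${WEBGOAT_VERSION}/${WEBGOAT_JAR}"
WEBGOAT_HOME_URL="http://localhost:8080/WebGoat/"   # login page, as on the slide

# Extract the Java major version from the first line of `java -version` output.
# Handles the legacy "1.8.0_292" scheme (returns 8) and the newer "11.0.2" scheme
# (returns 11); returns 1 and prints nothing when no version string is found.
java_major_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;   # "1.8.0" -> 8
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;   # "11.0.2" -> 11
    esac
}

# Fail early if the installed JVM is not the Java 1.8 listed as prerequisite.
check_java() {
    line=$(java -version 2>&1 | head -n 1)
    major=$(java_major_version "$line") || { echo "cannot parse Java version: $line" >&2; return 1; }
    [ "$major" = "8" ] || { echo "WebGoat ${WEBGOAT_VERSION} expects Java 1.8, found major version $major" >&2; return 1; }
}

# Download the pinned release jar once; later runs reuse the local copy.
fetch_jar() {
    [ -f "$WEBGOAT_JAR" ] || wget -O "$WEBGOAT_JAR" "$WEBGOAT_URL"
}

# Poll the login page (up to 60 x 2 s) so the URL is announced only when Tomcat has deployed WebGoat.
wait_ready() {
    i=0
    while [ "$i" -lt 60 ]; do
        if curl -fsS -o /dev/null "$WEBGOAT_HOME_URL"; then return 0; fi
        i=$((i + 1))
        sleep 2
    done
    echo "WebGoat did not answer at $WEBGOAT_HOME_URL in time; see webgoat.log" >&2
    return 1
}

start_webgoat() {
    check_java
    fetch_jar
    java -jar "$WEBGOAT_JAR" > webgoat.log 2>&1 &
    echo $! > webgoat.pid
    wait_ready && echo "WebGoat is up at $WEBGOAT_HOME_URL (pid $(cat webgoat.pid))"
}

# Start only when asked explicitly, so the file can also be sourced for its functions.
if [ "${1:-}" = "start" ]; then
    start_webgoat
fi
```

Run it as `sh webgoat-lab.sh start`; stop the instance with `kill "$(cat webgoat.pid)"`. The version check is deliberately strict: WebGoat 7.0.1 predates the post-Java-8 version scheme, so a trainee with a newer JDK gets a clear message instead of a stack trace in the log.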
WebGoat Creating your own lesson
Plugin = lesson
Plugin is just a folder, which follows this format:
WebGoat Useful links
Project:
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Documentation:
https://github.com/WebGoat/WebGoat
Problem: how to efficiently manage outputs from many different applications?
Each pentester uses many different applications (vuln scanner, web crawler, SSL/TLS tests, session management tests)
Running each of those tests consumes time, right?
It’s easy to automate those tasks, but analysing the consolidated output is much more difficult :(
And finally you have to form a readable report from all those tests…
…oooh… :(
Typical penetration testing process
<runs a lot of tests>
<which generates lots of output>
<copy/paste interesting parts>
…of course in notepad ;)
<creates a fancy & readable report>
(…)
OWTF - an idea
The goal of OWTF is to use penetration testing time as efficiently as possible. It’s done by:
Running different tools (Nikto/Arachni/w3af/etc)
Running direct tests (header searches/session tests/etc)
Knowledge repository (OWASP mapping/resource links)
Helping human analysis (flag severity/manage output)
In other words, OWTF provides an optimal balance between automation and human analysis
OWTF: Installation
Want to quickly start? Follow this one-liner:
$> wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
OWTF - Choose plugins and run!
Testing web apps:
sends normal traffic to target
active vulnerability probing
assist manual testing
searches on HTTP transactions
test via 3rd parties (no traffic to target)
Testing network services:
probing services (e.g. FTP/SMB)
OWTF - Useful links
Project:
https://www.owasp.org/index.php/OWASP_OWTF
Documentation:
http://docs.owtf.org/en/latest/
Online passive scanner:
https://owtf.github.io/online-passive-scanner/
IRC channel (#owtf on Freenode)
Last but not least…
There are lots of other cool open-source projects, e.g. https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory
Don’t miss local initiatives focused on security like Technology Risk and Information Security or OWASP meet-ups ;)
Summary
Use OWASP WebGoat to provide efficient security trainings in your company.
Use OWASP OWTF to automate your penetration testing tasks. It makes analysing test output easy and lets you create reports quickly.
Stay tuned - check out other open-source projects and don’t miss local events!