23 penetration testing.pptx

Part of the Web Application Security Course

Vulnerability Scanning and Penetration Testing

Automated security testing

Security Testing can be static or dynamic

Static tools
o  Scan source code
o  Before deployment
o  Find potential holes from a list of known vectors
o  Called static code analysis
o  Negative testing

Dynamic tools
o  Scan site
o  After deployment
o  Find actual holes from previously unknown vectors
o  Called security scanning
o  Positive testing
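To make the static/dynamic distinction concrete, here is a toy pattern-based static analyser. It is an added example, not code from the slides or from any real scanner: the rule list, the sample source and the rule ids are all constructed for this illustration. It shows the "list of known vectors" idea from the slide: each rule is a known-dangerous construct, and a match is only a potential hole that a reviewer still has to confirm.

```python
"""Toy pattern-based static analyser (added example, not a real product).
Scans source text for a constructed list of known-dangerous constructs and
reports each match as a *potential* hole for a human to confirm."""
import re

# Constructed rule list: (rule id, pattern, why a match matters).
RULES = [
    ("PY-EVAL", re.compile(r"\beval\s*\("),
     "eval() on attacker-influenced data executes arbitrary code"),
    ("PY-EXEC", re.compile(r"\bexec\s*\("),
     "exec() on attacker-influenced data executes arbitrary code"),
    ("PY-OS-SYSTEM", re.compile(r"\bos\.system\s*\("),
     "os.system() hands a string to the shell (command injection)"),
    ("PY-SHELL-TRUE", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"),
     "shell=True routes the command through the shell (command injection)"),
    ("PY-PICKLE", re.compile(r"\bpickle\.loads?\s*\("),
     "unpickling untrusted bytes executes arbitrary code"),
    ("PY-SQL-FMT", re.compile(r"""execute\s*\(\s*(f["']|["'].*["']\s*%|["'].*["']\s*\+)"""),
     "SQL built with an f-string, % or + concatenation (SQL injection)"),
    ("PY-YAML-LOAD", re.compile(r"\byaml\.load\s*\((?!.*Loader=)"),
     "yaml.load without an explicit safe Loader can build arbitrary objects"),
]


def scan_source(text: str) -> list:
    """Return one finding per (line, rule) match; blank and comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule_id, pattern, why in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule_id,
                                 "why": why, "code": stripped})
    return findings


# Constructed sample source to scan; lines 4, 7 and 10 are the intended hits,
# line 12 is the parameterised query that must stay quiet.
SAMPLE = """\
import os, pickle, sqlite3
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    return cur.fetchall()
def run(cmd):
    os.system(cmd)
def load(blob):
    # pickle.loads(blob)  (commented out: must not be reported)
    return pickle.loads(blob)
def safe(conn, user):
    conn.cursor().execute("SELECT * FROM users WHERE name = ?", (user,))
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']:>3}  {f['rule']:<14} {f['why']}\n      {f['code']}")
```

Running it on the sample reports the concatenated SQL, the `os.system` call and the `pickle.loads` call, and stays quiet on the commented-out line and the parameterised query. Real static tools add data-flow tracking so that, for example, `eval` on a constant is not reported; this toy version is deliberately pattern-only, which is why it finds potential rather than actual holes.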

There are many penetration testing tools
o  Burp Suite
o  Metasploit
o  OWASP ZAP
o  WebScarab
o  Paros
o  W3af
o  Peach Fuzzer
o  Nikto
o  Wapiti
o  CANVAS
o  CORE Impact
o  White Phosphorous
o  Agora
o  VulnDisco
o  Nessus

How we protect ourselves
o  Choose good scanning tools
o  Run a vulnerability scan
o  Run a penetration test
o  Fix the holes found

Let’s look at what they do and how they work.

Nikto is a good vulnerability scanner

Many of these tools run as a proxy.
1.  Run the pen testing tool
2.  Open your browser
3.  Set the browser's proxy to point at the tool
4.  Browse to a site you want to test.

You can spider a site
o  Allows the tool to auto-discover all pages so it can run scans on any or all of them.

You can examine and edit requests

You can examine responses

You can intercept requests

You can crawl an entire site.

You can run an automated scan.
o  Tell it which pages to test and it surfs to those pages.

You can fuzz a site
o  Run the site and put all kinds of nonsense in its input fields.

You can record and re-play sessions
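The capabilities listed above (intercept, examine and edit requests, record, replay) all follow from sitting between the browser and the site. The following added example models that mechanism in plain Python; it is not ZAP or Burp code. To keep it offline, the network hop is replaced by an `upstream` callable (request bytes in, response bytes out) and `fake_site` is a constructed stand-in for the target that echoes back what it received, so you can see the edit take effect.

```python
"""Model of an intercepting proxy (added example, not a real tool's code):
parse the request, let a hook inspect or edit it, forward it, record both
directions, and replay a recorded request later. `upstream` stands in for
the real network connection so the example runs offline."""


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into editable parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def serialize_request(req: dict) -> bytes:
    """Rebuild the wire form, recomputing Content-Length after any body edit."""
    headers = [(n, v) for n, v in req["headers"] if n.lower() != "content-length"]
    if req["body"] or req["method"] in ("POST", "PUT", "PATCH"):
        headers.append(("Content-Length", str(len(req["body"]))))
    head = f"{req['method']} {req['target']} {req['version']}\r\n"
    head += "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("iso-8859-1") + b"\r\n" + req["body"]


class InterceptingProxy:
    def __init__(self, upstream):
        self.upstream = upstream      # callable: request bytes -> response bytes
        self.history = []             # (request as actually sent, response)

    def handle(self, raw: bytes, edit=None) -> bytes:
        """Intercept one browser request; `edit` may inspect or modify it."""
        req = parse_request(raw)
        if edit is not None:
            req = edit(req) or req
        sent = serialize_request(req)
        resp = self.upstream(sent)
        self.history.append((sent, resp))
        return resp

    def replay(self, index: int) -> bytes:
        """Re-send a recorded request exactly as it went out the first time."""
        sent, _ = self.history[index]
        resp = self.upstream(sent)
        self.history.append((sent, resp))
        return resp


def fake_site(raw: bytes) -> bytes:
    """Constructed stand-in for the site under test: reports the User-Agent
    it saw and echoes the request body."""
    req = parse_request(raw)
    ua = {n.lower(): v for n, v in req["headers"]}.get("user-agent", "-")
    body = f"ua={ua};body={req['body'].decode()}".encode()
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)


# Constructed browser request (20-byte form body).
RAW_REQUEST = (b"POST /login HTTP/1.1\r\n"
               b"Host: example.test\r\n"
               b"User-Agent: browser\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 20\r\n"
               b"\r\n"
               b"user=alice&pw=secret")


def rewrite(req: dict) -> dict:
    """Example edit hook: change one header and the form body before forwarding."""
    req["headers"] = [(n, "edited-agent" if n.lower() == "user-agent" else v)
                      for n, v in req["headers"]]
    req["body"] = b"user=alice&lang=en"
    return req


def body_of(resp: bytes) -> bytes:
    return resp.split(b"\r\n\r\n", 1)[1]


def demo() -> dict:
    proxy = InterceptingProxy(fake_site)
    passthrough = proxy.handle(RAW_REQUEST)            # examine only
    edited = proxy.handle(RAW_REQUEST, edit=rewrite)   # intercept and edit
    replayed = proxy.replay(0)                         # re-play recording 0
    return {"passthrough": passthrough, "edited": edited,
            "replayed": replayed, "history": proxy.history}


if __name__ == "__main__":
    for name, resp in demo().items():
        if name != "history":
            print(f"{name:<12} {body_of(resp).decode()}")
```

The point to notice is `serialize_request`: once the body has been edited, the proxy must recompute `Content-Length` or the site reads a truncated or over-long body, which is exactly the kind of detail a real intercepting proxy handles for you.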

Intercepting Proxy

ZAP has an active and a passive scanner

o  Passive mode can be used against any site because it only inspects traffic and doesn't attempt any penetration.

o  Active mode should only be used against sites you own (or have permission to test).

Spider

Brute

o  Based on OWASP

Fuzz testing

o  Uses fuzzdb and JBroFuzz
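The slides describe fuzzing as putting all kinds of nonsense in fields. The added harness below applies that idea offline, to a local input handler rather than a live site, so it exercises only code you own. It is example code, not ZAP's fuzzer: `SEEDS` is a small constructed stand-in for wordlists such as fuzzdb, and `parse_quantity` is a hypothetical form-field handler with a deliberately planted crash so there is something for the fuzzer to find.

```python
"""Fuzz harness for a local form-field handler (added example, not a real
tool). Mutates constructed seed inputs, feeds them to the handler and
sorts the outcomes into clean rejections, crashes and validation bypasses."""
import random
import string

# Constructed seeds: boundary values, odd encodings and plain junk.
SEEDS = ["", "0", "1", "-1", "999", "1000", "99999999999999999999", "1e3",
         "NaN", "1;2", "1\x00", "٣", "１２", "1_0", "%s%s%s", "A" * 5000,
         " 7 ", "+5"]


def parse_quantity(field: str) -> int:
    """Hypothetical handler: accept an integer quantity from 1 to 999.
    Planted bug: indexing text[0] raises IndexError on an empty field."""
    text = field.strip()
    if text[0] == "+":
        text = text[1:]
    value = int(text)
    if not 1 <= value <= 999:
        raise ValueError("quantity out of range")
    return value


def parse_quantity_fixed(field: str) -> int:
    """The same handler with the empty-field crash removed."""
    text = field.strip()
    if text.startswith("+"):
        text = text[1:]
    value = int(text)
    if not 1 <= value <= 999:
        raise ValueError("quantity out of range")
    return value


def mutate(rng: random.Random, s: str) -> str:
    """One random edit: append junk, truncate, double, or swap a digit."""
    op = rng.randrange(4)
    if op == 0:
        return s + rng.choice(string.printable)
    if op == 1:
        return s[: len(s) // 2]
    if op == 2:
        return s * 2
    return s.replace("1", rng.choice("09-+."), 1)


def fuzz(handler, rounds: int = 500, seed: int = 1):
    """Feed mutated seeds to handler. ValueError counts as a clean rejection,
    any other exception as a crash, and an accepted value outside 1..999 as
    a validation bypass. Returns (crashes, bypasses, accepted)."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    crashes, bypasses, accepted = [], [], []
    for _ in range(rounds):
        s = rng.choice(SEEDS)
        for _ in range(rng.randint(0, 3)):
            s = mutate(rng, s)
        try:
            value = handler(s)
        except ValueError:
            continue
        except Exception as exc:  # anything else is a bug in the handler
            crashes.append((s, type(exc).__name__))
            continue
        accepted.append((s, value))
        if not 1 <= value <= 999:
            bypasses.append((s, value))
    return crashes, bypasses, accepted


if __name__ == "__main__":
    for name, handler in (("buggy", parse_quantity), ("fixed", parse_quantity_fixed)):
        crashes, bypasses, accepted = fuzz(handler)
        print(f"{name}: {len(crashes)} crashes, {len(bypasses)} bypasses, "
              f"{len(accepted)} accepted")
```

Two things the run shows that reading the handler does not: the buggy version crashes with `IndexError` on any whitespace-only field, and even the fixed version accepts inputs such as `"1_0"`, `"٣"` or `"１２"` because Python's `int()` understands underscores and non-ASCII digits, which is the sort of surprise fuzzing exists to surface.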

Session comparison

o  Allows you to

Synchronizer tokens

How to run a test

o  Point your browser's proxy at ZAP
o  Surf the application manually
o  Let ZAP crawl the site with its spider
o  Examine the problems found in passive mode
o  Turn on active scanning
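The procedure above stops to examine passive findings before any active scanning is switched on. The added example below shows what passive checks look like: they read only responses the browser already received and never send a request of their own, which is why passive mode is safe against any site while active mode is not. This is illustration code, not ZAP's rule set; the expected-header list and both sample responses are constructed for the example.

```python
"""Passive response checks (added example, not ZAP's rules). Every check
reads recorded responses only; nothing here sends traffic."""

# Constructed minimal list of headers whose absence is reported.
EXPECTED_HEADERS = {
    "strict-transport-security": "MISSING-HSTS",
    "x-content-type-options": "MISSING-NOSNIFF",
    "x-frame-options": "MISSING-XFO",
    "content-security-policy": "MISSING-CSP",
}


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def passive_checks(raw: bytes, https: bool = True) -> list:
    """Return rule ids for everything visible in one recorded response."""
    _status, headers, _body = parse_response(raw)
    findings = []
    present = {name for name, _ in headers}
    for name, rule in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(rule)
    for name, value in headers:
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "httponly" not in attrs:
                findings.append(f"COOKIE-NO-HTTPONLY:{cookie}")
            if https and "secure" not in attrs:
                findings.append(f"COOKIE-NO-SECURE:{cookie}")
        elif name == "server" and any(ch.isdigit() for ch in value):
            findings.append("SERVER-VERSION-DISCLOSED")
    return findings


def scan_recorded(responses) -> dict:
    """Run the checks over a list of recorded responses; index -> findings."""
    return {i: found for i, r in enumerate(responses) if (found := passive_checks(r))}


# Constructed responses: one weak, one with the headers and cookie flags set.
WEAK = (b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache/2.4.41\r\n"
        b"Content-Type: text/html\r\n"
        b"Set-Cookie: session=abc123; Path=/\r\n"
        b"Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n"
        b"\r\n<html></html>")

HARDENED = (b"HTTP/1.1 200 OK\r\n"
            b"Server: nginx\r\n"
            b"Content-Type: text/html\r\n"
            b"Strict-Transport-Security: max-age=31536000\r\n"
            b"X-Content-Type-Options: nosniff\r\n"
            b"X-Frame-Options: DENY\r\n"
            b"Content-Security-Policy: default-src 'self'\r\n"
            b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
            b"\r\n<html></html>")

if __name__ == "__main__":
    for index, found in scan_recorded([WEAK, HARDENED]).items():
        print(f"response {index}: {', '.join(found)}")
```

Everything a passive check can conclude is already in the recorded traffic, which is also its limit: it can say the session cookie lacks `HttpOnly`, but only an active scan that sends crafted requests can tell whether a parameter is actually injectable, and that is the step reserved for sites you own or are authorised to test.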

Summary

o  Protecting sites shouldn't be left to common sense alone.
o  Static tools scan the source code.
o  Dynamic tools scan the deployed site.
o  Penetration tests allow you to …
•  Run as a proxy
•  Spider a site
•  Run automated scans
•  Fuzz test
•  Get reports of the vulnerabilities

Further study

o  Fuzz testing tools:
•  http://bit.ly/FuzzTestingTools
o  Pen testing vs. vulnerability scanning:
•  http://www.tns.com/PenTestvsVScan.asp
o  Burp Suite repeater and intruder tutorial:
•  http://bit.ly/BurpRepeaterTutorial
