AUTOMATING SECURITY TESTING WITH THE OWTF
JEROD BRENNEN

WHO AM I?
- Jerod Brennen
  - Security Architect, One Identity
- Alphabet Soup
  - ACE, CISSP, GWAPT, GWEB

BLOCKING AND TACKLING

COMPLIANCE VS. SECURITY
- PCI pen testing
  - Internal & External
  - Systems & Applications
- Bug bounty programs
- More vulnerabilities discovered (and disclosed)
- More hacking tools published to GitHub
- Customer/Client expectations (requirements?)
- Third party risk assessments

POSITIVE TESTING VS. NEGATIVE TESTING

WHEN SHOULD WE TEST?

XKCD? OR NOSTRADAMUS?
(Hint: It’s totally XKCD: https://xkcd.com/1319/)

ENTER THE OWTF

BASIC STRUCTURE
- Offensive Web Testing Framework
  - https://www.owasp.org/index.php/OWASP_OWTF
- Our powers combined…
  - OWASP Testing Guide
  - PTES
  - NIST (SP 800-115) + OSSTMM

OWASP TESTING PROJECT
- https://www.owasp.org/index.php/OWASP_Testing_Project
- Currently at version 4
- 11 test categories
- Over 100 unique app sec tests

NIST SP 800-115
- Technical Guide to Information Security Testing and Assessment
- http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

PENETRATION TESTING EXECUTION STANDARD
- http://www.pentest-standard.org/
- Seven (7) Phases
  - Pre-engagement Interactions
  - Intelligence Gathering
  - Threat Modeling
  - Vulnerability Analysis
  - Exploitation
  - Post Exploitation
  - Reporting

OWTF TECH SPECS
- Python 2.7
- PostgreSQL database backend
- Runs on Linux (Kali 1.x/2.x)
- Functions & options exposed via REST API

UNDER THE HOOD
- curl (https://curl.haxx.se/)
- Arachni (http://www.arachni-scanner.com/)
- w3af (http://w3af.org/)
- skipfish (https://github.com/spinkham/skipfish)
- DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)

A “FEW” ADDITIONAL TOOLS
- CMS Explorer
- DNSpider
- DNS Recon
- Hoppy
- HTTPrint
- HashCollision
- O-Saft
- Panoptic
- SET
- SSL Labs
- SSL Cipher Check
- WPScan
- Slowloris
- HTTP Traceroute
- Hydra
- Metagoofil
- Metasploit
- Nmap
- Nikto

TEST SEPARATION BY PLUGIN
- Passive: No traffic goes to the target
- Semi Passive: Normal traffic to target
- Active: Direct vulnerability probing
USING THE OWTF

WORKFLOW
Scan (Web UI) -> Analyze Findings -> Validate (CLI) -> Report
INSTALLATION
- Kali Linux
  - https://www.kali.org/downloads/
- Bootstrap Script
  - wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
- Git Clone
  - git clone -b <branch> http://www.github.com/owtf/owtf.git <folder-name>
- Docker
  - Check out https://github.com/owtf/owtf

OWTF DOCUMENTATION
- From http://docs.owtf.org/en/viyatb-break/
- Usage
  - Starting OWTF
  - Using Sessions
  - Managing Targets
  - Understanding Plugins
  - Analyzing Results
  - Managing Workers
  - Controlling Worklist

STARTING OWTF
- Create your testing directory
  - mkdir ~/pentest; cd ~/pentest
- Create a virtualenv
  - source ~/.bashrc; workon owtf
- Start the db
  - ~/owtf/scripts/db_run.sh
- Start OWTF
  - ~/owtf/owtf.py
- Login
  - http://127.0.0.1:8009
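The five start-up steps above, gathered into one script that checks each precondition before moving on. This is an added example, not code from the slides or from the OWTF project; it uses the slide's paths (~/pentest, ~/owtf/scripts/db_run.sh, ~/owtf/owtf.py, http://127.0.0.1:8009) as overridable defaults, and the variable names OWTF_HOME, PENTEST_DIR, OWTF_UI and OWTF_START are the example's own.

```shell
#!/bin/bash
# Added example (not from the slides or the OWTF project): the deck's "Starting OWTF"
# steps as one script with pre-flight checks. Slide paths are the defaults; the
# variable names OWTF_HOME, PENTEST_DIR, OWTF_UI and OWTF_START are this example's own.
set -e

OWTF_HOME=${OWTF_HOME:-$HOME/owtf}          # checkout holding owtf.py and scripts/db_run.sh
PENTEST_DIR=${PENTEST_DIR:-$HOME/pentest}   # testing directory from the slide
OWTF_UI=${OWTF_UI:-http://127.0.0.1:8009}   # login URL from the slide

# make_testdir DIR: create the testing directory (idempotent) and print its path.
make_testdir() {
  mkdir -p "$1" && printf '%s\n' "$1"
}

# check_owtf_home DIR: verify the two scripts the slide runs exist under DIR;
# return 1 and list what is missing otherwise.
check_owtf_home() {
  missing=""
  for f in scripts/db_run.sh owtf.py; do
    [ -f "$1/$f" ] || missing="$missing $f"
  done
  if [ -n "$missing" ]; then
    printf 'OWTF checkout at %s is missing:%s\n' "$1" "$missing" >&2
    return 1
  fi
  return 0
}

# wait_for_ui URL [TRIES]: poll once per second until the web UI answers; return 1 on timeout.
wait_for_ui() {
  url=$1
  tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    if curl -s -o /dev/null "$url"; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# start_owtf: the slide's sequence, each step checked before the next one runs.
start_owtf() {
  cd "$(make_testdir "$PENTEST_DIR")"
  check_owtf_home "$OWTF_HOME"
  # workon comes from virtualenvwrapper via ~/.bashrc (slide step 2); many .bashrc files
  # return early for non-interactive shells, so confirm the function really exists.
  . "$HOME/.bashrc" || true
  command -v workon >/dev/null 2>&1 || { echo "workon not available; source virtualenvwrapper first" >&2; return 1; }
  workon owtf
  "$OWTF_HOME/scripts/db_run.sh"
  "$OWTF_HOME/owtf.py" &
  wait_for_ui "$OWTF_UI" 60 && printf 'OWTF UI is up at %s\n' "$OWTF_UI"
}

# Only launch when asked explicitly (OWTF_START=1), so the functions above can be sourced and tested.
if [ "${OWTF_START:-0}" = 1 ]; then
  start_owtf
fi
```

Run it as `OWTF_START=1 ./start-owtf.sh`; without OWTF_START the file only defines the functions, which is what lets you source it from another script or check a box before an engagement with `check_owtf_home ~/owtf`.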
USING SESSIONS

CHOOSE YOUR WEAPON(S)
- Select Targets, then click Run
- Use the Search box to filter
  - Plugins by Code
    - OWTF – 121 plugins
    - PTES – 16 plugins

UNDERSTANDING PLUGINS
- Three (3) additional types
  - WEB (active, external, grep, passive, semi-passive)
  - NET (active, bruteforce)
  - AUX (se, exploit, etc.)
- Spend some time skimming the OWASP Testing Guide for a better understanding of plugin mappings/identifiers

ANALYZING RESULTS
- Organized by plugin + criticality
  - Mapping code (e.g., OWTF-CM-008)
  - Mapping name (e.g., HTTP Methods and XST)
  - Pen test context (e.g., PUT, TRACE, WebDAV)
  - HTTP Request & Response
- Browse button takes you to output files generated during the test (if available)
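The deck's example finding (OWTF-CM-008, "HTTP Methods and XST", context PUT/TRACE/WebDAV) is the kind of result the "Validate (CLI)" step of the workflow re-checks by hand. Below is an added example of that re-check, not code from the slides or from OWTF: it parses the Allow header of an OPTIONS reply, flags the methods worth a finding, and (only when VALIDATE_URL is set) confirms cross-site tracing by seeing whether a TRACE reply echoes a marker header. The risky-method list, the X-Validation-Marker header and the VALIDATE_URL variable are this example's own choices; the sample responses in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the slides or the OWTF project): a CLI re-check for the
# "HTTP Methods and XST" mapping (OWTF-CM-008) against an app you are testing.
# RISKY_METHODS, X-Validation-Marker and VALIDATE_URL are this example's own choices.
set -e

# Methods treated as findings: TRACE/TRACK (XST), PUT/DELETE (content changes),
# CONNECT, and the WebDAV verbs behind the deck's "WebDAV" context.
RISKY_METHODS="TRACE TRACK PUT DELETE CONNECT PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK"

# parse_allow RAW_RESPONSE: print the value of the first Allow: header (case-insensitive), or nothing.
parse_allow() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Aa][Ll][Ll][Oo][Ww]:[[:space:]]*//p' | head -n 1
}

# risky_methods ALLOW_VALUE: print each risky method (upper-cased), one per line, in header order.
risky_methods() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t\r' | tr 'a-z' 'A-Z' |
  while IFS= read -r m; do
    [ -n "$m" ] || continue
    case " $RISKY_METHODS " in *" $m "*) printf '%s\n' "$m" ;; esac
  done
}

# method_note METHOD: one line on why the method is flagged and what to verify.
method_note() {
  case "$1" in
    TRACE|TRACK) echo "$1: request echo enables cross-site tracing (XST); disable unless required" ;;
    PUT|DELETE)  echo "$1: resource creation/removal; confirm it is authenticated and intended" ;;
    CONNECT)     echo "$1: proxying verb; should not be exposed by an application server" ;;
    *)           echo "$1: WebDAV verb; confirm WebDAV is intended and access-controlled" ;;
  esac
}

# assess_response RAW_RESPONSE: print notes; return 1 if a risky method is advertised,
# 0 if the Allow list is clean, 2 if there was no Allow header to judge.
assess_response() {
  allow=$(parse_allow "$1")
  if [ -z "$allow" ]; then
    echo "no Allow header in response (OPTIONS may be blocked; not a clean result)"
    return 2
  fi
  found=0
  for m in $(risky_methods "$allow"); do
    method_note "$m"
    found=1
  done
  if [ "$found" -eq 0 ]; then
    echo "Allow: $allow (no risky methods advertised)"
  fi
  return "$found"
}

# probe_methods URL: send OPTIONS (headers included with -i) and assess the advertised methods.
probe_methods() {
  raw=$(curl -s -i -X OPTIONS "$1")
  assess_response "$raw"
}

# probe_trace URL: Allow only advertises TRACE; XST is confirmed when the reply echoes our header.
probe_trace() {
  marker="validation-marker-$$"
  body=$(curl -s -X TRACE -H "X-Validation-Marker: $marker" "$1")
  case "$body" in
    *"$marker"*) echo "TRACE echoed the request: XST confirmed"; return 1 ;;
  esac
  echo "TRACE did not echo the request"
}

# Live probes run only when a target is given explicitly, so the parser can be reused on saved output.
if [ -n "${VALIDATE_URL:-}" ]; then
  probe_methods "$VALIDATE_URL" || true
  probe_trace "$VALIDATE_URL" || true
fi
```

Because `assess_response` works on a raw response string, it can also be pointed at the request/response text OWTF saves under owtf_review, which keeps the CLI validation and the web UI finding on the same evidence. A return code of 2 is deliberately distinct from "clean": a server that refuses OPTIONS has not shown its methods, so the finding stays open.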
SAVING YOUR ANALYSIS
- Manual ranking
  - Info
  - Low
  - Medium
  - High
  - Critical
- Tester can add notes

ADVANCED FILTER
- Status (Aborted, Aborted by User, Successful)
- Plugin Group (Web)
- Mapping (NIST, OWASP_V3, OWASP_V4)
- OWTF Rank (-1, 1, 2, 3, 4, 5)
- Plugin Type (active, external, grep, passive, semi-passive)

TRANSACTION LOG
- Link
- Time (Duration)
- HTTP Options
- HTTP Status
- URL

MANAGING WORKERS
- Scanner process
  - PID
  - Target
  - Plugin
  - Type
  - Group
- Pause, resume, & abort individual workers
- Maximum of one plugin per target will be running at any moment in time

MANAGING WORKLISTS
- One worklist contains one or more workers
- Columns
  - Time estimate
  - Target
  - Plugin Group
  - Plugin Type
  - Plugin Name

TEST CASES

LET’S TALK WORKFLOW (AGAIN)
- Add your target
- Run your plugins
- Analyze the scan results
- Copy commands from web UI to CLI
- Run command line tools
- Analyze the results from the CLI tools
- Add notes via the web UI
- Generate (export) your report

TEST SSL/TLS CONFIG
- Filter on ssl (or tls; same results)
- Four (4) tests
- Output saved to /pentest_folder/owtf_review/…

TEST FOR XSS
- Filter on cross site scripting (6 tests)
- Also, cross site flashing
- DOM-based, reflected, & stored

TEST FOR INJECTION FLAWS
- Filter on injection (12 tests)
- Why stop at SQLi?
  - SMTP
  - Code
  - Command
  - LDAP
  - XML
  - XPath

WHAT IF…?

A FEW FINAL COMMENTS

QUICK TIPS
- You’ll need to install w3af in Kali
  - git clone https://github.com/andresriancho/w3af.git
  - git clone w3af
  - easy_install upgrade pip
  - dependencies (script in temp dir)
- My UX has been a little buggy
  - Occasional HTTP 500 error (including first run)
  - Steer clear of the Default Session
  - Multiple runs against the same app may overwrite previous scan data
- Contribute to the project!

YOUR HOMEWORK – TRIAL RUN
- Study up on the OWASP Testing Guide
- Identify the tests that are relevant to your app(s)
- Run your first set of OWTF plugins
- Validate and/or expand findings via command line
- Add your comments and export your first OWTF report
- Feed report findings into bug tracking system
- Fix all the things!

RESOURCES
- Gauntlt
  - http://gauntlt.org/
- SamuraiWTF
  - http://www.samurai-wtf.org/
- OWTF YouTube Channel
  - https://www.youtube.com/user/owtfproject
- Online Passive Scanner
  - https://owtf.github.io/online-passive-scanner/
- OWASP Vulnerable Web Applications Directory Project
  - https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

QUESTIONS / COMMENTS / DISCUSSION

CONTACT INFO
- Email - jerod.brennen@oneidentity.com
- LinkedIn - https://www.linkedin.com/in/slandail/
- Twitter - https://twitter.com/slandail
- GitHub - https://github.com/slandail
- Speaker Deck - https://speakerdeck.com/slandail
- SlideShare - https://www.slideshare.net/JerodBrennenCISSP

 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Automating Security Testing with the OWTF

  • 1. AUTOMATING SECURITY TESTING WITH THE OWTF
     JEROD BRENNEN
  • 2. WHO AM I?
     Jerod Brennen
     Security Architect, One Identity
     Alphabet Soup
     ACE, CISSP, GWAPT, GWEB
  • 4. COMPLIANCE VS. SECURITY
     PCI pen testing
     Internal & External
     Systems & Applications
     Bug bounty programs
     More vulnerabilities discovered (and disclosed)
     More hacking tools published to GitHub
     Customer/Client expectations (requirements?)
     Third party risk assessments
  • 7. XKCD? OR NOSTRADAMUS?
     (Hint: It’s totally XKCD: https://xkcd.com/1319/)
  • 9. BASIC STRUCTURE
     Offensive Web Testing Framework
     https://www.owasp.org/index.php/OWASP_OWTF
     Our powers combined…
     OWASP Testing Guide
     PTES
     NIST (SP 800-115) + OSSTMM
  • 10. OWASP TESTING PROJECT
     https://www.owasp.org/index.php/OWASP_Testing_Project
     Currently at version 4
     11 test categories
     Over 100 unique app sec tests
  • 11. NIST SP 800-115
     Technical Guide to Information Security Testing and Assessment
     http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
  • 12. PENETRATION TESTING EXECUTION STANDARD
     http://www.pentest-standard.org/
     Seven (7) Phases
     Pre-engagement Interactions
     Intelligence Gathering
     Threat Modeling
     Vulnerability Analysis
     Exploitation
     Post Exploitation
     Reporting
  • 13. OWTF TECH SPECS
     Python 2.7
     PostgreSQL database backend
     Runs on Linux (Kali 1.x/2.x)
     Functions & options exposed via REST API
  • 14. UNDER THE HOOD
     curl (https://curl.haxx.se/)
     Arachni (http://www.arachni-scanner.com/)
     w3af (http://w3af.org/)
     skipfish (https://github.com/spinkham/skipfish)
     DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
  • 15. A “FEW” ADDITIONAL TOOLS
     CMS Explorer
     DNSpider
     DNS Recon
     Hoppy
     HTTPrint
     HashCollision
     O-Saft
     Panoptic
     SET
     SSL Labs
     SSL Cipher Check
     WPScan
     Slowloris
     HTTP Traceroute
     Hydra
     Metagoofil
     Metasploit
     Nmap
     Nikto
  • 16. TEST SEPARATION BY PLUGIN
     Passive: No traffic goes to the target
     Semi Passive: Normal traffic to target
     Active: Direct vulnerability probing
  • 19. INSTALLATION
     Kali Linux
     https://www.kali.org/downloads/
     Bootstrap Script
     wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
     Git Clone
     git clone -b <branch> http://www.github.com/owtf/owtf.git <folder-name>
     Docker
     Check out https://github.com/owtf/owtf
  • 20. OWTF DOCUMENTATION
     From http://docs.owtf.org/en/viyatb-break/
     Usage
     Starting OWTF
     Using Sessions
     Managing Targets
     Understanding Plugins
     Analyzing Results
     Managing Workers
     Controlling Worklist
  • 21. STARTING OWTF
     Create your testing directory
     mkdir ~/pentest; cd ~/pentest
     Create a virtualenv
     source ~/.bashrc; workon owtf
     Start the db
     ~/owtf/scripts/db_run.sh
     Start OWTF
     ~/owtf/owtf.py
     Login
     http://127.0.0.1:8009
  • 23. CHOOSE YOUR WEAPON(S)
     Select Targets, then click Run
     Use the Search box to filter
     Plugins by Code
     OWTF – 121 plugins
     PTES – 16 plugins
  • 24. UNDERSTANDING PLUGINS
     Three (3) additional types
     WEB (active, external, grep, passive, semi-passive)
     NET (active, bruteforce)
     AUX (se, exploit, etc.)
     Spend some time skimming the OWASP Testing Guide for a better understanding of plugin mappings/identifiers
  • 25. ANALYZING RESULTS
     Organized by plugin + criticality
     Mapping code (e.g., OWTF-CM-008)
     Mapping name (e.g., HTTP Methods and XST)
     Pen test context (e.g., PUT, TRACE, WebDAV)
     HTTP Request & Response
     Browse button takes you to output files generated during the test (if available)
  • 26. SAVING YOUR ANALYSIS
     Manual ranking
     Info
     Low
     Medium
     High
     Critical
     Tester can add notes
  • 27. ADVANCED FILTER
     Status (Aborted, Aborted by User, Successful)
     Plugin Group (Web)
     Mapping (NIST, OWASP_V3, OWASP_V4)
     OWTF Rank (-1, 1, 2, 3, 4, 5)
     Plugin Type (active, external, grep, passive, semi-passive)
  • 28. TRANSACTION LOG
     Link
     Time (Duration)
     HTTP Options
     HTTP Status
     URL
  • 29. MANAGING WORKERS
     Scanner process
     PID
     Target
     Plugin
     Type
     Group
     Pause, resume, & abort individual workers
     Maximum of one plugin per target will be running at any moment in time
  • 30. MANAGING WORKLISTS
     One worklist contains one or more workers
     Columns
     Time estimate
     Target
     Plugin Group
     Plugin Type
     Plugin Name
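The worker and worklist model described on slides 16, 29 and 30 (plugin types, at most one plugin per target at any moment, paused workers), as an added illustrative Python 3 model; this is not OWTF's own code (OWTF itself is Python 2.7), and the pause-by-target rule, the target URLs and the plugin names are assumptions or constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
# Plugin types named on the slides; "passive" plugins send no traffic to the target.
PLUGIN_TYPES = {"passive", "semi-passive", "active", "external", "grep", "bruteforce"}

@dataclass(frozen=True)
class WorkItem:
    """One worklist row: target, plugin group, plugin type, plugin name (slide 30)."""
    target: str  # constructed sample values such as "https://app-a.example"
    group: str   # WEB, NET or AUX
    ptype: str   # one of PLUGIN_TYPES
    name: str    # e.g. "HTTP Methods and XST"

    def __post_init__(self) -> None:
        if self.ptype not in PLUGIN_TYPES:
            raise ValueError(f"unknown plugin type: {self.ptype}")

@dataclass
class Worklist:
    pending: List[WorkItem] = field(default_factory=list)
    running: Dict[str, WorkItem] = field(default_factory=dict)  # target -> running plugin
    paused: Set[str] = field(default_factory=set)  # assumption: pause is tracked per target
    done: List[WorkItem] = field(default_factory=list)

    def next_runnable(self, allowed: Optional[Set[str]] = None) -> Optional[WorkItem]:
        """First pending item whose target is idle and not paused, filtered by plugin type."""
        for item in self.pending:
            if item.target in self.running or item.target in self.paused:
                continue  # at most one plugin per target at any moment (slide 29)
            if allowed is not None and item.ptype not in allowed:
                continue  # e.g. allowed={"passive"} keeps all traffic off the target
            return item
        return None

    def run_all(self, allowed: Optional[Set[str]] = None) -> List[List[WorkItem]]:
        """Drain the worklist in rounds; returns the items that ran together in each round."""
        rounds: List[List[WorkItem]] = []
        while True:
            item = self.next_runnable(allowed)
            while item is not None:  # start the next plugin on every idle target
                self.pending.remove(item)
                self.running[item.target] = item
                item = self.next_runnable(allowed)
            if not self.running:
                break  # worklist drained, or only paused/filtered-out items remain
            rounds.append(list(self.running.values()))
            self.done.extend(self.running.values())  # simulate the round completing
            self.running.clear()
        return rounds
```

Running with `allowed={"passive"}` is the "no traffic goes to the target" mode from slide 16; items of other types stay pending until the tester widens the filter.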
  • 32. LET’S TALK WORKFLOW (AGAIN)
     Add your target
     Run your plugins
     Analyze the scan results
     Copy commands from web UI to CLI
     Run command line tools
     Analyze the results from the CLI tools
     Add notes via the web UI
     Generate (export) your report
  • 33. TEST SSL/TLS CONFIG
     Filter on ssl (or tls; same results)
     Four (4) tests
     Output saved to /pentest_folder/owtf_review/…
  • 34. TEST FOR XSS
     Filter on cross site scripting (6 tests)
     Also, cross site flashing
     DOM-based, reflected, & stored
  • 35. TEST FOR INJECTION FLAWS
     Filter on injection (12 tests)
     Why stop at SQLi?
     SMTP
     Code
     Command
     LDAP
     XML
     XPath
  • 37. A FEW FINAL COMMENTS
  • 38. QUICK TIPS
     You’ll need to install w3af in Kali
     git clone https://github.com/andresriancho/w3af.git
     git clone w3af
     easy_install upgrade pip
     dependencies (script in temp dir)
     My UX has been a little buggy
     Occasional HTTP 500 error (including first run)
     Steer clear of the Default Session
     Multiple runs against the same app may overwrite previous scan data
     Contribute to the project!
  • 39. YOUR HOMEWORK – TRIAL RUN
     Study up on the OWASP Testing Guide
     Identify the tests that are relevant to your app(s)
     Run your first set of OWTF plugins
     Validate and/or expand findings via command line
     Add your comments and export your first OWTF report
     Feed report findings into bug tracking system
     Fix all the things!
  • 40. RESOURCES
     Gauntlt
     http://gauntlt.org/
     SamuraiWTF
     http://www.samurai-wtf.org/
     OWTF YouTube Channel
     https://www.youtube.com/user/owtfproject
     Online Passive Scanner
     https://owtf.github.io/online-passive-scanner/
     OWASP Vulnerable Web Applications Directory Project
     https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
  • 41. QUESTIONS / COMMENTS / DISCUSSION
  • 42. CONTACT INFO
     Email – jerod.brennen@oneidentity.com
     LinkedIn - https://www.linkedin.com/in/slandail/
     Twitter - https://twitter.com/slandail
     GitHub - https://github.com/slandail
     Speaker Deck - https://speakerdeck.com/slandail
     SlideShare - https://www.slideshare.net/JerodBrennenCISSP