BruCON 2014 5by5 OWASP OWTF

Transcript

1. OWASP OWTF - Bharadwaj `tunnelshade` Machiraju

2. I am a security tool developer (recent tool - Flashbang).

   a restless 20 year old from India. a senior at IIT (BHU), Varanasi (doing B.Tech). an employee @ _____ (Your company name can be here).

3. Content of upcoming slides OWTF! - Why? What? How? User

   Interface Plugins & Control Inbound Proxy Transaction & URL log Notes & Ranking Advanced Filter Demo

4. Why another Web Testing Framework?

5. Pentester Requirements (Atleast OWTF dev team’s requirements) Automate the uncreative

   part of pentests like trying to remember how to launch tool ‘X’ or how to parse and feed the output of tool ‘X’ to tool ‘Y’. Organize the findings according to a testing guide like OWASP, NIST etc.. so as to use them as a checklist. Classify tests based on aggression levels to prepare ahead of time. Provide the ability to rank the findings to enable targeted fuzzing on seemingly risky areas. Analyse each and every HTTP transaction and make them searchable. Spider the site effectively to not miss anything. Act as a storage consisting of all useful online tools, dorks, POCs & resources. Free & Open Source (Indians love free stuff) Allow us to think and not get in our way <— XD
6. None

7. What is OWTF? Offensive Web Testing Framework = Test/Exploit ASAP

   Started by Abraham Aranguren First demonstrated at BerlinSides 2011 Formally, a framework which presents all the information from different tools and custom tests, in an organised and categorised way to help user concentrate on the analysis part

8. How? Run Tools • theHarvester • Nikto • Arachni •

   w3af etc.. Run Tests directly • Crafted requests • Header searches • html body searches etc.. Knowledge Repo • POC Links • Resource Links • Test guide mappings Help User Analysis • Automated ranking • User notes • User rankings
9. None

10. Features

11. Web Interface

12. Plugin classification Plugins are separated into multiple groups and types

    for better test classification WEB - (Web related stuff) Active - Active vulnerability probing Semi Passive - Normal traffic to target Passive - No traffic to target Grep - Searches on transaction database External - Other tool inputs, POCs, resource links etc.. NET - (Somewhat like mmap scripts) AUX - (Somewhat like msfcli in metasploit)
13. None

14. Plugin Execution Control Plugins are executed by processes called workers

    which can be paused/resumed/ aborted/added/removed. This lets you handle deadly unwanted disturbances like internet outage, downed target etc..

15. Inbound Proxy OWTF has its own proxy, which was benchmarked

    in the last year as fastest MiTM python proxy. This proxy enables user to use it in a browser or with any other tool. Most of the tools launched by OWTF are proxified (eg. Arachni, w3af, custom requests etc..). So all the transactions made by the scanners are logged and analysed

16. Transaction Log The place from where you can search each

    and every transaction that happened through OWTF proxy.
17. None

18. URL Log OWTF scrubs the output of all tools/plugins run

    to gather as many URLs as possible. This is somewhat "cheating" but tremendously effective since it combines the results of different tools, including several tools that perform brute forcing of files and directories.

19. Plugin Reports Plugin reports are categorised according to their test

    codes along with pentester explanations

20. Notes & Ranking Plugin report provides you the facility to

    write down some notes and add your own analysis ranking to it. Some tool outputs are automatically ranked using an automated ranking library PTP developed for OWTF during GSoC 2014. This helps you find risky areas quickly.

21. Advanced Filter Filtering the plugin outputs on various criteria along

    with the facility to change the mapping of test codes. Currently OWASP v3, OWASP v4, NIST are present by default. It is easy to add one yourself

22. http://youtu.be/Z3D1r755Wik

23. OWTF WAF-bypasser & Botnet Mode - Marios Kourtesis

24. whoami name.surname[at]gmail[dot]com OWASP OWTF Contributor Author of Botnet Mode WAF-bypasser

25. Botnet Mode Allows user to simulate a botnet attack. Generates

    traffic to the target by other hosts located all over the world.

26. How does it work? Proxy-Switching Each HTTP request pass through

    a different proxy. Proxies are fetched automatically by a feature called ProxyMiner. TOR-Mode Each HTTP request will pass through tor network. After a user defined time interval, the IP address will get renewed.

27. Botnet Mode Demo

28. None

29. WAF-Bypasser WAF-bypasser is a standalone project which is included into

    OWTF as a module. Analyses & tests the quality of web application firewalls. Can potentially detect WAFs security holes. During the development, a zero day was found to OWASP-CRS for Apache ModSecurity WAF module

30. WAF-bypasser DEMO 1 WAF-bypasser DEMO 2

31. OWTF Re-architecture - Alessandro Fanio González

32. Who am I? 23-year-old software engineer. I work at Eleven

    Paths, a company dedicated to development of security products. OWTF Contributor since GSoC 2013.

33. What is this presentation about? The importance of good practices

    in software development. The difficulties of building and maintaining a software project. Best practices and patterns in software development.

34. Why software engg. presentation at a security conference? New features

    are great, but maintainability is important. We all want our tools to be used and maintained, but will you assume the cost? Sometimes it is necessary to stop and think… Can I improve my code?

35. Important concepts Interface Component coupling SOLID principles Single Responsibility Principle

    Interface Segregation Principle Dependency Inversion Principle

36. Previous OWTF Architecture Many responsibilities in one single object. Core-dependent

    architecture. Tightly coupled components.

37. Implemented Architecture How do we define a component? Initialization process.

    Service Locator pattern. Split “fat” interfaces and re- assign responsibilities. Use of python’s abstract base class.

38. Achieved Goals! Reduced coupling among modules and core of OWTF.

    Less complexity = Easier to find bugs. Reduced the impact of changes (SOLID principles). Made it easier to change implementation of a component.

39. Contact Us Alessandro Fanio González @AlessandroFG27 [email protected] Bharadwaj Machiraju @tunnelshade_

    [email protected] Marios Kourtesis [email protected] http://owtf.org @owtfp http://github.com/owtf #owtf on freenode