BruCON 2014 5by5 OWASP OWTF

5by5 talk about OWTF at BruCON 2014, Belgium.

Demo Links:
+ UI : https://www.youtube.com/watch?v=Z3D1r755Wik
+ Botnet Mode : https://www.youtube.com/watch?v=rQc8w_DbIo4
+ wafbypasser : https://www.youtube.com/watch?v=DIxOQqr93qI

Bharadwaj Machiraju

September 26, 2014

Transcript

  1. I am a security tool developer (recent tool: Flashbang).
     + a restless 20-year-old from India
     + a senior at IIT (BHU), Varanasi (doing B.Tech)
     + an employee @ _____ (your company name can be here)
  2. Content of upcoming slides
     + OWTF! - Why? What? How?
     + User Interface
     + Plugins & Control
     + Inbound Proxy
     + Transaction & URL log
     + Notes & Ranking
     + Advanced Filter
     + Demo
  3. Pentester Requirements (at least the OWTF dev team’s requirements)
     + Automate the uncreative part of pentests, like trying to remember how to launch tool ‘X’ or how to parse and feed the output of tool ‘X’ to tool ‘Y’.
     + Organize the findings according to a testing guide like OWASP, NIST etc., so as to use them as a checklist.
     + Classify tests based on aggression levels to prepare ahead of time.
     + Provide the ability to rank the findings to enable targeted fuzzing on seemingly risky areas.
     + Analyse each and every HTTP transaction and make them searchable.
     + Spider the site effectively so as not to miss anything.
     + Act as a store of all useful online tools, dorks, POCs & resources.
     + Free & Open Source (Indians love free stuff)
     + Allow us to think and not get in our way <— XD
  4. What is OWTF? Offensive Web Testing Framework = Test/Exploit ASAP
     + Started by Abraham Aranguren
     + First demonstrated at BerlinSides 2011
     + Formally, a framework which presents all the information from different tools and custom tests in an organised and categorised way, to help the user concentrate on the analysis part.
  5. How?
     Run Tools
       • theHarvester
       • Nikto
       • Arachni
       • w3af etc.
     Run Tests directly
       • Crafted requests
       • Header searches
       • HTML body searches etc.
     Knowledge Repo
       • POC Links
       • Resource Links
       • Test guide mappings
     Help User Analysis
       • Automated ranking
       • User notes
       • User rankings
  6. Plugin classification. Plugins are separated into multiple groups and types for better test classification.
     WEB (web related stuff)
       • Active - active vulnerability probing
       • Semi Passive - normal traffic to target
       • Passive - no traffic to target
       • Grep - searches on the transaction database
       • External - other tool inputs, POCs, resource links etc.
     NET (somewhat like nmap scripts)
     AUX (somewhat like msfcli in Metasploit)
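As an added illustration (this is not OWTF's own code), the following Python sketch models the group/type split above as a small plugin registry, and goes one step further than the slide: because each type implies how much traffic it sends, the registry can select a plan by maximum aggression level, which is the "classify tests based on aggression levels" requirement from slide 3. All class, enum and test-code names here are assumptions, and the test codes are constructed values, not real testing-guide identifiers.

```python
from abc import ABC, abstractmethod
from enum import Enum
from typing import Dict, List, Optional, Type

# Hypothetical names modelling the slide's groups and types; not OWTF's classes.
class Group(Enum):
    WEB = "web"   # web related plugins
    NET = "net"   # network plugins, nmap-script style
    AUX = "aux"   # auxiliary plugins, msfcli style

class PluginType(Enum):
    EXTERNAL = "external"          # tool inputs, POC and resource links; no traffic
    PASSIVE = "passive"            # no traffic to the target
    GREP = "grep"                  # searches stored transactions; no traffic
    SEMI_PASSIVE = "semi_passive"  # normal traffic only
    ACTIVE = "active"              # active vulnerability probing

# Aggression level per type: 0 = no traffic, 1 = normal traffic, 2 = probing.
AGGRESSION: Dict[PluginType, int] = {
    PluginType.EXTERNAL: 0, PluginType.PASSIVE: 0, PluginType.GREP: 0,
    PluginType.SEMI_PASSIVE: 1, PluginType.ACTIVE: 2,
}

class Plugin(ABC):
    group: Group
    ptype: PluginType
    code: str  # test-guide code the plugin maps to (constructed values below)

    @abstractmethod
    def run(self, target: str) -> str:
        """Run the test against target and return a short finding."""

    @property
    def aggression(self) -> int:
        return AGGRESSION[self.ptype]

class PluginRegistry:
    def __init__(self) -> None:
        self._plugins: List[Plugin] = []

    def register(self, cls: Type[Plugin]) -> Type[Plugin]:
        """Class decorator: instantiate and register a plugin class."""
        self._plugins.append(cls())
        return cls

    def select(self, group: Optional[Group] = None,
               max_aggression: Optional[int] = None,
               code: Optional[str] = None) -> List[Plugin]:
        """Filter by group, aggression ceiling and test code; least aggressive first."""
        chosen = []
        for p in self._plugins:
            if group is not None and p.group is not group:
                continue
            if max_aggression is not None and p.aggression > max_aggression:
                continue
            if code is not None and p.code != code:
                continue
            chosen.append(p)
        return sorted(chosen, key=lambda p: p.aggression)  # stable: keeps registration order

registry = PluginRegistry()

# Sample plugins (constructed). run() only describes the test; no real traffic is sent.
@registry.register
class ServerHeaderGrep(Plugin):
    group, ptype, code = Group.WEB, PluginType.GREP, "TEST-INFO-001"
    def run(self, target: str) -> str:
        return f"grep logged transactions of {target} for the Server header"

@registry.register
class RobotsFetch(Plugin):
    group, ptype, code = Group.WEB, PluginType.SEMI_PASSIVE, "TEST-INFO-001"
    def run(self, target: str) -> str:
        return f"fetch {target}/robots.txt like a normal browser would"

@registry.register
class DirBruteForce(Plugin):
    group, ptype, code = Group.WEB, PluginType.ACTIVE, "TEST-CONF-004"
    def run(self, target: str) -> str:
        return f"probe {target} with a directory wordlist (active)"

@registry.register
class PortScan(Plugin):
    group, ptype, code = Group.NET, PluginType.ACTIVE, "TEST-NET-001"
    def run(self, target: str) -> str:
        return f"port scan {target} (active)"

def plan(group: Optional[Group] = None, max_aggression: Optional[int] = None) -> List[str]:
    """Names of the plugins that would run under the given constraints."""
    return [type(p).__name__ for p in registry.select(group=group, max_aggression=max_aggression)]

if __name__ == "__main__":
    print(plan(Group.WEB, max_aggression=0))  # grep only: nothing touches the target
    print(plan(max_aggression=2))             # everything, least aggressive first
```

The ordering matters in practice: grep plugins consume what the proxy has already logged, so running the zero-traffic plugins last would be pointless; sorting by aggression puts the cheap, quiet tests first and lets a tester stop before any active probing starts.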
  7. Plugin Execution Control. Plugins are executed by processes called workers, which can be paused/resumed/aborted/added/removed. This lets you handle deadly unwanted disturbances like an internet outage, a downed target etc.
  8. Inbound Proxy. OWTF has its own proxy, which was benchmarked in the last year as the fastest MiTM Python proxy. This proxy enables the user to use it in a browser or with any other tool. Most of the tools launched by OWTF are proxified (e.g. Arachni, w3af, custom requests etc.), so all the transactions made by the scanners are logged and analysed.
  9. Transaction Log. The place from where you can search each and every transaction that happened through the OWTF proxy.
  10. URL Log. OWTF scrubs the output of all tools/plugins run to gather as many URLs as possible. This is somewhat "cheating" but tremendously effective, since it combines the results of different tools, including several tools that perform brute forcing of files and directories.
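To make the URL-log idea concrete, here is an added Python example (not OWTF's implementation) that scrubs URLs out of three constructed tool outputs, resolves relative paths against the URL each tool was run against, normalises them (lower-case host, default port and fragment dropped) so the same resource found by two tools is counted once, and keeps only URLs inside the target's scope. The tool names, sample output lines and target host are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

# Absolute URLs anywhere in text (quotes and whitespace end the match).
ABS_URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&()*+,;=%-]+", re.I)
# Link-bearing attributes in HTML bodies; values may be relative.
ATTR_RE = re.compile(r"(?:href|src|action)\s*=\s*[\"']([^\"'\s>]+)[\"']", re.I)
# Bare paths in tool output such as "/admin/" or "/backup/db.sql.bak"; the
# lookbehind stops it from firing inside absolute URLs or closing HTML tags.
PATH_RE = re.compile(r"(?<![\w:/.<])(/[A-Za-z0-9_.~%/-]*)")

def normalize(url: str) -> Optional[str]:
    """Lower-case scheme/host, drop default ports and fragments; None if not http(s)."""
    try:
        s = urlsplit(url)
        port = s.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = s.scheme.lower()
    if scheme not in ("http", "https") or not s.hostname:
        return None
    netloc = s.hostname  # already lower-cased by urlsplit
    if port and port != (80 if scheme == "http" else 443):
        netloc = f"{netloc}:{port}"
    return urlunsplit((scheme, netloc, s.path or "/", s.query, ""))

def in_scope(url: str, target_host: str) -> bool:
    """Keep the target host and its subdomains; third-party hosts are not in scope."""
    host = urlsplit(url).hostname or ""
    return host == target_host or host.endswith("." + target_host)

def extract(kind: str, base_url: str, text: str) -> List[str]:
    """Raw URL candidates from one tool's output; 'html' bodies use attributes, plain text uses bare paths."""
    found = [m.group(0).rstrip(".,;:)") for m in ABS_URL_RE.finditer(text)]
    if kind == "html":
        found += [urljoin(base_url, v) for v in ATTR_RE.findall(text)]
    else:
        found += [urljoin(base_url, p) for p in PATH_RE.findall(text)]
    return found

def scrub_urls(outputs: List[Tuple[str, str, str, str]], target_host: str) -> Dict[str, List[str]]:
    """Combine URLs from every tool output; map each URL to the sorted list of tools that found it."""
    urls: Dict[str, set] = {}
    for tool, kind, base_url, text in outputs:
        for raw in extract(kind, base_url, text):
            url = normalize(raw)
            if url and in_scope(url, target_host):
                urls.setdefault(url, set()).add(tool)
    return {u: sorted(t) for u, t in sorted(urls.items())}

# Constructed sample outputs: (tool, kind, base URL the tool was run against, output).
SAMPLE_OUTPUTS = [
    ("nikto", "text", "https://target.example/",
     "+ Target Hostname: target.example\n"
     "+ OSVDB-3092: /admin/: This might be interesting.\n"
     "+ /robots.txt: contains 2 entries which should be manually viewed.\n"),
    ("dirbuster", "text", "https://target.example/",
     "DIR found: /backup/ - 200\n"
     "FILE found: /backup/db.sql.bak - 200\n"),
    ("crawler", "html", "https://target.example/index.html",
     '<a href="login.php?next=/admin/#top">Login</a>\n'
     '<script src="https://cdn.third-party.example/lib.js"></script>\n'
     '<form action="HTTPS://Target.Example:443/api/v1/submit">\n'),
]

def demo() -> Dict[str, List[str]]:
    return scrub_urls(SAMPLE_OUTPUTS, "target.example")

if __name__ == "__main__":
    for url, tools in demo().items():
        print(f"{url}  <- {', '.join(tools)}")
```

Two details carry the weight here: the `base_url` is recorded per tool because brute-forcers print paths rather than URLs, and normalisation runs before de-duplication so `HTTPS://Target.Example:443/api/v1/submit` and `https://target.example/api/v1/submit` collapse into one entry. The third-party CDN script is found but dropped as out of scope, which is exactly the filter you want before feeding the list to any further testing.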
  11. Notes & Ranking. The plugin report provides you the facility to write down some notes and add your own analysis ranking to it. Some tool outputs are automatically ranked using PTP, an automated ranking library developed for OWTF during GSoC 2014. This helps you find risky areas quickly.
  12. Advanced Filter. Filtering the plugin outputs on various criteria, along with the facility to change the mapping of test codes. Currently OWASP v3, OWASP v4 and NIST are present by default. It is easy to add one yourself.
  13. Botnet Mode. Allows the user to simulate a botnet attack. Generates traffic to the target by other hosts located all over the world.
  14. How does it work?
     + Proxy-Switching: each HTTP request passes through a different proxy. Proxies are fetched automatically by a feature called ProxyMiner.
     + TOR-Mode: each HTTP request will pass through the Tor network. After a user-defined time interval, the IP address will get renewed.
  15. WAF-Bypasser. WAF-bypasser is a standalone project which is included in OWTF as a module. It analyses & tests the quality of web application firewalls and can potentially detect security holes in WAFs. During development, a zero-day was found in OWASP-CRS for the Apache ModSecurity WAF module.
  16. Who am I? 23-year-old software engineer. I work at Eleven Paths, a company dedicated to the development of security products. OWTF Contributor since GSoC 2013.
  17. What is this presentation about?
     + The importance of good practices in software development.
     + The difficulties of building and maintaining a software project.
     + Best practices and patterns in software development.
  18. Why a software engineering presentation at a security conference? New features are great, but maintainability is important. We all want our tools to be used and maintained, but will you assume the cost? Sometimes it is necessary to stop and think… Can I improve my code?
  19. Important concepts
     + Interface
     + Component coupling
     + SOLID principles
       • Single Responsibility Principle
       • Interface Segregation Principle
       • Dependency Inversion Principle
  20. Implemented Architecture
     + How do we define a component?
     + Initialization process.
     + Service Locator pattern.
     + Split “fat” interfaces and re-assign responsibilities.
     + Use of Python’s abstract base classes.
  21. Achieved Goals!
     + Reduced coupling among modules and the core of OWTF.
     + Less complexity = easier to find bugs.
     + Reduced the impact of changes (SOLID principles).
     + Made it easier to change the implementation of a component.
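Slides 19 to 21 describe the architecture in the abstract; the following added Python example (not OWTF's actual component code) shows the pieces working together: two narrow abstract base classes instead of one fat interface (Interface Segregation), a Service Locator that hands out implementations by interface and refuses objects that do not implement it, an initialization step that wires everything once, and a grep-style plugin that depends only on the abstractions (Dependency Inversion), so swapping an implementation never touches the plugin. Interface, class and method names are assumptions made for the example, and the recorded transactions are constructed.

```python
from abc import ABC, abstractmethod
from typing import Dict, List, Type, TypeVar

T = TypeVar("T")

# Two narrow interfaces rather than one "fat" component interface (hypothetical names).
class TransactionLog(ABC):
    @abstractmethod
    def record(self, method: str, url: str, status: int) -> None: ...
    @abstractmethod
    def search(self, needle: str) -> List[str]: ...

class Reporter(ABC):
    @abstractmethod
    def report(self, line: str) -> None: ...

class ServiceLocator:
    """Components are looked up by interface, never by concrete class."""
    def __init__(self) -> None:
        self._services: Dict[type, object] = {}

    def register(self, interface: Type[T], impl: T) -> None:
        # The ABC check is what makes "does this object implement the contract?" enforceable.
        if not isinstance(impl, interface):
            raise TypeError(f"{type(impl).__name__} does not implement {interface.__name__}")
        self._services[interface] = impl

    def get(self, interface: Type[T]) -> T:
        try:
            return self._services[interface]  # type: ignore[return-value]
        except KeyError:
            raise LookupError(f"no component registered for {interface.__name__}") from None

# Concrete implementations; either can be replaced without touching the plugin below.
class MemoryTransactionLog(TransactionLog):
    def __init__(self) -> None:
        self._rows: List[str] = []
    def record(self, method: str, url: str, status: int) -> None:
        self._rows.append(f"{method} {url} {status}")
    def search(self, needle: str) -> List[str]:
        return [r for r in self._rows if needle in r]

class ListReporter(Reporter):
    def __init__(self) -> None:
        self.lines: List[str] = []
    def report(self, line: str) -> None:
        self.lines.append(line)

class StdoutReporter(Reporter):
    def report(self, line: str) -> None:
        print(line)

class Server500Grep:
    """A grep-style plugin: depends only on the two abstractions, not on their implementations."""
    def __init__(self, locator: ServiceLocator) -> None:
        self.log = locator.get(TransactionLog)
        self.reporter = locator.get(Reporter)
    def run(self) -> List[str]:
        hits = self.log.search(" 500")
        self.reporter.report(f"{len(hits)} transaction(s) returned HTTP 500")
        return hits

def build_locator(reporter: Reporter = None) -> ServiceLocator:
    """Initialization process: wire implementations once, at startup."""
    loc = ServiceLocator()
    loc.register(TransactionLog, MemoryTransactionLog())
    loc.register(Reporter, reporter if reporter is not None else ListReporter())
    return loc

def demo(reporter: Reporter = None) -> List[str]:
    loc = build_locator(reporter)
    log = loc.get(TransactionLog)
    # Constructed sample transactions, as the inbound proxy would have logged them.
    log.record("GET", "https://target.example/", 200)
    log.record("POST", "https://target.example/login", 500)
    log.record("GET", "https://target.example/api", 500)
    return Server500Grep(loc).run()

if __name__ == "__main__":
    demo(StdoutReporter())  # same plugin, different Reporter: nothing in the plugin changes
```

The coupling reduction claimed on slide 21 is visible in `Server500Grep`: it imports no concrete class, so a change to how transactions are stored (say, a database-backed `TransactionLog`) is a change to one registration line in `build_locator`, and a broken implementation is caught at registration time by the `isinstance` check rather than deep inside a plugin run.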