Differences
This shows you the differences between two versions of the page.
public:secureprogramming [2014-09-11 11:30] – petrs | public:research:secprog:secureprogramming [2015-10-21 11:00] – [Vulnerable app / distro / hackme challenges] petrs | ||
Line 2: | Line 2: | ||
* 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http:// | * 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http:// | ||
+ | * Mozilla secure coding guidelines: https:// | ||
+ | |||
===== Security programming courses ===== | ===== Security programming courses ===== | ||
Line 81: | Line 83: | ||
* Run cmd with Administrator privileges | * Run cmd with Administrator privileges | ||
* peach configuration.xml | * peach configuration.xml | ||
+ | * Run Peach in agent mode: //peach -a tcp// | ||
+ | * ERROR: Error, could not load platform assembly ' | ||
+ | * Solution: https:// | ||
+ | * ERROR: Could not start monitor " | ||
+ | :\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll' | ||
+ | * set proper path to WinDbg (e.g., c:\Program Files (x86)\Debugging Tools for Windows\) in peach pit file | ||
+ | * <Param name=" | ||
+ | |||
+ | |||
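Review bot: the two Peach troubleshooting entries in this hunk stop mid-string (the ERROR text ends at an opening quote, and the `<Param name="` line is cut off), so the fix cannot be applied from the page as written; complete the error message and give the full Param element with both its name attribute and the WinDbg path value. The note about setting the proper WinDbg path is useful, but it should say which monitor configuration block the Param belongs in.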
===== Notes ===== | ===== Notes ===== | ||
Line 86: | Line 97: | ||
* Use format of https:// | * Use format of https:// | ||
* High-level metrics: platform... | * High-level metrics: platform... | ||
- | * 1st iteration | + | * Iterative process, highlight to students |
* Platform supported | * Platform supported | ||
* Properties from Andrii | * Properties from Andrii | ||
* IDE integration vs. standalone / server-based tool | * IDE integration vs. standalone / server-based tool | ||
- | * Miro - Coverity experience | + | * Coverity experience |
- | * | + | * 3 bc theses |
+ | * Use owasp tools, test against vulnerable apps, evaluate | ||
+ | * Implement personalized testing scenarios inside given framework (he Web Application Hacker' | ||
+ | * multiple scenarios, every week demonstration of progress | ||
+ | * Vulnerability scanners - Nessus, Metasploit... | ||
+ | * Metrics (owasp top 10) | ||
+ | |||
+ | A1 Injection | ||
+ | A2 Broken Authentication and Session Management | ||
+ | A3 Cross-Site Scripting (XSS) | ||
+ | A4 Insecure Direct Object References | ||
+ | A5 Security Misconfiguration | ||
+ | A6 Sensitive Data Exposure | ||
+ | A7 Missing Function Level Access Control | ||
+ | A8 Cross-Site Request Forgery (CSRF) | ||
+ | A9 Using Components with Known Vulnerabilities | ||
+ | A10 Unvalidated Redirects and Forwards | ||
==== OWASP tools ==== | ==== OWASP tools ==== | ||
+ | |||
* List of owasp tools https:// | * List of owasp tools https:// | ||
* https:// | * https:// | ||
+ | |||
+ | ==== Web security testing tool ==== | ||
* w3af framework for manipulating HTTP (fuzzers, crawlers...) http:// | * w3af framework for manipulating HTTP (fuzzers, crawlers...) http:// | ||
* free, opensource | * free, opensource | ||
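Review bot: the "Metrics (owasp top 10)" list (A1 Injection through A10 Unvalidated Redirects and Forwards) does not state which edition of the Top 10 it is, and the categories change between releases; add the edition year so the metric stays reproducible. Minor: "(he Web Application Hacker'" in the personalized testing scenarios bullet should read "the", and that bullet is also cut off before the book title ends.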
Line 107: | Line 138: | ||
* Insufficient Access Control | * Insufficient Access Control | ||
* TRY | * TRY | ||
- | * AntiSamy https:// | ||
- | * API for ensuring user-supplied HTML/CSS is in compliance within an application' | ||
- | * [2014] OWASP Insecure Web App Project | ||
- | * InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling | ||
- | * [2012] Mutillidae | ||
- | * Mutillidae contains all of the vulnerabilties from the OWASP Top 10 | ||
- | * TRY | ||
- | * http:// | ||
* [2014] OWASP Mantra security testing web browser (build on Firefox) http:// | * [2014] OWASP Mantra security testing web browser (build on Firefox) http:// | ||
* TRY | * TRY | ||
* firefox-based browser with large number of security plugins http:// | * firefox-based browser with large number of security plugins http:// | ||
- | * [2013] OWASP Broken Web Applications Project https:// | ||
- | * application with vulnerabilities, | ||
- | * TRY | ||
* [2014] ByWaf https:// | * [2014] ByWaf https:// | ||
* web application penetration testing framework, command-line interpreter and a set of plugins | * web application penetration testing framework, command-line interpreter and a set of plugins | ||
- | * Damn Vulnerable iOS Application https:// | ||
- | * covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try | ||
- | * OWASP Enterprise Security API https:// | ||
- | * Java, .NET, ASP, PHP, Python, JavaScript... | ||
- | * TRY | ||
- | * [2011] Hackademic Challenges https:// | ||
- | * vulnerable app, challenges | ||
- | * TRY | ||
- | * [2014] java-html-sanitizer https:// | ||
- | * fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS | ||
- | * XSS prevention sheet https:// | ||
- | * [2014] JSON Sanitizer Project https:// | ||
- | * Given JSON-like content, convert it to valid JSON. Java library | ||
* [2011, 2014?] OWASP LAPSE Project https:// | * [2011, 2014?] OWASP LAPSE Project https:// | ||
* Security Scanner for Java EE Applications | * Security Scanner for Java EE Applications | ||
Line 141: | Line 148: | ||
* TRY | * TRY | ||
* [2014] OWASP OWTF, the Offensive (Web) Testing Framework https:// | * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https:// | ||
- | * [2013] OWASP Security Shepherd https:// | ||
- | * TRY | ||
- | * security teaching application, | ||
* [2014] XSS detection toolkit https:// | * [2014] XSS detection toolkit https:// | ||
* TRY | * TRY | ||
Line 152: | Line 156: | ||
* tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations | * tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations | ||
* try | * try | ||
+ | |||
+ | ==== Vulnerable app / distro / hackme challenges ==== | ||
+ | * [2014] OWASP Insecure Web App Project | ||
+ | * InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling | ||
+ | * [2012] Mutillidae | ||
+ | * Mutillidae contains all of the vulnerabilties from the OWASP Top 10 | ||
+ | * TRY | ||
+ | * http:// | ||
+ | * [2013] OWASP Broken Web Applications Project https:// | ||
+ | * application with vulnerabilities, | ||
+ | * TRY | ||
+ | * Damn Vulnerable iOS Application https:// | ||
+ | * covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try | ||
+ | * [2011] Hackademic Challenges https:// | ||
+ | * vulnerable app, challenges: https:// | ||
+ | * TRY | ||
+ | * [2013] OWASP Security Shepherd https:// | ||
+ | * TRY: https:// | ||
+ | * security teaching application, | ||
+ | * [2015] Samurai Web Testing Framework http:// | ||
+ | * preinstalled Mutillidae, | ||
+ | |||
+ | ==== Security-supporting library ==== | ||
+ | |||
+ | * [2009] AntiSamy https:// | ||
+ | * API for ensuring user-supplied HTML/CSS is in compliance within an application' | ||
+ | * OWASP Enterprise Security API https:// | ||
+ | * Java, .NET, ASP, PHP, Python, JavaScript... | ||
+ | * TRY | ||
+ | * [2014] java-html-sanitizer https:// | ||
+ | * fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS | ||
+ | * [2014] JSON Sanitizer Project https:// | ||
+ | * Given JSON-like content, convert it to valid JSON. Java library | ||
+ | * [2015] Several Java web applications and command line applications covering different security topics: https:// | ||
+ | |||
+ | |||
+ | ==== Security processes and awareness ==== | ||
+ | * XSS prevention sheet https:// | ||
+ | |||
+ | |||
+ | |||
+ | |||
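Review bot: this hunk adds two empty lines after the "Security-supporting library" list and four after the "XSS prevention sheet" entry; drop the trailing blank lines. Within the new library section, AntiSamy and the Java sanitizers carry a year marker but the OWASP Enterprise Security API entry does not; add one for consistency. The "Security processes and awareness" section holds a single cheat-sheet link, which reads as a reference rather than a process; either add the process material the heading promises or fold the link into the library section it came from.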