CIS 4615 meeting -*- Outline -*-

* analysis tools for detecting vulnerabilities

Based in part on the OWASP Testing Guide
https://www.owasp.org/index.php/OWASP_Testing_Project

** goals

------------------------------------------
GOALS OF DYNAMIC CHECKERS (TESTING)

- Find potential vulnerabilities
  (100% precision, no false positives)
  for

- Order warnings by severity
------------------------------------------
... known types of vulnerabilities

*** examples

These all use the files from Homework 3 from Fall 2015
found in the subdirectory hw3 here.

**** penetration testing

------------------------------------------
PENETRATION TESTING

Hacking to see if a system is vulnerable

- from outside
  - Look for (top N) vulnerabilities
  - scanning tools

- from inside
  - insecure passwords
  - unencrypted communication
  - outdated software

- Social engineering tests

Need PERMISSION from system owner!
------------------------------------------

Q: What can happen if you don't get permission?

   Would be illegal, could go to jail...

***** ZAP tool

------------------------------------------
EXAMPLE TOOL: OWASP'S ZAP

See https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

- free, open source
- only needs Java 7

Quick Start Attack
- finds all web pages beneath a URL
- attacks all of them

Manual-guided attack
- proxy your browser via ZAP

Can be used in continuous integration
------------------------------------------

There are also several commercial tools that work similarly,
including IBM's AppScan.

***** Metasploit network vulnerability tool

------------------------------------------
NETWORK VULNERABILITY TOOL

Metasploit

See http://www.metasploit.com/

- can find network attacks
- finds attacks and exploits
- finds weak credentials
- can simulate phishing attacks
------------------------------------------

**** web application problems

------------------------------------------
VEGA: TESTING FOR XSS, SQL INJECTION, ETC.
See https://subgraph.com/vega/

- Automated scanner
- Intercepting Proxy
------------------------------------------

**** SQL injection attacks

------------------------------------------
TOOLS FOR FINDING SQL INJECTIONS

w3af: See http://w3af.org/
- Scripting to automate finding vulnerabilities
- Fuzzing engine

SQLMap: See http://sqlmap.org/
------------------------------------------

**** weak password detection

------------------------------------------
TOOLS FOR FINDING PASSWORDS

John the Ripper: http://www.openwall.com/john/
------------------------------------------

**** fuzz testing

------------------------------------------
FUZZ TESTING

Goal: look for error conditions triggered by

Procedure:
1. Generate inputs
   - at random, or
   - using "fuzz vector" of data
     (perhaps with mutation)
2. Record what inputs lead to
------------------------------------------
... program crash
... particular parameter values

------------------------------------------
FUZZ TESTING TECHNIQUES

- Recursive: replacing part of a request with all possible

  e.g., http://www.example.com/8302fa3b
        using all hex digits generates

- Replacive: replacing part of a request with a fixed value

  e.g., using
------------------------------------------
... combinations from some set (or a random subset)
... 16^8 requests
    http://www.example.com/00000000 to http://www.example.com/ffffffff
... for XSS attacks
    http://www.example.com/>">&
    http://www.example.com/'';!--"=&{()}

these are called "fuzz vectors"

You can find online or design fuzz vectors for format string attacks,
integer overflow attacks, SQL injection, command injection, etc.

Q: Which do you think works better, random inputs or predefined vectors?

   The vectors should.
   So usually the best fuzz testers have some model
   of the kind of errors that are possible.
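The following is an added example (not part of the course notes and not code from any of the tools named above) showing the two-step fuzz procedure and both techniques in a small Python harness. The target, `toy_handler`, is a constructed in-memory request handler with deliberate defects so that the harness runs offline against code you own; the fuzz vectors are the two XSS strings from the notes plus a constructed over-long string. The names `recursive_inputs`, `replacive_inputs`, `run_fuzz` and `summarize` are this example's own. The recursive pass uses width 2 (16^2 = 256 requests) rather than the 16^8 of the notes so that it finishes instantly.

```python
"""Added example: a minimal fuzz harness for a toy request handler.

Step 1 (generate inputs) is done two ways, matching the notes:
  - recursive: every combination of a character set in one position
  - replacive: a fixed list of fuzz vectors in that position
Step 2 (record what inputs lead to ...) is done by run_fuzz, which logs
crashes and inputs that were echoed back into HTML unescaped (the
reflection check is what an XSS fuzzer looks for).
"""
import itertools
from typing import Callable, Iterable, Iterator, List, Tuple

HEX = "0123456789abcdef"
PLACEHOLDER = "{id}"          # marks the part of the request being fuzzed
MARKUP = '<>"\'&'             # characters that matter if reflected into HTML

# Fuzz vectors: the two XSS strings from the notes plus a constructed
# long string that probes length handling.
FUZZ_VECTORS = ['>">&', "'';!--\"=&{()}", "A" * 1024]

# Constructed toy back end: 250 records with two-hex-digit ids 00..f9,
# so ids fa..ff are deliberately missing.
RECORDS = {f"{i:02x}": f"record-{i}" for i in range(250)}


def toy_handler(url: str) -> str:
    """Constructed toy web handler with deliberate defects for the harness
    to find: it raises on ids the table lacks, raises on over-long ids,
    and reflects any non-hex id into HTML without encoding it."""
    path = url.rsplit("/", 1)[1]
    if len(path) > 256:
        raise RuntimeError("simulated buffer overflow")
    if all(c in HEX for c in path):
        return f"<p>{RECORDS[path]}</p>"      # KeyError for fa..ff
    return f"<p>bad id: {path}</p>"           # reflected without escaping


def recursive_inputs(template: str, width: int, alphabet: str = HEX) -> Iterator[str]:
    """Recursive fuzzing: every `width`-character combination of `alphabet`
    substituted for the placeholder (width 8 over hex is the 16^8 case)."""
    for combo in itertools.product(alphabet, repeat=width):
        yield template.replace(PLACEHOLDER, "".join(combo))


def replacive_inputs(template: str, vectors: Iterable[str]) -> Iterator[str]:
    """Replacive fuzzing: substitute each fixed fuzz vector for the placeholder."""
    for vector in vectors:
        yield template.replace(PLACEHOLDER, vector)


def run_fuzz(target: Callable[[str], str], urls: Iterable[str]) -> List[Tuple[str, str]]:
    """Send every fuzzed URL to `target` and record (fuzzed_value, kind)
    for each crash and for each value reflected unescaped into the body."""
    findings: List[Tuple[str, str]] = []
    for url in urls:
        fuzzed = url.rsplit("/", 1)[1]
        try:
            body = target(url)
        except Exception as exc:              # a crash is a finding, not a stop
            findings.append((fuzzed, "crash:" + type(exc).__name__))
            continue
        if fuzzed in body and any(c in fuzzed for c in MARKUP):
            findings.append((fuzzed, "reflected"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> dict:
    """Count findings by kind, e.g. {'crash:KeyError': 6}."""
    counts: dict = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    template = "http://www.example.com/" + PLACEHOLDER
    rec = run_fuzz(toy_handler, recursive_inputs(template, width=2))
    rep = run_fuzz(toy_handler, replacive_inputs(template, FUZZ_VECTORS))
    print("recursive (16^2 requests):", summarize(rec))   # {'crash:KeyError': 6}
    print("replacive (fuzz vectors): ", summarize(rep))   # 2 reflected, 1 crash
```

The two passes find different defects, which is the point of the question above: exhaustive enumeration turns up the missing-id crash that no XSS vector would hit, while the hand-picked vectors find the unescaped reflection and the length bug in three requests instead of thousands. A real harness would send the URLs over HTTP and treat timeouts and 5xx responses as the "crash" category; the classification logic stays the same.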
------------------------------------------
WEB SERVICES FUZZ TESTING

OWASP WSFuzzer, for SOAP, see:
https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
- automates SOAP penetration testing

OWASP JBroFuzz, for HTTP or HTTPS, see:
https://www.owasp.org/index.php/JBroFuzz
- generates requests, sends them, records responses
- human guided:
  - selects fuzzers
  - looks at output to see what happened
------------------------------------------

*** practice

------------------------------------------
PRACTICE WEBSITES

For penetration testing

See https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Online

e.g., hackthissite.org
------------------------------------------