Transcript
Page 1: Self Made Web 2.0 Security Testing

Self-Made Web 2.0 Security Testing

Sven Großmann, Timo Pagel

Page 2

Introduction

● Sven
  ○ Master's student, Information Technology
    ■ Focus: web technologies

● Timo
  ○ IT specialist, systems integration (Fachinformatiker Systemintegration)
  ○ Master's student, Information Technology
    ■ Focus: IT security

Page 3

Security expert

Managing director

Page 4

Tools of the white hat

● Vulnerability scans (DAST)
● Web application firewalls
● Code analysis (SAST)
● System hardening
● Security training
● Intrusion detection systems

Page 5

Tools of the black hat

● Web application
● SQL injection
● Cross-site scripting
● Security misconfiguration
● ...
● DAST

Page 6

DAST tools

● Burp (approx. $200)
● OWASP Zap
● w3af
● sqlmap/nosqlmap
● more at sectoolmarket.com [1]

[1] http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html


Page 8

A simple scan

● Spider
  ○ Coverage of the site structure
● Scan
  ○ Uncover vulnerabilities

Page 9

Scan the production environment?

Page 10

How it works

Proxy:

Spider/Scanner:

Adapted from: https://blog.codecentric.de/files/2013/10/overview.png

Page 11

A simple scan

Demo: OWASP Zap and WackoPicko

Page 12

How it works

Proxy:

Spider/Scanner:

AjaxSpider:

Adapted from: https://blog.codecentric.de/files/2013/10/overview.png
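The spider step from page 8 (coverage of the site structure) and the separate AjaxSpider on page 12 are illustrated by the following toy crawler, which is an added example and not code from the talk or from OWASP ZAP: it crawls a constructed in-memory site (hostname `wackopicko.test`, pages and the helper names `spider` and `coverage_gap` are all invented here) and reports which pages a static HTML spider reaches and which it misses because their only link is written by JavaScript.

```python
# Toy spider over a constructed in-memory site: what a static HTML spider
# covers, and what it misses when links are written by JavaScript (the gap
# ZAP's AjaxSpider is meant to close). Not code from the talk or from ZAP.
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

# Constructed sample site; hostname and pages are invented for this example.
# The picture view page is only linked from JavaScript output.
SITE = {
    "http://wackopicko.test/":
        '<a href="/login.php">Login</a> <a href="/pictures/">Pictures</a>',
    "http://wackopicko.test/login.php":
        '<form action="/login.php"></form> <a href="/">Home</a>',
    "http://wackopicko.test/pictures/":
        '<script>document.write(\'<a href="/pictures/view.php?id=1">1</a>\')</script>',
    "http://wackopicko.test/pictures/view.php?id=1": '<a href="/pictures/">Back</a>',
}

class LinkParser(HTMLParser):
    """Collect href values of static <a> tags; <script> bodies are data, not tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def spider(start, fetch):
    """Breadth-first crawl from `start`, same host only. `fetch(url)` returns the
    body or None. The returned set is the spider's coverage of the site structure."""
    host = urlparse(start).netloc
    seen, queue = {start}, deque([start])
    while queue:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        parser = LinkParser()
        parser.feed(body)
        for href in parser.hrefs:
            target = urldefrag(urljoin(url, href)).url  # drop #fragments
            if urlparse(target).netloc == host and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen

def coverage_gap(start, fetch, site):
    """Pages that exist but the static spider never reached; nothing there is
    scanned unless a JavaScript-aware spider (AjaxSpider) discovers it first."""
    return set(site) - spider(start, fetch)
```

Running `coverage_gap("http://wackopicko.test/", SITE.get, SITE)` returns only the picture view page, the part of the site a scanner would never test after a classic spider alone.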

Page 13

OWASP Top Ten

● A1 Injection
● A2 Broken Authentication and Session Management
● A3 Cross-Site Scripting (XSS)
● A4 Insecure Direct Object References
● A5 Security Misconfiguration
● A6 Sensitive Data Exposure
● A7 Missing Function Level Access Control
● A8 Cross-Site Request Forgery (CSRF)
● A9 Using Components with Known Vulnerabilities
● A10 Unvalidated Redirects and Forwards

Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Page 14

Thank you

Contact:

Timo Pagel: [email protected]
Sven Großmann:

Page 15

Image sources

Disney Interactive: http://www.starwars.com/

