Self-Made Web 2.0 Security Testing Sven Großmann, Timo Pagel

DESCRIPTION

Security testing with OWASP ZAP
Page 1: Self Made Web 2.0 Security Testing

Self-Made Web 2.0 Security Testing
Sven Großmann, Timo Pagel

Page 2

Introduction
● Sven
  ○ Master's student, Information Technology
    ■ Focus: web technologies
● Timo
  ○ IT specialist (systems integration)
  ○ Master's student, Information Technology
    ■ Focus: IT security

Page 3

Security expert / Managing director

Page 4

Tools of the white hat
● Vulnerability scans (DAST)
● Web application firewalls
● Code analysis (SAST)
● System hardening
● Security training
● Intrusion detection systems

Page 5

Tools of the black hat
● Web application
  ○ SQL injection
  ○ Cross-site scripting
  ○ Security misconfiguration
  ○ ...
● DAST

Page 6

DAST tools
● Burp (approx. 200 $)
● OWASP ZAP
● w3af
● sqlmap/nosqlmap
● more at sectoolmarket.com [1]

[1] http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html

Page 8

A simple scan
● Spider
  ○ Coverage of the site structure
● Scan
  ○ Uncover vulnerabilities

Page 9

Scan the production environment?
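The spider-then-scan workflow of the previous slide, with a guard for the question this slide asks, as an added example that is not part of the original talk. It drives OWASP ZAP through its JSON API (spider, ascan and core/alerts endpoints); the ZAP address, API key and the allowlisted staging host are assumptions.

```python
"""Spider, then active scan, then collect alerts through the OWASP ZAP JSON API.
Assumptions (not from the slides): ZAP listens on localhost:8080 with an API key,
and only hosts listed in ALLOWED_HOSTS may be scanned (never production)."""
import json
import time
import urllib.parse
import urllib.request

ALLOWED_HOSTS = {"wackopicko.staging.example"}  # constructed placeholder, not a real host


class ZapClient:
    """Thin wrapper: GET {base}/JSON/{component}/{kind}/{action}/?...&apikey=..."""

    def __init__(self, base="http://localhost:8080", apikey="CHANGE-ME"):
        self.base, self.apikey = base, apikey

    def call(self, component, kind, action, **params):
        params["apikey"] = self.apikey
        url = f"{self.base}/JSON/{component}/{kind}/{action}/?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)


def allowed_target(target, allowlist):
    """Answer to 'scan production?': only hosts we explicitly staged for testing."""
    return urllib.parse.urlparse(target).hostname in allowlist


def wait_for(client, component, scan_id, poll=2.0):
    """Spider and ascan both expose view/status, returning a percentage as a string."""
    while int(client.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)


def run_basic_scan(client, target, allowlist=ALLOWED_HOSTS, poll=2.0):
    """Spider for coverage of the site structure, then active scan to uncover findings."""
    if not allowed_target(target, allowlist):
        raise ValueError(f"refusing to scan {target}: host not in allowlist")
    spider_id = client.call("spider", "action", "scan", url=target)["scan"]
    wait_for(client, "spider", spider_id, poll)
    ascan_id = client.call("ascan", "action", "scan", url=target)["scan"]
    wait_for(client, "ascan", ascan_id, poll)
    alerts = client.call("core", "view", "alerts", baseurl=target)["alerts"]
    by_risk = {}  # e.g. {"High": ["SQL Injection"], "Medium": [...]}
    for alert in alerts:
        by_risk.setdefault(alert["risk"], []).append(alert["alert"])
    return by_risk


if __name__ == "__main__":
    for risk, names in run_basic_scan(ZapClient(), "http://wackopicko.staging.example/").items():
        print(risk, sorted(set(names)))
```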

Page 10

How it works
Proxy:

Spider/Scanner:

Based on: https://blog.codecentric.de/files/2013/10/overview.png

Page 11

A simple scan
Demo: OWASP ZAP and WackoPicko

Page 12

How it works
Proxy:

Spider/Scanner:

AjaxSpider:

Based on: https://blog.codecentric.de/files/2013/10/overview.png

Page 13

OWASP Top Ten
● A1 Injection
● A2 Broken Authentication and Session Management
● A3 Cross-Site Scripting (XSS)
● A4 Insecure Direct Object References
● A5 Security Misconfiguration
● A6 Sensitive Data Exposure
● A7 Missing Function Level Access Control
● A8 Cross-Site Request Forgery (CSRF)
● A9 Using Components with Known Vulnerabilities
● A10 Unvalidated Redirects and Forwards

Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Page 14

Thank you
Contact:

Timo Pagel: [email protected]
Sven Großmann:

Page 15

Image sources
Disney Interactive: http://www.starwars.com/