Monday, May 28, 2012

Web Vulnerability Scanners

When you are performing Penetration Testing, usually the first tier you will want to address is the HTTP(S) web URL you have exposed to the outside. Low-budget companies usually opt to rely on their software developers to take care of this area, and while that can look like a cheap path, be aware that this is like investing in a Fund that does its own accounting: where is the Audit, really?

I like separation of concerns and every time I can afford it I divide the team according to responsibilities.

When I cannot afford it then at the minimum I ask for documentation that addresses the particular concern in isolation.

A company risks too much if it decides to go without a BCP or DR plan. A company without a PenTest plan is risking as much or probably more. But when you see the huge number of tools in the market and the zillions of security lists and reports you naturally get scared and probably start trying to put controls in many different tiers at the same time. The Web Tier is a good starting point: your doors have been opened there to the public, so you had better put some controls in place and, yes, Audit them!

PenTesting is not difficult when you know the Web protocols, and most likely your developers, DevOps engineers and sysadmins know them. The problem is that it is a time-consuming task that demands not just knowing the protocols and how to use the tools but also a lot of reading, research and community interaction. As usual, a certain passion for this job is a must-have for the team in charge. Knowing good Math will never by itself make you a great Accountant.

I have decided to spend the long weekend testing tools to make sure I can put some guidelines in place for the security team. I know the tools we use will change, but at least this is a starting point. I hope this will be useful for others starting out in the PenTest arena. The site seclists.org has been my home page for some time now, and I can tell you the more you read the more you realize how little you know about protecting your applications.

Here is the list of those tools I have been using so far as Web Vulnerability Scanners. Note that they complement each other: I use them all because some of them will report issues the others won't. An extensive list of these is found in the BackTrack distro (WebSecurify is a Chrome extension though):
  1. SkipFish: After running the command below (with $site set to the target host), the warnings and errors are reported starting at output_${site}/index.html. As usual some of them are false positives, but everything must be inspected. Sometimes big vulnerabilities hide behind "info" level warnings:
    ./skipfish -S dictionaries/complete.wl -o output_${site} http://${site}

  2. WebSecurify Chrome extension: Like SkipFish above, all messages should be inspected and analyzed. Just supply the URL in the web form to scan the app.
  3. Nikto: Use the command below to scan the app (-o writes the report; the original post had -v here, which is not Nikto's output option). Press "v" once the scan starts to get verbose information:
    perl nikto.pl -h $site -o output_${site}.html -p 443

  4. w3af: Just use the w3af GUI and provide the URL.
  5. OWASP ZAP: Make sure from the options that the proxy is configured to listen on an available port. Configure a browser to use the local IP and the configured port as an HTTP proxy for both secure and insecure requests. You should then see the target site listed. At that point run an "active scan" against it.

PenTest Weekend Conclusions

False positives: These are common with all of the packages. In some you will notice errors about PHP (modules.php) and ASP (members.asp) resources which do not exist, as you are running a J2EE app. WebSecurify, for example, lists faq and terms as paths containing vulnerabilities when in fact your application does not use those paths at all. These false positives might be related to redirections to the login form, for example.
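A triage helper for the false-positive pattern just described, added here as an example and not part of the original post: it re-requests each path a scanner flagged without following redirects, and labels the ones that merely bounce to the login form so the remaining findings can be inspected first. The login path, the constructed stand-in application (standing in for the J2EE app) and the sample paths are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
LOGIN_PATH = "/login"  # assumed path of the app's login form

def probe(base_url, path):
    """GET path WITHOUT following redirects; return (status, Location header)."""
    parts = urlsplit(base_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    location = resp.getheader("Location", "")
    resp.read()
    conn.close()
    return resp.status, location

def classify(status, location):
    # A bounce to the login form means the scanner never saw the resource it reported.
    if 300 <= status < 400 and urlsplit(location).path == LOGIN_PATH:
        return "redirect-to-login (likely false positive)"
    if status == 404:
        return "not found (false positive)"
    if status == 200:
        return "exists (inspect)"
    return f"status {status} (inspect)"

def triage(base_url, paths):
    return {p: classify(*probe(base_url, p)) for p in paths}

class FakeApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the J2EE app: unknown paths bounce to the login form."""
    def do_GET(self):
        if self.path in ("/", LOGIN_PATH):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html><form action='/login'></form></html>")
        elif self.path == "/robots.txt":
            self.send_response(404)
            self.end_headers()
        else:
            self.send_response(302)
            self.send_header("Location", LOGIN_PATH)
            self.end_headers()

def start_fake_app():
    # Serves the constructed app on a random loopback port; returns (server, base_url).
    srv = HTTPServer(("127.0.0.1", 0), FakeApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"
```

Run `triage(base_url, paths)` against a scanner's reported paths; anything labelled "exists (inspect)" or "status N (inspect)" is what deserves manual attention.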

No Silver Bullet: w3af was the only one detecting clickjacking threats this time. I am happy it found something, as my last use of the tool had almost convinced me I could live without it.

Proxy interceptors: Of those available in the market free as in beer, OWASP ZAP is the one that has given me the best results so far.
