
Using Proxies To Secure Applications And More

The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.



  1. By Josh Sokol
  2. # whoami
     • Josh Sokol (josh.sokol@ni.com)
     • B.S. in Computer Science
     • Cisco Certified Network Associate (CCNA)
     • SANS GIAC in Web Application Security (GWAS)
     • Web Systems Engineer for National Instruments
     • Own the Web Systems “Security Practice”
  3. Some Questions To Be Answered
     • What’s this proxy thing everyone is talking about?
     • When and why should I use a proxy?
     • My company doesn’t like to spend money on security, so why are you wasting my time?
     • Talk is cheap… show me how it works!
  4. What is a Proxy?
     • A process that accepts requests for some service and passes them on to the real server.
     (Diagram: Request → Proxy → Request)
  5. Types of Proxies
     • Caching Proxy
     • Web Proxy
     • Content-filtering Web Proxy
     • Anonymizing Proxy
     • Hostile Proxy
     • Intercepting Proxy
     • Forced Proxy
     • Open Proxy
     • Reverse Proxy
  6. Act I – Anonymizing Proxies
     • Firefox
     • Extension: SwitchProxy
     • Tor and Privoxy
  7. Anonymizing Proxies
     • http://www.whatismyip.com
     • Start Tor and Privoxy
     • Select “Tor” from SwitchProxy
     • http://www.whatismyip.com
     • Am I really anonymous?
     • Kinda, but not really. My HTTP requests are being passed through the proxy, but what about DNS? Also, does my proxy know who I am? Yes!
     • Problems
       • Speed
       • False sense of security
  8. Proxy 4 Free List
     • http://www.proxy4free.com/page1.html
  9. Act II – Reverse Proxies
     • Apache
     • mod_proxy
  10. Reverse Proxies
     ProxyRequests Off
     <Location /owasp>
         ProxyPass http://www.owasp.org
         ProxyPassReverse http://www.owasp.org
         Order allow,deny
         allow from all
     </Location>
     • http://doughboy.homeip.net/owasp
  11. Benefits of Reverse Proxies
     • A single machine acts as a gateway to the real servers in the network.
     • Use mod_cache (and mod_mem_cache) to keep static documents in memory.
     • Single point of authentication
  12. Act III – Intercepting Proxies
     • Firefox
     • Extension: SwitchProxy
     • Extension: Tamper Data | Google Ratproxy | OWASP WebScarab
  13. Tamper Data
     • Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters.
     • Trace and time HTTP requests and responses.
     • Security-test web applications by modifying POST parameters.
  14. Tamper Data Example
     • http://www.altoromutual.com
     • Username: jsmith
     • Password: Demo1234
  15. Google Ratproxy
     • A semi-automated, largely passive web application security audit tool, optimized for accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex Web 2.0 environments.
     • Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
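As an added example (not code from the slides or from Ratproxy itself), here is a small passive check in the spirit of Ratproxy's audit: it takes one captured HTTP response, as an intercepting proxy would see it, and flags the kinds of problems the slide lists (a content-type mismatch, cookies missing HttpOnly/Secure, script inclusion from another domain, and a POST form with no hidden anti-XSRF token field). The two sample responses, the host name and the function names are constructed for illustration.

```python
# Added example (not Ratproxy's code): a passive, Ratproxy-style audit of one
# captured HTTP response. Sample responses and host names are constructed.
import re
from urllib.parse import urlparse
SITE_HOST = "www.example.com"  # assumed host of the application under test

# Constructed response showing several of the problems Ratproxy flags
BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n\r\n"
    b"<html><body><script src='http://cdn.example.net/lib.js'></script>"
    b"<form method='POST' action='/transfer'><input name='amount'>"
    b"<input type='submit'></form></body></html>")
# Constructed response that passes every check below
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
    b"<html><body><script src='/static/lib.js'></script>"
    b"<form method='POST' action='/transfer'><input type='hidden' "
    b"name='csrf' value='t0k3n'><input name='amount'></form></body></html>")

def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers, body.decode("utf-8", "replace")

def audit_response(raw, site_host=SITE_HOST):
    """Return a list of finding strings for one captured response."""
    _, headers, body = parse_response(raw)
    findings = []
    ctype = next((v for n, v in headers if n == "content-type"), "")
    if re.search(r"<html|<form|<script", body, re.I) and \
            not ctype.lower().startswith("text/html"):  # content serving problem
        findings.append("HTML body served as %r (content-type mismatch)" % ctype)
    for n, v in headers:  # cookies readable by script / sent in clear
        if n == "set-cookie":
            attrs = {a.strip().lower() for a in v.split(";")[1:]}
            findings += ["cookie %s lacks %s" % (v.split("=", 1)[0], f)
                         for f in ("httponly", "secure") if f not in attrs]
    for src in re.findall(r"<script[^>]+src=['\"]([^'\"]+)", body, re.I):
        host = urlparse(src).hostname  # script inclusion from another domain
        if host and host != site_host:
            findings.append("cross-domain script inclusion: " + src)
    for form in re.findall(r"<form[^>]*method=['\"]post['\"][^>]*>(.*?)</form>",
                           body, re.I | re.S):  # state-changing form, no token
        if not re.search(r"type=['\"]hidden['\"]", form, re.I):
            findings.append("POST form without a hidden anti-XSRF token field")
    return findings
```

Running the audit over the two constructed responses yields five findings for the first and none for the second; a real run would feed it every response the proxy records.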
  16. Using Ratproxy with Cygwin
     • Install Cygwin with make, gcc-core, openssl-dev, and the openssl utilities.
     • Download Ratproxy.
     • Modify the makefile by removing “-Wno-pointer-sign”.
     • Download the Flare ActionScript decompiler.
     • “make” Ratproxy.
     • Add the Cygwin libraries to your Windows path.
  17. Google Ratproxy Example
     • ratproxy.exe -v C:\cygwin -w ratproxy.log -p 8282 -d yourdomain.com -lfscm
     • Tell SwitchProxy to use Ratproxy.
     • Surf!
     • sh ratproxy-report.sh ratproxy.log > report.html
  18. OWASP WebScarab
     • WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.
     • In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.
  19. OWASP WebScarab Example
     • Start WebScarab.
     • Check the “Proxy” tab to verify the port configuration.
     • Tell SwitchProxy to use WebScarab.
     • Surf http://www.altoromutual.com!
     • Change cookie information.
     • Change GET/POST information.
  20. OWASP WebScarab Example 2
     • Web Services
     • Google search for inurl:"?wsdl"
     • http://www.altoromutual.com/bank/ws.asmx?WSDL
     • http://www.weather.gov/forecasts/xml/SOAP_server/ndfdXMLserver.php?wsdl
     • http://terraservice.net/TerraService.asmx?WSDL
     • http://webservices.amazon.com/AWSECommerceService/AWSECommerceService.wsdl
  21. Other Cool Features of WebScarab
     • Site Spider
     • XSS/CSRF
     • Session ID Analysis
     • Fuzzer
  22. Other FREE Proxy Software
     • Paros (http://www.parosproxy.org/)
       • Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
     • Burp Suite (http://portswigger.net/suite/)
       • Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.