2. Would you vote for this talk
as the best if...?
A. If it's funny
B. If it's useful to my job
C. Dude, I know you want to win
the iPad, you are down to 4 min
and 37 seconds, stop surveying
and start talking!
Tuesday, December 18, 12
10. “[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT
STRUCTURED INADEQUACY IS
ALMOST AS GOOD AS ADEQUACY
AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS
GOOD AS PROPERLY FUNDED
SECURITY WORK” - MICHAL ZALEWSKI
17. Put your code through the Gauntlet
[diagram: Your web app sits between You and a gauntlet of attack tools: w3af, garmr, sqlmap, generic fuzzers, curl, sslyze, nmap]
18. GAUNTLT ALLOWS DEV AND
OPS AND SECURITY TO
COMMUNICATE
19. install gauntlt
$ gem install gauntlt
# download example attacks from github
# customize the example attacks
# now you can run gauntlt
$ gauntlt
# gauntlt looks for *.attack in its
# directory
Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples
20. nmap.attack
@slow
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
21. running gauntlt with failing tests
wickett$ gauntlt
@slow
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
22. running gauntlt with passing tests
wickett$ gauntlt
@slow
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 passed)
5 steps (5 passed)
0m18.341s
23. Feature: Run sqlmap against a target
Scenario: Identify SQL injection vulnerabilities
Given "sqlmap" is installed
And the target URL is "http://localhost?id=1"
When I launch a "sqlmap" attack with:
"""
python <sqlmap_path> -u <target_url>
"""
Then the output should contain:
"""
sqlmap identified the following injection points
"""
24-34. The same feature, annotated line by line (the callouts from the build-up slides):
Given "sqlmap" is installed -> setup step: verify the tool is present
And the target URL is "http://localhost?id=1" -> setup step: set config
When I launch a "sqlmap" attack with: -> attack!
<sqlmap_path>, <target_url> -> env/param placeholders: get config, filled in at run time
Then the output should contain: -> assert
"sqlmap identified the following injection points" -> the needle
the attack's captured output -> the haystack the needle is searched for in
Note the polarity: as written, this scenario passes when sqlmap does find an injection point. As a gate in a build you would assert that the output should not contain that line, as the nmap example does for unexpected ports.
35. The step definitions (Ruby) behind the sqlmap steps:
Given /^"sqlmap" is installed$/ do
ensure_python_script_installed('sqlmap')
end
When /^I launch an? "sqlmap" attack with:$/ do |command|
sqlmap_path = path_to_python_script("sqlmap")
command.gsub!('<target_url>', target_url)
command.gsub!('<sqlmap_path>', sqlmap_path)
run command
end
36-40. The same step definitions, annotated (the callouts from the build-up slides):
Given /^"sqlmap" is installed$/ do ... end -> step definition for the setup step, written in Ruby
command.gsub!('<target_url>', ...) and command.gsub!('<sqlmap_path>', ...) -> the step definition fills the placeholders in from config
run command -> execute the attack; its output becomes the haystack for the Then step
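The nmap.attack slides (20-22) and the sqlmap walkthrough (23-40) show the four moving parts of an attack file: a profile/config, a command template with <placeholder> tokens, a tool run, and a needle/haystack assertion on the captured output. The following is an added example, not gauntlt's own code and not from the talk: a stand-alone Ruby model of that pipeline. The profile table, the command template and the sample nmap output are constructed here for illustration, and the function names (parse_profile, expand_command, run_attack, failed_expectations, run_scenario) and the FAKE_NMAP runner are this example's own, not gauntlt's API.

```ruby
require 'open3'

# Constructed profile table in the same shape as the one in nmap.attack.
PROFILE_TABLE = <<~TABLE
  | name           | value        |
  | hostname       | example.com  |
  | tcp_ping_ports | 22,25,80,443 |
TABLE

# Constructed stand-in for what `nmap -F` prints (not real scan data). Note
# that nmap pads its columns, so a needle has to match that spacing exactly.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Starting Nmap ( http://nmap.org )
  Nmap scan report for example.com (192.0.2.10)
  PORT    STATE SERVICE
  22/tcp  open  ssh
  80/tcp  open  http
  443/tcp open  https
OUT

# A runner that returns the constructed output instead of scanning anything,
# so the assertion logic can be exercised offline (hypothetical helper).
FAKE_NMAP = ->(_command) { [SAMPLE_NMAP_OUTPUT, 0] }

# "And the following profile:" -- parse the Gherkin table (header row skipped)
# into a Hash of name => value.
def parse_profile(table)
  rows = table.lines.map(&:strip).reject(&:empty?)
  rows.drop(1).each_with_object({}) do |row, profile|
    name, value = row.split('|').map(&:strip).reject(&:empty?)
    profile[name] = value
  end
end

# "get config" -- replace every <placeholder> in the command template with the
# profile value of that name. An unknown placeholder raises instead of quietly
# launching a command with a literal "<hostname>" in it.
def expand_command(template, profile)
  template.strip.gsub(/<([a-z_]+)>/) do
    profile.fetch(Regexp.last_match(1)) { |k| raise KeyError, "no profile value for <#{k}>" }
  end
end

# "attack!" -- execute the command and capture stdout and stderr together;
# that text is the haystack the assertions search.
def run_attack(command)
  output, status = Open3.capture2e(command)
  [output, status.exitstatus]
end

# "assert" -- expectations are [:contain, needle] or [:not_contain, needle]
# pairs; returns the ones that did not hold, in order.
def failed_expectations(output, expectations)
  expectations.reject do |kind, needle|
    found = output.include?(needle)
    kind == :contain ? found : !found
  end
end

# Tie the steps together: setup, config, attack, assert. The runner is
# swappable so the same scenario can be checked without a real scan.
def run_scenario(profile_table, template, expectations, runner = method(:run_attack))
  profile = parse_profile(profile_table)
  command = expand_command(template, profile)
  output, exit_status = runner.call(command)
  { command: command, exit_status: exit_status, failures: failed_expectations(output, expectations) }
end

if __FILE__ == $PROGRAM_NAME
  result = run_scenario(PROFILE_TABLE, 'nmap -F <hostname>',
                        [[:contain, '80/tcp  open  http'], [:not_contain, '25/tcp']],
                        FAKE_NMAP)
  puts "ran: #{result[:command]}"
  puts(result[:failures].empty? ? '1 scenario (1 passed)' : "1 scenario (1 failed): #{result[:failures].inspect}")
end
```

Two things this makes visible that the slides do not: the assertion is a plain substring match, so a needle copied from a slide with collapsed whitespace will never match nmap's padded columns, and the placeholder substitution is the only thing standing between a config typo and a scan of the wrong host, which is why the example refuses to run when a placeholder has no value.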