bsides 2015 intro to web app pen testing with mutillidae

Andrew Freeborn, Intro to Web App Testing with Mutillidae, BSides Iowa 2015, 18 Apr 2015

Upload: andrew242

Post on 18-Aug-2015


TRANSCRIPT

Andrew Freeborn

Intro to Web App Testing with Mutillidae

BSides Iowa 2015, 18 Apr 2015

Things to cover today

❖ What is this Mutillidae?

❖ Tools for the job

❖ Web App Pen Tester techniques

❖ Learning with Mutillidae

❖ Demo

❖ Links and QA

What is this Mutillidae?

❖ Mutillidae is an OWASP project, currently maintained by Jeremy Druin / Twitter: @webpwnized

❖ A Pen Test friendly web application

❖ Focused on OWASP Top Ten lists and testing methodologies

❖ Quick to set up and highly accessible

Tools for the job

❖ Relatively new computer (~4 years old or less)

❖ VMWare Player, VirtualBox, Hyper-V, or your host OS

❖ At least 30GB of HD space if installed; 4GB of RAM

❖ Mutillidae!

❖ Optional: Samurai WTF Linux distribution (live CD or can be installed)

❖ OWASP ZAP or Burp Suite if not using Samurai WTF

Web App Pen Tester techniques

❖ Super fun to point tools at things and let them do their thing

❖ How do we learn techniques from doing things like that though?

❖ How can I test vulnerabilities that come up where those tools may or may not be available or work?

❖ How can I ensure that a tool works as expected and a repeated test can find the same issues as last time?

Web App Pen Tester techniques 2

❖ OWASP Testing Guide v4

❖ OWASP Top 10 2013

❖ PCI Pen Testing Guidance (March 2015)

❖ PTES

❖ NIST 800-115

Learning with Mutillidae

❖ Step 1: Tools? Check. Techniques and Procedures? Check.

❖ Step 2: We have Samurai WTF up and running on a VM

❖ Step 3: ???

❖ Step 4: PROFIT

Actually learning with Mutillidae

❖ As mentioned earlier, vulnerabilities are broken out by various subjects and categories

❖ Modeled after the OWASP Top 10s along with various extra scenarios

❖ Starts out easy and the difficulty can be increased

❖ Hints and walkthroughs are throughout the site

Demo

❖ XSS

❖ XSS 2

❖ XSS Proxy

Links and QA

❖ Mutillidae: www.owasp.org/index.php/OWASP_Mutillidae_2_Project

❖ Samurai WTF: samurai.inguardians.com

❖ OWASP Testing Guide v4: www.owasp.org/index.php/OWASP_Testing_Project

❖ OWASP Top 10 2013: www.owasp.org/index.php/Top_10_2013-Top_10

❖ PCI Pen Testing Guidance: www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

❖ PTES: www.pentest-standard.org/index.php/Main_Page

❖ NIST SP 800-115: csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

❖ 12 part series on Mutillidae: www.youtube.com/watch?v=rNkR1Joz4eU

[email protected] / @maendarb