Tel.+41 55-214 41 60
Fax+41 55-214 41 61
www.csnc.ch
Compass Security AG
Glärnischstrasse 7
Postfach 1628
CH-8640 Rapperswil
Web Security Tools
Web Security Wargames
© Compass Security AG   Slide 2   www.csnc.ch
How to analyze Web Applications
- Inspection Proxies: Paros, Burp, Web Scarab, Charles Proxy
- Firefox: Firebug; Tamper Data | LiveHttpHeader | SwitchProxy | Add N Cookie Editor
- Internet Explorer: Fiddler, HttpAnalyze
- Opera: Java Script Debugger
Inspection Proxy
Inspection Proxies
Introduction
- An HTTP/S request modification tool
- Is an HTTP proxy
Features
- HTTPS traffic inspection by terminating the HTTPS connection at the proxy
- On-the-fly request modification based on regular expressions
- Record and replay of whole HTTP requests
[Diagram: Browser <--HTTP/S--> Inspection Proxy <--HTTP/S--> Server; the proxy is operated from a Console and holds a Request Repository and the Regular Expressions]
Configure Proxy in Browser
1. Start the browser
2. Configure your Firefox by plug-in or manually
3. Modify the proxy settings: http 127.0.0.1:8080, https 127.0.0.1:8080
4. Press the OK or Apply button to activate the settings
Proxy: Paros
Usage
1. Switch to the 'Trap' pane
2. Tick the 'Trap Request' checkbox to intercept requests
3. Change the request's parameters directly in the 'Header' or 'Body' text area
4. Click 'Continue' to release the modified request
Proxy: Paros
Header Auto Replacement
1. Switch to the 'Filters' pane
2. Check the 'ReplaceRequestHeader' box
3. Click the 'ReplaceRequestHeader' button, insert your regular expression and activate it
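The slides above name three things an inspection proxy does with a request (regular-expression based modification, a request repository, and replay), and the Paros 'ReplaceRequestHeader' filter is one instance of the first. The following Python is an added example and not code from the slides, from Paros or from any other tool named here: it models those three features on a constructed request so the mechanics can be read in one place. The HTTPS-terminating part is left out, since it needs real sockets and a certificate the browser trusts. All names (InspectionProxy, SAMPLE_REQUEST, example.test, TEST_SESSION) are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample request, as a browser would send it to the proxy on 127.0.0.1:8080.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "user=alice&password=pw1"
)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: list   # ordered (name, value) pairs; order and duplicate headers are preserved
    body: str = ""

    def header(self, name):
        """Return the first value of a header, case-insensitively, or None."""
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def serialize(self):
        """The raw request text in the form the proxy forwards to the server."""
        lines = [f"{self.method} {self.target} {self.version}"]
        lines += [f"{n}: {v}" for n, v in self.headers]
        return "\r\n".join(lines) + "\r\n\r\n" + self.body


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers, body)


class InspectionProxy:
    """Hypothetical model of the slide's three features: regular-expression header
    rewriting, a request repository, and replay of a recorded request."""

    def __init__(self):
        self.rules = []        # (compiled regex, replacement), applied to each "Name: value" line
        self.repository = []   # every request that passed through, after rewriting

    def add_header_rule(self, pattern, replacement):
        self.rules.append((re.compile(pattern), replacement))

    def rewrite(self, request):
        """Apply every rule to every header line, in the order the rules were added."""
        new_headers = []
        for name, value in request.headers:
            line = f"{name}: {value}"
            for regex, replacement in self.rules:
                line = regex.sub(replacement, line)
            name, _, value = line.partition(":")
            new_headers.append((name.strip(), value.strip()))
        return HttpRequest(request.method, request.target, request.version,
                           new_headers, request.body)

    def forward(self, raw):
        """Rewrite a raw request from the browser and record the result."""
        request = self.rewrite(parse_request(raw))
        self.repository.append(request)
        return request

    def replay(self, index, new_body=None):
        """Replay a recorded request, optionally with a changed body.
        Content-Length is recomputed so the server reads exactly the new body."""
        recorded = self.repository[index]
        body = recorded.body if new_body is None else new_body
        length = str(len(body.encode("utf-8")))
        headers = [(n, length if n.lower() == "content-length" else v)
                   for n, v in recorded.headers]
        return HttpRequest(recorded.method, recorded.target, recorded.version, headers, body)


def demo():
    proxy = InspectionProxy()
    # Rule 1: replace the browser's User-Agent on every request
    # (the kind of rule the Paros 'ReplaceRequestHeader' filter holds).
    proxy.add_header_rule(r"^User-Agent: .*$", "User-Agent: InspectionProxy-Test/1.0")
    # Rule 2: swap the session cookie for that of a second test account (constructed value)
    # to compare what the two accounts are allowed to see.
    proxy.add_header_rule(r"^Cookie: session=\w+", "Cookie: session=TEST_SESSION")
    first = proxy.forward(SAMPLE_REQUEST)
    replayed = proxy.replay(0, new_body="user=alice&password=wrong")
    return {"proxy": proxy, "first": first, "replayed": replayed}


if __name__ == "__main__":
    result = demo()
    print(result["first"].serialize())
    print("--- replayed ---")
    print(result["replayed"].serialize())
```

The replay path recomputes Content-Length, which the real tools do silently; when a body is edited by hand in a 'Body' text area, a stale Content-Length is the usual reason the server hangs waiting for more data or rejects the request.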
Proxy: Burp Suite
Proxy: Charles Proxy (Commercial)
Proxy: Web Scarab
Firefox Extensions
Firefox: LiveHttpHeader Plugin
Firefox: Tamper Plugin
Firefox: Firebug Plugin
Firefox: Cookie Editor Plugin
System Tools for Monitoring
HTTP Analyze (Commercial)
Fiddler (Free Microsoft Tool)
Web Scanner
Acunetix (Commercial)
Acunetix Firefox Plugin
Landing Page
What is a landing page?
- Hacking-Lab staff members play the role of the victim
- They will click on a URL you provide
- Therefore you need your own web server: a web server on your local computer that serves your landing page
- Please take a web server with you