Practice penetration testing identifying security vulnerabilities in sample BWA app



There are several standards:

OWASP (Open Web Application Security Project) Top 10 - 2017 PDF is the work of a non-profit volunteer team.

OSSTMM (Open Source Security Testing Methodology Manual) v3 PDF is updated every six months by ISECOM (the Institute for Security and Open Methodologies). It was developed in an open community and subjected to peer and cross-disciplinary review. ISECOM’s PDF Security Test Audit Report (STAR) is a standardized form for summarizing the results of a security or penetration test, providing precise calculations of the attack surface, details of what was tested and how, and indemnification for the testing organization. The OSSTMM test modules are:

  1. Posture review
  2. Logistics
  3. Active Detection Verification
  4. Visibility Audit
  5. Access Verification
  6. Trust Verification
  7. Controls Verification
  8. Process Verification
  9. Configuration and Training Verification
  10. Property Validation
  11. Segregation Review
  12. Exposure Verification
  13. Competitive Intelligence Scouting
  14. Quarantine Verification
  15. Privileges Audit
  16. Survivability Validation and Service Continuity
  17. End Survey, Alert, and Log Review

OSSTMM five channels or operational areas:

  • Human Security: The security of human interaction and communication is evaluated operationally as a means of testing
  • Physical Security: The OSSTMM tests physical security defined as any tangible element of security that takes physical effort to operate
  • Wireless Communications: Electronic communications, signals, and emanations are all considered wireless communications that are part of the operational security testing
  • Telecommunications: Whether the telecommunication network is digital or analog, any communication conducted over telephone or network lines are tested in the OSSTMM
  • Data Networks: The security testing of data networks includes electronic systems and data networks that are used for communication or interaction via cable and wired network lines

PTES (Penetration Testing Execution Standard) in 2009 defined phases of a pen-test engagement:

  1. Pre-engagement Interactions
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post Exploitation
  7. Reporting

The PTES Technical Guidelines is an “oldie but goodie” because it’s from 2014.

OWASP items

These will be changed soon. YouTube videos from F5 DevCentral 2017 by John Wagnon (and Description from OWASP):

  1. VIDEO: Injection Attacks (Description, blog article)

  2. VIDEO: Broken Authentication (Description)

  3. VIDEO: Sensitive Data Exposure (Description)

  4. VIDEO: XML External Entities (XXE) (Description)

  5. VIDEO: Broken Access Control (Description)

  6. VIDEO: Security Misconfiguration (Description)

  7. VIDEO: Cross-Site Scripting (XSS) (Description) blog

  8. VIDEO: Insecure Deserialization (Description)

  9. VIDEO: Using Components with Known Vulnerabilities (Description)

  10. VIDEO: Insufficient Logging and Monitoring (Description)

Also: Cross-Site Request Forgery (CSRF)

There are different types of Penetration Testing:

  • SAST (Static Application Security Testing)
  • DAST (Dynamic Application Security Testing)

DAST (Dynamic Application Security Testing)

DAST watches application behavior while user actions are performed by automated scripts in a test environment, where various combinations of input actions are tried. This aims to expose security weaknesses.

The main targets of a DAST system are what offers a front door to attackers: HTTP and HTML, the protocols that drive the World Wide Web.

Among DAST tools: web app penetration testing tools:

A. The Zed Attack Proxy (ZAP) is offered free, and is actively maintained by hundreds of international volunteers. Use it to scan for security vulnerabilities in your web applications while you are developing and testing your applications.


B. WebInspect from MicroFocus (formerly HP).

C. Burp Suite from PortSwigger ($399/year Pro) with extensions, running on Kali Linux with FoxyProxy on Firefox, Jython, JRuby

D. DirBuster

E. VIDEO: ForAllSecure

vs. SAST

By contrast, SAST (Static App Security Testing) tools focus on scanning application source code for coding vulnerabilities. Static Application Security Testing (SAST) vendors include Veracode, Perforce, http://www.castsoftware.com/ and Checkmarx. Checkmarx also adds an agent running alongside the app that reports to a central Security Handler, an approach called Interactive App Security Testing (IAST).

Security tests should also cover the efficacy of Runtime Application Self-Protection (RASP) built within apps, rather than relying completely on the infrastructure Web Application Firewall (WAF).

OWASP Top 10

DAST (like ZAP) look for vulnerabilities described by the

API Security

API security has its own OWASP Top 10:

  1. API1:2019 Broken Object Level Authorization

    APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user.

  2. API2:2019 Broken User Authentication

    Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.

  3. API3:2019 Excessive Data Exposure

    Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user.

  4. API4:2019 Lack of Resources & Rate Limiting

    Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.

  5. API5:2019 Broken Function Level Authorization

    Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.

  6. API6:2019 Mass Assignment

    Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on a whitelist, usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.

  7. API7:2019 Security Misconfiguration

    Security misconfiguration is commonly a result of unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.

  8. API8:2019 Injection

    Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  9. API9:2019 Improper Assets Management

    APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.

  10. API10:2019 Insufficient Logging & Monitoring

    Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
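The API Top 10 items above describe the flaws in prose; the following is an added example (not from the page, OWASP, or any project) that shows the corresponding defences in a small in-memory API layer: an object-level ownership check for API1, a response-field allowlist for API3, a per-client rate limiter for API4, and a request-field allowlist for API6, with the vulnerable mass-assignment pattern shown beside the hardened one. The store layout, field names, users and limits are constructed for illustration.

```python
"""Added example (not from the page, OWASP or any project): defences for
OWASP API Security Top 10 (2019) items API1, API3, API4 and API6 in a tiny
in-memory API layer. All data, names and limits are constructed."""


class NotFound(Exception):
    """Raised for missing AND not-owned objects alike, so the response does
    not reveal which object IDs exist (otherwise callers could enumerate)."""


class TooManyRequests(Exception):
    """Raised when a client exceeds its request budget (HTTP 429)."""


def make_store():
    """Return a fresh constructed data set: two users, one order each."""
    return {
        101: {"id": 101, "owner": "alice", "total": 42.0, "address": "1 Main St"},
        102: {"id": 102, "owner": "bob", "total": 9.5, "address": "2 High St"},
    }


# API3: fields that may leave the server in a response (no "owner" leakage).
PUBLIC_FIELDS = ("id", "total", "address")
# API6: the only field a client may change through an update request.
WRITABLE_FIELDS = frozenset({"address"})


def get_order(store, user, order_id):
    """API1: every function that takes an object ID from the client re-checks
    that the caller owns that object; being authenticated is not enough."""
    order = store.get(order_id)
    if order is None or order["owner"] != user:
        raise NotFound(f"order {order_id} not found")
    return order


def to_public(order):
    """API3: serialize only the allowlisted properties, never the whole model."""
    return {key: order[key] for key in PUBLIC_FIELDS}


def update_order_insecure(store, user, order_id, payload):
    """Vulnerable pattern: binds every key of the request body onto the model,
    so a client can overwrite 'owner' or 'total' just by including them."""
    order = get_order(store, user, order_id)
    order.update(payload)  # mass assignment: no property filtering at all
    return order


def update_order(store, user, order_id, payload):
    """Hardened pattern: reject unknown keys, then copy only allowlisted ones."""
    unexpected = set(payload) - WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    order = get_order(store, user, order_id)
    for key in WRITABLE_FIELDS & set(payload):
        order[key] = payload[key]
    return order


class RateLimiter:
    """API4: fixed-window counter per client, at most `limit` requests per
    `window` seconds. The clock (`now`) is injected so behaviour is testable."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._buckets = {}  # client -> (window_start, count)

    def allow(self, client, now):
        start, count = self._buckets.get(client, (now, 0))
        if now - start >= self.window:  # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            self._buckets[client] = (start, count)
            return False
        self._buckets[client] = (start, count + 1)
        return True


def handle_get(limiter, store, user, order_id, now):
    """A request handler that applies the limiter before touching data."""
    if not limiter.allow(user, now):
        raise TooManyRequests(f"{user} throttled")
    return to_public(get_order(store, user, order_id))
```

The limiter is consulted before the ownership check so that a throttled caller learns nothing about object existence; the same `NotFound` for missing and not-owned objects closes the enumeration side channel that a 403/404 split would open.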

There is also the SANS Top 25 Software Errors, which groups errors into Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses. Compliance standards that also drive security testing include:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Motor Industry Software Reliability Association (MISRA) C/C++ coding standards

Test Scope

As a “black box” approach, DAST cannot identify non-reflective vulnerabilities (e.g., Cross-Site Scripting variants) that don’t generate observable feedback when triggered.

Get sample broken app

Several apps were created to exhibit vulnerability issues, as examples for Static Code vulnerability assessment (SAST) utilities such as GitHub CodeQL, SonarQube, Fortify, etc. Which utility catches the most issues?

CAUTION: Do not upload it to your hosting provider’s public html folder or any Internet facing servers, as they will be compromised.

So these apps should run only inside a guest machine within VirtualBox or VMware set to NAT networking mode.

CAUTION PROTIP: If you run ZAP against a server you don’t control, you are hacking that site.

Juice Shop

Perhaps the most modern sample vulnerable web app is Juice Shop, maintained by OWASP volunteers at https://juice-shop.herokuapp.com/. The book “Pwning OWASP Juice Shop” at https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content references the code at https://github.com/bkimminich/juice-shop.


Damn Vulnerable Web Application (DVWA) at http://dvwa.co.uk with code at https://github.com/ethicalhack3r/DVWA is a PHP/MySQL web application. So use XAMPP for its Apache web server and database.


Stand up an instance of the BWA (Broken Web Application), a collection of intentionally vulnerable web applications distributed by OWASP as a Virtual Machine (VM) file used by VirtualBox, Hyper-V, VMware Workstation on Windows, or VMware Fusion on Mac:

  1. Instantiate a server. In Sep 2017 nested VT-x is supported on GCE, according to Paul R. Nash, Group Product Manager, Google Compute Engine.

  2. Within a console on the server, download:

    curl -L -o OWASP_Broken_Web_Apps_VM_1.2.7z https://sourceforge.net/projects/owaspbwa/files/latest/download

    The OWASP_Broken_Web_Apps_VM_1.2.7z file downloaded is 1.7 GB (big!) because it contains various apps in Ruby, PHP, WordPress, etc.

    It’s briefly described at https://owaspbwa.org, which resolves to https://code.google.com/archive/p/owaspbwa/

    Note it’s from 2015.

  3. Unpack the 7z file. Navigate into the folder.
  4. Double-click on file OWASP Broken Web Apps.vmx to open the image in VirtualBox or VMware Workstation:

    See Install video (music only, no dialog) [5:49]

  5. Use it.

    Video showing version 1.1.1 [21:53] by Chuck Willis shows how to use BWA to demonstrate the occurrence of “Top 10” vulnerabilities described by OWASP. Mutillidae:



    https://www.youtube.com/watch?v=FOEFL8bbbCU [7:05]

    Beyond 1.0 from 2013 Chuck Willis (@chuckatsf) describes BWA origins

Install proxy server

There are several ways to obtain and instantiate a proxy server.


QUESTION: Who are SaaS vendors operating on public cloud?

From Docker Hub

For those working on public clouds:

  1. Bring up Docker
  2. In a Terminal,
  3. Use the Docker image provided by the OWASP organization at https://hub.docker.com/r/owasp/zap2docker-stable/

    docker pull owasp/zap2docker-stable

    docker images reports it as 1.33 GB.

    Alternately, for use in CI environments:

    docker pull owasp/zap2docker-bare

    docker images reports it as 525 MB, about a third of the stable edition.

    The images above were created based on code at: https://github.com/zaproxy/zaproxy/tree/develop/build/docker

    ZAP’s project leader is Simon Bennetts (@psiinon). His lecture on 2 Jun 2015 [59:59]: https://www.youtube.com/watch?v=_MmDWenz-6U

  4. Start ZAP with xvfb (X virtual frame buffer), which allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment. Firefox is also installed so it can be used with these add-ons.

    Alternately: Start ZAP in headless mode with following command:

    docker run -u zap -p 8080:8080 -i owasp/zap2docker-bare zap.sh -daemon -host 0.0.0.0 -port 8080

Blogs about this:

  • https://github.com/zaproxy/zaproxy/wiki/Docker

On private servers

  1. Download

    wget -q -O ZAP_2.4.3_Linux.tar.gz https://github.com/zaproxy/zaproxy/releases/download/2.4.3/ZAP_2.4.3_Linux.tar.gz

    CAUTION: Enterprise security should review this.

  2. Un-tar into /opt and create a version-independent symlink:

    tar zxf ZAP_2.4.3_Linux.tar.gz -C /opt
    ln -s /opt/ZAP_2.4.3 /opt/zap

  3. Since ZAP does not ship with an init script, install this one for Debian (from Stelligent):

    wget -q -O /etc/init.d/zap https://raw.githubusercontent.com/stelligent/zap/master/packer/roles/zap/files/zap-init.sh
    chmod 755 /etc/init.d/zap

Instantiate within Google Cloud

Browser Proxy Setup

In Chrome:

  1. Menu > settings
  2. Proxy

In Firefox:

  1. Menu > Options
  2. Advanced
  3. Network tab
  4. Connections > Settings
  5. Clear “No Proxy for:” box

In Internet Explorer:

  1. Tools
  2. Internet options
  3. Connections tab
  4. Lan settings
  5. Check proxy settings

  6. Use http://localhost or http://127.0.0.1 (port 8080, ZAP’s default) to reach the proxy.

  7. Automate settings:

In Firefox:

  1. Menu > Add-ons (shift+command+A)
  2. Click “See more Add-ins”
  3. In the “Search for add-ons” search box, type “foxyproxy”.
  4. Select “FoxyProxy Standard”.
  5. Click “+ Add to Firefox”.
  6. Click “Add” in the pop-up.
  7. Restart now.

Install Jenkins plugin


  • https://stelligent.com/2016/04/28/automating-penetration-testing-in-a-cicd-pipeline/
  • https://stelligent.com/2016/05/11/automating-penetration-testing-in-a-cicd-pipeline-part-2/

The plug-in is at:


  1. ZAP is written in Java, so a Java SDK is needed to run it.



The drop-down at the upper-left corner of the ZAP UI provides for 4 modes:

  1. Safe mode
  2. Standard mode
  3. Protected mode
  4. Attack mode for sites you have permission to penetrate.

  5. Click Quick Start and, in the Information window, input the URL to scan, starting with https.

    The left pane Tree window provides the context history of URLs visited.

  6. Run ZAP using the ‘standard’ zap.sh script.

    There is also a zap-x.sh script which first starts xvfb (X virtual frame buffer) - this allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment.

ZAP scripts

The plugin:

  1. Manage Sessions (Load or Persist)
  2. Define Context (Name, Include URLs and Exclude URLs)
  3. Attack Contexts (Spider Scan, AJAX Spider, Active Scan)

You can also:

  1. Setup Authentication (Form Based or Script Based)
  2. Run as Pre-Build as part of a Selenium Build
  3. Generate Reports (.xhtml, .xml, .json)
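The Jenkins plugin can emit a .json report, and a pipeline usually needs a pass/fail decision from it rather than a file to read by hand. The following is an added example (not ZAP’s own code or the Jenkins plugin’s) that parses such a report and gates the build on a risk threshold, with a suppression list for accepted findings. The report layout assumed here (a top-level "site" list, each site holding an "alerts" list whose entries carry "alert", "riskcode" 0-3, "confidence" and "instances") follows ZAP’s traditional JSON report; verify it against what your ZAP version actually writes. The embedded sample report and its alert names are constructed.

```python
"""Added example (not ZAP's or the Jenkins plugin's code): turn a ZAP JSON
report into a CI pass/fail decision. The report structure is an assumption
about ZAP's traditional JSON format; the sample report is constructed."""
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_CODES = {name: code for code, name in RISK_NAMES.items()}

# Constructed sample report, trimmed to the fields this gate reads.
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://bwa.example.test",
        "alerts": [
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "instances": [{"uri": "http://bwa.example.test/search"}]},
            {"alert": "Absence of Anti-CSRF Tokens", "riskcode": "2",
             "confidence": "2", "instances": [{"uri": "http://bwa.example.test/login"},
                                              {"uri": "http://bwa.example.test/profile"}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "instances": [{"uri": "http://bwa.example.test/"}]},
        ],
    }],
})


def load_alerts(report_text):
    """Flatten the per-site alert lists into (site, name, risk_code, count)."""
    report = json.loads(report_text)
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append((
                site.get("@name", "?"),
                alert.get("alert") or alert.get("name", "?"),
                int(alert.get("riskcode", 0)),
                len(alert.get("instances", [])),
            ))
    return alerts


def summarize(alerts):
    """Count alerts per risk level, e.g. {"High": 1, "Medium": 1, "Low": 1}."""
    counts = {}
    for _site, _name, risk, _count in alerts:
        label = RISK_NAMES.get(risk, "Unknown")
        counts[label] = counts.get(label, 0) + 1
    return counts


def gate(alerts, fail_on="Medium", ignore=()):
    """Return (passed, failing) where failing lists alerts at or above the
    `fail_on` risk level that are not in the `ignore` suppression list.
    Suppressions should name accepted findings, reviewed and recorded."""
    threshold = RISK_CODES[fail_on]
    failing = [a for a in alerts if a[2] >= threshold and a[1] not in ignore]
    return (len(failing) == 0, failing)


def main(argv):
    """Usage: gate.py report.json [High|Medium|Low] ; exit 1 when the gate fails."""
    report_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    level = argv[2] if len(argv) > 2 else "Medium"
    alerts = load_alerts(report_text)
    print("summary:", summarize(alerts))
    passed, failing = gate(alerts, level)
    for site, name, risk, count in failing:
        print(f"FAIL {RISK_NAMES[risk]:<8} {name} ({count} instance(s) on {site})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the gate evaluated against the embedded sample; in a pipeline, point it at the .json the plugin wrote and pick the threshold per environment (for example Medium for main branches, High for experimental ones). Because the exit code is non-zero on failure, the Jenkins step fails without any further scripting.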

Other DAST vendors


  1. Veracode Vulnerability Scanning Tools, which only scan Java, were acquired on Nov 5, 2018 from Broadcom by private equity firm Thoma Bravo, which also funded Compuware, Dynatrace, SolarWinds and McAfee *

  2. WebInspect from MicroFocus (formerly HP), part of the Fortify suite alongside Fortify, the SAST product.

  3. Checkmarx.com, based in Israel, offers Codebashing, a developer education platform for secure coding training.

  4. Synopsys.com acquired Black Duck, Coverity, and
    Cigital SecureAssist, a lightweight IDE plugin that points out common security vulnerabilities in real time.

  5. IBM AppScan

  6. Parasoft

  7. Tenable.io from Tenable (makers of Nessus)


STAR: Daniel Miessler’s https://danielmiessler.com/projects/webappsec_testing_resources

Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing 1h 40m video course 16 Feb 2017 by Mike Woolard

STAR: https://python-security.readthedocs.io/security.html

