Time
4 hours 39 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:00
Welcome back. Now we're gonna look, in Lesson 5.2, at dynamic application security testing, or the DAST tool we've mentioned a couple of times. Let's just dive into it a little bit more, look at some of the tools and the
00:12
what the capabilities are.
00:14
Objectives: we're just going to take a look at, as mentioned, some of the DAST tools,
00:19
defend the use of non-automated scans, just saying maybe as you get to a larger build, or a more complex one, that might not work exactly with the automated tools and you may want to do some manual testing, almost similar to a pen test, and then describe, like I said, some of the DAST tools' coverage, how they
00:39
thinking that
00:39
interact with which parts of the application stack that we mentioned
00:43
back in a previous module, and then also kind of show some of the commercial tools. We're gonna focus on the open source ones, but just realize the capabilities are kind of there.
00:52
For scanning tools, they fall into several categories, and we have another NIST SSDF requirement here, PW.8, saying to test the executable code for vulnerabilities, which is what the DAST tools do.
01:06
If you're looking at vulnerability scanning, which you're probably quite familiar with, there are some open source tools. These are more gonna be geared towards the server or possibly the web server, maybe not as much the application. But there's Nexpose, which has an open source version with some limitations;
01:25
there's OpenVAS, which is a fork of the original.
01:30
And then there's some of the web app scanning tools: Arachni, which is what we use in the demo later on, in one of the later lessons.
01:38
And there's Nikto, which I'll show a screenshot of coming up here, another nice free tool from CIRT. There is Zed Attack Proxy, which is ZAP, another free tool from OWASP.
01:49
I want to demo that, actually, in the final phase when we're just doing a verification scan. It's different than Arachni; normally we'd do both the same, just obviously verifying, but I just want to show a couple of different tools and how they import into the Jenkins pipeline. So again, in one of the last modules, when we're doing verification,
02:09
I'll show that, and then OWASP has a cross-site scripting tool as well. And one of the things maybe most people are familiar with, but maybe some aren't, is that Nmap is very extendable now. There's a lot of modules. It doesn't just do port scanning anymore, so there's actually
02:27
SSL and SSH cipher enumeration. So you can find some vulnerabilities in the encryption that you're using, or what's available.
02:35
There's WordPress plugins now that'll actually check for themes, password
02:39
brute-forcing plugins. There's so many features in Nmap that it might be a good automated tool to run against your application.
02:51
Here's just a quick screenshot of Nikto, if you've never used it before.
02:54
It's good; it will run against the stack like we mentioned way back, the different layers. It'll run against the web server and give you information about app server methods. Sometimes it will find some of your content management modules, like Drupal
03:09
and some other ones. It gets WordPress as well.
03:13
This is open source.
03:14
It looks for vulnerabilities and outdated software as some of its features, and it'll give you some information about some dangerous methods.
03:23
It'll do some credential guessing on some default passwords, things like that. So you can see in the
03:29
screen here, it gives you information about the server, the cookies. It says the anti-clickjacking
03:38
header isn't in place. This one didn't find very many vulnerabilities, but if you scan against a host, you might find some additional findings. Generally it'll give you, say, if it looks at Apache and sees you're running this version: this is vulnerable, you should be upgrading to the newer version.
03:55
This is a screen of ZAP,
03:59
just to kind of give you the GUI version. You probably wouldn't be running this, since this is not the automated version, but again later on, in one of the last modules, I'll show that running in the background and then importing the results directly into
04:13
Jenkins.
04:14
So this is kind of what ZAP can run against. You can actually take a look sometimes at the code; if it has JavaScript, it'll pull that down and look for any vulnerabilities.
04:24
It'll run against web servers, app servers, methods, again the content management systems.
04:30
So it has an interesting way of working, if you've never used it before. You set up ZAP as a proxy,
04:33
and then you run your browser through the proxy, through ZAP, and browse the website,
04:39
and then it pulls in each one of the pages it sees. And then you can actually run a crawl as well, where it'll act like a web
04:47
crawler, crawling across your website and following links. And what it does is it creates this inventory of pages and assets within the web server,
04:57
and then it will keep that as storage. And then you run an active scan, where it will actually run against each one of those assets that it found and try all the checks that it knows about to look for vulnerabilities.
05:09
You can actually edit your request. So if you're sending, say, a request, you can stop and say, let me fuzz it a little bit and see if I can find some errors.
05:17
It has the spider feature too, where it can go through the website and identify assets.
05:26
So, question for you: have you used Nikto before, or have you used ZAP?
05:30
Kind of think about: have you used it recently? Have you used it at one time and found some value in it?
05:39
So
05:40
if you used both, did you prefer one of them? If not, what other tools have you used?
05:46
So kind of think about these. If you have any experience, think about how you would integrate these into your pipeline and how you would use them. You know, what good findings did you come across, or find a number of? Did you see some false positives? Did you see some false positives that were specific to your application? Kind of think through this.
06:05
And then have you ever run any other manual tools, manual testing tools like Burp Suite and these other ones, or ZAP in the manual mode?
06:16
So I just mentioned Burp Suite.
06:18
This is the
06:20
It's a more advanced version of ZAP. So it can do that, but you could do the same things: looking at code, looking at the web, app servers, methods, CMS.
06:29
There's a free version where you could do the intercept, where you can actually, as I mentioned, intercept a call and then edit it and try to see if you can fuzz and find some vulnerabilities that way.
06:41
It has a repeater function where you can take a method that was already called, or a web call, put it into edit and manually edit it that way, and continuously try to repeat. You can automate that as well,
06:54
and there's also add-ons and extenders to it, so these pre-built modules that others have created, you can run them. So the limitation here is, with the free one, you can't run
07:04
the active scan like ZAP does, so it doesn't have any automated testing of vulnerabilities, all manual processing. It's still very powerful, but that's the limitation.
07:17
And one of the things that I can mention that's interesting to work with or to use, if you've never done it before, is developer tools. Firefox, you can get to it; Chrome has it;
07:28
Edge. Everybody has it now, but it's interesting sometimes just to turn this on and browse your app, look for anything interesting that's coming up: any dead links, anything that gets blocked, maybe see where libraries are being loaded from. You may have not seen that by manually going through the code,
07:47
but by watching it this way, it's interesting to see.
07:51
Again, you might be looking at it, and it'll show all the domains where it's pulled from. It should be your website, and then you'll see some JavaScript pulled from some third-party site, maybe an ad you weren't aware of. So it's good, always a good just last verification check to see what's going on.
08:09
There's a final tool I want to talk about, with a warning: it's very dangerous. sqlmap will go against your code. It's an open source tool that can detect the database, has many methods for it: it'll do boolean blind, time based, error, union, all these types of advanced SQL injection.
08:28
But one thing you have to worry about or take care of is: do not run this on a production system. If it finds vulnerabilities it can drop web shells, it can get an interactive SQL session on there. There's a lot of bad things it could do, along with
08:43
possibly corrupting your database,
08:46
so I would use this with caution, but it's very
08:48
If you're interested in finding SQL injection methods, or sorry, attacks against your application, this can probably find it. But again, be very careful.
09:01
So, some commercial tools out there. Again,
09:03
there's Nessus, Netsparker and AppScan, WebInspect, Burp Suite Pro, which I mentioned. There's plenty of other ones; these are just kind of examples of them.
09:13
But I bring them up because they're divided now: some where you can have an on-premise scanner, and others that are only cloud based, or you can pick between the two. So it would be an interesting method to use: if you have an application that you're only going to run internally, you would run the local scanner internally
09:33
and you could scan this app. So if you have a development environment that you don't want to expose out to the Internet to a cloud-based-only web scanner,
09:41
that's the idea you would have to look at and weigh when you're selecting the correct tool.
09:48
Do the quick quiz just to kind of wrap up the lesson.
09:52
The testing activities were designed during the delivery phase. Is this true or false?
09:58
This is false. The testing activities were designed during the planning phase, at the beginning; we just execute them in the various DevSecOps phases. So I know it's a little confusing, but just kind of remember that you're not
10:09
creating testing while you're working, you know, you get to the phase like, okay, let's create tests. You should be doing that at the beginning, literally
10:18
laying out all the tests you would do per phase.
10:24
In this lesson, we talked about dynamic scanning, scanning an actual running application. We looked at some of the tools like that, some of the ideas, just so we have a good understanding of what's out there.
10:37
The next lesson will talk about logic flaws, which present gaps in the automated scanning, because these tools are good at finding vulnerabilities, but they may not be good at finding logic around authorization to perform certain actions.


DevSecOps Fundamentals

DevSecOps certification training helps students learn to incorporate security features in every step of the development process and navigate distinct security challenges in custom software and web applications.

Instructed By

Philip Kulp
Instructor