Difficulty: Beginner
CEU/CPE: 3

Video Transcription

00:00
So this is WebInspect. When you actually open up the product, this is what you're going to see. You can see we talked about guided scans, basic scans, enterprise scans, things like that. All that's gonna be listed over here on the left.
00:13
There's gonna be a list of the scans I have recently run.
00:17
All right, if I want to see all the scans that I've ever run, I could just go to the Manage Scans option. See, all those I could delete, scans I could reopen, things like that.
00:28
All right, So what we're gonna do here is we're gonna start a guided scan first.
00:34
All right? There's gonna be some options: create a standard website scan, quick scan, thorough web scan, mobile scans, things like that. I recommend that when you run WebInspect, you run it against a web application in a testing environment. All right. WebInspect can have unpredictable results on your application,
00:54
so I would not run it against a production system.
00:57
Unless you know what you're doing, you have to run it against a production system, or you've tested that particular application in production previously. That said, even if you do, I always recommend a complete scan outside of production.
01:14
That way you can turn WebInspect up to its full capabilities.
01:18
What you're really worried about is persistence, and the persistence of bad data or test data in a production system that will anger your customers or the people that you are internally testing, if you start filling their database up with junk. Or just the functionality of the application. Think about it:
01:36
they have an administrative section
01:38
of the web application that allows you to add users, to delete users.
01:42
WebInspect is going to click those buttons. It's gonna add users, it's gonna delete what you tell it to, unless you tell it not to. So that first time you're running a scan, specifically if you're not familiar with the complete functionality of the application, it's likely that you will do some type of,
01:59
no,
02:00
not damage, but you will delete a user that somebody is using, or cause some kind of havoc. There'll be leftovers; we are simulating attacks. So with dynamic analysis, we are throwing an attack. Now, we're trying to do it in the least harmful way,
02:15
but it is still JavaScript, it is still data that is being written into a database or persisted,
02:22
so
02:23
being able to take advantage of the full capabilities of the scan, and then tailoring that to a non-persistent scan if you have to do it in production, which many people do, but they just don't start
02:35
The other thing, and we'll talk about this a little bit more: there are two phases to a scan, the crawl and the audit. The crawl is much less destructive, for lack of a better term, than the audit. So if you are scanning a production system, run the crawl by itself first and then look at the results and make sure that
02:54
everything that WebInspect found you actually want
02:58
to test. We've had numerous people where we've run WebInspect scans, and I came in to talk to them the next day, and WebInspect found portions of their website it was not supposed to be able to find, and as soon as it finds something, it will test it. So just because something's not supposed to be accessible,
03:16
it doesn't mean that it won't get tested.
03:19
All right,
03:22
so we're gonna go ahead and create a standard Web site scan.
03:28
All right, so you can see here.
03:30
Basically, it's going to ask us
03:32
for the start URL. So this is a website I have running on my actual laptop. If I want, I can click Verify.
03:40
All right. So that just verifies that, yes, WebInspect can actually get to the website that I'm trying to test. All right,
03:47
now we click the little arrow to go to the next step.
03:51
All right, so here it's gonna ask, all right, what type of scan do I want to run? A standard scan means that WebInspect is going to enumerate the website itself. It's going to try and find all the pages and sessions and form fields and things like that. The other option is a workflow, where I can actually walk WebInspect
04:11
through the website
04:12
and show it where everything is. It will still spider out from there a little bit, but it's a much more directed scan.
04:19
And then, like I said, every scan has two portions, the crawl
04:24
and the audit. By default, we're going to do them simultaneously. So WebInspect is multi-threaded. I can allocate how many threads I want for the crawl and the audit. But as soon as it's started the crawl and it's found some of those sessions, it's going to start auditing them.
04:41
This is the fastest way to do a scan, because I can do both at the same time.
04:45
The two reasons I would not do it this way: if I'm scanning a website that I've never scanned before, and I want to be certain that I'm not gonna end up auditing portions of this site I don't wanna audit. In that case, I would do the crawl only. The other reason is for troubleshooting purposes. If I'm having a lot of problems with the scan,
05:04
it's easier to run the crawl only,
05:06
single-threaded, so I can really see what's going on as it's going on, and then run the audit. If I run the crawl and the audit together, I think by default there are 12 or 14 different threads that it uses. It can be very difficult to keep track of exactly what's going on,
05:25
all right.
05:26
The next important piece of information is the policy. The policy dictates what types of audits are actually performed. The default is standard. This is what I would recommend if you're running a scan against the site in a testing environment,
05:42
all right, and you can see there's a description. A standard scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities. So it's checking for CWEs and CVEs at the web server, web application server
05:59
and web application layers. So there are some checks that it's going to run
06:02
to check my, you know, Apache or Tomcat or IIS, things like that. But the majority of the checks are gonna be targeted at the actual web application itself. All right, there are other policies. If I only wanted to check the web application, I could choose Application,
06:19
and that would eliminate the checks for the application server.
06:25
All right, if I only wanted to do criticals and highs, I could do that. Be aware, there are things that WebInspect finds that are listed in the App STIG policy as critical, CAT Is and CAT IIs, that are not critical and high findings, so you probably want to run a standard scan.
06:44
A lot of people will also run the OWASP
06:46
Top 10 scans as well.
06:48
That's something that most developers are familiar with. You know the standard set of findings.
06:57
All right.
06:59
And then if you really wanted to really test something, you could always do All Checks; that runs all of the checks. All right, so we're just going to use
07:11
the standard policy,
07:14
and then the last selection is the crawl coverage. This is how much time and effort WebInspect is going to spend finding all of my website. So one thing that you have to think about is, as a human being, you know, I go to an address page on a website.
07:32
I think of that as, you know, one page, one form.
07:35
WebInspect looks at it differently. It's sessions. So if I find an address page in my website, that address page is probably gonna have a state drop-down. That state drop-down is gonna have 50 or 60 different values. WebInspect will test each one of those, so it will do a submission for Arkansas,
07:54
Arizona, Virginia.
07:56
When you select a crawl coverage, that determines how many of those it chooses. So by default, I think it's 10. But I could change it, so I could say, well, if you find a drop-down, I only want to check three of the drop-down values, or I want to check all the drop-down values.
08:11
You know, it's unlikely that the test results for Arizona would be different than Arkansas, but they might be.
08:16
It all depends on how comprehensive you want it to be. Crawl coverage also determines laterally how much movement there is across the website,
08:26
and you can either set that by hand in the configuration settings, which I'll show you, or you can just kind of choose Thorough,
08:35
Default,
08:35
Moderate,
08:37
Quick.
08:37
All right. This also, between the policy that you run and the crawl coverage, is gonna have a major impact on how long it takes to run the scan. It is not uncommon for WebInspect scans to take hours: six hours, eight hours, 10 hours. That's something that we can control
08:56
by changing the crawl coverage and the policy.
08:58
It's probably a good idea to have a general idea of how large the website that you're testing is before you start running the test. A word of caution: if you start testing websites that have a lot of content in them, a content management site, a SharePoint site, things like that,
09:16
you're probably gonna have to tinker with the scan settings or the scan will run for days,
09:20
because it will find, for instance, a calendar page, and it'll check every day of every month of every year.
09:26
Or it will find, oh, a section that has images, and there might be 10,000 images in there, and it will try and test them all.
09:35
All right,
09:41
Okay,
09:41
then it's gonna ask us, all right, do we want to run an authenticated scan or an unauthenticated scan? An unauthenticated scan means that WebInspect will only scan the portion of the website it can get to without logging in. The key phrase there is "it can get to," not the portion of the website you think it can get to,
10:01
but it'll do directory listing and randomly
10:05
guess pages and things like that. And if it can get into a portion of the site without logging in, even if that portion was supposed to require logging in, it will still scan it. An authenticated scan is gonna ask for
10:18
privileges. We can either do that using a macro or certificates or a CAC or something like that, and that's going to allow it to actually log into the website.
10:31
All right,
10:31
so I've already recorded a login macro, which is what I'm going to use. I'll show you how to record a macro in the actual next scan that we run.
10:43
All right,
10:43
there's a profiler. The profiler is basically going to go out to the web application, and I will run this so you can kind of see what it does. I'm not gonna do the entire thing,
10:54
but it's gonna fingerprint the server. So it's going to try and determine what type of web application server I'm using, because there are certain checks that we run that are only relevant to certain types of servers. So if we know what type of server you're running, we're not gonna run those sorts of checks. It might check the SSL certificates, just so we
11:11
know whether we need to make adjustments, things like that.
11:15
So you should probably run the profiler, because it gives WebInspect a better idea of what type of scan you're trying to run. And then when it does that, it will come back and actually give a suggestion. It will say, well, I profiled your site and I noticed that you're using this framework or this type of application
11:33
or something else. You know, do you want to change your configuration?
11:37
So the site I'm testing, WebInspect actually has knowledge of that particular site. So it came back and said, hey, do you want to use the scan settings for this application? I don't,
11:50
uh, but that's something that it would come back and ask me.
12:05
Okay, now it's replaying my macro to validate that my login macro actually works correctly. Now it's asking me to enhance coverage. So, like I said, by default, WebInspect is going to crawl the website and try and find everything that it can.
12:20
If there are certain portions of the website that I know WebInspect isn't going to be able to find, or I want to make sure that it finds, I can identify those right now.
12:31
So I might go in here to Transfer Funds. All right, I might go to Find Locations. I might do a couple other things just to be sure, to make sure that that actually gets tested as part of the scan.
12:52
You can also run the actual test through a proxy if you want. One thing to keep in mind is, if you are having a scan that isn't functioning well, one of the things support may ask you to do is actually run the scan through a proxy so that you can look at the proxy log. That's an easy way to see what WebInspect is
13:11
actually doing.
13:13
I would recommend that when you run a scan, you also enable the traffic monitor. That will allow you, in real time, to see what WebInspect is actually doing.
13:26
All right, then what I can do is, if I wanted to, I could save all my settings, and this would allow me, the next time I have to run a scan, I wouldn't have to go through this process again. I won't have to configure it. I would just open up my saved configuration and run a new scan.
13:43
If you need to run a new scan, you could also just open up the original scan
13:46
and rerun it. And it would reuse the settings as well. So you could do that either way,
13:52
all right.
13:54
And then we'd actually start the scan.
14:03
All right, down here at the bottom,
14:05
you can see the status. So it's initializing right now,
14:22
all right. And over here, you can see the little graphs of my network traffic and my analysis.
14:28
All right, you can see that my scan has started. You can see it's going to start building out the site tree over here. So this is a list of the sessions that it's crawled and audited. All right, remember, there are two phases. There's the crawl, and there's the audit. So I've crawled 126 pages of 389.
14:46
These numbers are going to change very dynamically, because it's very common, when I crawl a page,
14:52
I'll identify eight other pages that I then need to crawl as well, and it just adds them to the queue of what's to be crawled. Because we're running the crawl and the audit simultaneously, you can see it's already auditing, so it's done 14 of 592 audits. You can see that's dynamically going to change as well.
15:11
The auditing
15:13
is much more time-intensive and computationally intensive than the crawling, so you can see the crawling here is almost done. It'll be a while before it finishes the auditing. This bar up here, there's a dark green section
15:26
and a light green section. You can see the dark green are basically sessions or requests that were successful. All right, the light green are things that WebInspect attempted to crawl that were rejected. So, like I said, there are certain pages it'll guess based on your existing URLs
15:43
or known admin pages or things like that. There's some amount of randomness
15:48
to the actual process.
15:52
You don't have to go... so my website actually calls another one.
16:00
Get up.
16:02
No.
16:04
So you can see right down here, there's an excluded hosts section, so it will
16:10
identify
16:11
those items,
16:15
but it won't actually go to that third-party site. Now, if I want it to go to that third-party site, I can list, when I do the configuration for the scan, additional URLs that I want WebInspect to test as well.
16:32
Or, if I wanted, one of the other advantages to doing the crawl before the audit
16:37
is, if I do the crawl first, I could then go into the excluded ones and right-click on them and allow them. When I do the crawl and the audit simultaneously, you can't really make changes to the scan because it's actively running. So although I could change some of the configuration items while the scan is running,
16:56
there'll be a warning that comes up. This is, don't do this,
17:00
because we can't guarantee the configuration changes will be accepted or have the desired effect on the actual scan. So you can see over here: crawled, audited. There's a list of the actual findings down here. By default, they're organized by severity and check.
17:18
All right, and then here's our site tree
17:21
over here.
17:22
All right. And I'll go through all of that in more detail when we actually talk about doing the actual audit itself.
17:29
All right?
17:33
And then I think the one area that you can't see, because of the resolution, is the actual scan details. So it tells us, all right, you know, we're running a scan.
17:42
Is the WebInspect Agent installed on the site that we're actually testing? It is.
17:48
All right. How many audit sessions do we have? Issues, network traffic, you know, those sorts of things. Those are all listed over here on the right.
17:59
And then the other item, you remember, that I turned on was the traffic monitor.
18:04
I'll go ahead and pull that up real quick.
18:08
And this basically shows you what WebInspect is doing
18:14
at any point in time.
18:15
So if I scroll to the very bottom here,
18:19
so that's the current request.
18:22
Request
18:22
response.
18:25
You know, if you ever have a concern that WebInspect is hung,
18:29
what you could do is if you just scroll to the very bottom of the traffic monitor and highlight that item and then just see whether other items are being added in after the one that you highlighted.
18:40
All right, so you can see right now it's actually moving along fairly rapidly.
18:48
So I'm actually gonna pause this scan because I have a completed one.
18:55
The other thing you can do, especially if you are scanning a website that requires CAC authentication: obviously, you are supposed to be physically present when you're using your CAC. So if at the end of the day your scan is still running and you need to remove your card and go home, you can pause the scan, go home, come back the next day, restart the scan.
19:15
If you wanted to, you could also
19:17
export the scan while it's in pause mode, import it into another machine, and then restart the scan. We've done that sometimes. Occasionally there'll be someone who doesn't work every day of the week. They started a scan. The scan wasn't done when they went home.
19:33
They want their coworker to finish the scan when they come in the next day.
19:37
We paused it, we exported it, we imported it into the other machine, and they started it the next day.
19:42
card. We weren't able to get a soft certificate used for authentication. You physically have to stick in the Common Access Card, Common Access Card reader. Obviously, being able to pause it at the end of the day is preferred. Yes, that person having to leave their card
20:00
get lost. You like sleeping at the office? I mean, that's the tithe
20:06
Is two-factor authentication supported? I'm tired. What time you'd be? I'm not.
20:12
I guess it's
20:15
Are you? I'm not from there. With it is, you know what? It's based off of our... I'm not sure of the protocol, but I know that you're this come together. So we support network authentication, and remind me, there'll be a section where I go through the scan settings. There's an entire authentication section, and I'll show you what the options are there. And maybe
20:34
that'll enlighten whether
20:36
that's supported or not. It seems like, just looking at a quick Google, it's like a two-factor authentication, so... but I'm not sure exactly what the second factor is. But if it's gonna require a text message or email,
20:48
obviously we would need that information to be able to authenticate to the web page. But we should be able to record a normal login macro
20:59
through the WebInspect browser, wait for our access code to appear via phone,
21:03
whatever it, you know, uses.
21:07
Let's go ahead and take a look at that. So now we're gonna run a basic scan, just so that you have an idea of what the difference between the guided scan and the basic scan is.
21:18
We'll scan the exact same website.
21:26
All right, we'll do the crawl and the audit.
21:32
Here's the site that we're gonna test.
21:33
All right, if I want to, this is something I didn't show you earlier: I could restrict this.
21:40
All right, if I only wanted to do, you know, the directory I started out of, the folder and the subdirectories, I could. Sometimes if you have very large sites that you need to scan, people will break them up into sections, and you might have to use that option.
21:56
All right. And then for here, I'm actually gonna record the login macro. So I'm going to do site authentication. I'll show you how that works.
22:11
All right? So it basically goes to my website
22:18
and asks me to log in.
22:21
And this uses the TruClient recorder, which some other HP testing tools use as well. That gives me a lot of flexibility. If I wanted to, I could actually create a login macro that prompted me for the username and password. All right, so if I'm testing the same site on multiple different machines,
22:40
all right, the username and password change, or if I want to run a test with different usernames and passwords because of
22:47
the role-based security and what they have access to, I could do that as well.
22:53
All right. Once I've logged in,
22:56
I could stop. Do not log out before you click Stop. Just click Stop.
23:00
All right, then it's going to replay my login
23:04
to validate that it actually works correctly.
23:07
All right?
23:10
It did
23:11
Actually, I know what I'm going to need to do here.
23:19
Okay,
23:21
now it's saying, do you want to select an object on the displayed web page to indicate whether you're logged in or logged out? And the reason it's asking me this is WebInspect needs to know whether it needs to rerun the web macro to log in,
23:37
because occasionally certain tests that it might run might clobber the session, and it'll have to run the macro to log back in.
23:42
So it's asking for a visual cue: how do I know whether I'm logged in or I'm logged out?
23:48
All right?
23:51
Yeah.
23:52
Yes.
23:55
And then I basically say, well, if you see the sign-off link, that means I'm logged in.
24:10
Now it's checking to be sure that it can find the logout condition.
24:14
All right, everything worked.
24:15
All right, So now I could save this if I wanted to,
24:19
or if I just close it, it'll automatically save it for me,
24:23
All right? And insert it there.
24:30
All right. And then the same sort of options here: crawl coverage, audit depth,
24:36
things like that.
24:38
All right. Web form values, allowed hosts. Someone was asking about if I had
24:45
additional URLs that I wanted to include in the test. This is where I would add them, in the allowed hosts section.
24:56
All right, I'm going to turn on the traffic monitor.
25:00
All right? And then I could save this as my scan settings, run the scan, start that. Same as the other one that we looked at. I'm not gonna actually run this scan, because it's exactly the same as the one that we were running before.
25:15
All right.
25:18
All right. So this is a scan that I kicked off that's actually completed. So the scan's finished.
25:25
This is what the results actually look like. All right. So what we can do now is, you can see, you know, here's a list of what was crawled, what was audited: critical, high, medium and low. There are basically two ways of actually looking at the results. All right, one way is, you can see this section down here. All right?
25:42
I can actually go through the information down here,
25:45
all right? If I click on the columns, it would re-sort by that column. If I right-click on the column,
25:52
there are additional columns. So, like, if I actually was looking for CWEs, you know, that's a column I could add in. It would then be added, and I could sort by that. I could also, if I wanted to, copy this column up here; that would add it to the sort order.
26:08
I could do a search, all right. So, like, if I wanted to check for SQL injections,
26:15
I could do that as well. You can do various things that way.
26:21
The other way I can look at the results is through the site tree.
26:26
All right, so what I could do is actually expand that.
26:29
All right, so let's see.
26:36
Here you go. Here's the login page. You can see that little icon there that indicates that there's a high finding. One of the nice things about WebInspect is it does have context-sensitive help. So if I'm in this section,
26:51
all right, and I click F1,
26:53
it will actually bring up the help file for that section of WebInspect. So I know I can never remember what the difference between the yellow folders and the grey folders and the blue folders is. So I go to, you know, the site tree, the navigation pane, pull that site or that portion up,
27:19
if I scroll down.
27:23
So here you go. Here's the icon. So a blue folder is a folder that was discovered by guessing.
27:30
All right. A yellow folder is basically a folder that's actually referenced from somewhere on your site itself.
27:37
Grey folders are basically path truncation.
27:42
Icons: critical, high, medium and low, so on and so forth.
27:48
Shortcuts, all that sort of thing is in there. So if you're ever in a portion of WebInspect and you don't know what something is, just go to that part, hit F1. It'll bring up the help page for that particular portion.
28:00
All right, So if I click on this finding
28:03
you can see here, by clicking on Vulnerability,
28:07
that'll tell me what was actually found for this page, this session.
28:12
All right. I could scroll down there.
28:15
Probably wasn't the best choice, because there are multiple ones here. They'll all be listed.
28:21
If I want to see the web browser view of the
28:25
login page, I can click on that.
28:30
Like I said, the testing is request-response based. So if I want to look at, all right, what did WebInspect actually send to my website as part of this test and/or session?
28:41
Here's my request.
28:45
All right, here's my response.
28:51
That portion highlighted in red in the response.
28:56
That's how WebInspect knew that this particular item was successful.
29:00
All right,
29:02
that indicates that, all right, it was trying to do something, and it was actually able to manipulate the website to get it to do what it actually wanted.
29:12
Details for the actual request,
29:15
steps. So if you actually wanted to try and reproduce this, these are the steps that you go through to get to this portion of the website to reproduce it.
29:27
All right? Links,
29:32
form values, attachments, attack info, things like that.
29:37
All right, so all of that is available here.
29:40
The other thing I could do if I wanted is if I double click on the actual finding in the bottom section here,
29:48
it will bring up a separate page
29:51
that has all of that information in it. So you can see here is the browser view.
29:56
Here's the request view response,
29:59
a description of the actual vulnerabilities
30:03
attachments. I could actually go in and add notes. I could add a screenshot. I could add comments. I could do all sorts of things there as well. I would also be able to mark this as a false positive or just ignore this particular finding.
30:21
All right, I'd be able to push this into my defect tracking system if I wanted to, or I'd be able to retest just this one particular finding. So you can retest either all of the findings for a scan, you can rerun the entire scan, or you can retest just this one finding. All right, so there are multiple options there,
30:40
really valuable
30:41
in the real world, where time is limited and you have certain issues that have been flagged with certain levels of importance. Right? You have to test the specific issues before a specific authority to operate,
30:53
an ATO, is granted. So I use that all the time to test a subset, because we always...
31:02
Really, the limiting factor typically with application security is labor.
31:06
I never have enough people to run all of the scans that need to be performed, so being as efficient as we can with our time,
31:15
right.
31:17
All right, the other thing we could do is, there are multiple views for the site. So there's the site view. So this is gonna list it based on the site tree, more or less.
31:26
There's the sequence view. This is gonna list all the findings in the order that they were actually conducted by WebInspect.
31:34
All right, or there's the search view. So someone mentioned before, all right, I want to see whether WebInspect was able to get into the admin section of my website. All right, well, I'm gonna do a search
31:47
on the URL
31:48
for admin. All right. Well, these
31:52
are the sessions,
31:53
you know, that contained the word "admin" in the URL. So I'd be able to look at these and figure out, you know, these are actually all admin pages, not folders, whether it actually was able to find that session. So, like I just said, there's a search view,
32:10
so I can go down to search. Let's say that I wanted to see all the findings related to Social Security numbers being publicly disclosed.
32:20
You can see here are the search options. I'm gonna go to Response Raw,
32:23
type in "Social Security number." That lists all of the tests that resulted in an SSN being in the response. You can see there are a couple here that actually have vulnerabilities,
32:35
so I could click on one of those.
32:37
Then I look at, you know, the Web browser view.
32:40
There's my Social Security number.
32:44
Request
32:45
response
32:54
Again, you can see the section highlighted in red. That's how it knew that that particular vulnerability existed.
33:10
Then let's go ahead and find one of these command injections. So if I open this particular finding,
33:17
you can see this one,
33:20
because I actually used the WebInspect Agent, which was installed on the server, this particular finding actually has a stack trace. So that's one of the benefits of using the agent: we can pull a stack trace off of the web server, even if it's not publicly displayed, and provide it back to be embedded in the finding.
33:39
So in this case, when I went to the actual
33:44
developer to ask them to fix it, not only would I be able to say All right, well, look, you know, I went to
33:52
you know, this particular page, all right? And
33:55
I provided this information,
34:00
all right? I'd also be able to say, well, the stack trace indicates here that you probably want to,
34:07
I can't read it because it's cut off, go to this particular page to look at the source code there, to try and figure out exactly what's going on,
34:17
all right?
34:22
And what I can also do, if I wanted to, for specific findings, let's go to
34:38
here.
34:39
I could also do what's called a step mode.
34:45
All right, which would allow me to go to a particular part of the site tree and say, hey, look, I want to manually add in additional sessions or checks. So I can say start from there,
34:57
hit Record,
34:59
browse.
35:07
All right, It's going to start from whatever session I selected,
35:10
all right? And then I could say, Oh, I want to go here and I want to put in,
35:15
uh, this zip code.
35:20
Then Find.
35:22
Nothing was found.
35:23
It's finished,
35:28
all right, and then that would be added to my site tree and would be tested as well.