WHAT THE FUZZ??? Christopher Frenz

Upload: christopher-frenz

Posted on 11-Apr-2017


TRANSCRIPT

Page 1: What the fuzz

WHAT THE FUZZ??? Christopher Frenz

Page 2: What the fuzz

NEED FOR APPLICATION SECURITY

• According to SANS:
  • 60% of all internet attacks target Web applications
  • SQL Injection and XSS constitute 80% of all recently discovered vulnerabilities

• Application vulnerabilities now exceed OS vulnerabilities

[Chart: number of vulnerabilities by category: Applications, Operating Systems, Network]

Page 3: What the fuzz

OWASP TOP 10

https://xkcd.com/327/

Page 4: What the fuzz

WHAT TO DO???

• More developers need to be made aware of the need for secure software development as well as the practices associated with secure software development
• Education is key
• Security needs to be part of the mindset of any software development project from day 1
• Security CANNOT be an afterthought
• Security CANNOT be effectively added on later (e.g. firewalls)

Page 5: What the fuzz

WHY EDUCATION?

• Response from development team: "There is no issue here, you encountered this error while using Mozilla. Our product documentation says the application is only compatible with IE."

Page 6: What the fuzz

A QUESTION OF CASE

• What the Fuzz?
• Basic testing or fuzzing would have discovered that capitalizing a letter would result in all data being returned and not just the authorized set
• Validation was only being done client side
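The "capitalize one letter and get everything back" finding above, as an added Python example (not code from the slides or from the application Frenz describes). The handler is a hypothetical reconstruction of the pattern the slide names: the server assumes the client-side JavaScript already validated the account parameter, does a case-sensitive lookup, and falls through to the unfiltered result set when the lookup fails. The records, account names and the fixed handler are constructed for illustration; the fuzzer flips the case of one character at a time and reports every input whose response differs from the legitimate request.

```python
"""Case-mutation fuzzing of an authorization parameter (added example).

The handler below is a hypothetical reconstruction of the slide's bug, not the
real application: the server trusts client-side validation of `account`, the
membership test is case-sensitive, and an unrecognised value is treated as
"no filter" rather than as a refusal.
"""

# Constructed sample data: three customer records, each owned by one account.
RECORDS = [
    {"id": 1, "owner": "alice", "detail": "alice's order history"},
    {"id": 2, "owner": "bob", "detail": "bob's order history"},
    {"id": 3, "owner": "carol", "detail": "carol's order history"},
]
KNOWN_ACCOUNTS = {"alice", "bob", "carol"}  # case-sensitive membership test


def vulnerable_report(session_user, account):
    """Hypothetical vulnerable handler: never consults session_user."""
    if account in KNOWN_ACCOUNTS:            # "alice" matches ...
        return [r for r in RECORDS if r["owner"] == account]
    return list(RECORDS)                     # ... "Alice" does not, so everything is returned


def fixed_report(session_user, account):
    """Server-side authorization: the decision comes from the session identity,
    the client-supplied value is normalised before comparison, and a mismatch
    is refused instead of widened."""
    if account.casefold() != session_user.casefold():
        raise PermissionError(f"{session_user!r} may not view {account!r}")
    return [r for r in RECORDS if r["owner"] == session_user.casefold()]


def case_variants(value):
    """Yield every distinct string differing from `value` in the case of one character."""
    seen = set()
    for i, ch in enumerate(value):
        variant = value[:i] + ch.swapcase() + value[i + 1:]
        if variant != value and variant not in seen:
            seen.add(variant)
            yield variant


def observe(handler, session_user, account):
    """Reduce a response to what a fuzzer compares: row count, or a refusal."""
    try:
        return ("rows", len(handler(session_user, account)))
    except PermissionError:
        return ("denied", None)


def find_case_anomalies(handler, session_user):
    """Fuzz the account parameter with single-character case flips and report
    inputs whose response differs from the legitimate request for that user."""
    baseline = observe(handler, session_user, session_user)
    anomalies = []
    for variant in case_variants(session_user):
        result = observe(handler, session_user, variant)
        if result != baseline:
            anomalies.append((variant, result))
    return anomalies


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_report), ("fixed", fixed_report)):
        print(name, find_case_anomalies(handler, "alice"))
```

Against the vulnerable handler every one of the five case variants of "alice" returns all three records instead of one; against the fixed handler none does, and a request for another account is refused. The check that matters is the one the client cannot influence: the comparison against the session identity on the server.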

Page 7: What the fuzz

SECURING THE SDLC

• Requirements
  • Security needs to be a requirement
  • Risk assessment
• Design
  • Security controls to ensure all requirements are met
  • Design review
• Implementation
  • Coding standards
  • Static code analysis
  • Peer code review
• Testing
  • Abuse cases
  • Fuzzing
  • Vulnerability scans
  • Pen testing
• Release/Maintenance
  • Patching/Updating

Security needs to be a factor in all phases of the software development lifecycle

Page 8: What the fuzz

THREAT MODELING (STRIDE)

• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

• Makes programmers think like an attacker in order to identify potential ways in which their application could be abused

Page 9: What the fuzz

RISK ASSESSMENT (DREAD)

• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability

• Each threat is ranked in each category on a scale of 1 to 3, with 1 being a threat with minimal potential impact and 3 being a serious threat

Page 10: What the fuzz

STRIDE + DREAD EXAMPLE

Helps to identify which threats pose the biggest risk
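The example table from this slide did not survive the transcript, so here is an added Python version of the STRIDE + DREAD exercise from pages 8 to 10 (not the deck's own table or code). It scores each threat on the five DREAD categories with the 1-to-3 scale the slide describes, rejects out-of-range ratings, and ranks the threats so the biggest risks come first. The four threats and their ratings are constructed for a login-plus-reporting web app; the letters are the STRIDE classes.

```python
"""STRIDE + DREAD ranking (added example; threats and ratings are constructed)."""

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
DREAD = ("Damage potential", "Reproducibility", "Exploitability",
         "Affected users", "Discoverability")


def dread_score(ratings):
    """Sum the five DREAD ratings. Each must be 1 (minimal) to 3 (serious),
    as on the slide, so a total lies between 5 and 15."""
    if set(ratings) != set(DREAD):
        raise ValueError(f"expected ratings for {DREAD}, got {tuple(ratings)}")
    for category, value in ratings.items():
        if value not in (1, 2, 3):
            raise ValueError(f"{category}: rating {value!r} is not 1, 2 or 3")
    return sum(ratings.values())


def rank_threats(threats):
    """Return (total, STRIDE letter, name) tuples, highest risk first."""
    ranked = [(dread_score(t["dread"]), t["stride"], t["name"]) for t in threats]
    return sorted(ranked, key=lambda row: row[0], reverse=True)


# Constructed threats for a login + reporting web application (hypothetical ratings).
THREATS = [
    {"name": "SQL injection in login form bypasses authentication", "stride": "S",
     "dread": dict(zip(DREAD, (3, 3, 3, 3, 3)))},
    {"name": "Case-variant account parameter returns every customer's data", "stride": "I",
     "dread": dict(zip(DREAD, (3, 3, 3, 2, 2)))},
    {"name": "Unbounded report export exhausts database connections", "stride": "D",
     "dread": dict(zip(DREAD, (2, 2, 2, 3, 2)))},
    {"name": "No audit log of who viewed which record", "stride": "R",
     "dread": dict(zip(DREAD, (2, 3, 1, 3, 1)))},
]

if __name__ == "__main__":
    for total, letter, name in rank_threats(THREATS):
        print(f"{total:2d}  {STRIDE[letter]:<24} {name}")
```

The SQL injection authentication bypass scores the maximum 15 and lands at the top; the repudiation gap scores 10 and lands at the bottom, which is the prioritisation the slide says the combined model is for. The range check matters in practice: a spreadsheet that silently accepts a 4 or a 0 produces rankings nobody can compare.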

Page 11: What the fuzz

FUZZING

• Fuzzing is an automated process of feeding invalid, malformed or random inputs to an application and monitoring it for crashes or other unexpected responses
• It helps to identify inputs that the application cannot handle properly and that could therefore serve as attack vectors

Page 12: What the fuzz

OWASP MUTILLIDAE

A deliberately vulnerable web application for training security testing skills

Page 13: What the fuzz

XAMPP ON VIRTUAL MACHINE

Page 14: What the fuzz

MUTILLIDAE

Mutillidae unzips into the htdocs folder of the Apache install

Page 15: What the fuzz

BURP

Suite of tools for performing Web application security testing

Page 16: What the fuzz

FOXY PROXY

Enables you to quickly switch between the Burp intercepting proxy and non-proxied browsing

Page 17: What the fuzz

START BURP

Start Burp and use Foxy Proxy to ensure that our Web browser requests go through Burp

Page 18: What the fuzz

FIND TARGET

Burp lets us see the pages loaded through the browser as well as spider a target site to identify additional web pages

Page 19: What the fuzz

FUZZ TARGET

Let's identify the page we want to target for fuzzing and send it to the Burp Intruder module

Page 20: What the fuzz

IDENTIFY POSITIONS

Identify which positions we want to receive our fuzzed input strings

Page 21: What the fuzz

LAUNCH THE ATTACK

Interesting, one attack returned a different page than the rest. Let’s try it out.

Page 22: What the fuzz

TEST THE ATTACK

We used an SQLi attack to bypass the authentication mechanism
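The Intruder run from pages 19 to 22 (pick the request, mark the positions, fire a payload list at each one, look for the response that differs) reproduced as an added Python example, not code from the slides or from Mutillidae. The SQLite accounts table, the credentials and the payload list are constructed; the vulnerable login concatenates user input into the SQL text the way the targeted login page does, and the parameterised version beside it is the fix. Like Intruder's sniper mode, the fuzzer substitutes one position at a time and compares each outcome (row count, or an error standing in for a 500 page) with a baseline request made with ordinary wrong credentials.

```python
"""Intruder-style fuzzing of a login form (added example; data and payloads constructed)."""
import sqlite3


def make_db():
    """Constructed accounts table standing in for the target application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("admin", "S3cret!", 1), ("alice", "wonderland", 0)])
    return conn


def vulnerable_login(conn, username, password):
    """Deliberately vulnerable: user input is concatenated into the SQL text,
    the pattern behind the authentication bypass on the previous slide."""
    query = ("SELECT username, is_admin FROM accounts "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def safe_login(conn, username, password):
    """Parameterised query: the payloads below are bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, is_admin FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Constructed payload list of the mixed kind Intruder is usually fed:
# SQLi, bare quote characters, XSS, path traversal and a long string.
PAYLOADS = [
    "admin",
    "' OR '1'='1",
    "' OR 1=1 -- ",
    "admin' -- ",
    "'",
    '"',
    "<script>alert(1)</script>",
    "../../etc/passwd",
    "A" * 256,
]


def observe(login, conn, username, password):
    """What Intruder shows per request: an error (a 500 in a web app), or the
    result size (the response length)."""
    try:
        rows = login(conn, username, password)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    return ("rows", len(rows))


def fuzz_login(login, payloads, positions=("username", "password")):
    """Sniper-style run: one position at a time, every payload, each outcome
    compared with a baseline of ordinary wrong credentials. Returns the anomalies."""
    conn = make_db()
    baseline = observe(login, conn, "nobody", "wrong")
    anomalies = []
    for position in positions:
        for payload in payloads:
            request = {"username": "nobody", "password": "wrong", position: payload}
            result = observe(login, conn, **request)
            if result != baseline:
                anomalies.append((position, payload, result))
    return anomalies


if __name__ == "__main__":
    print("vulnerable:", fuzz_login(vulnerable_login, PAYLOADS))
    print("safe:      ", fuzz_login(safe_login, PAYLOADS))
```

Six of the eighteen requests stand out against the vulnerable login: the comment-terminated payloads return one or both accounts from either position, a lone quote produces a syntax error from either position, and `' OR '1'='1` only bypasses from the password position because AND binds tighter than OR, which is why marking every position matters. The parameterised login produces no anomalies at all.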

Page 23: What the fuzz

QUESTIONS