This week at work I went to a “security” training. Web app security specifically. The training covered XSS (cross-site scripting), CSRF (cross-site request forgery) and SQL injection.
One could consider these the very basics of web application security. The basic summary for it is “don’t trust data you didn’t come up with,” “don’t make it easy for people to pretend to be other people,” and “hey, maybe don’t let just any site access your site [if you aren’t a publicly consumed web app]” (what up
But the most interesting part of the training is the tooling! Yay tools!
Burp is a very user-unfriendly tool (made by and for security folk! I am not surprised) that real-life security folk use to do some of their testing. You can download a free edition and can run it on your own machine, it requires Java.
What it does when it runs is set up a server running locally so that you can set your browser to “man-in-the-middle” (MITM) using some proxy settings. It’s recommended that you do this on a browser more like Firefox, because Chrome has some security features so that, even if a web app is not secure, Chrome will “protect” an end user. So for security testing, go for Firefox.
Once you figure that out, you can use Burp to watch traffic, copy requests, make scads of them, etc. As a MITM, you can modify requests before they get to the target server (ex. by modifying headers). You can also perform automated attacks on an application (throttled capabilities in the free version). Pretty interesting, especially that some real-life profesh people use it.
No, I did not find out why it is called Burp. If you know, please tell me.
Once we had Burp running, we looked at Mutillidae. It’s a purposefully vulnerable web application that you can run (in a VM preferably, but if that’s out of reach I understand XAMPP works for it). It has lots of hints and things to poke around at.
Also, there’s a paper on this tool! Yay papers!
After training, a colleague mentioned Google Gruyere (because it has lots of holes … get it?). Seems like it might be more accessible than Mutillidae (ex. it will create an instance for you if you go to a start page). If you know of any other similar projects, do share!
OWASP is the Open Web Application Security Project. I did not know that these folk have lots of groups all around the world! So if you’re interested in learning more about application security, you can find your local chapter.
“Rainbow tables” were mentioned during the training, and pretty interesting along the lines of “things that when you know about them give you no confidence in any web application”. Precomputed tables of hashed values. You can probably figure out who might find that useful (COUGH IT’S PASSWORDS COUGH).