Last week was full of excitement! Daniel Christian Quisenberry was born weighing in at 7 pounds 13 ounces in the right corner. He’s a little Canadian goose honking up a storm. Named after his grandpas, Dan Quisenberry and Christian Todenhagen, he has a lot to live up to when it comes to athleticism, intellectual insight, humor, compassion, and gardening.
To get ready for fatherhood a third time, I thought I needed some more training on how to burp, so I signed up for a BURP training through the local Portland OWASP chapter. I must have signed up for the wrong class though because babies weren’t mentioned. Everything was about web application security and the basics of penetration testing a website.
What is OWASP?
The Open Web Application Security Project (OWASP) promotes improving the security of software globally through online resources and local chapters. They are probably most famous for the OWASP Top Ten, which is updated each year and outlines the most crucial security steps for web application developers to prioritize. The Portland chapter meets monthly to update security professionals and developers on trends in web application security, and it just offered its second annual training day, which I was lucky enough to attend.
Why did I go?
I care a lot about the security of the sites and applications we build and want to continue to hone my skills to be proactive in maintaining a reliable web experience for our clients and their customers. That and I grew up watching Sneakers and War Games a lot. I don’t do much war-dialing anymore, but I still like to scratch the investigative itch when I can.
What concepts were covered?
The OWASP training day was split into a morning session and an afternoon session, with three choices for each. I wanted to get some hands-on experience with the basics of penetration testing and with thinking about client-side vulnerabilities, because so much happens in the browser now.
Here are some of the topics touched on (definitions provided by Wikipedia):
XSS - Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
CSRF - Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
CORS - CORS stands for Cross-Origin Resource Sharing.
It is a feature offering the possibility for:
- A web application to expose resources to all or a restricted domain.
- A web client to make AJAX requests for a resource on a domain other than its source domain.
ClickJacking - Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top level page.
Fuzzing - Fuzz testing or Fuzzing is a Black Box software testing technique, which mainly consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.
BURP and Zap
To explore these topics and get hands-on experience, particularly with XSS attacks and fuzzing, we used two tools: BURP and Zap. These tools are powerful and can do a lot, from scanning a target for a wide range of vulnerabilities to proxying web traffic and letting you modify the requests and responses passing between the client and the server. In our exercises, we took advantage of a couple of security sandbox sites (OWASP Juice Shop and Google Gruyere), which are useful for playing around with scanning and attacks and for learning how to stop them.
I didn’t learn how to help my son’s digestion like I thought I would, but I did learn some useful tools for testing our clients’ websites during development, and some ways to think about building more secure applications. Who knows what the attack surface will look like in 10 or so years when it’s time to start teaching Daniel some magic; maybe I will get to BURP with him after all.