Testing web apps using OWASP Switchblade

- [Voiceover] OWASP, the Open Web Application Security Project is an initiative which identifies, ranks and provides materials to support testing of web vulnerabilities. It's free to become part of the OWASP community and its material is free to use. The OWASP Top Ten Threats is published annually and used as a reference for testing by many pen testers. OWASP chapters appear in cities around the world and there's an active wiki for users to share information on the project. Of recent years, it's expanded its remit to cover mobile applications and internet of things.

The links at the top right of the home page provide easy access to key materials such as the Top Ten and the OWASP Testing Guide. OWASP also provides some very useful testing tools such as the Offensive Web Testing Framework, or OWTF, and defensive capabilities such as AppSensor. The particular tool I want to demonstrate in this course is the OWASP Switchblade tool. This is used to test how susceptible a website is to denial-of-service attacks.

The tool was originally written by the Proactive Risk folks as an education tool for the OWASP community and has been made available under the Creative Commons license. It runs as a Windows application and can be downloaded as a ready to run Zip file. I've already downloaded this into the Switchblade subdirectory. Okay, we've got the various executables and supporting libraries for Switchblade here. We can start Switchblade by double-clicking gui.exe. Switchblade has a fairly simple interface.

The drop-down box provides three types of attack that can be run: Slow headers, Slow POST and SSL renegotiation. I'll run a Slow headers attack. Let's change the URL to a Metasploitable system on http://10.0.2.6 I don't need a proxy. The general parameters are used to vary the amount of resources being focused on the attack and can be tuned according to your testing platform.

I'll change the rate to 1,000 and this will create connections as fast as possible. Let's open a browser and look at the website on my Metasploitable system. Okay, we can see the Metaploitable page and this is running fine. Now, let's launch the Switchblade attack. I'll now press a button called Run Attack. We can see that connections have been made and the attack is now underway. Let's see what's happening on Metasploitable.

I'll try to refresh the page and see what happens. Okay, we're now waiting. The web server's been flooded. If we look at Switchblade, we can see that we've made 280 connections and the remaining ones errored when the server became overloaded. I can go into my Metasploitable server and use the netstat command to check the current connections.

We can see there are many connections open. Okay, let's cancel the attack and we'll wait for the server to calm down. Okay, and we're back running again. So, that's an example of using Switchblade to carry out an application-level attack. The Slow POST is a very similar attack to Slow headers, using the same feature of holding the connection open while the http request is sent very slowly. The SSL renegotiation is also similar but attacks the SSL negotiation handshake.