B-Sides Orlando 2014 - Superbees Wanted

Event: Security B-Sides Orlando
Topic: Superbees Wanted
Location: Orlando, Florida (US)
Organizer: Security B-Sides

  1. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
     What is bWAPP? Defense Needed, Superbees Wanted
     Malik Mesellem
  2. About Me
     • Malik Mesellem
       Email | malik@itsecgames.com
       LinkedIn | be.linkedin.com/in/malikmesellem
       Twitter | twitter.com/MME_IT
       Blog | itsecgames.blogspot.com
  3. What is bWAPP? Contents
     • Defense Needed
     • bWAPP & bee-box
     • Web App Pentesting
     • Hungry Evil Bees
     • Superbees Wanted
  4. Contents (same slide as 3)
  5. Defense Needed
     • Web application security is today's most overlooked aspect of securing the enterprise
     • Hackers are concentrating their efforts on websites and web applications
     • Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
  6. Defense Needed: Why are web applications an attractive target?
     • Easily available via the Internet (24/7)
     • Mission-critical business applications with sensitive data
     • Often direct access to backend data
     • Traditional firewalls and SSL provide no protection
     • Many applications are custom-made == vulnerable
  7. (same slide as 6)
  8. DEFENSE is needed!
  9. Contents (same slide as 3)
  10. bWAPP == defense
      • bWAPP, or a buggy Web APPlication
      • Deliberately insecure web application, includes all major known web vulnerabilities
      • Helps security enthusiasts, developers and students to discover and to prevent issues
      • Prepares one for successful penetration testing and ethical hacking projects
  11. bWAPP (no further text on this slide)
  12. bWAPP
      • Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues
      • Black-box penetration testing, simulating real attack scenarios, is still needed!
      • Confirms potential vulnerabilities, and excludes false positives
      • Guarantees that your defense measures are working effectively
      • bWAPP helps to improve your security-testing skills…
  13. (no text on this slide)
  14. bWAPP: Testimonials
      • "Awesome! It's good to see fantastic tools staying up to date ..." - Ed Skoudis, Founder of Counter Hack
      • "I just installed bWAPP 1.6 into the next release of SamuraiWTF ... It's a great app ..." - Justin Searle, Managing Partner at UtiliSec
      • "Great progress on bWAPP BTW! :)" - Vivek Ramachandran, Owner of SecurityTube
  15. bWAPP: Architecture
      • Open source PHP application
      • Backend MySQL database
      • Hosted on Linux/Windows, Apache/IIS
      • Supported on WAMP or XAMPP
  16. bWAPP: Features (1)
      • Very easy to use and to understand
      • Well structured and documented PHP code
      • Different security levels (low/medium/high)
      • ‘New user’ creation (password/secret)
      • ‘Reset application/database’ feature
      • Manual intervention page
      • Email functionalities
  17. bWAPP: Features (2)
      • Local PHP settings file
      • No-authentication mode (A.I.M.)
      • ‘Evil Bee’ mode, bypassing security checks
      • ‘Evil’ directory, including attack scripts
      • WSDL file (Web Services/SOAP)
      • Fuzzing possibilities
  18. bWAPP: What makes bWAPP so unique?
      • Well, it has over 70 web bugs!
      • Covering all major known web vulnerabilities
      • Including all risks from the OWASP Top 10 project
  19. bWAPP: Which bug do you want to hack today? (1)
      • SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
      • Authentication, authorization and session management issues
      • Malicious, unrestricted file uploads and backdoor files
      • Arbitrary file access and directory traversals
      • PHP-CGI remote code execution
      • Local and remote file inclusions (LFI/RFI)
      • Server Side Request Forgery (SSRF)
  20. bWAPP: Which bug do you want to hack today? (2)
      • Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, WebDAV, information disclosures, ...
      • HTTP parameter pollution and HTTP response splitting
      • XML External Entity attacks (XXE)
      • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
      • Unvalidated redirects and forwards
      • Denial-of-Service (DoS) attacks
  21. bWAPP: Which bug do you want to hack today? (3)
      • Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
      • AJAX and Web Services issues (JSON/XML/SOAP)
      • Parameter tampering and cookie poisoning
      • HTTP verb tampering
      • Local privilege escalation
      • And much more :)
  22. bWAPP: Which bug do you want to hack today? (no further text on this slide)
  23. bWAPP (no further text on this slide)
  24. bWAPP: External links
      • Home page - www.itsecgames.com
      • Download location - sourceforge.net/projects/bwapp
      • Blog - itsecgames.blogspot.com
  25. bee-box: Every bee needs a home… the bee-box
      • VM pre-installed with bWAPP
      • LAMP environment: Linux, Apache, MySQL and PHP
      • Compatible with VMware and VirtualBox
      • Requires zero installation
  26. bee-box: bee-box is also made deliberately insecure…
      • Opportunity to explore all bWAPP vulnerabilities
      • Gives you several ways to hack and deface bWAPP
      • Even possible to hack the bee-box to get full root access!
      • Hacking, defacing and exploiting without going to jail
      • You can download bee-box from here
  27. bee-box (no further text on this slide)
  28. bee-box: Features (1)
      • Apache, MySQL and PHP installed
      • Several PHP extensions installed
      • Vulnerable PHP-CGI
      • phpMyAdmin installed
      • Postfix installed and configured
      • Insecure FTP and WebDAV configurations
      • AppArmor disabled
  29. bee-box: Features (2)
      • Weak self-signed SSL certificate
      • ‘Fine-tuned’ file access permissions
      • .htaccess files support enabled
      • Some basic security tools installed
      • Shortcuts to start, install and update bWAPP
      • An amazing wallpaper :)
      • An outdated Linux kernel…
  30. bWAPP & bee-box
      • Both are part of the ITSEC GAMES project
      • A funny approach to IT security education
      • IT security, ethical hacking, training and fun...
      • All ingredients mixed together :)
      • Educational and recreational InfoSec training
  31. bWAPP & bee-box: Ready, set, and hack!
      • There’s just one thing to remember
      • The logon credentials are…
  32. bee/bug
  33. bWAPP & bee-box: Ready, set, and hack!
      • There’s just one thing to remember
      • The logon credentials are bee/bug
      • So please don’t bug me anymore…
  34. bWAPP & bee-box: More credentials (for wizkids only!)
      • bWAPP web app: bee/bug
      • bee-box VM: bee/bug, su: bug
      • MySQL database: root/bug
  35. bWAPP & bee-box: Installation and configuration
      • Install VMware Player or Oracle VirtualBox
      • Extract, install, and start the bee-box VM
      • Configure or check the IP settings
      • Browse to the bWAPP web app: http://[IP]/bWAPP/
      • Login with bee/bug
  36. bWAPP & bee-box: General application settings
      • settings.php, located under the bWAPP admin folder
      • Connection settings
      • SMTP settings
      • A.I.M. mode
      • Evil bee mode
      • Static credentials
  37. bWAPP & bee-box: Settings (no further text on this slide)
  38. bWAPP & bee-box: A.I.M.
      • Authentication Is Missing, a no-authentication mode
      • May be used for testing web scanners and crawlers
      • Procedure
        • Change the IP address in the settings file
        • Point your web scanner or crawler to http://[IP]/bWAPP/aim.php
        • All hell breaks loose…
  39. bWAPP & bee-box: Worst-case-scenario options
      • Reset the application: http://[IP]/bWAPP/reset.php
      • Reset the application + database: http://[IP]/bWAPP/reset.php?secret=bWAPP
      • Reinstall the database: drop the database from phpMyAdmin, then open http://[IP]/bWAPP/install.php
  40. bWAPP & bee-box: Host file (optional)
      • Change the host file on the local machine
  41. bWAPP & bee-box: Postfix (optional)
      • Reconfigure and restart Postfix on the bee-box:
        sudo gedit /etc/postfix/main.cf
        sudo /etc/init.d/postfix restart
  42. Finally… time for a DEMO
  43. Demo
  44. Contents (same slide as 3)
  45. Penetration Testing
      • Penetration testing, or pentesting
      • Method of evaluating computer, network or application security by simulating an attack
      • Active analysis of potential vulnerabilities by using ethical hacking techniques
      • Penetration tests are sometimes a component of a full security audit
  46. Web App Penetration Testing
      • Web application pentesting focuses on evaluating the security of a web application
      • Application is tested for known web vulnerabilities
      • Manual, automatic and semi-automatic tests
      • Source code analysis and web server configuration review as an option
  47. Web App Penetration Testing
      • It’s all about identifying, exploiting, and reporting vulnerabilities
      • Some considerations…
        • Commercial tools vs. open source tools
        • Not a best practice to use only one tool
        • Most commercial scanners don’t exploit
        • False positives are not allowed!
        • People don’t like auto-generated reports
  48. Testing Methodologies: A simple testing methodology (no further text on this slide)
  49. Testing Methodologies: A more advanced testing methodology (no further text on this slide)
  50. OWASP
      • OWASP, or Open Web Application Security Project
      • Worldwide non-profit organization focused on improving the security of software
      • Freely-available articles, methodologies, documentation, tools, and technologies
      • Vendor neutral, no recommendations for commercial products or services!
  51. OWASP: Current OWASP Projects
      • Top 10 Project and Testing Guide
      • Development and Code Review Guide
      • Application Security Verification Standard
      • Broken Web Applications (BWA)
      • Zed Attack Proxy (ZAP)
  52. OWASP
      • OWASP Top 10 Project, lists the 10 most severe web application security risks
      • Constantly updated, latest version released in 2013
      • Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS
      • Good starting point for a web application pentest
      • What to test? How to test? How to prevent?
  53. OWASP: OWASP Top 10 Application Security Risks (no further text on this slide)
  54. OWASP: OWASP Top 10 - 2010 <> 2013 (no further text on this slide)
  55. OWASP: OWASP Top 10 placement (no further text on this slide)
  56. Introduction to Kali Linux
      • Kali Linux is a Debian-derived Linux distribution
      • Designed for digital forensics and penetration testing
      • Formerly known as BackTrack
      • Maintained and funded by Offensive Security
      • Support for x86 and ARM
  57. Introduction to Kali Linux: Includes many web app pentesting tools
      • Burp Suite
      • DirBuster
      • Metasploit
      • Nikto
      • sqlmap
      • w3af
      • WebSploit
      • ZAP
  58. Hands-On Lab: Kali Linux - Installation and basic usage
      • Strongly advised to disable AV
      • Extract, install, and start the VM
      • VM on ‘Bridged’ (<> NAT)
      • Login with root/toor
      • Check/configure IP and language settings
        dhclient eth0 -v
      • Explore Kali Linux and its tools
      When facing problems, ask for a LiveDVD...
  59. Intercepting Proxies
      • Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)
      • Located between the browser and the web application
      • Ability to intercept and to modify requests/responses
      • Provide a historical record of all requests
      • Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories
  60. Intercepting Proxies: ZAP, Zed Attack Proxy
      • OWASP project, by Simon Bennetts
      • Java application, released in September 2010
      • Fork of the Paros intercepting proxy
      • Pentesting tool for finding vulnerabilities
      • Provides automated scanning, as well as a set of tools to find security vulnerabilities manually
  61. Intercepting Proxies: ZAP, Zed Attack Proxy: Functionalities
      • Intercepting proxy, listening on TCP/8080
      • Traditional and AJAX spider
      • Automated and passive scanner
      • Fuzzing and brute force capabilities
      • Smartcard and client certificate support
      • Authentication and session support
  62. Intercepting Proxies: ZAP, Zed Attack Proxy (no further text on this slide)
  63. Hands-On Lab: ZAP, Zed Attack Proxy
      • Parameter/cookie tampering
      • Online password attack
      • Vulnerability detection
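The intercept-and-modify core that slides 59 to 63 describe (sit between browser and web app, keep a history of every request, edit parameters and cookies, pass the edited request on), as an added Python example that is not ZAP's code and not part of the deck. The sample request, its path and its cookie names are constructed for the demo, and network forwarding is left out so the block runs offline.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict   # header name -> value, in the order received
    body: bytes

def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return HttpRequest(method, target, version, headers, body)

def serialize(req: HttpRequest) -> bytes:
    """Rebuild the request; Content-Length is recomputed so an edited body stays valid."""
    headers = dict(req.headers)
    if req.body or "Content-Length" in headers:
        headers["Content-Length"] = str(len(req.body))
    head = f"{req.method} {req.target} {req.version}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + req.body

def set_query_param(req: HttpRequest, name: str, value: str) -> None:
    """Edit one URL query parameter; the other parameters keep their order."""
    parts = urlsplit(req.target)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[name] = value
    req.target = urlunsplit(parts._replace(query=urlencode(query)))

def set_cookie(req: HttpRequest, name: str, value: str) -> None:
    """Edit one cookie in the Cookie header, adding it when absent."""
    jar = SimpleCookie()
    jar.load(req.headers.get("Cookie", ""))
    jar[name] = value
    req.headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in jar.items())

class Interceptor:  # the proxy's job: record every request, then apply the rules
    def __init__(self, rules):
        self.rules = rules      # callables that edit an HttpRequest in place
        self.history = []       # (method, target) of every request seen, pre-edit

    def intercept(self, raw: bytes) -> bytes:
        req = parse_request(raw)
        self.history.append((req.method, req.target))
        for rule in self.rules:
            rule(req)
        return serialize(req)

# Constructed request (not captured from a real bee-box); the path is made up.
SAMPLE = b"GET /bWAPP/index.php?lang=en HTTP/1.1\r\nHost: bee-box\r\nCookie: PHPSESSID=abc123\r\n\r\n"

def demo():
    """Change the lang parameter and add a cookie, as a tester would do in ZAP."""
    proxy = Interceptor([lambda r: set_query_param(r, "lang", "nl"),
                         lambda r: set_cookie(r, "theme", "dark")])
    return proxy.intercept(SAMPLE), proxy.history
```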
  64. Commercial Web Scanners: Netsparker
      • Automated ‘false positive free’ web security scanner
      • Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
      • Automatically exploits detected vulnerabilities to ensure no false positives are reported
      • Site: https://www.netsparker.com/
  65. Commercial Web Scanners (no further text on this slide)
  66. Commercial Web Scanners: Netsparker (no further text on this slide)
  67. Hands-On Lab: Netsparker
      • Non-authenticated scan
      • Authenticated scan
  68. Ready to Exploit some bugs?
  69. Contents (same slide as 3)
  70. Hungry Evil Bees: Hacking, Defacing and Exploiting
      • SQL / HTML / SSI Injection
      • Cross-Site Scripting (XSS)
      • Denial-of-Service (DoS)
      • PHP-CGI Remote Code Exec
      • Unrestricted File Uploads
      • File Inclusions (LFI/RFI)
      • Local Privilege Escalation
  71. Hands-On Lab: SQL Injection
      • Bypassing login forms
      • Manually extracting data
      • Testing for blind SQL injection
      • Automated SQL injection
      • Website defacement
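The security levels from slide 16 and the login-form lab from slide 71 fit one illustration: the same login check at level low, medium and high, run against the valid credentials and against the textbook bypass input the lab confirms the bug with. This is an added Python/sqlite example, not bWAPP's own PHP/MySQL code; the medium level's quote escaping is an assumed stand-in for a filtering level, and only the parameterized high level is the real fix.

```python
import sqlite3

# Constructed users table standing in for the bWAPP MySQL backend; bee/bug are
# the lab's own logon credentials from the deck.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('bee', 'bug')")
    return db

def login_low(db: sqlite3.Connection, login: str, password: str) -> bool:
    """Level low: input is pasted into the SQL text, so it can rewrite the query."""
    sql = f"SELECT 1 FROM users WHERE login = '{login}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None

def login_medium(db: sqlite3.Connection, login: str, password: str) -> bool:
    """Level medium (assumed filter): single quotes are doubled, the SQL-standard
    escape, so input cannot close the quoted string it was placed in."""
    def esc(s: str) -> str:
        return s.replace("'", "''")
    sql = (f"SELECT 1 FROM users WHERE login = '{esc(login)}' "
           f"AND password = '{esc(password)}'")
    return db.execute(sql).fetchone() is not None

def login_high(db: sqlite3.Connection, login: str, password: str) -> bool:
    """Level high: parameterized query; input is bound as data, never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone() is not None

LEVELS = {"low": login_low, "medium": login_medium, "high": login_high}
PROBE = "' OR '1'='1"   # the textbook login-bypass input the lab tests with

def check_levels() -> dict:
    """Map each level to (valid credentials accepted, probe accepted)."""
    db = make_db()
    return {name: (fn(db, "bee", "bug"), fn(db, "bee", PROBE))
            for name, fn in LEVELS.items()}
```

A scanner's "confirmed" finding on the low level is exactly the second flag flipping to true; running the same probe after a fix is how the deck's "excludes false positives" claim is checked.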
  72. Hands-On Lab: HTML Injection
      • Website defacement
      • Page redirection
      • Phishing attack
      • Client-side exploitation
  73. Hands-On Lab: SSI Injection
      • Disclosing sensitive files
      • Website defacement
      • Shell access
  74. Hands-On Lab: Cross-Site Scripting
      • Detecting XSS
      • Session hijacking
  75. Hands-On Lab: Denial-of-Service
      • HTTP Slow POST
      • XML Bomb
  76. Hands-On Lab: PHP-CGI Remote Code Execution
      • API and PHP version verification
      • Source code disclosure
      • Website defacement
        • OWASP ZAP
        • Metasploit
  77. Hands-On Lab: Unrestricted File Uploads
      • Web shell creation
      • Shell access, evading firewalls
      • Website defacement
  78. Hands-On Lab: File Inclusions
      • Disclosing sensitive files
      • Website defacement
      • Shell access, evading firewalls
      • Escalating privileges...
  79. Contents (same slide as 3)
  80. Superbees Wanted: Hi little bees, during this workshop we
      • Defaced your website 5 times
      • Compromised your server
      • Compromised your clients
      • Made your server unreachable
      • Hijacked your session
      • Stole your credentials…
  81. Superbees Wanted
      • And we have so many more bugs to exploit…
      • Definitely time to improve your web security
      • Defense is needed, and testing is required!
      • Downloading bWAPP is a first start
      • Remember: every bee needs a superbee
      • Are you that superbee?
      @MME_IT #bWAPP
  82. Contact Me
      • Malik Mesellem
        Email | malik@itsecgames.com
        LinkedIn | be.linkedin.com/in/malikmesellem
        Twitter | twitter.com/MME_IT
        Blog | itsecgames.blogspot.com
  83. Cheat Sheet
      • Hi little bees… we have a cheat sheet for you
      • Containing all bWAPP solutions
      • Follow us on Twitter, and ask for our cheat sheet
      • You will definitely become a superbee!
      @MME_IT #bWAPP
  84. Training: Attacking & Defending Web Apps with bWAPP
      • 2-day comprehensive web security course
      • Focus on attack and defense techniques!
      • More info: http://goo.gl/ASuPa1 (pdf)
