B-Sides Orlando 2014 - Superbees Wanted
Event: Security B-Sides Orlando

Topic: Superbees Wanted
Location: Orlando, Florida (US)
Organizer: Security B-Sides

Presentation Transcript

• What is bWAPP? Defense Needed, Superbees Wanted
  Malik Mesellem
  (footer on every slide: What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.)

• About Me
  - Malik Mesellem
  - Email | malik@itsecgames.com
  - LinkedIn | be.linkedin.com/in/malikmesellem
  - Twitter | twitter.com/MME_IT
  - Blog | itsecgames.blogspot.com

• Contents
  - Defense Needed
  - bWAPP & bee-box
  - Web App Pentesting
  - Hungry Evil Bees
  - Superbees Wanted

• Defense Needed
  - Web application security is today's most overlooked aspect of securing the enterprise
  - Hackers are concentrating their efforts on websites and web applications
  - Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism

• Defense Needed: Why are web applications an attractive target?
  - Easily available via the Internet (24/7)
  - Mission-critical business applications with sensitive data
  - Often direct access to backend data
  - Traditional firewalls and SSL provide no protection
  - Many applications are custom-made == vulnerable

• DEFENSE is needed!
• Contents (section: bWAPP & bee-box)

• bWAPP == defense
  - bWAPP, or a buggy Web APPlication
  - Deliberately insecure web application, includes all major known web vulnerabilities
  - Helps security enthusiasts, developers and students to discover and to prevent issues
  - Prepares one for successful penetration testing and ethical hacking projects

• bWAPP

• bWAPP
  - Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues
  - Black-box penetration testing, simulating real attack scenarios, is still needed!
  - Confirms potential vulnerabilities, and excludes false positives
  - Guarantees that your defense measures are working effectively
  - bWAPP helps to improve your security-testing skills…

• bWAPP: Testimonials
  - "Awesome! It's good to see fantastic tools staying up to date ..." - Ed Skoudis, Founder of Counter Hack
  - "I just installed bWAPP 1.6 into the next release of SamuraiWTF ... It's a great app ..." - Justin Searle, Managing Partner at UtiliSec
  - "Great progress on bWAPP BTW! :)" - Vivek Ramachandran, Owner of SecurityTube

• bWAPP: Architecture
  - Open source PHP application
  - Backend MySQL database
  - Hosted on Linux/Windows Apache/IIS
  - Supported on WAMP or XAMPP

• bWAPP: Features (1)
  - Very easy to use and to understand
  - Well structured and documented PHP code
  - Different security levels (low/medium/high)
  - ‘New user’ creation (password/secret)
  - ‘Reset application/database’ feature
  - Manual intervention page
  - Email functionalities

• bWAPP: Features (2)
  - Local PHP settings file
  - No-authentication mode (A.I.M.)
  - ‘Evil Bee’ mode, bypassing security checks
  - ‘Evil’ directory, including attack scripts
  - WSDL file (Web Services/SOAP)
  - Fuzzing possibilities

• bWAPP: What makes bWAPP so unique?
  - Well, it has over 70 web bugs!
  - Covering all major known web vulnerabilities
  - Including all risks from the OWASP Top 10 project

• bWAPP: Which bug do you want to hack today? (1)
  - SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
  - Authentication, authorization and session management issues
  - Malicious, unrestricted file uploads and backdoor files
  - Arbitrary file access and directory traversals
  - PHP-CGI remote code execution
  - Local and remote file inclusions (LFI/RFI)
  - Server Side Request Forgery (SSRF)

• bWAPP: Which bug do you want to hack today? (2)
  - Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, WebDAV, information disclosures, ...
  - HTTP parameter pollution and HTTP response splitting
  - XML External Entity attacks (XXE)
  - HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  - Unvalidated redirects and forwards
  - Denial-of-Service (DoS) attacks

• bWAPP: Which bug do you want to hack today? (3)
  - Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
  - AJAX and Web Services issues (JSON/XML/SOAP)
  - Parameter tampering and cookie poisoning
  - HTTP verb tampering
  - Local privilege escalation
  - And much more

• bWAPP: Which bug do you want to hack today?

• bWAPP

• bWAPP: External links
  - Home page - www.itsecgames.com
  - Download location - sourceforge.net/projects/bwapp
  - Blog - itsecgames.blogspot.com
• bee-box: Every bee needs a home… the bee-box
  - VM pre-installed with bWAPP
  - LAMP environment: Linux, Apache, MySQL and PHP
  - Compatible with VMware and VirtualBox
  - Requires zero installation

• bee-box: bee-box is also made deliberately insecure…
  - Opportunity to explore all bWAPP vulnerabilities
  - Gives you several ways to hack and deface bWAPP
  - Even possible to hack the bee-box to get full root access!
  - Hacking, defacing and exploiting without going to jail
  - You can download bee-box from here

• bee-box

• bee-box: Features (1)
  - Apache, MySQL and PHP installed
  - Several PHP extensions installed
  - Vulnerable PHP-CGI
  - phpMyAdmin installed
  - Postfix installed and configured
  - Insecure FTP and WebDAV configurations
  - AppArmor disabled

• bee-box: Features (2)
  - Weak self-signed SSL certificate
  - ‘Fine-tuned’ file access permissions
  - .htaccess files support enabled
  - Some basic security tools installed
  - Shortcuts to start, install and update bWAPP
  - An amazing wallpaper
  - An outdated Linux kernel…

• bWAPP & bee-box
  - Both are part of the ITSEC GAMES project
  - A funny approach to IT security education
  - IT security, ethical hacking, training and fun...
  - All ingredients mixed together
  - Educational and recreational InfoSec training

• bWAPP & bee-box: Ready, set, and hack!
  - There’s just one thing to remember
  - The logon credentials are bee/bug
  - So please don’t bug me anymore…

• bWAPP & bee-box: More credentials (for wizkids only!)
  - bWAPP web app: bee/bug
  - bee-box VM: bee/bug (su: bug)
  - MySQL database: root/bug

• bWAPP & bee-box: Installation and configuration
  - Install VMware Player or Oracle VirtualBox
  - Extract, install, and start the bee-box VM
  - Configure or check the IP settings
  - Browse to the bWAPP web app: http://[IP]/bWAPP/
  - Login with bee/bug

• bWAPP & bee-box: General application settings
  - settings.php, located under the bWAPP admin folder
  - Connection settings
  - SMTP settings
  - A.I.M. mode
  - Evil bee mode
  - Static credentials

• bWAPP & bee-box: Settings

• bWAPP & bee-box: A.I.M.
  - Authentication Is Missing, a no-authentication mode
  - May be used for testing web scanners and crawlers
  - Procedure: change the IP address in the settings file, then point your web scanner or crawler to http://[IP]/bWAPP/aim.php
  - All hell breaks loose…

• bWAPP & bee-box: Worst-case-scenario options
  - Reset the application: http://[IP]/bWAPP/reset.php
  - Reset the application + database: http://[IP]/bWAPP/reset.php?secret=bWAPP
  - Reinstall the database: drop the database from phpMyAdmin, then open http://[IP]/bWAPP/install.php

• bWAPP & bee-box: Host file (optional)
  - Change the host file on the local machine

• bWAPP & bee-box: Postfix (optional)
  - Reconfigure and restart Postfix on the bee-box:
      sudo gedit /etc/postfix/main.cf
      sudo /etc/init.d/postfix restart

• Finally… time for a DEMO

• Demo
• Contents (section: Web App Pentesting)

• Penetration Testing
  - Penetration testing, or pentesting
  - Method of evaluating computer, network or application security by simulating an attack
  - Active analysis of potential vulnerabilities by using ethical hacking techniques
  - Penetration tests are sometimes a component of a full security audit

• Web App Penetration Testing
  - Web application pentesting focuses on evaluating the security of a web application
  - Application is tested for known web vulnerabilities
  - Manual, automatic and semi-automatic tests
  - Source code analysis and web server configuration review as an option

• Web App Penetration Testing
  - It’s all about identifying, exploiting, and reporting vulnerabilities
  - Some considerations…
    - Commercial tools vs. open source tools
    - Not a best practice to use only one tool
    - Most commercial scanners don’t exploit
    - False positives are not allowed!
    - People don’t like auto-generated reports

• Testing Methodologies: A simple testing methodology

• Testing Methodologies: A more advanced testing methodology

• OWASP
  - OWASP, or Open Web Application Security Project
  - Worldwide non-profit organization focused on improving the security of software
  - Freely-available articles, methodologies, documentation, tools, and technologies
  - Vendor neutral, no recommendations for commercial products or services!

• OWASP: Current OWASP Projects
  - Top 10 Project and Testing Guide
  - Development and Code Review Guide
  - Application Security Verification Standard
  - Broken Web Applications (BWA)
  - Zed Attack Proxy (ZAP)

• OWASP: OWASP Top 10 Project
  - Lists the 10 most severe web application security risks
  - Constantly updated, latest version released in 2013
  - Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS
  - Good starting point for a web application pentest
  - What to test? How to test? How to prevent?

• OWASP: OWASP Top 10 Application Security Risks

• OWASP: OWASP Top 10 - 2010 <> 2013

• OWASP: OWASP Top 10 placement

• Introduction to Kali Linux
  - Kali Linux is a Debian-derived Linux distribution
  - Designed for digital forensics and penetration testing
  - Formerly known as BackTrack
  - Maintained and funded by Offensive Security
  - Support for x86 and ARM

• Introduction to Kali Linux: Includes many web app pentesting tools
  - Burp Suite
  - DirBuster
  - Metasploit
  - Nikto
  - sqlmap
  - w3af
  - WebSploit
  - ZAP

• Hands-On Lab: Kali Linux - Installation and basic usage
  - Strongly advised to disable AV
  - Extract, install, and start the VM
  - VM on ‘Bridged’ (<> NAT)
  - Login with root/toor
  - Check/configure IP and language settings: dhclient eth0 -v
  - Explore Kali Linux and its tools
  - When facing problems, ask for a LiveDVD...
• Intercepting Proxies
  - Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)
  - Located between the browser and the web application
  - Ability to intercept and to modify requests/responses
  - Provide a historical record of all requests
  - Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories

• Intercepting Proxies: ZAP, Zed Attack Proxy
  - OWASP project, by Simon Bennetts
  - Java application, released in September 2010
  - Fork of the Paros intercepting proxy
  - Pentesting tool for finding vulnerabilities
  - Provides automated scanning, as well as a set of tools to find security vulnerabilities manually

• Intercepting Proxies: ZAP functionalities
  - Intercepting proxy, listening on TCP/8080
  - Traditional and AJAX spider
  - Automated and passive scanner
  - Fuzzing and brute force capabilities
  - Smartcard and client certificate support
  - Authentication and session support

• Intercepting Proxies: ZAP, Zed Attack Proxy

• Hands-On Lab: ZAP, Zed Attack Proxy
  - Parameter/cookie tampering
  - Online password attack
  - Vulnerability detection

• Commercial Web Scanners: Netsparker
  - Automated ‘false positive free’ web security scanner
  - Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
  - Automatically exploits detected vulnerabilities to ensure no false positives are reported
  - Site: https://www.netsparker.com/

• Commercial Web Scanners

• Commercial Web Scanners: Netsparker

• Hands-On Lab: Netsparker
  - Non-authenticated scan
  - Authenticated scan

• Ready to Exploit some bugs?
• Contents (section: Hungry Evil Bees)

• Hungry Evil Bees: Hacking, Defacing and Exploiting
  - SQL / HTML / SSI Injection
  - Cross-Site Scripting (XSS)
  - Denial-of-Service (DoS)
  - PHP-CGI Remote Code Exec
  - Unrestricted File Uploads
  - File Inclusions (LFI/RFI)
  - Local Privilege Escalation

• Hands-On Lab: SQL Injection
  - Bypassing login forms
  - Manually extracting data
  - Testing for blind SQL injection
  - Automated SQL injection
  - Website defacement
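The first lab item, bypassing login forms, comes down to a single coding defect: user input spliced into the query text. What follows is an added example written for this page, not bWAPP's own code (bWAPP is PHP on MySQL; this uses Python with an in-memory SQLite table and a hypothetical `users` schema). It shows the same login check written with string concatenation and with a parameterized query, run against a normal login and against a tampered login name.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the application's database.

    The schema and the bee/bug row are assumptions for this demo; storing the
    password in clear text keeps the example short, real code stores a salted hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (login, password) VALUES ('bee', 'bug')")
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """Builds the SQL by concatenation: whatever the client sends becomes query text."""
    query = (
        "SELECT id FROM users WHERE login = '" + login
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, login, password):
    """Same check with placeholders: the input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row is not None


def demo():
    """Run both versions against a valid login and a tampered one; returns the outcomes."""
    conn = make_db()
    # Tampered login name: the trailing comment marker turns the password
    # condition into a comment in the concatenated query.
    tampered = "bee' --"
    return {
        "valid_vulnerable": login_vulnerable(conn, "bee", "bug"),
        "valid_parameterized": login_parameterized(conn, "bee", "bug"),
        "tampered_vulnerable": login_vulnerable(conn, tampered, "wrong"),
        "tampered_parameterized": login_parameterized(conn, tampered, "wrong"),
    }


if __name__ == "__main__":
    for case, authenticated in demo().items():
        print(f"{case}: authenticated={authenticated}")
```

`login_vulnerable` accepts the tampered name with a wrong password because the comment marker removes the password condition from the query; `login_parameterized` sends the same characters as a bound value, they are compared against the `login` column, and no row matches. In a code review the concatenation pattern is the thing to grep for; in PHP the equivalent is a query string with interpolated request variables passed to a raw query call.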
• Hands-On Lab: HTML Injection
  - Website defacement
  - Page redirection
  - Phishing attack
  - Client-side exploitation

• Hands-On Lab: SSI Injection
  - Disclosing sensitive files
  - Website defacement
  - Shell access

• Hands-On Lab: Cross-Site Scripting
  - Detecting XSS
  - Session hijacking
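The HTML injection and XSS labs above share one root cause, untrusted input written into a page without encoding for the context it lands in, and the session-hijacking item depends on injected script being able to read the session cookie. The following is an added example (Python, not from the deck or from bWAPP): a reflecting handler in its vulnerable form and in encoded form for three output contexts, plus the Set-Cookie attributes that keep a session id out of reach of script. The `render_*` functions, `session_cookie`, the `/search.php` path and the probe string are constructed for this example; PHPSESSID is PHP's default session cookie name.

```python
import html
from urllib.parse import quote


def render_vulnerable(name: str) -> str:
    """Reflects the parameter unchanged: markup or script in it is interpreted by the browser."""
    return f"<p>Welcome {name}</p>"


def render_safe(name: str) -> str:
    """HTML text context: escape & < > \" ' so the input is displayed, not parsed."""
    return f"<p>Welcome {html.escape(name, quote=True)}</p>"


def render_attr_safe(name: str) -> str:
    """Attribute context: same escaping, and the attribute value is always quoted."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def render_link_safe(query: str) -> str:
    """URL query context: percent-encode the value, then HTML-escape the attribute."""
    url = "/search.php?q=" + quote(query, safe="")   # hypothetical search endpoint
    return f'<a href="{html.escape(url, quote=True)}">search again</a>'


def session_cookie(session_id: str, secure: bool = True) -> str:
    """Set-Cookie value for a session id.

    HttpOnly keeps the id out of document.cookie, so script injected via XSS cannot
    read it; Secure keeps it off plaintext HTTP; SameSite=Strict stops the browser
    attaching it to cross-site requests.
    """
    parts = [f"PHPSESSID={session_id}", "Path=/", "HttpOnly", "SameSite=Strict"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


# Constructed probe in the shape used when detecting XSS: tag, quote and script characters.
PROBE = '<script>alert("bee")</script>'


def demo():
    """Render the probe through every handler and build a hardened cookie."""
    return {
        "vulnerable": render_vulnerable(PROBE),
        "text": render_safe(PROBE),
        "attribute": render_attr_safe(PROBE),
        "link": render_link_safe(PROBE),
        "cookie": session_cookie("0123456789abcdef"),   # constructed session id
    }


if __name__ == "__main__":
    for context, output in demo().items():
        print(f"{context}: {output}")
```

Only `render_vulnerable` returns a page containing a live `<script>` element; the other three return the probe as inert text in their respective contexts. The cookie flags do not stop the injection itself, they limit what a successful injection can take, which is why both controls belong together.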
• Hands-On Lab: Denial-of-Service
  - HTTP Slow POST
  - XML Bomb
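The XML bomb half of the DoS lab relies on the parser expanding nested entity declarations into far more data than the request carried. An added example for this page (Python, not bWAPP code; the size ceiling and the sample documents are constructed assumptions): a guard that refuses documents with DOCTYPE or ENTITY declarations and over-size bodies before any parsing happens, which removes the shapes an expansion bomb needs and, as a side effect, external entity (XXE) declarations too.

```python
import re
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 1_000_000                      # assumed request-body ceiling for this demo
MARKUP_DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class RejectedXML(ValueError):
    """Raised when a document is refused before any parser work is done."""


def parse_untrusted_xml(raw: bytes):
    """Parse XML from an untrusted client, refusing entity-declaring documents outright.

    Plain data exchange never needs an internal DTD subset, so any DOCTYPE or
    ENTITY declaration is treated as hostile rather than parsed with limits.
    """
    if len(raw) > MAX_XML_BYTES:
        raise RejectedXML("body exceeds size limit")
    if MARKUP_DECL_RE.search(raw):
        raise RejectedXML("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(raw)


def accepted(raw: bytes) -> bool:
    """True if the guard lets the document through to the parser."""
    try:
        parse_untrusted_xml(raw)
        return True
    except RejectedXML:
        return False


# Constructed samples: an ordinary document, and an entity-expansion document in the
# well-known nested "lol" shape, kept to two levels so it is harmless here.
SAFE_DOC = b'<?xml version="1.0"?><order><item qty="2">honey</item></order>'
BOMB_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
    b"<lolz>&lol2;</lolz>"
)

if __name__ == "__main__":
    print("safe document accepted:", accepted(SAFE_DOC))
    print("entity document accepted:", accepted(BOMB_DOC))
```

The check is deliberately a byte-level scan rather than a parser option, so it costs the same for a 100-byte and a 1 MB body and cannot be undone by a parser upgrade changing its defaults. The Slow POST half of the lab is a transport problem and is handled at the web server instead, with a limit on how long a client may take to deliver request headers and body (Apache's mod_reqtimeout, for instance).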
• Hands-On Lab: PHP-CGI Remote Code Execution
  - API and PHP version verification
  - Source code disclosure
  - Website defacement
  - OWASP ZAP
  - Metasploit

• Hands-On Lab: Unrestricted File Uploads
  - Web shell creation
  - Shell access, evading firewalls
  - Website defacement

• Hands-On Lab: File Inclusions
  - Disclosing sensitive files
  - Website defacement
  - Shell access, evading firewalls
  - Escalating privileges...
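The unrestricted upload and file inclusion labs above are both failures to constrain a client-supplied path or file, so one added example serves both. This is Python written for this page, not bWAPP code, and the directories `UPLOAD_DIR` and `INCLUDE_DIR` are hypothetical (bWAPP's on-disk layout is not given in the deck). `safe_upload_name` checks the extension against an allowlist, checks the content's magic bytes against that extension, and then discards the client's filename in favour of a random server-chosen one; `resolve_include` maps a page parameter onto a file and refuses URL wrappers, null bytes and any path that resolves outside the include directory. Both share `_inside_base`, a realpath-based containment check.

```python
import os
import re
import secrets

# Hypothetical directories for this example.
UPLOAD_DIR = "/var/www/uploads"
INCLUDE_DIR = "/var/www/app/pages"

ALLOWED_UPLOAD_EXT = {"png", "jpg", "gif"}
# Magic bytes of the image types accepted; the client-sent MIME type is never consulted.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def _inside_base(base: str, path: str) -> bool:
    """True if path, after symlink and '..' resolution, stays under base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(path)
    return os.path.commonpath([base_real, target]) == base_real


def safe_upload_name(client_name: str, content: bytes) -> str:
    """Validate an upload and return the server-side path to store it at, or raise.

    The client name is only consulted for its extension; the stored name is random,
    so traversal sequences and double extensions (shell.php.png) never reach disk.
    """
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in ALLOWED_UPLOAD_EXT:
        raise ValueError("extension not allowed")
    detected = next((t for magic, t in MAGIC.items() if content.startswith(magic)), None)
    if detected is None:
        raise ValueError("content is not an accepted image type")
    if detected != ext:
        raise ValueError("extension does not match content")
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")


def resolve_include(page: str) -> str:
    """Map an untrusted 'page' parameter to a file under INCLUDE_DIR, or raise."""
    if "\x00" in page or "://" in page:
        raise ValueError("wrapper or remote include refused")      # RFI, php:// wrappers
    if not re.fullmatch(r"[A-Za-z0-9_./-]+", page):
        raise ValueError("unexpected characters in page name")
    candidate = os.path.join(INCLUDE_DIR, page + ".php")
    if not _inside_base(INCLUDE_DIR, candidate):
        raise ValueError("path escapes include directory")          # LFI / traversal
    return candidate


# Constructed sample payloads: a PNG signature plus padding, and a PHP script body.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"


def _outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


def demo() -> dict:
    """Exercise both checks against ordinary and hostile inputs."""
    return {
        "png_upload": _outcome(safe_upload_name, "photo.png", PNG_SAMPLE),
        "php_upload": _outcome(safe_upload_name, "shell.php", PHP_SAMPLE),
        "double_ext_upload": _outcome(safe_upload_name, "shell.php.png", PHP_SAMPLE),
        "include_ok": _outcome(resolve_include, "about"),
        "include_traversal": _outcome(resolve_include, "../../../../etc/passwd"),
        "include_remote": _outcome(resolve_include, "http://example.invalid/x"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A PNG uploaded as `shell.php.png` is still accepted, under a random `.png` name, because the content really is an image; what the rename removes is any chance of the client's name selecting how the web server executes the file. For includes, the character allowlist stops wrappers and the containment check stops traversal; keeping both means a gap in one is not a bypass of the other.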
• Contents (section: Superbees Wanted)

• Superbees Wanted: Hi little bees, during this workshop we
  - Defaced your website 5 times
  - Compromised your server
  - Compromised your clients
  - Made your server unreachable
  - Hijacked your session
  - Stole your credentials…

• Superbees Wanted
  - And we have so many more bugs to exploit…
  - Definitely time to improve your web security
  - Defense is needed, and testing is required!
  - Downloading bWAPP is a first start
  - Remember: every bee needs a superbee
  - Are you that superbee?
  @MME_IT #bWAPP

• Contact Me
  - Malik Mesellem
  - Email | malik@itsecgames.com
  - LinkedIn | be.linkedin.com/in/malikmesellem
  - Twitter | twitter.com/MME_IT
  - Blog | itsecgames.blogspot.com

• Cheat Sheet
  - Hi little bees… we have a cheat sheet for you
  - Containing all bWAPP solutions
  - Follow us on Twitter, and ask for our cheat sheet
  - You will definitely become a superbee!
  @MME_IT #bWAPP

• Training: Attacking & Defending Web Apps with bWAPP
  - 2-day comprehensive web security course
  - Focus on attack and defense techniques!
  - More info: http://goo.gl/ASuPa1 (pdf)