SANS 2014 - Superbees Wanted

Event: SANS 2014
Topic: Superbees Wanted
Location: Orlando, Florida (US)
Organizer: SANS

Published in: Technology

Notes
  • Welcome! Nice to meet you. It’s an honor to be here, talking about bWAPP at SANS 2014 Orlando.
  • Some impressions of my stay in Orlando... An almost empty swimming pool.
  • Because everyone is going to Netwars.
  • Magic happens here...
  • My name is Malik Mesellem (from Belgium). I have always had a passion for ethical hacking and penetration testing (actually since I was a teenager…). I am obsessed with Windows and web application (in)security. In 2010, I decided to start my own company: MME BVBA. We specialize in IT security audits, penetration testing, ethical hacking, and InfoSec training. I give master classes and lectures for several institutions. For Belgium, I am a mentor for the SANS Institute and an OWASP ZAP evangelist. And of course, I am the founder and creator of bWAPP…
  • Today I will talk about web security and web application penetration testing with bWAPP. We start our presentation with an overview of why web applications are an attractive target. Then, I will show how bWAPP can help you to ‘improve’ your web security. I will explain the concepts of web application penetration testing and, last but not least... we will exploit some vulnerabilities, so expect live demos (if there’s enough time)!
  • OK! Let’s kick off...
  • Web application security is today's most overlooked aspect of securing the enterprise. These days, hackers are concentrating their efforts on our (precious) websites and web applications. Websites and web applications are a very attractive target for cyber criminality, cyber warfare and hacktivism...
  • They are an attractive target because… they are available 24/7 via the Internet. Sometimes, mission-critical business applications are published on the Internet through a web interface, and there is often direct access to backend data and to the internal network (using pivoting techniques). You should also know that traditional firewalls and SSL provide no protection against web attacks, and sysadmins know little about these sophisticated application-level attacks. In addition, many applications are custom-made, meaning that they are probably vulnerable.
  • Meet the bad guys!
  • It’s definitely time to improve our web security! Defense is really needed…
  • bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It is made for testing and educational purposes. It includes all major known web vulnerabilities. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. I started the bWAPP project during the Christmas holidays of 2012. As a penetration tester, I was looking for a lab environment to test and improve my web application pentesting skills. There are many deliberately insecure web applications, but most of them lack diversity and flexibility… so that’s why I started to create my own vulnerable application, bWAPP. For me, it was also good practice to learn how to deal with these web vulnerabilities: to learn some secure coding techniques and hardening best practices.
  • This is the bWAPP main page, or portal, after a successful login.
  • Web application security is not just installing a firewall, or scanning a website for ‘potential’ issues… Black-box penetration testing, simulating real attack scenarios, is still needed! It confirms potential vulnerabilities and excludes false positives, but it also guarantees that your defense measures are working effectively. bWAPP can help you to improve your web application security-testing skills…
  • It’s all about testing, testing, and testing… Would you be at ease with a pilot who has just read the manual of his plane, and skipped the testing phase? This guy is definitely not prepared for REAL attack scenarios.
  • Some testimonials of ‘notorious’ people working in InfoSec. As you can see, they are all very happy with bWAPP. Look at this guy (Ed)...
  • Let’s talk about the architecture, the core of bWAPP... bWAPP is a PHP application that uses a backend MySQL database. It can be hosted on Linux, Windows (or even on Mac) with Apache or IIS. It is also supported on WAMP or XAMPP. Another possibility is to download the bee-box… (more on that later)
  • Some features... It’s very easy to use and to understand. The PHP code is well structured and documented, despite my terrible programming knowledge. It has different security levels: starting with security level low, ending with security level high. There’s an option to create new users. Every bWAPP user has a password and a secret… A ‘reset application’ and ‘reset database’ feature. A manual intervention page, with a CAPTCHA. Email functionalities, for testing issues like SMTP and host header injections.
  • More features... We have a local PHP settings file. A no-authentication and ‘Evil Bee’ mode. There’s even an ‘evil’ directory, with some nice attack scripts… We have a WSDL file. How to deal with that? And there are fuzzing possibilities… for detecting valid web pages or sessions…
  • I can hear you thinking… What makes bWAPP so unique? Well, it has over 70 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue, like SQL injection or Cross-Site Scripting. No, we are trying to cover a wide range of vulnerabilities. The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.
  • An overview of some included vulnerabilities... It has injection vulnerabilities like...
  • As you can see, we have it all!
  • Just select your bug and hack it!
  • So bWAPP is a test platform for improving your security-testing skills. bWAPP is not an application that tells you ‘how’ to test! If desired, we have a complete cheat sheet containing all the bWAPP solutions! This cheat sheet is also free; the only thing we ask is to follow us on Twitter to stay updated on bWAPP. We also have an exclusive web security training course: Attacking & Defending Web Apps with bWAPP.
  • Some external links... There’s our homepage: the homepage of the ITSEC GAMES project. We have the download location: the bWAPP source code is hosted on SourceForge, and there is also a Git repository. And we have our blog, unfortunately not updated in a while; we are still looking for volunteers...
  • Every bee needs a home, meet our bee-box… (please, don’t confuse it with the Belgacom b-box). The bee-box is a custom Linux Ubuntu virtual machine (VM), pre-installed with bWAPP. It’s actually a LAMP environment. It is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. bee-box requires zero installation!
  • The bee-box is also made deliberately insecure… (yes, of course!) With the bee-box you have the opportunity to explore all bWAPP vulnerabilities! The bee-box gives you several ways to hack and deface the bWAPP website. Currently there are 13 different web defacement possibilities! It's even possible to hack the bee-box to get full root access using a local privilege escalation exploit… awesome! Hacking, defacing and exploiting without going to jail... how cool is that? bee-box can also be downloaded from SourceForge.
  • To play with bWAPP, local access on the bee-box is not needed. The only thing you need to do is to configure an IP address and some optional settings. Once it has a valid IP address, it is possible to access the bWAPP website from outside.
  • Some bee-box features...
  • bWAPP and bee-box are both part of the ‘ITSEC GAMES’ project. The ‘ITSEC GAMES’ are a fun approach to IT security education. IT security, ethical hacking, training and fun... all these ingredients are mixed together! Our objective is to teach InfoSec courses from an educational and recreational point of view. We offer a wide range of InfoSec courses and workshops. Definitely a must for every sysadmin!
  • There’s just 1 thing to remember, the logon credentials are...
  • bee/bug. Is that clear enough?
  • So please don’t bug me anymore with questions about how to log in to bWAPP…
  • Unfortunately we have more credentials to remember... This slide is for whizkids only... That’s my brother, the mastermind behind bWAPP. He was even on Belgian television a few months ago...
  • The installation and configuration steps are pretty easy...
  • bWAPP uses form-based authentication, which may be an obstacle for some tools and is sometimes a pain to configure… That’s why I implemented the A.I.M. mode. A.I.M., or ‘Authentication Is Missing’, is a no-authentication mode. It may be used for testing web scanners and crawlers, as it bypasses authentication obstacles. Here are the steps to crawl all pages, and to detect all vulnerabilities without authentication: change the IP address in the settings file to the IP address of the machine from which you are running the scan; point your web scanner, crawler or attack tool to the ‘aim.php’ page; push the button: all hell breaks loose…
  • General application settings… There is a settings file: ‘settings.php’, located under the bWAPP admin folder. Some configurable settings are: database connection and SMTP settings; the A.I.M. mode (more on that on the next slide); the ‘Evil bee’ mode (bypasses the bWAPP security levels); static credentials, used on some pages.
  • An overview of the settings file...
  • Some worst case scenario options, our last hope...
  • Finally, time for a demo...
  • This is the main login form. Do you remember the credentials? That’s right: bee/bug. From here it’s also possible to choose your security level... Here we have an overview of all vulnerabilities... They are arranged according to the OWASP Top 10 Project.
  • Let’s talk about web application penetration testing...
  • Penetration testing, or pentesting, is a method of evaluating computer, network or application security by simulating an attack. It is an active analysis of potential vulnerabilities. Ethical hacking techniques confirm the potential vulnerabilities, excluding any false positives! Penetration tests are sometimes a component of a full security audit.
  • Web application pentesting focuses on evaluating the security of a web application. The application is tested for known web vulnerabilities. Manual, automatic and semi-automatic tests are used. A source code analysis and a web server configuration review are optional (these are white-box testing techniques).
  • It’s all about identifying, exploiting, and reporting vulnerabilities! Some considerations…
  • A simple testing methodology could start with reconnaissance, vulnerability mapping, and exploitation. In this order, clockwise.
  • A more advanced testing methodology can flow in all directions, clockwise and counterclockwise.
  • Also very important is ‘what’ to test... OWASP can help us with that... OWASP, or the Open Web Application Security Project, is a worldwide non-profit organization focused on improving the security of software. They have freely available articles, methodologies, documentation, tools, and technologies. OWASP is vendor neutral: they make no recommendations for commercial products or services!
  • Here are some active OWASP projects, starting with the OWASP Top 10 Project and the Testing Guide… The OWASP Top 10 Project lists the 10 most severe web application security risks. The Testing Guide shows you how to verify the security of your running application (ideal for pentesters). The Development Guide shows your project how to architect and build a secure application, and the Code Review Guide tells you how to verify the security of your application's source code. The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. It covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues. The Application Security Verification Standard can be used to establish a level of confidence in the security of web applications. A level (~ score) is assigned to the web application: the ASVS defines four levels of verification, with each level increasing in breadth as the application moves up the levels. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. The Broken Web Applications (BWA) Project produces a VM running a variety of applications with known vulnerabilities (like bWAPP). Our bWAPP application will be included in the next version of BWA! Isn’t that cool? The Zed Attack Proxy, or ZAP, is an intercepting proxy…
  • The OWASP Top 10 Project lists the 10 most severe web application security risks. It is constantly updated; the latest version was released in 2013. The Top 10 Project is a good starting point for a web application penetration test. It covers aspects like ‘What to test?’, ‘How to test?’, and ‘How to prevent?’
  • An overview of the OWASP security risks. On one, we have injection vulnerabilities. On two, we have authentication and session management issues. On three, we have Cross-Site Scripting, and so on…
  • This slide shows you the differences between the OWASP Top 10 2010 and OWASP Top 10 2013. We have some minor changes. Injections like SQLi, HTMLi,... are still on number 1...
  • So where to place the OWASP Top 10 Project in our testing methodology?
  • Well, that’s next to our vulnerability mapping phase... we will test the web application for vulnerabilities listed in the Top 10 Project.
  • An indispensable platform for a penetration tester is a distribution with all the attack tools included. An example is Kali Linux, formerly known as BackTrack. Kali Linux is a Debian-derived Linux distribution, designed for digital forensics and penetration testing. It’s maintained and funded by Offensive Security.
  • Many web application pentesting tools are included...
  • An important tool to test the security of a web application is an intercepting proxy. It acts as a Man-in-the-Middle, located between the browser and the web application. With an intercepting proxy we have the ability to intercept and to modify the HTTP requests and responses. Some intercepting proxies also include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories.
  • An example of an open source intercepting proxy is ZAP, or the Zed Attack Proxy. ZAP is an active OWASP project. The application is written in Java by a team of volunteers. We can also use ZAP as a pentesting tool for finding vulnerabilities: it provides automated scanning, as well as a set of tools to find security vulnerabilities manually.
  • Some functionalities...
  • I’ll demonstrate some features of ZAP on our bWAPP platform... A very powerful open source tool!
  • Let’s install ZAP, and explore some features of ZAP on our bWAPP platform... A very powerful open source tool!
  • An alternative is to use a commercial web vulnerability scanner, like Netsparker. Very easy to use, and it also knows how to deal with modern web technologies like AJAX, HTML5 and Web Services. They even have a free ‘Community Edition’ for detecting SQL injection and Cross-Site Scripting (XSS). Very handy!
  • Here are the results of a bWAPP scan with Netsparker.
  • As you can see, a lot of vulnerabilities were detected.
  • Let's run an authenticated scan with Netsparker to detect injection issues.
  • We will do an exercise on Netsparker. Let's run a non-authenticated and an authenticated scan with Netsparker to detect some vulnerabilities in bWAPP. I have a trial edition for you…
  • OK! Are you ready to exploit some bugs?
  • I will try to cover...
  • Let’s start with injections! Injection flaws occur when an application sends untrusted data to an interpreter. They are often found in SQL, OS commands, XPath, XML parsers, SMTP headers, program arguments, etc. Injections are easy to discover when examining code, but rather difficult to discover via pentesting! Scanners and fuzzers can help in finding injection flaws.
  • Injection can result in...
  • According to the OWASP Top 10 Project, injection vulnerabilities are ranked number one.
  • SQL injection is very common in web applications. It occurs when user input is sent to a SQL interpreter as part of a query. The attacker tricks the interpreter into executing unintended SQL queries.
  • This image illustrates how a traditional login form works. A user is required to provide a valid ‘login’ and ‘password’. Check the insecure SQL query…
  • What if the user enters [’ or 1=1--], manipulating and breaking the original SQL query? You should know that [or 1=1] is always TRUE... Well, he will be able to log in without a valid password! That’s a common example of SQL injection.
  • Let’s check the code...
  • Some simple SQL injection strings... used to bypass login forms.
  • Union injections: joining data from 2 different tables in the database. And stacked queries: executing multiple independent SQL queries.
  • Here is an ‘effective’ example of a stacked query... it is definitely his lucky day.
  • We also have blind SQL injection... Blind SQL injection is a type of SQL injection attack that asks the backend database true or false questions. It is often used when the web application is configured to show generic messages: when the database does not output data to the web page, or when the code vulnerable to SQL injection is not displayed. It is nearly identical to normal SQL injection, but the way the data is retrieved from the database differs…
  • Here is an example of boolean-based SQL injection.
  • And here is an example of time-based SQL injection. We are playing with the SQL SLEEP command...
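The login bypass from the slides, as an added example that is not bWAPP’s own PHP: a Python/sqlite3 stand-in (the users table and the bee/bug row are constructed here) that runs the concatenated query beside its parameterised replacement, so the same ’ or 1=1-- input can be seen succeeding against one and failing against the other.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for bWAPP's MySQL users table (an
    assumption of this example; passwords kept in clear only for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('bee', 'bug')")
    conn.commit()
    return conn


def concatenated_query(login, password):
    """The query shape behind the slide's insecure login form: the request
    parameters are pasted into the SQL text, so they become part of its grammar."""
    return ("SELECT login FROM users WHERE login = '" + login
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, login, password):
    """Runs the concatenated query.  With login = ' or 1=1-- the WHERE clause
    becomes  login = '' or 1=1  and everything after -- is a comment, so a row
    is always found and the password is never checked."""
    return conn.execute(concatenated_query(login, password)).fetchone() is not None


def login_safe(conn, login, password):
    """Parameterised query: the driver binds both values as data, so the same
    input is compared literally against the column and is never parsed as SQL.
    Because no grammar break is possible, the boolean-based and time-based blind
    variants from the later slides are closed by the same change."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    for user, pw in (("bee", "bug"), ("' or 1=1--", "anything")):
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```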
  • Let’s do some SQL injection...
  • Another injection issue is HTML injection. It occurs when a user inserts HTML code via a specific input field or parameter. A website is vulnerable because it does not validate the user-supplied data. HTML injection is very dangerous when it is stored permanently! HTML injections can lead to website defacements, phishing attacks and even client-side exploitation. Please, don’t underestimate the power of HTML injection!
  • A quick demo...
  • Cross-Site Scripting, or XSS, occurs when an attacker injects a script into a web application. The script doesn’t run on the website, but in a victim’s browser. The website just delivers the script to the victim. A website is vulnerable because it does not validate the user-supplied data. XSS is very dangerous when it is stored permanently! Usually JavaScript is injected, but it may also include HTML, Flash, or any other type of code that the browser may execute. XSS can lead to website defacements, phishing attacks, session hijacking, and even client-side exploitation. So please, don’t underestimate the power of XSS!
  • We distinguish two types of XSS flaws: Reflected and Stored. With Reflected XSS, a user is tricked into clicking on a link containing the JavaScript code, or tricked into browsing to a malicious website containing the code. With Stored XSS, the JavaScript code is stored permanently on the vulnerable website. More dangerous!
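As an added example (not from the slides or from bWAPP), the output-encoding fix for both XSS types, in Python rather than PHP: a reflected echo beside its escaped form, an attribute context where the quotes matter, a constructed in-memory guestbook encoded at output time, and the cookie flags that limit session hijacking when encoding is missed. The cookie name PHPSESSID and the guestbook are assumptions of the example.

```python
import html

# Constructed in-memory guestbook standing in for a stored-XSS page (assumption).
GUESTBOOK = []


def render_search_vulnerable(term):
    """Reflected XSS pattern: the request parameter is echoed into the page as-is."""
    return "<p>You searched for: " + term + "</p>"


def render_search_safe(term):
    """Same page with HTML entity encoding on output: < > & " ' become entities,
    so the browser renders the payload as text instead of executing it."""
    return "<p>You searched for: " + html.escape(term, quote=True) + "</p>"


def render_input_safe(value):
    """Attribute context: quotes must be encoded too, otherwise a value such as
    " onfocus="...  closes the attribute and adds an event handler of its own."""
    return ('<input type="text" name="q" value="'
            + html.escape(value, quote=True) + '">')


def post_message(author, text):
    """Stores the raw text: encoding belongs at output time, per output context,
    so the same record can later be written safely into HTML, JSON or a header."""
    GUESTBOOK.append((author, text))


def render_guestbook():
    """Stored XSS defence: every stored field is encoded as it is written into HTML."""
    rows = ["<li><b>%s</b>: %s</li>" % (html.escape(author, quote=True),
                                       html.escape(text, quote=True))
            for author, text in GUESTBOOK]
    return "<ul>" + "".join(rows) + "</ul>"


def session_cookie_header(session_id):
    """HttpOnly keeps document.cookie from reading the session id, so a script
    that does slip through cannot simply send it elsewhere; Secure keeps it off
    plaintext HTTP.  This limits a hijack; it does not replace output encoding."""
    return "Set-Cookie: PHPSESSID=" + session_id + "; HttpOnly; Secure; SameSite=Lax"
```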
  • According to the OWASP Top 10 Project, Cross-Site Scripting vulnerabilities are ranked number three.
  • XSS is easy to detect... We will hijack a user session...
  • Denial-of-Service attacks, or DoS attacks. With a DoS attack an attacker attempts to prevent legitimate users from accessing the application, server or network. This happens by consuming network bandwidth, server sockets, threads, or CPU resources. Another type of DoS attack is a Distributed Denial-of-Service attack, or DDoS attack. DoS and DDoS attacks are popular techniques used by hacktivists.
  • Newer layer 7 DoS attacks are more powerful! They are often called “Low-bandwidth application layer DoS”. It’s possible to make a server unreachable with only 1 web client. Here, we are stressing the web application or web server (and not the hardware or network).
  • Some layer 7 DoS methods...
  • I have good news... our bee-box is vulnerable to some DoS attacks!
  • Let’s talk about unrestricted file uploads, and web shells. File upload flaws occur when an attacker can upload files without any restrictions, or by bypassing weak restrictions. The first step in many attacks is to get some code onto the system. An unrestricted file upload flaw helps the attacker… now the attacker only needs to find a way to get the code executed.
  • Let’s talk about evil web shells. Web shells are malicious web pages that provide an attacker functionality on a web server. They make use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl,... Some web shell functionalities...
  • Here are some external attack vectors for using and uploading web shells... You can test each of these vulnerabilities on our bWAPP platform!
  • Our last demo for today... We will generate a payload, a web shell, and we will upload the web shell using a file upload flaw in bWAPP... We have shell access again! From our shell, it is even possible to escalate our privileges... and to get root access!
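A hardened upload handler, added here as a Python counterpart to the PHP upload page on the slides (not bWAPP’s code): extension allow-list, magic-byte check, server-generated file name, and storage outside the web root so nothing uploaded is ever handed to the PHP interpreter. UPLOAD_DIR, the size limit and the type table are assumptions of the example.

```python
import os
import secrets

# Allow-listed extensions and the magic bytes a file of that type must start with
# (constructed for this example; extend per application need).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024
# Assumed storage directory outside the web root: even if a check above were
# bypassed, the web server never executes or serves this path directly.
UPLOAD_DIR = "/srv/uploads"


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, data):
    """Returns the server-side path an accepted file would be stored under.
    The client-supplied name is used only to read the extension; the stored name
    is random, so names like shell.php, shell.php.png, .htaccess or ../x never
    reach the filesystem."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized file")
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base or base.startswith("."):
        raise UploadRejected("no usable extension: %r" % client_filename)
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: %r" % ext)
    # The extension alone is client-controlled; the content must agree with it.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content is not a %s file" % ext)
    stored_name = secrets.token_hex(16) + "." + ext
    return os.path.join(UPLOAD_DIR, stored_name)


def is_accepted(client_filename, data):
    """True/False view of validate_upload, handy for tests and logging."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


def save_upload(client_filename, data):
    """Validates, then writes the file owner-readable only, with no execute bit
    and O_EXCL so an existing name is never overwritten."""
    path = validate_upload(client_filename, data)
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```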
  • Another hands-on lab...
  • Another web issue... file inclusions. File inclusion flaws occur when an attacker includes a file, usually through a script on the web server. Again, the vulnerability occurs due to the use of user-supplied input without proper validation. There are 2 types of file inclusion flaws: Local File Inclusion (LFI) and Remote File Inclusion (RFI).
  • Let’s check the PHP code...
  • File inclusion can lead to...
  • According to the OWASP Top 10 Project, file inclusion vulnerabilities are ranked number seven.
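As an added example (Python, not the PHP behind bWAPP’s include page), the checks a page-inclusion parameter needs before it reaches include(): the vulnerable pass-through beside a resolver that rejects NUL bytes, URLs and stream wrappers, traversal out of the pages directory, and anything outside an allow-list. PAGES_DIR and the allow-list are constructed for the example.

```python
import posixpath

# Assumed layout for this example (not bWAPP's real paths): the includable pages
# live under PAGES_DIR, and only these names may ever be handed to include().
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"portal.php", "contact.php", "help.php"}
ALLOWED_PATHS = {posixpath.join(PAGES_DIR, name) for name in ALLOWED_PAGES}


class IncludeRejected(ValueError):
    """Raised with a short code naming the layer that rejected the request."""


def include_path_vulnerable(page):
    """The pattern behind LFI and RFI: include($_GET['page']) with no validation.
    Returns, unchanged, the string that would be handed to include()."""
    return page


def resolve_include(page):
    """Validates a 'page' request parameter and returns the absolute path that
    may be included.  Each layer alone is bypassable; together they cover the
    LFI/RFI cases on the slides:
      nul-byte         NUL used to cut off a suffix the code appends (e.g. '.php')
      wrapper-or-url   remote URLs and PHP stream wrappers (RFI, php://, data://)
      traversal        '../' sequences or absolute paths escaping PAGES_DIR
      not-allow-listed anything that resolves outside the fixed set of pages"""
    if "\x00" in page:
        raise IncludeRejected("nul-byte")
    if "://" in page:
        raise IncludeRejected("wrapper-or-url")
    # posixpath.join discards PAGES_DIR if 'page' is absolute, and normpath
    # collapses '..', so the prefix test catches both escape routes.
    full = posixpath.normpath(posixpath.join(PAGES_DIR, page))
    if not full.startswith(PAGES_DIR + "/"):
        raise IncludeRejected("traversal")
    if full not in ALLOWED_PATHS:
        raise IncludeRejected("not-allow-listed")
    return full


def rejection_reason(page):
    """None if the page would be included, otherwise the rejecting layer's code."""
    try:
        resolve_include(page)
    except IncludeRejected as exc:
        return str(exc)
    return None
```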
  • Our last exercise for today... We have shell access again! From our shell, it is even possible to escalate our privileges... and to get root access!
  • So during this presentation we defaced our website, compromised the server, even compromised a client, made the server unreachable, hijacked a session, and stole some credentials…
  • So during this presentation/workshop we defaced your website, compromised your server, compromised your clients, made your server unreachable, hijacked your session, and stole your credentials…
  • And we have so many more bugs to exploit… It’s definitely time to improve your web security. Defense is needed: firewalls and vulnerability scanners are not the ultimate solution. Testing, penetration testing, is required! It confirms potential vulnerabilities, excludes false positives, and guarantees that your defense measures are working effectively. Downloading bWAPP is a first step; it will help you to improve your web application security-testing skills! Remember: every bee needs a superbee. Are you that superbee?
  • Thank you very much for attending this presentation! Are there any questions?
  • Transcript

    • 1. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP? Malik Mesellem Defense Needed, Superbees Wanted
    • 6. Contact Me
      • Malik Mesellem
      • Email | malik@itsecgames.com
      • LinkedIn | be.linkedin.com/in/malikmesellem
      • Twitter | twitter.com/MME_IT
      • Blog | itsecgames.blogspot.com
    • 7. What is bWAPP? Contents
      • Defense Needed
      • bWAPP & bee-box
      • Web App Pentesting
      • Hungry Evil Bees
      • Superbees Wanted
    • 9. Defense Needed
      • Web application security is today's most overlooked aspect of securing the enterprise
      • Hackers are concentrating their efforts on websites and web applications
      • Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
    • 10. Defense Needed: Why are web applications an attractive target?
      • Easily available via the Internet (24/7)
      • Mission-critical business applications with sensitive data
      • Often direct access to backend data
      • Traditional firewalls and SSL provide no protection
      • Many applications are custom-made == vulnerable
    • 12. DEFENSE is needed!
    • 13. What is bWAPP? Contents
      • Defense Needed
      • bWAPP & bee-box
      • Web App Pentesting
      • Hungry Evil Bees
      • Superbees Wanted
    • 14. bWAPP == defense
      • bWAPP, or a buggy Web APPlication
      • Deliberately insecure web application, includes all major known web vulnerabilities
      • Helps security enthusiasts, developers and students to discover and to prevent issues
      • Prepares one for successful penetration testing and ethical hacking projects
    • 15. bWAPP == defense
      • Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues
      • Black-box penetration testing, simulating real attack scenarios, is still needed!
      • Confirms potential vulnerabilities, and excludes false positives
      • Guarantees that your defense measures are working effectively
      • bWAPP helps to improve your security-testing skills…
    • 17. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Testimonials Awesome! It's good to see fantastic tools staying up to date ... - Ed Skoudis Founder of Counter Hack I just installed bWAPP 1.6 into the next release of SamuraiWTF ... Its a great app ... - Justin Searle Managing Partner at UtiliSec Great progress on bWAPP BTW! :) - Vivek Ramachandran Owner of SecurityTube
    • 18. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Architecture  Open source PHP application  Backend MySQL database  Hosted on Linux/Windows Apache/IIS  Supported on WAMP or XAMPP
    • 19. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Features (1)  Very easy to use and to understand  Well structured and documented PHP code  Different security levels (low/medium/high)  ‘New user’ creation (password/secret)  ‘Reset application/database’ feature  Manual intervention page  Email functionalities
    • 20. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP: Features (2)
      - Local PHP settings file
      - No-authentication mode (A.I.M.)
      - ‘Evil Bee’ mode, bypassing security checks
      - ‘Evil’ directory, including attack scripts
      - WSDL file (Web Services/SOAP)
      - Fuzzing possibilities
    • 21. bWAPP: What makes bWAPP so unique?
      - Well, it has over 70 web bugs
      - Covering all major known web vulnerabilities
      - Including all risks from the OWASP Top 10 project
      - The focus is not on one specific issue!
    • 22. bWAPP: Which bug do you want to hack today? (1)
      - SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
      - Authentication, authorization and session management issues
      - Malicious, unrestricted file uploads and backdoor files
      - Arbitrary file access and directory traversals
      - PHP-CGI remote code execution
      - Local and remote file inclusions (LFI/RFI)
      - Server Side Request Forgery (SSRF)
    • 23. bWAPP: Which bug do you want to hack today? (2)
      - Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, WebDAV, information disclosures, ...
      - HTTP parameter pollution and HTTP response splitting
      - XML External Entity attacks (XXE)
      - HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
      - Unvalidated redirects and forwards
      - Denial-of-Service (DoS) attacks
    • 24. bWAPP: Which bug do you want to hack today? (3)
      - Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
      - AJAX and Web Services issues (JSON/XML/SOAP)
      - Parameter tampering and cookie poisoning
      - HTTP verb tampering
      - Local privilege escalation
      - And much more
    • 25. bWAPP: Which bug do you want to hack today?
    • 26. bWAPP
    • 27. bWAPP: External links
      - Home page: www.itsecgames.com
      - Download location: sourceforge.net/projects/bwapp
      - Blog: itsecgames.blogspot.com
    • 28. bee-box: Every bee needs a home… the bee-box
      - VM pre-installed with bWAPP
      - LAMP environment: Linux, Apache, MySQL and PHP
      - Compatible with VMware and VirtualBox
      - Requires zero installation
    • 29. bee-box: bee-box is also made deliberately insecure…
      - Opportunity to explore all bWAPP vulnerabilities
      - Gives you several ways to hack and deface bWAPP
      - Even possible to hack the bee-box to get full root access!
      - Hacking, defacing and exploiting without going to jail
      - You can download bee-box from here
    • 30. bee-box
    • 31. bee-box: Features (1)
      - Apache, MySQL and PHP installed
      - Several PHP extensions installed
      - Vulnerable PHP-CGI
      - phpMyAdmin installed
      - Postfix installed and configured
      - Insecure FTP and WebDAV configurations
      - AppArmor disabled
    • 32. bee-box: Features (2)
      - Weak self-signed SSL certificate
      - ‘Fine-tuned’ file access permissions
      - .htaccess files support enabled
      - Some basic security tools installed
      - Shortcuts to start, install and update bWAPP
      - An amazing wallpaper
      - An outdated Linux kernel…
    • 33. bWAPP & bee-box: Ready, set, and hack!
      - Only one thing to remember
      - The logon credentials are…
    • 34. bee/bug
    • 35. bWAPP & bee-box: Ready, set, and hack!
      - Only one thing to remember
      - The logon credentials are bee/bug
      - So please don’t bug me anymore…
    • 36. bWAPP & bee-box: Installation and configuration
      - Install VMware Player or Oracle VirtualBox
      - Extract, install, and start the bee-box VM
      - Configure or check the IP settings
      - Browse to the bWAPP web app: http://[IP]/bWAPP/
      - Login with bee/bug
    • 37. bWAPP & bee-box: A.I.M. mode
      - Authentication Is Missing, a no-authentication mode
      - May be used for testing web scanners and crawlers
      - Procedure:
        - Change the IP address in the settings file
        - Point your web scanner or crawler to http://[IP]/bWAPP/aim.php
        - All hell breaks loose…
    • 38. bWAPP & bee-box: General application settings
      - settings.php, located under the bWAPP admin folder
      - Connection settings
      - SMTP settings
      - A.I.M. mode
      - Evil bee mode
      - Static credentials
    • 39. bWAPP & bee-box: Settings
    • 40. bWAPP & bee-box: Worst-case scenario options
      - Reset the application: http://[IP]/bWAPP/reset.php
      - Reset the application + database: http://[IP]/bWAPP/reset.php?secret=bWAPP
      - Reinstall the database: drop the database from phpMyAdmin, then browse to http://[IP]/bWAPP/install.php
    • 41. Finally… time for a DEMO
    • 42. Demo
    • 43. What is bWAPP? Contents
      - Defense Needed
      - bWAPP & bee-box
      - Web App Pentesting
      - Hungry Evil Bees
      - Superbees Wanted
    • 44. Penetration Testing
      - Penetration testing, or pentesting
      - Method of evaluating computer, network or application security by simulating an attack
      - Active analysis of potential vulnerabilities by using ethical hacking techniques
      - Penetration tests are sometimes a component of a full security audit
    • 45. Web App Penetration Testing
      - Web application pentesting focuses on evaluating the security of a web application
      - The application is tested for known web vulnerabilities
      - Manual, automatic and semi-automatic tests
      - Source code analysis and web server configuration review as an option
    • 46. Web App Penetration Testing
      - It’s all about identifying, exploiting, and reporting vulnerabilities
      - Some considerations…
        - Commercial tools vs. open source tools
        - Not a best practice to use only one tool
        - Most commercial scanners don’t exploit
        - False positives are not allowed!
        - People don’t like auto-generated reports
    • 47. Testing Methodologies: A simple testing methodology
    • 48. Testing Methodologies: A more advanced testing methodology
    • 49. OWASP
      - OWASP, or Open Web Application Security Project
      - Worldwide non-profit organization focused on improving the security of software
      - Freely available articles, methodologies, documentation, tools, and technologies
      - Vendor neutral, no recommendations for commercial products or services!
    • 50. OWASP: Current OWASP Projects
      - Top 10 Project and Testing Guide
      - Development and Code Review Guide
      - Application Security Verification Standard
      - Broken Web Applications (BWA)
      - Zed Attack Proxy (ZAP)
    • 51. OWASP
      - The OWASP Top 10 Project lists the 10 most severe web application security risks
      - Constantly updated, latest version released in 2013
      - Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS
      - Good starting point for a web application pentest
      - What to test? How to test? How to prevent?
    • 52. OWASP: OWASP Top 10 Application Security Risks
    • 53. OWASP: OWASP Top 10 placement
    • 54. OWASP: OWASP Top 10 placement
    • 55. Introduction to Kali Linux
      - Kali Linux is a Debian-derived Linux distribution
      - Designed for digital forensics and penetration testing
      - Formerly known as BackTrack
      - Maintained and funded by Offensive Security
      - Support for x86 and ARM
    • 56. Introduction to Kali Linux: Includes many web app pentesting tools
      - Burp Suite
      - DirBuster
      - Metasploit
      - Nikto
      - sqlmap
      - w3af
      - WebSploit
      - ZAP
    • 57. Intercepting Proxies
      - Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)
      - Located between the browser and the web application
      - Ability to intercept and modify requests/responses
      - Provide a historical record of all requests
      - Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories
    • 58. Intercepting Proxies: ZAP, Zed Attack Proxy
      - OWASP project, by Simon Bennetts
      - Java application, released in September 2010
      - Fork of the Paros intercepting proxy
      - Pentesting tool for finding vulnerabilities
      - Provides automated scanning, as well as a set of tools to find security vulnerabilities manually
    • 59. Intercepting Proxies: ZAP, Zed Attack Proxy: Functionalities
      - Intercepting proxy, listening on TCP/8080
      - Traditional and AJAX spider
      - Automated and passive scanner
      - Fuzzing and brute force capabilities
      - Smartcard and client certificate support
      - Authentication and session support
    • 60. Intercepting Proxies: ZAP, Zed Attack Proxy
    • 61. Demo: ZAP, Zed Attack Proxy
      - Parameter/cookie tampering
      - Online password attack
      - Vulnerability detection
    • 62. Commercial Web Scanners: Netsparker
      - Automated ‘false positive free’ web security scanner
      - Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
      - Automatically exploits detected vulnerabilities to ensure no false positives are reported
      - Free ‘Community Edition’ available!
    • 63. Commercial Web Scanners
    • 64. Commercial Web Scanners: Netsparker
    • 65. Ready to exploit some bugs?
    • 66. What is bWAPP? Contents
      - Defense Needed
      - bWAPP & bee-box
      - Web App Pentesting
      - Hungry Evil Bees
      - Superbees Wanted
    • 67. Hungry Evil Bees: Hacking, Defacing and Exploiting
      - SQL Injection
      - Cross-Site Scripting (XSS)
      - Client-side Attacks
      - Denial-of-Service (DoS)
      - Unrestricted File Uploads
      - Local Privilege Escalation
    • 68. SQL Injection
      - SQL injection is very common in web applications
      - Occurs when user input is sent to a SQL interpreter as part of a query
      - The attacker tricks the interpreter into executing unintended SQL queries
    • 69. SQL Injection: Injection in the OWASP Top 10
    • 70. SQL Injection: Normal operation
      [Diagram: the browser sends login and password (GET/POST) to the web app; the web app builds SELECT * FROM table WHERE login = 'login' AND password = 'password' and hands it to the database's SQL interpreter; the result comes back and is rendered as HTML]
    • 71. SQL Injection: Abnormal operation
      [Diagram: the browser sends login and, as the password, ' or 1=1-- ; the web app builds SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- ' and hands it to the SQL interpreter; the result comes back and is rendered as HTML]
    • 72. SQL Injection: Simple injections
      - '--
      - ' or 'a'='a
      - ' or 'a'='a'--
      - ' or '1'='1
      - ' or 1=1--
    • 73. SQL Injection
      - Union injections
        - ' UNION SELECT field1, field2 FROM table--
        - ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
      - Stacked queries
        - '; DROP TABLE table;--
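To make the "abnormal operation" diagram concrete from the defender's side, here is an added example (not code from the slides or from bWAPP) that runs the slide's `' or 1=1--` password against two versions of the same login query: one built by string concatenation, as the diagram shows, and one using bound parameters. It uses Python's built-in sqlite3 module and a constructed two-row `users` table; the table, the rows and the function names are this example's own assumptions, not bWAPP's schema.

```python
import sqlite3

# Constructed sample rows for this example only (not bWAPP's user table).
USERS = [("bee", "bug"), ("admin", "s3cret")]


def make_db():
    """Create an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (login, password) VALUES (?, ?)", USERS)
    return conn


def login_concatenated(conn, login, password):
    """Vulnerable form: the query text is assembled from user input, exactly like
    the slide's diagram. Returns the login of the first matching row, or None."""
    sql = ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
           % (login, password))
    # With password = "' or 1=1--" the interpreter sees
    #   ... AND password = '' or 1=1--'
    # so (login = ? AND password = '') OR 1=1 matches every row.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, login, password):
    """Hardened form: placeholders keep the input as data. The interpreter never
    parses it as SQL, so the same payload is simply a wrong password."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants with an unknown user and the slide's payload."""
    conn = make_db()
    payload = "' or 1=1--"
    return {
        "concatenated": login_concatenated(conn, "nobody", payload),   # "bee"
        "parameterized": login_parameterized(conn, "nobody", payload), # None
        "valid": login_parameterized(conn, "bee", "bug"),              # "bee"
    }


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the parameterized query needs no input filtering at all: the fix is structural, not a blacklist of quotes and comment markers, which is why it also covers the union and stacked-query variants on the next slide.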
    • 74. SQL Injection
    • 75. Demo: SQL Injection
      - Bypassing login forms
      - Manually extracting data
      - Automated SQL injection
      - Website defacement
    • 76. Cross-Site Scripting
      - Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application
      - Insufficient validation of user-supplied data
      - Dangerous when it is stored permanently!
      - XSS can lead to:
        - Website defacements
        - Phishing / session hijacking
        - Client-side exploitation
    • 77. Cross-Site Scripting: Types of XSS flaws
      - Reflected XSS
      - Stored XSS
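The two XSS slides say that the root cause is user-supplied data reaching the page without validation. The added example below (this is illustration code, not bWAPP's PHP) shows the same stored comment rendered with and without context-aware output encoding, in both an HTML text node and an attribute value, and uses Python's stdlib `html.parser` as a stand-in for the browser to list which tags and `on*` event handlers the page would actually contain. The comment string, wrapper markup and function names are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed "user comment" as a stored-XSS test input; the script body is a harmless marker.
SAMPLE_COMMENT = '<script>alert(1)</script><b onmouseover="x()">hi</b>'
# Constructed attribute-context input: closes the value attribute and adds a handler.
SAMPLE_ATTR = '" onfocus="x()'


def render_comment_unsafe(comment):
    """Reflects/stores the raw string: the browser treats its markup as part of the page."""
    return '<div class="comment">%s</div>' % comment


def render_comment_safe(comment):
    """Encodes for an HTML text node; < > & " ' become entities and can no longer open a tag."""
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


def render_attr_unsafe(value):
    """Unencoded value inside a quoted attribute: a " in the input ends the attribute early."""
    return '<input name="q" value="%s">' % value


def render_attr_safe(value):
    """quote=True is what makes the encoding safe in attribute context."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def browser_view(rendered):
    """Return (tags, event handlers) a browser-like parser would see in `rendered`."""
    p = _TagCollector()
    p.feed(rendered)
    p.close()
    return p.tags, p.handlers


if __name__ == "__main__":
    for label, out in [("unsafe text", render_comment_unsafe(SAMPLE_COMMENT)),
                       ("safe text", render_comment_safe(SAMPLE_COMMENT)),
                       ("unsafe attr", render_attr_unsafe(SAMPLE_ATTR)),
                       ("safe attr", render_attr_safe(SAMPLE_ATTR))]:
        print(label, browser_view(out))
```

Running it shows the unsafe text version carrying `script` and `b` tags plus an `onmouseover` handler, while the escaped version contains only the wrapping `div`; likewise the unescaped attribute grows an `onfocus` handler that disappears once the quote is encoded. Encoding must match the output context (text node, attribute, URL, JavaScript), which is why a single "sanitize on input" step is not a substitute.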
    • 78. Cross-Site Scripting: XSS in the OWASP Top 10
    • 79. Demo: Cross-Site Scripting
      - Detecting XSS
      - Phishing & session hijacking
      - Client-side exploitation
    • 80. Denial-of-Service
      - Denial-of-Service attack, or DoS attack
      - An attacker attempts to prevent legitimate users from accessing the application, server or network
      - Consumes network bandwidth, server sockets, threads, or CPU resources
      - Distributed Denial-of-Service attack, or DDoS
      - Popular techniques used by hacktivists
    • 81. Denial-of-Service
      - Newer layer 7 DoS attacks are more powerful!
      - “Low-bandwidth application layer DoS”
      - Advantages of layer 7 DoS (for the attacker):
        - Legitimate TCP/UDP connections, difficult to differentiate from normal traffic
        - Requires fewer connections, so a web server can be stopped by a single attack
        - Reaches the resource limits of services, regardless of the hardware capabilities of the server
    • 82. Denial-of-Service: Layer 7 DoS methods
      - HTTP Slow Headers
      - HTTP Slow POST
      - HTTP Slow Reading
      - Apache Range Header
      - SSL/TLS Renegotiation
      - XML Bombs
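Of the layer 7 methods listed, the XML bomb is the one a web application can refuse at the door: its damage comes from nested internal entity declarations whose expansion is orders of magnitude larger than the request body. The added example below (not from the slides or bWAPP) estimates that expansion from the DOCTYPE without ever building the expanded string, flags self-referencing entities as unbounded, and reports external (SYSTEM/PUBLIC) entities so the same gate covers the XXE case. The regexes, thresholds and the three constructed sample documents are this example's own assumptions; a production parser should additionally have DTD processing disabled.

```python
import math
import re

# Internal DTD subset, general entity declarations and entity references (constructed regexes;
# parameter entities "<!ENTITY % ..." are not matched and so count as undefined references).
DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
ENTITY_DECL_RE = re.compile(
    r"<!ENTITY\s+(\w+)\s+(?:\"([^\"]*)\"|'([^']*)'|(SYSTEM|PUBLIC)[^>]*)\s*>", re.I)
ENTITY_REF_RE = re.compile(r"&(\w+);")

# Constructed samples: a small four-level bomb (10**4 expansion), a recursive entity, an external one.
SAMPLE_BOMB = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE x [\n'
    '  <!ENTITY a "aaaaaaaaaa">\n'
    '  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    '  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    '  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">\n'
    ']>\n'
    '<x>&d;</x>\n'
)
SAMPLE_RECURSIVE = '<!DOCTYPE x [<!ENTITY r "&r;">]><x>&r;</x>'
SAMPLE_EXTERNAL = '<!DOCTYPE x [<!ENTITY e SYSTEM "http://example.invalid/e.txt">]><x>&e;</x>'


def parse_dtd(doc):
    """Return (internal entity map, count of external entities, document minus its DOCTYPE)."""
    m = DOCTYPE_RE.search(doc)
    if not m:
        return {}, 0, doc
    internal, external = {}, 0
    for name, dq, sq, kind in ENTITY_DECL_RE.findall(m.group(1) or ""):
        if kind:
            external += 1            # SYSTEM/PUBLIC: fetched from elsewhere, never expanded here
        else:
            internal[name] = dq or sq
    return internal, external, doc[:m.start()] + doc[m.end():]


def _expanded_len(text, entities, stack=()):
    """Length of `text` once every entity reference is expanded, computed without materializing it."""
    total, pos = 0, 0
    for ref in ENTITY_REF_RE.finditer(text):
        total += ref.start() - pos
        name = ref.group(1)
        if name in stack:
            return math.inf           # entity refers to itself: expansion never terminates
        value = entities.get(name)
        if value is None:
            total += len(ref.group(0))   # predefined (&amp;) or undefined: roughly its own length
        else:
            total += _expanded_len(value, entities, stack + (name,))
        pos = ref.end()
    return total + len(text) - pos


def expansion_report(doc):
    """Summarize how much the document grows when its internal entities are expanded."""
    entities, external, body = parse_dtd(doc)
    expanded = _expanded_len(body, entities)
    return {
        "internal_entities": len(entities),
        "external_entities": external,
        "expanded": expanded,
        "ratio": expanded / max(len(doc), 1),
    }


def is_safe_xml(doc, max_ratio=10.0, allow_external=False):
    """Accept or reject a document before it reaches the real XML parser."""
    r = expansion_report(doc)
    if r["external_entities"] and not allow_external:
        return False, "external entity declaration"
    if r["ratio"] > max_ratio:
        return False, "entity expansion ratio %.1f exceeds %.1f" % (r["ratio"], max_ratio)
    return True, "ok"


if __name__ == "__main__":
    for name, sample in [("bomb", SAMPLE_BOMB), ("recursive", SAMPLE_RECURSIVE),
                         ("external", SAMPLE_EXTERNAL), ("benign", "<a>&amp; &lt;</a>")]:
        print(name, expansion_report(sample), is_safe_xml(sample))
```

The 218-byte sample expands to 10031 characters, a ratio of about 46, so it is rejected at the default limit of 10; the recursive sample reports an infinite ratio and the external one is rejected outright. The same idea applied to the other slow-request methods on the slide is a server-side limit (request body size, header timeout, minimum transfer rate) rather than application code.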
    • 83. Demo: Denial-of-Service
      - HTTP Slow POST
      - XML Bomb
    • 84. Web Shells
      - Web shells are malicious web pages that provide an attacker with functionality on a web server
      - Making use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl, ...
      - Web shell functionalities:
        - File transfers
        - Command execution
        - Network reconnaissance
        - Database connectivity
    • 85. Web Shells: External attack vectors
      - (Blind) SQL Injection
      - OS Command Injection
      - Remote File Inclusion
      - Unrestricted File Upload
      - Insecure FTP, WebDAV, …
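Unrestricted file upload is the most direct of the attack vectors listed for getting a web shell onto the server. The added example below (illustration code, not bWAPP's upload handler) shows the checks an upload endpoint should make on the server side: it ignores the client's filename and Content-Type beyond extracting a single extension, requires that extension to be on an allowlist, verifies the magic bytes, rejects image files that also carry a server-side script opener (the polyglot case), and stores the file under a random name. The allowlist, markers, size limit and the constructed inputs in the test are this example's own assumptions.

```python
import os
import secrets

# Allowlisted extensions and the magic bytes each must start with (constructed for this example).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Openers of server-side script languages the slide names (PHP, ASP/JSP, shell); an
# "image" containing one of these is a polyglot and is refused.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script", b"#!/")
MAX_BYTES = 2 * 1024 * 1024


def validate_upload(filename, data, max_bytes=MAX_BYTES):
    """Return (accepted, reason, stored_name).

    The browser-supplied name is untrusted: path components are dropped, exactly
    one extension is allowed (so shell.php.png, .htaccess and bare names fail),
    and the bytes, not the name or the Content-Type header, decide what it is.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required", None
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension %r not in allowlist" % ext, None
    if len(data) > max_bytes:
        return False, "file too large", None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match %s magic bytes" % ext, None
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script marker found (polyglot)", None
    stored = "%s.%s" % (secrets.token_hex(16), ext)   # never reuse the client's name
    return True, "ok", stored


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, blob in [("photo.png", png), ("shell.php", b"<?php echo 1; ?>"),
                       ("shell.php.png", png), ("pic.jpg", b"\xff\xd8\xff\xe0<?php echo 1; ?>")]:
        print(name, validate_upload(name, blob)[:2])
```

Two caveats belong with this code: the marker scan can false-positive on a genuine image whose pixel data happens to contain one of the byte sequences, so pipelines that can afford it re-encode images instead of scanning them; and none of these checks replace serving the upload directory with script execution disabled, which is what stops a shell that slips through from ever running.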
    • 86. Demo: Web Shell
      - Web shell creation
      - Remote shell access
      - Escalating privileges...
      - Getting root access!
    • 87. What is bWAPP? Contents
      - Defense Needed
      - bWAPP & bee-box
      - Web App Pentesting
      - Hungry Evil Bees
      - Superbees Wanted
    • 88. Superbees Wanted: Hi little bees, during this talk we
      - Defaced our website
      - Compromised the server
      - Compromised a client
      - Made the server unreachable
      - Hijacked a session
      - Stole credentials…
    • 89. Superbees Wanted
      - And we have so many more bugs to exploit…
      - It’s definitely time to improve your web security
      - Defense is needed, and testing is required!
      - Downloading bWAPP is a first start
      - Remember: every bee needs a superbee
      - Are you that superbee? @MME_IT #bWAPP
    • 90. Contact Me: Malik Mesellem
      - Email | malik@itsecgames.com
      - LinkedIn | be.linkedin.com/in/malikmesellem
      - Twitter | twitter.com/MME_IT
      - Blog | itsecgames.blogspot.com
    • 91. Cheat Sheet
      - Hi little bees… we have a cheat sheet for you
      - Containing all bWAPP solutions
      - Follow us on Twitter, and ask for our cheat sheet
      - You will definitely become a superbee! @MME_IT #bWAPP
    • 92. Need a Training? Attacking & Defending Web Apps with bWAPP
      - 2-day comprehensive web security course
      - Focus on attack and defense techniques!
      - More info: http://goo.gl/ASuPa1 (pdf)