SANS 2015 - Superbees Wanted
- 1. What is bWAPP? | © 2015 Malik Mesellem, all rights reserved.
What is bWAPP?
Malik Mesellem
Defense Needed, Superbees Wanted
- 3.
MS15-034
Web related!
- 4.
Contact Me
Malik Mesellem
Email | malik@itsecgames.com
Twitter | twitter.com/MME_IT
LinkedIn | be.linkedin.com/in/malikmesellem
Blog | itsecgames.blogspot.com
- 5.
What is bWAPP?
Contents
Defense Needed
bWAPP & bee-box
WebApp Pentesting
Hungry Evil Bees
Superbees Wanted
- 7.
Defense Needed
Web application security is today's most overlooked aspect of securing the enterprise
Hackers are concentrating their efforts on websites and web applications
Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
- 8.
Defense Needed
Why are web applications an attractive target?
Easily available via the Internet (24/7)
Mission-critical business applications with sensitive data
Often direct access to backend data
Traditional firewalls and SSL provide no protection
Many applications are custom-made == vulnerable
- 10.
DEFENSE is needed!
- 11.
What is bWAPP?
Contents
Defense Needed
bWAPP & bee-box
WebApp Pentesting
Hungry Evil Bees
Superbees Wanted
- 12.
bWAPP == defense
bWAPP, or a buggy Web APPlication
Deliberately insecure web application, includes all major known web vulnerabilities
Helps security enthusiasts, developers and students to discover and to prevent issues
Prepares one for successful penetration testing and ethical hacking projects
- 13.
bWAPP == defense
Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues
Black-box penetration testing, simulating real attack scenarios, is still needed!
Confirms potential vulnerabilities, and excludes false positives
Guarantees that your defense measures are working effectively
bWAPP helps to improve your security-testing skills…
- 15.
OMG! Are we prepared for REAL attack scenarios???
- 16.
bWAPP
Testimonials
Awesome! It's good to see fantastic tools staying up to date ...
Ed Skoudis
Founder of Counter Hack
I just installed bWAPP 1.6 into the next release of SamuraiWTF ... It's a great app ...
Justin Searle
Managing Partner at UtiliSec
Great progress on bWAPP BTW! :)
Vivek Ramachandran
Owner of SecurityTube
- 17.
bWAPP
Architecture
Open source PHP application
Backend MySQL database
Linux/Windows Apache/IIS
WAMP or XAMPP
- 18.
bWAPP
Features (1)
Very easy to use and to understand
Well structured and documented PHP code
Different security levels (low/medium/high)
‘New user’ creation (password/secret)
‘Reset application/database’ feature
Manual intervention page
Email functionalities
- 19.
bWAPP
Features (2)
Local PHP settings file
No-authentication mode (A.I.M.)
‘Evil Bee’ mode, bypassing security checks
‘Evil’ directory, including attack scripts
WSDL file (Web Services/SOAP)
Fuzzing possibilities
- 20.
bWAPP
What makes bWAPP so unique?
Well, it has over 100 web vulnerabilities
Covering all major known web bugs
Including all risks from the Top 10 project
Focus is not on one specific issue!
- 21.
bWAPP
Which bug do you want to hack today? (1)
SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
Authentication, authorization and session management issues
Malicious, unrestricted file uploads and backdoor files
Arbitrary file access and directory traversals
Heartbleed and Shellshock vulnerabilities
Local and remote file inclusions (LFI/RFI)
Server Side Request Forgery (SSRF)
- 22.
bWAPP
Which bug do you want to hack today? (2)
Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures,...
HTTP parameter pollution and HTTP response splitting
XML External Entity attacks (XXE)
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Drupal, phpMyAdmin and SQLite issues
Unvalidated redirects and forwards
Denial-of-Service (DoS) attacks
- 23.
bWAPP
Which bug do you want to hack today? (3)
Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
AJAX and Web Services issues (JSON/XML/SOAP)
Parameter tampering and cookie poisoning
Buffer overflows and local privilege escalations
PHP-CGI remote code execution
HTTP verb tampering
And much more
- 24.
bWAPP
Which bug do you want to hack today?
- 25.
bWAPP
- 26.
bWAPP
Coming soon!
Cryptographic attacks
Insecure session variables
Session fixation
More authentication issues
WordPress vulnerabilities
More D-XSS
- 27.
bWAPP
External links
Home page - www.itsecgames.com
Download location - sourceforge.net/projects/bwapp
Blog - itsecgames.blogspot.com
- 28.
bee-box
Every bee needs a home… the bee-box
VM pre-installed with bWAPP
LAMP environment: Linux, Apache, MySQL and PHP
Compatible with VMware and VirtualBox
Requires zero installation
- 29.
bee-box
bee-box is also made deliberately insecure…
Opportunity to explore all bWAPP vulnerabilities
Gives you several ways to hack and deface bWAPP
Even possible to hack the bee-box to get full root access!
Hacking, defacing and exploiting without going to jail
You can download bee-box from here
- 30.
bee-box
- 31.
bee-box
Features (1)
Apache, Lighttpd, Nginx, MySQL and PHP installed
Several PHP extensions installed (LDAP, SQLite,…)
Vulnerable Bash, Drupal, OpenSSL and PHP-CGI
Insecure DistCC, FTP, NTP, SNMP, VNC, WebDAV
phpMyAdmin and SQLiteManager installed
Postfix installed and configured
AppArmor disabled
- 32.
bee-box
Features (2)
Weak self-signed SSL certificate
‘Fine-tuned’ file access permissions
.htaccess files support enabled
Some basic security tools installed
Shortcuts to start, install and update bWAPP
An amazing wallpaper
An outdated Linux kernel…
- 33.
bWAPP & bee-box
Ready, set, and hack!
Only one thing to remember
Logon credentials are…
- 34.
bee/bug
- 35.
bWAPP & bee-box
Ready, set, and hack!
Only one thing to remember
Logon credentials are bee/bug
Please don’t bug me anymore…
- 36.
bWAPP & bee-box
Installation and configuration
Install VMware Player or Oracle VirtualBox
Extract, install, and start the bee-box VM
Configure or check the IP settings
Browse to the bWAPP web app
http://[IP]/bWAPP/
Login with bee/bug
- 37.
bWAPP & bee-box
General application settings
settings.php, located under the bWAPP admin folder
Connection settings
SMTP settings
A.I.M. mode
Evil bee mode
Static credentials
- 38.
bWAPP & bee-box
General application settings
Opening the settings file (as root)
sudo gedit /var/www/bWAPP/admin/settings.php
- 39.
bWAPP & bee-box
Settings
- 40.
bWAPP & bee-box
A.I.M. mode
Authentication Is Missing, a no-authentication mode
May be used for testing web scanners and crawlers
Procedure
Change the IP address in the settings file
Point your web scanner or crawler to
http://[IP]/bWAPP/aim.php
All hell breaks loose…
- 41.
bWAPP & bee-box
Worst-case-scenario-options
Reset the application
http://[IP]/bWAPP/reset.php
Reset the application + database
http://[IP]/bWAPP/reset.php?secret=bWAPP
Reinstall the database
Drop the database from phpMyAdmin
http://[IP]/bWAPP/install.php
- 42.
Finally… time for a DEMO
- 44.
What is bWAPP?
Contents
Defense Needed
bWAPP & bee-box
WebApp Pentesting
Hungry Evil Bees
Superbees Wanted
- 45.
Penetration Testing
Penetration testing, or pentesting
Method of evaluating computer, network or application security by simulating an attack
Active analysis of potential vulnerabilities by using ethical hacking techniques
Penetration tests are sometimes a component of a full security audit
- 46.
Web App Penetration Testing
Web application pentesting focuses on evaluating the security of a web application
The application is tested for known web vulnerabilities
Manual, automatic and semi-automatic tests
Source code analysis and web server configuration review as an option
- 47.
Web App Penetration Testing
It’s all about identifying, exploiting, and reporting vulnerabilities
Some considerations…
Commercial tools vs. open source tools
Not a best practice to use only one tool
Most commercial scanners don’t exploit
False positives are not allowed!
People don’t like auto-generated reports
- 48.
Testing Methodologies
A simple testing methodology
- 49.
Testing Methodologies
A more advanced testing methodology
- 50.
OWASP
OWASP, or Open Web Application Security Project
Worldwide non-profit organization focused on improving the security of software
Freely-available articles, methodologies, documentation, tools, and technologies
Vendor neutral, no recommendations for commercial products or services!
- 51.
OWASP
Current OWASP Projects
Top 10 Project and Testing Guide
Development and Code Review Guide
Application Security Verification Standard
Broken Web Applications (BWA)
Zed Attack Proxy (ZAP)
- 52.
OWASP
The OWASP Top 10 Project lists the 10 most severe web application security risks
Constantly updated, latest version released in 2013
Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS
Good starting point for a web application pentest
What to test? How to test? How to prevent?
- 53.
OWASP
OWASP Top 10 Application Security Risks
- 54.
OWASP
OWASP Top 10 placement
- 56.
Intercepting Proxies
Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)
Located between the browser and the web application
Ability to intercept and to modify requests/responses
Provide a historical record of all requests
Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories
- 57.
Intercepting Proxies
ZAP, Zed Attack Proxy
OWASP project, by Simon Bennetts
Java application, released in September 2010
Fork of the Paros intercepting proxy
Pentesting tool for finding vulnerabilities
Provides automated scanning, as well as a set of tools to find security vulnerabilities manually
- 58.
Intercepting Proxies
ZAP, Zed Attack Proxy
Functionalities
Intercepting proxy, listening on TCP/8080
Traditional and AJAX spider
Automated and passive scanner
Fuzzing and brute force capabilities
Smartcard and client certificate support
Authentication and session support
- 59.
Intercepting Proxies
ZAP, Zed Attack Proxy
- 60.
Demo
ZAP, Zed Attack Proxy
Parameter/cookie tampering
Online password attack
Vulnerability detection
- 61.
Commercial Web Scanners
Netsparker
Automated ‘false positive free’ web security scanner
Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
Automatically exploits detected vulnerabilities to ensure no false positives are reported
Free ‘Community Edition’ available!
- 62.
Commercial Web Scanners
- 63.
Commercial Web Scanners
Netsparker
- 64.
Ready to Exploit some bugs?
- 65.
What is bWAPP?
Contents
Defense Needed
bWAPP & bee-box
WebApp Pentesting
Hungry Evil Bees
Superbees Wanted
- 66.
Hungry Evil Bees
Hacking, Defacing and Exploiting
SQL Injection
Cross-Site Scripting (XSS)
Client-side Attacks
Denial-of-Service (DoS)
Unrestricted File Uploads
Local Privilege Escalation
- 67.
SQL Injection
SQL injection is very common in web applications
Occurs when user input is sent to a SQL interpreter as part of a query
The attacker tricks the interpreter into executing unintended SQL queries
- 68.
SQL Injection
Injection in the OWASP Top 10
- 69.
SQL Injection
Normal operation
Diagram: the BROWSER sends login and password to the WEB APP over HTML (GET/POST); the WEB APP sends SQL to the DATABASE (SQL interpreter); the result flows back as SQL, then as HTML
Query: SELECT * FROM table WHERE login = 'login' AND password = 'password'
- 70.
SQL Injection
Abnormal operation
Diagram: same flow as the normal operation, but the BROWSER submits login and the password ' or 1=1--
Query: SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- '
- 71.
SQL Injection
Simple injections
'--
' or 'a'='a
' or 'a'='a'--
' or '1'='1
' or 1=1--
- 72.
SQL Injection
Union injections
' UNION SELECT field1, field2 FROM table--
' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
Stacked queries
'; DROP TABLE table;--
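The login bypass from the normal/abnormal operation slides, worked through as an added example that is not part of the deck or of bWAPP's own code: the query built by string concatenation is placed beside its parameterized form, and the slide's simple injections are run through both. SQLite stands in for the MySQL backend, the heroes table and user neo are taken from the slides, and the sample rows are invented.

```python
import sqlite3

# Constructed sample data standing in for bWAPP's "heroes" table (the table
# and the user "neo" are named on the slides; the rows here are invented).
SAMPLE_ROWS = [("neo", "trinity"), ("alice", "loveZombies")]

# The 'simple injections' from the slide that apply to the password field.
SIMPLE_INJECTIONS = ["' or 'a'='a", "' or 'a'='a'--", "' or '1'='1", "' or 1=1--"]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL backend (same effect here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE heroes (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO heroes VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, login: str, password: str) -> list:
    """'Abnormal operation' slide: input is concatenated into the query text,
    so a quote closes the string literal and '--' comments out the rest."""
    query = ("SELECT login FROM heroes WHERE login = '%s' AND password = '%s'"
             % (login, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, login: str, password: str) -> list:
    """Hardened form: bound parameters keep the input as data, never as SQL.
    (The plaintext password compare only mirrors the slide; hash in practice.)"""
    query = "SELECT login FROM heroes WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (login, password))]


def compare(payloads=SIMPLE_INJECTIONS) -> dict:
    """Map each payload to (rows returned by the vulnerable query, rows
    returned by the safe query) when it is submitted as neo's password."""
    conn = make_db()
    return {p: (login_vulnerable(conn, "neo", p), login_safe(conn, "neo", p))
            for p in payloads}


if __name__ == "__main__":
    conn = make_db()
    print("valid credentials:", login_safe(conn, "neo", "trinity"))
    for payload, (vuln, safe) in compare().items():
        print(f"{payload!r:20} vulnerable -> {vuln}   safe -> {safe}")
```

Every payload makes the vulnerable query return the whole table (the tautology turns the WHERE clause into AND ... OR true), while the parameterized query returns nothing because the payload is compared as a literal password.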
- 73.
SQL Injection
- 74.
Blind SQL Injection
Blind SQL injection occurs when the database does not output data to the web page
Nearly identical to normal SQL injection, but the way data is retrieved is different…
The result of the SQL injection is determined based on the application’s responses
Boolean-based or time-based
Using automated tools is a must
- 75.
Blind SQL Injection
Example: Time-based SQL injection
blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,1,1))=116 AND SLEEP(5)--
blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,2,1))=114 AND SLEEP(5)--
blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,3,1))=105 AND SLEEP(5)--
blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,4,1))=110 AND SLEEP(5)--
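A defender-side check for the injection slides (the time-based probes just above, plus the simple, union and stacked shapes earlier), as an added example that is not part of the deck: it decodes access-log request lines, flags the payload shapes the slides show, and groups the hits per client so that the character-by-character SUBSTRING walk stands out. The log lines and the search.php path are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not real bee-box traffic; the
# search.php path is invented). The requests from 10.0.0.9 mirror the payload
# shapes on the slides: UNION probes walking SUBSTRING(password,n,1) with
# SLEEP(5), then the ' or 1=1-- bypass.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2015:10:00:01 +0200] "GET /bWAPP/search.php?title=Iron+Man HTTP/1.1" 200 2048
10.0.0.9 - - [01/May/2015:10:00:02 +0200] "GET /bWAPP/search.php?title=blah%27+UNION+SELECT+1,1,1,1,1,1+FROM+heroes+WHERE+login%3D%27neo%27+AND+ASCII(SUBSTRING(password,1,1))%3D116+AND+SLEEP(5)-- HTTP/1.1" 200 1011
10.0.0.9 - - [01/May/2015:10:00:08 +0200] "GET /bWAPP/search.php?title=blah%27+UNION+SELECT+1,1,1,1,1,1+FROM+heroes+WHERE+login%3D%27neo%27+AND+ASCII(SUBSTRING(password,2,1))%3D114+AND+SLEEP(5)-- HTTP/1.1" 200 1011
10.0.0.9 - - [01/May/2015:10:00:14 +0200] "GET /bWAPP/search.php?title=%27+or+1%3D1-- HTTP/1.1" 200 9801
10.0.0.7 - - [01/May/2015:10:00:15 +0200] "GET /bWAPP/search.php?title=Terminator HTTP/1.1" 200 2100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# One pattern per injection shape named on the slides.
SIGNATURES = {
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?", re.I),
    "stacked": re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
}
SUBSTRING_RE = re.compile(r"substring\(\s*\w+\s*,\s*(\d+)\s*,\s*1\s*\)", re.I)


def classify(request_path: str) -> tuple:
    """Decode the query string and return (signature names matched, list of
    SUBSTRING positions probed). Decoding first matters: %27 and '+' hide the
    quote and the spaces the patterns look for."""
    query = unquote_plus(request_path.partition("?")[2])
    hits = {name for name, rx in SIGNATURES.items() if rx.search(query)}
    positions = [int(p) for p in SUBSTRING_RE.findall(query)]
    return hits, positions


def analyse(log_text: str) -> dict:
    """Per client IP: flagged request count, union of matched signatures and
    the sorted password positions probed. A 1,2,3,... progression from one IP
    is the character-by-character extraction of the time-based slide."""
    report = defaultdict(lambda: {"flagged": 0, "signatures": set(),
                                  "substring_positions": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log record
        ip, _method, path, _status = m.groups()
        hits, positions = classify(path)
        if not hits:
            continue
        entry = report[ip]
        entry["flagged"] += 1
        entry["signatures"] |= hits
        entry["substring_positions"].update(positions)
    return {ip: {**e, "substring_positions": sorted(e["substring_positions"])}
            for ip, e in report.items()}


if __name__ == "__main__":
    for ip, entry in analyse(SAMPLE_LOG).items():
        print(ip, entry)
```

On a real bee-box the probes also show up as responses delayed by the SLEEP interval; correlating the flagged requests with response times (for example Apache's %D log field) separates probing from a benign title that happens to contain a quote.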
- 76.
Automated SQL Injection
sqlmap
Open source penetration testing tool
Automates the process of detecting and exploiting SQL injection
Developed in Python, since July 2006
Full support for MS SQL, MySQL, Oracle, PostgreSQL,…
Full support for various SQL injection techniques
Site: http://sqlmap.org/
- 77.
Demo
SQL Injection
Bypassing login forms
Manually extracting data
Automated SQL injection
Website defacement
- 78.
Cross-Site Scripting
Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application
Insufficient validation of user-supplied data
Dangerous when it is stored permanently!
XSS can lead to
Website defacements
Phishing / session hijacking
Client-side exploitation
- 79.
Cross-Site Scripting
Types of XSS flaws
Reflected XSS
Stored XSS
- 80.
Cross-Site Scripting
XSS in the OWASP Top 10
- 81.
Demo
Cross-Site Scripting
Detecting XSS
Phishing & session hijacking
Client-side exploitation
- 82.
Denial-of-Service
Denial-of-Service attack, or DoS attack
An attacker attempts to prevent legitimate users from accessing the application, server or network
Consumes network bandwidth, server sockets, threads, or CPU resources
Distributed Denial-of-Service attack, or DDoS
Popular techniques used by hacktivists
- 83.
Denial-of-Service
Newer layer 7 DoS attacks are more powerful!
“Low-bandwidth application layer DoS”
Advantages of layer 7 DoS
Legitimate TCP/UDP connections, difficult to differentiate from normal traffic
Requires fewer connections; a single attack can possibly stop a web server
Reaches the resource limits of services, regardless of the hardware capabilities of the server
- 84.
Denial-of-Service
Layer 7 DoS methods
HTTP Slow Headers
HTTP Slow POST
HTTP Slow Reading
Apache Range Header
SSL/TLS Renegotiation
XML Bombs
- 85.
Demo
Denial-of-Service
HTTP Slow POST
MS15-034 (>SSRF)
- 86.
Web Shells
Web shells are malicious web pages that provide an attacker functionality on a web server
Making use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl,...
Web shell functionalities
File transfers
Command execution
Network reconnaissance
Database connectivity
- 87.
Web Shells
External attack vectors
(Blind) SQL Injection
OS Command Injection
Remote File Inclusion
Unrestricted File Upload
Insecure FTP, WebDAV,…
- 88.
Demo
Web Shell
Web shell creation
Remote shell access
Escalating privileges...
Getting root access!
- 89.
What is bWAPP?
Contents
Defense Needed
bWAPP & bee-box
Web App Pentesting
Hungry Evil Bees
Superbees Wanted
- 90.
Superbees Wanted
Hi little bees, during this talk we
Defaced our website
Compromised the server
Compromised a client
Made the server unreachable
Hijacked a session
Stole credentials…
- 91.
And we have so many more bugs…
Time to improve your web security
Defense is really needed
Downloading bWAPP is a first start
Remember, every bee needs a superbee
Are you that superbee?
Superbees Wanted
@MME_IT
#bWAPP