Introducing26th September 2012                           Abraham Aranguren                              @7a_ @owtfp       ...
Agenda• Intro     Before we start check     OWTF Intro     Installing OWTF     Running OWTF• Part 1: OWTF Passive + Semi-p...
Before we startIf you don’t have OWTF or OWTF demos yet:Step 1) Go to http://owtf.org (redirects to OWASP project)Step 2) ...
About me•   Spanish dude•   Uni: Degree, InfoSec research + honour mark•   IT: Since 2000, defensive sec as netadmin / dev...
Pentester disadvantagePentesters vs Bad guys• Pentesters have time/scope constraints != Bad guys• Pentesters have to write...
A Pentester “cheating try”Offensive (Web) Testing Framework = Multi-level “cheating” tactics
OWTF Chess-like approach    Kasparov against Deep Blue - http://www.robotikka.com
Demos
Installing
Installing OWTFIMPORTANT: ALL in the wiki: https://github.com/7a/owtf/wiki :)Option 1) (Easiest) From Backtrack - http://w...
Installing OWTFOption 2) Manual InstallStep 1 – Go to http://owtf.org - redirects to OWASP Project pageStep 2 – Click on D...
Missing Tools [*] WARNING: Tool path not found for: /pentest/web/owtf/tools/restricted/ssl/ssl-     cipher-check.pl [*] WA...
Define where tools areMain Config file: /pentest/web/owtf/profiles/general/default.cfgOption 1) Full pathTOOL_SET_DIR: /pe...
Running
OWTF CLI helpCall owtf without arguments to see the options available./owtf.py… -l <web/net/aux>:          list available ...
Listing OWTF pluginsThere are many plugins to choose from you can list them like this:./owtf.py -l web | more…[*] ********...
Simulation modeSimulation mode “-s”:1) SIMULATES what OWTF will do (so it does not do it!):2) Is useful to check the effec...
OWTF Plugin Groups
Plugin GroupsOWTF defines 3 major plugin groups (-g):• web (default) = targets are interpreted as URLs = web assessment on...
Part 1Passive and Semi-Passive      Web analysis
Plugin Types (-t)At least 48.5% (32 out of 66) of the tests in the OWASP Testing guide can belegally* performed at least p...
Plugins + Plugin Types• Only runs the passive plugins:owtf.py -t passive https://accounts.google.com• Only runs ALL Spider...
Demo / Exercise    Putting it all together..
Too much info?Use the filter to drill to what you care about:
Before we continueIf you don’t have OWTF or OWTF demos yet:Step 1) Go to http://owtf.org (redirects to OWASP project)Step ...
Classic Pentest Stages1. Pre-engagement: No permission “OWTF Cheat tactics” = Start here2. Engagement: Permission Official...
Context consideration:Case 1 robots.txt Not Found         …should Google index a site like this?Or should robots.txt exist...
Case 1 robots.txt Not Found - Semi passive• Direct request for robots.txt• Without visiting entries
Case 2 robots.txt Found – Passive• Indirect Stats, Downloaded txt file for review, “Open All in Tabs”
OWTF HTML Filter challenge: Embedding of untrusted third party HTMLDefence layers:1) HTML Filter: Open source challengeFil...
Start reporting!: Take your notes with fancy formattingStep 1 – Click the “Edit” linkStep 2 – Start documenting findings +...
Start reporting!: Paste PoC screenshots
The magic bar ;) – Useful to generate the human report later
Demo / Exercise
Passive PluginStep 1- Browse output files to review the full raw tool output:Step 2 – Review tools run by the passive Sear...
Tool output can also be reviewed via clicking through the OWTF report directly:
The Harvester:                         •Emails                         •Employee Names                         •Subdomains...
Metadata analysis:• TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺)• Implemented: Integration ...
Demo / Exercise
Inbound proxy not stable yet but all this happens automatically:• robots.txt entries added to “Potential URLs”• URLs found...
All HTTP transactions logged by target in transaction logStep 1 – Click on “Transaction Log”Step 2 – Review transaction en...
Step 3 – Review raw transaction information (if desired)
Step 1 - Make all direct OWTF requests go through Outbound Proxy:Passes all entry points to the tactical fuzzer for analys...
Demo / Exercise
Goal: What is that server running?Manually verify request for fingerprint:
Whatweb integration with non-aggresive parameter (semi passive detection):                   https://github.com/urbanadven...
Fingerprint header analysis: Match stats
Convenient vulnerability search box (1 box per header found ☺):Search All Open all site searches in tabs
Exploit DB - http://www.exploit-db.com
NVD - http://web.nvd.nist.gov - CVSS Score = High
OSVDB - http://osvdb.org - CVSS Score = High
http://www.securityfocus.com - Better on Google
http://www.exploitsearch.net - All in one
Passive Fingerprint analysis
http://toolbar.netcraft.com - Passive banner grab,etc.
•CMS                       •Widgets                       •Libraries                       •etchttp://builtwith.com
Search in the headers without touching the site:               http://www.shodanhq.com/
Passive suggestions- Prepare your test in a terminal window to hit “Enter” on “permission minute 1”
What else can be done with a fingerprint?
Environment replicationDownload it .. Sometimes from project page ☺Also check http://www.oldapps.com/, Google, etc.
Static Analyis, Fuzz, Try exploits, ..          RIPS for PHP: http://rips-scanner.sourceforge.net/Yasca for most other (al...
Demo / Exercise
http://www.robtex.com - Passive DNS Discovery
http://whois.domaintools.com
http://centralops.net
http://centralops.net
Demo / Exercise
Has Google found error messages for you?
Check errors via Google Cache
Demo / Exercise
The link is generated with OWTF with that box ticked: Important!            https://www.ssllabs.com/ssldb/analyze.html
Pretty graphs to copy-paste to your OWTF report ☺   https://www.ssllabs.com/ssldb/analyze.html
Do not forget about Strict-Transport-Security!sslstrip chances decrease dramatically:Only 1st time user visits the site!
Not found example:Found example:
Demo / Exercise
HTML content analysis: HTML Comments
Efficient HTML content matches analysisStep 1 - ClickStep 2 – Human Review of Unique matches
Efficient HTML content matches analysisStep 1 - ClickStep 2 –Review Unique matches (click on links for sample match info) ...
HTML content analysis: CSS and JavaScript Comments (/* */)
HTML content analysis: Single line JavaScript Comments (//)
HTML content analysis: PHP source code
HTML content analysis: ASP source code
Demo / Exercise
Demo / Exercise
If you find an admin interface don’t forget to ..         Google for default passwords:
Disclaimer: Permission is required for this
Demo / Exercise
http://centralops.net
Demo / Exercise
Is the login page on “http” instead of “https”?
Demo / Exercise
Pro Tip: When browsing the site manually .. … look carefully at pop-ups like this:  Consider (i.e. prep the attack):Firesh...
Mario was going to report a bug to Mozilla and found another!
Abuse user/member public search functions:   • Search for “” (nothing) or “a”, then “b”, ..   • Download all the data usin...
Demo / Exercise
Analyse the username(s) they gave you to test:• Username based on numbers?USER12345• Username based on public info? (i.e. ...
Demo / Exercise
Part 1 – Remember Password: Autocomplete                Good                                      BadVia 1) <form … autoco...
Manual verification for password autocomplete (i.e. for the customer)Easy “your grandma can do it” test:1. Login2. Logout3...
Part 2 - Password Reset formsManually look at the questions / fields in the password reset form• Does it let you specify y...
Demo / Exercise
Goal: Is Caching of sensitive info allowed?Manual verification steps: “your grandma can do it” ☺ (need login):1. Login2. L...
HTTP/1.1 headers                   Good                                            BadCache-Control: no-cache             ...
Repeat for Meta tags              Good                                Bad<META HTTP-EQUIV="Cache-Control"   <META HTTP-EQU...
Demo / Exercise
Step 1 – Find CAPTCHAs: Passive search
Offline Manual analysis:• Download image and try to break it• Are CAPTCHAs reused?• Is a hash or token passed? (Good algor...
Demo / Exercise
Manually Examine cookies for weaknesses offline  Base64 Encoding (!= Encryption ☺)                Decoded valueMTkyLjE2OC4...
http://hackvertor.co.uk/public
Lots of decode options, including: • auto_decode • auto_decode_repeat • d_base64 • etc.http://hackvertor.co.uk/public
F5 BIG-IP Cookie decoder:http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
Demo / Exercise
• Secure: not set= session cookie leaked= pwned• HttpOnly: not set = cookies stealable via JS• Domain: set properly• Expir...
Demo / Exercise
Manually check when verifying credentials during pre-engagement:    Login and analyse the Session ID cookie (i.e. PHPSESSI...
Demo / Exercise
Session ID:• In URL• In POST• In HTMLExample from the field:http://target.com/xxx/xyz.function?session_num=7785Look at una...
Demo / Exercise
Headers Enabling/Disabling Client-Side XSS filters:• X-XSS-Protection (IE-Only)• X-Content-Security-Policy (FF >= 4.0 + Ch...
Demo / Exercise
Review JavaScript code on the page:      <script>      document.write("Site is at: " + document.location.href + ".");     ...
Did Google find SQLi for you?
Demo / Exercise
<!--#exec cmd="/bin/ls /" --><!--#INCLUDE VIRTUAL="/web.config"-->
Demo / Exercise
1.   Browse Site2.   Time requests3.   Get top X slowest requests4.   Slowest = Best DoS target
Demo / Exercise
Google searches: inurl:wsdl site:example.comPublic services search:http://seekda.com/http://www.wsindex.org/http://www.soa...
WSDL analysisSensitive methods in WSDL?i.e. Download DB, Test DB, Get CC, etc.http://www.example.com/ws/FindIP.asmx?WSDL<w...
Same Origin Policy (SOP) 1011. Domain A’s page can send a request to Domain B’s page from Browser2. BUT Domain A’s page ca...
• Request == Predictable Pwned       “..can send a request to Domain B” (SOP)CSRF Protection 101:•Require long random toke...
Demo / Exercise
Similar to CSRF:        Is there an anti-replay token in the request?               Potentially Good                      ...
1) Passive search for Flash/Silverlight files + policies:Flash file search:                      Silverlight file search:
Static analysis: Download + decompile Flash files$ flare hello.swfFlare: http://www.nowrap.de/flare.htmlFlasm (timelines, ...
Static analysis tools                 Adobe SWF Investigator   http://labs.adobe.com/technologies/swfinvestigator/        ...
Active testing ☺  1) Trip to server = need permission  http://target.com/test.swf?xss=foo&xss2=bar  2) But … your browser ...
Some technologies allow settings that relax SOP:• Adobe Flash (via policy file)• Microsoft Silverlight (via policy file)• ...
Policy file retrieval for analysis
CSRF by design     read tokens = attacker WIN             Flash / Silverlight - crossdomain.xml<cross-domain-policy><allow...
CSRF by design        read tokens = attacker WIN                  Silverlight - clientaccesspolicy.xml<?xml version="1.0" ...
Need help?
Workshop exercise1) Install swtftools:wget http://www.swftools.org/swftools-0.9.2.tar.gztar xvfz swftools-0.9.2.tar.gzcd s...
Workshop exercise (continued)2) Analyse vulnerable file:wget http://demo.testfire.net/vulnerable.swf  Download vulnerable...
Workshop exercise (continued)3) Verify using the “#” trick (payload not sent to target):http://demo.testfire.net/vulnerabl...
UI Redressing protections:    • X-Frame-Options (best)    • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)    • Java...
Andrew Horton’s “Clickjacking for Shells”:http://www.morningstarsecurity.com/research/clickjacking-wordpressKrzysztof Koto...
Demo / Exercise
Part 2  ActiveWeb analysis
Demo / Exercise
Part 3Aux Plugins
Demo / Exercise
Special thanks to  Adi Mutu (@an_animal), Gareth Heyes (@garethheyes), KrzysztofKotowicz (@kkotowicz), Marc Wickenden (@ma...
Q&A                             Abraham Aranguren                                @7a_ @owtfp                        abraha...
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Upcoming SlideShare
Loading in...5
×

Introducing OWASP OWTF Workshop BruCon 2012

3,592

Published on

Demos, code and slides available on github:
https://github.com/7a/owtf/tree/master/demos

0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,592
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
108
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Transcript of "Introducing OWASP OWTF Workshop BruCon 2012"

  1. 1. Introducing26th September 2012 Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org
  2. 2. Agenda• Intro Before we start check OWTF Intro Installing OWTF Running OWTF• Part 1: OWTF Passive + Semi-passive Web analysis• Part 2: OWTF Active Web analysis• Part 3: OWTF aux plugins – SE, IDs testing• Conclusion• Q&A
  3. 3. Before we startIf you don’t have OWTF or OWTF demos yet:Step 1) Go to http://owtf.org (redirects to OWASP project)Step 2) Start downloading the latest VersionThis link! ☺Download OWASP OWTFStep 3) Start downloading the latest DemoThis link! ☺Download OWASP OWTF DEMOs (only Firefox >= 8 required)
  4. 4. About me• Spanish dude• Uni: Degree, InfoSec research + honour mark• IT: Since 2000, defensive sec as netadmin / developer• (Offensive) InfoSec: Since 2007• OSCP, CISSP, GWEB, CEH, MCSE, etc.• Web App Sec and Dev/Architect• Infosec consultant, blogger, OWTF, GIAC, BeEF
  5. 5. Pentester disadvantagePentesters vs Bad guys• Pentesters have time/scope constraints != Bad guys• Pentesters have to write a report != Bad guysComplexity is increasingMore complexity = more time needed to test properlyCustomers are rarely willing to:“Pay for enough / reasonable testing time“A call for efficiency:• We must find vulns faster• We must be more efficient• .. or bad guys will find the vulns, not us
  6. 6. A Pentester “cheating try”Offensive (Web) Testing Framework = Multi-level “cheating” tactics
  7. 7. OWTF Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
  8. 8. Demos
  9. 9. Installing
  10. 10. Installing OWTFIMPORTANT: ALL in the wiki: https://github.com/7a/owtf/wiki :)Option 1) (Easiest) From Backtrack - http://www.backtrack-linux.orgapt-get install owtfcd /pentest/web/owtf/tools./bt5_install.shcd /pentest/web/owtf/install./install.sh
  11. 11. Installing OWTFOption 2) Manual InstallStep 1 – Go to http://owtf.org - redirects to OWASP Project pageStep 2 – Click on Download OWASP OWTFStep 3 – Select latest version + downloadStep 4 – tar xvfz OWTF_0.15_Brucon.tar.gzStep 5 – Check install scripts:cd install ; sudo ./install.sh – Install librariescd tools ; ./bt5_install.sh, etc – Install tools
  12. 12. Missing Tools [*] WARNING: Tool path not found for: /pentest/web/owtf/tools/restricted/ssl/ssl- cipher-check.pl [*] WARNING: Tool path not found for: /pentest/web/owtf/tools/restricted/arachni- v0.3-cde … [*] WARNING: Tool path not found for: /pentest/web/owtf/tools/restricted/hoppy- 1.8.1 [*] [*] WARNING!!!: 7 tools could not be found. Some suggestions: [*] - Define where your tools are here: /pentest/web/owtf/profiles/general/default.cfg [*] - Use the /pentest/web/owtf/tools/bt5_install.sh script to install missing tools Continue anyway? [y/n]NOTE: OWTF will run with the tools you have, installing all tools is not mandatory
  13. 13. Define where tools areMain Config file: /pentest/web/owtf/profiles/general/default.cfgOption 1) Full pathTOOL_SET_DIR: /pentest/exploits/setTOOL_THEHARVESTER_DIR: /pentest/enumeration/theharvesterTOOL_METAGOOFIL_DIR: /pentest/enumeration/google/metagoofilTOOL_HTTPRINT_DIR: /pentest/enumeration/web/httprint/linuxTOOL_WAFW00F: /pentest/web/waffit/wafw00f.pyOption 2) Framework path: @@@FRAMEWORK_DIR@@@/tools/…#TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb- 0.4.7/whatwebTOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatweb-0.4.7/whatweb
  14. 14. Running
  15. 15. OWTF CLI helpCall owtf without arguments to see the options available./owtf.py… -l <web/net/aux>: list available plugins in the plugin group (web, net or aux) -f: force plugin result overwrite (default is avoid overwrite) -i <yes/no> interactive: yes (default, more control) / no (script-friendly) -e <except plugin1,2,..> comma separated list of plugins to be ignored in the test -o <only plugin1,2,..> comma separated list of the only plugins to be used in the test -p (ip:)port setup an inbound proxy for manual site analysis -x ip:port send all owtf requests using the proxy for the given ip and port -s Do not do anything, simply simulate how plugins would run…
  16. 16. Listing OWTF pluginsThere are many plugins to choose from you can list them like this:./owtf.py -l web | more…[*] **************************************** Passive Plugins[*] passive: Application_Discovery_____________________________(OWASP-IG- 005)________Third party discovery resources[*] passive: HTTP_Methods_and_XST______________________________(OWASP- CM-008)________Third party resources[*] passive: Old_Backup_and_Unreferenced_Files_________________(OWASP-CM- 006)________Google Hacking for juicy files…
  17. 17. Simulation modeSimulation mode “-s”:1) SIMULATES what OWTF will do (so it does not do it!):2) Is useful to check the effect of a command before running it# owtf.py -s https://accounts.google.com | more
  18. 18. OWTF Plugin Groups
  19. 19. Plugin GroupsOWTF defines 3 major plugin groups (-g):• web (default) = targets are interpreted as URLs = web assessment only• net = targets are interpreted as hosts/network ranges = traditional network discovery and probing• aux = targets are NOT interpreted, it is up to the plugin/resource definition to decide what to do with the targetExample:The following would run all web plugins against http://demo.testfire.net./owtf.py -g web http://demo.testfire.net
  20. 20. Part 1Passive and Semi-Passive Web analysis
  21. 21. Plugin Types (-t)At least 48.5% (32 out of 66) of the tests in the OWASP Testing guide can belegally* performed at least partially without permission* Except in Spain, where visiting a page can be illegal ☺* This is only my interpretation and not that of my employer + might not apply to your country!
  22. 22. Plugins + Plugin Types• Only runs the passive plugins:owtf.py -t passive https://accounts.google.com• Only runs ALL Spiders_Robots_and_Crawlers plugins:owtf.py -o Spiders_Robots_and_Crawlers https://accounts.google.com• Only runs the passive Spiders_Robots_and_Crawlers plugin:owtf.py -t passive -o Spiders_Robots_and_Crawlers https://accounts.google.com
  23. 23. Demo / Exercise Putting it all together..
  24. 24. Too much info?Use the filter to drill to what you care about:
  25. 25. Before we continueIf you don’t have OWTF or OWTF demos yet:Step 1) Go to http://owtf.org (redirects to OWASP project)Step 2) Start downloading the latest DemoThis link! ☺Download OWASP OWTF DEMOs (only Firefox >= 8 required)
  26. 26. Classic Pentest Stages1. Pre-engagement: No permission “OWTF Cheat tactics” = Start here2. Engagement: Permission Official test start = Active Testing here
  27. 27. Context consideration:Case 1 robots.txt Not Found …should Google index a site like this?Or should robots.txt exist and be like this?User-agent: *Disallow: /
  28. 28. Case 1 robots.txt Not Found - Semi passive• Direct request for robots.txt• Without visiting entries
  29. 29. Case 2 robots.txt Found – Passive• Indirect Stats, Downloaded txt file for review, “Open All in Tabs”
  30. 30. OWTF HTML Filter challenge: Embedding of untrusted third party HTMLDefence layers:1) HTML Filter: Open source challengeFilter 6 unchallenged since 04/02/2012, Can you hack it? ☺http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html2) HTML 5 sanboxed iframe3) Storage in another directory = cannot access OWTF Review in localStorage
  31. 31. Start reporting!: Take your notes with fancy formattingStep 1 – Click the “Edit” linkStep 2 – Start documenting findings + Ensure preview is ok
  32. 32. Start reporting!: Paste PoC screenshots
  33. 33. The magic bar ;) – Useful to generate the human report later
  34. 34. Demo / Exercise
  35. 35. Passive PluginStep 1- Browse output files to review the full raw tool output:Step 2 – Review tools run by the passive Search engine discovery plugin:Was your favourite tool not run?Tell OWTF to run your tools on: owtf_dir/profiles/resources/default.cfg (backup first!)
  36. 36. Tool output can also be reviewed via clicking through the OWTF report directly:
  37. 37. The Harvester: •Emails •Employee Names •Subdomains •Hostnameshttp://www.edge-security.com/theHarvester.php
  38. 38. Metadata analysis:• TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺)• Implemented: Integration with Metagoofil http://www.edge-security.com/metagoofil.php
  39. 39. Demo / Exercise
  40. 40. Inbound proxy not stable yet but all this happens automatically:• robots.txt entries added to “Potential URLs”• URLs found by tools are scraped + added to “Potential URLs”During Active testing (later):• “Potential URLs” visited + added to “Verified URLs” + Transaction log
  41. 41. All HTTP transactions logged by target in transaction logStep 1 – Click on “Transaction Log”Step 2 – Review transaction entries
  42. 42. Step 3 – Review raw transaction information (if desired)
  43. 43. Step 1 - Make all direct OWTF requests go through Outbound Proxy:Passes all entry points to the tactical fuzzer for analysis laterStep 2 - Entry points can then also be analysed via tactical fuzzer:
  44. 44. Demo / Exercise
  45. 45. Goal: What is that server running?Manually verify request for fingerprint:
  46. 46. Whatweb integration with non-aggresive parameter (semi passive detection): https://github.com/urbanadventurer/WhatWeb
  47. 47. Fingerprint header analysis: Match stats
  48. 48. Convenient vulnerability search box (1 box per header found ☺):Search All Open all site searches in tabs
  49. 49. Exploit DB - http://www.exploit-db.com
  50. 50. NVD - http://web.nvd.nist.gov - CVSS Score = High
  51. 51. OSVDB - http://osvdb.org - CVSS Score = High
  52. 52. http://www.securityfocus.com - Better on Google
  53. 53. http://www.exploitsearch.net - All in one
  54. 54. Passive Fingerprint analysis
  55. 55. http://toolbar.netcraft.com - Passive banner grab,etc.
  56. 56. •CMS •Widgets •Libraries •etchttp://builtwith.com
  57. 57. Search in the headers without touching the site: http://www.shodanhq.com/
  58. 58. Passive suggestions- Prepare your test in a terminal window to hit “Enter” on “permission minute 1”
  59. 59. What else can be done with a fingerprint?
  60. 60. Environment replicationDownload it .. Sometimes from project page ☺Also check http://www.oldapps.com/, Google, etc.
  61. 61. Static Analyis, Fuzz, Try exploits, .. RIPS for PHP: http://rips-scanner.sourceforge.net/Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
  62. 62. Demo / Exercise
  63. 63. http://www.robtex.com - Passive DNS Discovery
  64. 64. http://whois.domaintools.com
  65. 65. http://centralops.net
  66. 66. http://centralops.net
  67. 67. Demo / Exercise
  68. 68. Has Google found error messages for you?
  69. 69. Check errors via Google Cache
  70. 70. Demo / Exercise
  71. 71. The link is generated with OWTF with that box ticked: Important! https://www.ssllabs.com/ssldb/analyze.html
  72. 72. Pretty graphs to copy-paste to your OWTF report ☺ https://www.ssllabs.com/ssldb/analyze.html
  73. 73. Do not forget about Strict-Transport-Security!sslstrip chances decrease dramatically:Only 1st time user visits the site!
  74. 74. Not found example:Found example:
  75. 75. Demo / Exercise
  76. 76. HTML content analysis: HTML Comments
  77. 77. Efficient HTML content matches analysisStep 1 - ClickStep 2 – Human Review of Unique matches
  78. 78. Efficient HTML content matches analysisStep 1 - ClickStep 2 –Review Unique matches (click on links for sample match info) Want to see all? then click
  79. 79. HTML content analysis: CSS and JavaScript Comments (/* */)
  80. 80. HTML content analysis: Single line JavaScript Comments (//)
  81. 81. HTML content analysis: PHP source code
  82. 82. HTML content analysis: ASP source code
  83. 83. Demo / Exercise
  84. 84. Demo / Exercise
  85. 85. If you find an admin interface don’t forget to .. Google for default passwords:
  86. 86. Disclaimer: Permission is required for this
  87. 87. Demo / Exercise
  88. 88. http://centralops.net
  89. 89. Demo / Exercise
  90. 90. Is the login page on “http” instead of “https”?
  91. 91. Demo / Exercise
  92. 92. Pro Tip: When browsing the site manually .. … look carefully at pop-ups like this: Consider (i.e. prep the attack):Firesheep: http://codebutler.github.com/firesheep/SSLStrip: https://github.com/moxie0/sslstrip
  93. 93. Mario was going to report a bug to Mozilla and found another!
  94. 94. Abuse user/member public search functions: • Search for “” (nothing) or “a”, then “b”, .. • Download all the data using 1) + pagination (if any) • Merge the results into a CSV-like format • Import + save as a spreadsheet • Show the spreadsheet to your customer
  95. 95. Demo / Exercise
  96. 96. Analyse the username(s) they gave you to test:• Username based on numbers?USER12345• Username based on public info? (i.e. names, surnames, ..)name.surname• Default CMS user/pass?
  97. 97. Demo / Exercise
  98. 98. Part 1 – Remember Password: Autocomplete Good BadVia 1) <form … autocomplete=“off”> <form action="/user/login"Or Via 2) <input … autocomplete=“off”> method="post"> <input type="password" name="pass" />
  99. 99. Manual verification for password autocomplete (i.e. for the customer)Easy “your grandma can do it” test:1. Login2. Logout3. Click the browser Back button twice*4. Can you login again –without typing the login or password- by re- sending the login form? Can the user re-submit the login form via the back button? * Until the login form submissionOther sensitive fields: Pentester manual verification• Credit card fields• Password hint fields• Other
  100. 100. Part 2 - Password Reset formsManually look at the questions / fields in the password reset form• Does it let you specify your email address?• Is it based on public info? (name, surname, etc)• Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
  101. 101. Demo / Exercise
  102. 102. Goal: Is Caching of sensitive info allowed?Manual verification steps: “your grandma can do it” ☺ (need login):1. Login2. Logout3. Click the browser Back button4. Do you see logged in content or a this page has expired error / the login page?Manual analysis tools:• Commands: curl –i http://target.com• Proxy: Burp, ZAP, WebScarab, etc• Browser Plugins: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/ https://addons.mozilla.org/en-US/firefox/addon/firebug/
  103. 103. HTTP/1.1 headers Good BadCache-Control: no-cache Cache-control: private HTTP/1.0 headers Good BadPragma: no-cache Pragma: privateExpires: <past date or illegal (e.g. 0)> Expires: <way too far in the future> The world Good Bad https://accounts.google.com No caching headers = caching allowedCache-control: no-cache, no-store HTTP/1.1 200 OKPragma: no-cache Date: Tue, 09 Aug 2011 13:38:43 GMTExpires: Mon, 01-Jan-1990 00:00:00 GMT Server: …. X-Powered-By: …. Connection: close Content-Type: text/html; charset=UTF-8
  104. 104. Repeat for Meta tags Good Bad<META HTTP-EQUIV="Cache-Control" <META HTTP-EQUIV="Cache-Control"CONTENT="no-cache"> CONTENT=“private">
  105. 105. Demo / Exercise
  106. 106. Step 1 – Find CAPTCHAs: Passive search
  107. 107. Offline Manual analysis:• Download image and try to break it• Are CAPTCHAs reused?• Is a hash or token passed? (Good algorithm? Predictable?)• Look for vulns on CAPTCHA versionCAPTCHA breaking toolsPWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtchaCaptcha Breaker - http://churchturing.org/captcha-dist/
  108. 108. Demo / Exercise
  109. 109. Manually Examine cookies for weaknesses offline Base64 Encoding (!= Encryption ☺) Decoded valueMTkyLjE2OC4xMDAuMTpvd2FzcHVzZ owaspuser:192.168.100.1:XI6cGFzc3dvcmQ6MTU6NTg= a7656fafe94dae72b1e1487670148412
  110. 110. http://hackvertor.co.uk/public
  111. 111. Lots of decode options, including: • auto_decode • auto_decode_repeat • d_base64 • etc.http://hackvertor.co.uk/public
  112. 112. F5 BIG-IP Cookie decoder:http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
  113. 113. Demo / Exercise
  114. 114. • Secure: not set= session cookie leaked= pwned• HttpOnly: not set = cookies stealable via JS• Domain: set properly• Expires: set reasonably• Path: set to the right /sub-application• 1 session cookie that works is enough ..
  115. 115. Demo / Exercise
  116. 116. Manually check when verifying credentials during pre-engagement: Login and analyse the Session ID cookie (i.e. PHPSESSID) Good Bad (normal + by default)Before: 10a966616e8ed63f7a9b741f80e65e3c Before: 10a966616e8ed63f7a9b741f80e65e3cAfter: Nao2mxgho6p9jisslen9v3t6o5f943h After: 10a966616e8ed63f7a9b741f80e65e3c IMPORTANT: You can also set the session ID via JavaScript (i.e. XSS)
  117. 117. Demo / Exercise
  118. 118. Session ID:• In URL• In POST• In HTMLExample from the field:http://target.com/xxx/xyz.function?session_num=7785Look at unauthenticated cross-site requests:http://other-site.com/user=3&report=4Referer: site.comChange ids in application: (ids you have permission for!)http://site.com/view_doc=4
  119. 119. Demo / Exercise
  120. 120. Headers Enabling/Disabling Client-Side XSS filters:• X-XSS-Protection (IE-Only)• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
  121. 121. Demo / Exercise
  122. 122. Review JavaScript code on the page: <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): http://target.com/...#vulnerable_param=xsshttp://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  123. 123. Did Google find SQLi for you?
  124. 124. Demo / Exercise
  125. 125. <!--#exec cmd="/bin/ls /" --><!--#INCLUDE VIRTUAL="/web.config"-->
  126. 126. Demo / Exercise
  127. 127. 1. Browse Site2. Time requests3. Get top X slowest requests4. Slowest = Best DoS target
  128. 128. Demo / Exercise
  129. 129. Google searches: inurl:wsdl site:example.comPublic services search:http://seekda.com/http://www.wsindex.org/http://www.soapclient.com/
  130. 130. WSDL analysisSensitive methods in WSDL?i.e. Download DB, Test DB, Get CC, etc.http://www.example.com/ws/FindIP.asmx?WSDL<wsdl:operation name="getCreditCard" parameterOrder="id"> <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/> <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/></wsdl:operation>
  131. 131. Same Origin Policy (SOP) 1011. Domain A’s page can send a request to Domain B’s page from Browser2. BUT Domain A’s page cannot read Domain B’s page from Browser http://www.ibm.com/developerworks/rational/library/09/rationalapplicationdeveloperportaltoolkit3/
  132. 132. • Request == Predictable Pwned “..can send a request to Domain B” (SOP)CSRF Protection 101:•Require long random token (99% hidden anti-CSRF token) Not predictable•Attacker cannot read the token from Domain B (SOP) Domain B ignores request Potentially Good BadAnti-CSRF token present: Verify with permission No anti-CSRF token
  133. 133. Demo / Exercise
  134. 134. Similar to CSRF: Is there an anti-replay token in the request? Potentially Good BadAnti-CSRF token present: Verify with permission No anti-CSRF token
  135. 135. 1) Passive search for Flash/Silverlight files + policies:Flash file search: Silverlight file search:
  136. 136. Static analysis: Download + decompile Flash files$ flare hello.swfFlare: http://www.nowrap.de/flare.htmlFlasm (timelines, etc): http://www.nowrap.de/flasm.html
  137. 137. Static analysis tools Adobe SWF Investigator http://labs.adobe.com/technologies/swfinvestigator/ SWFScanSWFScan: http://www.brothersoft.com/hp-swfscan-download-253747.html
  138. 138. Active testing ☺ 1) Trip to server = need permission http://target.com/test.swf?xss=foo&xss2=bar 2) But … your browser is yours: No trip to server = no permission needed # http://target.com/test.swf ?xss=foo&xss2=barGood news: Unlike DOM XSS, the # trick will always work for Flash Files
  139. 139. Some technologies allow settings that relax SOP:• Adobe Flash (via policy file)• Microsoft Silverlight (via policy file)• HTML 5 Cross Origin Resource Sharing (via HTTP headers)Cheating: Reading the policy file or HTTP headers != attack http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
  140. 140. Policy file retrieval for analysis
  141. 141. CSRF by design read tokens = attacker WIN Flash / Silverlight - crossdomain.xml<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>Bad defence example: restrict pushing headers accepted by Flash:All headers from any domain accepted<allow-http-request-headers-from domain="*" headers="*" /> Flash: http://kb2.adobe.com/cps/403/kb403185.html
  142. 142. CSRF by design read tokens = attacker WIN Silverlight - clientaccesspolicy.xml<?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-access><policy> <allow-from http-request-headers="SOAPAction"> <domain uri="*"/> </allow-from> <grant-to><resource path="/" include-subpaths="true"/></grant-to> </policy></cross-domain-access></access-policy> Silverlight: http://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx
  143. 143. Need help?
  144. 144. Workshop exercise1) Install swtftools:wget http://www.swftools.org/swftools-0.9.2.tar.gztar xvfz swftools-0.9.2.tar.gzcd swftools-0.9.2sh ./configuremakemake installwhereis swfdump  Check that we have swfdump installed nowswfdump: /usr/local/bin/swfdump
  145. 145. Workshop exercise (continued)2) Analyse vulnerable file:wget http://demo.testfire.net/vulnerable.swf  Download vulnerable fileswfdump -a vulnerable.swf > vulnerable.txt  Disassemble flash filegrep -B1 GetVariable vulnerable.txt|tr " " "n"|grep ("|sort –u  Get FlashVars("empty_mc")("externalInterfaceVar")("flash")("font")("fontTxtFieldExists")("fontVar")("getUrlBlankVar")("getUrlJSParam")("getUrlParentVar")  Used in this example…
  146. 146. Workshop exercise (continued)3) Verify using the “#” trick (payload not sent to target):http://demo.testfire.net/vulnerable.swf#?getUrlParentVar=javascript:alert(‘pwned!’)Click on “Get URL (parent)” for example above And you get: XSS ☺
  147. 147. UI Redressing protections: • X-Frame-Options (best) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) • JavaScript Frame busting (bypassable sometimes) Good BadX-Frame-Options: Deny
  148. 148. Andrew Horton’s “Clickjacking for Shells”:http://www.morningstarsecurity.com/research/clickjacking-wordpressKrzysztof Kotowicz’s “Something Wicked this way comes”:http://www.slideshare.net/kkotowicz/html5-something-wicked-this-way-comes-hackprahttps://connect.ruhr-uni-bochum.de/p3g2butmrt4/Marcus Niemietz’s “UI Redressing and Clickjacking”:http://www.slideshare.net/DefconRussia/marcus-niemietz-ui-redressing-and-clickjacking-about-click-fraud-and-data-theft
  149. 149. Demo / Exercise
  150. 150. Part 2 ActiveWeb analysis
  151. 151. Demo / Exercise
  152. 152. Part 3Aux Plugins
  153. 153. Demo / Exercise
  154. 154. Special thanks to Adi Mutu (@an_animal), Gareth Heyes (@garethheyes), KrzysztofKotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz), Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci) OWASP Testing Guide contributors Finux Tech Weekly – Episode 17 – mins 31-49 http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3 Finux Tech Weekly – Episode 12 – mins 33-38 http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3 http://www.finux.co.uk/episodes/ogg/FTW-EP12.ogg Exotic Liability – Episode 83 – mins 49-53 http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah
  155. 155. Q&A Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.orgProject Site (links to everything): http://owtf.org• Try OWTF: https://github.com/7a/owtf/tree/master/releases• Try a demo report: https://github.com/7a/owtf/tree/master/demos• Documentation: https://github.com/7a/owtf/tree/master/readme• Contribute: https://github.com/7a/owtf
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×