Silent web app testing by example - BerlinSides 2011
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques

Published in: Technology, Design

1. Silent web app testing by example
   Berlin Sides, December 29th 2011
   Abraham Aranguren  @7a_  abraham.aranguren@gmail.com  http://7-a.org

2. Agenda
   • Quick Intro
   • Walk-through:
     No permission needed
     Mild/Subtle testing techniques
     Passive discovery at post-exploitation
   • Conclusion
   • Q&A

3. About me
   • Spanish dude
   • Degree + Diploma in Computer Science
   • Uni: Security research + honour mark
   • IT: Since 2000 (netadmin / developer)
   • Comeback to (offensive) security in 2007
   • OSCP, CISSP, GWEB, CEH, MCSE, Etc.
   • Web App Sec and Dev/Architect
   • OWTF, GIAC, BeEF

4. Intro
   47% (31 out of 66) of the tests in the OWASP Testing Guide can be legally* performed at least partially without permission
   * Except in Spain, where visiting a page can be illegal ☺
   * This is only my interpretation and not that of my employer + might not apply to your country!

5. But …. why???
   • Pre-engagement quality
   • Choose bank wisely ☺
   • Fun / Research
   • No permission yet but tight deadline
   • Get a head start in a pen test
   • No fuzzing allowed / hard restrictions
   • Waiting for info on other areas

6. Talk Scope
   This talk is mostly NOT about:
   • https NIDS blind*
   • Use POST not logged (usually)
   • Wifi, Tor, proxies, proxychains …
   This talk is about:
   • Using normal traffic or no traffic
   • Confuse payloads = look as legit traffic

7. Types of Traffic
   • Passive: No traffic to target
     Example: Third party site touches target not us
   • Semi Passive: Normal traffic to target
     Examples: Visit site, download published content
   • Active: Direct vulnerability probing
     Examples: SQL injection, XSS, CSRF, etc. tries

8. Legend
   Ethics/Scope legend* (shown after each slide title below):
   • [P]   No Permission needed: No attack traffic
   • [!]   Mild attack traffic / Could break things
   • [!!]  You better have written permission ..
   Vulnerable vs. Not Vulnerable legend:
   • Vulnerable
   • Not Vulnerable
   * When in doubt, don’t do it or consult a lawyer!

9. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) [P]
   $ wget http://target.com/robots.txt
   Case 1: Not found: Indexing required?
   Case 2: Found: Analyse entries

10. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. [P]
    Case 1: robots.txt Not Found
    …should Google index a site like this?
    Or should robots.txt exist and be like this?
    User-agent: *
    Disallow: /

11. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. [P]
    Case 2: robots.txt Found (default Drupal robots.txt!)
    User-agent: *
    Crawl-delay: 10
    # Directories
    Disallow: /includes/
    Disallow: /misc/
    ...
    # Files
    Disallow: /CHANGELOG.txt    <- Drupal Version ☺
    Disallow: /xmlrpc.php

12. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. [P]
    Case 2: Research known vulns passively (i.e. OpenID bypass for Drupal 6.16)

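The robots.txt review from slides 9 to 12 (does the file exist, does it block everything, and which disallowed paths give the platform away) as a small parser. This is an added example, not code from the talk: the sample file is constructed from the Drupal entries quoted on slide 11, and the TELLTALE_PATHS mapping is an illustrative assumption a site owner would extend for their own stack.

```python
"""Added example (not from the slides): parse robots.txt and report what it discloses."""

# Constructed sample, modelled on the default Drupal robots.txt quoted on slide 11.
SAMPLE_ROBOTS = """User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
# Files
Disallow: /CHANGELOG.txt
Disallow: /xmlrpc.php
"""

# Illustrative assumption: paths whose presence in robots.txt hints at a platform or
# points at a version-bearing file. Extend this for the software you actually run.
TELLTALE_PATHS = {
    "/CHANGELOG.txt": "version file (Drupal ships one; reveals the exact release)",
    "/xmlrpc.php": "XML-RPC endpoint (Drupal/WordPress)",
    "/includes/": "Drupal core directory",
    "/misc/": "Drupal core directory",
}


def parse_robots(text):
    """Return (directive, value) pairs with comments and blank lines dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip trailing comments
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        entries.append((directive.strip().lower(), value.strip()))
    return entries


def disallowed_paths(text):
    """Disallow values only; an empty 'Disallow:' means allow-all and is skipped."""
    return [v for d, v in parse_robots(text) if d == "disallow" and v]


def review_robots(text):
    """Classify the policy (allow-all, block-all, selective) and, for a selective
    file, list the disallowed paths that leak platform or version information."""
    paths = disallowed_paths(text)
    if not paths:
        return {"policy": "allow-all", "findings": []}
    if paths == ["/"]:
        return {"policy": "block-all", "findings": []}
    findings = [(p, TELLTALE_PATHS[p]) for p in paths if p in TELLTALE_PATHS]
    return {"policy": "selective", "findings": findings}


if __name__ == "__main__":
    result = review_robots(SAMPLE_ROBOTS)
    print("policy:", result["policy"])
    for path, why in result["findings"]:
        print(f"  {path}: {why}")
```

Run against the sample it reports a selective policy and flags /CHANGELOG.txt, which is the entry the slide circles: a blocked path is still a public path, so the defence is to remove the file, not to hide it from crawlers.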
13. (General) Environment replication [P]
    Download it .. Sometimes from project page ☺
    Also check http://www.oldapps.com/, Google, etc.

14. (General) Environment replication [P]
    Static Analysis, Fuzz, Try exploits, ..
    RIPS for PHP: http://rips-scanner.sourceforge.net/
    Yasca for most other (also PHP): http://www.scovetta.com/yasca.html

15. Search engine discovery / recon (OWASP-IG-002) cont. [P]
    Google Hacking techniques like ..

16. Search engine discovery / recon (OWASP-IG-002) cont. [P]
    Automated Google Hacking
    http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/

17. Search engine discovery / recon (OWASP-IG-002) cont. [P]
    Metadata tools:
    • FOCA (v. 3 now!)
    • Metagoofil
    • Exiftool
    • EXIF FF plugin
    http://www.informatica64.com/foca.aspx

18. Search engine discovery / recon (OWASP-IG-002) cont. [P]
    The Harvester:
    • Emails
    • Employee Names
    • Subdomains
    • Hostnames
    http://www.edge-security.com/theHarvester.php

19. Search engine discovery / recon (OWASP-IG-002) cont. [P]
    Image Credit: http://www.paterva.com
    http://www.paterva.com/web5/client/download.php

20. Search engine discovery / recon (OWASP-IG-002) cont. [P]
    Image Credit: http://www.paterva.com
    http://www.paterva.com/web5/client/download.php

21. Search engine discovery / recon (OWASP-IG-002) cont. [P]
    A bit of most in one:
    https://addons.mozilla.org/en-US/firefox/addon/passiverecon/

22. Testing: Identify application entry points (OWASP-IG-003) [P]
    Use a proxy and JUST browse the site
    • Let the proxy log ALL requests
    • Understand the site
    Proxies that detect vulns passively:
    • ratproxy
    • ZAP Proxy
    Efficient manual browsing:
    Snap Links Plus http://snaplinks.mozdev.org/

23. Testing for Web Application Fingerprint (OWASP-IG-004) [P]
    Goal: What is that server running?
    Semi passive banner grab example:
    $ curl -i -A 'Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0' -H 'Host: target.com' https://target.com
    …
    Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g

24. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    http://toolbar.netcraft.com - Passive banner grab, etc.

25. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    Search in the headers without touching the site:
    http://www.shodanhq.com/

26. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    • CMS
    • Widgets
    • Libraries
    • etc
    http://builtwith.com

27. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    Do you know what that site is running now? Let’s look for exploits and vulns

28. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    Exploit DB - http://www.exploit-db.com

29. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    NVD - http://web.nvd.nist.gov - CVSS Score = High

30. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    OSVDB - http://osvdb.org - CVSS Score = High

31. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    http://www.securityfocus.com - Better on Google

32. Testing for Web Application Fingerprint (OWASP-IG-004) cont. [P]
    http://www.exploitsearch.net - All in one

33. Testing for Application Discovery (OWASP-IG-005) [P]
    http://www.robtex.com - Passive DNS Discovery

34. Testing for Application Discovery (OWASP-IG-005) cont. [P]
    http://whois.domaintools.com

35. Testing for Application Discovery (OWASP-IG-005) cont. [P]
    http://centralops.net or proxychains .. nmap -sT

36. Testing for Application Discovery (OWASP-IG-005) cont. [P]
    http://centralops.net

37. Testing for Error Code (OWASP-IG-006) [P]
    Has Google found error messages for you?

38. Testing for Error Code (OWASP-IG-006) cont. [P]
    Check errors via Google Cache

39. Testing for SSL-TLS (OWASP-CM-001) [P]
    No traffic ..
    https://www.ssllabs.com/ssldb/analyze.html

40. Testing for SSL-TLS (OWASP-CM-001) cont. [P]
    .. And pretty graphs
    https://www.ssllabs.com/ssldb/analyze.html

41. Testing for SSL-TLS (OWASP-CM-001) cont. [P]
    Do not forget about Strict-Transport-Security!
    $ curl -i https://accounts.google.com
    HTTP/1.1 302 Moved Temporarily
    Content-Type: text/html; charset=UTF-8
    Strict-Transport-Security: max-age=2592000; includeSubDomains
    sslstrip chances decrease dramatically: the attack only works the 1st time the user visits the site!

42. Application Configuration Management (OWASP-CM-004) [P]
    Just browse the site as normal and .. look for comments! (lame but works!):
    <!-- The password is 123 -->
    /* TODO: Security hole here .. */
    // FIXME: The function below is vulnerable
    …

43. Testing for Admin Interfaces (OWASP-CM-007) [P]
    • 3rd party stuff on .NET ViewState, headers, ..
    • Telerik.Web.UI?? Google it!

44. Testing for Admin Interfaces (OWASP-CM-007) cont. [P]
    Google for default passwords:

45. Testing for Admin Interfaces (OWASP-CM-007) cont. [!!]

46. Testing for Admin Interfaces (OWASP-CM-007) cont. [!!]

47. Testing for HTTP Methods and XST (OWASP-CM-008) [P]
    An OPTIONS request is quite normal:
    $ curl -i -k -A 'Mozilla/5.0' -X OPTIONS https://site.com/
    HTTP/1.1 200 OK
    Date: Tue, 09 Aug 2011 13:38:43 GMT
    Server: Apache/2.0.63 (Unix)
    Allow: GET,HEAD,POST,OPTIONS,TRACE
    Content-Length: 0
    Connection: close
    Content-Type: text/plain; charset=UTF-8

48. Testing for HTTP Methods and XST (OWASP-CM-008) cont. [P]
    http://centralops.net

49. Testing for HTTP Methods and XST (OWASP-CM-008) cont. [P]
    http://centralops.net

50. Testing for credentials transport (OWASP-AT-001) [P]
    Is the login page on "http" instead of "https"?
    And … look carefully at pop-ups like this:
    Consider: Firesheep and sslstrip

51. Testing for user enumeration (OWASP-AT-002) – by design [P]
    Mario was going to report a bug to Mozilla and found another!

52. Testing for user enumeration (OWASP-AT-002) – by design [P]
    Abuse user/member search functions:
    • Search for "" (nothing) or "a", then "b", ..
    • Download all the data using 1) + pagination (if any)
    • Merge the results into a CSV-like format
    • Import + save as a spreadsheet
    • Show the spreadsheet to your customer

53. Testing for Default or Guessable User Account (OWASP-AT-003) [P]
    Analyse the username(s) they gave you to test:
    • Username based on numbers? USER12345
    • Username based on public info? (i.e. names, surnames, ..) name.surname
    • Default CMS user/pass?

54. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) [P]
    Is autocomplete set to off?
    • Via 1) <form … autocomplete="off">
    • Or via 2) <input … autocomplete="off">
    Or not?
    <form action="/user/login" method="post">
    <input type="password" name="pass" />

55. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont. [P]
    Easy "your grandma can do it" test:
    1. Login
    2. Logout
    3. Click the browser Back button twice*
    4. Can you login again (without typing the login or password) by re-sending the login form?
    Can the user re-submit the login form via the back button?
    * Until the login form submission

56. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont. [P]
    Also .. Look at the questions / fields in the password reset form …
    • Does it let you specify your email address?
    • Is it based on public info? (name, surname, etc)
    • Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)

57. Logout and Browser Cache Management (OWASP-AT-007) [P]
    Goal: Is Caching of sensitive info allowed?
    Easy "your grandma can do it" test (need login):
    1. Login
    2. Logout
    3. Click the browser Back button
    4. Do you see logged in content, or a "this page has expired" error / the login page?

58. Logout and Browser Cache Management (OWASP-AT-007) cont. [P]
    See headers with:
    • Commands: curl -i http://target.com
    • Proxy: Burp, ZAP, WebScarab, etc
    • Browser Plugins:
      https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
      https://addons.mozilla.org/en-US/firefox/addon/firebug/

59. Logout and Browser Cache Management (OWASP-AT-007) cont. [P]
    1) Wrong caching HTTP/1.1 headers:
       Cache-control: private
    Instead of:
       Cache-Control: no-cache

60. Logout and Browser Cache Management (OWASP-AT-007) cont. [P]
    2) Wrong caching HTTP/1.0 headers:
       Pragma: private
       Expires: <way too far in the future>
    Instead of:
       Pragma: no-cache
       Expires: <past date or illegal value (e.g. 0)>

61. Logout and Browser Cache Management (OWASP-AT-007) cont. [P]
    3) No caching headers (= caching allowed, default!)
       HTTP/1.1 200 OK
       Date: Tue, 09 Aug 2011 13:38:43 GMT
       Server: ….
       X-Powered-By: ….
       Connection: close
       Content-Type: text/html; charset=UTF-8
    Instead of (best):
       $ curl -i https://accounts.google.com
       ...
       Cache-control: no-cache, no-store
       Pragma: no-cache
       Expires: Mon, 01-Jan-1990 00:00:00 GMT

62. Logout and Browser Cache Management (OWASP-AT-007) cont. [P]
    Repeat for Meta tags:
    4) Wrong HTTP/1.1:
       <META HTTP-EQUIV="Cache-Control" CONTENT="private">
    Instead of:
       <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
    Etc. (see previous slides)

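The four cases on slides 59 to 62 as one check you can run over a saved response instead of reading headers by eye. This is an added example and not code from the talk. It applies the stricter standard of the "best" response on slide 61 (Cache-Control must carry no-store, not just no-cache), treats HTTP/1.0 Pragma/Expires separately, and falls back to the <meta http-equiv> tags of slide 62 when a header is absent. All four sample responses are constructed; the good one copies the header values shown on slide 61.

```python
"""Added example (not from the slides): classify a response's caching policy."""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed samples mirroring the cases on slides 59-62.
WRONG_HEADERS = (
    "HTTP/1.1 200 OK\r\nCache-Control: private\r\nPragma: private\r\n"
    "Expires: Fri, 31 Dec 2100 23:59:59 GMT\r\nContent-Type: text/html\r\n\r\n<html></html>"
)
NO_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html></html>"
GOOD_HEADERS = (
    "HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store\r\nPragma: no-cache\r\n"
    "Expires: Mon, 01-Jan-1990 00:00:00 GMT\r\nContent-Type: text/html\r\n\r\n<html></html>"
)
META_ONLY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head>"
    '<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache, no-store">'
    '<META HTTP-EQUIV="Pragma" CONTENT="no-cache">'
    '<META HTTP-EQUIV="Expires" CONTENT="0"></head></html>'
)


def parse_response(raw):
    """Split a raw HTTP response into ({lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def meta_http_equiv(body):
    """Collect <meta http-equiv=... content=...> pairs, case-insensitively."""
    pattern = r'<meta\s+http-equiv="([^"]+)"\s+content="([^"]*)"'
    return {m.group(1).lower(): m.group(2) for m in re.finditer(pattern, body, re.I)}


def expires_in_future(value):
    """True only for a parseable date later than now; '0' or garbage count as expired."""
    try:
        when = parsedate_to_datetime(value)
    except (ValueError, TypeError):       # older Pythons raise TypeError on junk
        return False
    if when is None:
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc)


def cache_findings(raw):
    """Return the list of caching problems; an empty list means HTTP/1.1 caches,
    HTTP/1.0 caches and the browser are all told not to keep the page."""
    headers, body = parse_response(raw)
    for name, value in meta_http_equiv(body).items():
        headers.setdefault(name, value)          # real headers win over meta tags

    findings = []
    cc = headers.get("cache-control", "")
    directives = {d.strip().lower() for d in cc.split(",") if d.strip()}
    if not directives:
        findings.append("no Cache-Control: caching allowed by default")
    elif "no-store" not in directives:
        # 'private' (and even 'no-cache' alone) still lets the browser keep a copy on disk
        findings.append(f"Cache-Control '{cc}' lacks no-store")
    if headers.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma is not no-cache: HTTP/1.0 caches may keep the page")
    expires = headers.get("expires")
    if expires is None:
        findings.append("no Expires header")
    elif expires_in_future(expires):
        findings.append(f"Expires '{expires}' lies in the future")
    return findings


if __name__ == "__main__":
    for label, sample in [("wrong", WRONG_HEADERS), ("none", NO_HEADERS),
                          ("good", GOOD_HEADERS), ("meta", META_ONLY)]:
        print(label, cache_findings(sample) or "OK")
```

Feed it the output of the curl command from slide 58 (saved with -i) and an empty list means the logged-out Back button test on slide 57 should show the login page rather than cached content.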
63. Testing for Captcha (OWASP-AT-008) [P]
    Can be done offline:
    • Download image and try to break it
    • Are CAPTCHAs reused?
    • Is a hash or token passed? (Good algorithm? Predictable?)
    • Look for vulns on CAPTCHA version:
    PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
    Captcha Breaker - http://churchturing.org/captcha-dist/

64. Testing for Session Management Schema (OWASP-SM-001) [P]
    Examine cookies for weaknesses offline
    Base64: MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
    (decodes to 192.168.100.1:owaspuser:password:15:58)
    Hash-looking value: a7656fafe94dae72b1e1487670148412
    Is it derived from owaspuser:192.168.100.1: … ?

65. Testing for Session Management Schema (OWASP-SM-001) cont. [P]
    http://hackvertor.co.uk/public

66. Testing for Session Management Schema (OWASP-SM-001) cont. [P]
    Lots of decode options, including:
    • auto_decode
    • auto_decode_repeat
    • d_base64
    • etc.
    http://hackvertor.co.uk/public

67. Testing for Session Management Schema (OWASP-SM-001) cont. [P]
    Cookie decoder: F5 BIG-IP
    http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html

68. Testing for cookies attributes (OWASP-SM-002) [P]
    • Secure: not set = session cookie leaked = pwned
    • HttpOnly: not set = cookies stealable via JS
    • Domain: set properly
    • Path: set to the right /sub-application
    • Expires: set reasonably
    • 1 session cookie that works is enough ..

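Slides 64 to 66 (decode the cookie value offline, repeatedly, and see whether it is structured cleartext or an opaque hash) and slide 68 (check the cookie attributes) as one offline script. This is an added example, not the talk's code and not Hackvertor: decode_layers is my own small stand-in for auto_decode_repeat covering base64 and hex only. The base64 and hash values are the ones printed on slide 64; the Set-Cookie lines are constructed.

```python
"""Added example (not from the slides): inspect a session cookie offline."""
import base64
import binascii
import re

SLIDE_COOKIE = "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg="   # slide 64
HASH_COOKIE = "a7656fafe94dae72b1e1487670148412"                     # slide 64


def _printable(data):
    return bool(data) and all(32 <= b < 127 for b in data)


def decode_layers(value, max_depth=4):
    """Return [value, layer1, layer2, ...], each layer being the previous one decoded
    as base64 or hex; stops when the result is no longer printable text."""
    layers, current = [value], value
    for _ in range(max_depth):
        decoded = None
        if len(current) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", current):
            try:
                raw = base64.b64decode(current, validate=True)
                if _printable(raw):
                    decoded = raw.decode("ascii")
            except (binascii.Error, ValueError):
                pass
        if decoded is None and len(current) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", current):
            raw = bytes.fromhex(current)
            if _printable(raw):
                decoded = raw.decode("ascii")
        if decoded is None or decoded == current:
            break
        layers.append(decoded)
        current = decoded
    return layers


def field_kind(field):
    """Rough type of one cleartext field, for spotting IPs, counters and secrets."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", field):
        return "ip"
    if field.isdigit():
        return "number"
    if field.lower() in ("password", "passwd", "pwd"):
        return "password-literal"
    return "text"


def describe_cookie(value):
    """Label the innermost decoded layer: hash-like, structured cleartext, or opaque."""
    layers = decode_layers(value)
    inner, depth = layers[-1], len(layers) - 1
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", inner):
        return {"kind": "hash-like", "layers": depth, "fields": []}
    sep = ":" if ":" in inner else ("|" if "|" in inner else None)
    fields = inner.split(sep) if sep else [inner]
    return {"kind": "structured" if sep else "opaque", "layers": depth,
            "fields": [(f, field_kind(f)) for f in fields]}


def audit_set_cookie(header_value, site_is_https=True):
    """Check one Set-Cookie header value against the slide 68 checklist."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if site_is_https and "secure" not in attrs:
        findings.append("Secure missing: cookie is also sent over plain http")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: readable via document.cookie")
    if attrs.get("path", "/") == "/":
        findings.append("Path is /: shared with every sub-application on the host")
    if attrs.get("domain", "").startswith("."):
        findings.append(f"Domain {attrs['domain']} covers all subdomains")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: check the lifetime is reasonable for a session")
    return name, findings


if __name__ == "__main__":
    print(describe_cookie(SLIDE_COOKIE))
    print(describe_cookie(HASH_COOKIE))
    print(audit_set_cookie("PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; Path=/"))
```

On the slide's own value the first part reports one base64 layer over five colon-separated fields, including an IP address and the literal word "password", which is the finding the slide illustrates: the session token carries the credentials in cleartext.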
69. Testing for Session Fixation (OWASP-SM-003) [P]
    Session ID normally NOT changed by default..
    Before Login: PHPSESSID:10a966616e8ed63f7a9b741f80e65e3c
    + After Login: PHPSESSID:10a966616e8ed63f7a9b741f80e65e3c
    = Vulnerable

70. Testing for Exposed Session Variables (OWASP-SM-004) [P]
    Session ID:
    • In URL
    • In POST
    • In HTML
    Example from the field:
    http://target.com/xxx/xyz.function?session_num=7785

71. Testing for CSRF (OWASP-SM-005) [P]
    Look at HTML code:
    No anti-CSRF token = Vulnerable
    Anti-CSRF token = Wait to ACTIVE testing ☺

72. Testing for Bypassing Authorization Schema (OWASP-AZ-002)
    Look at unauthenticated cross-site requests: [P]
    http://other-site.com/user=3&report=4
    Referer: site.com
    Change ids in application: [!]
    http://site.com/view_doc=4

73. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001) [P]
    Headers Enabling/Disabling Client-Side XSS filters:
    • X-XSS-Protection (IE-Only)
    • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
    Example:
    $ curl -i https://accounts.google.com
    X-XSS-Protection: 1; mode=block

74. UI Redressing Protection i.e. Clickjacking (OWASP Code?) [P]
    Look for UI Redressing protections:
    • X-Frame-Options (best)
    • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
    • JavaScript Frame busting (bypassable sometimes)
    Example:
    $ curl -i https://accounts.google.com
    X-Frame-Options: Deny
    "Clickjacking for Shells": http://www.morningstarsecurity.com/research/clickjacking-wordpress

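The header checks from slides 41 (Strict-Transport-Security), 73 (X-XSS-Protection) and 74 (X-Frame-Options / X-Content-Security-Policy) as one audit over a header dictionary. This is an added example and not the talk's code; the SAMPLE_HEADERS dictionary is constructed from the accounts.google.com values quoted on those slides, WEAK_HEADERS is constructed with nothing set, and the 30-day HSTS threshold is my own assumption (the slide's example is exactly 30 days).

```python
"""Added example (not from the slides): audit the defensive headers the talk looks for."""

# Constructed from the curl output quoted on slides 41, 73 and 74.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=2592000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "Deny",
}
WEAK_HEADERS = {"Server": "Apache"}      # constructed: no protection headers at all


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains), or None when malformed."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive[len("max-age="):])
            except ValueError:
                return None
        elif directive == "includesubdomains":
            subdomains = True
    return None if max_age is None else (max_age, subdomains)


def audit_security_headers(headers, min_hsts_age=30 * 24 * 3600):
    """Return a list of findings; empty means HSTS, framing and XSS-filter headers
    are all present with sensible values. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security: every visit is exposed to sslstrip, not just the first")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append(f"malformed Strict-Transport-Security '{hsts}'")
        else:
            age, subdomains = parsed
            if age < min_hsts_age:
                findings.append(f"HSTS max-age {age}s is shorter than {min_hsts_age}s")
            if not subdomains:
                findings.append("HSTS without includeSubDomains: subdomains can still be stripped")

    xfo = h.get("x-frame-options", "").strip().lower()
    csp = h.get("x-content-security-policy") or h.get("content-security-policy") or ""
    if xfo not in ("deny", "sameorigin") and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options / frame-ancestors): UI redressing possible")

    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xss.startswith("0"):
        findings.append("X-XSS-Protection disabled (0)")
    elif xss and "mode=block" not in xss:
        findings.append("X-XSS-Protection without mode=block: the filter rewrites instead of blocking")
    return findings


if __name__ == "__main__":
    print("sample:", audit_security_headers(SAMPLE_HEADERS) or "OK")
    print("weak:  ", audit_security_headers(WEAK_HEADERS))
```

The same function can be pointed at the parsed output of the curl -i commands on the slides; the JavaScript frame-busting of slide 74 is deliberately not counted as protection, because the slide itself notes it is sometimes bypassable.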
75. Testing for DOM-based Cross site scripting (OWASP-DV-003) [P]
    Review JavaScript code on the page:
    <script>
    document.write("Site is at: " + document.location.href + ".");
    </script>
    Sometimes active testing possible in your browser (no trip to server = not an attack = not logged):
    http://target.com/...#vulnerable_param=xss
    http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html

76. Testing for Cross site flashing (OWASP-DV-004) [P]
    1) Find Flash files:

77. Testing for Cross site flashing (OWASP-DV-004) cont. [P]
    2) Find crossdomain.xml

78. Testing for Cross site flashing (OWASP-DV-004) cont. [P]
    3) Look at crossdomain.xml:
    Example 1:
    <cross-domain-policy>
    <allow-access-from domain="*"/>
    </cross-domain-policy>
    Example 2:
    <cross-domain-policy>
    <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
    <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
    </cross-domain-policy>
    http://en.wikipedia.org/wiki/Same_origin_policy
    http://kb2.adobe.com/cps/403/kb403185.html

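Step 3 on slide 78 (read crossdomain.xml and decide whether it is too permissive) as a parser. This is an added example and not the talk's code; the two policies are the slide's own examples copied verbatim, and the findings wording is mine. It also checks the secure attribute and wildcard header rules, which the slide does not show, because those are the other two ways a policy silently widens access.

```python
"""Added example (not from the slides): review a Flash crossdomain.xml policy."""
import xml.etree.ElementTree as ET

# Example 1 and Example 2 from slide 78.
WILDCARD_POLICY = """<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>"""

HEADER_POLICY = """<cross-domain-policy>
<!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
<allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>"""


def review_crossdomain(xml_text):
    """Return (trusted_domains, findings). Findings are empty when no rule lets an
    arbitrary origin read this host's responses, or send it custom headers, using
    the victim's cookies."""
    root = ET.fromstring(xml_text)          # comments are dropped by the parser
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    trusted, findings = [], []

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        trusted.append(domain)
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any site can read '
                            "responses from this host with the victim's cookies")
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain is trusted')
        # secure defaults to true; secure="false" lets SWFs loaded over plain http
        # use a policy that was served over https
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain}: policy usable from plain-http SWFs')

    for rule in root.findall("allow-http-request-headers-from"):
        domain, headers = rule.get("domain", ""), rule.get("headers", "")
        if domain == "*" or headers == "*":
            findings.append(f'allow-http-request-headers-from domain="{domain}" '
                            f'headers="{headers}" is too broad')
    return trusted, findings


if __name__ == "__main__":
    for label, policy in [("example 1", WILDCARD_POLICY), ("example 2", HEADER_POLICY)]:
        trusted, findings = review_crossdomain(policy)
        print(label, "trusts", trusted or "nobody", "->", findings or "OK")
```

Example 1 is the classic bad case (domain="*"); Example 2 grants nothing beyond one custom header from one named site, so it produces no finding.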
79. Testing for Cross site flashing (OWASP-DV-004) cont. [P]
    4) Download + decompile Flash files:
    $ flare hello.swf

80. Testing for Cross site flashing (OWASP-DV-004) cont. [P]
    http://www.brothersoft.com/hp-swfscan-download-253747.html
    http://tinyurl.com/SWFScan-msi

81. Testing for Cross site flashing (OWASP-DV-004) cont.
    Active testing ☺
    1) Trip to server = need permission [!]
       http://target.com/test.swf?xss=foo&xss2=bar
    2) But … your browser is yours: No trip to server = no permission needed [P]
       http://target.com/test.swf#?xss=foo&xss2=bar
    Good news: Unlike DOM XSS, the # trick will always work for Flash files

82. Testing for SQL Injection (OWASP-DV-005) [P]
    Did Google find SQLi for you?

83. DoS Failure to Release Resources (OWASP-DS-007) [P]
    1. Browse Site
    2. Time requests
    3. Get top X slowest requests
    4. Slowest = Best DoS target

84. Testing: WS Information Gathering (OWASP-WS-001) [P]
    Google searches: inurl:wsdl site:example.com
    Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL
    Public services search:
    http://seekda.com/
    http://www.wsindex.org/
    http://www.soapclient.com/

85. Testing for WS Replay (OWASP-WS-007) [P]
    Similar to CSRF: Is there an anti-replay token in the request?

86. Testing for file extensions handling (OWASP-CM-005) [!!]
    Some attack traffic but subtle. File Uploads:
    • If upload.php or .asp, .html, .. is allowed by app
    • A valid GIF or JPG comment can be a valid PHP script, etc ..
    • Difference from attack to legit can be subtle
    • File uploads are POST = often not logged (Enterprises do, but small businesses normally don’t)

87. Testing for Error Code (OWASP-IG-006) [!]
    • Use var_name[] in PHP:
    • Make __VIEWSTATE = 'a':
      [ViewStateException: Invalid viewstate …..…) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\….

88. Testing for user enumeration (OWASP-AT-002) [!]
    • Error messages
      "this user does not exist"
      "the website member could not be found"
      Etc.
    • Time differences
      $ time curl https://target.com -d 'user=x&pass=y'
      Bad login Example:
      Valid User (retrieved from DB): > 1.5 secs
      Invalid User (not in DB = faster): < 0.7 secs

89. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2) [!]
    Subtle look for signs of output encoding:
      Input      Encoded output
      O'Brien    O&apos;Brien
      O"Brien    O&quot;Brien or O%22Brien
      Ted..>     Ted..&gt; or Ted..%3E
      Ted..<     Ted..&lt; or Ted..%3C
    Charset, etc.

90. Testing for SQL Injection (OWASP-DV-005) [!]
    SQL errors:
    • Strings: O'Brien
    • IDs: Instead of "1" type "1l" or "1 l"
    Math operations: Is the same item displayed?
    • target.com/id=2 vs target.com/id=1%2B1

91. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    Got shell?

92. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    You feel like ..

93. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    They feel like ..

94. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    They feel like ..

95. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    They feel like ..

96. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    And finally ..

97. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    You have a mission!
    • "Shell is only the beginning" – Darkoperator
    • Your job is to show impact*
    • Web app sec can also involve network sec!
    Goal: How much damage could be done?
    * within scope restrictions!

98. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    • Web server running as SYSTEM? (default!)
    • No need to crack passwords ..

99. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
    Just type your chosen password ..

100. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
     • Steal passwords ..
     • Be patient, it’s worth it ..

101. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [!!]
     Pivot to the other hosts reusing passwords

102. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [P]
     PASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum

103. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [P]
     PASSIVE Local "Port scanning" from winenum

104. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [P]
     Don’t forget about IPv6 & UDP ☺

105. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation [P]
     PASSIVE Remote "Port scanning" from winenum via active connections

106. Pen tester Conclusion
     • No permission != cannot start
     • A lot of work can be done in advance
     This work in advance helps with:
     • Increased efficiency
     • Deal better with tight deadlines
     • Better pre-engagement
     • Better test quality
     • Best chance to get in
     Bottom line: Do it

107. Business Conclusion
     • Web app security > Input validation
     • We see no traffic != we are not targeted
     • No IDS alerts != we are safe
     • Your site can be tested without you noticing
     • Test your security before others do

108. Special thanks to
     • OWASP Testing Guide contributors
     • Krzysztof Kotowicz
     • Marcus Niemietz
     • Mario Heiderich
     • Michele Orru
     • Sandro Gauci

109. Q&A
     Abraham Aranguren  @7a_  abraham.aranguren@gmail.com  http://7-a.org
     Q - owtf! This is a lot of work
     A - I know, check out: http://owtf.org