Silent web app testing by example - BerlinSides 2011

  • 7,568 views
Uploaded on

A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques …

A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques

NOTE: Use the "Download" option at the top to see the presentation as a PDF properly

More in: Technology , Design
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
7,568
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
183
Comments
0
Likes
6

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Silent web app testing by exampleBerlin Sides, December 29th 2011 Abraham Aranguren @7a_ abraham.aranguren@gmail.com http://7-a.org
  • 2. Agenda• Quick Intro• Walk-through: No permission needed Mild/Subtle testing techniques Passive discovery at post-exploitation• Conclusion• Q&A
  • 3. About me• Spanish dude• Degree + Diploma in Computer Science• Uni: Security research + honour mark• IT: Since 2000 (netadmin / developer)• Comeback to (offensive) security in 2007• OSCP, CISSP, GWEB, CEH, MCSE, Etc.• Web App Sec and Dev/Architect• OWTF, GIAC, BeEF
  • 4. Intro47% (31 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission* Except in Spain, where visiting a page can be illegal ☺* This is only my interpretation and not that of my employer + might not apply to your country!
  • 5. But …. why???• Pre-engagement quality• Choose bank wisely ☺• Fun / Research• No permission yet but tight deadline• Get a head start in a pen test• No fuzzing allowed / hard restrictions• Waiting for info on other areas
  • 6. Talk ScopeThis talk is mostly NOT about:• https NIDS blind*• Use POST not logged (usually)• Wifi, Tor, proxies, proxychains …This talk is about:• Using normal traffic or no traffic• Confuse payloads = look as legit traffic
  • 7. Types of Traffic• Passive: No traffic to targetExample: Third party site touches target not us• Semi Passive: Normal traffic to targetExamples: Visit site, download published content• Active: Direct vulnerability probingExamples: SQL injection, XSS, CSRF, etc. tries
  • 8. LegendEthics/Scope legend*: P• P No Permission needed: No attack traffic• ! Mild attack traffic / Could break things• !! You better have written permission ..Vulnerable vs. Not Vulnerable legend:• Vulnerable• Not Vulnerable* When in doubt, don’t do it or consult a lawyer!
  • 9. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)$ wget http://target.com/robots.txt PCase 1 Not found: Indexing required?Case 2 Found: Analyse entries
  • 10. Testing: Spiders, Robots, andCrawlers (OWASP-IG-001) cont.Case 1 robots.txt Not Found …should Google index a site like this? POr should robots.txt exist and be like this?User-agent: *Disallow: /
  • 11. Testing: Spiders, Robots, andCrawlers (OWASP-IG-001) cont. PCase 2 robots.txt Found (default Drupal robots.txt!)User-agent: *Crawl-delay: 10# DirectoriesDisallow: /includes/Disallow: /misc/...# FilesDisallow: /CHANGELOG.txt  Drupal Version ☺Disallow: /xmlrpc.php
  • 12. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.Case 2 Research known vulns passively(i.e. OpenID bypass for Drupal 6.16) P
  • 13. (General) Environment replicationDownload it .. Sometimes from project page ☺ PAlso check http://www.oldapps.com/, Google, etc.
  • 14. (General) Environment replication Static Analyis, Fuzz, Try exploits, .. P RIPS for PHP: http://rips-scanner.sourceforge.net/Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
  • 15. Search engine discovery / recon (OWASP-IG-002) cont. Google Hacking techniques like .. P
  • 16. Search engine discovery / recon (OWASP-IG-002) cont. P Automated Google Hackinghttp://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
  • 17. Search engine discovery / recon (OWASP-IG-002) cont. P Metadata tools: • FOCA (v. 3 now!) • Metagoofil • Exiftool • EXIF FF plugin http://www.informatica64.com/foca.aspx
  • 18. Search engine discovery / recon (OWASP-IG-002) cont. P The Harvester: •Emails •Employee Names •Subdomains •Hostnameshttp://www.edge-security.com/theHarvester.php
  • 19. Search engine discovery / recon (OWASP-IG-002) cont. PImage Credit: http://www.paterva.comhttp://www.paterva.com/web5/client/download.php
  • 20. Search engine discovery / recon (OWASP-IG-002) cont. PImage Credit: http://www.paterva.comhttp://www.paterva.com/web5/client/download.php
  • 21. Search engine discovery / recon (OWASP-IG-002) cont. A bit of most in one: Phttps://addons.mozilla.org/en-US/firefox/addon/passiverecon/
  • 22. Testing: Identify application entry points (OWASP-IG-003)Use a proxy and JUST browse the site• Let the proxy log ALL requests P• Understand the siteProxies that detect vulns passively:• ratproxy• ZAP ProxyEfficient manual browsing:Snap Links Plus http://snaplinks.mozdev.org/
  • 23. Testing for Web Application Fingerprint (OWASP-IG-004)Goal: What is that server running? PSemi passive banner grab example:• $ curl -i -A Mozilla/5.0 (X11; Linux i686; rv6.0) Gecko/20100101 Firefox/6.0 -H Host: target.com https://target.com…Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
  • 24. Testing for Web ApplicationFingerprint (OWASP-IG-004) cont. Phttp://toolbar.netcraft.com - Passive banner grab,etc.
  • 25. Testing for Web Application Fingerprint (OWASP-IG-004) cont.Search in the headers without touching the site: P http://www.shodanhq.com/
  • 26. Testing for Web ApplicationFingerprint (OWASP-IG-004) cont. P •CMS •Widgets •Libraries •etc http://builtwith.com
  • 27. Testing for Web ApplicationFingerprint (OWASP-IG-004) cont. P Do you know what that site is running now? Let’s look for exploits and vulns
  • 28. Testing for Web ApplicationFingerprint (OWASP-IG-004) cont. P Exploit DB - http://www.exploit-db.com
  • 29. Testing for Web ApplicationFingerprint (OWASP-IG-004) cont. PNVD - http://web.nvd.nist.gov - CVSS Score = High
  • 30. Testing for Web ApplicationFingerprint (OWASP-IG-004) cont. P OSVDB - http://osvdb.org - CVSS Score = High
  • 31. Testing for Web ApplicationFingerprint (OWASP-IG-004) cont. P http://www.securityfocus.com - Better on Google
  • 32. Testing for Web ApplicationFingerprint (OWASP-IG-004) cont. P http://www.exploitsearch.net - All in one
  • 33. Testing for Application Discovery (OWASP-IG-005) P http://www.robtex.com - Passive DNS Discovery
  • 34. Testing for Application Discovery (OWASP-IG-005) cont. P http://whois.domaintools.com
  • 35. Testing for Application Discovery (OWASP-IG-005) cont. P http://centralops.net or proxychains .. nmap –sT
  • 36. Testing for Application Discovery (OWASP-IG-005) cont. P http://centralops.net
  • 37. Testing for Error Code (OWASP-IG-006)Has Google found error messages for you? P
  • 38. Testing for Error Code(OWASP-IG-006) cont. Check errors via Google Cache P
  • 39. Testing for SSL-TLS (OWASP-CM-001) No traffic .. Phttps://www.ssllabs.com/ssldb/analyze.html
  • 40. Testing for SSL-TLS (OWASP-CM-001) cont. .. And pretty graphs Phttps://www.ssllabs.com/ssldb/analyze.html
  • 41. Testing for SSL-TLS (OWASP-CM-001) cont.Do not forget about Strict-Transport-Security! P$ curl -i https://accounts.google.comHTTP/1.1 302 Moved TemporarilyContent-Type: text/html; charset=UTF-8Strict-Transport-Security: max-age=2592000; includeSubDomainssslstrip chances decrease dramatically:Only 1st time user visits the site!
  • 42. Application ConfigurationManagement (OWASP-CM-004)Just browse the site as normal and ..look for comments! (lame but works!): P<!-- The password is 123 -->/* TODO: Security hole here .. *///FIXME: The function below is vulnerable…
  • 43. Testing for Admin Interfaces (OWASP-CM-007)• 3rd party stuff on .NET ViewState, headers,.. P• Telerik.Web.UI?? Google it!
  • 44. Testing for Admin Interfaces (OWASP-CM-007) cont. Google for default passwords: P
  • 45. Testing for Admin Interfaces (OWASP-CM-007) cont. !!
  • 46. Testing for Admin Interfaces (OWASP-CM-007) cont. !!
  • 47. Testing for HTTP Methods and XST (OWASP-CM-008)An OPTIONS request is quite normal: P$ curl -i -A Mozilla/5.0 -X OPTIONS * –khttps://site.comHTTP/1.1 200 OKDate: Tue, 09 Aug 2011 13:38:43 GMTServer: Apache/2.0.63 (Unix)Allow: GET,HEAD,POST,OPTIONS,TRACEContent-Length: 0Connection: closeContent-Type: text/plain; charset=UTF-8
  • 48. Testing for HTTP Methods and XST (OWASP-CM-008) cont. P http://centralops.net
  • 49. Testing for HTTP Methods and XST (OWASP-CM-008) cont. P http://centralops.net
  • 50. Testing for credentials transport (OWASP-AT-001)Is the login page on “http” instead of “https”?And … look carefully at pop-ups like this: PConsider: Firesheep and sslstrip
  • 51. Testing for user enumeration (OWASP-AT-002) – by design PMario was going to report a bug to Mozilla and found another!
  • 52. Testing for user enumeration (OWASP-AT-002) – by designAbuse user/member search functions: • Search for “” (nothing) or “a”, then “b”, .. P • Download all the data using 1) + pagination (if any) • Merge the results into a CSV-like format • Import + save as a spreadsheet • Show the spreadsheet to your customer
  • 53. Testing for Default or Guessable User Account (OWASP-AT-003)Analyse the username(s) they gave you to test: P• Username based on numbers?USER12345• Username based on public info? (i.e. names, surnames, ..)name.surname• Default CMS user/pass?
  • 54. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) Is autocomplete set to off? • Via 1) <form … autocomplete=“off”> P • Or Via 2) <input … autocomplete=“off”> Or not? <form action="/user/login" method="post"> <input type="password" name="pass" />
  • 55. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont. Easy “your grandma can do it” test: 1. Login 2. Logout P 3. Click the browser Back button twice* 4. Can you login again –without typing the login or password- by re-sending the login form? Can the user re-submit the login form via the back button? * Until the login form submission
  • 56. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont. Also .. Look at the questions / fields in the password reset form … P • Does it let you specify your email address? • Is it based on public info? (name, surname, etc) • Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
  • 57. Logout and Browser Cache Management (OWASP-AT-007)Goal: Is Caching of sensitive info allowed? PEasy “your grandma can do it” test (need login):1. Login2. Logout3. Click the browser Back button4. Do you see logged in content or a this page has expired error / the login page?
  • 58. Logout and Browser CacheManagement (OWASP-AT-007) cont. See headers with: • Commands: curl –i http://target.com P • Proxy: Burp, ZAP, WebScarab, etc • Browser Plugins:https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/https://addons.mozilla.org/en-US/firefox/addon/firebug/
  • 59. Logout and Browser CacheManagement (OWASP-AT-007) cont. P 1) Wrong caching HTTP/1.1 headers: Cache-control: private Instead of: Cache-Control: no-cache
  • 60. Logout and Browser CacheManagement (OWASP-AT-007) cont. 2) Wrong caching HTTP/1.0 headers: P Pragma: private Expires: <way too far in the future> Instead of: Pragma: no-cache Expires: <past date or illegal value (e.g. 0)
  • 61. Logout and Browser CacheManagement (OWASP-AT-007) cont. 3) No caching headers (= caching allowed, default!) P HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: …. X-Powered-By: …. Connection: close Content-Type: text/html; charset=UTF-8 Instead of (best): $ curl –i https://accounts.google.com... Cache-control: no-cache, no-store Pragma: no-cache Expires: Mon, 01-Jan-1990 00:00:00 GMT
  • 62. Logout and Browser CacheManagement (OWASP-AT-007) cont. Repeat for Meta tags: P 4) Wrong HTTP/1.1: <META HTTP-EQUIV="Cache-Control" CONTENT=“private"> Instead of: <META HTTP-EQUIV="Cache-Control" CONTENT="no- cache"> Etc. (see previous slides)
  • 63. Testing for Captcha (OWASP-AT-008)Can be done offline:• Download image and try to break it P• Are CAPTCHAs reused?• Is a hash or token passed? (Good algorithm? Predictable?)• Look for vulns on CAPTCHA version:PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtchaCaptcha Breaker - http://churchturing.org/captcha-dist/
  • 64. Testing for Session Management Schema (OWASP-SM-001)Examine cookies for weaknesses offline PBase64 MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dv cmQ6MTU6NTg=Isowaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412
  • 65. Testing for Session ManagementSchema (OWASP-SM-001) cont. P http://hackvertor.co.uk/public
  • 66. Testing for Session ManagementSchema (OWASP-SM-001) cont. Lots of decode options, including: • auto_decode P • auto_decode_repeat • d_base64 • etc. http://hackvertor.co.uk/public
  • 67. Testing for Session Management Schema (OWASP-SM-001) cont. Cookie decoder: F5 BIG-IP Phttp://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
  • 68. Testing for cookies attributes (OWASP-SM-002)• Secure: not set= session cookie leaked= pwned• HttpOnly: not set = cookies stealable via JS P• Domain: set properly• Path: set to the right /sub-application• Expires: set reasonably• 1 session cookie that works is enough ..
  • 69. Testing for Session Fixation (OWASP-SM-003)Session ID normally NOT changed by default.. PBefore Login PHPSESSID:10a966616e8ed63f7a9b741f80e65e3c+After Login PHPSESSID:10a966616e8ed63f7a9b741f80e65e3c=Vulnerable
  • 70. Testing for Exposed Session Variables (OWASP-SM-004)Session ID:• In URL P• In POST• In HTMLExample from the field:http://target.com/xxx/xyz.function?session_num=7785
  • 71. Testing for CSRF (OWASP-SM-005) Look at HTML code: P No anti-CSRF token = Vulnerable Anti-CSRF token = Wait to ACTIVE testing ☺
  • 72. Testing for Bypassing Authorization Schema (OWASP-AZ-002) Look at unauthenticated cross-site requests: P http://other-site.com/user=3&report=4 Referer: site.com Change ids in application: ! http://site.com/view_doc=4
  • 73. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001) P Headers Enabling/Disabling Client-Side XSS filters: • X-XSS-Protection (IE-Only) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) Example: $ curl -i https://accounts.google.com X-XSS-Protection: 1; mode=block
  • 74. UI Redressing Protection i.e. Clickjacking (OWASP Code?) Look for for UI Redressing protections: P • X-Frame-Options (best) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) • JavaScript Frame busting (bypassable sometimes) Example: $ curl -i https://accounts.google.com X-Frame-Options: Deny“Clickjacking for Shells”:http://www.morningstarsecurity.com/research/clickjacking-wordpress
  • 75. Testing for DOM-based Cross site scripting (OWASP-DV-003) Review JavaScript code on the page: P <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): # http://target.com/... vulnerable_param=xsshttp://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  • 76. Testing for Cross site flashing (OWASP-DV-004)1) Find Flash files: P
  • 77. Testing for Cross site flashing (OWASP-DV-004) cont.2) Find crossdomain.xml P
  • 78. Testing for Cross site flashing (OWASP-DV-004) cont.3) Look at crossdomain.xml:Example 1:<cross-domain-policy> P<allow-access-from domain="*"/></cross-domain-policy>Example 2:<cross-domain-policy><!-- This domain can accept a MyHeader header froma SWF file on www.example.com --><allow-http-request-headers-fromdomain="www.example.com" headers="MyHeader"/></cross-domain-policy> http://en.wikipedia.org/wiki/Same_origin_policy http://kb2.adobe.com/cps/403/kb403185.html
  • 79. Testing for Cross site flashing (OWASP-DV-004) cont. 4) Download + decompile Flash files: $ flare hello.swf P
  • 80. Testing for Cross site flashing (OWASP-DV-004) cont. Phttp://www.brothersoft.com/hp-swfscan-download-253747.htmlhttp://tinyurl.com/SWFScan-msi
  • 81. Testing for Cross site flashing (OWASP-DV-004) cont. Active testing ☺ P 1) Trip to server = need permission ! http://target.com/test.swf?xss=foo&xss2=bar 2) But … your browser is yours: No trip to server = no permission needed P # http://target.com/test.swf ?xss=foo&xss2=barGood news: Unlike DOM XSS, the # trick will always work for Flash Files
  • 82. Testing for SQL Injection (OWASP-DV-005) Did Google find SQLi for you? P
  • 83. DoS Failure to Release Resources (OWASP-DS-007)1. Browse Site2.3. Time requests Get top X slowest requests P4. Slowest = Best DoS target
  • 84. Testing: WS Information Gathering (OWASP-WS-001)Google searches: inurl:wsdl site:example.comWeb service analysis: Phttp://www.example.com/ws/FindIP.asmx?WSDLPublic services search:http://seekda.com/http://www.wsindex.org/http://www.soapclient.com/
  • 85. Testing for WS Replay (OWASP-WS-007)Similar to CSRF: PIs there an anti-replay token in the request?
  • 86. Testing for file extensions handling (OWASP-CM-005) some attack traffic but subtle. File Uploads: !! • If upload.php or .asp, .html, .. is allowed by app • A valid GIF or JPG comment can be a valid PHP script, etc .. • Difference from attack to legit can be subtle • File uploads are POST = often not logged (Enterprises do, but small businesses normally don’t)
  • 87. Testing for Error Code (OWASP-IG-006)• Use var_name[] in PHP: !• Make __VIEWSTATE = ‘a’:[ViewStateException: Invalid viewstate …..…) in c:WINDOWSMicrosoft.NETFrameworkv2.0.50727Temporary ASP.NET Filesroot ….
  • 88. Testing for user enumeration (OWASP-AT-002)• Error messages !“this user does not exist”“the website member could not be found”Etc.• Time differences$ time curl https://target.com -d user=x&pass=yBad login Example:Valid User (retrieved from DB): > 1.5 secsInvalid User (not in DB = faster): < 0.7 secs
  • 89. Testing for Reflected/Stored Crosssite scripting (OWASP-DV-001+2)Subtle look for signs of output encoding: !O’Brien O&apos;BrienO”Brien O&quot;Brien or O%22BrienTed..> Ted..&gt; or Ted..%3ETed,< Ted,.&lt; or Ted..%3CCharset, etc.
  • 90. Testing for SQL Injection (OWASP-DV-005)SQL errors: !• Strings: O’Brien• IDs: Instead of “1” type “1l” or “1 l”Math operations: Is the same item displayed?• target.com/id=2 target.com/id=1%2B1
  • 91. Testing for Application Discovery(OWASP-IG-005) @ post-exploitation Got shell? !!
  • 92. Testing for Application Discovery(OWASP-IG-005) @post-exploitation You feel like .. !!
  • 93. Testing for Application Discovery(OWASP-IG-005) @post-exploitation They feel like .. !!
  • 94. Testing for Application Discovery(OWASP-IG-005) @post-exploitation They feel like .. !!
  • 95. Testing for Application Discovery(OWASP-IG-005) @post-exploitation They feel like .. !!
  • 96. Testing for Application Discovery(OWASP-IG-005) @post-exploitation And finally .. !!
  • 97. Testing for Application Discovery(OWASP-IG-005) @post-exploitation You have a mission! !! • “Shell is only the beginning” – Darkoperator • Your job is to show impact* • Web app sec can also involve network sec! Goal: How much damage could be done? *within scope restrictions!
  • 98. Testing for Application Discovery(OWASP-IG-005) @post-exploitation • Web server running as SYSTEM? (default!) • No need to crack passwords .. !!
  • 99. Testing for Application Discovery(OWASP-IG-005) @post-exploitation Just type your chosen password .. !!
  • 100. Testing for Application Discovery(OWASP-IG-005) @post-exploitation • Steal passwords .. !! • Be patient, it’s worth it ..
  • 101. Testing for Application Discovery(OWASP-IG-005) @post-exploitation Pivot to the other hosts reusing passwords !!
  • 102. Testing for Application Discovery(OWASP-IG-005) @post-exploitationPASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum P
  • 103. Testing for Application Discovery(OWASP-IG-005) @post-exploitationPASSIVE Local “Port scanning” from winenum P
  • 104. Testing for Application Discovery(OWASP-IG-005) @post-exploitationDon’t forget about IPv6 & UDP ☺ P
  • 105. Testing for Application Discovery(OWASP-IG-005) @post-exploitationPASSIVE Remote “Port scanning” from winenum via active connections P
  • 106. Pen tester Conclusion• No permission != cannot start• A lot of work can be done in advanceThis work in advance helps with:• Increased efficiency• Deal better with tight deadlines• Better pre-engagement• Better test quality• Best chance to get inBottom line: Do it
  • 107. Business Conclusion• Web app security > Input validation• We see no traffic != we are not targeted• No IDS alerts != we are safe• Your site can be tested without you noticing• Test your security before others do
  • 108. Special thanks to• OWASP Testing Guide contributors• Krzysztof Kotowicz• Marcus Niemietz• Mario Heiderich• Michele Orru• Sandro Gauci
  • 109. Q&A Abraham Aranguren @7a_ abraham.aranguren@gmail.com http://7-a.orgQ - owtf! This is a lot of workA - I know, check out: http://owtf.org