    c0c0n2010 - Presentation Transcript

    • Pentest Labs Vulnerable Web Apps Frameworks and Pentest Mauro Risonho de Paula Assumpção firebits firebits@backtrack.com.br mauro.risonho@nsec.com.br 2010
    • About the speaker
      ● Mauro Risonho de Paula Assumpção, a.k.a. firebits
      ● I'm from Brazil!
      ● I work in pentest (and other services) remotely around the world
      Contact us! firebits@backtrack.com.br mauro.risonho@nsec.com.br
    • ● Looking for a good opportunity in a company's information security, in my profile ;)
      ● Anywhere in the world.
      ● And to take a quick course in English to speak better :)
    • ● Unfortunately, I do not speak English fluently, but I write and understand it well!
      ● Thanks to all who are here, and maybe in 2011 I will meet everyone personally. It will be an honor.
    • Who am I?
      ● Pentester, exploit writer, developer, security analyst and vulnerability researcher. In Brazil this is called “autodidata” (self-taught).
    • Who am I?
      ● Director, security consultant and security systems pentester at NSEC (a small company in Brazil). Carried out security and development projects at Petrobras REVAP, Microsiga, Unilever, Rhodia, Tostines, Avon, CMS Energy, Stefanini IT Solutions, NeoIT, Intel, Google, Degussa, Niplan and others. Leader / founder of "Backtrack Brazil" (www.backtrack.com.br) and moderator and translator for Backtrack USA (www.backtrack-linux.org).
    • ● The focus of this presentation is building a new penetration-testing lab for information security professionals, as well as for others who wish to improve or deepen their knowledge.
      ● We will show some capabilities of these frameworks, with some commands and techniques, but we will not carry the pentest technique through to the end, both for lack of time and to leave something to the curiosity of those interested ;)
    • PAPER: Pentest Labs Vulnerable Web Apps Frameworks and Pentest
    • OWASP Broken Web Applications: Excellent Learning Tool
      http://code.google.com/p/owaspbwa/
      ● OWASP WebGoat – Java
      ● OWASP Vicnum – Perl
      ● OWASP Mutillidae – PHP
      ● Damn Vulnerable Web Application – PHP
    • OWASP Broken Web Applications: Excellent Learning Tool
      http://code.google.com/p/owaspbwa/
      ● OWASP CSRFGuard Test Application – Java
      ● Mandiant Struts Forms – Java/Struts
      ● Simple ASP.NET Forms (ASP.NET/C#)
      ● Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
    • OWASP Broken Web Applications: Excellent Learning Tool
      http://code.google.com/p/owaspbwa/
      ● WordPress version 2.0.0 (PHP, released December 31, 2005)
      ● phpBB version 2.0.0 (PHP, released April 4, 2002)
      ● Yazd version 1.0 (Java, released February 20, 2002)
    • DEMO VIDEO: OWASP Broken Web Applications
    • Broken Web Applications
      Paper: Web 2.0 AJAX
      http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
    • BadStore
      Link: http://www.badstore.net/
      Platform: Perl, Apache and MySQL
      Install: Meant to run by booting a Live CD, but I'd recommend using my Live CD VMX
      Notes: Easy to set up, and it's nice that you can run it from a VM with a little work. Just make sure you set the VM to use the IP addresses that are only available from the local host OS (NAT or Host-only).
    • Damn Vulnerable Web App
      Link: http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
      Platform: PHP, Apache and MySQL
      Install: Should work on any box you can install Apache/PHP/MySQL on.
      Notes: When I first posted Mutillidae, Ryan Dewhurst emailed me and told me about a project he started a few months before mine. His is also PHP/MySQL based, and looks prettier than mine. :) I've yet to play with it much, but I may be using some of his code in the near future to expand Mutillidae.
    • Hacme Travel
      Link: http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
      Platform: Windows XP, MSDE 2000 Release A, Microsoft .NET Framework v1.1, C++
      Install:
      Notes:
    • Hacme Bank
      Link: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
      Platform: Windows, IIS, .Net 1.1
      Install:
      Notes:
    • Hacme Shipping
      Link: http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
      Platform: Windows XP, Microsoft IIS, Adobe ColdFusion MX Server 7.0 for Windows, MySQL (4.x or 5.x with strict mode disabled)
      Install:
      Notes:
    • Hacme Casino
      Link: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
      Platform: Ruby on Rails
      Install: Installer that sets up a built-in WEBrick server
      Notes:
    • DEMO VIDEO: Hacme Casino
    • Hacme Books
      Link: http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
      Platform: J2EE application, Java Development Kit
      Install:
      Notes:
    • Moth
      Link: http://www.bonsai-sec.com/en/research/moth.php
      Platform: Linux VMware image
      Install: Just download the VM and open it in VMware Player
      Notes:
      ● Nanbiquara 2.0 (PHP + MySQL)
      ● Riotpix .61p (PHP + MySQL)
      ● Vanilla 1.1.4 (PHP + MySQL)
      ● Wordpress 2.6.5 (PHP + MySQL)
      ● Yazd war 3.0r (Tomcat 6 + MySQL)
    • DEMO VIDEO: Moth
    • Mutillidae
      Link: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
      Platform: PHP, Apache and MySQL
      Install: Should work on any box you can install Apache/PHP/MySQL on. I have personally tested it in XAMPP under Windows and Linux.
      Notes: Mutillidae is my personal project to implement the OWASP Top 10 Vulnerabilities. It's designed to be easy to follow and geared towards a classroom environment. Think of it as a noob's WebGoat.
    • Vicnum
      Link: http://sourceforge.net/projects/vicnum/
      Platform: PHP and Perl
      Install: Should work on any box you can install Apache/PHP/MySQL on. Try it with XAMPP.
      Notes: Mordecai Kraushar sent me an email about his project. The more the merrier. Here is how it is described: "A web application showing common vulnerabilities such as cross site scripting and session management issues. Helpful to IT auditors honing web security skills and to those setting up 'capture the flag' exercises. For the VM login as root/vicnum"
    • WebGoat
      Link: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
      Platform: J2EE web application
      Install: Self-contained Tomcat server you can run from a directory under Windows or Linux
      Notes: Love the fact it's so self-contained and easy to run. By default it only listens on the loopback address, so you can run it from your workstation on a production network with little worries.
    • DEMO VIDEO: WebGoat
    • WebMaven (AKA: Buggy Bank)
      Link: http://www.mavensecurity.com/WebMaven.php
      Platform: Perl CGI scripts
      Install: You have to install this on a box with a web server and Perl CGI support. The creators recommend Xitami for the sake of ease. Make sure that you don't put the server on a production network.
      Notes: I've not played with this one much. The website for WebMaven says it was the basis for WebGoat v1.
    • References
      ● http://www.irongeek.com
      ● http://www.owasp.org
      ● http://www.google.com
      ● http://www.backtrack-linux.org
    • THANKS FOR ALL!!!
      Mauro Risonho de Paula Assumpção
      http://www.informationsecurityday.com/c0c0n/
      firebits@backtrack.com.br mauro.risonho@nsec.com.br