The Magic of Passive Web Vulnerability Analysis - Lava Kumar - OWASP India Conference 2012

  1. OWASP InfoSec India Conference 2012, August 24th – 25th, 2012. The OWASP Foundation. Hotel Crowne Plaza, Gurgaon. http://www.owasp.org http://www.owasp.in
     The Magic of Passive Web Vulnerability Analysis
     Lavakumar Kuppan, lava@ironwasp.org, https://twitter.com/lavakumark, https://ironwasp.org
     OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  2. About
     Penetration Tester: 5+ years of experience
     Security Researcher: Flash 0-day; WAF bypass 0-day using HPP; multiple HTML5 based attack techniques; 5th best Web Application Hacking Technique of 2010; Attack and Defense Labs – http://andlabs.org; HTML5 Security Resources Repository – http://html5security.org
  3. About
     Developer: IronWASP (C# + Python + Ruby), Ravan (PHP + JavaScript), JS-Recon (JavaScript), Shell of the Future (C# + JavaScript), Imposter (C# + JavaScript)
     Speaker: BlackHat, OWASP AppSec Asia, NullCon, SecurityByte, ClubHack
  4. Pentesters are focused on the big catch: SQL Injection, Cross-site Scripting, Command Injection, Code Injection, etc.
  5. So the focus is mostly on Active Checks
  6. Passive Analysis is done by the tools
  7. What about Manual Passive Analysis?
  8. Let’s look at what Manual Passive Analysis will find (using IronWASP)
  9. Step 1 – Collecting HTTP Logs
     Set IronWASP as the proxy and browse the site
     Automated crawling of the site
     Import Burp Proxy logs
  10. Step 2 – Make a list of all Parameter Names/Values
     Parameters include: query parameters; body parameters; cookie parameters; request and response header parameters; Set-Cookie parameters; form field parameters in the HTML response
  11. Step 3 – Print out the parameter names
     Eg: lang, user, pwd, id, … …, logged_in, is_admin, … …
     Notice anything interesting? This can be probed further manually
  12. And used for Hidden Parameter Guessing
     Regular Password Change Url: http://test.site/change_pwd.php
     Password Change Url with inclusion of Hidden Parameter: http://test.site/change_pwd.php?is_admin=1
     Now the ‘Change Password’ feature does not ask for the old password!!!
  13. Step 4 – Print out the parameter values
     Eg: en, true, 23944, s77eod, … …, Fy2010_11_report.pdf, Fy2011_12_report.pdf, … …, http://partner.site/data.php, … …, SELECT id FROM Users, …
  14. Parameter Values say a lot
     Fy2010_11_report.pdf – possible LFI vulnerability
     http://partner.site/data.php – possible RFI / Open Redirect vulnerability
     SELECT id FROM Users – SQL queries created on the client-side and executed on the server-side!!!
     Ironically automated scanners might not detect this type of SQL Injection!
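Steps 2 to 4 as working code, added here as an example (it is not IronWASP code or the script the author promises later): it walks a small constructed proxy log (test.site and all names and values are made up) and pulls parameters from every location slide 10 lists, then reports the unique names with where each was seen, and flags the slide 14 indicators. The indicator regexes and the name heuristic are assumptions a tester would tune to the site.

```python
"""Parameter inventory over captured HTTP transactions (steps 2 to 4 above).
Added example, not IronWASP code or the author's script. SAMPLE_LOG is constructed
(test.site, names and values are made up); the indicator patterns are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the pieces a proxy log yields per request/response pair.
SAMPLE_LOG = [
    {"method": "GET",
     "url": "http://test.site/report.php?lang=en&file=Fy2010_11_report.pdf",
     "headers": {"Cookie": "id=23944; logged_in=true", "X-Client-Version": "2.1"},
     "body": "",
     "resp_headers": {"Set-Cookie": "id=23944; Path=/", "X-Powered-By": "PHP/5.3"},
     "resp_body": "<html><form><input name='user'>"
                  "<input type='hidden' name='is_admin' value='0'></form></html>"},
    {"method": "POST",
     "url": "http://test.site/search.php",
     "headers": {"Cookie": "id=23944; logged_in=true"},
     "body": "q=SELECT+id+FROM+Users&partner=http://partner.site/data.php",
     "resp_headers": {},
     "resp_body": "<html>no results</html>"},
]

class FormFieldCollector(HTMLParser):
    """Collects name/value of form fields found in an HTML response (slide 10)."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea", "button"):
            attr = dict(attrs)
            if attr.get("name"):
                self.fields.append((attr["name"], attr.get("value") or ""))

def cookie_pairs(header_value):
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')]."""
    pairs = []
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def extract_parameters(tx):
    """Return [(source, name, value)] for every parameter location listed on slide 10."""
    params = [("query", n, v) for n, v in parse_qsl(urlsplit(tx["url"]).query, keep_blank_values=True)]
    params += [("body", n, v) for n, v in parse_qsl(tx.get("body", ""), keep_blank_values=True)]
    for hname, hval in tx.get("headers", {}).items():
        if hname.lower() == "cookie":
            params += [("cookie", n, v) for n, v in cookie_pairs(hval)]
        else:
            params.append(("req_header", hname, hval))
    for hname, hval in tx.get("resp_headers", {}).items():
        if hname.lower() == "set-cookie":
            # Only the first pair is the cookie; Path, Expires etc. are attributes.
            params += [("set_cookie", n, v) for n, v in cookie_pairs(hval)[:1]]
        else:
            params.append(("resp_header", hname, hval))
    collector = FormFieldCollector()
    collector.feed(tx.get("resp_body", ""))
    params += [("form_field", n, v) for n, v in collector.fields]
    return params

def inventory(log):
    """Slides 11 and 13: unique parameter names (with the locations seen) and values."""
    names, values = {}, set()
    for tx in log:
        for source, name, value in extract_parameters(tx):
            names.setdefault(name, set()).add(source)
            values.add(value)
    return names, values

# Slide 14 indicators plus a name heuristic for slide 11. Assumed patterns a tester
# would tune; the first matching label wins, so URLs are classified before file names.
VALUE_INDICATORS = [
    ("possible RFI / open redirect: URL in a parameter", re.compile(r"^https?://", re.I)),
    ("client-built SQL: query text in a parameter",
     re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\b(FROM|INTO|SET|WHERE)\b", re.I)),
    ("possible LFI: file name in a parameter",
     re.compile(r"^[\w.-]+\.(pdf|php|txt|xml|html?|log|ini)$", re.I)),
]
NAME_INDICATOR = re.compile(r"admin|role|debug|logged|auth|priv", re.I)

def flag_values(values):
    """Map each value to the first indicator label it matches."""
    flags = {}
    for value in values:
        for label, pattern in VALUE_INDICATORS:
            if pattern.search(value):
                flags[value] = label
                break
    return flags

def flag_names(names):
    """Parameter names hinting at privilege or state decisions, e.g. is_admin (slide 11)."""
    return sorted(n for n in names if NAME_INDICATOR.search(n))
```

`inventory(SAMPLE_LOG)` returns the name list together with the locations each name was seen in, which is what turns `is_admin` appearing only as a hidden form field into the hidden-parameter guess of slide 12. `flag_values()` tests the URL pattern before the file-name pattern, so `http://partner.site/data.php` is reported as RFI/open redirect rather than as a file name.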
  15. Check parameter values for possible encoding
     Do you see anything interesting in the strings below:
     asdljz2398sdsdsdsdkss
     z23sds9sd9a;sdk=awe
     bgf2yto6c2vjcmv0mtiz
     646973636f756e743a323125
     2238019jadja8498434dfdf
     Lsjflosow2384fkshfl
  16. How about now?
     asDljz2398sdYDKus3lns
     z23sdE9sd9Asdk=awe
     bGF2YTo6c2VjcmV0MTIz –Base64 Decode-> lava::secret123
     646973636f756e743a323125 –Hex Decode-> discount:21%
     2238019jadja8498434dfdf
     lsjflosow2384fkshfl
     Base64 and Hex encoding are the most commonly used encoding schemes in web apps
     Try base64 and hex decoding all parameter values and see if they decode to ASCII strings or binary strings with embedded ASCII values
     There could be interesting data hidden there
  17. Check parameter values for Hashes
     Make a list of parameter values that are of the same format as MD5 & SHA
     Try cracking these hashes by using a dictionary list of the other parameter values
     You will know if any parameter value is linked to this hash
     Helps you probe the connection further
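The decoding and hash checks of slides 15 to 17 as code, added as an example (not IronWASP code or the author's script). The two encoded strings are the slide's own; the rest of SAMPLE_VALUES, including the two digests, is constructed. A decode is kept only when it is mostly printable or contains printable runs, which filters out short values such as `true` that happen to be valid base64; hash candidates are picked by digest length and cracked with the other parameter values as the dictionary.

```python
"""Value analysis: transparent encodings and hash correlation (slides 15 to 17).
Added example, not IronWASP code or the author's script. SAMPLE_VALUES is constructed,
except the two encoded strings taken from the slide."""
import base64
import binascii
import hashlib
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths
ASCII_RUN_RE = re.compile(rb"[ -~]{4,}")

SAMPLE_VALUES = [
    "en", "true", "23944", "lava",
    "bGF2YTo6c2VjcmV0MTIz",              # from the slide: base64 of lava::secret123
    "646973636f756e743a323125",          # from the slide: hex of discount:21%
    "2238019jadja8498434dfdf",
    hashlib.md5(b"lava").hexdigest(),    # constructed: digest of another value
    hashlib.sha1(b"23944").hexdigest(),  # constructed: digest of another value
]

def printable_ratio(data):
    """Share of bytes that are printable ASCII (tab/newline/CR included)."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def try_decode(value, min_len=4):
    """Slide 16: base64- and hex-decode a value. Keep decodes that are mostly printable
    text, and report printable runs embedded in otherwise binary decodes."""
    attempts = []
    if B64_RE.match(value):
        try:
            padded = value + "=" * (-len(value) % 4)
            attempts.append(("base64", base64.b64decode(padded, validate=True)))
        except (binascii.Error, ValueError):
            pass  # wrong length or padding: not base64
    if HEX_RE.match(value) and len(value) % 2 == 0:
        attempts.append(("hex", bytes.fromhex(value)))
    results = []
    for scheme, data in attempts:
        if len(data) < min_len:
            continue  # too short to mean anything ('en', 'true', ...)
        if printable_ratio(data) >= 0.9:
            results.append((scheme, data.decode("latin-1")))
        else:
            for run in ASCII_RUN_RE.findall(data):
                results.append((scheme + "-embedded", run.decode("ascii")))
    return results

def correlate_hashes(values):
    """Slide 17: values shaped like MD5/SHA digests, cracked with the other values as
    the dictionary. Returns {digest: (algorithm, plaintext)}."""
    candidates = {v: HASH_ALGORITHMS[len(v)] for v in values
                  if len(v) in HASH_ALGORITHMS and HEX_RE.match(v)}
    dictionary = [v for v in values if v not in candidates]
    found = {}
    for digest, alg in candidates.items():
        for plain in dictionary:
            if hashlib.new(alg, plain.encode("utf-8")).hexdigest() == digest.lower():
                found[digest] = (alg, plain)
                break
    return found

def analyse_values(values):
    """Run both checks over the value list collected in step 4."""
    decoded = {}
    for value in values:
        hits = try_decode(value)
        if hits:
            decoded[value] = hits
    return {"decoded": decoded, "hashes": correlate_hashes(values)}
```

A hit in `hashes` means one parameter value is a digest of another, for example a user id travelling beside its MD5, which is the link the slide says to probe further.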
  18. CSRF token Analysis
     Once you know the name of the CSRF token, check it against the list of Parameter names
     If any request contains the CSRF token in the Query then it’s a problem (similar to Session ID in Url)
     http://test.site/action.php?create_user=test&token=JDK7kS02jso
     If any POST request does not contain the CSRF token in the body then it is probably a problem. Investigate.
  19. Clickjacking through lack of Framebusting
     Find out the JavaScript code that is used as Framebuster to protect against ClickJacking
     Check JavaScript islands in all HTML pages for this Framebuster
     List out all pages that don’t have it. These are probably vulnerable to Clickjacking. Investigate.
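Slides 18 and 19 as code, added as an example (not IronWASP code or the author's script). The log is constructed; the token name `token` comes from the slide's URL and is assumed to have been identified already. The framebuster pattern is an assumption covering the common `top != self` idiom; in practice the exact snippet observed on the site is used, as the slide says. The header-based defence (`X-Frame-Options`, or CSP `frame-ancestors`) is also counted as protection so that pages relying on it are not reported.

```python
"""CSRF-token placement and framebuster presence over a request log (slides 18 and 19).
Added example, not IronWASP code. SAMPLE_LOG is constructed; the token name and the
example URL are the slide's."""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = [
    {"method": "GET", "url": "http://test.site/action.php?create_user=test&token=JDK7kS02jso",
     "body": "", "resp_headers": {},
     "resp_body": "<html><script>if (top != self) top.location = self.location;</script></html>"},
    {"method": "POST", "url": "http://test.site/profile.php",
     "body": "name=lava&token=JDK7kS02jso", "resp_headers": {},
     "resp_body": "<html><script>if(top!=self){top.location=self.location;}</script><body>ok</body></html>"},
    {"method": "POST", "url": "http://test.site/delete.php",
     "body": "id=23944", "resp_headers": {"X-Frame-Options": "DENY"},
     "resp_body": "<html><body>deleted</body></html>"},
    {"method": "GET", "url": "http://test.site/help.php",
     "body": "", "resp_headers": {},
     "resp_body": "<html><body>help</body></html>"},
    {"method": "GET", "url": "http://test.site/app.js",
     "body": "", "resp_headers": {}, "resp_body": "var x = 1;"},
]

def csrf_token_findings(log, token_name):
    """Slide 18: the token in a query string is a problem (it leaks like a session ID
    in the URL); a POST whose body lacks the token is probably a problem."""
    findings = []
    for tx in log:
        in_query = token_name in parse_qs(urlsplit(tx["url"]).query)
        in_body = token_name in parse_qs(tx.get("body", ""))
        if in_query:
            findings.append(("token-in-query", tx["url"]))
        if tx["method"] == "POST" and not in_body:
            findings.append(("post-without-token", tx["url"]))
    return findings

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Assumed frame-busting idiom; replace with the exact snippet seen on the site.
FRAMEBUSTER_RE = re.compile(r"top\s*!==?\s*self|self\s*!==?\s*top|top\.location\s*=", re.I)

def header_protected(resp_headers):
    """Header-based anti-framing (X-Frame-Options or CSP frame-ancestors) counts too."""
    lower = {k.lower(): v for k, v in resp_headers.items()}
    return "x-frame-options" in lower or "frame-ancestors" in lower.get("content-security-policy", "")

def pages_without_framebuster(log, buster_re=FRAMEBUSTER_RE):
    """Slide 19: HTML pages whose script islands lack the framebuster (and no header)."""
    missing = []
    for tx in log:
        body = tx.get("resp_body", "")
        if "<html" not in body.lower():
            continue  # scripts, images, JSON: not pages that can be framed and clicked
        if header_protected(tx.get("resp_headers", {})):
            continue
        if not any(buster_re.search(js) for js in SCRIPT_RE.findall(body)):
            missing.append(tx["url"])
    return missing
```

On the sample, `csrf_token_findings(SAMPLE_LOG, "token")` reports the slide's URL for the token in the query and `delete.php` for the POST without a token; `pages_without_framebuster` reports only `help.php`, since `delete.php` carries `X-Frame-Options`.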
  21. Cookies set/manipulated on the Client-side
     Compare key/values from the Set-Cookie response headers to the key/values in the Cookie request header
     Any key/value in the Cookie header that is missing from the Set-Cookie headers has been set by JavaScript
     Indicates data storage or possible logical decision making on the client-side. Investigate.
     Eg:
     Set-Cookie: discount=10%; path=/
     Cookie: SessionId=oasow823djdlna33rfz; discount=13%
  22. Check for Reflections
     Analyze all responses for reflection of any of the input parameters
     If user input is reflected back in the response then it must be tested for Cross-site Scripting
     This helps identify potential candidates for Stored Cross-site Scripting
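Slides 21 and 22 as code, added as an example (not IronWASP code or the author's script). SAMPLE_LOG is constructed; only the `discount` cookie values are the slide's. The cookie check records every value the server ever set for a name, so a legitimately re-issued cookie is not flagged, and the reflection check separates a hit in the request's own response from a hit in a different response, the latter being the stored-XSS candidate the slide mentions.

```python
"""Client-side cookie detection and input reflection over a request log (slides 21 and 22).
Added example, not IronWASP code or the author's script. SAMPLE_LOG is constructed;
only the discount cookie values come from the slide."""
import html
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = [
    {"url": "http://test.site/login.php", "body": "user=lava&pwd=s77eod", "cookie": "",
     "set_cookie": ["SessionId=oasow823djdlna33rfz; Path=/; HttpOnly", "discount=10%; path=/"],
     "resp_body": "<html>Welcome lava</html>"},
    {"url": "http://test.site/comment.php", "body": "msg=nice+site",
     "cookie": "SessionId=oasow823djdlna33rfz; discount=13%", "set_cookie": [],
     "resp_body": "<html>Saved</html>"},
    {"url": "http://test.site/comments.php", "body": "",
     "cookie": "SessionId=oasow823djdlna33rfz; discount=13%; theme=dark", "set_cookie": [],
     "resp_body": "<html><p>nice site</p></html>"},
]

def cookie_header_pairs(header):
    """Request Cookie header 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    return dict(part.strip().split("=", 1) for part in header.split(";") if "=" in part)

def client_side_cookies(log):
    """Slide 21: cookies in request Cookie headers that no Set-Cookie in the log
    established, or that carry a value the server never issued."""
    server_values = {}
    for tx in log:
        for header in tx.get("set_cookie", []):
            first = header.split(";", 1)[0]  # first pair only; Path etc. are attributes
            if "=" in first:
                name, value = first.split("=", 1)
                server_values.setdefault(name.strip(), set()).add(value.strip())
    findings = {}
    for tx in log:
        for name, value in cookie_header_pairs(tx.get("cookie", "")).items():
            if name not in server_values:
                findings[name] = ("never-set-by-server", value)
            elif value not in server_values[name]:
                findings[name] = ("value-changed-on-client", value)
    return findings

def reflections(log, min_len=3):
    """Slide 22: request parameter values that appear in a response body, verbatim or
    HTML-escaped. A hit in the request's own response is a reflected-XSS candidate; a
    hit in another response is a stored-XSS candidate."""
    findings = set()
    for i, tx in enumerate(log):
        params = parse_qsl(urlsplit(tx["url"]).query, keep_blank_values=True)
        params += parse_qsl(tx.get("body", ""), keep_blank_values=True)
        for j, other in enumerate(log):
            body = other.get("resp_body", "")
            for name, value in params:
                if len(value) < min_len:
                    continue  # 'en', '1' etc. would match everywhere
                kind = "reflected" if i == j else "stored-candidate"
                if value in body:
                    findings.add((name, value, other["url"], kind))
                elif html.escape(value) in body:
                    findings.add((name, value, other["url"], kind + "-escaped"))
    return sorted(findings)
```

On the sample, `discount` is reported as changed on the client (the server set 10%, the browser sends 13%) and `theme` as never set by the server; `user=lava` is reflected in its own response, while `msg=nice site` shows up in a later `comments.php` response and is the stored candidate.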
  23. Closing notes
     These are only indications; what you can do is only limited by your imagination
     A Python script that automates all discussed techniques will be made available at https://github.com/lavakumar before the end of this month
     This script would soon be turned into an IronWASP module with GUI
     Thank You!
  24. Subscribe mailing list: www.owasp.in. Keep up to date!
