The Magic of Passive Web Vulnerability Analysis - Lava Kumar - OWASP India Conference 2012

Presentation Transcript

    • OWASP InfoSec India Conference 2012, August 24th – 25th, 2012. The OWASP Foundation. Hotel Crowne Plaza, Gurgaon. http://www.owasp.org http://www.owasp.in. The Magic of Passive Web Vulnerability Analysis. Lavakumar Kuppan, lava@ironwasp.org, https://twitter.com/lavakumark, https://ironwasp.org. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
    • About: Penetration Tester, 5+ years of experience. Security Researcher: Flash 0-day; WAF bypass 0-day using HPP; multiple HTML5 based attack techniques; 5th best Web Application Hacking Technique of 2010. Attack and Defense Labs – http://andlabs.org. HTML5 Security Resources Repository – http://html5security.org
    • About: Developer of IronWASP (C# + Python + Ruby), Ravan (PHP + JavaScript), JS-Recon (JavaScript), Shell of the Future (C# + JavaScript), Imposter (C# + JavaScript). Speaker at BlackHat, OWASP AppSec Asia, NullCon, SecurityByte, ClubHack
    • Pentesters are focused on the big catch: SQL Injection, Cross-site Scripting, Command Injection, Code Injection, etc.
    • So the focus is mostly on Active Checks
    • Passive Analysis is done by the tools
    • What about Manual Passive Analysis?
    • Let's look at what Manual Passive Analysis will find (using IronWASP)
    • Step 1 – Collecting HTTP Logs: set IronWASP as the proxy and browse the site; automated crawling of the site; import Burp Proxy logs
    • Step 2 – Make a list of all Parameter Names/Values. Parameters include: query parameters, body parameters, cookie parameters, request & response header parameters, Set-Cookie parameters, form field parameters in the HTML response
    • Step 3 – Print out the parameter names. Eg: lang, user, pwd, id, … …, logged_in, is_admin, … … Notice anything interesting? This can be probed further manually
    • And used for Hidden Parameter Guessing. Regular Password Change URL: http://test.site/change_pwd.php. Password Change URL with inclusion of the Hidden Parameter: http://test.site/change_pwd.php?is_admin=1. Now the 'Change Password' feature does not ask for the old password!!!
    • Step 4 – Print out the parameter values. Eg: en, true, 23944, s77eod, … …, Fy2010_11_report.pdf, Fy2011_12_report.pdf, … …, http://partner.site/data.php, … …, SELECT id FROM Users, …
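Steps 1 to 4 as a script, added here as an illustration rather than the deck's promised script or IronWASP code: it takes a captured request/response pair (a constructed sample, not a real log) and builds the parameter inventory from all the sources Step 2 lists; Steps 3 and 4 are then just the distinct names and the values of that list.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: one request/response pair as a proxy log would hold it
# (not a real capture; names and values mirror the deck's examples).
SAMPLE_LOG = [{
    "request": ("POST /change_pwd.php?lang=en HTTP/1.1\r\nHost: test.site\r\n"
                "Cookie: SessionId=oasow823djdlna33rfz; discount=13%\r\n\r\n"
                "user=lava&pwd=secret123&id=23944"),
    "response": ("HTTP/1.1 200 OK\r\nSet-Cookie: discount=10%; path=/\r\n\r\n"
                 "<form><input name='logged_in' value='true'>"
                 "<input type='hidden' name='is_admin' value='0'></form>"),
}]

INPUT_RE = re.compile(r"<input[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*['"]([^'"]*)['"]""")

def split_message(raw):
    """Split a raw HTTP message into (start line, [(header, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    first, *lines = head.split("\r\n")
    headers = [tuple(s.strip() for s in h.split(":", 1)) for h in lines if ":" in h]
    return first, headers, body

def expand_headers(headers, cookie_header, source):
    """Yield header parameters, splitting Cookie/Set-Cookie into per-cookie entries."""
    for key, value in headers:
        if key.lower() == cookie_header:
            for name, morsel in SimpleCookie(value).items():
                yield (cookie_header, name, morsel.value)
        else:
            yield (source, key, value)

def inventory(log):
    """Step 2: (source, name, value) triples for every parameter in the log."""
    params = []
    for entry in log:
        first, headers, body = split_message(entry["request"])
        url = first.split(" ")[1]
        params += [("query", k, v) for k, v in parse_qsl(urlsplit(url).query)]
        params += [("body", k, v) for k, v in parse_qsl(body)]
        params += list(expand_headers(headers, "cookie", "req-header"))
        _, headers, body = split_message(entry["response"])
        params += list(expand_headers(headers, "set-cookie", "resp-header"))
        for tag in INPUT_RE.findall(body):   # form fields in the HTML response
            attrs = dict(ATTR_RE.findall(tag))
            if "name" in attrs:
                params.append(("form", attrs["name"], attrs.get("value", "")))
    return params
```

`list(dict.fromkeys(p[1] for p in inventory(SAMPLE_LOG)))` is the Step 3 name list; the hidden `is_admin` field shows up in it exactly as the next slide describes.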
    • Parameter Values say a lot: Fy2010_11_report.pdf – possible LFI vulnerability; http://partner.site/data.php – possible RFI / Open Redirect vulnerability; SELECT id FROM Users – SQL queries created on the client-side and executed on the server-side!!! Ironically automated scanners might not detect this type of SQL Injection!
    • Check parameter values for possible encoding. Do you see anything interesting in the strings below: asdljz2398sdsdsdsdkss, z23sds9sd9a;sdk=awe, bgf2yto6c2vjcmv0mtiz, 646973636f756e743a323125, 2238019jadja8498434dfdf, Lsjflosow2384fkshfl
    • How about now? asDljz2398sdYDKus3lnsz23sdE9sd9Asdk=awe; bGF2YTo6c2VjcmV0MTIz –Base64 Decode-> lava::secret123; 646973636f756e743a323125 –Hex Decode-> discount:21%; 2238019jadja8498434dfdflsjflosow2384fkshfl. Base64 and Hex encoding are the most commonly used encoding schemes in web apps. Try base64 and hex decoding all parameter values and see if they decode to ASCII strings or binary strings with embedded ASCII values. There could be interesting data hidden there
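The decoding sweep from the last two slides, as an added example (not the deck's script): every value is tried as hex and as base64, and a value is reported only if the result is readable ASCII or a binary blob with ASCII runs inside it. The sample values are the deck's own strings plus one constructed base64 blob that exercises the embedded-ASCII case.

```python
import base64
import binascii
import re

# Constructed sample values: the deck's strings plus one base64 blob of binary bytes with ASCII inside.
SAMPLE_VALUES = [
    "asDljz2398sdYDKus3lnsz23sdE9sd9Asdk=awe",
    "bGF2YTo6c2VjcmV0MTIz",
    "646973636f756e743a323125",
    "2238019jadja8498434dfdflsjflosow2384fkshfl",
    "AAECAwQFBgdzZWNyZXQ=",   # bytes 00..07 followed by "secret"
]
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def ascii_runs(data, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes found in arbitrary bytes."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # the sentinel flushes the final run
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode())
            cur = bytearray()
    return runs

def try_decode(value):
    """Hex first (stricter alphabet), then base64; return (scheme, text_or_hex, runs) or None."""
    candidates = []
    if HEX_RE.match(value) and len(value) % 2 == 0:
        candidates.append(("hex", bytes.fromhex(value)))
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            candidates.append(("base64", base64.b64decode(value, validate=True)))
        except binascii.Error:        # well-formed alphabet but bad padding
            pass
    for scheme, raw in candidates:
        if raw and all(b in PRINTABLE for b in raw):
            return scheme, raw.decode(), [raw.decode()]
        runs = ascii_runs(raw)
        if runs:                      # binary blob with embedded ASCII
            return scheme, raw.hex(), runs
    return None

def find_encoded(values):
    """Map each parameter value that decodes to something readable to its decoding."""
    return {v: hit for v in values if (hit := try_decode(v))}
```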
    • Check parameter values for Hashes. Make a list of parameter values that are of the same format as MD5 & SHA. Try cracking these hashes by using a dictionary list of the other parameter values. You will know if any parameter value is linked to this hash. Helps you probe the connection further
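The hash check above as an added example (not the deck's script): hash-shaped values are picked out by digest length, and the dictionary used against them is simply the remaining parameter values. The sample list is constructed; its two digests are computed in place so the sample stays consistent, and the third digest has no preimage in the list, which is the expected outcome for a properly random token.

```python
import hashlib
import re

HASH_SHAPES = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> algorithm
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def looks_like_hash(value):
    """True for values with the exact shape of an MD5, SHA-1 or SHA-256 hex digest."""
    return HEX_RE.match(value) is not None and len(value) in HASH_SHAPES

def link_hashes(values):
    """Return {digest: (algorithm, source_value)} for every hash-shaped value
    that equals the digest of another captured parameter value."""
    hashes = {v.lower() for v in values if looks_like_hash(v)}
    words = [v for v in values if not looks_like_hash(v)]
    found = {}
    for word in words:
        data = word.encode()
        for alg in set(HASH_SHAPES.values()):
            digest = hashlib.new(alg, data).hexdigest()
            if digest in hashes:
                found[digest] = (alg, word)
    return found

# Constructed sample: parameter values from a hypothetical log. Two of them are
# digests of other values in the same list, one is a digest of something else.
SAMPLE_VALUES = [
    "en", "23944", "lava", "secret123", "s77eod",
    hashlib.md5(b"lava").hexdigest(),           # e.g. a "remember me" token = md5(user)
    hashlib.sha1(b"23944").hexdigest(),         # e.g. a download token = sha1(id)
    hashlib.sha256(b"unrelated-input").hexdigest(),
]
```

A link such as md5(user) tells the reviewer the token is derivable from a public value and the feature it protects needs a closer look; an unlinked digest is not proof of safety, only the absence of this particular shortcut.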
    • CSRF token Analysis. Once you know the name of the CSRF token, check it against the list of Parameter names. If any request contains the CSRF token in the Query then it's a problem (similar to a Session ID in the URL): http://test.site/action.php?create_user=test&token=JDK7kS02jso. If any POST request does not contain the CSRF token in the body then it is probably a problem. Investigate.
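The two CSRF rules from this slide as an added check (not the deck's script); the request list is constructed and the token name "token" follows the slide's example URL.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests as (method, url, body); the second one is the deck's example.
SAMPLE_REQUESTS = [
    ("GET",  "http://test.site/index.php", ""),
    ("GET",  "http://test.site/action.php?create_user=test&token=JDK7kS02jso", ""),
    ("POST", "http://test.site/action.php", "create_user=test&token=JDK7kS02jso"),
    ("POST", "http://test.site/delete.php", "id=23944"),
]

def csrf_findings(requests, token_name="token"):
    """Flag requests carrying the token in the query string (it leaks through the
    Referer header, proxy logs and browser history, like a session ID in the URL)
    and POST requests that do not carry it in the body at all."""
    findings = []
    for method, url, body in requests:
        query_names = {k for k, _ in parse_qsl(urlsplit(url).query)}
        body_names = {k for k, _ in parse_qsl(body)}
        if token_name in query_names:
            findings.append(("token-in-query", method, url))
        if method == "POST" and token_name not in body_names:
            findings.append(("post-without-token", method, url))
    return findings
```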
    • Clickjacking through lack of Framebusting. Find out the JavaScript code that is used as a Framebuster to protect against Clickjacking. Check the JavaScript islands in all HTML pages for this Framebuster. List out all pages that don't have it. These are probably vulnerable to Clickjacking. Investigate.
    • Cookies set/manipulated on the Client-side. Compare the key/values from the Set-Cookie response headers to the key/values in the Cookie request header. Any key/values in the Cookie header that are missing from the Set-Cookie header have been set by JavaScript. Indicates data storage or possible logical decision making on the client-side. Investigate. Eg: Set-Cookie: discount=10%; path=/ Cookie: SessionId=oasow823djdlna33rfz; discount=13%
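The Set-Cookie versus Cookie comparison as an added example (not the deck's script). It goes one step beyond the slide: besides cookies the server never set, it also reports cookies whose client-side value differs from the served one, which is exactly the discount case shown. The headers are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers seen in responses and Cookie headers seen
# in later requests (the discount pair is the deck's own example).
SAMPLE_SET_COOKIES = [
    "SessionId=oasow823djdlna33rfz; path=/; HttpOnly",
    "discount=10%; path=/",
]
SAMPLE_COOKIE_HEADERS = [
    "SessionId=oasow823djdlna33rfz; discount=13%",
    "SessionId=oasow823djdlna33rfz; discount=13%; theme=dark",
]

def cookie_pairs(header):
    """Parse one Cookie or Set-Cookie header into {name: value}, ignoring attributes."""
    return {name: morsel.value for name, morsel in SimpleCookie(header).items()}

def client_side_cookies(set_cookie_headers, cookie_headers):
    """Return {name: (served_value, client_value)} for cookies the client sent that
    the server never set (served_value is None) or whose value differs from what
    the server last set. Assumes the log holds every Set-Cookie the client received;
    a cookie served outside the captured traffic would show up here as well."""
    served = {}
    for header in set_cookie_headers:
        served.update(cookie_pairs(header))   # later Set-Cookie wins, as in a browser
    suspects = {}
    for header in cookie_headers:
        for name, value in cookie_pairs(header).items():
            if name not in served:
                suspects[name] = (None, value)
            elif served[name] != value:
                suspects[name] = (served[name], value)
    return suspects
```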
    • Check for Reflections. Analyze all responses for reflection of any of the input parameters. If user input is reflected back in the response then it must be tested for Cross-site Scripting. This also helps identify potential candidates for Stored Cross-site Scripting
    • Closing notes. These are only indications; what you can do is only limited by your imagination. A Python script that automates all the discussed techniques will be made available at https://github.com/lavakumar before the end of this month. This script would soon be turned into an IronWASP module with a GUI. Thank You!
    • Subscribe to the mailing list at www.owasp.in. Keep up to date!