The Magic of Passive Web Vulnerability Analysis (Lavakumar Kuppan)
1. OWASP InfoSec India Conference 2012
August 24th – 25th, 2012
Hotel Crowne Plaza, Gurgaon
The OWASP Foundation
http://www.owasp.org
http://www.owasp.in
The Magic of Passive Web Vulnerability Analysis
Lavakumar Kuppan
lava@ironwasp.org
https://twitter.com/lavakumark
https://ironwasp.org
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
2. About
Penetration Tester
5+ years of experience
Security Researcher
Flash 0-day
WAF bypass 0-day using HPP
Multiple HTML5 based attack techniques
5th best Web Application Hacking Technique of 2010
Attack and Defense Labs – http://andlabs.org
HTML5 Security Resources Repository – http://html5security.org
3. About
Developer
IronWASP (C# + Python + Ruby)
Ravan (PHP + JavaScript)
JS-Recon (JavaScript)
Shell of the Future (C# + JavaScript)
Imposter (C# + JavaScript)
Speaker
BlackHat
OWASP AppSec Asia
NullCon
SecurityByte
ClubHack
4. Pentesters are focused on the big catch
SQL Injection
Cross-site Scripting
Command Injection
Code Injection
etc.
5. So the focus is mostly on Active Checks
6. Passive Analysis is done by the tools
7. What about Manual Passive Analysis?
8. Let’s look at what Manual Passive Analysis will find (using IronWASP)
9. Step 1 – Collecting HTTP Logs
Set IronWASP as the proxy and browse the site
Automated Crawling of the site
Import Burp Proxy Logs
10. Step 2 – Make a list of all parameter names and values
Parameters include:
Query parameters
Body parameters
Cookie parameters
Request & Response Header parameters
Set-Cookie parameters
Form field parameters in HTML response
11. Step 3 – Print out the parameter names
Eg:
lang
user
pwd
id
…
…
logged_in
is_admin
…
…
Notice anything interesting?
This can be probed further manually
12. And used for Hidden Parameter Guessing
Regular Password Change URL:
http://test.site/change_pwd.php
Password Change URL with the hidden parameter included:
http://test.site/change_pwd.php?is_admin=1
Now the ‘Change Password’ feature does not ask for the old password!!!
13. Step 4 – Print out the parameter values
Eg:
en
true
23944
s77eod
…
…
Fy2010_11_report.pdf
Fy2011_12_report.pdf
…
…
http://partner.site/data.php
…
…
SELECT id FROM Users
…
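Steps 2 to 4 in one place, as an added example (this is neither IronWASP code nor the author's Python script): the function below walks a list of raw request/response pairs, pulls every parameter name and value out of the query string, urlencoded body, Cookie header, request and response headers, Set-Cookie headers and HTML form fields, and records where each name was seen. The traffic in SAMPLE_LOG is constructed for the demonstration and is not from any real site.

```python
"""Parameter inventory from captured HTTP traffic (Steps 2 to 4).
Added example, not IronWASP code; log entries are (raw request, raw response) strings."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class FormFieldCollector(HTMLParser):
    """Collects name/value pairs of form controls in an HTML response."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            attrs = dict(attrs)
            if attrs.get("name"):
                self.fields.append((attrs["name"], attrs.get("value") or ""))


def split_message(raw):
    """Split a raw HTTP message into (start line, {header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def cookie_pairs(header, first_only=False):
    """name=value pairs of a Cookie header; only the first pair of a Set-Cookie."""
    parts = header.split(";")[:1] if first_only else header.split(";")
    for part in parts:
        name, sep, value = part.strip().partition("=")
        if sep and name:
            yield name, value


def parameters_of(request_raw, response_raw):
    """Yield (source, name, value) for every parameter in one request/response pair."""
    request_line, req_headers, req_body = split_message(request_raw)
    _method, target, _version = request_line.split(" ", 2)
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield "query", name, value
    if "x-www-form-urlencoded" in "".join(req_headers.get("content-type", [])):
        for name, value in parse_qsl(req_body, keep_blank_values=True):
            yield "body", name, value
    for raw in req_headers.get("cookie", []):
        for name, value in cookie_pairs(raw):
            yield "cookie", name, value
    for name, values in req_headers.items():
        if name != "cookie":
            for value in values:
                yield "request_header", name, value
    _status, resp_headers, resp_body = split_message(response_raw)
    for raw in resp_headers.get("set-cookie", []):
        for name, value in cookie_pairs(raw, first_only=True):
            yield "set-cookie", name, value
    for name, values in resp_headers.items():
        if name != "set-cookie":
            for value in values:
                yield "response_header", name, value
    if "text/html" in "".join(resp_headers.get("content-type", [])):
        collector = FormFieldCollector()
        collector.feed(resp_body)
        for name, value in collector.fields:
            yield "form_field", name, value


def inventory(log):
    """Return ({name: set(values)}, {name: set(sources)}) over the whole log."""
    values, sources = defaultdict(set), defaultdict(set)
    for request_raw, response_raw in log:
        for source, name, value in parameters_of(request_raw, response_raw):
            values[name].add(value)
            sources[name].add(source)
    return dict(values), dict(sources)


# Constructed sample traffic: two request/response pairs against test.site.
SAMPLE_LOG = [
    ("GET /profile.php?lang=en&id=23944 HTTP/1.1\r\nHost: test.site\r\n"
     "Cookie: SessionId=oasow823djdlna33rfz; discount=13%\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
     "Set-Cookie: discount=10%; path=/\r\n\r\n"
     "<html><form action='/change_pwd.php' method='post'>"
     "<input type='hidden' name='is_admin' value='0'>"
     "<input name='pwd' value=''></form></html>"),
    ("POST /change_pwd.php HTTP/1.1\r\nHost: test.site\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Cookie: SessionId=oasow823djdlna33rfz\r\n\r\n"
     "pwd=s77eod&is_admin=0",
     "HTTP/1.1 302 Found\r\nLocation: /profile.php\r\n\r\n"),
]
```

`values, sources = inventory(SAMPLE_LOG)` and then `sorted(values)` is the Step 3 listing (here it already surfaces `is_admin`, which only ever appears as a hidden form field and a posted body field); `sorted(set().union(*values.values()))` is the Step 4 listing. The `sources` map is what makes the later checks cheap: a name seen only in `cookie` but never in `set-cookie`, or a token name seen in `query`, stands out without any further parsing.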
14. Parameter Values say a lot
Fy2010_11_report.pdf – possible LFI vulnerability
http://partner.site/data.php – possible RFI / Open Redirect vulnerability
SELECT id FROM Users – SQL queries created on the client-side and executed on the server-side!!!
Ironically, automated scanners might not detect this type of SQL Injection!
15. Check parameter values for possible encoding
Do you see anything interesting in the strings below?
asdljz2398sdsdsdsdkss
z23sds9sd9a;sdk=awe
bgf2yto6c2vjcmv0mtiz
646973636f756e743a323125
2238019jadja8498434dfdf
Lsjflosow2384fkshfl
16. How about now?
asDljz2398sdYDKus3lns
z23sdE9sd9Asdk=awe
bGF2YTo6c2VjcmV0MTIz –Base64 Decode-> lava::secret123
646973636f756e743a323125 –Hex Decode-> discount:21%
2238019jadja8498434dfdf
lsjflosow2384fkshfl
Base64 and hex encoding are the most commonly used encoding schemes in web apps
Try base64 and hex decoding all parameter values and see if they decode to ASCII strings or binary strings with embedded ASCII values
There could be interesting data hidden there
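The decoding pass from slides 15 and 16, as an added example (not the author's script): each value is tried as hex and as base64, and a scheme is reported only when the result is clean printable ASCII or binary with an embedded printable run, so the two real values on the slide decode while the random-looking ones are dropped. The regexes, the printable-run threshold and EMBEDDED_SAMPLE are my own choices for the demonstration.

```python
"""Base64/hex decoding pass over parameter values (slides 15-16).
Added example, not the author's script; sample values are constructed."""
import base64
import binascii
import re

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def ascii_runs(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes found inside data."""
    runs, current = [], bytearray()
    for byte in data + b"\x00":          # the trailing NUL flushes the last run
        if byte in PRINTABLE:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    return runs


def classify(data):
    """'ascii' if every byte is printable, 'embedded' if a run exists, else None."""
    if data and all(byte in PRINTABLE for byte in data):
        return "ascii"
    return "embedded" if ascii_runs(data) else None


def try_hex(value):
    """Bytes behind a hex string, or None if the value is not hex."""
    return bytes.fromhex(value) if HEX_RE.match(value) else None


def try_base64(value):
    """Bytes behind a base64 string (missing padding restored), or None."""
    if not BASE64_RE.match(value) or len(value) % 4 == 1:
        return None                      # a length of 4n+1 can never be base64
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except binascii.Error:
        return None


def decode_candidates(value):
    """Return {scheme: (kind, text or runs)} for every scheme that yields ASCII."""
    findings = {}
    for scheme, decoder in (("hex", try_hex), ("base64", try_base64)):
        data = decoder(value)
        kind = classify(data) if data is not None else None
        if kind == "ascii":
            findings[scheme] = (kind, data.decode("ascii"))
        elif kind == "embedded":
            findings[scheme] = (kind, ascii_runs(data))
    return findings


# Constructed binary blob with an embedded ASCII field, base64-encoded.
EMBEDDED_SAMPLE = base64.b64encode(b"\x80\x81\x82\x83user=lava\xff\xfe").decode()

if __name__ == "__main__":
    for v in ("bGF2YTo6c2VjcmV0MTIz", "646973636f756e743a323125",
              "z23sdE9sd9Asdk=awe", EMBEDDED_SAMPLE):
        print(v, "->", decode_candidates(v))
```

A hex string of the right length is also valid base64 alphabet, so both decoders run on it; the printable check is what keeps the wrong scheme out of the report. URL-safe base64 (`-` and `_` instead of `+` and `/`) is deliberately not accepted here; add a second alphabet if the application uses it.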
17. Check parameter values for Hashes
Make a list of parameter values that have the same format as MD5 & SHA hashes
Try cracking these hashes using a dictionary built from the other parameter values
You will know if any parameter value is linked to this hash
This helps you probe the connection further
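The hash-linking check from slide 17, as an added example (not the author's script): values shaped like an MD5, SHA-1 or SHA-256 hex digest are picked out, and every other observed value is hashed with the matching algorithm to see which one, if any, produced the digest. SAMPLE_VALUES is constructed; its two digests are computed in the block so the sample stays consistent.

```python
"""Link hash-shaped parameter values back to other parameter values (slide 17).
Added example, not the author's script; SAMPLE_VALUES is constructed."""
import hashlib
import re

HASH_SHAPES = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> algorithm
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def looks_like_hash(value):
    """Algorithm whose hex digest has this shape, or None."""
    return HASH_SHAPES.get(len(value)) if HEX_RE.match(value) else None


def find_hash_links(values):
    """Return {digest: (algorithm, source value)} for every hash-shaped value
    that some other observed value produces under the matching algorithm."""
    hashes = {}
    for value in values:
        algorithm = looks_like_hash(value)
        if algorithm:
            hashes[value.lower()] = algorithm
    # the dictionary is every value that is not itself hash-shaped
    dictionary = [v for v in values if v.lower() not in hashes]
    links = {}
    for digest, algorithm in hashes.items():
        for candidate in dictionary:
            if hashlib.new(algorithm, candidate.encode()).hexdigest() == digest:
                links[digest] = (algorithm, candidate)
                break
    return links


# Constructed parameter values; the two digests are computed here so that the
# sample is consistent (an id hashed with MD5, a username hashed with SHA-1).
SAMPLE_VALUES = [
    "en", "lava", "23944", "true", "s77eod",
    hashlib.md5(b"23944").hexdigest(),
    hashlib.sha1(b"lava").hexdigest(),
]

if __name__ == "__main__":
    for digest, (algorithm, source) in find_hash_links(SAMPLE_VALUES).items():
        print(f"{digest} = {algorithm}({source!r})")
```

A 32-character hex value can also be a GUID without dashes or a random token, so a shape match alone means nothing; only a link back to another parameter value is worth reporting. Applications sometimes hash a value with a static prefix or suffix, which this plain dictionary will not catch.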
18. CSRF token Analysis
Once you know the name of the CSRF token, check it against the list of parameter names
If any request contains the CSRF token in the query string then it’s a problem (similar to a Session ID in the URL)
http://test.site/action.php?create_user=test&token=JDK7kS02jso
If any POST request does not contain the CSRF token in the body then it is probably a problem. Investigate.
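The two CSRF token checks from slide 18, as an added example (not the author's script): requests arrive already split into method, path, query parameters and body parameters, which is the shape a parameter inventory produces, and the token name is the one the tester identified. SAMPLE_REQUESTS is constructed around the URL on the slide.

```python
"""CSRF token placement check (slide 18).
Added example, not the author's script. Requests arrive already parsed into
method, path, query parameters and body parameters; SAMPLE_REQUESTS is constructed."""


def csrf_findings(requests, token_name):
    """Return (method, path, issue) for requests whose token handling looks wrong."""
    findings = []
    for request in requests:
        if token_name in request.get("query", {}):
            # same class of problem as a session ID in the URL: the value ends
            # up in browser history, proxy logs and Referer headers
            findings.append((request["method"], request["path"],
                             "token sent in query string"))
        if request["method"] == "POST" and token_name not in request.get("body", {}):
            findings.append((request["method"], request["path"],
                             "POST without token in body"))
    return findings


# Constructed requests: the slide's GET with a token in the query, a POST that
# carries the token correctly, a POST that lacks it, and an unrelated GET.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/action.php",
     "query": {"create_user": "test", "token": "JDK7kS02jso"}, "body": {}},
    {"method": "POST", "path": "/change_pwd.php",
     "query": {}, "body": {"pwd": "s77eod", "token": "JDK7kS02jso"}},
    {"method": "POST", "path": "/update_email.php",
     "query": {}, "body": {"email": "lava@test.site"}},
    {"method": "GET", "path": "/profile.php", "query": {"lang": "en"}, "body": {}},
]

if __name__ == "__main__":
    for method, path, issue in csrf_findings(SAMPLE_REQUESTS, "token"):
        print(f"{method} {path}: {issue}")
```

A POST without a token is only "probably" a problem, as the slide says: a login form or a request guarded by a custom header instead of a body field will show up here too, so each hit still needs a look.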
19. Clickjacking through lack of Framebusting
Find out the JavaScript code that is used as a Framebuster to protect against Clickjacking
Check the JavaScript islands in all HTML pages for this Framebuster
List out all pages that don’t have it. These are probably vulnerable to Clickjacking. Investigate.
21. Cookies set/manipulated on the Client-side
Compare the key/values from the Set-Cookie response headers to the key/values in the Cookie request header
Any key/value in the Cookie header that is missing from the Set-Cookie headers has been set by JavaScript
Indicates data storage or possible logical decision making on the client-side. Investigate.
Eg:
Set-Cookie: discount=10%; path=/
Cookie: SessionId=oasow823djdlna33rfz; discount=13%
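The Set-Cookie versus Cookie comparison from slide 21, as an added example (not the author's script). It goes one step beyond the slide's wording: besides cookies the server never issued, it also reports cookies whose value in the request was never among the values the server set, which is exactly the `discount` case in the slide's example. The header samples are constructed around that example.

```python
"""Cookies that were set or changed on the client side (slide 21).
Added example, not the author's script; the header samples are constructed
around the values on the slide."""


def cookie_header_pairs(header):
    """{name: value} for a Cookie request header."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs[name] = value
    return pairs


def set_cookie_pair(header):
    """(name, value) of a Set-Cookie response header; attributes are dropped."""
    name, _, value = header.split(";", 1)[0].strip().partition("=")
    return name, value


def client_side_cookies(set_cookie_headers, cookie_headers):
    """Return {name: (reason, value)} for cookies the server never issued, or
    issued only with a different value than the one the client sent back."""
    issued = {}                                   # name -> every value the server set
    for header in set_cookie_headers:
        name, value = set_cookie_pair(header)
        issued.setdefault(name, set()).add(value)
    findings = {}
    for header in cookie_headers:
        for name, value in cookie_header_pairs(header).items():
            if name not in issued:
                findings[name] = ("never seen in Set-Cookie", value)
            elif value not in issued[name]:
                findings[name] = ("value not issued by server", value)
    return findings


# Constructed headers from one exchange, built around the slide's example.
SAMPLE_SET_COOKIE = ["discount=10%; path=/"]
SAMPLE_COOKIE = ["SessionId=oasow823djdlna33rfz; discount=13%"]

if __name__ == "__main__":
    for name, (reason, value) in client_side_cookies(SAMPLE_SET_COOKIE, SAMPLE_COOKIE).items():
        print(f"{name}={value}: {reason}")
```

"Never seen in Set-Cookie" has a second, boring explanation: the cookie was issued before the capture started (a session cookie from the login you did before turning on the proxy). Check that the log covers the login before reading that finding as JavaScript-set.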
22. Check for Reflections
Analyze all responses for reflection of any of the input parameters
If user input is reflected back in the response then it must be tested for Cross-site Scripting
This helps identify potential candidates for Stored Cross-site Scripting
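The two response-side checks, the framebuster scan from slide 19 and the reflection scan from slide 22, share a walk over the response log, so they are combined in one added example (not the author's script). The framebuster check looks for the snippet the tester identified inside the page's script islands and also accepts an X-Frame-Options header as protection, which the slide does not mention; the reflection check tags a value found in the same response as "reflected" and a value found in a later response as a stored XSS candidate. Log entries are dicts with path, params, lower-cased headers and body; SAMPLE_LOG and the FRAMEBUSTER snippet are constructed.

```python
"""Response-side passive checks: framebuster presence (slide 19) and input
reflection (slide 22). Added example, not the author's script. Each log entry
is {"path", "params": {name: value}, "headers": {lower-case name: value},
"body": text}; SAMPLE_LOG is constructed."""
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Gathers the contents of every <script> island in a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def script_text(html):
    """All inline JavaScript of a page, concatenated."""
    collector = ScriptCollector()
    collector.feed(html)
    return "".join(collector.scripts)


def pages_without_framebuster(log, signature):
    """Paths of HTML pages that carry neither the known framebuster snippet
    nor an X-Frame-Options header (the header protects a page as well)."""
    missing = []
    for entry in log:
        headers = entry["headers"]
        if "text/html" not in headers.get("content-type", ""):
            continue
        if signature in script_text(entry["body"]) or "x-frame-options" in headers:
            continue
        missing.append(entry["path"])
    return missing


def find_reflections(log, min_len=4):
    """(sent in, name, value, seen in, kind) for every parameter value that
    reappears in a response body. 'reflected' = same exchange; 'stored?' = a
    later response (stored XSS candidate); 'pre-existing' = an earlier one."""
    hits = []
    for i, sender in enumerate(log):
        for name, value in sender["params"].items():
            if len(value) < min_len:          # short values match by accident
                continue
            for j, receiver in enumerate(log):
                if value in receiver["body"]:
                    kind = "reflected" if i == j else ("stored?" if j > i else "pre-existing")
                    hits.append((sender["path"], name, value, receiver["path"], kind))
    return hits


# Constructed log: a search page with the framebuster, a comment POST whose
# response lacks both protections, a listing page guarded by the header, an image.
FRAMEBUSTER = "if (top != self) top.location = self.location;"
SAMPLE_LOG = [
    {"path": "/search.php", "params": {"q": "lavakumar"},
     "headers": {"content-type": "text/html"},
     "body": f"<html><script>{FRAMEBUSTER}</script>Results for lavakumar</html>"},
    {"path": "/comment.php", "params": {"text": "hello world<b>"},
     "headers": {"content-type": "text/html"},
     "body": "<html>Comment saved.</html>"},
    {"path": "/comments.php", "params": {},
     "headers": {"content-type": "text/html", "x-frame-options": "DENY"},
     "body": "<html><ul><li>hello world<b></li></ul></html>"},
    {"path": "/logo.png", "params": {}, "headers": {"content-type": "image/png"}, "body": "PNG"},
]

if __name__ == "__main__":
    print("no framebuster:", pages_without_framebuster(SAMPLE_LOG, "top.location"))
    for hit in find_reflections(SAMPLE_LOG):
        print("reflection:", hit)
```

A "stored?" hit is only a candidate: the same word may legitimately appear on a later page, which is why `min_len` drops values like `en` or `true` and why the hit lists both the sending and the receiving path for manual review.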
23. Closing notes
These are only indications; what you can do is limited only by your imagination
A Python script that automates all the discussed techniques will be made available at https://github.com/lavakumar before the end of this month
This script will soon be turned into an IronWASP module with a GUI
Thank You!
24. Subscribe mailing list
www.owasp.in
Keep up to date!