Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
Malik Mesellem
Defense Needed, Superbees Wanted
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Contact Me
 Malik Mesellem
Email | malik@itsecgames.com
Link...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP & bee-box
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP & bee-box
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Defense Needed
 Web application security is today's most ove...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Defense Needed
 Why are web applications an attractive targe...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Defense Needed
 Why are web applications an attractive targe...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
DEFENSE
is needed !
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP & bee-box
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP == defense
 bWAPP, or a buggy Web APPlication
 Delibe...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP == defense
 Web application security is not just insta...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Testimonials
Awesome! It's good to see fantastic tool...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Architecture
 Open source PHP application
 Backend ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Features (1)
 Very easy to use and to understand
 W...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Features (2)
 Local PHP settings file
 No-authentic...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 What makes bWAPP so unique?
 Well, it has over 70 we...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Which bug do you want to hack today? (1)
 SQL, HTML,...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Which bug do you want to hack today? (2)
 Configurat...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Which bug do you want to hack today? (3)
 Cross-Site...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Which bug do you want to hack today?
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 External links
 Home page - www.itsecgames.com
 Dow...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
 Every bee needs a home… the bee-box
 VM pre-instal...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
 bee-box is also made deliberately insecure…
 Oppor...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
 Features (1)
 Apache, MySQL and PHP installed
 Se...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
 Features (2)
 Weak self-signed SSL certificate
 ‘...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP & bee-box
 Ready, set, and hack!
 Only one thing to r...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee/bug
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP & bee-box
 Ready, set, and hack!
 Only one thing to r...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP & bee-box
 Installation and configuration
 Install VM...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP & bee-box
 A.I.M. mode
 Authentication Is Missing, a ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP & bee-box
 General application settings
 settings.php...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP & bee-box
 Settings
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP & bee-box
 Worst-case-scenario-options
 Reset the app...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Finally… time for a
DEMO
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP & bee-box
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Penetration Testing
 Penetration testing, or pentesting
 Me...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Web App Penetration Testing
 Web application pentesting is f...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Web App Penetration Testing
 It’s all about identifying, exp...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Testing Methodologies
 A simple testing methodology
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Testing Methodologies
 A more advanced testing methodology
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP, or Open Web Application Security Project
 Wor...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 Current OWASP Projects
 Top 10 Project and Testing G...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP Top 10 Project, lists the 10 most severe web
ap...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP Top 10 Application Security Risks
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP Top 10 placement
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP Top 10 placement
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Introduction to Kali Linux
 Kali Linux is a Debian-derived L...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Introduction to Kali Linux
 Includes many web app pentesting...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Intercepting Proxies
 Intercepting proxies are testing tools...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Intercepting Proxies
 ZAP, Zed Attack Proxy
 OWASP project,...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Intercepting Proxies
 ZAP, Zed Attack Proxy
 Functionalitie...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Intercepting Proxies
 ZAP, Zed Attack Proxy
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 ZAP, Zed Attack Proxy
 Parameter/cookie tampering
 O...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Commercial Web Scanners
 Netsparker
 Automated ‘false posit...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Commercial Web Scanners
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Commercial Web Scanners
 Netsparker
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Ready to
Exploit
some bugs?
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP & bee-box
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Hungry Evil Bees
 Hacking, Defacing and Exploiting
 SQL Inj...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 SQL injection is very common in web applicati...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 Injection in the OWASP Top 10
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 Normal operation
DATABASE
SQL interpreter
WEB...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
DATABASE
SQL interpreter
WEB APP
HTML | SQL
BROWSER
HTML (GET...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 Simple injections
 '--
 ' or 'a'='a
 ' or ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 Union injections
 ' UNION SELECT field1, fie...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 SQL Injection
 Bypassing login forms
 Manually extra...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Cross-Site Scripting
 Cross-Site Scripting, or XSS, occurs w...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Cross-Site Scripting
 Types of XSS flaws
 Reflected XSS
 S...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Cross-Site Scripting
 XSS in the OWASP Top 10
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 Cross-Site Scripting
 Detecting XSS
 Phishing & sess...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Denial-of-Service
 Denial-of-Service attack, or DoS attack
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Denial-of-Service
 Newer layer 7 DoS attacks are more powerf...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Denial-of-Service
 Layer 7 DoS methods
 HTTP Slow Headers
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 Denial-of-Service
 HTTP Slow POST
 XML Bomb
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Web Shells
 Web shells are malicious web pages that provide ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Web Shells
 External attack vectors
 (Blind) SQL Injection
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 Web Shell
 Web shell creation
 Remote shell access
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP & bee-box
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Superbees Wanted
 Hi little bees, during this talk we
 Defa...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
 And we have so much more bugs to exploit…
 It’s definitely...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Contact Me
 Malik Mesellem
Email | malik@itsecgames.com
Link...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Cheat Sheet
 Hi little bees… we have a cheat sheet for you
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Need a Training?
 Attacking & Defending Web Apps with bWAPP
...
Upcoming SlideShare
Loading in …5
×

SANS 2014 - Superbees Wanted

1,374 views

Published on

Event: SANS 2014
Topic: Superbees Wanted
Location: Orlando, Florida (US)
Organizer: SANS

Published in: Technology
  • Be the first to comment

  • Be the first to like this

SANS 2014 - Superbees Wanted

  1. 1. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP? Malik Mesellem Defense Needed, Superbees Wanted
  2. 2. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
  3. 3. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
  4. 4. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
  5. 5. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
  6. 6. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Contact Me  Malik Mesellem Email | malik@itsecgames.com LinkedIn | be.linkedin.com/in/malikmesellem Twitter | twitter.com/MME_IT Blog | itsecgames.blogspot.com
  7. 7. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP & bee-box  Web App Pentesting  Hungry Evil Bees  Superbees Wanted
  8. 8. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP & bee-box  Web App Pentesting  Hungry Evil Bees  Superbees Wanted
  9. 9. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Defense Needed  Web application security is today's most overlooked aspect of securing the enterprise  Hackers are concentrating their efforts on websites and web applications  Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
  10. 10. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Defense Needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  11. 11. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Defense Needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  12. 12. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. DEFENSE is needed !
  13. 13. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP & bee-box  Web App Pentesting  Hungry Evil Bees  Superbees Wanted
  14. 14. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP == defense  bWAPP, or a buggy Web APPlication  Deliberately insecure web application, includes all major known web vulnerabilities  Helps security enthusiasts, developers and students to discover and to prevent issues  Prepares one for successful penetration testing and ethical hacking projects
  15. 15. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP == defense  Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues  Black-box penetration testing, simulating real attack scenarios, is still needed!  Confirms potential vulnerabilities, and excludes false positives  Guarantees that your defense measures are working effectively  bWAPP helps to improve your security-testing skills…
  16. 16. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
  17. 17. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Testimonials Awesome! It's good to see fantastic tools staying up to date ... - Ed Skoudis Founder of Counter Hack I just installed bWAPP 1.6 into the next release of SamuraiWTF ... Its a great app ... - Justin Searle Managing Partner at UtiliSec Great progress on bWAPP BTW! :) - Vivek Ramachandran Owner of SecurityTube
  18. 18. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Architecture  Open source PHP application  Backend MySQL database  Hosted on Linux/Windows Apache/IIS  Supported on WAMP or XAMPP
  19. 19. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Features (1)  Very easy to use and to understand  Well structured and documented PHP code  Different security levels (low/medium/high)  ‘New user’ creation (password/secret)  ‘Reset application/database’ feature  Manual intervention page  Email functionalities
  20. 20. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Features (2)  Local PHP settings file  No-authentication mode (A.I.M.)  ‘Evil Bee’ mode, bypassing security checks  ‘Evil’ directory, including attack scripts  WSDL file (Web Services/SOAP)  Fuzzing possibilities
  21. 21. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  What makes bWAPP so unique?  Well, it has over 70 web bugs  Covering all major known web vulnerabilities  Including all risks from the OWASP Top 10 project  Focus is not on one specific issue!
  22. 22. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Which bug do you want to hack today? (1)  SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections  Authentication, authorization and session management issues  Malicious, unrestricted file uploads and backdoor files  Arbitrary file access and directory traversals  PHP-CGI remote code execution  Local and remote file inclusions (LFI/RFI)  Server Side Request Forgery (SSRF)
  23. 23. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Which bug do you want to hack today? (2)  Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, WebDAV, information disclosures,...  HTTP parameter pollution and HTTP response splitting  XML External Entity attacks (XXE)  HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues  Unvalidated redirects and forwards  Denial-of-Service (DoS) attacks
  24. 24. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Which bug do you want to hack today? (3)  Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)  AJAX and Web Services issues (JSON/XML/SOAP)  Parameter tampering and cookie poisoning  HTTP verb tampering  Local privilege escalation  And much more 
  25. 25. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Which bug do you want to hack today?
  26. 26. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP
  27. 27. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  External links  Home page - www.itsecgames.com  Download location - sourceforge.net/projects/bwapp  Blog - itsecgames.blogspot.com
  28. 28. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box  Every bee needs a home… the bee-box  VM pre-installed with bWAPP  LAMP environment: Linux, Apache, MySQL and PHP  Compatible with VMware and VirtualBox  Requires zero installation
  29. 29. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box  bee-box is also made deliberately insecure…  Opportunity to explore all bWAPP vulnerabilities  Gives you several ways to hack and deface bWAPP  Even possible to hack the bee-box to get full root access!  Hacking, defacing and exploiting without going to jail  You can download bee-box from here
  30. 30. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box
  31. 31. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box  Features (1)  Apache, MySQL and PHP installed  Several PHP extensions installed  Vulnerable PHP-CGI  phpMyAdmin installed  Postfix installed and configured  Insecure FTP and WebDAV configurations  AppArmor disabled
  32. 32. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box  Features (2)  Weak self-signed SSL certificate  ‘Fine-tuned’ file access permissions  .htaccess files support enabled  Some basic security tools installed  Shortcuts to start, install and update bWAPP  An amazing wallpaper   An outdated Linux kernel…
  33. 33. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP & bee-box  Ready, set, and hack!  Only one thing to remember  The logon credentials are…
  34. 34. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee/bug
  35. 35. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP & bee-box  Ready, set, and hack!  Only one thing to remember  The logon credentials are bee/bug  So please don’t bug me anymore…
  36. 36. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP & bee-box  Installation and configuration  Install VMware Player or Oracle VirtualBox  Extract, install, and start the bee-box VM  Configure or check the IP settings  Browse to the bWAPP web app  http://[IP]/bWAPP/  Login with bee/bug
  37. 37. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP & bee-box  A.I.M. mode  Authentication Is Missing, a no-authentication mode  May be used for testing web scanners and crawlers  Procedure  Change the IP address in the settings file  Point your web scanner or crawler to http://[IP]/bWAPP/aim.php  All hell breaks loose…
  38. 38. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP & bee-box  General application settings  settings.php, located under the bWAPP admin folder  Connection settings  SMTP settings  A.I.M. mode  Evil bee mode  Static credentials
  39. 39. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP & bee-box  Settings
  40. 40. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP & bee-box  Worst-case-scenario-options  Reset the application  http://[IP]/bWAPP/reset.php  Reset the application + database  http://[IP]/bWAPP/reset.php?secret=bWAPP  Reinstall the database  Drop the database from phpMyAdmin  http://[IP]/bWAPP/install.php
  41. 41. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Finally… time for a DEMO
  42. 42. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo
  43. 43. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP & bee-box  Web App Pentesting  Hungry Evil Bees  Superbees Wanted
  44. 44. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Penetration Testing  Penetration testing, or pentesting  Method of evaluating computer, network or application security by simulating an attack  Active analysis of potential vulnerabilities by using ethical hacking techniques  Penetration tests are sometimes a component of a full security audit
  45. 45. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Web App Penetration Testing  Web application pentesting is focusing on evaluating the security of a web application  Application is tested for known web vulnerabilities  Manual, automatic and semi-automatic tests  Source code analysis and web server configuration review as an option
  46. 46. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Web App Penetration Testing  It’s all about identifying, exploiting, and reporting vulnerabilities  Some considerations…  Commercial tools vs. open source tools  Not a best practice to use only one tool  Most commercial scanners don’t exploit  False positives are not allowed!  People don’t like auto-generated reports
  47. 47. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Testing Methodologies  A simple testing methodology
  48. 48. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Testing Methodologies  A more advanced testing methodology
  49. 49. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP, or Open Web Application Security Project  Worldwide non-profit organization focused on improving the security of software  Freely-available articles, methodologies, documentation, tools, and technologies  Vendor neutral, no recommendations for commercial products or services!
  50. 50. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  Current OWASP Projects  Top 10 Project and Testing Guide  Development and Code Review Guide  Application Security Verification Standard  Broken Web Applications (BWA)  Zed Attack Proxy (ZAP)
  51. 51. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP Top 10 Project, lists the 10 most severe web application security risks  Constantly updated, latest version released in 2013  Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS  Good starting point for a web application pentest  What to test? How to test? How to prevent?
  52. 52. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP Top 10 Application Security Risks
  53. 53. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP Top 10 placement
  54. 54. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP Top 10 placement
  55. 55. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Introduction to Kali Linux  Kali Linux is a Debian-derived Linux distribution  Designed for digital forensics and penetration testing  Formerly known as BackTrack  Maintained and funded by Offensive Security  Support for x86 and ARM
  56. 56. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Introduction to Kali Linux  Includes many web app pentesting tools  Burp Suite  DirBuster  Metasploit  Nikto  sqlmap  w3af  WebSploit  ZAP
  57. 57. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Intercepting Proxies  Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)  Located between the browser and the web application  Ability to intercept and to modify requests/responses  Provide a historical record of all requests  Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories
  58. 58. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Intercepting Proxies  ZAP, Zed Attack Proxy  OWASP project, by Simon Bennetts  Java application, released in September 2010  Fork of the Paros intercepting proxy  Pentesting tool for finding vulnerabilities  Provides automated scanning, as well as a set of tools to find security vulnerabilities manually
  59. 59. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Intercepting Proxies  ZAP, Zed Attack Proxy  Functionalities  Intercepting proxy, listening on TCP/8080  Traditional and AJAX spider  Automated and passive scanner  Fuzzing and brute force capabilities  Smartcard and client certificate support  Authentication and session support
  60. 60. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Intercepting Proxies  ZAP, Zed Attack Proxy
  61. 61. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  ZAP, Zed Attack Proxy  Parameter/cookie tampering  Online password attack  Vulnerability detection
  62. 62. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Commercial Web Scanners  Netsparker  Automated ‘false positive free’ web security scanner  Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)  Automatically exploits detected vulnerabilities to ensure no false positives are reported  Free ‘Community Edition’ available!
  63. 63. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Commercial Web Scanners
  64. 64. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Commercial Web Scanners  Netsparker
  65. 65. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Ready to Exploit some bugs?
  66. 66. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP & bee-box  Web App Pentesting  Hungry Evil Bees  Superbees Wanted
  67. 67. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Hungry Evil Bees  Hacking, Defacing and Exploiting  SQL Injection  Cross-Site Scripting (XSS)  Client-side Attacks  Denial-of-Service (DoS)  Unrestricted File Uploads  Local Privilege Escalation
  68. 68. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  SQL injection is very common in web applications  Occurs when user input is sent to a SQL interpreter as part of a query  The attacker tricks the interpreter into executing unintended SQL queries
  69. 69. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  Injection in the OWASP Top 10
  70. 70. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  Normal operation DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login password SELECT * FROM table WHERE login = ‘login’ AND password = ‘password’ result HTML SQL
  71. 71. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login ’ or 1=1-- SELECT * FROM table WHERE login = ‘login’ AND password = ‘’ or 1=1-- ’ result HTML SQL SQL Injection  Abnormal operation
  72. 72. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  Simple injections  '--  ' or 'a'='a  ' or 'a'='a'--  ' or '1'='1  ' or 1=1--
  73. 73. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  Union injections  ' UNION SELECT field1, field2 FROM table--  ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--  Stacked queries  '; DROP TABLE table;--
  74. 74. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection
  75. 75. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  SQL Injection  Bypassing login forms  Manually extracting data  Automated SQL injection  Website defacement
  76. 76. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Cross-Site Scripting  Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application  Insufficient validation of user-supplied data  Dangerous when it is stored permanently!  XSS can lead to  Website defacements  Phishing / session hijacking  Client-side exploitation
  77. 77. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Cross-Site Scripting  Types of XSS flaws  Reflected XSS  Stored XSS
  78. 78. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Cross-Site Scripting  XSS in the OWASP Top 10
  79. 79. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  Cross-Site Scripting  Detecting XSS  Phishing & session hijacking  Client-side exploitation
  80. 80. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Denial-of-Service  Denial-of-Service attack, or DoS attack  An attacker attempts to prevent legitimate users from accessing the application, server or network  Consumes network bandwidth, server sockets, threads, or CPU resources  Distributed Denial-of-Service attack, or DDoS  Popular techniques used by hacktivists
  81. 81. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Denial-of-Service  Newer layer 7 DoS attacks are more powerful!  “Low-bandwidth application layer DoS”  Advantages of layer 7 DoS  Legitimate TCP/UDP connections, difficult to differentiate from normal traffic  Requires lesser number of connections, possibility to stop a web server from a single attack  Reach resource limits of services, regardless of the hardware capabilities of the server
  82. 82. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Denial-of-Service  Layer 7 DoS methods  HTTP Slow Headers  HTTP Slow POST  HTTP Slow Reading  Apache Range Header  SSL/TLS Renegotiation  XML Bombs
  83. 83. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  Denial-of-Service  HTTP Slow POST  XML Bomb
  84. 84. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Web Shells  Web shells are malicious web pages that provide an attacker functionality on a web server  Making use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl,...  Web shell functionalities  File transfers  Command execution  Network reconnaissance  Database connectivity
  85. 85. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Web Shells  External attack vectors  (Blind) SQL Injection  OS Command Injection  Remote File Inclusion  Unrestricted File Upload  Insecure FTP, WebDAV,…
  86. 86. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  Web Shell  Web shell creation  Remote shell access  Escalating privileges...  Getting root access!
  87. 87. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP & bee-box  Web App Pentesting  Hungry Evil Bees  Superbees Wanted
  88. 88. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Superbees Wanted  Hi little bees, during this talk we  Defaced our website  Compromised the server  Compromised a client  Made the server unreachable  Hijacked a session  Stole credentials…
  89. 89. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.  And we have so much more bugs to exploit…  It’s definitely time to improve your web security  Defense is needed, and testing is required!  Downloading bWAPP is a first start  Remember: every bee needs a superbee  Are you that superbee? Superbees Wanted @MME_IT #bWAPP
  90. 90. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Contact Me  Malik Mesellem Email | malik@itsecgames.com LinkedIn | be.linkedin.com/in/malikmesellem Twitter | twitter.com/MME_IT Blog | itsecgames.blogspot.com
  91. 91. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Cheat Sheet  Hi little bees… we have a cheat sheet for you  Containing all bWAPP solutions  Follow us on Twitter, and ask for our cheat sheet  You will definitely become a superbee! @MME_IT #bWAPP
  92. 92. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Need a Training?  Attacking & Defending Web Apps with bWAPP  2-day comprehensive web security course  Focus on attack and defense techniques!  More info: http://goo.gl/ASuPa1 (pdf)

×