[Russia] Bugs -> max, time <= T

OWASP EEE
OWASP EEEOWASP
Bugs -> max Time <= T Omar Ganiev 11/10/2015
Hi! • I’m Beched • I do application security assessment and penetration testing at IncSecurity • Also I compete as RDot.Org independent team member
Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
The problem Common situations where the problem of rapid testing of web application arises: • Pentesting a huge scope full of web apps. You have a couple of weeks to analyse and pwn them • The similar case – bug bounty. You want to collect (low) hanging fruits faster than others • Customer asks about the costs of your work. You want to estimate the cost by looking at web app for 5 minutes • Competition (Capture The Flag). You want to pwn the tasks quickly to focus on others and to get extra points
The solution • Prioritizing • Parallelizing • Automation • Guessing • Heuristics • ??? • PROFIT • That’s it?
Manual testing • Tons of articles and books are written about testing methodology (including OWASP Testing Guide) • Manual testing includes application logic analysis along with fuzzing • Manual testing is more careful (no or 1=1 in DROP-queries, etc)
Manual testing • You can capture low hanging fruits in <= T time manually, but not in N applications • Generally automated scanning surely sucks • But anyway we’ll focus on improving tools rather than hands =)
Semi-automated testing • NMap, Burp Suite, Recon-NG, CMSMap, RAFT, etc… • The tools are cool and save time, but still, you need to do a lot by hands, and the combination of such tools is poorly scalable
Automated testing • Most of pentesters write their own specialized tools for automated pentesting • Generally It is rather complex task with a bit of rocket science • There’re a lot of problems like rich application crawling or natural language processing (your program actually needs to read human language to understand the application)
Automated testing • There’re two main variables for measuring complexity (speed) of the testing methodology: time (depends on CPU & memory usage) and number of network requests • They correlate, and time can be decreased by technical measures • This is coverage vs requests count trade-of • Bugs -> max; time <= T; requests <= Q • We’ll mainly focus on the second parameter
Automated testing • Let’s take a look at some tips’n’tricks useful for pentesting toolkit • We’ll observe technical and algorithmic ways to decrease testing time and number of network requests
Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
Technical view • Well-known things first • HTTP speed-up: Keep-Alive & HEAD • HEAD method can be used for directory listing and any other checks, which only need response headers (length- or time-based payloads, response splitting, etc) • Keep-Alive is always useful, decreases number of connections and hanshakes and hence the server load
Technical view • Trivial paths first • Why crawling the whole site, if there’re sitemap.xml, robots.txt and Google dorks? • Why scanning the whole site, when you can detect a CMS and version and check for vulns in database? • Why fuzzing a login form a lot, when you can hit top passwords?
Technical view • Scaling • Threading and horizontal scaling increase the speed very much, hence they can provide better covering (if we limit time, but not requests) • Recent example of distributed scanning platform is https://github.com/yahoo/gryffin/ written in Go
Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
Algorithmic view • Algorithmic view is quite interesting. How can we increase the number of fuzzed points and checked vulnerabilities without increasing requests count? • Let’s remember the problems we face while conducting (semi-)manual testing
Algorithmic view • Ever seen such? • How do you process it manually? • URL patterns, similar pages
Algorithmic view • Already mentiond Gryffin project by Yahoo uses quite a handy algorithm – Simhash • Take a look: http://www.wwwconference.org/www2007/papers/pape r215.pdf • If we build a Simhash-index of pages, we can skip duplicates, saving a lot of time • Possibly it’s better to take into account not only response body, but response status, headers, parameters, etc
Algorithmic view • How to gather input points (GET, POST, Cookie, headers, …)? • Classical way: automate browser (PhantomJS) and crawl the website, process each request • Quick way: • Parse forms, parse links with query strings, parse XHR parameters from JS
Algorithmic view • How to gather unknown input points? • Brute force • Quick: Iterative binary search • Collect a list of common parameter names, hit them all in query string at once and check page for changes, then perform dichotomy
Algorithmic view • How to fuzz input points? • Long way: take a big list of fuzzing strings and fuzz each parameter • Quick way: construct polyglot payloads and check for a bunch of vulns at once • Take a look: http://www.slideshare.net/MathiasKarlsson2/p olyglot-payloads-in-practice-by-avlidienbrun n-at-hackpra
Algorithmic view • Polyglot payloads can be constructed because of ignored contexts (such as comments) in diferent languages • Example of polyglot string: <tagxss> %0dresponse:splitting'"attributexss • Null-byte or backslash should be placed last • Time-based for (Postgre|My)SQL-injection: '/*! +sleep(10)*/+n1#(select 2 from (select pg_sleep(10))x)n+'
Algorithmic view • Ok, what do we actually do, when we look at web app by eyes? • We estimate “hackableness” of app or page and then think how can we hack it • Why not automate thinking? %)
Algorithmic view • The thinking flow is like this: “Hm… It’s enterprise .NET site with a single login form. Probably not that hackable … Hm… It’s default WordPress installation without plugins and custom themes. Probably not hackable … Hm… It’s shitty custom PHP engine with a lot of forms and input parameters. Instantly hackable! 8) “
Algorithmic view • What makes us think one or another way? Let’s point out some of features: Platform (PHP, ASP, Ruby, …) Server (Apache, Nginx, IIS, …) Engine (WordPress, Django, RoR, …) Queries (count parameters in links on main page) Scripts (number of script tags on main page) Inputs (number of input tags on main page) SSL (if the site works with HTTPS or not)
Algorithmic view • The simpliest vulnerable-vs-secure classifier ever: if PHP: vulnerable = True else: vulnerable = False • Ok, just kidding =)
Algorithmic view Machine learning FTW!
Algorithmic view
Algorithmic view • Today before the talk I scanned about a thousand sites and built this decision tree on obtained data • Actual classifier is a bit bigger than simpliest, but yet the common sense is preserved %) • If the main page is PHP-script, there’re at least 4 GET-parameters in the links on it, and there’s at least one script tag, then site is probably vulnerable =)
Algorithmic view • Ok, this is about cost estimation, but how can this help us to scan the site? • Ever seen this?
Algorithmic view • Let’s calculate more features for each page and build priority queue during scan • If you do it right, /favicon.ico will be scanned last, and /admin.php will be scanned first
Algorithmic view • Which features can we calculate? • Dynamic/static page: detected platform (dynamic language vs none), content-type (html vs static), extension • Response status: OK vs Forbidden vs Redirect vs Not Found vs … • A bit of NLP: if the path contains important words like admin, password, login, etc
Algorithmic view
Algorithmic view • Lower priority() – higher priority:
Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
Whitebox • Static code analysis is a lot more rocket science thing, than blackbox testing • Modern enterprise static code analysis systems are big and still not enough good (some of them still not better than grep) • They may have nice ads with samples, but ads- samples can probably be constructed by hand ;)
Whitebox • Most pentesters have their own dirty hacks and regexps for finding the vulns • I also use a simple grep wrapper, which allows to spot out security bottlenecks and obvious bugs in no time • Especially useful during CTF, when the source code is not that big • If integrated with IDE, can be rather cool semi-manual analyser
Whitebox • Collect a list of dangerous sinks for various languages • Take a pattern for variable (like $.* in PHP) • Take a list of securing functions • Generate regexps with negative lookahead, which will search for patterns like this: danger_func(…not_a_securing_func(…$var
Whitebox • Get the result like this • Parse it into any IDE and analyse traces
Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
Summary • Application testing can be made faster in many ways • Some of ways are achievable during manual assessment, some of them are not • We can build fast and scalable web application scanner for this • It will traverse pwning paths graph in an efficient way and halt after hitting the requests limit
Results • Some of reviewed techniques are already implemented in reps on my GitHub (libpywebhack repository not updated for years): https://github.com/beched • It will be updated as soon as I finish debugging PoC scripts
Questions? beched@incsecurity.ru
1 of 44

[Russia] Bugs -> max, time &lt;= T

Download to read offline
Internet

Bugs -> max, time &lt;= T. Omar Ganiev

OWASP EEE
OWASP EEEOWASP

Recommended

CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting by
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
210 views101 slides
Json Rpc Proxy Generation With Php by
Json Rpc Proxy Generation With PhpJson Rpc Proxy Generation With Php
Json Rpc Proxy Generation With Phpthinkphp
1.9K views61 slides
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3) by
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)Sam Bowne
678 views56 slides
CNIT 129S: Ch 4: Mapping the Application by
CNIT 129S: Ch 4: Mapping the ApplicationCNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationSam Bowne
1.7K views82 slides
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2) by
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
692 views46 slides
CNIT 129S: Ch 7: Attacking Session Management by
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
1.1K views128 slides

More Related Content

What's hot

Security Code Review 101 by
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
1.7K views69 slides
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2) by
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
859 views41 slides
CNIT 129S: Securing Web Applications Ch 1-2 by
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
2K views55 slides
BSidesJXN 2017 - Improving Vulnerability Management by
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
462 views28 slides
CNIT 129S: Ch 5: Bypassing Client-Side Controls by
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne
2.2K views94 slides
Introduction to django by
Introduction to djangoIntroduction to django
Introduction to djangoVlad Voskoboynik
340 views29 slides

What's hot(20)

Security Code Review 101 by Paul Ionescu
Security Code Review 101Security Code Review 101
Security Code Review 101
Paul Ionescu1.7K views
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2) by Sam Bowne
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
Sam Bowne859 views
CNIT 129S: Securing Web Applications Ch 1-2 by Sam Bowne
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne2K views
BSidesJXN 2017 - Improving Vulnerability Management by Andrew McNicol
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
Andrew McNicol462 views
CNIT 129S: Ch 5: Bypassing Client-Side Controls by Sam Bowne
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side Controls
Sam Bowne2.2K views
Introduction to django by Vlad Voskoboynik
Introduction to djangoIntroduction to django
Introduction to django
Vlad Voskoboynik340 views
Php Debugging from the Trenches by Simon Jones
Php Debugging from the TrenchesPhp Debugging from the Trenches
Php Debugging from the Trenches
Simon Jones3.5K views
REST Api Tips and Tricks by Maksym Bruner
REST Api Tips and TricksREST Api Tips and Tricks
REST Api Tips and Tricks
Maksym Bruner444 views
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2) by Sam Bowne
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
Sam Bowne945 views
DIR ISF - Email keeps getting us pwned v1.1 by Michael Gough
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough846 views
CNIT 129S: Ch 6: Attacking Authentication by Sam Bowne
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking Authentication
Sam Bowne1.2K views
CNIT 129S: 10: Attacking Back-End Components by Sam Bowne
CNIT 129S: 10: Attacking Back-End ComponentsCNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End Components
Sam Bowne1.5K views
9: OllyDbg by Sam Bowne
9: OllyDbg9: OllyDbg
9: OllyDbg
Sam Bowne389 views
Hibernate performance tuning by Mikalai Alimenkou
Hibernate performance tuningHibernate performance tuning
Hibernate performance tuning
Mikalai Alimenkou6.1K views
3. Security Engineering by Sam Bowne
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne950 views
CNIT 129S Ch 4: Mapping the Application by Sam Bowne
CNIT 129S Ch 4: Mapping the ApplicationCNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the Application
Sam Bowne297 views
Introduction to shodan by n|u - The Open Security Community
Introduction to shodanIntroduction to shodan
Introduction to shodan
n|u - The Open Security Community573 views
Preventing Complexity in Game Programming by Yaser Zhian
Preventing Complexity in Game ProgrammingPreventing Complexity in Game Programming
Preventing Complexity in Game Programming
Yaser Zhian698 views
Email keeps getting us pwned v1.1 by Michael Gough
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
Michael Gough1.3K views
padding oracle attack by Satish b
padding oracle attackpadding oracle attack
padding oracle attack
Satish b16.1K views

Similar to [Russia] Bugs -> max, time &lt;= T

Practical automation for beginners by
Practical automation for beginnersPractical automation for beginners
Practical automation for beginnersSeoweon Yoo
2.7K views22 slides
5 Common Mistakes You are Making on your Website by
5 Common Mistakes You are Making on your Website 5 Common Mistakes You are Making on your Website
5 Common Mistakes You are Making on your WebsiteAcquia
1.9K views39 slides
Best practices-wordpress-enterprise by
Best practices-wordpress-enterpriseBest practices-wordpress-enterprise
Best practices-wordpress-enterpriseTaylor Lovett
680 views59 slides
Best Practices for WordPress in Enterprise by
Best Practices for WordPress in EnterpriseBest Practices for WordPress in Enterprise
Best Practices for WordPress in EnterpriseTaylor Lovett
10.8K views59 slides
Security in CI/CD Pipelines: Tips for DevOps Engineers by
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com
1.9K views33 slides
Code for Startup MVP (Ruby on Rails) Session 1 by
Code for Startup MVP (Ruby on Rails) Session 1Code for Startup MVP (Ruby on Rails) Session 1
Code for Startup MVP (Ruby on Rails) Session 1Henry S
5.9K views57 slides

Similar to [Russia] Bugs -> max, time &lt;= T(20)

Practical automation for beginners by Seoweon Yoo
Practical automation for beginnersPractical automation for beginners
Practical automation for beginners
Seoweon Yoo2.7K views
5 Common Mistakes You are Making on your Website by Acquia
5 Common Mistakes You are Making on your Website 5 Common Mistakes You are Making on your Website
5 Common Mistakes You are Making on your Website
Acquia1.9K views
Best practices-wordpress-enterprise by Taylor Lovett
Best practices-wordpress-enterpriseBest practices-wordpress-enterprise
Best practices-wordpress-enterprise
Taylor Lovett680 views
Best Practices for WordPress in Enterprise by Taylor Lovett
Best Practices for WordPress in EnterpriseBest Practices for WordPress in Enterprise
Best Practices for WordPress in Enterprise
Taylor Lovett10.8K views
Security in CI/CD Pipelines: Tips for DevOps Engineers by DevOps.com
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com1.9K views
Code for Startup MVP (Ruby on Rails) Session 1 by Henry S
Code for Startup MVP (Ruby on Rails) Session 1Code for Startup MVP (Ruby on Rails) Session 1
Code for Startup MVP (Ruby on Rails) Session 1
Henry S5.9K views
Profiling and Tuning a Web Application - The Dirty Details by Achievers Tech
Profiling and Tuning a Web Application - The Dirty DetailsProfiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty Details
Achievers Tech8K views
Introduction to Penetration Testing by Andrew McNicol
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
Andrew McNicol10.4K views
Scraping the web with Laravel, Dusk, Docker, and PHP by Paul Redmond
Scraping the web with Laravel, Dusk, Docker, and PHPScraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHP
Paul Redmond7.8K views
Improving your team’s source code searching capabilities by Nikos Katirtzis
Improving your team’s source code searching capabilitiesImproving your team’s source code searching capabilities
Improving your team’s source code searching capabilities
Nikos Katirtzis510 views
Improving your team's source code searching capabilities - Voxxed Thessalonik... by Nikos Katirtzis
Improving your team's source code searching capabilities - Voxxed Thessalonik...Improving your team's source code searching capabilities - Voxxed Thessalonik...
Improving your team's source code searching capabilities - Voxxed Thessalonik...
Nikos Katirtzis52 views
What-is-Laravel-23-August-2017.pptx by AbhijeetKumar456867
What-is-Laravel-23-August-2017.pptxWhat-is-Laravel-23-August-2017.pptx
What-is-Laravel-23-August-2017.pptx
AbhijeetKumar45686795 views
Case study by karan saini
Case studyCase study
Case study
karan saini8 views
How to Do a Performance Audit of Your .NET Website by DNN
How to Do a Performance Audit of Your .NET WebsiteHow to Do a Performance Audit of Your .NET Website
How to Do a Performance Audit of Your .NET Website
DNN4K views
Static Site Generators: what they are and when they are useful by Paul Walk
Static Site Generators: what they are and when they are usefulStatic Site Generators: what they are and when they are useful
Static Site Generators: what they are and when they are useful
Paul Walk501 views
Real time web by Medhat Dawoud
Real time webReal time web
Real time web
Medhat Dawoud4.3K views
Search Engine Optimization (Seo) for Developers by Matthew Robinson
Search Engine Optimization (Seo) for DevelopersSearch Engine Optimization (Seo) for Developers
Search Engine Optimization (Seo) for Developers
Matthew Robinson497 views
Manipulating Web Application Interfaces by Felipe M
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application Interfaces
Felipe M589 views
Beginners overview of automated testing with Rspec by jeffrey1ross
Beginners overview of automated testing with RspecBeginners overview of automated testing with Rspec
Beginners overview of automated testing with Rspec
jeffrey1ross365 views
Putting Compilers to Work by SingleStore
Putting Compilers to WorkPutting Compilers to Work
Putting Compilers to Work
SingleStore1.7K views

More from OWASP EEE

[Austria] ZigBee exploited by
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploitedOWASP EEE
747 views48 slides
[Austria] Security by Design by
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by DesignOWASP EEE
665 views16 slides
[Austria] How we hacked an online mobile banking Trojan by
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking TrojanOWASP EEE
654 views41 slides
[Poland] It's only about frontend by
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontendOWASP EEE
521 views56 slides
[Poland] SecOps live cooking with OWASP appsec tools by
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec toolsOWASP EEE
461 views35 slides
[Cluj] Turn SSL ON by
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ONOWASP EEE
406 views16 slides

More from OWASP EEE(20)

[Austria] ZigBee exploited by OWASP EEE
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploited
OWASP EEE747 views
[Austria] Security by Design by OWASP EEE
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by Design
OWASP EEE665 views
[Austria] How we hacked an online mobile banking Trojan by OWASP EEE
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan
OWASP EEE654 views
[Poland] It's only about frontend by OWASP EEE
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
OWASP EEE521 views
[Poland] SecOps live cooking with OWASP appsec tools by OWASP EEE
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
OWASP EEE461 views
[Cluj] Turn SSL ON by OWASP EEE
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE406 views
[Cluj] Information Security Through Gamification by OWASP EEE
[Cluj] Information Security Through Gamification[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification
OWASP EEE585 views
[Cluj] CSP (Content Security Policy) by OWASP EEE
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
OWASP EEE576 views
[Cluj] A distributed - collaborative client certification system by OWASP EEE
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system
OWASP EEE163 views
[Russia] Node.JS - Architecture and Vulnerabilities by OWASP EEE
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities
OWASP EEE560 views
[Russia] MySQL OOB injections by OWASP EEE
[Russia] MySQL OOB injections[Russia] MySQL OOB injections
[Russia] MySQL OOB injections
OWASP EEE1.6K views
[Russia] Give me a stable input by OWASP EEE
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable input
OWASP EEE335 views
[Russia] Building better product security by OWASP EEE
[Russia] Building better product security[Russia] Building better product security
[Russia] Building better product security
OWASP EEE382 views
[Lithuania] I am the cavalry by OWASP EEE
[Lithuania] I am the cavalry[Lithuania] I am the cavalry
[Lithuania] I am the cavalry
OWASP EEE539 views
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent by OWASP EEE
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
OWASP EEE774 views
[Lithuania] DigiCerts and DigiID to Enterprise apps by OWASP EEE
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps
OWASP EEE350 views
[Lithuania] Introduction to threat modeling by OWASP EEE
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling
OWASP EEE444 views
[Hungary] I play Jack of Information Disclosure by OWASP EEE
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
OWASP EEE510 views
[Hungary] Survival is not mandatory. The air force one has departured are you... by OWASP EEE
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...
OWASP EEE378 views
[Hungary] Secure Software? Start appreciating your developers! by OWASP EEE
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!
OWASP EEE237 views

Recently uploaded

How to think like a threat actor for Kubernetes.pptx by
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptxLibbySchulze1
5 views33 slides
Affiliate Marketing by
Affiliate MarketingAffiliate Marketing
Affiliate MarketingNavin Dhanuka
17 views30 slides
ATPMOUSE_융합2조.pptx by
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptxkts120898
35 views70 slides
The Dark Web : Hidden Services by
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden ServicesAnshu Singh
14 views24 slides
Marketing and Community Building in Web3 by
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3Federico Ast
14 views64 slides
hamro digital logics.pptx by
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptxtupeshghimire
10 views36 slides

Recently uploaded(6)

How to think like a threat actor for Kubernetes.pptx by LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze15 views
Affiliate Marketing by Navin Dhanuka
Affiliate MarketingAffiliate Marketing
Affiliate Marketing
Navin Dhanuka17 views
ATPMOUSE_융합2조.pptx by kts120898
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptx
kts12089835 views
The Dark Web : Hidden Services by Anshu Singh
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden Services
Anshu Singh14 views
Marketing and Community Building in Web3 by Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast14 views
hamro digital logics.pptx by tupeshghimire
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptx
tupeshghimire10 views

[Russia] Bugs -> max, time &lt;= T

  • 1. Bugs -> max Time <= T Omar Ganiev 11/10/2015
  • 2. Hi! • I’m Beched • I do application security assessment and penetration testing at IncSecurity • Also I compete as RDot.Org independent team member
  • 3. Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
  • 4. The problem Common situations where the problem of rapid testing of web application arises: • Pentesting a huge scope full of web apps. You have a couple of weeks to analyse and pwn them • The similar case – bug bounty. You want to collect (low) hanging fruits faster than others • Customer asks about the costs of your work. You want to estimate the cost by looking at web app for 5 minutes • Competition (Capture The Flag). You want to pwn the tasks quickly to focus on others and to get extra points
  • 5. The solution • Prioritizing • Parallelizing • Automation • Guessing • Heuristics • ??? • PROFIT • That’s it?
  • 6. Manual testing • Tons of articles and books are written about testing methodology (including OWASP Testing Guide) • Manual testing includes application logic analysis along with fuzzing • Manual testing is more careful (no or 1=1 in DROP-queries, etc)
  • 7. Manual testing • You can capture low hanging fruits in <= T time manually, but not in N applications • Generally automated scanning surely sucks • But anyway we’ll focus on improving tools rather than hands =)
  • 8. Semi-automated testing • NMap, Burp Suite, Recon-NG, CMSMap, RAFT, etc… • The tools are cool and save time, but still, you need to do a lot by hands, and the combination of such tools is poorly scalable
  • 9. Automated testing • Most of pentesters write their own specialized tools for automated pentesting • Generally It is rather complex task with a bit of rocket science • There’re a lot of problems like rich application crawling or natural language processing (your program actually needs to read human language to understand the application)
  • 10. Automated testing • There’re two main variables for measuring complexity (speed) of the testing methodology: time (depends on CPU & memory usage) and number of network requests • They correlate, and time can be decreased by technical measures • This is coverage vs requests count trade-of • Bugs -> max; time <= T; requests <= Q • We’ll mainly focus on the second parameter
  • 11. Automated testing • Let’s take a look at some tips’n’tricks useful for pentesting toolkit • We’ll observe technical and algorithmic ways to decrease testing time and number of network requests
  • 12. Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
  • 13. Technical view • Well-known things first • HTTP speed-up: Keep-Alive & HEAD • HEAD method can be used for directory listing and any other checks, which only need response headers (length- or time-based payloads, response splitting, etc) • Keep-Alive is always useful, decreases number of connections and hanshakes and hence the server load
  • 14. Technical view • Trivial paths first • Why crawling the whole site, if there’re sitemap.xml, robots.txt and Google dorks? • Why scanning the whole site, when you can detect a CMS and version and check for vulns in database? • Why fuzzing a login form a lot, when you can hit top passwords?
  • 15. Technical view • Scaling • Threading and horizontal scaling increase the speed very much, hence they can provide better covering (if we limit time, but not requests) • Recent example of distributed scanning platform is https://github.com/yahoo/gryffin/ written in Go
  • 16. Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
  • 17. Algorithmic view • Algorithmic view is quite interesting. How can we increase the number of fuzzed points and checked vulnerabilities without increasing requests count? • Let’s remember the problems we face while conducting (semi-)manual testing
  • 18. Algorithmic view • Ever seen such? • How do you process it manually? • URL patterns, similar pages
  • 19. Algorithmic view • Already mentiond Gryffin project by Yahoo uses quite a handy algorithm – Simhash • Take a look: http://www.wwwconference.org/www2007/papers/pape r215.pdf • If we build a Simhash-index of pages, we can skip duplicates, saving a lot of time • Possibly it’s better to take into account not only response body, but response status, headers, parameters, etc
  • 20. Algorithmic view • How to gather input points (GET, POST, Cookie, headers, …)? • Classical way: automate browser (PhantomJS) and crawl the website, process each request • Quick way: • Parse forms, parse links with query strings, parse XHR parameters from JS
  • 21. Algorithmic view • How to gather unknown input points? • Brute force • Quick: Iterative binary search • Collect a list of common parameter names, hit them all in query string at once and check page for changes, then perform dichotomy
  • 22. Algorithmic view • How to fuzz input points? • Long way: take a big list of fuzzing strings and fuzz each parameter • Quick way: construct polyglot payloads and check for a bunch of vulns at once • Take a look: http://www.slideshare.net/MathiasKarlsson2/p olyglot-payloads-in-practice-by-avlidienbrun n-at-hackpra
  • 23. Algorithmic view • Polyglot payloads can be constructed because of ignored contexts (such as comments) in diferent languages • Example of polyglot string: <tagxss> %0dresponse:splitting'"attributexss • Null-byte or backslash should be placed last • Time-based for (Postgre|My)SQL-injection: '/*! +sleep(10)*/+n1#(select 2 from (select pg_sleep(10))x)n+'
  • 24. Algorithmic view • Ok, what do we actually do, when we look at web app by eyes? • We estimate “hackableness” of app or page and then think how can we hack it • Why not automate thinking? %)
  • 25. Algorithmic view • The thinking flow is like this: “Hm… It’s enterprise .NET site with a single login form. Probably not that hackable … Hm… It’s default WordPress installation without plugins and custom themes. Probably not hackable … Hm… It’s shitty custom PHP engine with a lot of forms and input parameters. Instantly hackable! 8) “
  • 26. Algorithmic view • What makes us think one or another way? Let’s point out some of features: Platform (PHP, ASP, Ruby, …) Server (Apache, Nginx, IIS, …) Engine (WordPress, Django, RoR, …) Queries (count parameters in links on main page) Scripts (number of script tags on main page) Inputs (number of input tags on main page) SSL (if the site works with HTTPS or not)
  • 27. Algorithmic view • The simpliest vulnerable-vs-secure classifier ever: if PHP: vulnerable = True else: vulnerable = False • Ok, just kidding =)
  • 30. Algorithmic view • Today before the talk I scanned about a thousand sites and built this decision tree on obtained data • Actual classifier is a bit bigger than simpliest, but yet the common sense is preserved %) • If the main page is PHP-script, there’re at least 4 GET-parameters in the links on it, and there’s at least one script tag, then site is probably vulnerable =)
  • 31. Algorithmic view • Ok, this is about cost estimation, but how can this help us to scan the site? • Ever seen this?
  • 32. Algorithmic view • Let’s calculate more features for each page and build priority queue during scan • If you do it right, /favicon.ico will be scanned last, and /admin.php will be scanned first
  • 33. Algorithmic view • Which features can we calculate? • Dynamic/static page: detected platform (dynamic language vs none), content-type (html vs static), extension • Response status: OK vs Forbidden vs Redirect vs Not Found vs … • A bit of NLP: if the path contains important words like admin, password, login, etc
  • 35. Algorithmic view • Lower priority() – higher priority:
  • 36. Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
  • 37. Whitebox • Static code analysis is a lot more rocket science thing, than blackbox testing • Modern enterprise static code analysis systems are big and still not enough good (some of them still not better than grep) • They may have nice ads with samples, but ads- samples can probably be constructed by hand ;)
  • 38. Whitebox • Most pentesters have their own dirty hacks and regexps for finding the vulns • I also use a simple grep wrapper, which allows to spot out security bottlenecks and obvious bugs in no time • Especially useful during CTF, when the source code is not that big • If integrated with IDE, can be rather cool semi-manual analyser
  • 39. Whitebox • Collect a list of dangerous sinks for various languages • Take a pattern for variable (like $.* in PHP) • Take a list of securing functions • Generate regexps with negative lookahead, which will search for patterns like this: danger_func(…not_a_securing_func(…$var
  • 40. Whitebox • Get the result like this • Parse it into any IDE and analyse traces
  • 41. Contents • Intro • Technical view • Algorithmic view • Whitebox • Outro
  • 42. Summary • Application testing can be made faster in many ways • Some of ways are achievable during manual assessment, some of them are not • We can build fast and scalable web application scanner for this • It will traverse pwning paths graph in an efficient way and halt after hitting the requests limit
  • 43. Results • Some of reviewed techniques are already implemented in reps on my GitHub (libpywebhack repository not updated for years): https://github.com/beched • It will be updated as soon as I finish debugging PoC scripts