Pentest Labs
Vulnerable Web Apps Frameworks and Pentest



c0c0n2010 -

  1. Pentest Labs: Vulnerable Web Apps Frameworks and Pentest
     Mauro Risonho de Paula Assumpção (firebits)
     firebits@backtrack.com.br, mauro.risonho@nsec.com.br
     2010
  2. ● Mauro Risonho de Paula Assumpção, a.k.a. firebits
     ● I'm from Brazil!
     ● I work in pentest (and other services) remotely around the world
  3. ● Looking for a good opportunity in a company's information security area that fits my profile ;)
     ● Anywhere in the world.
     ● And to take a quick English course to speak better :)
  4. ● Unfortunately, I do not speak English fluently, but I write and understand it well!
     ● Thanks to all who are here; maybe in 2011 I will meet everyone personally. It will be an honor.
  5. Who am I?
     ● Pentester, exploit writer, developer, security analyst and vulnerability researcher. In Brazil this is called “autodidata” (self-taught).
  6. Who am I?
     ● Director, security consultant and security systems pentester at NSEC (a small company in Brazil). Carried out security and development projects for Petrobras REVAP, Microsiga, Unilever, Rhodia, Tostines, Avon, CMS Energy, Stefanini IT Solutions, NeoIT, Intel, Google, Degussa, Niplan and others. Leader and founder of "Backtrack Brazil" (www.backtrack.com.br), and moderator and translator for Backtrack USA (www.backtrack-linux.org).
  7. ● The focus of this presentation is to build a new penetration testing lab for information security professionals, as well as for those who wish to improve or deepen their knowledge.
     ● We will show some capabilities of these frameworks, with some commands and techniques, but we will not carry the pentest technique through to the end, both for lack of time and to leave something to the curiosity of those interested. ;)
  8. Paper: Pentest Labs, Vulnerable Web Apps Frameworks and Pentest
  9. OWASP Broken Web Applications
     Excellent learning tool: http://code.google.com/p/owaspbwa/
     ● OWASP WebGoat – Java
     ● OWASP Vicnum – Perl
     ● OWASP Mutillidae – PHP
     ● Damn Vulnerable Web Application – PHP
  10. OWASP Broken Web Applications
      ● OWASP CSRFGuard Test Application – Java
      ● Mandiant Struts Forms – Java/Struts
      ● Simple ASP.NET Forms (ASP.NET/C#)
      ● Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
  11. OWASP Broken Web Applications
      ● WordPress version 2.0.0 (PHP, released December 31, 2005)
      ● phpBB version 2.0.0 (PHP, released April 4, 2002)
      ● Yazd version 1.0 (Java, released February 20, 2002)
  12. Demo video: OWASP Broken Web Applications
  13. Broken Web Applications
      Paper: Web 2.0 AJAX
      http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
  14. BadStore
      Link: http://www.badstore.net/
      Platform: Perl, Apache and MySQL
      Install: Meant to run by booting a Live CD, but I'd recommend using my Live CD VMX
      Notes: Easy to set up, and it's nice that you can run it from a VM with a little work. Just make sure you set the VM to use the IP addresses that are only available from the local host OS (NAT or Host-only).
  15. Damn Vulnerable Web App
      Link: http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
      Platform: PHP, Apache and MySQL
      Install: Should work on any box you can install Apache/PHP/MySQL on.
      Notes: When I first posted Mutillidae, Ryan Dewhurst emailed me and told me about a project he started a few months before mine. His is also PHP/MySQL based, and looks prettier than mine. :) I've yet to play with it much, but I may be using some of his code in the near future to expand Mutillidae.
  16. Hacme Travel
      Link: http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
      Platform: Windows XP, MSDE 2000 Release A, Microsoft .NET Framework v1.1, C++
      Install:
      Notes:
  17. Hacme Bank
      Link: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
      Platform: Windows, IIS, .Net 1.1
      Install:
      Notes:
  18. Hacme Shipping
      Link: http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
      Platform: Windows XP, Microsoft IIS, Adobe ColdFusion MX Server 7.0 for Windows, MySQL (4.x or 5.x with strict mode disabled)
      Install:
      Notes:
  19. Hacme Casino
      Link: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
      Platform: Ruby on Rails
      Install: Installer that sets up a built-in WEBrick server
      Notes:
  20. Demo video: Hacme Casino
  21. Hacme Books
      Link: http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
      Platform: J2EE application, Java Development Kit
      Install:
      Notes:
  22. Moth
      Link: http://www.bonsai-sec.com/en/research/moth.php
      Platform: Linux VMWare image
      Install: Just download the VM and open it in VMWare player
      Notes:
      ● Nanbiquara 2.0 (PHP + MySQL)
      ● Riotpix .61p (PHP + MySQL)
      ● Vanilla 1.1.4 (PHP + MySQL)
      ● Wordpress 2.6.5 (PHP + MySQL)
      ● Yazd war 3.0r (Tomcat 6 + MySQL)
  23. Demo video: Moth
  24. Mutillidae
      Link: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
      Platform: PHP, Apache and MySQL
      Install: Should work on any box you can install Apache/PHP/MySQL on. I have personally tested it in XAMPP under Windows and Linux.
      Notes: Mutillidae is my personal project to implement the OWASP Top 10 Vulnerabilities. It's designed to be easy to follow and geared towards a classroom environment. Think of it as a noob's WebGoat.
  25. Vicnum
      Link: http://sourceforge.net/projects/vicnum/
      Platform: PHP and Perl
      Install: Should work on any box you can install Apache/PHP/MySQL on. Try it with XAMPP.
      Notes: Mordecai Kraushar sent me an email about his project. The more the merrier. Here is how it is described: "A web application showing common vulnerabilities such as cross site scripting and session management issues. Helpful to IT auditors honing web security skills and to those setting up 'capture the flag' exercises. For the VM login as root/vicnum"
  26. WebGoat
      Link: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
      Platform: J2EE web application
      Install: Self-contained Tomcat server you can run from a directory under Windows or Linux
      Notes: Love the fact it's so self-contained and easy to run. By default it only listens on the loopback address, so you can run it from your workstation on a production network with little worries.
  27. Demo video: WebGoat
  28. WebMaven (AKA: Buggy Bank)
      Link: http://www.mavensecurity.com/WebMaven.php
      Platform: Perl CGI scripts
      Install: You have to install this on a box with a web server and Perl CGI support. The creators recommend Xitami for the sake of ease. Make sure that you don't put the server on a production network.
      Notes: I've not played with this one much. The website for WebMaven says it was the basis for WebGoat v1.
  29. References
      ● http://www.irongeek.com
      ● http://www.owasp.org
      ● http://www.google.com
      ● http://www.backtrack-linux.org
  30. THANKS FOR ALL!!!
      Mauro Risonho de Paula Assumpção
      http://www.informationsecurityday.com/c0c0n/
      firebits@backtrack.com.br, mauro.risonho@nsec.com.br
      2010
