
Web Application Penetration Testing Introduction




1. 2011 NSAA IT Pre-Conference Workshop: Penetration Testing For Maximum Benefit – Web App Hacking

2. Introductions
   - Web Application Testing: a concise overview
   - Scott Johnson, Principal Security Consultant, Emagined Security

3. Goals
   - Grasp of the web application testing process
   - Convinced of the necessity
   - Knowledge of core tools
   - Confident that "I can do this"

4. Agenda
   - Overview
   - Testing Phases
   - Demonstration

5. What is Web Application Testing? (Black Art or Science?)
   - "A penetration test is a method of evaluating the security of a computer system or network by simulating an attack. A Web Application Penetration Test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities." (OWASP)
   - Targets the legitimate business functions users use every day
   - The supporting infrastructure is generally off limits
   - It is not a code review

8. Why Test? Common misconceptions ("Our site is safe"):
   - We have firewalls in place
   - We encrypt our data
   - We have IDS / IPS
   - We have a privacy policy

9. Web App Hacking in the News

10. Your Front Door Hacker
   - The firewall is going to let them in
   - Encryption will hide most of the attacks
   - Privacy? Like they care!

11. How does it work?
   - Diagram: SQL injection over HTTPS (port 443) passes through the network security controls (firewall, IDS / IPS) and reaches the database server; the database returns account passwords.

12. You Don't have to look like this
   - You can perform web app testing if you have:
     - Basic understanding of the HTTP protocol
     - A methodical approach
     - Tenacious curiosity
   - (Photo: Marc Maiffret, "Uber Nerd", Founder and CTO of eEye Security)

15. Testing Phases
   - Passive Phase: information gathering; understanding the logic; observing normal behavior
   - Active Phase: targeted testing; applying methodologies

16. Passive Phase – Reconnaissance
   - "Reconnaissance is a mission to obtain information by visual observation or other detection methods, about the activities and resources of an enemy or potential enemy." (US Army FM 7-92, Chap. 4)
   - Know your target before you begin; it's worth the effort
   - Determine application types and versions; cross-reference vulnerabilities with OSVDB / NVD
   - Observe normal behavior
   - Advanced Google searching, aka Google hacking
   - Application mapping: spidering / web crawling; directory busting

17. Active Phase – The Attack Plan
   - Configuration Management
   - Business Logic
   - Authentication
   - Session Management
   - Authorization
   - Data Validation
   - Denial of Service
   - Web Services Testing

18. Tools – Deploying Your Assets
   - Browser (prefer Firefox and friends): FoxyProxy, Live HTTP Headers, Firebug, Web Developer, etc.
   - Web proxy: a server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers.
   - Examples: Burp, WebScarab, Paros

19. Tools (continued) – Scanner
   - Tool that automates many of the test methods described earlier
   - Many commercial tools: AppScan, WebInspect, Acunetix, etc.
   - W3AF (Web Application Attack and Audit Framework) and OWASP ZAP: free, open source web scanners
   - Pros: fast; the tester can quickly target weak spots
   - Cons: prone to false positives, poor session management
   - Does not replace manual testing

20. Fuzzing
   - Definition: "A software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions." (Wikipedia)
   - Fundamental technique in web application testing
   - Inputs to fuzz: parameters, form fields, cookies, HTTP headers
   - Can uncover many kinds of vulnerabilities: SQL injection, XSS, improper error handling, DDoS, etc.

21. SQL Injection
   - Fuzzing aimed at the database layer of an application
   - Improper user input filtering is the root cause
   - `'1 or 1=1` is the classic test string
   - Many variations; automated fuzzing is helpful

22. Cross Site Scripting
   - Bypass access controls
   - Hijack sessions
   - Disclose sensitive information
   - Persistent: lives on the server
   - Non-persistent: malicious link
   - Targets users, not your site!
   - `<script>alert("You Won!")</script>`

23. XSS – Example (injected markup as captured from a URL parameter; the leading and trailing fragments are part of the original capture)

   ```html
   ………BbK9M1vm8m3s%3df22b5<script> function changeSrc() {document.getElementById("myframe").src="";}
   </script><body bgcolor="Red"><table bgcolor="red"><p><iframe align="top" width="40%" height="400" id="myframe" src=""><p>Your browser does not support iframes.</p></iframe><br> An Error Occurred<p><input type="button" onclick="changeSrc()" value="Click to Continue" /><p><p><p><p></body>
   </script>f973c1e3be0
   ```
24. Demonstration Overview – Using a Web Proxy
   - Basic recon
   - Platform: BackTrack
   - Starting Burp
   - Configuring your browser
   - Starting WebGoat: http://x.x.x.x:8080/webgoat/attack (guest / guest)
   - Capturing traffic
   - SQL injection example
   - Cross Site Scripting (XSS) example

25. Demo 1 – Reconnaissance: Google Hacking
   - `inurl:`
   - `site:`
   - `filetype:`
   - Entire books on the subject
   - Reference:

29. Demo 1 – Reconnaissance: Finding Indexes
   - `site:sc.gov intitle:index.of`

30. Demo 1 – Reconnaissance: Finding login pages
   - `login | logon`

31. Demo 1 – Error Pages
   - `site:sc.gov intitle:error | warning`

32. Demo 1 – Passwords?

33. Demo 1 – Passwords: You bet!

34. Demo 1 – Reconnaissance: Spidering / Web Crawling
   - OWASP: WebScarab, ZAP
   - PortSwigger: Burp Suite

35. Demo 1 – ZAP Spider

36. Demo 2 – Setup
   - Make sure the port number is the same; in this case port 8008

37. Demo 2 – Setup
   - Browse to WebGoat: http://x.x.x.x:8080/webgoat/attack
   - User ID = guest
   - Password = guest

38. Demo 2 – SQL Injection

39. Demo 2 – SQL Injection – Answer
   - Why does that work? Make the SQL statement evaluate as true! 1=1, right?
   - Answer: `1+'or+'1'='1`
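Added example, not from the slides: a Python/sqlite3 stand-in for the WebGoat lesson database (table, column names and rows are constructed), showing why slide 39's answer (URL-decoded as `1' or '1'='1`) makes the `WHERE` clause true against the string-built query that slide 21 calls the root cause, and why the same input is inert against a parameterized query.

```python
import sqlite3

# Constructed sample table standing in for WebGoat's user data lesson.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, last_name TEXT, cc_number TEXT)")
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [(101, "Smith", "4111-0000-0000-0001"),
         (102, "Jones", "4111-0000-0000-0002"),
         (103, "Brown", "4111-0000-0000-0003")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    # Root cause from slide 21: user input is pasted into the statement unfiltered,
    # so a quote in the input ends the string literal and the rest becomes SQL.
    sql = f"SELECT userid, last_name FROM user_data WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, last_name: str) -> list:
    # The driver binds the value separately; quotes inside it never reach the SQL parser.
    sql = "SELECT userid, last_name FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()

# Slide 39's answer with the URL encoding removed ("+" is a space).
PAYLOAD = "1' or '1'='1"

def demo() -> dict:
    conn = make_db()
    return {
        # WHERE last_name = 'Smith'                -> one row
        "vuln_normal": lookup_vulnerable(conn, "Smith"),
        # WHERE last_name = '1' or '1'='1'         -> every row, the tautology wins
        "vuln_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_parameterized(conn, "Smith"),
        # Bound value "1' or '1'='1" is just a last name nobody has -> no rows
        "safe_payload": lookup_parameterized(conn, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13} {rows}")
```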
40. Demo 2 – XSS (persistent)
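Added example, not from the deck: a constructed Python message board illustrating slide 22 and the persistent XSS demo of slide 40 with the slide's own test string, stored once on the server and replayed to every later visitor. The vulnerable render concatenates stored text into the page; the fixed render applies output encoding with `html.escape`, which the slides do not show and is assumed here as the mitigation.

```python
from html import escape

# Constructed in-memory store standing in for the server-side message table.
MESSAGES = []

# Slide 22's test string.
PAYLOAD = '<script>alert("You Won!")</script>'

def post_message(text: str) -> None:
    # Persistent XSS: whatever is stored here is served to everyone who views the board.
    MESSAGES.append(text)

def render_vulnerable() -> str:
    # Untrusted text is concatenated straight into the HTML response; the browser
    # of every later visitor parses the stored <script> as code.
    return "<ul>" + "".join(f"<li>{m}</li>" for m in MESSAGES) + "</ul>"

def render_escaped() -> str:
    # Output encoding: <, >, &, and quotes become entities, so the browser renders
    # the payload as visible text instead of executing it.
    return "<ul>" + "".join(f"<li>{escape(m, quote=True)}</li>" for m in MESSAGES) + "</ul>"

def contains_live_script(html: str) -> bool:
    # Crude check used to compare the two renders: is a raw <script> tag still present?
    return "<script>" in html.lower()

def demo() -> dict:
    MESSAGES.clear()
    post_message("Hello board")   # a normal message
    post_message(PAYLOAD)         # the stored payload
    return {"vulnerable": render_vulnerable(), "escaped": render_escaped()}

if __name__ == "__main__":
    for name, page in demo().items():
        print(f"{name}: live script = {contains_live_script(page)}\n  {page}")
```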
41. Demonstration 3 – W3AF Vulnerability Scanner
   - Platform: BackTrack
   - Starting W3AF
   - Layout and configuration
   - Defining the target
   - Selecting plugins
   - Analyzing results and reporting

42. Demo 3 – W3AF Layout

43. Demo 3 – W3AF Results

44. Tool Starter Kit
   - Web proxy: Burp, Paros, WebScarab / ZAP
   - Fuzzing: WSFuzzer
   - Brute forcing: Brutus
   - Password cracking: John the Ripper
   - Scanner: W3AF, ZAP
   - Don't forget the shell
   - There are many tools; some are technology centric: Citrix, Flash, JavaScript, etc.
   - BackTrack is your starter kit

45. References
   - OWASP Testing Guide: comprehensive guide
   - Burp
   - W3AF
   - Firefox & Friends
   - BackTrack: every tool you need to get started

46. Questions

47. Supplemental Slides

48. Pre-Flight Checks: increase the likelihood of a successful test
   - Communication and cooperation
   - Reaffirm scope of test
   - Validate functionality and user accounts
   - Technical support on the ready
   - No unforeseen outages or code changes

49. Burp Suite Pro

50. W3AF