Legal and efficient web app testing without permission - Abraham Aranguren
The document discusses efficient and legal web application testing techniques that can be performed without permission. It introduces the Open Web Testing Framework (OWTF) which allows pentesters to run tools and analyze results in parallel through a reporting interface. OWTF utilizes "cheating tactics" like passive information gathering and semi-passive testing to identify vulnerabilities and attack vectors before the official test begins. The document provides examples of how tools in OWTF can be used to profile websites, discover entry points, and identify vulnerabilities in a pre-engagement or reconnaissance phase without active interaction with the target.
Silent web app testing by example - BerlinSides 2011 - Abraham Aranguren
A practical OWASP Testing Guide walk-through focused on passive and semi-passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
Email is the primary way that malware infiltrates systems. By default, Windows allows dangerous file types like scripts to execute when double-clicked, enabling malware. However, several simple changes can significantly reduce this risk. First, block common file types from email attachments and change their associations to open in Notepad instead of executing. Second, enable macro blocking in Office and tweak registry settings. Third, monitor for encrypted emails and evaluate any attachments. Together these low-effort changes can prevent the majority of malware delivered by email.
This document provides information on detecting WMI exploitation. It discusses how WMI can be used by adversaries to remotely execute payloads, persist, query systems, and more. It outlines various ways WMI is exploited, including installing malicious MOF files and DLLs. The document recommends enabling specific Windows event logs and logging options to detect WMI activity, such as Process Creation, Authentication, and PowerShell logs. It also discusses tools that can help hunt for WMI exploitation like LOG-MD, Sysinternals AutoRuns, and WMI Explorer.
You need a PROcess to catch running processes and their modules_v2.0 - Michael Gough
This document discusses fileless or memory-based malware that exists only in memory and provides recommendations for detecting and responding to it. It recommends:
1. Developing a process to monitor running processes and modules for signs of injection or unauthorized code. Tools like Log-MD-Premium can help detect these memory-only infections.
2. Enabling detailed process logging, especially of command lines, to provide visibility. Detections and hunting can then focus on suspicious process activity.
3. Extracting and analyzing files from memory dumps or live systems to identify malware artifacts and indicators through static file evaluation and string analysis.
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting - Abraham Aranguren
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app, will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?
Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
Malware Archaeology
LOG-MD
Are Malware Sandboxes as good as manual malware analysis?
A look at some samples sent through automated malware sandboxes vs. manual analysis
This document discusses defending against ransomware and provides recommendations. It begins by establishing the problem of ransomware growth and costs. It then recommends (1) blocking common file types at email gateways and Outlook, (2) blocking macros in Office documents, (3) changing file associations of script types to open in Notepad instead of executing, (4) using Group Policy to prevent changes from Windows updates, and (5) disabling dangerous Word features like DDE links. Implementing these free solutions can help block the majority of ransomware attacks.
Deeplook into apt and how to detect and defend v1.0 - Michael Gough
This document summarizes a presentation about detecting a Chinese advanced persistent threat called WINNTI. The presentation discusses the evolution of WINNTI attacks from 2012 to 2014, describing new techniques used in 2014 including hiding payloads in the Windows registry and altering system management binaries. It provides tips for detecting WINNTI, such as enabling detailed process auditing, monitoring for suspicious commands, and using tools like Sysmon and Log-MD to facilitate malware discovery and investigation.
Security can seem intimidating and complex for many of us, but we shouldn’t (can’t) let that stop us from making sure we’re doing everything we can to secure our WordPress sites. After all, our websites are often part of our livelihood.
In this session Adam will discuss the “big picture” of website security and break down the fundamental tasks needed for a strong security plan, in order of importance. Adam will provide an actionable checklist on what you can start doing today to better secure your WordPress websites.
After attending this session, audience members will have a better understanding of website security as a whole and what steps they can take to mitigate risk. Attendees will be able to start building their WordPress security master plan immediately.
Test-driven security involves writing security-focused test cases to test for vulnerabilities during the development process. This helps enable continuous deployment by ensuring new code does not introduce security bugs. The key aspects discussed are:
1) Having developers or security experts write test cases to validate common vulnerabilities like authentication failures, input validation, and authorization checks.
2) Involving non-technical team members like project managers in writing test cases using plain language to specify scenarios.
3) Integrating security testing into continuous integration pipelines to automatically catch issues during code reviews.
Sandbox vs manual malware analysis v1.1 - Michael Gough
The document discusses the differences between sandbox analysis and manual analysis of malware. Sandbox analysis uses virtual machines and cloud-based solutions to analyze malware, but may miss artifacts since malware can detect virtual environments. The author argues that manual analysis on bare-metal systems provides more complete artifacts and indicators. Manual analysis allows evaluating malware as it was intended by detonating it directly on hardware.
This PowerShell command uses many odd characters and variable names to obfuscate its intent, which is typically seen with malware. It likely downloads additional payloads or malware to the system. Logging and monitoring PowerShell activity can help detect this type of obfuscated command.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class - Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ... - Alan Richardson
A Webinar on Risk Analysis and Management, Exploratory Testing, and Technical Testing.
I want to get across the model that I have for risks, which is that risks are “beliefs” and a result of our beliefs. We believe some things will go wrong more than others. And because our beliefs are limited but the range of risks is not, we need to somehow go beyond our beliefs and look at tools and processes for doing that.
Also we know that risk is important for testing. What I want to do in this talk is present risk as the underpinning and driving force behind everything we do in testing.
You can use risk to justify the stuff that you do as a tester. And you can use risk to derive your test scope as well as your test process.
The document introduces Abraham Aranguren and provides an agenda for his presentation on the Offensive Web Testing Framework (OWTF), including an overview of OWTF, installing and running OWTF, passive and semi-passive web analysis with OWTF, active web analysis with OWTF, and auxiliary plugins for search engine testing and IDs testing.
This document provides information about the speaker, including their name, contact information, work experience, projects, and interests. They are a security researcher who previously worked as a VA and now works for HP Application Security Center. They enjoy talking about hacking and drinking beer and gin and tonics. The document also outlines an upcoming workshop they will be conducting on web hacking tools and techniques.
This document provides an agenda for a presentation on going beyond automated testing for security assessments. The presentation covers testing methodologies, soft skills needed for manual testing like determination and focus, limitations of automated testing, techniques for finding unknown systems and content, exploiting vulnerabilities, reporting and automation best practices, and recommendations for useful training resources. The goal is to share experiences with external security assessments and how manual testing finds issues missed by automated tools.
DEFCON 23 - Jason Haddix - how do i shot web - Felipe Prado
1. The document discusses hacking techniques for web applications, including methodology, discovery techniques, mapping, and tactical fuzzing approaches for XSS, SQLi, file inclusion, and uploads.
2. It provides tips on finding less tested application scopes, port scanning, directory bruteforcing, crawling, and using tools like SQLmap and intrigue for reconnaissance.
3. The document outlines tactics for auth bypass, session hijacking, parameter tampering, and common vulnerabilities like XSS, SQLi, file inclusion, and CSRF with examples of payloads and techniques.
Testing with Codeception: Full-stack testing PHP framework - Susann Sgorzaly
Codeception is a PHP testing framework for Behavior Driven Development, which covers all kinds of tests: unit tests, functional tests and acceptance tests. It is fast and simple in both usage and execution. This talk will give you an introduction to the software testing basics using Codeception. It will also cover some stumbling blocks when writing tests, like:
- Test code stability against small changes
- Data stability
- Test structure
Last but not least I will give you a short outlook how to make your tests also understandable for product owners.
The document discusses logging and analytics for software products. It notes that only logging essential information is important to understand current issues based on past events. Effective logging requires balancing what to log with actually implementing the logging. The document proposes logging all events to a single, standardized format that can be queried across systems to gain insights that are otherwise difficult to obtain from separate logging mechanisms.
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip... - bugcrowd
1. The document provides tips for effective hacking and bug hunting in 2015, focusing on web applications.
2. It discusses philosophy shifts towards crowdsourced testing, and techniques for discovery such as finding less tested application parts and acquisitions.
3. The document also covers mapping methodology, parameters to attack, and bypassing filters for XSS, SQLi, file inclusion, and CSRF vulnerabilities.
Update on progress of the 4 OWASP OWTF GSoC 2013 projects, with an intro overview about OWTF and some examples on how the OWASP Testing Guide is being covered at the moment towards the end.
Test & Tea : ITSEC testing, manual vs automated - Zoltan Balazs
This document discusses the differences between manual and automated security testing. It provides examples of issues that automated scanners often cannot find, such as logical bugs, authentication bypasses, unknown parameters, and creative hacks. The conclusion recommends using automated tools for repetitive tasks but using human intelligence for more creative hacking problems in order to thoroughly test systems.
When performing security assessments or participating in bug bounties, there is generally a methodology you follow when assessing source-code or performing dynamic analysis. This involves using tools, reviewing results and understanding what you should be testing for. Reviewing modern web applications can be quite challenging, and this talk will go into details on how we can automate the boring (but necessary parts) and how to set a roadmap of what should be focused on when dealing with modern JavaScript applications.
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf - Lior Rotkovitch
Part of F5 mitigations series
Brute force on apps is on the rise
Will become WBT @ F5U
Conclusion:
Internet brute force can go undetected and is a serious threat to applications
F5 owns the largest set of options to detect and prevent application brute force
The document provides steps to clean up a WordPress site after it has been hacked. It begins by advising to stay calm and then outlines options to hire an expert service to clean up the site, reinstall WordPress from scratch, or conduct a forensic investigation yourself. Next, it describes how attackers typically find vulnerable sites, assess what exploits might work, run scripts to gain access, and implant backdoors or scripts. The rest of the document details the 10 comprehensive steps to fully clean up a hacked site, including shutting down access, finding compromised files, determining how the site was hacked, removing malware, restoring clean files and the database, resetting keys and passwords, hardening the site, and monitoring going forward.
The document discusses techniques for rapidly testing web applications through automation to find security vulnerabilities within a limited time frame (T) and network requests (Q). It proposes prioritizing testing based on features like platform, number of inputs, and response status. Algorithmic approaches are suggested like using polyglot payloads to check for multiple issues simultaneously, building a decision tree to classify hackability, and calculating page priorities to guide the scan. Whitebox testing techniques like custom grep scripts to find code vulnerabilities are also covered. The goal is to build an efficient automated web application scanner that traverses the "pwning paths graph" to find bugs within the constraints.
The document discusses automated acceptance testing (AAT) in .NET. It provides an overview of AAT, including the benefits of communication, catching mistakes, and automation. It then discusses various AAT tools and frameworks for .NET, with a focus on SpecFlow for writing tests in Gherkin. The document demonstrates SpecFlow's workflow and syntax. It concludes by addressing challenges with AAT and providing tips for overcoming issues like brittle tests through techniques like page objects and headless browsers.
This document discusses various techniques for finding and exploiting vulnerabilities during a penetration test when vulnerabilities are marked as "low" or "medium" in severity. It argues that penetration testers and clients should not rely solely on vulnerability scanners and should thoroughly investigate even lower severity issues. Specific techniques mentioned include exploiting default credentials on services like VNC, exploiting exposed admin interfaces found through tools like Metasploit, taking advantage of browsable directories with backups or other sensitive files, exploiting SharePoint misconfigurations, exploiting HTTP PUT or WebDAV configurations, exploiting Apple Filing Protocol, and exploiting trace.axd to view request details in .NET applications. The document emphasizes finding overlooked vulnerabilities and keeping "a human in the mix" rather than full reliance
The document discusses various SSL/TLS security issues including Heartbleed, GNUTLS bugs, Apple bugs, Lucky13, BEAST, and CRIME. It provides details on the Heartbleed bug in OpenSSL, explaining how it allowed retrieval of up to 64KB of private data from affected servers. It also discusses other exploits like BEAST, CRIME, and Lucky13. The document advises administrators to patch systems, monitor for issues, and leverage big data to identify anomalies. Developers are advised to carefully manage library dependencies and versions to prevent vulnerabilities.
Some old and new tips, tricks and tools for rapid web application security assessment (black and white box). They are useful in various situations: pentest with very limited time or huge scope, competition, bug bounty program, etc.
Browser automation testing frameworks like Nightwatch.js allow developers to automatically test their web applications. Nightwatch.js provides an easy way to write tests using JavaScript. Tests can launch browsers, fill forms, click links, and verify outputs. Nightwatch.js tests can help developers catch errors that might break functionality and ensure compatibility across browsers. The documentation is good and it is actively maintained with over 10,000 downloads per month. Developers can integrate Nightwatch.js tests into their own projects to avoid future issues.
DEF CON 23 - BRENT - white hacking web apps wp - Felipe Prado
This document provides an overview of executing a web application penetration test. It discusses the discovery phase using OSINT tools to identify the target's online presence. It then covers gathering evidence, utilizing automated scanning tools to find vulnerabilities, and thorough manual testing techniques like exploring parameters, authentication, and the host server. The goal is to break into web applications like a professional penetration tester and provide a detailed report of findings.
Protect Your Payloads: Modern Keying Techniques - Leo Loobeek
The document discusses keying techniques for encrypting payloads in a way that only allows decryption on specific target systems. It covers using local system resources like environment variables or file paths to derive encryption keys. It also introduces using remote resources like web pages or DNS records hosted by the attacker to control when payloads execute. Tools like Ebowla, KeyRing, and KeyServer are presented as ways to implement these keying techniques for various scripting languages and to automate controlling remote keys. The goal is to make payloads only executable on intended targets and to maintain control over payload execution.
Similar to Abraham Aranguren. Legal and efficient web app testing without permission (20)
Welcome to the next edition of our monthly digest, your one-stop resource for information on the latest developments, analysis and best practices in the ever-evolving field of security. In this issue we have prepared a diverse selection of articles, news and research findings aimed at both professionals and casual enthusiasts. The goal of our digest is to make our content engaging and accessible. Happy reading
(https://boosty.to/chronicles_security + links to the sources inside the document)
Welcome to the next edition of our monthly digest, your one-stop resource for information on the latest developments, analysis and best practices in the ever-evolving field of security. In this issue we have prepared a diverse selection of articles, news and research findings aimed at both professionals and casual enthusiasts. The goal of our digest is to make our content engaging and accessible. Happy reading
(https://boosty.to/irony_security + links to the sources inside the document)
Добро пожаловать в очередной выпуск ежемесячного сборника материалов, который является вашим универсальным ресурсом для получения информации о самых последних разработках, аналитических материалах и лучших практиках в постоянно развивающейся области безопасности. В этом выпуске мы подготовили разнообразную подборку статей, новостей и результатов исследований, рассчитанных как на профессионалов, так и на обычных любителей. Цель нашего дайджеста - сделать наш контент интересным и доступным. Приятного чтения
(https://boosty.to/irony_security + ссылки на источник внутри документа)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
(https://boosty.to/overkill_security + check original source urls inside)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
(https://boosty.to/overkill_security + check original source urls inside)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
(https://boosty.to/snarky_security + check original source urls inside)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
(https://boosty.to/snarky_security + check original source urls inside)
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
This document summarizes a security vulnerability (Issue 54) discovered in Java SE Platform related to method handles. It details how the lack of security checks when resolving method handles using certain MethodHandle methods like resolveVirtual can allow access to protected members of arbitrary classes. The vulnerability on its own is not enough to bypass Java security, but combined with another issue (Issue 55) it can be used to achieve a full sandbox bypass. The vendor Oracle was notified but has so far not acknowledged Issue 54 as a vulnerability, claiming the behavior is allowed. The reporting organization disagrees with this assessment.
The document discusses the Red October malware campaign and describes its use of a Java exploit to infiltrate victim networks in early 2012. It notes that the Java exploit (CVE-2011-3544) was delivered via a link to a site hosting the malicious NewsFinder.jar file. If clicked, it would exploit outdated Java versions. The exploit installed a downloader that communicated with the attackers' command and control servers, and could receive and execute additional malware payloads. The document analyzes the encryption routines and network communications used by the Java exploit and downloader.
The document provides network, file, system and email indicators of compromise from the Comment Crew group observed over the past year. It lists domains, IP addresses, filenames and file hashes that may be associated with Comment Crew attacks but could also match legitimate software. Additional verification is needed to confirm an actual compromise.
This document discusses Indicators of Compromise (IOCs) related to APT1, a Chinese cyber espionage group. It provides links to download the IOCs and explains how they can be used with Mandiant tools like Redline and MIR to detect malware. The document also defines IOCs and describes how the included IOCs were developed and may differ from other Mandiant IOCs. It notes that the IOCs focus on detecting known malware families and may not find new variants.
This document contains SSL certificates used by APT1, a Chinese cyber espionage group, to encrypt malware communications. It provides 4 self-signed certificates - VIRTUALLYTHERE, IBM, WEBMAIL, and ALPHA - that contain information like issuer, validity period, subject, and public key. Detecting these certificates may indicate an APT1 malware infection.
This document contains a list of hexadecimal strings that are identifiers or codes for unknown items or entities. There are over 200 unique hexadecimal strings included ranging in length from 8 to 32 characters each.
This document contains a list of over 300 domain names. Many of the domain names contain misspellings of popular brands and websites like cnn, yahoo, firefox, and microsoft. The domains appear to be related to phishing or spreading malware by posing as legitimate websites or software updates.
The document provides joint doctrine for information operations planning, preparation, execution, and assessment to support joint operations and achieve information superiority, establishes the core capabilities of information operations as electronic warfare, computer network operations, psychological operations, military deception, and operations security, and provides guidance on intelligence support, command relationships, and planning considerations for information operations.
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
Effective approaches to web application security at scale involve making things safe by default through universal output encoding, detecting risky functionality changes through automated alerts, automating tests to find simple issues, and monitoring metrics to identify attacks and problems off-hours through automated alerts on thresholds.
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
Windows 8 stores email communications and contacts locally in a format that presents challenges for attorney review in litigation. The testing revealed that Windows 8 imports emails, contacts, and social media information from connected web accounts. Over 2,000 email files were found locally stored in EML format, but no files were found in common formats like MSG, PST, or MBOX. This local storage of email presents potential issues for efficiently processing the communications for discovery in litigation.
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
The document summarizes a Congressional Research Service report on the Stuxnet computer worm. It discusses how Stuxnet targeted Iranian nuclear facilities by infecting industrial control systems. It affected systems in several countries and demonstrated that cyber attacks could disrupt critical infrastructure. The report examines questions for Congress about national security, an international treaty on malicious software, and protecting critical infrastructure from cyber threats.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party and will share these foundational concepts to build on:
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
What do a Lego brick and the XZ backdoor have in common?Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies, of creative projects and of software. The reality is that a Lego brick and the case of the XZ backdoor have much more in common than that.
Join the presentation to dive into a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open-source community.
BIO: Advocate of free software and of open, standard formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she has been involved in several LibreOffice-related events, migrations and training courses. Previously she worked on LibreOffice migrations and training for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (which is where her nickname deneb_alpha comes from).
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Abraham aranguren. legal and efficient web app testing without permission
1. Legal And Efficient Web App Testing Without Permission
CONFidence, May 22nd 2012
Abraham Aranguren
@7a_ @owtfp
abraham.aranguren@gmail.com
http://7-a.org
http://owtf.org
3. About me
• Spanish dude
• Uni: Degree, InfoSec research + honour mark
• IT: Since 2000, defensive sec as netadmin / developer
• (Offensive) InfoSec: Since 2007
• OSCP, CISSP, GWEB, CEH, MCSE, etc.
• Web App Sec and Dev/Architect
• Infosec consultant, blogger, OWTF, GIAC, BeEF
5. Attacker Tactics
From “Open Source Information Gathering” by Chris Gates, Brucon 2009
http://carnal0wnage.attackresearch.com/
6. Pentester disadvantage
Pentesters vs Bad guys
• Pentesters have time/scope constraints != Bad guys
• Pentesters have to write a report != Bad guys
Complexity is increasing
More complexity = more time needed to test properly
Customers are rarely willing to:
“Pay for enough / reasonable testing time“
A call for efficiency:
• We must find vulns faster
• We must be more efficient
• .. or bad guys will find the vulns, not us
7. Can we learn from history?
Has this problem (huge disadvantage) been solved before?
8. Ancient “Top Attackers”
Individually outstanding due to:
• Artificial selection: Babies killed if “defective” (!)
• Military training (“Agoge”): Ages 7-18
• Final test: Survive in the countryside with only a knife
• Spartan Law: No retreat, No surrender (i.e. victory or death)
Globally outstanding due to solid tactic: “Hoplite phalanx”
• Shield wall + Spear points
• Frontally very strong + used successfully for centuries
http://scottthong.wordpress.com / http://en.wikipedia.org/wiki/Sparta
9. How would you beat them?
How could a room full of (sedentary? ☺) Geeks beat a room full of Spartans?
Ok, more realistic scenario ☺:
• Your troops must fight the Spartans
• You have the same number of soldiers
• Your soldiers are not that great
• How can you WIN?
10. Ancient “Pentest Cheating”
Battle of Lechaeum: Spartans defeated by “lamers”!
Tactic “Cheating”:
• Don’t fight, throw things!: Javelins + bows = Athenians WON
• Phalanx weak against: “shooters”, cavalry, flank/back attacks
http://www.ancientgreekbattles.net / http://en.wikipedia.org/wiki/Phalanx_formation /
http://en.wikipedia.org/wiki/Battle_of_Lechaeum
11. Why not take this to the next level?
Why not legitimately?
• Shoot “before the battle” without permission
• Shoot while we analyse information in parallel
• Prepare more shootings without being noticed
14. OWTF “Cheating”: Talk Scope
At least 48.5% (32 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission
* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!
15. Classic Pentest Stages
1. Pre-engagement: No permission “OWTF Cheat tactics” = Start here
2. Engagement: Permission Official test start = Active Testing here
16. Context consideration:
Case 1 robots.txt Not Found
…should Google index a site like this?
Or should robots.txt exist and be like this?
User-agent: *
Disallow: /
17. Case 1 robots.txt Not Found - Semi passive
• Direct request for robots.txt
• Without visiting entries
18. Case 2 robots.txt Found – Passive
• Indirect Stats, Downloaded txt file for review, “Open All in Tabs”
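The robots.txt handling from Cases 1 and 2, as an added Python example (not OWTF code): entries are collected as potential URLs and the "Disallow: /" question is answered without requesting a single entry. The base URL and the file content are constructed.

```python
from urllib.parse import urljoin

# Constructed robots.txt (not fetched from any real site).
SAMPLE_ROBOTS = """\
# comment lines are ignored
User-agent: *
Disallow: /admin/
Disallow: /backup
Allow: /public/
Sitemap: http://target.example/sitemap.xml

User-agent: Googlebot
Disallow: /
"""


def parse_robots(text):
    """Return (directive, value) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        directive, value = line.split(":", 1)
        entries.append((directive.strip().lower(), value.strip()))
    return entries


def groups(text):
    """Group Allow/Disallow rules under their User-agent lines (robots.txt semantics)."""
    result, agents, rules = [], [], []
    for directive, value in parse_robots(text):
        if directive == "user-agent":
            if rules:  # a User-agent line after rules starts a new group
                result.append((agents, rules))
                agents, rules = [], []
            agents.append(value)
        elif directive in ("allow", "disallow"):
            rules.append((directive, value))
    if agents or rules:
        result.append((agents, rules))
    return result


def potential_urls(base_url, text):
    """Absolute URLs named in the file, collected without requesting any of them.
    'Disallow: /' and empty values name no specific path and are skipped."""
    urls = []
    for directive, value in parse_robots(text):
        if directive in ("allow", "disallow") and value not in ("", "/"):
            url = urljoin(base_url, value)
        elif directive == "sitemap" and value:
            url = value
        else:
            continue
        if url not in urls:
            urls.append(url)
    return urls


def agents_disallowed_everywhere(text):
    """User agents whose group contains 'Disallow: /', i.e. the site asks not to be indexed."""
    return [agent for agents, rules in groups(text) for agent in agents
            if ("disallow", "/") in rules]
```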
19. OWTF HTML Filter challenge: Embedding of untrusted third party HTML
Defence layers:
1) HTML Filter: Open source challenge
Filter 6 unchallenged since 04/02/2012, Can you hack it? ☺
http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html
2) HTML 5 sandboxed iframe
3) Storage in another directory = cannot access OWTF Review in localStorage
20. Start reporting!: Take your notes with fancy formatting
Step 1 – Click the “Edit” link
Step 2 – Start documenting findings + Ensure preview is ok
22. The magic bar ;) – Useful to generate the human report later
23. Passive Plugin
Step 1- Browse output files to review the full raw tool output:
Step 2 – Review tools run by the passive Search engine discovery plugin:
Was your favourite tool not run?
Tell OWTF to run your tools on: owtf_dir/profiles/resources/default.cfg (backup first!)
24. Tool output can also be reviewed via clicking through the OWTF report directly:
25. The Harvester:
•Emails
•Employee Names
•Subdomains
•Hostnames
http://www.edge-security.com/theHarvester.php
26. Metadata analysis:
• TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺)
• Implemented: Integration with Metagoofil
http://www.edge-security.com/metagoofil.php
27. Inbound proxy not stable yet but all this happens automatically:
• robots.txt entries added to “Potential URLs”
• URLs found by tools are scraped + added to “Potential URLs”
During Active testing (later):
• “Potential URLs” visited + added to “Verified URLs” + Transaction log
28. All HTTP transactions logged by target in transaction log
Step 1 – Click on “Transaction Log”
Step 2 – Review transaction entries
29. Step 3 – Review raw transaction information (if desired)
30. Step 1 - Make all direct OWTF requests go through Outbound Proxy:
Passes all entry points to the tactical fuzzer for analysis later
Step 2 - Entry points can then also be analysed via tactical fuzzer:
31. Goal: What is that server running?
Manually verify request for fingerprint:
32. Whatweb integration with non-aggressive parameter (semi passive detection):
https://github.com/urbanadventurer/WhatWeb
47. Static Analysis, Fuzz, Try exploits, ..
RIPS for PHP: http://rips-scanner.sourceforge.net/
Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
61. Efficient HTML content matches analysis
Step 1 - Click
Step 2 – Human Review of Unique matches
62. Efficient HTML content matches analysis
Step 1 - Click
Step 2 –Review Unique matches (click on links for sample match info)
Want to see all? then click
76. Pro Tip: When browsing the site manually ..
… look carefully at pop-ups like this:
Consider (i.e. prep the attack):
Firesheep: http://codebutler.github.com/firesheep/
SSLStrip: https://github.com/moxie0/sslstrip
77. Mario was going to report a bug to Mozilla and found another!
78. Abuse user/member public search functions:
• Search for “” (nothing) or “a”, then “b”, ..
• Download all the data using 1) + pagination (if any)
• Merge the results into a CSV-like format
• Import + save as a spreadsheet
• Show the spreadsheet to your customer
79. Analyse the username(s) they gave you to test:
• Username based on numbers?
USER12345
• Username based on public info? (i.e. names, surnames, ..)
name.surname
• Default CMS user/pass?
80. Part 1 – Remember Password: Autocomplete
Good
Via 1) <form … autocomplete="off">
Or via 2) <input … autocomplete="off">
Bad
<form action="/user/login" method="post">
<input type="password" name="pass" />
81. Manual verification for password autocomplete (i.e. for the customer)
Easy “your grandma can do it” test:
1. Login
2. Logout
3. Click the browser Back button twice*
4. Can you login again (without typing the login or password) by re-sending the login form?
Can the user re-submit the login form via the back button?
* Until the login form submission
Other sensitive fields: Pentester manual verification
• Credit card fields
• Password hint fields
• Other
82. Part 2 - Password Reset forms
Manually look at the questions / fields in the password reset form
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc)
• Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
83. Goal: Is Caching of sensitive info allowed?
Manual verification steps: “your grandma can do it” ☺ (need login):
1. Login
2. Logout
3. Click the browser Back button
4. Do you see logged in content, or a "this page has expired" error / the login page?
Manual analysis tools:
• Commands: curl -i http://target.com
• Proxy: Burp, ZAP, WebScarab, etc
• Browser Plugins:
https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
https://addons.mozilla.org/en-US/firefox/addon/firebug/
84. HTTP/1.1 headers
Good: Cache-Control: no-cache
Bad: Cache-control: private
HTTP/1.0 headers
Good: Pragma: no-cache
Bad: Pragma: private
Good: Expires: <past date or illegal (e.g. 0)>
Bad: Expires: <way too far in the future>
The world
Good (https://accounts.google.com):
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT
Bad (no caching headers = caching allowed):
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ….
X-Powered-By: ….
Connection: close
Content-Type: text/html; charset=UTF-8
86. Repeat for Meta tags
Good: <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
Bad: <META HTTP-EQUIV="Cache-Control" CONTENT="private">
88. Offline Manual analysis:
• Download image and try to break it
• Are CAPTCHAs reused?
• Is a hash or token passed? (Good algorithm? Predictable?)
• Look for vulns on CAPTCHA version
CAPTCHA breaking tools
PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
Captcha Breaker - http://churchturing.org/captcha-dist/
89. Manually Examine cookies for weaknesses offline
Base64 Encoding (!= Encryption ☺): MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
Decoded value: owaspuser:192.168.100.1:a7656fafe94dae72b1e1487670148412
93. • Secure: not set = session cookie leaked = pwned
• HttpOnly: not set = cookies stealable via JS
• Domain: set properly
• Expires: set reasonably
• Path: set to the right /sub-application
• 1 session cookie that works is enough ..
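The caching checks from slides 84 and 86, the base64 decoding from slide 89 and the cookie attribute checks from slide 93, as one added offline example run over a captured response (not OWTF code); both responses are constructed and the 30-day cookie Expires threshold is an assumption.

```python
import base64
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed cookie value: base64 is an encoding, not encryption.
_ENCODED = base64.b64encode(b"user=alice;role=user").decode()

# Constructed 'Bad' response: private caching, no Pragma/Expires, flagless cookies, permissive meta tag.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\nCache-Control: private\r\n"
    "Set-Cookie: PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; path=/\r\n"
    f"Set-Cookie: prefs={_ENCODED}; Path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    '<html><head><meta http-equiv="Cache-Control" content="private">'
    "</head><body>Welcome back</body></html>"
)
# Constructed 'Good' response, modelled on the headers listed above.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store\r\n"
    "Pragma: no-cache\r\nExpires: Mon, 01 Jan 1990 00:00:00 GMT\r\n"
    "Set-Cookie: SID=Nao2mxgho6p9jisslen9v3t6o5f943h; Path=/app; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    '<html><head><meta http-equiv="Cache-Control" content="no-cache"></head></html>'
)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines)]
    return status, headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def _in_future(date_text, days=0):
    # True if date_text parses and lies more than `days` ahead; an
    # unparsable value such as 'Expires: 0' counts as already expired.
    try:
        when = parsedate_to_datetime(date_text)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc) + timedelta(days=days)


def cache_findings(headers, body):
    """Flag cache directives (headers and meta tags) that permit caching."""
    findings = []
    cc = ",".join(header_values(headers, "cache-control")).lower()
    directives = {d.strip() for d in cc.split(",") if d.strip()}
    if not directives:
        findings.append("no Cache-Control header = caching allowed")
    elif not directives & {"no-cache", "no-store"}:
        findings.append("Cache-Control permits caching: " + cc)
    if "no-cache" not in [v.lower() for v in header_values(headers, "pragma")]:
        findings.append("no 'Pragma: no-cache' for HTTP/1.0 caches")
    expires = header_values(headers, "expires")
    if not expires:
        findings.append("no Expires header")
    elif _in_future(expires[0]):
        findings.append("Expires is in the future: " + expires[0])
    for tag in re.findall(r"<meta[^>]*>", body, re.I):
        if re.search(r'http-equiv=["\']?cache-control', tag, re.I):
            m = re.search(r'content=["\']?([^"\'>]+)', tag, re.I)
            if not m or not re.search(r"no-(cache|store)", m.group(1), re.I):
                findings.append("meta Cache-Control allows caching: " + (m.group(1).lower() if m else ""))
    return findings


def cookie_findings(headers):
    """Per-cookie issues for the attributes listed on slide 93."""
    result = {}
    for raw in header_values(headers, "set-cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {k.strip().lower(): v.strip()
                 for k, _, v in (p.partition("=") for p in parts[1:])}
        issues = []
        if "secure" not in attrs:
            issues.append("Secure not set: sent over plain HTTP")
        if "httponly" not in attrs:
            issues.append("HttpOnly not set: readable from JavaScript")
        if attrs.get("path", "/") == "/":
            issues.append("Path is /: check whether a sub-application path fits")
        if "expires" in attrs and _in_future(attrs["expires"], days=30):
            issues.append("Expires more than 30 days ahead")
        result[name] = issues
    return result


def decode_if_base64(value):
    """Return the decoded text when value is valid base64 of printable ASCII."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None
```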
95. Manually check when verifying credentials during pre-engagement:
Login and analyse the Session ID cookie (i.e. PHPSESSID)
Good:
Before: 10a966616e8ed63f7a9b741f80e65e3c
After: Nao2mxgho6p9jisslen9v3t6o5f943h
Bad (normal + by default):
Before: 10a966616e8ed63f7a9b741f80e65e3c
After: 10a966616e8ed63f7a9b741f80e65e3c
IMPORTANT: You can also set the session ID via JavaScript (i.e. XSS)
96. Session ID:
• In URL
• In POST
• In HTML
Example from the field:
http://target.com/xxx/xyz.function?session_num=7785
Look at unauthenticated cross-site requests:
http://other-site.com/user=3&report=4
Referer: site.com
Change ids in application: (ids you have permission for!)
http://site.com/view_doc=4
98. Review JavaScript code on the page:
<script>
document.write("Site is at: " + document.location.href + ".");
</script>
Sometimes active testing possible in your browser
(no trip to server = not an attack = not logged):
http://target.com/...#vulnerable_param=xss
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
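A static first pass over inline scripts for the DOM XSS pattern shown above (a location-derived source reaching an HTML-writing sink), as an added example that is neither OWTF code nor the linked post's; the page and the source/sink lists are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed page: script 1 is the slide's document.write example, script 2
# uses a source but a text-only sink, script 3 feeds document.URL into innerHTML.
SAMPLE_PAGE = """<html><body><div id="out"></div>
<script>
document.write("Site is at: " + document.location.href + ".");
</script>
<script>
var lang = location.hash.slice(1);
document.getElementById("out").textContent = lang;
</script>
<script>
var q = decodeURIComponent(document.URL.split("?")[1] || "");
document.getElementById("out").innerHTML = q;
</script>
</body></html>"""

# Assumed lists: attacker-influenced sources and sinks that interpret HTML or JS.
SOURCES = {
    "document.location": r"document\.location\b",
    "location.hash/search/href": r"\blocation\.(hash|search|href)\b",
    "document.URL": r"document\.URL\b",
    "document.referrer": r"document\.referrer\b",
    "window.name": r"window\.name\b",
}
SINKS = {
    "document.write": r"document\.write(ln)?\s*\(",
    "innerHTML": r"\.(inner|outer)HTML\s*=[^=]",
    "eval": r"\beval\s*\(",
    "setTimeout/setInterval": r"\bset(Timeout|Interval)\s*\(",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\(",
}


class ScriptCollector(HTMLParser):
    """Collect the body of every inline <script> (external src is skipped)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def review_scripts(html):
    """One entry per inline script: sources, sinks, and whether both occur
    (a candidate for manual data-flow review, not a confirmed bug)."""
    parser = ScriptCollector()
    parser.feed(html)
    report = []
    for idx, js in enumerate(parser.scripts):
        sources = [name for name, pat in SOURCES.items() if re.search(pat, js)]
        sinks = [name for name, pat in SINKS.items() if re.search(pat, js)]
        report.append({"script": idx, "sources": sources, "sinks": sinks,
                       "review": bool(sources and sinks)})
    return report
```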
101. 1. Browse Site
2. Time requests
3. Get top X slowest requests
4. Slowest = Best DoS target
102. Google searches: inurl:wsdl site:example.com
Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/
103. WSDL analysis
Sensitive methods in WSDL?
i.e. Download DB, Test DB, Get CC, etc.
http://www.example.com/ws/FindIP.asmx?WSDL
<wsdl:operation name="getCreditCard" parameterOrder="id">
<wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
<wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
</wsdl:operation>
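An offline WSDL review for the sensitive-method question above, as an added example (not OWTF code): operation names are split into words and matched against an assumed keyword list; the WSDL is constructed around the getCreditCard operation shown.

```python
import re
import xml.etree.ElementTree as ET

# Constructed WSDL fragment modelled on the slide-103 example. Parse only files
# you fetched yourself: ElementTree is not hardened against hostile XML, so
# use defusedxml for untrusted input.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:impl="urn:example">
  <wsdl:portType name="FindIPSoap">
    <wsdl:operation name="findIP" parameterOrder="host">
      <wsdl:input message="impl:findIPRequest" name="findIPRequest"/>
      <wsdl:output message="impl:findIPResponse" name="findIPResponse"/>
    </wsdl:operation>
    <wsdl:operation name="getCreditCard" parameterOrder="id">
      <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
      <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
    </wsdl:operation>
    <wsdl:operation name="downloadDatabaseBackup"/>
    <wsdl:operation name="testDbConnection"/>
  </wsdl:portType>
</wsdl:definitions>"""

# Assumed keyword list, built from the slide's 'Download DB, Test DB, Get CC' hints.
SENSITIVE_WORDS = {"credit", "card", "cc", "download", "db", "database", "backup",
                   "test", "debug", "password", "admin", "delete", "dump"}


def split_words(name):
    """'getCreditCard' -> ['get', 'credit', 'card']; underscores are dropped too."""
    return [w.lower() for w in re.findall(r"[A-Z]?[a-z]+|[A-Z]+|\d+", name)]


def operations(wsdl_text):
    """Operation names in document order, ignoring namespace prefixes and duplicates."""
    names = []
    for el in ET.fromstring(wsdl_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "operation" and el.get("name"):
            if el.get("name") not in names:
                names.append(el.get("name"))
    return names


def sensitive_operations(wsdl_text):
    """Map each operation name to the sensitive words found in it."""
    flagged = {}
    for op in operations(wsdl_text):
        hits = [w for w in split_words(op) if w in SENSITIVE_WORDS]
        if hits:
            flagged[op] = hits
    return flagged
```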
104. Same Origin Policy (SOP) 101
1. Domain A’s page can send a request to Domain B’s page from Browser
2. BUT Domain A’s page cannot read Domain B’s page from Browser
http://www.ibm.com/developerworks/rational/library/09/rationalapplicationdeveloperportaltoolkit3/
105. • Request predictable = Pwned (“..can send a request to Domain B”, SOP)
CSRF Protection 101:
• Require long random token (99% hidden anti-CSRF token) = Not predictable
• Attacker cannot read the token from Domain B (SOP) = Domain B ignores request
Potentially Good: Anti-CSRF token present (verify with permission)
Bad: No anti-CSRF token
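The autocomplete check from slide 80 and the anti-CSRF token check from slide 105, as one added offline example (not OWTF code) run over constructed HTML; the token length and entropy thresholds are assumptions.

```python
import math
from collections import Counter
from html.parser import HTMLParser

# Constructed HTML: a 'Bad' login form like the slide-80 example and a
# 'Potentially Good' form with autocomplete off and a hidden token.
SAMPLE_HTML = """
<form action="/user/login" method="post">
  <input type="text" name="name" />
  <input type="password" name="pass" />
  <input type="hidden" name="op" value="login" />
</form>
<form action="/account/transfer" method="post" autocomplete="off">
  <input type="text" name="to" />
  <input type="hidden" name="csrf_token" value="9f1c2e7b4a8d03e65c71b2f4e9a0d8c3" />
  <input type="submit" value="Send" />
</form>
"""

# Assumed thresholds: a hidden value at least this long with at least this much
# estimated entropy is treated as a candidate token (to be verified with permission).
MIN_TOKEN_LEN, MIN_TOKEN_BITS = 16, 48


class FormCollector(HTMLParser):
    """Collect each <form> with its attributes and the attributes of its <input>s."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"attrs": a, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def estimated_bits(value):
    """Shannon entropy estimate of the whole string, in bits."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) * n


def is_token_candidate(inp):
    v = inp.get("value", "")
    return (inp.get("type", "").lower() == "hidden" and len(v) >= MIN_TOKEN_LEN
            and estimated_bits(v) >= MIN_TOKEN_BITS)


def review_form(form):
    findings = []
    pw = [i for i in form["inputs"] if i.get("type", "").lower() == "password"]
    if pw:
        on_form = form["attrs"].get("autocomplete", "").lower() == "off"
        on_inputs = all(i.get("autocomplete", "").lower() == "off" for i in pw)
        if not (on_form or on_inputs):
            findings.append("autocomplete not disabled on password field")
    if form["attrs"].get("method", "get").lower() == "post":
        if any(is_token_candidate(i) for i in form["inputs"]):
            findings.append("anti-CSRF token present: verify with permission")
        else:
            findings.append("no anti-CSRF token")
    return findings


def review_html(html):
    """Map each form action to its findings."""
    parser = FormCollector()
    parser.feed(html)
    return {f["attrs"].get("action", ""): review_form(f) for f in parser.forms}
```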
106. Similar to CSRF:
Is there an anti-replay token in the request?
Potentially Good: Anti-CSRF token present (verify with permission)
Bad: No anti-CSRF token
110. Active testing ☺
1) Trip to server = need permission
http://target.com/test.swf?xss=foo&xss2=bar
2) But … your browser is yours:
No trip to server = no permission needed
http://target.com/test.swf#xss=foo&xss2=bar (the ? replaced with #)
Good news: Unlike DOM XSS, the # trick will always work for Flash Files
111. Some technologies allow settings that relax SOP:
• Adobe Flash (via policy file)
• Microsoft Silverlight (via policy file)
• HTML 5 Cross Origin Resource Sharing (via HTTP headers)
Cheating: Reading the policy file or HTTP headers != attack
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
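An offline review of two of the SOP-relaxing settings above, a Flash crossdomain.xml policy and CORS response headers, as an added example (not OWTF code); the policy file and header values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, overly permissive crossdomain.xml (not from any real site).
SAMPLE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.partner.example"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""


def crossdomain_findings(policy_xml):
    """Findings for a Flash cross-domain policy file. Parse only files you fetched
    yourself; ElementTree is not hardened against hostile XML (use defusedxml)."""
    root = ET.fromstring(policy_xml)
    findings = []
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control 'all': any policy file on the host is honoured")
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from *: any site can read responses with the user's cookies")
        elif domain.startswith("*."):
            findings.append(f"wildcard domain {domain}: every subdomain is trusted")
        if el.get("secure", "true").lower() == "false":
            findings.append(f"secure=false for {domain}: plain-HTTP origins may read HTTPS content")
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append(f"any origin may send request headers: {el.get('headers')}")
    return findings


def cors_findings(headers):
    """headers: dict of response header name -> value (names matched case-insensitively)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings
    if acao == "*":
        findings.append("ACAO *: any origin can read this response (acceptable only for public data)")
        if creds:
            findings.append("ACAO * with credentials=true: browsers reject this; the server config is confused")
    elif acao == "null":
        findings.append("ACAO null: sandboxed iframes and file:// pages match 'null'")
    elif creds:
        findings.append(f"credentialed access for {acao}: confirm it is an allowlist, not an echoed Origin")
    return findings
```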
118. Andrew Horton’s “Clickjacking for Shells”:
http://www.morningstarsecurity.com/research/clickjacking-wordpress
Krzysztof Kotowicz’s “Something Wicked this way comes”:
http://www.slideshare.net/kkotowicz/html5-something-wicked-this-way-comes-hackpra
https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
Marcus Niemietz’s “UI Redressing and Clickjacking”:
http://www.slideshare.net/DefconRussia/marcus-niemietz-ui-redressing-and-clickjacking-about-click-fraud-and-data-theft
120. Business Conclusion
• Web app security > Input validation
• We see no traffic != we are not targeted
• No IDS alerts != we are safe
• Your site can be tested without you noticing
• Test your security before others do
121. Pen tester Conclusion
• No permission != cannot start
• A lot of work can be done in advance
This work in advance helps with:
• Increased efficiency
• Deal better with tight deadlines
• Better pre-engagement
• Better test quality
• Best chance to get in
122. Bottom line
Do not wait for “Tool X” or Permission
Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
123. Bottom line
Try harder!
Benedikt Magnusson - 1015lbs / 461kg World Record Deadlift
2nd April 2011
124. Special thanks to
Adi Mutu (@am06), Krzysztof Kotowicz (@kkotowicz),
Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz),
Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci)
OWASP Testing Guide contributors
Finux Tech Weekly – Episode 17 – mins 31-49
http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3
Finux Tech Weekly – Episode 12 – mins 33-38
http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3
http://www.finux.co.uk/episodes/ogg/FTW-EP12.ogg
Exotic Liability – Episode 83 – mins 49-53
http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah
125. Q&A
Abraham Aranguren
@7a_ @owtfp
abraham.aranguren@gmail.com
http://7-a.org
http://owtf.org
Project Site (links to everything): http://owtf.org
• Try OWTF: https://github.com/7a/owtf/tree/master/releases
• Try a demo report: https://github.com/7a/owtf/tree/master/demos
• Documentation: https://github.com/7a/owtf/tree/master/readme
• Contribute: https://github.com/7a/owtf