As shown at BSides Charm in Baltimore on April 23, here is my presentation on how a hacker looks at a web site, or it can also be seen as a checklist for a web application pentest. Feedback appreciated at plaverty9
8. What Is A Hacker Looking For?
Not all that much…
9. What Is A Hacker Looking For?
• URL Parameters
• Data Inputs
• 3rd Party Content
• Robots.txt
• Redirects
• Cookies
• Session Data
• Administrator Area/CSRF
• HTML Source Comments
• Weak Passwords
• Weak/Broken SSL
• Old Versions of Site
• Lack of Data Sanitization
• File Uploads
• Business Logic Flaws
• CMS Frameworks
• Company Phone Book
• Company Org Chart
• OSINT
• Outdated Operating System
• Unlocked/Open DNS
• Unnecessary Services
26. Robots.txt
• Intended to guide search engines
• Show directories/files to not index - Why?
• What will attackers look for?
Mitigation Ideas:
• Auto-ban at the WAF any client that requests the disallowed paths
• Spider Trap (Ethan Robish)
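The two mitigation ideas above can be turned into a simple detection. The script below is an added example, not part of the presentation: it reads the Disallow entries from a constructed robots.txt (one of which, `/private-admin/`, is a decoy that nothing links to) and then walks constructed Common Log Format access-log lines to find the client addresses that requested those paths. The resulting list is what an automated WAF ban rule would act on; the log format, the decoy path and the addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed robots.txt: /private-admin/ is a decoy (spider trap) that is
# linked from nowhere, so only something reading robots.txt would request it.
ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /private-admin/
Allow: /
"""

# Constructed access-log lines in Common Log Format (RFC 5737 test addresses).
ACCESS_LOG = """\
203.0.113.7 - - [23/Apr/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [23/Apr/2016:10:01:03 +0000] "GET /robots.txt HTTP/1.1" 200 80
203.0.113.7 - - [23/Apr/2016:10:01:04 +0000] "GET /private-admin/ HTTP/1.1" 404 120
198.51.100.4 - - [23/Apr/2016:10:02:00 +0000] "GET /about HTTP/1.1" 200 900
198.51.100.4 - - [23/Apr/2016:10:02:01 +0000] "GET /cgi-bin/test.cgi?x=1 HTTP/1.1" 404 120
192.0.2.9 - - [23/Apr/2016:10:03:00 +0000] "GET /contact HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_disallowed(robots_txt):
    """Return the Disallow prefixes that apply to 'User-agent: *'."""
    prefixes = []
    applies = False
    for raw in robots_txt.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(':')
        key, value = key.strip().lower(), value.strip()
        if key == 'user-agent':
            applies = (value == '*')
        elif key == 'disallow' and applies and value:
            prefixes.append(value)
    return prefixes


def trap_hits(log_text, disallowed):
    """Map client IP -> sorted list of disallowed prefixes it requested."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # skip lines that are not CLF
        path = m.group('path').split('?', 1)[0]   # ignore the query string
        for prefix in disallowed:
            if path.startswith(prefix):
                hits[m.group('ip')].add(prefix)
    return {ip: sorted(p) for ip, p in hits.items()}


if __name__ == '__main__':
    blocked = parse_disallowed(ROBOTS_TXT)
    for ip, prefixes in trap_hits(ACCESS_LOG, blocked).items():
        print(f'candidate for WAF ban: {ip} requested {prefixes}')
```

Only the decoy entry is safe to ban on automatically; a real `Disallow` path may still be reached by legitimate users through normal links, so in practice the ban rule should key on the spider-trap path alone and the other hits should only be logged.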
32. Cookies & Session Data
Use a plugin!
• Firefox: Cookie Manager, Edit Cookies
• Chrome: Edit this Cookie, Cookies – app for Chrome
• Safari: SafariCookieEditor
• Use a Proxy: Burp, ZAP
• Do it manually!
33. Cookies & Session Data
• Session replays
• Authentication Bypass
• Secure flag set?
• https://www.owasp.org/index.php/SecureFlag
• Ars Technica: “Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass” – 5/26/14
• https://zyan.scripts.mit.edu/blog/wordpress-fail/
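The "Secure flag set?" question is easy to automate from the `Set-Cookie` headers a site returns. The following is an added example (not from the presentation) that parses constructed `Set-Cookie` values and reports cookies that lack the Secure flag; it goes slightly beyond the slide by also checking HttpOnly and SameSite, the two other attributes that decide whether a session cookie can be read by script or attached to cross-site requests. Cookie names and values are made up for the example.

```python
# Constructed Set-Cookie header values, as a server might return them on an
# HTTPS response; names and values are made up for this example.
SET_COOKIE_HEADERS = [
    "PHPSESSID=a1b2c3d4; Path=/",
    "auth_token=user%7C1400000000%7Cdeadbeef; Path=/; HttpOnly",
    "csrftoken=x9y8z7; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(';') if p.strip()]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip()   # flag attributes map to ''
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, served_over_https=True):
    """Return [(cookie_name, [issue, ...])] for cookies missing protections."""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        issues = []
        if served_over_https and 'secure' not in attrs:
            issues.append('no Secure flag: browser will also send it over plain HTTP')
        if 'httponly' not in attrs:
            issues.append('no HttpOnly flag: readable by script in the page (XSS)')
        if attrs.get('samesite', '').lower() not in ('lax', 'strict'):
            issues.append('SameSite not Lax/Strict: attached to cross-site requests (CSRF)')
        if issues:
            findings.append((name, issues))
    return findings


if __name__ == '__main__':
    for name, issues in audit_cookies(SET_COOKIE_HEADERS):
        print(name)
        for issue in issues:
            print('  -', issue)
```

The missing Secure flag is exactly the condition in the WordPress article linked above: an authentication cookie without it is transmitted in the clear the moment the browser follows any plain-HTTP link to the same host.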
38. Weak/Default Passwords
• Try default passwords: http://www.cirt.net/passwords
• Try from the large dumps: https://wiki.skullsecurity.org/Passwords
• http://resources.infosecinstitute.com/10-popular-password-cracking-tools/
• Also bundled in favorite distros (e.g. Kali)
Password Re-use
• How you doin’, Ashley Madison?
• AM Top 100: http://arstechnica.com/security/2015/09/new-stats-show-ashley-madison-passwords-are-just-as-weak-as-all-the-rest/
39. Weak/Broken Secure Communications
• Outdated SSL can be broken (http://www.poodletest.com)
• Every secure page must be served via SSL (SSLStrip?)
• Files requiring authentication must force authentication
40. Old Versions of Site
Custom file extensions: .old, .bak, .tmp, .svn, .tar, .gz, .git
Example: index.php.old
Source: (Tim Medin) http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
41. File Uploads
• Usually intended to upload attachments, images, etc.
• Specific file type intended
Problems:
• Other file types allowed?
• Executable file types?
• End user control where file goes?
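Each of the three problems above maps to one check in an upload handler. The function below is an added example, not code from the presentation: it allowlists the extension, bounds the size, verifies that the leading bytes match the declared type (so PHP source renamed to `.png` is rejected), and lets the server rather than the user choose the stored file name, which removes any control over where the file lands. The allowed types, size limit and constructed sample uploads are assumptions for the example.

```python
import posixpath
import secrets

# Allowed types with the leading bytes ("magic") a genuine file of that type
# starts with; the extension alone proves nothing about the content.
ALLOWED_TYPES = {
    'png':  b'\x89PNG\r\n\x1a\n',
    'jpg':  b'\xff\xd8\xff',
    'jpeg': b'\xff\xd8\xff',
    'pdf':  b'%PDF-',
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def validate_upload(client_filename, data):
    """Return (accepted, reason, storage_name); storage_name is server-chosen."""
    # 1. Discard any path components the client supplied; only the last segment matters.
    base = posixpath.basename(client_filename.replace('\\', '/'))
    ext = base.rsplit('.', 1)[1].lower() if '.' in base else ''
    # 2. Allowlist the extension (the last one, so name.php.png is judged as png).
    if ext not in ALLOWED_TYPES:
        return False, f'extension {ext!r} not allowed', None
    # 3. Bound the size before looking at the content.
    if len(data) > MAX_UPLOAD_BYTES:
        return False, 'file too large', None
    # 4. The bytes must match the declared type, so script source named .png fails.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, 'content does not match declared type', None
    # 5. The server, not the user, decides the stored name and therefore the location.
    return True, 'ok', f'{secrets.token_hex(16)}.{ext}'


# Constructed uploads exercising each check.
PNG_BYTES = b'\x89PNG\r\n\x1a\n' + b'\x00' * 32
SAMPLE_UPLOADS = [
    ('cat.png', PNG_BYTES),
    ('shell.php', b'<?php echo 1; ?>'),
    ('shell.php.png', b'<?php echo 1; ?>'),
    ('../../outside/webroot.png', PNG_BYTES),
]

if __name__ == '__main__':
    for name, data in SAMPLE_UPLOADS:
        print(name, '->', validate_upload(name, data)[:2])
```

Accepted files should still be written to a directory the web server does not execute from and served back through a handler that sets the content type itself; the magic-byte check rejects the obvious mismatches but is not a proof that the file is harmless.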
42. Business Logic Flaws
• Not scannable
• Know how site should work
• Usually due to unvalidated user input
43. CMS Frameworks
• WordPress, Drupal, Joomla
• Set it and forget it
• Easy to set up, requires frequent maintenance/updates
• Plugins/modules/custom code
• Templates/themes
• DRUPALGEDDON! https://www.drupal.org/SA-CORE-2014-005
44. Company/Employee Information
• Phone book
• Organizational Chart
• OSINT (Open Source INTelligence)
• Facebook/Twitter/Blogs/Cat pages
• Maltego
• Social Engineering!
46. Outdated Operating System
• Exploit-DB (exploit-db.com)
• CVE Details (cvedetails.com)
• Specific to software (e.g. Joomla security)
• Many others!
47. DNS Hijacking
Set locks at two levels:
• Client
  • ClientTransferProhibited
  • ClientDeleteProhibited
  • ClientUpdateProhibited
• Server
  • ServerTransferProhibited
  • ServerDeleteProhibited
  • ServerUpdateProhibited
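Whether those six locks are actually in place can be read from the domain's WHOIS record, which lists each active EPP status on a `Domain Status:` line. The script below is an added example, not part of the presentation: it parses a constructed WHOIS response for a reserved example name and reports which client-level and server-level locks are missing. It assumes the common `Domain Status: <code> <url>` line format; registrars vary in how they print WHOIS, and RDAP output uses different status names, so the regex is the assumption to adapt.

```python
import re

# EPP status codes from the slide, grouped by the level that sets them.
CLIENT_LOCKS = {'clientTransferProhibited', 'clientDeleteProhibited', 'clientUpdateProhibited'}
SERVER_LOCKS = {'serverTransferProhibited', 'serverDeleteProhibited', 'serverUpdateProhibited'}

# Constructed WHOIS output for a reserved example name; only two client locks are on.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE.COM
"""

STATUS_RE = re.compile(r'^\s*Domain Status:\s*(\S+)', re.IGNORECASE | re.MULTILINE)


def domain_statuses(whois_text):
    """Set of EPP status codes present in the WHOIS text."""
    return set(STATUS_RE.findall(whois_text))


def missing_locks(whois_text):
    """Which of the six locks are absent, grouped by level."""
    present = domain_statuses(whois_text)
    return {
        'client': sorted(CLIENT_LOCKS - present),
        'server': sorted(SERVER_LOCKS - present),
    }


def fully_locked(whois_text):
    """True only when every client-level and server-level lock is set."""
    gaps = missing_locks(whois_text)
    return not gaps['client'] and not gaps['server']


if __name__ == '__main__':
    for level, gaps in missing_locks(SAMPLE_WHOIS).items():
        print(f'{level}-level locks missing: {gaps or "none"}')
```

Client-level locks can be toggled by whoever holds the registrar account, which is exactly what a hijacker takes over; the server-level locks are the ones that survive a compromised registrar login, so a check that only looks for `clientTransferProhibited` gives false comfort.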