SlideShare a Scribd company logo

Legal and efficient web app testing without permission

Abraham Aranguren
Abraham Aranguren

Demos here: http://owtf.org. Live demos link will be published when available!

TechnologyDesign
1 of 129
Download to read offline
Legal And Efficient Web App Testing Without Permission HackPra, April 11th 2012 Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org
Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion • Q&A
About me • Spanish dude • Uni: Degree, InfoSec research + honour mark • IT: Since 2000, defensive sec as netadmin / developer • (Offensive) InfoSec: Since 2007 • OSCP, CISSP, GWEB, CEH, MCSE, etc. • Web App Sec and Dev/Architect • Infosec consultant, blogger, OWTF, GIAC, BeEF
The pen testing problem http://scottthong.wordpress.com
Attacker Tactics From “Open Source Information Gathering” by Chris Gates, Brucon 2009 http://carnal0wnage.attackresearch.com/
Pentester disadvantage Pentesters vs Bad guys • Pentesters have time/scope constraints != Bad guys • Pentesters have to write a report != Bad guys Complexity is increasing More complexity = more time needed to test properly Customers are rarely willing to: “Pay for enough / reasonable testing time“ A call for efficiency: • We must find vulns faster • We must be more efficient • .. or bad guys will find the vulns, not us
Can we learn from history? Has this Huge disadvantage problem been solved before?
Ancient “Top Attackers” Individually outstanding due to: • Artificial selection: Babies killed if “defective” (!) • Military training (“Agoge”): Ages 7-18 • Final test: Survive in the countryside with only a knife • Spartan Law: No retreat, No surrender (i.e. victory or death) Globally outstanding due to solid tactic: “Hoplite phalanx” • Shield wall + Spear points • Frontally very strong + used successfully for centuries http://scottthong.wordpress.com / http://en.wikipedia.org/wiki/Sparta
How would you beat them? How could a room full of (sedentary? ☺) Geeks beat a room full of Spartans? Ok, more realistic scenario ☺: • Your troops must fight the Spartans • You have the same number of soldiers • Your soldiers are not that great • How can you WIN?
Ancient “Pentest Cheating” Battle of Lechaeum: Spartans defeated by “lamers”! Tactic “Cheating”: • Don’t fight, thow things!: Javelins + bows = Athenians WON • Phalanx weak against: “shooters”, cavalry, flank/back attacks http://www.ancientgreekbattles.net / http://en.wikipedia.org/wiki/Phalanx_formation / http://en.wikipedia.org/wiki/Battle_of_Lechaeum
Why not take this to the next level? Why not legitimately? • Shoot “before the battle” without permission • Shoot while we analyse information in parallel • Prepare more shootings without being noticed
A Pentester “cheating try” Offensive (Web) Testing Framework = Multi-level “cheating” tactics
OWTF Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
OWTF Plugin Groups
OWTF > Web: Aux Plugins Metasploit-like automation for external tools, custom tests and more
OWTF “Cheating”: Talk Scope At least 48.5% (32 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺ * This is only my interpretation and not that of my employer + might not apply to your country!
Classic Pentest Stages 1. Pre-engagement: No permission “OWTF Cheat tactics” = Start here 2. Engagement: Permission Official test start = Active Testing here
OWTF 101 Step 1- Run it Pre-engagement safe CLI OWTF options without permission o owtf.py –t passive http://target.com o owtf.py –t semi_passive http://target.com  semi_passive + grep o owtf.py –t quiet http://target.com  passive + semi_passive + grep
OWTF 101 (cont.) Step 2- Human Analysis in parallel Pentester all-out “cheating” via OWTF continuous reporting: • Pentester works on the report interface • Start human analysis from “minute 1”: No “waiting until X for scan to finish” • Tools run in background via OWTF: No tool babysitting + No wasted energy • Refresh report for newer results • The human and the tools complement each other: “Fighting together as a team”
Context consideration: Case 1 robots.txt Not Found …should Google index a site like this? Or should robots.txt exist and be like this? User-agent: * Disallow: /
Case 1 robots.txt Not Found - Semi passive • Direct request for robots.txt • Without visiting entries
Case 2 robots.txt Found – Passive • Indirect Stats, Downloaded txt file for review, “Open All in Tabs”
OWTF HTML Filter challenge: Embedding of untrusted third party HTML Defence layers: 1) HTML Filter: Open source challenge Filter 6 unchallenged since 04/02/2012, Can you hack it? ☺ http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html 2) HTML 5 sanboxed iframe 3) Storage in another directory = cannot access OWTF Review in localStorage
Start reporting!: Take your notes with fancy formatting Step 1 – Click the “Edit” link Step 2 – Start documenting findings + Ensure preview is ok
Start reporting!: Paste PoC screenshots
The magic bar ;) – Useful to generate the human report later
Passive Plugin Step 1- Browse output files to review the full raw tool output: Step 2 – Review tools run by the passive Search engine discovery plugin: Was your favourite tool not run? Tell OWTF to run your tools on: owtf_dir/profiles/resources/default.cfg (backup first!)
Tool output can also be reviewed via clicking through the OWTF report directly:
The Harvester: •Emails •Employee Names •Subdomains •Hostnames http://www.edge-security.com/theHarvester.php
Metadata analysis: • TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺) • Implemented: Integration with Metagoofil http://www.edge-security.com/metagoofil.php
Inbound proxy not stable yet but all this happens automatically: • robots.txt entries added to “Potential URLs” • URLs found by tools are scraped + added to “Potential URLs” During Active testing (later): • “Potential URLs” visited + added to “Verified URLs” + Transaction log
All HTTP transactions logged by target in transaction log Step 1 – Click on “Transaction Log” Step 2 – Review transaction entries
Step 3 – Review raw transaction information (if desired)
Step 1 - Make all direct OWTF requests go through Outbound Proxy: Passes all entry points to the tactical fuzzer for analysis later Step 2 - Entry points can then also be analysed via tactical fuzzer:
Goal: What is that server running? Manually verify request for fingerprint:
Whatweb integration with non-aggresive parameter (semi passive detection): https://github.com/urbanadventurer/WhatWeb
Fingerprint header analysis: Match stats
Convenient vulnerability search box (1 box per header found ☺): Search All Open all site searches in tabs
Exploit DB - http://www.exploit-db.com
NVD - http://web.nvd.nist.gov - CVSS Score = High
OSVDB - http://osvdb.org - CVSS Score = High
http://www.securityfocus.com - Better on Google
http://www.exploitsearch.net - All in one
Passive Fingerprint analysis
http://toolbar.netcraft.com - Passive banner grab,etc.
•CMS •Widgets •Libraries •etc http://builtwith.com
Search in the headers without touching the site: http://www.shodanhq.com/
Passive suggestions - Prepare your test in a terminal window to hit “Enter” on “permission minute 1”
What else can be done with a fingerprint?
Environment replication Download it .. Sometimes from project page ☺ Also check http://www.oldapps.com/, Google, etc.
Static Analyis, Fuzz, Try exploits, .. RIPS for PHP: http://rips-scanner.sourceforge.net/ Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
http://www.robtex.com - Passive DNS Discovery
http://whois.domaintools.com
http://centralops.net
http://centralops.net
Has Google found error messages for you?
Check errors via Google Cache
The link is generated with OWTF with that box ticked: Important! https://www.ssllabs.com/ssldb/analyze.html
Pretty graphs to copy-paste to your OWTF report ☺ https://www.ssllabs.com/ssldb/analyze.html
Do not forget about Strict-Transport-Security! sslstrip chances decrease dramatically: Only 1st time user visits the site!
Not found example: Found example:
HTML content analysis: HTML Comments
Efficient HTML content matches analysis Step 1 - Click Step 2 – Human Review of Unique matches
Efficient HTML content matches analysis Step 1 - Click Step 2 –Review Unique matches (click on links for sample match info) Want to see all? then click
HTML content analysis: CSS and JavaScript Comments (/* */)
HTML content analysis: Single line JavaScript Comments (//)
HTML content analysis: PHP source code
HTML content analysis: ASP source code
If you find an admin interface don’t forget to .. Google for default passwords:
Disclaimer: Permission is required for this
http://centralops.net
Is the login page on “http” instead of “https”?
Pro Tip: When browsing the site manually .. … look carefully at pop-ups like this: Consider (i.e. prep the attack): Firesheep: http://codebutler.github.com/firesheep/ SSLStrip: https://github.com/moxie0/sslstrip
Mario was going to report a bug to Mozilla and found another!
Abuse user/member public search functions: • Search for “” (nothing) or “a”, then “b”, .. • Download all the data using 1) + pagination (if any) • Merge the results into a CSV-like format • Import + save as a spreadsheet • Show the spreadsheet to your customer
Analyse the username(s) they gave you to test: • Username based on numbers? USER12345 • Username based on public info? (i.e. names, surnames, ..) name.surname • Default CMS user/pass?
Part 1 – Remember Password: Autocomplete Good Bad Via 1) <form … autocomplete=“off”> <form action="/user/login" Or Via 2) <input … autocomplete=“off”> method="post"> <input type="password" name="pass" />
Manual verification for password autocomplete (i.e. for the customer) Easy “your grandma can do it” test: 1. Login 2. Logout 3. Click the browser Back button twice* 4. Can you login again –without typing the login or password- by re- sending the login form? Can the user re-submit the login form via the back button? * Until the login form submission Other sensitive fields: Pentester manual verification • Credit card fields • Password hint fields • Other
Part 2 - Password Reset forms Manually look at the questions / fields in the password reset form • Does it let you specify your email address? • Is it based on public info? (name, surname, etc) • Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
Goal: Is Caching of sensitive info allowed? Manual verification steps: “your grandma can do it” ☺ (need login): 1. Login 2. Logout 3. Click the browser Back button 4. Do you see logged in content or a this page has expired error / the login page? Manual analysis tools: • Commands: curl –i http://target.com • Proxy: Burp, ZAP, WebScarab, etc • Browser Plugins: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/ https://addons.mozilla.org/en-US/firefox/addon/firebug/
HTTP/1.1 headers Good Bad Cache-Control: no-cache Cache-control: private HTTP/1.0 headers Good Bad Pragma: no-cache Pragma: private Expires: <past date or illegal (e.g. 0)> Expires: <way too far in the future> The world Good Bad https://accounts.google.com No caching headers = caching allowed Cache-control: no-cache, no-store HTTP/1.1 200 OK Pragma: no-cache Date: Tue, 09 Aug 2011 13:38:43 GMT Expires: Mon, 01-Jan-1990 00:00:00 GMT Server: …. X-Powered-By: …. Connection: close Content-Type: text/html; charset=UTF-8
Repeat for Meta tags Good Bad <META HTTP-EQUIV="Cache-Control" <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache"> CONTENT=“private">
Step 1 – Find CAPTCHAs: Passive search
Offline Manual analysis: • Download image and try to break it • Are CAPTCHAs reused? • Is a hash or token passed? (Good algorithm? Predictable?) • Look for vulns on CAPTCHA version CAPTCHA breaking tools PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha Captcha Breaker - http://churchturing.org/captcha-dist/
Manually Examine cookies for weaknesses offline Base64 Encoding (!= Encryption ☺) Decoded value MTkyLjE2OC4xMDAuMTpvd2FzcHVzZ owaspuser:192.168.100.1: XI6cGFzc3dvcmQ6MTU6NTg= a7656fafe94dae72b1e1487670148412
http://hackvertor.co.uk/public
Lots of decode options, including: • auto_decode • auto_decode_repeat • d_base64 • etc. http://hackvertor.co.uk/public
F5 BIG-IP Cookie decoder: http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
• Secure: not set= session cookie leaked= pwned • HttpOnly: not set = cookies stealable via JS • Domain: set properly • Expires: set reasonably • Path: set to the right /sub-application • 1 session cookie that works is enough ..
Manually check when verifying credentials during pre-engagement: Login and analyse the Session ID cookie (i.e. PHPSESSID) Good Bad (normal + by default) Before: 10a966616e8ed63f7a9b741f80e65e3c Before: 10a966616e8ed63f7a9b741f80e65e3c After: Nao2mxgho6p9jisslen9v3t6o5f943h After: 10a966616e8ed63f7a9b741f80e65e3c IMPORTANT: You can also set the session ID via JavaScript (i.e. XSS)
Session ID: • In URL • In POST • In HTML Example from the field: http://target.com/xxx/xyz.function?session_num=7785 Look at unauthenticated cross-site requests: http://other-site.com/user=3&report=4 Referer: site.com Change ids in application: (ids you have permission for!) http://site.com/view_doc=4
Headers Enabling/Disabling Client-Side XSS filters: • X-XSS-Protection (IE-Only) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
Review JavaScript code on the page: <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): http://target.com/...#vulnerable_param=xss http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
Did Google find SQLi for you?
<!--#exec cmd="/bin/ls /" --> <!--#INCLUDE VIRTUAL="/web.config"-->
1. Browse Site 2. Time requests 3. Get top X slowest requests 4. Slowest = Best DoS target
Google searches: inurl:wsdl site:example.com Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/
WSDL analysis Sensitive methods in WSDL? i.e. Download DB, Test DB, Get CC, etc. http://www.example.com/ws/FindIP.asmx?WSDL <wsdl:operation name="getCreditCard" parameterOrder="id"> <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/> <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/> </wsdl:operation>
Same Origin Policy (SOP) 101 1. Domain A’s page can send a request to Domain B’s page from Browser 2. BUT Domain A’s page cannot read Domain B’s page from Browser http://www.ibm.com/developerworks/rational/library/09/rationalapplicationdeveloperportaltoolkit3/
• Request == Predictable Pwned “..can send a request to Domain B” (SOP) CSRF Protection 101: •Require long random token (99% hidden anti-CSRF token) Not predictable •Attacker cannot read the token from Domain B (SOP) Domain B ignores request Potentially Good Bad Anti-CSRF token present: Verify with permission No anti-CSRF token
Similar to CSRF: Is there an anti-replay token in the request? Potentially Good Bad Anti-CSRF token present: Verify with permission No anti-CSRF token
1) Passive search for Flash/Silverlight files + policies: Flash file search: Silverlight file search:
Static analysis: Download + decompile Flash files $ flare hello.swf Flare: http://www.nowrap.de/flare.html Flasm (timelines, etc): http://www.nowrap.de/flasm.html
Static analysis tools Adobe SWF Investigator http://labs.adobe.com/technologies/swfinvestigator/ SWFScan SWFScan: http://www.brothersoft.com/hp-swfscan-download-253747.html
Active testing ☺ 1) Trip to server = need permission http://target.com/test.swf?xss=foo&xss2=bar 2) But … your browser is yours: No trip to server = no permission needed # http://target.com/test.swf ?xss=foo&xss2=bar Good news: Unlike DOM XSS, the # trick will always work for Flash Files
Some technologies allow settings that relax SOP: • Adobe Flash (via policy file) • Microsoft Silverlight (via policy file) • HTML 5 Cross Origin Resource Sharing (via HTTP headers) Cheating: Reading the policy file or HTTP headers != attack http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
Policy file retrieval for analysis
CSRF by design read tokens = attacker WIN Flash / Silverlight - crossdomain.xml <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> Bad defence example: restrict pushing headers accepted by Flash: All headers from any domain accepted <allow-http-request-headers-from domain="*" headers="*" /> Flash: http://kb2.adobe.com/cps/403/kb403185.html
CSRF by design read tokens = attacker WIN Silverlight - clientaccesspolicy.xml <?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain- access><policy> <allow-from http-request-headers="SOAPAction"> <domain uri="*"/> </allow-from> <grant-to><resource path="/" include-subpaths="true"/></grant-to> </policy></cross-domain-access></access-policy> Silverlight: http://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx
Need help?
UI Redressing protections: • X-Frame-Options (best) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) • JavaScript Frame busting (bypassable sometimes) Good Bad X-Frame-Options: Deny
Andrew Horton’s “Clickjacking for Shells”: http://www.morningstarsecurity.com/research/clickjacking-wordpress Krzysztof Kotowicz’s “Something Wicked this way comes”: http://www.slideshare.net/kkotowicz/html5-something-wicked-this-way-comes- hackpra https://connect.ruhr-uni-bochum.de/p3g2butmrt4/ Marcus Niemietz’s “UI Redressing and Clickjacking”: http://www.slideshare.net/DefconRussia/marcus-niemietz-ui-redressing-and- clickjacking-about-click-fraud-and-data-theft
Too much info? Use the filter to drill to what you care about:
Business Conclusion • Web app security > Input validation • We see no traffic != we are not targeted • No IDS alerts != we are safe • Your site can be tested without you noticing • Test your security before others do
Pen tester Conclusion • No permission != cannot start • A lot of work can be done in advance This work in advance helps with: • Increased efficiency • Deal better with tight deadlines • Better pre-engagement • Better test quality • Best chance to get in
Bottom line Do not wait for “Tool X” or Permission Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
Bottom line Try harder! Benedikt Magnusson - 1015lbs / 461kg World Record Deadlift 2nd April 2011
Special thanks to Adi Mutu (@an_animal), Krzysztof Kotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz), Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci) OWASP Testing Guide contributors Finux Tech Weekly – Episode 17 – mins 31-49 http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3 Finux Tech Weekly – Episode 12 – mins 33-38 http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3 http://www.finux.co.uk/episodes/ogg/FTW-EP12.ogg Exotic Liability – Episode 83 – mins 49-53 http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah
Q&A Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org Project Site (links to everything): http://owtf.org • Try OWTF: https://github.com/7a/owtf/tree/master/releases • Try a demo report: https://github.com/7a/owtf/tree/master/demos • Documentation: https://github.com/7a/owtf/tree/master/readme • Contribute: https://github.com/7a/owtf

Recommended

Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficAbraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 

Recommended

Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficAbraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
Try harder or go home
Try harder or go homeTry harder or go home
Try harder or go homejaredhaight
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?Ciaran McNally
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
BSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to BurpBSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to BurpTiago Mendo
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 lokeshpidawekar
 
The Hacker's Guide To Session Hijacking
The Hacker's Guide To Session HijackingThe Hacker's Guide To Session Hijacking
The Hacker's Guide To Session HijackingPatrycja Wegrzynowicz
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxyRoberto Suggi Liverani
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
Automating to Augment Testing
Automating to Augment TestingAutomating to Augment Testing
Automating to Augment TestingAlan Richardson
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF n|u - The Open Security Community
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3AOE
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 
Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionYury Chemerkin
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 

More Related Content

What's hot

Try harder or go home
Try harder or go homeTry harder or go home
Try harder or go homejaredhaight
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?Ciaran McNally
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
BSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to BurpBSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to BurpTiago Mendo
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 lokeshpidawekar
 
The Hacker's Guide To Session Hijacking
The Hacker's Guide To Session HijackingThe Hacker's Guide To Session Hijacking
The Hacker's Guide To Session HijackingPatrycja Wegrzynowicz
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
Automating to Augment Testing
Automating to Augment TestingAutomating to Augment Testing
Automating to Augment TestingAlan Richardson
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3AOE
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 

What's hot (20)

Try harder or go home
Try harder or go homeTry harder or go home
Try harder or go home
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
BSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to BurpBSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to Burp
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
 
The Hacker's Guide To Session Hijacking
The Hacker's Guide To Session HijackingThe Hacker's Guide To Session Hijacking
The Hacker's Guide To Session Hijacking
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxy
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
 
Automating to Augment Testing
Automating to Augment TestingAutomating to Augment Testing
Automating to Augment Testing
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 

Similar to Legal and efficient web app testing without permission

Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionYury Chemerkin
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Cross-platform logging and analytics
Cross-platform logging and analyticsCross-platform logging and analytics
Cross-platform logging and analyticsDrew Crawford
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugLewis Ardern
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpFelipe Prado
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Devoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsDevoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsBert Jan Schrijver
 
Arnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsArnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsBert Jan Schrijver
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= TOWASP EEE
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Michael Gough
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automationSensePost
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited timebeched
 

Similar to Legal and efficient web app testing without permission (20)

Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permission
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Cross-platform logging and analytics
Cross-platform logging and analyticsCross-platform logging and analytics
Cross-platform logging and analytics
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
OTG-Recon
OTG-ReconOTG-Recon
OTG-Recon
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot web
 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wp
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Devoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsDevoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systems
 
Arnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsArnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systems
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited time
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

Legal and efficient web app testing without permission

  • 1. Legal And Efficient Web App Testing Without Permission HackPra, April 11th 2012 Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org
  • 2. Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion • Q&A
  • 3. About me • Spanish dude • Uni: Degree, InfoSec research + honour mark • IT: Since 2000, defensive sec as netadmin / developer • (Offensive) InfoSec: Since 2007 • OSCP, CISSP, GWEB, CEH, MCSE, etc. • Web App Sec and Dev/Architect • Infosec consultant, blogger, OWTF, GIAC, BeEF
  • 4. The pen testing problem http://scottthong.wordpress.com
  • 5. Attacker Tactics From “Open Source Information Gathering” by Chris Gates, Brucon 2009 http://carnal0wnage.attackresearch.com/
  • 6. Pentester disadvantage Pentesters vs Bad guys • Pentesters have time/scope constraints != Bad guys • Pentesters have to write a report != Bad guys Complexity is increasing More complexity = more time needed to test properly Customers are rarely willing to: “Pay for enough / reasonable testing time“ A call for efficiency: • We must find vulns faster • We must be more efficient • .. or bad guys will find the vulns, not us
  • 7. Can we learn from history? Has this Huge disadvantage problem been solved before?
  • 8. Ancient “Top Attackers” Individually outstanding due to: • Artificial selection: Babies killed if “defective” (!) • Military training (“Agoge”): Ages 7-18 • Final test: Survive in the countryside with only a knife • Spartan Law: No retreat, No surrender (i.e. victory or death) Globally outstanding due to solid tactic: “Hoplite phalanx” • Shield wall + Spear points • Frontally very strong + used successfully for centuries http://scottthong.wordpress.com / http://en.wikipedia.org/wiki/Sparta
  • 9. How would you beat them? How could a room full of (sedentary? ☺) Geeks beat a room full of Spartans? Ok, more realistic scenario ☺: • Your troops must fight the Spartans • You have the same number of soldiers • Your soldiers are not that great • How can you WIN?
  • 10. Ancient “Pentest Cheating” Battle of Lechaeum: Spartans defeated by “lamers”! Tactic “Cheating”: • Don’t fight, thow things!: Javelins + bows = Athenians WON • Phalanx weak against: “shooters”, cavalry, flank/back attacks http://www.ancientgreekbattles.net / http://en.wikipedia.org/wiki/Phalanx_formation / http://en.wikipedia.org/wiki/Battle_of_Lechaeum
  • 11. Why not take this to the next level? Why not legitimately? • Shoot “before the battle” without permission • Shoot while we analyse information in parallel • Prepare more shootings without being noticed
  • 12. A Pentester “cheating try” Offensive (Web) Testing Framework = Multi-level “cheating” tactics
  • 13. OWTF Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
  • 15. OWTF > Web: Aux Plugins Metasploit-like automation for external tools, custom tests and more
  • 16. OWTF “Cheating”: Talk Scope At least 48.5% (32 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺ * This is only my interpretation and not that of my employer + might not apply to your country!
  • 17. Classic Pentest Stages 1. Pre-engagement: No permission “OWTF Cheat tactics” = Start here 2. Engagement: Permission Official test start = Active Testing here
  • 18. OWTF 101 Step 1- Run it Pre-engagement safe CLI OWTF options without permission o owtf.py –t passive http://target.com o owtf.py –t semi_passive http://target.com  semi_passive + grep o owtf.py –t quiet http://target.com  passive + semi_passive + grep
  • 19. OWTF 101 (cont.) Step 2- Human Analysis in parallel Pentester all-out “cheating” via OWTF continuous reporting: • Pentester works on the report interface • Start human analysis from “minute 1”: No “waiting until X for scan to finish” • Tools run in background via OWTF: No tool babysitting + No wasted energy • Refresh report for newer results • The human and the tools complement each other: “Fighting together as a team”
  • 20. Context consideration: Case 1 robots.txt Not Found …should Google index a site like this? Or should robots.txt exist and be like this? User-agent: * Disallow: /
  • 21. Case 1 robots.txt Not Found - Semi passive • Direct request for robots.txt • Without visiting entries
  • 22. Case 2 robots.txt Found – Passive • Indirect Stats, Downloaded txt file for review, “Open All in Tabs”
  • 23. OWTF HTML Filter challenge: Embedding of untrusted third party HTML Defence layers: 1) HTML Filter: Open source challenge Filter 6 unchallenged since 04/02/2012, Can you hack it? ☺ http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html 2) HTML 5 sanboxed iframe 3) Storage in another directory = cannot access OWTF Review in localStorage
  • 24. Start reporting!: Take your notes with fancy formatting Step 1 – Click the “Edit” link Step 2 – Start documenting findings + Ensure preview is ok
  • 25. Start reporting!: Paste PoC screenshots
  • 26. The magic bar ;) – Useful to generate the human report later
  • 27. Passive Plugin Step 1- Browse output files to review the full raw tool output: Step 2 – Review tools run by the passive Search engine discovery plugin: Was your favourite tool not run? Tell OWTF to run your tools on: owtf_dir/profiles/resources/default.cfg (backup first!)
  • 28. Tool output can also be reviewed via clicking through the OWTF report directly:
  • 29. The Harvester: •Emails •Employee Names •Subdomains •Hostnames http://www.edge-security.com/theHarvester.php
  • 30. Metadata analysis: • TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺) • Implemented: Integration with Metagoofil http://www.edge-security.com/metagoofil.php
  • 31. Inbound proxy not stable yet but all this happens automatically: • robots.txt entries added to “Potential URLs” • URLs found by tools are scraped + added to “Potential URLs” During Active testing (later): • “Potential URLs” visited + added to “Verified URLs” + Transaction log
  • 32. All HTTP transactions logged by target in transaction log Step 1 – Click on “Transaction Log” Step 2 – Review transaction entries
  • 33. Step 3 – Review raw transaction information (if desired)
  • 34. Step 1 - Make all direct OWTF requests go through Outbound Proxy: Passes all entry points to the tactical fuzzer for analysis later Step 2 - Entry points can then also be analysed via tactical fuzzer:
  • 35. Goal: What is that server running? Manually verify request for fingerprint:
  • 36. Whatweb integration with non-aggresive parameter (semi passive detection): https://github.com/urbanadventurer/WhatWeb
  • 38. Convenient vulnerability search box (1 box per header found ☺): Search All Open all site searches in tabs
  • 39. Exploit DB - http://www.exploit-db.com
  • 40. NVD - http://web.nvd.nist.gov - CVSS Score = High
  • 41. OSVDB - http://osvdb.org - CVSS Score = High
  • 46. •CMS •Widgets •Libraries •etc http://builtwith.com
  • 47. Search in the headers without touching the site: http://www.shodanhq.com/
  • 48. Passive suggestions - Prepare your test in a terminal window to hit “Enter” on “permission minute 1”
  • 49. What else can be done with a fingerprint?
  • 50. Environment replication Download it .. Sometimes from project page ☺ Also check http://www.oldapps.com/, Google, etc.
  • 51. Static Analyis, Fuzz, Try exploits, .. RIPS for PHP: http://rips-scanner.sourceforge.net/ Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
  • 52.
  • 57. Has Google found error messages for you?
  • 58. Check errors via Google Cache
  • 59.
  • 60. The link is generated with OWTF with that box ticked: Important! https://www.ssllabs.com/ssldb/analyze.html
  • 61. Pretty graphs to copy-paste to your OWTF report ☺ https://www.ssllabs.com/ssldb/analyze.html
  • 62. Do not forget about Strict-Transport-Security! sslstrip chances decrease dramatically: Only 1st time user visits the site!
  • 64. HTML content analysis: HTML Comments
  • 65. Efficient HTML content matches analysis Step 1 - Click Step 2 – Human Review of Unique matches
  • 66. Efficient HTML content matches analysis Step 1 - Click Step 2 –Review Unique matches (click on links for sample match info) Want to see all? then click
  • 67. HTML content analysis: CSS and JavaScript Comments (/* */)
  • 68. HTML content analysis: Single line JavaScript Comments (//)
  • 69. HTML content analysis: PHP source code
  • 70. HTML content analysis: ASP source code
  • 71.
  • 72.
  • 73.
  • 74. If you find an admin interface don’t forget to .. Google for default passwords:
  • 75. Disclaimer: Permission is required for this
  • 76.
  • 77.
  • 79. Is the login page on “http” instead of “https”?
  • 80. Pro Tip: When browsing the site manually .. … look carefully at pop-ups like this: Consider (i.e. prep the attack): Firesheep: http://codebutler.github.com/firesheep/ SSLStrip: https://github.com/moxie0/sslstrip
  • 81. Mario was going to report a bug to Mozilla and found another!
  • 82. Abuse user/member public search functions: • Search for “” (nothing) or “a”, then “b”, .. • Download all the data using 1) + pagination (if any) • Merge the results into a CSV-like format • Import + save as a spreadsheet • Show the spreadsheet to your customer
  • 83. Analyse the username(s) they gave you to test: • Username based on numbers? USER12345 • Username based on public info? (i.e. names, surnames, ..) name.surname • Default CMS user/pass?
  • 84. Part 1 – Remember Password: Autocomplete Good Bad Via 1) <form … autocomplete=“off”> <form action="/user/login" Or Via 2) <input … autocomplete=“off”> method="post"> <input type="password" name="pass" />
  • 85. Manual verification for password autocomplete (i.e. for the customer) Easy “your grandma can do it” test: 1. Login 2. Logout 3. Click the browser Back button twice* 4. Can you login again –without typing the login or password- by re- sending the login form? Can the user re-submit the login form via the back button? * Until the login form submission Other sensitive fields: Pentester manual verification • Credit card fields • Password hint fields • Other
  • 86. Part 2 - Password Reset forms Manually look at the questions / fields in the password reset form • Does it let you specify your email address? • Is it based on public info? (name, surname, etc) • Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
  • 87. Goal: Is Caching of sensitive info allowed? Manual verification steps: “your grandma can do it” ☺ (need login): 1. Login 2. Logout 3. Click the browser Back button 4. Do you see logged in content or a this page has expired error / the login page? Manual analysis tools: • Commands: curl –i http://target.com • Proxy: Burp, ZAP, WebScarab, etc • Browser Plugins: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/ https://addons.mozilla.org/en-US/firefox/addon/firebug/
  • 88. HTTP/1.1 headers Good Bad Cache-Control: no-cache Cache-control: private HTTP/1.0 headers Good Bad Pragma: no-cache Pragma: private Expires: <past date or illegal (e.g. 0)> Expires: <way too far in the future> The world Good Bad https://accounts.google.com No caching headers = caching allowed Cache-control: no-cache, no-store HTTP/1.1 200 OK Pragma: no-cache Date: Tue, 09 Aug 2011 13:38:43 GMT Expires: Mon, 01-Jan-1990 00:00:00 GMT Server: …. X-Powered-By: …. Connection: close Content-Type: text/html; charset=UTF-8
  • 89.
  • 90. Repeat for Meta tags Good Bad <META HTTP-EQUIV="Cache-Control" <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache"> CONTENT=“private">
  • 91. Step 1 – Find CAPTCHAs: Passive search
  • 92. Offline Manual analysis: • Download image and try to break it • Are CAPTCHAs reused? • Is a hash or token passed? (Good algorithm? Predictable?) • Look for vulns on CAPTCHA version CAPTCHA breaking tools PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha Captcha Breaker - http://churchturing.org/captcha-dist/
  • 93. Manually Examine cookies for weaknesses offline Base64 Encoding (!= Encryption ☺) Decoded value MTkyLjE2OC4xMDAuMTpvd2FzcHVzZ owaspuser:192.168.100.1: XI6cGFzc3dvcmQ6MTU6NTg= a7656fafe94dae72b1e1487670148412
  • 95. Lots of decode options, including: • auto_decode • auto_decode_repeat • d_base64 • etc. http://hackvertor.co.uk/public
  • 96. F5 BIG-IP Cookie decoder: http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
  • 97. • Secure: not set= session cookie leaked= pwned • HttpOnly: not set = cookies stealable via JS • Domain: set properly • Expires: set reasonably • Path: set to the right /sub-application • 1 session cookie that works is enough ..
  • 98.
  • 99. Manually check when verifying credentials during pre-engagement: Login and analyse the Session ID cookie (i.e. PHPSESSID) Good Bad (normal + by default) Before: 10a966616e8ed63f7a9b741f80e65e3c Before: 10a966616e8ed63f7a9b741f80e65e3c After: Nao2mxgho6p9jisslen9v3t6o5f943h After: 10a966616e8ed63f7a9b741f80e65e3c IMPORTANT: You can also set the session ID via JavaScript (i.e. XSS)
  • 100. Session ID: • In URL • In POST • In HTML Example from the field: http://target.com/xxx/xyz.function?session_num=7785 Look at unauthenticated cross-site requests: http://other-site.com/user=3&report=4 Referer: site.com Change ids in application: (ids you have permission for!) http://site.com/view_doc=4
  • 101. Headers Enabling/Disabling Client-Side XSS filters: • X-XSS-Protection (IE-Only) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
  • 102. Review JavaScript code on the page: <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): http://target.com/...#vulnerable_param=xss http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  • 103. Did Google find SQLi for you?
  • 104. <!--#exec cmd="/bin/ls /" --> <!--#INCLUDE VIRTUAL="/web.config"-->
  • 105. 1. Browse Site 2. Time requests 3. Get top X slowest requests 4. Slowest = Best DoS target
  • 106. Google searches: inurl:wsdl site:example.com Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/
  • 107. WSDL analysis Sensitive methods in WSDL? i.e. Download DB, Test DB, Get CC, etc. http://www.example.com/ws/FindIP.asmx?WSDL <wsdl:operation name="getCreditCard" parameterOrder="id"> <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/> <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/> </wsdl:operation>
  • 108. Same Origin Policy (SOP) 101 1. Domain A’s page can send a request to Domain B’s page from Browser 2. BUT Domain A’s page cannot read Domain B’s page from Browser http://www.ibm.com/developerworks/rational/library/09/rationalapplicationdeveloperportaltoolkit3/
  • 109. • Request == Predictable Pwned “..can send a request to Domain B” (SOP) CSRF Protection 101: •Require long random token (99% hidden anti-CSRF token) Not predictable •Attacker cannot read the token from Domain B (SOP) Domain B ignores request Potentially Good Bad Anti-CSRF token present: Verify with permission No anti-CSRF token
  • 110. Similar to CSRF: Is there an anti-replay token in the request? Potentially Good Bad Anti-CSRF token present: Verify with permission No anti-CSRF token
  • 111. 1) Passive search for Flash/Silverlight files + policies: Flash file search: Silverlight file search:
  • 112. Static analysis: Download + decompile Flash files $ flare hello.swf Flare: http://www.nowrap.de/flare.html Flasm (timelines, etc): http://www.nowrap.de/flasm.html
  • 113. Static analysis tools Adobe SWF Investigator http://labs.adobe.com/technologies/swfinvestigator/ SWFScan SWFScan: http://www.brothersoft.com/hp-swfscan-download-253747.html
  • 114. Active testing ☺ 1) Trip to server = need permission http://target.com/test.swf?xss=foo&xss2=bar 2) But … your browser is yours: No trip to server = no permission needed # http://target.com/test.swf ?xss=foo&xss2=bar Good news: Unlike DOM XSS, the # trick will always work for Flash Files
  • 115. Some technologies allow settings that relax SOP: • Adobe Flash (via policy file) • Microsoft Silverlight (via policy file) • HTML 5 Cross Origin Resource Sharing (via HTTP headers) Cheating: Reading the policy file or HTTP headers != attack http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
  • 116. Policy file retrieval for analysis
  • 117. CSRF by design read tokens = attacker WIN Flash / Silverlight - crossdomain.xml <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> Bad defence example: restrict pushing headers accepted by Flash: All headers from any domain accepted <allow-http-request-headers-from domain="*" headers="*" /> Flash: http://kb2.adobe.com/cps/403/kb403185.html
  • 118. CSRF by design read tokens = attacker WIN Silverlight - clientaccesspolicy.xml <?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain- access><policy> <allow-from http-request-headers="SOAPAction"> <domain uri="*"/> </allow-from> <grant-to><resource path="/" include-subpaths="true"/></grant-to> </policy></cross-domain-access></access-policy> Silverlight: http://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx
  • 120.
  • 121. UI Redressing protections: • X-Frame-Options (best) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) • JavaScript Frame busting (bypassable sometimes) Good Bad X-Frame-Options: Deny
  • 122. Andrew Horton’s “Clickjacking for Shells”: http://www.morningstarsecurity.com/research/clickjacking-wordpress Krzysztof Kotowicz’s “Something Wicked this way comes”: http://www.slideshare.net/kkotowicz/html5-something-wicked-this-way-comes- hackpra https://connect.ruhr-uni-bochum.de/p3g2butmrt4/ Marcus Niemietz’s “UI Redressing and Clickjacking”: http://www.slideshare.net/DefconRussia/marcus-niemietz-ui-redressing-and- clickjacking-about-click-fraud-and-data-theft
  • 123. Too much info? Use the filter to drill to what you care about:
  • 124. Business Conclusion • Web app security > Input validation • We see no traffic != we are not targeted • No IDS alerts != we are safe • Your site can be tested without you noticing • Test your security before others do
  • 125. Pen tester Conclusion • No permission != cannot start • A lot of work can be done in advance This work in advance helps with: • Increased efficiency • Deal better with tight deadlines • Better pre-engagement • Better test quality • Best chance to get in
  • 126. Bottom line Do not wait for “Tool X” or Permission Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
  • 127. Bottom line Try harder! Benedikt Magnusson - 1015lbs / 461kg World Record Deadlift 2nd April 2011
  • 128. Special thanks to Adi Mutu (@an_animal), Krzysztof Kotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz), Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci) OWASP Testing Guide contributors Finux Tech Weekly – Episode 17 – mins 31-49 http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3 Finux Tech Weekly – Episode 12 – mins 33-38 http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3 http://www.finux.co.uk/episodes/ogg/FTW-EP12.ogg Exotic Liability – Episode 83 – mins 49-53 http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah
  • 129. Q&A Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org Project Site (links to everything): http://owtf.org • Try OWTF: https://github.com/7a/owtf/tree/master/releases • Try a demo report: https://github.com/7a/owtf/tree/master/demos • Documentation: https://github.com/7a/owtf/tree/master/readme • Contribute: https://github.com/7a/owtf