A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
A presentation+class delivered to a PHP developer group at Brown University that discussed Web Application Security with a heavy emphasis on PHP, and discussed security in the SDLC, and showed with some examples what to do and not do
Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen
Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing end point protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.
Drupal, WordPress, and Joomla are very popular Content Management Systems (CMS) that have been widely adopted by government agencies, major businesses, social networks, and more — underscoring why understanding how these systems work and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester’s perspective of CMS’ and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists- all of which are open-source and can be downloaded and implemented following the presentation.
Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, We’ll go over the different stages of a web application pen test, from start to finish. We’ll start with tools used during the discovery phase to utilize OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of targets “footprint”, automated scanners and their use, all the way to manual testing and tools used for fuzzing parameters to find potential SQL injection vulnerabilities. We’ll also discuss pro-tips and tricks that we use while conducting a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps.
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
This slide deck is structured to start from the basics of web application security and explores common web attacks. The first half is packed with theory, while we are all for jumping into exercises having a solid grasp of the fundamentals will be crucial to your success in webappsec.
The deck dives into XSS, CSRF and SQL injections. It briefly outlines others like XXE, SSRF, logic errors, broken session management, and so on.
A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
A presentation+class delivered to a PHP developer group at Brown University that discussed Web Application Security with a heavy emphasis on PHP, and discussed security in the SDLC, and showed with some examples what to do and not do
Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen
Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing end point protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.
Drupal, WordPress, and Joomla are very popular Content Management Systems (CMS) that have been widely adopted by government agencies, major businesses, social networks, and more — underscoring why understanding how these systems work and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester’s perspective of CMS’ and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists- all of which are open-source and can be downloaded and implemented following the presentation.
Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, We’ll go over the different stages of a web application pen test, from start to finish. We’ll start with tools used during the discovery phase to utilize OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of targets “footprint”, automated scanners and their use, all the way to manual testing and tools used for fuzzing parameters to find potential SQL injection vulnerabilities. We’ll also discuss pro-tips and tricks that we use while conducting a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps.
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
This slide deck is structured to start from the basics of web application security and explores common web attacks. The first half is packed with theory, while we are all for jumping into exercises having a solid grasp of the fundamentals will be crucial to your success in webappsec.
The deck dives into XSS, CSRF and SQL injections. It briefly outlines others like XXE, SSRF, logic errors, broken session management, and so on.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I tried to cover Application Security Tools that can be helpful for analyzing security threats as well as putting up some defense . This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
We discuss tips and tricks we have picked up along our way performing penetration tests and red teaming engagements. We also cover 5 main ways we break into a company.
OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.
This topic will cover key concepts in android application security testing by employing a variety of tools and techniques to fasten the testing process.
This was presented at Null Bangalore Chapter (Saturday April 26 2014, 11:00 AM)
Threat Intelligence is by far one of the most over-used buzz words in the security industry. Many professionals have very mixed feelings about Threat Intelligence feeds as well. This discussion is around how LogRhythm’s internal security team utilizes Threat Intelligence to operationalize efficiently and streamline Security Operations processes and help improve an organization’s defenses. We will show how you can generate your own Threat Intelligence and create information sharing loops within like industries to fully realize the team's defensive capabilities. On top of the technical aspects around building out a good Threat Intel program, we will discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, how we can show value to leadership using key performance indicators and leverage this to improve the overall security program.
Malware analysis, threat intelligence and reverse engineeringbartblaze
In this presentation, I introduce the concepts of malware analysis, threat intelligence and reverse engineering. Experience or knowledge is not required.
Feel free to send me feedback via Twitter (@bartblaze) or email.
Blog post: https://bartblaze.blogspot.com/2018/02/malware-analysis-threat-intelligence.html
Labs: https://github.com/bartblaze/MaTiRe
Mind the disclaimer.
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers.
BSides Philly Finding a Company's BreakPointAndrew McNicol
We cover modern day hacking techniques to establish a foothold into a target network. This is a great introduction to hacking techniques to those new to pentesting, with hopes of breaking the mindset of "scan then exploit".
The process of penetration testing starts with the "Reconnaissance Phase". This phase, if performed carefully, always provides a winning situation. However, Often in the application security and bug bounty hunting, recon is mapped to finding some assets and uncovering hidden endpoints only & is somewhat under-utilized. Recon is the most crucial thing in application security and bug bounties which always keeps you separated from a competing crowd and gives easy wins.
In "Weaponizing Recon - Weaponizing Recon - Shamshing Applications for Security Vulnerabilities & Profit", will cover the deepest and most interesting recon methodologies to be one step ahead of your competition and how to utilize the tools and publicly available information to map your attack surface & maximize the profit. During the talk, we will cover:
1. Introduction to Recon
2. Basic Recon 101
3. Mapping Attack Surface with Basic Recon
4. Weaponizing Recon to Hit Attack Surface
5. Recon Hacks 101
6. Practical Offensive Recon
7. Automating Recon for Profit
8. Finding Vulnerabilities with Recon
9. Creating your own Recon Map
10. Practical Examples & Demonstrations
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I tried to cover Application Security Tools that can be helpful for analyzing security threats as well as putting up some defense . This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
We discuss tips and tricks we have picked up along our way performing penetration tests and red teaming engagements. We also cover 5 main ways we break into a company.
OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.
This topic will cover key concepts in android application security testing by employing a variety of tools and techniques to fasten the testing process.
This was presented at Null Bangalore Chapter (Saturday April 26 2014, 11:00 AM)
Threat Intelligence is by far one of the most over-used buzz words in the security industry. Many professionals have very mixed feelings about Threat Intelligence feeds as well. This discussion is around how LogRhythm’s internal security team utilizes Threat Intelligence to operationalize efficiently and streamline Security Operations processes and help improve an organization’s defenses. We will show how you can generate your own Threat Intelligence and create information sharing loops within like industries to fully realize the team's defensive capabilities. On top of the technical aspects around building out a good Threat Intel program, we will discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, how we can show value to leadership using key performance indicators and leverage this to improve the overall security program.
Malware analysis, threat intelligence and reverse engineeringbartblaze
In this presentation, I introduce the concepts of malware analysis, threat intelligence and reverse engineering. Experience or knowledge is not required.
Feel free to send me feedback via Twitter (@bartblaze) or email.
Blog post: https://bartblaze.blogspot.com/2018/02/malware-analysis-threat-intelligence.html
Labs: https://github.com/bartblaze/MaTiRe
Mind the disclaimer.
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers.
BSides Philly Finding a Company's BreakPointAndrew McNicol
We cover modern day hacking techniques to establish a foothold into a target network. This is a great introduction to hacking techniques to those new to pentesting, with hopes of breaking the mindset of "scan then exploit".
The process of penetration testing starts with the "Reconnaissance Phase". This phase, if performed carefully, always provides a winning situation. However, Often in the application security and bug bounty hunting, recon is mapped to finding some assets and uncovering hidden endpoints only & is somewhat under-utilized. Recon is the most crucial thing in application security and bug bounties which always keeps you separated from a competing crowd and gives easy wins.
In "Weaponizing Recon - Weaponizing Recon - Shamshing Applications for Security Vulnerabilities & Profit", will cover the deepest and most interesting recon methodologies to be one step ahead of your competition and how to utilize the tools and publicly available information to map your attack surface & maximize the profit. During the talk, we will cover:
1. Introduction to Recon
2. Basic Recon 101
3. Mapping Attack Surface with Basic Recon
4. Weaponizing Recon to Hit Attack Surface
5. Recon Hacks 101
6. Practical Offensive Recon
7. Automating Recon for Profit
8. Finding Vulnerabilities with Recon
9. Creating your own Recon Map
10. Practical Examples & Demonstrations
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxlior mazor
Stay safe, grab a drink and join us virtually for our upcoming "The Hacking Game - Think Like a Hacker" meetup to learn how hackers can compromise applications, advanced data protection methods and how to focus on fixing your most critical vulnerabilities.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
A short introduction to the more advanced python and programming in general. Intended for users that has already learned the basic coding skills but want to have a rapid tour of more in-depth capacities offered by Python and some general programming background.
Execrices are available at: https://github.com/chiffa/Intermediate_Python_programming
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
The Web Application Hackers Toolchain
1.
2. About Me:
• Twitter @jhaddix
• jhaddix@securityaegis.com
• I blog like I know stuff:
• http://www.securityaegis.com
• http://www.ethicalhacker.net
• Former VA/Netpen turned Webpen
• Currently work for HP Application Security Center
• Webpen, Netpen, Mobile, etc…
• Random Projects
• Open Penetration Testers Bookmark Collection
• http://code.google.com/p/pentest-bookmarks/
• Nmap Http-enum fingerprints
• ghetto Nessus parsers
• Burp hacking presentation
• No I can’t get you a touchpad
• I love talking about hacking, and I like to drink Beer & Gin and Tonics
• I don’t know if that’s a girly drink in Brussels =(
• You’re welcome to educate me…
3. Words for the Wise:
“Until a man is twenty-five, he still thinks, every so often, that
under the right circumstances he could be the baddest
motherfucker in the world. If (he) moved to a martial-arts
monastery in China and studied real hard for ten years. If (his)
family was wiped out by Colombian drug dealers and (he) swore
(himself) to revenge. If (he) got a fatal disease, had one year to
live, and devoted it to wiping out street crime. If (he) just dropped
out and devoted (his) life to being bad.
Hiro used to feel this way, too, but then he ran into Raven. In a
way, this was liberating. He no longer has to worry about being
the baddest motherfucker in the world. The position is taken.”
― Neal Stephenson, Snow Crash
4. Workshop:
Done a few conference talks, never done a workshop:
• I’m going to move fast, you will get the slides from the con.
• Videos for demos available shortly after the conference
• If there’s something you want to know just pull me aside sometime or
catch me around the con, I’ll do my best to answer all questions.
• You’re pretty much getting a whole class converted to a workshop =).
• Excuses!
• http://code.google.com/p/owaspbwa/
• OK… lets do it.
5.
6. • Web Hacking Tool Classes:
• OSINT (Passive or Semi-Passive)
• Discovery (usually dir brute-forcing or platform
identification)
• Brute Force (password bruting tools)
• Proxies (usually include spider’s)
• Fuzzers/Scanners (error or vuln identification tools)
• Exploitation (vuln exploitation tools)
• Data Aggregation
7. • What am I, a script kiddie?
•Yes and no, you’re a pentester; Which means you have
approximately 40hrs to do what a blackhat has months to
do.
•We need to identify technologies faster, vulns faster, and
speed up the attack process.
•We need to identify the best process and tools to use,
even for our manual web pentesting.
8. GOAL: Gather data to be useful in a web pentest without
(or minimally) interacting with the target.
Google Hacking:
SearchDiggity
Metadata:
FOCA
Email Gathering:
TheHarvester
Metasploit
9. SearchDiggity:
The SearchDiggity tools are basically automation of google/bing hacking
queries. Think of about a thousand vulnerability checks executed against
your target except they are not actually touching your target, only the
search engine cache.
10. GOAL: Free vulnerability
checks aka Google
hacking.
SearchDiggity:
• Requires Ajax Search
Query API key
• 100 queries per day
unless you register a CC
• Buy a pre-paid visa for
$10
• Find vulns fast
11. GOAL: Extract domain usernames, internal pathing, software
versions, etc
FOCA:
FOCA is a windows tool to spider a domain for documents using google/bing/exalead,
download them, and then extract relevant metadata and server information.
• http://www.informatica64.com/DownloadFOCA/
I always go see these guys at DC:
• http://vimeo.com/10602662
• http://vimeo.com/16706893
14. GOAL: Gather email addresses for forms based logins, etc.
One of the first parts of recon in a pentest is gathering valid login names
and emails. We can use these to profile our target, bruteforce
authentication systems, send client-side attacks (through phishing), look
through social networks for juicy info on platforms and technologies, etc.
Where do we get this info? Well without doing a full-blown Open Source
Recon (OSINT) style assessment, we can use two simple scripts:
• Metasploit's search_email_collector.rb and
• theHarvester
15. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and
uses search techniques for Google, Bing, and Yahoo.
http://www.metasploit.com/modules/auxiliary/gather/search_email_collector
ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file E
Running MSF search_email_collector...
[*] Please wait while we load the module tree...
[*] Harvesting emails .....
[*] Searching Google for email addresses from defcon.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from defcon.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from defcon.com
[*] Extracting emails from Yahoo search results...
[*] Located 7 email addresses for defcon.com
[*] headsets@defcon.com
[*] info@defcon.com
[*] jobs@defcon.com
[*] nick.s@defcon.com
[*] nick@defcon.com
[*] robert@defcon.com
[*] spr@defcon.com
16. theHarvester (just updated to v2.1) has now fixed some of its previous
bugs. It supports searching Google, Bing, PGP servers, shodan, dns-
bruteforcing, and LinkedIn.
https://code.google.com/p/theharvester/
zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d
defcon.com -b google -l 500
Accounts found:
===================
quietpro@defcon.com
nick.s@defcon.com
robert@defcon.com
lynne@defcon.com
joe@defcon.com
info@defcon.com
dtangent@defcon.com
18. There’s also a ton of OSINT sites to help identify server information
without ever touching your target yourself:
• Netcraft (Uptime Survey, server info)
• Domain Tools (Whois Lookup and Domain info)
• Centralops.net (traceroute, nslookup, automatic whois lookup, ping, finger)
• Hackerfantastic.com ( GeoIP, whois, host, dig, blacklists, ping, traceroute & nmap)
• whois.webhosting.info (WHOIS and Reverse IP Service/virtual hosting info)
• BING IP Search
• SSL Labs – Projects / Public SSL Server Database – SSL Server Test
• SHODAN – Computer Search Engine (indexed port scans and banner grabs)
• Chris Gates presented on OSINT at Brucon 2009
• http://vimeo.com/6811411
• Other good OSINT resources:
• http://www.slideshare.net/agent0x0/enterprise-open-source-
intelligence-gathering
• http://www.slideshare.net/Laramies/tactical-information-gathering
19. Now we need to map the site. Some issues that we need to
deal with when mapping the site are poor ajax support for
spidering (we go over this later) and finding non-linked
resources. To find non linked resources we bruteforce
common file/path names, framework paths, etc.
Discovery Tools:
• Dirbuster & Wfuzz
• SVNDigger Lists
• FuzzDB and RAFT Lists
• (optionally) Nmap HTTP-Enum & CMS Explorer
20. Dirbuster is a cross
platform directory
bruteforcer written in java
(GUI app).
Tips:
• Disable Recursion and
Redirects for faster
leaner bruting (our
spiders will follow
redirects later)
• We can change
threading on the fly
• Dirbuster’s built-in lists
are from a project that
basically spidered the
whole internet.
21. Wfuzz is a command line equivalent, with a bit more functionality for
general web fuzzing (filter by resp code, wc, charc, etc):
• http://www.edge-security.com/wfuzz.php
Also has some lists!
23. Alright, so for non linked resources and discovery we can use Dirbuster’s
lists or Wfuzz’s but they are very generic (that’s not necessarily a bad
thing). Like I mentioned before, Dirbuster’s are based off of spidering the
net and aggregating the most common directory data and common
words (partially).
But isn't that finding linked resources? Yes
There are some more options for us as far as lists go:
SVNDigger – a set of directory lists based of pathing of open source
projects on Google Code and SourceForge.
RAFT Lists:
http://code.google.com/p/fuzzdb/
Within the Discovery/PredictableRes path
25. RAFT is a recent proxy project released
at BHUSA 2011, with a set of wordlists
for content discovery based upon
spidering 1.7 million “robots.txt”
disallows and contextual framework
paths. There’s some overlap with
SVNDigger. The lists themselves are
downloadable from the RAFT site but
they are also contained in the FuzzDB
Discovery/PredictableRes directory
which we’ll be seeing in the tactical
fuzzing section later.
Broken down into directories, words, and files
which takes us to smarter recursive content
discovery…
26. 1. Use raft-large-directories
in Dirbuster or Burp
2. Take the successful
output and add it to a
Burp Intruder setup
(clusterbomb) as payload
set 1
3. Add raft-large-files.txt as
2nd payload set
29. Hopefully at this point we have some logins or emails to try and bruteforce
authentication from the OSINT section. I prefer Burp Suite’s Intruder Module for
bruteforcing authentication.
1. Attempt Login
2. Go to Proxy History Tab
3. Find the POST request
4. Send to Intruder
5. Use Cluster Bomb payload
6. Clear all payload positions
7. Mark username and password fields as
payload positions
8. Goto “payloads” tab
9. Set “payload set” 1 to your username list
10. Set “payload set” 2 to your password list
11. Click on the intruder Menu
12. Start Attack
13. Look for different lengths or grep possible
successful auth messages under options
30. With some valid usernames we want to up our chances of bruting a valid
password. Ron Bowes (@iagox86) has some fantastic password research and has
archived many of the lists that have been leaked on the web.
http://www.skullsecurity.org/blog/2010/the-ultimate-faceoff-between-
password-lists
Huge password repository. Actual user data from hacked sites:
• RockYou (Rockyou 75 is a winner)
• Phpbb
• Myspace
• Hotmail
• Hak5
• Facebook
• More…
32. GOAL: Spider the site, identify fuzz points, chain and feed scanner.
For proxies and spidering I use Burp Suite. There exists some good Paros forks (ZAP)
but Burp, even the free version, has much more power and extensibility.
33. Fiddler is a unique and
powerful option as well due to
some great plugins such as
Watcher (for passively
identifying user controllable
)and x5s (for identifying
possible xss insertion points).
These can help us later when
we want to start tacitly
fuzzing.
34.
35. Proxies sit between you and the browser but they can also enhance your testing by
chaining them with your other tools. This is great if your scanner has a proxy mode, this
way we get walk through the functionality of the site and hit it with two different spider
engines and finally attack it with our scanner. Additionally, chaining proxies and scanners
can help us deal with auth/session issues in hard to scan environments (NTLM/Kerberos). If
you’re sticking with open source tools or non-proxy mode scanners you can export your
spider results as links and import them into you scanner.
Browser -> Burp -> Scanner (in proxy mode) -> Site
1. Walk app, executing all Ajax and rich functionality (snaplinks is handy)
2. Browse to anything from the discovery stage to populate proxy and scanner
3. Spider with Proxy of choice
4. (optional, this might pollute your site tree) Fuzz with fuzzer/proxy of choice
5. Run Scan
This all gets fed to the scanner sitemap/tree. Now the scanner has the best chance of
finding all fuzz points and vulns.
36. You said scanners! Which ones?!
Shay Chen has some excellent
research on the accuracy of open
source and commercial scanners.
Only covers XSS and SQLi atm
37. Now that you have the blanket stuff out of the way, its time to interpret the proxy and
scanner data for tactical fuzzing points.
Does this functionality display something back to the user?
Fuzz for XSS
Does it interact with a database?
Fuzz for SQLi or other injections
Does it call on the server file system?
Fuzz for LFI/PT
Does it call on a URL or external/internal site/domain?
Fuzz for RFI
Tactical Fuzzing? Wtf?
38. Now we can fully utilize the project we mentioned a few times earlier, the Fuzz
Database:
“ The fuzzdb aggregates known attack patterns, predictable resource names,
server response messages, and other resources like web shells into the most
comprehensive Open Source database of malicious and malformed input test
cases.”
39. 1. Use Fuzzdb strings on all the afore mentioned forms and parameters
2. Re-fuzz all parameters that gave errors on the spidering/scanning results.
3. After concretely identifying the platform, re-fuzz/content discover with that
platforms specific lists.
40. The fuzzdb also has an excellent error /vuln grep file for import into Burp:
41. When it comes to exploitation tools mostly we need some
automagic tools to exploit different forms of SQL injection or file
include vulnerabilities. For manual testing we also need a set of
web shells.
Our standards are SQLmap, Havij, SQLninja for sql injection
fimap and metasploit for file include vulnerabilities.
and a common set of web shells from the fuzzdb .
42. SQLmap is a comprehensive SQL injection tool with the ability to do many forms of
injection.
SQLmap Tips:
-l can import Burp logs to test your hosts (when saving in Burp use only your targets in
scope) ./sqlmap -l /root/sqli.txt
Often we want to force POST parameters ,setting –data will force POST: --
data=userid=test&pass=test
We can specify parameters with -p : ./sqlmap –u TARGET-p userid,pass
--level=LEVEL Level of tests to perform (1-5, default 1) has to do with insertion points.
--risk=RISK Risk of tests to perform (0-3, default 1) has to do with test cases.
./sqlmap -l /root/sqli.txt --level=5 --risk=3
You can max out speed at threads=10
--forms will parse and test all forms on target
--os-pwn for possible meterpreter shell
43. Other tools mentioned help us in edge cases:
Havij for very up to date WAF evasion (modsec) Use at your
own risk.
http://itsecteam.com/en/projects/project1.htm
SQLNinja when SQLmap will not exploit
http://sqlninja.sourceforge.net/
Fimap for file include exploitation
http://code.google.com/p/fimap/
Metasploit for remote file includes
exploit/unix/webapp/php_include
44.
45. We also need some stand
alone shells in several
different languages for
upload vulns. Luckily the
FuzzDB has these as well.
46. What about taking XSS beyond alert(‘xss’)?
BeEF is the best tool for javascript attacks. It’s more extensible now that it
integrates with metasploit. We now can:
Hook the browser with invisible iframes
Inject/change content on the fly
Footprint the internal network
Sniff keystrokes
Deliver browser based exploits or metasploit meterpreter java payloads for
full control of the target
48. What about web
services, SOAP,
XML?
With a wsdl and
SOAPui proxied
through Burp
and tactically
fuzzing with the
Fuzzdb test
cases we can do
more than any
script or tool I’ve
seen released.
49. I don’t have a fancy portal to put my data =(
The Dradis framework has been revamped to accept a ton for tool outputs allowing us to
import data and keep working faster.
Imports:
Nmap
Burp
Nessus
Metasploit
Netsparker
Openvas
w3af
Mindmapping software works well too.
50.
51. With all this out of the way semi-quickly we can now take more
time to tactically fuzz and test for logic and more obscure
manual checks!
52. Special thanks go out to:
Andre Gironda
Chris Gates, Armando Romeo, Joe McCray, James Fitts,
Bernardo Damele, Daniel Miessler, Ferruh Mavituna, Shay
Chen, Ron Bowes, Adam Muntner, and all tool authors.