ColdFusionConference, profile picture
Uploaded byColdFusionConference
PDF, PPTX775 views

Web hackingtools 2015

This document provides an overview of a presentation on web penetration testing and hacking tools. It introduces the speaker and their background in security. It outlines that the presentation will demonstrate various penetration testing tools against vulnerable web applications and provide a quick overview of web application firewalls and vulnerability scanners. It also provides warnings about not performing any of the activities against live systems without permission. The document includes background on recent security events, vulnerabilities, and hacking tools to provide context for the presentation.

Embed presentation

Download as PDF, PPTX
Web Penetration and Hacking Tools David Epler Security Architect depler@aboutweb.com
About Me • Application Developer originally • Contributor to Learn CF In a Week • OWASP Individual Member • OWASP Zed Attack Proxy (ZAP) Evangelist • Security Certifications - CEH, GWAPT
About the Session • What will NOT be covered • How to fix your code • How to secure your OS, Web Server, Database Server, or Application Server
About the Session • What will be covered • Recent events in security and hacking • Demonstration of various penetration testing tools used against web applications • Quick overview of Web Application Firewalls and Web Vulnerability Scanners
About the Demos • Virtual Machines, not live servers • BackTrack/Kali Linux • OWASP Broken Web Apps • Windows 7 & Server 2008 R2
 DO NOT perform any activities shown on any network/system or network connected device without proper permission!
205Average number of days a network is compromised by a hacker before discovery
 Down from 229 days in 2014 as reported by Mandiant M-Trends Report
Broken SSL/TLS goto$fail;$ goto$fail;
Heartbleed • At disclosure 615,268 of the Internet's secure web servers were vulnerable • May 8, 2014 - 318,239 • June 21, 2014 - 309,197 • Contributed to Community Health Systems theft of 4.5 million patient records
Qualys SSL Server Test https://www.ssllabs.com/ssltest/
OWASP Top Ten (2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
Vulnerability Prevalence from VeraCode SoSS Cross Site Scripting! (XSS) SQL Injection Information Leakage Directory Traversal 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 47% 29% 27% 60% 56% 60% 30% 61% 49% 58% 31% 57% 22% 62% 72% 95% ColdFusion Java .NET PHP
Things you’ll never see in logs • Internet search engines used for passive reconnaissance • Google Hacks • Internet Archive • Netcraft • Alexa • Shodan • Not quite passive but can be hard to spot • Web Crawler/Spider/Mirroring
OWASP Top Ten (2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
OWASP Top Ten (2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
• Stacked Queries • http://www.victim.com/products.asp?id=1;exec +master..xp_cmdshell+'dir' • Tautology • http://www.victim.com/logon.aspx?username=admin' or 1=1;-- • UNION Statements • http://www.victim.com/products.asp?id=12+UNION +SELECT +userid,first_name,second_name,password+FROM +customers • Blind SQL Injection (SQLi)
Demo • Tool • sqlmap • Target • OWASP Broken Web Apps • Apache 2.2.14 + PHP 5.3.2 • MySQL 5.1.41
sqlmap Demo • http://www.youtube.com/watch? v=8Id6XUOcw3E
Adobe Password Analysis From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password- disaster-adobes-giant-sized-cryptographic-blunder/
Adobe Password Analysis From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password- disaster-adobes-giant-sized-cryptographic-blunder/
Adobe Password Analysis From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password- disaster-adobes-giant-sized-cryptographic-blunder/
Password Cracking • Techniques • Rainbow Tables • Brute Force • Dictionary/Word Lists • Hybrid ! • RockYou.com (Dec 2009) • 14.3 million unique clear text passwords
25 GPU HPC Cluster • Presented by Jeremi Gosney at Passwords^12 Conference • 5 - 4U Servers • 25 Radeon GPUs • Hashcat
Reported Benchmarks of 25 GPU HPC cluster MD5 SHA1 BCrypt (05) Attempts per Second 0 100,000,000,000 200,000,000,000 71,000 63,000,000,000 180,000,000,000
Gosney vs LinkedIn Password Hashes PercentCracked 0% 20% 40% 60% 80% 100% 30 seconds 2 hours 1 day 6 days 90% 64% 53% 21%
OWASP Top Ten (2013) A3: Cross-Site Scripting (XSS) A1: Injection A6: Sensitive Data Exposure A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
OWASP Top Ten (2013) A3: Cross-Site Scripting (XSS) A1: Injection A6: Sensitive Data Exposure A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
• Stored • Attacker’s script is stored on the server (e.g. blog comments, forums) and later displayed in HTML pages, without proper filtering • Reflected • HTML page reflects user input data back to the browser, without sanitizing the response • DOM Based Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Demo • Tools • BeEF (Browser Exploitation Framework) • Metasploit • Target • OWASP Broken Web Apps • Apache 2.2.14 + PHP 5.3.2 • Victim • Windows 7 • IE 9 + Java 7 Plugin
BeEF Demo • http://www.youtube.com/watch? v=U27bEwZixN4
OWASP Top Ten (2013) A5: Security Misconfiguration A4: Insecure Direct Object References A2: Broken Authentication and Session Management A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A8: Cross Site Request Forgery (CSRF) A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
OWASP Top Ten (2013) A5: Security Misconfiguration A4: Insecure Direct Object References A2: Broken Authentication and Session Management A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A8: Cross Site Request Forgery (CSRF) A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
• Stolen Data Headers from the Federal Reserve Hack (Feb 2013) • Downed US vuln catalog infected for at least TWO MONTHS (March 2013) • Web host Linode, hackers clash over credit-card raid claim (April 2013) • Washington Court Data Breach Exposes 160K SSNs (May 2013) • Alleged Hacker Indicted In New Jersey For Data Breach Conspiracy Targeting Government Agency Networks (Oct 2013) Notable ColdFusion Hacks in 2013
Demo • Tool • Published Exploit Script • Target • Windows Server 2008 R2 • IIS 7.5 + ColdFusion 10 w/ Update 9 • Secure Profile Enabled
Exploit Script Demo • http://www.youtube.com/watch? v=XsQWK_UaASk
If you don’t secure your stuff, you are just making it easy for hackers 
 and they DON’T mostly come at night.
So should you just turn everything off and unplug it?
• Web application firewall (WAF) are used to protect web applications without the need to modify them • Can be an appliance, server plugin, or filter • Provide an additional layer of security • Can react faster than changing application code • More common in front of legacy applications Web Application Firewall
• Open source, free web application firewall • Apache, IIS 7, Nginx, reverse proxy • Security Models • Negative Security Model • Positive Security Model • Virtual Patching • Extrusion Detection Model • OWASP ModSecurity Core Rule Set Project ModSecurity
• Provide automated way to test web application for vulnerabilities • Static vs Dynamic Analysis • Can be challenging to setup authentication and session management • Can’t improvise, every web application is unique • Usually integrated as part of Secure Software Development Life Cycle (SSDLC) Web Vulnerability Scanners
Book The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Second Edition by  Dafydd Stuttard and Marcus Pinto" John Wiley & Sons © 2012 (912 pages)" ISBN: 9781118026472"
• Blog: http://www.dcepler.net • Email: depler@aboutweb.com • Twitter: @dcepler Q&A - Thanks
• Tools • sqlmap • BeEF • Metasploit ! • Virtual Machines/Live CDs • Kali Linux • Samurai Web Testing Framework • OWASP Broken Web Apps Resources
• Security Benchmarks/Guides • CIS Benchmarks • DISA STIG • Microsoft Security Compliance Manager ! • Securing/Patching ColdFusion • ColdFusion 9 Server Lockdown Guide (pdf) • ColdFusion 10 Server Lockdown Guide (pdf) • ColdFusion 11 Server Lockdown Guide (pdf) • Unofficial Updater 2 Resources
• OWASP Top Ten 2013 • Shodan: The scariest search engine on the Internet • Report: Crematoriums To Caterpillars Shodan Reveals Internet Of Things • Google Hacking Database (GHDB) Resources
• Web Application Firewalls • Commercial • Trustwave - WebDefend Web Application Firewall • Cisco - ACE Web Application Firewall • Citrix - NetScaler App Firewall • F5 - BIG-IP Application Security Manager • Privacyware - ThreatSentry IIS Web Application Firewall • Fuseguard - Foundeo • Free • Trustwave - ModSecurity • Microsoft - URLScan 3.1 Resources
• Web Vulnerability Scanners • Dynamic Scanner • Cenzic Hailstorm • HP WebInspect • IBM Security AppScan • Static Scanner • HP Fortify Static Code Analyzer • VeraCode Static • Intercepting Proxies • Burp Suite • OWASP Zed Attack Proxy (ZAP) Resources
Books SQL Injection Attacks and Defense, Second Edition by  Justin Clarke" Syngress Publishing © 2012 (576 pages) " ISBN: 9781597499637 Web Application Obfuscation: '-/ WAFs..dEvasion..dFilters//alert (/ Obfuscation/)-' by  Mario Heiderich, Eduardo AlbertoVela Nava, Gareth Heyes and David Lindsay" Syngress Publishing © 2011 (290 pages)" ISBN: 9781597496049 XSS Attacks: Cross Site Scripting Exploits and Defense by  Jeremiah Grossman, Robert “RSnake” Hansen, Petko “pdp” D. Petkov and Anton Rager" Syngress Publishing © 2007 (479 pages)" ISBN: 9781597491549" Penetration Tester's Open Source Toolkit, Third Edition by  Jeremy Faircloth" Syngress Publishing © 2011 (465 pages) ISBN: 9781597496278
• Free Commercial Reports • Mandiant • M-Trends 2015 (April 2015) • APT1: Exposing One of China’s Cyber Espionage Units (Feb 2013) ! • VeraCode • State of Software Security Report Volume 5 (April 2013) References
• Heartbleed • More than 300k systems 'still vulnerable' to Heartbleed attacks • Heartbleed Hack Still a Threat Six Months After Discovery References
• Target • Sources: Target Investigating Data Breach • Email Attack on Vendor Set Up Breach at Target • Data breach hits Target’s profits, but that’s only the tip of the iceberg References
• Home Depot • Home Depot Hit By Same Malware as Target • Home Depot: 56M Cards Impacted, Malware Contained References
• Adobe Password Hack • Adobe Breach Impacted At Least 38 Million Users • How an epic blunder by Adobe could strengthen hand of password crackers • Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder • Top 100 Adobe Passwords • XKCD Crossword Puzzle References
• Password Cracking • Jeremi Gosney - Password Cracking HPC - Passwords^12 Presentation (pdf) • Jens Steube - Exploiting a SHA1 Weakness in Password Cracking - Passwords^12 Presentation (pdf) • New 25 GPU Monster Devours Passwords In Seconds • Oh great: New attack makes some password cracking faster, easier than ever • Why passwords have never been weaker—and crackers have never been stronger • The Final Word on the LinkedIn Leak • How I became a password cracker • Project Erebus v2.5 • SHA-1 crypto protocol cracked using Amazon cloud computing resources References
• Recent Hacks • SQL Injection Flaw Haunts All Ruby on Rails Versions (Jan 2013) • Critics: Substandard crypto needlessly puts Evernote accounts at risk (March 2013) • Huge attack on WordPress sites could spawn never-before-seen super botnet (April 2013) • Why LivingSocial’s 50-million password breach is graver than you may think (April 2013) • Yahoo! Blind SQL Injection could lead to data leakage (April 2013) • Common Web Vulnerabilities Plague Top WordPress Plug-Ins (June 2013) • WordPress Fixes Remote Code Execution Flaw With 3.6.1 Release (Sept 2013) References
• Recent Hacks • New York Times Hacked Again, This Time Allegedly by Chinese (Jan 2013) • AP Twitter feed hacked; no attack at White House (April 2013) • Dev site behind Apple, Facebook hacks didn’t know it was booby- trapped (Feb 2013) • IE 8 Zero Day Found as DoL Watering Hole Attack Spreads to Nine Other Sites (May 2013) • Hackers exploit critical IE bug; Microsoft promises patch (Sept 2013) • Many Flash, Java Users Running Older, Vulnerable Versions (Sept 2013) • Adobe To Announce Source Code, Customer Data Breach (Oct 2013) • Thousands of Sites Hacked Via vBulletin Hole (Oct 2013) References
• XSS Attacks • Persistent XSS Vulnerability Plagues WordPress Plugin (April 2015) • Researcher Gets $5,000 for XSS Flaw in Google Apps Admin Console (Jan 2015) • Drupal Patches XSS Vulnerability in Spam Module (Sept 2014) • Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed (Jan 2014) • Security company says Nasdaq waited two weeks to fix XSS flaw (Sept 2013) • Apple Store Vulnerable to XSS (June 2013) • PayPal Site Vulnerable to XSS Attack (May 2013) References
Shellshock • Series of vulnerabilities in how Bash processes environment variables • CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 • Allows for remote code execution
• Shellshock • What is #shellshock? • RedHat: Mitigating the shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) • How do I secure Apache against the Bash Shellshock vulnerability? • Shellshock Exploits Spreading Mayhem Botnet Malware References

More Related Content

PDF
Web hackingtools cf-summit2014
byColdFusionConference
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
byOWASP
 
PPTX
Cyber ppt
bykarthik menon
 
PDF
Security in practice with Java EE 6 and GlassFish
byMarkus Eisele
 
PDF
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
PDF
Problems with parameters b sides-msp
byMike Saunders
 
PPTX
[Wroclaw #7] Security test automation
byOWASP
 
PDF
Security Automation using ZAP
byVaibhav Gupta
 
Web hackingtools cf-summit2014
byColdFusionConference
 
[Wroclaw #5] OWASP Projects: beyond Top 10
byOWASP
 
Cyber ppt
bykarthik menon
 
Security in practice with Java EE 6 and GlassFish
byMarkus Eisele
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
Problems with parameters b sides-msp
byMike Saunders
 
[Wroclaw #7] Security test automation
byOWASP
 
Security Automation using ZAP
byVaibhav Gupta
 

What's hot

PPTX
[Wroclaw #7] AWS (in)security - the devil is in the detail
byOWASP
 
PDF
Security Testing using ZAP in SFDC
byThinqloud
 
PPTX
The OWASP Zed Attack Proxy
byAditya Gupta
 
PDF
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
byAbhay Bhargav
 
PPTX
CSS 17: NYC - Stories from the SOC
byAlert Logic
 
PPTX
Application Security Tools
byLalit Kale
 
PPTX
Security Testing - Zap It
byManjyot Singh
 
PDF
Zed Attack Proxy (ZAP)
byJAINAM KAPADIYA
 
PPTX
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
PPTX
Web & Cloud Security in the real world
byMadhu Akula
 
PPTX
DVWA(Damn Vulnerabilities Web Application)
bySoham Kansodaria
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
byPhilippe Gamache
 
PPTX
CSS 17: NYC - Realities of Security in the Cloud
byAlert Logic
 
PDF
[Wroclaw #7] Why So Serial?
byOWASP
 
KEY
DVWA BruCON Workshop
bytestuser1223
 
PDF
[OWASP Poland Day] Web App Security Architectures
byOWASP
 
PPTX
Zap vs burp
byTomasz Fajks
 
PPTX
Ten Commandments of Secure Coding
byMateusz Olejarka
 
PDF
CSS17: Houston - Protecting Web Apps
byAlert Logic
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
byOWASP
 
Security Testing using ZAP in SFDC
byThinqloud
 
The OWASP Zed Attack Proxy
byAditya Gupta
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
byAbhay Bhargav
 
CSS 17: NYC - Stories from the SOC
byAlert Logic
 
Application Security Tools
byLalit Kale
 
Security Testing - Zap It
byManjyot Singh
 
Zed Attack Proxy (ZAP)
byJAINAM KAPADIYA
 
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
Web & Cloud Security in the real world
byMadhu Akula
 
DVWA(Damn Vulnerabilities Web Application)
bySoham Kansodaria
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
byPhilippe Gamache
 
CSS 17: NYC - Realities of Security in the Cloud
byAlert Logic
 
[Wroclaw #7] Why So Serial?
byOWASP
 
DVWA BruCON Workshop
bytestuser1223
 
[OWASP Poland Day] Web App Security Architectures
byOWASP
 
Zap vs burp
byTomasz Fajks
 
Ten Commandments of Secure Coding
byMateusz Olejarka
 
CSS17: Houston - Protecting Web Apps
byAlert Logic
 

Similar to Web hackingtools 2015

PDF
Common Web Application Attacks
byAhmed Sherif
 
PPTX
Web application Security tools
byNico Penaredondo
 
ODP
Hunting Security Bugs in Modern Web Applications
byToe Khaing
 
ODP
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
byTabăra de Testare
 
PPT
OWASP App Sec US - 2010
byAditya K Sood
 
PDF
Web Security
byKHOANGUYNNGANH
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
PDF
Web Application Security: Introduction to common classes of security flaws an...
byThoughtworks
 
PDF
Tw noche geek quito webappsec
byThoughtworks
 
PDF
Alert logic anatomy owasp infographic
byCMR WORLD TECH
 
PPTX
OWASP top 10-2013
bytmd800
 
PPT
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
byjangomanso
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PPTX
Owasp top 10 Vulnerabilities by cyberops infosec
byCyberops Infosec LLP
 
PPTX
Web application vulnerability assessment
byRavikumar Paghdal
 
PPTX
Introduction to security testing raj
byRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
PDF
Security Awareness
byLucas Hendrich
 
PDF
Owasp top 10_openwest_2019
bySean Jackson
 
PDF
Web Application Security Guide by Qualys 2011
bynat page
 
PDF
Qg was guide
bynat page
 
Common Web Application Attacks
byAhmed Sherif
 
Web application Security tools
byNico Penaredondo
 
Hunting Security Bugs in Modern Web Applications
byToe Khaing
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
byTabăra de Testare
 
OWASP App Sec US - 2010
byAditya K Sood
 
Web Security
byKHOANGUYNNGANH
 
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
Web Application Security: Introduction to common classes of security flaws an...
byThoughtworks
 
Tw noche geek quito webappsec
byThoughtworks
 
Alert logic anatomy owasp infographic
byCMR WORLD TECH
 
OWASP top 10-2013
bytmd800
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
byjangomanso
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Owasp top 10 Vulnerabilities by cyberops infosec
byCyberops Infosec LLP
 
Web application vulnerability assessment
byRavikumar Paghdal
 
Introduction to security testing raj
byRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
Security Awareness
byLucas Hendrich
 
Owasp top 10_openwest_2019
bySean Jackson
 
Web Application Security Guide by Qualys 2011
bynat page
 
Qg was guide
bynat page
 

More from ColdFusionConference

PDF
Api manager preconference
byColdFusionConference
 
PDF
Cf ppt vsr
byColdFusionConference
 
PDF
Building better SQL Server Databases
byColdFusionConference
 
PDF
API Economy, Realizing the Business Value of APIs
byColdFusionConference
 
PDF
Don't just pdf, Smart PDF
byColdFusionConference
 
PDF
Crafting ColdFusion Applications like an Architect
byColdFusionConference
 
PDF
Security And Access Control For APIS using CF API Manager
byColdFusionConference
 
PDF
Monetizing Business Models: ColdFusion and APIS
byColdFusionConference
 
PDF
Become a Security Rockstar with ColdFusion 2016
byColdFusionConference
 
PDF
ColdFusion in Transit action
byColdFusionConference
 
PDF
Developer Insights for Application Upgrade to ColdFusion 2016
byColdFusionConference
 
PDF
Where is cold fusion headed
byColdFusionConference
 
PDF
ColdFusion Keynote: Building the Agile Web Since 1995
byColdFusionConference
 
PDF
Instant ColdFusion with Vagrant
byColdFusionConference
 
PPT
Restful services with ColdFusion
byColdFusionConference
 
PDF
Super Fast Application development with Mura CMS
byColdFusionConference
 
PDF
Build your own secure and real-time dashboard for mobile and web
byColdFusionConference
 
PDF
Why Everyone else writes bad code
byColdFusionConference
 
PDF
Securing applications
byColdFusionConference
 
PDF
Testing automaton
byColdFusionConference
 
Api manager preconference
byColdFusionConference
 
Cf ppt vsr
byColdFusionConference
 
Building better SQL Server Databases
byColdFusionConference
 
API Economy, Realizing the Business Value of APIs
byColdFusionConference
 
Don't just pdf, Smart PDF
byColdFusionConference
 
Crafting ColdFusion Applications like an Architect
byColdFusionConference
 
Security And Access Control For APIS using CF API Manager
byColdFusionConference
 
Monetizing Business Models: ColdFusion and APIS
byColdFusionConference
 
Become a Security Rockstar with ColdFusion 2016
byColdFusionConference
 
ColdFusion in Transit action
byColdFusionConference
 
Developer Insights for Application Upgrade to ColdFusion 2016
byColdFusionConference
 
Where is cold fusion headed
byColdFusionConference
 
ColdFusion Keynote: Building the Agile Web Since 1995
byColdFusionConference
 
Instant ColdFusion with Vagrant
byColdFusionConference
 
Restful services with ColdFusion
byColdFusionConference
 
Super Fast Application development with Mura CMS
byColdFusionConference
 
Build your own secure and real-time dashboard for mobile and web
byColdFusionConference
 
Why Everyone else writes bad code
byColdFusionConference
 
Securing applications
byColdFusionConference
 
Testing automaton
byColdFusionConference
 

Recently uploaded

PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 

Web hackingtools 2015

  • 1.
    Web Penetration and HackingTools David Epler Security Architect depler@aboutweb.com
  • 2.
    About Me • ApplicationDeveloper originally • Contributor to Learn CF In a Week • OWASP Individual Member • OWASP Zed Attack Proxy (ZAP) Evangelist • Security Certifications - CEH, GWAPT
  • 3.
    About the Session •What will NOT be covered • How to fix your code • How to secure your OS, Web Server, Database Server, or Application Server
  • 4.
    About the Session •What will be covered • Recent events in security and hacking • Demonstration of various penetration testing tools used against web applications • Quick overview of Web Application Firewalls and Web Vulnerability Scanners
  • 5.
    About the Demos •Virtual Machines, not live servers • BackTrack/Kali Linux • OWASP Broken Web Apps • Windows 7 & Server 2008 R2
 DO NOT perform any activities shown on any network/system or network connected device without proper permission!
  • 6.
    205Average number ofdays a network is compromised by a hacker before discovery
 Down from 229 days in 2014 as reported by Mandiant M-Trends Report
  • 7.
  • 8.
    Heartbleed • At disclosure615,268 of the Internet's secure web servers were vulnerable • May 8, 2014 - 318,239 • June 21, 2014 - 309,197 • Contributed to Community Health Systems theft of 4.5 million patient records
  • 9.
    Qualys SSL ServerTest https://www.ssllabs.com/ssltest/
  • 14.
    OWASP Top Ten(2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  • 15.
    Vulnerability Prevalence from VeraCodeSoSS Cross Site Scripting! (XSS) SQL Injection Information Leakage Directory Traversal 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 47% 29% 27% 60% 56% 60% 30% 61% 49% 58% 31% 57% 22% 62% 72% 95% ColdFusion Java .NET PHP
  • 16.
    Things you’ll never seein logs • Internet search engines used for passive reconnaissance • Google Hacks • Internet Archive • Netcraft • Alexa • Shodan • Not quite passive but can be hard to spot • Web Crawler/Spider/Mirroring
  • 17.
    OWASP Top Ten(2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  • 18.
    OWASP Top Ten(2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  • 20.
    • Stacked Queries •http://www.victim.com/products.asp?id=1;exec +master..xp_cmdshell+'dir' • Tautology • http://www.victim.com/logon.aspx?username=admin' or 1=1;-- • UNION Statements • http://www.victim.com/products.asp?id=12+UNION +SELECT +userid,first_name,second_name,password+FROM +customers • Blind SQL Injection (SQLi)
  • 21.
    Demo • Tool • sqlmap •Target • OWASP Broken Web Apps • Apache 2.2.14 + PHP 5.3.2 • MySQL 5.1.41
  • 22.
  • 24.
  • 25.
  • 26.
  • 27.
    Password Cracking • Techniques •Rainbow Tables • Brute Force • Dictionary/Word Lists • Hybrid ! • RockYou.com (Dec 2009) • 14.3 million unique clear text passwords
  • 28.
    25 GPU HPCCluster • Presented by Jeremi Gosney at Passwords^12 Conference • 5 - 4U Servers • 25 Radeon GPUs • Hashcat
  • 29.
    Reported Benchmarks of 25GPU HPC cluster MD5 SHA1 BCrypt (05) Attempts per Second 0 100,000,000,000 200,000,000,000 71,000 63,000,000,000 180,000,000,000
  • 30.
    Gosney vs LinkedIn PasswordHashes PercentCracked 0% 20% 40% 60% 80% 100% 30 seconds 2 hours 1 day 6 days 90% 64% 53% 21%
  • 32.
    OWASP Top Ten(2013) A3: Cross-Site Scripting (XSS) A1: Injection A6: Sensitive Data Exposure A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  • 33.
    OWASP Top Ten(2013) A3: Cross-Site Scripting (XSS) A1: Injection A6: Sensitive Data Exposure A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  • 34.
    • Stored • Attacker’sscript is stored on the server (e.g. blog comments, forums) and later displayed in HTML pages, without proper filtering • Reflected • HTML page reflects user input data back to the browser, without sanitizing the response • DOM Based Cross-Site Scripting (XSS)
  • 35.
  • 36.
    Demo • Tools • BeEF(Browser Exploitation Framework) • Metasploit • Target • OWASP Broken Web Apps • Apache 2.2.14 + PHP 5.3.2 • Victim • Windows 7 • IE 9 + Java 7 Plugin
  • 37.
  • 38.
    OWASP Top Ten(2013) A5: Security Misconfiguration A4: Insecure Direct Object References A2: Broken Authentication and Session Management A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A8: Cross Site Request Forgery (CSRF) A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  • 39.
    OWASP Top Ten(2013) A5: Security Misconfiguration A4: Insecure Direct Object References A2: Broken Authentication and Session Management A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A8: Cross Site Request Forgery (CSRF) A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  • 40.
    • Stolen DataHeaders from the Federal Reserve Hack (Feb 2013) • Downed US vuln catalog infected for at least TWO MONTHS (March 2013) • Web host Linode, hackers clash over credit-card raid claim (April 2013) • Washington Court Data Breach Exposes 160K SSNs (May 2013) • Alleged Hacker Indicted In New Jersey For Data Breach Conspiracy Targeting Government Agency Networks (Oct 2013) Notable ColdFusion Hacks in 2013
  • 42.
    Demo • Tool • PublishedExploit Script • Target • Windows Server 2008 R2 • IIS 7.5 + ColdFusion 10 w/ Update 9 • Secure Profile Enabled
  • 43.
    Exploit Script Demo •http://www.youtube.com/watch? v=XsQWK_UaASk
  • 44.
    If you don’tsecure your stuff, you are just making it easy for hackers 
 and they DON’T mostly come at night.
  • 45.
    So should youjust turn everything off and unplug it?
  • 46.
    • Web applicationfirewall (WAF) are used to protect web applications without the need to modify them • Can be an appliance, server plugin, or filter • Provide an additional layer of security • Can react faster than changing application code • More common in front of legacy applications Web Application Firewall
  • 47.
    • Open source,free web application firewall • Apache, IIS 7, Nginx, reverse proxy • Security Models • Negative Security Model • Positive Security Model • Virtual Patching • Extrusion Detection Model • OWASP ModSecurity Core Rule Set Project ModSecurity
  • 48.
    • Provide automatedway to test web application for vulnerabilities • Static vs Dynamic Analysis • Can be challenging to setup authentication and session management • Can’t improvise, every web application is unique • Usually integrated as part of Secure Software Development Life Cycle (SSDLC) Web Vulnerability Scanners
  • 49.
    Book The Web ApplicationHacker's Handbook: Finding and Exploiting Security Flaws, Second Edition by  Dafydd Stuttard and Marcus Pinto" John Wiley & Sons © 2012 (912 pages)" ISBN: 9781118026472"
  • 50.
    • Blog: http://www.dcepler.net •Email: depler@aboutweb.com • Twitter: @dcepler Q&A - Thanks
  • 51.
    • Tools • sqlmap •BeEF • Metasploit ! • Virtual Machines/Live CDs • Kali Linux • Samurai Web Testing Framework • OWASP Broken Web Apps Resources
  • 52.
    • Security Benchmarks/Guides •CIS Benchmarks • DISA STIG • Microsoft Security Compliance Manager ! • Securing/Patching ColdFusion • ColdFusion 9 Server Lockdown Guide (pdf) • ColdFusion 10 Server Lockdown Guide (pdf) • ColdFusion 11 Server Lockdown Guide (pdf) • Unofficial Updater 2 Resources
  • 53.
    • OWASP TopTen 2013 • Shodan: The scariest search engine on the Internet • Report: Crematoriums To Caterpillars Shodan Reveals Internet Of Things • Google Hacking Database (GHDB) Resources
  • 54.
    • Web ApplicationFirewalls • Commercial • Trustwave - WebDefend Web Application Firewall • Cisco - ACE Web Application Firewall • Citrix - NetScaler App Firewall • F5 - BIG-IP Application Security Manager • Privacyware - ThreatSentry IIS Web Application Firewall • Fuseguard - Foundeo • Free • Trustwave - ModSecurity • Microsoft - URLScan 3.1 Resources
  • 55.
    • Web VulnerabilityScanners • Dynamic Scanner • Cenzic Hailstorm • HP WebInspect • IBM Security AppScan • Static Scanner • HP Fortify Static Code Analyzer • VeraCode Static • Intercepting Proxies • Burp Suite • OWASP Zed Attack Proxy (ZAP) Resources
  • 56.
    Books SQL Injection Attacksand Defense, Second Edition by  Justin Clarke" Syngress Publishing © 2012 (576 pages) " ISBN: 9781597499637 Web Application Obfuscation: '-/ WAFs..dEvasion..dFilters//alert (/ Obfuscation/)-' by  Mario Heiderich, Eduardo AlbertoVela Nava, Gareth Heyes and David Lindsay" Syngress Publishing © 2011 (290 pages)" ISBN: 9781597496049 XSS Attacks: Cross Site Scripting Exploits and Defense by  Jeremiah Grossman, Robert “RSnake” Hansen, Petko “pdp” D. Petkov and Anton Rager" Syngress Publishing © 2007 (479 pages)" ISBN: 9781597491549" Penetration Tester's Open Source Toolkit, Third Edition by  Jeremy Faircloth" Syngress Publishing © 2011 (465 pages) ISBN: 9781597496278
  • 57.
    • Free CommercialReports • Mandiant • M-Trends 2015 (April 2015) • APT1: Exposing One of China’s Cyber Espionage Units (Feb 2013) ! • VeraCode • State of Software Security Report Volume 5 (April 2013) References
  • 58.
    • Heartbleed • Morethan 300k systems 'still vulnerable' to Heartbleed attacks • Heartbleed Hack Still a Threat Six Months After Discovery References
  • 59.
    • Target • Sources:Target Investigating Data Breach • Email Attack on Vendor Set Up Breach at Target • Data breach hits Target’s profits, but that’s only the tip of the iceberg References
  • 60.
    • Home Depot •Home Depot Hit By Same Malware as Target • Home Depot: 56M Cards Impacted, Malware Contained References
  • 61.
    • Adobe PasswordHack • Adobe Breach Impacted At Least 38 Million Users • How an epic blunder by Adobe could strengthen hand of password crackers • Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder • Top 100 Adobe Passwords • XKCD Crossword Puzzle References
  • 62.
    • Password Cracking •Jeremi Gosney - Password Cracking HPC - Passwords^12 Presentation (pdf) • Jens Steube - Exploiting a SHA1 Weakness in Password Cracking - Passwords^12 Presentation (pdf) • New 25 GPU Monster Devours Passwords In Seconds • Oh great: New attack makes some password cracking faster, easier than ever • Why passwords have never been weaker—and crackers have never been stronger • The Final Word on the LinkedIn Leak • How I became a password cracker • Project Erebus v2.5 • SHA-1 crypto protocol cracked using Amazon cloud computing resources References
  • 63.
    • Recent Hacks •SQL Injection Flaw Haunts All Ruby on Rails Versions (Jan 2013) • Critics: Substandard crypto needlessly puts Evernote accounts at risk (March 2013) • Huge attack on WordPress sites could spawn never-before-seen super botnet (April 2013) • Why LivingSocial’s 50-million password breach is graver than you may think (April 2013) • Yahoo! Blind SQL Injection could lead to data leakage (April 2013) • Common Web Vulnerabilities Plague Top WordPress Plug-Ins (June 2013) • WordPress Fixes Remote Code Execution Flaw With 3.6.1 Release (Sept 2013) References
  • 64.
    • Recent Hacks •New York Times Hacked Again, This Time Allegedly by Chinese (Jan 2013) • AP Twitter feed hacked; no attack at White House (April 2013) • Dev site behind Apple, Facebook hacks didn’t know it was booby- trapped (Feb 2013) • IE 8 Zero Day Found as DoL Watering Hole Attack Spreads to Nine Other Sites (May 2013) • Hackers exploit critical IE bug; Microsoft promises patch (Sept 2013) • Many Flash, Java Users Running Older, Vulnerable Versions (Sept 2013) • Adobe To Announce Source Code, Customer Data Breach (Oct 2013) • Thousands of Sites Hacked Via vBulletin Hole (Oct 2013) References
  • 65.
    • XSS Attacks •Persistent XSS Vulnerability Plagues WordPress Plugin (April 2015) • Researcher Gets $5,000 for XSS Flaw in Google Apps Admin Console (Jan 2015) • Drupal Patches XSS Vulnerability in Spam Module (Sept 2014) • Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed (Jan 2014) • Security company says Nasdaq waited two weeks to fix XSS flaw (Sept 2013) • Apple Store Vulnerable to XSS (June 2013) • PayPal Site Vulnerable to XSS Attack (May 2013) References
  • 66.
    Shellshock • Series ofvulnerabilities in how Bash processes environment variables • CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 • Allows for remote code execution
  • 67.
    • Shellshock • Whatis #shellshock? • RedHat: Mitigating the shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) • How do I secure Apache against the Bash Shellshock vulnerability? • Shellshock Exploits Spreading Mayhem Botnet Malware References