Silent web app testing by example - BerlinSides 2011
Uploaded by: abraham-aranguren
![Page 1: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/1.jpg)
Silent web app testing by example
Abraham Aranguren (@7a_)
[email protected] http://7-a.org
Berlin Sides, December 29th 2011
![Page 2: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/2.jpg)
Agenda
• Quick Intro
• Walk-through:
  → No permission needed
  → Mild/Subtle testing techniques
  → Passive discovery at post-exploitation
• Conclusion
• Q&A
![Page 3: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/3.jpg)
About me
• Spanish dude
• Degree + Diploma in Computer Science
• Uni: Security research + honour mark
• IT: Since 2000 (netadmin / developer)
• Comeback to (offensive) security in 2007
• OSCP, CISSP, GWEB, CEH, MCSE, Etc.
• Web App Sec and Dev/Architect
• OWTF, GIAC, BeEF
![Page 4: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/4.jpg)
Intro
47% (31 out of 66) of the tests in the OWASP Testing Guide can be legally* performed, at least partially, without permission
* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!
![Page 5: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/5.jpg)
But …. why???
• Pre-engagement quality
• Choose bank wisely ☺
• Fun / Research
• No permission yet but tight deadline
• Get a head start in a pen test
• No fuzzing allowed / hard restrictions
• Waiting for info on other areas
![Page 6: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/6.jpg)
Talk Scope
This talk is mostly NOT about:
• https → NIDS blind*
• Use POST → not logged (usually)
• Wifi, Tor, proxies, proxychains …
This talk is about:
• Using normal traffic or no traffic
• Confuse payloads = look as legit traffic
![Page 7: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/7.jpg)
Types of Traffic
• Passive: No traffic to target
  Example: A third-party site touches the target, not us
• Semi Passive: Normal traffic to target
  Examples: Visit the site, download published content
• Active: Direct vulnerability probing
  Examples: SQL injection, XSS, CSRF attempts, etc.
![Page 8: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/8.jpg)
Legend
Ethics/Scope legend*:
• P → No permission needed: no attack traffic
• ! → Mild attack traffic / could break things
• !! → You better have written permission ..
Vulnerable vs. Not Vulnerable legend:
• Vulnerable
• Not Vulnerable
* When in doubt, don’t do it or consult a lawyer!
P
![Page 9: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/9.jpg)
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)
$ wget http://target.com/robots.txt
Case 1 → Not found: Indexing required?
Case 2 → Found: Analyse entries
P
![Page 10: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/10.jpg)
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.
Case 1 → robots.txt Not Found
…should Google index a site like this?
Or should robots.txt exist and be like this?
User-agent: *
Disallow: /
P
![Page 11: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/11.jpg)
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.
Case 2 → robots.txt Found (default Drupal robots.txt!)
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
...
# Files
Disallow: /CHANGELOG.txt   ← Drupal version ☺
Disallow: /xmlrpc.php
P
![Page 12: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/12.jpg)
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.
Case 2 → Research known vulns passively
(e.g. OpenID bypass for Drupal 6.16)
P
![Page 13: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/13.jpg)
(General) Environment replication
P
Download it .. sometimes from the project page ☺
Also check http://www.oldapps.com/, Google, etc.
![Page 14: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/14.jpg)
(General) Environment replication
P
Static analysis, fuzz, try exploits, ..
RIPS for PHP: http://rips-scanner.sourceforge.net/
Yasca for most other languages (also PHP): http://www.scovetta.com/yasca.html
![Page 15: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/15.jpg)
Search engine discovery / recon (OWASP-IG-002) cont.
P
Google Hacking techniques like ..
![Page 16: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/16.jpg)
Search engine discovery / recon (OWASP-IG-002) cont.
P
Automated Google Hacking
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
![Page 17: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/17.jpg)
Search engine discovery / recon (OWASP-IG-002) cont.
P
Metadata tools:
• FOCA (v. 3 now!)
• Metagoofil
• Exiftool
• EXIF FF plugin
http://www.informatica64.com/foca.aspx
![Page 18: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/18.jpg)
Search engine discovery / recon (OWASP-IG-002) cont.
P
The Harvester:
• Emails
• Employee names
• Subdomains
• Hostnames
http://www.edge-security.com/theHarvester.php
![Page 19: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/19.jpg)
Search engine discovery / recon (OWASP-IG-002) cont.
P
http://www.paterva.com/web5/client/download.php
Image Credit: http://www.paterva.com
![Page 20: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/20.jpg)
Search engine discovery / recon (OWASP-IG-002) cont.
P
http://www.paterva.com/web5/client/download.php
Image Credit: http://www.paterva.com
![Page 21: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/21.jpg)
Search engine discovery / recon (OWASP-IG-002) cont.
P
A bit of most in one:
https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
![Page 22: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/22.jpg)
Testing: Identify application entry points (OWASP-IG-003)
P
Use a proxy and JUST browse the site
• Let the proxy log ALL requests
• Understand the site
Proxies that detect vulns passively:
• ratproxy
• ZAP Proxy
Efficient manual browsing: Snap Links Plus
http://snaplinks.mozdev.org/
![Page 23: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/23.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004)
P
Goal: What is that server running?
Semi passive banner grab example:
$ curl -i -A 'Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0' -H 'Host: target.com' https://target.com
…
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
![Page 24: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/24.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://toolbar.netcraft.com - Passive banner grab, etc.
![Page 25: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/25.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
Search in the headers without touching the site:
http://www.shodanhq.com/
![Page 26: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/26.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://builtwith.com
• CMS
• Widgets
• Libraries
• etc.
![Page 27: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/27.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
Do you know what that site is running now?
Let’s look for exploits and vulns
![Page 28: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/28.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
Exploit DB - http://www.exploit-db.com
![Page 29: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/29.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
NVD - http://web.nvd.nist.gov - CVSS Score = High
![Page 30: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/30.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
OSVDB - http://osvdb.org - CVSS Score = High
![Page 31: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/31.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://www.securityfocus.com - Better on Google
![Page 32: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/32.jpg)
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://www.exploitsearch.net - All in one
![Page 33: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/33.jpg)
Testing for Application Discovery (OWASP-IG-005)
P
http://www.robtex.com - Passive DNS Discovery
![Page 34: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/34.jpg)
Testing for Application Discovery (OWASP-IG-005) cont.
P
http://whois.domaintools.com
![Page 35: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/35.jpg)
Testing for Application Discovery (OWASP-IG-005) cont.
P
http://centralops.net or proxychains .. nmap -sT
![Page 36: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/36.jpg)
Testing for Application Discovery (OWASP-IG-005) cont.
P
http://centralops.net
![Page 37: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/37.jpg)
Testing for Error Code (OWASP-IG-006)
P
Has Google found error messages for you?
![Page 38: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/38.jpg)
Testing for Error Code (OWASP-IG-006) cont.
P
Check errors via Google Cache
![Page 39: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/39.jpg)
Testing for SSL-TLS (OWASP-CM-001)
P
https://www.ssllabs.com/ssldb/analyze.html
No traffic ..
![Page 40: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/40.jpg)
Testing for SSL-TLS (OWASP-CM-001) cont.
P
https://www.ssllabs.com/ssldb/analyze.html
.. And pretty graphs
![Page 41: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/41.jpg)
Testing for SSL-TLS (OWASP-CM-001) cont.
P
Do not forget about Strict-Transport-Security!
$ curl -i https://accounts.google.com
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=2592000; includeSubDomains
sslstrip chances decrease dramatically:
only the 1st time the user visits the site!
![Page 42: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/42.jpg)
Application Configuration Management (OWASP-CM-004)
P
Just browse the site as normal and ..
look for comments! (lame but works!):
<!-- The password is 123 -->
/* TODO: Security hole here .. */
//FIXME: The function below is vulnerable…
![Page 43: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/43.jpg)
Testing for Admin Interfaces (OWASP-CM-007)
P
• 3rd party stuff on .NET ViewState, headers, ..
• Telerik.Web.UI?? Google it!
![Page 44: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/44.jpg)
Testing for Admin Interfaces (OWASP-CM-007) cont.
P
Google for default passwords:
![Page 45: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/45.jpg)
Testing for Admin Interfaces (OWASP-CM-007) cont.
!!
![Page 46: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/46.jpg)
Testing for Admin Interfaces (OWASP-CM-007) cont.
!!
![Page 47: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/47.jpg)
Testing for HTTP Methods and XST (OWASP-CM-008)
An OPTIONS request is quite normal:
$ curl -i -A 'Mozilla/5.0' -X OPTIONS -k https://site.com
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
P
![Page 48: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/48.jpg)
Testing for HTTP Methods and XST (OWASP-CM-008) cont.
http://centralops.net
P
![Page 49: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/49.jpg)
Testing for HTTP Methods and XST (OWASP-CM-008) cont.
http://centralops.net
P
![Page 50: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/50.jpg)
Testing for credentials transport (OWASP-AT-001)
Is the login page on “http” instead of “https”?
And … look carefully at pop-ups like this:
Consider: Firesheep and sslstrip
P
![Page 51: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/51.jpg)
Testing for user enumeration (OWASP-AT-002) – by design
P
Mario was going to report a bug to Mozilla and found another!
![Page 52: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/52.jpg)
Testing for user enumeration (OWASP-AT-002) – by design
P
Abuse user/member search functions:
1. Search for “” (nothing) or “a”, then “b”, ..
2. Download all the data using 1) + pagination (if any)
3. Merge the results into a CSV-like format
4. Import + save as a spreadsheet
5. Show the spreadsheet to your customer
![Page 53: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/53.jpg)
Testing for Default or Guessable User Account (OWASP-AT-003)
P
Analyse the username(s) they gave you to test:
• Username based on numbers? (e.g. USER12345)
• Username based on public info? (e.g. names, surnames, ..: name.surname)
• Default CMS user/pass?
![Page 54: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/54.jpg)
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)
P
Is autocomplete set to off?
• Via 1) <form … autocomplete="off">
• Or via 2) <input … autocomplete="off">
Or not?
<form action="/user/login" method="post"><input type="password" name="pass" />
![Page 55: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/55.jpg)
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont.
P
Easy “your grandma can do it” test:
1. Login
2. Logout
3. Click the browser Back button twice*
4. Can you login again, without typing the login or password, by re-sending the login form?
Can the user re-submit the login form via the back button?
* Until the login form submission
![Page 56: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/56.jpg)
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont.
P
Also .. look at the questions / fields in the password reset form …
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc.)
• Does it send an email to a potentially dead email address you can register? (e.g. hotmail.com)
![Page 57: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/57.jpg)
Logout and Browser Cache Management (OWASP-AT-007)
P
Goal: Is caching of sensitive info allowed?
Easy “your grandma can do it” test (needs a login):
1. Login
2. Logout
3. Click the browser Back button
4. Do you see logged-in content, or a “this page has expired” error / the login page?
![Page 58: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/58.jpg)
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
See headers with:
• Commands: curl -i http://target.com
• Proxy: Burp, ZAP, WebScarab, etc.
• Browser plugins:
https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
https://addons.mozilla.org/en-US/firefox/addon/firebug/
![Page 59: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/59.jpg)
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
1) Wrong caching HTTP/1.1 headers:
Cache-Control: private
Instead of:
Cache-Control: no-cache
![Page 60: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/60.jpg)
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
2) Wrong caching HTTP/1.0 headers:
Pragma: private
Expires: <way too far in the future>
Instead of:
Pragma: no-cache
Expires: <past date or illegal value (e.g. 0)>
![Page 61: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/61.jpg)
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
3) No caching headers (= caching allowed, default!)
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ….
X-Powered-By: ….
Connection: close
Content-Type: text/html; charset=UTF-8
Instead of (best):
$ curl -i https://accounts.google.com
...
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT
![Page 62: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/62.jpg)
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
Repeat for Meta tags:
4) Wrong HTTP/1.1:
<META HTTP-EQUIV="Cache-Control" CONTENT="private">
Instead of:
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
Etc. (see previous slides)
![Page 63: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/63.jpg)
Testing for Captcha (OWASP-AT-008)
P
Can be done offline:
• Download image and try to break it
• Are CAPTCHAs reused?
• Is a hash or token passed? (Good algorithm? Predictable?)
• Look for vulns on the CAPTCHA version:
PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
Captcha Breaker - http://churchturing.org/captcha-dist/
![Page 64: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/64.jpg)
Testing for Session Management Schema (OWASP-SM-001)
P
Examine cookies for weaknesses offline
Base64: MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
Is owaspuser:192.168.100.1: …
a7656fafe94dae72b1e1487670148412
![Page 65: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/65.jpg)
Testing for Session Management Schema (OWASP-SM-001) cont.
P
http://hackvertor.co.uk/public
![Page 66: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/66.jpg)
Testing for Session Management Schema (OWASP-SM-001) cont.
P
http://hackvertor.co.uk/public
Lots of decode options, including:
• auto_decode
• auto_decode_repeat
• d_base64
• etc.
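The offline cookie analysis from the slides above (the base64 value, the 32-hex-char value, and the Hackvertor auto_decode_repeat idea) as an added example; this is not code from the talk or from Hackvertor. The first two sample values are the ones on the slide, the third is a constructed URL-encoded copy to show repeated decoding.

```python
import base64
import binascii
import re
import string
from urllib.parse import unquote

PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Sample cookie values: the two from the slide plus a constructed
# URL-encoded variant of the base64 one (note the trailing %3D).
COOKIE_SAMPLES = [
    "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=",
    "a7656fafe94dae72b1e1487670148412",
    "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg%3D",
]

def _printable(text):
    return bool(text) and all(c in PRINTABLE for c in text)

def try_url(value):
    out = unquote(value)
    return out if out != value else None

def try_base64(value):
    # Only the standard alphabet with proper padding; garbage is rejected by the UTF-8 check.
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) or len(value) % 4:
        return None
    try:
        out = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return out if _printable(out) else None

def try_hex(value):
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        return None
    try:
        out = bytes.fromhex(value).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return out if _printable(out) else None

DECODERS = (("url", try_url), ("base64", try_base64), ("hex", try_hex))

def auto_decode_repeat(value, max_rounds=5):
    """Apply the first decoder that yields something new, then repeat on the
    result until no decoder changes it (the Hackvertor auto_decode_repeat idea)."""
    steps = []
    for _ in range(max_rounds):
        for name, decoder in DECODERS:
            out = decoder(value)
            if out is not None and out != value:
                steps.append(name)
                value = out
                break
        else:
            break
    return value, steps

def describe(decoded):
    """Point out the structure a tester looks at next in the decoded value."""
    notes = []
    if re.fullmatch(r"[0-9a-fA-F]{32}", decoded):
        notes.append("32 hex chars: MD5-length digest, is the hashed input predictable?")
    elif re.fullmatch(r"[0-9a-fA-F]{40}", decoded):
        notes.append("40 hex chars: SHA-1-length digest, is the hashed input predictable?")
    fields = decoded.split(":")
    if len(fields) > 1:
        notes.append(f"{len(fields)} colon-separated fields")
    if re.search(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", decoded):
        notes.append("contains an IPv4 address (client IP bound into the token?)")
    if re.search(r"pass(?:word|wd)?", decoded, re.IGNORECASE):
        notes.append("contains a password-like field in the clear")
    return notes

def analyse(value):
    decoded, steps = auto_decode_repeat(value)
    return {"decoded": decoded, "steps": steps, "notes": describe(decoded)}

if __name__ == "__main__":
    for sample in COOKIE_SAMPLES:
        print(sample, "->", analyse(sample))
```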
![Page 67: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/67.jpg)
Testing for Session Management Schema (OWASP-SM-001) cont.
P
Cookie decoder: F5 BIG-IP
http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
![Page 68: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/68.jpg)
Testing for cookies attributes (OWASP-SM-002)
P
• Secure: not set = session cookie leaked = pwned
• HttpOnly: not set = cookies stealable via JS
• Domain: set properly
• Path: set to the right /sub-application
• Expires: set reasonably
• 1 session cookie that works is enough ..
![Page 69: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/69.jpg)
Testing for Session Fixation (OWASP-SM-003)
P
Session ID normally NOT changed by default..
Before login: PHPSESSID:10a966616e8ed63f7a9b741f80e65e3c
+ After login: PHPSESSID:10a966616e8ed63f7a9b741f80e65e3c
= Vulnerable
![Page 70: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/70.jpg)
Testing for Exposed Session Variables (OWASP-SM-004)
P
Session ID:
• In URL
• In POST
• In HTML
Example from the field:
http://target.com/xxx/xyz.function?session_num=7785
![Page 71: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/71.jpg)
Testing for CSRF (OWASP-SM-005)
P
Look at HTML code:
No anti-CSRF token = Vulnerable
Anti-CSRF token = Wait for ACTIVE testing ☺
![Page 72: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/72.jpg)
Testing for Bypassing Authorization Schema (OWASP-AZ-002)
P
Look at unauthenticated cross-site requests:
http://other-site.com/user=3&report=4
Referer: site.com
Change ids in the application (!):
http://site.com/view_doc=4
![Page 73: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/73.jpg)
Testing for Reflected/Stored Cross site scripting (OWASP-DV-001)
P
Headers enabling/disabling client-side XSS filters:
• X-XSS-Protection (IE-only)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
Example:
$ curl -i https://accounts.google.com
X-XSS-Protection: 1; mode=block
![Page 74: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/74.jpg)
UI Redressing Protection, i.e. Clickjacking (OWASP Code?)
P
Look for UI Redressing protections:
• X-Frame-Options (best)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
• JavaScript frame busting (sometimes bypassable)
Example:
$ curl -i https://accounts.google.com
X-Frame-Options: Deny
“Clickjacking for Shells”: http://www.morningstarsecurity.com/research/clickjacking-wordpress
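The header checks spread over the Strict-Transport-Security, browser-cache (OWASP-AT-007), cookie-attribute (OWASP-SM-002), XSS-filter and clickjacking slides, plus the TRACE-in-Allow check from the OPTIONS slide, collected into one offline audit of a captured response. This is an added example, not code from the talk: both responses are constructed (the good one mirrors the accounts.google.com headers quoted on the slides), and the 30-day HSTS threshold is an assumption.

```python
# Constructed sample responses, not captured from any real site. The weak one combines
# the anti-patterns from the slides; the good one mirrors the headers quoted from accounts.google.com.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 09 Aug 2011 13:38:43 GMT\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Cache-Control: private\r\n"
    "Set-Cookie: PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
GOOD_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Strict-Transport-Security: max-age=2592000; includeSubDomains\r\n"
    "Cache-Control: no-cache, no-store\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Mon, 01-Jan-1990 00:00:00 GMT\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: Deny\r\n"
    "Set-Cookie: SID=constructed-value; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
MIN_HSTS_AGE = 30 * 24 * 3600  # assumed threshold, not from the talk

def parse_headers(raw):
    """Return (status_line, [(lower_name, value), ...]); repeated Set-Cookie lines are kept."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def values(headers, name):
    return [v for n, v in headers if n == name]

def audit_hsts(headers):
    hsts = values(headers, "strict-transport-security")
    if not hsts:
        return ["no Strict-Transport-Security: sslstrip-style downgrade possible on every visit"]
    directives = {k.strip().lower(): v for k, _, v in (p.partition("=") for p in hsts[0].split(";"))}
    findings = []
    if int(directives.get("max-age") or 0) < MIN_HSTS_AGE:
        findings.append("HSTS max-age shorter than 30 days")
    if "includesubdomains" not in directives:
        findings.append("HSTS without includeSubDomains")
    return findings

def audit_caching(headers):
    cc = ", ".join(values(headers, "cache-control")).lower()
    pragma = ", ".join(values(headers, "pragma")).lower()
    if not cc and not pragma and not values(headers, "expires"):
        return ["no caching headers: caching is allowed by default"]
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store, HTTP/1.1 browsers may keep the page")
    if "no-cache" not in cc and "no-cache" not in pragma:
        findings.append("neither Cache-Control nor Pragma says no-cache")
    if "private" in cc and "no-store" not in cc:
        findings.append("Cache-Control: private only stops shared caches, the browser still caches")
    return findings

def audit_cookies(headers):
    findings = []
    for raw in values(headers, "set-cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower(): p.partition("=")[2] for p in parts[1:]}
        for flag, why in (("secure", "sent over plain http, session leakable"),
                          ("httponly", "readable from JavaScript")):
            if flag not in attrs:
                findings.append(f"cookie {name}: {flag} not set ({why})")
        if "path" not in attrs:
            findings.append(f"cookie {name}: no Path, defaults to the request path")
    return findings

def audit_client_side(headers):
    findings = []
    xfo = values(headers, "x-frame-options")
    if not xfo:
        findings.append("no X-Frame-Options: page can be framed (clickjacking / UI redressing)")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unexpected X-Frame-Options value {xfo[0]!r}")
    if not values(headers, "x-xss-protection"):
        findings.append("no X-XSS-Protection: IE filter left at browser default")
    if "trace" in ", ".join(values(headers, "allow")).lower():
        findings.append("TRACE advertised in Allow: XST candidate")
    return findings

def audit(raw):
    """Run every passive check over one captured response and return the findings."""
    _, headers = parse_headers(raw)
    return audit_hsts(headers) + audit_caching(headers) + audit_cookies(headers) + audit_client_side(headers)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, *audit(response), sep="\n  ")
```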
![Page 75: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/75.jpg)
Testing for DOM-based Cross site scripting (OWASP-DV-003)
P
Review JavaScript code on the page:
<script> document.write("Site is at: " + document.location.href + "."); </script>
Sometimes active testing is possible in your browser (no trip to server = not an attack = not logged):
http://target.com/...#vulnerable_param=xss
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
![Page 76: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/76.jpg)
Testing for Cross site flashing (OWASP-DV-004)
P
1) Find Flash files:
![Page 77: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/77.jpg)
Testing for Cross site flashing (OWASP-DV-004) cont.
P
2) Find crossdomain.xml
![Page 78: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/78.jpg)
Testing for Cross site flashing (OWASP-DV-004) cont.
P
3) Look at crossdomain.xml:
Example 1:
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
Example 2:
<cross-domain-policy>
  <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>
http://en.wikipedia.org/wiki/Same_origin_policy
http://kb2.adobe.com/cps/403/kb403185.html
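A small reviewer for the two policy shapes shown above; added example, not code from the talk, using the slide's two policies as constructed input. The secure attribute is treated with Adobe's default of true when absent.

```python
import xml.etree.ElementTree as ET

# The two policies from the slide, embedded as constructed input.
POLICY_OPEN = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
POLICY_SCOPED = """<cross-domain-policy>
  <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>"""

def review_crossdomain(xml_text):
    """Return findings for one crossdomain.xml; an empty list means nothing stood out."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element {root.tag!r}"]
    findings = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF from any origin can read this site with the visitor\'s cookies')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain={domain}: every subdomain is trusted, one weak subdomain exposes this site")
        # Adobe's default for secure is true; false lets SWFs loaded over http read https content.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain={domain or "?"} secure="false": https content readable from http SWFs')
    for el in root.findall("allow-http-request-headers-from"):
        domain, headers = el.get("domain", ""), el.get("headers", "")
        if domain == "*" or headers == "*":
            findings.append(f"allow-http-request-headers-from domain={domain!r} headers={headers!r}: too broad, scope it like Example 2")
    return findings

if __name__ == "__main__":
    for label, policy in (("Example 1", POLICY_OPEN), ("Example 2", POLICY_SCOPED)):
        print(label, review_crossdomain(policy) or ["nothing stood out"])
```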
![Page 79: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/79.jpg)
Testing for Cross site flashing (OWASP-DV-004) cont.
P
4) Download + decompile Flash files:
$ flare hello.swf
![Page 80: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/80.jpg)
Testing for Cross site flashing (OWASP-DV-004) cont.
P
http://www.brothersoft.com/hp-swfscan-download-253747.html
http://tinyurl.com/SWFScan-msi
![Page 81: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/81.jpg)
Testing for Cross site flashing (OWASP-DV-004) cont.
P
Good news: Unlike DOM XSS, the # trick will always work for Flash Files
Active testing ☺
1) Trip to server = need permission (!)
http://target.com/test.swf?xss=foo&xss2=bar
2) But … your browser is yours:
No trip to server = no permission needed (P)
http://target.com/test.swf#?xss=foo&xss2=bar
![Page 82: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/82.jpg)
Testing for SQL Injection (OWASP-DV-005)
P
Did Google find SQLi for you?
![Page 83: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/83.jpg)
DoS Failure to Release Resources (OWASP-DS-007)
P
1. Browse site
2. Time requests
3. Get top X slowest requests
4. Slowest = best DoS target
![Page 84: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/84.jpg)
Testing: WS Information Gathering (OWASP-WS-001)
P
Google searches: inurl:wsdl site:example.com
Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL
Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/
![Page 85: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/85.jpg)
Testing for WS Replay (OWASP-WS-007)
P
Similar to CSRF: Is there an anti-replay token in the request?
![Page 86: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/86.jpg)
Testing for file extensions handling (OWASP-CM-005)
Some attack traffic, but subtle. File uploads:
• If upload.php or .asp, .html, .. is allowed by the app
• A valid GIF or JPG comment can be a valid PHP script, etc ..
• The difference from attack to legit can be subtle
• File uploads are POST = often not logged (enterprises do, but small businesses normally don’t)
!!
![Page 87: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/87.jpg)
Testing for Error Code (OWASP-IG-006)
• Use var_name[] in PHP:
• Make __VIEWSTATE = 'a':
[ViewStateException: Invalid viewstate …..…) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\ ….
!
![Page 88: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/88.jpg)
Testing for user enumeration (OWASP-AT-002)
• Error messages: “this user does not exist”, “the website member could not be found”, etc.
• Time differences:
$ time curl https://target.com -d 'user=x&pass=y'
Bad login example:
Valid user (retrieved from DB): > 1.5 secs
Invalid user (not in DB = faster): < 0.7 secs
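Why the timing gap above exists and how it is closed, as an added example that is not from the slides: the leaky login returns early for unknown users and never hashes the password, while the uniform version always does one PBKDF2 computation, against a dummy hash when the user is unknown. The user store, salts and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

_ITER = 50_000  # PBKDF2 rounds; enough to make the hash measurably slow

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)

# Constructed demo user store (username -> (salt, hash)); not real credentials.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Counts expensive hash computations per code path, so the asymmetry can be
# checked deterministically instead of through noisy wall-clock timing.
hash_calls = {"leaky": 0, "uniform": 0}

def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: an unknown user returns before any hashing, so a
    failed login for a real user takes measurably longer (the >1.5s vs <0.7s
    gap above)."""
    rec = USERS.get(username)
    if rec is None:
        return False  # fast path leaks "this user does not exist"
    hash_calls["leaky"] += 1
    salt, expected = rec
    return hmac.compare_digest(_pbkdf2(password, salt), expected)

# Dummy credential so an unknown user costs exactly one hash, like a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2("not-a-real-password", _DUMMY_SALT)

def login_uniform(username: str, password: str) -> bool:
    """Hardened pattern: always run PBKDF2 once, against the dummy hash when
    the user is unknown, so valid and invalid usernames cost the same."""
    rec = USERS.get(username)
    known = rec is not None
    salt, expected = rec if known else (_DUMMY_SALT, _DUMMY_HASH)
    hash_calls["uniform"] += 1
    match = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return match and known

if __name__ == "__main__":
    import time
    for fn in (login_leaky, login_uniform):
        for user in ("alice", "mallory"):
            t0 = time.perf_counter()
            fn(user, "wrong password")
            print(f"{fn.__name__:14s} {user:8s} {(time.perf_counter() - t0) * 1000:7.1f} ms")
```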
![Page 89: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/89.jpg)
Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2)
Subtle: look for signs of output encoding:
O’Brien → O'Brien
O”Brien → O"Brien or O%22Brien
Ted..> → Ted..&gt; or Ted..%3E
Ted,< → Ted,&lt; or Ted..%3C
Charset, etc.
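An added helper, not part of the original deck, for reading the signs listed above: given a response body and the context a harmless probe character was submitted in, it reports whether that character came back raw, HTML-entity encoded, URL encoded or stripped. The four response bodies and the names D"Angelo, Ted..>Ryan and Ann,<Lee are constructed for the demo.

```python
import html
import re
import urllib.parse

# Constructed response bodies standing in for what a site might send back after
# the harmless values O'Brien, D"Angelo, Ted..>Ryan and Ann,<Lee were submitted
# (not captured from any real site).
RESP_RAW = "<p>O'Brien D\"Angelo Ted..>Ryan Ann,<Lee</p>"
RESP_HTML = "<p>O&#39;Brien D&quot;Angelo Ted..&gt;Ryan Ann,&lt;Lee</p>"
RESP_URL = '<a href="/u?q=O%27Brien&o=D%22Angelo&t=Ted..%3ERyan&a=Ann,%3CLee">me</a>'
RESP_STRIP = "<p>OBrien DAngelo Ted..Ryan Ann,Lee</p>"

# What may occupy the slot where the special character was: an HTML entity,
# a %XX escape, one raw non-alphanumeric character, or nothing (stripped).
_SLOT = r"(&#?[A-Za-z0-9]+;|%[0-9A-Fa-f]{2}|[^A-Za-z0-9]|)"

def reflection_encoding(body: str, left: str, ch: str, right: str) -> str:
    """How did the single character `ch`, submitted between the literal context
    `left` and `right`, come back in `body`? One of: raw, html, url, stripped,
    other, absent."""
    m = re.search(re.escape(left) + _SLOT + re.escape(right), body)
    if not m:
        return "absent"
    got = m.group(1)
    if got == ch:
        return "raw"  # no output encoding at all: the sign worth a closer look
    if got == "":
        return "stripped"
    if html.unescape(got) == ch:
        return "html"  # &#39; &quot; &lt; &gt; or numeric/hex variants
    if urllib.parse.unquote(got) == ch:
        return "url"  # %27 %22 %3C %3E
    return "other"

# The four probe characters from the slide, each with a unique surrounding context.
PROBES = {
    "apostrophe": ("O", "'", "Brien"),
    "dquote": ("D", '"', "Angelo"),
    "gt": ("Ted..", ">", "Ryan"),
    "lt": ("Ann,", "<", "Lee"),
}

def check_probes(body: str) -> dict:
    """Classify every probe character in one response body."""
    return {name: reflection_encoding(body, *ctx) for name, ctx in PROBES.items()}

if __name__ == "__main__":
    for label, body in (("raw", RESP_RAW), ("html", RESP_HTML),
                        ("url", RESP_URL), ("stripped", RESP_STRIP)):
        print(f"{label:9s} {check_probes(body)}")
```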
![Page 90: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/90.jpg)
Testing for SQL Injection (OWASP-DV-005)
SQL errors:
• Strings: O’Brien
• IDs: instead of “1” type “1l” or “1 l”
Math operations: is the same item displayed?
• target.com/id=2 → target.com/id=1%2B1
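An added example, not from the slides, of why the two cues above work, using an in-memory SQLite table constructed for the demo: the concatenating lookup evaluates 1+1 (what id=1%2B1 decodes to) to 2 and makes the database throw an error on "1 l", while the parameterised version returns nothing and raises nothing for either.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory catalogue constructed for the demo; not data from any site."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)",
                    [(1, "first"), (2, "second"), (3, "third")])
    return con

def lookup_concat(con: sqlite3.Connection, item_id: str):
    """Vulnerable pattern: the raw query-string value is pasted into the SQL.
    '1+1' is evaluated by the database, so it shows the item with id 2;
    '1 l' makes the database itself throw an error."""
    row = con.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchone()
    return row[0] if row else None

def lookup_param(con: sqlite3.Connection, item_id: str):
    """Hardened pattern: validate the id as an integer and bind it as a
    parameter, so neither cue above appears."""
    if not item_id.isdigit():
        return None
    row = con.execute("SELECT name FROM items WHERE id = ?", (int(item_id),)).fetchone()
    return row[0] if row else None

def same_item(con, lookup, a: str, b: str) -> bool:
    """The slide's math-operation check: do ids a and b display the same item?"""
    first = lookup(con, a)
    return first is not None and first == lookup(con, b)

def raises_sql_error(con, lookup, item_id: str) -> bool:
    """The slide's SQL-error check: does this id make the database complain?"""
    try:
        lookup(con, item_id)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    con = make_db()
    for lookup in (lookup_concat, lookup_param):
        print(lookup.__name__,
              "id=2 same as id=1+1:", same_item(con, lookup, "2", "1+1"),
              "| id='1 l' errors:", raises_sql_error(con, lookup, "1 l"))
```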
![Page 91: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/91.jpg)
Testing for Application Discovery (OWASP-IG-005) @ post-exploitation
Got shell?!!
![Page 92: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/92.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
You feel like ..!!
![Page 93: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/93.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
They feel like ..!!
![Page 94: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/94.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
They feel like ..!!
![Page 95: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/95.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
They feel like ..!!
![Page 96: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/96.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
And finally ..!!
![Page 97: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/97.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
You have a mission!
• “Shell is only the beginning” – Darkoperator
• Your job is to show impact*
• Web app sec can also involve network sec!
Goal: How much damage could be done?
*within scope restrictions!
![Page 98: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/98.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
• Web server running as SYSTEM? (default!)
• No need to crack passwords .. !!
![Page 99: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/99.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
Just type your chosen password ..!!
![Page 100: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/100.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
• Steal passwords ..
• Be patient, it’s worth it ..
![Page 101: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/101.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
Pivot to the other hosts reusing passwords!!
![Page 102: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/102.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
PASSIVE ping sweep: unique IPs & MACs from the ARP table of all popped boxes via winenum
![Page 103: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/103.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
PASSIVE local “port scanning” from winenum
![Page 104: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/104.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
Don’t forget about IPv6 & UDP ☺
![Page 105: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/105.jpg)
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
PASSIVE remote “port scanning” from winenum via active connections
![Page 106: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/106.jpg)
Pen tester conclusion
• No permission != cannot start
• A lot of work can be done in advance
This work in advance helps with:
• Increased efficiency
• Dealing better with tight deadlines
• Better pre-engagement
• Better test quality
• Best chance to get in
Bottom line: Do it
![Page 107: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/107.jpg)
Business Conclusion
• Web app security > input validation
• We see no traffic != we are not targeted
• No IDS alerts != we are safe
• Your site can be tested without you noticing
• Test your security before others do
![Page 108: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/108.jpg)
Special thanks to
• OWASP Testing Guide contributors
• Krzysztof Kotowicz
• Marcus Niemietz
• Mario Heiderich
• Michele Orru
• Sandro Gauci
![Page 109: Silent web app testing by example - BerlinSides 2011](https://reader033.fdocuments.us/reader033/viewer/2022052410/554bbbc0b4c9053a298b4db1/html5/thumbnails/109.jpg)
Q&A
Abraham Aranguren
http://7-a.org
Q - owtf! This is a lot of work
A - I know, check out: http://owtf.org