SlideShare a Scribd company logo

Silent web app testing by example - BerlinSides 2011

Abraham Aranguren
Abraham Aranguren

A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques NOTE: Use the "Download" option at the top to see the presentation as a PDF properly

1 of 109
Downloaded 218 times
Silent web app testing by example Berlin Sides, December 29th 2011 Abraham Aranguren @7a_ abraham.aranguren@gmail.com http://7-a.org
Agenda • Quick Intro • Walk-through: No permission needed Mild/Subtle testing techniques Passive discovery at post-exploitation • Conclusion • Q&A
About me • Spanish dude • Degree + Diploma in Computer Science • Uni: Security research + honour mark • IT: Since 2000 (netadmin / developer) • Comeback to (offensive) security in 2007 • OSCP, CISSP, GWEB, CEH, MCSE, Etc. • Web App Sec and Dev/Architect • OWTF, GIAC, BeEF
Intro 47% (31 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺ * This is only my interpretation and not that of my employer + might not apply to your country!
But …. why??? • Pre-engagement quality • Choose bank wisely ☺ • Fun / Research • No permission yet but tight deadline • Get a head start in a pen test • No fuzzing allowed / hard restrictions • Waiting for info on other areas
Talk Scope This talk is mostly NOT about: • https NIDS blind* • Use POST not logged (usually) • Wifi, Tor, proxies, proxychains … This talk is about: • Using normal traffic or no traffic • Confuse payloads = look as legit traffic
Types of Traffic • Passive: No traffic to target Example: Third party site touches target not us • Semi Passive: Normal traffic to target Examples: Visit site, download published content • Active: Direct vulnerability probing Examples: SQL injection, XSS, CSRF, etc. tries
Legend Ethics/Scope legend*: P • P No Permission needed: No attack traffic • ! Mild attack traffic / Could break things • !! You better have written permission .. Vulnerable vs. Not Vulnerable legend: • Vulnerable • Not Vulnerable * When in doubt, don’t do it or consult a lawyer!
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) $ wget http://target.com/robots.txt P Case 1 Not found: Indexing required? Case 2 Found: Analyse entries
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. Case 1 robots.txt Not Found …should Google index a site like this? P Or should robots.txt exist and be like this? User-agent: * Disallow: /
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. P Case 2 robots.txt Found (default Drupal robots.txt!) User-agent: * Crawl-delay: 10 # Directories Disallow: /includes/ Disallow: /misc/ ... # Files Disallow: /CHANGELOG.txt  Drupal Version ☺ Disallow: /xmlrpc.php
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. Case 2 Research known vulns passively (i.e. OpenID bypass for Drupal 6.16) P
(General) Environment replication Download it .. Sometimes from project page ☺ P Also check http://www.oldapps.com/, Google, etc.
(General) Environment replication Static Analyis, Fuzz, Try exploits, .. P RIPS for PHP: http://rips-scanner.sourceforge.net/ Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
Search engine discovery / recon (OWASP-IG-002) cont. Google Hacking techniques like .. P
Search engine discovery / recon (OWASP-IG-002) cont. P Automated Google Hacking http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
Search engine discovery / recon (OWASP-IG-002) cont. P Metadata tools: • FOCA (v. 3 now!) • Metagoofil • Exiftool • EXIF FF plugin http://www.informatica64.com/foca.aspx
Search engine discovery / recon (OWASP-IG-002) cont. P The Harvester: •Emails •Employee Names •Subdomains •Hostnames http://www.edge-security.com/theHarvester.php
Search engine discovery / recon (OWASP-IG-002) cont. P Image Credit: http://www.paterva.com http://www.paterva.com/web5/client/download.php
Search engine discovery / recon (OWASP-IG-002) cont. P Image Credit: http://www.paterva.com http://www.paterva.com/web5/client/download.php
Search engine discovery / recon (OWASP-IG-002) cont. A bit of most in one: P https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
Testing: Identify application entry points (OWASP-IG-003) Use a proxy and JUST browse the site • Let the proxy log ALL requests P • Understand the site Proxies that detect vulns passively: • ratproxy • ZAP Proxy Efficient manual browsing: Snap Links Plus http://snaplinks.mozdev.org/
Testing for Web Application Fingerprint (OWASP-IG-004) Goal: What is that server running? P Semi passive banner grab example: • $ curl -i -A 'Mozilla/5.0 (X11; Linux i686; rv6.0) Gecko/20100101 Firefox/6.0' -H 'Host: target.com' https://target.com … Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
Testing for Web Application Fingerprint (OWASP-IG-004) cont. P http://toolbar.netcraft.com - Passive banner grab,etc.
Testing for Web Application Fingerprint (OWASP-IG-004) cont. Search in the headers without touching the site: P http://www.shodanhq.com/
Testing for Web Application Fingerprint (OWASP-IG-004) cont. P •CMS •Widgets •Libraries •etc http://builtwith.com
Testing for Web Application Fingerprint (OWASP-IG-004) cont. P Do you know what that site is running now? Let’s look for exploits and vulns
Testing for Web Application Fingerprint (OWASP-IG-004) cont. P Exploit DB - http://www.exploit-db.com
Testing for Web Application Fingerprint (OWASP-IG-004) cont. P NVD - http://web.nvd.nist.gov - CVSS Score = High
Testing for Web Application Fingerprint (OWASP-IG-004) cont. P OSVDB - http://osvdb.org - CVSS Score = High
Testing for Web Application Fingerprint (OWASP-IG-004) cont. P http://www.securityfocus.com - Better on Google
Testing for Web Application Fingerprint (OWASP-IG-004) cont. P http://www.exploitsearch.net - All in one
Testing for Application Discovery (OWASP-IG-005) P http://www.robtex.com - Passive DNS Discovery
Testing for Application Discovery (OWASP-IG-005) cont. P http://whois.domaintools.com
Testing for Application Discovery (OWASP-IG-005) cont. P http://centralops.net or proxychains .. nmap –sT
Testing for Application Discovery (OWASP-IG-005) cont. P http://centralops.net
Testing for Error Code (OWASP-IG-006) Has Google found error messages for you? P
Testing for Error Code (OWASP-IG-006) cont. Check errors via Google Cache P
Testing for SSL-TLS (OWASP-CM-001) No traffic .. P https://www.ssllabs.com/ssldb/analyze.html
Testing for SSL-TLS (OWASP-CM-001) cont. .. And pretty graphs P https://www.ssllabs.com/ssldb/analyze.html
Testing for SSL-TLS (OWASP-CM-001) cont. Do not forget about Strict-Transport-Security! P $ curl -i https://accounts.google.com HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=2592000; includeSubDomains sslstrip chances decrease dramatically: Only 1st time user visits the site!
Application Configuration Management (OWASP-CM-004) Just browse the site as normal and .. look for comments! (lame but works!): P <!-- The password is 123 --> /* TODO: Security hole here .. */ //FIXME: The function below is vulnerable…
Testing for Admin Interfaces (OWASP-CM-007) • 3rd party stuff on .NET ViewState, headers,.. P • Telerik.Web.UI?? Google it!
Testing for Admin Interfaces (OWASP-CM-007) cont. Google for default passwords: P
Testing for Admin Interfaces (OWASP-CM-007) cont. !!
Testing for Admin Interfaces (OWASP-CM-007) cont. !!
Testing for HTTP Methods and XST (OWASP-CM-008) An OPTIONS request is quite normal: P $ curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' –k https://site.com HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: Apache/2.0.63 (Unix) Allow: GET,HEAD,POST,OPTIONS,TRACE Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
Testing for HTTP Methods and XST (OWASP-CM-008) cont. P http://centralops.net
Testing for HTTP Methods and XST (OWASP-CM-008) cont. P http://centralops.net
Testing for credentials transport (OWASP-AT-001) Is the login page on “http” instead of “https”? And … look carefully at pop-ups like this: P Consider: Firesheep and sslstrip
Testing for user enumeration (OWASP-AT-002) – by design P Mario was going to report a bug to Mozilla and found another!
Testing for user enumeration (OWASP-AT-002) – by design Abuse user/member search functions: • Search for “” (nothing) or “a”, then “b”, .. P • Download all the data using 1) + pagination (if any) • Merge the results into a CSV-like format • Import + save as a spreadsheet • Show the spreadsheet to your customer
Testing for Default or Guessable User Account (OWASP-AT-003) Analyse the username(s) they gave you to test: P • Username based on numbers? USER12345 • Username based on public info? (i.e. names, surnames, ..) name.surname • Default CMS user/pass?
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) Is autocomplete set to off? • Via 1) <form … autocomplete=“off”> P • Or Via 2) <input … autocomplete=“off”> Or not? <form action="/user/login" method="post"> <input type="password" name="pass" />
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont. Easy “your grandma can do it” test: 1. Login 2. Logout P 3. Click the browser Back button twice* 4. Can you login again –without typing the login or password- by re-sending the login form? Can the user re-submit the login form via the back button? * Until the login form submission
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont. Also .. Look at the questions / fields in the password reset form … P • Does it let you specify your email address? • Is it based on public info? (name, surname, etc) • Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
Logout and Browser Cache Management (OWASP-AT-007) Goal: Is Caching of sensitive info allowed? P Easy “your grandma can do it” test (need login): 1. Login 2. Logout 3. Click the browser Back button 4. Do you see logged in content or a this page has expired error / the login page?
Logout and Browser Cache Management (OWASP-AT-007) cont. See headers with: • Commands: curl –i http://target.com P • Proxy: Burp, ZAP, WebScarab, etc • Browser Plugins: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/ https://addons.mozilla.org/en-US/firefox/addon/firebug/
Logout and Browser Cache Management (OWASP-AT-007) cont. P 1) Wrong caching HTTP/1.1 headers: Cache-control: private Instead of: Cache-Control: no-cache
Logout and Browser Cache Management (OWASP-AT-007) cont. 2) Wrong caching HTTP/1.0 headers: P Pragma: private Expires: <way too far in the future> Instead of: Pragma: no-cache Expires: <past date or illegal value (e.g. 0)
Logout and Browser Cache Management (OWASP-AT-007) cont. 3) No caching headers (= caching allowed, default!) P HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: …. X-Powered-By: …. Connection: close Content-Type: text/html; charset=UTF-8 Instead of (best): $ curl –i https://accounts.google.com... Cache-control: no-cache, no-store Pragma: no-cache Expires: Mon, 01-Jan-1990 00:00:00 GMT
Logout and Browser Cache Management (OWASP-AT-007) cont. Repeat for Meta tags: P 4) Wrong HTTP/1.1: <META HTTP-EQUIV="Cache-Control" CONTENT=“private"> Instead of: <META HTTP-EQUIV="Cache-Control" CONTENT="no- cache"> Etc. (see previous slides)
Testing for Captcha (OWASP-AT-008) Can be done offline: • Download image and try to break it P • Are CAPTCHAs reused? • Is a hash or token passed? (Good algorithm? Predictable?) • Look for vulns on CAPTCHA version: PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha Captcha Breaker - http://churchturing.org/captcha-dist/
Testing for Session Management Schema (OWASP-SM-001) Examine cookies for weaknesses offline P Base64 MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dv cmQ6MTU6NTg= Is owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412
Testing for Session Management Schema (OWASP-SM-001) cont. P http://hackvertor.co.uk/public
Testing for Session Management Schema (OWASP-SM-001) cont. Lots of decode options, including: • auto_decode P • auto_decode_repeat • d_base64 • etc. http://hackvertor.co.uk/public
Testing for Session Management Schema (OWASP-SM-001) cont. Cookie decoder: F5 BIG-IP P http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
Testing for cookies attributes (OWASP-SM-002) • Secure: not set= session cookie leaked= pwned • HttpOnly: not set = cookies stealable via JS P • Domain: set properly • Path: set to the right /sub-application • Expires: set reasonably • 1 session cookie that works is enough ..
Testing for Session Fixation (OWASP-SM-003) Session ID normally NOT changed by default.. P Before Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c + After Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c = Vulnerable
Testing for Exposed Session Variables (OWASP-SM-004) Session ID: • In URL P • In POST • In HTML Example from the field: http://target.com/xxx/xyz.function?session_num=7785
Testing for CSRF (OWASP-SM-005) Look at HTML code: P No anti-CSRF token = Vulnerable Anti-CSRF token = Wait to ACTIVE testing ☺
Testing for Bypassing Authorization Schema (OWASP-AZ-002) Look at unauthenticated cross-site requests: P http://other-site.com/user=3&report=4 Referer: site.com Change ids in application: ! http://site.com/view_doc=4
Testing for Reflected/Stored Cross site scripting (OWASP-DV-001) P Headers Enabling/Disabling Client-Side XSS filters: • X-XSS-Protection (IE-Only) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) Example: $ curl -i https://accounts.google.com X-XSS-Protection: 1; mode=block
UI Redressing Protection i.e. Clickjacking (OWASP Code?) Look for for UI Redressing protections: P • X-Frame-Options (best) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) • JavaScript Frame busting (bypassable sometimes) Example: $ curl -i https://accounts.google.com X-Frame-Options: Deny “Clickjacking for Shells”: http://www.morningstarsecurity.com/research/clickjacking-wordpress
Testing for DOM-based Cross site scripting (OWASP-DV-003) Review JavaScript code on the page: P <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): # http://target.com/... vulnerable_param=xss http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
Testing for Cross site flashing (OWASP-DV-004) 1) Find Flash files: P
Testing for Cross site flashing (OWASP-DV-004) cont. 2) Find crossdomain.xml P
Testing for Cross site flashing (OWASP-DV-004) cont. 3) Look at crossdomain.xml: Example 1: <cross-domain-policy> P <allow-access-from domain="*"/> </cross-domain-policy> Example 2: <cross-domain-policy> <!-- This domain can accept a MyHeader header from a SWF file on www.example.com --> <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/> </cross-domain-policy> http://en.wikipedia.org/wiki/Same_origin_policy http://kb2.adobe.com/cps/403/kb403185.html
Testing for Cross site flashing (OWASP-DV-004) cont. 4) Download + decompile Flash files: $ flare hello.swf P
Testing for Cross site flashing (OWASP-DV-004) cont. P http://www.brothersoft.com/hp-swfscan-download-253747.html http://tinyurl.com/SWFScan-msi
Testing for Cross site flashing (OWASP-DV-004) cont. Active testing ☺ P 1) Trip to server = need permission ! http://target.com/test.swf?xss=foo&xss2=bar 2) But … your browser is yours: No trip to server = no permission needed P # http://target.com/test.swf ?xss=foo&xss2=bar Good news: Unlike DOM XSS, the # trick will always work for Flash Files
Testing for SQL Injection (OWASP-DV-005) Did Google find SQLi for you? P
DoS Failure to Release Resources (OWASP-DS-007) 1. Browse Site 2. 3. Time requests Get top X slowest requests P 4. Slowest = Best DoS target
Testing: WS Information Gathering (OWASP-WS-001) Google searches: inurl:wsdl site:example.com Web service analysis: P http://www.example.com/ws/FindIP.asmx?WSDL Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/
Testing for WS Replay (OWASP-WS-007) Similar to CSRF: P Is there an anti-replay token in the request?
Testing for file extensions handling (OWASP-CM-005) some attack traffic but subtle. File Uploads: !! • If upload.php or .asp, .html, .. is allowed by app • A valid GIF or JPG comment can be a valid PHP script, etc .. • Difference from attack to legit can be subtle • File uploads are POST = often not logged (Enterprises do, but small businesses normally don’t)
Testing for Error Code (OWASP-IG-006) • Use var_name[] in PHP: ! • Make __VIEWSTATE = ‘a’: [ViewStateException: Invalid viewstate ….. … ) in c:WINDOWSMicrosoft.NETFrameworkv2.0.50727Temporary ASP.NET Filesroot ….
Testing for user enumeration (OWASP-AT-002) • Error messages ! “this user does not exist” “the website member could not be found” Etc. • Time differences $ time curl https://target.com -d 'user=x&pass=y' Bad login Example: Valid User (retrieved from DB): > 1.5 secs Invalid User (not in DB = faster): < 0.7 secs
Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2) Subtle look for signs of output encoding: ! O’Brien O&apos;Brien O”Brien O&quot;Brien or O%22Brien Ted..> Ted..&gt; or Ted..%3E Ted,< Ted,.&lt; or Ted..%3C Charset, etc.
Testing for SQL Injection (OWASP-DV-005) SQL errors: ! • Strings: O’Brien • IDs: Instead of “1” type “1l” or “1 l” Math operations: Is the same item displayed? • target.com/id=2 target.com/id=1%2B1
Testing for Application Discovery (OWASP-IG-005) @ post-exploitation Got shell? !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation You feel like .. !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation They feel like .. !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation They feel like .. !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation They feel like .. !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation And finally .. !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation You have a mission! !! • “Shell is only the beginning” – Darkoperator • Your job is to show impact* • Web app sec can also involve network sec! Goal: How much damage could be done? *within scope restrictions!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation • Web server running as SYSTEM? (default!) • No need to crack passwords .. !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation Just type your chosen password .. !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation • Steal passwords .. !! • Be patient, it’s worth it ..
Testing for Application Discovery (OWASP-IG-005) @post-exploitation Pivot to the other hosts reusing passwords !!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation PASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum P
Testing for Application Discovery (OWASP-IG-005) @post-exploitation PASSIVE Local “Port scanning” from winenum P
Testing for Application Discovery (OWASP-IG-005) @post-exploitation Don’t forget about IPv6 & UDP ☺ P
Testing for Application Discovery (OWASP-IG-005) @post-exploitation PASSIVE Remote “Port scanning” from winenum via active connections P
Pen tester Conclusion • No permission != cannot start • A lot of work can be done in advance This work in advance helps with: • Increased efficiency • Deal better with tight deadlines • Better pre-engagement • Better test quality • Best chance to get in Bottom line: Do it
Business Conclusion • Web app security > Input validation • We see no traffic != we are not targeted • No IDS alerts != we are safe • Your site can be tested without you noticing • Test your security before others do
Special thanks to • OWASP Testing Guide contributors • Krzysztof Kotowicz • Marcus Niemietz • Mario Heiderich • Michele Orru • Sandro Gauci
Q&A Abraham Aranguren @7a_ abraham.aranguren@gmail.com http://7-a.org Q - owtf! This is a lot of work A - I know, check out: http://owtf.org
Ad

Recommended

Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
RajniHatti
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
ebusinessmantra
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
Nadim Kadiwala
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?
Beau Bullock
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for Java
Sébastien GIORIA
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
Paul Ionescu
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
Onwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
Abraham Aranguren
 
Ad

More Related Content

What's hot (20)

API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
Nadim Kadiwala
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?
Beau Bullock
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for Java
Sébastien GIORIA
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
Paul Ionescu
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
Onwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
Nadim Kadiwala
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?
Beau Bullock
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for Java
Sébastien GIORIA
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
Paul Ionescu
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
Onwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 

Viewers also liked (6)

Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
Abraham Aranguren
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Abraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
Abraham Aranguren
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Abraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Ad

Similar to Silent web app testing by example - BerlinSides 2011 (20)

BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
Abraham Aranguren
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTF
Jerod Brennen
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
Sagar M Parmar
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
Grupo Gesfor I+D+i
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Codemotion
 
Owasp owtf the offensive (web) testing framework + ptes penetration testing e...
Owasp owtf the offensive (web) testing framework + ptes penetration testing e...Owasp owtf the offensive (web) testing framework + ptes penetration testing e...
Owasp owtf the offensive (web) testing framework + ptes penetration testing e...
Mauro Risonho de Paula Assumpcao
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
Damilola Longe, CISSP, CCSP, MSc
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
Web Security... Level Up
Web Security... Level UpWeb Security... Level Up
Web Security... Level Up
Izzet Mustafaiev
 
Cybersecurity and Ethical Hacking: Capstone Project
Cybersecurity and Ethical Hacking: Capstone ProjectCybersecurity and Ethical Hacking: Capstone Project
Cybersecurity and Ethical Hacking: Capstone Project
Boston Institute of Analytics
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
DevSecCon
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
Abraham Aranguren
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTF
Jerod Brennen
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
Sagar M Parmar
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
Grupo Gesfor I+D+i
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Codemotion
 
Owasp owtf the offensive (web) testing framework + ptes penetration testing e...
Owasp owtf the offensive (web) testing framework + ptes penetration testing e...Owasp owtf the offensive (web) testing framework + ptes penetration testing e...
Owasp owtf the offensive (web) testing framework + ptes penetration testing e...
Mauro Risonho de Paula Assumpcao
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
Damilola Longe, CISSP, CCSP, MSc
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
Web Security... Level Up
Web Security... Level UpWeb Security... Level Up
Web Security... Level Up
Izzet Mustafaiev
 
Cybersecurity and Ethical Hacking: Capstone Project
Cybersecurity and Ethical Hacking: Capstone ProjectCybersecurity and Ethical Hacking: Capstone Project
Cybersecurity and Ethical Hacking: Capstone Project
Boston Institute of Analytics
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
DevSecCon
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
Ad

Recently uploaded (20)

The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 

Silent web app testing by example - BerlinSides 2011

  • 1. Silent web app testing by example Berlin Sides, December 29th 2011 Abraham Aranguren @7a_ [email protected] http://7-a.org
  • 2. Agenda • Quick Intro • Walk-through: No permission needed Mild/Subtle testing techniques Passive discovery at post-exploitation • Conclusion • Q&A
  • 3. About me • Spanish dude • Degree + Diploma in Computer Science • Uni: Security research + honour mark • IT: Since 2000 (netadmin / developer) • Comeback to (offensive) security in 2007 • OSCP, CISSP, GWEB, CEH, MCSE, Etc. • Web App Sec and Dev/Architect • OWTF, GIAC, BeEF
  • 4. Intro 47% (31 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺ * This is only my interpretation and not that of my employer + might not apply to your country!
  • 5. But …. why??? • Pre-engagement quality • Choose bank wisely ☺ • Fun / Research • No permission yet but tight deadline • Get a head start in a pen test • No fuzzing allowed / hard restrictions • Waiting for info on other areas
  • 6. Talk Scope This talk is mostly NOT about: • https NIDS blind* • Use POST not logged (usually) • Wifi, Tor, proxies, proxychains … This talk is about: • Using normal traffic or no traffic • Confuse payloads = look as legit traffic
  • 7. Types of Traffic • Passive: No traffic to target Example: Third party site touches target not us • Semi Passive: Normal traffic to target Examples: Visit site, download published content • Active: Direct vulnerability probing Examples: SQL injection, XSS, CSRF, etc. tries
  • 8. Legend Ethics/Scope legend*: P • P No Permission needed: No attack traffic • ! Mild attack traffic / Could break things • !! You better have written permission .. Vulnerable vs. Not Vulnerable legend: • Vulnerable • Not Vulnerable * When in doubt, don’t do it or consult a lawyer!
  • 9. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) $ wget http://target.com/robots.txt P Case 1 Not found: Indexing required? Case 2 Found: Analyse entries
  • 10. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. Case 1 robots.txt Not Found …should Google index a site like this? P Or should robots.txt exist and be like this? User-agent: * Disallow: /
  • 11. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. P Case 2 robots.txt Found (default Drupal robots.txt!) User-agent: * Crawl-delay: 10 # Directories Disallow: /includes/ Disallow: /misc/ ... # Files Disallow: /CHANGELOG.txt  Drupal Version ☺ Disallow: /xmlrpc.php
  • 12. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont. Case 2 Research known vulns passively (i.e. OpenID bypass for Drupal 6.16) P
  • 13. (General) Environment replication Download it .. Sometimes from project page ☺ P Also check http://www.oldapps.com/, Google, etc.
  • 14. (General) Environment replication Static Analyis, Fuzz, Try exploits, .. P RIPS for PHP: http://rips-scanner.sourceforge.net/ Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
  • 15. Search engine discovery / recon (OWASP-IG-002) cont. Google Hacking techniques like .. P
  • 16. Search engine discovery / recon (OWASP-IG-002) cont. P Automated Google Hacking http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
  • 17. Search engine discovery / recon (OWASP-IG-002) cont. P Metadata tools: • FOCA (v. 3 now!) • Metagoofil • Exiftool • EXIF FF plugin http://www.informatica64.com/foca.aspx
  • 18. Search engine discovery / recon (OWASP-IG-002) cont. P The Harvester: •Emails •Employee Names •Subdomains •Hostnames http://www.edge-security.com/theHarvester.php
  • 19. Search engine discovery / recon (OWASP-IG-002) cont. P Image Credit: http://www.paterva.com http://www.paterva.com/web5/client/download.php
  • 20. Search engine discovery / recon (OWASP-IG-002) cont. P Image Credit: http://www.paterva.com http://www.paterva.com/web5/client/download.php
  • 21. Search engine discovery / recon (OWASP-IG-002) cont. A bit of most in one: P https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
  • 22. Testing: Identify application entry points (OWASP-IG-003) Use a proxy and JUST browse the site • Let the proxy log ALL requests P • Understand the site Proxies that detect vulns passively: • ratproxy • ZAP Proxy Efficient manual browsing: Snap Links Plus http://snaplinks.mozdev.org/
  • 23. Testing for Web Application Fingerprint (OWASP-IG-004) Goal: What is that server running? P Semi passive banner grab example: • $ curl -i -A 'Mozilla/5.0 (X11; Linux i686; rv6.0) Gecko/20100101 Firefox/6.0' -H 'Host: target.com' https://target.com … Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
  • 24. Testing for Web Application Fingerprint (OWASP-IG-004) cont. P http://toolbar.netcraft.com - Passive banner grab,etc.
  • 25. Testing for Web Application Fingerprint (OWASP-IG-004) cont. Search in the headers without touching the site: P http://www.shodanhq.com/
  • 26. Testing for Web Application Fingerprint (OWASP-IG-004) cont. P •CMS •Widgets •Libraries •etc http://builtwith.com
  • 27. Testing for Web Application Fingerprint (OWASP-IG-004) cont. P Do you know what that site is running now? Let’s look for exploits and vulns
  • 28. Testing for Web Application Fingerprint (OWASP-IG-004) cont. P Exploit DB - http://www.exploit-db.com
  • 29. Testing for Web Application Fingerprint (OWASP-IG-004) cont. P NVD - http://web.nvd.nist.gov - CVSS Score = High
  • 30. Testing for Web Application Fingerprint (OWASP-IG-004) cont. P OSVDB - http://osvdb.org - CVSS Score = High
  • 31. Testing for Web Application Fingerprint (OWASP-IG-004) cont. P http://www.securityfocus.com - Better on Google
  • 32. Testing for Web Application Fingerprint (OWASP-IG-004) cont. P http://www.exploitsearch.net - All in one
  • 33. Testing for Application Discovery (OWASP-IG-005) P http://www.robtex.com - Passive DNS Discovery
  • 34. Testing for Application Discovery (OWASP-IG-005) cont. P http://whois.domaintools.com
  • 35. Testing for Application Discovery (OWASP-IG-005) cont. P http://centralops.net or proxychains .. nmap –sT
  • 36. Testing for Application Discovery (OWASP-IG-005) cont. P http://centralops.net
  • 37. Testing for Error Code (OWASP-IG-006) Has Google found error messages for you? P
  • 38. Testing for Error Code (OWASP-IG-006) cont. Check errors via Google Cache P
  • 39. Testing for SSL-TLS (OWASP-CM-001) No traffic .. P https://www.ssllabs.com/ssldb/analyze.html
  • 40. Testing for SSL-TLS (OWASP-CM-001) cont. .. And pretty graphs P https://www.ssllabs.com/ssldb/analyze.html
  • 41. Testing for SSL-TLS (OWASP-CM-001) cont. Do not forget about Strict-Transport-Security! P $ curl -i https://accounts.google.com HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=2592000; includeSubDomains sslstrip chances decrease dramatically: Only 1st time user visits the site!
  • 42. Application Configuration Management (OWASP-CM-004) Just browse the site as normal and .. look for comments! (lame but works!): P <!-- The password is 123 --> /* TODO: Security hole here .. */ //FIXME: The function below is vulnerable…
  • 43. Testing for Admin Interfaces (OWASP-CM-007) • 3rd party stuff on .NET ViewState, headers,.. P • Telerik.Web.UI?? Google it!
  • 44. Testing for Admin Interfaces (OWASP-CM-007) cont. Google for default passwords: P
  • 45. Testing for Admin Interfaces (OWASP-CM-007) cont. !!
  • 46. Testing for Admin Interfaces (OWASP-CM-007) cont. !!
  • 47. Testing for HTTP Methods and XST (OWASP-CM-008) An OPTIONS request is quite normal: P $ curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' –k https://site.com HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: Apache/2.0.63 (Unix) Allow: GET,HEAD,POST,OPTIONS,TRACE Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
  • 48. Testing for HTTP Methods and XST (OWASP-CM-008) cont. P http://centralops.net
  • 49. Testing for HTTP Methods and XST (OWASP-CM-008) cont. P http://centralops.net
  • 50. Testing for credentials transport (OWASP-AT-001) Is the login page on “http” instead of “https”? And … look carefully at pop-ups like this: P Consider: Firesheep and sslstrip
  • 51. Testing for user enumeration (OWASP-AT-002) – by design P Mario was going to report a bug to Mozilla and found another!
  • 52. Testing for user enumeration (OWASP-AT-002) – by design Abuse user/member search functions: • Search for “” (nothing) or “a”, then “b”, .. P • Download all the data using 1) + pagination (if any) • Merge the results into a CSV-like format • Import + save as a spreadsheet • Show the spreadsheet to your customer
  • 53. Testing for Default or Guessable User Account (OWASP-AT-003) Analyse the username(s) they gave you to test: P • Username based on numbers? USER12345 • Username based on public info? (i.e. names, surnames, ..) name.surname • Default CMS user/pass?
  • 54. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) Is autocomplete set to off? • Via 1) <form … autocomplete=“off”> P • Or Via 2) <input … autocomplete=“off”> Or not? <form action="/user/login" method="post"> <input type="password" name="pass" />
  • 55. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont. Easy “your grandma can do it” test: 1. Login 2. Logout P 3. Click the browser Back button twice* 4. Can you login again –without typing the login or password- by re-sending the login form? Can the user re-submit the login form via the back button? * Until the login form submission
  • 56. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont. Also .. Look at the questions / fields in the password reset form … P • Does it let you specify your email address? • Is it based on public info? (name, surname, etc) • Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
  • 57. Logout and Browser Cache Management (OWASP-AT-007) Goal: Is Caching of sensitive info allowed? P Easy “your grandma can do it” test (need login): 1. Login 2. Logout 3. Click the browser Back button 4. Do you see logged in content or a this page has expired error / the login page?
  • 58. Logout and Browser Cache Management (OWASP-AT-007) cont. See headers with: • Commands: curl –i http://target.com P • Proxy: Burp, ZAP, WebScarab, etc • Browser Plugins: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/ https://addons.mozilla.org/en-US/firefox/addon/firebug/
  • 59. Logout and Browser Cache Management (OWASP-AT-007) cont. P 1) Wrong caching HTTP/1.1 headers: Cache-control: private Instead of: Cache-Control: no-cache
  • 60. Logout and Browser Cache Management (OWASP-AT-007) cont. 2) Wrong caching HTTP/1.0 headers: P Pragma: private Expires: <way too far in the future> Instead of: Pragma: no-cache Expires: <past date or illegal value (e.g. 0)
  • 61. Logout and Browser Cache Management (OWASP-AT-007) cont. 3) No caching headers (= caching allowed, default!) P HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: …. X-Powered-By: …. Connection: close Content-Type: text/html; charset=UTF-8 Instead of (best): $ curl –i https://accounts.google.com... Cache-control: no-cache, no-store Pragma: no-cache Expires: Mon, 01-Jan-1990 00:00:00 GMT
  • 62. Logout and Browser Cache Management (OWASP-AT-007) cont. Repeat for Meta tags: P 4) Wrong HTTP/1.1: <META HTTP-EQUIV="Cache-Control" CONTENT=“private"> Instead of: <META HTTP-EQUIV="Cache-Control" CONTENT="no- cache"> Etc. (see previous slides)
  • 63. Testing for Captcha (OWASP-AT-008) Can be done offline: • Download image and try to break it P • Are CAPTCHAs reused? • Is a hash or token passed? (Good algorithm? Predictable?) • Look for vulns on CAPTCHA version: PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha Captcha Breaker - http://churchturing.org/captcha-dist/
  • 64. Testing for Session Management Schema (OWASP-SM-001) Examine cookies for weaknesses offline P Base64 MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dv cmQ6MTU6NTg= Is owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412
  • 65. Testing for Session Management Schema (OWASP-SM-001) cont. P http://hackvertor.co.uk/public
  • 66. Testing for Session Management Schema (OWASP-SM-001) cont. Lots of decode options, including: • auto_decode P • auto_decode_repeat • d_base64 • etc. http://hackvertor.co.uk/public
  • 67. Testing for Session Management Schema (OWASP-SM-001) cont. Cookie decoder: F5 BIG-IP P http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
  • 68. Testing for cookies attributes (OWASP-SM-002) • Secure: not set= session cookie leaked= pwned • HttpOnly: not set = cookies stealable via JS P • Domain: set properly • Path: set to the right /sub-application • Expires: set reasonably • 1 session cookie that works is enough ..
  • 69. Testing for Session Fixation (OWASP-SM-003) Session ID normally NOT changed by default.. P Before Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c + After Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c = Vulnerable
  • 70. Testing for Exposed Session Variables (OWASP-SM-004) Session ID: • In URL P • In POST • In HTML Example from the field: http://target.com/xxx/xyz.function?session_num=7785
  • 71. Testing for CSRF (OWASP-SM-005) Look at HTML code: P No anti-CSRF token = Vulnerable Anti-CSRF token = Wait to ACTIVE testing ☺
  • 72. Testing for Bypassing Authorization Schema (OWASP-AZ-002) Look at unauthenticated cross-site requests: P http://other-site.com/user=3&report=4 Referer: site.com Change ids in application: ! http://site.com/view_doc=4
  • 73. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001) P Headers Enabling/Disabling Client-Side XSS filters: • X-XSS-Protection (IE-Only) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) Example: $ curl -i https://accounts.google.com X-XSS-Protection: 1; mode=block
  • 74. UI Redressing Protection i.e. Clickjacking (OWASP Code?) Look for for UI Redressing protections: P • X-Frame-Options (best) • X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13) • JavaScript Frame busting (bypassable sometimes) Example: $ curl -i https://accounts.google.com X-Frame-Options: Deny “Clickjacking for Shells”: http://www.morningstarsecurity.com/research/clickjacking-wordpress
  • 75. Testing for DOM-based Cross site scripting (OWASP-DV-003) Review JavaScript code on the page: P <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): # http://target.com/... vulnerable_param=xss http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  • 76. Testing for Cross site flashing (OWASP-DV-004) 1) Find Flash files: P
  • 77. Testing for Cross site flashing (OWASP-DV-004) cont. 2) Find crossdomain.xml P
  • 78. Testing for Cross site flashing (OWASP-DV-004) cont. 3) Look at crossdomain.xml: Example 1: <cross-domain-policy> P <allow-access-from domain="*"/> </cross-domain-policy> Example 2: <cross-domain-policy> <!-- This domain can accept a MyHeader header from a SWF file on www.example.com --> <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/> </cross-domain-policy> http://en.wikipedia.org/wiki/Same_origin_policy http://kb2.adobe.com/cps/403/kb403185.html
  • 79. Testing for Cross site flashing (OWASP-DV-004) cont. 4) Download + decompile Flash files: $ flare hello.swf P
  • 80. Testing for Cross site flashing (OWASP-DV-004) cont. P http://www.brothersoft.com/hp-swfscan-download-253747.html http://tinyurl.com/SWFScan-msi
  • 81. Testing for Cross site flashing (OWASP-DV-004) cont. Active testing ☺ P 1) Trip to server = need permission ! http://target.com/test.swf?xss=foo&xss2=bar 2) But … your browser is yours: No trip to server = no permission needed P # http://target.com/test.swf ?xss=foo&xss2=bar Good news: Unlike DOM XSS, the # trick will always work for Flash Files
  • 82. Testing for SQL Injection (OWASP-DV-005) Did Google find SQLi for you? P
  • 83. DoS Failure to Release Resources (OWASP-DS-007) 1. Browse Site 2. 3. Time requests Get top X slowest requests P 4. Slowest = Best DoS target
  • 84. Testing: WS Information Gathering (OWASP-WS-001) Google searches: inurl:wsdl site:example.com Web service analysis: P http://www.example.com/ws/FindIP.asmx?WSDL Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/
  • 85. Testing for WS Replay (OWASP-WS-007) Similar to CSRF: P Is there an anti-replay token in the request?
  • 86. Testing for file extensions handling (OWASP-CM-005) some attack traffic but subtle. File Uploads: !! • If upload.php or .asp, .html, .. is allowed by app • A valid GIF or JPG comment can be a valid PHP script, etc .. • Difference from attack to legit can be subtle • File uploads are POST = often not logged (Enterprises do, but small businesses normally don’t)
  • 87. Testing for Error Code (OWASP-IG-006) • Use var_name[] in PHP: ! • Make __VIEWSTATE = ‘a’: [ViewStateException: Invalid viewstate ….. … ) in c:WINDOWSMicrosoft.NETFrameworkv2.0.50727Temporary ASP.NET Filesroot ….
  • 88. Testing for user enumeration (OWASP-AT-002) • Error messages ! “this user does not exist” “the website member could not be found” Etc. • Time differences $ time curl https://target.com -d 'user=x&pass=y' Bad login Example: Valid User (retrieved from DB): > 1.5 secs Invalid User (not in DB = faster): < 0.7 secs
  • 89. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2) Subtle look for signs of output encoding: ! O’Brien O&apos;Brien O”Brien O&quot;Brien or O%22Brien Ted..> Ted..&gt; or Ted..%3E Ted,< Ted,.&lt; or Ted..%3C Charset, etc.
  • 90. Testing for SQL Injection (OWASP-DV-005) SQL errors: ! • Strings: O’Brien • IDs: Instead of “1” type “1l” or “1 l” Math operations: Is the same item displayed? • target.com/id=2 target.com/id=1%2B1
  • 91. Testing for Application Discovery (OWASP-IG-005) @ post-exploitation Got shell? !!
  • 92. Testing for Application Discovery (OWASP-IG-005) @post-exploitation You feel like .. !!
  • 93. Testing for Application Discovery (OWASP-IG-005) @post-exploitation They feel like .. !!
  • 94. Testing for Application Discovery (OWASP-IG-005) @post-exploitation They feel like .. !!
  • 95. Testing for Application Discovery (OWASP-IG-005) @post-exploitation They feel like .. !!
  • 96. Testing for Application Discovery (OWASP-IG-005) @post-exploitation And finally .. !!
  • 97. Testing for Application Discovery (OWASP-IG-005) @post-exploitation You have a mission! !! • “Shell is only the beginning” – Darkoperator • Your job is to show impact* • Web app sec can also involve network sec! Goal: How much damage could be done? *within scope restrictions!
  • 98. Testing for Application Discovery (OWASP-IG-005) @post-exploitation • Web server running as SYSTEM? (default!) • No need to crack passwords .. !!
  • 99. Testing for Application Discovery (OWASP-IG-005) @post-exploitation Just type your chosen password .. !!
  • 100. Testing for Application Discovery (OWASP-IG-005) @post-exploitation • Steal passwords .. !! • Be patient, it’s worth it ..
  • 101. Testing for Application Discovery (OWASP-IG-005) @post-exploitation Pivot to the other hosts reusing passwords !!
  • 102. Testing for Application Discovery (OWASP-IG-005) @post-exploitation PASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum P
  • 103. Testing for Application Discovery (OWASP-IG-005) @post-exploitation PASSIVE Local “Port scanning” from winenum P
  • 104. Testing for Application Discovery (OWASP-IG-005) @post-exploitation Don’t forget about IPv6 & UDP ☺ P
  • 105. Testing for Application Discovery (OWASP-IG-005) @post-exploitation PASSIVE Remote “Port scanning” from winenum via active connections P
  • 106. Pen tester Conclusion • No permission != cannot start • A lot of work can be done in advance This work in advance helps with: • Increased efficiency • Deal better with tight deadlines • Better pre-engagement • Better test quality • Best chance to get in Bottom line: Do it
  • 107. Business Conclusion • Web app security > Input validation • We see no traffic != we are not targeted • No IDS alerts != we are safe • Your site can be tested without you noticing • Test your security before others do
  • 108. Special thanks to • OWASP Testing Guide contributors • Krzysztof Kotowicz • Marcus Niemietz • Mario Heiderich • Michele Orru • Sandro Gauci
  • 109. Q&A Abraham Aranguren @7a_ [email protected] http://7-a.org Q - owtf! This is a lot of work A - I know, check out: http://owtf.org