Tom Moore - Retr3at 2015 Web Application Security


VERIFYING WEB APPLICATION SECURITY: TOOLS, TECHNIQUES & TRICKS


About Me
• I’m an undeserving sinner saved by grace
• Husband, Father and unrelenting geek
• Burdened for college-aged youth
  – Teach a College & Career Sunday School class
  – Starting a Collegians for Christ chapter at local community college
• 2nd Amendment Supporter
• Hacking Capture The Flag addict
  – Currently building my own CTF mobile rig
• Senior Associate at InfusionPoints, LLC
• Attended Marshall University in Huntington, WV


Disclaimer
• While I have personally performed many web application assessments, I do not have all of the answers
• Web application security changes, and new vulnerabilities, techniques, & tools are discovered frequently
• Sorry for the TL;DR and severe lack of memes
• My perspective is skewed towards that of an attacker (…and I don’t use Oxford commas with consistency)


Agreement
• In providing you with the information contained within this presentation, you agree to only leverage these tools, techniques, and tricks to enhance the security stature of a consenting organization.
• Use ethically and obtain written permission before attempting to assess a website.


Reasoning
• Why is web security important?
  – Prevalent use in daily activities
  – Quickly becoming more complex
  – Publicly accessible interface
  – Ties into back-end databases
  – Often coded without security focus


Agenda
• Getting Started
• Reconnaissance
• Mapping
• Discovery
• Exploitation
• Wrap-up
• Questions & Answers


Getting Started
• You need to have…
  – Written consent from target company
  – Understanding of web technologies
  – Working knowledge of OWASP Top 10


Getting Started
• OWASP Top 10 Vulnerabilities
  – Injection (SQLi or Command)
  – Weak Authentication and Session Management
  – XSS (Stored, Reflected, & DOM)
  – Insecure Direct Object References
  – Security Misconfiguration
Reference: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet


Getting Started
• OWASP Top 10 Vulnerabilities
  – Sensitive Data Exposure
  – Missing Function Level Access Control
  – Cross-Site Request Forgery (CSRF)
  – Using Components With Known Vulnerabilities
  – Unvalidated Redirects and Forwards
Reference: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet


Getting Started
• You need to have…
  – Written consent from target company
  – Understanding of web technologies
  – Working knowledge of OWASP Top 10
  – Knowledge of assessment toolsets
  – Ability to think like an attacker
  – Understanding of how to scope an assessment
  – Proven, repeatable, & explainable process


Getting Started
• Web Application Testing Methodology


Reconnaissance


Reconnaissance
• Know thy target’s architecture
• Static, Dynamic, or Application Server


Reconnaissance
• Static Web Server
  – Not susceptible to the majority of current web vulnerabilities
  – Look for:
    – Misconfigurations
    – Additional network services
    – Underlying operating system
  – Leverage information:
    – Extract metadata
    – Build brute-force password lists from site content


Reconnaissance
• Dynamic Web Server
  – Most common type of modern web server
  – Pulls dynamic content from a back-end database
    – Commonly a SQL database
    – Other sources include Oracle, MS Access, XML, flat file, mainframe or file servers
  – Cost-effective solution
  – Dynamic content server often protected, sometimes residing on the internal network
  – Complicates hardening and protections


Reconnaissance
• Application Server
  – Still pulls dynamic content from a back-end database, but interaction with the server is done through another web or proxy server
  – Examples: IBM WebSphere, Mono, Base4, & JBoss
  – Provides applications with self-contained features
  – Application server trusts expected requests from the in-line proxy or web server
  – Complicates hardening and protections


Reconnaissance
• What request methods are available?
  – GET
  – PUT
  – POST
  – DELETE
  – HEAD
  – CONNECT
  – TRACE
  – OPTIONS


Reconnaissance
• What authentication methods are in use?
  – Basic
  – Digest
  – Client Certificate
  – Windows Authentication
  – Forms


Reconnaissance
• DNS Enumeration
  – Whois
  – Nslookup
  – Dig
  – Host
  – Fierce


Reconnaissance
• Open Source Intelligence (OSINT)
  – Google Dorks (GHDB)
  – Bing (IP:aaa.bbb.ccc.ddd)
  – Wikto
  – Social Media (Job postings / Acquisitions)
  – Recon-ng
  – Maltego


Mapping


Mapping
• Know thy target’s footprint
• Many tools are available to help gain a better understanding of what any given web target is built on, with, or for


Mapping
• Nmap
  – Actively scans the target, reporting open ports
  – Very granular control over variables such as:
    – Speed, Intensity, Protocol, Port depth, Verbosity, Service Versioning, OS Fingerprinting, & Output Formats
  – Very extensible through the Nmap Scripting Engine
  – Multi-platform / CLI / GUI
  – Most common arguments that I use:
    – -v -sV -O -T4 --open --max-retries=0 -iL [list] -oA [prefix]


Mapping
• Netcat
  – Swiss Army Knife of network connectivity
  – Grab server connection strings and headers:
    – printf "GET / HTTP/1.0\n\n" | nc -v scanme.nmap.org 80
• HTTPrint
  – Cross-platform web fingerprinting tool
  – Fingerprints the server based on Layer 7 responses for:
    – Capitalization of various headers, header field ordering, improper HTTP versions, and improper protocols
  – Compares responses to a fingerprint database
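An added example (not from the talk): a small Python parser for a raw response captured the way the netcat one-liner above does it, pulling out what the HTTPrint and request-method slides care about: server banner, header spelling and order, and any advertised method beyond the usual set. The response text is constructed, not a real capture.

```python
from typing import List, Tuple

# Constructed OPTIONS response (not a real capture). Header names deliberately
# mix capitalisation; their spelling and order are signals HTTPrint compares.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "server: Apache/2.4.7 (Ubuntu)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-length: 0\r\n"
    "connection: close\r\n"
    "\r\n"
)
# Methods from the request-method slide that a plain site rarely needs exposed.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (status line, ordered (name, value) headers). Names are kept as
    sent: canonicalising them would destroy the fingerprinting signal."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines rather than abort the parse
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def get_header(headers: List[Tuple[str, str]], name: str):
    """Case-insensitive lookup of the first header with this name."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def allowed_methods(headers: List[Tuple[str, str]]) -> set:
    """Methods advertised in Allow: (sent in reply to OPTIONS)."""
    value = get_header(headers, "Allow") or ""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def fingerprint(raw: str) -> dict:
    """Summarise the response the way a mapping note would record it."""
    status, headers = parse_response(raw)
    return {
        "version": status.split(" ", 1)[0],  # e.g. HTTP/1.1
        "server": get_header(headers, "Server"),
        "header_order": [n for n, _ in headers],
        # Crude heuristic: names not in Canonical-Case often identify a stack.
        "odd_case_headers": [n for n, _ in headers if n != n.title()],
        "risky_methods": sorted(allowed_methods(headers) & RISKY_METHODS),
    }
```

On a real engagement the same parser runs over the output of the nc command; the "risky_methods" entry is the quick check that TRACE, PUT or DELETE is not exposed when the site has no use for it.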


Mapping
• Rapid Assessment of Web Resources (RAWR)
  – I have a slight bias towards using this tool
  – Developed out of the desire for a single solution that performs many of the mapping functions and produces normalized output
  – Leverages Nmap to perform port scans tailored to web services
  – Captures screenshots of all web interfaces detected
  – Lists available HTTP methods and login fields
  – Downloads cookies, robots.txt, & crossdomain.xml
  – Generates a diagram of the site while spidering, etc.


Mapping
• Nikto
  – Uses a flat-file ‘database’ of items to scan for on the server
  – Looks for default files and common server-side scripts that are known to be vulnerable
  – Does produce false-positive findings
• Wfuzz
  – Web-focused fuzzer or brute-force tool
  – Leverages built-in dictionaries or ranges
  – Identifies hidden directories and files on a web server


Mapping
• Portswigger BurpSuite
  – The BEST interception proxy on the market (IMHO)
  – Java based, which allows for multi-platform functionality
  – Free and Professional versions (Pro $300)
  – Contains many tools for web assessments:
    – Proxy, Spider, Vulnerability Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, & Extender
  – Extensible through the BApp Store for 3rd-party tools
  – Great reporting engine in the Professional version


Mapping
• Paros Proxy
  – A very good interception proxy
  – Supports automated spidering
• Zed Attack Proxy
  – Fully-functional interception proxy
  – Automated spidering and vulnerability scanning
  – Built-in decoder
  – Interacts with API and WebSocket
  – Produces a report of identified findings


Mapping
• Wget
  – A fast command-line web browser
  – Supports full site spidering
  – Can mirror entire websites
  – Will mimic known User-Agent strings
  – Can adhere to or bypass robots.txt
  – Example:
    – wget --mirror --adjust-extension --page-requisites --execute robots=off --wait 15 --random-wait --convert-links --user-agent=Mozilla http://scanme.nmap.org


Mapping
• DirBuster
  – Java cross-platform directory brute-forcing tool
  – Attempts to identify unlinked or sub-linked resources by brute-forcing directory and file names
  – Leverages large dictionaries built from extensive web scanning
  – Accepts custom word lists
  – Uses multi-threading to increase speed
  – Allows the user to set the depth that it will search to


Discovery


Discovery
• Know thy target’s vulnerabilities
• Not all web vulnerability scanning engines are equal
• Do not expect any given scanner to detect all of a target’s vulnerabilities


Discovery
• WebSecurify
  – Multi-platform GUI scanning engine
  – Provides multiple plugins for specific scanning focuses
  – Works as a browser plugin for Chrome or Firefox


Discovery
• Grendel-Scan
  – Multi-platform GUI scanning engine
  – Starts by crawling a website to perform spidering
  – Employs a listening interception proxy to give the tool a boost in the discovery phase
  – Very configurable based on available plugins
  – Very good detection of Reflected XSS and SQLi


Discovery
• Skipfish
  – Extremely fast web application scanner
  – Produces a low false-positive rate
  – Utilizes a dictionary for initial direction and then adapts based on the responses of the site
  – Adjusts to websites consisting of multiple technologies
  – Produces actionable reporting
  – The three main modes are:
    – No brute-force, Minimal brute-force, & Normal brute-force


Discovery
• W3AF
  – Multi-platform, Python-based GUI and CLI interfaces
  – Designed to perform spidering and vulnerability discovery and exploitation
  – Bundles in tools such as SQLMap and BeEF
  – Supports scripting through the CLI
  – Leverages multiple plugins to perform focused scanning
  – Utilizes evasion plug-ins to evade IDS and firewall detection
  – Produces great reporting out of the box
  – Assists with the next step of the assessment phase, Exploitation


Discovery
• PortSwigger BurpSuite
  – While I will not delve too deep here due to this being BurpSuite’s second mention, this is really where this tool excels
  – Many of the functions of BurpSuite allow for exhaustive spidering and automated scanning of target sites
  – The Intruder tool can be leveraged with wordlists to perform fuzzing and discovery of unlinked files and directories (FuzzDB lists are great here)


Discovery
• Manual Testing
  – Automated scanners are awesome, but complementing them with the direction of your own understanding of development and human nature cannot be replaced
  – Manual directory tampering and browsing
    – User directories, ./home/, ./admin/, ./config/, ./root/, etc.
  – Username harvesting
    – Many login forms will return different messages for valid and invalid usernames, even for unsuccessful attempts
  – Parameter tampering / Cookie manipulation
    – Modify variables in GET arguments or cookie values to see if your level of access changes or if you can masquerade as another user
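An added example (not the speaker's code) of the username-harvesting weakness described under Manual Testing: a login handler whose failure text reveals whether the account exists, beside one that answers identically and does the same amount of work on both paths, plus the comparison a tester makes to tell the two apart. The user store and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, pbkdf2 hash). Not real accounts.
_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, hash_password("correct horse battery", _alice_salt))}
# A throwaway credential checked for unknown usernames so that path costs the
# same as a real comparison; a fast "no such user" reply is itself a leak.
_dummy_salt = os.urandom(16)
DUMMY = (_dummy_salt, hash_password(secrets.token_hex(16), _dummy_salt))


def login_verbose(username: str, password: str) -> str:
    """Vulnerable: the failure text reveals whether the username exists, so a
    login form built on this is a username oracle."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username"
    salt, stored = record
    if hmac.compare_digest(stored, hash_password(password, salt)):
        return "OK"
    return "Wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for every failure and a hash comparison on every
    path, so neither the text nor the timing distinguishes the two cases."""
    salt, stored = USERS.get(username, DUMMY)
    matched = hmac.compare_digest(stored, hash_password(password, salt))
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password"


def leaks_username_existence(login) -> bool:
    """The check the slide describes, applied to your own handler: compare the
    failure message for a known user (wrong password) with an unknown user."""
    known = login("alice", "definitely-wrong")
    unknown = login("nobody-here", "definitely-wrong")
    return known != unknown
```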


Exploitation


Exploitation
• Know thy exploit ninja skills
  – When vulnerabilities are identified, understanding the vulnerability is paramount to taking advantage of it
  – Secondly, knowing the most effective tool or technique to perform the exploit is equally important. This is obtained through experience (aka breaking things).


Exploitation
• The majority of vulnerabilities that I identify through the prior steps are exploited directly within my interception proxy
  – Each of these vulnerabilities generally maps back directly to the OWASP Top 10 in one way or another
  – Once identified through automated scanning or manual testing, though, the finding needs to be validated
  – If you are not performing exploitation, you are merely performing a vulnerability scan


Exploitation
• Command Injection
  – For command injection, I will leverage the BurpSuite Intruder
  – Find the potentially vulnerable payload position(s) within a valid request captured by the proxy
  – Right-click on that request and Send to Intruder
  – Select the appropriate payload positions
  – Supply Intruder with a dictionary file of known commands for the OS that you have determined the web server to be running on (FuzzDB)
  – Click Start Attack and, if vulnerable… profit


Exploitation
• SQL Injection
  – For SQLi, I will leverage SQLMap
  – SQLMap is capable of handling Blind, Union, or Error-based injection for a wide array of databases
  – I cheat on this one and use CO2 from the BApp Store
  – Provide the URL, POST data, and cookies if necessary
  – Select additional options for the type of DB and intended outcome of the exploitation
  – Click Run and, if vulnerable… profit
  – If it is not successful, it provides you with the full command-line statement for you to tamper with in the terminal


Exploitation
• Weak Authentication & Session Management
  – Leverage BurpSuite Repeater, Intruder, & Comparer
  – Many different types of attacks against session management can be performed directly from within BurpSuite
  – Authentication could be bypassed through manual cookie or parameter tampering
  – SQLi could also be in effect, allowing you to bypass authentication
  – Some pages within restricted access areas do not validate authentication. Once the application is mapped out, validate whether those are accessible without valid credentials.


Exploitation
• XSS (Reflected, Stored, & DOM)
  – Reflected XSS found by BurpSuite is very rarely inaccurate in my experience
  – On the other hand, automated scanners are not good at detecting Stored XSS
  – Stored XSS is best found by using human logic to find where in any given application a variable may be populated by the developer
  – BurpSuite has made great strides towards detecting DOM-based XSS with higher precision through recent updates
  – For XSS vulnerabilities, to make full use of client exploitation I will usually leverage BeEF
  – Do NOT put a grey alert pop-up in your report


Exploitation
• Insecure Direct Object References
  – This type of vulnerability can be exhibited through directory traversal / file include, local or remote file inclusion
  – These are some of my favorite vulnerabilities, and make full use of info gained during the recon, mapping, and discovery phases
  – Generally these will be exploited manually based on the architecture that your target environment is hosted on
  – Digging for other accessible files can be time-consuming, but also very rewarding
  – Files of interest would be:
    – Credential stores, configuration files, database strings, & log files
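An added example (not the speaker's code) of the server-side checks that close the two shapes this slide and the parameter-tampering note under Manual Testing describe: a record id the caller does not own, and a file name that escapes the directory it should be served from. The record table, session store and document root are constructed for the demo.

```python
import posixpath

# Constructed "database": record id -> (owner, body). Ids are sequential on
# purpose: that is what makes guessing a neighbour's id tempting.
RECORDS = {
    101: ("alice", "invoice for alice"),
    102: ("bob", "invoice for bob"),
}
# Constructed session store: opaque token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
DOCUMENT_ROOT = "/srv/app/files"  # assumed location of per-user downloads


def fetch_record(session_token: str, record_id: int) -> str:
    """Authorise against the identity the server established (the session),
    never against a user id or role carried in a parameter or cookie the
    client can edit; that is exactly what parameter tampering changes."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not authenticated")
    owner, body = RECORDS.get(record_id, (None, None))
    if owner != user:
        # Same error for "missing" and "not yours", so the caller cannot tell
        # which ids exist by walking the id space.
        raise PermissionError("no such record")
    return body


def safe_join(root: str, requested: str) -> str:
    """Resolve a client-supplied file name under root and reject anything that
    normalises to a location outside it: ../ sequences, absolute paths, or an
    empty name. Assumes the framework has already URL-decoded `requested`."""
    root = root.rstrip("/")
    if not requested or requested.startswith("/") or "\x00" in requested:
        raise ValueError("invalid file name")
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if not candidate.startswith(root + "/"):
        raise ValueError("path escapes document root")
    return candidate
```

The containment check compares the normalised result, not the raw input, so any spelling of a traversal that normpath collapses is caught without a denylist of patterns.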


Reporting


Reporting
• Know thy target audience
• Remember that all of the actions leading up to this point are for one purpose… to produce a deliverable
• That deliverable is your assessment report.


Reporting
• Your report should be written for each level of individual who will receive it
  – This may consist of technical, managerial, and executive staff
  – Each group has different expectations as to what that report will provide for them
• Make sure that it clearly documents remediation steps or mitigating controls that can be leveraged to reduce the organization’s risk


Resources
• Formal Training:
  – SANS.org Sec542 & Sec642
  – OffensiveSecurity.com
  – Elearnsecurity.com
• Freely-available Training:
  – Youtube.com/user/webpwnized
  – SecurityTube.net
  – Cybrary.it


Resources
• Assessment Distributions:
  – Kali – https://www.kali.org/downloads/
  – SamuraiWTF – http://www.samurai-wtf.org/
  – MobiSec – http://mobisec.professionallyevil.com/
• Vulnerable Web Resources (vulnhub.com):
  – bWAPP – http://www.itsecgames.com/
  – NOWASP Mutillidae 2 – http://sourceforge.net/projects/mutillidae/files/
  – Web Security Dojo – https://www.mavensecurity.com/web_security_dojo/


Resources
• Tools:
  – Fierce: http://ha.ckers.org/fierce/
  – Wikto: https://github.com/sensepost/wikto
  – Recon-ng: https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Home
  – Maltego: https://www.paterva.com/web6/products/maltego.php
  – Nmap: https://nmap.org/download.html
  – HTTPrint: http://www.net-square.com/httprint.html
  – Rapid Assessment of Web Resources (RAWR): https://bitbucket.org/al14s/rawr
  – Nikto: https://cirt.net/Nikto2
  – Wfuzz: https://github.com/xmendez/wfuzz
  – Portswigger BurpSuite: https://portswigger.net/burp/download.html


Resources
• Tools:
  – Paros Proxy: http://sourceforge.net/projects/paros/
  – Zed Attack Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  – Wget: https://www.gnu.org/software/wget/
  – DirBuster: http://sourceforge.net/projects/dirbuster/
  – WebSecurify: http://www.websecurify.com/
  – Grendel-Scan: http://sourceforge.net/projects/grendel/
  – Skipfish: https://code.google.com/p/skipfish/
  – W3AF: http://w3af.org/download/
  – FuzzDB: https://github.com/fuzzdb-project/fuzzdb
  – SQLMap: http://sqlmap.org/


Questions?


Thank You!

• Personal Contact Info:
  – Twitter: @c0ncealed
  – Email: c0ncealedx64@gmail.com
  – SSN: [redacted]
  – Professionally: tom.moore@infusionpoints.com

