VERIFYING WEB APPLICATION SECURITY: TOOLS, TECHNIQUES & TRICKS
About Me
• I'm an undeserving sinner saved by grace
• Husband, Father and unrelenting geek
• Burdened for college-aged youth
  – Teach a College & Career Sunday School class
  – Starting a Collegians for Christ chapter at local community college
• 2nd Amendment Supporter
• Hacking Capture The Flag addict
  – Currently building my own CTF mobile rig
• Senior Associate at InfusionPoints, LLC
• Attended Marshall University in Huntington, WV
Disclaimer
• While I have personally performed many web application assessments, I do not have all of the answers
• Web application security changes and new vulnerabilities, techniques, & tools are discovered frequently
• Sorry for the TL;DR and severe lack of memes
• My perspective is skewed towards that of an attacker (… and I don't use oxford commas with consistency)
Agreement
• In providing you with the information contained within this presentation, you agree to only leverage these tools, techniques, and tricks to enhance the security stature of a consenting organization.
• Use ethically and obtain written permission before attempting to assess a website.
Reasoning
• Why is web security important?
  – Prevalent use in daily activities
  – Quickly becoming more complex
  – Publicly accessible interface
  – Ties into back-end databases
  – Often coded without security focus
Agenda
• Getting Started
• Reconnaissance
• Mapping
• Discovery
• Exploitation
• Wrap-up
• Questions & Answers
Getting Started
• You need to have…
  – Written consent from target company
  – Understanding of web technologies
  – Working knowledge of OWASP Top 10
Getting Started
• OWASP Top 10 Vulnerabilities
  – Injection (SQLi or Command)
  – Weak Authentication and Session Management
  – XSS (Stored, Reflected, & DOM)
  – Insecure Direct Object References
  – Security Misconfiguration
  – Sensitive Data Exposure
  – Missing Function Level Access Control
  – Cross-Site Request Forgery (CSRF)
  – Using Components With Known Vulnerabilities
  – Unvalidated Redirects and Forwards
Reference: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
Getting Started
• You need to have…
  – Written consent from target company
  – Understanding of web technologies
  – Working knowledge of OWASP Top 10
  – Knowledge of assessment toolsets
  – Ability to think like an attacker
  – Understanding of how to scope assessment
  – Proven, repeatable, & explainable process
Getting Started
• Web Application Testing Methodology
Reconnaissance
Reconnaissance
• Know thy target's architecture
• Static, Dynamic, or Application Server
Reconnaissance
• Static Web Server
  – Not susceptible to majority of current web vulnerabilities.
  – Look for:
    • Misconfigurations
    • Additional network services
    • Underlying operating system
  – Leverage information:
    • Extract metadata
    • Build brute force password lists from site content
Reconnaissance
• Dynamic Web Server
  – Most common type of modern web server
  – Pulls dynamic content from back-end database
    • Commonly a SQL database
    • Other sources include Oracle, MS Access, XML, flat file, mainframe or file servers
  – Cost effective solution
  – Dynamic content server often protected, sometimes residing on internal network
  – Complicates hardening and protections
Reconnaissance
• Application Server
  – Still pulls dynamic content from back-end database, but interaction with server is done through another web or proxy server
    • Examples: IBM WebSphere, Mono, Base4, & JBoss
  – Provides applications with self-contained features
  – Application server trusts expected requests from in-line proxy or web server
  – Complicates hardening and protections
Reconnaissance
• What request methods are available?
  – GET
  – POST
  – HEAD
  – TRACE
  – PUT
  – DELETE
  – CONNECT
  – OPTIONS
Reconnaissance
• What authentication methods are in use?
  – Basic
  – Digest
  – Client Certificate
  – Windows Authentication
  – Forms
Reconnaissance
• DNS Enumeration
  – Whois
  – Nslookup
  – Dig
  – Host
  – Fierce
Reconnaissance
• Open Source Intelligence (OSINT)
  – Google Dorks (GHDB)
  – Bing (IP:aaa.bbb.ccc.ddd)
  – Wikto
  – Social Media (Job postings / Acquisitions)
  – Recon-ng
  – Maltego
Mapping
Mapping
• Know thy target's footprint
• Many tools are available to help gain a better understanding of what any given web target is built on, with, or for
Mapping
• Nmap
  – Actively scans target reporting open ports
  – Very granular in control for variables such as:
    • Speed, Intensity, Protocol, Port depth, Verbosity, Service Versioning, OS Fingerprinting, & Output Formats
  – Very extensible through Nmap Scripting Engine
  – Multi-platform / CLI / GUI
  – Most common arguments that I use:
    • -v -sV -O -T4 --open --max-retries=0 -iL [list] -oA [prefix]
Mapping
• Netcat
  – Swiss Army Knife of network connectivity
  – Grab server connection strings and headers:
    • printf "GET / HTTP/1.0\n\n" | nc -v scanme.nmap.org 80
• HTTPrint
  – Cross-platform web fingerprinting tool
  – Fingerprints server based on Layer 7 responses for:
    • Capitalization of various headers, header field ordering, improper HTTP versions, and improper protocols
  – Compares responses to fingerprint database
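The header-ordering signal the HTTPrint bullet describes, as an added example that is neither the slides' code nor HTTPrint's own: a simplified Layer-7 fingerprint scored by header order and capitalisation against a signature table. The signature table, family names and the raw response are constructed samples, not real product fingerprints.

```python
# Added example (not from the slides or HTTPrint): fingerprint a server by the
# order and case of its response headers. SIGNATURES and SAMPLE are constructed.
from typing import Dict, List, Tuple

# Constructed signatures: family -> header names in the order and case they are sent.
SIGNATURES: Dict[str, List[str]] = {
    "family-A": ["Date", "Server", "Last-Modified", "ETag", "Accept-Ranges",
                 "Content-Length", "Content-Type"],
    "family-B": ["Server", "Date", "Content-Type", "Content-Length",
                 "Last-Modified", "Connection", "ETag"],
}

def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the status line and the ordered (name, value) header pairs, case preserved."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return status, pairs

def _lcs(a: List[str], b: List[str]) -> int:
    """Longest common subsequence length; order-aware, so swapped headers cost points."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def fingerprint(raw: bytes) -> Dict[str, object]:
    """Score every signature against the observed header sequence (1.0 = exact match)."""
    _, pairs = parse_response(raw)
    names = [n for n, _ in pairs]
    banner = next((v for n, v in pairs if n.lower() == "server"), "")
    scores = {fam: _lcs(names, sig) / len(sig) for fam, sig in SIGNATURES.items()}
    best = max(scores, key=scores.get)
    return {"banner": banner, "best_match": best, "score": scores[best]}

# Constructed response: the Server banner claims family-B, but the header order is family-A's.
SAMPLE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          b"Server: family-B/1.0\r\nLast-Modified: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          b"ETag: \"abc\"\r\nAccept-Ranges: bytes\r\nContent-Length: 5\r\n"
          b"Content-Type: text/html\r\n\r\nhello")
```

A banner that disagrees with the header-order match is the point of this technique: a Server string is trivial to edit, the order in which the serving code emits headers is not.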
Mapping
• Rapid Assessment of Web Resources (RAWR)
  – I have a slight bias towards using this tool
  – Developed based on desires of having a single solution to perform many of the mapping functions and producing normalized output
  – Will leverage Nmap to perform port scans tailored to web services
  – Captures screen shots of all web interfaces detected
  – Lists available HTTP Methods and login fields
  – Downloads Cookies, robots.txt, & crossdomain.xml
  – Generates diagram of site while performing spidering, etc…
Mapping
• Nikto
  – Uses a flat file 'database' of items to scan for on the server
  – Looks for default files and common server-side scripts that are known to be vulnerable
  – Does produce false-positive findings
• Wfuzz
  – Web-focused fuzzer or brute-force tool
  – Leverages built-in dictionaries or ranges
  – Identifies hidden directories and files on a webserver
Mapping
• Portswigger BurpSuite
  – The BEST interception proxy on the market (IMHO)
  – Java based which allows for multi-platform functionality
  – Free and Professional versions (Pro $300)
  – Contains many tools for web assessments
    • Proxy, Spider, Vulnerability Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, & Extender
  – Extensible through BApp Store for 3rd party tools
  – Great reporting engine in Professional version
Mapping
• Paros Proxy
  – A very good interception proxy
  – Supports automated spidering
• Zed Attack Proxy
  – Fully-functional interception proxy
  – Automated spidering and vulnerability scanning
  – Built-in decoder
  – Interacts with API and Websocket
  – Produces report of identified findings
Mapping
• Wget
  – A fast command-line web browser
  – Supports full site spidering
  – Can mirror entire websites
  – Will mimic known User Agent Strings
  – Can adhere to or bypass robots.txt
  – Example: wget --mirror --adjust-extension --page-requisites --execute robots=off --wait 15 --random-wait --convert-links --user-agent=Mozilla http://scanme.nmap.org
Mapping
• DirBuster
  – Java cross-platform directory brute forcing tool
  – Attempts to identify unlinked or sub-linked resources by brute forcing directory and file names
  – Leverages large dictionaries built from extensive web scanning
  – Accepts custom word lists
  – Uses multi-threading to increase speed
  – Allows user to set the depth that it will search to
Discovery
Discovery
• Know thy target's vulnerabilities
• Not all web vulnerability scanning engines are equal
• Do not expect any given scanner to detect all of a target's vulnerabilities
Discovery
• WebSecurify
  – Multi-platform GUI scanning engine
  – Provides multiple plugins for specific scanning focuses
  – Works as a browser plugin for Chrome or Firefox
Discovery
• Grendel-Scan
  – Multi-platform GUI scanning engine
  – Starts crawling a website to perform spidering
  – Employs a listening interception proxy to give the tool a boost in the discovery phase
  – Very configurable based on available plugins
  – Very good detection of Reflected XSS and SQLi
Discovery
• Skipfish
  – Extremely fast web application scanner
  – Produces low false-positive rate
  – Utilizes a dictionary for initial direction and then adapts based on the responses of the site
  – Adjusts to websites consisting of multiple technologies
  – Produces actionable reporting
  – The three main modes are: No brute-force, Minimal brute-force, & Normal brute-force
Discovery
• W3AF
  – Multi-platform python based GUI and CLI interfaces
  – Designed to perform spidering and vulnerability discovery and exploitation
  – Bundles in tools such as SQLMap and BeEF
  – Supports scripting through the CLI
  – Leverages multiple plugins to perform focused scanning
  – Utilizes Evasion Plug-ins to evade IDS and Firewall detection
  – Produces great reporting out of the box
  – Assists with the next step of the assessment phase, Exploitation
Discovery
• PortSwigger BurpSuite
  – While I will not delve too deep here due to this being BurpSuite's second mention, this is really where this tool excels
  – Many of the functions of BurpSuite allow for exhaustive spidering and automated scanning of target sites
  – The Intruder tool can be leveraged with wordlists to perform fuzzing and discovery of unlinked files and directories. (FuzzDB lists are great here)
Discovery
• Manual Testing
  – Automated scanners are awesome, but complementing those with direction of your own understanding of development and human nature cannot be replaced
  – Manual directory tampering and browsing
    • User directories, ./home/, ./admin/, ./config/, ./root/, etc.
  – Username harvesting
    • Many login forms will return different messages between valid and invalid usernames even for unsuccessful attempts
  – Parameter tampering / Cookie manipulation
    • Modify variables in GET arguments or cookie values to see if your permissive access changes or if you can masquerade as another user
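The differing-message weakness from the Username harvesting bullet, as an added example (not code from the slides): a leaky login check beside a hardened one that answers, and works, the same way whether or not the username exists. The user store, salt and passwords are constructed.

```python
# Added example (not from the slides): username enumeration via login messages,
# vulnerable form beside the fix. USERS, _SALT and the passwords are constructed.
import hashlib
import hmac

_SALT = b"constructed-salt"          # real deployments use a random per-user salt
_ITERATIONS = 50_000

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)

USERS = {"alice": _hash("correct horse")}   # constructed user store
_DUMMY = _hash("placeholder")               # compared when the username is unknown

def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the reply (and the work done) differs depending on whether the user exists,
    so an unauthenticated caller can confirm valid usernames one at a time."""
    if username not in USERS:
        return "Unknown user"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Incorrect password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """Hardened: one generic message, and a full hash comparison on every path so the
    response time does not reveal the missing-user branch either."""
    stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(stored, _hash(password))
    if matched and username in USERS:      # guards against a guess equal to the dummy's input
        return "OK"
    return "Invalid username or password"
```

The same rule applies to password-reset and registration forms: any endpoint that answers "that account does not exist" is a username oracle.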
Exploitation
Exploitation
• Know thy exploit ninja skills
  – When vulnerabilities are identified, understanding the vulnerability is paramount to taking advantage of it
  – Secondly, knowing the most effective tool or technique to perform the exploit is equally important. This is obtained through experience. (aka, breaking things)
Exploitation
• The majority of vulnerabilities that I identify through the prior steps are exploited directly within my Interception Proxy
  – Each of these vulnerabilities generally maps back directly to the OWASP Top 10 in one way or another
  – Once identified through automated scanning or manual testing though, the finding needs to be validated
  – If you are not performing exploitation, you are merely performing a vulnerability scan
Exploitation
• Command Injection
  – For command injection, I will leverage the BurpSuite Intruder
    • Find the potentially vulnerable payload position(s) within a valid request captured by the proxy
    • Right-click on that request and Send to Intruder
    • Select the appropriate payload positions
    • Supply Intruder with a dictionary file of known commands for the OS that you have determined the webserver to be running on (FuzzDB)
    • Click Start Attack and if vulnerable… profit
Exploitation
• SQL Injection
  – For SQLi, I will leverage SQLMap
    • SQLMap is capable of handling Blind, Union, or Error-based injection for a wide array of databases
    • I cheat on this one and use CO2 from the BApp Store
    • Provide the URL, Post Data, and cookies if necessary
    • Select additional options for the type of DB and intended outcome of the exploitation
    • Click Run, and if vulnerable… profit
    • If it is not successful, it provides you with the full command line statement for you to tamper with in the terminal
Exploitation
• Weak Authentication & Session Management
  – Leverage Burpsuite Repeater, Intruder, & Comparer
    • Many different types of attacks against session management can be performed directly from within BurpSuite.
    • Authentication could be bypassed through manual cookie or parameter tampering
    • SQLi could also be in effect allowing you to bypass authentication
    • Some authentication is not validated for pages within restricted access areas. Once the application is mapped out, validate whether those are accessible without valid credentials.
Exploitation
• XSS (Reflected, Stored, & DOM)
  – Reflected XSS found by BurpSuite is very rarely inaccurate in my experience.
  – Alternatively, automated scanners are not good at detecting Stored XSS.
    • Stored XSS is best found by using human logic to find in any given application where a variable may be populated by the developer
  – BurpSuite has made great strides towards detecting DOM based XSS with higher precision through recent updates.
  – For XSS vulnerabilities to make full use of client exploitation, I will usually leverage BeEF
  – Do NOT put a grey alert pop-up in your report
Exploitation
• Insecure Direct Object References
  – This type of vulnerability can be exhibited through directory traversal / file include, local or remote file inclusion.
  – These are some of my favorite vulnerabilities, and make full use of info gained during the recon, mapping, and discovery phases
  – Generally these will be exploited manually based on the architecture that your target environment is hosted on
  – Digging for other accessible files can be time-consuming, but also very rewarding
  – Files of interest would be:
    • Credential stores, configuration files, database strings, & log files
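The directory-traversal / local file inclusion flaw behind the Insecure Direct Object References slide, as an added example (not code from the slides): a file handler that joins the request straight onto its document root, beside one that resolves the path and refuses anything outside it. The document tree is a constructed temp directory with one public file and one configuration file outside the root.

```python
# Added example (not from the slides): directory traversal in a file handler,
# vulnerable form beside the fix. The directory tree below is constructed.
import os
import tempfile
from typing import Optional

ROOT = tempfile.mkdtemp()
BASE = os.path.join(ROOT, "public")            # the intended document root
os.makedirs(os.path.join(BASE, "docs"))
with open(os.path.join(BASE, "docs", "readme.txt"), "w") as f:
    f.write("public")
with open(os.path.join(ROOT, "config.ini"), "w") as f:   # constructed secret outside BASE
    f.write("db_password=constructed")

def read_vulnerable(user_path: str) -> str:
    """Vulnerable: no containment check. '../config.ini' walks out of the root, and
    an absolute path passed to os.path.join discards BASE entirely."""
    with open(os.path.join(BASE, user_path)) as f:
        return f.read()

def is_contained(user_path: str) -> bool:
    """Resolve symlinks and '..' first, then require the result to sit under BASE."""
    base = os.path.realpath(BASE)
    target = os.path.realpath(os.path.join(base, user_path))
    return os.path.commonpath([base, target]) == base

def read_hardened(user_path: str) -> str:
    """Hardened: refuse anything that resolves outside the document root."""
    if not is_contained(user_path):
        raise PermissionError(f"{user_path!r} resolves outside the document root")
    target = os.path.realpath(os.path.join(os.path.realpath(BASE), user_path))
    if not os.path.isfile(target):
        raise FileNotFoundError(user_path)
    with open(target) as f:
        return f.read()

def try_read(user_path: str) -> Optional[str]:
    """Hardened read that reports rejection as None instead of raising."""
    try:
        return read_hardened(user_path)
    except (PermissionError, FileNotFoundError):
        return None
```

Checking the string for ".." is not enough on its own (encodings, symlinks and absolute paths all bypass it); comparing the resolved path against the resolved root is the check that holds.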
Reporting
Reporting
• Know thy target audience
• Remember that all of the actions leading up to this point are for one purpose… to produce a deliverable
• That deliverable is your assessment report.
Reporting
• Your report should be written for each level of individual who will receive it
  – This may consist of technical, managerial, and executive staff
  – Each group has different expectations as to what that report will provide for them
• Make sure that it clearly documents remediation steps or mitigating controls that can be leveraged to reduce the organization's risk
Resources
• Formal Training:
  – SANS.org Sec542 & Sec642
  – OffensiveSecurity.com
  – Elearnsecurity.com
• Freely-available Training:
  – Youtube.com/user/webpwnized
  – SecurityTube.net
  – Cybrary.it
Resources
• Assessment Distributions:
  – Kali: https://www.kali.org/downloads/
  – SamuraiWTF: http://www.samurai-wtf.org/
  – MobiSec: http://mobisec.professionallyevil.com/
• Vulnerable Web Resources: (vulnhub.com)
  – bWAPP: http://www.itsecgames.com/
  – NOWASP Mutillidae 2: http://sourceforge.net/projects/mutillidae/files/
  – Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/
Resources
• Tools:
  – Fierce: http://ha.ckers.org/fierce/
  – Wikto: https://github.com/sensepost/wikto
  – Recon-ng: https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Home
  – Maltego: https://www.paterva.com/web6/products/maltego.php
  – Nmap: https://nmap.org/download.html
  – HTTPrint: http://www.net-square.com/httprint.html
  – Rapid Assessment of Web Resources (RAWR): https://bitbucket.org/al14s/rawr
  – Nikto: https://cirt.net/Nikto2
  – Wfuzz: https://github.com/xmendez/wfuzz
  – Portswigger BurpSuite: https://portswigger.net/burp/download.html
  – Paros Proxy: http://sourceforge.net/projects/paros/
  – Zed Attack Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  – Wget: https://www.gnu.org/software/wget/
  – DirBuster: http://sourceforge.net/projects/dirbuster/
  – WebSecurify: http://www.websecurify.com/
  – Grendel-Scan: http://sourceforge.net/projects/grendel/
  – Skipfish: https://code.google.com/p/skipfish/
  – W3AF: http://w3af.org/download/
  – FuzzDB: https://github.com/fuzzdb-project/fuzzdb
  – SQLMap: http://sqlmap.org/
Questions?
Thank You!
• Personal Contact Info:
  – Twitter: @c0ncealed
  – Email: [email protected]
  – SSN: [redacted]
  – Professionally: [email protected]