Silent web app testing by example - BerlinSides 2011
Silent web app testing by example
Abraham Aranguren @7a_
[email protected]
http://7-a.org
Berlin Sides, December 29th 2011
Agenda
• Quick Intro
• Walk-through:
  - No permission needed
  - Mild/Subtle testing techniques
  - Passive discovery at post-exploitation
• Conclusion
• Q&A
About me
• Spanish dude
• Degree + Diploma in Computer Science
• Uni: Security research + honour mark
• IT: Since 2000 (netadmin / developer)
• Comeback to (offensive) security in 2007
• OSCP, CISSP, GWEB, CEH, MCSE, Etc.
• Web App Sec and Dev/Architect
• OWTF, GIAC, BeEF
Intro
47% (31 out of 66) of the tests in the OWASP Testing Guide can be legally* performed at least partially without permission
* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!
But …. why???
• Pre-engagement quality
• Choose bank wisely ☺
• Fun / Research
• No permission yet but tight deadline
• Get a head start in a pen test
• No fuzzing allowed / hard restrictions
• Waiting for info on other areas
Talk Scope
This talk is mostly NOT about:
• https → NIDS blind*
• Use POST → not logged (usually)
• Wifi, Tor, proxies, proxychains …
This talk is about:
• Using normal traffic or no traffic
• Confuse payloads = look as legit traffic
Types of Traffic
• Passive: No traffic to target
Example: Third party site touches target not us
• Semi Passive: Normal traffic to target
Examples: Visit site, download published content
• Active: Direct vulnerability probing
Examples: SQL injection, XSS, CSRF, etc. tries
Legend
Ethics/Scope legend*:
• P → No Permission needed: No attack traffic
• ! → Mild attack traffic / Could break things
• !! → You better have written permission ..
Vulnerable vs. Not Vulnerable legend:
• Vulnerable
• Not Vulnerable
* When in doubt, don’t do it or consult a lawyer!
P
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)
$ wget http://target.com/robots.txt
Case 1 → Not found: Indexing required?
Case 2 → Found: Analyse entries
P
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.
Case 1 → robots.txt Not Found
…should Google index a site like this?
Or should robots.txt exist and be like this?
User-agent: *
Disallow: /
P
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.
Case 2 → robots.txt Found (default Drupal robots.txt!)
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
...
# Files
Disallow: /CHANGELOG.txt (Drupal Version ☺)
Disallow: /xmlrpc.php
P
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.
Case 2 → Research known vulns passively
(i.e. OpenID bypass for Drupal 6.16)
P
(General) Environment replication
Also check http://www.oldapps.com/, Google, etc.
P
Download it .. Sometimes from project page ☺
(General) Environment replication
RIPS for PHP: http://rips-scanner.sourceforge.net/
Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
P
Static Analysis, Fuzz, Try exploits, ..
Search engine discovery / recon (OWASP-IG-002) cont.
P
Google Hacking techniques like ..
Search engine discovery / recon (OWASP-IG-002) cont.
P
Automated Google Hacking
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
Search engine discovery / recon (OWASP-IG-002) cont.
P
Metadata tools:
• FOCA (v. 3 now!)
• Metagoofil
• Exiftool
• EXIF FF plugin
http://www.informatica64.com/foca.aspx
Search engine discovery / recon (OWASP-IG-002) cont.
P
The Harvester:
• Emails
• Employee Names
• Subdomains
• Hostnames
http://www.edge-security.com/theHarvester.php
Search engine discovery / recon (OWASP-IG-002) cont.
P
http://www.paterva.com/web5/client/download.php
Image Credit: http://www.paterva.com
Search engine discovery / recon (OWASP-IG-002) cont.
P
https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
A bit of most in one:
Testing: Identify application entry points (OWASP-IG-003)
P
Use a proxy and JUST browse the site
• Let the proxy log ALL requests
• Understand the site
Proxies that detect vulns passively:
• ratproxy
• ZAP Proxy
Efficient manual browsing: Snap Links Plus http://snaplinks.mozdev.org/
Testing for Web Application Fingerprint (OWASP-IG-004)
P
Goal: What is that server running?
Semi passive banner grab example:
• $ curl -i -A 'Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0' -H 'Host: target.com' https://target.com
…
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://toolbar.netcraft.com - Passive banner grab, etc.
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://www.shodanhq.com/
Search in the headers without touching the site:
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://builtwith.com
• CMS
• Widgets
• Libraries
• etc
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
Do you know what that site is running now?
Let’s look for exploits and vulns
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
Exploit DB - http://www.exploit-db.com
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
NVD - http://web.nvd.nist.gov - CVSS Score = High
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
OSVDB - http://osvdb.org - CVSS Score = High
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://www.securityfocus.com - Better on Google
Testing for Web Application Fingerprint (OWASP-IG-004) cont.
P
http://www.exploitsearch.net - All in one
Testing for Application Discovery (OWASP-IG-005)
P
http://www.robtex.com - Passive DNS Discovery
Testing for Application Discovery (OWASP-IG-005) cont.
P
http://whois.domaintools.com
Testing for Application Discovery (OWASP-IG-005) cont.
P
http://centralops.net or proxychains .. nmap -sT
Testing for Application Discovery (OWASP-IG-005) cont.
P
http://centralops.net
Testing for Error Code (OWASP-IG-006)
P
Has Google found error messages for you?
Testing for Error Code (OWASP-IG-006) cont.
P
Check errors via Google Cache
Testing for SSL-TLS (OWASP-CM-001)
P
https://www.ssllabs.com/ssldb/analyze.html
No traffic ..
Testing for SSL-TLS (OWASP-CM-001) cont.
P
https://www.ssllabs.com/ssldb/analyze.html
.. And pretty graphs
Testing for SSL-TLS (OWASP-CM-001) cont.
P
Do not forget about Strict-Transport-Security!
$ curl -i https://accounts.google.com
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=2592000; includeSubDomains
sslstrip chances decrease dramatically:
Only 1st time user visits the site!
Application Configuration Management (OWASP-CM-004)
P
Just browse the site as normal and ..
look for comments! (lame but works!):
<!-- The password is 123 -->
/* TODO: Security hole here .. */
//FIXME: The function below is vulnerable…
Testing for Admin Interfaces (OWASP-CM-007)
P
• 3rd party stuff on .NET ViewState, headers, ..
• Telerik.Web.UI?? Google it!
Testing for Admin Interfaces (OWASP-CM-007) cont.
P
Google for default passwords:
Testing for Admin Interfaces (OWASP-CM-007) cont.
!!
Testing for Admin Interfaces (OWASP-CM-007) cont.
!!
Testing for HTTP Methods and XST (OWASP-CM-008)
An OPTIONS request is quite normal:
$ curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' -k https://site.com
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
P
Testing for HTTP Methods and XST (OWASP-CM-008) cont.
http://centralops.net
P
Testing for credentials transport (OWASP-AT-001)
Is the login page on “http” instead of “https”?
And … look carefully at pop-ups like this:
Consider: Firesheep and sslstrip
P
Testing for user enumeration (OWASP-AT-002) – by design
P
Mario was going to report a bug to Mozilla and found another!
Testing for user enumeration (OWASP-AT-002) – by design
P
Abuse user/member search functions:
• Search for “” (nothing) or “a”, then “b”, ..
• Download all the data using 1) + pagination (if any)
• Merge the results into a CSV-like format
• Import + save as a spreadsheet
• Show the spreadsheet to your customer
Testing for Default or Guessable User Account (OWASP-AT-003)
P
Analyse the username(s) they gave you to test:
• Username based on numbers? USER12345
• Username based on public info? (i.e. names, surnames, ..)
name.surname
• Default CMS user/pass?
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)
P
Is autocomplete set to off?
• Via 1) <form … autocomplete="off">
• Or Via 2) <input … autocomplete="off">
Or not?
<form action="/user/login" method="post"><input type="password" name="pass" />
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont.
P
Easy “your grandma can do it” test:
1. Login
2. Logout
3. Click the browser Back button twice*
4. Can you login again – without typing the login or password – by re-sending the login form?
Can the user re-submit the login form via the back button?
* Until the login form submission
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont.
P
Also .. Look at the questions / fields in the password reset form …
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc)
• Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
Logout and Browser Cache Management (OWASP-AT-007)
P
Goal: Is Caching of sensitive info allowed?
Easy “your grandma can do it” test (need login):
1. Login
2. Logout
3. Click the browser Back button
4. Do you see logged in content or a “this page has expired” error / the login page?
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
See headers with:
• Commands: curl -i http://target.com
• Proxy: Burp, ZAP, WebScarab, etc
• Browser Plugins:
https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
https://addons.mozilla.org/en-US/firefox/addon/firebug/
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
1) Wrong caching HTTP/1.1 headers:
Cache-control: private
Instead of:
Cache-Control: no-cache
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
2) Wrong caching HTTP/1.0 headers:
Pragma: private
Expires: <way too far in the future>
Instead of:
Pragma: no-cache
Expires: <past date or illegal value (e.g. 0)>
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
3) No caching headers (= caching allowed, default!)
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ….
X-Powered-By: ….
Connection: close
Content-Type: text/html; charset=UTF-8
Instead of (best):
$ curl -i https://accounts.google.com
...
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT
Logout and Browser Cache Management (OWASP-AT-007) cont.
P
Repeat for Meta tags:
4) Wrong HTTP/1.1:
<META HTTP-EQUIV="Cache-Control" CONTENT="private">
Instead of:
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
Etc. (see previous slides)
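Added example, not from the talk: a small Python check that applies caching cases 1) to 4) above to one captured response, merging <META HTTP-EQUIV> tags with the real headers. The sample responses are constructed after the slides, not real captures.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_response(raw):
    """Split a raw HTTP response into (status line, {header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def expires_is_acceptable(value, now=None):
    """Expires is only fine as a past date or an illegal value such as 0."""
    now = now or datetime.now(timezone.utc)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True  # illegal value: browsers treat it as already expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def audit_caching(raw, now=None):
    """Return the caching weaknesses (slide cases 1 to 4) found in one response."""
    _, headers, body = parse_response(raw)
    # case 4: <meta http-equiv> tags are merged with the real headers
    for name, value in re.findall(
            r'<meta\s+http-equiv="([^"]+)"\s+content="([^"]+)"', body, re.I):
        headers.setdefault(name.lower(), []).append(value)
    cc = ", ".join(headers.get("cache-control", [])).lower()
    pragma = ", ".join(headers.get("pragma", [])).lower()
    expires = headers.get("expires", [])
    if not (cc or pragma or expires):  # case 3: caching allowed by default
        return ["no caching headers at all: caching allowed by default"]
    findings = []
    if "no-cache" not in cc:  # case 1: private/public still end up on disk
        findings.append("HTTP/1.1: Cache-Control should be no-cache (best: no-cache, "
                        "no-store); got %r" % (cc or "absent"))
    if "no-cache" not in pragma:  # case 2: HTTP/1.0 caches and proxies
        findings.append("HTTP/1.0: Pragma should be no-cache; got %r" % (pragma or "absent"))
    if not expires:
        findings.append("HTTP/1.0: Expires header missing")
    for value in expires:
        if not expires_is_acceptable(value, now):
            findings.append("HTTP/1.0: Expires lies in the future: %r" % value)
    return findings

# Constructed samples modelled on the slides, not real captures
NO_HEADERS = ("HTTP/1.1 200 OK\r\nDate: Tue, 09 Aug 2011 13:38:43 GMT\r\n"
              "Content-Type: text/html; charset=UTF-8\r\n\r\n<html></html>")
WEAK = ("HTTP/1.1 200 OK\r\nCache-Control: private\r\nPragma: private\r\n"
        "Expires: Mon, 01 Jan 2035 00:00:00 GMT\r\n\r\n"
        '<html><meta http-equiv="Cache-Control" content="private"></html>')
GOOD = ("HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store\r\nPragma: no-cache\r\n"
        "Expires: Mon, 01-Jan-1990 00:00:00 GMT\r\n\r\n<html></html>")
```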
Testing for Captcha(OWASP-AT-008)
P
Can be done offline:
• Download image and try to break it
• Are CAPTCHAs reused?
• Is a hash or token passed? (Good algorithm? Predictable?)
• Look for vulns on CAPTCHA version:
PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
Captcha Breaker - http://churchturing.org/captcha-dist/
Testing for Session Management Schema (OWASP-SM-001)
P
Examine cookies for weaknesses offline
Base64: MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
Is: owaspuser:192.168.100.1:
a7656fafe94dae72b1e1487670148412
Testing for Session Management Schema (OWASP-SM-001) cont.
P
http://hackvertor.co.uk/public
Testing for Session Management Schema (OWASP-SM-001) cont.
P
http://hackvertor.co.uk/public
Lots of decode options, including:
• auto_decode
• auto_decode_repeat
• d_base64
• etc.
Testing for Session Management Schema (OWASP-SM-001) cont.
P
http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
Cookie decoder: F5 BIG-IP
Testing for cookies attributes (OWASP-SM-002)
P
• Secure: not set = session cookie leaked = pwned
• HttpOnly: not set = cookies stealable via JS
• Domain: set properly
• Path: set to the right /sub-application
• Expires: set reasonably
• 1 session cookie that works is enough ..
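Added example, not from the talk: a Python audit of Set-Cookie headers against the five attributes above, plus a helper for the last point (the cookie with the most findings is the one that matters). The host, application path, 30-day lifetime threshold and sample headers are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Parse one Set-Cookie value into (name, value, {attribute: value or True})."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

def audit_cookie(header, host, app_path="/", over_https=True, now=None,
                 max_lifetime=timedelta(days=30)):
    """Apply the slide's checklist to one Set-Cookie header: (name, findings)."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if over_https and "secure" not in attrs:
        findings.append("Secure not set: also sent over plain http = session cookie leaked")
    if "httponly" not in attrs:
        findings.append("HttpOnly not set: stealable via JavaScript")
    domain = attrs.get("domain")
    if isinstance(domain, str):
        bare = domain.lstrip(".").lower()
        if host != bare and not host.endswith("." + bare):
            findings.append("Domain=%s does not match host %s" % (domain, host))
        elif host != bare:
            findings.append("Domain=%s is wider than the host: shared with sibling subdomains" % domain)
    cookie_path = attrs.get("path") if isinstance(attrs.get("path"), str) else "/"
    p, a = cookie_path.rstrip("/") + "/", app_path.rstrip("/") + "/"
    if a != p and a.startswith(p):  # cookie leaks to other sub-applications on the host
        findings.append("Path=%s is wider than the application at %s" % (cookie_path, app_path))
    lifetime, max_age = None, attrs.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
        lifetime = timedelta(seconds=int(max_age))
    elif isinstance(attrs.get("expires"), str):
        try:
            when = parsedate_to_datetime(attrs["expires"])
            lifetime = when.replace(tzinfo=when.tzinfo or timezone.utc) - now
        except (TypeError, ValueError):
            pass  # unparsable date: the attribute is ignored, cookie ends with the session
    if lifetime is not None and lifetime > max_lifetime:  # no expiry = session cookie, fine
        findings.append("Expires/Max-Age too far in the future: %d days" % lifetime.days)
    return name, findings

def weakest_cookie(headers, host, app_path="/"):
    """One working session cookie is enough: report the cookie with most findings."""
    return max((audit_cookie(h, host, app_path) for h in headers), key=lambda r: len(r[1]))

# Constructed Set-Cookie headers, not taken from any real site
SAMPLE = [
    "PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; Path=/; HttpOnly; Secure",
    "remember=abc123; Domain=.example.com; Path=/; Expires=Thu, 01 Jan 2099 00:00:00 GMT",
]
```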
Testing for Session Fixation (OWASP-SM-003)
P
Session ID normally NOT changed by default..
Before Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
+
After Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
= Vulnerable
Testing for Exposed Session Variables (OWASP-SM-004)
P
Session ID:
• In URL
• In POST
• In HTML
Example from the field: http://target.com/xxx/xyz.function?session_num=7785
Testing for CSRF (OWASP-SM-005)
P
Look at HTML code:
No anti-CSRF token = Vulnerable
Anti-CSRF token = Wait to ACTIVE testing ☺
Testing for Bypassing Authorization Schema (OWASP-AZ-002)
P
Look at unauthenticated cross-site requests:
http://other-site.com/user=3&report=4
Referer: site.com
Change ids in application: !
http://site.com/view_doc=4
Testing for Reflected/Stored Cross site scripting (OWASP-DV-001)
P
Headers Enabling/Disabling Client-Side XSS filters:
• X-XSS-Protection (IE-Only)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
Example:
$ curl -i https://accounts.google.com
X-XSS-Protection: 1; mode=block
UI Redressing Protection i.e. Clickjacking (OWASP Code?)
P
Look for UI Redressing protections:
• X-Frame-Options (best)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
• JavaScript Frame busting (bypassable sometimes)
Example:
$ curl -i https://accounts.google.com
X-Frame-Options: Deny
“Clickjacking for Shells”: http://www.morningstarsecurity.com/research/clickjacking-wordpress
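Added example, not from the talk: one Python check covering the three headers the slides read off curl output (Strict-Transport-Security from OWASP-CM-001, X-XSS-Protection and X-Frame-Options / X-Content-Security-Policy here). The 30-day HSTS threshold and the sample responses are this example's own assumptions.

```python
import re

def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(raw, min_hsts_age=2592000):
    """Check HSTS, framing and XSS-filter headers; return a list of findings.
    min_hsts_age (30 days) is this example's own threshold, copied from the
    max-age shown in the slide's curl output."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security: an sslstrip-style downgrade "
                        "works on every visit, not only the first one")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append("Strict-Transport-Security max-age too short: %r" % hsts)
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security without includeSubDomains")
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("x-content-security-policy", "") or h.get("content-security-policy", "")
    if xfo in ("DENY", "SAMEORIGIN"):
        pass  # best option: widely supported
    elif "frame-ancestors" in csp:
        findings.append("framing only restricted via CSP frame-ancestors; "
                        "browsers without CSP support can still frame the page")
    elif xfo:
        findings.append("unexpected X-Frame-Options value: %r" % xfo)
    else:
        findings.append("no X-Frame-Options / frame-ancestors: page can be framed (UI redressing)")
    xssp = h.get("x-xss-protection", "").replace(" ", "").lower()
    if not xssp:
        findings.append("no X-XSS-Protection: IE's XSS filter stays at its default")
    elif xssp.startswith("0"):
        findings.append("X-XSS-Protection: 0 switches IE's XSS filter off")
    elif "mode=block" not in xssp:
        findings.append("X-XSS-Protection without mode=block: IE rewrites the page instead of blocking it")
    return findings

# Constructed responses modelled on the slides' curl output, not real captures
HARDENED = ("HTTP/1.1 302 Moved Temporarily\r\nContent-Type: text/html; charset=UTF-8\r\n"
            "Strict-Transport-Security: max-age=2592000; includeSubDomains\r\n"
            "X-Frame-Options: Deny\r\nX-XSS-Protection: 1; mode=block\r\n\r\n")
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html></html>"
```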
Testing for DOM-based Cross site scripting (OWASP-DV-003)
PReview JavaScript code on the page:
<script> document.write("Site is at: " + document.location.href + "."); </script>
Sometimes active testing possible in your browser (no trip to server = not an attack = not logged):
http://target.com/...#vulnerable_param=xss
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
Testing for Cross site flashing (OWASP-DV-004)
P
1) Find Flash files:
Testing for Cross site flashing (OWASP-DV-004) cont.
P
2) Find crossdomain.xml
Testing for Cross site flashing (OWASP-DV-004) cont.
P
3) Look at crossdomain.xml:
Example 1:
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
Example 2:
<cross-domain-policy>
  <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>
http://en.wikipedia.org/wiki/Same_origin_policy
http://kb2.adobe.com/cps/403/kb403185.html
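Added example, not from the talk: a Python checker for a crossdomain.xml policy that flags the cases the two examples illustrate (a wildcard allow-access-from, a too-broad header rule) and, beyond the slide, wildcard subdomains and secure="false". The third sample policy is constructed for this example.

```python
import xml.etree.ElementTree as ET

def audit_crossdomain(xml_text):
    """Return findings for a Flash crossdomain.xml policy (empty list = nothing found)."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any site may read '
                            "responses with the visitor's cookies")
        elif domain.startswith("*."):
            findings.append("allow-access-from domain=%r: every subdomain is trusted, "
                            "one weak subdomain is enough" % domain)
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false" on %r: SWFs loaded over plain http may '
                            "access this https site" % domain)
    for rule in root.findall("allow-http-request-headers-from"):
        domain, headers = rule.get("domain", ""), rule.get("headers", "")
        if domain == "*" or headers == "*":
            findings.append("allow-http-request-headers-from domain=%r headers=%r: "
                            "custom request headers accepted from too many sources"
                            % (domain, headers))
    return findings

# The two policies from the slides plus one constructed wildcard-subdomain policy
EXAMPLE_1 = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
EXAMPLE_2 = """<cross-domain-policy>
  <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>"""
WILDCARD_SUB = ('<cross-domain-policy><allow-access-from domain="*.example.com" '
                'secure="false"/></cross-domain-policy>')
```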
Testing for Cross site flashing (OWASP-DV-004) cont.
P
4) Download + decompile Flash files:
$ flare hello.swf
Testing for Cross site flashing (OWASP-DV-004) cont.
P
http://www.brothersoft.com/hp-swfscan-download-253747.html
http://tinyurl.com/SWFScan-msi
Testing for Cross site flashing (OWASP-DV-004) cont.
P
Good news: Unlike DOM XSS, the # trick will always work for Flash Files
Active testing ☺
1) Trip to server = need permission !
http://target.com/test.swf?xss=foo&xss2=bar
2) But … your browser is yours:
No trip to server = no permission needed P
http://target.com/test.swf#?xss=foo&xss2=bar
Testing for SQL Injection (OWASP-DV-005)
P
Did Google find SQLi for you?
DoS Failure to Release Resources (OWASP-DS-007)
P
1. Browse Site
2. Time requests
3. Get top X slowest requests
4. Slowest = Best DoS target
Testing: WS Information Gathering (OWASP-WS-001)
P
Google searches: inurl:wsdl site:example.com
Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL
Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/
Testing for WS Replay (OWASP-WS-007)
P
Similar to CSRF: Is there an anti-replay token in the request?
Testing for file extensions handling (OWASP-CM-005)
Some attack traffic but subtle. File Uploads:
• If upload.php or .asp, .html, .. is allowed by app
• A valid GIF or JPG comment can be a valid PHP script, etc ..
• Difference from attack to legit can be subtle
• File uploads are POST = often not logged (Enterprises do, but small businesses normally don’t)
!!
Testing for Error Code (OWASP-IG-006)
• Use var_name[] in PHP:
• Make __VIEWSTATE = ‘a’:
[ViewStateException: Invalid viewstate …..…) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\ ….
!
Testing for user enumeration (OWASP-AT-002)
• Error messages
“this user does not exist”
“the website member could not be found”
Etc.
• Time differences
$ time curl https://target.com -d 'user=x&pass=y'
Bad login Example:
Valid User (retrieved from DB): > 1.5 secs
Invalid User (not in DB = faster): < 0.7 secs
!
Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2)
Subtle look for signs of output encoding:
O’Brien → O&#39;Brien
O”Brien → O&quot;Brien or O%22Brien
Ted..> → Ted..&gt; or Ted..%3E
Ted..< → Ted..&lt; or Ted..%3C
Charset, etc.
!
Testing for SQL Injection (OWASP-DV-005)
SQL errors:
• Strings: O’Brien
• IDs: Instead of “1” type “1l” or “1 l”
Math operations: Is the same item displayed?
• target.com/id=2 → target.com/id=1%2B1
!
Testing for Application Discovery (OWASP-IG-005) @ post-exploitation
Got shell?
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
You feel like ..
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
They feel like ..
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
And finally ..
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
You have a mission!
• “Shell is only the beginning” – Darkoperator
• Your job is to show impact*
• Web app sec can also involve network sec!
Goal: How much damage could be done?
*within scope restrictions!
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
• Web server running as SYSTEM? (default!)
• No need to crack passwords ..
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
Just type your chosen password ..
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
• Steal passwords ..
• Be patient, it’s worth it ..
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
Pivot to the other hosts reusing passwords
!!
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
PASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum
P
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
PASSIVE Local “Port scanning” from winenum
P
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
Don’t forget about IPv6 & UDP ☺
P
Testing for Application Discovery (OWASP-IG-005) @post-exploitation
PASSIVE Remote “Port scanning” from winenum via active connections
P
Pen tester Conclusion
• No permission != cannot start
• A lot of work can be done in advance
This work in advance helps with:
• Increased efficiency
• Deal better with tight deadlines
• Better pre-engagement
• Better test quality
• Best chance to get in
Bottom line: Do it
Business Conclusion
• Web app security > Input validation
• We see no traffic != we are not targeted
• No IDS alerts != we are safe
• Your site can be tested without you noticing
• Test your security before others do
Special thanks to
• OWASP Testing Guide contributors
• Krzysztof Kotowicz
• Marcus Niemietz
• Mario Heiderich
• Michele Orru
• Sandro Gauci
Q&A
Abraham Aranguren
http://7-a.org
Q - owtf! This is a lot of work
A - I know, check out: http://owtf.org