Silent web app testing by example - BerlinSides 2011

Silent web app testing by example

Abraham Aranguren (@7a_)

[email protected]

http://7-a.org

Berlin Sides, December 29th 2011

Description

A practical OWASP Testing Guide walk-through focused on passive and semi-passive web app testing techniques.

Transcript of Silent web app testing by example - BerlinSides 2011

Page 1: Silent web app testing by example - BerlinSides 2011

Silent web app testing by example

Abraham Aranguren (@7a_)

[email protected]

http://7-a.org

Berlin Sides, December 29th 2011

Page 2: Silent web app testing by example - BerlinSides 2011

Agenda

• Quick Intro

• Walk-through:

  - No permission needed

  - Mild/subtle testing techniques

  - Passive discovery at post-exploitation

• Conclusion

• Q&A

Page 3: Silent web app testing by example - BerlinSides 2011

About me

• Spanish dude

• Degree + Diploma in Computer Science

• Uni: Security research + honour mark

• IT: Since 2000 (netadmin / developer)

• Comeback to (offensive) security in 2007

• OSCP, CISSP, GWEB, CEH, MCSE, Etc.

• Web App Sec and Dev/Architect

• OWTF, GIAC, BeEF

Page 4: Silent web app testing by example - BerlinSides 2011

Intro

47% (31 out of 66) of the tests in the OWASP Testing Guide can be legally* performed, at least partially, without permission

* Except in Spain, where visiting a page can be illegal ☺

* This is only my interpretation and not that of my employer + might not apply to your country!

Page 5: Silent web app testing by example - BerlinSides 2011

But … why???

• Pre-engagement quality

• Choose bank wisely ☺

• Fun / Research

• No permission yet but tight deadline

• Get a head start in a pen test

• No fuzzing allowed / hard restrictions

• Waiting for info on other areas

Page 6: Silent web app testing by example - BerlinSides 2011

Talk Scope

This talk is mostly NOT about:

• https → NIDS blind*

• Use POST → not logged (usually)

• Wifi, Tor, proxies, proxychains …

This talk is about:

• Using normal traffic or no traffic

• Confuse payloads = look as legit traffic

Page 7: Silent web app testing by example - BerlinSides 2011

Types of Traffic

• Passive: No traffic to target

Example: Third party site touches target not us

• Semi Passive: Normal traffic to target

Examples: Visit site, download published content

• Active: Direct vulnerability probing

Examples: SQL injection, XSS, CSRF, etc. tries

Page 8: Silent web app testing by example - BerlinSides 2011

Legend

Ethics/Scope legend*:

• P → No permission needed: no attack traffic

• ! → Mild attack traffic / could break things

• !! → You better have written permission ..

Vulnerable vs. Not Vulnerable legend:

• Vulnerable

• Not Vulnerable

* When in doubt, don’t do it or consult a lawyer!

P

Page 9: Silent web app testing by example - BerlinSides 2011

Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)

$ wget http://target.com/robots.txt

Case 1 → Not found: Indexing required?

Case 2 → Found: Analyse entries

P

Page 10: Silent web app testing by example - BerlinSides 2011

Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.

Case 1 → robots.txt Not Found

…should Google index a site like this?

Or should robots.txt exist and be like this?

User-agent: *

Disallow: /

P

Page 11: Silent web app testing by example - BerlinSides 2011

Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.

Case 2 → robots.txt Found (default Drupal robots.txt!)

User-agent: *

Crawl-delay: 10

# Directories

Disallow: /includes/

Disallow: /misc/

...

# Files

Disallow: /CHANGELOG.txt  (→ Drupal version ☺)

Disallow: /xmlrpc.php

P

Page 12: Silent web app testing by example - BerlinSides 2011

Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) cont.

Case 2 → Research known vulns passively

(i.e. OpenID bypass for Drupal 6.16)

P
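The triage of a fetched robots.txt (Cases 1 and 2 above) is easy to script once the file has been saved with wget. The following Python is an added example written for this transcript, not code from the talk or from OWTF: it parses the file, lists the Disallow entries, flags the entries that give the platform version away (the CHANGELOG.txt hint from the previous slide) and checks whether the entry set looks like a stock Drupal file. The signature sets VERSION_LEAKS and DRUPAL_DEFAULT_ENTRIES are illustrative assumptions, and SAMPLE_ROBOTS is constructed here after the Drupal default quoted on the slide.

```python
"""Added example: triage a downloaded robots.txt offline (not code from the talk)."""

# Constructed sample, modelled on the default Drupal robots.txt quoted on the slide.
SAMPLE_ROBOTS = """\
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
# Files
Disallow: /CHANGELOG.txt
Disallow: /xmlrpc.php
"""

# Assumption: illustrative signatures only, not a complete database.
VERSION_LEAKS = {
    "/CHANGELOG.txt": "changelog discloses the exact CMS version",
    "/INSTALL.txt": "install notes disclose the CMS and often its version",
}
DRUPAL_DEFAULT_ENTRIES = {"/includes/", "/misc/", "/modules/", "/CHANGELOG.txt", "/xmlrpc.php"}


def parse_robots(text):
    """Return (directive, value) pairs in file order; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        entries.append((directive.strip().lower(), value.strip()))
    return entries


def analyse_robots(text):
    """Summarise what a robots.txt reveals. text=None models the 'not found' case (Case 1)."""
    if text is None:
        return {"found": False, "disallowed": [], "blocks_all": False,
                "version_leaks": [], "drupal_like": False}
    # An empty Disallow value means "allow everything", so it is not a path worth listing.
    disallowed = [v for d, v in parse_robots(text) if d == "disallow" and v]
    return {
        "found": True,
        "disallowed": disallowed,
        # "Disallow: /" is the whole-site opt-out the slide asks about.
        "blocks_all": "/" in disallowed,
        "version_leaks": [(p, VERSION_LEAKS[p]) for p in disallowed if p in VERSION_LEAKS],
        # A stock CMS robots.txt identifies the platform without any further request.
        "drupal_like": DRUPAL_DEFAULT_ENTRIES.issubset(disallowed),
    }
```

The Disallow list is also the list of paths the site owner least wants indexed, which is exactly why it deserves a look before any other request is made; the point of the check is that the fingerprint (platform and, via CHANGELOG.txt, version) comes from one file that every crawler fetches anyway.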

Page 13: Silent web app testing by example - BerlinSides 2011

(General) Environment replication

Also check http://www.oldapps.com/, Google, etc.

P

Download it .. Sometimes from project page ☺

Page 14: Silent web app testing by example - BerlinSides 2011

(General) Environment replication

RIPS for PHP: http://rips-scanner.sourceforge.net/

Yasca for most other (also PHP): http://www.scovetta.com/yasca.html

P

Static Analysis, Fuzz, Try exploits, ..

Page 15: Silent web app testing by example - BerlinSides 2011

Search engine discovery / recon (OWASP-IG-002) cont.

P

Google Hacking techniques like ..

Page 16: Silent web app testing by example - BerlinSides 2011

Search engine discovery / recon (OWASP-IG-002) cont.

P

Automated Google Hacking

http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/

Page 17: Silent web app testing by example - BerlinSides 2011

Search engine discovery / recon (OWASP-IG-002) cont.

P

Metadata tools:

• FOCA (v. 3 now!)

• Metagoofil

• Exiftool

• EXIF FF plugin

http://www.informatica64.com/foca.aspx

Page 18: Silent web app testing by example - BerlinSides 2011

Search engine discovery / recon (OWASP-IG-002) cont.

P

The Harvester:

• Emails

• Employee Names

• Subdomains

• Hostnames

http://www.edge-security.com/theHarvester.php

Page 19: Silent web app testing by example - BerlinSides 2011

Search engine discovery / recon (OWASP-IG-002) cont.

P

http://www.paterva.com/web5/client/download.php

Image Credit: http://www.paterva.com

Page 20: Silent web app testing by example - BerlinSides 2011

Search engine discovery / recon (OWASP-IG-002) cont.

P

http://www.paterva.com/web5/client/download.php

Image Credit: http://www.paterva.com

Page 21: Silent web app testing by example - BerlinSides 2011

Search engine discovery / recon (OWASP-IG-002) cont.

P

https://addons.mozilla.org/en-US/firefox/addon/passiverecon/

A bit of most in one:

Page 22: Silent web app testing by example - BerlinSides 2011

Testing: Identify application entry points (OWASP-IG-003)

P

Use a proxy and JUST browse the site

• Let the proxy log ALL requests

• Understand the site

Proxies that detect vulns passively:

• ratproxy

• ZAP Proxy

Efficient manual browsing: Snap Links Plus http://snaplinks.mozdev.org/

Page 23: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004)

P

Goal: What is that server running?

Semi passive banner grab example:

$ curl -i -A 'Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0' -H 'Host: target.com' https://target.com

Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g

Page 24: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

http://toolbar.netcraft.com - Passive banner grab, etc.

Page 25: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

http://www.shodanhq.com/

Search in the headers without touching the site:

Page 26: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

http://builtwith.com

• CMS

• Widgets

• Libraries

• etc.

Page 27: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

Do you know what that site is running now?

Let’s look for exploits and vulns

Page 28: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

Exploit DB - http://www.exploit-db.com

Page 29: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

NVD - http://web.nvd.nist.gov - CVSS Score = High

Page 30: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

OSVDB - http://osvdb.org - CVSS Score = High

Page 31: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

http://www.securityfocus.com - Better on Google

Page 32: Silent web app testing by example - BerlinSides 2011

Testing for Web Application Fingerprint (OWASP-IG-004) cont.

P

http://www.exploitsearch.net - All in one

Page 33: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005)

P

http://www.robtex.com - Passive DNS Discovery

Page 34: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) cont.

P

http://whois.domaintools.com

Page 35: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) cont.

P

http://centralops.net or proxychains .. nmap -sT

Page 36: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) cont.

P

http://centralops.net

Page 37: Silent web app testing by example - BerlinSides 2011

Testing for Error Code (OWASP-IG-006)

P

Has Google found error messages for you?

Page 38: Silent web app testing by example - BerlinSides 2011

Testing for Error Code (OWASP-IG-006) cont.

P

Check errors via Google Cache

Page 39: Silent web app testing by example - BerlinSides 2011

Testing for SSL-TLS (OWASP-CM-001)

P

https://www.ssllabs.com/ssldb/analyze.html

No traffic ..

Page 40: Silent web app testing by example - BerlinSides 2011

Testing for SSL-TLS (OWASP-CM-001) cont.

P

https://www.ssllabs.com/ssldb/analyze.html

.. And pretty graphs

Page 41: Silent web app testing by example - BerlinSides 2011

Testing for SSL-TLS (OWASP-CM-001) cont.

P

Do not forget about Strict-Transport-Security!

$ curl -i https://accounts.google.com

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html; charset=UTF-8

Strict-Transport-Security: max-age=2592000; includeSubDomains

sslstrip's chances decrease dramatically: it only gets a window the first time the user visits the site!

Page 42: Silent web app testing by example - BerlinSides 2011

Application Configuration Management (OWASP-CM-004)

P

Just browse the site as normal and .. look for comments! (lame but works!):

<!-- The password is 123 -->

/* TODO: Security hole here .. */

//FIXME: The function below is vulnerable…

Page 43: Silent web app testing by example - BerlinSides 2011

Testing for Admin Interfaces (OWASP-CM-007)

P

• 3rd party stuff on .NET ViewState, headers, ..

• Telerik.Web.UI?? Google it!

Page 44: Silent web app testing by example - BerlinSides 2011

Testing for Admin Interfaces (OWASP-CM-007) cont.

P

Google for default passwords:

Page 45: Silent web app testing by example - BerlinSides 2011

Testing for Admin Interfaces (OWASP-CM-007) cont.

!!

Page 46: Silent web app testing by example - BerlinSides 2011

Testing for Admin Interfaces (OWASP-CM-007) cont.

!!

Page 47: Silent web app testing by example - BerlinSides 2011

Testing for HTTP Methods and XST (OWASP-CM-008)

An OPTIONS request is quite normal:

$ curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' -k https://site.com

HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

P

Page 48: Silent web app testing by example - BerlinSides 2011

Testing for HTTP Methods and XST (OWASP-CM-008) cont.

http://centralops.net

P

Page 49: Silent web app testing by example - BerlinSides 2011

Testing for HTTP Methods and XST (OWASP-CM-008) cont.

http://centralops.net

P

Page 50: Silent web app testing by example - BerlinSides 2011

Testing for credentials transport (OWASP-AT-001)

Is the login page on “http” instead of “https”?

And … look carefully at pop-ups like this:

Consider: Firesheep and sslstrip

P

Page 51: Silent web app testing by example - BerlinSides 2011

Testing for user enumeration (OWASP-AT-002) – by design

P

Mario was going to report a bug to Mozilla and found another!

Page 52: Silent web app testing by example - BerlinSides 2011

Testing for user enumeration (OWASP-AT-002) – by design

P

Abuse user/member search functions:

• Search for “” (nothing) or “a”, then “b”, ..

• Download all the data using 1) + pagination (if any)

• Merge the results into a CSV-like format

• Import + save as a spreadsheet

• Show the spreadsheet to your customer

Page 53: Silent web app testing by example - BerlinSides 2011

Testing for Default or Guessable User Account (OWASP-AT-003)

P

Analyse the username(s) they gave you to test:

• Username based on numbers? USER12345

• Username based on public info? (i.e. names, surnames, ..) name.surname

• Default CMS user/pass?

Page 54: Silent web app testing by example - BerlinSides 2011

Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)

P

Is autocomplete set to off?

• Via 1) <form … autocomplete="off">

• Or via 2) <input … autocomplete="off">

Or not?

<form action="/user/login" method="post"><input type="password" name="pass" />
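Checking variants 1) and 2) by eye is fine for one form; for a site with many forms it is worth automating. The following Python is an added example written for this transcript, not code from the talk: it walks the HTML with the standard library parser and reports every password field that neither its form's autocomplete attribute nor its own switches off. The three sample pages are constructed here, the first one after the Drupal-style form on the slide.

```python
"""Added example: find password fields without autocomplete="off" offline (not code from the talk)."""
from html.parser import HTMLParser

# Constructed samples: the form from the slide, then each of the two fixes.
VULNERABLE = ('<form action="/user/login" method="post">'
              '<input type="text" name="name" /><input type="password" name="pass" /></form>')
FIXED_ON_FORM = ('<form action="/user/login" method="post" autocomplete="off">'
                 '<input type="password" name="pass" /></form>')
FIXED_ON_INPUT = ('<form action="/user/login" method="post">'
                  '<input type="password" name="pass" autocomplete="off" /></form>')


class FormScanner(HTMLParser):
    """Records every <form> and the password <input>s inside it, with their autocomplete setting."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None   # the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                                   # HTMLParser lower-cases names, not values
        low = lambda key: (a.get(key) or "").lower()      # tolerate valueless attributes (None)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "autocomplete": low("autocomplete"),
                          "password_fields": []}
            self.forms.append(self._form)
        elif tag == "input" and low("type") == "password" and self._form is not None:
            self._form["password_fields"].append(
                {"name": a.get("name") or "", "autocomplete": low("autocomplete")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def password_fields_without_autocomplete_off(page_html):
    """(form action, field name) for each password field protected by neither variant 1) nor 2)."""
    scanner = FormScanner()
    scanner.feed(page_html)
    scanner.close()
    exposed = []
    for form in scanner.forms:
        form_off = form["autocomplete"] == "off"
        for field in form["password_fields"]:
            if not (form_off or field["autocomplete"] == "off"):
                exposed.append((form["action"], field["name"]))
    return exposed
```

One caveat a tester should state in the report: current browsers ignore autocomplete="off" for login fields and offer to save the password regardless, so the attribute is a 2011-era control; the back-button and cache tests on the following slides are the ones that still decide whether a shared browser leaks the session.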

Page 55: Silent web app testing by example - BerlinSides 2011

Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont.

P

Easy “your grandma can do it” test:

1. Login

2. Logout

3. Click the browser Back button twice*

4. Can you login again (without typing the login or password) by re-sending the login form?

Can the user re-submit the login form via the back button?

* Until the login form submission

Page 56: Silent web app testing by example - BerlinSides 2011

Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) cont.

P

Also .. look at the questions / fields in the password reset form …

• Does it let you specify your email address?

• Is it based on public info? (name, surname, etc.)

• Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)

Page 57: Silent web app testing by example - BerlinSides 2011

Logout and Browser Cache Management (OWASP-AT-007)

P

Goal: Is caching of sensitive info allowed?

Easy “your grandma can do it” test (need login):

1. Login

2. Logout

3. Click the browser Back button

4. Do you see logged-in content, or a “this page has expired” error / the login page?

Page 58: Silent web app testing by example - BerlinSides 2011

Logout and Browser Cache Management (OWASP-AT-007) cont.

P

See headers with:

• Commands: curl -i http://target.com

• Proxy: Burp, ZAP, WebScarab, etc.

• Browser plugins:

https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

https://addons.mozilla.org/en-US/firefox/addon/firebug/

Page 59: Silent web app testing by example - BerlinSides 2011

Logout and Browser Cache Management (OWASP-AT-007) cont.

P

1) Wrong caching HTTP/1.1 headers:

Cache-control: private

Instead of:

Cache-Control: no-cache

Page 60: Silent web app testing by example - BerlinSides 2011

Logout and Browser Cache Management (OWASP-AT-007) cont.

P

2) Wrong caching HTTP/1.0 headers:

Pragma: private
Expires: <way too far in the future>

Instead of:

Pragma: no-cache
Expires: <past date or illegal value (e.g. 0)>

Page 61: Silent web app testing by example - BerlinSides 2011

Logout and Browser Cache Management (OWASP-AT-007) cont.

P

3) No caching headers (= caching allowed, default!)

HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ….
X-Powered-By: ….
Connection: close
Content-Type: text/html; charset=UTF-8

Instead of (best):

$ curl -i https://accounts.google.com
...
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT

Page 62: Silent web app testing by example - BerlinSides 2011

Logout and Browser Cache Management (OWASP-AT-007) cont.

P

Repeat for Meta tags:

4) Wrong HTTP/1.1:

<META HTTP-EQUIV="Cache-Control" CONTENT="private">

Instead of:

<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">

Etc. (see previous slides)
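Etc. (see previous slides)">
The four cases on the preceding slides (weak Cache-Control, weak Pragma/Expires, no caching headers at all, and weak meta tags) can be checked from a saved "curl -i" response plus the page body. The following Python is an added example for this transcript, not code from the talk: it parses the response head, applies the four rules and returns a list of findings, empty when the page is not cacheable. The sample responses are constructed here after the slides' examples; the "case N" labels in the findings refer to the slide numbering.

```python
"""Added example: audit the caching headers and meta tags of a logged-in page (not code from the talk)."""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed samples modelled on the slides' responses (same shape as 'curl -i' output).
NO_CACHE_HEADERS = """HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8"""

WEAK_HEADERS = """HTTP/1.1 200 OK
Cache-Control: private
Pragma: private
Expires: Thu, 01 Jan 2099 00:00:00 GMT
Content-Type: text/html; charset=UTF-8"""

BEST_HEADERS = """HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT
Content-Type: text/html; charset=UTF-8"""

WEAK_META = '<META HTTP-EQUIV="Cache-Control" CONTENT="private">'

# <meta http-equiv="..." content="..."> with either quoting style, case-insensitive.
META_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?([\w-]+)["\']?[^>]*content\s*=\s*["\']?([^"\'>]+)', re.I)


def parse_headers(raw_response):
    """Map lower-cased header names to values; the first line is the status line and is skipped."""
    headers = {}
    for line in raw_response.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def forbids_caching(cache_control):
    """True when Cache-Control carries no-cache or no-store (no-store is the one you want for sensitive pages)."""
    directives = {d.strip().lower() for d in cache_control.split(",")}
    return bool(directives & {"no-cache", "no-store"})


def expires_in_future(value):
    """True only for a well-formed date still ahead of us; 0, -1 or garbage count as already expired."""
    value = value.strip()
    if value in ("0", "-1"):
        return False
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):      # illegal date: caches treat it as expired
        return False
    if when is None:
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc)


def cache_findings(raw_response, page_html=""):
    """Return the weaknesses found; an empty list means the page cannot be cached (slides' cases 1-4)."""
    h = parse_headers(raw_response)
    findings = []
    cc = h.get("cache-control", "")
    if not cc:
        findings.append("case 3: no Cache-Control header, so caching is allowed by default")
    elif not forbids_caching(cc):
        findings.append("case 1: weak Cache-Control: " + cc)
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("case 2: Pragma: no-cache missing (HTTP/1.0 caches)")
    expires = h.get("expires")
    if expires is None:
        findings.append("case 2: Expires header missing")
    elif expires_in_future(expires):
        findings.append("case 2: Expires lies in the future: " + expires)
    meta = {name.lower(): value.strip() for name, value in META_RE.findall(page_html)}
    if "cache-control" in meta and not forbids_caching(meta["cache-control"]):
        findings.append("case 4: weak <meta http-equiv=Cache-Control>: " + meta["cache-control"])
    return findings
```

Run it on the post-logout page, not only on the login page: the back-button test on the earlier slide fails precisely when the authenticated pages were served without these headers.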

Page 63: Silent web app testing by example - BerlinSides 2011

Testing for Captcha (OWASP-AT-008)

P

Can be done offline:

• Download image and try to break it

• Are CAPTCHAs reused?

• Is a hash or token passed? (Good algorithm? Predictable?)

• Look for vulns on CAPTCHA version:

PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha

Captcha Breaker - http://churchturing.org/captcha-dist/

Page 64: Silent web app testing by example - BerlinSides 2011

Testing for Session Management Schema (OWASP-SM-001)

P

Examine cookies for weaknesses offline

Base64 MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=

Is owaspuser:192.168.100.1: ...

a7656fafe94dae72b1e1487670148412

Page 65: Silent web app testing by example - BerlinSides 2011

Testing for Session Management Schema (OWASP-SM-001) cont.

P

http://hackvertor.co.uk/public

Page 66: Silent web app testing by example - BerlinSides 2011

Testing for Session Management Schema (OWASP-SM-001) cont.

P

http://hackvertor.co.uk/public

Lots of decode options, including:

• auto_decode

• auto_decode_repeat

• d_base64

• etc.

Page 67: Silent web app testing by example - BerlinSides 2011

Testing for Session Management Schema (OWASP-SM-001) cont.

P

http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html

Cookie decoder: F5 BIG-IP

Page 68: Silent web app testing by example - BerlinSides 2011

Testing for cookies attributes (OWASP-SM-002)

P

• Secure: not set = session cookie leaked = pwned

• HttpOnly: not set = cookies stealable via JS

• Domain: set properly

• Path: set to the right /sub-application

• Expires: set reasonably

• 1 session cookie that works is enough ..
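Both the offline cookie examination of OWASP-SM-001 (is the value readable base64, or a hash of predictable fields?) and the attribute checklist of OWASP-SM-002 above work from a single Set-Cookie line. The following Python is an added example for this transcript, not code from the talk: it splits the header, audits Secure, HttpOnly, Domain, Path and lifetime, and classifies the value. The two Set-Cookie lines are constructed here from the values quoted on the SM-001 slide, and the 30-day lifetime threshold is an assumption of this example.

```python
"""Added example: decode a session cookie's value and audit its attributes offline (not code from the talk)."""
import base64
import binascii
import re

# Constructed Set-Cookie lines: the base64 value quoted on the SM-001 slide, and a hardened cookie.
LEAKY = "session=MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=; Path=/; Max-Age=31536000"
HARDENED = "PHPSESSID=a7656fafe94dae72b1e1487670148412; Path=/app; Secure; HttpOnly"

HEX_DIGEST_SIZES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}   # hex digest lengths in characters
MAX_REASONABLE_AGE = 30 * 24 * 3600   # assumption: a session living longer than 30 days is worth questioning


def parse_set_cookie(header_value):
    """Split 'name=value; Attr=v; Flag' into name, value and a lower-cased attribute map (flags map to True)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")          # first '=' only: base64 padding keeps its '='
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def decode_value(value):
    """Guess what the value is: a hex digest (hashed fields?), readable base64, or opaque."""
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_DIGEST_SIZES:
        return "hex-digest", HEX_DIGEST_SIZES[len(value)] + "-sized hash: ask what is hashed and whether it is predictable"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) and len(value) % 4 == 0:
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
            if text.isprintable():
                return "base64", text
        except (binascii.Error, UnicodeDecodeError):
            pass
    return "opaque", value


def audit_cookie(set_cookie_header):
    """Apply the slide's checklist (Secure, HttpOnly, Domain, Path, Expires) plus the value decoding."""
    name, value, attrs = parse_set_cookie(set_cookie_header)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure not set: the cookie also travels over plain http")
    if "httponly" not in attrs:
        findings.append("HttpOnly not set: readable from JavaScript")
    if attrs.get("path", "/") == "/":
        findings.append("Path is '/' (or absent): every application on the host receives it")
    if "domain" in attrs:
        findings.append("Domain=" + str(attrs["domain"]) + ": every host under it receives the cookie")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > MAX_REASONABLE_AGE:
        findings.append("Max-Age of " + max_age + " seconds: long-lived session")
    elif "expires" in attrs:
        findings.append("Expires=" + str(attrs["expires"]) + ": check it is reasonable")
    kind, detail = decode_value(value)
    if kind == "base64":
        findings.append("value is plain base64 and decodes to: " + detail)
    elif kind == "hex-digest":
        findings.append("value is a " + detail)
    return {"name": name, "kind": kind, "findings": findings}
```

The base64 branch is the one that turns a cookie into a finding on its own: when the decoded text contains the client IP, the username or, as in the slide's value, a password, the session token is a credential in disguise and the Secure/HttpOnly findings become severities rather than hygiene notes.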

Page 69: Silent web app testing by example - BerlinSides 2011

Testing for Session Fixation (OWASP-SM-003)

P

Session ID normally NOT changed by default ..

Before login: PHPSESSID:10a966616e8ed63f7a9b741f80e65e3c

+

After login: PHPSESSID:10a966616e8ed63f7a9b741f80e65e3c

= Vulnerable

Page 70: Silent web app testing by example - BerlinSides 2011

Testing for Exposed Session Variables (OWASP-SM-004)

P

Session ID:

• In URL

• In POST

• In HTML

Example from the field: http://target.com/xxx/xyz.function?session_num=7785

Page 71: Silent web app testing by example - BerlinSides 2011

Testing for CSRF (OWASP-SM-005)

P

Look at HTML code:

No anti-CSRF token = Vulnerable

Anti-CSRF token = Wait for ACTIVE testing ☺

Page 72: Silent web app testing by example - BerlinSides 2011

Testing for Bypassing Authorization Schema (OWASP-AZ-002)

P

Look at unauthenticated cross-site requests:

http://other-site.com/user=3&report=4
Referer: site.com

Change ids in application (!): http://site.com/view_doc=4

Page 73: Silent web app testing by example - BerlinSides 2011

Testing for Reflected/Stored Cross site scripting (OWASP-DV-001)

P

Headers enabling/disabling client-side XSS filters:

• X-XSS-Protection (IE-only)

• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)

Example:

$ curl -i https://accounts.google.com
X-XSS-Protection: 1; mode=block

Page 74: Silent web app testing by example - BerlinSides 2011

UI Redressing Protection, i.e. Clickjacking (OWASP Code?)

P

Look for UI Redressing protections:

• X-Frame-Options (best)

• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)

• JavaScript frame busting (bypassable sometimes)

Example:

$ curl -i https://accounts.google.com
X-Frame-Options: Deny

“Clickjacking for Shells”: http://www.morningstarsecurity.com/research/clickjacking-wordpress
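The three header checks that the slides illustrate with "curl -i https://accounts.google.com" (Strict-Transport-Security on the SSL/TLS slide, X-XSS-Protection on the XSS slide, and X-Frame-Options / X-Content-Security-Policy here) read the same response head. The following Python is an added example for this transcript, not code from the talk: it parses the head and reports what each header actually grants, including the HSTS max-age in days and the includeSubDomains flag that decide how long and how widely sslstrip is kept out. The two responses are constructed here after the values quoted on the slides.

```python
"""Added example: read HSTS, anti-clickjacking and XSS-filter headers from a 'curl -i' head (not code from the talk)."""

# Constructed samples modelled on the accounts.google.com responses quoted on the slides, plus a bare server.
GOOGLE_LIKE = """HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=2592000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: Deny"""

BARE = """HTTP/1.1 200 OK
Content-Type: text/html"""


def headers_from_curl(raw_response):
    """Lower-cased header name -> value from the status line + headers of a raw response."""
    return {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in raw_response.splitlines()[1:] if ":" in line)}


def hsts_status(headers):
    """Parse Strict-Transport-Security; it only helps after the browser's first https visit, and for max-age."""
    value = headers.get("strict-transport-security")
    if value is None:
        return {"present": False}
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                pass
    return {"present": True, "max_age": max_age,
            "max_age_days": None if max_age is None else max_age / 86400,
            "include_subdomains": "includesubdomains" in directives}


def framing_protection(headers):
    """Which UI-redressing defence the server declares: ('x-frame-options', v), ('csp', directive) or None."""
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin") or xfo.startswith("allow-from"):
        return ("x-frame-options", xfo)
    for name in ("x-content-security-policy", "content-security-policy"):
        for directive in headers.get(name, "").split(";"):
            if directive.strip().lower().startswith("frame-ancestors"):
                return ("csp", directive.strip())
    return None   # only JavaScript frame busting (if any) is left, and that is bypassable


def xss_filter_status(headers):
    """How X-XSS-Protection steers the browser's reflective XSS filter: 'unset', 'disabled', 'block' or 'filter'."""
    value = headers.get("x-xss-protection")
    if value is None:
        return "unset"
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] == "0":
        return "disabled"
    return "block" if "mode=block" in parts else "filter"


def client_protection_report(raw_response):
    """One dict per response with the three verdicts."""
    h = headers_from_curl(raw_response)
    return {"hsts": hsts_status(h), "framing": framing_protection(h), "xss_filter": xss_filter_status(h)}
```

Two things have moved on since 2011 and belong in a current report: Content-Security-Policy with frame-ancestors has replaced the X-Content-Security-Policy prefix, and the browsers have since removed their reflective XSS filters, so X-XSS-Protection no longer changes behaviour; the HSTS and X-Frame-Options checks are still exactly as the slides describe.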

Page 75: Silent web app testing by example - BerlinSides 2011

Testing for DOM-based Cross site scripting (OWASP-DV-003)

P

Review JavaScript code on the page:

<script> document.write("Site is at: " + document.location.href + "."); </script>

Sometimes active testing possible in your browser(no trip to server = not an attack = not logged):

http://target.com/...#vulnerable_param=xss

http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html

Page 76: Silent web app testing by example - BerlinSides 2011

Testing for Cross site flashing (OWASP-DV-004)

P

1) Find Flash files:

Page 77: Silent web app testing by example - BerlinSides 2011

Testing for Cross site flashing (OWASP-DV-004) cont.

P

2) Find crossdomain.xml

Page 78: Silent web app testing by example - BerlinSides 2011

Testing for Cross site flashing (OWASP-DV-004) cont.

P

3) Look at crossdomain.xml:

Example 1:

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

Example 2:

<cross-domain-policy>
<!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
<allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>

http://en.wikipedia.org/wiki/Same_origin_policy

http://kb2.adobe.com/cps/403/kb403185.html
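Reading a crossdomain.xml is the one step in this section that is pure offline analysis, and the two examples above are the two ends of the scale. The following Python is an added example for this transcript, not code from the talk: it parses the policy with the standard library XML module and reports the grants that matter, a wildcard allow-access-from (Example 1, any site's SWF may read this site's responses with the victim's cookies), wildcard subdomains, and the secure="false" attribute that lets a SWF served over plain http read an https site. The two policies are the slide's examples reproduced as constructed inputs.

```python
"""Added example: judge a crossdomain.xml offline (not code from the talk)."""
import xml.etree.ElementTree as ET

# The two policies quoted on the slide, reproduced here as constructed inputs.
EXAMPLE_1 = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
EXAMPLE_2 = """<cross-domain-policy>
  <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>"""


def analyse_crossdomain(xml_text):
    """Return what the policy grants plus the findings that matter for cross-site data theft via Flash."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a crossdomain.xml policy: root is <%s>" % root.tag)
    report = {"access_from": [], "headers_from": [], "wildcard_access": False,
              "wildcard_subdomains": [], "allows_http_to_https": False}
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        # secure="false" lets a SWF served over plain http read this https site's responses.
        secure = el.get("secure", "true").lower() != "false"
        report["access_from"].append({"domain": domain, "secure": secure})
        if domain == "*":
            report["wildcard_access"] = True          # Example 1: any origin's Flash reads responses as the user
        elif domain.startswith("*."):
            report["wildcard_subdomains"].append(domain)   # every subdomain, including forgotten ones
        if not secure:
            report["allows_http_to_https"] = True
    for el in root.iter("allow-http-request-headers-from"):
        # Example 2: only permits a custom header from one named origin, no data access at all.
        report["headers_from"].append({"domain": el.get("domain", ""), "headers": el.get("headers", "")})
    return report


def is_vulnerable(report):
    """Wildcard access, or http-to-https access, means authenticated responses are readable cross-site."""
    return report["wildcard_access"] or report["allows_http_to_https"]
```

A policy that lists wildcard subdomains is not an automatic finding but needs the application discovery step from earlier in the talk: one forgotten host under the wildcard that serves user content is enough to reach the same result as Example 1.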

Page 79: Silent web app testing by example - BerlinSides 2011

Testing for Cross site flashing (OWASP-DV-004) cont.

P

4) Download + decompile Flash files:

$ flare hello.swf

Page 80: Silent web app testing by example - BerlinSides 2011

Testing for Cross site flashing (OWASP-DV-004) cont.

P

http://www.brothersoft.com/hp-swfscan-download-253747.html

http://tinyurl.com/SWFScan-msi

Page 81: Silent web app testing by example - BerlinSides 2011

Testing for Cross site flashing (OWASP-DV-004) cont.

P

Good news: Unlike DOM XSS, the # trick will always work for Flash Files

Active testing ☺

1) Trip to server = need permission (!)

http://target.com/test.swf?xss=foo&xss2=bar

2) But … your browser is yours:

No trip to server = no permission needed (P)

http://target.com/test.swf#?xss=foo&xss2=bar

Page 82: Silent web app testing by example - BerlinSides 2011

Testing for SQL Injection (OWASP-DV-005)

P

Did Google find SQLi for you?

Page 83: Silent web app testing by example - BerlinSides 2011

DoS Failure to Release Resources (OWASP-DS-007)

P

1. Browse site

2. Time requests

3. Get top X slowest requests

4. Slowest = best DoS target

Page 84: Silent web app testing by example - BerlinSides 2011

Testing: WS Information Gathering (OWASP-WS-001)

P

Google searches: inurl:wsdl site:example.com

Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL

Public services search:

http://seekda.com/

http://www.wsindex.org/

http://www.soapclient.com/

Page 85: Silent web app testing by example - BerlinSides 2011

Testing for WS Replay (OWASP-WS-007)

P

Similar to CSRF: Is there an anti-replay token in the request?

Page 86: Silent web app testing by example - BerlinSides 2011

Testing for file extensions handling (OWASP-CM-005)

Some attack traffic but subtle. File uploads:

• If upload.php or .asp, .html, .. is allowed by the app

• A valid GIF or JPG comment can be a valid PHP script, etc ..

• Difference from attack to legit can be subtle

• File uploads are POST = often not logged (enterprises do, but small businesses normally don’t)

!!

Page 87: Silent web app testing by example - BerlinSides 2011

Testing for Error Code (OWASP-IG-006)

• Use var_name[] in PHP:

• Make __VIEWSTATE = 'a':

[ViewStateException: Invalid viewstate …..…) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\ ….

!

Page 88: Silent web app testing by example - BerlinSides 2011

Testing for user enumeration (OWASP-AT-002)

• Error messages:

“this user does not exist”
“the website member could not be found”
Etc.

• Time differences:

$ time curl https://target.com -d 'user=x&pass=y'

Bad login example:
Valid user (retrieved from DB): > 1.5 secs
Invalid user (not in DB = faster): < 0.7 secs

!

Page 89: Silent web app testing by example - BerlinSides 2011

Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2)

Subtle: look for signs of output encoding:

O’Brien → O&apos;Brien

O”Brien → O&quot;Brien or O%22Brien

Ted..> → Ted..&gt; or Ted..%3E

Ted..< → Ted..&lt; or Ted..%3C

Charset, etc.

!
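The four reflections on the slide are a lookup the tester does by eye; the same comparison, done in code, also tells the two encodings apart and catches the raw reflection that signals missing output encoding. The following Python is an added example for this transcript, not code from the talk: given a probe value and the page it came back in, it reports whether the value appears raw, HTML-entity encoded (in either the &#x27; or the &apos; spelling for the apostrophe) or URL-encoded. The page fragments are constructed here after the slide's four cases plus one unencoded reflection.

```python
"""Added example: tell from a page how a probe value was reflected (not code from the talk)."""
import html
from urllib.parse import quote

# Constructed page fragments: the four reflections on the slide plus one raw reflection.
SAMPLES = {
    "O'Brien": "<td>O&apos;Brien</td>",
    'O"Brien': '<a href="/user?name=O%22Brien">profile</a>',
    "Ted..>": "<td>Ted..&gt;</td>",
    "Ted..<": "<td>Ted..<</td>",        # reflected as-is: the sign of missing output encoding
}


def encodings_of(value):
    """The safe encodings a page might show a value in, keyed by name."""
    entity = html.escape(value, quote=True)      # ' -> &#x27;   " -> &quot;   < -> &lt;   > -> &gt;
    return {
        "html-entity": entity,
        "html-entity-apos": entity.replace("&#x27;", "&apos;"),   # the XML-style apostrophe on the slide
        "url-encoded": quote(value, safe=""),    # ' -> %27   " -> %22   < -> %3C   > -> %3E
    }


def classify_reflection(probe, page_text):
    """'raw' when the probe appears unencoded, the encoding's name when it appears encoded, None when absent.

    A probe without any special character reflects identically in every form, so use probes
    containing ' " < > as the slide does.
    """
    if probe in page_text:
        return "raw"
    for name, encoded in encodings_of(probe).items():
        if encoded != probe and encoded in page_text:
            return name
    return None


def reflection_report(samples):
    """probe -> verdict for a batch of (probe, page) pairs such as SAMPLES."""
    return {probe: classify_reflection(probe, page) for probe, page in samples.items()}
```

The value of the check is in what the verdict implies for the next step: "url-encoded" inside an href attribute or "html-entity" inside text is the encoding the context needs, while the same value reflected raw is the case worth reporting even before any active test is allowed.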

Page 90: Silent web app testing by example - BerlinSides 2011

Testing for SQL Injection (OWASP-DV-005)

SQL errors:

• Strings: O’Brien

• IDs: Instead of “1” type “1l” or “1 l”

Math operations: Is the same item displayed?

• target.com/id=2 → target.com/id=1%2B1

!

Page 91: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @ post-exploitation

Got shell?

!!

Page 92: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

You feel like ..

!!

Page 93: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

They feel like ..

!!

Page 94: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

They feel like ..

!!

Page 95: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

They feel like ..

!!

Page 96: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

And finally ..

!!

Page 97: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

You have a mission!

• “Shell is only the beginning” – Darkoperator

• Your job is to show impact*

• Web app sec can also involve network sec!

Goal: How much damage could be done?

*within scope restrictions!

!!

Page 98: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

• Web server running as SYSTEM? (default!)

• No need to crack passwords ..

!!

Page 99: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

Just type your chosen password ..

!!

Page 100: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

• Steal passwords ..

• Be patient, it’s worth it ..

!!

Page 101: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

Pivot to the other hosts reusing passwords

!!

Page 102: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

PASSIVE ping sweep: unique IPs & MACs from the ARP table of all popped boxes via winenum

P

Page 103: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

PASSIVE local “port scanning” from winenum

P

Page 104: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

Don’t forget about IPv6 & UDP ☺

P

Page 105: Silent web app testing by example - BerlinSides 2011

Testing for Application Discovery (OWASP-IG-005) @post-exploitation

PASSIVE remote “port scanning” from winenum via active connections

P

Page 106: Silent web app testing by example - BerlinSides 2011

Pen tester Conclusion

• No permission != cannot start

• A lot of work can be done in advance

This work in advance helps with:

• Increased efficiency

• Deal better with tight deadlines

• Better pre-engagement

• Better test quality

• Best chance to get in

Bottom line: Do it

Page 107: Silent web app testing by example - BerlinSides 2011

Business Conclusion

• Web app security > Input validation

• We see no traffic != we are not targeted

• No IDS alerts != we are safe

• Your site can be tested without you noticing

• Test your security before others do

Page 108: Silent web app testing by example - BerlinSides 2011

Special thanks to

• OWASP Testing Guide contributors

• Krzysztof Kotowicz

• Marcus Niemietz

• Mario Heiderich

• Michele Orru

• Sandro Gauci

Page 109: Silent web app testing by example - BerlinSides 2011

Q&A

Abraham Aranguren

@7a_

[email protected]

http://7-a.org

Q - OWTF! This is a lot of work

A - I know, check out: http://owtf.org