2011 NSAA IT Pre-Conference Workshop
Penetration Testing For Maximum Benefit
WEB APP HACKING
Introductions
Web Application Testing: A Concise Overview
Scott Johnson, Principal Security Consultant, Emagined Security
Goals
- Grasp of the web application testing process
- Convinced of the necessity
- Knowledge of core tools
- Confident that “I can do this”
Agenda
- Overview
- Testing Phases
- Demonstration
What is Web Application Testing? Black Art or Science?
“A penetration test is a method of evaluating the security of a computer system or network by simulating an attack. A Web Application Penetration Test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.” (OWASP)
- Targets the legitimate business functions users use every day
- The supporting infrastructure is generally off limits
- It is not a code review
Why Test?
Common misconceptions: “Our site is safe” because
- We have firewalls in place
- We encrypt our data
- We have IDS / IPS
- We have a privacy policy
Web App Hacking in the News
Your Front Door Hacker
- The firewall is going to let them in
- Encryption will hide most of the attacks
- Privacy? Like they care!
How does it work?
- SQL injection is sent over HTTPS (port 443) to acme.bank.com
- It passes the network security controls (firewall, IDS / IPS) because it is ordinary, encrypted web traffic to a permitted port
- The database server returns account passwords
You Don’t Have to Look Like This
You can perform web app testing if you have:
- A basic understanding of the HTTP protocol
- A methodical approach
- Tenacious curiosity
(Pictured: “Uber Nerd” Marc Maiffret, founder and CTO of eEye Digital Security)
Testing Phases
Passive Phase
- Information gathering
- Understanding the logic
- Observing normal behavior
Active Phase
- Targeted testing
- Applying methodologies
Passive Phase: Reconnaissance
“Reconnaissance is a mission to obtain information by visual observation or other detection methods, about the activities and resources of an enemy or potential enemy.” (US Army FM 7-92, Chapter 4)
Know your target before you begin; it’s worth the effort.
- Determine application types and versions
  - Cross-reference vulnerabilities with OSVDB / NVD: http://web.nvd.nist.gov/view/vuln/search
- Observe normal behavior
- Advanced Google searching, aka Google hacking: http://en.wikipedia.org/wiki/Google_hacking
- Application mapping
  - Spidering / web crawling
  - Directory busting
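The application-mapping step above (spidering) is what ZAP, WebScarab and Burp do when you run their spider: follow links, record each distinct URI once, stay inside the target's host, and note every parameter and form field, because that list of inputs is exactly what the active phase fuzzes. The following is an added example written for this page, not code from the workshop or from any of those tools. The site it crawls is a constructed in-memory stand-in (a hypothetical app.example host) so it runs offline; the fetch() stub is where a real HTTP client would go, and only against an application you are authorized to test.

```python
"""Spider: map an application's distinct URIs and input points (passive phase).

Added example, not code from the workshop deck or from ZAP/Burp. SITE is a
constructed in-memory stand-in for the target (a hypothetical app.example
host) so the example runs offline; swap fetch() for a real HTTP client only
against an application you are authorized to test.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse, urlunparse

# Constructed sample site: "path?query" -> HTML body. Pages not listed play the
# role of a 404. The external link must be left alone (out of scope).
SITE = {
    "/": '<a href="/login">Login</a> <a href="/menu?menuID=1">Menu</a> '
         '<a href="http://other.example/x">partner</a>',
    "/login": '<form action="/login" method="post">'
              '<input name="userid"><input name="password" type="password">'
              '<input type="hidden" name="csrf" value="abc"></form>',
    "/menu?menuID=1": '<a href="/menu?menuID=2">next</a> <a href="/">home</a>',
    "/menu?menuID=2": '<a href="/admin/">admin</a>',
    "/admin/": '<a href="/menu?sort=name&menuID=1">sorted</a>',
}


class LinkParser(HTMLParser):
    """Collects anchor targets and form definitions from one page."""

    def __init__(self):
        super().__init__()
        self.links = []          # href values of <a> tags
        self.forms = []          # (action, method, [input names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = (a.get("action") or "", (a.get("method") or "get").lower(), [])
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def canonical(url):
    """Drop the fragment and sort the query so /a?x=1&y=2 and /a?y=2&x=1 count once."""
    p = urlparse(url)
    query = urlencode(sorted(parse_qsl(p.query, keep_blank_values=True)))
    return urlunparse((p.scheme, p.netloc, p.path or "/", "", query, ""))


def fetch(url):
    """Stand-in for an HTTP GET against the constructed SITE."""
    p = urlparse(url)
    return SITE.get(p.path + ("?" + p.query if p.query else ""))


def spider(base):
    """Breadth-first crawl from base, staying on its host.

    Returns the distinct URIs seen, the parameter names observed per path
    (the injection points the active phase will fuzz) and the forms found.
    """
    host = urlparse(base).netloc
    seen, queue = set(), deque([canonical(base)])
    inputs, forms = {}, []
    while queue:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        p = urlparse(url)
        if p.query:
            names = [k for k, _ in parse_qsl(p.query, keep_blank_values=True)]
            inputs.setdefault(p.path, set()).update(names)
        body = fetch(url)
        if body is None:            # 404 or out of reach: recorded, not expanded
            continue
        parser = LinkParser()
        parser.feed(body)
        for href in parser.links:
            target = canonical(urljoin(url, href))
            if urlparse(target).netloc == host:     # scope check: never leave the target
                queue.append(target)
        for action, method, fields in parser.forms:
            action_url = canonical(urljoin(url, action or url))
            forms.append((action_url, method, fields))
            inputs.setdefault(urlparse(action_url).path, set()).update(fields)
            if method == "get":
                queue.append(action_url)
    return {
        "uris": sorted(seen),
        "inputs": {path: sorted(names) for path, names in inputs.items()},
        "forms": forms,
    }


if __name__ == "__main__":
    result = spider("http://app.example/")
    for uri in result["uris"]:
        print(uri)
    print(result["inputs"])
```

The "inputs" map is the deliverable of this step: it tells you that /menu takes menuID and sort and that /login posts userid, password and a hidden csrf field, which is the target list for the fuzzing described under the active phase. Directory busting is the complement to spidering (request candidate paths from a wordlist rather than following links) and finds the admin pages and backups nothing links to.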
Active Phase: The Attack Plan
- Configuration Management
- Business Logic
- Authentication
- Session Management
- Authorization
- Data Validation
- Denial of Service
- Web Services Testing
Tools: Deploying Your Assets
Browser (prefer Firefox and friends)
- FoxyProxy, Live HTTP Headers, Firebug, Web Developer, etc.
Web Proxy
- A server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers. For testing it sits between your browser and the target so every request and response can be viewed and modified.
- Examples: Burp, WebScarab, Paros
Tools (continued): Scanner
- Tool that automates many of the test methods described earlier
- Many commercial tools: AppScan, WebInspect, Acunetix, etc.
- Free open-source scanners: W3AF (Web Application Attack and Audit Framework), OWASP ZAP
- Pros: fast; the tester can quickly target weak spots
- Cons: prone to false positives, poor session management
- Does not replace manual testing
Fuzzing
Definition: “A software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions.” (Wikipedia)
- Fundamental technique in web application testing
- Inputs to fuzz: parameters, form fields, cookies, HTTP headers
- Can uncover many kinds of vulnerabilities: SQL injection, XSS, improper error handling, denial of service, etc.
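To make the fuzzing definition concrete for web applications: the inputs are the parameters, form fields, cookies and headers listed above, the "monitoring" is comparing each response against a baseline (status code, error text, reflection of the payload, response size), and the result is a list of leads that still need manual confirmation, which is where the false positives the scanner slide warns about come from. The following is an added example written for this page, not code from the workshop or from Burp, ZAP or W3AF. The target mock_app() is a constructed vulnerable stand-in so the example runs offline; send() would be a real HTTP client (or one routed through your proxy) against an application you are authorized to test.

```python
"""Parameter fuzzer: abusive input into every injection point, then anomaly triage.

Added example, not code from the workshop deck or from Burp/ZAP/W3AF.
mock_app() is a constructed vulnerable target so the example runs offline;
send() would be a real HTTP client (or a client routed through your proxy)
against an application you are authorized to test.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)    # query/form parameters
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# A small representative payload set; a real run uses far more (Intruder-style lists).
PAYLOADS = [
    "'", '"', "1' or '1'='1", "-1", "0", "99999999999999999999",
    "<script>alert(1)</script>", "A" * 4096, "%00", "../../etc/passwd",
]

# Text that betrays improper error handling: an unhandled exception or driver error.
ERROR_SIGNATURES = re.compile(
    r"SQL syntax|SQLException|ORA-\d{5}|Unclosed quotation|"
    r"Traceback \(most recent|Warning: mysql_|stack trace",
    re.IGNORECASE,
)


def mock_app(req):
    """Constructed vulnerable target. Returns (status, body)."""
    menu = req.params.get("menuID", "1")
    if not menu.lstrip("-").isdigit():
        # Concatenated SQL plus verbose errors: the classic injection fingerprint.
        return 500, f"java.sql.SQLException: Unclosed quotation mark near '{menu}'"
    if len(req.cookies.get("lang", "")) > 64:
        return 500, "Traceback (most recent call last): ... ValueError"
    name = req.params.get("name", "")
    return 200, f"<h1>Menu {menu}</h1><p>Hello {name}</p>"   # reflected unencoded


def anomalies(baseline, status, body, payload):
    """Compare one fuzzed response with the baseline; return a reason string or ''."""
    base_status, base_len = baseline
    reasons = []
    if status != base_status:
        reasons.append(f"status {base_status} -> {status}")
    m = ERROR_SIGNATURES.search(body)
    if m:
        reasons.append(f"error signature '{m.group(0)}'")
    if payload in body and any(c in payload for c in "<>\"'"):
        reasons.append("payload reflected unencoded (XSS candidate)")
    # Reflection alone changes length by about len(payload); flag only bigger swings.
    if abs(len(body) - base_len) > 2 * len(payload) + 200:
        reasons.append("response length changed markedly")
    return "; ".join(reasons)


def fuzz(send, req):
    """Mutate each parameter, cookie and header in turn (one at a time, so a
    finding points at one input). Returns (location, name, payload, reason)."""
    base_status, base_body = send(req)
    baseline = (base_status, len(base_body))
    findings = []
    for location in ("params", "cookies", "headers"):
        for name in getattr(req, location):
            for payload in PAYLOADS:
                mutated = Request(req.path, dict(req.params), dict(req.cookies), dict(req.headers))
                getattr(mutated, location)[name] = payload
                status, body = send(mutated)
                reason = anomalies(baseline, status, body, payload)
                if reason:
                    findings.append((location, name, payload, reason))
    return findings


def baseline_request():
    """The 'normal' request observed during the passive phase (constructed)."""
    return Request(
        "/menu",
        params={"menuID": "1", "name": "guest"},
        cookies={"lang": "en", "JSESSIONID": "4F2A9C"},
        headers={"User-Agent": "Mozilla/5.0"},
    )


if __name__ == "__main__":
    for location, name, payload, reason in fuzz(mock_app, baseline_request()):
        print(f"{location}.{name} <- {payload[:24]!r}: {reason}")
```

Run against the mock, menuID is flagged on every non-numeric payload with a SQLException in the body (an SQL injection lead), name is flagged because it echoes the payload unencoded (an XSS lead), and an oversized lang cookie produces a stack trace (improper error handling). The session cookie and User-Agent produce nothing. Each lead still has to be confirmed by hand, as the scanner slide says: a 500 on its own is not a vulnerability.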
SQL Injection
- Fuzzing aimed at the database layer of an application
- Improper user input filtering is the root cause: user input is concatenated into the SQL statement instead of being passed as a bound parameter
- ' or 1=1 is the classic test string (the leading single quote closes the string literal the input was placed in); 1' or '1'='1 is a common variant
- Many variations; automated fuzzing is helpful
Cross Site Scripting
<script>alert("You Won!")</script>
- Lets an attacker bypass access controls, hijack sessions, and disclose sensitive information
- Persistent (stored): the payload lives on the server
- Non-persistent (reflected): the payload is delivered in a malicious link
- Targets your users, not your site!
XSS Example (non-persistent)
The request parameter of this URL is reflected into the page unfiltered, so the attack string replaces the expected token:
https://stg.acmesite.com/home/EP_SelectionIB.aspx?request=Ayn0G3lQ7l………BbK9M1vm8m3s%3df22b5
Injected content:
<script> function changeSrc() {document.getElementById("myframe").src="http://www.emagined.com";}</script><body bgcolor="Red"><table bgcolor="red"><p><iframe align="top" width="40%" height="400" id="myframe" src="https://stg.xyz.com"><p>Your browser does not support iframes.</p></iframe><br> An Error Occurred<p><input type="button" onclick="changeSrc()" value="Click to Continue" /><p><p><p><p></body></script>f973c1e3be0
Demonstration Overview
Using a web proxy
- Basic recon
- Platform: BackTrack
- Starting Burp
- Configuring your browser
- Starting WebGoat: http://x.x.x.x:8080/webgoat/attack (guest / guest)
- Capturing traffic
- SQL injection example
- Cross-site scripting (XSS) example
Demo 1 Reconnaissance: Google Hacking
Useful operators:
- inurl:
- site:
- filetype:
Entire books on the subject: http://www.gnucitizen.org/blog/google-hacking-for-penetration-testers-second-edition/
References:
- http://www.ethicalhacker.net/content/view/41/2/
- http://www.google.com/intl/en/help/operators.html
Demo 1 Reconnaissance: Finding Indexes
site:sc.gov intitle:index.of
Demo 1 Reconnaissance: Finding Login Pages
site:sc.gov login | logon
Demo 1 Reconnaissance: Error Pages
site:sc.gov intitle:error | warning
Demo 1 Reconnaissance: Passwords?
You bet!
Demo 1 Reconnaissance: Spidering / Web Crawling
- OWASP WebScarab, OWASP ZAP
- PortSwigger Burp Suite
Demo 1. ZAP - Spider
Demo 2 Setup
Configure Firefox to use Burp as its proxy. Make sure the port number is the same on both sides; in this case port 8008.
Demo 2 Setup
Browse to WebGoat: http://x.x.x.x:8080/webgoat/attack
User ID = guest, Password = guest
Demo 2 – SQL Injection
Demo 2 SQL Injection: Answer
Why does that work? Make the SQL statement evaluate as true. 1=1, right?
Answer (entered in the password field; the + signs are URL-encoded spaces):
1+'or+'1'='1
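The SQL Injection slide and this demo answer describe the same flaw from two sides: the query is built by concatenating the password into the SQL text, so 1' or '1'='1 closes the string literal and appends an always-true condition. The following is an added example written for this page, not code from the deck or from WebGoat itself; it runs the lesson's login on an in-memory SQLite database. The employee table, its rows and the exact column names are constructed to mirror the speaker notes (a userid plus password lookup), and are assumptions, as is the placement of quotes around the password in the vulnerable query.

```python
"""SQL injection: the WebGoat-style login query, vulnerable and fixed, on SQLite.

Added example, not code from the deck or from WebGoat itself. The employee
table, its rows and the query shape are constructed to mirror the lesson in
the speaker notes (userid plus password lookup); column names and the
in-memory SQLite database are assumptions.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (userid INTEGER, first_name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", [
        (101, "Tom", "tom", "employee"),
        (112, "Neville", "neville", "admin"),   # the account the lesson targets
    ])
    return db


def build_vulnerable_sql(userid, password):
    """Query built by string concatenation: attacker text becomes SQL grammar."""
    return ("SELECT userid, first_name, role FROM employee WHERE userid = "
            + userid + " and password = '" + password + "'")


def login_vulnerable(db, userid, password):
    """Deliberately vulnerable; mirrors the flaw the demo exploits."""
    return db.execute(build_vulnerable_sql(userid, password)).fetchall()


def error_message(db, userid, password):
    """What a user sees when the app passes driver errors straight back
    (the 'improper error handling' the fuzzing slide lists)."""
    try:
        login_vulnerable(db, userid, password)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def login_fixed(db, userid, password):
    """Parameterized query: values travel separately from the SQL text, so a
    quote in the password can never terminate the string literal."""
    try:
        uid = int(userid)            # type-check the numeric input up front
    except ValueError:
        return []
    return db.execute(
        "SELECT userid, first_name, role FROM employee WHERE userid = ? AND password = ?",
        (uid, password),
    ).fetchall()


# The slide's answer, 1+'or+'1'='1, with the URL-encoded '+' decoded to spaces.
PAYLOAD = "1' or '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("112", PAYLOAD))
    print("vulnerable:", login_vulnerable(db, "112", PAYLOAD))   # every row comes back
    print("error leak:", error_message(db, "112", "'"))
    print("fixed:     ", login_fixed(db, "112", PAYLOAD))        # nothing
```

With the payload the vulnerable statement reads WHERE userid = 112 and password = '1' or '1'='1', and because AND binds tighter than OR the OR branch is always true and every employee row is returned, Neville's admin record among them. A lone single quote makes the same code throw, and the driver's message is what the error-page dork in Demo 1 finds in the wild. The fixed version binds the password as data; the same payload is then compared literally against the stored password and matches nothing.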
Demo 2  XSS (persistent)
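The Cross Site Scripting slide and this stored-XSS demo share one root cause: the application stores what Tom typed into the Street field and later concatenates it, unencoded, into a page it serves to Jerry. The following is an added example written for this page, not code from the deck or from WebGoat. The profile store and page templates are constructed stand-ins for the application (the user names follow the speaker notes); it shows the vulnerable render, the output-encoded fix, and the canary check a fuzzer uses to find stored XSS.

```python
"""Stored XSS: the WebGoat 'Street field' scenario, vulnerable render, fixed render,
and the canary check a fuzzer uses to find it.

Added example, not code from the deck or from WebGoat. PROFILES and the page
templates are constructed stand-ins for the application; the user names
follow the speaker notes (Tom stores the payload, Jerry views the profile).
"""
import html
import re

PROFILES = {}   # username -> profile fields; stands in for the database


def save_profile(user, street):
    PROFILES[user] = {"street": street}   # stored verbatim: the payload now lives on the server


def render_profile_vulnerable(viewer, user):
    """Concatenates stored data into HTML: whatever Tom typed runs in Jerry's browser."""
    street = PROFILES[user]["street"]
    return f"<html><body><p>Viewing as {viewer}</p><p>Street: {street}</p></body></html>"


def render_profile_fixed(viewer, user):
    """Output-encodes for the HTML body context; the browser shows text, never executes it."""
    street = html.escape(PROFILES[user]["street"], quote=True)
    return (f"<html><body><p>Viewing as {html.escape(viewer)}</p>"
            f"<p>Street: {street}</p></body></html>")


PAYLOAD = '<script>alert("You Won")</script>'   # payload from the workshop demo

# Crude stand-in for a browser: un-encoded tags or event handlers that would execute.
ACTIVE_CONTENT = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def script_executes(page):
    return bool(ACTIVE_CONTENT.search(page))


def xss_probe(render, author, viewer):
    """How a fuzzer detects stored XSS: submit a unique canary tag as one user,
    then check whether it comes back un-encoded in a page served to another."""
    canary = "<xss-canary-7f3a>"
    save_profile(author, canary)
    return canary in render(viewer, author)


if __name__ == "__main__":
    save_profile("Tom", PAYLOAD)
    print(render_profile_vulnerable("Jerry", "Tom"))   # Jerry gets the alert
    print(render_profile_fixed("Jerry", "Tom"))        # Jerry sees &lt;script&gt;...
```

html.escape is the right encoding only for the HTML body context shown here; data placed inside an attribute, a script block or a URL needs the encoding for that context. The second payload in the speaker notes reads document.cookie; marking the session cookie HttpOnly stops that particular theft but does nothing about the injection itself.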
Demonstration 3: W3AF Vulnerability Scanner
- Platform: BackTrack
- Starting W3AF
- Layout and configuration
- Defining the target
- Selecting plugins
- Analyzing results and reporting
Demo. 3 – W3AF Layout
Demo. 3 – W3AF Results

Web Application Penetration Testing Introduction

Tool Starter Kit
- Web proxy: Burp, Paros, WebScarab / ZAP
- Fuzzing: WSFuzzer
- Brute forcing: Brutus
- Password cracking: John the Ripper
- Scanner: W3AF, ZAP
- Don’t forget the shell
There are many tools; some are technology-centric (Citrix, Flash, JavaScript, etc.). BackTrack is your starter kit.
References
- OWASP Testing Guide (comprehensive guide): https://www.owasp.org/index.php/Testing:_Introduction_and_objectives
- Burp: http://portswigger.net/burp/
- W3AF: http://w3af.sourceforge.net/
- Firefox & Friends: https://addons.mozilla.org/en-US/firefox/collections/adammuntner/webappsec/
- BackTrack (every tool you need to get started): http://www.backtrack-linux.org/
Pre-Flight Checks
Increase the likelihood of a successful test through communication and cooperation:
- Reaffirm the scope of the test
- Validate functionality and user accounts
- Technical support on the ready
- No unforeseen outages or code changes
W3AF

Editor's Notes

  • #3: 10 years in the industry; the last 4 solely dedicated to pentesting, both infrastructure and web application penetration testing. Worked both sides: defense (security operations) and offense (pentesting).
  • #4: Take away with you that web app testing is a necessary piece of securing your data. I could spend a week on this topic; this will be brief. Hopefully you will walk away with enough knowledge to get started. I highly recommend reading material from OWASP.
  • #5: Focus will be on the demonstration. I will need to spend some time giving an overview of methodology and some terms, then the demonstrations. Like the bank robber in the image, hackers are looking for items of value; the applications are the gateway to this data. [Image explained] Long gone are the days of defacing a web site. Hackers are going after your data.
  • #6: The key word is “method” in the definition. The focus is on the application, not the infrastructure. The goal is to take advantage of a weakness in a legitimate function for nefarious purposes: anywhere from stealing money to stealing your identity to controlling the machine to stage another attack. Testing methods are well documented. You don’t have to be a hacker to test your apps.
  • #7: [Answer the question / misconceptions after the video] You just audited my network / infrastructure! I must be secure? This is not an infrastructure test; it has a different focus that an infrastructure test will not cover. Before I answer, watch this video.
  • #8: Hackers retaliate to the shutdown of WikiLeaks. So how does it work?
  • #9: [Answer the misconceptions on this page] The firewall lets the hacker in; IPS / IDS is almost useless when the traffic is encrypted (SSL, port 443). The cartoon image is dead on: you let him into your network. Network security was useless. You are going to assume the role of the “hacker”. So how does this work?
  • #11: Wrong! Pentesting is teachable. There are plenty of materials online and in books. You just need a little aptitude for details and a voracious curiosity. [Story about meeting Marc Maiffret, founder of eEye: short, Mountain Dew drinking little nerd. Little rich nerd though.] The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server. The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. The worm was named the .ida “Code Red” worm because Code Red Mountain Dew was what they were drinking at the time, and because of the phrase “Hacked by Chinese!” with which the worm defaced websites.[1]
  • #12: Before we start hacking, a little background… TWO PHASE APPROACH. Don’t be tempted to jump to phase two; you could miss something or make inefficient use of time. The passive phase will help refine your approach for phase II. You will save time and get better results. You will deploy the same tactics and techniques as a hacker would! Trust me, a competent hacker does his homework.
  • #13: Is it Apache 2.x or IIS 7.x? You can look up known vulnerabilities by application type and version. This is public knowledge and very helpful. Knowing how the application works normally and its logic will help you determine abnormal behavior. Google knows all about your site if it’s on the Internet. You’d be surprised what types of documents are out on your site; you might find someone's password. Spidering allows you to map out the site based on hyperlinks! NVD: a ton of information can be found here to help determine vulnerabilities.
  • #14: Now you get to hack! This phase is where the real testing begins. All the work up to now has prepared you for this moment. The attack plan is a list of all the exploitation categories. Your recon will allow you to tailor your attacks to and focus on certain categories. The items in the list are general categories for various attacks. Your research will help you determine which of the test categories are more likely to yield results. Configuration Management: did you find a back-end administrative page during phase 1? Maybe there is a default password enabled. Business Logic: what would happen if I skipped step “B” and sent my browser to step “C”? Session Management: can more than one user log in with the same account? Are cookies properly disposed of? Data Validation: classic XSS and SQL injection; session hijacking and database dumps. Web Services: SOAP, REST, XML, oh my! This is a sub-category of web application testing and is out of scope, but the same phase approach applies. Some additional tools are needed. NOTE about the image: if McClellan had done his homework, he would have known that he had a 3:1 advantage and that Lee’s back was to the Potomac, and could have ended the war. But McClellan believed Lee had twice as many men as he actually did and as a result was overly cautious. The result: the battle of Antietam was effectively a draw, Lee escaped, and the war dragged on for another three years. Shortly after the battle Lincoln fired McClellan (again).
  • #15: Introduction to the types of tools. You don’t need many tools to begin; these are the basics. All can be found on BackTrack. A browser: I prefer Firefox because it has many plugins that really help: Web Developer, Tamper Data, Live HTTP Headers, XSS Me and SQL Inject Me, FoxyProxy, etc. Web proxy: I’ll use Burp in the demonstrations. Briefly explain what a web proxy is; refer to the pirate image.
  • #16: Scanner: can be used as the initial instrument in phase II; you still need to perform phase I manually. Review the pros and cons.
  • #17: The majority of phase two testing is somehow related to fuzzing. Fuzzing equals abusive user input. What happens when the program gets data it does not expect? -1 versus +1, large strings of data, inserting code. Ideally the application gives you a very generic error message and rejects data that is inappropriate. But… error pages can reveal a lot of information, especially if debugging is enabled. Examples: database schema or data, location of files, software versions. Summary: the majority of web app testing can be summed up as “using the app in ways the developer did not intend”. Next two slides: classic examples of fuzzing (SQL injection and XSS).
  • #18: The attack is through the web application to the database, not a direct attack on the database! SQL injection changes the query string to something other than the intended query. Often the application will respond with detailed errors, giving away the schema and/or the contents of the database. This vulnerability can disclose sensitive data in your database.
  • #19: XSS can be discovered by fuzzing. XSS enables attackers to inject client-side scripts into web pages or trick users into sending malicious code to a vulnerable web server. Often a part of a phishing attack.
  • #20: This is a non-persistent example, a very ugly example. An actual example I created to prove a point. No filtering at all! Focus on the content between the <script> tags. This example injects an iframe that calls in data from a third-party website. The “request” parameter is injected with the attack string.
  • #21: To follow along, have BackTrack booted. Goal: use a web proxy with Firefox and attack a vulnerable application. The target is WebGoat. Will show two sample attacks (SQL injection and XSS).
  • #22: With Google hacking you can find any type of file: remote login via Citrix, login pages, directory listings, text files, even passwords.
  • #23: Directory listing of pages. Here you will look for files to help you gain more knowledge about the site: passwords, configuration files, Office-related files (metadata may disclose a user name).
  • #24: This is good for finding configuration management / admin pages, e.g. JBoss.
  • #25: This error gives me valuable information about the database. Table name = t.Menu; menuID is a numeric value. I could use a tool to enumerate the menuIDs. I can start to craft a SQL injection attack with this data.
  • #28: ZAP and WebScarab have spidering capabilities. They record distinct URIs (Uniform Resource Identifiers); the URI is the string of identifiers that makes a URL unique. WebScarab is designed for more manual testing. ZAP has an automated scanner (a parameter manipulator, not a vulnerability database). Burp Suite Pro (paid version) is like the previous two combined.
  • #29: Set up Firefox to use the ZAP proxy. ZAP is in BackTrack under web application proxies. Under Tools > Options you can configure the local proxy; I used port 8088. Capture a web site and run the spider tool. Note that Burp is used in much the same manner. If time permits, run the scanner tool. Alternatively, run it and come back later to the results.
  • #30: Close ZAP and open up Burp. Start Burp Suite (web proxy) for capturing traffic. Ensure the proxy is running; sometimes it does not turn on by default. Configure Firefox to use a proxy. Browse to a URL, make sure it shows up in the targets in Burp, and then run the spider.
  • #31: Log into WebGoat. Define WebGoat: an insecure web application for the purpose of teaching how to perform web application pentests. It is a tutorial with several modules and has various hints and solutions. If there is time, use Burp to spider WebGoat. Show how to capture traffic. Send a packet to Repeater. SQL and XSS examples.
  • #32: WebGoat demo. Purpose: to access Neville's admin account without knowing his password. Show that you can't log in with random passwords; show the failure notice. Flaw exploited: users have the ability (limited, but enough) to modify the SQL query directly in the password field. Hint: this is the code for the query being built and issued by WebGoat: "SELECT * FROM employee WHERE userid = " + userId + " and password = " + password. Goal: make the SQL statement evaluate as true! Answer: SQL string to inject in the password field: 1+'or+'1'='1. The "+" signs are used to fill in blank spaces (URL-encoded), so the application receives 1 'or '1'='1: the first single quote closes the string literal the password sits in, and '1'='1 is always true, so the WHERE clause matches without the real password. In other variants, "--" is the SQL comment marker that tells the database this is the end of the query, so the rest of the original statement is ignored, and the text before the injected quote (the "a" in a variant such as a' or '1'='1) can be anything; it just needs to be a false answer that does not match the userid's password entry in the database. The single quotes make it a literal "1". Sometimes you need the quotes in a SQL injection attack, other times you don't. To find out which permutation will work can take time; it can be done manually or more easily with a brute-force method. The Intruder function in Burp can help with this.
  • #33: The fix is to stop building the query out of user input: use parameterized queries (prepared statements), or stored procedures that bind their parameters, so a single quote in the input can never terminate the string literal. Disallowing characters like the single quote is at best a secondary control.
  • #34: Test: in WebGoat go to Cross-Site Scripting, Stage 1: Stored XSS. Goal: execute a stored cross-site scripting (XSS) attack. Answer: in the Street field of the user’s profile type in JavaScript: <script>alert("You Won")</script> or <script> function showcookie() { document.write(document.cookie); } </script><body><br><input type="button" onclick="showcookie()" value="See Cookie" /></body>. Log out as Tom and log in as Jerry and see if it’s there. The ultimate issue is that the user input is unfiltered, allowing one to insert code.
  • #35: Start W3AF in BackTrack.
  • #36: If WebGoat is available, have them scan it. There is a command-line version of w3af, a little more stable and lighter weight.
  • #37: Sample results of a scan.
  • #38: These are your “hand tools”: they will do the job, not flashy and not necessarily easy to use. Your power tools are the commercial scanners. BackTrack has all you need to get started.
  • #42: Security Development Life Cycle is out of scope, but web app testing should be part of the development life cycle! Ask yourself, “Where is my valuable data online?” to help decide what to test first. Risk and cost analysis is out of scope. But, given that tests generally run over the course of a week or two, you need to do some setup work to make things go smoothly. You don’t want to inadvertently test a subdomain or function; some tests may be very targeted. Access can be complicated in testing environments: VPNs, client certificates, user accounts. In the event of a problem, you can call someone and vice versa. Communication with all groups is key. If a development team does not know about the test and pushes up a new code base, the test can become invalid. Obviously if you can’t access the site due to scheduled maintenance, you can’t test, and time is money.