2011 NSAA IT Pre-Conference Workshop
Penetration Testing for Maximum Benefit: Web App Hacking

Introductions
Web Application Testing: a concise overview
Scott Johnson, Principal Security Consultant, Emagined Security

Goals
- Grasp of the web application testing process
- Convinced of the necessity
- Knowledge of core tools
- Confident that "I can do this"

Agenda
- Overview
- Testing phases
- Demonstration
What is Web Application Testing? Black art or science?
"A penetration test is a method of evaluating the security of a computer system or network by simulating an attack. A Web Application Penetration Test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities." (OWASP)
- The supporting infrastructure is generally off limits
- It is not a code review
Why Test? Common misconceptions: "Our site is safe because..."
- We have firewalls in place
- We encrypt our data
- We have IDS / IPS
- We have a privacy policy
Web App Hacking in the News

Your Front Door Hacker
- The firewall is going to let them in
- Encryption will hide most of the attacks
- Privacy? Like they care!
How does it work?
- SQL injection over HTTPS (port 443)
- Database returns account passwords
Diagram: attacker -> acme.bank.com, straight through the network security controls (firewall, IDS / IPS) to the database server
You Don't Have to Look Like This
Photo: Marc Maiffret, founder and CTO of eEye Security ("Uber Nerd")
You can perform web app testing if you are:
- Methodical
- Tenaciously curious
Testing Phases
Passive phase
- Information gathering
- Understanding the logic
- Observing normal behavior
Active phase
- Targeted testing
- Applying methodologies

Passive Phase: Reconnaissance
"Reconnaissance is a mission to obtain information by visual observation or other detection methods, about the activities and resources of an enemy or potential enemy." (US Army FM 7-92, Chapter 4)
- Know your target before you begin; it's worth the effort
- Determine application types and versions
- Cross-reference vulnerabilities with OSVDB / NVD: http://web.nvd.nist.gov/view/vuln/search
- Observe normal behavior
- Advanced Google searching, aka Google hacking: http://en.wikipedia.org/wiki/Google_hacking
- Application mapping: spidering / web crawling, directory busting

Active Phase: The Attack Plan
- Configuration management
- Business logic
- Authentication
- Session management
- Authorization
- Data validation
- Denial of service
- Web services testing
Tools: Deploying Your Assets
- Browser (prefer Firefox and friends): FoxyProxy, Live HTTP Headers, Firebug, Web Developer, etc.
- Web proxy: a server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers. Examples: Burp, WebScarab, Paros

Tools (continued): Scanner
- Tool that automates many of the test methods described earlier
- Many commercial tools: AppScan, WebInspect, Acunetix, etc.
- W3AF (Web Application Attack and Audit Framework) and OWASP ZAP: free, open source web scanners
- Pros: fast; the tester can quickly target weak spots
- Cons: prone to false positives, poor session management
- Does not replace manual testing
Fuzzing
Definition: "A software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions." (Wikipedia)
- Fundamental technique in web application testing
- Inputs to fuzz: parameters, form fields, cookies, HTTP headers
- Can uncover many kinds of vulnerabilities: SQL injection, XSS, improper error handling, denial of service, etc.
SQL Injection
- Fuzzing aimed at the database layer of an application
- Improper filtering of user input is the root cause
- ' or 1=1 is the classic test string
- Many variations; automated fuzzing is helpful
Cross Site Scripting
<script>alert("You Won!")</script>
- Bypass access controls
- Hijack sessions
- Disclose sensitive information
- Persistent: lives on the server
- Non-persistent: malicious link
- Targets your users, not your site!
XSS Example
https://stg.acmesite.com/home/EP_SelectionIB.aspx?request=Ayn0G3lQ7l………BbK9M1vm8m3s%3df22b5<script> function changeSrc() {document.getElementById("myframe").src="http://www.emagined.com";}
</script><body bgcolor="Red"><table bgcolor="red"><p><iframe align="top" width="40%" height="400" id="myframe" src="https://stg.xyz.com"><p>Your browser does not support iframes.</p></iframe><br> An Error Occurred<p><input type="button" onclick="changeSrc()" value="Click to Continue" /><p><p><p><p></body>
</script>f973c1e3be0
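The fuzzing and XSS slides above describe the loop a tester runs by hand in the proxy: put a tagged payload into one parameter, look at the response for error text or for the payload coming back unencoded. The following is an added example of that loop in code; it is not from the deck and not from Burp, ZAP or W3AF. The target is a constructed stand-in (`fake_app`, plus a `hardened_app` showing the fix) so it runs offline; the error signatures and payload list are a starter set, not an exhaustive one.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the target so the harness runs offline. It has the two
# classic defects from the slides: it echoes "q" into the page without output
# encoding (reflected XSS) and leaks a database error when "id" contains a quote.
def fake_app(query_string):
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    if "'" in params.get("id", ""):
        return 500, ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' "
                     "Unclosed quotation mark before the character string")
    return 200, "<html><body>Results for: %s</body></html>" % params.get("q", "")

# The same endpoint hardened: "id" must be numeric, "q" is HTML-encoded on output.
def hardened_app(query_string):
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    if not params.get("id", "").isdigit():
        return 400, "<html><body>Bad request</body></html>"
    return 200, "<html><body>Results for: %s</body></html>" % html.escape(params.get("q", ""))

# Response fingerprints that betray a back-end error (debug output, stack traces).
ERROR_SIGNATURES = [
    r"ODBC Drivers error",
    r"Unclosed quotation mark",
    r"You have an error in your SQL syntax",
    r"ORA-\d{5}",
    r"Traceback \(most recent call last\)",
]

# Starter payload set: quote breaker, tautology, script tag, oversize string, sign flip.
PAYLOADS = ["'", "1' or '1'='1", "<script>alert(1)</script>", "A" * 2048, "-1"]

def classify(payload, tagged, status, body):
    """Decide whether one response looks interesting. Returns a label or None."""
    for sig in ERROR_SIGNATURES:
        if re.search(sig, body):
            return "error: " + sig
    if status >= 500:
        return "server error %d" % status
    # The tagged value came back byte-for-byte, metacharacters included: no output encoding.
    if tagged in body and any(c in payload for c in "<>\"'"):
        return "reflected unencoded"
    return None

def fuzz_param(send, base_params, name, payloads=PAYLOADS, marker="zqx9"):
    """Mutate one parameter of a known-good request and collect suspicious responses.

    send: callable taking a query string and returning (status, body). Against a real
    target this would wrap urllib/requests pointed at the proxy; here it is fake_app.
    """
    findings = []
    for payload in payloads:
        tagged = marker + payload + marker          # marker makes reflection unambiguous
        params = dict(base_params, **{name: tagged})
        status, body = send(urlencode(params))
        label = classify(payload, tagged, status, body)
        if label:
            findings.append((name, payload, label))
    return findings

if __name__ == "__main__":
    base = {"id": "1", "q": "test"}                 # a known-good request to mutate
    for app in (fake_app, hardened_app):
        for name in base:
            for finding in fuzz_param(app, base, name):
                print(app.__name__, finding)
```

Against `fake_app` the "q" parameter reports three unencoded reflections and the "id" parameter two database-error leaks; against `hardened_app` both report nothing, which is the behaviour the slides ask for: a generic error and input rejected or encoded. Cookies and headers are fuzzed the same way by swapping what `send` mutates.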
Demonstration Overview
- Using a web proxy
- Basic recon
- Platform: BackTrack
- Starting Burp
- Configuring your browser
- Starting WebGoat: http://x.x.x.x:8080/webgoat/attack (guest / guest)
- Capturing traffic
- SQL injection example
- Cross site scripting (XSS) example
Demo 1: Reconnaissance
Google search operators:
- inurl:
- site:
- filetype:
Entire books on the subject: http://www.gnucitizen.org/blog/google-hacking-for-penetration-testers-second-edition/
References:
- http://www.ethicalhacker.net/content/view/41/2/
- http://www.google.com/intl/en/help/operators.html
Demo 1: Reconnaissance - finding indexes
site:sc.gov intitle:index.of

Demo 1: Reconnaissance - finding login pages
site:sc.gov login | logon

Demo 1: Error pages
site:sc.gov intitle:error | warning

Demo 1: Passwords? You bet!
Demo 1: Reconnaissance - spidering / web crawling
- OWASP WebScarab
- OWASP ZAP
- PortSwigger Burp Suite

Demo 1: ZAP - Spider
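The spidering slides and the speaker notes say the same thing: map the site from its hyperlinks before attacking it. What the ZAP or Burp spider produces is a list of in-scope URLs, the parameters each one takes and the forms with their input names, which is exactly the fuzz list for the active phase. Here is an added example of that mapping, written for this page rather than taken from the deck or from any of the named tools. It crawls a constructed miniature site (`SITE`, hostname `app.example`, both assumptions) through a `fetch` callable so it runs offline; against a live target `fetch` would issue the HTTP request through the proxy.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urldefrag, urljoin, urlparse

# Constructed miniature site (assumed hostname, not a real host) so the crawler runs offline.
SITE = {
    "http://app.example/": '<a href="/login">Login</a> <a href="/about.html">About</a> '
                           '<a href="http://other.example/x">Partner</a>',
    "http://app.example/login": '<form action="/doLogin" method="post">'
                                '<input name="user"><input name="pass" type="password"></form>',
    "http://app.example/about.html": '<a href="/">Home</a><a href="/about.html#team">Team</a>'
                                     '<a href="/search?q=test">Search</a>',
    "http://app.example/search?q=test": '<a href="/">Home</a>',
}

def fetch(url):
    """Stand-in for an HTTP GET; returns the page body or an empty string."""
    return SITE.get(url, "")

class LinkParser(HTMLParser):
    """Collect absolute link targets and forms (action, method, input names) from one page."""
    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = (urljoin(self.base, a.get("action") or self.base),
                          (a.get("method") or "get").lower(), [])
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def spider(start, fetch, max_pages=100):
    """Breadth-first crawl limited to the start host.

    Returns (visited URLs, forms found, {endpoint: parameter names}); the last two
    are the attack surface handed to the active phase.
    """
    scope = urlparse(start).netloc
    queue, seen, forms, params = [start], set(), [], {}
    while queue and len(seen) < max_pages:
        url = urldefrag(queue.pop(0))[0]            # fragments never reach the server
        if url in seen or urlparse(url).netloc != scope:
            continue                                # skip duplicates and out-of-scope hosts
        seen.add(url)
        parts = urlparse(url)
        if parts.query:                             # record GET parameters per endpoint
            endpoint = parts._replace(query="").geturl()
            params.setdefault(endpoint, set()).update(parse_qs(parts.query).keys())
        page = LinkParser(url)
        page.feed(fetch(url))
        forms.extend(page.forms)
        queue.extend(page.links)
    return seen, forms, params

if __name__ == "__main__":
    visited, found_forms, found_params = spider("http://app.example/", fetch)
    print(sorted(visited))
    print(found_forms)
    print(found_params)
```

The out-of-scope link to `other.example` is dropped rather than followed, which matters on a real engagement where only the agreed host is in bounds. Form actions are recorded but not requested, since a blind POST is already active testing, not reconnaissance.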
Demo 2: Setup
- Make sure the proxy port configured in the browser matches the port Burp is listening on; in this case port 8008
- Browse to WebGoat: http://x.x.x.x:8080/webgoat/attack
- User ID = guest, Password = guest
Demo 2: SQL Injection

Demo 2: SQL Injection - Answer
Why does that work? Make the SQL statement evaluate as true. 1=1, right?
Answer (as it travels in the request, URL-encoded): 1+'or+'1'='1
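The SQL injection slide and this WebGoat answer both come down to one mechanic: the input closes the quoted string the developer opened, and whatever follows is parsed as SQL. The following added example (written for this page, not WebGoat's code or its real table) shows that mechanic end to end with Python's built-in sqlite3 so it runs offline: the URL-encoded answer from the slide is decoded, the vulnerable concatenated query is rendered and run, and the same lookup is repeated with a bound parameter. The table name, columns and rows are constructed sample data.

```python
import sqlite3
from urllib.parse import unquote_plus

def build_db():
    """Constructed in-memory table standing in for the lesson's account data (sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data "
               "(account_id TEXT, first_name TEXT, last_name TEXT, cc_number TEXT)")
    db.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", [
        ("101", "Joe", "Snow", "987654321"),
        ("102", "John", "Smith", "2234200065411"),
        ("103", "Jane", "Plane", "123456789"),
    ])
    return db

def rendered(account_id):
    """The SQL the vulnerable lookup actually sends, so the tautology is visible."""
    return "SELECT * FROM user_data WHERE account_id = '" + account_id + "'"

def lookup_vulnerable(db, account_id):
    # The defect: user input is concatenated into the statement, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    return db.execute(rendered(account_id)).fetchall()

def lookup_safe(db, account_id):
    # Same query with a bound parameter: the driver passes the value separately from
    # the statement text, so it can never change the WHERE clause.
    return db.execute("SELECT * FROM user_data WHERE account_id = ?", (account_id,)).fetchall()

def probe(db, payload):
    """Error-based check: a lone quote breaks the syntax, and a chatty server hands the
    error text back to the tester. Returns the error message, or None if the query ran."""
    try:
        lookup_vulnerable(db, payload)
        return None
    except sqlite3.OperationalError as e:
        return str(e)

if __name__ == "__main__":
    db = build_db()
    encoded = "1+'or+'1'='1"                  # the slide's answer as submitted
    injected = unquote_plus(encoded)          # -> 1 'or '1'='1
    print(rendered(injected))                 # WHERE account_id = '1 'or '1'='1'
    print(len(lookup_vulnerable(db, injected)), "rows: every account")
    print(len(lookup_safe(db, injected)), "rows with a bound parameter")
    print("error leaked by a lone quote:", probe(db, "'"))
```

The rendered statement reads `WHERE account_id = '1 ' or '1'='1'`: the first comparison is false, the second is always true, so the OR makes every row match. With the bound parameter the whole string is compared as an account id and nothing matches.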
Demo 2: XSS (persistent)
Demonstration 3: W3AF Vulnerability Scanner
- Platform: BackTrack
- Starting W3AF
- Layout and configuration
- Defining the target
- Selecting plugins
- Analyzing results and reporting

Demo 3: W3AF Layout

Demo 3: W3AF Results
Web Application Penetration Testing Introduction

Speaker notes

  1. 10 years in the industryLast 4 solely dedicated to pentestingBoth Infrastructure and Web Application penetration testing Worked both sides : Defense (security operations) and Offense (pentesting)
  2. Take away with you that web app testing is a necessary piece to securing you dataI could spend a week on this topic. This will be brief. Hopefully you will walk away with enough knowledge to get started.I highly recommend reading material from OWASP
  3. Focus will be on the demonstrationI will need to spend some time giving overview of methodology and some termsDemonstrationsLike the bank robber in the image, hackers are looking for items of value. The applications are the gateway to this data.[Image Explained]Long gone are the days of defacing a web site. Hackers are going after your data
  4. The key word is ”method” in the definitionThe focus is on the application not the infrastructure.The goal is to take advantage of a weakness in a legitimate function for nefarious purposes.Anywhere from stealing money to stealing your identity to controlling the machine to stage another attack.Testing methods are well documented. You don’t have to be a hacker to test your apps.
  5. [Answerthe question / misnomers after the video]You just audited my network / infrastructure! I must be secure?This is not an infrastructure test, a different focus that a infrastructure test will not coverBefore I answer, watch this video
  6. Hackers retaliate to the shutdown of Wiki LeaksSo how does it work?
  7. [Answerthe misnomers on this page]Firewall lets the hacker in, IPS / IDS is almost useless when the traffic is encrypted (SSL port 443). The cartoon image is dead on. You let him into your network. Network security was uselessYou are going to assume the role of the “Hacker”So how does this work?
  8. Wrong! Pentesting is teachable. There are plenty of materials online and in books.You just need a little aptitude for details and have voracious curiosity.[ story about meeting Marc Maiffre founder of eEye ---short , mountain dew drinking little nerd. Little rich nerd though.]The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft&apos;s IIS web server.The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. The worm was named the .ida &quot;Code Red&quot; worm because Code Red Mountain Dew was what they were drinking at the time, and because of the phrase &quot;Hacked by Chinese!&quot; with which the worm defaced websites.[1]
  9. Before we start hacking, a little background…TWO PHASE APPROACH. Don’t be tempted to jump to phase two, could miss something or make inefficient use of timeThe passive phase will help refine your approach for phase IIYou will save time and get better resultsYou will deploy the same tactics and techniques as a hacker would!!! !!Trust me a competent hacker does his homework.
  10. Is it Apache 2.x or IIS 7.xYou can look up know vulnerabilities by application type and version. This is public knowledge and very helpfulKnowing how the application works normally and its logic will help you determine abnormal behavior. Google knows all about your site if its on the Internet. You’d be surprised what types of documents are out on your site. You might find someone&apos;s password.Spidering allows you to map out the site based on hyperlinks!!!NVD – a ton of information can be found here to help determine vulnerabilities
  11. Now you get to Hack! This phase is where the real testing begins. All the work up to now has prepared you for this moment.The attack plan is a list of all the exploitation categories. Your recon will allow you to tailor your attacks to and focus on certain categories.The items in the list are general categories for various attacks. Your research will help you determine which of the test categories are more likely to yield results. Configuration Management – Did you find a backend administrative page during phase 1. Maybe there is a default password enabledBusiness Logic – what would happen if I skipped step “B” and sent my browser to step “C”? Session Management – can more than one user login with the same account. Are cookies properly disposed of?Data validation – Classic XSS and SQL Injection. Session hijacking and database dumps. Web Services: SOAP REST, XML oh my!! This is a sub category of web application testing and is out of scope but the same phase approach applies. Some additional tools are needed.NOTE about the Image: “If McClellan had done his homework, he would have know that he had a3:1 advantage , Lee’s back was to the Potomac and could have ended the war. But McClellan belived Lee had twice as many men as he actually did and as a result was overly cautious. The result, the battle of Antietam was effectively a draw, Lee escaped, and the war drug out for another three years. Shortly after the battle Lincoln fired McClellan (again).
  12. Introduction to types of tools. You don't need many tools to begin; these are the basics. All can be found on BackTrack. A browser: I prefer Firefox because it has many plugins that really help (Web Developer, Tamper Data, Live HTTP Headers, XSS Me and SQL Inject Me, FoxyProxy, etc.). A web proxy: I'll use Burp in the demonstrations. Briefly explain what a web proxy is; refer to the pirate image.
  13. Scanner: can be used as the initial instrument in Phase II, but you still need to perform Phase I manually. Review the pros and cons.
  14. The majority of Phase II testing is somehow related to fuzzing. Fuzzing equals abusive user input. What happens when the program gets data it does not expect? -1 versus +1, large strings of data, inserting code. Ideally the application gives you a very generic error message and rejects data that is inappropriate. But... error pages can reveal a lot of information, especially if debugging is enabled. Examples: database schema or data, location of files, software versions. Summary: the majority of web app testing can be summed up as "using the app in ways the developer did not intend". Next two slides: classic examples of fuzzing (SQL injection and XSS).
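To make the "generic error versus leaky error" point concrete, here is an added example (not from the slides or from WebGoat): a constructed handler for a numeric menuID parameter, run against the abusive-input classes the note lists, with a classifier that flags responses that disclose schema names, file paths, version strings or stack-trace wording. The table name, path and version string in the debug message are constructed stand-ins.

```python
import re

def menu_handler(menu_id, debug):
    """Constructed stand-in for a page taking a numeric menuID.
    With debug on it answers errors the way a verbose error page would."""
    try:
        n = int(menu_id)
        if n < 1 or n > 50:
            raise LookupError("no such row")
        return "200", "menu item %d" % n
    except Exception as exc:
        if debug:
            # Verbose error: leaks table/column names, a file path and a server version
            # (all constructed values for this example).
            return "500", ("SQLSyntaxError in SELECT name FROM t.Menu WHERE menuID = %s "
                           "at /var/www/app/menu.py (Apache/2.2.14): %s" % (menu_id, exc))
        # Hardened: generic message plus an opaque reference id for the server log.
        return "500", "An error occurred. Reference id 4711."

# What a fuzz run looks for in the response body.
LEAK_PATTERNS = {
    "schema": re.compile(r"\b(FROM|WHERE|table)\s+\S+", re.I),
    "path": re.compile(r"(/[\w.-]+){2,}|[A-Za-z]:\\"),
    "version": re.compile(r"(Apache|IIS|nginx|MySQL|Oracle)/?\s*\d+\.\d+", re.I),
    "trace": re.compile(r"Traceback|Exception|Error\b.*\bat\b", re.I),
}

# Abusive-input classes from the note: negative, boundary, huge strings, inserted code.
FUZZ_INPUTS = ["-1", "0", "9" * 50, "A" * 5000, "'", "<script>", "1 OR 1=1", ""]

def classify(body):
    """Return the sorted list of leak categories present in a response body."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(body))

def fuzz(debug):
    """Map each fuzz input to the leak categories its error response disclosed."""
    findings = {}
    for value in FUZZ_INPUTS:
        status, body = menu_handler(value, debug)
        leaks = classify(body)
        if status != "200" and leaks:
            findings[value] = leaks
    return findings

if __name__ == "__main__":
    print("debug on :", fuzz(True))
    print("debug off:", fuzz(False))
```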
  15. The attack is through the web application to the database, not a direct attack on the database! SQL injection changes the query string to something other than the intended query. Often the application will respond with detailed errors, giving away the schema and/or the contents of the database. This vulnerability can disclose sensitive data in your database.
  16. XSS can be discovered by fuzzing. XSS enables attackers to inject client-side scripts into web pages or trick users into sending malicious code to a vulnerable web server. Often a part of a phishing attack.
  17. This is a non-persistent example, and a very ugly one. An actual example I created to prove a point. No filtering at all! Focus on the content between the <script> tags. This example injects an iframe that calls in data from a third-party website. The "request" parameter is injected with the attack string.
  18. To follow along, have BackTrack booted. Goal: use a web proxy with Firefox and attack a vulnerable application. The target is WebGoat. Will show two sample attacks (SQL injection and XSS).
  19. With Google hacking you can find any type of file: remote login via Citrix, login pages, directory listings, text files, even passwords.
  20. Directory listing of pages. Here you will look for files to help you gain more knowledge about the site: passwords, configuration files, Office-related files (metadata may disclose a user name).
  21. This is good for finding configuration management admin pages: JBoss,
  22. This error gives me valuable information about the database. Table name = t.Menu; menuID is a numeric value. I could use a tool to enumerate the menuIDs. Can start to craft a SQL injection attack with this data.
  23. ZAP and WebScarab have spidering capabilities. Record distinct URIs (Uniform Resource Identifiers); the URI is the string of identifiers that makes a URL unique. WebScarab is designed for more manual testing. ZAP has an automated scanner (a parameter manipulator, not a vulnerability database). Burp Suite Pro (paid version) is like the previous two combined.
  24. Set up Firefox to use the ZAP proxy. ZAP is in BackTrack under web application proxies. Under Tools > Options you can configure the local proxy; I used port 8088. Capture a web site and run the spider tool. Note that Burp is used in much the same manner. If time permits, run the scanner tool; alternatively run it and come back later to the results.
  25. Close ZAP and open up Burp. Start Burp Suite (web proxy) for capturing traffic. Ensure the proxy is running; sometimes it does not turn on by default. Configure Firefox to use a proxy. Browse to a URL, make sure it shows up in the targets in Burp, and then run the spider.
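To show what the spider step in ZAP or Burp is actually doing (follow hyperlinks, stay on the target host, record each distinct URI once), here is an added example that is not part of the slides or of either tool: a minimal crawler over a constructed five-page mini-site embedded as a dictionary. The host app.example and its pages are invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed mini-site standing in for the spidered target (URL -> HTML body).
SITE = {
    "http://app.example/": '<a href="/login">Login</a> <a href="/menu?menuID=1">Menu</a>'
                           '<a href="http://other.example/x">offsite</a>',
    "http://app.example/login": '<form action="/login"><a href="/">home</a></form>'
                                '<a href="/admin/#top">admin</a>',
    "http://app.example/menu?menuID=1": '<a href="/menu?menuID=2">next</a>',
    "http://app.example/menu?menuID=2": '<a href="/menu?menuID=1">prev</a>',
    "http://app.example/admin/": '<a href="../login">login</a>',
}

class LinkParser(HTMLParser):
    """Collect every href/action/src reference found in a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.links.append(value)

def normalize(base, ref):
    """Resolve ref against the page it was found on and drop the fragment:
    '#top' does not identify a different resource, so it must not count as a new URI."""
    parts = urlsplit(urljoin(base, ref))
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))

def spider(start, fetch):
    """Breadth-first crawl from start, staying on its host; fetch(uri) returns the
    body or None. Returns the sorted list of distinct URIs visited, as ZAP/Burp record."""
    host = urlsplit(start).netloc
    seen, queue = set(), [normalize(start, "")]
    while queue:
        uri = queue.pop(0)
        if uri in seen or urlsplit(uri).netloc != host:
            continue  # already recorded, or off the target host
        seen.add(uri)
        body = fetch(uri)
        if body is None:
            continue
        parser = LinkParser()
        parser.feed(body)
        queue.extend(normalize(uri, ref) for ref in parser.links)
    return sorted(seen)

if __name__ == "__main__":
    for uri in spider("http://app.example/", SITE.get):
        print(uri)
```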
  26. Log into WebGoat. Define WebGoat: an insecure web application for the purpose of teaching how to perform web application pentests. It is a tutorial with several modules and has various hints and solutions. If there is time, use Burp to spider WebGoat. Show how to capture traffic. Send a packet to Repeater. SQL and XSS examples.
  27. WebGoat Demo. Purpose: to access Neville's admin account without knowing his password. Show that you can't log in with random passwords; show the failure notice.
  Flaw exploited: the security flaw is that users have the ability (although limited, but enough) to modify the SQL query directly in the password field.
  Hint: this is the code for the query being built and issued by WebGoat: "SELECT * FROM employee WHERE userid = " + userId + " and password = " + password
  Goal: make the SQL statement evaluate as true!
  Answer: SQL string to inject in the password field: 1+'or+'1'='1
  The "+" signs are used to fill in blank spaces and the "--" is a SQL statement that this is the end of the query. The "a" can be anything; it just needs to be a false answer so the password does not match the userid's password entry in the database. The single quotes make it a literal "1". Sometimes you need the quotes in a SQL injection attack, other times you don't. To find out which permutation will work can take time; it can be done manually or more easily done with a brute force method. The Intruder function in Burp can help with this.
  28. The fix is to use stored procedures and disallow characters like the single quote.
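Added example, not WebGoat's code: the string-built employee query from the hint beside a parameterized version, both run against a constructed in-memory SQLite table, so you can see the same password-field input succeed against one and fail against the other. It assumes the concatenated query wraps the password in single quotes (the form the injected string in the answer relies on); the userid, password and name are constructed.

```python
import sqlite3

def make_db():
    """Constructed employee table standing in for WebGoat's (not its real schema or data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid TEXT, password TEXT, name TEXT)")
    conn.execute("INSERT INTO employee VALUES ('101', 's3cret', 'Neville')")
    conn.commit()
    return conn

def login_concat(conn, userid, password):
    """Vulnerable: the query is assembled from user input, as in the slide's hint.
    Assumption: the password value is wrapped in single quotes."""
    sql = ("SELECT * FROM employee WHERE userid = '" + userid +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_param(conn, userid, password):
    """Fixed: bound parameters, so input can never change the query structure
    (parameterized queries do the same job the slide assigns to stored procedures)."""
    sql = "SELECT * FROM employee WHERE userid = ? and password = ?"
    return conn.execute(sql, (userid, password)).fetchall()

def bypass_works(login):
    """Does the slide's payload (with its '+' spaces decoded) log in without the password?"""
    rows = login(make_db(), "101", "1' or '1'='1")
    return len(rows) > 0

def valid_login_works(login):
    """The real credentials must still work after the fix."""
    return len(login(make_db(), "101", "s3cret")) == 1

if __name__ == "__main__":
    print("concatenated query bypassed:", bypass_works(login_concat))
    print("parameterized query bypassed:", bypass_works(login_param))
```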
  29. Test: in WebGoat go to Cross-Site Scripting, Stage 1: Stored XSS. Goal: execute a stored Cross-Site Scripting (XSS) attack.
  Answer: in the Street field of the user's profile type in some JavaScript: <script>alert("You Won")</script>
  Or: <script> function showcookie() document.write(document.cookie); </script><body><br><input type="button" onclick="showcookie()" value="See Cookie" /></body>
  Log out as Tom and log in as Jerry and see if it's there. The ultimate issue is that the user input is unfiltered, allowing one to insert code.
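Added example (not WebGoat's code) showing why the stored value fires for the next viewer and what the fix does: a constructed profile store where one user's Street field is rendered into another user's page first verbatim and then HTML-encoded on output, plus a small check for live script or inline event handlers in the rendered HTML. The table-cell template and user names are assumptions.

```python
import html
import re

def render_unfiltered(street):
    """Vulnerable: the stored Street value goes into the page as-is."""
    return "<td>Street:</td><td>%s</td>" % street

def render_escaped(street):
    """Fixed: encode on output, so '<' and quotes become inert text."""
    return "<td>Street:</td><td>%s</td>" % html.escape(street, quote=True)

# Live markup: a <script> tag, or an on*= event handler inside any tag.
LIVE_SCRIPT_RE = re.compile(r"<\s*script\b|<\w+[^>]*\son\w+\s*=", re.I)

def page_executes_script(rendered_html):
    """Detection check: would a browser run script from this rendered fragment?"""
    return LIVE_SCRIPT_RE.search(rendered_html) is not None

def stored_xss_reaches_viewer(profiles, author, render):
    """Mirror the WebGoat stage: one user stores the field, another views the page."""
    page_seen_by_other_user = render(profiles[author])  # same stored value for any viewer
    return page_executes_script(page_seen_by_other_user)

if __name__ == "__main__":
    # Constructed store: Tom saves the slide's first payload into his Street field.
    profiles = {"tom": '<script>alert("You Won")</script>', "jerry": "12 Main St"}
    print("unfiltered:", stored_xss_reaches_viewer(profiles, "tom", render_unfiltered))
    print("escaped   :", stored_xss_reaches_viewer(profiles, "tom", render_escaped))
```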
  30. Start w3af in BackTrack.
  31. If WebGoat is available, have them scan it. There is a command-line version of w3af, a little more stable and lighter weight.
  32. Sample results of a scan.
  33. These are your "hand tools": they will do the job, but they are not flashy and not necessarily easy to use. Your power tools are the commercial scanners. BackTrack has all you need to get started.
  34. The Security Development Life Cycle is out of scope, but web app testing should be part of the development life cycle! Ask yourself, "Where is my valuable data online?" That will help decide what to test first. Risk and cost analysis is out of scope. But, given that tests generally run over the course of a week or two, you need to do some setup work to make things go smoothly. You don't want to inadvertently test a subdomain or function; some tests may be very targeted. Access can be complicated in testing environments: VPNs, client certificates, user accounts. In the event of a problem, you can call someone and vice versa. Communication with all groups is key. If a development team does not know about the test and pushes up a new code base, the test can become invalid. Obviously, if you can't access the site due to scheduled maintenance, you can't test, and time is money.