What is bWAPP? | © 2015 Malik Mesellem, all rights reserved.
What is bWAPP?
Malik Mesellem
Defense Needed, Superbees Wanted
SANS 2015 - Superbees Wanted

Event: SANS 2015
Topic: Superbees Wanted
Location: Orlando, Florida (US)
Organizer: SANS

Slide 3: MS15-034. Web related!

Slide 4: Contact Me
- Malik Mesellem
- Email | malik@itsecgames.com
- Twitter | twitter.com/MME_IT
- LinkedIn | be.linkedin.com/in/malikmesellem
- Blog | itsecgames.blogspot.com

Slide 5: Contents
- Defense Needed
- bWAPP & bee-box
- WebApp Pentesting
- Hungry Evil Bees
- Superbees Wanted

Slide 7: Defense Needed
- Web application security is today's most overlooked aspect of securing the enterprise
- Hackers are concentrating their efforts on websites and web applications
- Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism

Slide 8: Defense Needed
Why are web applications an attractive target?
- Easily available via the Internet (24/7)
- Mission-critical business applications with sensitive data
- Often direct access to backend data
- Traditional firewalls and SSL provide no protection
- Many applications are custom-made == vulnerable

Slide 10: DEFENSE is needed!

Slide 12: bWAPP == defense
- bWAPP, or a buggy Web APPlication
- Deliberately insecure web application, includes all major known web vulnerabilities
- Helps security enthusiasts, developers and students to discover and to prevent issues
- Prepares one for successful penetration testing and ethical hacking projects

Slide 13: bWAPP == defense
- Web application security is not just installing a firewall, or scanning a site for 'potential' issues
- Black-box penetration testing, simulating real attack scenarios, is still needed!
- Confirms potential vulnerabilities, and excludes false positives
- Guarantees that your defense measures are working effectively
- bWAPP helps to improve your security-testing skills…

Slide 15: OMG! Are we prepared for REAL attack scenarios???
Slide 16: bWAPP, Testimonials
- "Awesome! It's good to see fantastic tools staying up to date ..." Ed Skoudis, Founder of Counter Hack
- "I just installed bWAPP 1.6 into the next release of SamuraiWTF ... It's a great app ..." Justin Searle, Managing Partner at UtiliSec
- "Great progress on bWAPP BTW! :)" Vivek Ramachandran, Owner of SecurityTube

Slide 17: bWAPP, Architecture
- Open source PHP application
- Backend MySQL database
- Linux/Windows, Apache/IIS
- WAMP or XAMPP

Slide 18: bWAPP, Features (1)
- Very easy to use and to understand
- Well structured and documented PHP code
- Different security levels (low/medium/high)
- 'New user' creation (password/secret)
- 'Reset application/database' feature
- Manual intervention page
- Email functionalities

Slide 19: bWAPP, Features (2)
- Local PHP settings file
- No-authentication mode (A.I.M.)
- 'Evil Bee' mode, bypassing security checks
- 'Evil' directory, including attack scripts
- WSDL file (Web Services/SOAP)
- Fuzzing possibilities

Slide 20: bWAPP, What makes bWAPP so unique?
- Well, it has over 100 web vulnerabilities
- Covering all major known web bugs
- Including all risks from the Top 10 project
- Focus is not on one specific issue!

Slide 21: bWAPP, Which bug do you want to hack today? (1)
- SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
- Authentication, authorization and session management issues
- Malicious, unrestricted file uploads and backdoor files
- Arbitrary file access and directory traversals
- Heartbleed and Shellshock vulnerabilities
- Local and remote file inclusions (LFI/RFI)
- Server Side Request Forgery (SSRF)

Slide 22: bWAPP, Which bug do you want to hack today? (2)
- Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures, ...
- HTTP parameter pollution and HTTP response splitting
- XML External Entity attacks (XXE)
- HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
- Drupal, phpMyAdmin and SQLite issues
- Unvalidated redirects and forwards
- Denial-of-Service (DoS) attacks

Slide 23: bWAPP, Which bug do you want to hack today? (3)
- Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
- AJAX and Web Services issues (JSON/XML/SOAP)
- Parameter tampering and cookie poisoning
- Buffer overflows and local privilege escalations
- PHP-CGI remote code execution
- HTTP verb tampering
- And much more…

Slide 24: bWAPP, Which bug do you want to hack today? (no further text)

Slide 26: bWAPP, Coming soon!
- Cryptographic attacks
- Insecure session variables
- Session fixation
- More authentication issues
- WordPress vulnerabilities
- More D-XSS

Slide 27: bWAPP, External links
- Home page - www.itsecgames.com
- Download location - sourceforge.net/projects/bwapp
- Blog - itsecgames.blogspot.com
Slide 28: bee-box
- Every bee needs a home… the bee-box
- VM pre-installed with bWAPP
- LAMP environment: Linux, Apache, MySQL and PHP
- Compatible with VMware and VirtualBox
- Requires zero installation

Slide 29: bee-box
- bee-box is also made deliberately insecure…
- Opportunity to explore all bWAPP vulnerabilities
- Gives you several ways to hack and deface bWAPP
- Even possible to hack the bee-box to get full root access!
- Hacking, defacing and exploiting without going to jail
- You can download bee-box from here

Slide 31: bee-box, Features (1)
- Apache, Lighttpd, Nginx, MySQL and PHP installed
- Several PHP extensions installed (LDAP, SQLite, …)
- Vulnerable Bash, Drupal, OpenSSL and PHP-CGI
- Insecure DistCC, FTP, NTP, SNMP, VNC, WebDAV
- phpMyAdmin and SQLiteManager installed
- Postfix installed and configured
- AppArmor disabled

Slide 32: bee-box, Features (2)
- Weak self-signed SSL certificate
- 'Fine-tuned' file access permissions
- .htaccess files support enabled
- Some basic security tools installed
- Shortcuts to start, install and update bWAPP
- An amazing wallpaper
- An outdated Linux kernel…

Slide 33: bWAPP & bee-box, Ready, set, and hack!
- Only one thing to remember
- Logon credentials are…

Slide 34: bee/bug

Slide 35: bWAPP & bee-box, Ready, set, and hack!
- Only one thing to remember
- Logon credentials are bee/bug
- Please don't bug me anymore…

Slide 36: bWAPP & bee-box, Installation and configuration
- Install VMware Player or Oracle VirtualBox
- Extract, install, and start the bee-box VM
- Configure or check the IP settings
- Browse to the bWAPP web app: http://[IP]/bWAPP/
- Login with bee/bug

Slide 37: bWAPP & bee-box, General application settings
- settings.php, located under the bWAPP admin folder
- Connection settings
- SMTP settings
- A.I.M. mode
- Evil bee mode
- Static credentials

Slide 38: bWAPP & bee-box, General application settings
- Opening the settings file (as root):
  sudo gedit /var/www/bWAPP/admin/settings.php

Slide 39: bWAPP & bee-box, Settings (no further text)

Slide 40: bWAPP & bee-box, A.I.M. mode
- Authentication Is Missing, a no-authentication mode
- May be used for testing web scanners and crawlers
- Procedure
  - Change the IP address in the settings file
  - Point your web scanner or crawler to http://[IP]/bWAPP/aim.php
  - All hell breaks loose…

Slide 41: bWAPP & bee-box, Worst-case scenario options
- Reset the application: http://[IP]/bWAPP/reset.php
- Reset the application + database: http://[IP]/bWAPP/reset.php?secret=bWAPP
- Reinstall the database: drop the database from phpMyAdmin, then http://[IP]/bWAPP/install.php

Slide 42: Finally… time for a DEMO
Slide 45: Penetration Testing
- Penetration testing, or pentesting
- Method of evaluating computer, network or application security by simulating an attack
- Active analysis of potential vulnerabilities by using ethical hacking techniques
- Penetration tests are sometimes a component of a full security audit

Slide 46: Web App Penetration Testing
- Web application pentesting focuses on evaluating the security of a web application
- Application is tested for known web vulnerabilities
- Manual, automatic and semi-automatic tests
- Source code analysis and web server configuration review as an option

Slide 47: Web App Penetration Testing
- It's all about identifying, exploiting, and reporting vulnerabilities
- Some considerations…
  - Commercial tools vs. open source tools
  - Not a best practice to use only one tool
  - Most commercial scanners don't exploit
  - False positives are not allowed!
  - People don't like auto-generated reports

Slide 48: Testing Methodologies, A simple testing methodology (no further text)

Slide 49: Testing Methodologies, A more advanced testing methodology (no further text)

Slide 50: OWASP
- OWASP, or Open Web Application Security Project
- Worldwide non-profit organization focused on improving the security of software
- Freely-available articles, methodologies, documentation, tools, and technologies
- Vendor neutral, no recommendations for commercial products or services!

Slide 51: OWASP, Current OWASP Projects
- Top 10 Project and Testing Guide
- Development and Code Review Guide
- Application Security Verification Standard
- Broken Web Applications (BWA)
- Zed Attack Proxy (ZAP)

Slide 52: OWASP
- The OWASP Top 10 Project lists the 10 most severe web application security risks
- Constantly updated, latest version released in 2013
- Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS
- Good starting point for a web application pentest
- What to test? How to test? How to prevent?

Slide 53: OWASP, OWASP Top 10 Application Security Risks (no further text)

Slide 54: OWASP, OWASP Top 10 placement (no further text)
Slide 56: Intercepting Proxies
- Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)
- Located between the browser and the web application
- Ability to intercept and to modify requests/responses
- Provide a historical record of all requests
- Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories

Slide 57: Intercepting Proxies, ZAP, Zed Attack Proxy
- OWASP project, by Simon Bennetts
- Java application, released in September 2010
- Fork of the Paros intercepting proxy
- Pentesting tool for finding vulnerabilities
- Provides automated scanning, as well as a set of tools to find security vulnerabilities manually

Slide 58: Intercepting Proxies, ZAP, Zed Attack Proxy
Functionalities
- Intercepting proxy, listening on TCP/8080
- Traditional and AJAX spider
- Automated and passive scanner
- Fuzzing and brute force capabilities
- Smartcard and client certificate support
- Authentication and session support

Slide 60: Demo, ZAP, Zed Attack Proxy
- Parameter/cookie tampering
- Online password attack
- Vulnerability detection

Slide 61: Commercial Web Scanners, Netsparker
- Automated 'false positive free' web security scanner
- Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
- Automatically exploits detected vulnerabilities to ensure no false positives are reported
- Free 'Community Edition' available!

Slide 63: Commercial Web Scanners, Netsparker (no further text)

Slide 64: Ready to Exploit some bugs?
Slide 66: Hungry Evil Bees, Hacking, Defacing and Exploiting
- SQL Injection
- Cross-Site Scripting (XSS)
- Client-side Attacks
- Denial-of-Service (DoS)
- Unrestricted File Uploads
- Local Privilege Escalation

Slide 67: SQL Injection
- SQL injection is very common in web applications
- Occurs when user input is sent to a SQL interpreter as part of a query
- The attacker tricks the interpreter into executing unintended SQL queries

Slide 68: SQL Injection, Injection in the OWASP Top 10 (no further text)

Slide 69: SQL Injection, Normal operation (diagram)
- BROWSER -> HTML (GET/POST) with login, password -> WEB APP
- WEB APP -> SQL -> SQL interpreter / DATABASE:
  SELECT * FROM table WHERE login = 'login' AND password = 'password'
- DATABASE -> result -> WEB APP -> HTML -> BROWSER

Slide 70: SQL Injection, Abnormal operation (diagram)
- Same flow, but the password field carries ' or 1=1-- so the query sent to the interpreter becomes:
  SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- '

Slide 71: SQL Injection, Simple injections
- '--
- ' or 'a'='a
- ' or 'a'='a'--
- ' or '1'='1
- ' or 1=1--

Slide 72: SQL Injection
- Union injections
  - ' UNION SELECT field1, field2 FROM table--
  - ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
- Stacked queries
  - '; DROP TABLE table;--
Slide 74: Blind SQL Injection
- Blind SQL injection occurs when the database does not output data to the web page
- Nearly identical to normal SQL injection, the way data is retrieved is different…
- The result of the SQL injection is determined based on the application's responses
- Boolean-based or time-based
- Using automated tools is a must

Slide 75: Blind SQL Injection, Example: Time-based SQL injection
- blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,1,1))=116 AND SLEEP(5)--
- blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,2,1))=114 AND SLEEP(5)--
- blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,3,1))=105 AND SLEEP(5)--
- blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,4,1))=110 AND SLEEP(5)--
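The normal/abnormal operation of slides 69-72, and the point from slide 74 that blind injection is the same bug with a different read-back channel, shown as an added example (not bWAPP's code): the slide's login query written with string concatenation beside the same query with placeholders, run against the page's own payloads on a constructed in-memory SQLite table (bWAPP itself uses MySQL; the concatenation defect and its fix look the same there).

```python
"""Added example (not bWAPP code): the slide's login query, vulnerable vs. safe.

The vulnerable function splices user input into the SQL text exactly as the
"abnormal operation" slide shows; the safe one uses placeholders. Both run
against a constructed in-memory SQLite table.
"""
import sqlite3

# Constructed sample accounts; bee/bug are the bWAPP demo credentials.
SEED_USERS = [("bee", "bug"), ("alice", "correct-horse")]

# Payloads taken from the "Simple injections" / "Union injections" slides,
# each paired with the (login, password) fields they are typed into.
PAYLOADS = {
    "or 1=1": ("bee", "' or 1=1--"),
    "or a=a": ("' or 'a'='a", "' or 'a'='a"),
    "union": ("nobody", "' UNION SELECT login FROM users--"),
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, login, password):
    """String concatenation: a quote or '--' in the input rewrites the query."""
    query = ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
             % (login, password))
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, login, password):
    """Parameterised: the driver sends the values separately from the SQL
    text, so the input is only ever compared as data and never parsed."""
    query = "SELECT login FROM users WHERE login = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (login, password)))


def compare(conn):
    """Return {payload name: (rows from vulnerable query, rows from safe query)}."""
    return {name: (login_vulnerable(conn, *creds), login_safe(conn, *creds))
            for name, creds in PAYLOADS.items()}


if __name__ == "__main__":
    db = make_db()
    print("legit   vulnerable ->", login_vulnerable(db, "bee", "bug"),
          "| safe ->", login_safe(db, "bee", "bug"))
    for name, (bad, good) in compare(db).items():
        print(f"{name:8}vulnerable ->", bad, "| safe ->", good)
```

Every payload returns the whole table from the concatenated query and nothing from the parameterised one, which is why the fix for the time-based variant on slide 75 is the same placeholder rewrite.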
Slide 76: Automated SQL Injection, sqlmap
- Open source penetration testing tool
- Automates the process of detecting and exploiting SQL injection
- Developed in Python, since July 2006
- Full support for MS SQL, MySQL, Oracle, PostgreSQL, …
- Full support for various SQL injection techniques
- Site: http://sqlmap.org/

Slide 77: Demo, SQL Injection
- Bypassing login forms
- Manually extracting data
- Automated SQL injection
- Website defacement
Slide 78: Cross-Site Scripting
- Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application
- Insufficient validation of user-supplied data
- Dangerous when it is stored permanently!
- XSS can lead to
  - Website defacements
  - Phishing / session hijacking
  - Client-side exploitation

Slide 79: Cross-Site Scripting, Types of XSS flaws
- Reflected XSS
- Stored XSS

Slide 80: Cross-Site Scripting, XSS in the OWASP Top 10 (no further text)

Slide 81: Demo, Cross-Site Scripting
- Detecting XSS
- Phishing & session hijacking
- Client-side exploitation

Slide 82: Denial-of-Service
- Denial-of-Service attack, or DoS attack
- An attacker attempts to prevent legitimate users from accessing the application, server or network
- Consumes network bandwidth, server sockets, threads, or CPU resources
- Distributed Denial-of-Service attack, or DDoS
- Popular techniques used by hacktivists

Slide 83: Denial-of-Service
- Newer layer 7 DoS attacks are more powerful!
- "Low-bandwidth application layer DoS"
- Advantages of layer 7 DoS
  - Legitimate TCP/UDP connections, difficult to differentiate from normal traffic
  - Requires fewer connections, so a single attack can stop a web server
  - Reaches resource limits of services, regardless of the hardware capabilities of the server

Slide 84: Denial-of-Service, Layer 7 DoS methods
- HTTP Slow Headers
- HTTP Slow POST
- HTTP Slow Reading
- Apache Range Header
- SSL/TLS Renegotiation
- XML Bombs

Slide 85: Demo, Denial-of-Service
- HTTP Slow POST
- MS15-034 (>SSRF)
Slide 86: Web Shells
- Web shells are malicious web pages that provide an attacker functionality on a web server
- Making use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl, ...
- Web shell functionalities
  - File transfers
  - Command execution
  - Network reconnaissance
  - Database connectivity

Slide 87: Web Shells, External attack vectors
- (Blind) SQL Injection
- OS Command Injection
- Remote File Inclusion
- Unrestricted File Upload
- Insecure FTP, WebDAV, …
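As a defensive counterpart to the "Unrestricted File Upload" vector on slides 86-87 (an added example, not bWAPP's code): an upload check that allow-lists image extensions, rejects double extensions, verifies the file's magic bytes against the declared type, refuses embedded PHP open tags, and stores the file under a server-chosen random name. The sample file bodies are constructed, and the policy is a common hardening pattern rather than anything bWAPP ships.

```python
"""Added example (not bWAPP code): hardening the upload path that web shells use.

Policy: allow-list of image extensions checked against the file's magic bytes,
rejection of double extensions and embedded PHP tags, and a random name on
disk. Sample file bodies below are constructed.
"""
import secrets

# Allowed extensions and the leading bytes a genuine file of that type has.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions a PHP-enabled Apache commonly maps to a script handler. Apache's
# mod_mime considers every dotted segment, so "shell.php.png" may still be
# executed as PHP: every inner segment is checked, not just the last one.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar",
               "asp", "aspx", "jsp", "cfm", "pl"}


def validate_upload(filename, content):
    """Return (accepted, reason); any single failed check rejects the file."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or hidden-file name"
    ext = parts[-1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allow-listed"
    if any(seg in SCRIPT_EXTS for seg in parts[1:-1]):
        return False, "script extension inside file name"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    # A real image with '<?php' in its metadata is harmless as an image but
    # becomes executable once included through LFI (one of the bWAPP bugs
    # listed earlier), so refuse the open tag anywhere in the body.
    if b"<?php" in content.lower():
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(ext):
    """Never keep the client's name on disk: random name, validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename, content):
    """Return the name the file would be saved under, or None if rejected."""
    ok, _reason = validate_upload(filename, content)
    if not ok:
        return None
    return stored_name(filename.lower().rsplit(".", 1)[-1])


# Constructed samples: a minimal PNG header, and the same with a PHP tag appended.
SAMPLE_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_POLYGLOT = SAMPLE_PNG + b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for name, body in [("holiday.png", SAMPLE_PNG), ("shell.php", b"<?php echo 'x'; ?>"),
                       ("shell.php.png", SAMPLE_PNG), ("img.png", SAMPLE_POLYGLOT)]:
        print(f"{name:14}", validate_upload(name, body))
```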
Slide 88: Demo, Web Shell
- Web shell creation
- Remote shell access
- Escalating privileges...
- Getting root access!
Slide 90: Superbees Wanted
- Hi little bees, during this talk we
  - Defaced our website
  - Compromised the server
  - Compromised a client
  - Made the server unreachable
  - Hijacked a session
  - Stole credentials…

Slide 91
- And we have so many more bugs…
- Time to improve your web security
- Defense is really needed
- Downloading bWAPP is a first start
- Remember, every bee needs a superbee
- Are you that superbee?
Superbees Wanted @MME_IT #bWAPP
