Silent web app testing by example - BerlinSides 2011

Silent web app testing
by example
Berlin Sides, December 29th 2011

Abraham Aranguren
@7a_
abraham.aranguren@gmail.com
http://7-a.org

Agenda
• Quick Intro
• Walk-through:
No permission needed
Mild/Subtle testing techniques
Passive discovery at post-exploitation
• Conclusion
• Q&A

About me
• Spanish dude
• Degree + Diploma in Computer Science
• Uni: Security research + honour mark
• IT: Since 2000 (netadmin / developer)
• Comeback to (offensive) security in 2007
• OSCP, CISSP, GWEB, CEH, MCSE, Etc.
• Web App Sec and Dev/Architect
• OWTF, GIAC, BeEF

Intro
47% (31 out of 66) of the tests in the OWASP Testing
guide can be legally* performed at least partially
without permission

* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!

But …. why???
• Pre-engagement quality
• Choose bank wisely ☺
• Fun / Research
• No permission yet but tight deadline
• Get a head start in a pen test
• No fuzzing allowed / hard restrictions
• Waiting for info on other areas

Talk Scope
This talk is mostly NOT about:
• https NIDS blind*
• Use POST not logged (usually)
• Wifi, Tor, proxies, proxychains …

This talk is about:
• Using normal traffic or no traffic
• Confuse payloads = look as legit traffic

Types of Traffic
• Passive: No traffic to target
Example: Third party site touches target not us

• Semi Passive: Normal traffic to target
Examples: Visit site, download published content

• Active: Direct vulnerability probing
Examples: SQL injection, XSS, CSRF, etc. tries

Legend
Ethics/Scope legend*: P
• P No Permission needed: No attack traffic
• ! Mild attack traffic / Could break things
• !! You better have written permission ..

Vulnerable vs. Not Vulnerable legend:
• Vulnerable
• Not Vulnerable

* When in doubt, don’t do it or consult a lawyer!

Testing: Spiders, Robots, and
Crawlers (OWASP-IG-001)

$ wget http://target.com/robots.txt
P

Case 1 Not found: Indexing required?
Case 2 Found: Analyse entries

Crawlers (OWASP-IG-001) cont.
Case 1 robots.txt Not Found
…should Google index a site like this?
P

Or should robots.txt exist and be like this?
User-agent: *
Disallow: /

P
Case 2 robots.txt Found (default Drupal robots.txt!)
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
...
# Files
Disallow: /CHANGELOG.txt  Drupal Version ☺
Disallow: /xmlrpc.php

Case 2 Research known vulns passively
(i.e. OpenID bypass for Drupal 6.16)
P

(General) Environment replication
Download it .. Sometimes from project page ☺

P

Also check http://www.oldapps.com/, Google, etc.

(General) Environment replication
Static Analyis, Fuzz, Try exploits, ..

P

RIPS for PHP: http://rips-scanner.sourceforge.net/
Yasca for most other (also PHP): http://www.scovetta.com/yasca.html

Search engine discovery / recon
(OWASP-IG-002) cont.
Google Hacking techniques like ..
P


P
Automated
Google
Hacking

http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/


P
Metadata tools:
• FOCA (v. 3 now!)
• Metagoofil
• Exiftool
• EXIF FF plugin

http://www.informatica64.com/foca.aspx


P
The Harvester:
•Emails
•Employee Names
•Subdomains
•Hostnames

http://www.edge-security.com/theHarvester.php


P

Image Credit: http://www.paterva.com
http://www.paterva.com/web5/client/download.php

A bit of most in one:
P

https://addons.mozilla.org/en-US/firefox/addon/passiverecon/

Testing: Identify application entry
points (OWASP-IG-003)
Use a proxy and JUST browse the site
• Let the proxy log ALL requests P
• Understand the site

Proxies that detect vulns passively:
• ratproxy
• ZAP Proxy

Efficient manual browsing:
Snap Links Plus http://snaplinks.mozdev.org/

Testing for Web Application
Fingerprint (OWASP-IG-004)
Goal: What is that server running?
P
Semi passive banner grab example:
• $ curl -i -A 'Mozilla/5.0 (X11; Linux i686; rv6.0)
Gecko/20100101 Firefox/6.0' -H 'Host: target.com'
https://target.com
…
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10
with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g

Fingerprint (OWASP-IG-004) cont.

P

http://toolbar.netcraft.com - Passive banner grab,etc.

Search in the headers without touching the site: P

http://www.shodanhq.com/


P
•CMS
•Widgets
•Libraries
•etc

http://builtwith.com


P
Do you know what that site is running now?

Let’s look for exploits and vulns


P

Exploit DB - http://www.exploit-db.com


P

NVD - http://web.nvd.nist.gov - CVSS Score = High


P

OSVDB - http://osvdb.org - CVSS Score = High


P

http://www.securityfocus.com - Better on Google


P

http://www.exploitsearch.net - All in one

Testing for Application Discovery
(OWASP-IG-005)

P

http://www.robtex.com - Passive DNS Discovery


P

http://whois.domaintools.com


P

http://centralops.net or proxychains .. nmap –sT


P

http://centralops.net

Testing for Error Code
(OWASP-IG-006)
Has Google found error messages for you?
P

Check errors via Google Cache
P

Testing for SSL-TLS
(OWASP-CM-001)
No traffic ..
P

https://www.ssllabs.com/ssldb/analyze.html

Testing for SSL-TLS
(OWASP-CM-001) cont.
.. And pretty graphs
P

https://www.ssllabs.com/ssldb/analyze.html

Testing for SSL-TLS
Do not forget about Strict-Transport-Security!
P
$ curl -i https://accounts.google.com
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=2592000;
includeSubDomains

sslstrip chances decrease dramatically:
Only 1st time user visits the site!

Application Configuration
Management (OWASP-CM-004)
Just browse the site as normal and ..
look for comments! (lame but works!):
P

/* TODO: Security hole here .. */
//FIXME: The function below is vulnerable…

Testing for Admin Interfaces
(OWASP-CM-007)
• 3rd party stuff on .NET ViewState, headers,..
P

• Telerik.Web.UI?? Google it!

Google for default passwords:
P

!!

Testing for HTTP Methods and XST
(OWASP-CM-008)
An OPTIONS request is quite normal:
P
$ curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' –k
https://site.com

HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Testing for HTTP Methods and XST

P

http://centralops.net

Testing for credentials transport
(OWASP-AT-001)
Is the login page on “http” instead of “https”?
And … look carefully at pop-ups like this:
P

Consider: Firesheep and sslstrip

Testing for user enumeration
(OWASP-AT-002) – by design

P

Mario was going to report a bug to Mozilla and found another!

(OWASP-AT-002) – by design
Abuse user/member search functions:
• Search for “” (nothing) or “a”, then “b”, .. P
• Download all the data using 1) + pagination (if
any)
• Merge the results into a CSV-like format
• Import + save as a spreadsheet
• Show the spreadsheet to your customer

Testing for Default or Guessable
User Account (OWASP-AT-003)
Analyse the username(s) they gave you to test:
P
• Username based on numbers?
USER12345

• Username based on public info? (i.e. names, surnames,
..)
name.surname

• Default CMS user/pass?

Vulnerable Remember Password and
Pwd Reset (OWASP-AT-006)

Is autocomplete set to off?
• Via 1) <form … autocomplete=“off”>
P
• Or Via 2) <input … autocomplete=“off”>

Or not?
<form action="/user/login" method="post">
<input type="password" name="pass" />

Pwd Reset (OWASP-AT-006) cont.
Easy “your grandma can do it” test:
1. Login
2. Logout
P
3. Click the browser Back button twice*
4. Can you login again –without typing the login or
password- by re-sending the login form?

Can the user re-submit the login form via the back
button?
* Until the login form submission

Pwd Reset (OWASP-AT-006) cont.
Also .. Look at the questions / fields in
the password reset form … P
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc)
• Does it send an email to a potentially dead email
address you can register? (i.e. hotmail.com)

Logout and Browser Cache
Management (OWASP-AT-007)
Goal: Is Caching of sensitive info allowed?
P
Easy “your grandma can do it” test (need login):
1. Login
2. Logout
3. Click the browser Back button
4. Do you see logged in content or a this page has
expired error / the login page?

Management (OWASP-AT-007) cont.
See headers with:
• Commands: curl –i http://target.com P
• Proxy: Burp, ZAP, WebScarab, etc
• Browser Plugins:

https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
https://addons.mozilla.org/en-US/firefox/addon/firebug/


P
1) Wrong caching HTTP/1.1 headers:
Cache-control: private

Instead of:
Cache-Control: no-cache


2) Wrong caching HTTP/1.0 headers: P
Pragma: private
Expires: <way too far in the future>

Instead of:
Pragma: no-cache
Expires: <past date or illegal value (e.g. 0)


3) No caching headers (= caching allowed, default!) P
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ….
X-Powered-By: ….
Connection: close
Content-Type: text/html; charset=UTF-8

Instead of (best): $ curl –i https://accounts.google.com...
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT

Repeat for Meta tags:
P
4) Wrong HTTP/1.1:
<META HTTP-EQUIV="Cache-Control"
CONTENT=“private">

Instead of:
<META HTTP-EQUIV="Cache-Control" CONTENT="no-
cache">
Etc. (see previous slides)

Testing for Captcha
(OWASP-AT-008)
Can be done offline:
• Download image and try to break it P
• Are CAPTCHAs reused?
• Is a hash or token passed? (Good algorithm?
Predictable?)
• Look for vulns on CAPTCHA version:

PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
Captcha Breaker - http://churchturing.org/captcha-dist/

Testing for Session Management
Schema (OWASP-SM-001)
Examine cookies for weaknesses offline
P
Base64
MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dv
cmQ6MTU6NTg=

Is
owaspuser:192.168.100.1:
a7656fafe94dae72b1e1487670148412

Schema (OWASP-SM-001) cont.

P

http://hackvertor.co.uk/public

Lots of decode options, including:
• auto_decode
P
• auto_decode_repeat
• d_base64
• etc.

http://hackvertor.co.uk/public


Cookie decoder: F5 BIG-IP P

http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html

Testing for cookies attributes
(OWASP-SM-002)
• Secure: not set= session cookie leaked= pwned
• HttpOnly: not set = cookies stealable via JS P
• Domain: set properly
• Path: set to the right /sub-application
• Expires: set reasonably

• 1 session cookie that works is enough ..

Testing for Session Fixation
(OWASP-SM-003)
Session ID normally NOT changed by default..
P
Before Login PHPSESSID:
10a966616e8ed63f7a9b741f80e65e3c
+
After Login PHPSESSID:
10a966616e8ed63f7a9b741f80e65e3c
=
Vulnerable

Testing for Exposed Session
Variables (OWASP-SM-004)
Session ID:
• In URL P
• In POST
• In HTML

Example from the field:
http://target.com/xxx/xyz.function?session_num=7785

Testing for CSRF (OWASP-SM-005)
Look at HTML code:
P
No anti-CSRF token = Vulnerable
Anti-CSRF token = Wait to ACTIVE testing ☺

Testing for Bypassing Authorization
Schema (OWASP-AZ-002)
Look at unauthenticated cross-site requests:
P
http://other-site.com/user=3&report=4
Referer: site.com

Change ids in application: !
http://site.com/view_doc=4

Testing for Reflected/Stored Cross
site scripting (OWASP-DV-001)

P
Headers Enabling/Disabling Client-Side XSS filters:

• X-XSS-Protection (IE-Only)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)

Example:

X-XSS-Protection: 1; mode=block

UI Redressing Protection
i.e. Clickjacking (OWASP Code?)
Look for for UI Redressing protections:
P
• X-Frame-Options (best)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
• JavaScript Frame busting (bypassable sometimes)

Example:
X-Frame-Options: Deny

“Clickjacking for Shells”:
http://www.morningstarsecurity.com/research/clickjacking-wordpress

Testing for DOM-based Cross site
scripting (OWASP-DV-003)
Review JavaScript code on the page:
P
<script>
document.write("Site is at: " + document.location.href + ".");
</script>

Sometimes active testing possible in your browser
(no trip to server = not an attack = not logged):

#
http://target.com/... vulnerable_param=xss

http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html

Testing for Cross site flashing
(OWASP-DV-004)
1) Find Flash files:
P

(OWASP-DV-004) cont.
2) Find crossdomain.xml
P

3) Look at crossdomain.xml:
Example 1:
<cross-domain-policy>
P
<allow-access-from domain="*"/>
</cross-domain-policy>

Example 2:
<cross-domain-policy>

<allow-http-request-headers-from
domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>
http://en.wikipedia.org/wiki/Same_origin_policy
http://kb2.adobe.com/cps/403/kb403185.html

4) Download + decompile Flash files:
$ flare hello.swf P


P

http://www.brothersoft.com/hp-swfscan-download-253747.html
http://tinyurl.com/SWFScan-msi

Active testing ☺
P
1) Trip to server = need permission !
http://target.com/test.swf?xss=foo&xss2=bar

2) But … your browser is yours:

No trip to server = no permission needed P
#
http://target.com/test.swf ?xss=foo&xss2=bar

Good news: Unlike DOM XSS, the # trick will always work for Flash Files

Testing for SQL Injection
(OWASP-DV-005)
Did Google find SQLi for you?
P

DoS Failure to Release Resources
(OWASP-DS-007)
1. Browse Site
2.
3.
Time requests
Get top X slowest requests
P
4. Slowest = Best DoS target

Testing: WS Information Gathering
(OWASP-WS-001)
Google searches: inurl:wsdl site:example.com

Web service analysis:
P
http://www.example.com/ws/FindIP.asmx?WSDL

Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/

Testing for WS Replay
(OWASP-WS-007)

Similar to CSRF:
P
Is there an anti-replay token in the request?

Testing for file extensions handling
(OWASP-CM-005)
some attack traffic but subtle. File Uploads:
!!
• If upload.php or .asp, .html, .. is allowed by app
• A valid GIF or JPG comment can be a valid PHP
script, etc ..

• Difference from attack to legit can be subtle
• File uploads are POST = often not logged
(Enterprises do, but small businesses normally don’t)

(OWASP-IG-006)
• Use var_name[] in PHP:
!

• Make __VIEWSTATE = ‘a’:
[ViewStateException: Invalid viewstate …..
…
) in c:WINDOWSMicrosoft.NETFrameworkv2.0.50727Temporary
ASP.NET Filesroot ….

(OWASP-AT-002)
• Error messages
!
“this user does not exist”
“the website member could not be found”
Etc.

• Time differences

$ time curl https://target.com -d 'user=x&pass=y'
Bad login Example:
Valid User (retrieved from DB): > 1.5 secs
Invalid User (not in DB = faster): < 0.7 secs

Testing for Reflected/Stored Cross
site scripting (OWASP-DV-001+2)
Subtle look for signs of output encoding: !
O’Brien O'Brien

O”Brien O"Brien or O%22Brien

Ted..> Ted..> or Ted..%3E

Ted,< Ted,.< or Ted..%3C

Charset, etc.

Testing for SQL Injection
(OWASP-DV-005)
SQL errors:
!
• Strings: O’Brien
• IDs: Instead of “1” type “1l” or “1 l”

Math operations: Is the same item displayed?
• target.com/id=2 target.com/id=1%2B1

(OWASP-IG-005) @ post-exploitation
Got shell?
!!

(OWASP-IG-005) @post-exploitation
You feel like ..
!!

They feel like ..
!!

And finally ..
!!

You have a mission! !!
• “Shell is only the beginning” – Darkoperator
• Your job is to show impact*
• Web app sec can also involve network sec!

Goal: How much damage could be done?

*within scope restrictions!

• Web server running as SYSTEM? (default!)
• No need to crack passwords .. !!

Just type your chosen password ..
!!

• Steal passwords ..
!!

• Be patient, it’s worth it ..

Pivot to the other hosts reusing passwords
!!

PASSIVE Ping Sweep: Unique IPs & MACs from the
ARP table of all popped boxes via winenum
P

PASSIVE Local “Port scanning” from winenum
P

Don’t forget about IPv6 & UDP ☺
P

PASSIVE Remote “Port scanning” from winenum
via active connections P

Pen tester Conclusion
• No permission != cannot start
• A lot of work can be done in advance

This work in advance helps with:
• Increased efficiency
• Deal better with tight deadlines
• Better pre-engagement
• Better test quality
• Best chance to get in

Bottom line: Do it

Business Conclusion
• Web app security > Input validation
• We see no traffic != we are not targeted
• No IDS alerts != we are safe
• Your site can be tested without you noticing
• Test your security before others do

Special thanks to
• OWASP Testing Guide contributors
• Krzysztof Kotowicz
• Marcus Niemietz
• Mario Heiderich
• Michele Orru
• Sandro Gauci

Q&A
Abraham Aranguren
@7a_
abraham.aranguren@gmail.com
http://7-a.org

Q - owtf! This is a lot of work
A - I know, check out: http://owtf.org

Silent web app testing by example - BerlinSides 2011

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Silent web app testing by example - BerlinSides 2011

Similar to Silent web app testing by example - BerlinSides 2011 (20)

Recently uploaded

Recently uploaded (20)

Silent web app testing by example - BerlinSides 2011