Injectable Exploits. New Tools for Pwning Web Apps and Browsers

Similar documents
A Samurai-WTF intro to the Zed Attack Proxy

Web Application Penetration Testing

Moving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas

Web Security. Thierry Sans

Notes From The field

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Certified Secure Web Application Engineer

Penetration Testing with Kali Linux

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CSWAE Certified Secure Web Application Engineer

Testing from the Cloud: Is the sky falling?

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Testing from the Cloud: Is the sky falling?

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Introduction to Ethical Hacking

Web Penetration Testing

Bypassing Web Application Firewalls

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

Coding for Penetration

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

GOING WHERE NO WAFS HAVE GONE BEFORE

WebGoat& WebScarab. What is computer security for $1000 Alex?

PHP and MySQL Programming

The Way of the Bounty. by David Sopas

Andrés Riancho sec.com H2HC, 1

OWASP TOP 10. By: Ilia

Who am I? Sandro Gauci and EnableSecurity Over 8 years in the security industry Published security research papers Tools - SIPVicious and SurfJack

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Metasploit. Installation Guide Release 4.4

NoSQL Injection SEC642. Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques S

Certified Vulnerability Assessor

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

SECURITY TESTING. Towards a safer web world

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Application vulnerabilities and defences

Penetration Testing. James Walden Northern Kentucky University

Web Application Attacks

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd

Security Testing for Benefits Screening & Management Project

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

INNOV-09 How to Keep Hackers Out of your Web Application

OWASP Broken Web Application Project. When Bad Web Apps are Good

A D V I S O R Y S E R V I C E S. Web Application Assessment

Lab 5: Web Attacks using Burp Suite

Securing ArcGIS Services

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Web Application Security. Philippe Bogaerts

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

Coding for Penetration Testers Building Better Tools

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

Web Applications Penetration Testing

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Security. CSC309 TA: Sukwon Oh

Host Website from Home Anonymously

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

CSCE 548 Building Secure Software SQL Injection Attack

Your Turn to Hack the OWASP Top 10!

NEST Kali Linux Tutorial: Burp Suite

The OWASP Foundation

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

CyberP3i Hands-on Lab Series

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

Injecting Security Controls into Software Applications. Katy Anton

Multi-Post XSRF Web App Exploitation, total pwnage

Security Regression. Addressing Security Regression by Unit Testing. Christopher

A framework to 0wn the Web - part I -

Web Exploitation Framework wxf

Securing Your Company s Web Presence

CTF Workshop. Crim Synopsys, Inc. 1

Secure DevOps: A Puma s Tail

Evaluating Website Security with Penetration Testing Methodology

Principles of ICT Systems and Data Security

Application security : going quicker

HHC 2017 writeup, by RedTeam611

ZAP Innovations. OWASP Zed Attack Proxy. Simon Bennetts. OWASP AppSec EU Hamburg The OWASP Foundation

Solutions Business Manager Web Application Security Assessment

Common Websites Security Issues. Ziv Perry

Web Application Threats and Remediation. Terry Labach, IST Security Team

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Framework for Application Security Testing. September 11th, 2018

Portcullis Computer Security.

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

CS 361S - Network Security and Privacy Spring Project #1

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Security Penetration Test of HIE Portal for A CUSTOMER IMPLEMENTION. Services provided to: [LOGO(s) of company providing service to]

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Transcription:

Injectable Exploits New Tools for Pwning Web Apps and Browsers Kevin Johnson kevin@inguardians.com Justin Searle justin@inguardians.com Frank DiMaggio frank@secureideas.net 1

Who are we? Kevin Johnson BASE/SamuraiWTF/Laudanum/Yokoso! Project Lead Penetration Tester Author and instructor of SANS SEC542 Justin Searle SamuraiWTF/Yokoso!/Middler Project Lead Penetration Tester SmartGrid and Embedded Hardware Researcher Frank DiMaggio Web App Security Researcher Laudanum Project Lead SamuraiWTF/Yokoso!/BASE Core Developer 2

Laudanum http://laudanum.inguardians.com 3

Writing Files with SQL Injection Most RDBMS' can write to files For example MySQL has the INTO directive SELECT * FROM table INTO dumpfile 'data.txt'; Can write anywhere MySQL has permissions Got root? 4

Controlling Output But we can control the output SELECT "Injectable Files are Cool!" FROM table; It's not a search of the table Returns a record set that is just the string! 5

Milk and Cookies By combining the previous two queries We can inject files of our choosing Written to where the RDBMS has permissions 6

Laudanum provides the payloads for this injection! 7

Pieces of Laudanum Exploit scripts designed for injection Multiple functions Written in popular web scripting languages PHP, ASP, CFM, JSP 8

Shells Shell access is a win! Scripts to provide shell access Web based shell so no interactive commands Can use BASE64 encoding to bypass IDS and monitoring 9

Utilities Many scripts that are useful during pen-tests are in development DNS Retrieval Active Directory Querying Port Scanners Vuln Scanners Limited by our Imagination! 10

Scope Limitations Important for Pen-Tests Built-in features in the scripts Allows us to control who can access IP restrictions Authentication Returns 404 Status Codes if you fail scope check 11

Yokoso! http://yokoso.inguardians.com/ 12

Yokoso! All foreign nationals landing in Japan are required to submit to fingerprinting and having their picture taken since November 2007. 13

What is Yokoso! Yokoso is a collection of fingerprints These can be used in multiple ways XSS Mapping Function Attack Scripts 14

Fingerprints? More of our infrastructure is webmanaged Fingerprints are the URLs of unique resources Resources within the administration Unique files that identify the system index_ie.htm pb_apache.gif 15

Pre or Post Auth Some resources require authentication Yokoso! contains both pre and post authentication fingerprints Pre auth fingerprints are used for infrastructure discovery Post auth fingerprints are used for user mapping 16

Usages for the Fingerprints These fingerprints can be used within XSS attacks Infrastructure Discovery Determining critical devices Within the attacked browser's network History Browsing Where has this browser been Are they interesting to us? 17

Fingerprints Wanted! Collect fingerprints using interception proxies like Burp or WebScarab Save those logs Remove all unrelated requests and responses PURGE private data from remaining data Put a placeholder in the place of the data Send us what s left Tell us what we are looking at! 18

SamuraiWTF (Web Testing Framework) http://samurai.inguardians.com/ 19

SamuraiWTF 2 Versions: Live CD and VMware Image Based on the latest version of Ubuntu A few of the tools included: Laudanum Yokoso! w3af BeEF Burp Suite Grendel-Scan Dirbuster WebScarab ratproxy nmap 20

Future plans for SamuraiWTF Move to Kubuntu Move toward the Ubuntu build process Move all software and configurations to Debian packages Software upgrades between official releases Easier for users to customize the distro Provides access to WTF tools in all Ubuntu installs Facilitate collaboration within dev team 21

How Can You Help?! Project Links http://laudanum.inguardians.com/ http://yokoso.inguardians.com/ http://samurai.inguardians.com/ Join one of the projects. If you like the tools (we think you will), pass the word. 22

Thanks! Kevin Johnson kevin@inguardians.com Twitter @secureideas Justin Searle justin@inguardians.com Twitter @meeas Frank DiMaggio frank@secureideas.net Twitter @hanovrfst 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback