Andrés Riancho sec.com H2HC, 1

Similar documents
A framework to 0wn the Web - part I -

Web Penetration Testing

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

CyberP3i Hands-on Lab Series

Web Application Security Payloads. Andrés Riancho SecTor 2010, Toronto, Canada.

CSWAE Certified Secure Web Application Engineer

IronWASP (Iron Web application Advanced Security testing Platform)

w3af - Web application attack and audit framework Documentation

w3af - Web application attack and audit framework Documentation

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Certified Secure Web Application Engineer

w3af - Web application attack and audit framework Documentation

Securing Your Company s Web Presence

w3af User Guide Document version: 1.7 Original author: Andres Riancho Reviewed by: Mike Harbison Andy Bach Chris Teodorski

Web Application Penetration Testing

Vulnerability & Attack Injection for Web Applications

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

An analysis of security in a web application development process

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

GOING WHERE NO WAFS HAVE GONE BEFORE

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

Web Security. Thierry Sans

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Internet infrastructure

CERN Web Application Detection

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Penetration Testing with Kali Linux

Coding for Penetration

mission critical applications mission critical security Oracle Critical Patch Update October 2011 E-Business Suite Impact

Secure Programming and! Common Errors! PART II"

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Application Security Statistics Project 2007

RiskSense Attack Surface Validation for Web Applications

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

epldt Web Builder Security March 2017

Chapter 5: Vulnerability Analysis

Web Application Payloads

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Solutions Business Manager Web Application Security Assessment

Web Applications & APIs

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Pwn ing you(r) cyber offenders

Who am I? Sandro Gauci and EnableSecurity Over 8 years in the security industry Published security research papers Tools - SIPVicious and SurfJack

CRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Application security : going quicker

MBFuzzer - MITM Fuzzing for Mobile Applications

SECURE CODING ESSENTIALS

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Security Solution. Web Application

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Introduction Who needs WAF anyway? The Death of WAF? Advanced WAF Why F5?

Content Security Policy

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

WFUZZ! for Penetration Testers! Christian Martorella & Xavier Mendez! SOURCE Conference 2011! Barcelona!

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Advanced Diploma on Information Security

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

OWASP Broken Web Application Project. When Bad Web Apps are Good

General ways to find and exploit directory traversals on Android. Xiang Xiaobo 360 Alpha Team

TIBCO Cloud Integration Security Overview

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Contents in Detail. Foreword by Peter Van Eeckhoutte

C o n t e n t S i n D e ta i l FOrewOrd by Matt Graeber xii PreFaCe xvii C# CraSH COurSe FuzzinG and exploiting xss and SQL injection

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies

Host Website from Home Anonymously

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Economies of Scale in Hacking Dave Aitel Immunity

Stopping Automated Application Attack Tools

Expanding Human Interactions for In-Depth Testing of Web Applications

Q WEB APPLICATION ATTACK STATISTICS

Web Applications Security. Radovan Gibala F5 Networks

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Hack in the Box Trends and Tools. H D Moore

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Metasploit. Installation Guide Release 4.4

Using Vulnerability Injection to Improve Web Security

Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Web Application Security Evaluation

Cross Platform Penetration Testing Suite

Preventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE

Introduction to Ethical Hacking

SensePost Training Overview 2011/2012

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Vulnerability Management From B Movie to Blockbuster Rahim Jina

Transcription:

Andrés Riancho andres@bonsai-sec.com sec.com H2HC, HC, Brazil - 2009 1

Web Application Security enthusiast Developer (python!) Open Source Evangelist With some knowledge in networking, IPS design and evasion w3af project leader Founder of BonsaiInformation Security

Who works with Application Security? Who heard about w3af? Who used w3af? Who tried to read w3af's code? Who hacked w3af's code?

w3afstands for Web Application Attack and Audit Framework An Open Source project (GPLv2) A set of scripts that evolved into a serious project A vulnerability scanner An exploitation tool A set of manual analysis tools

Identifies almost all web application vulnerabilities using more than 130 plugins. Cross platform (written in python). GTK and Console user interface Really easy to extend Uses Tactical exploitation techniques to discover new URLs and vulnerabilities Exploits [blind] SQL injections, OS commanding, remote file inclusions, local file inclusions, XSS, unsafe file uploads and more!

Synergy among plugins WML Support (WAP) Broken HTML support A smarter fuzzer Manual and automated analysis web applications MITM proxy Manual request editor Fuzzy request generator Least, but not less important: an active community

w3af is divided in two main parts, the coreand the plugins. The corecoordinatesthe process and provides featuresthat plugins consume. Plugins find the vulnerabilities, and exploit them. Plugins share information with each other using a knowledge base. Design patterns and objects everywhere!

8 different types of plugins exist: discovery audit grep attack output mangle evasion bruteforce

They find new URLs, forms, etc.and create a complete sitemap. The findings are saved in the core as fuzzable requests. Examples of discovery plugins are: webspider urlfuzzer googlespider pykto

They are run in a loop, the output of one discovery plugin is sent as input to the next plugin. This process continues until all plugins fail to find a new resource. This feature increases the code coverage of each scan, allowing the audit plugins to find more vulnerabilities.

Other discovery plugins try to fingerprint remote httpd, verify if the remote site has an HTTP load balancer installed, etc. halberd hmap afd fingerprint_waf I need some refactoring Crawlers Infrastructure

They take the output of discovery plugins and find vulnerabilities like: [blind] SQL injection XSS Buffer overflows Response splitting. Vulnerabilities are identified using different methods, that vary on the type of vulnerability being identified, but when possible, all methods are used: Error based Time delay Creating a new remote file Different responses (AND 1=1, AND 1=2)

As vulnerabilities are found, they are saved as vuln objectsin the knowledge base. These vuln objects are then used as the input for attack plugins, that will exploit the vulnerabilities.

These plugins read the vuln objects from the KB and try to exploit them. Examples of attack plugins are: sql_webshell davshell sqlmap xssbeef remote file include shell OS Commanding shell

16

17

Live scan: User browses the website through w3af w3af parses the requests, and sends them to audit plugins in order to find vulnerabilities. The user can view findings in real time, while browsing the target website. Better management reporting Enhance the MITM Proxy. Releasing 1.0 in a few days (I'm saying this since April)

w3af is a growing project, with many features and huge potential. Over the past year, a lot of bugs were fixed, making the project waaaaaaaaaaaaaay more stable. But we still have a lot of known bugs, and performance enhancements, that we're going to be working on. New plugins are always welcome! But what I really want is

Project website http://w3af.sf.net/ Two different mailing lists, usersand develop. IRC channel, #w3af at Freenode. Attend one of my w3af trainings! Next one is in December @ NYC. If you deliver Web App Sec Trainings, include this tool!

22

I tested it a while ago and it crashed every time, what has changed? Is w3af a possible competitorto AppScan, Cenzic, Acunetix? Is w3af going to be Open Source for ever? Is w3af included in the Web Application Security training that you're going to deliver on Monday and Tuesday?

24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback