Legal and efficient web app testing without permission · Agenda • Intro - Why + How without...
![Page 1: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/1.jpg)
Legal And Efficient Web App Testing
Without Permission
Abraham Aranguren - @7a_ @owtfp
[email protected]
http://7-a.org
http://owtf.org
Agenda
• Intro
- Why + How without permission
- OWTF basics
• Practical Cheating:
- OWASP + OWTF Walk-through
• Conclusion
• Q&A
About me
• Spanish dude
• Uni: Degree, InfoSec research + honour mark
• IT: Since 2000, defensive sec as netadmin / developer
• (Offensive) InfoSec: Since 2007
• OSCP, CISSP, GWEB, CEH, MCSE, etc.
• Web App Sec and Dev/Architect
• Infosec consultant, blogger, OWTF, GIAC, BeEF
The pen testing problem
http://scottthong.wordpress.com
Attacker Tactics
From “Open Source Information Gathering” by Chris Gates, Brucon 2009
http://carnal0wnage.attackresearch.com/
Pentester disadvantage
Pentesters vs Bad guys:
• Pentesters have time/scope constraints != Bad guys
• Pentesters have to write a report != Bad guys
Complexity is increasing: more complexity = more time needed to test properly
Customers are rarely willing to “pay for enough / reasonable testing time”
A call for efficiency:
• We must find vulns faster
• We must be more efficient
• .. or bad guys will find the vulns, not us
Can we learn from history?
Huge disadvantage
Has this problem been solved before?
Ancient “Top Attackers”
Individually outstanding due to:
• Artificial selection: Babies killed if “defective” (!)
• Military training (“Agoge”): Ages 7-18
• Final test: Survive in the countryside with only a knife
• Spartan Law: No retreat, No surrender (i.e. victory or death)
Globally outstanding due to solid tactic: “Hoplite phalanx”
• Shield wall + Spear points
• Frontally very strong + used successfully for centuries
http://scottthong.wordpress.com / http://en.wikipedia.org/wiki/Sparta
How would you beat them?
How could a room full of (sedentary? ☺) Geeks beat a room full of Spartans?
Ok, more realistic scenario ☺:
• Your troops must fight the Spartans
• You have the same number of soldiers
• Your soldiers are not that great
• How can you WIN?
Ancient “Pentest Cheating”
Battle of Lechaeum: Spartans defeated by “lamers”!
Tactic “Cheating”:
• Don’t fight, throw things!: Javelins + bows = Athenians WON
• Phalanx weak against: “shooters”, cavalry, flank/back attacks
http://www.ancientgreekbattles.net / http://en.wikipedia.org/wiki/Phalanx_formation / http://en.wikipedia.org/wiki/Battle_of_Lechaeum
Why not take this to the next level?
Why not legitimately?
• Shoot “before the battle” without permission
• Shoot while we analyse information in parallel
• Prepare more shootings without being noticed
A Pentester “cheating try”
Offensive (Web) Testing Framework = Multi-level “cheating” tactics
OWTF Chess-like approach
Kasparov against Deep Blue - http://www.robotikka.com
OWTF Plugin Groups
OWTF > Web: Aux Plugins
Metasploit-like automation for external tools, custom tests and more
OWTF “Cheating”: Talk Scope
At least 48.5% (32 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission
* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!
Classic Pentest Stages
1. Pre-engagement: No permission → “OWTF Cheat tactics” = Start here
2. Engagement: Permission → Official test start = Active Testing here
OWTF 101
Step 1 - Run it
Pre-engagement safe CLI OWTF options without permission:
o owtf.py -t passive http://target.com
o owtf.py -t semi_passive http://target.com (semi_passive + grep)
o owtf.py -t quiet http://target.com (passive + semi_passive + grep)
OWTF 101 (cont.)
Step 2 - Human Analysis in parallel
Pentester all-out “cheating” via OWTF continuous reporting:
• Pentester works on the report interface
• Start human analysis from “minute 1”: No “waiting until X for scan to finish”
• Tools run in background via OWTF: No tool babysitting + No wasted energy
• Refresh report for newer results
• The human and the tools complement each other: “Fighting together as a team”
Context consideration:
Case 1 → robots.txt Not Found
…should Google index a site like this?
Or should robots.txt exist and be like this?
User-agent: *
Disallow: /
Case 1 → robots.txt Not Found - Semi passive
• Direct request for robots.txt
• Without visiting entries
Case 2 → robots.txt Found - Passive
• Indirect Stats, Downloaded txt file for review, “Open All in Tabs”
OWTF HTML Filter challenge: Embedding of untrusted third party HTML
Defence layers:
1) HTML Filter: Open source challenge
Filter 6 unchallenged since 04/02/2012, Can you hack it? ☺
http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html
2) HTML 5 sandboxed iframe
3) Storage in another directory = cannot access OWTF Review in localStorage
Start reporting!: Take your notes with fancy formatting
Step 1 – Click the “Edit” link
Step 2 – Start documenting findings + Ensure preview is ok
Start reporting!: Paste PoC screenshots
The magic bar ;) – Useful to generate the human report later
Step 1- Browse output files to review the full raw tool output:
Step 2 – Review tools run by the passive Search engine discovery plugin:
Was your favourite tool not run?
Tell OWTF to run your tools on: owtf_dir/profiles/resources/default.cfg (backup first!)
Passive Plugin
Tool output can also be reviewed via clicking through the OWTF report directly:
The Harvester:
• Emails
• Employee Names
• Subdomains
• Hostnames
http://www.edge-security.com/theHarvester.php
Metadata analysis:
• TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺)
• Implemented: Integration with Metagoofil
http://www.edge-security.com/metagoofil.php
Inbound proxy not stable yet but all this happens automatically:
• robots.txt entries added to “Potential URLs”
• URLs found by tools are scraped + added to “Potential URLs”
During Active testing (later):
• “Potential URLs” visited + added to “Verified URLs” + Transaction log
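Added example (not OWTF code) of the robots.txt handling from the two cases above and of feeding its entries into “Potential URLs” without visiting them; the target.example host and the sample robots.txt are constructed for this example.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample of what a semi-passive "direct request for robots.txt"
# might return. Made up for this example, not taken from any real site.
SAMPLE_ROBOTS = """\
# robots.txt (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/
Sitemap: http://target.example/sitemap.xml

User-agent: Googlebot
Disallow: /private/
"""


def parse_robots(text):
    """Collect Disallow, Allow and Sitemap values, ignoring comments and
    blank lines. Values are deduplicated and keep their original order."""
    result = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        key = field.lower()
        if key in result and value and value not in result[key]:
            result[key].append(value)
    return result


def classify_robots(status, text):
    """Label the two cases from the slides:
    Case 1, HTTP 404: nothing to add, but ask whether the site should be
    indexed at all. Case 2, found: a blanket 'Disallow: /' says little,
    while specific paths point at areas the owner does not want indexed."""
    if status == 404:
        return "not_found"
    parsed = parse_robots(text)
    if parsed["disallow"] == ["/"]:
        return "found_disallow_all"
    if parsed["disallow"]:
        return "found_specific_paths"
    return "found_empty"


def potential_urls(base, text):
    """Turn Disallow/Allow entries into absolute 'Potential URLs' for the
    target without requesting them (visiting needs permission). Entries
    with wildcards (* or $) are flagged for human review instead."""
    parsed = parse_robots(text)
    target_host = urlparse(base).netloc
    urls = []
    for path in parsed["disallow"] + parsed["allow"]:
        if path == "/":
            continue  # blanket rule, not a specific entry point
        url = urljoin(base, path)
        if urlparse(url).netloc != target_host:
            continue  # stay on the target host
        label = "review-wildcard" if re.search(r"[*$]", path) else "potential"
        if (url, label) not in urls:
            urls.append((url, label))
    return urls
```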
All HTTP transactions logged by target in transaction log
Step 1 – Click on “Transaction Log”
Step 2 – Review transaction entries
Step 3 – Review raw transaction information (if desired)
Step 1 - Make all direct OWTF requests go through Outbound Proxy:
Passes all entry points to the tactical fuzzer for analysis later
Step 2 - Entry points can then also be analysed via tactical fuzzer:
Manually verify request for fingerprint:
Goal: What is that server running?
Whatweb integration with non-aggressive parameter (semi passive detection):
https://github.com/urbanadventurer/WhatWeb
Fingerprint header analysis: Match stats
Convenient vulnerability search box (1 box per header found ☺):
Search All → Open all site searches in tabs
Exploit DB - http://www.exploit-db.com
NVD - http://web.nvd.nist.gov - CVSS Score = High
OSVDB - http://osvdb.org - CVSS Score = High
http://www.securityfocus.com - Better on Google
http://www.exploitsearch.net - All in one
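Added example (not OWTF code) of the fingerprint header match stats and the “one search box per header found” idea above; the transactions are constructed, and the search URL templates use hypothetical .example hosts that stand in for each database's real search form.

```python
import re
from collections import Counter
from urllib.parse import quote_plus

# Constructed transactions, shaped like (url, status, headers), as the OWTF
# transaction log might hold them after a semi-passive run. Made up values.
SAMPLE_TRANSACTIONS = [
    ("http://target.example/", 200, {
        "Server": "Apache/2.2.14 (Ubuntu)",
        "X-Powered-By": "PHP/5.3.2",
        "Content-Type": "text/html"}),
    ("http://target.example/robots.txt", 404, {
        "Server": "Apache/2.2.14 (Ubuntu)",
        "Content-Type": "text/html"}),
    ("http://target.example/login", 200, {
        "server": "Apache/2.2.14 (Ubuntu)",
        "X-Powered-By": "PHP/5.3.2",
        "Set-Cookie": "PHPSESSID=abc; path=/",
        "Content-Type": "text/html"}),
]

# Response headers that commonly leak software and version information.
FINGERPRINT_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version",
                       "X-AspNetMvc-Version", "Via", "X-Generator")

# One link per database per header value. The URL templates are placeholders
# (hypothetical .example hosts); substitute each database's real search URL.
SEARCH_TEMPLATES = {
    "Exploit DB": "https://exploit-db.example/search?q={q}",
    "NVD": "https://nvd.example/search?q={q}",
    "OSVDB": "https://osvdb.example/search?q={q}",
}


def header_match_stats(transactions):
    """For every fingerprint header, count how many transactions carried
    each distinct value (the 'Match stats' view). Names match
    case-insensitively, since servers are not consistent about casing."""
    stats = {}
    for _url, _status, headers in transactions:
        lowered = {name.lower(): value for name, value in headers.items()}
        for name in FINGERPRINT_HEADERS:
            value = lowered.get(name.lower())
            if value is not None:
                stats.setdefault(name, Counter())[value] += 1
    return stats


def search_term(value):
    """Reduce a banner such as 'Apache/2.2.14 (Ubuntu)' to the query
    'Apache 2.2.14', which vulnerability databases match far better."""
    value = re.sub(r"\(.*?\)", "", value)  # drop '(Ubuntu)'-style comments
    product, _, version = value.strip().partition("/")
    version = version.split()[0] if version.strip() else ""
    return f"{product.strip()} {version}".strip()


def search_links(stats, templates=SEARCH_TEMPLATES):
    """One 'search box' per header value found: a link into each database."""
    links = []
    for header, counter in stats.items():
        for value in counter:
            q = quote_plus(search_term(value))
            for site, template in templates.items():
                links.append((header, value, site, template.format(q=q)))
    return links


def search_all(stats, templates=SEARCH_TEMPLATES):
    """'Search All': every URL, ready to open in tabs in one go."""
    return [url for _header, _value, _site, url in search_links(stats, templates)]
```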
Passive Fingerprint analysis
http://toolbar.netcraft.com - Passive banner grab, etc.
http://builtwith.com
• CMS
• Widgets
• Libraries
• etc
http://www.shodanhq.com/
Search in the headers without touching the site:
Passive suggestions
- Prepare your test in a terminal window to hit “Enter” on “permission minute 1”
What else can be done with a fingerprint?
Also check http://www.oldapps.com/, Google, etc.
Environment replication
Download it .. Sometimes from project page ☺
RIPS for PHP: http://rips-scanner.sourceforge.net/
Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
Static Analysis, Fuzz, Try exploits, ..
http://www.robtex.com - Passive DNS Discovery
http://whois.domaintools.com
http://centralops.net
Has Google found error messages for you?
Check errors via Google Cache
https://www.ssllabs.com/ssldb/analyze.html
The link is generated with OWTF with that box ticked: Important!
https://www.ssllabs.com/ssldb/analyze.html
Pretty graphs to copy-paste to your OWTF report ☺
Do not forget about Strict-Transport-Security!
sslstrip chances decrease dramatically:
Only the 1st time the user visits the site!
Not found example:
Found example:
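Added example, not OWTF code: a check of a response for the Strict-Transport-Security header that labels the Not found / Found cases above and adds the directive checks a reviewer would note; the sample headers and the one-year max-age threshold are assumptions made for this example.

```python
# Recommended minimum max-age, one year in seconds. A threshold assumed for
# this example; adjust it to the policy you test against.
RECOMMENDED_MAX_AGE = 31536000

# Constructed responses for the two cases on the slides (made-up headers).
NOT_FOUND_EXAMPLE = {"Server": "Apache", "Content-Type": "text/html"}
FOUND_EXAMPLE = {"Server": "Apache",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}


def parse_hsts(value):
    """Split 'max-age=600; includeSubDomains' into {'max-age': '600',
    'includesubdomains': ''}. Directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers):
    """Classify a response as the 'Not found' / 'Found' slides do, and add
    the checks a reviewer would note on a found header. Without HSTS the
    browser follows a plain-http redirect on every visit; with it, a
    downgrade such as sslstrip only has a chance before the first visit."""
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return {"status": "not_found", "max_age": None,
                "include_subdomains": False, "preload": False,
                "notes": ["No HSTS header: every visit can be downgraded"]}
    directives = parse_hsts(value)
    notes = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = None
        notes.append("max-age missing or invalid: browsers ignore the header")
    if max_age == 0:
        notes.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age is not None and max_age < RECOMMENDED_MAX_AGE:
        notes.append(f"max-age {max_age} below recommended {RECOMMENDED_MAX_AGE}")
    include_sub = "includesubdomains" in directives
    if not include_sub:
        notes.append("includeSubDomains absent: subdomains can still be served over http")
    return {"status": "found" if not notes else "found_weak",
            "max_age": max_age, "include_subdomains": include_sub,
            "preload": "preload" in directives, "notes": notes}
```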
HTML content analysis: HTML Comments
Efficient HTML content matches analysis
Step 1 - Click
Step 2 - Human Review of Unique matches
Efficient HTML content matches analysis
Step 1 - Click
Step 2 - Review Unique matches (click on links for sample match info)
Want to see all? then click
HTML content analysis: CSS and JavaScript Comments (/* */)
HTML content analysis: Single line JavaScript Comments (//)
HTML content analysis: PHP source code
HTML content analysis: ASP source code
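Added example (not OWTF's own matchers) of regex-based content analysis for the five categories above, giving the unique-match counts and a sample URL per match that the review steps describe; the pages and URLs are constructed for this example.

```python
import re

# Constructed pages keyed by URL, standing in for the HTML that OWTF's
# content matchers would scan. Both the markup and the URLs are made up.
SAMPLE_PAGES = {
    "http://target.example/": """<html>
<!-- TODO: remove debug panel before go-live -->
<link rel="stylesheet" href="//cdn.example/site.css">
<script src="http://target.example/app.js"></script>
<script>
/* legacy auth helper, see internal ticket */
var resetEnabled = false; // password reset disabled until audit
</script>
<?php echo $debug_sql; ?>
</html>""",
    "http://target.example/about": """<html>
<!-- TODO: remove debug panel before go-live -->
<!-- nav -->
<% Response.Write(Request.QueryString("id")) %>
</html>""",
}

# One regex per category on the slides. The single-line JS pattern skips
# '//' that follows ':' (http://), a quote (src="//cdn") or a word
# character, which removes most URL false positives; the rest is what the
# human review step is for.
PATTERNS = {
    "HTML comments": re.compile(r"<!--.*?-->", re.S),
    "CSS/JS comments (/* */)": re.compile(r"/\*.*?\*/", re.S),
    "Single line JS comments (//)": re.compile(r"""(?<![:"'\w])//[^\n]*"""),
    "PHP source code": re.compile(r"<\?php.*?\?>", re.S),
    "ASP source code": re.compile(r"<%.*?%>", re.S),
}


def find_matches(pages):
    """Run every pattern over every page. Returns
    {category: {match_text: {"count": n, "urls": [where it was seen]}}}
    so identical matches across pages collapse into one 'unique match'
    with a hit count and sample URLs to click through."""
    found = {category: {} for category in PATTERNS}
    for url, html in pages.items():
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(html):
                text = match.group(0).strip()
                entry = found[category].setdefault(text, {"count": 0, "urls": []})
                entry["count"] += 1
                if url not in entry["urls"]:
                    entry["urls"].append(url)
    return found


def summary(pages):
    """Per category: (unique matches, total matches), the numbers you
    glance at before deciding which category to review first."""
    found = find_matches(pages)
    return {category: (len(entries), sum(e["count"] for e in entries.values()))
            for category, entries in found.items()}


def unique_matches(pages, category):
    """Unique matches for one category, most frequent first, each with the
    first URL where it was seen (the 'sample match info' link)."""
    entries = find_matches(pages)[category]
    ordered = sorted(entries.items(), key=lambda item: (-item[1]["count"], item[0]))
    return [(text, data["count"], data["urls"][0]) for text, data in ordered]
```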
If you find an admin interface don’t forget to ..
Google for default passwords:
Disclaimer: Permission is required for this
http://centralops.net
![Page 79: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/79.jpg)
Is the login page on “http” instead of “https”?
![Page 80: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/80.jpg)
Pro Tip: When browsing the site manually ...
... look carefully at pop-ups like this:
Consider (i.e. prep the attack):
Firesheep: http://codebutler.github.com/firesheep/
SSLStrip: https://github.com/moxie0/sslstrip
![Page 81: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/81.jpg)
Mario was going to report a bug to Mozilla and found another!
![Page 82: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/82.jpg)
Abuse user/member public search functions:
1. Search for "" (nothing) or "a", then "b", ...
2. Download all the data using 1) + pagination (if any)
3. Merge the results into a CSV-like format
4. Import + save as a spreadsheet
5. Show the spreadsheet to your customer
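The five steps above as one script. This is an added example, not code from the slides or from OWTF: the network call is a fetch(term, page) callable you supply, and the demo's fake_fetch serves a constructed in-memory directory so it runs offline. The de-duplication by record id is what turns the overlapping prefix searches ("" , "a", "al", ...) into one clean spreadsheet.

```python
"""Harvest a public member search with prefix enumeration and paging.

Added example, not code from the slides or from OWTF. It automates the
slide's steps: query "" and then each letter, follow pagination, merge and
de-duplicate, write CSV. The network call is a fetch(term, page) callable
you supply; the demo's fake_fetch serves a constructed in-memory directory so
this runs offline. Against a real site do this only with the customer's
permission and rate-limit the fetcher: thousands of search requests are
visible in the logs whether or not the data is public.
"""
import csv
import io
import string


def harvest(fetch, page_size, alphabet=string.ascii_lowercase):
    """Collect every record reachable through the search, keyed by id so that a
    member found via "", "a" and "al" is stored once."""
    seen = {}
    for term in [""] + list(alphabet):
        page = 1
        while True:
            records = fetch(term, page)
            for record in records:
                seen.setdefault(record["id"], record)
            if len(records) < page_size:    # a short page is the last page
                break
            page += 1
    return list(seen.values())


def to_csv(records, fields=("id", "name", "email")):
    """Spreadsheet-ready text, sorted by id, extra fields dropped."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(fields), extrasaction="ignore")
    writer.writeheader()
    for record in sorted(records, key=lambda r: r["id"]):
        writer.writerow(record)
    return out.getvalue()


# Constructed stand-in for the target's search endpoint (not a real site).
FAKE_DIRECTORY = [
    {"id": 1, "name": "alice", "email": "alice@example.com"},
    {"id": 2, "name": "anna", "email": "anna@example.com"},
    {"id": 3, "name": "bob", "email": "bob@example.com"},
    {"id": 4, "name": "carol", "email": "carol@example.com"},
    {"id": 5, "name": "dave", "email": "dave@example.com"},
]
PAGE_SIZE = 2


def fake_fetch(term, page):
    """Prefix search over FAKE_DIRECTORY, PAGE_SIZE results per page; an empty
    term returns everyone, as many real search functions do."""
    hits = [r for r in FAKE_DIRECTORY if r["name"].startswith(term)]
    start = (page - 1) * PAGE_SIZE
    return hits[start:start + PAGE_SIZE]


if __name__ == "__main__":
    print(to_csv(harvest(fake_fetch, PAGE_SIZE)))
```

Swap fake_fetch for a function that performs the real GET (with a delay between calls) and the rest stays the same; the "short page means last page" rule is the usual stop condition, but check how the target paginates before trusting it.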
![Page 83: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/83.jpg)
Analyse the username(s) they gave you to test:
• Username based on numbers? e.g. USER12345
• Username based on public info? (i.e. names, surnames, ...) e.g. name.surname
• Default CMS user/pass?
![Page 84: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/84.jpg)
Part 1 – Remember Password: Autocomplete

Bad:
<form action="/user/login" method="post">
<input type="password" name="pass" />

Good, via 1) the form: <form ... autocomplete="off">
Or via 2) the field: <input ... autocomplete="off">
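The same rule applied to a whole page, as an added example (not code from the slides or from OWTF): every password input is reported unless autocomplete="off" sits on the field or on its enclosing form. The markup in SAMPLE_HTML is constructed.

```python
"""Flag password fields that the browser may offer to remember.

Added example, not code from the slides or from OWTF: it applies the rule on
the slide (autocomplete="off" must appear on the <form> or on the password
<input> itself) to a page's HTML. The markup in SAMPLE_HTML is constructed.
"""
from html.parser import HTMLParser


class PasswordFieldScanner(HTMLParser):
    """Record every <input type="password"> together with the autocomplete
    setting of the field and of the <form> that encloses it."""

    def __init__(self):
        super().__init__()
        self.form_stack = []   # (action, form has autocomplete=off) per open <form>
        self.findings = []     # (form action, field name, protected?)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        auto_off = a.get("autocomplete", "").lower() == "off"
        if tag == "form":
            self.form_stack.append((a.get("action", ""), auto_off))
        elif tag == "input" and a.get("type", "").lower() == "password":
            action, form_off = self.form_stack[-1] if self.form_stack else ("<no form>", False)
            self.findings.append((action, a.get("name", "?"), form_off or auto_off))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def unprotected_password_fields(html):
    """Return [(form action, field name)] for password inputs with no
    autocomplete="off" on the field or on its form (the slide's "Bad" case)."""
    scanner = PasswordFieldScanner()
    scanner.feed(html)
    scanner.close()
    return [(action, name) for action, name, ok in scanner.findings if not ok]


# Constructed sample: one bad login form, one fixed at form level, one mixed.
SAMPLE_HTML = """
<form action="/user/login" method="post">
  <input type="text" name="name" />
  <input type="password" name="pass" />
</form>
<form action="/user/login2" method="post" autocomplete="off">
  <input type="password" name="pass2" />
</form>
<form action="/account/change" method="post">
  <input type="password" name="old" autocomplete="off" />
  <input type="password" name="new" />
</form>
"""

if __name__ == "__main__":
    for action, name in unprotected_password_fields(SAMPLE_HTML):
        print(f"{action}: password field '{name}' may be remembered by the browser")
```

Caveat for today's reports: mainstream browsers have ignored autocomplete="off" on login fields for years, so this is now a low-severity observation rather than a fix that stops password saving; the manual "grandma" test on the next slide is what shows the actual browser behaviour.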
![Page 85: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/85.jpg)
Manual verification for password autocomplete (i.e. for the customer)
Easy "your grandma can do it" test:
1. Login
2. Logout
3. Click the browser Back button twice*
4. Can you login again, without typing the login or password, by re-sending the login form?
* Until the login form submission
Can the user re-submit the login form via the back button?

Other sensitive fields: pentester manual verification
• Credit card fields
• Password hint fields
• Other
![Page 86: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/86.jpg)
Part 2 - Password Reset forms
Manually look at the questions / fields in the password reset form:
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc)
• Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)
![Page 87: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/87.jpg)
Goal: Is caching of sensitive info allowed?
Manual verification steps: "your grandma can do it" ☺ (need login):
1. Login
2. Logout
3. Click the browser Back button
4. Do you see logged in content, or a "this page has expired" error / the login page?

Manual analysis tools:
• Commands: curl -i http://target.com
• Proxy: Burp, ZAP, WebScarab, etc
• Browser plugins:
https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
https://addons.mozilla.org/en-US/firefox/addon/firebug/
![Page 88: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/88.jpg)
HTTP/1.1 headers
Bad:  Cache-Control: private (only keeps shared caches out; the browser may still store the page)
Good: Cache-Control: no-cache (better: no-cache, no-store, as in the Google response below; no-cache alone only forces revalidation and still allows a stored copy)

HTTP/1.0 headers
Bad:  Pragma: private (not a defined value; Pragma only defines no-cache)
Good: Pragma: no-cache

Bad:  Expires: <way too far in the future>
Good: Expires: <past date or illegal (e.g. 0)>

The world: no caching headers = caching allowed

https://accounts.google.com:
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ….
X-Powered-By: ….
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT
![Page 89: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/89.jpg)
![Page 90: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/90.jpg)
Repeat for Meta tags
Bad:  <META HTTP-EQUIV="Cache-Control" CONTENT="private">
Good: <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
Browsers mostly ignore these in favour of the real HTTP headers, so a page that relies on the meta tag alone is still Bad; the tag is still worth reading because it shows what the developer intended.
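The header and meta-tag rules from the last two slides, as an added example (not code from the slides or from OWTF) that grades a captured response head the way you would by hand with curl -i. GOOGLE_RESPONSE is the accounts.google.com head shown on the slide; the other samples are constructed.

```python
"""Grade the cache directives of a response that carries sensitive content.

Added example, not code from the slides or from OWTF. It encodes the slide's
rules for the HTTP/1.1 (Cache-Control), HTTP/1.0 (Pragma, Expires) and
<meta http-equiv> layers: a page is only "good" when every layer forbids
caching. GOOGLE_RESPONSE is the accounts.google.com head shown on the slide;
the other samples are constructed.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_headers(raw_response):
    """Raw response head -> {lower-cased name: [values]} (status line skipped)."""
    headers = {}
    for line in raw_response.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def expires_is_past(value, now=None):
    """True for a past date and for illegal values such as 0 or -1, which
    HTTP says to treat as already expired."""
    now = now or datetime.now(timezone.utc)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):       # unparseable = "expired" per the RFC
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now


def cache_verdict(raw_response, now=None):
    """Return ("good", []) or ("bad", [reasons]) for the HTTP header layer."""
    h = parse_headers(raw_response)
    directives = {d.strip().lower() for v in h.get("cache-control", []) for d in v.split(",")}
    pragma = {p.strip().lower() for v in h.get("pragma", []) for p in v.split(",")}
    expires = h.get("expires", [])
    if not directives and not pragma and not expires:
        return "bad", ["no caching headers at all = caching allowed"]
    reasons = []
    if "no-store" not in directives:
        reasons.append("Cache-Control lacks no-store (private or no-cache alone still let the browser keep a copy)")
    if "no-cache" not in directives:
        reasons.append("Cache-Control lacks no-cache")
    if "no-cache" not in pragma:
        reasons.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if not expires:
        reasons.append("Expires missing")
    elif not all(expires_is_past(e, now) for e in expires):
        reasons.append("Expires lies in the future")
    return ("bad", reasons) if reasons else ("good", [])


META_RX = re.compile(
    r'<meta[^>]*http-equiv=["\']?cache-control["\']?[^>]*content=["\']?([^"\'>]+)', re.I)


def meta_cache_verdict(html):
    """"good" / "bad" / "none" for <META HTTP-EQUIV="Cache-Control"> tags. Browsers
    mostly ignore these, so the HTTP verdict above is the one that counts."""
    values = {d.strip().lower() for m in META_RX.finditer(html) for d in m.group(1).split(",")}
    if not values:
        return "none"
    return "good" if {"no-cache", "no-store"} & values else "bad"


GOOGLE_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT
"""

# Constructed: the "Bad" column of the slide in one response.
BAD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Pragma: private
Expires: Fri, 01 Jan 2038 00:00:00 GMT
"""

NO_HEADERS_RESPONSE = "HTTP/1.1 200 OK\nContent-Type: text/html\n"

if __name__ == "__main__":
    for label, resp in (("google", GOOGLE_RESPONSE), ("bad", BAD_RESPONSE), ("none", NO_HEADERS_RESPONSE)):
        print(label, cache_verdict(resp))
```

Feed it the output of curl -i (or a response copied from the proxy) for a page that shows account data; the reasons list is the text you paste into the finding.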
![Page 91: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/91.jpg)
Step 1 – Find CAPTCHAs: Passive search
![Page 92: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/92.jpg)
Offline manual analysis:
• Download image and try to break it
• Are CAPTCHAs reused?
• Is a hash or token passed? (Good algorithm? Predictable?)
• Look for vulns on CAPTCHA version

CAPTCHA breaking tools:
PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
Captcha Breaker - http://churchturing.org/captcha-dist/
![Page 93: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/93.jpg)
Manually examine cookies for weaknesses offline
Example 1: owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412
(32 hex digits = a 128-bit, MD5-sized digest: what is hashed, and can an attacker guess the input?)
Example 2: MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
Decoded value: 192.168.100.1:owaspuser:password:15:58
Base64 is encoding (!= encryption ☺)
![Page 94: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/94.jpg)
http://hackvertor.co.uk/public
![Page 95: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/95.jpg)
Lots of decode options, including:
• auto_decode
• auto_decode_repeat
• d_base64
• etc.
![Page 96: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/96.jpg)
F5 BIG-IP cookie decoder:
http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
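Both cookie checks from the slides above (Base64 spotting, and the BIG-IP persistence cookie) in one offline script. This is an added example, not code from the slides, from Hackvertor, from the Taddong decoder or from OWTF. The Base64 and hex values are the OWASP Testing Guide ones on the slide; the BIG-IP value is a constructed one.

```python
"""Decode cookie values offline: Base64 and the F5 BIG-IP persistence cookie.

Added example, not code from the slides or from OWTF. It covers the two
slides above: spotting that a value is Base64 (encoding, not encryption)
and reading it back; and decoding the BIG-IP cookie format, where the
value is <ip>.<port>.0000 with the IPv4 address and the port stored as
little-endian integers. The Base64 and hex values are the ones on the slide
(the OWASP Testing Guide example); the BIG-IP value is a constructed one.
"""
import base64
import binascii
import re
import socket
import struct


def try_base64(value):
    """Decoded text if value is well-formed Base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(value):
    """Cheap triage: ("hex-digest", bits), ("base64", plaintext) or ("opaque", value)."""
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in (32, 40, 64):
        # MD5 / SHA-1 / SHA-256 sized: ask what is hashed and whether it is guessable
        return "hex-digest", len(value) * 4
    decoded = try_base64(value)
    if decoded is not None:
        return "base64", decoded
    return "opaque", value


def decode_bigip_cookie(value):
    """'1677787402.36895.0000' -> '10.1.1.100:8080' (internal address of the pool member)."""
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("not a plain BIG-IP <ip>.<port>.0000 value (encrypted cookies are not decimal)")
    ip = socket.inet_ntoa(struct.pack("<I", int(parts[0])))           # little-endian 32-bit -> dotted quad
    port = struct.unpack("<H", struct.pack(">H", int(parts[1])))[0]   # byte-swap the 16-bit port
    return f"{ip}:{port}"


if __name__ == "__main__":
    for v in ("a7656fafe94dae72b1e1487670148412",
              "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg="):
        print(v, "->", classify(v))
    print("BIGipServerpool=1677787402.36895.0000 ->", decode_bigip_cookie("1677787402.36895.0000"))
```

The BIG-IP cookie gives away the RFC 1918 address and port of the real web server behind the load balancer, which is exactly the kind of passive information that goes into the pre-engagement notes without a single attack request.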
![Page 97: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/97.jpg)
• Secure: not set = session cookie also sent over plain http = leaked = pwned
• HttpOnly: not set = cookies stealable via JS (document.cookie)
• Domain: set properly (no wider than the host that needs it)
• Expires: set reasonably (a session cookie should not be persistent)
• Path: set to the right /sub-application
• 1 session cookie that works is enough ..
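The checklist above applied to raw Set-Cookie lines, as an added example (not code from the slides or from OWTF). "Set properly" only means something relative to the host and application path the cookie is meant for, so both are inputs. The sample header values are constructed; the first reuses the PHPSESSID value from the session-fixation slide.

```python
"""Audit Set-Cookie attributes of a session cookie, offline.

Added example, not code from the slides or from OWTF. It walks the slide's
checklist (Secure, HttpOnly, Domain, Expires, Path) over raw Set-Cookie
header values. The host and application path the cookie is meant for are
inputs, since "set properly" only means something relative to them. The
sample header values are constructed.
"""


def parse_set_cookie(header_value):
    """'name=value; Path=/; Secure' -> (name, value, {attr: value or True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_session_cookie(header_value, host, app_path="/", site_is_https=True):
    """Return a list of findings (empty = nothing to report) for one Set-Cookie line."""
    name, _, a = parse_set_cookie(header_value)
    findings = []
    if site_is_https and "secure" not in a:
        findings.append(f"{name}: Secure missing, the cookie is also sent over plain http (sniffable, SSLStrip-able)")
    if "httponly" not in a:
        findings.append(f"{name}: HttpOnly missing, readable through document.cookie (XSS steals it)")
    domain = a.get("domain")
    # Any Domain attribute also covers subdomains; only the obviously wider case is flagged here.
    if isinstance(domain, str) and domain.lstrip(".").lower() != host.lower():
        findings.append(f"{name}: Domain={domain} is wider than {host}, other subdomains receive the cookie")
    path = a.get("path", "/")
    if isinstance(path, str) and path.rstrip("/") != app_path.rstrip("/"):
        findings.append(f"{name}: Path={path} does not match the application path {app_path}")
    if "expires" in a or "max-age" in a:
        findings.append(f"{name}: persistent session cookie (Expires/Max-Age set), it outlives the browser session")
    return findings


# Constructed samples for an app living at https://app.example.com/app
SAMPLE_SET_COOKIES = [
    "PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; path=/",
    "sid=Nao2mxgho6p9jisslen9v3t6o5f943h; Path=/app; Secure; HttpOnly",
    "sid=Nao2mxgho6p9jisslen9v3t6o5f943h; Domain=.example.com; Path=/; "
    "Expires=Fri, 01 Jan 2038 00:00:00 GMT; Secure; HttpOnly",
]

if __name__ == "__main__":
    for line in SAMPLE_SET_COOKIES:
        for finding in audit_session_cookie(line, host="app.example.com", app_path="/app"):
            print(finding)
```

One working session cookie is enough for an attacker, so run this over every Set-Cookie line the login response returns, not just the one you think is the session.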
![Page 98: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/98.jpg)
![Page 99: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/99.jpg)
Manually check when verifying credentials during pre-engagement:
Login and analyse the Session ID cookie (i.e. PHPSESSID)

Bad (normal + by default): same session ID before and after login
Before: 10a966616e8ed63f7a9b741f80e65e3c
After:  10a966616e8ed63f7a9b741f80e65e3c

Good: session ID regenerated on login
Before: 10a966616e8ed63f7a9b741f80e65e3c
After:  Nao2mxgho6p9jisslen9v3t6o5f943h

IMPORTANT: You can also set the session ID via JavaScript (i.e. XSS), so an ID that survives login is session fixation, not a cosmetic issue
![Page 100: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/100.jpg)
Session ID:
• In URL
• In POST
• In HTML
Example from the field: http://target.com/xxx/xyz.function?session_num=7785

Look at unauthenticated cross-site requests:
http://other-site.com/user=3&report=4
Referer: site.com

Change ids in application (ids you have permission for!):
http://site.com/view_doc=4
![Page 101: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/101.jpg)
Headers enabling/disabling client-side XSS filters:
• X-XSS-Protection (IE-only at the time; Chrome and Safari later shipped a similar filter and have since removed it)
• X-Content-Security-Policy (FF >= 4.0; Chrome of the same era used the X-WebKit-CSP prefix; today both are superseded by the unprefixed Content-Security-Policy header)
![Page 102: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/102.jpg)
Review JavaScript code on the page:
<script> document.write("Site is at: " + document.location.href + "."); </script>
Sometimes active testing is possible in your browser (no trip to server = not an attack = not logged):
http://target.com/...#vulnerable_param=xss
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
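A first pass over the page's inline JavaScript before you reach for the # trick, as an added example (not code from the slides or from OWTF). It is a coarse static scan: a line is reported when a client-side source and a dangerous sink meet on it, and a variable assigned from a source on an earlier line is itself treated as a source. There is no real data-flow analysis, so a hit is a line to verify by hand in the browser, not a confirmed bug. SAMPLE_SCRIPT is constructed; its first line is the snippet from the slide.

```python
"""Spot DOM XSS candidates in inline JavaScript before touching the server.

Added example, not code from the slides or from OWTF. Same-line source/sink
co-occurrence plus one-step taint propagation through simple assignments;
a source passed through something that is not a sink (e.g. createTextNode)
is not reported. SAMPLE_SCRIPT is constructed; its first line is the
snippet shown on the slide.
"""
import re

SOURCES = [
    ("document.location", r"document\.location"),
    ("location", r"(?<![.\w$])location\.(?:href|hash|search|pathname)"),
    ("document.URL", r"document\.(?:URL|documentURI|baseURI)"),
    ("document.referrer", r"document\.referrer"),
    ("window.name", r"window\.name"),
    ("document.cookie", r"document\.cookie"),
]
SINKS = [
    ("document.write", r"document\.write(?:ln)?\s*\("),
    ("innerHTML", r"\.(?:inner|outer)HTML\s*=(?!=)"),
    ("eval", r"\beval\s*\("),
    ("setTimeout/setInterval", r"\bset(?:Timeout|Interval)\s*\("),
    ("Function", r"\bFunction\s*\("),
    ("jQuery", r"(?<![\w$])\$\s*\(|\.html\s*\("),
    ("location assignment", r"(?<![.\w$])location(?:\.href)?\s*=(?!=)"),
]
ASSIGN = re.compile(r"^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$")


def find_dom_xss_candidates(script):
    """Return [(line number, [sources], [sinks])] for suspicious lines."""
    tainted = {}   # variable name -> the source it was assigned from
    hits = []
    for no, line in enumerate(script.splitlines(), 1):
        sources = [name for name, rx in SOURCES if re.search(rx, line)]
        sources += [f"{var} (from {src})" for var, src in tainted.items()
                    if re.search(rf"(?<![\w$]){re.escape(var)}(?![\w$])", line)]
        sinks = [name for name, rx in SINKS if re.search(rx, line)]
        if sources and sinks:
            hits.append((no, sources, sinks))
        m = ASSIGN.match(line)
        if m and sources and not sinks:        # propagate taint through simple assignments
            tainted[m.group(1)] = sources[0]
    return hits


SAMPLE_SCRIPT = """\
document.write("Site is at: " + document.location.href + ".");
var q = decodeURIComponent(location.hash.substring(1));
document.getElementById("out").innerHTML = q;
var safe = document.createTextNode(location.hash); out.appendChild(safe);
"""

if __name__ == "__main__":
    for no, sources, sinks in find_dom_xss_candidates(SAMPLE_SCRIPT):
        print(f"line {no}: {sources} -> {sinks}")
```

Line 1 is the slide's snippet (document.location straight into document.write); line 3 is only caught because q was marked tainted on line 2, which is the case a same-line grep misses. Each hit is then tried in the browser with a payload after #, which never leaves the client.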
![Page 103: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/103.jpg)
Did Google find SQLi for you?
![Page 104: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/104.jpg)
Server-Side Include (SSI) injection test strings (active: need permission):
<!--#exec cmd="/bin/ls /" -->
<!--#INCLUDE VIRTUAL="/web.config"-->
![Page 105: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/105.jpg)
1. Browse site
2. Time requests
3. Get top X slowest requests
4. Slowest = best DoS target
![Page 106: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/106.jpg)
Google searches: inurl:wsdl site:example.com
Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/
![Page 107: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/107.jpg)
WSDL analysis
Sensitive methods in WSDL? i.e. Download DB, Test DB, Get CC, etc.
http://www.example.com/ws/FindIP.asmx?WSDL
<wsdl:operation name="getCreditCard" parameterOrder="id">
<wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
<wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
</wsdl:operation>
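Listing the operations a WSDL advertises is a passive review of a public document; this added example (not code from the slides or from OWTF) does it offline and flags names that sound like the "Download DB / Get CC" methods the slide warns about. SAMPLE_WSDL is constructed around the getCreditCard operation on the slide, and the keyword list is an assumption to tune per target.

```python
"""Read a WSDL offline and list the operations it advertises.

Added example, not code from the slides or from OWTF. Fetching ?WSDL is a
plain GET of a public document, so the review is passive; the keyword list
used to call an operation "sensitive" is an assumption to tune per target.
SAMPLE_WSDL is constructed around the getCreditCard operation on the slide.
"""
import re
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
SENSITIVE = re.compile(
    r"credit|card|passw|secret|token|admin|download|dump|backup|export|"
    r"delete|exec|debug|test|internal", re.I)

SAMPLE_WSDL = """<?xml version="1.0"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:impl="urn:example" targetNamespace="urn:example">
  <wsdl:portType name="FindIP">
    <wsdl:operation name="getIP" parameterOrder="host">
      <wsdl:input message="impl:getIPRequest" name="getIPRequest"/>
      <wsdl:output message="impl:getIPResponse" name="getIPResponse"/>
    </wsdl:operation>
    <wsdl:operation name="getCreditCard" parameterOrder="id">
      <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
      <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
    </wsdl:operation>
    <wsdl:operation name="dumpDatabase">
      <wsdl:input message="impl:dumpDatabaseRequest" name="dumpDatabaseRequest"/>
    </wsdl:operation>
  </wsdl:portType>
</wsdl:definitions>
"""


def list_operations(wsdl_text):
    """[(operation name, [input messages], [output messages])] from every portType.
    Binding sections repeat the operation names without messages, so only
    portType children are read."""
    root = ET.fromstring(wsdl_text)
    ops = []
    for port_type in root.iter(WSDL + "portType"):
        for op in port_type.findall(WSDL + "operation"):
            ins = [i.get("message", "") for i in op.findall(WSDL + "input")]
            outs = [o.get("message", "") for o in op.findall(WSDL + "output")]
            ops.append((op.get("name", ""), ins, outs))
    return ops


def sensitive_operations(wsdl_text):
    """Operation names worth raising with the customer before any active test."""
    return [name for name, _, _ in list_operations(wsdl_text) if SENSITIVE.search(name)]


if __name__ == "__main__":
    for name, ins, outs in list_operations(SAMPLE_WSDL):
        flag = " <-- sensitive?" if SENSITIVE.search(name) else ""
        print(f"{name}: in={ins} out={outs}{flag}")
```

The stdlib parser does not fetch external entities, but if you run this at scale over WSDLs from hosts you do not control, parse with defusedxml instead.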
![Page 108: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/108.jpg)
Same Origin Policy (SOP) 101
http://www.ibm.com/developerworks/rational/library/09/rationalapplicationdeveloperportaltoolkit3/
1. Domain A's page can send a request to Domain B's page from the browser
2. BUT Domain A's page cannot read Domain B's page from the browser
![Page 109: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/109.jpg)
Bad: No anti-CSRF token
Potentially Good: Anti-CSRF token present: verify with permission

CSRF Protection 101:
• Request == predictable -> pwned -> "..can send a request to Domain B" (SOP)
• Require long random token (99% hidden anti-CSRF token) -> not predictable
• Attacker cannot read the token from Domain B (SOP) -> Domain B ignores the forged request
![Page 110: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/110.jpg)
Similar to CSRF: Is there an anti-replay token in the request?
Bad: No anti-replay token
Potentially Good: Token present (an anti-CSRF token only counts here if it is single-use): verify with permission
![Page 111: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/111.jpg)
Some technologies allow settings that relax SOP:
• Adobe Flash (via policy file)
• Microsoft Silverlight (via policy file)
• HTML 5 Cross Origin Resource Sharing (via HTTP headers)
Cheating: Reading the policy file or HTTP headers != attack
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
![Page 112: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/112.jpg)
1) Passive search for Flash/Silverlight files + policies:
Flash file search:
Silverlight file search:
![Page 113: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/113.jpg)
Policy file retrieval for analysis
![Page 114: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/114.jpg)
Flash / Silverlight - crossdomain.xml
Flash: http://kb2.adobe.com/cps/403/kb403185.html
CSRF by design -> read tokens = attacker WIN
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
Bad defence example: restricting which headers Flash may push, except that here all headers from any domain are accepted:
<allow-http-request-headers-from domain="*" headers="*" />
![Page 115: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/115.jpg)
Silverlight - clientaccesspolicy.xml
Silverlight: http://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx
CSRF by design -> read tokens = attacker WIN
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
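The two policy files from the slides above, graded offline by an added example (not code from the slides or from OWTF). The plugin fetches these files itself on every cross-domain request, so retrieving and reading them is not an attack. A wildcard domain lets any site make the plugin read responses from the target with the victim's cookies, which is why the slides call it CSRF by design: whoever can read the page can read its anti-CSRF token. The two sample files are the ones shown on the slides.

```python
"""Grade Flash crossdomain.xml and Silverlight clientaccesspolicy.xml offline.

Added example, not code from the slides or from OWTF. Wildcard domains make
the target readable cross-origin (anti-CSRF tokens included); wildcard
header permissions additionally let any site push arbitrary headers. The
two sample files are the ones shown on the slides.
"""
import xml.etree.ElementTree as ET

CROSSDOMAIN_SAMPLE = """<cross-domain-policy>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

CLIENTACCESS_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>
"""


def analyse_crossdomain(xml_text):
    """Findings for a Flash crossdomain.xml (empty list = nothing wildcarded)."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin can read responses (CSRF by design)')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain can read responses')
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": http:// origins may read https:// content')
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append('allow-http-request-headers-from domain="*" headers="*": any site may send any header')
    return findings


def analyse_clientaccesspolicy(xml_text):
    """Findings for a Silverlight clientaccesspolicy.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        allow, grant = policy.find("allow-from"), policy.find("grant-to")
        if allow is None or grant is None:
            continue
        paths = [r.get("path", "") for r in grant.findall("resource")]
        for d in allow.findall("domain"):
            uri = d.get("uri", "")
            if uri in ("*", "http://*", "https://*"):
                findings.append(f'allow-from uri="{uri}" grants {paths} to any origin (CSRF by design)')
        if allow.get("http-request-headers") == "*":
            findings.append('allow-from http-request-headers="*": any header may be sent cross-domain')
    return findings


if __name__ == "__main__":
    print("crossdomain.xml:", *analyse_crossdomain(CROSSDOMAIN_SAMPLE), sep="\n  ")
    print("clientaccesspolicy.xml:", *analyse_clientaccesspolicy(CLIENTACCESS_SAMPLE), sep="\n  ")
```

Fetch the two files from the web root (crossdomain.xml, clientaccesspolicy.xml) and feed them in; a "*" on the domain of the site that sets the session cookie is a finding even before you know whether any Flash or Silverlight content is live, because the policy is honoured for the whole host.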
![Page 116: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/116.jpg)
Static analysis: Download + decompile Flash files
Flare: http://www.nowrap.de/flare.html
Flasm (timelines, etc): http://www.nowrap.de/flasm.html
$ flare hello.swf
![Page 117: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/117.jpg)
Static analysis tools
SWFScan: http://www.brothersoft.com/hp-swfscan-download-253747.html
Adobe SWF Investigator: http://labs.adobe.com/technologies/swfinvestigator/
![Page 118: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/118.jpg)
Good news: Unlike DOM XSS, the # trick will always work for Flash files
Active testing ☺
1) Trip to server = need permission
http://target.com/test.swf?xss=foo&xss2=bar
2) But ... your browser is yours: no trip to server = no permission needed
http://target.com/test.swf#?xss=foo&xss2=bar
![Page 119: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/119.jpg)
Need help?
![Page 120: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/120.jpg)
![Page 121: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/121.jpg)
UI Redressing protections:
• X-Frame-Options (best at the time; today the Content-Security-Policy frame-ancestors directive is the standard replacement)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
• JavaScript frame busting (bypassable sometimes)
Bad: no X-Frame-Options header
Good: X-Frame-Options: DENY (or SAMEORIGIN if the site frames itself)
![Page 122: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/122.jpg)
Andrew Horton's "Clickjacking for Shells":
http://www.morningstarsecurity.com/research/clickjacking-wordpress
Krzysztof Kotowicz's "Something Wicked this way comes":
http://www.slideshare.net/kkotowicz/html5-something-wicked-this-way-comes-hackpra
https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
Marcus Niemietz's "UI Redressing and Clickjacking":
http://www.slideshare.net/DefconRussia/marcus-niemietz-ui-redressing-and-clickjacking-about-click-fraud-and-data-theft
![Page 123: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/123.jpg)
Too much info?Use the filter to drill to what you care about:
![Page 124: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/124.jpg)
Business Conclusion
• Web app security > input validation
• We see no traffic != we are not targeted
• No IDS alerts != we are safe
• Your site can be tested without you noticing
• Test your security before others do
1872-8778-6931-6727-6849
![Page 125: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/125.jpg)
Pen tester Conclusion
• No permission != cannot start
• A lot of work can be done in advance

This work in advance helps with:
• Increased efficiency
• Dealing better with tight deadlines
• Better pre-engagement
• Better test quality
• Best chance to get in
![Page 126: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/126.jpg)
Bottom line: Do not wait for "Tool X" or permission
Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
![Page 127: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/127.jpg)
Bottom line: Try harder!
Benedikt Magnusson - 1015lbs / 461kg World Record Deadlift
2nd April 2011
![Page 128: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/128.jpg)
Special thanks to
OWASP Testing Guide contributors
Finux Tech Weekly – Episode 17 – mins 31-49
http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3
Finux Tech Weekly – Episode 12 – mins 33-38
http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3
http://www.finux.co.uk/episodes/ogg/FTW-EP12.ogg
Exotic Liability – Episode 83 – mins 49-53
http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah
Adi Mutu (@am06), Krzysztof Kotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz),
Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci)
![Page 129: Legal and efficient web app testing without permission · Agenda • Intro - Why + How without permission - OWTF basics • Practical Cheating: - OWASP + OWTF Walk-through • Conclusion](https://reader035.fdocuments.in/reader035/viewer/2022071012/5fca2eb0a747d97b6f2f1835/html5/thumbnails/129.jpg)
Q&A
Abraham Aranguren@7a_ @owtfp
[email protected]
http://7-a.org
http://owtf.org
Project Site (links to everything): http://owtf.org
• Try OWTF: https://github.com/7a/owtf/tree/master/releases
• Try a demo report: https://github.com/7a/owtf/tree/master/demos
• Documentation: https://github.com/7a/owtf/tree/master/readme
• Contribute: https://github.com/7a/owtf