
Hacking Web Apps

BSides Charleston · 2015 · 53:58 · 271 views · Published 2015-12 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
BSides Charleston, SC 2015, Track 1, Session 6: "Hacking Web Apps". Speakers: Brent White & Tim Roberts (@brentwdesign & @zanshinh4x).
Transcript [en]

Thank you. Thanks, everyone. As mentioned, I'm Brent White, and I'm Tim Roberts. Basically, what we're going to talk about today is for anybody that's getting into infosec, or maybe if you're a developer and you want to figure out the kind of path to take to start learning how to secure your own applications and code. We're going to walk through what happens all the way from client kickoff to report delivery, so it'll be a lot of high-level information, but definitely enough to get you pointed in the right direction for assessing web apps.

All right, so a few things. When you guys do your kickoff call, usually this happens after the client and everything has been decided on in your statement of work. The kickoff call kind of bridges the gap between that statement of work and the actual penetration assessment. During this call is often when you're developing the rules of engagement: that's when you discuss your scoping, your limitations, and your points of contact. So, for the scoping, if it's a PCI kind of assessment then the scoping may be broader or bigger. These are the kinds of questions you want to ask your client: what are you guys looking at, why are you doing this assessment, is it just for a checkbox, or do you want a deep dive? Also, the points of contact: this is for both the client contacts and of course the testers. So if you were to knock over a box or the application, who do you contact during that time, or who do they contact, how do you get in touch with each other? You'll also set the limits as far as when the testing is: is it okay to do automated scanning 24x7, or is it a production environment and they only want the heavier automated stuff done after hours, things like that. You also want to make sure to ask the client, hey, are there any pages or functions that you want us to avoid? Maybe there's a contact form that, if you put an automated scanner on it, some poor soul is going to have thousands of emails in their inbox. So you want to make sure to ask those things and get those details from the start.

Something to keep in mind is that at the end of every assessment a report is going to be expected. I only mention this because when I started the job I made the mistake of not collecting enough evidence, and so while I was trying to write the report I realized there were several things that I didn't document fully, and, like a dog tucking its tail, I had to go back to the client and say, hey, I know the assessment's over, but it's not really, because I screwed up. Can I have some more time? Can you provide more access? So, just to save you from that embarrassment, keep in mind that they will expect a report, and document as much stuff as possible.

As far as documentation goes as well, Brent had done a web application talk before and a QSA approached him afterwards and said, hey, on the PCI stuff, something that I see a lot of is a pen test report will come in for PCI requirements and it doesn't mention anything about PCI, it doesn't have the OWASP checklist, it doesn't have anything like that in the report, so I've had to decline those reports for PCI requirements. So this is just a mention for that: whenever you guys are doing these reports, again go back to the scope, why are you doing this, what is the client wanting, and try to tailor it to help them when they're presenting to auditors and things like that. Yeah, and you'll also want to make sure to mention, as Tim said, the OWASP Top Ten: put on there, of the top ten things, what did they pass, what did they fail, mention when the assessment took place, and also mention what the whole goal of the project was and what you looked for. Those things will help keep your report from being rejected by your QSA.

As far as evidence gathering, again, something that I use, well, a lot of us use, is KeepNote. KeepNote is a nice built-in kind of project manager: you can put folders and subfolders, you can paste screenshots, and it's just a nice reference to keep going back to as you're performing your assessments, so you remember, hey, what were my requests, what was my HTTP request, what was this or that, screenshots, things like that. And a great thing, one of the reasons I prefer KeepNote too, is that if a client wants to see all of your raw data outside of the report, all you have to do is just export it as HTML and you can give everything to them, so they're not having to install a new program to see all your files. It comes pre-installed in Kali, but it's also available for Windows and OS X too.

Just to give you an idea of how I group things, how I collect evidence: if I have several hosts that I'm looking at for an assessment then I might group it by the host, so on the left side you can see each host has its own folder and then each vulnerability I found under that host. Or if it's just one or two hosts, or easy enough to keep up with, I'll just group it by vulnerability. I've changed how I've done this several times over the years and this seems to be the method I've stuck with the longest, so you'll just figure out as you go what works best for you. You can also see I've color-coded them, and this gives me a quick visual reference of the state of the application or where I'm at: the darker red would be your highs or criticals, the red would be your serious, yellow would be medium, and so on. I know the green isn't a vulnerability, but it's just reference information for me, so the scope or credentials or something that I might need to click on quickly. Again, this is just personal preference, so you're going to figure out what works best for you. Yeah, because this is just to help you stay on track. Also, with this you can include checklists; I mean, there's a lot you can do with KeepNote, but again, like Brent mentioned, there's a lot of commercial stuff out there you can get and there's freeware as well, and you might find out you like just using Microsoft Word as well.

Sorry, so evidence gathering: what do you document? Make sure that you document all of your GET and POST requests as well as the full response. This will allow the client, whenever they're going through the remediation process, to basically copy and paste and try to get the same results that you got, and it helps them to see everything you did to get to and find that vulnerability. You also want to document any kind of unscheduled downtime. So let's say you do knock over a system or application or something like that, or maybe the client messes up and you're unable to communicate with the application; you want to document that kind of stuff. You also want to document any kind of changes that you've made. So let's say you've made some accounts, you uploaded, you did some SQL injection, created some accounts or modified some tables or something; you want to make sure that that's documented so that you can go back and clean up any mess that you've left. Yeah, there have been a few times where we've been able to put scripts, shell scripts or something, on the client's host but we weren't able to actually remove those ourselves, so you definitely want to tell the client if you've put a shell script on the host, and don't leave it there and then have something bad happen. Another thing I've actually seen people get in trouble for is this:

Don't post any pictures of any hacks that you do for a client website. If you do want to share it, make sure you sanitize it so that it's not obvious where it came from, just to cover yourself and any non-disclosure agreements that you might be under. You also want to make sure that you're getting relevant, legible screenshots of whatever vulnerabilities you're coming across, whether it's your HTTP request and response headers or a dump of a database or anything like that. Anything you put in the report, you want to make sure it helps the client not only see what you did but go back and be able to duplicate that once they've done their remediation efforts.

So, an example: this is a database dump that I did through SQL injection. There was so much information that I knew, okay, no matter what I do, I can't put all of this in. Even though I sanitized this enough to put in the report, you have to consider that this image is going to have to fit in a printable area for a report, so when you squeeze that down it's going to be hard to see, even the black background with the green text. So what you would want to do in this case: if there's a small area that you can zoom in on, where you can make it a bigger area for the report, that's fine, or copy and paste this into the report. On the next slide you can see, for example, any code or anything that we have that's actual code that we've sent or received, or for that SQL dump for instance, I would copy that and paste it in the code area so the client can see it. You just want to make sure that whatever you're putting in there is easily readable for the client. If we go back to the screenshot, you'll see there are 240 entries in this, so obviously you don't want to include everything that you find; you can just include a snippet to prove your point. You don't have to put the entire database in the report.

Obviously, you want to list all known affected pages and parameters for vulnerabilities. The reason why is, sometimes you'll just put one parameter on there. Let's say you ran a Nessus scan or something like that and you're like, oh okay, well, that looks vulnerable, you go and you test that parameter, and now you're just talking about that parameter. Did you look at all the affected pages and all the parameters on there? Do they know to look at that, or do they just know to look at the username field or something? Right, so again, back to this screen: username is vulnerable to SQL injection; make sure you also test password. Is that vulnerable to SQL injection, or any other parameters that might be in there? As Tim mentioned, if username is vulnerable and, say, password happens to be vulnerable, make sure in the report you're listing all parameters that are vulnerable to SQL injection, for example. So, oh, go ahead, Tim.

Yeah, so the evidence gathering, the methodology, the checklist: if you're new to this stuff, where do I start, what do I test? There are a lot of nice checklists out there; we mentioned OWASP's earlier. If you don't have a methodology that you follow within your organization, if you are a pen tester, just Google, look online; there's tons of stuff and a lot of references out there. Something this helps with is obviously keeping track, just like KeepNote; it helps with consistency in your reporting and in your testing. But even though it helps, it can also limit you, so whenever you make these checklists or you go by them, keep in mind to think outside of the box. Don't just limit yourself to a checklist. Checklist security, I think I can speak for Brent as well, checklist security is kind of a joke, right? It's like, oh, we just want a checkbox to say we did this assessment, or we just want to go through this list, and you're like a robot, you're running a script. It's not like that. As hackers, as pen testers, we're creative, we think outside of the box, we want to find new ways of exploiting this stuff, so make sure you don't limit yourself with that.

Okay, now we're going to start getting into more of the actual assessment part of the talk. One of the things that I like to start off with is looking at what's out there on the internet already, so open source intelligence. There are several tools out there; again, it's open source, it's free, it's amazing what you can find, but keep in mind it's very time-consuming. There have actually been several times where I've found, through old development forums, usernames, like test usernames and passwords, that they gave to people they were wanting to help troubleshoot an issue they had, and those credentials were still valid, so you can just go and log into their database, or a database schema or anything. So look for those things. And developers, it's cool to get help with dev forums and things like that, but make sure when you do post something for getting help that you sanitize it, and if for whatever reason you do provide access to someone that can come in and look at your code, make sure that you disable that once they are finished, so that guys like us don't find it and give you a terrible report afterwards.

Also, he was talking about the developer forums; a lot of the internal application assessments that we do will come across a developer wiki, and that wiki a lot of times is a treasure trove of information as far as the kind of applications they're using, like he said, test accounts and things like that, different table names and paths. So don't overlook that kind of stuff. It's like, oh, it's developer wikis, it's just the developer environment, it's not production, it's not relevant. Well, the thing is, I personally have come across accounts that are the same in the development environment as they are in production; when they rolled over they forgot about those test accounts, so the test account still exists. So I always keep that in mind. Yeah, and when finding those accounts too, through Google or archived email forums or things like that, those give you usernames that you can go and try to brute-force authentication to the app with. So again, like we just mentioned, we found the database types, full schemas, test credentials and things in the wild that were still relevant, so just keep that in mind and look for it. Developers, keep in mind to clean that stuff up.

A few more tools; again, there are so many tools out there, but just a few that we like to use on a regular basis. I really like Discover by Lee Baird. As you can see, some of the options that are available in it: you can quickly scan for a domain, active or passive searching, you can put in the company name and the domain as well, or a specific person, and so on, as well as other cool tools if you need to parse XML, start a listener, several things that just make it quick and easy for you. So, you mentioned other tools: there's Metagoofil, there's Maltego, theHarvester. There are a lot of different tools out there for OSINT gathering, so keep that in mind. Don't limit yourself to just one tool either; one tool may just have a limited amount of features while another one may have something that that one missed, so try to use multiple tools, not just one.

Why do you run automated tools? You're supposed to be a hacker. Well, one of the things that we do is we run these tools for the sake of time. Unlike real life, where a hacker may have several months or years or whatever to sit there and build upon this, as pen testers we're often given short testing windows, like a week, maybe two weeks. So in that we often run the automated tools, then we'll go back and we'll do some manual stuff, and then we'll start testing the false positives from the automated tools. So even though Nessus may tell you this is vulnerable to cross-site scripting, well, you go to it, you test the parameter, and nothing's happening. Well, why isn't this popping up? Did you turn your pop-ups off? Is Java disabled, is JavaScript disabled in your browser? I look at that stuff, but also, is the report just throwing out a false positive saying this is vulnerable, and all it is is tripping on one of the code or a tick or something? Yeah, so automated scanning is really just a quick way to do a wide range of tests to find a lot of low-hanging fruit, and it kind of gives you a game plan, if it's showing things, of how you want to attack the application after that.

And something that I want to stress is that a vuln scan is not a penetration assessment. Everybody together, okay: a vuln scan is not a penetration assessment. We see this a lot of the time from larger firms that will sell packages where it's basically a vulnerability scan and they pass it off as a pen test. Well, it's not; it's a vuln scan. Your scan is going to have a lot of false positives, it's not going to have that human interaction, and it's not going to go as deep as you could take it for certain vulnerabilities. So please keep that in mind, be good stewards, and spread the word to anybody that says otherwise. And to those that say it is, I have no idea what I'm doing, there you go. So if you guys are receiving 50-page Acunetix dumps or something like that and this is your pen test, I hate to break the news to you, but you're paying for somebody to click go. So this is not a penetration test.

Other automated scanners: there are several out there, but the ones that we go to on a regular basis: we like Nessus. I like to use Nessus because it does a lot of quick checks at the host level, so it'll do things like CGI, it'll look at SSL/TLS settings, it'll help find admin portals or backup pages, things like that. Another thing I like to use to get a deeper dive is IBM AppScan, and again there are several others out there, but I'm just mentioning the ones that we use on a regular basis. With IBM AppScan, you can see it checks for several things; it's a great application, and they've got a nice web service test module in it too. And then Burp Suite Pro; you're going to hear us reference that quite a few times because it's just a great tool, it does a wide variety of testing and things. Nikto, that's also another built-in scanner; it comes pre-installed in Kali and it's going to do quick scans, again for hidden directories, well-known admin portals or backup files, CGI vulnerabilities; it covers a quick, wide range of things too. So if you've already sort of looked at the application, or you're trying to get through something quickly, instead of using an automated scanner like Nessus or IBM AppScan or something, just run Nikto, because it's pretty focused and it's a pretty quick tool.

Also, looking at this, identify if you see frameworks like WordPress or something like that. WordPress is very popular because it's easy, right? It's like a blog management system; throw it on there, and developers are using it quite often. But what happens is, as soon as they hand it off, it's often not maintained, so plugins aren't updated, they're not updating WordPress or Joomla or Drupal, and so this leaves vulnerabilities. So make sure, if you guys are our clients and developers are developing this, make sure that you have patch management even on stuff like WordPress. Yep, out of the box it's okay, but when you start adding plugins and things you need to learn techniques for how to harden that. I don't know; as a pen tester I absolutely love it when I see a client using WordPress, whether it's on an internal assessment or a web app or something. It's pretty good because you can find juicy stuff pretty easily. So built into Kali you have tools like WPScan that specifically scan WordPress for outdated plugins and outdated versions; you can even enumerate usernames, which helps you with brute-forcing later. And there are also tools for Drupal and Joomla and things like that, so there are just focused scanners for those frameworks.

Here's mentioning some tools; OWASP has a few tools out there: ZAP, DirBuster. This just brute-forces directories, files, et cetera, so if you're still not very familiar with the command line there are some GUIs out there for Kali. Yeah, and just a little bit more on DirBuster: sometimes, if I've kind of hit a wall and I'm finding it a little harder to find things to go after, what I'll do is I'll run DirBuster. You can specify lists of known directory names, very large lists, and you can also specify file extensions to look for. So if it is a PHP website you can have it look for .php, or .bak, because it's pretty popular for people to change the file extensions to .bak or similar things like that. And so it will go through and it will look for those, and it'll do an enumeration based on, like, the 200 response or the error 404 and so on; that's how it knows if those things exist or not. It takes time, especially if you have a large list it's running against, but it can really pay off. Yeah, also you can look for PDF files or Word documents. It's amazing, but you'll see a lot of companies will upload their vulnerability scans online and they're externally facing, so maybe you want to drop in some Google dorks or something, or use a tool like this to start crawling that site for PDFs or these documents, and look at some of the vulnerabilities of the past.

As Brent mentioned, there's a lot of stuff in Kali, a lot of pre-installs. If you're not familiar with it, just go to the drop-down menu; you'll see web application, web vulnerability scanners, and tons of things on there. In addition to this, you'll also see other commercially available scanners out there, like Nexpose and, say, Acunetix, I mentioned that before. There are several tools out there, and the ones we're just dropping are again just the tools that we prefer, that are kind of our go-to, but don't limit yourself to just these. Yep, and it's good to use multiple tools because you'll get different results, even if they have the same settings; their scan engines might be slightly different, and so you'll get different results a lot of times.

Okay, continuing on automated scanning, a few pro tips. You don't just want to throw in the URL and hit go; you want to look at the settings. You want to make sure that you're not going to flood the host with too many threads, too many connections at once. You want to make sure that you're also not enabling denial-of-service checks. I don't think that we've ever had a client that says, oh yeah, sure, please check for denial of service and knock something over if you can. Most of them don't want to be bothered with that. If you do have a scanner that checks for it, then just let them know, hey, this is showing that the potential for that is there, check it out. And some of them will say, okay, just let us know if it's there, but don't exploit it. Yeah, safe mode: a lot of those, you'll see a safe mode for the denial-of-service exploits that it attempts to run. What that does is it just checks for the response; it doesn't actually deliver the payload or anything like that.

Pro tips again: add any page functions the client has asked you to avoid. Brent mentioned before the email submission form or the contact form; again, you don't want some administrator getting their inbox flooded by your automated tools, so make sure you exclude that. If you have sign-up pages, you might need to specify a "page not found" page for false positives. So if this is a kind of gray-box or white-box approach to the assessment, then you're in constant communication with the client, so it's okay to ask them these kinds of questions. If it's a black box then obviously you want to go back and keep testing it manually, just to see, hey, why is this throwing this error, what do the headers look like. And yeah, so anybody in here that has done automated scanning against a website, and every single thing it sends, you get a response like a 200 OK, that everything it checks for is there? Has anybody experienced that? Yeah, it's a pain in the butt to clean up and it's just a waste of time. So several automated scanners allow you to go in and specify, okay, even though this is saying 200 OK, this is actually their custom response to something that isn't found. A lot of sites, if you request something that's not there, will automatically take you to a home page or something, and so when you have a scanner that's sending thousands and thousands of requests looking for files, it's going to say, yeah, we're all here, but it's not really there. So you can actually go and specify a custom, I guess, 200 OK, but you'd call it the "page not found" or whatever the scanner calls it.

Also for this, again, if you're doing a kind of disclosed assessment with the client and they provide credentials for the site, oftentimes, instead of just sitting there trying to crack the site, if it's not a black-box assessment and your testing window is limited, they'll just provide you a normal user or an administrator account and then you can test it from there, so that way they get a more robust view of their application. So whenever you're doing that, make sure, some of these tools have macros you can configure, others you can just dump usernames and passwords into, but make sure that when you're running these automated scans, if you are doing an authenticated scan, that you're not dumped off. Let's say you're doing it and the session drops and it's still running all these scripts; well, now it's running and generating a bunch of errors because the session is no longer available. So make sure that those sessions are still active whenever you're doing authenticated web vulnerability scans. Yeah, and that's a good thing about IBM AppScan: it detects when the session has dropped and it will actually pause itself until it has learned that it has authenticated again, and then it will resume, so that's very handy. And then, once you've verified everything and you're ready to go, obviously, when you're comfortable, click scan, or go for it.

So we're going to start getting into a little more manual testing. Once the scanner is finished, again you have to go through and manually verify the results; you can't rely on a scanner that everything is accurate. So you want to go through and look at the things that are legitimate and document those. Let's say you find cross-site scripting, or the scanner finds cross-site scripting, and it's just the alert(1) or alert('XSS'). See how much further you can take that: can you start including JavaScript where you can activate a keylogger, or do some sort of file inclusion, or what can you do to take it further than just the alert(1)? And if you do the alert, make it worth the alert; do like a document.cookie or something like that, try to get a session cookie out of it. Don't just have, oh, it says it's vulnerable because I was able to do a cross-site scripting, I can make something pop up and say, hey, look at me. That's not, I mean, who cares? Take it further, push yourself, don't limit yourself on just that; that's what a vulnerability scanner does. Don't limit yourself on just that; actually try to pen test it. Yeah, and something to keep in mind too: some of the people that are going to be looking at your report are maybe C-level people that don't fully understand what they're looking at, so if they just see a 1, they're going to think, okay, well, why do I care about that? But if they see something popping up where it's like, okay, here is an active keylogger, that might get their attention more, where perhaps the department that's having you do the assessment can get more funding or more budget to actually have more time to fix these vulnerabilities. So just keep that in mind too when you're writing your report: the more eye-opening the exploit is, the better chance that you're getting executive buy-in to remediate these issues too. As the client, when you just bring a client, you know, earlier we mentioned just dumping a vulnerability scan and saying, hey, CSO or CTO, here's a report. Okay, cool, I see a chart with some highs and lows, whatever, fix the highs. That's not how that should work, and that's why all these vulnerabilities are out there too, because some people just accept that.

Always push it; make it eye-opening. I mean, don't take down their system, but make it eye-opening, make them say, hey, that's what these guys can do; imagine what the guys in Russia or China that are funded can do, right?

Again, back to Burp Suite Pro. I like to use this for manual testing. It's a proxy app where everything I request in the browser is stored in this application, so I can look at everything that I've sent and all the responses. There's a cool tool that a lot of automated scanners have too, the spidering option: you load the application and anything that's linked within the code, it will just go and spider that and start caching it, so that you don't have to take the time to try and make sure you click on every possible link or resource within the application. When you guys are doing this too, with the spidering, make sure you're paying attention to the scope. So let's say example.com is the web application you're testing; well, example.com may have a bunch of other stuff built into it, like Facebook Connect, Google, Twitter, things like that; Akamai may be on there, whatever. Make sure that your scope is still your scope, that it didn't add these things when it started crawling, and now when it starts running the tests and throwing fuzzing parameters and stuff like that at it, that it's not hitting something that's outside of scope. So always pay attention to that; that's why it's nice to have those proxies and even your live headers and things like that.

A few things you want to look at: review the response that you're getting. A lot of times it will tell you what's running, so is it running IIS or Apache, and a lot of times it will go even further and tell you the version that it's running. So then you can go and check and see, are there any exploits in the wild that I can use here, and try and leverage this vulnerability, maybe get shell or something. So the Bash bug: is it vulnerable to Shellshock? You can find those things out simply, a lot of times, by finding out what's running on the server. Parameter fuzzing: is input sanitization on there, is it validating any input of foreign characters, how does the application respond to that? If you can generate a SQL error then, hey, it might be vulnerable to SQL injection because I put a tick in here, one equals one or whatever. So make sure that you're looking at that; that's what's nice about Burp as well. Parameters can be found in the URL as well, so don't just look at the tool; look at the URL, what's it doing, try to understand the application's functionality and how it's communicating. Yeah, so as Tim mentioned, let's say there's a zip code input on a form and it's expecting a zip code. Well, can you put alphanumerics, can you put special characters in there, something that it's not expecting? You want to give these input fields things that they aren't expecting, just to see how you can get it to act differently than what it's supposed to. And then again, kind of adding to that, if they are passing sensitive information like the username or password through a GET request,
that's a vulnerability. Anything that's sensitive like that needs to be sent over a POST request, again because if it's sent through a GET request and it's cached on the machine and someone goes and does forensics, or their machine's compromised, then all we have to do is go look and we can see, okay, example.com forward slash, username equals, and then password equals, and so you've given us the credentials right there. So check and see how they're actually passing this sensitive information. Do they have file submissions on the application as well? So how are those being passed, what kind of file types can you upload to that, can you do remote file inclusion, can you upload a PHP script on there, is it sanitizing, is it specific? So test for that; see if you can upload a malicious script or payload there.

Burp Suite has several lists also for enumeration. So in addition to the built-in functions and lists on a lot of these automated tools, there are several resources out there for downloading and making your own or adding to it, so again, just don't limit yourself to the out-of-the-box mentality. Yeah, and again, OWASP for example, they have a huge list of all these strings that you can pass to test for cross-site scripting, so go download that list and run it against a parameter through Burp Suite or something else that allows you to throw a custom dictionary at it. So if you want to go to the next slide we can see: this is just a screenshot of Burp Suite, and you can see when you send something to the Intruder function it will automatically pick up on each parameter. So if you want to look at all the parameters at once, I personally don't recommend doing them all at once, I kind of like to focus on one at a time, and so you can specify what parameter you want to look at, and then on another screen, that's where you load your list. So if you are looking for SQL injection, or again cross-site scripting, or trying to discover file types or something, that's just kind of what the screen looks like to specify those. When you are doing this as well, make sure that you're looking at these parameters. If you just automatically use Intruder or something like that in Burp and you plug it in there, it may just find these equals and then it's going to start attacking that, so make sure that you modify this to attack just the parameters you want. Maybe you don't want the session cookie to be fuzzed, because you're authenticated, right? So make sure that you're looking at that. And if you're new to all of this and this sounds pretty foreign, this sounds kind of generic, but make sure you Google how to use Burp Suite and things like that; there are so many free videos and tutorials and things that you can download that will walk you through and teach you exactly how to do everything that we've mentioned already.

So a manual scanner that I like to use from time to time is Xenotix by OWASP. I think it's only available for the Windows platform, but it will emulate three different browser types at once and it will go through and look at specific parameters, or every single parameter, and will fuzz, and it will actually play it in real time as if it's

actual human doing it and that way you can get a real then actual pop-up or whatever it's sending instead of having to just look at it through code so it's it's pretty it's pretty useful uh save the posts and get requests sql map if you guys have ever used that it's a great tool for sql injection so you're putting those requests into it you just kind of plug it in and again it finds those parameters and it'll start attacking is sensitive information being passed you know he mentioned earlier is it being passed through uh is it get or is it a post request passwords a session id username etc so if somebody's sniffing on the network

maybe also maybe it's running on port 80. so maybe they don't have a certificate authority on there it's not ssl and you're able to just sniff those credentials as people are logging on to it so keep that in mind look for valuable comments in the source code oftentimes if you view source you just look at the source code on there you'll see some comments made by developers about the functionality of the application but you also might find some nice source code in there too that will help you understand more about how the application functions and passes information yeah there's there's actually been several times where uh developer comments you know we're kind of talking back and forth to each other

just to remind themselves this does this and then it will do this but not if you know and so on we've found again we've found credentials we've found admin credentials and we've all also found the database username internal ip addresses and things that have helped us tailor our attacks so and now to uh kind of prevent death by powerpoint i'll give you this come on guys it's cute oh okay a little bit more about manual testing some things you want to look at uh something i like to point out is is when you're looking at these applications look at it as an unauthenticated user what can you see now look at it as an authenticated user

so during the kickoff call you want to ask okay if you're going to give me credentials i want admin level credentials and then i want you know standard user credentials and the reason you do that is so that you can look at this application again is what does an unauthenticated user see are there links in the source code that you're hiding visually through javascript but if i look in the source code i can still see the admin links you know is that stuff in there and can i access it as an unauthenticated user as a non-admin user am i able to get to those admin level functions so these are you know sort of basic

privilege escalation things to look at but just keep in mind that you want to look at this application from uh any any different level of authentication or unauthentication that you can that's what's good about this too is that if you have an admit account or just any account really can you use that account again can you open up your vm and then pop it in another browser or xenotex or something like that and uh don't use the same session over and over again so uh especially admins you know you get the admin password someone else is on there doing what they're supposed to be doing but you log on as well so now you know it's the same

it's handling multiple sessions for that same user so that's something you want to test for as well in the password reuse if you did find an old password can you use that same password again can you change it back to the old password how are they handling authentication user credentials password expiration and such yeah so why is it a big deal if you can if the same user can log on to different multi locations at the same time or you kind of have to look at it from use case so if this is a bank and you're logged in and someone else logs in and it kills your session then you know something's up okay why did i just get logged out of

my account something's going on here but if they don't terminate that session and they allow multiple sessions that could be an issue let's say that someone does have your credentials and they're looking at your account at the same time you are that's that's something that you want to report log off features as well does it automatically log you off after so much inactivity or does it just stay there are you on there and you forget to log off and oh my gosh you walk away from your system and someone now has access to your account on your system you didn't lock your system perhaps so these are things also especially if you steal a session cookie so you get a document

cookie to pop up let's say with a cross-site scripting and then you see that you know hey this is a legitimate session cookie and then you use that well again like brent said it doesn't knock them off and now you're you're kind of piggybacking on that session yeah there's actually been several assessments where i've sniffed traffic and i've been able to get the session cookies and you know see what site they were looking at uh one of them well i can't say the name of it but i was able to actually go in and just sort of throw in the session cookie and had access to the same account that they had and was able to get some pretty

sensitive information from that client so so don't just look at the application as well you know depending on the scope maybe the host isn't within scope but if it is at least look at the services that are running on it uh what version of apache is running what version of iis etc are they doing patch management are these vulnerable to some exploit out there that i can now gain an interpretive shell or something like that so don't just limit yourself to the application whenever you're looking at these look at the hosts as well you know also when you're doing the crawling and the spidering is there an admin portal is that available is it publicly facing

you know again cpanel uh is a good example yeah apache yeah like default we found default creds on uh tomcat several times and we were actually able to go and deploy a malicious like the lodnum script the war files and get shell on the host just because they had default credits on tomcat same with uh with cpanel can you brute force that with the username that you found or you know known a known list like rockyou.txt a good password list so just you know just think kind of think outside the box like a guy tim said don't just look at the application but look at the host as well because that will a lot of times you can

leverage that so again we're kind of starting to repeat ourselves a little bit here but uh look for dangerous http methods there have been quite a few times where because of how the application was set up that they had put and delete enabled so we put our own script up there and it actually ran and so we had a shell or we could we could browse directories on the host and things like that so look at those things make sure you document it obviously let the client know and if you're not familiar with like some of these http methods uh nmap uh there's a nse script on there for for testing these so you can see if it's got

debug or put or anything like that enabled yeah it's pretty quick um again we talked about earlier look at the ssl tls settings are do they still have tls 1.0 or ssl3 are they and do they have super like really weak ciphers enabled uh what's their signing you know is it weak signing so you want to look at all these things again all these tools are built into cali too like test ssl um and what's the other ssl ssl check yeah ssl check it out um so there there are quite a few that are on there as well and i know koalas has a website that you can throw on there but be careful about that because the

client might not be happy about you running their website through this so just check with them if you're going to use a public tool like that again look for file uploading features you know brem mentioned before where we were able to upload a malicious files php batch uh perl scripts or something like that so a lot of people don't think about this oh really can you you can do that well yeah you have an upload function on your website just let me upload stuff yeah so let's say let's say that the website you can edit a profile and you can add a profile picture so obviously you have to upload your profile picture well if it

says that jpeg or something are they actually sticking to that are they sanitizing that because there have been so many times where we do let's say if it's pdf upload so we'll do uh like it'll be shell.php.pdf and so all they're looking at at the end is dot pdf but the server ignores that so it actually runs the script and again that's another shell on that host because they weren't sanitizing that file upload so you know you want to look at those things too also brent mentioned uh you know changing it from php.pdf so if you are doing let's say an external assessment or a black box assessment scenario based whatever you know you want to make sure you're

using measures to evade the firewalls antivirus ids ips you know any kind of detection or prevention mechanisms they may have in place and to do that you know one way is to change the file name or the file type another way any kind of obfuscation polymorphic code file extension changing you can wrap you know malicious files and name it a pdf stuff like that so if you guys also are on the defensive side if you see a pdf in there and that pdf's like one page and it's several megs why that's weird so make sure you know why is that that small file small file so big so that's a way to kind of detect that

too and again as we mentioned before methodologies especially if you're new to this uh look at it see what all the best practices are you know for for testing all the areas to look at it's a great way to stay on track don't ever use a tool that you've never used before try something that you haven't tried before on a client site especially if it's production server because if you're not exactly sure what it is and you break something and they come you know call you or panic or come running into the room if you're on site and say oh my god the building's on fire what did you do and then you say uh well

i don't know that's never a good thing so that was a scattered twist yeah just something i just downloaded from anonymous they said it was cool so um you know always always check it out make sure that you know what your tool is doing test it in a lab don't test it in a client environment and then when you are all ready to go and then you go hack some websites so you know so also i want to add to this uh this the practice in the lab and stuff like that some people that aren't pen testers perhaps you have a lab at home and you're testing and you're doing your own thing and you start downloading some

stuff from some torrents and their crack software cracked versions of havage or acunetix or something you start running that on your system keep in mind that a lot of these crack versions of this applications also may have built-in exploits in it too and so you may be thinking oh sweet i'm getting all these awesome hacker tools well you're now also infecting your own system so uh be very careful about using kind of these uh pirated startup software um you know something about kali what's great about offensive security is that they have uh you know they put these tools in here and it's they're pretty safe to use as far as knowing that there's not a rat built

into it or something so i think we have a few minutes left we want to make sure there's time for any questions that you all might have if you're not comfortable asking us then you know please come see us after our talk also if you guys uh think of any questions while you leave feel free to contact us on twitter at rent w design or at zanshin hacks uh look for next because it's late any questions yeah so you guys mentioned a couple of schools well several for obviously web app and testing some for commercial some open source um do you have some that are free open source you would highly recommend like you can't afford

you know burp has the commercial version like the free version in the commercial version so you can use the commercial version but uh oh wasp you know he mentioned xenotex but it's free it's good it's got a lot of features to it so and there is the free version of burp suite obviously it's limited in some of the things you can do but you can get the job done and there's other tools too like different kind of uh infusions that will do uh what the commercial side does but it's it's it's incredible so yeah just yeah it's just a little more tedious so not as convenient

Yeah, so as far as like on the server level, what I know is that in the script it will look for just that file extension, like in, say, JavaScript or something, and so then it passes it and will actually let it upload to the server level. When it's at server level, a lot of times the server will read the file name and then the first extension, and it will still allow it to execute. So does that answer your question? Also, when you're using polymorphic code or you're changing stuff, you want to make sure that it's not actually changing the previous file, the core file, right? You don't want it to change the algorithms or anything like that on there. It's just kind of a mask, so even with the file types, oftentimes you're able to evade it because it's just a mask. You're on a Mac, for example, you change the file type, it'll change the file type, right? But some of this, it'll remain the same as whatever that root file type does. Yeah, kind of like converting it from plain text to like base64 encoding or something like that, so it's still there, it's just in a different... it's broken up a lot.

So how do you find where the file ended up going? So when you do the upload, you want to make sure that all that stuff is running through a proxy, and so you can actually go and see where it sent it to and follow that link to see. I mean sometimes, even if you can't upload it, you don't have permissions to view it; sometimes you do. But if you look at the response and everything that's being sent back and forth, you can track down where it's being sent to. With some stuff too, you can change the file name on the site after you've uploaded it; let's say it has some kind of FTP function or something, you're able to browse it and you can just change it: okay, well, I've bypassed your filtering for the upload of file type, well now I can just change the name because I'm authenticated to your anonymous FTP or something. So yeah, and that's like a really crappy worst-case scenario, if that's... yeah. So yeah, I hope, if you're a client, you don't have that question. A couple things, one is

No, I have, I've used that before; it's been a while. Yeah, but I like that tool too. It's just the things that we use. Have you ever used... is it R-A-W-R? Yeah, yeah, I've heard of it but I haven't used it. I'd say take a look at it; that's a free, open source tool. Okay.

Yeah, and while we're doing questions, guys, if anybody else in here is a pen tester or something, if you guys have any recommendations for some free tools and stuff, I mean this is what these events are for, right? It's knowledge sharing, getting together and just saying, hey, here's what I've done, what do you use, and stuff like that. So make sure you guys are networking; don't just kind of stay in your own little bubble, and talk to us, because we've got our methods but you guys may have some better methods, right? Yeah, if you have recommendations for us, I'd love to hear that, anything that can improve our skill set or time management or anything, help the community. Yeah, please let us know. Anyone else? Cool. All right, thanks guys for listening, appreciate it.