
Attacking OWASP: Exploiting the Top 10

BSides Augusta · 2015 · 43:43 · 180 views · Published 2015-09
Topic: OWASP
Style: Talk
About this talk
Video from BSidesAugusta 2015.
Transcript [en]

Almost there, testing. All right, now I feel cyber. All right, this is ridiculous. Well, thanks everybody for staying out; you guys are the last defenders of our country. So just a little bit about me to start off with: I'm nobody really special. I do work in web application penetration testing exclusively, so I do this stuff on a daily basis, and I look at code and I do static code analysis for a large government program based out of Charleston, South Carolina. We look at probably two and a half million lines of code, and it's an Agile development environment, so we do 12-week releases and we're constantly scanning, constantly updating, using any tools we have. We have carte blanche to use whatever we want to test this stuff to make sure that it's protected. I do enjoy talking about it, so feel free to come talk to me after the show, or feel free to check me out on Twitter. I'm not really angry, I just look this way.

So let's get started. For anybody who doesn't know, OWASP is an organization that looks to improve web application security; that's their thing. They go out and they're doing all kinds of crazy stuff: coming up with new tools, coming up with templates on how to properly secure code, how to attack websites, how to secure the websites. They put out a lot of cheat sheets; they spend a lot of time, for free, to give us the resources to make our applications better. For anybody who's never been out to their site, I highly encourage it. It's something that I'm looking at on an almost daily basis, and one of their most famous products is the OWASP Top 10. It's not really any authoritative list as far as statistical analysis; they don't do breach reports, they don't do, you know, like the Verizon breach report. They just have a bunch of people that sit around and talk about the things that they see on their networks and their applications, and they try and figure out what the best and the worst was since the last OWASP Top 10, which turns out was in 2013. So it's due to be updated soon, but they don't put any dates out, and I haven't really felt a lot of pressure with them putting a new one out, because it never changes. The same top 10 are always the same top 10, and they have been for the past three top 10 lists, and we just keep going on doing the same things over and over, which is where guys like my team come in. We go and we talk to the developers, so when we find

these vulnerabilities, we go back and we teach developers how to fix them on an ongoing architectural basis. We don't just go and fix individual defects; we change the frameworks and we teach them, and we go and talk to individual guys and get them excited about doing security and changing the mindset going forward. So we will... I know everybody's probably itching to get out of here, so I'm going to speed through some of these ones that are a little bit more passive when you're doing an attack. I'm just going to jump right into it. I didn't pick any specific order to do these; I kind of grouped them together in the beginning for some that are more passive. You don't specifically attack some of these vulnerabilities, you just look for them in applications and try and find out, well, you know, I found this weakness.

The first one is components with known vulnerabilities, and Tim covered this a little bit, or a lot. So you go through and you get to know an application and you see that it's using imported libraries. Some of the stuff we look at imports a lot of third-party libraries, and sometimes the developers don't know, don't care, or don't have the time to go out and ensure that they're using the latest version with no vulnerabilities. So as an attacker, look for that stuff. Go through and see if they're using jQuery, if they're using NoSQL. Go through and look, and as an attacker you can find the keys to the kingdom in the libraries that other people are importing. So the application that you're attacking doesn't always have to be the one that was written by the developers of the company you're testing; go through and find everything that's attached to that application and see what you can do with it.

Kind of on the same path, there's security misconfiguration. This is something that we don't have to deal with too much, but in the commercial space you get a lot more people who put applications up rapidly, or it's smaller shops and they may not have a full IT staff to do their Apache and IIS configurations, so they go around and do the minimum effort to get the thing working: we need to get it shipped, we need to get making money or else we're all going home, right? So you can go in and you can find misconfigurations on all the servers, you can find WAFs and load balancers misconfigured, and all that stuff will open the application right up to you. You can find databases exposed to the internet. All these things fall under security misconfiguration, but again, it's not really something that you're going to attack, unless maybe you hand it over to

more of a network pentest style; it's not directly application related.

One of my personal favorites, dealing with medical health systems, is sensitive data exposure. A lot of the things that we deal with, people don't want out there on the internet. You don't want your health data, your PII, your PHI, Social Security numbers, all those types of things out there for Shodan and Recon-ng to scrape off of every site on the internet. So as we go through these applications, the things we look for are what we classify as privacy violations, where sensitive data is exposed in a way that it's not supposed to be. So this covers a lot of different categories of data. One of them is comments, things that are not supposed to be in the application. I've done engagements where I've been through applications and there's comments that just tell me exactly what I need to know to go to the admin page with no login credentials, right? So the stuff is there, but the more subtle side is the things where the application is functioning correctly and the developer didn't necessarily do anything wrong; they're just not protecting it. So if I can go through and do a database call that brings back some kind of subscriber record, and I can just change a parameter to a different identification number and get back somebody else's data, that's kind of the same thing, because then I can set up a script that will automatically pull down every single one and sell it to the Chinese. Not that I would ever do that. So if you have access to the source, make sure you look at that: find all the privacy violations, find anything where there's just information that's not supposed to be out there. But every web application shows you half of the source at least. You can look at all the JavaScript, you can look at all the HTML. In both .NET and Java you can make mistakes where the backend comments get included in the frontend code, so all of your JSP comments, your C# comments, can get put out where nobody needs to be seeing them. You know, have some kind of practice on the blue team side, have a practice to strip your comments out before it goes out. So as an attacker, that's one of the biggest things you need to be looking for first off: view source every time you want to look at an application and get started, because you're going to find lots of goodies.

Moving right along, unvalidated redirects and forwards. This is extremely powerful, because you can get users to execute code very easily in a way that will do anything you want to their browser. So you see this on essentially every single

application that you come across, right? Everybody logs in and logs out, you're getting redirected around, and nobody really pays attention to how many times you're getting redirected. Most developers don't think to secure this type of stuff, but if you don't have control over where you're sending the user, then you don't have control over the application at all, and I can execute any arbitrary script by sending someone a phishing link that redirects them on the logout to my site. So look for these types of things. We've had them on our government systems, and it's a little bit tricky to fix, so developers will skip right over it because they don't want to have to do it. Everybody just puts a, you know... okay, actually, here's my first question: where do you typically see the redirect URLs when you're doing the login, logout, and moving around through an application? What's that? So where do you see it? If you're an attacker and you're looking at an application and you click the login button, where are you going to look to see it? Not quite. The address bar? Right, no, the URL bar at the top, the address bar. You win a notebook. So it's right out there in the address bar for everybody to see, and nobody cares about that stuff, right? But what can you do as an attacker? Just change the address bar, right? Change the redirect URL in a man-in-the-middle or a phishing attack or any number of ways. So it's out there when you see it in the address bar; that is a GET request, right? And how many of you here know the difference between a GET request and a POST? Anybody? Not so. On a POST you're not going to see any of the parameters, so in a POST attack, or in a POST request, if you don't see the parameters, how are you going to send this in a phishing email to get someone to click on a link that you want them to click? So you do a hyperlink, but how do you, if a server is expecting a POST, how do you use something where you can include the parameters in the link? Get-to-post, which is a Python script that takes in parameters on the URL and then creates a form in the browser that is auto-submitted as a POST. You download that Python to do it. Can you win something? So there are other tools where you can go both directions: you can do GET to POST and you can do POST to GET. One of the things I do a lot is I'll go the other direction and do a POST to

GET, so I very rarely see server administrators that will limit the HTTP verbs to only POST, right? They just do whatever is available by default; Apache does POST and GET. A lot of times you can just open up Burp Suite, say "request method", or you can do Mark Baggett's get-to-post and get around this type of thing, so you can still execute the same type of attack without changing anything on the phishing message.

The next one is broken authentication and session management, and this is something that's extremely difficult for developers to get right. For some reason they continually try to just invent their own methods of session management and authentication, and we see it all the time, where people will reinvent the wheel, come up with bad practices and invent their own methods. So how do you find this stuff? What types of things are you looking for as an attacker in session management? One of the worst things you can do is session fixation. So when you're going through, you can do tests for these with Burp Suite, and what you're looking for is: when you go to a web application and you see the session ID before you log in, and then you log in successfully, if you have the exact same session ID, it's called session fixation.
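The two login-flow weaknesses above, the redirect parameter sitting in the address bar and the session ID that survives login, share one handler, so here is an added example (not from the talk or from any product it mentions) of a login routine that closes both: the post-login redirect is accepted only if it is a plain same-site path, and a successful login retires the pre-login session ID. The `SessionStore`, `USERS` table and function names are this example's own constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def safe_redirect_target(target, default="/"):
    """Return target only if it is a plain same-site path, else default.

    Rejects absolute URLs, scheme-relative "//evil" and "///evil" forms,
    backslash variants and control characters, so a phished link such as
    /login?next=//evil.example cannot bounce the user off-site after login.
    """
    if not target or any(ord(c) < 0x20 for c in target):
        return default
    if "\\" in target:                       # browsers treat /\evil like //evil
        return default
    try:
        parts = urlsplit(target)
    except ValueError:                       # malformed, e.g. bad IPv6 brackets
        return default
    if parts.scheme or parts.netloc:         # https://evil.example, //evil.example
        return default
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


class SessionStore:
    """In-memory session table (constructed stand-in for a real store)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)      # CSPRNG, not a guessable string
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        """Invalidate old_sid and move its data to a brand-new ID.

        This is the session-fixation fix: whatever ID the browser held before
        authentication, including one planted by an attacker, is worthless
        after it.
        """
        data = self._sessions.pop(old_sid, {"user": None})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


# Constructed sample credentials. A real store keeps a password hash, not the
# plaintext; the point here is the session and redirect handling.
USERS = {"alice": "correct horse battery staple"}


def check_password(username, password):
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login(store, pre_login_sid, username, password, next_url):
    """Simulated POST /login.

    Returns (new_session_id, redirect_path) on success, None on failure.
    """
    if not check_password(username, password):
        return None
    new_sid = store.rotate(pre_login_sid)    # never keep the pre-login ID
    store.get(new_sid)["user"] = username
    return new_sid, safe_redirect_target(next_url)
```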

So you can go through and start guessing session IDs, and you can start guessing other people's session IDs. A lot of times it's not a cryptographically secure hash; it's just a random string of characters. Other places that you can see broken authentication and session management are password resets and emails, and homegrown crypto, or just poorly implemented crypto. You find this stuff all over the place, and it's really easy to detect. You don't have to be a crypto wizard to see when somebody's using an MD5 with a static salt; it's pretty easy to break.

Insecure direct object references. This is another one that Tim covered a little bit, and this is just grabbing things that you're not supposed to be grabbing, right? Can you go to a web application and grab a document and then just put that in your browser bar and go to it directly, without the application doing any kind of authentication on you? Can you go through and just start randomly guessing the IDs on the documents or the objects you're trying to get to? Can you pull back subscriber records that don't belong to you, or can you execute operations in the application that you're not supposed to be able to? Because people don't secure the, what's the word I'm looking for... yeah, people just don't do a good job of checking to make sure that the object access on the second transaction is secure. So everybody, or a lot of developers, will make sure that when you log in you can see the pages that you're supposed to be seeing, but they don't see that, when you go to do the direct object reference, you have some kind of policy on the second call that this user has the permissions to get that object. So it's very, very common, because it's something that a lot of developers don't think about. If you're authenticated, then they assume that you're already a good user and you're doing the things that you're supposed to be doing.

Another one that pops up a lot in this is path manipulation. If you're supposed to be looking for documents, you know, in whatever, or in images/file, but you can throw in dot-dot-slash, dot-dot-slash, dot-dot-slash, or start working your way out from there, you can figure out where you live on the server and generally figure out where to get to the good things on the server that you want to get to. Path manipulation is very powerful, and it helps a lot with network pentests as well, once you can get to /etc/shadow and stuff like that. With

path manipulation and insecure direct object references, you can get to the point where, if you can figure out what directory you live in on the server, you can go towards uploading a webshell and executing the webshell. If you don't know where you are, it's pretty hard to get back to the webshell once you upload it. So, oh, I just covered that by talking about it. So this is the type of thing where, when you're looking at the source code for an application, the developer is going to go through and just look at the things that they expect. Oh yeah, there we go, there's the dot-dot-slashes. So if you can get to some kind of path manipulation like that, then you can own the server as well as the application.

This is one of my personal favorites, because I like to use it in my daily life, my daily surfing life. Any time application developers do JavaScript access control, it's just game over, right? One of my favorite vulnerabilities that we talk about from our work program is we were able to just cut checks for $224,999, because the developers thought that by graying out a button in the browser, that operation was secure, right? So what do you do, how do you test that as an attacker? You open up the JavaScript console, the developer console. Every browser has a way where you can just go in there and say... I think I have another slide for this, yeah, so you can just go in there and say, from "enabled is false", change it to "enabled is true", right? They didn't change anything on the back end; the method is still wired up, and it still is going to cut that check for $224,999, right? And the reason why we limited that is because we knew that at 25,000 I was going to have to send two phishing emails to get the check cut and the second approval, right? So I only wanted to send one, so we capped it at $24,000. So we see this all the time. I have accidentally left Burp Suite open and surfed the internet and seen things where I could, you know, just say "enabled equals false", something you can do. Somebody was talking about paywalls a little bit earlier: when you go to New York Times paywalls, you can just open up your JavaScript browser console, disable the JavaScript functionality, and get to whatever you want to do, because all of that is handled in JavaScript. So that's something that is on the entire internet, and that's a really easy way to practice, because you're not really hurting anybody until you submit, and then it's illegal and you're going to jail.

So this is another one of my favorites, and this one can get a little bit tricky

to talk about, because it involves having your own server set up so that you can do some reflection, and maybe doing some phishing, but it's an extremely powerful attack. It's kind of gotten popular in the last couple... in the last year or so, I don't know, but you can make a lot happen with cross-site request forgery. What happens here is the user has to already be logged into the application. So the user logs in and they're having a good old time doing their daily reports and whatever it is the users do, and you see you have the bad guy there, because he's wearing a black hoodie.
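The standard defence against the cross-site request forgery flow introduced here, as an added example that is not from the talk: the "approve a check" handler honours a POST only when it carries a per-session token that a page on the attacker's server cannot read, so the session cookie the browser sends automatically is no longer enough on its own. `SERVER_SECRET`, the form markup and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed: one secret per deployment


def csrf_token_for(session_id):
    """Derive the form token from the session ID (HMAC-based double submit).

    The token is unique per session and unpredictable without SERVER_SECRET,
    so the attacker's page, which only causes the cookie to be sent, cannot
    produce it; nothing per-form has to be stored server-side.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(),
                    hashlib.sha256).hexdigest()


def render_approve_form(session_id):
    """The legitimate page embeds the token in a hidden field."""
    token = csrf_token_for(session_id)
    return ('<form method="post" action="/checks/approve">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Approve</button></form>')


def approve_check(session_id, form, ledger):
    """Simulated POST /checks/approve.

    session_id is what the session cookie identified (the browser attaches it
    to every request, including one triggered from an attacker's page); form
    is the parsed POST body. Appends the amount to ledger and returns True
    only for a request that carries the matching token, else returns False.
    """
    supplied = form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(supplied, expected):
        return False                     # forged: cookie present, token missing
    if "amount" not in form:
        return False
    ledger.append(form["amount"])        # the server-side action stays as-is
    return True
```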

So the user gets a phishing email message, and the phishing email message goes towards the bad server, right? So instead of mysite.com you're going to my.com, and the attacker already knows a little bit about your application, so they know something that they want to happen, right? They have a goal. This is more of a targeted attack; it's not an accidental drive-by. A lot of times it's included in watering hole attacks and things where they know a little bit about the environment, and they know a little bit about the people that they're trying to get after. So when they get phished, they tell the user's browser to execute something on the original application. So since they're already logged in, they're clicking that link, and maybe the bad application has an iframe or something like that, so the site's mirrored; they do some redirection and it goes back towards the original application, and again they're cutting checks for $25,000 with the permissions of the originally logged-in user. So when you're doing your incident response on the server side, you're just going to see a normal call coming from that user who has those permissions, and they're going to be explaining why they're doing those operations. Something that's super powerful, and you hear a lot about it in some of the recent attacks.

Cross-site scripting. Everybody talks about XSS, right? It's everywhere, it's always happening. The web is so complex, and, you know, Web 2.0, that XSS is everywhere, and even Jass can do it. So what happens with XSS is people will take a piece of the website, take a form submission, and change the form submission to do something that the form is not normally supposed to be doing. So I'm going to try and flip over and do my demo here. So what I want to do with cross-site scripting is inject some other type of code into the form submission so that I can get it to do what I want to do, and there's two main types people talk about: there's reflected and there's stored. I'm going to show you guys some reflected, if everything works for me. What's with the draft? I missed that, I catch everything else. Draft database, it's just stupid. No, about half of those arrows I put on

there. Oh, I know what I need to do, hold on, I'm making my VM show up so you guys can see what I'm doing. Maybe.

So okay, we're going to move on a little bit while I'm doing this. With cross-site scripting, one of the things that I'm going to show you as soon as it's working is I'm changing the way that the web output works after it hits the server and comes back. With reflected XSS it has to hit the server first. One of the things you see happen a lot with junior testers is that they'll do something in the JavaScript console, and they'll get the XSS to pop up in their own browser, but did it actually hit the server and come back, right? In order to make this work there has to be a reflection, so when you just make it pop in your own browser, all you did was XSS yourself, and you're not actually hurting anybody.

Why is that not showing up?

There we go, 20 minutes later. So I'm using Mutillidae for this, because I'm not going to jail for you people. So this is an application, and I choose to use it on the SamuraiWTF framework. That's kind of like Kali, but it's more specifically built for web pen testers, so it's got all kinds of good stuff for learning how to do web pen testing, and it's all free. One of the reasons why I like this one more than others is that it's got different levels of security and different levels of other tests built in. So I can go through here; right now hints are enabled, so I'm going to shut the hints off, but you can go through here from an extremely basic level and say, I want to go to the OWASP 2013 Top 10, and I'm going to try cross-site scripting, and I want to look at the absolute most basic XSS available. So they have a form set up where you can try and figure out what's going on. So some of the things you're looking for, and I want to show you the whole process here going through this, is: where does this come back when it works correctly, right? So if I'm just using this, and I think this is going to fail because I don't have any internet, but if I'm using this correctly, what happens when the site works right? What I'm looking for is where that reflection comes back in the web page response. Now, because we don't have any internet here, Google's not going to resolve and we're not going to be able to see what happened, but imagine in your mind that we just got an IP address back and it shows it on the page when you do this with an internet connection. So the first thing I'm going to do is right-click and view page source, and I'm going to find the area, this one happens to be at the very bottom, I'm going to find the area where it shows the output that I was looking for from the correct form submission, right? So I'm going to see the HTML in the source for where the form response comes back. So when you're doing this, you're going to look for, like this, "this location contains dynamic output". So you're going to look for the stuff on the page, and it's going to match what's in the source, because it's just HTML. So now you've got to figure out: how can I break that HTML in the middle and insert my own code and make it do what I want to do? How am I going to change the script that's executed on the site? So for example, we're going to close that window and go back here, and I'm going to do a

string that I know works, for the sake of a better demo, and I don't want to type all that out and get it wrong. So what I put in here is an HTML image tag with a source of X, which is not a proper image source, right? So it's going to fail, and a script tag of onerror alert('xss'), and we use this because it's an extremely quick way to demo the fact that the script works, right? So we know that this works because we got the XSS, but like Tim was saying, we're looking for more impact, because if you're showing this to the business leadership and they're saying, great, so you can put a popup on my screen, there's zero impact. This is your quick test, but where do you move from here, right? So what other types of actual impact are you going to be able to show leadership to get something out of this? So another good quick one is to use kind of the exact same thing, but instead of just a basic string, document.cookie is another quick one, and this is going to give you your session ID and anything else; a lot of these applications use some really critical stuff in the cookies. So taking this as one small step forward, it's still just a pop-up box with some stupid data in it, but where we're going to go from here is you get your site back up and you can do the phishing emails that will send that URL, somebody clicks on it, or you do a phishing campaign and you get a hundred people to click, and then you've just got information on 100 users in the company. The next step is to start breaking into the browser exploitation tools, BeEF, the browser exploitation stuff, where you can actually control the browser, because if you can control the browser through JavaScript you can do literally anything. You can do time travel with JavaScript. It's just very hard to demo it quickly when you're doing the little test.
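The reflected XSS demo above comes down to two questions a defender can automate: where does the submitted value come back in the response, and does it come back encoded? The added example below (not from the talk or from Mutillidae) renders a constructed stand-in for the DNS-lookup result block both the vulnerable way and with HTML-entity encoding, classifies the reflection, and shows the `HttpOnly` cookie flag that keeps `document.cookie` from handing over the session ID. All function names and the sample markup are this example's own.

```python
import html
import re

PROBE = "<img src=x onerror=alert('xss')>"   # the demo's test string


def render_lookup_unsafe(hostname, resolved_ip):
    """Vulnerable: request input is concatenated straight into the HTML."""
    return ("<div>Results for " + hostname + "</div>"
            "<div>Address: " + resolved_ip + "</div>")


def render_lookup_safe(hostname, resolved_ip):
    """Hardened: entity-encode everything that came from the request.

    html.escape turns < > & " ' into entities, so the browser renders the
    probe as text instead of creating an <img> element with a handler.
    """
    return ("<div>Results for " + html.escape(hostname, quote=True) + "</div>"
            "<div>Address: " + html.escape(resolved_ip, quote=True) + "</div>")


def find_reflection(param_value, response_body):
    """Classify how a submitted value comes back in the response.

    'raw'     - reflected verbatim: markup in the value would be live
    'encoded' - only the entity-encoded form is present: inert
    None      - not present at all: this is not a reflection point
    """
    if param_value in response_body:
        return "raw"
    if html.escape(param_value, quote=True) in response_body:
        return "encoded"
    return None


def contains_active_handler(response_body, handler="onerror"):
    """Crude tag-context check: an event-handler attribute inside a real tag."""
    pattern = r"<[^>]*\b" + re.escape(handler) + r"\s*="
    return re.search(pattern, response_body) is not None


def session_cookie_header(session_id):
    """HttpOnly keeps document.cookie from reading the session cookie;
    Secure and SameSite limit where the browser will send it."""
    return ("Set-Cookie: session=" + session_id +
            "; HttpOnly; Secure; SameSite=Lax; Path=/")
```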

But what if you're not looking at a single-submission web form? Some of the stuff that we see a lot is Ajax sites that have multiple submissions over and over again, because they're always doing stuff on the back end, and so where do you go from there for web pen testing? That's where Burp Suite comes in. Burp Suite, for anybody who hasn't heard of it, is a browser proxy testing tool, so everything I've been doing now is going through this proxy, and it can see every request and response before it gets sent out to the server. This is a free tool; there's a pro version for $300, but if this is something that interests you, make the investment and get the pro version, because it adds a lot of functionality that's maybe rate limited in the free version or unavailable in the free version. But for the basic testing stuff I'm doing right here, this is all free. So all of these tests, the screen is tiny, show up in the capture here. So what we're going to do now is we're going to look at another XSS vulnerability here. I'm just going to go straight to the URL. Oh yeah, so maybe you're looking for Mark Baggett tools on some website that gives you a list of pentest tools, right? So this one doesn't have a form submission where you can put anything in. Developers tend to think that because it's a drop-down box it's somehow more secure than a text field, which is not the case, right? Anything that you can do prior to submission can be altered. So I just chose an Expose, and it brings back the information that it has in the database about an Expose, and so we want to see what Burp Suite caught, right? So Burp Suite caught tool ID equals 7, which is kind of meaningless for us, because we don't want to just put a bunch of numbers in there and get the information that they already have in there, right? So that's when you start fuzzing it with special characters and you see how you can get it to break. Now I'm not going to sit here and type all this stuff out, but what you see is, by putting a double quote in there as the first character, you get some special circumstances. So the cool thing about Burp Suite is it will stop the connection midstream and allow you to change things. So I want to see what Hailstorm

is. I'm going to turn intercept on in Burp Suite and look up Hailstorm. Now this is going to sit here forever, because Burp Suite is over here waiting for me. So my proxy intercepted this, and I can change this value to be the string that I know works, right? And so when I'm doing this process, it is a lot of testing and getting it wrong. I go through this wrong a hundred times before I find the one right string, unless it's one of the lucky ones. If I go out to the XSS cheat sheet put together by RSnake, there's like a thousand different tests on there, so you can put the tests in and kind of get stuff back until you find one that works. And so you forward that, and it gets sent out to the server and comes back with your XSS popup, right? So you can do that exact same process on Ajax applications that are doing these calls on the back end, and you can do them directly with application calls that don't have to go through the web form submission first. If it's done in JavaScript, or if it's calling different forms that are on the server, you can call those JavaScript methods directly without actually submitting the web form. So you can send those out in phishing campaigns, and you can send them out in other types of attacks.

So that brings us to my personal favorite, which is darkness, there we go, which is injection. SQL injection. SQL injection is not the only kind of injection; any time you can get code into the middle of somebody else's code, that's injection. So it happens with HTML, it happens with JavaScript; SQL is just the most talked about, because it generally has the most impact for breaches in the modern world. So you can get anything you want out of the database, you can put anything you want in the database, you can attack the operating system through the database, all through the magic of SQL injection. When you're doing this you don't have to be a wizard DBA, and you don't have to sleep dreaming about PL/SQL. As you go through the process, when you go to every website, and you can do this on... I do not recommend doing it on internet sites, because you don't want to go to jail, but start with Mutillidae, start with Metasploitable, work on learning what it takes to find SQL injection. The first thing you do every time you go to any web form, when you're messing around with this stuff, is just put a single quote in and see if you can get error messages

back. So if the application is giving you error messages, it's going to give away a lot of the stuff that you need to know about what happened, right? So these guys aren't suppressing any kind of errors on this site, on purpose, because it's a training tool. You might not always get this, but you typically get a lot of this; you'll typically get some kind of failure, you'll see that MySQL returned an error message, you'll see that things are broken, and you can get information from that. Every bit of information that you can get from this failure gets you one step closer towards successfully executing the SQL injection and using sqlmap, right? sqlmap is an amazing tool for doing this stuff, and we'll come to that in just a minute. So once you learn some of the basic SQL injection strings, there's basic ones that you always do as your first test. So yep, they're just magic. So like, I know that I don't have a valid login to this website and I want to see if this works. So the first thing you do: everybody always makes an admin account, right? Like, you stand up a web application and you're like, well, we've got to have some kind of admin, and so you put an admin in there, and you just know that this string is going to be the magic one: single quote, space, I'll do it over here so you can see it, single quote, space, or 1 equals 1, dash dash. Now when I do this the first time, I think it's going to fail. Let's see, for once I'm hoping my demo fails. So it did. So for a copy of Black Hat Python, who can tell me why that magic string failed? And I'll bring it up again right here, right there at the bottom. Nope. Close. Nope. Right there: missing a space at the end. Boom, yep, it's missing a space at the end. This is your book. You've got to have a space at the end when you're doing this, because it's a comment, and something has to be in there to start the comment. So if I do this exact same thing, that's where I stopped last time, so you add the space and go right back over here. It still doesn't work. Oh yeah, I did, that was the user list. So this just dumped out everything in the database, right? So I really wouldn't do a lot of this manually when I'm doing a normal test, because I don't want to be sitting here typing out attempted database strings over and over again. I'm just going to go straight to sqlmap. So again, for the purposes of

expediency, I've already done some of the work ahead. So we know that that's our website, Mutillidae; they have index.php, login.php, and because they're using a POST and not a GET, we're going to use the data section. So if it were a GET you could put it all in the URL, just the normal parameters broken up, you know, after the question mark. But so we're going to do it like this: submit button, the button is login, because that's what the form requires, and then we're just going to ask for the banner. So sqlmap is going to go through there and give us a whole bunch of stuff, because it can do it infinitely faster than I can, because I'm a terrible typist. So we got the banner: we know that it's running on Linux Ubuntu, it's Apache 2.4.7, and our DBMS is MySQL. But that's kind of boring, so we want to go for, you know, you can start to work your way out from there: find the current user. Running as root at localhost; it's probably not a great idea. This is going to run for a while, and I'm going to kill it, but you can just start dumping the entire database out, and since we're running as root it's going to get everything that root can get, permissions-wise, so all the schema, tables, and everything that you could possibly want. But some of the more fun stuff with sqlmap is using the command shell stored procedures. So you can send shell commands to the OS through a stored procedure inside of every backend database. A lot of them have them disabled now, but thanks to the magic of SQL queries you can just re-enable the stored procedure. So if you can get SQL injection to begin with, the only way that a really good DBA can disable the command shell stored procedure is to remove it completely, so they would have to know a lot about defending databases to specifically go in and remove the command shell stored procedure. You can upload files from here, so if you can get SQL injection, and maybe you can't get the kind of stuff you want, or if you're just looking for a bounce point as an attacker, you can upload your web shells. You can create any kind of file you want; it's all done through file creation as opposed to an upload process, so you have to upload the text directly to the file. It's extremely powerful, and, you know, lots of breaches. So let's go into our questions section. Does anybody have any questions before we start asking you questions?
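The login query behind the SQL injection demo, as an added example that is not from the talk or from Mutillidae: the vulnerable version builds the statement by string concatenation, which is exactly the shape the `' or 1=1-- ` string breaks, and the hardened version binds parameters so the same input is just a username nobody has. It runs against an in-memory SQLite table with constructed rows; the trailing-space lesson from the demo is a MySQL rule, noted in the comments, and the table, credentials and function names are this example's own.

```python
import sqlite3


def make_db():
    """Constructed sample accounts table (plaintext passwords only for brevity;
    a real application stores password hashes)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("admin", "hunter2", "admin"), ("bob", "s3cret", "user")])
    return db


def login_vulnerable(db, username, password):
    """Returns the matched username or None. DO NOT USE: concatenated SQL.

    With username = "' or 1=1-- " the statement the database sees is
        SELECT username FROM accounts WHERE username='' or 1=1-- ' AND password='...'
    and everything after -- is a comment, so the first row (admin) matches.
    MySQL only treats -- as a comment when whitespace follows it, which is why
    the demo's first attempt without the trailing space failed; SQLite does
    not need the space, but the query shape is identical.
    """
    sql = ("SELECT username FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Same check with bound parameters: the input is data, never SQL text."""
    row = db.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


def statement_as_sent(username, password):
    """Show the exact statement the vulnerable path hands to the database,
    which is what an error page leaks when errors are not suppressed."""
    return ("SELECT username FROM accounts WHERE username='" + username +
            "' AND password='" + password + "'")
```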

No? I was that good. All right, so, ready for some trivia questions? You got some? No, I've got... all right, so our first: what was the name of the web application training tool