
All right. I'm Andrew Freeborn. I want to thank everybody for coming today, thank the organizers and sponsors, and thank you guys for being here as well. So today, I'm Andrew Freeborn, I work for a large bank in Omaha, Nebraska, and we're going to talk about intro to web app testing with Mutillidae. I picked this talk because I thought it would be pretty interesting to show a lot of OWASP projects, and kind of what I hear from peers, at least back in Omaha, as far as "how do I get into web app testing, how do I test websites, is it some kind of magic, what do I do?" It's not really magic, but not knowing how to get into it makes it kind of hard to get into.

So today we're going to cover: what is this Mutillidae, tools for the job, some techniques that I've learned from and refer to for learning and growing, learning with Mutillidae, a demo, and some links and Q&A.

So Mutillidae is an OWASP project. OWASP, if you're not familiar with them, is an open source based organization. They promote standards, applications, projects, and they really help to promote knowledge within the community and help us all grow as a community. And so one of these projects is Mutillidae, currently maintained by Jeremy Druin. His Twitter handle is @webpwnized, and he is very active. He's always adding new features that we see in the field as far as new vulnerabilities, so it's constantly maintained with new techniques and vulnerabilities. And it's an intentionally vulnerable website. So one of the problems of learning and trying to test and get access to these kinds of applications is, you know, how do I test, where do I need to go? So Mutillidae is an intentionally vulnerable application, a website that you run that has all kinds of vulnerabilities, and with that it's very pentest friendly. So I know that I can drill down to certain vulnerabilities and focus on those vulnerabilities, and that helps me to focus and learn and grow, say with SQL injection or broken authentication. And being an OWASP project, there's emphasis on the OWASP Top 10 2013, even back to 2010 and 2007. But it's not just OWASP; websites aren't just "oh, it's OWASP." They have focuses on web services and JSON attacks and XML, and these are things that we see all the time for different applications, no matter your vertical or where you're at. And with that, it's very quick to set up and highly accessible.

So, the tools for the job. It doesn't really take much to run this application. If you have a relatively newish computer, you should be able to install something like VMware Player or VirtualBox or Hyper-V, or even run it on your host OS. It's an Apache website, so it's pretty easy to drop in and go. If you want to install it, 30 gigs is more than enough space; I'm running it right now on 12 gigs of space and four gigs of RAM. On your laptop or whatever box you may have, giving it a gig is well enough for this application. Of course Mutillidae, since it's OWASP, open source, it's currently on SourceForge and GitHub, so you're free to pull it down, look at it, take it apart, add things for your organization, or even email back Jeremy and say "hey, I've seen this vulnerability, can we talk about maybe adding this in," or "I see this bug." I've found bugs, talked with Jeremy and gotten things fixed up, and you push it back out to the community so everybody's benefiting from those kinds of experiences.

And so one popular way that I've found of using Mutillidae is using it with the Samurai WTF Linux distro. It's a live CD, or you can install it, and the WTF is for Web Testing Framework. Samurai has not only Mutillidae but DVWA and other tools, and it's kind of like a Kali but more for web testing. So Kali is more offensive, but Samurai is more for having an enclosed system with tools and applications you can test, and having a closed space you're not worried about going out to the internet to attack, or to something internal to your organization. And with Samurai there's the OWASP ZAP project, similar to Burp Suite, but of course there's Burp Suite Free on there and other open source tools and free tools as well. So if you don't have it on Samurai you can also put it on your distribution or your OS as needed.

So, techniques for web testing. It's really super fun to point automated tools and find SQL injection. Well, there's a time and place for automated tools, but there's also a time and place for manual testing as well. Both kinds of tools are very helpful. Automated tools really give you the lay of the land and help you to identify, okay, based on these automated scans I've seen that there are these SQL injection vulnerabilities, there's broken authentication. But if we just leave it at automated testing, what do we really learn from that? If I go to my boss and say "hey boss, I found 84 SQL injection entry points," he's going to say "great, we're going to be so awesome with those developers." Well, he's going to say "you tested it, right? You validated that they're actually SQL injection points?" Well... no. So how can I actually test that? How would I know? Do I use SQLmap, do I use manual testing, do I use these other tools? So there's a time and place for automated testing, and there's also a time and place for manual testing and validation of these actual vulnerabilities that we find. But how do I test that? How do I just go to google.com and start doing SQLmap or these other injection attempts? Well, Mutillidae helps answer that question.

And also with these processes, we need to make sure that, okay, if I do these tests, if I'm looking for vulnerability A, B and C, how can I do a repeat of that test? If I go back to the developer, "oh yeah, we remediated this," okay, let's test again, A, B and C. Well, if I skip B, or if I don't know about B... I need to make sure that as a web app pentester I'm being consistent, that you can put out a product that's consistent, and I know that it's going to be covered for all the tests I should be looking for.

So of course OWASP, being a body of standards, well, not a body of standards, but an open source repository of much goodness, they have a testing guide. Version 4 is currently out, and in version 4 they go through the Top 10 list. They go through, not really a step by step of "how do I test SQL injection," but saying: SQL injection, this is a vulnerability; for exploring SQL weaknesses this is how you would test that, this is how you would also test this; popular ways to do cross-site scripting attacks with encoding, double encoding. So using that as a framework for your organization, using that to help refine your organization's policy for testing, really helps to make sure that, okay, our policy has this, but I've seen in the wild, from the Top 10 and from PCI, they recently put out new guidance. Depending on your vertical and your audits and how you're reporting, you might need to use things from PCI or NIST or even pull from OWASP. So using these techniques, it's not really prescriptive, "you must do this, you must do that," but definitely adding these things from all these different kinds of standards helps make a more holistic approach to your testing procedures, so you're having more coverage and making sure you're catching things as they grow and evolve in web technologies.

So, learning with Mutillidae. Step one, tools, got it. Step two, techniques and procedures: we've got the OWASP Top 10, we have the testing guide, now we have Samurai up and running, Mutillidae is running. Step three, kind of shaky, not really too sure what's going on there. Step four, profit, we're highly paid web testers, woo! No, it's only that easy, right? So how do we actually learn with Mutillidae? As I mentioned earlier, the vulnerabilities are broken out, so say, I can't remember offhand, I should have... Jeremy just put out a new vulnerability, I can't remember the new vulnerability, but I want to test this, I want to see, okay, I see this new vulnerability in the wild. I don't really want to go to testfire or some application and kind of hope that this vulnerability is there and exploitable. So with that, I want to refine my craft against XSS or broken authentication or SQL injection, and the application, the website, is very good at helping you go to the vulnerabilities that you want to test and trying to help you understand. It'll go to the web page, but it's not like "here's a web page, figure it out, Google it," right? No, it has different hints and walkthroughs. So if you already kind of know what you're doing you can try testing; you know it might be vulnerable to XSS or SQL injection or a multitude of different vulnerabilities. But at the very top, as we'll see in the demo, there are hints, you can do walkthroughs, videos, and so it really helps break it down for the person who's not familiar with all these kinds of things. What does it take? Do I need to Google, do I need to go to this, do I need to buy that? There are things that are helpful as far as books and videos and walkthroughs, but this helps to be an all-in-one solution, not an all-in-one solution, but it helps the user as much as possible understand these vulnerabilities and how to exploit them, and exploit them safely in an environment where they're able to test these things and learn from them.

All right, so I'm going to try to do some demos,
hopefully. And I just have, well, my machine has VMware Fusion with that VM, but I just have the stock Samurai 3.1 distribution installed on my machine, and so by default an older version of Mutillidae is installed on there. But the current version right now is 2, I can't read that far, .6.19, and so that's a continually evolving environment. To benefit most from this you definitely want to get the latest version, and basically just drop it into the www directory, or depending on where you're hosting your apps at. But there's all kinds of documentation and videos online showing how you're able to update Mutillidae.

Things we want to go through: so as I mentioned, let's go through some... I'm [Music] currently, I'm in Chrome, so let's... all right. So on the left hand side we can see here we have the Top 10 for 2013, 2010, 2007, web services for SOAP and REST, HTML 5, and XML and other kinds of vulnerabilities, not really specifically for the Top 10, but definitely things we've seen in the wild that we want to learn and grow from. Documentation, and he's great about doing different kinds of things. Real quickly I just want to see, if you put in here, what he added... yep, so the recent one that was released, and I don't want to say widely known but still out there, is the path-relative style sheet injection. And so these kinds of things, if we don't know about them we can't test. So having a very well supported community and having these kinds of applications, we can test this and know, okay, this is how I test this, and I can go back to my developers and say "hey guys, geez, you guys really need to stop, knuckleheads, you really need to fix it."

So we can browse through here, we see all the different kinds of attacks we have to test with, and we'll just go on down to cross-site scripting, we'll go to reflected first order, and we'll just do a DNS lookup... sad face. That was me today, I was working this morning... it's not with me today. What's that? It might... no, it shouldn't need to... no, let me try, just see if I can get to... all right. [Applause] This is really slow. All right.

All right, so here we go, cross-site scripting, go. Don't quite know what to do? So up here you can kind of see, here it says Home, Login/Register, as you would for, say, a bank or any kind of authenticated website; Toggle Hints, Show Popup Hints, Toggle Security, Enforce SSL, Reset the Database, and Show Log. So the initial state for Mutillidae is very simple to pop in various ways. You don't want to have, you know, the level five strong government security clearance protected website for trying to learn; you definitely want to have the easy approach to learn different vulnerabilities and not be discouraged, or say "oh, this is too hard, I can't figure this out." You definitely want to have the ability to do these kinds of things and build upon what you learn incrementally to do the more complex and more intense set of attacks.

And so with that we'll go through a few attacks here. I can go ahead and show the hints, talk about hints, we'll see if it pops up. So while we're waiting for that let's do some lookups: localhost, lookup DNS. So it shouldn't be too hard to do these different attacks. Unfortunately I can't really show the different vulnerabilities as quickly as I would like to, but as soon as you hit Show Walkthroughs you'll see all the hints, as I mentioned earlier, with the things you can perform, how you would do those kinds of things, and why you would want to do certain things in certain situations. For example, for cross-site scripting there are a lot of built-in mitigations for different web browsers, so if you're testing a website and you're probing a website, Chrome might be blocking it, but this will be vulnerable. If I'm testing with Firefox it is still vulnerable, but Firefox says "oh, let's show that alert popup box." And so you need to keep in mind as well that it's not enough to just test through Chrome and call it good enough. I mean, IE, a really sad tool, is still a valid tool to help test things where you wouldn't find protections as you would more in Firefox, but even other browsers, like Mantra through OWASP, help to show that if your client side tool isn't catching and protecting you, it's still vulnerable if the user is on some kind of other browser or intentionally trying to exploit the application. So it's still a deal to show and do testing through different kinds of web browsers and show them how they can be potentially exploited.

So if I'm new to the business, I want to say, I have heard a lot about this XSS test thing, sounds pretty sweet, so I want to go to this web page as we're at now, and we'll click on cross-site scripting hints. So now I have a lot more information than when I started. When I first came here I just had a text box and a button, I had no idea what to do; I could do ping 8.8.8.8, ping Google, great, but I didn't know what I needed to be doing next. And that's part of the problem as far as learning how to do web app testing: you don't know where you need to go with this. And so in here we have all this documentation built into the website itself. It's not pulling it off through Google; my adapter is down, so I'd have to wait for Google to pull up a web page or a Wikipedia article. I have all the information here built in, so the user at their own pace can learn from these kinds of things and learn, "oh okay, so that's how I do the attack, I pull some JavaScript, do some JavaScript, and I pop a box with XSS, that's how I get that to work." And if it's going to work for me we'll do some of those here, but as you can see it goes very well into depth, and many other pages have this kind of documentation and built-in help inline, so you don't have to worry about "oh, Google has to come back" and chasing down rabbit holes. It's all right there with you. And everybody learns differently. I learn from reading, other people learn from videos, other people learn from doing, hands on keyboards, and so this way it really does help as best as possible integrate all those different learning methods into one scenario. And with that there's also a YouTube link, so, as I said, I don't have network on right now, but if I were to click that link I would get a link showing me how I would do an HttpOnly cookies attack with cross-site scripting. Jeremy does a lot of narration for these videos; he goes through and explains to the user, not really in a condescending manner, but he's really passionate about this project and wants everybody to learn from this and from Mutillidae and what it can offer to the community, and help us as a whole, developers and testers as well, to really be able to learn from each other from these kinds of attacks and how we can better ourselves and our applications.

And so, command injection. So let's try to see if we can get good magic here. All right, try to ping a localhost, and with any luck we should see below that a lookup for our localhost. That's important to show that this is a user generated field, so the user has full control of what they put into this field. It's up to the developer, not necessarily the web browser, to protect against and sanitize the input of what the user is putting into that field. So host could be google.com, an IP address, and from here we would see that we get a return field of the... all right, got something. So we see it has timed out, no service could be reached. Great, so that's fine, that's what we want to see, right? We want to see these entries of data when you look up DNS, and we get the server returning back some message, so we know that somewhere in this application, when I put this information in, it's going out and doing some kind of DNS lookup or some kind of command. So it's talking to the host OS, doing this lookup, and returning it back, and who knows what kind of sanitization is performed on that user's input to perform this lookup. So we would expect that, you know, the website author is like, "oh, people will just enter google.com or an IP address; no one would ever do attacks that would help compromise a website, I mean why would anybody do that, that's not fun at all." So we can see also as well on Firefox that we have that same field returned back.

And so now I've entered in a basic cross-site scripting attack, and so we wait patiently, so patiently, for what has to come back to us. So Chrome... alert box up to date... returned that, all right. I don't know what happened. So with that, the attack went through, we didn't get any kind of errors, we didn't get any kind of feedback, the attack went through. However, comma, Chrome, being that it is Google, "does no evil," kind of, sometimes they also protect the user from these basic attacks. So we can see that we tried our JavaScript, we tried to generate an alert popup box, nothing happened. Firefox, a little different. So we can see Firefox returned 1; we were able to, where there was no sanitized input, put through JavaScript, and we can see a 1 popped up. It could be, "oh great, I see a 1, that's not a big deal, right?" No, but just to go back to the point of testing various browsers: if I were to do my test through Chrome, looks good, no popups, right? But through Firefox, obviously that website is still vulnerable. I mean, depending on your tools you still may have caught that, depending on what was run or what happened, but still it's important to note that it's not just "you do one tool and go through," and even automated tools have their manual testing methods as well. So it's very good to have multiple sets of tools on the same product, testing the same procedures and methods, so you're being consistent and making sure you're having great coverage to show that you're actually testing and not just, you know, running and gunning with what you need to do to get that test out of your queue.

So we'll go through, and this is Google again, so we'll show... we'll go through a second order of reflective attacks. And so Mutillidae, so helpfully, has a log of everything that the user puts into the application, so as you can imagine we'll probably see our 127.0.0.1 or local IP address for our localhost, and we'll also see the script tags we pushed through on the input. However, comma, it depends on how the website handles the user's input. So while we let that spin up, it's spinning up, all right, we'll do the same in Firefox. Browse slowly. It's like Jurassic Park, "I know Unix," she goes through... it's like, all right, slowly browsing through, we have dinosaurs here. All right, so wait for that to load.

There's a lot of different projects that we have available to us. So as I mentioned, you know, big deal, we had a 1 pop up, who cares, right? So there's a lot of different vectors of attack that can happen through cross-site scripting. Now if I were a bad guy, I'm a tester, that's what I do, I would try to say, okay, I can get that 1 to happen, what if I were to pass through that attack, you know, modify it, not alert box 1, but if I try to do a hook? There's a project called BeEF. BeEF is a great project, open source as well, and so with that, if you have an in with cross-site scripting, you might have an in to hook that user. So, trying to quickly summarize that, BeEF allows you to inject payloads into various different scenarios. One of them is cross-site scripting, and so rather than pushing through alert 1, I put in this JavaScript that pops and loads. So this user browses this website, I inject in through various methods, I pop in through this hooking JavaScript, so the user doesn't really understand what happens; it might be a popup, maybe nothing happens at all, but now on the backend, as the attacker, I now have control of that user's PC. I've exploited the website that the user browsed, and now I can exploit through that in different ways, and from there can retrieve credentials, tokens, any number of things. So through the simple alert 1 I've compromised that to compromise the user, and potentially the website itself; there's a number of ways to be compromised. And so while it may seem trivial that a 1 popped up, it's really not trivial at all.

So as we saw with that DNS lookup, we entered in our input and received out nothing, but we browsed to this log, and this log shows all the user's input that was entered through various means, and so Chrome didn't help us this time. And again, through here, we just browsed to the website; we didn't do anything at all, we just browsed this website. If I passed this URL to you, boom, it's going to pop up a 1, or it could be a BeEF hook. So we need to be careful that we poke around with different tools and different pages and try to be as comprehensive as possible. So Chrome popped up, popped up from my other side, from Firefox and Chrome, and here we can go to Firefox, popup, we expect that, and it pops as well. So just browsing the website is a compromise, not even doing anything at all.

So it really is a great way to help learn and to grow. You might not have known how to do these kinds of attacks, but through this platform it really does help the user to learn and grow and test on themselves. Because it's hard, you know, I don't want to go to Amazon web cloud, I don't want to do all this and blah blah blah. It's very simple as a live CD even, to spin it up and do a little bit of testing or just play around. There are no cops, there's no, you know, having to worry about anybody seeing you or being worried that you're going to do it wrong. It's just a VM, all enclosed. You can certainly give it internet access if you want to do different things, but no network access is necessary, and from here you can do all kinds of testing that you need to do.

So let me try to tab over, slowly.
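The DNS lookup demo above makes two defender-side points: the user's input reaches a host OS command and then comes back into the page (and into the log page), and a browser's built-in XSS blocking is not a server-side fix. As an added example, written for this edit and not code from the talk, from Mutillidae or from Samurai, here is a small Python model of that lookup handler in the vulnerable shape the speaker describes next to a hardened one: an allow-list check on the hostname, the command built as an argv list with no shell, and HTML escaping at output time. The same output-time escaping covers the stored log page, because the log keeps raw input and is escaped only when rendered. Every sample input, the function names and the use of `nslookup` are constructed for illustration.

```python
import html
import re
import subprocess

# Constructed sample inputs (not taken from the talk).
SAMPLE_INPUTS = [
    "localhost",
    "127.0.0.1",
    "google.com",
    "<script>alert(1)</script>",   # reflected / stored XSS probe
    "localhost; echo injected",    # command injection probe
]

# RFC 1123-style hostname: labels of 1-63 letters, digits or hyphens, no leading or
# trailing hyphen, 253 characters total. A dotted-quad IPv4 literal has the same
# shape, so one allow-list covers both inputs the demo page expects.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_host(value: str) -> bool:
    """Allow-list check: True only for a plain hostname or IPv4 literal."""
    return bool(HOSTNAME_RE.match(value))


# --- vulnerable handler, the shape the talk describes (kept for contrast) ---

def build_lookup_command_unsafe(host: str) -> str:
    # String concatenation into a shell command line: "localhost; echo injected"
    # becomes two commands once a shell parses it.
    return "nslookup " + host


def render_unsafe(host: str, output: str) -> str:
    # Raw user input echoed into HTML: <script> tags are executed, not displayed.
    return f"<p>Results for {host}</p><pre>{output}</pre>"


# --- hardened handler ---

def build_lookup_command(host: str) -> list:
    """Validate first, then return an argv list so no shell ever parses the input."""
    if not is_valid_host(host):
        raise ValueError("host must be a hostname or IPv4 address")
    return ["nslookup", host]


def run_lookup(host: str, timeout: float = 5.0) -> str:
    """Execute the lookup without a shell (argv list, shell=False is the default)."""
    result = subprocess.run(
        build_lookup_command(host), capture_output=True, text=True, timeout=timeout
    )
    return result.stdout or result.stderr


def render_safe(host: str, output: str) -> str:
    """Escape at output time; the lookup tool's output is untrusted text as well."""
    return (
        f"<p>Results for {html.escape(host, quote=True)}</p>"
        f"<pre>{html.escape(output)}</pre>"
    )


def render_log(entries: list) -> str:
    """Stored case: the log keeps raw input, escaping happens when the log page renders."""
    items = "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries)
    return "<ul>" + items + "</ul>"


def classify(value: str) -> str:
    """Say what the hardened handler does with one input."""
    if is_valid_host(value):
        return "accepted"
    if "<" in value or ">" in value:
        return "rejected: markup in hostname"
    return "rejected: shell metacharacters or invalid hostname"


if __name__ == "__main__":
    log = []
    for value in SAMPLE_INPUTS:
        log.append(value)  # the log stores raw input, like the demo's log page
        print(f"{value!r:32} -> {classify(value)}")
    print(render_log(log))
```

Running the block does not perform any real lookup; `run_lookup` is there to show the argv form and is only called by a caller that wants live DNS. The point to take from `classify` is that the decision is made on the server before the input reaches either the command or the page, independent of which browser the tester happens to be using.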
I'll quickly go back to my slide deck where I have the questions, or, yeah, I'm sorry, my links and other things that helped me. Let's see if I can... all right, pull this up real quick... flip back over. All right, so we had time for the other demos, but definitely check it out; it's well worth the time and very simple to throw up and start playing around with.

So, links. Here we have Mutillidae, the OWASP project website. We have Samurai through InGuardians and a collection of different people like Kevin Johnson and others who contribute to this platform, and they're hoping to be more active as they had been in the past, but 3.1 is the new version, and version 4 is coming out here pretty soon. The OWASP Testing Guide version 4, the Top 10, the PCI pentest guidance, NIST. And a thing that also helped me as well was this 12-part series on Mutillidae. So Jeremy Druin had a thing down, I think it was an ISSA Charlotte, and they went through a 12-part series, like one Saturday, just going through Mutillidae and different kinds of tests and helping to demonstrate different kinds of vulnerabilities, going through this far more in depth than I showed today. Definitely worth checking out, still very relevant today; even now we're having problems with XSS and other things that we thought would be simple to fix but still have, for whatever reason. That's my email and my Twitter. Any questions?

[Audience]: So does this actually come on a live CD, or is there an installation process?

So Mutillidae you can just download from GitHub, but with Samurai it's kind of built into the product, and so Samurai has DVWA, Mutillidae and other projects, and so it can be run as a live CD through Samurai, or it can be on your host OS with Apache; spin up Mutillidae. So it's very low friction to help spin up in a multitude of ways.

[Audience]: What language...?

I think it's PHP, a lot of that backend, yep, yep.

[Audience]: Do they also just offer a VM image?

It looks like they might. Yeah, for Samurai there's like a VMware image you just pull down, but, you know, they should be able to flip it around to like VirtualBox or... yeah, offhand not too sure though. But Mutillidae has a SourceForge; you can just pull Mutillidae down, and Samurai as well, but it just happens to be that for a more cohesive testing environment, having Samurai for ZAP and Burp and other things you want to test out with, proxying and other kinds of attacks you want to do, like SQLmap, that's all built into the Samurai platform. So having that accessible from one, like "oh, apt-get install, I don't know what you need," having all that in one package really eliminates having, like, "oh, I need to do this, my dependencies are broken, I need... frustration, I give up." So definitely having that all together is very successful. Anybody else?

[Audience]: I have kind of a technical question. Do you know if on the Samurai image it's actually listening on the public interface? Because I'd love to be able to hit this from a Kali VM and communicate with the Samurai VM, but it's not listening on, like, you know...

Yeah, it's like a VMware image, so however you want to configure that virtual machine for different interfaces, or bridging across or NATing across, it's just like a standard VM, but like a Linux distribution in that VM. So any way you'd configure a VM, it would be the same way you would for Samurai. So you could throw it on the public domain if you want, or if you want to put it on your internal network and scanning, scan, scan, oh my gosh, going in here, definitely could be a sad face for somebody. Was this testing? Hold on... hold on. Anybody else? All right, thanks everybody, check it out, and I appreciate your time. Thanks. [Applause]