"Hacking Web Apps"
– Brent White / @brentwdesign
Abstract:
Understanding how to exploit vulnerabilities within a web application is beneficial to both
breakers and fixers. It is a core skill for penetration testers, and it provides significant insight into
secure coding practices for developers.
This talk covers all aspects of executing a web application penetration test. We will start with the
discovery phase, utilizing OSINT sources such as search engines, sub-domain brute-forcing and
other methods to help you get a good idea of the target's "footprint", and go all the way to fuzzing
parameters to find potential SQL injection vulnerabilities. I will also discuss several of the tools
and techniques that I commonly use. After this talk, you should have a good understanding of
what is needed to break into web applications like a professional.
Detailed Outline:
Before you can start tearing into a web application for a customer, there are a few things that need
to happen. There are rules and goals that need to be established for the assessment. This generally
happens during the scoping and kick-off discussions. Since scoping and contracts make me
sleepy, I will omit the details. The kick-off call is where the rubber starts hitting the road, and
exists to bridge the gap between the legal contract and the final report using the Rules of
Engagement document, also known as the RoE. The RoE answers the questions of who, when
and what and identifies the boundaries between what is and is not allowed during the actual
assessment. After the contents of this document have been agreed upon, you are good to go on
executing the assessment.
=== Evidence Gathering ===
At the end of every assessment, a report is expected. The more evidence you collect, and the better
it is organized, the less time it takes to write the report and the more value the report delivers.
Before I start anything, I set up documents to keep evidence, notes and progress.
Here are a few tips:
• KeepNote is my program of choice. ("Dradis" is another popular choice in Kali.)
o Available for Linux, Windows and Mac.
o Allows you to paste screenshots, create multiple embedded pages and folders.
o I'll group things based on vulnerability: a folder named "Default Server Pages",
with a page for each host & port.
o I'll also color-code the folder based on risk-rating. (personal preference)
o Allows for easy exporting of the KeepNote notebook as .html files & easy
copy/paste into your program of choice while report writing.
• Document the HTTP GET Request and Response for each vulnerability.
• Document any unscheduled downtime.
• Document changes in test data.
o Creation of additional accounts, passwords, or client-provided data.
o Intentional or inadvertent modification of any static data resource.
o Log all monetary transactions.
• Do not share screenshots or data/specifics of a great "hack" or "idiotic" vulnerability
online.
• Make sure to get relevant, legible screenshots of the vulnerability.
• Call out or highlight the specific payload during the write-up, so the client can see exactly
what was sent. Don't just leave it URL- or Base64-encoded.
• List all known affected pages and parameters for a vulnerability. Not just the one sample
that shows the vuln, but everything else you found.
• Have a methodology and checklist to go by so that you're not forgetting or missing
something during each assessment. OWASP has a good methodology and checklist.
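As an added example (not from the whitepaper), a small Python helper for that last point: it takes a raw request saved from the proxy and lists each parameter as sent next to its URL-decoded and, where applicable, Base64-decoded form, so the write-up shows the actual payload. The request it parses is a constructed sample.

```python
"""Evidence helper: show each parameter's encoded and decoded form side by side.

Added example, not part of the original whitepaper. It parses a raw HTTP
request as saved from a proxy, pulls the query-string and form-body
parameters, URL-decodes them, and additionally Base64-decodes any value that
is valid Base64 of printable text, so the write-up can show the client the
exact payload rather than an opaque encoded string.
"""
import base64
import binascii
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample request for this example (not from a real engagement).
SAMPLE_REQUEST = (
    "POST /search?q=%27+OR+1%3D1--&page=1 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 55\r\n"
    "\r\n"
    "comment=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg%3D%3D&uid=42"
)

# Require a reasonable length so short words like "page" are not mistaken for Base64.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def maybe_base64(value: str):
    """Return the decoded text if value is Base64 of printable UTF-8 text, else None."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def split_pairs(encoded: str):
    """Yield (name, raw_value, decoded_value) for a form-urlencoded string."""
    for pair in filter(None, encoded.split("&")):
        name, _, raw = pair.partition("=")
        yield unquote_plus(name), raw, unquote_plus(raw)


def parse_request(raw: str):
    """Split a raw request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def decode_payloads(raw: str):
    """One record per parameter: where it was sent, raw, URL-decoded and Base64-decoded forms."""
    method, target, headers, body = parse_request(raw)
    rows = []
    for name, raw_value, decoded in split_pairs(urlsplit(target).query):
        rows.append({"method": method, "where": "query", "name": name, "raw": raw_value,
                     "decoded": decoded, "base64_decoded": maybe_base64(decoded)})
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, raw_value, decoded in split_pairs(body):
            rows.append({"method": method, "where": "body", "name": name, "raw": raw_value,
                         "decoded": decoded, "base64_decoded": maybe_base64(decoded)})
    return rows


def render_evidence(raw: str) -> str:
    """Plain-text table to paste into the report next to the request/response capture."""
    lines = [f"{'where':<6} {'name':<10} {'as sent':<42} {'decoded payload'}"]
    for row in decode_payloads(raw):
        final = row["base64_decoded"] or row["decoded"]
        note = " (Base64)" if row["base64_decoded"] else ""
        lines.append(f"{row['where']:<6} {row['name']:<10} {row['raw']:<42} {final}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_evidence(SAMPLE_REQUEST))
```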
=== Discovery / OSINT ===
I like to start my assessments by utilizing the power of "Open-Source Intelligence" (OSINT) to
see what information I can find about the web application that others might already know.
Here are just a few OSINT resources and tools:
• Search engines, Pastebin, ShodanHQ, etc... for anything related to the application.
o This is a manual and time-consuming process, but not one to be ignored!
o You're looking for anything related to that application: emails, logins, dev help
forums.
o Any leaked creds or known previous hacks?
o Sites like urlvoid.com to check for known active malware/threats for the domain.
o I have found the database type, schemas and test credentials through old
development-help forums that were STILL valid!
• "Discover" by Lee Baird
o Active/Passive scanning for domains, people, domain-squatting, black-listed
DNS reporting.
o Integrates many tools such as dnsrecon, theharvester, goofile, goog-mail,
goohost, can start a Metasploit listener, parse XML and more.
• "The Harvester" by Christian Martorella / Edge-Security Research
o Scrapes data from Bing, Google, Google Profiles, Ask, Jigsaw, LinkedIn, and
Yahoo.
== Automated Scanning (Low-hanging fruit) ==
"Why do you run automated tools? You're supposed to be a hacker." Good question. Automated
tools are a godsend, as consultants usually have very limited time to complete the project. They
are very helpful at covering a wide range of tests and content discovery in a very short
amount of time. However, you can't just run automated scanners and spit out a report.
That's just a vulnerability scan, and a piss poor one at that. Even though the scanners help, they
don't contain the human element of manual testing and can't find everything. You can't rely
on the scanner alone, but it's a great addition to the assessment.
Here is a list of automated scanners that I like to use:
• Nessus
o Looks at the host and web app. Covers everything from SSL/TLS layer, content
discovery, basic CGI vulns and more.
• IBM App Scan
o More web app focused for things such as SQL/LDAP injections, CSRF and XSS,
etc...
• BurpSuite Pro
o Built-in "Active" scanner, content spider and content discovery brute-forcer
tools.
o Tools for fuzzing parameters, crafting requests and much more.
o Extensions available such as CSRF Scanner, XSS Validator and more.
• Nikto
o Great for finding default pages, logins, known vulnerable scripts, CGI testing and
more. Nikto is actually built into Nessus, but can add a great deal of time to the
Nessus scan if enabled, especially if there are multiple applications and hosts
being scanned at the same time.
o I prefer to run this separately, outside of Nessus. It gives me more control.
• WPScan (for WordPress sites)
o Identifies known vulnerabilities in WordPress, enumerates themes and plug-ins
and can also enumerate usernames.
o There are also other content-management system scanners out there for Joomla, Drupal
and more.
• "DirBuster" by OWASP for directory and file discovery
o I also load lists into BurpSuite Pro for discovery.
o BurpSuite Pro also has "Discover Content" and "Content Spidering" options to
find linked content as well as brute-force content discovery.
• There are many more pre-installed options in Kali. Find them at: Kali Linux > Web
Applications > Web Vulnerability Scanners
• Other scanners available are Saint and Nexpose.
Automated Scanner Pro Tips:
• You want to verify the settings of the automated scanner. Don't just blindly click "scan"
after entering a URL.
• Make sure that you're not using something that's checking for Denial-of-Service (DoS)
unless specifically requested by the client.
• Check the number of threads/connections at a time. Don't flood the host.
• Add any pages/functions the client has asked you to avoid. (Password reset page, sign-up
page, "Contact" form, etc...)
• You might need to specify the application's own "Page not found" or Error 404 page to help
weed out false-positives for file discovery.
• Configure the log-in process and credentials for authenticated scans.
• You must take the time to verify the results and weed out any false-positives.
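An added example, not from the whitepaper or from any of the scanners it names, of the "Page not found" tip above: fingerprint the application's "not found" response and use it to weed out soft-404 false positives from file-discovery results. `fetch` stands in for the HTTP client and returns constructed responses.

```python
"""Soft-404 filter for file/directory discovery results.

Added example; it is not from the whitepaper or from any scanner it names.
Many applications answer every unknown path with HTTP 200 and a friendly
"Page not found" template, so brute-force discovery reports hundreds of
false positives. The approach: request a few paths that cannot exist to
fingerprint the application's "not found" answer, then keep only candidate
paths whose response differs from that fingerprint. `fetch` stands in for
the HTTP client and returns constructed responses.
"""
import difflib
import secrets

# Constructed responses for the example, keyed by path: (status, body).
CANNED = {
    "/admin/": (200, "<html><body><h1>Administration</h1><form action='/admin/login'>"
                     "<input name='user'><input name='pass' type='password'></form></body></html>"),
    "/backup.zip": (403, "<html><body><h1>Forbidden</h1></body></html>"),
    "/old/": (404, "<html><body><h1>Not Found</h1></body></html>"),
}
# The soft 404: status 200, same template for every unknown path, path echoed back.
SOFT_404 = ("<html><head><title>Oops</title></head><body><h1>Page not found</h1>"
            "<p>Sorry, we could not find {path} on this site.</p></body></html>")


def fetch(path: str):
    """Stand-in for an HTTP GET; a real run would send the request and return (status, body)."""
    return CANNED.get(path, (200, SOFT_404.format(path=path)))


def fingerprint_not_found(fetch_fn, probes: int = 2):
    """Request random paths that cannot exist and record how the app answers.

    The probe path is stripped from the body so that a template which echoes
    the requested path still compares equal across probes.
    """
    samples = []
    for _ in range(probes):
        path = "/" + secrets.token_hex(8)
        status, body = fetch_fn(path)
        samples.append((status, body.replace(path, "")))
    return samples


def looks_like_not_found(status, body, path, baseline, threshold=0.9):
    """True if (status, body) is near-identical to any baseline 'not found' sample."""
    body = body.replace(path, "")
    for base_status, base_body in baseline:
        if status != base_status:
            continue
        if difflib.SequenceMatcher(None, base_body, body).ratio() >= threshold:
            return True
    return False


def filter_discovery(paths, fetch_fn=fetch):
    """Return [(path, status)] for candidates that are neither hard nor soft 404s."""
    baseline = fingerprint_not_found(fetch_fn)
    hits = []
    for path in paths:
        status, body = fetch_fn(path)
        if status == 404 or looks_like_not_found(status, body, path, baseline):
            continue
        hits.append((path, status))
    return hits


if __name__ == "__main__":
    wordlist = ["/admin/", "/backup.zip", "/old/", "/config.php", "/test/"]
    for path, status in filter_discovery(wordlist):
        print(f"{status} {path}")
```

Tune `threshold` per target: templates that embed the current date or a request id vary slightly between probes, which is why more than one probe is taken.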
== Manual testing ==
• Automated Scanner results
o Document the vulnerabilities that are legitimate. Can you take it further than the
scanner?
! For example, if the scanner suspects SQL injection, see if you can exploit
that with something like SQLMap.
• Explore the application through a proxy program like BurpSuite Pro.
o Manually explore the app while the "Spider" and "Content Discovery" tools are
running.
o OWASP's "DirBuster" is a brute force tool to find files and directories.
• Review the server response to help verify what the server is running (IIS, Apache).
• Look for parameters to fuzz
o How do they handle characters and commands outside of the normal actions?
o Parameters can be directly in the URL. They are also found in HTTP GET and
POST requests.
• Try Cross-site Scripting (XSS) payloads, Cross-site Request Forgery (CSRF),
SQL/LDAP injection, Local File Inclusion (LFI) and Remote File Inclusion (RFI)
o BurpSuite Pro has lists available that you can load for file discovery, XSS, SQLi,
usernames and more. There are also several places to download your own lists, or
make your own.
o "Xenotix" by OWASP is an XSS tester.
o Save the POST or GET request and execute it with SQLMap to search for SQL
injection.
• Is sensitive info being passed through the URL in a GET request?
o Usernames, Passwords, Session ID, etc...
• Look for valuable comments in the source code of the HTTP Responses
o I've found internal IPs, database names, usernames, "hidden" admin URLs,
database calls in JavaScript and more!
o This is certainly a manual process and is time-consuming. However, a thorough
and consistent review will pay off.
• Authentication - can it be bypassed or broken?
o Can you access URLs and functions as an unauthenticated user that you could
while logged in?
o Can you re-use the session token after logging off? Is there a "log off" feature?
o Can you have multiple sessions as the same user at the same time?
o What are the password requirements? Can you set your password to "password"?
o Can you re-use a previous password?
• Look at the host, not just the web app
o Identify the web server platform. Apache, IIS?
! If it's an old/outdated install, look for exploits
o Are there any admin portals available?
! cPanel, Apache Tomcat Manager, etc...
o Are there test and default credentials available?
o Search for backup, default and obsolete files.
o Is directory browsing enabled? What about directory rights?
o Look for dangerous HTTP methods
! e.g. PUT, DELETE, TRACE
o Are they vulnerable to directory traversal, Shellshock, Heartbleed, etc...?
o Use Nmap to see what ports/services are open to the public. Is it just 80 & 443?
Or, are there other things available too? Check them out.
o Look at SSL/TLS settings for known and weak cipher vulnerabilities and expired
or untrusted certificates.
! Use SSLScan in Kali or "TestSSLServer.jar". Qualys SSL Labs is a good
online resource too but there could be a potential disclosure issue.
o SSL Enforcement - Can you access HTTPS areas by HTTP?
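An added example (not the whitepaper's) that automates the first pass of the comment review described in the list above: it pulls HTML and JavaScript comments out of a saved response body and flags internal IPs, credential-like strings, inline SQL, database names and admin-looking URLs. The response body is a constructed sample and the patterns are heuristics for shortlisting, not a verdict.

```python
"""Review saved HTTP responses for comments that leak internal details.

Added example, not from the whitepaper. It extracts HTML comments and
full-line JavaScript comments from a response body and flags the kinds of
things the talk mentions finding there: RFC 1918 addresses, credential-like
strings, inline SQL, database names and "hidden" administrative URLs. The
HTML below is a constructed sample; in practice run `review` over bodies
saved from the proxy. The patterns are heuristics and produce a shortlist
for manual review, not a verdict.
"""
import re

SAMPLE_BODY = """<html><head>
<!-- TODO: remove before prod. staging db is 10.0.3.17 / appdb_prod -->
<script>
  // legacy lookup, calls SELECT * FROM users WHERE id=... on the backend
  var apiBase = "/internal/api";
</script>
</head><body>
<!-- <a href="/admin-old/console">old admin console</a> -->
<p>Welcome</p>
<!-- default login: support / Summer2014 -->
</body></html>"""

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
JS_LINE_COMMENT = re.compile(r"^\s*//(.*)$", re.M)   # simplified: whole-line // comments only

PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")

# (label, pattern); the first match of each pattern in a comment is reported.
CHECKS = [
    ("internal_ip", PRIVATE_IP),
    ("sql", re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.+?\b(?:FROM|INTO|SET)\b", re.I)),
    ("credential", re.compile(r"\b(?:password|passwd|pwd|login)\b\s*[:=]?\s*\S+", re.I)),
    ("admin_url", re.compile(r"/[\w\-./]*admin[\w\-./]*", re.I)),
    ("db_name", re.compile(r"\b\w*(?:_db|db_)\w*\b", re.I)),
]


def extract_comments(body: str):
    """Return [(source, text)] with source 'html' or 'js'."""
    comments = [("html", m.group(1).strip()) for m in HTML_COMMENT.finditer(body)]
    for block in SCRIPT_BLOCK.finditer(body):
        comments += [("js", m.group(1).strip()) for m in JS_LINE_COMMENT.finditer(block.group(1))]
    return comments


def review(body: str):
    """Flag comments matching any check; one finding per (comment, check) pair."""
    findings = []
    for source, text in extract_comments(body):
        for label, pattern in CHECKS:
            match = pattern.search(text)
            if match:
                findings.append({"type": label, "source": source,
                                 "match": match.group(0), "comment": text})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_BODY):
        print(f"[{f['type']:<11}] ({f['source']}) {f['match']!r}  <- {f['comment'][:60]}")
```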
There are many different areas of a web application that need to be looked at in order to conduct a
thorough penetration assessment. Check out the methodology from OWASP as well as several
checklists that are available to ensure that you're covering all aspects.
For questions, please contact me on Twitter at @brentwdesign or email me at
BrentWhite@Solutionary.com

(Whitepaper for DEF CON 23: "Hacking Web Apps", Brent White / @brentwdesign)