100 OWASP Top 10 Hacking Web Applications with Burp Suite Chad Furman

Captions
Cool. Well, hello everybody. My name is Chad Furman. I am a full-stack web developer slash tech lead slash a person slash only developer on my project, and I love it very much. If you're curious about what it's like to work from the comfort of your living room, working with the latest technologies in web application development, definitely check out hired a clever detective is; I'm just a developer there, but I like the company and I think you would too. That said, today we are going to not be talking about building websites, but breaking them, and why breaking them is good, why it works, why it's fun, and why you should do it if you own the website. So we're going to start talking about a group of people who really like breaking and fixing websites: the Open Web Application Security Project. Now, you may or may not know this, but there was a conference that just kind of ended. Oh, Microsoft, which I just like holding. If you want, how about now? Whoo, wow, there we go. Hello. Okay, well, I guess let's back up, try this one more time.

So, Chad Furman, web application developer, clever text, lots of fun, work from home, latest web technologies, JavaScript, lots of cool stuff, highly recommend. Open Web Application Security Project: these guys are really dedicated, and they are actually all of us, right? Anyone can join and participate in this group. You can go to chapters, the memberships, and all that great stuff. They just did a conference where they revised a whole bunch of old projects for the latest vulnerabilities and all of that great stuff. We'll talk about a couple of them, but primarily the things that you should really know about when we're talking about OWASP are the Top Ten, which we'll get to in a second, Proactive Controls, and specifically the Application Security Verification Standard. These are kind of like guides that you can use to help you avoid a lot of the problems associated with vulnerable web applications. Other things that can really be helpful in finding the vulnerabilities are like Dependency Check, which looks for vulnerabilities in your libraries and such, and the attack proxy. We're going to be using Burp Suite, but ZAP is by OWASP, another similar tool. Lots of great stuff, a lot, a lot. Check out their website, owasp.org. Lots of good stuff there.

So when we talk about a vulnerable web application, the only reason web applications are vulnerable is because they are dynamic: they take in user input, and they don't treat that user input with the appropriate degree of scrutiny. When we talk about dynamic applications, we're talking about PHP, Ruby, JavaScript, anything that can basically take in a script and execute it. We're not just talking about HTML and CSS, although once you get user input into the mix, even those can be a little bit dangerous. People do this for a variety of reasons, "this" being making bad user input to hack websites, but for the most part we do it because we're trying to generate value for our clients. We want to know how we can keep our businesses, our clients, our projects safe, how we can keep them secure, and how we can really make them successful. I kind of borrowed that line from this gentleman, Robert Roburt, from the Amherst security meetup, which, if you're ever in Massachusetts, I highly recommend.

Before we talk about breaking websites, just some things that you should really know if you want to kind of be safe on the internet and avoid what we're really going to talk about. Just some things you can really keep in mind, but for the most part the guides that I mentioned, the Application Security Verification Standard; there are other ones online like the Fallible link security checklist. Good practices, very obviously: sanitize your input going into your database, and make sure that you don't display untrusted input without filtering it out, all that general stuff. Keep up on your training, keep learning. Everyone here is awesome, great, because we need a safer internet, and we're going to really be successful as well on many levels.

So, speaking of a safer internet: when you actually want to test the security of some component, you're going to kind of go through a certain set of goals. Okay, the first goal is to really map out your target. You're going to do that with a set of tools ranging from kind of looking at the data that's available to actively getting in there. So phase one, you're just going to kind of survey the landscape: where are the servers, right, what are the applications available, all of that stuff. Then you're going to do a little bit of scanning. Automated tools can really help you find some vulnerabilities, but at the end of the day you're going to have to get access to the data. We're not going to talk too much about maintaining access or covering our tracks, but we will show some examples of breaking websites to get at that data using the OWASP Top Ten.

So I hope it's not too, too small. I know the fate of programmers is to suffer eyesight issues, but I think that we can all read this. The general idea is that there are ten issues ranked in order of commonality, and it changes; we'll go through the variations really quick. But in general you've got injection attacks, which allow people to inject code or commands and get them to run, everything from database commands to arbitrary system commands. Cross-site scripting is kind of a form of injection, but not really, right? You've got JavaScript that you are injecting onto the page of the user, that then runs and does a number of things, which we will talk about. Broken auth: kind of confusing when we get to some of the other items, but broken auth specifically is about your identity and taking on the identity of other people in ways the application didn't expect you to. Insecure direct object references: that's like you've got a backup file or something like that in your public HTML directory, people download it, they have your entire code. Cross-site request forgery: you're just kind of making an action on somebody else's website from your own website, on behalf of the user who came to your website and was logged in over there. Don't worry too much about it, we'll talk about that.

Security misconfiguration. I mean, I don't want to spend a lot of time on these, but I'm going to go through them once because we're going to go through them a lot in detail, so just keep going. Security misconfiguration has changed a couple of times, but in general it's, you know, error messages, things being exposed in the server, of course open vulnerable applications that haven't been upgraded. Insecure cryptographic storage: so, you know, don't store your passwords in plaintext; credit card information is not in plaintext, right. If I jump ahead really quick, nine is the in-transit, so there's the at-rest and the in-transit. In 2010, failure to restrict URL access, which is kind of more commonly referred to now as function-level access control, but the general idea is accessing a URL as a not-authenticated user that allows you to do privileged activities. And unvalidated redirects and forwards may seem harmless, but they can allow you to do social engineering that can result in backdoors on people's computers, as well as many other things like triggering your XSS attacks and stuff. So 2013 changed very slightly. The general idea is that all the things are kind of the same, but sensitive data exposure, great, that's kind of our combination of at-rest and in-transit crypto. Missing function-level access control, like I said, expanded. Components with known vulnerabilities was explicitly extracted from security misconfiguration because people do that: update your stuff. 2017, there's a draft in place, they're still kind of working on it. The points that we're going to touch on are taken from the 2013 because this has been finalized, but in general they added the idea of automatic monitoring, web application firewalls, as well as really making sure that your APIs are protected, because APIs tend to be very vulnerable.

So before we get into the code and stuff, let's take a look at Burp Suite. This is the tool that we're going to be using. Burp Suite is a proxy tool that we can use to really intercept our traffic in transit, and monitor it and manipulate it for our goals. So the idea here is you start out; I happen to know that my target is 10 guys here that 2.4. I'm going to add that target to scope. Yes, I don't want any other data; I'm going to make sure that I show only in-scope items, and there we go. So my proxy is already on, we have a little checkbox here, we've got the information already configured in my web browser, so all of my Firefox traffic is going to go through Burp Suite, and we will see what that looks like. In the process of doing that, we will build out a sitemap, which will give us some more information. This is the reconnaissance stage: trying to really get a feel for what pages exist, what endpoints exist, what things we can really play around with. So in doing that, we would then go, you know, if you're running a paid scan, you've got the Scanner tab, which kind of benefits from the Spider; it'll spider the entire web app and kind of scan it as it goes. There's the Intruder tab, which allows us to really target specific fields with things like brute-force or dictionary attacks, including URL fields if you're looking for common files or directories. You have the Repeater, which of course allows you to repeat a request. Now this is extremely powerful, because you can also duplicate the request in your browser, really build out your cross-site request forgery tools kind of with just the access of a right-click button. So you've got some stuff here too that we'll get into. The Sequencer is good for kind of like decrypting your session tokens and things like that if they're not actually random. Decoder is good for switching between Base64, hex, ASCII, whatever you need. This is if you have two giant blocks of text and you're sure that they're different but you're not quite sure how; this can help you figure it out, it's a Comparer. And of course Burp is extremely extensible: the entire API is documented. If you want to write, you can write in Ruby, you can write in Python; there's a whole bunch of apps that already exist. So that's kind of Burp Suite in a high-level overview.

So let's keep going, because we've still got a lot to cover. But before I dive into actually doing this stuff, let's take a moment and just kind of see a show of hands: how many people here write code? Okay, cool. How many people here specifically work on websites? Awesome, okay. So I will go into some of the basics a little bit; we've kind of got maybe, I'd say, one-eighth of the room that's really comfortable with web application development, which is fine. So the idea here is, when you want to search, or when you want to log in, you send data via an HTTP request. That results in a variable being constructed on the server that contains your data. From there, that variable can be used to construct commands. One of the most common commands, of course, is "select something where something is equal to something", so in this case, select user where password is equal to whatever password they've entered. Now of course I don't recommend that; the password should be hashed, you should hash the password and compare the hashes, but this is a vulnerable example. So you can go beyond that, but before we do, let's take a look at what this might look like. So I have my little cheat sheet here, because I will fat-finger it otherwise; copy this, and by the way, my cheat sheet and my slides are available online. So if we go to, by the way, this Mutillidae application that we're using in the background, I believe, was originally created by Irongeek, okay, we've got his reference information in here, so thank you for that. So let's take a look at the user info data extraction page. So here, great, the idea is if we had an account we could log in, we could see our data, and for the sake of consistency let's do that. So our name is cat, how's that, and it is equally secured: dog. And frogs. So now we have a user, it's going to display; shall I remember my password? I will forget that. And let's back up, because menus. So we've got cat and dog. As we log in, we can see it, right, so there's my signature and all that great stuff.

Well, this is "select from database where user equals cat and password equals dog". Well, if we change this to be a single quote, space, or, one equals one, space, hyphen hyphen, space. Great, syntax is important. If we do that, what we will have in the end is something that looks like this: select, you know, where user equals, and password equals, no, no, there's two quotes next to each other, that is key. What we are doing is we are terminating the field, and then we are adding on an additional SQL command that is a tautology; it is always true. Where password is blank or true, which is true, and because of that we're able to get the results that you will see in a second. Take careful note: there is a space after the dash dash. The dash dash is a comment; it says everything that would come after this line, if we're in the middle of a query, let's ignore it, we just don't care, it's a comment. Great, that way we can add our code and not care about anything else that follows. So when we do this, it doesn't really matter what the password is, we get everyone, because we have "where value is blank or true", which is always true, so we get everything. Now interestingly enough, and this will lead very nicely into broken session, broken auth, great: we have the admin password. The admin user is the first user in your database. You don't want to do this; it's very common, and because it's so common we can do things. Logging in with an injection attack that is a tautology will result in the first user that it finds being who we log in as, and you guess who that is. So now we are the admin. Okay, well, let's pause there, because I could just keep going, and I will, but let's review for a moment. So we had a simple query, simple injection, great. We'll come back to this in a second, but the idea here is there are more complicated injection attacks, and what you're ultimately going to want to do is either create a shell with select into outfile and then access that outfile, which we might have time for, or you do a union statement with an additional select.

Now if you do a union statement with an additional select, and this is probably the slide I'm going to spend the most time on, by the way, if you do a union with a select, the fields have to match: the number of fields has to match. So you do that by adding in null, select null, select null, null, comma null, etc. etc., until the error state on the page switches to the success state, at which point you know that you have the correct number of fields. Then you successively replace each null with an "a" in single quotes until you find a field that displays a string somewhere on the page, at which point, when you have that field, you can select a concatenated statement of values from any table. So you can pull out all of their columns in a single record for any table, including the information schema in MySQL, which contains information about tables and databases. So you can get a list of all of the schema information in the database and then pull out whatever you want. There's actually a tool that will do this for you called sqlmap. If you use sqlmap and you point it at a vulnerable endpoint, you run a command and it will not only dump the database schema but dump the entire contents of the database, and you just kind of let it go. So yeah. But just a side note: insert injections are different from select injections. The classic example of this is Little Bobby Tables, right, the xkcd comic where the student's mom is like, it's called, you really named your kid "Robert'); drop table students;"? So yeah, and I hope you learned to sanitize your user input. But the thing is, right, in MySQL you can't just put a semicolon and then build more commands on top of it, which is why this particular attack won't work in that scenario with a MySQL database. What you can do is select with string concatenation, or insert with string concatenation, and then successively hexify and decimalify eight-character chunks of the data that you want. So in that way you can still painfully extract whatever data you need from the database within certain sections. Something interesting to look into.

But, uh, we did a demo of SQL injection that was very basic, and we might have time to come back and do some of the more fun stuff, but before we continue let's talk about command injection. So in general it's very similar. The command here is to execute a logging statement that just logs whatever event is being submitted by the user, but if the user submits ampersand ampersand command, it's going to be UNIX command concatenation, great. So then it's going to run both commands, and in this case what we do is we first start out with netcat. How many people here know what netcat is? Yeah. If you don't know what netcat is, it's a cool tool that allows you to basically send whatever data you want over the wire. You can actually even use the -e flag to get whatever data coming back and pipe it into another program, for like a really nice remote access Trojan, because nc -l -p means listen locally on port 5000, and then you inject the command to connect to my server on port 5000, and everything that we did just entered into bash. Let's take a look at what that looks like. I like this one here. We're going to do nc -l -p; I'm going to listen, and we're going to queue up the command, so when this gentleman here connects for us we will see. So we want command injection, that's just going to be, so if we just do, you know, google it. What happens if we just type in google without anything else? It's going to run, it's going to spit out some data. So then likewise, if we type it in and go, hmm, what do we get? Yes, yes. Hey. So then, if we were to do, find anything, I'll tell you that, it hasn't caught yet, come on, come on, get to it, run. Perfect. We take a look here, we see that it has executed our ls command. So what happened is we injected a connect-back command that connected to our server; it got the ls command from our waiting, listening netcat daemon, and we see the output. We actually have a running command here, so if we did ls /usr, /home, etc. etc. etc. So we have a shell on the server as the user of the web application. Pat yourself on the back, that was fun.

Moving on: command injection, SQL injection, what else do we go to? So, broken authentication and session management. We all kind of saw us hack into a web application using SQL and becoming the admin, but what if we just kind of wanted to watch and see what happens when we connect as a regular user? So listen here, alright, let's log out. Who are we? cat, dog. Can't, uh huh. Hey, oh, am I blocking myself? And so one of the things you have to watch for when you use Burp Suite is that it's very easy to leave your proxy on with your intercept flipped around, and then all of your traffic just stops flowing. Hmm, oh, because, and when you do penetration tests, be very careful not to do this in production: my command hung the entire server, which is no longer taking any requests, because I had just the netcat daemon listening in its process. Great, so I broke the web server. So don't do that to production. You have to be careful with this and only do it on your own website, because it can have unintended consequences. Okay, so there we go, back on, logging in. But before we do, let's actually turn on our interceptor missile again. So cat, hmm, dog. So in this case it's going to immediately halt, and we're going to see, okay, we've got username equals cat, password equals dog, login page, submit equals login, blah blah blah, right. This is very basic, very simple, not horribly interesting. Let's continue. So we forward that along, and we look, which, we get a response back that contains a cookie header: username equals cat, uid equals 17. Okay, well, let's send this one to our Repeater. Forward this one along. So this is the response; actually, I'm wrong, we don't want the response, but what we do want are successive page requests that contain that cookie that we just got.

So the intercept got flipped off so we can see that requests come through. Well, come back on, okay. Tom fresh, okay. So this time this is off, going to the favorite, we're sending the same request basically. We are going to take the Repeater and we're going to change this uid. Okay, I mean, why not? Very good reason: I can change this uid, my favorite uid to be is, easier, number one, because I'm important. So I'm going to say go. Okay, well, that's cute, it's an HTTP; well, I don't want it in HTTP, I want it in my browser. So I'm going to copy that URL, I'm going to paste it into my proxy browser here and make sure the intercept gets turned off so that I can actually succeed. Nice, there we go. We're logged in as the admin again. Great, all we did was change our cookie parameter from uid 17 to uid 1, and we're logged in. Likewise, we could iterate through all of the IDs in the database. One of the reasons why universally unique identifiers are awesome, UUIDs, is because they're non-sequential, so it's much, much harder to iterate over something that's not sequential; it's really hard to guess what the admin user's ID would be. Moving on. First foray into broken session authentication. How was it, this one? Okay, so one of the things you can really do is add some secure flags to your cookies, right. So if it was HTTPS it'd be a lot harder; you could only get cookies over an HTTPS connection with the Secure flag, so I couldn't sniff that in transit, I would actually have to be kind of on the site manipulating that data. And likewise HttpOnly: so we'll see in a second, with JavaScript you can access those cookies. HttpOnly makes it so that you can only get them via an HTTP request, you can't get them on the page, and that's enforced by browser policy.

So let's talk about what that JavaScript is. So, cross-site scripting attacks. Who here loves JavaScript? Yeah, I love JavaScript, I think it's awesome, it's super powerful, you can use it everywhere, you could do great things, make a lot of money, great language, why don't you? Recommended. One of the things you can do, and like the code was actually a little bit cut off here, is you can create elements on the DOM, or the Document Object Model. In this case you can create an image tag, you can set its src attribute to be a domain that you control, with a dynamic property set to document.cookie, so you get the session ID, you get a user ID, you get whatever you need to log in as them, sent to you, because their page displayed an image that doesn't exist. So we will do that. We're not going to do phishing and malware, just because I don't really want to reconstruct the entire website in HTML, put it in this JavaScript tag, and then rewrite the document to whatever we want, but that's what you would do. You can do that to get people like, "oh, in order to access our website, you have to download our new Authenticator app", right, oops, okay, cool, backdoor. So you can also do router hacking: if you visit a website with malicious JavaScript on it and your router version is vulnerable, that website connects to your router, if you saved your authentication or whatever, and then changes whatever it wants, cross-site request forgery, because it can set your DNS to be them and then man-in-the-middle all of your traffic. So combinations of vulnerabilities can really escalate. BeEF, and I'm a vegan, so: Browser Exploitation Framework. BeEF is a really powerful tool that I will recommend. Let's talk about JavaScript and what that looks like. We've got a little OWASP reference here, pen test tool lookup. So we're going to go back to that page, let's see. So on Mutillidae, I'm doing good, I'm good. We want a really simple, really straightforward example here. Oh, I know a really good one. So we created an account as cat dog. That dog cat is much more malicious, so dog cat is going to set his signature; this is classic, this is called the word XSS, and in this case we're going to do document.cookie. Anybody think they know what this does? It will alert the cookie onto the screen; it will tell you what our authenticated cookie is every time you see that code, and you happen to see that code when you log in. Oh, okay, broke the site here. Yeah, a regular expression, so I guess, interesting, you didn't like my alert. So, but as you can see, we have obviously injected code. Let's see if we can log out. So my JavaScript obviously needed a little bit of work there. Why don't I stick with the example that's actually in the slides, and also demonstrate, perhaps, cross-site request forgery in the process.

So this command here at the bottom looks kind of messy, right: we've got some single quotes, some braces, parentheses or whatever. Why is it such a mess? Well, the reason is because that's how it has to be in order to get executed. Let's take a look at why. Um, Kali: so we've got dirt and we've got our proxy. Um, well, let's go back to, I'm just in tools lookup here, perfect, scripting, okay, cool. So this request: if we were to intercept this request, do a search for "webscarab" in HTTP history, we've got WebScarab here. The goal is to see our input show up on the page. So let's try again: telephone, rather than just let it go through, and send it to the Repeater, and let's say go. So we entered tool ID 1 and lookup tools, and we've got a whole bunch of stuff. So this is going to be slow going if we go this route, but if we send it to the Intruder, and we say in our positions we've got position one and lookup tools; we don't care about the session ID or the page name at the moment, and we are going to do, I believe it's going to be a cluster bomb attack, and in the payload positions, right, we have two payload positions. We're going to say a simple list: so the first one's going to be "frog" and the second one, I don't, I'll make that a lot easier, cat dog. Probably good to use unique strings in all of the fields across the application, not ones that match your username, but this is good enough for now. So we've got cat dog in position one and we've got frog in position two. So then at this point, if we go to options and we say, okay, well, we want to make sure that we see any results that contain "frog", "cat", I actually added, and "dog". Okay, well, we've started the attack. So in this case the window pops up, and it says, okay, I tried your list in the different payloads and I actually found "cat" on all of the pages and "dog" in a couple of spots. So that's probably because my username was cat, right. So like I said, don't do that; that actually screwed us up in this situation. I'm going to go back to payload number one, get rid of cat, only dog and frog. All I care about is whether "dog" shows up on this page. So dog was payload one, great, that was the ID of the tool that we were looking up. Programmers go: the ID, yeah, that's safe, echo that out onto the page, what could possibly go wrong? Well, let's see, where is dog on this page? It shows up in the header, that's in the request, and then where is it in the response? Okay, so in the response, the ID is entered into this crazy little blob of JavaScript. So that's where everything comes from: we're breaking out of this string, injecting the script tag, and then creating the string again. So that's why it's so messy.

So go back to our Repeater, let's say okay, well, now I know that this little guy here, tool ID number one, needs to be my JavaScript, so I need to get a URL-encoded version of my JavaScript. So I want to, okay, if I have to paste the code in first, I want to go to my cheat sheet down here. So in order for this to work, BeEF has to be running; let's make sure BeEF is running, okay, it's running. And then if we go to BeEF; anybody ever heard of bacon, by the way? I'm vegan, using their meat product, okay. So here we are, logged in to BeEF. So that's all interesting stuff; well, what do we see? We see online browsers, offline browsers, nothing. Okay, well, let's continue back to our web application over here. So this is kind of running and waiting for us to inject some data. So we've got our JavaScript that we want to inject. Take a look at the entry: so we close our current script tag, we load a script that includes our BeEF hook, and then we just start everything back up and just make stuff up. And so we copy that; I actually have cat there twice, it should probably just be one. We're going to just make sure this is URL-encoded; copy, please paste that blob in there. Okay, so we request this in our web browser, and now when we run this gentleman, repeat the request, okay, so it's being properly crafted, so it loads, so the JavaScript executes. Yes, so now we have a browser hooked by BeEF. At that point in time all bets are off, because you could do some crazy stuff with BeEF, and I'm not really going to go into it too much, but just the one thing I talked about already: hooked domain, get cookies, execute, and okay, so there's my PHP session ID, there's my BeEF hook ID, right. So I stole the cookies with BeEF: XSS powerhouse, really cool tool, meat flavored.

So, okay, the rest of this stuff is going to be relatively quick, I hope. I think I've got plenty of time, and time for questions; please hold questions in the back of your mind, take notes, don't do, some questions are great. Insecure direct object references. So in a way, us manipulating that user ID is a form of insecure direct object reference; the object happens to exist in the database. Other forms of direct object references: if you happen to put backups, or if you do editing on your server you have editor backups, right; your config files aren't properly password protected, .htaccess; and, interestingly enough, temp, great, /tmp: is there a way for the user to access a file that they have been able to upload to the server? I'm going to mention /tmp for a very, very specific reason. I'm going to have to put the microphone down for this one, I think, so bear with me. Let's see what we got. The idea here is we're going to go back and revisit SQL injection really quick; we're going to take some of that fun SQL stuff that we skipped over, specifically backdoors, and let's see if I can find it. PHP, this one. So I happen to know that this one isn't going to work. So we are able to detect, through certain error messages on the page, that the execution of these scripts is in, you know, /var/www, so that's my public HTML folder. I'm going to try to write the backdoor first; I already know that's going to fail, I can't write to that folder, but I can write the backdoor.php. So again, let's review this really quick. Great, we're breaking out of our SQL statement; there are five columns in this SQL statement originally, so we have five fields in our attack. One of those fields is a nested SQL statement that actually isn't displaying anything but selecting a set PHP string, a constant, into a specific file at a location that we know about. This attack relies on a couple of vulnerabilities in the application, not just one: it relies on direct object references through the URL, and I will show what that means. So we've got back to injection, we've got user info. I'm still logged in, so today we'll have user info, okay. So let's inject our command. Now just to make sure that, you know, we're doing this, try, okay, that works. That shouldn't work, by the way. Um, you've got a /tmp/backdoor.php, I think it was. So it doesn't like the hat. Okay, all right, well, we're going to have to move on from that one portion. Why isn't that working? I don't know. But the general idea, and I bet you we can verify it if I go directly into the virtual machine: so backdoor.php gets uploaded to the server and it should technically work, but I don't know why it's not. Oh, I know, no, I don't want to waste time on it. Moving forward. It's just an SQL injection attack that created a PHP file that technically we have access to; I wasn't able to show that we have access to it. That PHP file will take whatever you put in the command line and execute it in the shell on the server. Benefits of live demos: live and learn.

Oh yeah, we touched on all of this. So, uh, by the way, with the Burp Intruder you can actually set a list of common files and then set your injection parameter to be in the URL, and it can find some of this stuff for you. So, security misconfiguration, outdated versions of software; this is just going to be real quick. Let's take a look at Burp's headers there, some of these requests; we can see in the headers down here, in the response headers, so the server is powered by, you know, Apache 2.2.8, PHP version 5.2.4. Are there any vulnerabilities for these things? This is kind of a security misconfiguration in and of itself, that you're actually revealing this; this data is definitely a form of sensitive data exposure. But if we do "PHP 5.2.4 CVE", hopefully I'm connected to the internet, so on and so forth, so you can see that there are some very severe vulnerabilities in the very old PHP. Security misconfiguration confirmed. You can do an nmap scan, you can see what ports exist. You want to make sure that the web server isn't actually running as a user that has access to other parts of the system, ideally in some sort of a jail where they don't have commands like ls and that kind of stuff, because they don't need it. Clear web server using, that's all sensitive data; I'm sorry, it's security misconfiguration, some sort of data exposure. So this is going to kind of get more into the fact that we could see the passwords on the page, right: when we actually did our SQL attack we saw all the passwords in plaintext. So if your passwords are encrypted, or any sort of data is unencrypted, if you have security keys or anything like that, they get added to your repo and you think that you can just delete them and push again and they're gone, right? It's still in your git history. I mean, sensitive data exposure is in lots of places, but in general, make sure you know what data is sensitive and what data isn't. We've already kind of demonstrated this.
with the password being in plain text with our SQL injection I'm going to move ahead visiting function level access controller this one's kind of cute in this use case so it's like very convoluted but in general if you have an API endpoint that can do something that only an atom users should be able to do on anyone can do it that's not good so in this case would be private browsing so if we look we're not logged in we look in this menu here down here so set up and reset the database disabled it's not add can't click on disabled in the user a granted they also happen to give us a beautiful reset DB button or a to the top I'm not logged in but of course I can execute this page wipe the entire database like I've very convoluted but specifically this page is supposed to be restricted though it's not this one page is supposed to be restricted to admin only as UI element indicated but we were able to execute it without any trouble and of course in the modern day and age that's aggressive how many people have built a REST API that has an endpoint that they knew wasn't protected but it was obscure enough so you know nobody will find it I never get that ever um sometimes sometimes you can hear a legacy code and stuff just set up a certain way we have to find the vulnerabilities Olympics what else we get almost done you guys are doing great cross-site request forgery please kind of fun the only reason I like this one so much is because burp suite gives us a nice tool for really making it happen I'm almost out of time but this will be hopefully the last somewhat minute wise times and soon the adventure we do so if we were to just say for example we wanted somebody else to trigger the reset database but say it's only available to admin users and we need them to do it for a penetration test to be successful the buzz I should probably be careful microphone talk into the microphone there we go credit browser so we want the reset password button euro we want to catch invert so 
that we can build a thing number now invert will send it we come to repeater November repeater there's a way might even be able to do this from the other you generate cross-site request forgery proof-of-concept okay so we do this with any request what we're going to get the HTML page that will allow us to basically execute the CSRF to demonstrate how it works so we copy this URL of course turn off the proxy almost out of time you guys are awesome I'm hopefully going to paste the question so if I click this button right it going to trigger an action on the other website that's the whole bread and butter of cross-site request forgery and that action is series of the database so if I was logged in as the admin and this page wasn't protected by some sort of security token like a nonce that said the requests originated from the original site then this vulnerability would exist in the database would have been erased [Music] known vulnerable components we did that one write PHP version was vulnerable you can also find vulnerabilities in the frameworks that they're using to build stuff and sometimes the server's themselves have like the the critical vulnerabilities from before because they just have an upgrade and somebody forgot about the box in the corner and it becomes a pivot so the last one and we're not really going to talk too much about this one you're going to have to use your imagination but the idea is that this URL has the end point after the redirect in it the user can set the page that they're being redirected to once they visit the URL some people will just look and they'll see Oh 10.0 at 2.4 oh that's my bank okay I'm going to log in okay but it even though it they redirected them to a new website the domain name change everything looks the same because the hacker made it that way but they can trick them into doing lots of different stuff oh you guys are awesome we made it all the way through um so let's uh let's see if there's any questions yes question is 
how would you conduct a web application contest so what I would start by doing is identifying as many of the components of the application as possible we map it all out to the server infrastructure down right everything you know down to tech stack detail all the versions of things that you find down to the versions of the j/s libraries that you can pull from comment from the headers get it all details as best as possible run an automated scan just let it crawl the website so you would have confined for low-hanging fruit and then go in and be like okay these pages have dynamic variables I'm going to input unique strings and all of these different pages and all of these different fields and then go through and map out where all of these fields display and I'm going to see if I can inject any of these individual fields to change the output on those pages and from there it's a matter of you know making sure once you're in that you can stay and it can always that you access tokens and make sure that nobody can find you while you're inside and at that point in time you've successfully thwarted all attempts to protect that server in your penetration testing exceeded yes yes have a testing environment have a Fanbox environment that isn't production make sure that you limit your the question is should you have a sandbox environment don't pencast your production service because you can break them yes you should have a sandbox environment absolutely any other questions - don't be shy I promise I don't fight yes so I would I would say so these are the things that I have found in my penetration test right so I am the developer so what I have to do is I have to say okay these are the things that I know are bad they I know their vulnerabilities that I've just had to kind of coat around in order to meet business deadlines and those are my high priority ones these are the ones that I know are critical they're there they have to be thick start there get rid of them then the 
automated scan produces a result great hit the high and medium level items in that scan to the best of your ability and then go through things like the application security verification standard and find items that are applicable to your site and get them in your sprint with tickets and deadlines and somebody responsible for it and at that point in time you have progress and it's kind of an ongoing thing right you're going to push new code okay push new code code go through development test pass get the staging QA hit say they do some light security testing on it bugs goes back to development rate gets through security tests passed as a product so there it's a continuous ongoing thing here are our business priorities here is our sensitive data and mission-critical stuff let's make sure that's the secure ism you know how to make it first and then move on to whatever else we know exists and hit the items in order of priority yes sir there are so many there are so many SQL map is really good depends on what you're trying to break into if you're trying to specifically get into your own web application to really test fit security there are you know zap that attack proxy is one Olaf has other XSS hunting tools necessary infrastructure scanning tools and nap just kind of see what's there maybe hit it with armitage just to see if Armitage can find anything hopefully it doesn't it's like a my display powered thing so use the tools at your disposal best of your ability but if something is just going in and clicking on stuff yeah are there any other penetration testing framework so Kali is kind of an operating system that includes a lot of different tools I use Kali because it has a skew el map it has a free version of birth it has a lot of things it's got word list it's got password crackers it's all nice you can get you could take a bun too and throw in I think it's called a back bun - or black box or something like that just a set of repo to give you security to a little 
bun - so if you want to go that route you can get met hunter for your phone which is Kali also basically but in general if you just a tool so if you have a set of security tools you fall in love with for one reason or another then you can just install them in whatever operating system you want there's a lot of tools out there Yesi so the free version and I was using the professional version but you're not really going to notice a difference for what we just did the professional version gives you a automated scanner which I didn't really go into and it also gives you the some more extensions and some faster intruder iterations for brute-forcing attacks but for the most part the free version is what you need and Zapp comes with an automated scanner and is 100% free so the Zetas tak practically biola highly recommend you check out the Olaf website are we done [Music] one more question if we have time here we have signed in the land so we're done you [Music]
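Editor's added example, not code from the talk or from the application demoed in it: a framework-free Python model of the "reset database" page covered in the missing function level access control and cross-site request forgery sections above. It shows the handler as the speaker describes it (the menu hides the button, the server checks nothing, an anonymous GET wipes the database) next to a hardened handler that enforces the method, the login, the admin role and a per-session nonce server-side, so that a Burp-style CSRF proof-of-concept page, which carries the victim's cookie but cannot read the token, is rejected. The session store, the PHPSESSID cookie name, the Request and Database classes and the /reset-db path are all constructed for this example.

```python
"""Missing function-level access control and CSRF on a state-changing
endpoint, modelled on the talk's "reset database" page.

Added example: the request/session objects below are a constructed,
framework-free stand-in, not the demo application from the talk.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side session store: cookie value -> session data.
# Each session gets its own random anti-CSRF token at login time.
SESSIONS = {
    "sess-admin": {"user": "alice", "role": "admin", "csrf": secrets.token_urlsafe(32)},
    "sess-user":  {"user": "bob",   "role": "user",  "csrf": secrets.token_urlsafe(32)},
}


@dataclass
class Request:
    """Just the parts of an HTTP request the handlers look at."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Database:
    rows: int = 42          # constructed: pretend the DB holds 42 rows

    def reset(self) -> None:
        self.rows = 0


def reset_db_vulnerable(req: Request, db: Database) -> tuple[int, str]:
    """What the talk shows: the menu hides the button from non-admins, but
    the handler enforces nothing, so an unauthenticated GET wipes the DB."""
    db.reset()
    return 200, "database reset"


def reset_db_hardened(req: Request, db: Database) -> tuple[int, str]:
    """Same action with the server-side checks the UI cannot be trusted to do."""
    # 1. State-changing actions are POST only; a plain link or <img> GET fails.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Authentication: the session cookie must map to a live session.
    sess = SESSIONS.get(req.cookies.get("PHPSESSID", ""))
    if sess is None:
        return 401, "login required"
    # 3. Authorization: the admin-only rule lives here, not just in the menu.
    if sess["role"] != "admin":
        return 403, "admin only"
    # 4. Anti-CSRF: the form must echo the token bound to this session.
    #    The browser attaches the cookie to a cross-site request on its own,
    #    but a foreign page cannot read the token, so a CSRF PoC page
    #    (cookie present, token absent) is rejected. Constant-time compare.
    sent = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, sess["csrf"].encode()):
        return 403, "bad csrf token"
    db.reset()
    return 200, "database reset"


def demo() -> dict:
    """Run both handlers against the same requests; returns (status, rows left)."""
    results = {}

    # Anonymous GET, the way Burp Repeater replayed it without a session.
    anon_get = Request("GET", "/reset-db")
    db = Database()
    results["vuln_anon_get"] = (reset_db_vulnerable(anon_get, db)[0], db.rows)
    db = Database()
    results["hard_anon_get"] = (reset_db_hardened(anon_get, db)[0], db.rows)

    # Logged-in non-admin user, even with a valid token of their own.
    user_post = Request("POST", "/reset-db",
                        cookies={"PHPSESSID": "sess-user"},
                        form={"csrf_token": SESSIONS["sess-user"]["csrf"]})
    db = Database()
    results["hard_user_post"] = (reset_db_hardened(user_post, db)[0], db.rows)

    # Admin lured to a CSRF PoC page: the cookie rides along, the token does not.
    csrf_post = Request("POST", "/reset-db", cookies={"PHPSESSID": "sess-admin"})
    db = Database()
    results["hard_csrf_post"] = (reset_db_hardened(csrf_post, db)[0], db.rows)

    # Legitimate admin submitting the site's own form.
    admin_post = Request("POST", "/reset-db",
                         cookies={"PHPSESSID": "sess-admin"},
                         form={"csrf_token": SESSIONS["sess-admin"]["csrf"]})
    db = Database()
    results["hard_admin_post"] = (reset_db_hardened(admin_post, db)[0], db.rows)
    return results


if __name__ == "__main__":
    for name, (status, rows_left) in demo().items():
        print(f"{name:16s} status={status} rows_left={rows_left}")
```

The order of the checks matters in practice: method, then authentication, then authorization, then the CSRF token, so that an attacker probing the endpoint learns as little as possible and the expensive or state-changing work happens only after every gate has passed. The token comparison uses hmac.compare_digest so that timing differences do not leak how many leading bytes of a guessed token were right.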
Info
Channel: Adrian Crenshaw
Views: 38,873
Keywords: hacking, security, infosec, irongeek, ANYCon, Albany, New, Your
Id: 2p6twRRXK_o
Length: 58min 11sec (3491 seconds)
Published: Fri Jun 16 2017