Last week, the most important security conference of latin america was held in Buenos Aires where security specialists from all over the world had the chance to get involved with state-of-art techniques, vulnerabilities and tools in a relaxed environment. The sixth edition of ekoparty brought together over 750 security specialists from around the world in the most deep-knowledge technical conference of the region. Among the lectures, Bonsai Information Security presented “Web Application Security Payloads”. This research led by Andres Riancho and Lucas Apa, exploits a new concept in a theorical and practical environment. Part of this research explores how to distinguish the system calls involved in a web application vulnerability and then leverage it’s power to get sensitive information in an automated way. The “Web Application Security Payloads” implementation was developed as a part of the w3af framework, an Open Source Web application attack and audit framework developed by contributors around the world since 2007 and directed by Andrés Riancho. Between some other long waited talks, Juliano Rizzo & Thai Duong presented “Padding Oracles Everywhere” where they easely exposed a 0day advanced technique to decrypt and tamper ASP.NET sensitive data.

1. Web ApplicationSecurity Payloads Andrés Riancho – Lucas Apa Ekoparty 2010 http://www.bonsai-sec.com/

2. lucas@bonsai-sec.com$ whoami Consultant@ BonsaiInformation Security PenetrationTesting y VulnerabilityResearch Web Application Security enthusiast

3. andres@bonsai-sec.com$ whoami Founder@ BonsaiInformation Security Director of Web Security @ Rapid7 Programmer(python!) Open SourceEvangelist Deepknowledge in networking, design and IPS evasion. Project leader: open sourcew3af

4. w3af w3af is a Web ApplicationAttack and AuditFramework Open Sourcetool(GPLv2.0) todetect and exploitWeb vulnerabilities. Pluginbasedarchitecture, easely extensible. Developmentstarted late 2006 on my spare time, and growingtillpresent, moment in whichwehavemultiplecontributors round theglobe and a full time developeronour office.

6. Actual Situation ExploitationframeworkslikeMetasploitprovidesmainly “payloads” to use speciallyonthebest case, in otherwords, whenthereiscontrol ontheexecutionflow. (“exploitforbuffer overflow”). Web applicationsallowsus, dependingonthevulnerability, tointeractwiththesystem in a particular way: Local fileread Filewrite SQL Commandsexecution OS Commandsexecution Tillnow, Whichsteps of post-exploitation can wemake in anautomatizedway in anenvironmentwherewecan´texecute OS systemcommands?

7. Actual Situation Additionally, Web vulnerabilities are mutating every time faster making their post exploitation leading to have no starting or final objective defined. Manydifferentautomatizedtools are focusing in the particular, in exploiting a vulnerabilityemphasizingonthehow. Notdefinedwhichinformationisgoingtobecompromised. Thevulnerabilities expires orchanges.

8. Web Application Security Payloads

9. Small pieces of coderunning in w3af afterexploitingoneor more knownvulnerabilities. Everypayloadisindependent of thediscoveredvulnerabilities. Bythemeanstheexploitexports “SystemCalls”, that are thenusedbypayloads: Design

10. Design Payloads are in general 100 lines of codethat uses somesystemcalls, likeforexample“running_vm”:

11. ~53Payloadsdeveloped

12. Demo #1:“users”

13. Sinergy between payloads

14. Demo #2:Sinergy between payloads: “users_config_files”

15. Demo #3:Integration with w3af:“get_source_code”

16. Conclusions and pendingwork Conceptualizethis idea as anstandar in automatizedpost-explotación over Web Applications. Develop more payloadsforWindows environments. Research about syscall hooking and remote syscall delivery by Web Applications Payloads. SyscallHierachyPriority: whenexists more thanonesyscall, whichonewe use tocommunicatewiththeremotesystem? Faster? More privileged? Contributewiththe global communitydiscovering new attacktechniquesthroughminimalistic post-exploitationapproaches, expandingtheinformationtheygather.

17. ¿Doubts?¿Questions?

18. Thankyou!