Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
Malik Mesellem
Defense Needed, Superbees Wanted
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
About Me
 Malik Mesellem
Email | malik@itsecgames.com
Linked...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP and bee-bo...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP and bee-bo...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Defense Needed
 Web application security is today's most ove...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Defense Needed
 Why are web applications an attractive targe...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Defense Needed
 Why are web applications an attractive targe...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
DEFENSE
is needed !
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP and bee-bo...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP == defense
 bWAPP, or a buggy Web APPlication
 Delibe...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Web application security is not just installing a fir...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Testimonials
Awesome! It's good to see fantastic tool...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Architecture
 Open source PHP application
 Backend ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Features (1)
 Very easy to use and to understand
 W...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Features (2)
 Local PHP settings file
 No-authentic...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 What makes bWAPP so unique?
 Well, it has over 70 we...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Which bug do you want to hack today?
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Which bug do you want to hack today? (1)
 SQL, HTML,...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Which bug do you want to hack today? (2)
 Configurat...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 Which bug do you want to hack today? (3)
 Cross-Site...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP
 External links
 Home page - www.itsecgames.com
 Dow...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
 Every bee needs a home… the bee-box
 VM pre-instal...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
 bee-box is also made deliberately insecure…
 Oppor...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
 Features (1)
 Apache, MySQL and PHP installed
 Se...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee-box
 Features (2)
 Weak self-signed SSL certificate
 ‘...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP and bee-box
 Both are part of the ITSEC GAMES project
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP and bee-box
 Ready, set, and hack!
 There’s just one ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bee/bug
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP and bee-box
 Ready, set, and hack!
 There’s just one ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP and bee-box
 Installation and configuration
 Install ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP and bee-box
 General application settings
 settings.p...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP and bee-box
 Settings
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP and bee-box
 A.I.M.
 Authentication Is Missing, a no-...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
bWAPP and bee-box
 Worst-case-scenario-options
 Reset the a...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Finally, time for
a DEMO
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP and bee-bo...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Penetration Testing
 Penetration testing, or pentesting
 Me...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Web App Penetration Testing
 Web application pentesting is f...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Web App Penetration Testing
 It’s all about identifying, exp...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Testing Methodologies
 A simple testing methodology
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Testing Methodologies
 A more advanced testing methodology
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP, or Open Web Application Security Project
 Wor...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 Current OWASP Projects
 Top 10 Project and Testing G...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP Top 10 Project, lists the 10 most severe web
ap...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP Top 10 Application Security Risks
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
OWASP
 OWASP Top 10 placement
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Introduction to Kali Linux
 Kali Linux is a Debian-derived L...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Introduction to Kali Linux
 Includes many web app pentesting...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Intercepting Proxies
 Intercepting proxies are testing tools...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Intercepting Proxies
 ZAP, Zed Attack Proxy
 OWASP project,...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Intercepting Proxies
 ZAP, Zed Attack Proxy
 Functionalitie...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Intercepting Proxies
 ZAP, Zed Attack Proxy
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 ZAP, Zed Attack Proxy
 Parameter/cookie tampering
 O...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Commercial Web Scanners
 Netsparker
 Automated ‘false posit...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Commercial Web Scanners
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Commercial Web Scanners
 Netsparker
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Ready to
Exploit
some bugs?
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP and bee-bo...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 SQL injection is very common in web applicati...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 Injection in the OWASP Top 10
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 Normal operation
DATABASE
SQL interpreter
WEB...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
DATABASE
SQL interpreter
WEB APP
HTML | SQL
BROWSER
HTML (GET...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 Simple injections
 '--
 ' or 'a'='a
 ' or ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
 Union injections
 ' UNION SELECT field1, fie...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
SQL Injection
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 SQL Injection
 Bypassing login forms
 Manually extra...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
HTML Injection
 HTML injection occurs when a user inserts HT...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 HTML Injection
 Website defacement
 Phishing attack
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Denial-of-Service
 Denial-of-Service attack, or DoS attack
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Denial-of-Service
 Newer layer 7 DoS attacks are more powerf...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Denial-of-Service
 Layer 7 DoS methods
 HTTP Slow Headers
...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 Denial-of-Service
 HTTP Slow POST
 XML Bombs
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Unrestricted File Uploads
 Malicious, or Unrestricted File U...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Unrestricted File Uploads
 Web shells are malicious web page...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Unrestricted File Uploads
 External attack vectors for using...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Demo
 Unrestricted File Uploads
 Shell access
 Escalating ...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
What is bWAPP?
 Contents
 Defense Needed
 bWAPP and bee-bo...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
 And we have so much more bugs to exploit…
 It’s definitely...
What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
Contact Me
 Malik Mesellem
Email | malik@itsecgames.com
Link...
Nächste SlideShare
Wird geladen in …5
×

Infosecurity 2014 - Superbees Wanted

626 Aufrufe

Veröffentlicht am

Event: Infosecurity 2014
Topic: Superbees Wanted
Location: Brussels Expo

  • Als Erste(r) kommentieren

Infosecurity 2014 - Superbees Wanted

  1. 1. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP? Malik Mesellem Defense Needed, Superbees Wanted
  2. 2. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. About Me  Malik Mesellem Email | malik@itsecgames.com LinkedIn | be.linkedin.com/in/malikmesellem Twitter | twitter.com/MME_IT Blog | itsecgames.blogspot.com
  3. 3. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP and bee-box  Web App Pentesting  Exploiting Vulnerabilities  Superbees Wanted
  4. 4. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP and bee-box  Web App Pentesting  Exploiting Vulnerabilities  Superbees Wanted
  5. 5. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Defense Needed  Web application security is today's most overlooked aspect of securing the enterprise  Hackers are concentrating their efforts on websites and web applications  Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
  6. 6. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Defense Needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  7. 7. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Defense Needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  8. 8. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. DEFENSE is needed !
  9. 9. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP and bee-box  Web App Pentesting  Exploiting Vulnerabilities  Superbees Wanted
  10. 10. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP == defense  bWAPP, or a buggy Web APPlication  Deliberately insecure web application, includes all major known web vulnerabilities  Helps security enthusiasts, developers and students to discover and to prevent issues  Prepares one for successful penetration testing and ethical hacking projects
  11. 11. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP
  12. 12. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues  Black-box penetration testing, simulating real attack scenarios, is still needed!  Confirms potential vulnerabilities, and excludes false positives  Guarantees that your defense measures are working effectively  bWAPP helps to improve your security-testing skills…
  13. 13. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.
  14. 14. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Testimonials Awesome! It's good to see fantastic tools staying up to date ... - Ed Skoudis Founder of Counter Hack I just installed bWAPP 1.6 into the next release of SamuraiWTF ... Its a great app ... - Justin Searle Managing Partner at UtiliSec Great progress on bWAPP BTW! :) - Vivek Ramachandran Owner of SecurityTube
  15. 15. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Architecture  Open source PHP application  Backend MySQL database  Hosted on Linux/Windows with Apache/IIS  Supported on WAMP or XAMPP
  16. 16. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Features (1)  Very easy to use and to understand  Well structured and documented PHP code  Different security levels (low/medium/high)  ‘New user’ creation (password/secret)  ‘Reset application/database’ feature  Manual intervention page  Email functionalities
  17. 17. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Features (2)  Local PHP settings file  No-authentication mode (A.I.M.)  ‘Evil Bee’ mode, bypassing security checks  ‘Evil’ directory, including attack scripts  WSDL file (Web Services/SOAP)  Fuzzing possibilities
  18. 18. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  What makes bWAPP so unique?  Well, it has over 70 web bugs!  Covering all major known web vulnerabilities  Including all risks from the OWASP Top 10 project
  19. 19. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Which bug do you want to hack today?
  20. 20. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Which bug do you want to hack today? (1)  SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections  Authentication, authorization and session management issues  Malicious, unrestricted file uploads and backdoor files  Arbitrary file access and directory traversals  PHP-CGI remote code execution  Local and remote file inclusions (LFI/RFI)  Server Side Request Forgery (SSRF)
  21. 21. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Which bug do you want to hack today? (2)  Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, WebDAV, information disclosures,...  HTTP parameter pollution and HTTP response splitting  XML External Entity attacks (XXE)  HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues  Unvalidated redirects and forwards  Denial-of-Service (DoS) attacks
  22. 22. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  Which bug do you want to hack today? (3)  Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)  AJAX and Web Services issues (JSON/XML/SOAP)  Parameter tampering and cookie poisoning  HTTP verb tampering  Local privilege escalation  And much more 
  23. 23. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP
  24. 24. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP  External links  Home page - www.itsecgames.com  Download location - sourceforge.net/projects/bwapp  Blog - itsecgames.blogspot.com
  25. 25. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box  Every bee needs a home… the bee-box  VM pre-installed with bWAPP  LAMP environment: Linux, Apache, MySQL and PHP  Compatible with VMware and VirtualBox  Requires zero installation
  26. 26. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box  bee-box is also made deliberately insecure…  Opportunity to explore all bWAPP vulnerabilities  Gives you several ways to hack and deface bWAPP  Even possible to hack the bee-box to get full root access!  Hacking, defacing and exploiting without going to jail  You can download bee-box from here
  27. 27. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box
  28. 28. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box  Features (1)  Apache, MySQL and PHP installed  Several PHP extensions installed  Vulnerable PHP-CGI  phpMyAdmin installed  Postfix installed and configured  Insecure FTP and WebDAV configurations  AppArmor disabled
  29. 29. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee-box  Features (2)  Weak self-signed SSL certificate  ‘Fine-tuned’ file access permissions  .htaccess files support enabled  Some basic security tools installed  Shortcuts to start, install and update bWAPP  An amazing wallpaper   An outdated Linux kernel…
  30. 30. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP and bee-box  Both are part of the ITSEC GAMES project  A funny approach to IT security education  IT security, ethical hacking, training and fun...  All ingredients mixed together   Educational and recreational InfoSec training
  31. 31. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP and bee-box  Ready, set, and hack!  There’s just one thing to remember  The logon credentials are…
  32. 32. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bee/bug
  33. 33. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP and bee-box  Ready, set, and hack!  There’s just one thing to remember  The logon credentials are bee/bug  So please don’t bug me anymore
  34. 34. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP and bee-box  Installation and configuration  Install VMware Player or Oracle VirtualBox  Extract, install, and start the bee-box VM  Configure or check the IP settings  Browse to the bWAPP web app  http://[IP]/bWAPP/  Login with bee/bug
  35. 35. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP and bee-box  General application settings  settings.php, located under the bWAPP admin folder  Connection settings  SMTP settings  A.I.M. mode  Evil bee mode  Static credentials
  36. 36. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP and bee-box  Settings
  37. 37. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP and bee-box  A.I.M.  Authentication Is Missing, a no-authentication mode  May be used for testing web scanners and crawlers  Procedure  Change the IP address in the settings file  Point your web scanner or crawler to http://[IP]/bWAPP/aim.php  All hell breaks loose…
  38. 38. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. bWAPP and bee-box  Worst-case-scenario-options  Reset the application  http://[IP]/bWAPP/reset.php  Reset the application + database  http://[IP]/bWAPP/reset.php?secret=bWAPP  Reinstall the database  Drop the database from phpMyAdmin  http://[IP]/bWAPP/install.php
  39. 39. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Finally, time for a DEMO
  40. 40. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo
  41. 41. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP and bee-box  Web App Pentesting  Exploiting Vulnerabilities  Superbees Wanted
  42. 42. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Penetration Testing  Penetration testing, or pentesting  Method of evaluating computer, network or application security by simulating an attack  Active analysis of potential vulnerabilities by using ethical hacking techniques  Penetration tests are sometimes a component of a full security audit
  43. 43. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Web App Penetration Testing  Web application pentesting is focusing on evaluating the security of a web application  Application is tested for known web vulnerabilities  Manual, automatic and semi-automatic tests  Source code analysis and web server configuration review as an option
  44. 44. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Web App Penetration Testing  It’s all about identifying, exploiting, and reporting vulnerabilities  Some considerations…  Commercial tools vs. open source tools  Not a best practice to use only one tool  Most commercial scanners don’t exploit  False positives are not allowed!  People don’t like auto-generated reports
  45. 45. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Testing Methodologies  A simple testing methodology
  46. 46. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Testing Methodologies  A more advanced testing methodology
  47. 47. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP, or Open Web Application Security Project  Worldwide non-profit organization focused on improving the security of software  Freely-available articles, methodologies, documentation, tools, and technologies  Vendor neutral, no recommendations for commercial products or services!
  48. 48. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  Current OWASP Projects  Top 10 Project and Testing Guide  Development and Code Review Guide  Application Security Verification Standard  Broken Web Applications (BWA)  Zed Attack Proxy (ZAP)
  49. 49. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP Top 10 Project, lists the 10 most severe web application security risks  Constantly updated, latest version released in 2013  Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS  Good starting point for a web application pentest  What to test? How to test? How to prevent?
  50. 50. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP Top 10 Application Security Risks
  51. 51. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. OWASP  OWASP Top 10 placement
  52. 52. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Introduction to Kali Linux  Kali Linux is a Debian-derived Linux distribution  Designed for digital forensics and penetration testing  Formerly known as BackTrack  Maintained and funded by Offensive Security  Support for x86 and ARM
  53. 53. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Introduction to Kali Linux  Includes many web app pentesting tools  Burp Suite  DirBuster  Metasploit  Nikto  sqlmap  w3af  WebSploit  ZAP
  54. 54. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Intercepting Proxies  Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)  Located between the browser and the web application  Ability to intercept and to modify requests/responses  Provide a historical record of all requests  Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories
  55. 55. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Intercepting Proxies  ZAP, Zed Attack Proxy  OWASP project, by Simon Bennetts  Java application, released in September 2010  Fork of the Paros intercepting proxy  Pentesting tool for finding vulnerabilities  Provides automated scanning, as well as a set of tools to find security vulnerabilities manually
  56. 56. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Intercepting Proxies  ZAP, Zed Attack Proxy  Functionalities  Intercepting proxy, listening on TCP/8080  Traditional and AJAX spider  Automated and passive scanner  Fuzzing and brute force capabilities  Smartcard and client certificate support  Authentication and session support
  57. 57. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Intercepting Proxies  ZAP, Zed Attack Proxy
  58. 58. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  ZAP, Zed Attack Proxy  Parameter/cookie tampering  Online password attack  Detecting vulnerabilities
  59. 59. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Commercial Web Scanners  Netsparker  Automated ‘false positive free’ web security scanner  Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)  Automatically exploits detected vulnerabilities to ensure no false positives are reported  Site: https://www.netsparker.com/
  60. 60. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Commercial Web Scanners
  61. 61. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Commercial Web Scanners  Netsparker
  62. 62. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Ready to Exploit some bugs?
  63. 63. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP and bee-box  Web App Pentesting  Exploiting Vulnerabilities  Superbees Wanted
  64. 64. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  SQL injection is very common in web applications  Occurs when user input is sent to a SQL interpreter as part of a query  The attacker tricks the interpreter into executing unintended SQL queries
  65. 65. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  Injection in the OWASP Top 10
  66. 66. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  Normal operation DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login password SELECT * FROM table WHERE login = ‘login’ AND password = ‘password’ result HTML SQL
  67. 67. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login ’ or 1=1-- SELECT * FROM table WHERE login = ‘login’ AND password = ‘’ or 1=1-- ’ result HTML SQL SQL Injection  Abnormal operation
  68. 68. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  Simple injections  '--  ' or 'a'='a  ' or 'a'='a'--  ' or '1'='1  ' or 1=1--
  69. 69. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection  Union injections  ' UNION SELECT field1, field2 FROM table--  ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--  Stacked queries  '; DROP TABLE table;--
  70. 70. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. SQL Injection
  71. 71. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  SQL Injection  Bypassing login forms  Manually extracting data  Automated SQL injection
  72. 72. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. HTML Injection  HTML injection occurs when a user inserts HTML code via a specific input field or parameter  Insufficient validation of user-supplied data  Dangerous when it is stored permanently!  HTML injections can lead to  Website defacements  Phishing attacks  Client-side exploitation
  73. 73. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  HTML Injection  Website defacement  Phishing attack  Client-side exploitation
  74. 74. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Denial-of-Service  Denial-of-Service attack, or DoS attack  An attacker attempts to prevent legitimate users from accessing the application, server or network  Consumes network bandwidth, server sockets, threads, or CPU resources  Distributed Denial-of-Service attack, or DDoS  Popular techniques used by hacktivists
  75. 75. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Denial-of-Service  Newer layer 7 DoS attacks are more powerful!  “Low-bandwidth application layer DoS”  Advantages of layer 7 DoS  Legitimate TCP/UDP connections, difficult to differentiate from normal traffic  Requires lesser number of connections, possibility to stop a web server from a single attack  Reach resource limits of services, regardless of the hardware capabilities of the server
  76. 76. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Denial-of-Service  Layer 7 DoS methods  HTTP Slow Headers  HTTP Slow POST  HTTP Slow Reading  Apache Range Header  SSL/TLS Renegotiation  XML Bombs
  77. 77. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  Denial-of-Service  HTTP Slow POST  XML Bombs
  78. 78. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Unrestricted File Uploads  Malicious, or Unrestricted File Uploads  File upload flaws occur when an attacker can upload files without any restrictions, or bypassing weak restrictions  The first step in many attacks is to get some code to the system to be attacked!  Using an unrestricted file upload helps the attacker…  The attack only needs to find a way to get the code executed
  79. 79. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Unrestricted File Uploads  Web shells are malicious web pages that provide an attacker functionality on a web server  Making use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl,...  Web shell functionalities  File transfer  Command execution  Network reconnaissance  Database connectivity
  80. 80. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Unrestricted File Uploads  External attack vectors for using web shells  Unrestricted File Uploads  Remote File Inclusion  SQL Injection  OS Command Injection  Insecure FTP, WebDAV,…
  81. 81. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Demo  Unrestricted File Uploads  Shell access  Escalating privileges...  Getting r00t access!
  82. 82. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. What is bWAPP?  Contents  Defense Needed  bWAPP and bee-box  Web App Pentesting  Exploiting Vulnerabilities  Superbees Wanted
  83. 83. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved.  And we have so much more bugs to exploit…  It’s definitely time to improve your web security  Defense is needed, and testing is required!  Downloading bWAPP is a first start  Remember: every bee needs a superbee  Are you that superbee? Superbees Wanted @MME_IT #bWAPP
  84. 84. What is bWAPP? | © 2014 Malik Mesellem, all rights reserved. Contact Me  Malik Mesellem Email | malik@itsecgames.com LinkedIn | be.linkedin.com/in/malikmesellem Twitter | twitter.com/MME_IT Blog | itsecgames.blogspot.com

×