SANS 2015 - Superbees Wanted

Event: SANS 2015
Topic: Superbees Wanted
Location: Orlando, Florida (US)
Organizer: SANS

Published in: Technology

1. What is bWAPP? | © 2015 Malik Mesellem, all rights reserved.
   What is bWAPP?
   Malik Mesellem
   Defense Needed, Superbees Wanted
2. (no further text)
3. MS15-034
   Web related!
4. Contact Me
   - Malik Mesellem
   - Email | malik@itsecgames.com
   - Twitter | twitter.com/MME_IT
   - LinkedIn | be.linkedin.com/in/malikmesellem
   - Blog | itsecgames.blogspot.com
5. What is bWAPP?
   Contents
   - Defense Needed
   - bWAPP & bee-box
   - WebApp Pentesting
   - Hungry Evil Bees
   - Superbees Wanted
6. What is bWAPP? Contents (same list as slide 5)
7. Defense Needed
   - Web application security is today's most overlooked aspect of securing the enterprise
   - Hackers are concentrating their efforts on websites and web applications
   - Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
8. Defense Needed
   Why are web applications an attractive target?
   - Easily available via the Internet (24/7)
   - Mission-critical business applications with sensitive data
   - Often direct access to backend data
   - Traditional firewalls and SSL provide no protection
   - Many applications are custom-made == vulnerable
9. Defense Needed (same as slide 8)
10. DEFENSE is needed!
11. What is bWAPP? Contents (same list as slide 5)
12. bWAPP == defense
   - bWAPP, or a buggy Web APPlication
   - Deliberately insecure web application, includes all major known web vulnerabilities
   - Helps security enthusiasts, developers and students to discover and to prevent issues
   - Prepares one for successful penetration testing and ethical hacking projects
13. bWAPP == defense
   - Web application security is not just installing a firewall, or scanning a site for 'potential' issues
   - Black-box penetration testing, simulating real attack scenarios, is still needed!
   - Confirms potential vulnerabilities, and excludes false positives
   - Guarantees that your defense measures are working effectively
   - bWAPP helps to improve your security-testing skills…
14. (no further text)
15. OMG! Are we prepared for REAL attack scenarios???
16. bWAPP: Testimonials
   - "Awesome! It's good to see fantastic tools staying up to date ..." Ed Skoudis, Founder of Counter Hack
   - "I just installed bWAPP 1.6 into the next release of SamuraiWTF ... It's a great app ..." Justin Searle, Managing Partner at UtiliSec
   - "Great progress on bWAPP BTW! :)" Vivek Ramachandran, Owner of SecurityTube
17. bWAPP: Architecture
   - Open source PHP application
   - Backend MySQL database
   - Linux/Windows, Apache/IIS
   - WAMP or XAMPP
18. bWAPP: Features (1)
   - Very easy to use and to understand
   - Well structured and documented PHP code
   - Different security levels (low/medium/high)
   - 'New user' creation (password/secret)
   - 'Reset application/database' feature
   - Manual intervention page
   - Email functionalities
19. bWAPP: Features (2)
   - Local PHP settings file
   - No-authentication mode (A.I.M.)
   - 'Evil Bee' mode, bypassing security checks
   - 'Evil' directory, including attack scripts
   - WSDL file (Web Services/SOAP)
   - Fuzzing possibilities
20. bWAPP: What makes bWAPP so unique?
   - Well, it has over 100 web vulnerabilities
   - Covering all major known web bugs
   - Including all risks from the Top 10 project
   - Focus is not on one specific issue!
21. bWAPP: Which bug do you want to hack today? (1)
   - SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
   - Authentication, authorization and session management issues
   - Malicious, unrestricted file uploads and backdoor files
   - Arbitrary file access and directory traversals
   - Heartbleed and Shellshock vulnerabilities
   - Local and remote file inclusions (LFI/RFI)
   - Server Side Request Forgery (SSRF)
22. bWAPP: Which bug do you want to hack today? (2)
   - Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures, ...
   - HTTP parameter pollution and HTTP response splitting
   - XML External Entity attacks (XXE)
   - HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
   - Drupal, phpMyAdmin and SQLite issues
   - Unvalidated redirects and forwards
   - Denial-of-Service (DoS) attacks
23. bWAPP: Which bug do you want to hack today? (3)
   - Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
   - AJAX and Web Services issues (JSON/XML/SOAP)
   - Parameter tampering and cookie poisoning
   - Buffer overflows and local privilege escalations
   - PHP-CGI remote code execution
   - HTTP verb tampering
   - And much more
24. bWAPP: Which bug do you want to hack today? (no further text)
25. bWAPP (no further text)
26. bWAPP: Coming soon!
   - Cryptographic attacks
   - Insecure session variables
   - Session fixation
   - More authentication issues
   - WordPress vulnerabilities
   - More D-XSS
27. bWAPP: External links
   - Home page - www.itsecgames.com
   - Download location - sourceforge.net/projects/bwapp
   - Blog - itsecgames.blogspot.com
28. bee-box
   Every bee needs a home… the bee-box
   - VM pre-installed with bWAPP
   - LAMP environment: Linux, Apache, MySQL and PHP
   - Compatible with VMware and VirtualBox
   - Requires zero installation
29. bee-box
   bee-box is also made deliberately insecure…
   - Opportunity to explore all bWAPP vulnerabilities
   - Gives you several ways to hack and deface bWAPP
   - Even possible to hack the bee-box to get full root access!
   - Hacking, defacing and exploiting without going to jail
   - You can download bee-box from here
30. bee-box (no further text)
31. bee-box: Features (1)
   - Apache, Lighttpd, Nginx, MySQL and PHP installed
   - Several PHP extensions installed (LDAP, SQLite, …)
   - Vulnerable Bash, Drupal, OpenSSL and PHP-CGI
   - Insecure DistCC, FTP, NTP, SNMP, VNC, WebDAV
   - phpMyAdmin and SQLiteManager installed
   - Postfix installed and configured
   - AppArmor disabled
32. bee-box: Features (2)
   - Weak self-signed SSL certificate
   - 'Fine-tuned' file access permissions
   - .htaccess files support enabled
   - Some basic security tools installed
   - Shortcuts to start, install and update bWAPP
   - An amazing wallpaper
   - An outdated Linux kernel…
33. bWAPP & bee-box: Ready, set, and hack!
   - Only one thing to remember
   - Logon credentials are…
34. bee/bug
35. bWAPP & bee-box: Ready, set, and hack!
   - Only one thing to remember
   - Logon credentials are bee/bug
   - Please don't bug me anymore…
36. bWAPP & bee-box: Installation and configuration
   - Install VMware Player or Oracle VirtualBox
   - Extract, install, and start the bee-box VM
   - Configure or check the IP settings
   - Browse to the bWAPP web app: http://[IP]/bWAPP/
   - Login with bee/bug
37. bWAPP & bee-box: General application settings
   - settings.php, located under the bWAPP admin folder
   - Connection settings
   - SMTP settings
   - A.I.M. mode
   - Evil bee mode
   - Static credentials
38. bWAPP & bee-box: General application settings
   Opening the settings file (as root):
   sudo gedit /var/www/bWAPP/admin/settings.php
39. bWAPP & bee-box: Settings (no further text)
40. bWAPP & bee-box: A.I.M. mode
   - Authentication Is Missing, a no-authentication mode
   - May be used for testing web scanners and crawlers
   Procedure
   - Change the IP address in the settings file
   - Point your web scanner or crawler to http://[IP]/bWAPP/aim.php
   - All hell breaks loose…
41. bWAPP & bee-box: Worst-case-scenario options
   - Reset the application: http://[IP]/bWAPP/reset.php
   - Reset the application + database: http://[IP]/bWAPP/reset.php?secret=bWAPP
   - Reinstall the database: drop the database from phpMyAdmin, then open http://[IP]/bWAPP/install.php
42. Finally… time for a DEMO
43. Demo
44. What is bWAPP? Contents (same list as slide 5)
45. Penetration Testing
   - Penetration testing, or pentesting
   - Method of evaluating computer, network or application security by simulating an attack
   - Active analysis of potential vulnerabilities by using ethical hacking techniques
   - Penetration tests are sometimes a component of a full security audit
46. Web App Penetration Testing
   - Web application pentesting focuses on evaluating the security of a web application
   - Application is tested for known web vulnerabilities
   - Manual, automatic and semi-automatic tests
   - Source code analysis and web server configuration review as an option
47. Web App Penetration Testing
   - It's all about identifying, exploiting, and reporting vulnerabilities
   Some considerations…
   - Commercial tools vs. open source tools
   - Not a best practice to use only one tool
   - Most commercial scanners don't exploit
   - False positives are not allowed!
   - People don't like auto-generated reports
48. Testing Methodologies: A simple testing methodology (no further text)
49. Testing Methodologies: A more advanced testing methodology (no further text)
50. OWASP
   - OWASP, or Open Web Application Security Project
   - Worldwide non-profit organization focused on improving the security of software
   - Freely-available articles, methodologies, documentation, tools, and technologies
   - Vendor neutral, no recommendations for commercial products or services!
51. OWASP: Current OWASP Projects
   - Top 10 Project and Testing Guide
   - Development and Code Review Guide
   - Application Security Verification Standard
   - Broken Web Applications (BWA)
   - Zed Attack Proxy (ZAP)
52. OWASP
   - OWASP Top 10 Project, lists the 10 most severe web application security risks
   - Constantly updated, latest version released in 2013
   - Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS
   - Good starting point for a web application pentest
   - What to test? How to test? How to prevent?
53. OWASP: OWASP Top 10 Application Security Risks (no further text)
54. OWASP: OWASP Top 10 placement (no further text)
55. OWASP: OWASP Top 10 placement (no further text)
56. Intercepting Proxies
   - Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)
   - Located between the browser and the web application
   - Ability to intercept and to modify requests/responses
   - Provide a historical record of all requests
   - Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories
57. Intercepting Proxies: ZAP, Zed Attack Proxy
   - OWASP project, by Simon Bennetts
   - Java application, released in September 2010
   - Fork of the Paros intercepting proxy
   - Pentesting tool for finding vulnerabilities
   - Provides automated scanning, as well as a set of tools to find security vulnerabilities manually
58. Intercepting Proxies: ZAP, Zed Attack Proxy
   Functionalities
   - Intercepting proxy, listening on TCP/8080
   - Traditional and AJAX spider
   - Automated and passive scanner
   - Fuzzing and brute force capabilities
   - Smartcard and client certificate support
   - Authentication and session support
59. Intercepting Proxies: ZAP, Zed Attack Proxy (no further text)
60. Demo: ZAP, Zed Attack Proxy
   - Parameter/cookie tampering
   - Online password attack
   - Vulnerability detection
61. Commercial Web Scanners: Netsparker
   - Automated 'false positive free' web security scanner
   - Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
   - Automatically exploits detected vulnerabilities to ensure no false positives are reported
   - Free 'Community Edition' available!
62. Commercial Web Scanners (no further text)
63. Commercial Web Scanners: Netsparker (no further text)
64. Ready to Exploit some bugs?
65. What is bWAPP? Contents (same list as slide 5)
66. Hungry Evil Bees: Hacking, Defacing and Exploiting
   - SQL Injection
   - Cross-Site Scripting (XSS)
   - Client-side Attacks
   - Denial-of-Service (DoS)
   - Unrestricted File Uploads
   - Local Privilege Escalation
67. SQL Injection
   - SQL injection is very common in web applications
   - Occurs when user input is sent to a SQL interpreter as part of a query
   - The attacker tricks the interpreter into executing unintended SQL queries
68. SQL Injection: Injection in the OWASP Top 10 (no further text)
69. SQL Injection: Normal operation (diagram)
   BROWSER --HTML (GET/POST): login, password--> WEB APP --SQL--> SQL interpreter / DATABASE --result--> WEB APP --HTML--> BROWSER
   Query built by the web app: SELECT * FROM table WHERE login = 'login' AND password = 'password'
70. SQL Injection: Abnormal operation (diagram)
   Same flow, with the password field set to: ' or 1=1--
   Query built by the web app: SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- '
71. SQL Injection: Simple injections
   - '--
   - ' or 'a'='a
   - ' or 'a'='a'--
   - ' or '1'='1
   - ' or 1=1--
72. SQL Injection: Union injections
   - ' UNION SELECT field1, field2 FROM table--
   - ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
   Stacked queries
   - '; DROP TABLE table;--
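As an added example (not bWAPP's own PHP code; a Python/SQLite stand-in for the PHP/MySQL login on slides 69 and 70), the query built by string concatenation sits beside the parameterized version, and both are run with the `' or 1=1--` and `' or 'a'='a` values from slides 70 and 71. The `heroes` table, its rows and passwords are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's users table (table and
    login names borrowed from the slides; rows and passwords are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE heroes (id INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO heroes (login, password) VALUES (?, ?)",
        [("neo", "constructed-pw-1"), ("trinity", "constructed-pw-2")],
    )
    return conn


def login_vulnerable(conn, login, password):
    """Slides 69/70: the input is pasted into the SQL text, so a quote in the
    password closes the string literal and the rest is parsed as SQL. With
    password = ' or 1=1-- the WHERE clause becomes
    login = 'neo' AND password = '' OR 1=1 (the trailing quote is commented
    out), which matches every row."""
    sql = (
        f"SELECT login FROM heroes WHERE login = '{login}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, login, password):
    """The fix: bound parameters keep the input as data; the SQL text never
    changes, so the quote and the comment marker are just characters to
    compare against the stored password."""
    sql = "SELECT login FROM heroes WHERE login = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (login, password)))


def compare(conn, login, password):
    """Run the same credentials through both versions: (vulnerable, fixed)."""
    return (
        login_vulnerable(conn, login, password),
        login_parameterized(conn, login, password),
    )


if __name__ == "__main__":
    db = make_db()
    for pw in ("constructed-pw-1", "' or 1=1--", "' or 'a'='a", "wrong"):
        print(repr(pw), "->", compare(db, "neo", pw))
```

Stacked queries such as `'; DROP TABLE table;--` (slide 72) are rejected by Python's `sqlite3` driver, which executes one statement per call; PHP's MySQL drivers behave differently, so the parameterized form is the fix to rely on, not the driver.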
73. SQL Injection (no further text)
74. Blind SQL Injection
   - Blind SQL injection occurs when the database does not output data to the web page
   - Nearly identical to normal SQL injection; the way data is retrieved is different…
   - The result of the SQL injection is determined based on the application's responses
   - Boolean-based or time-based
   - Using automated tools is a must
75. Blind SQL Injection: Example: Time-based SQL injection
   One request per password position; the response is delayed by SLEEP(5) only when the guessed ASCII value matches.
   - blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,1,1))=116 AND SLEEP(5)--
   - blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,2,1))=114 AND SLEEP(5)--
   - blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,3,1))=105 AND SLEEP(5)--
   - blah' UNION SELECT 1,1,1,1,1,1 FROM heroes WHERE login='neo' AND ASCII(SUBSTRING(password,4,1))=110 AND SLEEP(5)--
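As an added, defender-side example (not from the deck or from bWAPP), a small scanner that URL-decodes the request line of each access-log entry and flags the payload shapes shown on slides 71, 72 and 75: quote-then-comment, boolean tautologies, UNION SELECT, INFORMATION_SCHEMA enumeration, SLEEP() timing probes and stacked DROP TABLE. The log lines, client IPs and the `/bWAPP/search.php` path are constructed for the example; the benign `O'Neil` line shows that a lone apostrophe does not trigger an alert.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache/Nginx common log format (not real
# bee-box logs). Requests 2-6 carry payloads from the slides; 1 and 7 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2015:10:00:01 +0000] "GET /bWAPP/search.php?title=neo HTTP/1.1" 200 1532
10.0.0.5 - - [09/Apr/2015:10:00:04 +0000] "GET /bWAPP/search.php?title=%27-- HTTP/1.1" 200 1532
10.0.0.5 - - [09/Apr/2015:10:00:07 +0000] "GET /bWAPP/search.php?title=%27+or+1%3D1-- HTTP/1.1" 200 9812
10.0.0.5 - - [09/Apr/2015:10:00:12 +0000] "GET /bWAPP/search.php?title=%27+UNION+SELECT+table_name+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema%3Ddatabase()-- HTTP/1.1" 200 4410
10.0.0.5 - - [09/Apr/2015:10:00:20 +0000] "GET /bWAPP/search.php?title=blah%27+UNION+SELECT+1,1,1,1,1,1+FROM+heroes+WHERE+login%3D%27neo%27+AND+ASCII(SUBSTRING(password,1,1))%3D116+AND+SLEEP(5)-- HTTP/1.1" 200 4410
10.0.0.7 - - [09/Apr/2015:10:00:22 +0000] "GET /bWAPP/search.php?title=%27%3B+DROP+TABLE+heroes%3B-- HTTP/1.1" 500 612
10.0.0.9 - - [09/Apr/2015:10:00:25 +0000] "GET /bWAPP/search.php?title=O%27Neil HTTP/1.1" 200 1201
"""

# Common log format: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Each rule names one payload shape from the slides. Matching is done on the
# percent-decoded URL so that %27 / %3D / + encodings do not hide the pattern.
RULES = {
    "comment-terminator": re.compile(r"'\s*--"),                         # '--
    "boolean-tautology": re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*", re.I),  # ' or 1=1, ' or 'a'='a
    "union-select": re.compile(r"\bunion\s+select\b", re.I),             # ' UNION SELECT ...
    "schema-enumeration": re.compile(r"\binformation_schema\b", re.I),   # INFORMATION_SCHEMA.TABLES
    "time-based-sleep": re.compile(r"\bsleep\s*\(", re.I),               # AND SLEEP(5)--
    "stacked-drop": re.compile(r";\s*drop\s+table\b", re.I),             # '; DROP TABLE ...;--
}


def scan_log(text):
    """Return one finding per request whose decoded URL matches any rule.
    Malformed lines are skipped rather than aborting the whole scan."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("url"))
        hits = [name for name, rx in RULES.items() if rx.search(decoded)]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "url": decoded, "rules": hits})
    return findings


def hits_per_source(findings):
    """Count flagged requests per client IP; a burst from one source is the
    typical signature of the character-by-character probing on slide 75."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["rules"], f["url"])
    print(hits_per_source(found))
```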
76. Automated SQL Injection: sqlmap
   - Open source penetration testing tool
   - Automates the process of detecting and exploiting SQL injection
   - Developed in Python, since July 2006
   - Full support for MS SQL, MySQL, Oracle, PostgreSQL, …
   - Full support for various SQL injection techniques
   - Site: http://sqlmap.org/
77. Demo: SQL Injection
   - Bypassing login forms
   - Manually extracting data
   - Automated SQL injection
   - Website defacement
78. Cross-Site Scripting
   - Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application
   - Insufficient validation of user-supplied data
   - Dangerous when it is stored permanently!
   XSS can lead to
   - Website defacements
   - Phishing / session hijacking
   - Client-side exploitation
79. Cross-Site Scripting: Types of XSS flaws
   - Reflected XSS
   - Stored XSS
80. Cross-Site Scripting: XSS in the OWASP Top 10 (no further text)
81. Demo: Cross-Site Scripting
   - Detecting XSS
   - Phishing & session hijacking
   - Client-side exploitation
82. Denial-of-Service
   - Denial-of-Service attack, or DoS attack
   - An attacker attempts to prevent legitimate users from accessing the application, server or network
   - Consumes network bandwidth, server sockets, threads, or CPU resources
   - Distributed Denial-of-Service attack, or DDoS
   - Popular techniques used by hacktivists
83. Denial-of-Service
   - Newer layer 7 DoS attacks are more powerful!
   - "Low-bandwidth application layer DoS"
   Advantages of layer 7 DoS
   - Legitimate TCP/UDP connections, difficult to differentiate from normal traffic
   - Requires fewer connections; a single attack can stop a web server
   - Reaches resource limits of services, regardless of the hardware capabilities of the server
84. Denial-of-Service: Layer 7 DoS methods
   - HTTP Slow Headers
   - HTTP Slow POST
   - HTTP Slow Reading
   - Apache Range Header
   - SSL/TLS Renegotiation
   - XML Bombs
85. Demo: Denial-of-Service
   - HTTP Slow POST
   - MS15-034 (>SSRF)
86. Web Shells
   - Web shells are malicious web pages that provide an attacker functionality on a web server
   - Making use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl, ...
   Web shell functionalities
   - File transfers
   - Command execution
   - Network reconnaissance
   - Database connectivity
87. Web Shells: External attack vectors
   - (Blind) SQL Injection
   - OS Command Injection
   - Remote File Inclusion
   - Unrestricted File Upload
   - Insecure FTP, WebDAV, …
88. Demo: Web Shell
   - Web shell creation
   - Remote shell access
   - Escalating privileges...
   - Getting root access!
89. What is bWAPP? Contents (same list as slide 5)
90. Superbees Wanted
   Hi little bees, during this talk we
   - Defaced our website
   - Compromised the server
   - Compromised a client
   - Made the server unreachable
   - Hijacked a session
   - Stole credentials…
91. - And we have so many more bugs…
   - Time to improve your web security
   - Defense is really needed
   - Downloading bWAPP is a first start
   - Remember, every bee needs a superbee
   - Are you that superbee?
   Superbees Wanted @MME_IT #bWAPP
92. Contact Me
   - Malik Mesellem
   - Email | malik@itsecgames.com
   - Twitter | twitter.com/MME_IT
   - LinkedIn | be.linkedin.com/in/malikmesellem
   - Blog | itsecgames.blogspot.com
93. What is bWAPP?
   Malik Mesellem
   Defense Needed, Superbees Wanted
