Legal and efficient web app testing without permission

Legal And Efficient
Web App Testing
Without Permission
HackPra, April 11th 2012

Abraham Aranguren
@7a_ @owtfp
abraham.aranguren@owasp.org
http://7-a.org
http://owtf.org

Agenda
• Intro
- Why + How without permission
- OWTF basics
• Practical Cheating:
- OWASP + OWTF Walk-through
• Conclusion
• Q&A

About me
• Spanish dude
• Uni: Degree, InfoSec research + honour mark
• IT: Since 2000, defensive sec as netadmin / developer
• (Offensive) InfoSec: Since 2007
• OSCP, CISSP, GWEB, CEH, MCSE, etc.
• Web App Sec and Dev/Architect
• Infosec consultant, blogger, OWTF, GIAC, BeEF

The pen testing problem

http://scottthong.wordpress.com

Attacker Tactics
From “Open Source Information Gathering” by Chris Gates, Brucon 2009

http://carnal0wnage.attackresearch.com/

Pentester disadvantage
Pentesters vs Bad guys
• Pentesters have time/scope constraints != Bad guys
• Pentesters have to write a report != Bad guys

Complexity is increasing
More complexity = more time needed to test properly

Customers are rarely willing to:
“Pay for enough / reasonable testing time“

A call for efficiency:
• We must find vulns faster
• We must be more efficient
• .. or bad guys will find the vulns, not us

Can we learn from history?

Has this
Huge disadvantage
problem been solved before?

Ancient “Top Attackers”
Individually outstanding due to:
• Artificial selection: Babies killed if “defective” (!)
• Military training (“Agoge”): Ages 7-18
• Final test: Survive in the countryside with only a knife
• Spartan Law: No retreat, No surrender (i.e. victory or death)

Globally outstanding due to solid tactic: “Hoplite phalanx”
• Shield wall + Spear points
• Frontally very strong + used successfully for centuries

http://scottthong.wordpress.com / http://en.wikipedia.org/wiki/Sparta

How would you beat them?

How could a room full of (sedentary? ☺) Geeks
beat a room full of Spartans?

Ok, more realistic scenario ☺:
• Your troops must fight the Spartans
• You have the same number of soldiers
• Your soldiers are not that great
• How can you WIN?

Ancient “Pentest Cheating”
Battle of Lechaeum: Spartans defeated by “lamers”!

Tactic “Cheating”:
• Don’t fight, thow things!: Javelins + bows = Athenians WON
• Phalanx weak against: “shooters”, cavalry, flank/back attacks

http://www.ancientgreekbattles.net / http://en.wikipedia.org/wiki/Phalanx_formation /
http://en.wikipedia.org/wiki/Battle_of_Lechaeum

Why not take this to the next level?

Why not legitimately?
• Shoot “before the battle” without permission
• Shoot while we analyse information in parallel
• Prepare more shootings without being noticed

A Pentester “cheating try”
Offensive (Web) Testing Framework = Multi-level “cheating” tactics

OWTF Chess-like approach

Kasparov against Deep Blue - http://www.robotikka.com

OWTF > Web: Aux Plugins
Metasploit-like automation for external tools, custom tests and more

OWTF “Cheating”: Talk Scope
At least 48.5% (32 out of 66) of the tests in the OWASP Testing guide can be
legally* performed at least partially without permission

* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!

Classic Pentest Stages
1. Pre-engagement: No permission “OWTF Cheat tactics” = Start here
2. Engagement: Permission Official test start = Active Testing here

OWTF 101
Step 1- Run it
Pre-engagement safe CLI OWTF options without permission
o owtf.py –t passive http://target.com
o owtf.py –t semi_passive http://target.com  semi_passive + grep
o owtf.py –t quiet http://target.com  passive + semi_passive + grep

OWTF 101 (cont.)
Step 2- Human Analysis in parallel
Pentester all-out “cheating” via OWTF continuous reporting:
• Pentester works on the report interface
• Start human analysis from “minute 1”: No “waiting until X for scan to finish”
• Tools run in background via OWTF: No tool babysitting + No wasted energy
• Refresh report for newer results
• The human and the tools complement each other: “Fighting together as a team”

Context consideration:
Case 1 robots.txt Not Found
…should Google index a site like this?

Or should robots.txt exist and be like this?
User-agent: *
Disallow: /

Case 1 robots.txt Not Found - Semi passive
• Direct request for robots.txt
• Without visiting entries

Case 2 robots.txt Found – Passive
• Indirect Stats, Downloaded txt file for review, “Open All in Tabs”

OWTF HTML Filter challenge: Embedding of untrusted third party HTML
Defence layers:
1) HTML Filter: Open source challenge
Filter 6 unchallenged since 04/02/2012, Can you hack it? ☺
http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html
2) HTML 5 sanboxed iframe
3) Storage in another directory = cannot access OWTF Review in localStorage

Start reporting!: Take your notes with fancy formatting
Step 1 – Click the “Edit” link

Step 2 – Start documenting findings + Ensure preview is ok

Start reporting!: Paste PoC screenshots

The magic bar ;) – Useful to generate the human report later

Passive Plugin
Step 1- Browse output files to review the full raw tool output:

Step 2 – Review tools run by the passive Search engine discovery plugin:

Was your favourite tool not run?
Tell OWTF to run your tools on: owtf_dir/profiles/resources/default.cfg (backup first!)

Tool output can also be reviewed via clicking through the OWTF report directly:

The Harvester:
•Emails
•Employee Names
•Subdomains
•Hostnames

http://www.edge-security.com/theHarvester.php

Metadata analysis:
• TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺)
• Implemented: Integration with Metagoofil

http://www.edge-security.com/metagoofil.php

Inbound proxy not stable yet but all this happens automatically:
• robots.txt entries added to “Potential URLs”
• URLs found by tools are scraped + added to “Potential URLs”
During Active testing (later):
• “Potential URLs” visited + added to “Verified URLs” + Transaction log

All HTTP transactions logged by target in transaction log
Step 1 – Click on “Transaction Log”

Step 2 – Review transaction entries

Step 3 – Review raw transaction information (if desired)

Step 1 - Make all direct OWTF requests go through Outbound Proxy:
Passes all entry points to the tactical fuzzer for analysis later

Step 2 - Entry points can then also be analysed via tactical fuzzer:

Goal: What is that server running?

Manually verify request for fingerprint:

Whatweb integration with non-aggresive parameter (semi passive detection):

https://github.com/urbanadventurer/WhatWeb

Fingerprint header analysis: Match stats

Convenient vulnerability search box (1 box per header found ☺):
Search All Open all site searches in tabs

Exploit DB - http://www.exploit-db.com

NVD - http://web.nvd.nist.gov - CVSS Score = High

OSVDB - http://osvdb.org - CVSS Score = High

http://www.securityfocus.com - Better on Google

http://www.exploitsearch.net - All in one

http://toolbar.netcraft.com - Passive banner grab,etc.

•CMS
•Widgets
•Libraries
•etc

http://builtwith.com

Search in the headers without touching the site:

http://www.shodanhq.com/

Passive suggestions
- Prepare your test in a terminal window to hit “Enter” on “permission minute 1”

What else can be done with a fingerprint?

Environment replication
Download it .. Sometimes from project page ☺

Also check http://www.oldapps.com/, Google, etc.

Static Analyis, Fuzz, Try exploits, ..

RIPS for PHP: http://rips-scanner.sourceforge.net/
Yasca for most other (also PHP): http://www.scovetta.com/yasca.html

Legal and efficient web app testing without permission

http://www.robtex.com - Passive DNS Discovery

http://whois.domaintools.com

http://centralops.net

Has Google found error messages for you?

The link is generated with OWTF with that box ticked: Important!

https://www.ssllabs.com/ssldb/analyze.html

Pretty graphs to copy-paste to your OWTF report ☺

https://www.ssllabs.com/ssldb/analyze.html

Do not forget about Strict-Transport-Security!
sslstrip chances decrease dramatically:
Only 1st time user visits the site!

Not found example:

Found example:

HTML content analysis: HTML Comments

Efficient HTML content matches analysis

Step 1 - Click
Step 2 – Human Review of Unique matches

Efficient HTML content matches analysis

Step 1 - Click
Step 2 –Review Unique matches (click on links for sample match info)

Want to see all? then click

HTML content analysis: CSS and JavaScript Comments (/* */)

HTML content analysis: Single line JavaScript Comments (//)

HTML content analysis: PHP source code

HTML content analysis: ASP source code

If you find an admin interface don’t forget to ..
Google for default passwords:

Disclaimer: Permission is required for this

Is the login page on “http” instead of “https”?

Pro Tip: When browsing the site manually ..
… look carefully at pop-ups like this:

Consider (i.e. prep the attack):
Firesheep: http://codebutler.github.com/firesheep/
SSLStrip: https://github.com/moxie0/sslstrip

Mario was going to report a bug to Mozilla and found another!

Abuse user/member public search functions:
• Search for “” (nothing) or “a”, then “b”, ..
• Download all the data using 1) + pagination (if any)
• Merge the results into a CSV-like format
• Import + save as a spreadsheet
• Show the spreadsheet to your customer

Analyse the username(s) they gave you to test:
• Username based on numbers?
USER12345
• Username based on public info? (i.e. names, surnames, ..)
name.surname
• Default CMS user/pass?

Part 1 – Remember Password: Autocomplete
Good Bad
Via 1) <form … autocomplete=“off”> <form action="/user/login"
Or Via 2) <input … autocomplete=“off”> method="post">
<input type="password" name="pass" />

Manual verification for password autocomplete (i.e. for the customer)
Easy “your grandma can do it” test:
1. Login
2. Logout
3. Click the browser Back button twice*
4. Can you login again –without typing the login or password- by re-
sending the login form?

Can the user re-submit the login form via the back button?
* Until the login form submission

Other sensitive fields: Pentester manual verification
• Credit card fields
• Password hint fields
• Other

Part 2 - Password Reset forms
Manually look at the questions / fields in the password reset form
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc)
• Does it send an email to a potentially dead email address you can
register? (i.e. hotmail.com)

Goal: Is Caching of sensitive info allowed?

Manual verification steps: “your grandma can do it” ☺ (need login):
1. Login
2. Logout
3. Click the browser Back button
4. Do you see logged in content or a this page has expired error / the login
page?

Manual analysis tools:
• Commands: curl –i http://target.com
• Proxy: Burp, ZAP, WebScarab, etc
• Browser Plugins:

https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
https://addons.mozilla.org/en-US/firefox/addon/firebug/

HTTP/1.1 headers
Good Bad
Cache-Control: no-cache Cache-control: private

HTTP/1.0 headers
Good Bad
Pragma: no-cache Pragma: private
Expires: <past date or illegal (e.g. 0)> Expires: <way too far in the future>

The world
Good Bad
https://accounts.google.com No caching headers = caching allowed
Cache-control: no-cache, no-store HTTP/1.1 200 OK
Pragma: no-cache Date: Tue, 09 Aug 2011 13:38:43 GMT
Expires: Mon, 01-Jan-1990 00:00:00 GMT Server: ….
X-Powered-By: ….
Connection: close
Content-Type: text/html; charset=UTF-8

Repeat for Meta tags
Good Bad
<META HTTP-EQUIV="Cache-Control" <META HTTP-EQUIV="Cache-Control"
CONTENT="no-cache"> CONTENT=“private">

Step 1 – Find CAPTCHAs: Passive search

Offline Manual analysis:
• Download image and try to break it
• Are CAPTCHAs reused?
• Is a hash or token passed? (Good algorithm? Predictable?)
• Look for vulns on CAPTCHA version
CAPTCHA breaking tools
PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
Captcha Breaker - http://churchturing.org/captcha-dist/

Manually Examine cookies for weaknesses offline

Base64 Encoding (!= Encryption ☺) Decoded value
MTkyLjE2OC4xMDAuMTpvd2FzcHVzZ owaspuser:192.168.100.1:
XI6cGFzc3dvcmQ6MTU6NTg= a7656fafe94dae72b1e1487670148412

http://hackvertor.co.uk/public

Lots of decode options, including:
• auto_decode
• auto_decode_repeat
• d_base64
• etc.

http://hackvertor.co.uk/public

F5 BIG-IP Cookie decoder:

http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html

• Secure: not set= session cookie leaked= pwned
• HttpOnly: not set = cookies stealable via JS
• Domain: set properly
• Expires: set reasonably
• Path: set to the right /sub-application
• 1 session cookie that works is enough ..

Manually check when verifying credentials during pre-engagement:
Login and analyse the Session ID cookie (i.e. PHPSESSID)
Good Bad (normal + by default)
Before: 10a966616e8ed63f7a9b741f80e65e3c Before: 10a966616e8ed63f7a9b741f80e65e3c
After: Nao2mxgho6p9jisslen9v3t6o5f943h After: 10a966616e8ed63f7a9b741f80e65e3c

IMPORTANT: You can also set the session ID via JavaScript (i.e. XSS)

Session ID:
• In URL
• In POST
• In HTML

Example from the field:
http://target.com/xxx/xyz.function?session_num=7785

Look at unauthenticated cross-site requests:

http://other-site.com/user=3&report=4
Referer: site.com

Change ids in application: (ids you have permission for!)
http://site.com/view_doc=4

Headers Enabling/Disabling Client-Side XSS filters:
• X-XSS-Protection (IE-Only)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)

Review JavaScript code on the page:

<script>
document.write("Site is at: " + document.location.href + ".");
</script>

Sometimes active testing possible in your browser
(no trip to server = not an attack = not logged):
http://target.com/...#vulnerable_param=xss

http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html

1. Browse Site
2. Time requests
3. Get top X slowest requests
4. Slowest = Best DoS target

Google searches: inurl:wsdl site:example.com

Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/

WSDL analysis
Sensitive methods in WSDL?
i.e. Download DB, Test DB, Get CC, etc.
http://www.example.com/ws/FindIP.asmx?WSDL

<wsdl:operation name="getCreditCard" parameterOrder="id">
<wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
<wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
</wsdl:operation>

Same Origin Policy (SOP) 101
1. Domain A’s page can send a request to Domain B’s page from Browser
2. BUT Domain A’s page cannot read Domain B’s page from Browser

http://www.ibm.com/developerworks/rational/library/09/rationalapplicationdeveloperportaltoolkit3/

• Request == Predictable Pwned “..can send a request to Domain B” (SOP)
CSRF Protection 101:
•Require long random token (99% hidden anti-CSRF token) Not predictable
•Attacker cannot read the token from Domain B (SOP) Domain B ignores request

Potentially Good Bad
Anti-CSRF token present: Verify with permission No anti-CSRF token

Similar to CSRF:
Is there an anti-replay token in the request?

Potentially Good Bad
Anti-CSRF token present: Verify with permission No anti-CSRF token

1) Passive search for Flash/Silverlight files + policies:

Flash file search: Silverlight file search:

Static analysis: Download + decompile Flash files
$ flare hello.swf

Flare: http://www.nowrap.de/flare.html
Flasm (timelines, etc): http://www.nowrap.de/flasm.html

Static analysis tools

Adobe SWF Investigator
http://labs.adobe.com/technologies/swfinvestigator/

SWFScan

SWFScan: http://www.brothersoft.com/hp-swfscan-download-253747.html

Active testing ☺
1) Trip to server = need permission
http://target.com/test.swf?xss=foo&xss2=bar

2) But … your browser is yours:
No trip to server = no permission needed

#
http://target.com/test.swf ?xss=foo&xss2=bar

Good news: Unlike DOM XSS, the # trick will always work for Flash Files

Some technologies allow settings that relax SOP:
• Adobe Flash (via policy file)
• Microsoft Silverlight (via policy file)
• HTML 5 Cross Origin Resource Sharing (via HTTP headers)
Cheating: Reading the policy file or HTTP headers != attack

http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

Policy file retrieval for analysis

CSRF by design read tokens = attacker WIN

Flash / Silverlight - crossdomain.xml

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

Bad defence example: restrict pushing headers accepted by Flash:
All headers from any domain accepted

<allow-http-request-headers-from domain="*" headers="*" />

Flash: http://kb2.adobe.com/cps/403/kb403185.html

CSRF by design read tokens = attacker WIN

Silverlight - clientaccesspolicy.xml

<?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-
access><policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>

Silverlight: http://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx

UI Redressing protections:
• X-Frame-Options (best)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13)
• JavaScript Frame busting (bypassable sometimes)
Good Bad
X-Frame-Options: Deny

Andrew Horton’s “Clickjacking for Shells”:
http://www.morningstarsecurity.com/research/clickjacking-wordpress

Krzysztof Kotowicz’s “Something Wicked this way comes”:
http://www.slideshare.net/kkotowicz/html5-something-wicked-this-way-comes-
hackpra
https://connect.ruhr-uni-bochum.de/p3g2butmrt4/

Marcus Niemietz’s “UI Redressing and Clickjacking”:
http://www.slideshare.net/DefconRussia/marcus-niemietz-ui-redressing-and-
clickjacking-about-click-fraud-and-data-theft

Too much info?
Use the filter to drill to what you care about:

Business Conclusion
• Web app security > Input validation
• We see no traffic != we are not targeted
• No IDS alerts != we are safe
• Your site can be tested without you noticing
• Test your security before others do

Pen tester Conclusion
• No permission != cannot start
• A lot of work can be done in advance

This work in advance helps with:
• Increased efficiency
• Deal better with tight deadlines
• Better pre-engagement
• Better test quality
• Best chance to get in

Bottom line
Do not wait for “Tool X” or Permission

Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/

Bottom line
Try harder!

Benedikt Magnusson - 1015lbs / 461kg World Record Deadlift
2nd April 2011

Special thanks to
Adi Mutu (@an_animal), Krzysztof Kotowicz (@kkotowicz),
Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz),
Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas
Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci)

OWASP Testing Guide contributors

Finux Tech Weekly – Episode 17 – mins 31-49
http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3
Finux Tech Weekly – Episode 12 – mins 33-38
http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3
http://www.finux.co.uk/episodes/ogg/FTW-EP12.ogg
Exotic Liability – Episode 83 – mins 49-53
http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah

Q&A
Abraham Aranguren
@7a_ @owtfp
abraham.aranguren@owasp.org
http://7-a.org
http://owtf.org

Project Site (links to everything): http://owtf.org
• Try OWTF: https://github.com/7a/owtf/tree/master/releases
• Try a demo report: https://github.com/7a/owtf/tree/master/demos
• Documentation: https://github.com/7a/owtf/tree/master/readme
• Contribute: https://github.com/7a/owtf

Legal and efficient web app testing without permission

More Related Content

What's hot (20)

Similar to Legal and efficient web app testing without permission (20)

Recently uploaded (20)

Legal and efficient web app testing without permission