SlideShare a Scribd company logo

OTG-Recon

Download as PPTX, PDF
Sedthakit Prasanphanich, profile picture
Sedthakit Prasanphanich

The document provides information about conducting information gathering and reconnaissance of web applications. It discusses testing techniques for gathering information such as: - Using search engines to find sensitive design and configuration details exposed directly or indirectly online - Fingerprinting the web server to determine the type and version for known vulnerabilities - Reviewing web server metafiles like robots.txt for information leakage - Enumerating applications running on the webserver through different techniques - Reviewing webpage comments and metadata for sensitive information exposure The document provides examples and tools for each technique and emphasizes the importance of information gathering for understanding the target application before conducting attacks. It also discusses potential remediations like access control, header obfuscation and custom web server compilation

Internet
Related topics:
Security Testing
1 of 101
Downloaded 49 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
OTG-RECON OWASP Thailand Chapter (September 2015)
$whoami >>> import speaker >>> print(fullname) Sedthakit Prasanphanich >>> print(hobby) [‘IT-Sec’, ‘Basketball’, ‘Reading’, ‘Games’, ‘Anime’] >>> print(OWASP_role) Thailand Chapter Manager (General Butler) >>> print(work) Web Security Engineer
Disclaimer • This presentation assume that you have a little tiny bits of “Information Gathering”. • If you don’t have any ideas about the previous bullet, please consult Google, Yahoo, Bing, Baidu (I’m not joking),… • If you don’t understand any jargon or gibberish word, please ask me what it is! • This presentation is not a bible. Need more info, Read the OWASP Testing Guide! • Found any errata or having any suggestion, Please subscribe to the mailing list (https://www.owasp.org/index.php/OWASP_Testing_Projec t#tab=Feedback_and_Participation)
Agenda • Smalltalk about Breaker, Security Tester, or Hacker. • OTG 101 • OTG-INFO-x WHERE x >= 0 && x <=10;
#define hacker
–Gehring, Verna (2004). The Internet In Public Life. Maryland: Rowman & Littlefield Publishers. pp. 43–56. “a person who enjoy the intellectual challenge of creatively overcoming and circumventing limitations of systems to achieve novel and clever outcomes.”
–Richard M. Stallman, 2002, and 2000 respectively “It means someone who enjoys playful cleverness, especially in programming but other media are also possible.” “hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have "hack value".
#import OTG 101
What is Web Application Security Testing? • a method of evaluating the security of a web application by methodically validating and verifying the effectiveness of application security controls.
What is a Test? • A test is an action to demonstrate that an application meets the security requirements of its stakeholders.
The Approach in Writing this Guide • Open: every security expert can participate with his or her experience in the project. Everything is free. • Collaborative: brainstorming is performed before the articles are written so the team can share ideas and develop a collective vision of the project. That means rough consensus, a wider audience and increased participation.
goto: Recon
Why information gathering so important? • All possible information is gathered about the target • very little footprints generally left by the attacker
–Sun Tzu “Every battle is won before it is fought”
>>> i=1 >>> while i<11: ... if i==10: ... print "OTG-INFO-010" ... else: ... print "OTG-INFO-" + "00" + str(i) ... i+=1
Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO- 001)
OTG-INFO-001 • To understand what sensitive design and configuration information of the application/system/organization is exposed both directly (on the organization’s website) or indirectly (on a third party website).
HOW TO TEST? • Use a search engine to search for: • Network diagrams and configurations • Archived posts and emails by administrators and other key staff • Log on procedures and username formats • Usernames and passwords • Error message content • Development, test, UAT and staging versions of the website
Search Operators gotta know ’em all Ref: http://www.googleguide.com/advanced_operators_reference.html
Search Engines
• Baidu • binsearch.info • Bing • Duck Duck Go • ixquick/Startpage • Google • Shodan • PunkSpider • Google • Yahoo • Yandexx • etc.
Example intitle:"index of"
Want to practice some searching? goto: http://www.agoogleaday.com/
Another Example
Lazy?
GHDB The Google Hacking Database is list of useful search queries for Google. Queries are put in several categories: • Footholds • Files containing usernames • Sensitive Directories • Web Server Detection • Vulnerable Files • Vulnerable Servers • Error Messages • Files containing juicy info • Files containing passwords • Sensitive Online Shopping Info
print(Remediation) • Carefully consider the sensitivity of design and configuration information before it is posted online. • Periodically review the sensitivity of existing design and configuration information that is posted online.
Fingerprint Web Server (OTG-INFO-002)
OTG-INFO-002 • Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing. • Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits to use during testing
How to Test $ nc 202.41.76.251 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Mon, 16 Jun 2003 02:53:29 GMT Server: Apache/1.3.3 (Unix) (Red Hat/Linux) Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT ETag: “1813- 49b-361b4df6” Accept-Ranges: bytes Content-Length: 1179 Connection: close Content-Type: text/html
How about this?
403 HTTP/1.1 Forbidden Date: Mon, 16 Jun 2003 02:41: 27 GMT Server: Unknown-Webserver/1.0 Connection: close Content-Type: text/HTML; charset=iso-8859-1
Protocol Behaviour • HTTP HEADER FIELD ORDERING • MALFORMED REQUEST TEST
HTTP HEADER FIELD ORDERING • The first method consists of observing the ordering of the several headers in the response. Every web server has an inner ordering of the header. Consider the following answers as an example:
Comparison Response from Apache 1.3.23 $ nc apache.example.com 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Sun, 15 Jun 2003 17:10: 49 GMT Server: Apache/1.3.23 Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMT ETag: 32417-c4- 3e5d8a83 Accept-Ranges: bytes Content-Length: 196 Connection: close Content-Type: text/HTML Response from IIS 5.0 $ nc iis.example.com 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Location: http:/iis.example.com/Default.htm Date: Fri, 01 Jan 1999 20:13: 52 GMT Content-Type: text/HTML Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:13: 52 GMT ETag: W/e0d362a4c335be1: ae1 Content-Length: 133
Malformed requests test • Another useful test to execute involves sending malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.
MALFORMED REQUEST TEST Response from Apache 1.3.23 $ nc apache.example.com 80 GET / JUNK/1.0 HTTP/1.1 200 OK Date: Sun, 15 Jun 2003 17:17: 47 GMT Server: Apache/1.3.23 Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMT ETag: 32417-c4- 3e5d8a83 Accept-Ranges: bytes Content-Length: 196 Connection: close Content-Type: text/HTML Response from IIS 5.0 $ nc iis.example.com 80 GET / JUNK/1.0 HTTP/1.1 400 Bad Request Server: Microsoft-IIS/5.0 Date: Fri, 01 Jan 1999 20:14: 34 GMT Content-Type: text/HTML Content-Length: 87
Can’t remember?
Automated Test • HTTPrint (way too classics) • Netcraft • hmap • nmap with ‘-sV’ options • blindelephant (Version 2 is coming soon) • Shodan • etc.
print(Remediation) • Custom compile Webserver (For #hardcores) • Protect the presentation layer web server behind a hardened reverse proxy. • Obfuscate the presentation layer web server headers.
Review Webserver Metafiles for Information Leakage (OTG-INFO- 003)
OTG-INFO-003 • This section describes how to test the robots.txt file for information leakage of the web application’s directory or folder path(s). • the list of directories that are to be avoided by Spiders, Robots, or Crawlers can also be created as a dependency for Map execution paths through application (OTG-INFO-007) • Information leakage of the web application’s directory or folder path(s). • Create the list of directories that are to be avoided by Spiders, Ro- bots, or Crawlers
Example of Robots.txt killer-robot.txt User-Agent: T-1000 User-Agent: T-800 Disallow: /+LarryPage Disallow: /+SergeyBrin Ref: http://www.google.com/killer-robots.txt
Fine, Real robots.txt from http://www.google.com
What else?
Meta tag • <META> tags are located within the HEAD section of each HTML Document and should be consistent across a web site in the likely event that the robot/spider/crawler start point does not begin from a document link other than webroot i.e. a “deep link”[5]. • Web spiders/robots/crawlers can intentionally ignore the “<META NAME=”ROBOTS”” tag as the robots.txt file convention is preferred. Hence, <META> Tags should not be considered the primary mechanism, rather a complementary control to robots.txt.
Meta Example Example of Meta tags Ref: https://anantshri.info/articles/web_app/image002.png
Enumerate Applications on Webserver (OTG- INFO-004)
OTG-INFO-004 A paramount step in testing for web application vulnerabilities is to find out which particular applications are hosted on a web server. In addition, many applications are often misconfigured or not updated, due to the perception that they are only used “internally” and therefore no threat exists.
TL;DR • Enumerate the applications within scope that exist on a web server • Some server may have more than one applications running
HOW TO TEST? 1. Different base URL 2. Non-standard ports 3. Virtual hosts
Base URL • Take a deep breath, and • keep typing in the url bar (address bar for the retro) • http://www.example.com/url1 • http://www.example.com/url2 • http://www.example.com/url3
not a lucky guy?
How to identify via base URL? • if mis-configured, and allow directory browsing, we can find spot them. • Dictionary searching (Forced Browsing in ZAP) • Use Vulnerability scanner to help
Non-standard port • Normally, HTTP, and HTTPS use TCP port 80, 443 respectively • But, are you sure?
#nmap #FTW Ref: https://nmap.org/movies/matrix/trinity-nmapscreen- hd-crop-1200x728.jpg
Virtual Host
–The Three musketeers “All for one, and one for all.”
$(whereis my_neighbor_host)? • DNS zone transfer (too classic) • DNS inverse query (depends on target’s config) • Robtex • etc.
#Robtex #Example Ref: https://www.robtex.com/en/advisory/dns/org/icann/www/
Review webpage comments and metadata for information leakage (OTG-INFO- 005)
OTG-INFO-005 It is very common, and even recommended, for programmers to include detailed comments and metadata on their source code. However, comments and metadata included into the HTML code might reveal internal information that should not be available to potential attackers. Comments and metadata review should be done in order to determine if any information is being leaked.
TL;DR again • Just pay attention in any interesting Comment and meta HTML tag
HOW TO TEST • Check HTML Source code for any comment! • Examine the Meta tag
#comment #CTF Ref: http://ctf.infosecinstitute.com/levelone.php
Why meta tag again? • some may provide the application profiling • some alter HTTP response headers which can used to conduct injection attacks
Identify application entry points (OTG-INFO-006)
OTG-INFO-006 Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed.
TL;DR again • Understand how requests are formed and typical responses from the application
HOW TO TEST? • Step 0: Understand HTTP Protocol • Look into the Request and Response
Any tools to intercept? • any intercepting proxy(Burp, Zed, fiddler, etc.) • Tamper Data (Web Browser plugins) • Live HTTP Header (Web Browser plugins)
Example • GET example GET https:/x.x.x.x/shoppingApp/buyme .asp?CUSTOMERID=100&ITEM =z101a&PRICE=62.50&IP=x.x.x. x Host: x.x.x.x Cookie: SESSIONID=Z29vZCBqb2IgcGF kYXdhIG15IHVzZXJuY- W1lIGlzIGZvbyBhbmQgcGFzc3d vcmQgaXMgYmFy • POST Example POST https:/x.x.x.x/KevinNotSoGoodApp/authe nticate.asp?- service=login Host: x.x.x.x Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhc HAgdGhhdCB- zZXRzIHByZWRpY3RhYmxlIGNvb2tpZX MgYW5kIG1pbmUgaX- MgMTIzNA== CustomCookie=00my00trusted00ip00is0 0x.x.x.x00 • Body of the POST message: user=admin&pass=pass123&debug=true &fromtrustIP=true =
Map execution paths through application (OTG- INFO-007)
James_Bond(){007} Ref: http://1.bp.blogspot.com/- pyBGbYAWLPI/UsWtagebozI/AAAAAAAAAvI/jAHHopVTrC4/s160 0/every-james-bond-ever.png
OTG-INFO- $(James_Bond) Before commencing security testing, understanding the structure of the application is paramount. Without a thorough understanding of the layout of the application, it is unlkely that it will be tested thoroughly.
Still want shorter version? • Map the target application and understand the principal workflows.
HOW TO TEST? There are several ways to approach the testing and measurement of code coverage: • Path - test each of the paths through an application that includes combinatorial and boundary value analysis testing for each decision path. • Data flow (or taint analysis) - tests the assignment of variables via external interaction (normally users). • Race - tests multiple concurrent instances of the application manipulating the same data.
We need support! • OWASP-ZAP • Burpsuite
#ZAP Automatic Spidering
Fingerprint Web Application Framework (OTG-INFO-008)
OTG-INFO-008 Web framework or Content Management System fingerprinting is an important subtask of the information gathering process. Knowing the type of framework can automatically give a great advantage if such a framework has already been tested by the penetration tester. It is not only the known vulnerabilities in unpatched versions but specific misconfigurations in the framework and known file structure that makes the fingerprinting process so important.
Cut to the chase To define type of used web framework so as to have a better understanding of the security testing methodology.
How? and Where? • HTTP Headers • Cookies • HTML source code • Specific files and folders
HTTP HEADER HTTP/1.1 200 OK Server: nginx/1.0.14 Date: Sat, 07 Sep 2013 08:19:15 GMT Content- Type: text/html;charset=ISO-8859-1 Connection: close Vary: Accept-Encoding X-Powered-By: Mono
Cookies GET /cake HTTP /1.1 Host: defcon-moscow.org User-Agent: Mozilla75.0 |Macintosh; Intel Mac OS X 10.7; rv: 22.0) Gecko/20100101Firefox/22.0 Accept: text/html, application/xhtml + xml, application/xml; q=0.9, */*; q=0 , 8 Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3 Accept - Encoding: gzip, deflate DNT: 1 Cookie: CAKEPHP=rm72kprivgmau5fmjdesbuqi71; Connection: Keep- alive Cache-Control: max-age=0
HTML source code Find certain pattern in the
Specific Files and Folders For Example • /wp-admin/ • modules/Drupal5-urdu-po/ • templates/joomlaport_metro/
Any assistance? • Whatweb • Blindelephant (Version 2 is coming soon) • AppSpector • Wappalyzer
#Wappalyzer
$(Remediation) • obfuscate all HTTP-head- ers that disclose information the technologies used • change cookie names by making changes in the corresponding configuration files. • Manually check the contents of the HTML code and remove every- thing that explicitly points to the framework. • Remove Meta Generator Tags • Do not use default scripts on the page or obfuscate them if they must be used.
Fingerprint Web Application (OTG-INFO-009)
OTG-INFO-009 Apart from the Web Application Framework, Identify the web application and version to determine known vulnerabilities and the appropriate exploits to use during testing.
Is it like 008? • IMHO, similar to 008 but different objective • 008 aims to draw what kind of framework they are using (Name of the CMS) • 009 aims to find which version of the web application they are using (version of the CMS, DB, Programming languge)
>show me the example $(whatweb amazon.com && whatweb blognone.com
$(Remediation) • Goto:OTG-INFO-008/remediation
Map Application Architecture (OTG-INFO- 010)
OTG-INFO-010 The complexity of interconnected and heterogeneous web server infrastructure can include hundreds of web applications and makes con- figuration management and review a fundamental step in testing and deploying every single application. In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small and seemingly unimportant problems may evolve into severe risks for another application on the same server. To address these problems, it is of utmost importance to perform an in-depth review of configuration and known security issues. Before performing an in- depth review it is necessary to map the network and application architecture. The different elements that make up the infrastructure need to be determined to understand how they interact with a web application and how they affect security…….ZZzzzzzZZzz
TL;DR • determine the architecture of the application to find any impact against the application security
HOW? • Ask the developers or system architecture • navigating an application. • Keep guessing by using the technique in 001-009 to determine the architectures. • some strange input may returned the protection systems e.g., %00
Why? For example: • On more complex setups, such as an online bank system, multiple servers might be involved. These may include a reverse proxy, a front-end web server, an application server and a database server or LDAP server.
Q&A

More Related Content

PPTX
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
Noppadol Songsakaew
 
PDF
Owasp testing guide owasp summit 2011 (matteo meucci)
Matteo Meucci
 
PDF
Matteo Meucci OWASP Testing Guide v4
Matteo Meucci
 
PPTX
SANS @Night Talk: SQL Injection Exploited
Micah Hoffman
 
PPTX
[Wroclaw #2] Web Application Security Headers
OWASP
 
PPTX
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
PPTX
[Wroclaw #7] Security test automation
OWASP
 
KEY
DVWA BruCON Workshop
testuser1223
 
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
Noppadol Songsakaew
 
Owasp testing guide owasp summit 2011 (matteo meucci)
Matteo Meucci
 
Matteo Meucci OWASP Testing Guide v4
Matteo Meucci
 
SANS @Night Talk: SQL Injection Exploited
Micah Hoffman
 
[Wroclaw #2] Web Application Security Headers
OWASP
 
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
[Wroclaw #7] Security test automation
OWASP
 
DVWA BruCON Workshop
testuser1223
 

What's hot (20)

PPTX
DVWA(Damn Vulnerabilities Web Application)
Soham Kansodaria
 
PDF
My tryst with sourcecode review
Anant Shrivastava
 
PDF
[Wroclaw #7] Why So Serial?
OWASP
 
PPTX
Waf bypassing Techniques
Avinash Thapa
 
PDF
Tw noche geek quito webappsec
Thoughtworks
 
PPTX
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
PPTX
Everyone Matters In Infosec 2014
Micah Hoffman
 
PDF
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
PDF
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
PDF
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
PPTX
Android pentesting the hackers-meetup
kunwaratul hax0r
 
PDF
[OWASP Poland Day] Web App Security Architectures
OWASP
 
PPTX
Syntribos API Security Test Automation
Matthew Valdes
 
PPTX
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 
PPTX
Kali kinux1
Mohammad Mafi
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
PPTX
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Vasile
 
PPTX
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
PPT
Owasp universal-http-do s
E Hacking
 
PPTX
Software Development in the Age of Breaches
Karthik Bhat
 
DVWA(Damn Vulnerabilities Web Application)
Soham Kansodaria
 
My tryst with sourcecode review
Anant Shrivastava
 
[Wroclaw #7] Why So Serial?
OWASP
 
Waf bypassing Techniques
Avinash Thapa
 
Tw noche geek quito webappsec
Thoughtworks
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
Everyone Matters In Infosec 2014
Micah Hoffman
 
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
Android pentesting the hackers-meetup
kunwaratul hax0r
 
[OWASP Poland Day] Web App Security Architectures
OWASP
 
Syntribos API Security Test Automation
Matthew Valdes
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 
Kali kinux1
Mohammad Mafi
 
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Vasile
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
Owasp universal-http-do s
E Hacking
 
Software Development in the Age of Breaches
Karthik Bhat
 
Ad

Viewers also liked (6)

PPTX
Machine learning & security. Detect atypical behaviour in logs
Alexander Melnychuk
 
PDF
Brisk WebApp penetration tester
BriskInfosec Solutions
 
PPTX
Future Prediction: Network Intrusion Detection System in the cloud
Sedthakit Prasanphanich
 
PDF
IDS - Fact, Challenges and Future
amiable_indian
 
PDF
Machine Learning 101
Talha Obaid
 
PDF
Big Data Security and Governance
DataWorks Summit/Hadoop Summit
 
Machine learning & security. Detect atypical behaviour in logs
Alexander Melnychuk
 
Brisk WebApp penetration tester
BriskInfosec Solutions
 
Future Prediction: Network Intrusion Detection System in the cloud
Sedthakit Prasanphanich
 
IDS - Fact, Challenges and Future
amiable_indian
 
Machine Learning 101
Talha Obaid
 
Big Data Security and Governance
DataWorks Summit/Hadoop Summit
 
Ad

Similar to OTG-Recon (20)

PDF
The 3 Top Techniques for Web Security Testing Using a Proxy
TEST Huddle
 
PPT
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
CASCouncil
 
PPTX
Web Hacking With Burp Suite 101
Zack Meyers
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PDF
20190516 web security-basic
MksYi
 
PPT
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
PDF
ruxc0n 2012
mimeframe
 
PPTX
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
PPT
gofortution
gofortution
 
PDF
Application Performance Troubleshooting 1x1 - Part 2 - Noch mehr Schweine und...
rschuppe
 
PDF
DEF CON 23 - BRENT - white hacking web apps wp
Felipe Prado
 
PDF
PyMultitor
Tomer Zait
 
PDF
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
PPT
Application Logging Good Bad Ugly ... Beautiful?
Anton Chuvakin
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPTX
Lesson 6 web based attacks
Frank Victory
 
PDF
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
ODP
PHP from the point of view of a webhoster
Dominic Lüchinger
 
PDF
Log File Analysis: The most powerful tool in your SEO toolkit
Tom Bennet
 
PPSX
Web security
kareem zock
 
The 3 Top Techniques for Web Security Testing Using a Proxy
TEST Huddle
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
CASCouncil
 
Web Hacking With Burp Suite 101
Zack Meyers
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
20190516 web security-basic
MksYi
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
ruxc0n 2012
mimeframe
 
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
gofortution
gofortution
 
Application Performance Troubleshooting 1x1 - Part 2 - Noch mehr Schweine und...
rschuppe
 
DEF CON 23 - BRENT - white hacking web apps wp
Felipe Prado
 
PyMultitor
Tomer Zait
 
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
Application Logging Good Bad Ugly ... Beautiful?
Anton Chuvakin
 
Secure coding guidelines
Zakaria SMAHI
 
Lesson 6 web based attacks
Frank Victory
 
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
PHP from the point of view of a webhoster
Dominic Lüchinger
 
Log File Analysis: The most powerful tool in your SEO toolkit
Tom Bennet
 
Web security
kareem zock
 

Recently uploaded (20)

PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PPTX
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
Funds Management Learning Material for Beg
NKKumar16
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 

OTG-Recon

  • 2. $whoami >>> import speaker >>> print(fullname) Sedthakit Prasanphanich >>> print(hobby) [‘IT-Sec’, ‘Basketball’, ‘Reading’, ‘Games’, ‘Anime’] >>> print(OWASP_role) Thailand Chapter Manager (General Butler) >>> print(work) Web Security Engineer
  • 3. Disclaimer • This presentation assume that you have a little tiny bits of “Information Gathering”. • If you don’t have any ideas about the previous bullet, please consult Google, Yahoo, Bing, Baidu (I’m not joking),… • If you don’t understand any jargon or gibberish word, please ask me what it is! • This presentation is not a bible. Need more info, Read the OWASP Testing Guide! • Found any errata or having any suggestion, Please subscribe to the mailing list (https://www.owasp.org/index.php/OWASP_Testing_Projec t#tab=Feedback_and_Participation)
  • 4. Agenda • Smalltalk about Breaker, Security Tester, or Hacker. • OTG 101 • OTG-INFO-x WHERE x >= 0 && x <=10;
  • 6. –Gehring, Verna (2004). The Internet In Public Life. Maryland: Rowman & Littlefield Publishers. pp. 43–56. “a person who enjoy the intellectual challenge of creatively overcoming and circumventing limitations of systems to achieve novel and clever outcomes.”
  • 7. –Richard M. Stallman, 2002, and 2000 respectively “It means someone who enjoys playful cleverness, especially in programming but other media are also possible.” “hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have "hack value".
  • 9. What is Web Application Security Testing? • a method of evaluating the security of a web application by methodically validating and verifying the effectiveness of application security controls.
  • 10. What is a Test? • A test is an action to demonstrate that an application meets the security requirements of its stakeholders.
  • 11. The Approach in Writing this Guide • Open: every security expert can participate with his or her experience in the project. Everything is free. • Collaborative: brainstorming is performed before the articles are written so the team can share ideas and develop a collective vision of the project. That means rough consensus, a wider audience and increased participation.
  • 13. Why information gathering so important? • All possible information is gathered about the target • very little footprints generally left by the attacker
  • 14. –Sun Tzu “Every battle is won before it is fought”
  • 15. >>> i=1 >>> while i<11: ... if i==10: ... print "OTG-INFO-010" ... else: ... print "OTG-INFO-" + "00" + str(i) ... i+=1
  • 16. Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO- 001)
  • 17. OTG-INFO-001 • To understand what sensitive design and configuration information of the application/system/organization is exposed both directly (on the organization’s website) or indirectly (on a third party website).
  • 18. HOW TO TEST? • Use a search engine to search for: • Network diagrams and configurations • Archived posts and emails by administrators and other key staff • Log on procedures and username formats • Usernames and passwords • Error message content • Development, test, UAT and staging versions of the website
  • 19. Search Operators gotta know ’em all Ref: http://www.googleguide.com/advanced_operators_reference.html
  • 21. • Baidu • binsearch.info • Bing • Duck Duck Go • ixquick/Startpage • Google • Shodan • PunkSpider • Google • Yahoo • Yandexx • etc.
  • 23. Want to practice some searching? goto: http://www.agoogleaday.com/
  • 25. Lazy?
  • 26. GHDB The Google Hacking Database is list of useful search queries for Google. Queries are put in several categories: • Footholds • Files containing usernames • Sensitive Directories • Web Server Detection • Vulnerable Files • Vulnerable Servers • Error Messages • Files containing juicy info • Files containing passwords • Sensitive Online Shopping Info
  • 27. print(Remediation) • Carefully consider the sensitivity of design and configuration information before it is posted online. • Periodically review the sensitivity of existing design and configuration information that is posted online.
  • 29. OTG-INFO-002 • Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing. • Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits to use during testing
  • 30. How to Test $ nc 202.41.76.251 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Mon, 16 Jun 2003 02:53:29 GMT Server: Apache/1.3.3 (Unix) (Red Hat/Linux) Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT ETag: “1813- 49b-361b4df6” Accept-Ranges: bytes Content-Length: 1179 Connection: close Content-Type: text/html
  • 32. 403 HTTP/1.1 Forbidden Date: Mon, 16 Jun 2003 02:41: 27 GMT Server: Unknown-Webserver/1.0 Connection: close Content-Type: text/HTML; charset=iso-8859-1
  • 33. Protocol Behaviour • HTTP HEADER FIELD ORDERING • MALFORMED REQUEST TEST
  • 34. HTTP HEADER FIELD ORDERING • The first method consists of observing the ordering of the several headers in the response. Every web server has an inner ordering of the header. Consider the following answers as an example:
  • 35. Comparison Response from Apache 1.3.23 $ nc apache.example.com 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Sun, 15 Jun 2003 17:10: 49 GMT Server: Apache/1.3.23 Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMT ETag: 32417-c4- 3e5d8a83 Accept-Ranges: bytes Content-Length: 196 Connection: close Content-Type: text/HTML Response from IIS 5.0 $ nc iis.example.com 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Location: http:/iis.example.com/Default.htm Date: Fri, 01 Jan 1999 20:13: 52 GMT Content-Type: text/HTML Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:13: 52 GMT ETag: W/e0d362a4c335be1: ae1 Content-Length: 133
  • 36. Malformed requests test • Another useful test to execute involves sending malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.
  • 37. MALFORMED REQUEST TEST Response from Apache 1.3.23 $ nc apache.example.com 80 GET / JUNK/1.0 HTTP/1.1 200 OK Date: Sun, 15 Jun 2003 17:17: 47 GMT Server: Apache/1.3.23 Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMT ETag: 32417-c4- 3e5d8a83 Accept-Ranges: bytes Content-Length: 196 Connection: close Content-Type: text/HTML Response from IIS 5.0 $ nc iis.example.com 80 GET / JUNK/1.0 HTTP/1.1 400 Bad Request Server: Microsoft-IIS/5.0 Date: Fri, 01 Jan 1999 20:14: 34 GMT Content-Type: text/HTML Content-Length: 87
  • 39. Automated Test • HTTPrint (way too classics) • Netcraft • hmap • nmap with ‘-sV’ options • blindelephant (Version 2 is coming soon) • Shodan • etc.
  • 40. print(Remediation) • Custom compile Webserver (For #hardcores) • Protect the presentation layer web server behind a hardened reverse proxy. • Obfuscate the presentation layer web server headers.
  • 41. Review Webserver Metafiles for Information Leakage (OTG-INFO- 003)
  • 42. OTG-INFO-003 • This section describes how to test the robots.txt file for information leakage of the web application’s directory or folder path(s). • the list of directories that are to be avoided by Spiders, Robots, or Crawlers can also be created as a dependency for Map execution paths through application (OTG-INFO-007) • Information leakage of the web application’s directory or folder path(s). • Create the list of directories that are to be avoided by Spiders, Ro- bots, or Crawlers
  • 43. Example of Robots.txt killer-robot.txt User-Agent: T-1000 User-Agent: T-800 Disallow: /+LarryPage Disallow: /+SergeyBrin Ref: http://www.google.com/killer-robots.txt
  • 44. Fine, Real robots.txt from http://www.google.com
  • 46. Meta tag • <META> tags are located within the HEAD section of each HTML Document and should be consistent across a web site in the likely event that the robot/spider/crawler start point does not begin from a document link other than webroot i.e. a “deep link”[5]. • Web spiders/robots/crawlers can intentionally ignore the “<META NAME=”ROBOTS”” tag as the robots.txt file convention is preferred. Hence, <META> Tags should not be considered the primary mechanism, rather a complementary control to robots.txt.
  • 47. Meta Example Example of Meta tags Ref: https://anantshri.info/articles/web_app/image002.png
  • 49. OTG-INFO-004 A paramount step in testing for web application vulnerabilities is to find out which particular applications are hosted on a web server. In addition, many applications are often misconfigured or not updated, due to the perception that they are only used “internally” and therefore no threat exists.
  • 50. TL;DR • Enumerate the applications within scope that exist on a web server • Some server may have more than one applications running
  • 51. HOW TO TEST? 1. Different base URL 2. Non-standard ports 3. Virtual hosts
  • 52. Base URL • Take a deep breath, and • keep typing in the url bar (address bar for the retro) • http://www.example.com/url1 • http://www.example.com/url2 • http://www.example.com/url3
  • 53. not a lucky guy?
  • 54. How to identify via base URL? • if mis-configured, and allow directory browsing, we can find spot them. • Dictionary searching (Forced Browsing in ZAP) • Use Vulnerability scanner to help
  • 55. Non-standard port • Normally, HTTP, and HTTPS use TCP port 80, 443 respectively • But, are you sure?
  • 58. –The Three musketeers “All for one, and one for all.”
  • 59. $(whereis my_neighbor_host)? • DNS zone transfer (too classic) • DNS inverse query (depends on target’s config) • Robtex • etc.
  • 61. Review webpage comments and metadata for information leakage (OTG-INFO- 005)
  • 62. OTG-INFO-005 It is very common, and even recommended, for programmers to include detailed comments and metadata on their source code. However, comments and metadata included into the HTML code might reveal internal information that should not be available to potential attackers. Comments and metadata review should be done in order to determine if any information is being leaked.
  • 63. TL;DR again • Just pay attention in any interesting Comment and meta HTML tag
  • 64. HOW TO TEST • Check HTML Source code for any comment! • Examine the Meta tag
  • 66. Why meta tag again? • some may provide the application profiling • some alter HTTP response headers which can used to conduct injection attacks
  • 68. OTG-INFO-006 Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed.
  • 69. TL;DR again • Understand how requests are formed and typical responses from the application
  • 70. HOW TO TEST? • Step 0: Understand HTTP Protocol • Look into the Request and Response
  • 71. Any tools to intercept? • any intercepting proxy(Burp, Zed, fiddler, etc.) • Tamper Data (Web Browser plugins) • Live HTTP Header (Web Browser plugins)
  • 72. Example • GET example GET https:/x.x.x.x/shoppingApp/buyme .asp?CUSTOMERID=100&ITEM =z101a&PRICE=62.50&IP=x.x.x. x Host: x.x.x.x Cookie: SESSIONID=Z29vZCBqb2IgcGF kYXdhIG15IHVzZXJuY- W1lIGlzIGZvbyBhbmQgcGFzc3d vcmQgaXMgYmFy • POST Example POST https:/x.x.x.x/KevinNotSoGoodApp/authe nticate.asp?- service=login Host: x.x.x.x Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhc HAgdGhhdCB- zZXRzIHByZWRpY3RhYmxlIGNvb2tpZX MgYW5kIG1pbmUgaX- MgMTIzNA== CustomCookie=00my00trusted00ip00is0 0x.x.x.x00 • Body of the POST message: user=admin&pass=pass123&debug=true &fromtrustIP=true =
  • 73. Map execution paths through application (OTG- INFO-007)
  • 75. OTG-INFO- $(James_Bond) Before commencing security testing, understanding the structure of the application is paramount. Without a thorough understanding of the layout of the application, it is unlkely that it will be tested thoroughly.
  • 76. Still want shorter version? • Map the target application and understand the principal workflows.
  • 77. HOW TO TEST? There are several ways to approach the testing and measurement of code coverage: • Path - test each of the paths through an application that includes combinatorial and boundary value analysis testing for each decision path. • Data flow (or taint analysis) - tests the assignment of variables via external interaction (normally users). • Race - tests multiple concurrent instances of the application manipulating the same data.
  • 78. We need support! • OWASP-ZAP • Burpsuite
  • 81. OTG-INFO-008 Web framework or Content Management System fingerprinting is an important subtask of the information gathering process. Knowing the type of framework can automatically give a great advantage if such a framework has already been tested by the penetration tester. It is not only the known vulnerabilities in unpatched versions but specific misconfigurations in the framework and known file structure that makes the fingerprinting process so important.
  • 82. Cut to the chase To define type of used web framework so as to have a better understanding of the security testing methodology.
  • 83. How? and Where? • HTTP Headers • Cookies • HTML source code • Specific files and folders
  • 84. HTTP HEADER HTTP/1.1 200 OK Server: nginx/1.0.14 Date: Sat, 07 Sep 2013 08:19:15 GMT Content- Type: text/html;charset=ISO-8859-1 Connection: close Vary: Accept-Encoding X-Powered-By: Mono
  • 85. Cookies GET /cake HTTP /1.1 Host: defcon-moscow.org User-Agent: Mozilla75.0 |Macintosh; Intel Mac OS X 10.7; rv: 22.0) Gecko/20100101Firefox/22.0 Accept: text/html, application/xhtml + xml, application/xml; q=0.9, */*; q=0 , 8 Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3 Accept - Encoding: gzip, deflate DNT: 1 Cookie: CAKEPHP=rm72kprivgmau5fmjdesbuqi71; Connection: Keep- alive Cache-Control: max-age=0
  • 86. HTML source code Find certain pattern in the
  • 87. Specific Files and Folders For Example • /wp-admin/ • modules/Drupal5-urdu-po/ • templates/joomlaport_metro/
  • 88. Any assistance? • Whatweb • Blindelephant (Version 2 is coming soon) • AppSpector • Wappalyzer
  • 90. $(Remediation) • obfuscate all HTTP-head- ers that disclose information the technologies used • change cookie names by making changes in the corresponding configuration files. • Manually check the contents of the HTML code and remove every- thing that explicitly points to the framework. • Remove Meta Generator Tags • Do not use default scripts on the page or obfuscate them if they must be used.
  • 92. OTG-INFO-009 Apart from the Web Application Framework, Identify the web application and version to determine known vulnerabilities and the appropriate exploits to use during testing.
  • 93. Is it like 008? • IMHO, similar to 008 but different objective • 008 aims to draw what kind of framework they are using (Name of the CMS) • 009 aims to find which version of the web application they are using (version of the CMS, DB, Programming languge)
  • 94. >show me the example $(whatweb amazon.com && whatweb blognone.com
  • 97. OTG-INFO-010 The complexity of interconnected and heterogeneous web server infrastructure can include hundreds of web applications and makes con- figuration management and review a fundamental step in testing and deploying every single application. In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small and seemingly unimportant problems may evolve into severe risks for another application on the same server. To address these problems, it is of utmost importance to perform an in-depth review of configuration and known security issues. Before performing an in- depth review it is necessary to map the network and application architecture. The different elements that make up the infrastructure need to be determined to understand how they interact with a web application and how they affect security…….ZZzzzzzZZzz
  • 98. TL;DR • determine the architecture of the application to find any impact against the application security
  • 99. HOW? • Ask the developers or system architecture • navigating an application. • Keep guessing by using the technique in 001-009 to determine the architectures. • some strange input may returned the protection systems e.g., %00
  • 100. Why? For example: • On more complex setups, such as an online bank system, multiple servers might be involved. These may include a reverse proxy, a front-end web server, an application server and a database server or LDAP server.
  • 101. Q&A

Editor's Notes

  • #27: you can find it from exploit-db website
  • #36: order of Date and Server
  • #54: dirbuster BurpIntruder Forced Browse
  • #60: MSN search: http:/search.msn.com syntax: “ip:x.x.x.x” (without the quotes) Webhosting info: http:/whois.webhosting.info/ syntax: http:/ whois.webhosting.info/x.x.x.x DNSstuff: http:/www.dnsstuff.com/ (multiple services available) http:/www.net-square.com/mspawn.html (multiple queries on domains and IP addresses, requires installation) tomDNS: http:/www.tomdns.net/index.php (some services are still private at the time of writing) SEOlogs.com: http:/www.seologs.com/ip-domains.html (reverse-IP/domain lookup)
  • #73: Gray Box, Meet with Developers
  • #78: However, these methods take a long time to find out all the visible path and flow. Automatic Spider is coming into the picture