The document introduces bWAPP, a deliberately insecure web application used to teach web application security. It includes all major known web vulnerabilities and is used to help security enthusiasts, developers and students discover and prevent security issues. The document discusses how bWAPP works, its features, and how penetration testers can use it along with the bee-box virtual machine to test for vulnerabilities as part of the web application security testing process.
Welcome! Nice to meet you. It’s an honor to be here, talking about bWAPP at SANS 2014 Orlando.
Some impressions of my stay in Orlando... An almost empty swimming pool.
Because everyone is going to Netwars.
Magic happens here...
My name is Malik Mesellem (from Belgium). I have always had a passion for Ethical Hacking and Penetration Testing (actually since I was a teenager…). I am obsessed with Windows and web application (in)security. In 2010, I decided to start my own company: MME BVBA. We are specialized in IT security audits, penetration testing, ethical hacking, and InfoSec training. I give master classes and lectures for several institutions. For Belgium, I am a mentor for the SANS Institute and an OWASP ZAP evangelist. And of course, I am the founder and creator of bWAPP…
Today I will talk about web security and web application penetration testing with bWAPP. We start our presentation with an overview of why web applications are an attractive target. Then, I will show how bWAPP can help you to ‘improve’ your web security. I will explain the concepts of web application penetration testing and, last but not least... we will exploit some vulnerabilities, so expect live demos (if there’s enough time)!
OK! Let’s kick off...
Web application security is today's most overlooked aspect of securing the enterprise. These days, hackers are concentrating their efforts on our (precious) websites and web applications. Websites and web applications are a very attractive target for cybercrime, cyber warfare and hacktivism...
They are an attractive target because… they are available 24/7 via the Internet. Sometimes, mission-critical business applications are published on the Internet through a web interface, and there is often direct access to backend data and to the internal network (using pivoting techniques). You should also know that traditional firewalls and SSL provide no protection against web attacks (the attack arrives inside an ordinary, allowed HTTP request), and sysadmins know little about these sophisticated application-level attacks. In addition, many applications are also custom-made, meaning that they are probably vulnerable.
Meet the bad guys!
It’s definitely time to improve our web security! Defense is really needed…
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It is made for testing and educational purposes. It includes all major known web vulnerabilities. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. I started with the bWAPP project during the Christmas holidays of 2012. As a penetration tester, I was looking for a lab environment to test and improve my web application pentesting skills. There are many deliberately insecure web applications, but most of them lack diversity and flexibility… so that’s why I started to create my own vulnerable application, bWAPP. For me, it was also a good practice to learn how to deal with these web vulnerabilities: to learn some secure coding techniques and hardening best practices.
This is the bWAPP main page, or portal, after a successful login.
Web application security is not just installing a firewall, or scanning a website for ‘potential’ issues… Black-box penetration testing, simulating real attack scenarios, is still needed! It confirms potential vulnerabilities and excludes false positives, but it also guarantees that your defense measures are working effectively. bWAPP can help you to improve your web application security-testing skills…
It’s all about testing, testing, and testing… Would you be at ease with a pilot who has just read the manual of his plane, and skipped the testing phase? This guy is definitely not prepared for REAL attack scenarios.
Some testimonials of ‘notorious’ people working in InfoSec. As you can see, they are all very happy with bWAPP. Look at this guy (Ed)...
Let’s talk about the architecture, the core of bWAPP... bWAPP is a PHP application that uses a backend MySQL database. It can be hosted on Linux, Windows (or even on Mac) with Apache or IIS. It is also supported on WAMP or XAMPP. Another possibility is to download the bee-box… (more on that later)
Some features... It’s very easy to use and to understand. The PHP code is well structured and documented, despite my terrible programming knowledge. It has different security levels: starting with security level low, ending with security level high. There’s an option to create new users. Every bWAPP user has a password and a secret… There is a ‘reset application’ and a ‘reset database’ feature, a manual intervention page with a CAPTCHA, and email functionality for testing issues like SMTP and host header injections.
More features... We have a local PHP settings file, a no-authentication mode and an ‘Evil Bee’ mode. There’s even an ‘evil’ directory, with some nice attack scripts… We have a WSDL file. How to deal with that? And there are fuzzing possibilities… for detecting valid web pages or sessions…
I can hear you thinking… What makes bWAPP so unique? Well, it has over 70 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue, like SQL injection or Cross-Site Scripting. No, we are trying to cover a wide range of vulnerabilities. The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.
An overview of some included vulnerabilities... It has injection vulnerabilities like...
As you can see, we have it all!
Just select your bug and hack it!
So bWAPP is a test platform for improving your security-testing skills. bWAPP is not an application that tells you ‘how’ to test! If desired, we have a complete cheat sheet containing all the bWAPP solutions! This cheat sheet is also free; the only thing we ask is to follow us on Twitter to stay updated on bWAPP. We also have an exclusive web security training course: Attacking & Defending Web Apps with bWAPP.
Some external links... There’s our homepage: the homepage of the ITSEC GAMES project. We have the download location: the bWAPP source code is hosted on SourceForge, and there is also a Git repository. And we have our blog, unfortunately not updated in a while; we are still looking for volunteers...
Every bee needs a home, meet our bee-box… (please don’t confuse it with the Belgacom bbox). The bee-box is a custom Linux Ubuntu virtual machine (VM), pre-installed with bWAPP. It’s actually a LAMP environment. It is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. bee-box requires zero installation!
The bee-box is also made deliberately insecure… (yes of course!) With the bee-box you have the opportunity to explore all bWAPP vulnerabilities! The bee-box gives you several ways to hack and deface the bWAPP website. Currently there are 13 different web defacement possibilities! It's even possible to hack the bee-box to get full root access using a local privilege escalation exploit… awesome! Hacking, defacing and exploiting without going to jail... how cool is that? bee-box can also be downloaded from SourceForge.
To play with bWAPP, local access on the bee-box is not needed. The only thing you need to do is to configure an IP address and some optional settings. Once it has a valid IP address, it is possible to access the bWAPP website from outside.
Some bee-box features...
bWAPP and bee-box are both part of the ‘ITSEC GAMES’ project. The ‘ITSEC GAMES’ are a fun approach to IT security education. IT security, ethical hacking, training and fun... all these ingredients are mixed together! Our objectives are to teach InfoSec courses from an educational and recreational point of view. We offer a wide range of InfoSec courses and workshops. Definitely a must for every sysadmin!
There’s just 1 thing to remember, the logon credentials are...
bee/bug. Is that clear enough?
So please don’t bug me anymore with questions about how to log in to bWAPP…
Unfortunately we have more credentials to remember... This slide is for whiz kids only... That’s my brother, the mastermind behind bWAPP. He was even on Belgian television a few months ago...
The installation and configuration steps are pretty easy...
bWAPP uses form-based authentication, which may be an obstacle for some tools and is sometimes a pain to configure… That’s why I implemented the A.I.M. mode. A.I.M., or ‘Authentication Is Missing’, is a no-authentication mode. It may be used for testing web scanners and crawlers, since it bypasses authentication obstacles. Here are the steps to crawl all pages and to detect all vulnerabilities without authentication: first, change the IP address in the settings file to the IP address of the machine from which you are running the scan; then point your web scanner, crawler or attack tool to the ‘aim.php’ page; push the button, and all hell breaks loose…
General application settings… There is a settings file, ‘settings.php’, located under the bWAPP admin folder. Some configurable settings are: database connection and SMTP settings, the A.I.M. mode (more on that on the next slide), the ‘Evil bee’ mode (bypasses the bWAPP security levels), and static credentials used on some pages.
An overview of the settings file...
Some worst case scenario options, our last hope...
Finally, time for a demo...
This is the main login form. Do you remember the credentials? That’s right: bee/bug. From here it’s also possible to choose your security level... Here we have an overview of all vulnerabilities... They are arranged according to the OWASP Top 10 Project.
Let’s talk about web application penetration testing...
Penetration testing, or pentesting, is a method of evaluating computer, network or application security by simulating an attack. It is an active analysis of potential vulnerabilities. Ethical hacking techniques confirm the potential vulnerabilities, excluding any false positives! Penetration tests are sometimes a component of a full security audit.
Web application pentesting focuses on evaluating the security of a web application. The application is tested for known web vulnerabilities. Manual, automatic and semi-automatic tests are used. A source code analysis and a web server configuration review are optional (these are white-box testing techniques).
It’s all about identifying, exploiting, and reporting vulnerabilities! Some considerations…
A simple testing methodology could start with reconnaissance, vulnerability mapping, and exploitation. In this order, clockwise.
A more advanced testing methodology can flow in all directions, clockwise and counterclockwise.
Also very important is ‘what’ to test... OWASP can help us with that... OWASP, or the Open Web Application Security Project, is a worldwide non-profit organization focused on improving the security of software. They provide freely-available articles, methodologies, documentation, tools, and technologies. OWASP is vendor neutral; they make no recommendations for commercial products or services!
Here are some active OWASP projects, starting with the OWASP Top 10 Project and the Testing Guide… The OWASP Top 10 Project lists the 10 most severe web application security risks. The Testing Guide shows you how to verify the security of your running application (ideal for pentesters). The Development Guide shows your project how to architect and build a secure application, and the Code Review Guide tells you how to verify the security of your application's source code. The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. It covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues. The Application Security Verification Standard can be used to establish a level of confidence in the security of web applications. A level (~ score) is assigned to the web application: the ASVS defines four levels of verification, with each level increasing in breadth as the application moves up the levels. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. The Broken Web Applications (BWA) Project produces a VM running a variety of applications with known vulnerabilities (like bWAPP). Our bWAPP application will be included in the next version of BWA! Isn’t that cool? The Zed Attack Proxy, or ZAP, is an intercepting proxy…
The OWASP Top 10 Project lists the 10 most severe web application security risks. It is constantly updated; the latest version was released in 2013. The Top 10 Project is a good starting point for a web application penetration test. It covers aspects like ‘What to test?’, ‘How to test?’, and ‘How to prevent?’
An overview of the OWASP security risks. On one, we have injection vulnerabilities. On two, we have authentication and session management issues. On three, we have Cross-Site Scripting, and so on…
This slide shows you the differences between the OWASP Top 10 2010 and OWASP Top 10 2013. We have some minor changes. Injections like SQLi, HTMLi,... are still on number 1...
So where to place the OWASP Top 10 Project in our testing methodology?
Well, that’s next to our vulnerability mapping phase... we will test the web application for vulnerabilities listed in the Top 10 Project.
An indispensable platform for a penetration tester is a distribution with all the attack tools included. An example is Kali Linux, formerly known as BackTrack. Kali Linux is a Debian-derived Linux distribution, designed for digital forensics and penetration testing. It’s maintained and funded by Offensive Security.
Many web application pentesting tools are included...
An important tool to test the security of a web application is an intercepting proxy. It acts as a Man-in-the-Middle, located between the browser and the web application. With an intercepting proxy we have the ability to intercept and to modify the HTTP requests and responses. Some intercepting proxies also include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories.
An example of an open source intercepting proxy is ZAP, or the Zed Attack Proxy. ZAP is an active OWASP project. The application is written in Java by a team of volunteers. We can also use ZAP as a pentesting tool for finding vulnerabilities: it provides automated scanning, as well as a set of tools to find security vulnerabilities manually.
Some functionalities...
I’ll demonstrate some features of ZAP on our bWAPP platform... A very powerful open source tool!
Let’s install ZAP, and explore some features of ZAP on our bWAPP platform... A very powerful open source tool!
An alternative is to use a commercial web vulnerability scanner, like Netsparker. Very easy to use, and it also knows how to deal with modern web technologies like AJAX, HTML5 and Web Services. They even have a free ‘Community Edition’ for detecting SQL injection and Cross-Site Scripting (XSS). Very handy!
Here are the results of a bWAPP scan with Netsparker.
As you can see, a lot of vulnerabilities were detected.
Let's run an authenticated scan with Netsparker to detect injection issues.
We will do an exercise on Netsparker. Let's run a non-authenticated and an authenticated scan with Netsparker to detect some vulnerabilities in bWAPP. I have a trial edition for you…
OK!Are you ready to exploit some bugs?
I will try to cover...
Let’s start with injections! Injection flaws occur when an application sends untrusted data to an interpreter. They are often found in SQL, OS commands, XPath, XML parsers, SMTP headers, program arguments, etc. Injections are easy to discover when examining code, but rather difficult to discover via pentesting! Scanners and fuzzers can help in finding injection flaws.
Injection can result in...
According to the OWASP Top 10 Project, injection vulnerabilities are ranked number one.
SQL injection is very common in web applications. It occurs when user input is sent to a SQL interpreter as part of a query. The attacker tricks the interpreter into executing unintended SQL queries.
This image illustrates how a traditional login form works. A user is required to provide a valid ‘login’ and ‘password’. Check the insecure SQL query…
What if the user enters [’ or 1=1--], manipulating and breaking the original SQL query? You should know that [or 1=1] is always TRUE... Well, he will be able to log in without a valid password! That’s a common example of SQL injection.
Let’s check the code...
Some simple SQL injection strings... used to bypass login forms.
Union injections: joining data from 2 different tables in the database.And stacked queries: executing multiple independent SQL queries.
Here is an ‘effective’ example of a stacked query... it is definitely his lucky day
We also have Blind SQL Injection... Blind SQL injection is a type of SQL injection attack that asks the backend database true or false questions. It is often used when the web application is configured to show generic messages: when the database does not output data to the web page, or when the code vulnerable to SQL injection is not displayed. It is nearly identical to normal SQL injection, but the way the data is retrieved from the database differs…
Here is an example of boolean-based SQL injection.
And here is an example of time-based SQL injection. We are playing with the SQL SLEEP function...
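The login query from the previous slides, built the insecure way and the parameterised way, as an added example that is not bWAPP's own code. It uses Python's sqlite3 module as a stand-in for bWAPP's MySQL backend, with a constructed users table whose column names are assumptions. The same fix covers the boolean-based and time-based blind variants just described: once the input is bound as a parameter, it is never parsed as SQL, whatever it contains.

```python
"""Added example (not bWAPP code): the slide's login query, concatenated vs. parameterised."""
import sqlite3


def make_db():
    """Constructed sample table standing in for bWAPP's users table.

    bWAPP itself uses MySQL; sqlite3 is used here only because it ships with Python.
    Real applications store password hashes, never plaintext; plaintext is kept
    here so the shape of the query stays visible.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("bee", "bug"), ("alice", "s3cret")])
    return db


def login_vulnerable(db, login, password):
    """Concatenates user input into the query: the pattern shown on the slide.

    Input of the form  ' or 1=1--  turns the WHERE clause into a tautology and
    comments out the password check, so every user row comes back.
    """
    query = ("SELECT login FROM users WHERE login = '" + login +
             "' AND password = '" + password + "'")
    rows = db.execute(query).fetchall()
    return [r[0] for r in rows]


def login_safe(db, login, password):
    """Parameterised query: the driver binds the values as data.

    The quote, the OR and the comment marker are just characters inside a
    string compared against the column, so the same input matches nothing.
    """
    rows = db.execute(
        "SELECT login FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "' or 1=1--", "wrong"))
    print("safe:      ", login_safe(db, "' or 1=1--", "wrong"))
```

Running the block shows the vulnerable function returning both users for an invalid password while the parameterised one returns none. Parameterisation is the fix the OWASP guides recommend for every injection variant on these slides; escaping input by hand is the approach that keeps failing.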
Let’s do some SQL injection...
Another injection issue is HTML injection. It occurs when a user inserts HTML code via a specific input field or parameter. A website is vulnerable because it does not validate the user-supplied data. HTML injection is very dangerous when it is stored permanently! HTML injections can lead to website defacements, phishing attacks and even client-side exploitation. Please, don’t underestimate the power of HTML injection!
A quick demo...
Cross-Site Scripting, or XSS, occurs when an attacker injects a script into a web application. The script doesn’t run on the website, but in a victim’s browser. The website just delivers the script to the victim. A website is vulnerable because it does not validate the user-supplied data. XSS is very dangerous when it is stored permanently! Usually JavaScript is injected, but it may also include HTML, Flash, or any other type of code that the browser may execute. XSS can lead to website defacements, phishing attacks, session hijacking, and even client-side exploitation. So please, don’t underestimate the power of XSS!
We distinguish two types of XSS flaws: Reflected and Stored. With Reflected XSS, a user is tricked into clicking on a link containing the JavaScript code, or tricked into browsing to a malicious website containing the code. With Stored XSS, the JavaScript code is stored permanently on the vulnerable website. More dangerous!
According to the OWASP Top 10 Project, Cross-Site Scripting vulnerabilities are ranked number three.
XSS is easy to detect... We will hijack a user session...
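The defensive side of the HTML injection, XSS and session hijacking slides above, as an added example that is not bWAPP's own code: stored user text is escaped for the context it is written into, and the session cookie carries the flags that keep an injected script from reading it. The stored comments are constructed sample data; the markup around them and the cookie attributes are choices made for this example.

```python
"""Added example (not bWAPP code): output encoding for stored HTML/XSS, plus cookie flags."""
import html

# Constructed sample: comments as a stored injection would leave them in the database.
# The second one carries the textbook marker for "a script got in".
STORED_COMMENTS = [
    "Great talk!",
    "Nice site! <script>alert(1)</script>",
    'See my <b>"page"</b>',
]


def render_comment_unsafe(comment):
    """Concatenates stored data straight into markup: the vulnerable pattern.

    The browser cannot tell where the author's HTML ends and the user's begins,
    so a stored <script> element is delivered to every visitor and executed.
    """
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """HTML body context: encode <, >, & so the text is rendered, not parsed."""
    return '<p class="comment">' + html.escape(comment, quote=False) + "</p>"


def render_value_attr_safe(value):
    """Attribute context: quotes must be encoded too (quote=True), otherwise the
    value can close the attribute and add new ones. Each output context needs the
    encoding that matches it; one routine does not fit every position in a page."""
    return ('<input type="text" name="comment" value="'
            + html.escape(value, quote=True) + '">')


def render_page_safe(comments):
    """Render the whole comment list with the safe body-context encoder."""
    return "\n".join(render_comment_safe(c) for c in comments)


def session_cookie_header(session_id):
    """Set-Cookie header for the PHP session cookie (PHPSESSID is PHP's default name).

    HttpOnly: script in the page cannot read it through document.cookie, which is
    exactly how the session-hijacking demo on these slides exfiltrates it.
    Secure: never sent over plaintext HTTP. SameSite: not attached to cross-site requests.
    """
    return (f"Set-Cookie: PHPSESSID={session_id}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    print(render_comment_unsafe(STORED_COMMENTS[1]))
    print(render_page_safe(STORED_COMMENTS))
    print(render_value_attr_safe('say "hi"'))
    print(session_cookie_header("constructed-session-id"))
```

Encoding at output time is the control that works even after a stored injection has already landed in the database; input validation remains useful but cannot know every context the data will later be written into. The cookie flags do not stop the injection itself, they limit what an injected script can take with it.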
Denial-of-Service attacks, or DoS attacks. With a DoS attack an attacker attempts to prevent legitimate users from accessing the application, server or network. This happens by consuming network bandwidth, server sockets, threads, or CPU resources. Another type of DoS attack is a Distributed Denial-of-Service attack, or DDoS attack. DoS and DDoS attacks are popular techniques used by hacktivists.
Newer layer 7 DoS attacks are more powerful! They are often called “Low-bandwidth application layer DoS”. It’s possible to make a server unreachable with only 1 web client. Here, we are stressing the web application or web server (and not the hardware or network).
Some layer 7 DoS methods...
I have good news... our bee-box is vulnerable to some DoS attacks!
Let’s talk about Unrestricted File Uploads, and web shells. File upload flaws occur when an attacker can upload files without any restrictions, or by bypassing weak restrictions. The first step in many attacks is to get some code onto the system. An unrestricted file upload flaw helps the attacker… now the attack only needs to find a way to get the code executed.
Let’s talk about evil web shells. Web shells are malicious web pages that provide an attacker functionality on a web server. They make use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl,... Some web shell functionalities...
Here are some external attack vectors for using and uploading web shells...You can test each of these vulnerabilities on our bWAPP platform!
Our last demo for today... We will generate a payload, a web shell, and we will upload the web shell using a file upload flaw in bWAPP... We have shell access again! From our shell, it is even possible to escalate our privileges... and to get root access!
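A server-side upload check of the kind that closes the flaw described in the last few slides, as an added example that is not bWAPP's code. The allowed types, the size limit and the naming scheme are assumptions chosen for an image-only upload form; the point is that every decision rests on what the server can verify, never on the filename or Content-Type the client supplied.

```python
"""Added example (not bWAPP code): validating an uploaded file before it touches disk."""
import os
import secrets

# Allowed types and the leading bytes a genuine file of that type starts with
# (assumed set for the example; "the client says it is an image" is not a check).
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit


def validate_upload(client_filename, content):
    """Return (accepted, detail); detail is the normalised extension on success."""
    if len(content) == 0 or len(content) > MAX_UPLOAD_BYTES:
        return False, "empty or too large"
    # Drop any directory part the client sent (../, absolute paths, backslashes),
    # so the name can never steer the file outside the upload directory.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    # Only the LAST extension decides the type: "x.php.png" is treated as .png,
    # and then has to prove it by content below.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension not allowed"
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match extension"
    return True, ext


def storage_name(ext):
    """Server-generated name: the client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(client_filename, content):
    """Validate and return the name the file would be stored under, or None if rejected."""
    ok, detail = validate_upload(client_filename, content)
    if not ok:
        return None
    return storage_name(detail)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed minimal PNG header
    print(handle_upload("cat.png", png))
    print(validate_upload("shell.php", b"<?php echo 1; ?>"))
    print(validate_upload("shell.php.png", b"<?php echo 1; ?>"))
```

Two things the code cannot express but that belong to the same fix: the upload directory should sit outside the web root (or have script execution disabled in the web server), so that even a file that slips through is served as bytes and never interpreted, and the stored name should be what the application links to, not the original one.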
Another hands-on lab...
Another web issue... File Inclusions. File inclusion flaws occur when an attacker includes a file, usually through a script on the web server. Again, the vulnerability occurs due to the use of user-supplied input without proper validation. There are 2 types of file inclusion flaws: Local File Inclusion (LFI) and Remote File Inclusion (RFI).
Let’s check the PHP code...
File inclusion can lead to...
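Two ways of resolving a page parameter so that the user's input never chooses the included file, as an added example that is not bWAPP's code. The page names, the template directory and the `.html` suffix are assumptions for the example; the techniques are the standard fixes for the LFI and RFI flaws just described.

```python
"""Added example (not bWAPP code): resolving a 'page' parameter without letting it pick the file."""
import os

# Constructed allowlist: the request parameter is a key into this table, never a path.
PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}
# Assumed directory the includable templates live in (realpath once, so symlinks
# are resolved the same way on both sides of the comparison below).
BASE_DIR = os.path.realpath("/var/www/app/pages")


def resolve_page_allowlist(name, pages=PAGES, base_dir=BASE_DIR):
    """Preferred fix: unknown keys are rejected, so no user text reaches include().

    This closes both LFI and RFI at once, because the parameter is not a path
    in the first place.
    """
    if name not in pages:
        return None
    return os.path.join(base_dir, pages[name])


def resolve_page_confined(name, base_dir=BASE_DIR):
    """Fallback when the set of pages is open-ended: accept only a plain .html
    file that resolves inside base_dir.

    - ':' rejects every URL scheme and stream wrapper up front (the RFI half).
    - the realpath/commonpath check stops '../' and absolute paths (the LFI half).
    - a NUL byte is refused because older PHP truncated the path at it, which
      defeated suffix checks like the one below.
    """
    if not name or "\x00" in name or ":" in name:
        return None
    candidate = os.path.realpath(os.path.join(base_dir, name))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    if not candidate.endswith(".html"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ["about", "../../etc/passwd"]:
        print(p, "->", resolve_page_allowlist(p))
    for p in ["about.html", "../../../etc/passwd", "/etc/passwd",
              "http://example.invalid/page.html", "about.php"]:
        print(p, "->", resolve_page_confined(p))
```

In PHP the same defence is backed by the runtime setting `allow_url_include` (leave it Off, its default), which blocks remote inclusion even if a path check is forgotten; the allowlist remains the preferable design because it removes the path from the request entirely.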
According to the OWASP Top 10 Project, file inclusion vulnerabilities are ranked number seven.
Our last exercise for today... We have shell access again! From our shell, it is even possible to escalate our privileges... and to get root access!
So during this presentation we defaced our website, compromised the server, even compromised a client, made the server unreachable, hijacked a session, and stole some credentials…
So during this presentation/workshop we defaced your website, compromised your server, compromised your clients, made your server unreachable, hijacked your session, and stole your credentials…
And we have so many more bugs to exploit… It’s definitely time to improve your web security. Defense is needed: firewalls and vulnerability scanners are not the ultimate solution. Testing, penetration testing, is required! It confirms potential vulnerabilities, excludes false positives, and guarantees that your defense measures are working effectively. Downloading bWAPP is a first start; it will help you to improve your web application security-testing skills! Remember: every bee needs a superbee. Are you that superbee?
Thank you very much for attending this presentation! Are there any questions?