OWASP InfoSec India Conference 2012
August 24th – 25th, 2012                                 The OWASP Foundation
Hotel Crowne Plaza, Gurgaon                                     http://www.owasp.org
http://www.owasp.in




            The Magic of Passive Web Vulnerability Analysis
                                Lavakumar Kuppan
                                 lava@ironwasp.org
                           https://twitter.com/lavakumark
                                https://ironwasp.org



               OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
About
Penetration Tester
  5+ years of experience



Security Researcher
  Flash 0-day
  WAF bypass 0-day using HPP
  Multiple HTML5 based attack techniques
  5th best Web Application Hacking Technique of 2010
  Attack and Defense Labs – http://andlabs.org
  HTML5 Security Resources Repository – http://html5security.org




About
Developer
  IronWASP (C# + Python + Ruby)
  Ravan (PHP + JavaScript)
  JS-Recon (JavaScript)
  Shell of the Future (C# + JavaScript)
  Imposter (C# + JavaScript)



Speaker
  BlackHat
  OWASP AppSec Asia
  NullCon
  SecurityByte
  ClubHack
Pentesters are focused on the big catch

 SQL Injection
 Cross-site Scripting
 Command Injection
 Code Injection
 etc.




So the focus is mostly on Active Checks




Passive Analysis is done by the tools




What about Manual Passive Analysis?



Let’s look at what Manual Passive Analysis will find
(using IronWASP)



Step 1 – Collecting HTTP Logs

Set IronWASP as the proxy and browse the site
Crawl the site automatically
Import Burp proxy logs




Step 2 – Make a list of all Parameter Names/Values

  Parameters include:
      Query parameters
      Body parameters
      Cookie parameters
      Request & Response Header parameters
      Set-Cookie parameters
      Form field parameters in HTML response

Step 3 – Print out the parameter names
Eg:
 lang
 user
 pwd
 id
 …
 …
 logged_in
 is_admin
 …
 …
  Notice anything interesting?
  Names like these can be probed further manually

And used for Hidden Parameter Guessing

  Regular Password Change URL:
  http://test.site/change_pwd.php
  Password Change URL with the hidden parameter
  included:
  http://test.site/change_pwd.php?is_admin=1
Now the ‘Change Password’ feature does not ask
  for the old password!!!


Step 4 – Print out the parameter values
Eg:
 en
 true
 23944
 s77eod
 …
 …
 Fy2010_11_report.pdf
 Fy2011_12_report.pdf
 …
 …
 http://partner.site/data.php
 …
 …
 SELECT id FROM Users
 …
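As an added example (not the slides' own code, nor IronWASP's or the Python script the author announces), the following Python carries out Steps 2 to 4 over a two-exchange HTTP log. The log is constructed here from the slides' own sample values, and the Param type, the function names and the source labels (query, body, cookie, request-header, response-header, set-cookie, form-field) are this example's assumptions.

```python
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# One extracted parameter: the source it was found in, its name and its value.
Param = namedtuple("Param", "source name value")


def _split_message(raw):
    """Split a raw HTTP message into (start line, [(header, value), ...], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first colon only, so URLs in values survive
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def _cookie_pairs(header_value):
    """'a=1; b=2' -> [('a', '1'), ('b', '2')]."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


class _FormFields(HTMLParser):
    """Collect the name/value attributes of <input> tags in an HTML response."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attrs = dict(attrs)
            if attrs.get("name") is not None:
                self.fields.append((attrs["name"], attrs.get("value") or ""))


def extract_params(log):
    """log: iterable of (raw_request, raw_response) text pairs. Returns a list of Param."""
    params = []
    for raw_req, raw_resp in log:
        req_line, req_headers, req_body = _split_message(raw_req)
        target = req_line.split(" ")[1] if " " in req_line else ""
        query = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        params += [Param("query", n, v) for n, v in query]
        content_type = ""
        for name, value in req_headers:
            if name.lower() == "cookie":
                params += [Param("cookie", n, v) for n, v in _cookie_pairs(value)]
            else:
                params.append(Param("request-header", name, value))
            if name.lower() == "content-type":
                content_type = value
        if "application/x-www-form-urlencoded" in content_type:
            body = parse_qsl(req_body.strip(), keep_blank_values=True)
            params += [Param("body", n, v) for n, v in body]

        _, resp_headers, resp_body = _split_message(raw_resp)
        resp_type = ""
        for name, value in resp_headers:
            if name.lower() == "set-cookie":
                pairs = _cookie_pairs(value)  # first pair is the cookie; path/expires are attributes
                if pairs:
                    params.append(Param("set-cookie", pairs[0][0], pairs[0][1]))
            else:
                params.append(Param("response-header", name, value))
            if name.lower() == "content-type":
                resp_type = value
        if "text/html" in resp_type:
            form = _FormFields()
            form.feed(resp_body)
            params += [Param("form-field", n, v) for n, v in form.fields]
    return params


def unique_names(params):
    """Step 3: distinct parameter names in order of first appearance."""
    return list(dict.fromkeys(p.name for p in params))


def unique_values(params):
    """Step 4: distinct parameter values in order of first appearance."""
    return list(dict.fromkeys(p.value for p in params))


# Constructed two-exchange log reusing values from the slides (not a capture of any real site).
SAMPLE_LOG = [
    ("GET /report.php?lang=en&file=Fy2010_11_report.pdf HTTP/1.1\r\n"
     "Host: test.site\r\n"
     "Cookie: SessionId=oasow823djdlna33rfz; discount=13%\r\n\r\n",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html\r\n"
     "Set-Cookie: discount=10%; path=/\r\n\r\n"
     '<html><form action="/change_pwd.php" method="post">'
     '<input type="hidden" name="is_admin" value="0">'
     '<input type="text" name="user" value="lava"></form></html>'),
    ("POST /change_pwd.php HTTP/1.1\r\n"
     "Host: test.site\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Cookie: SessionId=oasow823djdlna33rfz\r\n\r\n"
     "user=lava&pwd=s77eod&id=23944",
     "HTTP/1.1 302 Found\r\n"
     "Location: http://partner.site/data.php\r\n\r\n"),
]

if __name__ == "__main__":
    for p in extract_params(SAMPLE_LOG):
        print(f"{p.source:16} {p.name} = {p.value}")
```

Only form-urlencoded bodies and `<input>` fields are handled; JSON bodies, multipart forms and `<select>`/`<textarea>` fields need their own branches. Logs from IronWASP or Burp would be exported to raw request/response text before being fed in.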
Parameter Values say a lot
Fy2010_11_report.pdf – possible LFI vulnerability
http://partner.site/data.php – possible RFI / Open
Redirect vulnerability
SELECT id FROM Users – SQL queries created on the
client-side and executed on the server-side !!!
Ironically, automated scanners might not detect this
type of SQL Injection!




Check parameter values for possible encoding
    Do you see anything interesting in the strings below?

    asdljz2398sdsdsdsdkss
    z23sds9sd9a;sdk=awe
    bgf2yto6c2vjcmv0mtiz
    646973636f756e743a323125
    2238019jadja8498434dfdf
    Lsjflosow2384fkshfl



How about now?
asDljz2398sdYDKus3lns
z23sdE9sd9Asdk=awe
bGF2YTo6c2VjcmV0MTIz –Base64 Decode-> lava::secret123
646973636f756e743a323125 –Hex Decode-> discount:21%
2238019jadja8498434dfdf
lsjflosow2384fkshfl

  Base64 and Hex encoding are the most commonly used encoding
  schemes in web apps
  Try base64- and hex-decoding all parameter values and see if they
  decode to ASCII strings or to binary strings with embedded ASCII
  values
  There could be interesting data hidden there
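Added example (not from the slides or IronWASP) of the decode-everything check in Python: each value is tried as hex and then as base64 and kept only when the decoded bytes are mostly printable, which is what separates the two encoded strings on the slide from the random-looking ones around them. The 0.9 printable threshold and the 8-character minimum are this example's choices.

```python
import base64
import binascii
import re
import string

_PRINTABLE = set(string.printable.encode("ascii"))
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII: 1.0 for clean text, lower for binary."""
    return sum(b in _PRINTABLE for b in data) / len(data) if data else 0.0


def try_hex(value, min_len=8):
    """Decode an even-length hex string, or return None."""
    if len(value) >= min_len and len(value) % 2 == 0 and _HEX_RE.match(value):
        return bytes.fromhex(value)
    return None


def try_base64(value, min_len=8):
    """Decode a base64 string (padding optional), or return None."""
    if len(value) < min_len or not _B64_RE.match(value):
        return None
    core = value.rstrip("=")
    if len(core) % 4 == 1:  # no base64 string has exactly one leftover character
        return None
    try:
        return base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except binascii.Error:
        return None


def decode_candidates(values, min_printable=0.9):
    """Map each value that decodes to mostly printable ASCII to (scheme, decoded text).

    Hex is tried first: every hex string is also a syntactically valid base64 string,
    but only the hex decoding yields readable text. Values whose decoding is mostly
    binary are dropped, which is what removes the random-looking strings.
    """
    found = {}
    for value in values:
        for scheme, decoder in (("hex", try_hex), ("base64", try_base64)):
            data = decoder(value)
            if data is not None and printable_ratio(data) >= min_printable:
                found[value] = (scheme, data.decode("ascii", errors="replace"))
                break
    return found


# Constructed input: the strings from the two slides plus a few short values.
SAMPLE_VALUES = [
    "en", "true", "23944", "s77eod",
    "asDljz2398sdYDKus3lns", "z23sdE9sd9Asdk=awe",
    "bGF2YTo6c2VjcmV0MTIz", "646973636f756e743a323125",
    "2238019jadja8498434dfdf", "lsjflosow2384fkshfl",
]

if __name__ == "__main__":
    for value, (scheme, text) in decode_candidates(SAMPLE_VALUES).items():
        print(f"{value} --{scheme} decode--> {text}")
```

Binary decodings with embedded ASCII (the slide's second case) are worth a lower threshold or a manual look at the decoded bytes; lowering `min_printable` trades fewer misses for more random-looking false positives.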




Check parameter values for Hashes
Make a list of parameter values that have the same
format as MD5 & SHA hashes
Try cracking these hashes using the other parameter
values as the dictionary
You will then know whether any parameter value is linked to
this hash
This helps you probe the connection further
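Added example (not the slides' own code) of the hash check: it picks out values shaped like MD5, SHA-1 or SHA-256 hex digests and tries to crack them with the other parameter values as the wordlist. The sample values and the two digests in them are constructed here; in practice the strings recovered by the decoding check (lava::secret123, discount:21%) belong in the wordlist as well.

```python
import hashlib
import re

# Hex digest lengths for the formats the slide names (MD5 and the common SHA variants).
HASH_FORMATS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def hash_like(values):
    """Values with the shape of an MD5/SHA-1/SHA-256 hex digest -> guessed algorithm."""
    return {v.lower(): HASH_FORMATS[len(v)]
            for v in values if len(v) in HASH_FORMATS and _HEX_RE.match(v)}


def crack_against_values(values):
    """Dictionary attack with the other parameter values as the wordlist.

    Every non-hash value is hashed with every algorithm and compared with the
    hash-like values. Returns {hash: (algorithm, plaintext value)} for each match,
    which tells you which parameter a hash is derived from.
    """
    targets = hash_like(values)
    wordlist = [v for v in dict.fromkeys(values) if v.lower() not in targets]
    links = {}
    for word in wordlist:
        for algo in sorted(set(HASH_FORMATS.values())):
            digest = hashlib.new(algo, word.encode("utf-8")).hexdigest()
            if digest in targets:
                links[digest] = (algo, word)
    return links


# Constructed parameter values: two digests computed from other values in the list
# (as a site might do for a "uid_hash" or "pwd_check" parameter) and one unrelated digest.
UID_HASH = hashlib.md5(b"23944").hexdigest()
PWD_HASH = hashlib.sha1(b"s77eod").hexdigest()
SAMPLE_VALUES = ["lava", "23944", "en", "s77eod", UID_HASH, PWD_HASH,
                 "deadbeefdeadbeefdeadbeefdeadbeef"]

if __name__ == "__main__":
    for digest, (algo, word) in crack_against_values(SAMPLE_VALUES).items():
        print(f"{digest} = {algo}({word!r})")
```

A hash that cracks to another parameter's value (an id, a username, a price) is the connection the slide asks you to probe: it shows the server relies on a digest of data the client already controls.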




CSRF token Analysis
Once you know the name of the CSRF token, check it
against the list of Parameter names
If any request carries the CSRF token in the Query
string then it’s a problem (similar to a Session ID in the URL)
http://test.site/action.php?create_user=test&token=JDK7kS02jso

If any POST request does not contain the CSRF
token in the body then it is probably a problem.
Investigate.
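Added example (not from the slides or IronWASP) of the two CSRF token checks over a constructed request log, with the slide's URL as the first entry. The token name is supplied by the analyst, as the slide says; guess_token_names is only a naming heuristic, and the finding labels are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

_TOKEN_NAME_RE = re.compile(r"csrf|xsrf|token|nonce", re.IGNORECASE)


def guess_token_names(param_names):
    """Heuristic: parameter names that look like an anti-CSRF token (confirm manually)."""
    return [n for n in dict.fromkeys(param_names) if _TOKEN_NAME_RE.search(n)]


def analyze_csrf(requests, token_name):
    """requests: dicts with 'method', 'url' and 'body' (form-encoded).

    Returns (finding, method, path) tuples: 'token-in-query' when the token travels
    in the URL (it then leaks like a session id in the URL would), and
    'post-without-token' for a POST whose body does not carry it.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if token_name in parse_qs(parts.query, keep_blank_values=True):
            findings.append(("token-in-query", req["method"], parts.path))
        if req["method"].upper() == "POST":
            body_params = parse_qs(req.get("body", ""), keep_blank_values=True)
            if token_name not in body_params:
                findings.append(("post-without-token", req["method"], parts.path))
    return findings


# Constructed request log; the first URL is the slide's own example.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "http://test.site/action.php?create_user=test&token=JDK7kS02jso", "body": ""},
    {"method": "POST", "url": "http://test.site/change_pwd.php", "body": "pwd=s77eod&token=JDK7kS02jso"},
    {"method": "POST", "url": "http://test.site/update_email.php", "body": "email=lava%40ironwasp.org"},
    {"method": "GET", "url": "http://test.site/report.php?lang=en", "body": ""},
]

if __name__ == "__main__":
    print("token candidates:", guess_token_names(["lang", "create_user", "pwd", "token", "email"]))
    for finding in analyze_csrf(SAMPLE_REQUESTS, "token"):
        print(finding)
```

Applications that carry the token in a custom request header instead of the body would need that header added as a second accepted location before a POST is reported.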




Clickjacking through lack of Framebusting
  Find out the JavaScript code that is used as the
  Framebuster to protect against ClickJacking
  Check the JavaScript islands in all HTML pages for this
  Framebuster
  List all pages that don’t have it. These are
  probably vulnerable to Clickjacking. Investigate.
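Added example (not the slides' own code) of the framebuster check: it collects the JavaScript islands of each page, looks for the usual framebuster idioms and lists the pages without one. A page served with an X-Frame-Options header or a CSP frame-ancestors directive is also left off the list, since those block framing without any script; the sample pages and the snippet in them are constructed here.

```python
import re
from html.parser import HTMLParser

# Idioms typical of framebuster scripts: comparing top/self/parent/window with each
# other, or touching top.location. Replace with the exact snippet the site uses once known.
FRAMEBUSTER_PATTERNS = [
    re.compile(r"\btop\s*\.\s*location\b"),
    re.compile(r"\b(top|parent|self|window)\s*[!=]==?\s*(top|parent|self|window)\b"),
]


class _ScriptIslands(HTMLParser):
    """Collect the text of every <script> block in a page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.islands = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.islands.append(data)


def has_framebuster(html):
    """True when any JavaScript island in the page contains a framebuster idiom."""
    parser = _ScriptIslands()
    parser.feed(html)
    js = "\n".join(parser.islands)
    return any(p.search(js) for p in FRAMEBUSTER_PATTERNS)


def has_framing_header(headers):
    """X-Frame-Options or a CSP frame-ancestors directive blocks framing without a script."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-frame-options" in lowered:
        return True
    return "frame-ancestors" in lowered.get("content-security-policy", "").lower()


def clickjacking_candidates(pages):
    """pages: {url: (response_headers, html)}. Returns the URLs with neither the
    framebuster script nor a framing header, i.e. the pages to investigate."""
    return [url for url, (headers, html) in pages.items()
            if not has_framebuster(html) and not has_framing_header(headers)]


# Constructed pages; the framebuster snippet is a typical one, not taken from any site.
SAMPLE_PAGES = {
    "/index.php": ({}, "<html><script>if (top != self) { top.location = self.location; }</script></html>"),
    "/account.php": ({"X-Frame-Options": "DENY"}, "<html><p>Account</p></html>"),
    "/transfer.php": ({}, '<html><script>var lang = "en";</script><form>...</form></html>'),
    "/help.php": ({}, "<html><p>Help</p></html>"),
}

if __name__ == "__main__":
    print(clickjacking_candidates(SAMPLE_PAGES))
```

Only inline islands are scanned; a framebuster loaded from an external `.js` file would need that file fetched and checked the same way, or the check will over-report.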




Cookies set/manipulated on the Client-side
   Compare the key/values from the Set-Cookie response
   headers to the key/values in the Cookie request
   header
   Any key/value in the Cookie header that is missing
   from the Set-Cookie headers has been set by
   JavaScript
   This indicates data storage or possibly logical decision
   making on the client-side. Investigate.
   Eg:
  Set-Cookie: discount=10%; path=/

  Cookie: SessionId=oasow823djdlna33rfz; discount=13%
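Added example (not from the slides) of the Set-Cookie versus Cookie comparison over the slide's own headers, extended with a second case: a cookie whose value changed between what the server issued and what the browser sent back (discount 10% to 13%) is reported separately from a cookie the server never issued at all (SessionId). The finding labels are this example's own.

```python
def cookie_pairs(header_value):
    """'a=1; b=2' -> [('a', '1'), ('b', '2')]; used for both Cookie and Set-Cookie headers."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def analyze_cookies(set_cookie_headers, cookie_headers):
    """Compare what the server issued with what the browser sent back.

    set_cookie_headers: every Set-Cookie value seen in responses.
    cookie_headers:     every Cookie value seen in requests.
    Returns {name: (finding, value sent)} with finding 'client-set' for a cookie the
    server never issued and 'client-modified' for one whose sent value differs from
    every value the server issued.
    """
    issued = {}
    for header in set_cookie_headers:
        pairs = cookie_pairs(header)
        if pairs:  # first pair is the cookie; path/expires/... are attributes
            name, value = pairs[0]
            issued.setdefault(name, set()).add(value)
    findings = {}
    for header in cookie_headers:
        for name, value in cookie_pairs(header):
            if name not in issued:
                findings[name] = ("client-set", value)
            elif value not in issued[name]:
                findings[name] = ("client-modified", value)
    return findings


# Constructed headers built around the slide's example. A cookie issued before logging
# started (e.g. at a login done before the proxy was set) also shows up as 'client-set',
# so make sure the log covers the whole session before investigating.
SAMPLE_SET_COOKIE = ["discount=10%; path=/", "lang=en; path=/"]
SAMPLE_COOKIE = ["SessionId=oasow823djdlna33rfz; discount=13%; lang=en"]

if __name__ == "__main__":
    for name, finding in analyze_cookies(SAMPLE_SET_COOKIE, SAMPLE_COOKIE).items():
        print(name, finding)
```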
Check for Reflections
Analyze all responses for reflection of any of the
input parameters
If user input is reflected back in the response then it
must be tested for Cross-site Scripting
This also helps identify potential candidates for Stored
Cross-site Scripting
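Added example (not the slides' own code) of the reflection check across a constructed set of exchanges: every parameter value is searched for in every response, so a value that reappears in a later page is flagged as a stored XSS candidate, not only a value echoed in its own response. The html-encoded match and the 4-character minimum are this example's additions.

```python
import html


def find_reflections(exchanges, min_len=4):
    """exchanges: dicts with 'url', 'params' ({name: value} sent) and 'response' (body text).

    Each parameter value is searched for in every response body, both as sent and in
    its HTML-escaped form. A hit in the same exchange is 'reflected'; a hit in another
    exchange is a 'stored-candidate', the first sign of stored cross-site scripting.
    Returns (kind, how, parameter, sending url, reflecting url) tuples.
    """
    findings = []
    for i, sent in enumerate(exchanges):
        for name, value in sent["params"].items():
            if len(value) < min_len:
                continue  # values like 'en' or '1' appear in any page by coincidence
            for j, other in enumerate(exchanges):
                body = other["response"]
                if value in body:
                    how = "raw"
                elif html.escape(value) in body:
                    how = "html-encoded"
                else:
                    continue
                kind = "reflected" if i == j else "stored-candidate"
                findings.append((kind, how, name, sent["url"], other["url"]))
    return findings


# Constructed exchanges: a search page echoing its query, a profile form, and a members
# page that later displays what the profile form stored.
SAMPLE_EXCHANGES = [
    {"url": "/search.php", "params": {"q": "passive analysis"},
     "response": "<h1>Results for passive analysis</h1>"},
    {"url": "/profile.php", "params": {"nick": "lava<3", "city": "Chennai"},
     "response": "<p>Profile saved</p>"},
    {"url": "/members.php", "params": {"lang": "en"},
     "response": "<ul><li>lava&lt;3 (Chennai)</li></ul>"},
]

if __name__ == "__main__":
    for finding in find_reflections(SAMPLE_EXCHANGES):
        print(finding)
```

A raw hit is the one to test first for cross-site scripting; an html-encoded hit shows the application encodes that value on output in that context, but it still confirms the data flow from input to page, which is what the stored-XSS candidate list is for.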




Closing notes
These are only indications; what you can do is
limited only by your imagination
A Python script that automates all the discussed
techniques will be made available at
https://github.com/lavakumar before the end of this
month
This script will soon be turned into an IronWASP
module with a GUI

                   Thank You!
Subscribe mailing list




            www.owasp.in
            Keep up to date!




