Sector 2014 
Toronto, Ontario 
Reverse Engineering a Web Application - For Fun, Behavior & WAF Detection
Rodrigo “Sp0oKeR” Montoro 
Sucuri Security
$ whois @spookerlabs 
➢ Senior Security Administrator at Sucuri Security
➢ Author of 2 patent pending technologies 
➢ Researcher 
➢ Open Source enthusiast 
➢ Triathlete 
➢ Dad
About Sucuri Security 
Over 50 Security Professionals Making a Safer Web 
SECURITY SCANNING & ANALYSIS
Checking the health of over 3 million websites every month through our free Sitecheck Scanner: http://sitecheck.sucuri.net
MALWARE CLEANUP
Cleaning and remediating 300 – 400 hacked or infected websites every day.
ATTACK PROTECTION
Blocking over 33 million attacks and instances of malicious traffic every month.
EDUCATION
Providing detailed and actionable security information through our blog at http://blog.sucuri.net
A Note on the Examples 
This talk is based on WordPress / NGINX, but the 
concepts can apply to any 
Web Application / CMS.
Motivations 
➢ Trying a different approach than a regular WAF
➢ Protect specific content (CMS)
➢ Malware reinfections
➢ Fewer rules with better detection = performance
➢ Protection against "new vulnerabilities" (a whitelist of known-good traffic does not need a signature for each new one)
Agenda 
➢ Introduction 
➢ Detection steps 
○ Reverse Engineering a CMS’s traffic 
○ Analyzing Application structure (Files / Directories) 
○ Local protection & hardening 
○ Statistical Data 
➢ Challenges 
➢ Conclusions
Introduction 
Normalizing concepts
Reverse Engineering 
“Reverse engineering is taking apart an object to 
see how it works in order to duplicate or 
enhance the object. ”
1 "equals" 2
1 "does not equal" a
Whitelisting: the comparison is by class, not by value. Once the whitelist says a parameter is numeric, 1 and 2 are the same thing (both allowed) and 1 and a are different things (a is outside the class), with no need to know which attack a would be part of.
Our Scope: WAF Detection 
➢ Traffic Analysis 
○ Requests 
○ Responses 
➢ Application Structure Analysis 
○ Directories 
○ Headers 
○ Files 
➢ Behavior 
○ Log correlation 
○ Application 
○ Honeypots 
REPEAT
4 Detection steps
Detection steps
Reversing Traffic
The HTTP Protocol
Traffic Analysis 
➢ Methods 
➢ URI 
➢ Parameters 
➢ Headers
Crawling the Application
GET Request
POST Request
Oh wait! Get a job from the headers...
Full Request
After basic manual analysis, a tool ... 
Sucuri Beta pcap traffic parser v0.0.1 (Matched)
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?s=sucuri with parameter s=sucuri matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
URI: /wordpress_lab_test/?s=test+2 with parameter s=test+2 matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?s=Sp0oKeR+Labs+Team with parameter s=Sp0oKeR+Labs+Team matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
Sucuri Beta pcap traffic parser v0.0.1 (Not Matched)
URI: /wordpress_lab_test/?author=1 with parameter(s) author=1 didn't match any regex
URI: /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 with parameter(s) ver=1.11.0 didn't match any regex
URI: /wordpress_lab_test/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319 with parameter(s) ver=20140319 didn't match any regex
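The same per-parameter whitelist, written out as an added example in Python (this is not the talk's pcap parser, whose source is not on the page). Each query parameter must be a known name and its decoded value must match the regex learned from good traffic; anything else is reported so it can become either a new rule or a block. The `ver` rule, the allowed-method set and the sample requests are assumptions constructed for this example.

```python
"""Per-parameter request whitelist in the style of the parser output above.
Added example, not the talk's tool. Sample requests are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Whitelist in the form the parser output implies, anchored on the whole
# (URL-decoded) value. "ver" is an assumed addition: the run above flagged
# ver=1.11.0 as unmatched, which is a gap in the whitelist rather than an
# attack (WordPress cache-busts static assets with ?ver=).
WHITELIST = {
    "m":       re.compile(r"^\d+$"),         # month archive, ?m=201409
    "page_id": re.compile(r"^\d+$"),         # ?page_id=2
    "s":       re.compile(r"^[\d\w\s]+$"),   # search, ?s=Sp0oKeR+Labs+Team
    "ver":     re.compile(r"^[\d.]+$"),      # assumed: ?ver=1.11.0
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}    # assumed for this CMS front end


def check_request(method, uri):
    """Return (verdict, findings). verdict is "matched" when the method and
    every parameter are inside the whitelist, else "unmatched"; findings
    lists (name, value, reason) for each thing outside it."""
    findings = []
    if method not in ALLOWED_METHODS:
        findings.append(("method", method, "method not allowed"))
    # parse_qsl decodes %xx and turns '+' into a space, so the regexes see
    # the value PHP will see, not the raw bytes on the wire.
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        rule = WHITELIST.get(name)
        if rule is None:
            findings.append((name, value, "unknown parameter"))
        elif not rule.match(value):
            findings.append((name, value, "value outside whitelist"))
    return ("matched" if not findings else "unmatched"), findings


# Constructed sample traffic: the first five mirror the parser output above,
# the last two are an injection-shaped probe and an unexpected method.
SAMPLE_REQUESTS = [
    ("GET", "/wordpress_lab_test/?m=201409"),
    ("GET", "/wordpress_lab_test/?s=Sp0oKeR+Labs+Team"),
    ("GET", "/wordpress_lab_test/?page_id=2"),
    ("GET", "/wordpress_lab_test/?author=1"),
    ("GET", "/wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0"),
    ("GET", "/wordpress_lab_test/?page_id=2%20UNION%20SELECT%201"),
    ("OPTIONS", "/wordpress_lab_test/"),
]


def run(requests=SAMPLE_REQUESTS):
    """Classify every request; returns [(method, uri, verdict, findings)]."""
    return [(m, u) + check_request(m, u) for m, u in requests]


if __name__ == "__main__":
    for method, uri, verdict, findings in run():
        print(f"{verdict:9} {method} {uri}")
        for name, value, why in findings:
            print(f"          {name}={value!r}: {why}")
```

`author=1` stays unmatched on purpose: WordPress answers `?author=N` with a redirect to that user's archive URL, which leaks usernames, so leaving it outside the whitelist refuses the enumeration without needing a signature for it. `ver=` shows the other side of the loop, a false positive that becomes a new rule.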
Some simple NGINX configs
The checks use a negative match (!~) against the pattern learned from good traffic, so anything outside the whitelist gets the chosen status code (403, or 444 to drop the connection); the query-string check is the one positive match, against a known-bad pattern. nginx's if is safe in these blocks because each one only returns.
if ($http_user_agent !~ <something>) {
    return <status_code>;
}
if ($query_string ~ <something>) {
    return <status_code>;
}
if ($request_uri !~ <something>) {
    return <status_code>;
}
if ($request_method !~ <something>) {
    return <status_code>;
}
if ($http_cookie !~ <something>) {
    return <status_code>;
}
What’s wrong here?
What about here?
Summary of Flow Parsing
But ...
Something could go wrong … 
Counter Intelligence / Statistical Data
Traffic Analysis
Analyzing Application Structure / Local Hardening
Monitoring
(Detection flow diagram: the four stages above form a loop, each feeding the next and the last feeding back into traffic analysis.)
What traffic rules alone will not catch:
➢ Bypass rules
➢ Credentials stolen
➢ Cookie hijack
➢ Bad administrator
(Second detection flow diagram, highlighting Analyzing Application Structure / Local Hardening and Monitoring: these stages work on what happens on the server, so they still catch the cases above when the request itself looks legitimate.)
Analyzing Application Structure (Files / Directories)
File Structure 
➢ Files 
➢ Directories 
➢ Permissions 
➢ Monitoring
WordPress Tarball
Lots of files …
index.php 
wp-activate.php 
wp-admin/ 
wp-blog-header.php 
wp-comments-post.php 
wp-config.php 
wp-content/ 
wp-cron.php 
wp-includes/ 
wp-load.php 
wp-login.php 
wp-mail.php 
wp-settings.php 
wp-trackback.php 
xmlrpc.php
The Basic WP Structure 
➢ config files & installation files 
➢ Administration directories (/wp-admin/) 
➢ Core files (/wp-includes/) 
➢ Themes, plugins, uploads … (/wp-content/) 
➢ xmlrpc.php
xmlrpc.php
➢ Comments (spammers)
➢ Pingbacks (DDoS attacks: the server fetches the pingback source URI, so any WordPress site can be pointed at a third party)
➢ User auth (wp.getUsersBlogs) (brute force: credentials are checked outside wp-login.php, so login-form protections do not see the attempts)
Some fun, redirect to a honeypot
<IfModule mod_alias.c>
Redirect 301 /xmlrpc.php http://honeypot/xmlrpc.php
</IfModule>
Only clients that follow redirects end up at the honeypot, and most that do will turn the POST into a GET on a 301, so the honeypot reliably sees the source IP but not always the payload. The redirect target receives whatever the attacker sends, so point it at a host you control.
XMLRPC Login Attempt
Brute forcing
Pingback
$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
The first parameter is the sourceURI: WordPress fetches it to verify the link, which is what turns any WordPress site into a reflector against victim.com.
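An added example (not from the talk and not WordPress code) that classifies XML-RPC POST bodies aimed at xmlrpc.php by method name, so the three abuse cases on the slide can be logged or blocked before PHP runs, and that pulls out the host a pingback would make the server fetch. The `wp.newComment` mapping for the comment-spam case and the sample bodies other than the slide's pingback are assumptions constructed for this example.

```python
"""Classify XML-RPC methodCall bodies sent to xmlrpc.php.
Added example, not the talk's code. Sample bodies are constructed."""
import xml.etree.ElementTree as ET

# Method -> why it is on the watch list. The first two come from the
# xmlrpc.php slide; wp.newComment is an assumed mapping for "Comments".
WATCH_LIST = {
    "pingback.ping": "pingback reflection (server fetches the sourceURI)",
    "wp.getUsersBlogs": "credential check, used for brute force",
    "wp.newComment": "comment posting, used by spammers (assumed mapping)",
}


def parse_method_call(body):
    """Return (method_name, [string params]) or (None, []) if the body is
    not a well-formed <methodCall>. xml.etree does not fetch external
    entities, but a production deployment should parse with defusedxml."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, []
    if root.tag != "methodCall":
        return None, []
    name = root.findtext("methodName", default="").strip()
    params = [v.text or "" for v in root.iterfind("params/param/value/string")]
    return name, params


def classify(body):
    """Verdict for one request body: method, watch-list reason (or None), params."""
    method, params = parse_method_call(body)
    if method is None:
        return {"method": None, "reason": "malformed or non-methodCall body", "params": []}
    return {"method": method, "reason": WATCH_LIST.get(method), "params": params}


def pingback_fetch_target(body):
    """For pingback.ping the first param is the sourceURI WordPress will
    fetch: that is the host being reflected at. None for other methods."""
    method, params = parse_method_call(body)
    if method == "pingback.ping" and params:
        return params[0]
    return None


# Constructed samples: PINGBACK is the body from the curl example above.
PINGBACK = ("<methodCall><methodName>pingback.ping</methodName><params>"
            "<param><value><string>http://victim.com</string></value></param>"
            "<param><value><string>www.anywordpresssite.com/postchosen</string></value></param>"
            "</params></methodCall>")
LOGIN = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
         "<param><value><string>admin</string></value></param>"
         "<param><value><string>Password1</string></value></param>"
         "</params></methodCall>")
BENIGN = "<methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"
GARBAGE = "<methodCall><methodName>pingback.ping"   # truncated on purpose

if __name__ == "__main__":
    for label, body in [("pingback", PINGBACK), ("login", LOGIN),
                        ("benign", BENIGN), ("garbage", GARBAGE)]:
        print(label, classify(body))
    print("reflected at:", pingback_fetch_target(PINGBACK))
```

Run at the edge (or from a pcap, as the talk does), this gives a per-method counter per source IP: a burst of `wp.getUsersBlogs` is the brute force, a burst of `pingback.ping` with the same sourceURI across many sites is the reflector being aimed.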
/wp-admin/ “Access”
Restriction Samples
Apache (.htaccess)
/uploads/
Options -Indexes
<Files *.php>
deny from all
</Files>
/wp-admin/
<Files *>
Order Deny,Allow
Deny from all
Allow from 1.2.3.4
</Files>
(With Order Allow,Deny the Deny from all is evaluated last and locks out 1.2.3.4 as well; Deny,Allow lets the explicit Allow win. /wp-admin/admin-ajax.php is called by the front end of many themes and plugins, so an IP allowlist on the whole directory needs an exception for it.)
/wp-includes/
<Files *.php>
deny from all
</Files>
/wp-content/
<Files *.php>
deny from all
</Files>
/
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
<Files *.txt>
deny from all
</Files>
<Files *.log>
deny from all
</Files>
NGINX
location ~* ^/wp-content/uploads/.*\.(php|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$ {
    types { }
    default_type text/plain;
}
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
location /wp-includes/ { internal; }
(The uploads block serves anything script-like as text/plain instead of executing it; regex locations match in order, so it must come before the generic PHP handler. internal makes the whole of /wp-includes/ unreachable from outside, which also blocks the JS and CSS the front end loads from there, so restrict it to .php files unless that is intended. A blanket deny of *.php in /wp-content/ breaks plugins that expose their own PHP endpoints; test after each rule.)
Local protection, monitoring 
& hardening
Mitigating Attack Surface
Realtime Monitoring w/ OSSEC
<!-- ossec.conf fragments: feed the access log to the log analysis engine ... -->
<localfile>
  <log_format>apache</log_format>
  <location>/var/log/httpd/access_log</location>
</localfile>
<!-- ... and watch the file system with syscheck -->
<syscheck>
  <!-- Frequency that syscheck is executed - set to every 4 hours -->
  <frequency>14400</frequency>
  <!-- Directories to check (perform all possible verifications) -->
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
  <!-- Web root: realtime, with diffs, limited to the file types an attacker drops or edits -->
  <directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">/var/www/html/</directories>
  <alert_new_files>yes</alert_new_files>
  <scan_on_start>no</scan_on_start>
  <auto_ignore>no</auto_ignore>
</syscheck>
Threshold ideas
➢ Too many 404s (file and plugin probing)
➢ GETs per unit of time from the same source IP
➢ POSTs per unit of time from the same source IP (wp-login.php, xmlrpc.php)
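The three threshold ideas above run over Apache combined-format access log lines with a sliding window per source IP, as an added example (not from the talk). The log lines are constructed and the threshold values are assumed starting points, not the talk's numbers; tune them per site.

```python
"""Threshold detection over Apache combined-log lines.
Added example, not the talk's code. Log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# key -> (max events, window). Assumed starting points, not the talk's numbers.
THRESHOLDS = {
    "404":  (20, timedelta(seconds=60)),   # too many 404s: scanner / file probing
    "GET":  (60, timedelta(seconds=60)),   # GETs per time from one source IP
    "POST": (10, timedelta(seconds=60)),   # POSTs per time from one source IP
}


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect(lines, thresholds=THRESHOLDS):
    """Return [(ip, key, count, ts)] the first time each (ip, key) crosses its limit."""
    windows = defaultdict(deque)          # (ip, key) -> timestamps inside the window
    fired = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, never crash the detector
        keys = [rec["method"]] + (["404"] if rec["status"] == "404" else [])
        for key in keys:
            if key not in thresholds:
                continue
            limit, span = thresholds[key]
            q = windows[(rec["ip"], key)]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > span:
                q.popleft()               # drop events older than the window
            if len(q) >= limit and (rec["ip"], key) not in fired:
                fired.add((rec["ip"], key))
                alerts.append((rec["ip"], key, len(q), rec["ts"]))
    return alerts


def make_sample_log():
    """Constructed log: a plugin-enumeration scan, normal browsing and a
    wp-login.php brute force, all inside one minute."""
    base = datetime(2014, 9, 12, 14, 12, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, uri, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {uri} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    for i in range(25):                   # scanner: 25 missing plugin readmes in 25 s
        lines.append(line("203.0.113.5", i, "GET", f"/wp-content/plugins/p{i}/readme.txt", 404))
    for i in range(5):                    # a real visitor
        lines.append(line("198.51.100.7", i * 10, "GET", f"/?p={i}", 200))
    for i in range(12):                   # brute force: 12 login POSTs in 33 s
        lines.append(line("192.0.2.9", i * 3, "POST", "/wp-login.php", 200))
    return lines


if __name__ == "__main__":
    for ip, key, count, ts in detect(make_sample_log()):
        print(f"ALERT {ip}: {count} x {key} within window, at {ts}")
```

The scanner trips the 404 rule but not the GET rule, and the login brute force trips the POST rule on a 200 status (WordPress answers a failed login with 200, so status codes alone do not reveal it). Each (ip, key) fires once; a production version would reset after a cooldown and feed the alert into the OSSEC active response or the blocking layer.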
Special File Permissions ( bit paranoid =) )
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
spooker@spookerhome:/tmp/wordpress$ cat test.php
Malware Content
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
-rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php
spooker@spookerhome:/tmp/wordpress$ sudo chattr +i test.php
spooker@spookerhome:/tmp/wordpress$ lsattr test.php
----i--------e-- test.php
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
bash: test.php: Permission denied
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
-rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php
spooker@spookerhome:/tmp/wordpress$
From chattr(1): a file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
The mode bits still say rw- for the owner, so ls gives no hint; only lsattr shows the flag. It stops a web shell running as the web server user from rewriting core files, but anyone who gets root can clear it, and so must your own update process (chattr -i before upgrading WordPress).
Statistical Data
… where false positives become good information =)
A Unique Place...
Counter Intelligence 
➢ Behavior 
➢ Alerts 
➢ New trends 
➢ Honeypots / New Attacks
Behavior: How you look at problems
User-Agent: Something ABCD WXYZ
User-Agent: My UA with ABCD PBC
User-Agent: ABCD is a malicious
Three different User-Agent strings that share the token ABCD: a signature on any one full string misses the other two, while a rule on the shared token (the behavior) catches the whole family.
GEO IP Block: Top Attack Countries
Top Methods
HTTP Version 1.0
Quick history (Spambot Stealrat)
Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)
In summary...
The Challenges
➢ Bad code
➢ Themes
➢ Plugins (33.5K+)
➢ Languages
Looking to the Future
➢ Integration with SCAP (Security Content Automation Protocol) checks
➢ Create an open source tool to regex traffic
○ Database of regexes per application
➢ Build a rule set for CMSs (WordPress, Joomla, Drupal, vBulletin, Magento …) under OWASP Projects
Contact
Rodrigo “Sp0oKeR” Montoro
rodrigo.montoro@sucuri.net
@spookerlabs / @sucuri_security
http://blog.sucuri.net
http://www.sucuri.net

2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 

Reversing Engineering a Web Application - For fun, behavior and detection

  • 19. Oh wait! Get a job from the headers...
  • 21. After basic manual analysis, a tool ...
    Sucuri Beta pcap traffic parser v0.0.1 (Matched)
    URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
    URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
    URI: /wordpress_lab_test/?s=sucuri with parameter s=sucuri matched regex 's=[\d\w\s]+$'
    URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
    URI: /wordpress_lab_test/?s=test+2 with parameter s=test+2 matched regex 's=[\d\w\s]+$'
    URI: /wordpress_lab_test/?s=Sp0oKeR+Labs+Team with parameter s=Sp0oKeR+Labs+Team matched regex 's=[\d\w\s]+$'
    URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
    URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
    Sucuri Beta pcap traffic parser v0.0.1 (Not Matched)
    URI: /wordpress_lab_test/?author=1 with parameter(s) author=1 didn't match any regex
    URI: /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 with parameter(s) ver=1.11.0 didn't match any regex
    URI: /wordpress_lab_test/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319 with parameter(s) ver=20140319 didn't match any regex
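The whitelisting idea behind this slide's parser, reimplemented as an added example (not the Sucuri tool itself): each WordPress query parameter is checked against the slide's regexes with their backslashes restored, and any parameter that is unknown or has the wrong shape sends the whole request to the "not matched" bucket. The sample URIs are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Per-parameter whitelist: the slide's regexes, backslashes restored.
# Checks run on the decoded value, so '+' in s=test+2 is a space.
PARAM_WHITELIST = {
    "m": r"\d+$",          # archive month, e.g. m=201409
    "s": r"[\d\w\s]+$",    # search terms
    "page_id": r"\d+$",    # numeric page id
}


def check_parameters(uri):
    """Judge every query parameter of one request URI against the whitelist.

    Returns (matched, report): matched is True only when every parameter is
    known and fits its regex; report holds one line per parameter in the
    style of the slide's output. A URI without parameters passes untouched.
    """
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    matched, report = True, []
    for name, value in params:
        pattern = PARAM_WHITELIST.get(name)
        if pattern is not None and re.fullmatch(pattern, value):
            report.append(f"{name}={value} matched regex '{name}={pattern}'")
        else:
            matched = False
            report.append(f"{name}={value} didn't match any regex")
    return matched, report


def split_traffic(uris):
    """Sort URIs into the two buckets the slide shows: matched / not matched."""
    good, bad = [], []
    for uri in uris:
        (good if check_parameters(uri)[0] else bad).append(uri)
    return good, bad


# Constructed sample traffic modelled on the slide, not a captured pcap.
SAMPLE_URIS = [
    "/wordpress_lab_test/?m=201409",
    "/wordpress_lab_test/?s=Sp0oKeR+Labs+Team",
    "/wordpress_lab_test/?page_id=2",
    "/wordpress_lab_test/?author=1",                      # name not whitelisted
    "/wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0",
    "/wordpress_lab_test/?page_id=2abc",                  # right name, wrong shape
]

if __name__ == "__main__":
    matched, unmatched = split_traffic(SAMPLE_URIS)
    print("Matched:", *matched, sep="\n  ")
    print("Not matched:", *unmatched, sep="\n  ")
```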
  • 22. Some simple NGINX configs
    if ($http_user_agent !~ <something>) { return <status_code>; }
    if ($query_string ~ <something>) { return <status_code>; }
    if ($request_uri !~ <something>) { return <status_code>; }
    if ($request_method !~ <something>) { return <status_code>; }
    if ($http_cookie !~ <something>) { return <status_code>; }
  • 25. Summary of Flow Parsing
  • 27. Something could go wrong …
    [Diagram: DETECTION FLOW, top to bottom: Traffic Analysis, Analyzing Application Structure / Local Hardening, Monitoring, Counter Intelligence / Statistical Data. Ways it can fail: Bypass rules, Credentials stolen, Cookie hijack, Bad administrator.]
  • 28. Analyzing Application Structure (Files / Directories)
  • 29. File Structure ➢ Files ➢ Directories ➢ Permissions ➢ Monitoring
  • 30. WordPress Tarball
    Lots of files ….
    index.php
    wp-activate.php
    wp-admin/
    wp-blog-header.php
    wp-comments-post.php
    wp-config.php
    wp-content/
    wp-cron.php
    wp-includes/
    wp-load.php
    wp-login.php
    wp-mail.php
    wp-settings.php
    wp-trackback.php
    xmlrpc.php
  • 31. The Basic WP Structure ➢ config files & installation files ➢ Administration directories (/wp-admin/) ➢ Core files (/wp-includes/) ➢ Themes, plugins, uploads … (/wp-content/) ➢ xmlrpc.php
  • 32. xmlrpc.php
    ➢ Comments (Spammers)
    ➢ PingBacks (DDoS Attacks)
    ➢ User-Auth (wp.GetUsersBlogs) (Brute Force)
    Some fun, redirect to a honeypot:
    <IfModule mod_alias.c>
      Redirect 301 /xmlrpc.php http://honeypot/xmlrpc.php
    </IfModule>
  • 35. Pingback
    $ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
  • 37. Restriction Samples
    Apache (.htaccess):
    /uploads/
      Options -Indexes
      <Files *.php>
        deny from all
      </Files>
    /wp-admin/
      <Files *>
        order allow,deny
        deny from all
        allow from 1.2.3.4
      </Files>
      <Files xmlrpc.php>
        order Deny,Allow
        deny from all
      </Files>
    /wp-includes/
      <Files *.php>
        deny from all
      </Files>
    /wp-content/
      <Files *.php>
        deny from all
      </Files>
    /
      <Files *.txt>
        deny from all
      </Files>
      <Files *.log>
        deny from all
      </Files>
    NGINX:
    location ~* ^/wp-content/uploads/.*\.(php|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$ {
      types { }
      default_type text/plain;
    }
    location ~* wp-admin/includes { deny all; }
    location ~* wp-includes/theme-compat/ { deny all; }
    location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
    location /wp-includes/ { internal; }
  • 40. Realtime Monitoring w/ OSSEC
    <localfile>
      <log_format>apache</log_format>
      <location>/var/log/httpd/access_log</location>
    </localfile>
    <!-- Frequency that syscheck is executed - set to every 4 hours -->
    <frequency>14400</frequency>
    <!-- Directories to check (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">/var/www/html/</directories>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>
    <auto_ignore>no</auto_ignore>
  • 41. Threshold ideas ➢ Too many 404 ➢ GET per time same IP Source ➢ POST per time same IP Source
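A sliding-window detector for the three threshold ideas on this slide, as an added example that is not from the talk: it reads Apache combined log lines (the format the OSSEC slide monitors) and raises one alert per source IP and event kind when the count inside the window reaches the limit. The window size, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed thresholds (assumptions, not figures from the talk): at most
# this many events of a kind per source IP inside a sliding WINDOW seconds.
WINDOW = 60
THRESHOLDS = {"404": 5, "GET": 20, "POST": 5}


def parse_line(line):
    """Return (ip, epoch_seconds, method, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp(), m.group("method"), m.group("status")


def detect(lines):
    """Per (ip, kind) sliding window; alert once when the count hits the threshold."""
    windows = defaultdict(deque)   # (ip, kind) -> timestamps still inside WINDOW
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, method, status = rec
        kinds = [method] if method in THRESHOLDS else []
        if status == "404":
            kinds.append("404")
        for kind in kinds:
            q = windows[(ip, kind)]
            q.append(t)
            while t - q[0] > WINDOW:   # drop events older than the window
                q.popleft()
            if len(q) == THRESHOLDS[kind]:
                alerts.append((ip, kind))
    return alerts


def sample_log():
    """Constructed lines: a login-form POST burst, a 404 burst, one normal visitor."""
    fmt = '{ip} - - [12/Sep/2014:14:12:{s:02d} -0300] "{m} {u} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="198.51.100.7", s=1, m="GET", u="/", st=200)]
    lines += [fmt.format(ip="203.0.113.5", s=5 + i, m="POST", u="/wp-login.php", st=200) for i in range(6)]
    lines += [fmt.format(ip="192.0.2.9", s=20 + i, m="GET", u=f"/missing-{i}", st=404) for i in range(7)]
    return lines
```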
  • 42. Special File Permissions ( bit paranoid =) )
    spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
    spooker@spookerhome:/tmp/wordpress$ cat test.php
    Malware Content
    spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
    -rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php
    spooker@spookerhome:/tmp/wordpress$ lsattr test.php
    ----i--------e-- test.php
    spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
    bash: test.php: Permission denied
    spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
    -rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php
    spooker@spookerhome:/tmp/wordpress$
    A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
  • 44. A Unique Place... where false positives become good information =)
  • 45. Counter Intelligence ➢ Behavior ➢ Alerts ➢ New trends ➢ Honeypots / New Attacks
  • 46. Behavior: How you look at problems
    User-Agent: Something ABCD WXYZ
    User-Agent: My UA with ABCD PBC
    User-Agent: ABCD is a malicious
  • 47. GEO IP Block: Top Attack Countries
  • 50. Quick history (Spambot Stealrat) Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)
  • 52. The Challenges ➢ Bad codes ➢ Themes ➢ Plugins (33.5K+) ➢ Languages
  • 53. Looking to the Future ➢ Integration with SCAP (Security Content Automation Protocol) checks ➢ Create an OpenSource tool to regex traffic ○ Database of regexes per Application ➢ Build a rule set for CMS (WordPress, Joomla, Drupal, vBulletin, Magento …) under OWASP Projects
  • 54. Rodrigo “Sp0oKeR” Montoro rodrigo.montoro@sucuri.net @spookerlabs / @sucuri_security http://blog.sucuri.net http://www.sucuri.net Contact

Editor's notes

  1. Regex splunk material
  2. When crawling, remember to simulate a regular user =) Burp to spider and tcpdump saving pcap
  3. Many thousands of ways to modify a variable, why not check if there is only one way and so drop the rest? Comment about HTTP version, Referer, number of headers
  4. Pwd as blacklisted most common password. POST won't cache info. Comment about HTTP version, Referer, User-Agent (talk about size), number of headers
  5. Non-matching traffic will be dropped when deploying, but we could deploy after some tuning in monitor mode. Save regular traffic to the site and TEST it against our parser. Customers could send a pcap with traffic so we could tune rules for them beforehand.
  6. Comment about if problems Talk about POST methods
  7. Comment about default bypass, cookie hijack or regular stolen user/pass
  8. remember to talk about Gregg CMS 101 talk that looks into readme, changelog to detect versions
  9. Besides protecting some files, those protections will make your directories/files not accessible if infected. Advantage of nginx protection: it's harder to hack the nginx file
  10. No 100% security. What to do if protection fails and the attacker has local access?
  11. Talk about CMS hacking 101 Changing 404.php file using admin interface
  12. Talk about CMS 101 AppSec hacking
  13. 19 bytes
  14. Most of our blocks are made by GEOIP
  15. Comment about default bypass, cookie hijack or regular stolen user/pass