TRANSCRIPT
BE INFORMED. BE STRATEGIC. BE SECURE.
Bare-bones AppSec Testing
Stephen Deck, GSE, OSCE, CISSP
@ranger_cha
OBJECTIVE
-What is AppSec?
-Web app testing methodology
-CTF web app advice
APPSEC AS A DISCIPLINE
-Application Security
-AppSec finds new vulnerabilities in a single application
-Sometimes finds known config issues or vulnerable components
-Different from pentesting
-Pentesting finds known vulns across many systems
WEB APP TESTING METHODOLOGY OVERVIEW
-Use OWASP Testing Guide v4
-Detailed steps for testing apps
-Way more than OWASP Top 10
-Still need to apply some to all inputs
-https://www.owasp.org/images/1/19/OTGv4.pdf
APPLICATION TESTING PHASES
1. Customer Information
2. Reconnaissance
3. Automated Testing
4. Manual Testing
5. Exploitation
6. Reporting
APPLICATION TESTING PHASES
1. Customer Information
-Find “dangerous pages”
  -Contact forms, registration, email, etc.
-In scope systems
-Presence of APIs
2. Reconnaissance
-Find dangerous pages on your own
-Verify scope of systems
-Brute-force content
APPLICATION TESTING PHASES
3. Automated Testing
-Exclude dangerous pages
-“Fuzzes” application input parameters
-Good for injection attacks
4. Manual Testing
-Controlled testing of dangerous pages
-Fuzzing with Intruder
-Good for permissions issues
  -Broken Access Control
  -Logic errors
-Verify automated findings
APPLICATION TESTING PHASES
5. Exploitation
-Attack found vulnerabilities
-Attempt to gain command execution
-Attempt to steal data
-Attempt to elevate privileges
6. Reporting
- Include HTTP requests and responses
REAL APPSEC VS CTF
-Real AppSec aims to find ALL vulnerabilities and misconfigurations
-CTF AppSec looks for specific information or code execution
-Enumeration is always key!
CTF APP TESTING PHASES
1. Recon
2. Analyze
3. Test
4. Exploit
5. Escalate
CTF WEB APP ADVICE - RECON
-Start a port scan with service enumeration
  -Know the nmap timing options: max-retries, min-parallelism, min-rate
  -Try to browse to ports 80 and 443, then try odd scan results
-Start dirb/gobuster
-Start nikto
-Start brute forcing authentication pages (not today)
-Start spidering
NMAP EXAMPLE
August 23, 2018
DIRB EXAMPLE
NIKTO EXAMPLE
NIKTO EXAMPLE
CTF WEB APP ADVICE – ANALYZE & TEST
-Check server responses for secrets
  -Session tokens, flags in comments, flags in headers
-If it is small and custom…
  -Use paramalyzer Burp plugin
  -Look for:
    -File references
    -Encoded/encrypted content
    -File uploads
-Check all response headers
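As an added example (not code from the talk), a small Python checker for the response leakage listed above: it parses one raw HTTP response and reports session cookies, non-standard headers, HTML comments and base64 blobs that decode to readable text. The sample response, the header allow-list and the base64 heuristic are my own assumptions; the same check is useful to a developer auditing their own app before shipping.

```python
import base64
import re
from typing import Dict, List, Tuple

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Assumed allow-list of routine headers; anything else is worth a look.
COMMON_HEADERS = {"content-type", "content-length", "date", "server",
                  "connection", "cache-control", "vary", "etag"}


def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 response into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("utf-8", "replace")


def decodes_to_text(blob: str) -> bool:
    """True if the blob is valid base64 whose bytes are all printable ASCII."""
    try:
        decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(decoded) and all(32 <= b < 127 for b in decoded)


def find_response_secrets(raw: bytes) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for one response."""
    _, headers, body = parse_response(raw)
    findings: List[Tuple[str, str]] = []
    for name, values in headers.items():
        for value in values:
            if name == "set-cookie":
                findings.append(("session-cookie", value.split(";", 1)[0]))
            elif name not in COMMON_HEADERS:
                findings.append(("custom-header", f"{name}: {value}"))
    findings += [("html-comment", c.strip()) for c in COMMENT_RE.findall(body)]
    findings += [("base64-text", b) for b in B64_RE.findall(body) if decodes_to_text(b)]
    return findings


# Constructed sample response (not captured from any real system).
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
          b"Set-Cookie: PHPSESSID=abc123; HttpOnly\r\nX-Flag-Hint: check the source\r\n"
          b"\r\n<html><!-- TODO remove: admin password is in /backup --><p>hi</p>"
          b"<span>ZmxhZ3t0ZXN0fQ==</span></html>")

if __name__ == "__main__":
    for kind, detail in find_response_secrets(SAMPLE):
        print(f"{kind:15} {detail}")
```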
CTF WEB APP ADVICE – ANALYZE & TEST
- If it is an off-the-shelf app…
-Check Metasploit
-Look online for more exploits
-Packetstorm
-Exploit-db
-Osvdb
-Default credentials
CTF WEB APP ADVICE – FILE REFERENCES
CTF WEB APP ADVICE – FILE REFERENCES
CTF WEB APP ADVICE – FILE UPLOADS
CTF WEB APP ADVICE – FILE UPLOADS
CTF WEB APP ADVICE – EXPLOIT
-Metasploit for COTS
-Rumkin for encoding
-Vulns that give command execution and arbitrary file read
  -Direct file references (insecure direct object reference)
  -File inclusion (remote/local file inclusion)
  -Command injection
  -SQLi (sqlmap, CO2 Burp plugin can help)
  -noSQL (look for [$eq] style parameters or try to add it)
-If there are bots, look for XSS
CTF WEB APP ADVICE – REMOTE FILE INCLUSION
CTF WEB APP ADVICE – WEBSHELLS
CTF WEB APP ADVICE – WEBSHELLS
RESOURCES
-www.vulnhub.com
-www.root-me.org
-https://www.owasp.org/images/1/19/OTGv4.pdf
SUMMARY
-Sometimes find known issues, less common
-AppSec finds new vulnerabilities
-Recon, Attack, Report
-Automation is key
www.directdefense.com