Posted 24-Jul-2020

TRANSCRIPT

Page 1

BE INFORMED. BE STRATEGIC. BE SECURE.

Bare-bones AppSec Testing

Stephen Deck, GSE, OSCE, CISSP

@ranger_cha

Page 2

OBJECTIVE

- What is AppSec?
- Web app testing methodology
- CTF web app advice

Page 3

APPSEC AS A DISCIPLINE

- Application Security
- AppSec finds new vulnerabilities in a single application
- Sometimes finds known config issues or vulnerable components
- Different from pentesting
- Pentesting finds known vulns across many systems

Page 4

WEB APP TESTING METHODOLOGY OVERVIEW

- Use OWASP Testing Guide v4
- Detailed steps for testing apps
- Way more than OWASP Top 10
- Still need to apply some to all inputs
- https://www.owasp.org/images/1/19/OTGv4.pdf

Page 5

APPLICATION TESTING PHASES

1. Customer Information
2. Reconnaissance
3. Automated Testing
4. Manual Testing
5. Exploitation
6. Reporting

Page 6

APPLICATION TESTING PHASES

1. Customer Information
   - Find “dangerous pages”
     - Contact forms, registration, email, etc.
   - In scope systems
   - Presence of APIs
2. Reconnaissance
   - Find dangerous pages on your own
   - Verify scope of systems
   - Brute-force content

Page 7

APPLICATION TESTING PHASES

3. Automated Testing
   - Exclude dangerous pages
   - “Fuzzes” application input parameters
   - Good for injection attacks
4. Manual Testing
   - Controlled testing of dangerous pages
   - Fuzzing with Intruder
   - Good for permissions issues
     - Broken Access Control
     - Logic errors
   - Verify automated findings

Page 8

APPLICATION TESTING PHASES

5. Exploitation
   - Attack found vulnerabilities
   - Attempt to gain command execution
   - Attempt to steal data
   - Attempt to elevate privileges
6. Reporting
   - Include HTTP requests and responses

Page 9

REAL APPSEC VS CTF

- Real AppSec aims to find ALL vulnerabilities and misconfigurations
- CTF AppSec looks for specific information or code execution
- Enumeration is always key!

Page 10

CTF APP TESTING PHASES

1. Recon
2. Analyze
3. Test
4. Exploit
5. Escalate

Page 11

CTF WEB APP ADVICE - RECON

- Start a port scan with service enumeration
  - Know the nmap timing options
    - max-retries, min-parallelism, min-rate
  - Try to browse to ports 80 and 443, then try odd scan results
- Start dirb/gobuster
- Start nikto
- Start brute forcing authentication pages (not today)
- Start spidering

Page 12

NMAP EXAMPLE

August 23, 2018

Page 13

DIRB EXAMPLE

Page 14

NIKTO EXAMPLE

Page 15

NIKTO EXAMPLE

Page 16

CTF WEB APP ADVICE – ANALYZE & TEST

- Check server responses for secrets
  - Session tokens, flags in comments, flags in headers
- If it is small and custom…
  - Use paramalyzer Burp plugin
  - Look for
    - File references
    - Encoded/encrypted content
    - File uploads
- Check all response headers

Page 17

CTF WEB APP ADVICE – ANALYZE & TEST

- If it is an off-the-shelf app…
  - Check Metasploit
  - Look online for more exploits
    - Packetstorm
    - Exploit-db
    - Osvdb
  - Default credentials

Page 18

CTF WEB APP ADVICE – FILE REFERENCES

Page 19

CTF WEB APP ADVICE – FILE REFERENCES

Page 20

CTF WEB APP ADVICE – FILE UPLOADS

Page 21

CTF WEB APP ADVICE – FILE UPLOADS

Page 22

CTF WEB APP ADVICE – EXPLOIT

- Metasploit for COTS
- Rumkin for encoding
- Vulns that give command execution and arbitrary file read
  - Direct file references (insecure direct object reference)
  - File inclusion (remote/local file inclusion)
  - Command injection
  - SQLi (sqlmap, CO2 Burp plugin can help)
  - noSQL (look for [$eq] style parameters or try to add it)
- If there are bots, look for XSS
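The noSQL bullet above refers to bracket-style parameters such as `password[$eq]=...`, which some query-string parsers turn into nested operator objects. The following is an added example, not code from the deck or from any library: a small parser that reproduces that nesting behaviour (an assumption for illustration), a defender-side walk that reports `$`-prefixed keys in parsed input, and a `safe_login_filter` function (this example's own name) that accepts plain strings only.

```python
import re
from urllib.parse import parse_qsl


def parse_bracket_qs(qs: str) -> dict:
    """Parse 'a[b]=1&c=2' into {'a': {'b': '1'}, 'c': '2'}.

    Mimics the nested-parameter behaviour of qs-style parsers (an assumption
    for this example; real parsers differ in details such as depth limits).
    """
    result: dict = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        parts = [key.split("[", 1)[0]] + re.findall(r"\[([^\]]*)\]", key)
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return result


def find_operator_keys(obj, path: str = "") -> list:
    """Return dotted paths of every '$'-prefixed key in a parsed parameter tree.

    A '$' key inside user-supplied input is the tell-tale of a query operator
    that the application never intended to accept.
    """
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key.startswith("$"):
                hits.append(child)
            hits.extend(find_operator_keys(value, child))
    return hits


def safe_login_filter(params: dict) -> dict:
    """Build a document-store filter from plain strings only.

    Rejecting non-string values (dicts, lists) before they reach the query
    layer keeps operator objects from changing the query's meaning.
    """
    user, password = params.get("username"), params.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        raise ValueError("username and password must be plain strings")
    return {"username": user, "password": password}


# Constructed sample: a login request carrying a bracket-style operator key.
SAMPLE_QS = "username=admin&password[$eq]=guess"
```

Running `find_operator_keys(parse_bracket_qs(SAMPLE_QS))` reports `password.$eq`, and `safe_login_filter` refuses the same input because the password arrived as an object rather than a string.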

Page 23

CTF WEB APP ADVICE – REMOTE FILE INCLUSION

Page 24

CTF WEB APP ADVICE – WEBSHELLS

Page 25

CTF WEB APP ADVICE – WEBSHELLS

Page 26

RESOURCES

- www.vulnhub.com
- www.root-me.org
- https://www.owasp.org/images/1/19/OTGv4.pdf

Page 27

SUMMARY

- Sometimes find known issues, less common
- AppSec finds new vulnerabilities
- Recon, Attack, Report
- Automation is key

Page 28

www.directdefense.com