test & tea : itsec testing, manual vs automated
TRANSCRIPT
IT Security testing: manual vs. automated
Zoltan Balazs, CTO, MRG Effitas
2017
Whoami
• I'm NOT a CEH
• Creator of the Zombie Browser Toolkit: https://github.com/Z6543/ZombieBrowserPack
• Creator of the HWFW Bypass tool
  • Idea later() implemented by nation state attackers in Duqu 2.0: https://github.com/MRGEffitas/hwfwbypass
• Creator of the Malware Analysis Sandbox Tester tool: https://github.com/MRGEffitas/Sandbox_tester
• Played with crappy IoT devices: https://jumpespjump.blogspot.hu/2015/09/how-i-hacked-my-ip-camera-and-found.html
  https://jumpespjump.blogspot.hu/2015/08/how-to-secure-your-home-against.html
Introduction
There is a saying that every software and system will be tested from a security point of view; the question is whether the owner controls when this is done and who reads the report.
But the owner (or the users) will pay the price either way.
Automated testing
Good at scanning multiple pages and multiple parameters for the same issues.
Bad at finding logical bugs, authentication bypasses, …
This is still an issue which is not found by automated scanners by default. What do you do?
admin / admin
Automated scanners don't brute-force user logins by default.
This is still an issue which is not found by automated scanners. What do you do?
Automated scanners don't have a clue that they should try this parameter they have never seen before.
What is the problem here? Is this found by scanners?
login.php?username=admin&password[$ne]=asdfg
array('username' => 'admin', 'password' => array('$ne' => 'asdfg'))
Usually scanners don't know NoSQL. And if they know, they are usually not that smart.
ProTIP: instead of asdfg use a long, complex password so you can be sure this is not the correct password :)
Try this challenge here:
https://platform.avatao.com/challenges/28f5fca5-6a01-11e6-bdf4-0800200c9a66
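The slide shows the request and the PHP array it becomes, but not why that array logs you in. The following is an added example (not from the talk and not the avatao challenge's code): it re-implements the PHP-style bracket parsing of the query string, feeds the result into a tiny in-memory matcher that understands MongoDB's $ne operator, and shows the vulnerable lookup next to the hardened one that rejects any non-string credential before a query is built. The user records, the matcher and the function names are constructed for this example.

```javascript
// Added example (not from the talk): how "password[$ne]=asdfg" turns into a
// NoSQL operator, and the check that stops it.  No database is used; a small
// in-memory matcher stands in for the query engine.  All data is constructed.

// Parse a PHP/qs-style query string: "a=1&b[x]=2" -> { a: "1", b: { x: "2" } }
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? "" : pair.slice(eq + 1));
    // "b[x][y]" -> ["b", "x", "y"]
    const path = rawKey.replace(/\]/g, "").split("[");
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== "object" || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Minimal MongoDB-style matcher: plain values mean equality, an object with
// $ne means "field is not equal to".  Other operators are not modelled.
function matches(doc, cond) {
  return Object.entries(cond).every(([field, expected]) => {
    if (expected !== null && typeof expected === "object") {
      if ("$ne" in expected) return doc[field] !== expected.$ne;
      return false;
    }
    return doc[field] === expected;
  });
}

// Constructed user collection (plaintext passwords only to keep the example short).
const USERS = [
  { username: "admin", password: "s3cret-admin-pw" },
  { username: "alice", password: "hunter2" },
];

// Vulnerable login: the parsed parameters go straight into the query, the
// same shape as findOne({ username: ..., password: ... }).
function vulnerableLogin(qs) {
  const p = parseQuery(qs);
  return USERS.find((u) => matches(u, { username: p.username, password: p.password })) || null;
}

// Hardened login: both credentials must be strings, so an operator object
// built from the query string is rejected before any query is constructed.
function hardenedLogin(qs) {
  const p = parseQuery(qs);
  if (typeof p.username !== "string" || typeof p.password !== "string") return null;
  return USERS.find((u) => matches(u, { username: p.username, password: p.password })) || null;
}

const probe = "username=admin&password[$ne]=asdfg";
console.log(parseQuery(probe));                        // { username: 'admin', password: { '$ne': 'asdfg' } }
console.log((vulnerableLogin(probe) || {}).username);  // admin: matched without knowing the password
console.log(hardenedLogin(probe));                     // null
```

The type check is the whole fix: once `password` is guaranteed to be a string, `{ password: "asdfg" }` can only ever be an equality test. Note also why the slide's ProTIP matters: with `$ne`, the request succeeds for every user whose password is not the literal value supplied, so a throwaway value like `asdfg` that happens to be someone's real password would hide the finding.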
Automated scanners continued
Informational issue (not high / medium / low severity):
"An unknown service is running on TCP port 4444"
What do you do?
Automated scanners continued
Sample request: code.php?src=code.php&hl[0]=nice&hl[1]=text&mode=hl
Solution: bypass the whitelist by changing the order of the parameters:
php0816/code.php?hl[0]=nice&hl[1]=text&mode=hl&src=solution.php
Try it here:
http://www.wechall.net/challenge/php0816/index.php
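The slide gives the bypass but not the shape of code that makes parameter order matter. The following is an added example, not the wechall challenge's code: it constructs one plausible mechanism (a validator that walks parameters in order and stops once it has seen `mode=hl`, so a `src` placed after it is never checked) and puts the order-independent handler beside it. The allowlist, the early-exit rule and the function names are assumptions made for this illustration; the real challenge may be built differently.

```javascript
// Added example (not the wechall challenge's code): one way a whitelist check
// can depend on parameter order, next to the order-independent version.
// The allowlist and the handlers are constructed stand-ins.

const ALLOWED_SRC = ["code.php", "index.php"];

// Query string -> ordered list of [key, value] pairs; order is the whole point.
function toPairs(qs) {
  return qs.split("&").filter(Boolean).map((p) => {
    const eq = p.indexOf("=");
    if (eq < 0) return [decodeURIComponent(p), ""];
    return [decodeURIComponent(p.slice(0, eq)), decodeURIComponent(p.slice(eq + 1))];
  });
}

// Vulnerable handler (assumed mechanism): validates src when it sees it, but
// stops looking as soon as it reaches mode=hl, the last parameter it expects.
// A src that arrives after mode is never validated, yet the lookup below
// still uses it.
function vulnerableHandler(qs) {
  const pairs = toPairs(qs);
  for (const [k, v] of pairs) {
    if (k === "src" && !ALLOWED_SRC.includes(v)) return { status: 403, file: null };
    if (k === "mode" && v === "hl") break; // assumed early exit
  }
  const src = pairs.filter(([k]) => k === "src").map(([, v]) => v).pop() || "code.php";
  return { status: 200, file: src };
}

// Hardened handler: collect the parameters first, refuse ambiguous requests
// with more than one src, then validate the single value that will actually
// be used, regardless of where it appeared in the request.
function hardenedHandler(qs) {
  const srcs = toPairs(qs).filter(([k]) => k === "src").map(([, v]) => v);
  if (srcs.length > 1) return { status: 400, file: null };
  const src = srcs.length ? srcs[0] : "code.php";
  if (!ALLOWED_SRC.includes(src)) return { status: 403, file: null };
  return { status: 200, file: src };
}

const normal = "src=code.php&hl[0]=nice&hl[1]=text&mode=hl";
const reordered = "hl[0]=nice&hl[1]=text&mode=hl&src=solution.php";
console.log(vulnerableHandler(normal));    // { status: 200, file: 'code.php' }
console.log(vulnerableHandler(reordered)); // { status: 200, file: 'solution.php' }
console.log(hardenedHandler(reordered));   // { status: 403, file: null }
```

The defensive rule the example illustrates is general: validate the value the application will actually use, after the whole request has been parsed, and treat repeated keys as an error rather than letting "first wins" or "last wins" decide. A scanner that only mutates values in place, never their order or multiplicity, will not exercise this path, which is the slide's point.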
Conclusion
Use a good tool for boring, repetitive tasks.
And use your brain for creative hacks.
And always develop new tools for new problems.
Hack the planet
zoltan.balazs@mrg-effitas.com
https://hu.linkedin.com/in/zbalazs
Twitter – @zh4ck
www.slideshare.net/bz98
Check out avatao.com to practice issues like this.
Hackersuli meetup
Greetz to CrySySLab, SpamAndHex
JumpESPJump.blogspot.com