web application pentesting mit opensource werkzeugen
play

Web Application Pentesting mit OpenSource-Werkzeugen Christian - PowerPoint PPT Presentation

Mar 10, 2023 •219 likes •1.17k views

Frankfurter Entwicklertag 2017 Web Application Pentesting mit OpenSource-Werkzeugen Christian Schneider | @cschneider4711 CHRISTIAN SCHNEIDER Christian Schneider @cschneider4711 Developer, Whitehat Hacker & Trainer Focus on Java

  1. Frankfurter Entwicklertag 2017 Web Application Pentesting 
 mit OpenSource-Werkzeugen Christian Schneider | @cschneider4711 CHRISTIAN SCHNEIDER

  2. Christian Schneider — @cschneider4711 Developer, Whitehat Hacker & Trainer Focus on Java & Web Security Penetration Tests Security Reviews Security Architecture Consulting Security Training CHRISTIAN SCHNEIDER www.Christian-Schneider.net

  3. Quick Poll Working in Development? Working in Operations? Working in Security? Ever used Pentesting Tools? CHRISTIAN SCHNEIDER

  4. What’s in this talk? Tools for Fingerprinting Tools for Web Application Pentesting Tools for Operating System Checks Disclaimer: 
 Only use the presented tools and techniques on targets where you have explicit permission to pentest! CHRISTIAN SCHNEIDER

  5. What’s in this talk? Tools for Fingerprinting Tools for Web Application Pentesting Tools for Operating System Checks Disclaimer: 
 Only use the presented tools and techniques on targets where you have explicit permission to pentest! CHRISTIAN SCHNEIDER

  6. FINGERPRINTING Finding low-hanging fruits of your target… CHRISTIAN CHRISTIAN SCHNEIDER SCHNEIDER

  7. Basic Webserver Fingerprinting nikto https://cirt.net/Nikto2 CHRISTIAN SCHNEIDER

  8. Nikto: Web Server Fingerprinting & Scanning • Commandline script (Perl) • Scans webserver for thousands of potentially dangerous files Checks for outdated versions and version-specific problems • • Update rules before scan: • ./nikto -update • Output formats of results: TXT, CSV, HTML, XML CHRISTIAN SCHNEIDER

  9. Simple webserver scan: ./nikto -h example.com + Server: Apache/2.2.9 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color + The anti-clickjacking X-Frame-Options header is not present . + OpenSSL/0.9.8l appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current. + mod_ssl/2.2.14 appears to be outdated (current is at least 2.8.31) (may depend on server version) + Apache/2.2.9 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current. + /manager/status: Default Tomcat Server Status interface found + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources. CHRISTIAN SCHNEIDER

  10. Simple webserver scan: ./nikto -h example.com + Server: Apache/2.2.9 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color + The anti-clickjacking X-Frame-Options header is not present . + OpenSSL/0.9.8l appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current. + mod_ssl/2.2.14 appears to be outdated (current is at least 2.8.31) (may depend on server version) + Apache/2.2.9 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current. + /manager/status: Default Tomcat Server Status interface found + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources. CHRISTIAN SCHNEIDER

  11. SSL / TLS scanning testssl.sh https://testssl.sh CHRISTIAN SCHNEIDER

  12. Checking HTTPS config: ./testssl.sh example.com --> Testing ~standard cipher lists Null Ciphers not o ff ered (OK) Anonymous NULL Ciphers not o ff ered (OK) Anonymous DH Ciphers not o ff ered (OK) 40 Bit encryption not o ff ered (OK) 56 Bit encryption not o ff ered (OK) Export Ciphers (general) not o ff ered (OK) Low (<=64 Bit) not o ff ered (OK) DES Ciphers not o ff ered (OK) Medium grade encryption o ff ered (NOT ok) Triple DES Ciphers not o ff ered (OK) High grade encryption o ff ered (OK) CHRISTIAN SCHNEIDER

  13. Direct scans for SSL / TLS vulnerabilities --> Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK) (timed out) CCS (CVE-2014-0224) not vulnerable (OK) Secure Renegotiation (CVE-2009-3555) not vulnerable (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) NOT ok: uses gzip HTTP compression POODLE, SSL (CVE-2014-3566) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention supported (OK) FREAK (CVE-2015-0204) not vulnerable (OK) LOGJAM (CVE-2015-4000), experimental not vulnerable (OK) BEAST (CVE-2011-3389) no CBC ciphers for TLS1 (OK) RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): RC4-SHA RC4-MD5 CHRISTIAN SCHNEIDER

  14. OWASP O-Saft as alternative Great commandline tool for testing SSL/TLS certificates also of different protocols than HTTP like SMTP , POP3, IMAP , LDAP , RDP , XMPP , … https://www.owasp.org/index.php/O-Saft CHRISTIAN SCHNEIDER

  15. WEB APPLICATION PENTESTING Attacking on the web layer… CHRISTIAN CHRISTIAN SCHNEIDER SCHNEIDER

  16. Web Application Scanning OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project CHRISTIAN SCHNEIDER

  17. ZAP is the Pentester’s IDE • Passive Scanning (Proxy / Spider) • Active Scanning (Proxy / Spider) • Intercepting Proxy (HTTP & HTTPS) • Spider (classic & AJAX) • Fuzzing • Extensible via Plugins • Highly scriptable • Headless mode & REST-API available CHRISTIAN SCHNEIDER

  18. ZAP is the Pentester’s IDE Sitemap Tree Request / Response History, Scan Results, Running Scans, Active Sessions, etc. CHRISTIAN SCHNEIDER

  19. ZAP Quick-Start Mode "Quick-Start Mode" - useful for public parts only (i.e. no login) • • Just enter URL and let ZAP actively crawl and attack the website (permission required of course) CHRISTIAN SCHNEIDER

  20. First findings are appearing… CHRISTIAN SCHNEIDER

  21. This only attacks the public parts … How can we let ZAP spider inside the authenticated parts of the web application? CHRISTIAN SCHNEIDER

  22. Spidering within the authenticated parts… • Multiple ways exist to let ZAP spider the authenticated parts: • Configure authentication within ZAP 
 —> works for standard login dialog submits • Individually script authentication within ZAP 
 —> flexible (and sometimes complex) scripted in JavaScript 
 —> can be recorded as Zest-Script • Manually guide ZAP (via browser) through the login 
 —> easiest approach 
 —> works with any login style 
 —> plus has a benefit we need later on… CHRISTIAN SCHNEIDER

  23. Spidering within the authenticated parts… • Multiple ways exist to let ZAP spider the authenticated parts: • Configure authentication within ZAP 
 —> works for standard login dialog submits • Individually script authentication within ZAP 
 —> flexible (and sometimes complex) scripted in JavaScript 
 —> can be recorded as Zest-Script • Manually guide ZAP (via browser) through the login 
 —> easiest approach 
 —> works with any login style 
 —> plus has a benefit we need later on… CHRISTIAN SCHNEIDER

  24. Proxy your browser of choice through ZAP 1. Configure a local proxy port in ZAP & adjust your browser’s proxy settings 2. Access the application as usually with your browser: perform a login & logout CHRISTIAN SCHNEIDER

  25. Define the " Context " of the application to spider • Defines the outer boundaries of where ZAP can do it’s "evil" work… CHRISTIAN SCHNEIDER

  26. Exclude the " Logout URL " from spider (and scanner) • Login & Logout via browser in target application to let ZAP see the logout request CHRISTIAN SCHNEIDER

  27. … and delete the logout node to not spider from it CHRISTIAN SCHNEIDER

  28. Ensure you have a valid web session "logged-in" • Ensure browser (proxying through ZAP) is logged in & session ID is noticed by ZAP and marked as active CHRISTIAN SCHNEIDER

  29. … now let ZAP spider (includes a passive scan) CHRISTIAN SCHNEIDER

  30. Spider Log shows requests & exclusions … CHRISTIAN SCHNEIDER

  31. Sitemap tree gets filled from spidering … CHRISTIAN SCHNEIDER

  32. 
 Still we miss some parts within 
 the web application sitemap… How can we get scanner coverage 
 for JavaScript-heavy web applications? 
 What about forms where valid business 
 data needs to be submitted? CHRISTIAN SCHNEIDER

  33. Enrich ZAP’s sitemap by manual surfing to the white spots Login with browser to manually surf within the authenticated parts • • If you have UI test automation: Reuse it via proxy to get more coverage passive & active scanning of proxied traffic by ZAP Service-Tests (REST, SOAP) OWASP ZAP UI-Tests Application Server (Selenium, etc.) Web Browser Manual CHRISTIAN SCHNEIDER Surfing

  34. Pro-Tip: Persist recorded 
 ZAP session for later reuse • Don’t forget to persist ZAP session 
 file of collected requests • Reuse in future scans • Only needs to be extended when 
 new UI dialogs are implemented CHRISTIAN SCHNEIDER

  35. Now that we’ve got coverage, 
 let’s start the active attacks … During active scans ZAP sends multiple payload variants per request parameter and checks responses for evidence… CHRISTIAN SCHNEIDER

  36. Again ensure you have a valid logged-in web session in ZAP • ZAP needs to know which observed session-id it should use 
 for the attacks… CHRISTIAN SCHNEIDER

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OpenStack: The OpenSource Clouds Application in High Energy Physics That Titles Overstated

OpenStack: The OpenSource Clouds Application in High Energy Physics That Titles Overstated

OpenStack: The OpenSource Clouds Application in High Energy Physics That Titles Overstated OpenStack: The OpenSource Clouds Potential Application in Data Intensive Research That Titles Overstated OpenStack: The OpenSource

461 views • 33 slides
Hacking Lucene for Custom Search Results Doug Turnbull OpenSource Connections OpenSource

Hacking Lucene for Custom Search Results Doug Turnbull OpenSource Connections OpenSource

Hacking Lucene for Custom Search Results Doug Turnbull OpenSource Connections OpenSource Connections Hello Me @softwaredoug dturnbull@o19s.com Us http://o19s.com - Trusted Advisors in Search, Discovery &amp; Analytics OpenSource

479 views • 44 slides
S t e p h e n K i n g ' s P r a c t i c a l A d v i c e f o r T e

S t e p h e n K i n g ' s P r a c t i c a l A d v i c e f o r T e

S t e p h e n K i n g ' s P r a c t i c a l A d v i c e f o r T e c h Wr i t e r s Rikki Endsley @ rikki opensource.com : @ Twitter rikkiends opensource.com/stephen-king What, Why, Who, How What

366 views • 26 slides
Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years This talk is based on private research Before that experience as windows/linux/network admin, a little as web developer and so on...

1.06k views • 49 slides
Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com &lt;http://www.cymru.com&gt; Penetration Testing Agenda Pentesting Basics Pentesting Defined Vulnerability Scanning vs. Penetration testing Pentesting

879 views • 83 slides
goes to Zabbix : true opensource monitoring solution Zabbix : true opensource monitoring

goes to Zabbix : true opensource monitoring solution Zabbix : true opensource monitoring

goes to Zabbix : true opensource monitoring solution Zabbix : true opensource monitoring solution Open Core Zabbix : true opensource monitoring solution Open FAKE Core Zabbix &lt;-&gt; KDE Zabbix team members use KDE Zabbix

361 views • 14 slides
Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me

Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me

Virtually Pwned Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me Claudio Criscione The need for security Breaking virtualization means hacking the underlying layer accessing systems

781 views • 46 slides
Blender What is Blender exactly? Blender is OpenSource 3D package This means that it

Blender What is Blender exactly? Blender is OpenSource 3D package This means that it

Blender What is Blender exactly? Blender is OpenSource 3D package This means that it provides full pipeline for 3D production Modelling Rendering Animation Postproduction Blender is intended for expert user, somewhat

550 views • 18 slides
Pentesting iPhone &amp; iPad Apps Hack In Paris 2011 June 17 Who are we? Flora Bottaccio

Pentesting iPhone &amp; iPad Apps Hack In Paris 2011 June 17 Who are we? Flora Bottaccio

Pentesting iPhone &amp; iPad Apps Hack In Paris 2011 June 17 Who are we? Flora Bottaccio Security Analyst at ADVTOOLS Sebastien Andrivet Director, co-founder of ADVTOOLS ADVTOOLS Swiss company founded in 2002 in Geneva

727 views • 39 slides
TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING

TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING

TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING This talk IS NOT about Android platform itself This talk IS about how we want to contribute auditing apps that run on Android systems With

975 views • 74 slides
Are we there Yet?? (The long journey of Migrating from close source to opensource solution)

Are we there Yet?? (The long journey of Migrating from close source to opensource solution)

Are we there Yet?? (The long journey of Migrating from close source to opensource solution) Marco (the Grinch) Tusa Percona About me Open source enthusiast Consulting team manager Principal Architect Working in DB world from 25

819 views • 55 slides
Feedbacks on 10y of pentesting and DFIR How to increase your detection capabilities Julien

Feedbacks on 10y of pentesting and DFIR How to increase your detection capabilities Julien

Feedbacks on 10y of pentesting and DFIR How to increase your detection capabilities Julien Bachmann @milkmix_ 24 April 2017 OWASP, Geneva INTRO 1 24/04/2017 OWASP, Geneva ABOUT ME 3 Julien Bachmann Current CTO @ Hacknowledge Swiss

677 views • 40 slides
OPENSOURCE MEETS ENTERPRISE HOW DRUPAL AND SAP HYBRIS CAN TEAM UP Digital Transformation +

OPENSOURCE MEETS ENTERPRISE HOW DRUPAL AND SAP HYBRIS CAN TEAM UP Digital Transformation +

OPENSOURCE MEETS ENTERPRISE HOW DRUPAL AND SAP HYBRIS CAN TEAM UP Digital Transformation + Enterprise TRACK SUPPORTED BY 17/3/2018 Jan Pilarzeck Managing Partner at trio-group Entrepreneur &amp; Consultant, former developer Married, 2 kids

599 views • 46 slides
Modelling of chemical batch reactor for the course CFD with OpenSource Software Rajukiran Antham

Modelling of chemical batch reactor for the course CFD with OpenSource Software Rajukiran Antham

Contents Introduction Geometry cfMesh Modelling of rotation Implementaion of scalar transport equation Tutorial Modelling of chemical batch reactor for the course CFD with OpenSource Software Rajukiran Antham Applied Mechanics/Fluid

332 views • 16 slides
Combination of MRFsimpleFoam and conjugateHeatFoam CFD with OpenSource Software Hamed Jamshidi

Combination of MRFsimpleFoam and conjugateHeatFoam CFD with OpenSource Software Hamed Jamshidi

conjugateHeatFoam MRFSimpleFoam MRFconjugateHeatFoam Case Setup Case Run Combination of MRFsimpleFoam and conjugateHeatFoam CFD with OpenSource Software Hamed Jamshidi Fluid Dynamics Devision, Applied Mechanics Department, Chalmers

690 views • 48 slides
Toward an OpenSource Founda1on Ontology Represen1ng the Longmans Defining Vocabulary: The

Toward an OpenSource Founda1on Ontology Represen1ng the Longmans Defining Vocabulary: The

Toward an OpenSource Founda1on Ontology Represen1ng the Longmans Defining Vocabulary: The COSMO Ontology OWL Version Patrick Cassidy MICRA, Inc., Plainfield, NJ cassidy@micra.com Presented at OIC2008, Fairfax Virginia December 4, 2008

628 views • 43 slides
Sequencing of Targeted Therapies Susan OBrien, MD UC Irvine Health Outcomes of CLL Patients

Sequencing of Targeted Therapies Susan OBrien, MD UC Irvine Health Outcomes of CLL Patients

Sequencing of Targeted Therapies Susan OBrien, MD UC Irvine Health Outcomes of CLL Patients Treated With Sequential Kinase Inhibitor Therapy: A Real World Experience Mato AR, Nabhan C, Barr PM, Ujjani CS, Hill BT, Lamanna N, Skarbnik AP,

795 views • 31 slides
Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Pratical case and Data State of the art Differential Analysis method based on CCHAC Conclusion Hi-C Differential Analysis: A new method using tree representation based on Contiguity Constrained Hierarchical Agglomerative Clustering (CCHAC)

644 views • 28 slides
Solving the Multi-Commodity Flow Problem using a Multi-Objective Genetic Algorithm Noel Farrugia,

Solving the Multi-Commodity Flow Problem using a Multi-Objective Genetic Algorithm Noel Farrugia,

Solving the Multi-Commodity Flow Problem using a Multi-Objective Genetic Algorithm Noel Farrugia, Johann A. Briffa, Victor Buttigieg Department of Communications and Computer Engineering University Of Malta Introduction Compared to 2015,

485 views • 21 slides
Local Search &amp; Optimization CE417: Introduction to Artificial Intelligence Sharif University

Local Search &amp; Optimization CE417: Introduction to Artificial Intelligence Sharif University

Local Search &amp; Optimization CE417: Introduction to Artificial Intelligence Sharif University of Technology Spring 2018 Soleymani Artificial Intelligence: A Modern Approach , 3 rd Edition, Chapter 4 Some slides have been adopted from

782 views • 48 slides
Statistical Zaps and New Oblivious Transfer Protocols Vipul Goyal Abhishek Jain Zhengzhong Jin

Statistical Zaps and New Oblivious Transfer Protocols Vipul Goyal Abhishek Jain Zhengzhong Jin

1 Statistical Zaps and New Oblivious Transfer Protocols Vipul Goyal Abhishek Jain Zhengzhong Jin Giulio Malavolta Carnegie Mellon University Carnegie Mellon Johns Hopkins Johns Hopkins University of California, University University

1.66k views • 128 slides
thin clients: thin clients: back to the future back to the future &lt;Jason Nieh&gt;

thin clients: thin clients: back to the future back to the future &lt;Jason Nieh&gt;

thin clients: thin clients: back to the future back to the future &lt;Jason Nieh&gt; nieh@cs.columbia.edu &lt;Jason Nieh&gt; nieh@cs.columbia.edu Computers in the future may weigh no more than 1.5 tons. a Popular Mechanics editorial

837 views • 82 slides
Th The e Bo Boom omeran erang g EF EFFEC FECT Using Session Puzzling to Attack Apps from

Th The e Bo Boom omeran erang g EF EFFEC FECT Using Session Puzzling to Attack Apps from

Th The e Bo Boom omeran erang g EF EFFEC FECT Using Session Puzzling to Attack Apps from the Backend Shay Chen, CTO @sectooladdict Hacktics ASC, Ernst &amp; Young November 22 nd , 2013 About Formerly a boutique company that

714 views • 67 slides
Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based access control Propagated access control lists May 31, 2005 ECS 235, Computer and Information Slide #1 Security Access Control Lists Columns

1.24k views • 80 slides

More recommend