how to find zero day vulnerabilities

Posted on 15-Jul-2015


TRANSCRIPT

How to find Zero Day Vulnerabilities

Meet ...

Imran & Raghu

They work as ...

Web application security engineers

They train people in ...

They also contribute to...

Null Open Security Community

And to ...

Open Web Application Security Project

OK, let's start

Before we do that ...

The following presentation can cause severe exposure to high-octane gyan (knowledge) and could leave participants exhausted with wild ideas.

Also, you may end up in ...

With lots of ...

and

And of course, Knowledge ...

OK, let's begin

What is a Zero day?

Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop a counter to that threat.

Source: Wikipedia

Vulnerabilities in famous applications

Vulns in Drupal

Vulns in Wordpress

Vulns in Joomla

How is it generally done?

Source code Auditing

Fuzzing

Target: 0-day vulnerability

Methodology

Know your enemy

Set up the Attacking environment

Study the architecture

Source Code Auditing

Requirements

Lots and lots of patience

Attitude of

Notebook and Pen ;)

Source code Auditing

1. Analyze the entry points

2. Identify vulnerable functions

3. Analyze input validations

4. Cross-check the findings

The entry points

More ...

Few more ...

Exec call

RIPS output
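The audit steps above (entry points, vulnerable functions, input validation, cross-check) can be automated in the spirit of grep/RIPS. This is an added example, not code from the slides or from RIPS: a small single-file taint check for PHP that flags command-execution sinks reached by superglobal input without a sanitizer in between. The sample PHP and the sanitizer list are constructed for illustration.

```python
import re
from dataclasses import dataclass
# Constructed sample (not from the slides): mixes sanitized and unsanitized command sinks.
SAMPLE_PHP = """<?php
$host = $_GET['host'];
$count = (int) $_GET['count'];
$safe = escapeshellarg($host);
exec("ping -c " . $count . " " . $safe, $out);
system("ping -c 1 " . $host);
echo shell_exec("ls " . $_REQUEST['dir']);
passthru("uptime");
"""
SUPERGLOBALS = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")  # entry points
SINKS = ("exec", "system", "shell_exec", "passthru", "popen", "proc_open", "eval")
SANITIZERS = ("escapeshellarg", "escapeshellcmd", "intval", "(int)", "(float)", "basename")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\((.*)\)")
VAR_RE = re.compile(r"\$\w+")

@dataclass
class Finding:
    line: int
    sink: str
    source: str  # tainted variable or superglobal that reaches the sink

def is_sanitized(expr: str) -> bool:
    return any(s in expr for s in SANITIZERS)

def audit_php(src: str) -> list[Finding]:
    """Line-oriented, single-file taint check: superglobal -> variable -> sink."""
    tainted: set[str] = set()  # variables currently holding unsanitized user input
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        if (m := ASSIGN_RE.match(line)):
            var, rhs = m.groups()
            from_user = SUPERGLOBALS.search(rhs) or set(VAR_RE.findall(rhs)) & tainted
            if from_user and not is_sanitized(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from a clean or sanitized expression
        if (s := SINK_RE.search(line)):
            sink, args = s.groups()
            direct = SUPERGLOBALS.search(args)
            if direct and not is_sanitized(args):
                findings.append(Finding(no, sink, direct.group(0)))
            else:
                hit = next((v for v in VAR_RE.findall(args) if v in tainted), None)
                if hit:
                    findings.append(Finding(no, sink, hit))
    return findings
```

On the sample it reports only the `system()` and `shell_exec()` lines; the `exec()` call passes because its inputs went through `(int)` and `escapeshellarg()`, which is the cross-check step the slides describe.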

What is Fuzzing?

Fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.

What exactly is it?

1. There are no rules for fuzzing

2. There are no guarantees with fuzzing

Fuzzing Methods

1. Sending random data

2. Manual protocol mutation

3. Bruteforce testing

4. Automatic protocol generation testing

Fuzzing life cycle

1. To find bugs

2. To find a 0 day / write an exploit

3. Fuzzer death

Fuzzing process

1. Identify target

2. Identify inputs

3. Generate fuzz data

4. Execute fuzz data

5. Monitor for exceptions

6. Determine exploitability

Fuzzing Payloads

Find the entry points

1. SQL Injection

2. XSS

3. CSRF

4. Command Injection

5. Clickjacking with drag and drop

JBroFuzz

Tools for Source code auditing

The mighty grep

RIPS

RATS

Tools for Fuzzing

JBroFuzz

Burp Suite

WebScarab

Further Reading

[1]. OWASP Testing Guide

[2]. OWASP Development Guide

[3]. OWASP.org

So you know now ...

* what is a zero day?

* what is the methodology used?

* Information gathering of the application or product

* Discovered or previous vulnerabilities of product

* Study the architecture of product

* Identify the input points

* Source code review

* Source code review (one demo) demo of RIPS and grep

* Fuzzing

* Fuzzing (one demo) demo of JBroFuzz

* Tools used for code review and Fuzzing

Questions?

हकैर हकै्या ? हकैर

Thanks

imran.mohammed@owasp.org

raghunath24@gmail.com
