![Page 1: OWASP AppSec Research 2013, 20.-23.08.2012, Hamburg ... · OWTF Report = Chess-like Analysis You need to understand this to use the OWTF report efficiently ☺ From Alexander Kotov-"Think](https://reader033.vdocuments.net/reader033/viewer/2022051602/5b0dc2247f8b9a685a8ea32d/html5/thumbnails/1.jpg)
The OWASP Foundation http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP AppSec EU, August 20-23, 2013, Hamburg
OWASP OWTF: Summer Storm
Abraham Aranguren
OWASP OWTF Project Leader, @7a_ @owtfp
Agenda
• GSoC Overview
• What is OWASP OWTF?
• Status update on OWTF GSoC projects
• OWTF Reporting
• OWTF Multiprocessing
• OWTF MiTM Proxy
• OWTF Testing Framework
• OWASP Testing Guide with OWTF
• Conclusion
Google Summer of Code (GSoC) Overview
GSoC Stats + Outcome
• OWASP got 11 slots from Google
• OWASP received 84 proposals
• 73 students (87%) could not be selected.
• Final slot breakdown:
  • 4 - OWASP ZAP
  • 4 - OWASP OWTF
  • 1 - OWASP Hackademic
  • 1 - OWASP ModSecurity
  • 1 - OWASP PHP Security Project
http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html
OWTF GSoC Overview
• 14 students showed interest (email)
• 11 (79%) students submitted a proposal
• 14 proposals were submitted (16% of 84)
• 5 OWTF proposals ended in the top 11
• 1 student was lost in the de-duplication process (accepted by another org)
• 4 OWTF proposals were finally selected (36% of 11)
http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html
Why submit for OWTF?
OWTF GSoC student poll summary:
• “It’s python”
• “I like this project”
• “It’s a project I can do with my skills”
• “OWTF is the best project to learn about other tools/security”
• “Other mentors/org didn’t reply” (!)
• “Quick feedback/encouragement/advice”
http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html
Selected OWTF Proposals
• Reporting: Assem Chelli
• Multiprocessing: Ankush Jindal
• MiTM Proxy: Bharadwaj Machiraju
• Testing Framework: Alessandro Fanio González
http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html
Dedicated OWTF mentors
Without them 3 OWTF students would have been lost (GSoC rule: 1 dedicated mentor per student):
Andrés Morales, Andrés Riancho, Azeddine Islam Mennouchi, Gareth Heyes, Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Krzysztof Kotowicz, Martin Johns
THANK YOU for stepping up!
Questions?
What is OWASP OWTF?
aka The Offensive (Web) Testing Framework
OWTF = Test/Exploit ASAP
OWTF’s Chess-like approach
Kasparov against Deep Blue - http://www.robotikka.com
OWTF Plugin Groups (-g)
• web: Try to cover the OWASP Testing Guide
  owtf.py http://demo.testfire.net (-g web: optional): web only
  owtf.py -l web: List web plugins
• net: Somewhat like nmap scripts
  owtf.py demo.testfire.net (-g net: optional): portscan + probe
  NOTE: if a web service is found, web plugins will also run
  owtf.py -l net: List net plugins
• aux: Somewhat like msfcli in metasploit
  owtf.py -f -o Targeted_Phishing SMTP_HOST=mail.pwnlabs.es SMTP_PORT=25 SMTP_LOGIN=victim SMTP_PASS=victim [email protected] EMAIL_PRIORITY=no EMAIL_SUBJECT='Test subject' EMAIL_BODY='test_body.txt' EMAIL_TARGET='[email protected]': Phishing via SET
  owtf.py -l aux: List aux plugins
Web Plugin Types (-t)
At least 50% (32 out of 64) of the tests in the OWASP Testing Guide can be legally* performed to some degree without permission
* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!
OWTF Report = Chess-like Analysis
You need to understand this to use the OWTF report efficiently ☺
From Alexander Kotov - "Think like a Grandmaster":
1) Draw up a list of candidate moves (3-4)
2) Analyse each variation only once (!)
3) After step 1 and 2 make a move
The OWTF report equivalent:
1) 1st Sweep (!deep): Draw up a list of candidate paths of attack = rank what matters
2) 2nd Sweep (deep): Analyse [tool output + other info] once and only once
3) After 1) and 2) exploit the best path of attack
Ever analysed X in depth to only see “super-Y” later?
Demo 1: Admin interface
Watch it: http://www.youtube.com/watch?v=z0n5dYa0WR4
Pre-Engagement (no permission to test): preparation
1) Run passive plugins (legit + no traffic to target): Sitefinity CMS found
2) Identify best path of attack:
  • Sitefinity default admin password
  • Public Sitefinity shell upload exploits
Engagement (permission to test): exploitation
Try best path of attack first
Demo 1: Outcome
1 minute after getting permission
Demo 1: Outcome
5 minutes after getting permission
Demo 2: Crossdomain
Watch it: http://www.youtube.com/watch?v=ni3Htb4Ya-U
Attack preparation (pre-engagement safe): preparation
1) Run semi-passive plugins (legit): misconfigured crossdomain, fingerprint WordPress version
2) Identify best path of attack: crossdomain + phishing + wordpress plugin upload + meterpreter
3) Replicate customer environment in lab
4) Prep attack: Adapt public payloads to target
5) Test in lab
Launching the attack: exploitation
1) Tested attack works flawlessly on the first shot
2) Pivot
3) Show impact
OWTF Financials: Ideas plz ☺
Funding granted so far (THANK YOU Brucon + Google!):
• €5,000 – Brucon 5x5: http://blog.brucon.org/2013/02/the-5by5-race-is-on.html
• $2,000 – GSoC ($500 x student)
What should we do with that money?
Questions?
Status update on OWTF GSoC Projects
OWTF Reporting
by Assem Chelli
Dedicated Mentor: Gareth Heyes (@garethheyes)
Co-mentors: Azeddine Islam Mennouchi, Hani Benhabiles, Johanna Curiel, Abraham Aranguren
Reporting Agenda
• Old report limitations
• Reporting goals
• Pre-implementation research
• Prototype voting/feedback
• Upcoming features
Old Report != Sexy
● Online sample: http://goo.gl/iZshVJ
Old report limitations
• Complicated + hard to understand
• Poor loading time of “big” reports (i.e. 30+ websites)
• Not cross-browser compatible (Firefox only)
• Inability to suit various screen sizes
• Not visually appealing :(
• Direct HTML generation from python code
Reporting Goals
• UI simplification + intuitiveness
• Better load time + responsiveness
• Cross-browser compatibility
• Improved screen size support (i.e. mobile users, etc)
• Improve visual appeal with community backing
• Build a skin system: users can choose/create skins
• Move HTML into template files: !python = designer-friendly = more people can help us
• Optimise click flow + mouse movement
Pre-implementation research
Twitter Bootstrap gives us:
• Browser compatibility
• Pre-configured layouts
• Pre-defined styles
• Icon sets
• jQuery plugin integration
• Responsiveness + Simplicity
Pre-implementation research
Jinja2 gives us:
• A python templating engine
• Python-like expressions
• Templates evaluated in a sandbox
Prototype Voting/Feedback
Demo 3: Online Survey Results
https://docs.google.com/file/d/0B5P-99g5h0-6Znd5ajZKbVJqbU0
Want to vote? ☺ Shortcut: http://7-a.org + search “voting”
Survey: https://docs.google.com/forms/d/1w613Y-rwPMw454k2oAd2MuOle8zDg6YNejaMLg29CUQ/viewform
Demo 4: Voted Prototype
Play with it! http://assem-ch.github.io/owtf-report-prototypes/Prototypes/BS_default_white_default/index.html
Upcoming Features (WIP)
● Implement skin system
● Implement chosen prototype
● Extraction of CSS/HTML into templates
● Sub-report loading via AJAX
● Default plugin vulnerability rankings
Questions?
OWTF Multiprocessing
by Ankush Jindal
Dedicated Mentor: Andrés Riancho (@w3af)
Co-mentor: Abraham Aranguren
Multiprocessing Agenda
● Multiprocessing goals
● Pre-implementation research
● Development challenges
● Net plugins demo
● Upcoming features
Multiprocessing Goals
● Reduce scanning time
● Port of OSCP scripts into OWTF net plugins
● Scan multiple targets in parallel
● Rational usage of disk/RAM/CPU
● Stability + Reliability = !crash
● Identify + parallelise bottleneck components: plugin execution, reporting
Pre-Implementation Research
● Tested candidate libraries (library: shared memory?):
  Multiprocessing: No
  Threading: Yes
  gevent (distributed): Yes
● Results:
  1. Shared memory led to incorrect results in legacy code
  2. Multiprocessing performed better or approx. the same
  3. Threading = GIL FUD on multiple-core machines ☺
● Conclusion: Multiprocessing for plugins, Threading for smaller tasks
Challenges during development
● OWTF resets config on the fly via “SwitchToTarget”:
  Solved via memory separation in multiprocessing (Process 1: Config = Target 1; Process 2: Config = Target 2)
● Concurrent DB queries + no shared memory + File DB:
  Solved via dedicated DB process + messaging system + file locks for integrity
  (Processes perform DB reads+writes via messages)
● Implemented ncurses interface to stop OWTF
● Debugging unusual behaviour on concurrent processes ☺
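The two fixes on this slide (per-process config, and a single DB process that every plugin process talks to via messages, with a file lock on the DB file itself) as an added, runnable example. This is not OWTF's code: the JSON file stands in for OWTF's file DB, and the message shapes, function names and the "findings" written per target are my own constructions.

```python
import fcntl
import json
import multiprocessing
import os
import tempfile


def locked_update(db_path, mutate):
    """Apply mutate(data) to the JSON file at db_path under an exclusive
    advisory lock, so another process touching the same file cannot
    interleave a partial write with ours ("file locks for integrity")."""
    with open(db_path, "a+") as fh:          # a+ creates the file if missing
        fcntl.flock(fh, fcntl.LOCK_EX)
        try:
            fh.seek(0)
            raw = fh.read()
            data = json.loads(raw) if raw else {}
            result = mutate(data)
            fh.seek(0)
            fh.truncate()                    # append mode: writes land at the new end (0)
            fh.write(json.dumps(data))
            fh.flush()
            os.fsync(fh.fileno())
            return result
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)


def db_process(db_path, requests, replies):
    """The only process allowed to read or write the DB. Every other process
    sends it a message and waits for the answer on its own reply queue, so
    there is no shared memory and no concurrent file access from plugins."""
    while True:
        msg = requests.get()
        if msg["op"] == "stop":
            return
        if msg["op"] == "write":
            def add_finding(data):
                data.setdefault(msg["target"], []).append(msg["finding"])
                return len(data[msg["target"]])
            answer = locked_update(db_path, add_finding)
        elif msg["op"] == "read":
            answer = locked_update(db_path, lambda data: list(data.get(msg["target"], [])))
        else:
            answer = None
        replies[msg["sender"]].put(answer)


def plugin_worker(worker_id, target, findings, requests, reply):
    """Plugin runner for one target. Its config is a private copy in its own
    address space, so "switching target" here cannot clobber another worker."""
    config = {"target": target}              # per-process copy, not shared memory
    for finding in findings:
        requests.put({"op": "write", "sender": worker_id,
                      "target": config["target"], "finding": finding})
        reply.get()                          # wait for the DB process to acknowledge


def run_parallel_scan(targets, findings=("open-port-80", "server-banner")):
    """Scan each target in its own process and return {target: [findings]}
    as read back from the DB file once all processes have finished."""
    try:
        ctx = multiprocessing.get_context("fork")   # Unix: children inherit the queues
    except ValueError:
        ctx = multiprocessing.get_context()
    fd, db_path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        requests = ctx.Queue()
        replies = [ctx.Queue() for _ in targets]
        db = ctx.Process(target=db_process, args=(db_path, requests, replies))
        db.start()
        workers = [ctx.Process(target=plugin_worker,
                               args=(i, t, list(findings), requests, replies[i]))
                   for i, t in enumerate(targets)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
        requests.put({"op": "stop", "sender": None})
        db.join()
        with open(db_path) as fh:
            raw = fh.read()
        return json.loads(raw) if raw else {}
    finally:
        os.unlink(db_path)


if __name__ == "__main__":
    print(run_parallel_scan(["alpha.example", "beta.example"]))
```

Because each worker waits for an acknowledgement before sending its next write, the per-target order of findings is preserved even though the workers run concurrently; the DB process serialises everything else. The file lock is what protects the file when a process other than the DB process (a reporter, for instance) opens it directly.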
Demo 5: Net Plugins
Watch it: http://youtu.be/_I_Wv6VuyQk
Port of the OSCP scripts into OWTF:
● Ping sweep + DNS zone transfers + port scanning
● Port scanning via nmap using “waves” (--portwaves):
  owtf.py --portwaves=10,100,1000 target.com
  First scan “top 10” ports, then “remaining until top 100”, ...
● Firing relevant net plugins depending on ports open
Net plugins implement:
● Vulnerability probing of network services (i.e. ftp, smtp, ...)
Upcoming Features
● Plugin profiling for better resource usage: monitor resources to determine “launchable” plugins depending on [load + expected resource consumption]
● Reporter process: to run in parallel + reduce report re-assembly iterations (i.e. instead of re-assembling once per plugin execution)
● Identify + parallelise other bottleneck components
Questions?
OWTF MiTM Proxy
by Bharadwaj Machiraju
Dedicated Mentor: Krzysztof Kotowicz (@kkotowicz)
Co-mentors: Javier Marcos de Prado, Martin Johns, Abraham Aranguren
MiTM Proxy Agenda
● MiTM Proxy Goals
● Pre-implementation research
● Development challenges
● Examples of working functionality ☺
● Performance benchmarks
● Upcoming features
MiTM Proxy Goals
● Extended grep plugin coverage:
  1) Data from manual browsing
  2) Data from proxified tools
● Tool proxification (if launched from OWTF)
● SSL MiTM
● Proxy cache: Avoid redundant requests
● Request throttling based on target responsiveness (i.e. avoid unintended DoS)
● Intelligent request retries (i.e. ensure HTTP response retrieval where possible)
Pre-Implementation Research
● Goal: Select the best python proxy framework = best starting point
● Test Cases: Speed, HTTP verb support, HTTP/1.1, HTTPS support, etc.
● Frameworks: Twisted, Mitmproxy, Tornado, Honeyproxy
● Verdict: Tornado. Best [performance + feature-set + reusability]
Pre-Implementation Research
MiTM Proxy Pre-Implementation Research Doc: https://docs.google.com/file/d/0B5P-99g5h0-6NjJDaF9BUGpVY28
Development Challenges
● Tornado: Is a python web framework (!proxy)
  Pros: Scalability: tens of thousands of connections; Server + Client = Proxy
  Cons: Not built to make proxy servers; Client is more limited than server. Solution: use Tornado’s async curl client
● SSL MiTM: on-the-fly certificate generation, etc.
● Proxy cache: Race condition handling
● Tool Proxification: Not all tools could be proxified
  BUT Tool Proxification for tools with proxy CLI options IS working ☺
Proxy SSL MiTM is working ☺
Proxy Cache is working ☺
Race-condition handling is working ☺
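The proxy-cache race the “Development Challenges” slide mentions, as an added example that is not the OWTF proxy's own code: when two clients (a browser and a proxified tool, say) ask for the same URL before either answer is cached, a naive cache forwards both to the target. The cache below lets the first caller fetch and makes later callers wait on the in-flight entry, so the target sees one request. The class, the thread-based simulation and the sample robots.txt body are my constructions; the real proxy is built on Tornado's event loop rather than threads.

```python
import threading
import time


class ProxyCache:
    """Response cache for a MiTM proxy with in-flight de-duplication.
    The first caller for a key becomes the leader and fetches upstream;
    followers block on the leader's Event and then read the cached body."""

    CACHEABLE_METHODS = ("GET", "HEAD")      # never replay state-changing verbs

    def __init__(self, fetch_upstream):
        self._fetch = fetch_upstream         # callable: (method, url) -> body
        self._lock = threading.Lock()
        self._cache = {}                     # (method, url) -> body
        self._inflight = {}                  # (method, url) -> threading.Event
        self.upstream_calls = 0              # how many requests hit the target

    def get(self, method, url):
        key = (method.upper(), url)
        if key[0] not in self.CACHEABLE_METHODS:
            with self._lock:
                self.upstream_calls += 1
            return self._fetch(*key)         # pass through, uncached
        while True:
            with self._lock:
                if key in self._cache:
                    return self._cache[key]
                event = self._inflight.get(key)
                leader = event is None
                if leader:                   # nobody is fetching yet: we do it
                    event = threading.Event()
                    self._inflight[key] = event
            if leader:
                try:
                    body = self._fetch(*key)
                    with self._lock:
                        self._cache[key] = body
                        self.upstream_calls += 1
                    return body
                finally:
                    with self._lock:
                        self._inflight.pop(key, None)
                    event.set()              # wake followers even if fetch failed
            event.wait()                     # follower: loop back and read the cache;
                                             # if the leader failed, we become leader


# Constructed sample response; not captured from any real site.
ROBOTS_BODY = "User-agent: *\nDisallow: /admin/\n"


def simulate_burst(n_clients=8, url="http://target.example/robots.txt"):
    """Fire n_clients concurrent requests for the same URL through the cache.
    Returns (number of upstream requests, bodies the clients received)."""
    def slow_upstream(method, url):
        time.sleep(0.2)                      # latency window in which the race happens
        return ROBOTS_BODY

    cache = ProxyCache(slow_upstream)
    results = [None] * n_clients
    start = threading.Barrier(n_clients)     # release every client at the same moment

    def client(i):
        start.wait()
        results[i] = cache.get("GET", url)

    threads = [threading.Thread(target=client, args=(i,)) for i in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cache.upstream_calls, results


if __name__ == "__main__":
    calls, bodies = simulate_burst()
    print("upstream requests:", calls, "clients served:", len(bodies))
```

Two design choices worth copying into any proxy cache: only idempotent methods are cached (a replayed POST could change state on the target, and the page's later throttling goal is about avoiding unintended side effects on the target), and a failed leader releases its followers rather than leaving them blocked forever, which is the kind of hang that is hard to debug in concurrent code.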
Performance Benchmarks
Upcoming features
● Improved grep plugins: Run on all transactions
● Request throttling based on target responsiveness (i.e. avoid unintended DoS)
● Intelligent request retries (i.e. ensure HTTP response retrieval where possible)
● Cookie based authentication at proxy level = ability to scan authenticated portions of a website
● Plug-n-Hack support: Upcoming Mozilla standard. DONE
Questions?
OWTF Testing Framework
by Alessandro Fanio González
Dedicated Mentor: Andrés Morales Zamudio (@andresmz)
Co-mentor: Abraham Aranguren
Testing Framework Agenda
● Importance of testing
● Testing framework goals
● Pre-implementation research
● Development challenges
● Initial focus: Unit testing
● New focus: Functional testing
● Upcoming features
Importance of testing
● Improve code quality
● Ensure everything works as expected
● Prevent unintentional bugs while developing new features or fixing other bugs
● Provide stability to the project
Testing Framework Goals
● Writing OWTF tests = As easy as possible
● Ensure OWTF integrity after code changes:
  1. Automated tests to verify OWTF modules behave as expected (unit tests)
  2. Automated tests to verify OWTF security test output is as expected (functional tests)
Pre-implementation research
Goals: Determine best starting point
1. Select best testing/mocking library for unit tests
2. Select best mock web server for functional tests
Tests:
1. Feature-set comparison among many mocking libraries
2. Reuse of Bharadwaj’s research (for mock web server)
Results:
1. Best mock library for OWTF = Flexmock
2. Best mock web server for OWTF = Tornado
Development Challenges
● Understand internal OWTF components
● Extend the testing library to complete features
● Make the testing framework easy to use: generate classes and methods dynamically, using metaclasses and introspection
● Fix broken tests due to fast-moving codebase (a consequence of the initial unit testing focus)
Initial focus: Unit testing
Important metric for unit testing = code coverage
Test coverage: number of executed lines of code after running all tests
When we run the entire test suite:
1. An HTML code coverage report is generated
2. Lines executed per file can be viewed in the report
Current OWTF code coverage = 58%

New focus: Functional testing

| Functional test approach | Unit test approach |
| --- | --- |
| Pro: Will find bugs due to third-party tools/incompatibilities | Con: Can’t find bugs due to third-party tools/incompatibilities |
| Con: No code coverage metrics | Pro: Code coverage metrics (i.e. are we at 100% or not?) |
| Pro: Easier to write (i.e. closer to command-line usage) | Con: Harder to write (i.e. you kinda have to love/know TDD ☺) |
| Pro: Code independent (i.e. refactoring != broken test) | Con: Code dependent (i.e. refactoring = broken test) |
| Pro: Easier to create tests for security edge cases (i.e. unusual web server behaviour) | Con: Difficult to create tests for security edge cases (i.e. unusual web server behaviour) |
| Con: Not isolated | Pro: Isolated |
| Con: Slower | Pro: Fast |

Demo 6: A testing example
Watch it: http://youtu.be/ypLwjzORKfQ
Functional testing:
● Set the web server to return a custom robots.txt file, and start the server
● Write tests (almost) as if you were using OWTF from the command line: run the Spiders_Robots_and_Crawlers plugin
● Assert that the URLs contained in robots.txt are in the OWTF output
Unit testing:
● Show code coverage report from initial project focus
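The Demo 6 flow written out as an added example (not OWTF's own test code): Python's standard-library http.server stands in for the Tornado mock server, the robots.txt body is constructed, and the spider function and its "Potential URLs" output are assumptions standing in for the plugin.

```python
"""Functional-test-style check in the spirit of Demo 6.

Added example, not OWTF's own test code. A local mock web server returns a
constructed robots.txt, a small spider makes one direct request for it and
records the entries as "Potential URLs" without visiting them, and the test
asserts those URLs appear in the output. Python's standard-library http.server
stands in for Tornado so the example runs offline with no dependencies.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import urlopen

# Constructed robots.txt body served by the mock server.
ROBOTS_TXT = (
    "User-agent: *\n"
    "Disallow: /admin/\n"
    "Disallow: /backup/db.sql   # trailing comment, stripped\n"
    "Allow: /public/\n"
    "Sitemap: http://127.0.0.1/sitemap.xml\n"
)


class RobotsHandler(BaseHTTPRequestHandler):
    """Mock web server: serves the configured robots.txt, 404 for everything else."""

    body = ROBOTS_TXT  # set to None to simulate "robots.txt Not Found"

    def do_GET(self):
        if self.path == "/robots.txt" and self.body is not None:
            data = self.body.encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the test run quiet
        pass


def start_mock_server(body=ROBOTS_TXT):
    """Start the mock server on a free loopback port; return (server, base_url)."""
    handler = type("ConfiguredHandler", (RobotsHandler,), {"body": body})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def parse_robots(base_url, text):
    """Turn Disallow/Allow/Sitemap entries into absolute "Potential URLs"."""
    urls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field in ("disallow", "allow") and value:
            urls.append(urljoin(base_url, value))
        elif field == "sitemap" and value:
            urls.append(value)
    return urls


def spider_robots(base_url):
    """Direct request for robots.txt, entries recorded but never visited."""
    try:
        with urlopen(base_url + "/robots.txt", timeout=5) as resp:
            return True, parse_robots(base_url, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        if err.code == 404:  # Case 1: robots.txt Not Found
            return False, []
        raise


def run_against_mock(body=ROBOTS_TXT):
    """Functional test driver: start server, run the spider, shut down, report."""
    server, base_url = start_mock_server(body)
    try:
        found, urls = spider_robots(base_url)
    finally:
        server.shutdown()
        server.server_close()
    # Strip the dynamic port so results are comparable across runs.
    return found, [u.replace(base_url, "") for u in urls]


if __name__ == "__main__":
    print(run_against_mock())      # found, then the four Potential URLs
    print(run_against_mock(None))  # (False, []) for the Not Found case
```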

Upcoming features
Functional tests for:
1. web plugins: OWASP Testing Guide coverage
2. net and aux plugins: PTES coverage
● Automated Continuous Integration: run tests automatically after each commit
Questions?

OWASP Testing Guide with OWASP OWTF

Context consideration: Case 1 robots.txt Not Found
…should Google index a site like this?
Or should robots.txt exist and be like this?

```
User-agent: *
Disallow: /
```

Case 1 robots.txt Not Found - Semi passive
• Direct request for robots.txt
• Without visiting entries

Case 2 robots.txt Found – Passive
• Indirect Stats, Downloaded txt file for review, “Open All in Tabs”

OWTF HTML Filter challenge: Embedding of untrusted third party HTML
Defence layers:
1) HTML Filter: Open source challenge. Filter 6 unchallenged since 04/02/2012, can you hack it? ☺ http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html
2) HTML5 sandboxed iframe
3) Storage in another directory = cannot access OWTF Review in localStorage

Start reporting!: Take your notes with fancy formatting
Step 1 – Click the “Edit” link
Step 2 – Start documenting findings + Ensure preview is ok
Start reporting!: Paste PoC screenshots
The magic bar ;) – Useful to generate the human report later

Passive Plugin
Step 1 - Browse output files to review the full raw tool output:
Step 2 – Review tools run by the passive Search engine discovery plugin:
Was your favourite tool not run? Tell OWTF to run your tools on: owtf_dir/profiles/resources/default.cfg (backup first!)
Tool output can also be reviewed via clicking through the OWTF report directly:

The Harvester:
• Emails
• Employee Names
• Subdomains
• Hostnames
http://www.edge-security.com/theHarvester.php

Metadata analysis:
• TODO: Integration with FOCA when CLI callable via wine (/cc @chemaalonso ☺)
• Implemented: Integration with Metagoofil
http://www.edge-security.com/metagoofil.php

Inbound proxy not stable yet, but all this happens automatically:
• robots.txt entries added to “Potential URLs”
• URLs found by tools are scraped + added to “Potential URLs”
• During Active testing (later): “Potential URLs” visited + added to “Verified URLs” + Transaction log

All HTTP transactions logged by target in transaction log
Step 1 – Click on “Transaction Log”
Step 2 – Review transaction entries
Step 3 – Review raw transaction information (if desired)

Step 1 - Make all direct OWTF requests go through Outbound Proxy: passes all entry points to the tactical fuzzer for analysis later
Step 2 - Entry points can then also be analysed via tactical fuzzer:

Manually verify request for fingerprint:
Goal: What is that server running?

Whatweb integration with non-aggressive parameter (semi passive detection):
https://github.com/urbanadventurer/WhatWeb

Fingerprint header analysis: Match stats

Convenient vulnerability search box (1 box per header found ☺): “Search All” opens all site searches in tabs
Exploit DB - http://www.exploit-db.com

NVD - http://web.nvd.nist.gov - CVSS Score = High

OSVDB - http://osvdb.org - CVSS Score = High
http://www.securityfocus.com - Better on Google

http://www.exploitsearch.net - All in one
Passive Fingerprint analysis

http://toolbar.netcraft.com - Passive banner grab, etc.

http://builtwith.com
• CMS
• Widgets
• Libraries
• etc
http://www.shodanhq.com/
Search in the headers without touching the site:

Passive suggestions - Prepare your test in a terminal window to hit “Enter” on “permission minute 1”
What else can be done with a fingerprint?

Environment replication
Download it .. sometimes from project page ☺
Also check http://www.oldapps.com/, Google, etc.

RIPS for PHP: http://rips-scanner.sourceforge.net/
Yasca for most other (also PHP): http://www.scovetta.com/yasca.html
Static Analysis, Fuzz, Try exploits, ..
Questions?

http://www.robtex.com - Passive DNS Discovery
http://whois.domaintools.com
http://centralops.net

Has Google found error messages for you?
Check errors via Google Cache
https://www.ssllabs.com/ssldb/analyze.html
The link is generated with OWTF with that box ticked: Important!
https://www.ssllabs.com/ssldb/analyze.html
Pretty graphs to copy-paste to your OWTF report ☺

Do not forget about Strict-Transport-Security! sslstrip chances decrease dramatically: only the 1st time the user visits the site!

Not found example:
Found example:

HTML content analysis: HTML Comments

Efficient HTML content matches analysis
Step 1 - Click
Step 2 – Human Review of Unique matches

Efficient HTML content matches analysis
Step 1 - Click
Step 2 – Review Unique matches (click on links for sample match info)
Want to see all? Then click

HTML content analysis: CSS and JavaScript Comments (/* */)

HTML content analysis: Single line JavaScript Comments (//)

HTML content analysis: PHP source code

HTML content analysis: ASP source code
Questions?
If you find an admin interface don’t forget to ..Google for default passwords:
Disclaimer: Permission is required for this
http://centralops.net
Is the login page on “http” instead of “https”?

Pro Tip: When browsing the site manually… look carefully at pop-ups like this:
Consider (i.e. prep the attack):
Firesheep: http://codebutler.github.com/firesheep/
SSLStrip: https://github.com/moxie0/sslstrip

Mario was going to report a bug to Mozilla and found another!

Abuse user/member public search functions:
1) Search for “” (nothing) or “a”, then “b”, ..
2) Download all the data using 1) + pagination (if any)
3) Merge the results into a CSV-like format
4) Import + save as a spreadsheet
5) Show the spreadsheet to your customer

Analyse the username(s) they gave you to test:
• Username based on numbers? e.g. USER12345
• Username based on public info? (i.e. names, surnames, ..) e.g. name.surname
• Default CMS user/pass?

Part 1 – Remember Password: Autocomplete

Bad:

```html
<form action="/user/login" method="post"><input type="password" name="pass" />
```

Good, via 1) `<form … autocomplete="off">` or via 2) `<input … autocomplete="off">`

Manual verification for password autocomplete (i.e. for the customer)
Easy “your grandma can do it” test:
1. Login
2. Logout
3. Click the browser Back button twice*
4. Can you login again, without typing the login or password, by re-sending the login form?
Can the user re-submit the login form via the back button?
* Until the login form submission
Other sensitive fields: Pentester manual verification
• Credit card fields
• Password hint fields
• Other

Part 2 - Password Reset forms
Manually look at the questions / fields in the password reset form:
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc)
• Does it send an email to a potentially dead email address you can register? (i.e. hotmail.com)

Goal: Is caching of sensitive info allowed?
Manual verification steps: “your grandma can do it” ☺ (need login):
1. Login
2. Logout
3. Click the browser Back button
4. Do you see logged in content, or a “this page has expired” error / the login page?
Manual analysis tools:
• Commands: curl -i http://target.com
• Proxy: Burp, ZAP, WebScarab, etc
• Browser Plugins: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/ and https://addons.mozilla.org/en-US/firefox/addon/firebug/

HTTP/1.1 headers

| Bad | Good |
| --- | --- |
| `Cache-control: private` | `Cache-Control: no-cache` |

HTTP/1.0 headers

| Bad | Good |
| --- | --- |
| `Pragma: private` | `Pragma: no-cache` |
| `Expires: <way too far in the future>` | `Expires: <past date or illegal (e.g. 0)>` |

No caching headers = caching allowed

https://accounts.google.com

```
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ….
X-Powered-By: ….
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT
```

The world
Repeat for META tags:
  Bad:  <META HTTP-EQUIV="Cache-Control" CONTENT="private">
  Good: <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
(Proxies never see the meta tag and browsers honour it inconsistently, so treat it as a fallback: the HTTP header is the control that counts.)
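The Bad/Good header patterns above and the META-tag variant can be checked mechanically from a saved response. The following is an added example, not code from the slides or from OWTF: it parses a raw HTTP response, collects Cache-Control directives from both the header and any <meta http-equiv> tag, and returns the findings a pentester would report. The GOOD sample mirrors the accounts.google.com headers shown on the slide; the other three responses are constructed for the example.

```python
import email
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed raw responses for this added example. GOOD mirrors the
# accounts.google.com headers on the slide; the other three are made up.
GOOD = ("HTTP/1.1 200 OK\r\n"
        "Date: Tue, 09 Aug 2011 13:38:43 GMT\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "Cache-control: no-cache, no-store\r\n"
        "Pragma: no-cache\r\n"
        "Expires: Mon, 01-Jan-1990 00:00:00 GMT\r\n"
        "\r\n<html><body>Welcome back, owaspuser</body></html>")
BAD_PRIVATE = ("HTTP/1.1 200 OK\r\n"
               "Content-Type: text/html\r\n"
               "Cache-Control: private\r\n"
               "Expires: Thu, 31 Dec 2037 23:59:59 GMT\r\n"
               "\r\n<html><body>Balance: 1234.56</body></html>")
META_ONLY = ("HTTP/1.1 200 OK\r\n"
             "Content-Type: text/html\r\n"
             '\r\n<html><head><META HTTP-EQUIV="Cache-Control" CONTENT="private"></head>'
             "<body>Card: **** 4242</body></html>")
NO_HEADERS = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n"
              "\r\n<html><body>Balance: 1234.56</body></html>")

META_CC_RE = re.compile(
    r'<meta\s+http-equiv=["\']cache-control["\']\s+content=["\']([^"\']+)["\']', re.I)


def split_response(raw):
    """Split a raw HTTP response into (status line, header Message, body).
    email.message_from_string gives case-insensitive lookups and handles folded headers."""
    head, _, body = raw.partition("\r\n\r\n")
    status, _, header_block = head.partition("\r\n")
    return status, email.message_from_string(header_block), body


def cache_directives(headers, body):
    """Cache-Control directive names from the header and from <meta http-equiv> tags.
    The meta form is weaker: proxies never see it and browsers honour it inconsistently."""
    values = headers.get_all("Cache-Control", []) + META_CC_RE.findall(body)
    return {d.strip().split("=")[0].lower() for v in values for d in v.split(",") if d.strip()}


def caching_findings(raw_response, now=None):
    """Problems a pentester would report for one response carrying sensitive data.
    An empty list is the slide's Good pattern: Cache-Control: no-cache, no-store,
    Pragma: no-cache, and an Expires date in the past (or an illegal one such as 0)."""
    now = now or datetime.now(timezone.utc)
    _, headers, body = split_response(raw_response)
    directives = cache_directives(headers, body)
    pragma = (headers.get("Pragma") or "").strip().lower()
    expires = headers.get("Expires")
    if not directives and not pragma and expires is None:
        return ["no caching headers at all: caching allowed"]
    findings = []
    if headers.get("Cache-Control") is None and directives:
        findings.append("Cache-Control only in <meta>: send it as a real HTTP header")
    if "no-store" not in directives:
        if "no-cache" in directives:
            findings.append("no-cache without no-store: response may still be stored, only revalidated")
        else:
            findings.append("Cache-Control lacks no-cache/no-store (%s)"
                            % (", ".join(sorted(directives)) or "absent"))
    if pragma != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if expires is not None:
        try:
            exp = parsedate_to_datetime(expires)
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp > now:
                findings.append("Expires in the future (%s)" % expires)
        except (TypeError, ValueError):
            pass  # an illegal date such as 0 or -1 counts as already expired
    return findings


if __name__ == "__main__":
    for label, raw in [("GOOD", GOOD), ("BAD_PRIVATE", BAD_PRIVATE),
                       ("META_ONLY", META_ONLY), ("NO_HEADERS", NO_HEADERS)]:
        print(label, caching_findings(raw) or ["OK"])
```

Run it against the output of curl -i or a proxy export saved to a file; the point of the fixed `now` parameter is that the Expires verdict stays reproducible in a report.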
Step 1 - Find CAPTCHAs: Passive search
Offline manual analysis:
• Download the image and try to break it
• Are CAPTCHAs reused?
• Is a hash or token passed? (Good algorithm? Predictable?)
• Look for vulns on the CAPTCHA version

CAPTCHA breaking tools:
• PWNtcha - captcha decoder - http://caca.zoy.org/wiki/PWNtcha
• Captcha Breaker - http://churchturing.org/captcha-dist/
Manually examine cookies for weaknesses offline

Example 1 (clear text structure: user, client IP, 32-hex-char digest):
owaspuser:192.168.100.1:a7656fafe94dae72b1e1487670148412

Example 2 (Base64 encoding != encryption ☺):
MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
Decoded value: 192.168.100.1:owaspuser:password:15:58
Questions?
http://hackvertor.co.uk/public
Lots of decode options, including:
• auto_decode
• auto_decode_repeat
• d_base64
• etc.
F5 BIG-IP cookie decoder:
http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html
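The offline cookie analysis described above (structure spotting, Hackvertor-style repeated auto-decoding, and the F5 BIG-IP persistence cookie) can be done in a few lines. This is an added example, not code from the slides, OWTF or the Taddong decoder: the sample cookie values are constructed for it (the BIG-IP value encodes the assumed backend 10.1.1.100:8080, and the cookie names are assumptions), and the base64 sample is the one from the slide.

```python
import base64
import binascii
import re
import struct
from urllib.parse import unquote

# Constructed cookie values for this added example (not captured from a real target).
SAMPLE_COOKIES = {
    # Clear text structure: user, client IP, 32 hex chars (MD5-length digest).
    "sess1": "owaspuser:192.168.100.1:a7656fafe94dae72b1e1487670148412",
    # Base64 is encoding, not encryption: the same kind of structure, plus a password.
    "sess2": "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=",
    # F5 BIG-IP persistence cookie for backend 10.1.1.100:8080 (built with f5_encode below).
    "BIGipServerpool_web": "1677787402.36895.0000",
}

HEX_DIGEST_NAMES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def auto_decode_repeat(value, max_rounds=5):
    """Peel URL and Base64 layers until the value stops changing or stops being
    printable text (the idea behind Hackvertor's auto_decode_repeat). Returns
    (decoded value, list of layers removed, outermost first)."""
    layers = []
    for _ in range(max_rounds):
        if "%" in value and unquote(value) != value:
            value, layers = unquote(value), layers + ["url"]
            continue
        if B64_RE.match(value) and len(value) % 4 == 0:
            try:
                decoded = base64.b64decode(value, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                break
            if decoded.isprintable():
                value, layers = decoded, layers + ["base64"]
                continue
        break
    return value, layers


def classify_fields(value, sep=":"):
    """Label each separator-delimited field so guessable or sensitive parts stand out."""
    labels = []
    for field in value.split(sep):
        if IPV4_RE.match(field):
            labels.append("ipv4")
        elif re.fullmatch(r"[0-9a-fA-F]+", field) and len(field) in HEX_DIGEST_NAMES:
            labels.append("hex-digest(%s-length)" % HEX_DIGEST_NAMES[len(field)])
        elif field.isdigit():
            labels.append("integer")
        else:
            labels.append("text")
    return labels


def f5_decode(cookie_value):
    """BIG-IP persistence cookie 'ip.port.0000': both numbers are the backend's IPv4
    address and TCP port written as little-endian decimal integers."""
    ip_dec, port_dec, _ = cookie_value.split(".")
    ip = ".".join(str(b) for b in struct.pack("<I", int(ip_dec)))
    port = int.from_bytes(struct.pack("<H", int(port_dec)), "big")
    return ip, port


def f5_encode(ip, port):
    """Inverse of f5_decode; used to build the constructed sample above."""
    ip_dec = struct.unpack("<I", bytes(int(o) for o in ip.split(".")))[0]
    port_dec = struct.unpack("<H", port.to_bytes(2, "big"))[0]
    return "%d.%d.0000" % (ip_dec, port_dec)


def analyse_cookie(name, value):
    """What a pentester would note about one cookie, as a dict for the report."""
    if name.startswith("BIGipServer"):
        ip, port = f5_decode(value)
        return {"type": "f5-persistence", "backend": "%s:%d" % (ip, port)}
    decoded, layers = auto_decode_repeat(value)
    return {"type": "session", "layers": layers, "decoded": decoded,
            "fields": classify_fields(decoded)}


if __name__ == "__main__":
    for name, value in SAMPLE_COOKIES.items():
        print(name, analyse_cookie(name, value))
```

The decoder stops as soon as a layer does not yield printable text, so a real random token or an MD5 digest is left alone rather than mangled; the field labels are what you then compare across users and logins to judge predictability.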
• Secure: not set = session cookie leaked = pwned
• HttpOnly: not set = cookies stealable via JS
• Domain: set properly
• Expires: set reasonably
• Path: set to the right /sub-application
• 1 session cookie that works is enough ..
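The attribute checklist above maps directly onto a Set-Cookie parser. The following is an added example (not from the slides or OWTF) that parses Set-Cookie headers and reports the missing or over-broad attributes; the three headers, the list of well-known session cookie names, the application path /app/ and the assumption that the site is served over HTTPS are all constructed for the example.

```python
# Constructed Set-Cookie headers for this added example (not from a real target).
SAMPLE_SET_COOKIES = [
    "PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; path=/",
    "sid=Nao2mxgho6p9jisslen9v3t6o5f943h; Path=/app/; Secure; HttpOnly; SameSite=Lax",
    "remember=owaspuser; Domain=.example.com; Expires=Thu, 31 Dec 2037 23:59:59 GMT; Path=/",
]
# Names that usually carry the session: these are the ones where a leak = pwned.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sid", "sessionid"}


def parse_set_cookie(header_value):
    """One Set-Cookie header -> (name, value, {attribute_lowercased: value or True})."""
    first, *rest = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def cookie_findings(header_value, app_path="/app/", over_https=True):
    """Report-worthy problems for one Set-Cookie header. app_path is the tested
    application's path prefix and over_https says whether the site is served over
    TLS (both assumed for the sample); the Secure flag only matters in the latter case."""
    name, _, attrs = parse_set_cookie(header_value)
    is_session = name.lower() in SESSION_COOKIE_NAMES
    findings = []
    if over_https and "secure" not in attrs:
        findings.append("Secure not set: also sent over plain HTTP"
                        + (" (session cookie leaked = pwned)" if is_session else ""))
    if "httponly" not in attrs:
        findings.append("HttpOnly not set: readable through document.cookie after XSS")
    domain = attrs.get("domain")
    # Naive check: a Domain of the form .example.com shares the cookie with every subdomain.
    if isinstance(domain, str) and domain.lstrip(".").count(".") == 1:
        findings.append("Domain=%s: shared with every subdomain of the parent domain" % domain)
    if attrs.get("path", "/") == "/" and app_path != "/":
        findings.append("Path=/ exposes the cookie to every application on the host, not just %s" % app_path)
    if is_session and ("expires" in attrs or "max-age" in attrs):
        findings.append("session cookie is persistent (Expires/Max-Age): it should die with the browser")
    return name, findings


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIES:
        name, findings = cookie_findings(header)
        print(name, findings or ["OK"])
```

Feed it every Set-Cookie header from the login response: the slide's last bullet is the reason to check all of them, since one unprotected cookie that still authenticates is enough.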
Manually check when verifying credentials during pre-engagement: login and analyse the Session ID cookie (e.g. PHPSESSID).

Bad (normal + by default): the session ID does not change on login
  Before: 10a966616e8ed63f7a9b741f80e65e3c
  After:  10a966616e8ed63f7a9b741f80e65e3c

Good: a new session ID is issued on login
  Before: 10a966616e8ed63f7a9b741f80e65e3c
  After:  Nao2mxgho6p9jisslen9v3t6o5f943h

IMPORTANT: an attacker can also set the session ID via JavaScript (e.g. through XSS), which is what turns an unchanged ID into session fixation.
Session ID exposed:
• In URL
• In POST
• In HTML

Example from the field:
http://target.com/xxx/xyz.function?session_num=7785

Look at unauthenticated cross-site requests (anything in the URL leaks through the Referer):
http://other-site.com/user=3&report=4
Referer: site.com

Change IDs in the application (only IDs you have permission for!):
http://site.com/view_doc=4
Headers enabling/disabling client-side XSS filters:
• X-XSS-Protection (IE-only)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13; this was the prefixed experimental header, the standardised name is Content-Security-Policy)
Review JavaScript code on the page for DOM XSS, e.g.:
<script> document.write("Site is at: " + document.location.href + "."); 
</script>

Sometimes active testing is possible in your browser alone (no trip to the server = not an attack = not logged), because the fragment after # is never sent to the server:
http://target.com/...#vulnerable_param=xss

http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
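Reviewing inline scripts for DOM XSS comes down to pairing sources (where URL or storage data enters) with sinks (where it becomes markup, code or a navigation). The following added example, not from the slides or OWTF, does that first pass over a page: it extracts inline <script> bodies, flags statements where a sink consumes a source, and follows one level of variable assignment so `var q = location.hash...; el.innerHTML = q` is caught while `el.textContent = q` is not. The first script is the slide's own snippet; the other scripts, the source and sink lists, and the page itself are constructed for the example, and the output is a list of candidates to confirm by hand (the # trick above does that without touching the server).

```python
import re

# Constructed page for this added example. The first <script> is the slide's own
# snippet; the others are made up to show a safe sink beside an unsafe one.
SAMPLE_HTML = """
<script> document.write("Site is at: " + document.location.href + "."); </script>
<script>
  var q = decodeURIComponent(location.hash.slice(1));
  document.getElementById('out').textContent = q;  // safe sink: text, not markup
  document.getElementById('ad').innerHTML = q;     // unsafe sink: markup from the URL
</script>
<script> eval(localStorage.getItem('prefs')); </script>
<script> var title = "static"; document.write(title); </script>
"""

# Where attacker-controlled data enters the DOM ...
SOURCES = re.compile(
    r"document\.(?:location|URL|documentURI|referrer|cookie)"
    r"|\blocation(?:\.(?:href|hash|search|pathname))?\b"
    r"|window\.name|(?:local|session)Storage\.getItem")
# ... and where it turns into markup, code or a navigation.
SINKS = re.compile(
    r"document\.write(?:ln)?\(|\.(?:innerHTML|outerHTML)\s*=|\.insertAdjacentHTML\("
    r"|\beval\(|\bsetTimeout\(|\bsetInterval\(|\bnew\s+Function\(|\$\(")
ASSIGN = re.compile(r"^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)")


def extract_scripts(html):
    """Inline <script> bodies, in document order."""
    return re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)


def find_dom_xss_candidates(html):
    """Return (script index, statement) pairs where a sink consumes a source, either
    directly or through a variable assigned from a source earlier in the same script.
    Candidates need manual confirmation; the '#' trick does that without a server hit."""
    candidates = []
    for idx, script in enumerate(extract_scripts(html)):
        tainted = set()
        script = re.sub(r"//[^\n]*", "", script)  # drop line comments before splitting
        for stmt in (s.strip() for s in script.split(";") if s.strip()):
            uses_source = bool(SOURCES.search(stmt)) or any(
                re.search(r"\b%s\b" % re.escape(v), stmt) for v in tainted)
            m = ASSIGN.match(stmt)
            if m and uses_source:
                tainted.add(m.group(1))
            if uses_source and SINKS.search(stmt):
                candidates.append((idx, stmt))
    return candidates


if __name__ == "__main__":
    for idx, stmt in find_dom_xss_candidates(SAMPLE_HTML):
        print("script #%d: %s" % (idx, stmt))
```

Splitting on semicolons and matching with regular expressions is deliberately crude (it will trip over semicolons inside strings and over minified code), which is why the result is a worklist for the reviewer rather than a verdict.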
Did Google find SQLi for you?
Server-Side Includes (SSI) injection test strings:
<!--#exec cmd="/bin/ls /" -->
<!--#INCLUDE VIRTUAL="/web.config"-->
1. Browse site
2. Time requests
3. Get top X slowest requests
4. Slowest = best DoS target
Google searches: inurl:wsdl site:example.com

Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/
WSDL analysis
Sensitive methods in the WSDL? e.g. Download DB, Test DB, Get CC, etc.
http://www.example.com/ws/FindIP.asmx?WSDL

<wsdl:operation name="getCreditCard" parameterOrder="id">
  <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
  <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
</wsdl:operation>
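Scanning a WSDL for sensitive method names is easy to automate once the operation names are split into words. The following is an added example (not from the slides or OWTF): it parses the wsdl:operation elements, splits camelCase names and parameter names into words, and matches them against a keyword list. The WSDL fragment is constructed around the slide's getCreditCard operation; the findIP and downloadDatabaseBackup operations and the keyword list are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed WSDL fragment for this added example, built around the slide's
# getCreditCard operation plus two made-up ones.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:impl="urn:example">
  <wsdl:portType name="FindIPSoap">
    <wsdl:operation name="findIP" parameterOrder="hostname">
      <wsdl:input message="impl:findIPRequest" name="findIPRequest"/>
      <wsdl:output message="impl:findIPResponse" name="findIPResponse"/>
    </wsdl:operation>
    <wsdl:operation name="getCreditCard" parameterOrder="id">
      <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
      <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
    </wsdl:operation>
    <wsdl:operation name="downloadDatabaseBackup" parameterOrder="adminToken">
      <wsdl:input message="impl:downloadDatabaseBackupRequest" name="downloadDatabaseBackupRequest"/>
      <wsdl:output message="impl:downloadDatabaseBackupResponse" name="downloadDatabaseBackupResponse"/>
    </wsdl:operation>
  </wsdl:portType>
</wsdl:definitions>
"""

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"
# Words that make an operation worth a manual look (assumed list; extend per target).
SENSITIVE_WORDS = {"download", "backup", "dump", "export", "test", "debug", "admin",
                   "db", "database", "sql", "exec", "delete", "drop", "password", "passwd",
                   "credential", "creditcard", "cc", "ssn", "secret", "internal"}


def split_camel(name):
    """'getCreditCard' -> ['get', 'credit', 'card']; 'findIP' -> ['find', 'ip']."""
    parts = re.findall(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+", name)
    return [p.lower() for p in parts]


def operations(wsdl_text):
    """Yield (operation name, parameterOrder words) for every wsdl:operation
    (portType and binding both carry them, so a name may appear twice)."""
    root = ET.fromstring(wsdl_text)
    for op in root.iter(WSDL_NS + "operation"):
        yield op.get("name"), (op.get("parameterOrder") or "").split()


def sensitive_operations(wsdl_text):
    """{operation: matched words} for operations whose name or parameters, taken as
    single words or runs of up to three adjacent words, hit the sensitive list."""
    hits = {}
    for name, params in operations(wsdl_text):
        words = split_camel(name) + [w for p in params for w in split_camel(p)]
        runs = {"".join(words[i:j])
                for i in range(len(words))
                for j in range(i + 1, min(i + 3, len(words)) + 1)}
        matched = sorted(SENSITIVE_WORDS & runs)
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for name, words in sensitive_operations(SAMPLE_WSDL).items():
        print("%s: %s" % (name, ", ".join(words)))
```

Joining adjacent words is what lets "creditcard" match getCreditCard without also matching every operation that merely contains "card"; tune SENSITIVE_WORDS to the target's domain before trusting the output.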
Same Origin Policy (SOP) 101
http://www.ibm.com/developerworks/rational/library/09/rationalapplicationdeveloperportaltoolkit3/
1. Domain A's page can send a request to Domain B's page from the browser
2. BUT Domain A's page cannot read Domain B's page from the browser
Bad: no anti-CSRF token
Potentially good: anti-CSRF token present (verify with permission)

CSRF Protection 101:
• Request == predictable = pwned: "..can send a request to Domain B" (SOP)
• Require a long random token (99% of the time a hidden anti-CSRF form field), so the request is not predictable
• The attacker cannot read the token from Domain B (SOP), so Domain B ignores the forged request
Similar to CSRF: is there an anti-replay token in the request?
Bad: no anti-CSRF token
Potentially good: anti-CSRF token present (verify with permission)
1) Passive search for Flash/Silverlight files + policies:
Silverlight file search:
Flash file search:
Static analysis: Download + decompile Flash files
Flare: http://www.nowrap.de/flare.html
Flasm (timelines, etc.): http://www.nowrap.de/flasm.html
$ flare hello.swf
Static analysis tools
SWFScan: http://www.brothersoft.com/hp-swfscan-download-253747.html
Adobe SWF Investigator: http://labs.adobe.com/technologies/swfinvestigator/
Good news: unlike DOM XSS, the # trick will always work for Flash files.

Active testing ☺
1) Trip to server = need permission:
http://target.com/test.swf?xss=foo&xss2=bar
2) But … your browser is yours: no trip to server = no permission needed:
http://target.com/test.swf#?xss=foo&xss2=bar
Some technologies allow settings that relax SOP:
• Adobe Flash (via policy file)
• Microsoft Silverlight (via policy file)
• HTML5 Cross Origin Resource Sharing (via HTTP headers)
Cheating: reading the policy file or HTTP headers != attack
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
Policy file retrieval for analysis
Flash / Silverlight - crossdomain.xml
Flash: http://kb2.adobe.com/cps/403/kb403185.html

CSRF by design: any domain can read responses, anti-CSRF tokens included = attacker WIN
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>

Bad defence example: the directive meant to restrict which headers Flash may push is set so that all headers from any domain are accepted:
<allow-http-request-headers-from domain="*" headers="*" />
Silverlight - clientaccesspolicy.xml
Silverlight: http://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx

CSRF by design: uri="*" lets any domain read the whole site ("/" with subpaths), anti-CSRF tokens included = attacker WIN
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
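Reading the two policy files is not an attack, and the judgement is mechanical: which origins may read responses, which may push headers, and whether the site-control element stops policy files elsewhere on the host from being honoured. The following is an added example, not from the slides, Adobe, Microsoft or OWTF, that parses both formats and returns findings; the two open policies are the ones shown on the slides above (the Flash one with the header directive folded in), the tight crossdomain.xml is constructed for contrast, and the wildcard heuristic is an assumption of the example.

```python
import xml.etree.ElementTree as ET

# The two open policies from the slides, plus a constructed restrictive one for contrast.
CROSSDOMAIN_OPEN = """<cross-domain-policy>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

CROSSDOMAIN_TIGHT = """<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="www.example.com" secure="true"/>
<allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
</cross-domain-policy>"""

CLIENTACCESS_OPEN = """<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="SOAPAction"><domain uri="*"/></allow-from>
<grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""


def wildcard(value):
    """True if a domain/uri attribute lets any origin in: '*' or a TLD-wide
    pattern such as '*.com' (naive check: '*.example.com' is a normal subdomain wildcard)."""
    return value == "*" or (value.startswith("*.") and value.count(".") == 1)


def crossdomain_findings(xml_text):
    """Flash crossdomain.xml: who may read responses (and thus anti-CSRF tokens),
    who may push arbitrary headers, and whether other policy files are locked out."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("allow-access-from"):
        dom = el.get("domain", "")
        if wildcard(dom):
            findings.append("allow-access-from domain=%s: any site can read responses with "
                            "the victim's cookies (CSRF by design: tokens readable)" % dom)
        elif el.get("secure", "true").lower() == "false":
            findings.append("allow-access-from %s secure=false: HTTP content may read HTTPS responses" % dom)
    for el in root.iter("allow-http-request-headers-from"):
        if wildcard(el.get("domain", "")) and el.get("headers", "").strip() == "*":
            findings.append("allow-http-request-headers-from domain=* headers=*: any site can send any header")
    sc = root.find("site-control")
    if sc is None or sc.get("permitted-cross-domain-policies", "all") not in ("none", "master-only", "by-content-type"):
        findings.append("no restrictive site-control: policy files elsewhere on the host (e.g. uploads) may also be honoured")
    return findings


def clientaccess_findings(xml_text):
    """Silverlight clientaccesspolicy.xml: wildcard domains and what they are granted."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        domains = [d.get("uri", "") for d in policy.iter("domain")]
        headers = [a.get("http-request-headers", "") for a in policy.iter("allow-from")]
        scope = ", ".join(r.get("path", "") + ("**" if r.get("include-subpaths", "false").lower() == "true" else "")
                          for r in policy.iter("resource"))
        if any(wildcard(d) for d in domains):
            findings.append("domain uri=* may read %s with the victim's cookies "
                            "(CSRF by design: tokens readable)" % scope)
            if "*" in headers:
                findings.append("http-request-headers=*: any header from any domain")
    return findings


if __name__ == "__main__":
    for label, fn, text in [("crossdomain open", crossdomain_findings, CROSSDOMAIN_OPEN),
                            ("crossdomain tight", crossdomain_findings, CROSSDOMAIN_TIGHT),
                            ("clientaccess open", clientaccess_findings, CLIENTACCESS_OPEN)]:
        print(label, fn(text) or ["OK"])
```

Fetch /crossdomain.xml and /clientaccesspolicy.xml from the site root (and from any other directory a policy could be served from, which is what the site-control finding is about) and run both functions over what comes back.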
Need help?
Workshop exercise
1) Install swftools:
wget http://www.swftools.org/swftools-0.9.2.tar.gz
tar xvfz swftools-0.9.2.tar.gz
cd swftools-0.9.2
sh ./configure
make
make install          # as root (or via sudo)
whereis swfdump       # check that we have swfdump installed now
swfdump: /usr/local/bin/swfdump
Workshop exercise (continued)
2) Analyse vulnerable file:
wget http://demo.testfire.net/vulnerable.swf       # download vulnerable file
swfdump -a vulnerable.swf > vulnerable.txt         # disassemble flash file
grep -B1 GetVariable vulnerable.txt | tr " " "\n" | grep '("' | sort -u
GetFlashVars
("empty_mc")
("externalInterfaceVar")
("flash")
("font")
("fontTxtFieldExists")
("fontVar")
("getUrlBlankVar")
("getUrlJSParam")
("getUrlParentVar")    <- used in this example…
Workshop exercise (continued)
3) Verify using the "#" trick (payload not sent to target):
http://demo.testfire.net/vulnerable.swf#?getUrlParentVar=javascript:alert('pwned!')
Click on "Get URL (parent)" for the example above
And you get: XSS ☺
UI redressing protections:
• X-Frame-Options (best)
• X-Content-Security-Policy (FF >= 4.0 + Chrome >= 13; today the standard Content-Security-Policy header with a frame-ancestors directive does this job)
• JavaScript frame busting (bypassable sometimes)

Bad:  no X-Frame-Options header
Good: X-Frame-Options: Deny
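The framing check above and the client-side XSS filter headers from the earlier slide (X-XSS-Protection, X-Content-Security-Policy) are the same kind of test: look at the response headers and decide Bad or Good. The following is an added example, not from the slides or OWTF, that does both, preferring CSP frame-ancestors over X-Frame-Options where the former is present (that is the precedence browsers apply) and flagging ALLOW-FROM, which Chrome and Safari never implemented. The four header sets are constructed for the example.

```python
import email

# Constructed header sets for this added example (not captured from a real target).
RESPONSES = {
    "no protection": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "xfo only": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n",
    "csp frame-ancestors": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"),
    "xss filter off": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                       "X-XSS-Protection: 0\r\n"
                       "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"),
}


def headers_of(raw):
    """Header block of a raw response as a case-insensitive email.message.Message."""
    _, _, block = raw.partition("\r\n")
    return email.message_from_string(block)


def csp_directive(csp_values, name):
    """Source list of one CSP directive (e.g. frame-ancestors), or None if not declared."""
    for value in csp_values:
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == name:
                return parts[1:]
    return None


def framing_findings(raw):
    """Clickjacking / UI redressing: may another origin frame this page?"""
    h = headers_of(raw)
    xfo = (h.get("X-Frame-Options") or "").strip().upper()
    csp = h.get_all("Content-Security-Policy", []) + h.get_all("X-Content-Security-Policy", [])
    ancestors = csp_directive(csp, "frame-ancestors")
    if ancestors is not None:
        # CSP frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
        return ["frame-ancestors * allows any origin to frame the page"] if "*" in ancestors else []
    if xfo in ("DENY", "SAMEORIGIN"):
        return []
    if xfo.startswith("ALLOW-FROM"):
        return ["X-Frame-Options: ALLOW-FROM was never supported by Chrome or Safari; add CSP frame-ancestors"]
    return ["no X-Frame-Options / frame-ancestors: page can be framed (clickjacking)"]


def xss_filter_findings(raw):
    """Headers that switch client-side XSS defences on or off."""
    h = headers_of(raw)
    findings = []
    if (h.get("X-XSS-Protection") or "").strip().startswith("0"):
        findings.append("X-XSS-Protection: 0 turns the IE reflected-XSS filter off")
    if not (h.get("Content-Security-Policy") or h.get("X-Content-Security-Policy")):
        findings.append("no Content-Security-Policy (nor the legacy X-Content-Security-Policy)")
    return findings


if __name__ == "__main__":
    for label, raw in RESPONSES.items():
        print(label, framing_findings(raw) + xss_filter_findings(raw) or ["OK"])
```

Paste the header block from curl -i or the proxy into RESPONSES and the output is the Bad/Good line for the report; the JavaScript frame-busting bullet is not covered because it lives in the page body and, as the slide says, sometimes does not hold anyway.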
Andrew Horton's "Clickjacking for Shells":
http://www.morningstarsecurity.com/research/clickjacking-wordpress

Krzysztof Kotowicz's "Something Wicked this way comes":
http://www.slideshare.net/kkotowicz/html5-something-wicked-this-way-comes-hackpra
https://connect.ruhr-uni-bochum.de/p3g2butmrt4/

Marcus Niemietz's "UI Redressing and Clickjacking":
http://www.slideshare.net/DefconRussia/marcus-niemietz-ui-redressing-and-clickjacking-about-click-fraud-and-data-theft
Special thanks to

Finux Tech Weekly – Episode 17 – mins 31-49
http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3
Finux Tech Weekly – Episode 12 – mins 33-38
http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3
http://www.finux.co.uk/episodes/ogg/FTW-EP12.ogg
Exotic Liability – Episode 83 – mins 49-53
http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah

Adi Mutu (@an_animal), Alessandro Fanio González, Anant Shrivastava, Andrés Morales, Andrés Riancho (@w3af), Ankush Jindal, Assem Chelli, Azeddine Islam Mennouchi, Bharadwaj Machiraju, Chris John Riley, Gareth Heyes (@garethheyes), Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Krzysztof Kotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz), Mario Heiderich (@0x6D6172696F), Martin Johns, Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci), OWASP Testing Guide contributors

All those OWTF students that tried to participate in the GSoC even if they couldn't make it this time