Web Application Assessments: Reconnaissance and Profiling
TRANSCRIPT
![Page 1: Web Application Assesments: Reconnaisance and Profiling](https://reader031.vdocuments.net/reader031/viewer/2022020702/61fb1a732e268c58cd5a3002/html5/thumbnails/1.jpg)
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Web Application Assessments: Reconnaissance and Profiling
Vicente Aguilera Díaz
OWASP Spain Chapter Leader
CISA, CISSP, ITIL, CEH|I, OPST, [email protected] 6th, 2008
Faro (Portugal)
2OWASP
About the instructor
Vicente Aguilera Díaz
CISA, CISSP, ITIL, CEH Instructor, OPST, OPSA
Co-founder of Internet Security Auditors
OWASP Spain Chapter Leader
Contributor to the OWASP Testing Guide v2, WASC Threat Classification v2, WASC Articles and OISSG ISSAF projects
Technical council member of the Spanish magazine RedSeguridad
Received an award in 2008 from the Spanish magazine SIC
Published vulnerabilities (Oracle, Squirrelmail, ...) and spoke at security conferences (OWASP, RedIRIS, HackMeeting, FIST, IGC) about WebAppSec
Easy to remember...
Vicente Aguilera Díaz
Cristina Cameron
Agenda
1. Introduction
2. Web Application Discovery
3. Information Gathering
4. Attack Vectors Analysis
5. Examples in the real world
6. References
1. Introduction
Reconnaissance is the initial phase of any application pentest
It takes up most of the time of an attack
It involves manual and automated techniques
More information = more successful attacks
Any piece of information is useful
It is necessary to understand the application
Before executing an attack it is necessary to develop a methodical plan
Scope of this presentation
[Flow diagram; labels recovered from the slide]
I want to attack a webapp -> Target Identification -> Application Discovery -> Information Gathering -> Attack Vectors Analysis
The two end boxes: Exploit! (the Hacker's path) and Specific Testing Design (the Pentester's path)
Reconnaissance and Profiling covers Application Discovery, Information Gathering and Attack Vectors Analysis
Physical world example: "The terrible event of New York of September 11, 2001"
1996: a terrorist presented the idea to Osama bin Laden. (*) [I want to attack a webapp]
1999: target selection and travel arrangements for the hijackers. (*) [Application Discovery]
2000: the terrorists took flying lessons. (*) [Information Gathering]
The terrorists gathered maps, photos and videos, and carried out analysis. (*) [Attack Vectors Analysis]
2001: the attack is carried out in a few hours. (*) [Exploit]
Years of preparation to carry out an attack within hours!
(*) http://en.wikipedia.org/wiki/September_11_attacks
Key stages:
Stage I: Web Application Discovery
Stage II: Information Gathering
Stage III: Attack Vectors Analysis
2. Stage I: Web Application Discovery
A pentest must test all the web applications accessible through the target
A web server can hide different applications. How?
1. Different base URL
2. Non-standard ports
3. Virtual hosts
Hidden applications based on a different base URL
Suppose that http[s]://www.example.com returns:
"No web server configured at this address" (or a similar message).
But there may still be accessible applications:
http[s]://www.example.com/app1
http[s]://www.example.com/somepath/app2
http[s]://www.example.com/some-strange-URL
Hidden applications based on a different base URL
How to discover these applications?
Taking advantage of directory browsing
References from other web pages
Analyzing the application code
Probing for candidate URLs. For example:
– /admin/
– /downloads/
– /partners/
When probing, compare each response against the server's answer for a path that cannot exist: a server that returns 200 for every URL would otherwise turn every candidate into a false positive.
Resource enumeration/discovery tools:
– DirBuster
Hidden applications based on non-standard ports
The application need not be on port 80 or 443. For example:
http[s]://www.example.com:35000
Hidden applications based on non-standard ports
How to discover these applications?
A full scan of the whole 64k TCP port space is required
Example: nmap -PN -sT -sV -p0-65535 <ip>
Sending a request (with any HTTP method) to each port detected and observing the response confirms the discovery; -sV will usually already label an HTTP service wherever it listens, and the manual request shows which application answers there
Hidden applications based on virtual hosts
A single IP address can have one or more symbolic names associated with it. For example, the IP address 192.168.1.61 might be associated with the DNS names:
www.example.com
webmail.example.com
intranet.example.com
Hidden applications based on virtual hosts
How to discover these applications?
DNS zone transfers (a correctly configured name server refuses them, so expect AXFR to fail)
dig @dns domain -t AXFR
DNS inverse (reverse) queries
dig @dns -x <IP>
Web-based DNS searches
http://searchdns.netcraft.com/?host=microsoft.com
http://whois.webhosting.info/x.x.x.x
http://search.msn.com (syntax: "ip:x.x.x.x")
Googling
Requesting the IP directly with each candidate name in the Host header, and keeping the names that do not return the default site
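The two probing techniques of this stage, candidate base URLs and candidate virtual-host names, share one check: compare each response against what the server returns for something that cannot exist. The block below is an added example written for this page, not the presenter's tooling; the target address 192.0.2.10, the host names, the paths and the fake server are constructed so it runs offline. In real use the transport would wrap http.client or requests.

```python
"""Discover hidden web applications by candidate base URL and by virtual-host
name, measuring every answer against a 'not found' baseline so a server that
returns 200 for everything (a soft 404) does not flood the result with false
positives.  Example code added to this page, not the presenter's tooling: the
target IP, host names, paths and the fake server below are constructed."""
import hashlib
import uuid
from typing import Callable, Dict, List, Tuple

# A transport fetches `url` with the given Host header and returns
# (status, body).  Real use wraps http.client or requests; the demo injects a fake.
Transport = Callable[[str, str], Tuple[int, str]]
Signature = Tuple[int, int, str]


def signature(status: int, body: str) -> Signature:
    """Cheap response signature: status, body length and a body hash.
    Responses with equal signatures are treated as the same page."""
    return status, len(body), hashlib.sha256(body.encode()).hexdigest()[:12]


def not_found_baseline(transport: Transport, base: str, host: str) -> Signature:
    """Ask for a path that cannot exist to learn what 'not found' looks like
    on this server, whatever status code it chooses to send."""
    return signature(*transport(f"{base}/{uuid.uuid4().hex}/", host))


def probe_paths(transport: Transport, base: str, host: str,
                candidates: List[str]) -> List[str]:
    """Stage I, 'different base URL': keep the candidates whose response
    differs from the baseline.  A 3xx, 401 or 403 counts as a discovery too:
    something is configured there even if it is not yet readable."""
    baseline = not_found_baseline(transport, base, host)
    return [p for p in candidates if signature(*transport(base + p, host)) != baseline]


def probe_vhosts(transport: Transport, base: str, names: List[str]) -> List[str]:
    """Stage I, 'virtual hosts': request '/' on the same IP with each name in
    the Host header and keep the names that do not get the default site.
    A name that is itself the default virtual host is indistinguishable from
    the baseline and will not show up here; it is already known from DNS."""
    default = signature(*transport(base + "/", f"{uuid.uuid4().hex}.invalid"))
    return [n for n in names if signature(*transport(base + "/", n)) != default]


# --- constructed target for a stand-alone run; not a real server ---
BASE = "http://192.0.2.10"
PAGES: Dict[Tuple[str, str], Tuple[int, str]] = {
    ("www.example.com", "/app1/"): (200, "<html>app1 login</html>"),
    ("www.example.com", "/admin/"): (401, "Authorization Required"),
    ("intranet.example.com", "/"): (200, "<html>Intranet portal</html>"),
}


def fake_transport(url: str, host: str) -> Tuple[int, str]:
    """Unknown paths and unknown Host headers all get the default page with
    status 200, so a scanner keyed on status codes alone would report every
    candidate as a hit."""
    path = url[len(BASE):]
    return PAGES.get((host, path), (200, "No web server configured at this address"))


if __name__ == "__main__":
    print(probe_paths(fake_transport, BASE, "www.example.com",
                      ["/app1/", "/admin/", "/downloads/", "/partners/"]))
    print(probe_vhosts(fake_transport, BASE,
                       ["www.example.com", "webmail.example.com", "intranet.example.com"]))
```

Against the constructed server the path probe reports /app1/ and /admin/ (the 401 is a discovery: an authentication-protected application lives there) and rejects /downloads/ and /partners/ despite their 200 status; the virtual-host probe reports only intranet.example.com, because www.example.com is the default site and webmail.example.com is unknown to this server. Body hashing is deliberately crude: pages with per-request tokens or timestamps need a normalised signature (strip the volatile part first) or a length-tolerance instead of an exact match.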
A penetration test or an application-focused assessment must identify all the applications available, and select those that are in scope for analysis
Each application discovered can have known vulnerabilities and known attack strategies that can be exploited in order to gain remote control or access to data
Security through obscurity is a weak security control
It is necessary to implement additional security layers at different levels
As a result of this stage, we have a list of webapp targets:
IP(s), domain(s), URL(s)
3. Stage II: Gathering Information
Main purpose:
To create a base of knowledge useful in later stages (attacks?)
The information should be as accurate as possible
The information obtained will drive the attacks
The questions are...
Which issues should be reviewed?
How to obtain useful information?
Which issues should be reviewed?
Relating to:
Platform
Application
Users
Attack surface
How to obtain useful information?
Through:
Search engines
Information repositories (including people!)
– http://www.nettrace.com.au/resource/search/people.html
The target application
Platform
Technologies
Web/Application servers
Authentication type and resources
Database fingerprinting
OS fingerprinting
Third-party components
Platform : Technologies
Technologies analysis
For example: ASP.NET, JSP, PHP, Javascript, CGIs
How?
File extension
– .aspx : .NET application
Error messages
– .NET errors : .NET application
– Stack traces : Java
– Source code disclosure
Code analysis
– public code (and private downloaded code!)
Cookies: JSESSIONID (Java), PHPSESSID (PHP)
Platform : Web/Application servers
Web/Application servers analysis
For example: IIS/6.0, Tomcat, WebLogic Server 10
How?
HTTP headers analysis
– Server-specific headers and header order
– Response codes and reason phrases
Error pages
Tools:
– netcat
– httprint
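The non-standard port confirmation, the technology identification and the web/application server analysis passages above all read the same artifact: one raw HTTP response. The block below is an added example for this page, not a tool the presenter used; it parses a response the way a scanner would after connecting with netcat, then reports what the status line, Server and X-Powered-By headers, session-cookie names, URL extension and error text give away. The lookup tables are illustrative rather than complete, and the two sample responses (a .NET application on port 35000 leaking a SQL Server error, and an SMTP banner) are constructed.

```python
"""Profile a web platform from one raw HTTP response: the status line proves
an HTTP service is listening (useful on a port nmap found open), Server and
X-Powered-By name the server, session-cookie names and URL extensions betray
the technology, and error text in the body hints at the database.  Example
code added to this page, not a tool the presenter used; the lookup tables are
illustrative and the sample responses are constructed."""
import re
from typing import Dict, List, Optional

# Default session-cookie names of common platforms (illustrative, not complete).
COOKIE_TECH = {
    "JSESSIONID": "Java servlet container",
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": ".NET",
    "ASPSESSIONID": "classic ASP",
    "CFID": "ColdFusion",
}
EXTENSION_TECH = {".aspx": ".NET", ".asp": "classic ASP", ".jsp": "Java (JSP)",
                  ".php": "PHP", ".cgi": "CGI", ".do": "Java (Struts)"}
# Error-message fragments that name the database behind the application.
DB_ERROR_PATTERNS = [
    (re.compile(r"ORA-\d{5}"), "Oracle"),
    (re.compile(r"You have an error in your SQL syntax"), "MySQL"),
    (re.compile(r"Unclosed quotation mark|OLE DB Provider for SQL Server"), "SQL Server"),
    (re.compile(r"PostgreSQL|pg_query\("), "PostgreSQL"),
]


def parse_response(raw: bytes) -> Optional[Dict]:
    """Split a raw response into status line, headers and body.  Header names
    are lower-cased and values kept as lists so repeated Set-Cookie survive.
    Returns None when the bytes are not an HTTP response at all."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/(\d\.\d) (\d{3}) ?(.*)", lines[0])
    if not m:
        return None
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"version": m.group(1), "status": int(m.group(2)), "reason": m.group(3),
            "headers": headers, "body": body.decode("latin-1", "replace")}


def profile_response(raw: bytes, url: str = "") -> Dict:
    """Everything the response gives away, in one record."""
    resp = parse_response(raw)
    if resp is None:
        return {"http": False}
    h = resp["headers"]
    tech = set()
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_TECH:
            tech.add(COOKIE_TECH[name])
    path = url.split("?", 1)[0].lower()
    tech.update(t for ext, t in EXTENSION_TECH.items() if path.endswith(ext))
    dbs = {label for pat, label in DB_ERROR_PATTERNS if pat.search(resp["body"])}
    return {"http": True, "status": resp["status"], "reason": resp["reason"],
            "server": h.get("server", [None])[0],
            "powered_by": h.get("x-powered-by", [None])[0],
            "technology": sorted(tech), "database": sorted(dbs)}


# Constructed responses: a .NET application on port 35000 leaking a SQL Server
# error, and an SMTP banner from a port that is not HTTP at all.
SAMPLE_HTTP = (b"HTTP/1.1 500 Internal Server Error\r\n"
               b"Server: Microsoft-IIS/6.0\r\n"
               b"X-Powered-By: ASP.NET\r\n"
               b"Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
               b"Set-Cookie: lang=en; path=/\r\n"
               b"Content-Type: text/html\r\n\r\n"
               b"<html>Unclosed quotation mark after the character string ''.</html>")
SAMPLE_SMTP = b"220 mail.example.com ESMTP ready\r\n"

if __name__ == "__main__":
    print(profile_response(SAMPLE_HTTP, "http://www.example.com:35000/login.aspx?id=1"))
    print(profile_response(SAMPLE_SMTP))
```

Headers are evidence, not proof: Server and X-Powered-By can be rewritten by a reverse proxy or removed outright, which is why httprint-style fingerprinting also weighs header order and the exact reason phrases. Session-cookie names and file extensions are harder to disguise because changing them touches the application, so a disagreement between the two sources (a PHPSESSID cookie behind a "Microsoft-IIS" banner, say) is itself worth recording.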
Platform : Authentication type and resources
Authentication type and resources analysis
For example: form based, HTTP Basic, NTLM
Which information is used to authenticate?
Resources, for example:
– /admin/
– /intranet/login.jsp
How?
Application browsing
Resource discovery
HTTP headers analysis (e.g. WWW-Authenticate)
Platform : Database fingerprinting
Database usage/type analysis
For example: SQL Server, Oracle, MySQL
How?
Error messages
Probing with different SQL injections
– Database-specific syntax
Public documentation about the webapp?
Database fingerprinting tools
Platform : OS fingerprinting
OS fingerprinting analysis
For example: Windows 2000 SP2, Linux, Cisco IOS
How?
Simple: forcing the system to display its banner
TCP-based techniques
Tools
– www.netcraft.com
– p0f
– nmap
Platform : Third-party components
Third-party components analysis
For example: banners, embedded code
How?
Browsing the application
Application
Standard software
Purpose
Web based administration
Client/Server side validation
Features related to authentication
Session state
Anti-automation systems
Error handling
Application : Standard software
Standard software analysis
For example: Drupal, Wordpress, phpBB
How?
Search for known resources at known locations
Error message pages
Client code analysis
Application : Purpose
Purpose analysis
For example: web banking, ticket sales, CRM
How?
Browsing the application
Client code analysis
Resource enumeration/discovery
Application : Web based administration
Web based administration analysis
For example: /backdoor, /admin
How?
Browsing the application
Evading access restrictions
Creating an account in the application
robots.txt
Application : Client/Server side validation
Client/Server side validation analysis
For example: only client side validation
How?
Removing restrictions on the client side
Forcing input parameters to certain values
Application : Features related to authentication
Features related to authentication analysis
For example: password recovery, user registration
How?
Browsing the application
Creating an account in the application
Analyzing which functionalities allow a user to authenticate
Application : Session state
Session state analysis
For example: session cookie, hidden field, URL
How?
Analyzing requests in authenticated mode
Reviewing application cookies
Client code analysis
Application : Anti-automation systems
Anti-automation systems analysis
For example: CAPTCHAs, account lockout
How?
Identify which features can be executed by an automated process
Identify the mechanism(s) that prevent an automated process
Application : Error handling
Error handling analysis
For example: customized error pages, display of controlled/uncontrolled error messages
How?
Analyzing error scenarios
Provoking error situations that may not be controlled by the application
Users
Roles
Application users typology
Users : Roles
Roles analysis
For example: administrator, manager, demo, standard user
How?
Analyzing client code
Spoofing users
Evading access restrictions
Users : Application users typology
Application users typology analysis
For example: internal users, partners, public
How?
Browsing the application
Analyzing client code
Attack Surface Analysis
Elements:
Code
Entry points
Services
Protocols
Attack Surface Analysis : Code
There will always be vulnerabilities in the code
More code = more vulnerabilities
The aim of this stage is to identify/enumerate all the accessible code
Public code and code reachable by remote users is particularly sensitive
Attack Surface Analysis : Entry points
It is necessary to identify all the entry points to the application
More entry points = more attack vectors
Some examples of entry points:
URL parameter
Hidden field
Cookie
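The entry-point inventory this stage asks for can be built mechanically from each page and its response headers, and doing so also answers two earlier questions: where session state lives (cookie, hidden field or URL) and which input restrictions exist only on the client side. The block below is an added example for this page, not the presenter's tooling; it extracts form fields, link parameters and cookies from one page, flagging hidden fields and browser-only checks such as maxlength. The sample page, form names and cookies are constructed.

```python
"""Enumerate the entry points of one page, the inputs the server will read:
form fields (hidden ones and client-side restrictions flagged), query
parameters in links, and cookies the response sets.  Example code added to
this page, not the presenter's tooling; the page and cookie header below are
constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Attributes that restrict input only in the browser.  Each one is a hint that
# the server may not re-check the value: strip it and resend.
CLIENT_ONLY_CHECKS = ("maxlength", "pattern", "readonly", "disabled", "min", "max")


class EntryPointParser(HTMLParser):
    """Collect forms with their inputs, and links that carry a query string."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self.links: List[Dict] = []
        self._form: Optional[Dict] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").upper(), "inputs": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            self._form["inputs"].append({
                "name": a.get("name"),
                "type": (a.get("type") or "text").lower(),
                "client_checks": [k for k in CLIENT_ONLY_CHECKS if k in a],
            })
        elif tag == "a" and a.get("href"):
            params = [k for k, _ in parse_qsl(urlsplit(a["href"]).query, keep_blank_values=True)]
            if params:
                self.links.append({"href": a["href"], "params": params})

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._form = None


def enumerate_entry_points(html: str, set_cookie_headers: List[str]) -> List[Dict]:
    """One record per entry point.  Hidden fields and cookies are called out
    separately: the user never sees them, yet the server reads them."""
    parser = EntryPointParser()
    parser.feed(html)
    points: List[Dict] = []
    for form in parser.forms:
        for inp in form["inputs"]:
            if not inp["name"]:          # unnamed controls are never submitted
                continue
            points.append({"kind": "hidden field" if inp["type"] == "hidden" else "form field",
                           "name": inp["name"], "via": f"{form['method']} {form['action']}",
                           "client_checks": inp["client_checks"]})
    for link in parser.links:
        for name in link["params"]:
            points.append({"kind": "url parameter", "name": name,
                           "via": link["href"], "client_checks": []})
    for cookie in set_cookie_headers:
        points.append({"kind": "cookie", "name": cookie.split("=", 1)[0].strip(),
                       "via": "Set-Cookie", "client_checks": []})
    return points


# Constructed page: a transfer form with a hidden account number and a
# client-side length limit, a search link with two parameters, and two cookies
# (a session id and a role stored client-side, which is itself a finding).
SAMPLE_HTML = """
<html><body>
<form action="/transfer.do" method="post">
  <input type="hidden" name="account" value="12345">
  <input type="text" name="amount" maxlength="6">
  <select name="currency"><option>EUR</option></select>
  <input type="submit" value="Send">
</form>
<a href="/search.jsp?q=test&amp;page=1">search</a>
<a href="/about.html">about</a>
</body></html>
"""
SAMPLE_COOKIES = ["JSESSIONID=1A2B3C; Path=/", "role=user; Path=/"]

if __name__ == "__main__":
    for point in enumerate_entry_points(SAMPLE_HTML, SAMPLE_COOKIES):
        print(point)
```

On the sample page the inventory has seven entries: the hidden account field and the amount field with its client-only maxlength on the POST to /transfer.do, the currency selector, the q and page parameters of the search link, and the JSESSIONID and role cookies. Each is a place to send something the developer did not expect; the hidden field and the role cookie are the ones to try first, since both are values the server appears to trust without the user ever typing them. Inputs added by JavaScript after page load are not seen by a static parser; the authenticated-mode request capture the Session state passage recommends fills that gap.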
Attack Surface Analysis : Services
An excess of services increases the exposure area
It is useful to detect the privilege level with which these services are accessed
The aim of this stage is to identify/enumerate all the available services and their privilege level
Attack Surface Analysis : Protocols
The most important:
TCP / UDP
UDP increases the attack surface
The aim of this stage is to identify/enumerate all the available protocols
4. Stage III: Attack Vectors Analysis
On the basis of the information gathered in the previous phases, it is possible to identify the attack vectors most likely to succeed
Standard software?
Disk access?
Database access?
Which information is used to authenticate a user?
Anti-automation systems?
Third-party components?
Relationships with other systems?
Critical operations?
5. Examples in the real world
Exploiting real vulnerabilities in real applications from the Real Santa Eulália Hotel:
IMAP/SMTP Injection in Squirrelmail
CSRF in Gmail
??? in Oracle
IMAP/SMTP Injection in Squirrelmail
Suppose that we have obtained the following information from the previous stages:
Application Discovery:
http://x.x.x.x/sm/login.php
Information Gathering:
Squirrelmail 1.4.4
Attack Vectors Analysis:
IMAP/SMTP Injection
IMAP/SMTP Injection in Squirrelmail
Remember...
IMAP/SMTP Injection:
allows arbitrary injection of IMAP or SMTP commands into the mail servers through a web application that improperly validates user-supplied data.
IMAP/SMTP Injection in Squirrelmail
Some examples of attacks:
Exploitation of vulnerabilities in the IMAP/SMTP protocol
Application restriction evasion
Anti-automation process evasion
Information leaks
Relay/SPAM
The attack process:
Identify vulnerable parameters
Understand the parameter and its context
IMAP/SMTP command injection
IMAP/SMTP Injection in Squirrelmail
Detection and exploit! DEMO
Executing arbitrary IMAP commands (blind injection?)
Evading restrictions (CAPTCHA)
Port scanning internal systems
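The attack process above (find the parameter, understand its context, inject commands) hinges on one mechanism: a web-mail parameter is pasted into a line-oriented protocol, so CRLF in the parameter ends the command the application meant to send and starts commands the attacker chose. The block below is an added example for this page, a generic illustration rather than Squirrelmail's code or the presenter's demo; the command builders, the tag names, the payload and the stand-in "server" that splits the stream into commands are all constructed.

```python
"""IMAP command injection as the Squirrelmail demo describes it: a web-mail
parameter is concatenated into an IMAP command, so CRLF and extra text in the
parameter become extra commands on the connection to the mail server.  Example
code added to this page as a generic illustration; it is not Squirrelmail's
code.  The command builders, the payload and the stand-in server are
constructed."""
import re
from typing import List, Tuple

MSG_ID = re.compile(r"[1-9][0-9]*")


def build_fetch_vulnerable(tag: str, msg_id: str) -> str:
    """FETCH for the message the user picked.  The parameter goes straight
    into the command line: no validation, no escaping."""
    return f"{tag} FETCH {msg_id} BODY[HEADER]\r\n"


def build_fetch_hardened(tag: str, msg_id: str) -> str:
    """Same command, but the parameter must be a message sequence number
    before it gets anywhere near the wire.  Rejecting rather than stripping
    CRLF keeps the log of attempts honest."""
    if not MSG_ID.fullmatch(msg_id):
        raise ValueError("message id must be a positive integer")
    return f"{tag} FETCH {msg_id} BODY[HEADER]\r\n"


def commands_seen_by_server(stream: str) -> List[Tuple[str, str]]:
    """Stand-in for the IMAP server's parser: one command per CRLF-terminated
    line, split into (tag, command).  Shows what the server would execute."""
    commands = []
    for line in stream.split("\r\n"):
        if line:
            tag, _, rest = line.partition(" ")
            commands.append((tag, rest))
    return commands


# Constructed attacker value for the message-id parameter.  It closes the
# legitimate FETCH, appends a LIST (enumerates the victim's mailboxes) and
# opens a third command whose trailing text swallows the rest of the template.
PAYLOAD = '1 BODY[HEADER]\r\nA002 LIST "" *\r\nA003 NOOP'


def demo() -> Tuple[List[Tuple[str, str]], str]:
    """Returns what the server sees from the vulnerable builder and how the
    hardened builder responds to the same payload."""
    injected = commands_seen_by_server(build_fetch_vulnerable("A001", PAYLOAD))
    try:
        build_fetch_hardened("A001", PAYLOAD)
        verdict = "accepted"
    except ValueError as err:
        verdict = f"rejected: {err}"
    return injected, verdict


if __name__ == "__main__":
    seen, verdict = demo()
    for tag, cmd in seen:
        print(f"server executes: {tag} {cmd}")
    print("hardened builder:", verdict)
```

With the vulnerable builder the server receives three tagged commands where the application intended one; the LIST runs with the victim's authenticated IMAP session, which is the "executing arbitrary IMAP commands" item of the demo. Detection during the assessment follows the same shape: put a CRLF and a harmless extra command (NOOP) into each candidate parameter and watch whether the page's behaviour or the server's error text ("BAD", an unexpected tag) changes; when the application hides the server's replies, timing and side effects are what remain, hence the "blind injection?" question on the slide.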
CSRF in Gmail
Suppose that we have obtained the following information from the previous stages:
Application Discovery:
https://www.google.com/accounts/ServiceLogin
Information Gathering:
Google webmail
Attack Vectors Analysis:
CSRF (Cross-site Request Forgery)
CSRF in Gmail
Remember...
CSRF (Cross-site Request Forgery):
forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
CSRF in Gmail
Detection and exploit! DEMO
What has happened to your Gmail password?
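The demo's question answers itself once the mechanism in the definition above is written down: a state-changing request that the application accepts on the strength of the session cookie alone can be triggered by any page the logged-in victim visits. The block below is an added example for this page, not Gmail's code or the presenter's demo; it shows a password-change handler that trusts the cookie, the forged request a hostile page would cause the browser to send, and the same handler protected by a per-session synchronizer token. The session store, the user "alice", the cookie and field names are constructed.

```python
"""CSRF as the Gmail demo frames it: a state-changing request, here a
password change, that the application accepts on the strength of the session
cookie alone, shown beside the same handler protected by a per-session
synchronizer token.  Example code added to this page, not Gmail's code; the
handler, session store, users and requests are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

SESSIONS: Dict[str, Dict[str, str]] = {}      # session id -> {"user", "csrf"}
PASSWORDS: Dict[str, str] = {"alice": "old-password"}


def login(user: str) -> str:
    """Create a session and a CSRF token bound to it; return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


@dataclass
class Request:
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def change_password_vulnerable(req: Request) -> str:
    """Trusts the cookie alone.  The browser attaches that cookie to every
    request to the site, including one a hostile page auto-submits while the
    victim is logged in: that request is indistinguishable from a real one."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return "403 forbidden"
    PASSWORDS[sess["user"]] = req.form.get("new_password", "")
    return "200 password changed"


def change_password_hardened(req: Request) -> str:
    """Also requires the session's token in the form body.  The attacker's
    page cannot read the victim's token (same-origin policy), so a forged
    request arrives without it and is refused before any state changes."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return "403 forbidden"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return "403 csrf token missing or wrong"
    PASSWORDS[sess["user"]] = req.form.get("new_password", "")
    return "200 password changed"


def forged_request(victim_sid: str) -> Request:
    """What reaches the server when the logged-in victim visits the attacker's
    page: attacker-chosen form fields, the victim's cookie, and no token."""
    return Request("POST", cookies={"sid": victim_sid},
                   form={"new_password": "attacker-chosen"})


def run_demo() -> Dict[str, str]:
    """Replay the forged request against both handlers, then a legitimate
    request (with the token) against the hardened one."""
    PASSWORDS["alice"] = "old-password"
    sid = login("alice")
    result = {"vulnerable": change_password_vulnerable(forged_request(sid)),
              "after_vulnerable": PASSWORDS["alice"]}
    PASSWORDS["alice"] = "old-password"
    result["hardened"] = change_password_hardened(forged_request(sid))
    result["after_hardened"] = PASSWORDS["alice"]
    legit = Request("POST", cookies={"sid": sid},
                    form={"new_password": "new-password", "csrf_token": SESSIONS[sid]["csrf"]})
    result["hardened_legit"] = change_password_hardened(legit)
    return result


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

Requiring POST is not a defence: a hidden form on the attacker's page submits a POST just as easily as an image tag fetches a GET. The token works because it travels in the request body, which only a page of the same origin can fill in; verifying it with a constant-time comparison is cheap and removes a timing side channel. Browsers later added the SameSite cookie attribute, which stops the cookie from being attached to cross-site requests in the first place; it complements the token rather than replacing it.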
??? in Oracle
I cannot reveal details of this vulnerability because it is an UNPUBLISHED vulnerability
What does the exploitation of this vulnerability allow?
Access to the target file system
Possible execution of arbitrary operating system commands
??? in Oracle
Downloading the /etc/passwd and /etc/hosts files:
6. References
Professional Pen Testing for Web Applications. Andres Andreu
The Security Development Lifecycle. Michael Howard and Steve Lipner
MX Injection: Capturing and Exploiting Hidden Mail Servers. http://www.webappsec.org/projects/articles/121106.shtml
OWASP Development Guide. http://www.owasp.org/index.php/Category:OWASP_Guide_Project
OWASP Testing Guide. http://www.owasp.org/index.php/Category:OWASP_Testing_Project
and ALL the OWASP Projects! http://www.owasp.org
Thanks!
Any questions?
All your comments will be appreciated