BIO
• Web application penetration tester with over 5 years of experience in the information security field.
• Ahmed currently holds a position as information security engineer at EG-CERT, where he is responsible for conducting penetration testing for different governmental entities.
• Ahmed started his career as a web developer and then moved to the information security field. He has also contributed to many security projects and was co-founder of the "iScanner" project.
• He has been acknowledged by many organizations for finding security issues in their websites as part of bug-bounty programs, including Yahoo, eBay, Adobe and LinkedIn.
Agenda
• Security in corporates.
• Web technologies.
• OWASP security testing methodologies.
• The most important phase in security testing.
• Camouflage.
• Common web attacks.
• Real-world examples in well-known organizations.
• Play with script kiddies.
• Demo.
• Questions?
Security in corporates
• Corporates use highly priced security software for:
  Anti-virus.
  Firewall with deep packet inspection.
  IDS – Intrusion Detection Systems.
  IPS – Intrusion Prevention Systems.
  Honeypots.
  Dashboards, real-time visualizations.
Why? 80% of all security breaches take place due to unpatched software, in other words, due to not applying the security or reliability fixes released by the vendor for the installed software.
What about the other 20%?
A penetration test is a proactive and authorized attempt to evaluate the security of an organization's infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configuration, and even risky end-user behavior. Penetration testing is an and .
• This testing methodology approach is based on the OWASP web application penetration testing method.
• Information gathering.
• Configuration and deployment management testing.
• Identity management testing.
• Authentication testing.
• Authorization testing.
• Session management testing.
• Input validation testing.
• Testing for error handling.
• Testing for weak cryptography.
• Business logic testing.
• Client-side testing.
• Conduct search engine discovery and reconnaissance for information leakage.
• Fingerprint the web server.
• Review web server metafiles for information leakage.
• Enumerate applications on the web server.
• Review web page comments and metadata for information leakage.
• Identify application entry points.
• Map execution paths through the application.
• Fingerprint the web application framework.
• Fingerprint the web application.
• Map the application architecture.
This section describes how to test the robots.txt file for information leakage of the web application's directory or folder path(s).
Information leakage of the web application's directory or folder path(s): robots.txt is the list of directories that Spiders, Robots, or Crawlers are asked to avoid, so it also tells anyone who reads it which paths exist.
Web application discovery is a process aimed at identifying the web applications hosted on a given infrastructure.
1. Different base URLs. Ex: example.com/url1, example.com/url2. Tools: DirBuster, Burp Intruder, search engines ("site:example.com").
2. Non-standard ports: web applications may be associated with arbitrary TCP ports. Ex: example.com:8000. Tools: Nmap.
3. Virtual hosts: DNS allows a single IP address to be associated with one or more symbolic names. Ex: IP address 41.xx.xx.xx might be associated with the DNS names www.example.com and mail.example.com.
Test Objectives
Understand how requests are formed and what the typical responses from the application look like.
Requests:
• Identify where GETs are used and where POSTs are used.
• Within POST requests, pay special attention to any hidden parameters.
• Identify all the parameters of the query string. These are usually in a pair format, such as foo=bar.
• Pay attention to any additional or custom headers not typically seen (such as debug=False).
Responses:
• Identify where new cookies are set (Set-Cookie header), modified, or added to.
• Identify where there are any redirects (3xx HTTP status codes), 400 status codes (in particular 403 Forbidden), and 500 Internal Server Errors during normal responses.
• Also note where any interesting headers are used. For example, "Server: BIG-IP" indicates that the site is load balanced.
The goal is to identify the type of web application and the web framework in use, so as to better target the security testing methodology.
There are several common locations to look in to identify the framework in use:
HTTP headers, cookies, HTML source code, specific files and folders.
• Meta generator tag.
• Server header.
• X-Powered-By header.
• Other headers such as X-AspNet-Version.
• Known paths (wp-content for WordPress).
• File extensions.
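The checks listed above, and the robots.txt review from the earlier slide, are easy to run against your own site to see what it discloses. The script below is an added example, not code from the original slides; the HTTP headers, HTML page and robots.txt it inspects are constructed samples embedded inline so it runs offline, and the header and path signatures are a small illustrative set rather than a complete fingerprint database.

```python
"""Review what a web server discloses about its stack and hidden paths.

Added example (not from the original slides). Runs on constructed sample
responses so it works offline; the signature lists are illustrative only.
"""
import re

# Constructed sample response, standing in for a real HTTP reply.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.4" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="/wp-includes/js/jquery.js"></script>
</head><body><a href="/login.php">login</a></body></html>"""
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
"""

# Signatures: (header to read, regex on its value, what a match suggests).
HEADER_HINTS = [
    ("Server", r"Apache", "Apache httpd"),
    ("Server", r"nginx", "nginx"),
    ("X-Powered-By", r"PHP", "PHP"),
    ("X-Powered-By", r"ASP\.NET", "ASP.NET"),
    ("X-AspNet-Version", r".", "ASP.NET (version header present)"),
    ("Set-Cookie", r"PHPSESSID", "PHP session cookie"),
    ("Set-Cookie", r"JSESSIONID", "Java servlet container"),
]
# Signatures on known paths and file extensions seen in the HTML source.
PATH_HINTS = [
    (r"/wp-(content|includes)/", "WordPress"),
    (r"\.php\b", "PHP"),
    (r"\.aspx?\b", "ASP.NET"),
]


def fingerprint(headers, html):
    """Return sorted, unique technology hints found in headers and HTML."""
    found = set()
    for name, pattern, hint in HEADER_HINTS:
        value = headers.get(name)
        if value and re.search(pattern, value, re.IGNORECASE):
            found.add(f"{hint} (header {name}: {value})")
    # Meta generator tag, e.g. <meta name="generator" content="WordPress 5.4">
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', html, re.IGNORECASE)
    if m:
        found.add(f"meta generator: {m.group(1)}")
    for pattern, hint in PATH_HINTS:
        if re.search(pattern, html, re.IGNORECASE):
            found.add(f"{hint} (path or extension in HTML)")
    return sorted(found)


def disallowed_paths(robots_txt):
    """Return the Disallow entries of a robots.txt: paths the site asks
    crawlers to skip, and therefore paths it admits exist."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    for item in fingerprint(SAMPLE_HEADERS, SAMPLE_HTML):
        print("discloses:", item)
    print("robots.txt points at:", disallowed_paths(SAMPLE_ROBOTS))
```

Every hit is something a hardening pass can act on: remove or genericize the Server and X-Powered-By headers, drop the generator meta tag, and keep sensitive paths out of robots.txt (protect them with authentication instead of hoping crawlers stay away).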
Common web attacks
• Cross-Site Scripting (XSS).
• Cross-Site Request Forgery (CSRF).
• Session management.
• SQL injection.
• Directory traversal.
• Command injection.
XSS is a vulnerability present in websites or web applications that allows attackers to insert their own client-side code (normally JavaScript) into those web pages. Types of XSS:
• Stored XSS.
• Reflected XSS.
• DOM-based XSS.
Reflected attacks are those where the injected code is reflected off the web server.
When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
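The reflection described above comes down to one line of server code that echoes a parameter into HTML without encoding it. The following is an added example, not code from the original slides: a constructed search handler in its vulnerable form beside the hardened form, driven by a constructed link of the kind a user might be tricked into clicking.

```python
"""Reflected XSS: a search page that echoes its query parameter.

Added example (not from the original slides). Both handlers are
constructed for illustration: the vulnerable one builds HTML by string
interpolation, the hardened one HTML-encodes the untrusted value first.
"""
from html import escape
from urllib.parse import parse_qs, urlparse


def render_search_vulnerable(query: str) -> str:
    """Echoes the raw parameter into the page; any markup in it is rendered."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Echoes the parameter HTML-encoded, so the browser shows it as text.
    escape() turns < > & " ' into entities; use it for HTML body/attribute
    context (JavaScript or URL contexts need their own encoders)."""
    return f"<p>Results for: {escape(query, quote=True)}</p>"


def handle_request(url: str, hardened: bool) -> str:
    """Simulates a GET handler: extract ?q= from the URL and render the body."""
    params = parse_qs(urlparse(url).query)
    query = params.get("q", [""])[0]
    return render_search_safe(query) if hardened else render_search_vulnerable(query)


# Constructed link carrying script in the reflected parameter.
CRAFTED_LINK = "https://shop.example/search?q=<script>alert(1)</script>"
NORMAL_LINK = "https://shop.example/search?q=shoes"


if __name__ == "__main__":
    print("vulnerable:", handle_request(CRAFTED_LINK, hardened=False))
    print("hardened:  ", handle_request(CRAFTED_LINK, hardened=True))
```

In the vulnerable output the `<script>` element reaches the browser intact and runs in the site's origin; in the hardened output it arrives as `&lt;script&gt;` and is merely displayed. Output encoding at the point of rendering is the primary fix; a Content-Security-Policy header is a useful second layer but not a substitute.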
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
An attacker may thus force the users of a web application to execute actions of the attacker's choosing.
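The attack works because the browser attaches the victim's session cookie to any request, wherever the request was triggered from. The standard countermeasure is a per-session secret that only the site's own pages can include. Below is an added example, not code from the original slides, with a constructed session store and form handler standing in for a real web framework.

```python
"""Synchronizer-token defence against CSRF.

Added example (not from the original slides). The session dict and the
transfer handler are constructed stand-ins for a real web framework.
"""
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Create a per-session token; the site embeds it in every
    state-changing form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    """Compare the submitted token with the one stored in the session."""
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session: dict, form: dict) -> tuple:
    """A state-changing POST handler for an authenticated user.
    The cookie-based session is already established; the token check is
    what distinguishes a request from our own page from a forged one."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return (403, "rejected: CSRF token missing or invalid")
    return (200, f"transferred {form['amount']} to {form['to']}")


def demo() -> tuple:
    """Returns the status codes for a legitimate, a forged and a guessed request."""
    session = {"user": "alice"}  # constructed: alice is logged in
    token = issue_csrf_token(session)
    # Form rendered by the site itself carries the token.
    legit = {"to": "bob", "amount": "10", "csrf_token": token}
    # Forged form on a third-party page: the browser still sends alice's
    # cookies, but the attacker's page cannot read her token to include it.
    forged = {"to": "mallory", "amount": "1000"}
    # Even a random guess of the right length fails the comparison.
    guessed = {"to": "mallory", "amount": "1000",
               "csrf_token": secrets.token_urlsafe(32)}
    return (handle_transfer(session, legit)[0],
            handle_transfer(session, forged)[0],
            handle_transfer(session, guessed)[0])


if __name__ == "__main__":
    print(demo())  # legitimate, forged, guessed
```

The token must be tied to the session and never exposed to other origins (no leaking it in URLs or in cross-origin-readable responses). Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control.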
SQL injection is a code injection technique used to attack an application by sending input from a user-controlled source that is later interpreted and executed by the SQL database. SQL injection attacks work because the input taken from the user is combined, unfiltered or poorly filtered, with a SQL statement that is passed to the database, which allows the user filling in the form to manipulate the query.
An attacker may exploit a SQL injection vulnerability to retrieve data from the database or escalate to execute commands on the system.
Typical steps:
• Identify the vulnerability.
• Fingerprint the server.
• Enumerate data from the database.
• Upload a backdoor.
Error-based: using SQL errors, we extract data from the system error message. Example:
"Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in".
Blind SQL injection is a type of attack that runs valid queries on the database, often using timing along with true-or-false conditions.
The results from the timing attacks and the true-or-false evaluations can help determine whether the system is vulnerable.
This attack method is used when the web application is configured NOT to show generic error messages.
Fingerprinting
Knowing the system architecture aids the attacker in crafting specific SQL injection queries that will later be used to steal data.
UNION SELECT
UNION allows the joining of another query to the first query, effectively merging their results into one set.
SELECT * FROM orders WHERE id = 1 UNION SELECT 1,2,3,4,5,...,x;
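To make the mechanism concrete, both for the definition of SQL injection given earlier (user input combined unfiltered with a SQL statement) and for the UNION SELECT slide, here is an added example that is not code from the original slides. It uses an in-memory SQLite database with constructed tables (an `orders` table as on the slide, plus a `users` table) and shows the string-built query beside its parameterized fix.

```python
"""SQL injection: string-built query beside its parameterized fix.

Added example (not from the original slides). The in-memory SQLite
database, its tables and the inputs are all constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: the slide's orders table plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER, item TEXT, amount REAL);
        INSERT INTO orders VALUES (1, 'widget', 9.99), (2, 'gadget', 19.5);
        CREATE TABLE users (id INTEGER, name TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2');
    """)
    return conn


def lookup_order_vulnerable(conn, order_id: str):
    """Concatenates user input straight into the statement: the input is
    parsed as SQL, so it can append a UNION and pull other tables."""
    sql = f"SELECT id, item, amount FROM orders WHERE id = {order_id}"
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, order_id: str):
    """Binds the input as a parameter: the database receives it as a
    value to compare against, never as part of the SQL text."""
    return conn.execute(
        "SELECT id, item, amount FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


# Constructed input following the slide's UNION SELECT pattern. The second
# query must return the same number of columns (3) as the first.
UNION_INPUT = "1 UNION SELECT id, name, secret FROM users"


def demo() -> dict:
    """Run both lookups with a normal id and with the UNION input."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_order_vulnerable(conn, "1"),
        "vulnerable_union": lookup_order_vulnerable(conn, UNION_INPUT),
        "safe_normal": lookup_order_safe(conn, "1"),
        "safe_union": lookup_order_safe(conn, UNION_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the string-built query the result set contains the order row and, merged in by the UNION, the user's secret. With the bound parameter the same input is compared as a literal string against the integer `id` column, matches nothing, and returns an empty list; the statement structure cannot change. In real code, add input validation on top (an order id should be an integer before it ever reaches the query) and grant the application's database account only the privileges it needs, so that a remaining flaw cannot escalate to reading other tables or running system commands.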
SQLMAP
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
Status code   Meaning
1xx           Informational
2xx           Successful
3xx           Redirection
4xx           Client error (e.g. 400 Bad Request)
5xx           Server error (e.g. 500 Internal Server Error)