Bare-bones AppSec Testing

Transcription

Bare-bones AppSec Testing
Stephen Deck, GSE, OSCE, CISSP (@ranger cha)
BE INFORMED. BE STRATEGIC. BE SECURE.

OBJECTIVE
- What is AppSec?
- Web app testing methodology
- CTF web app advice

APPSEC AS A DISCIPLINE
- Application Security
- AppSec finds new vulnerabilities in a single application
- Sometimes finds known config issues or vulnerable components
- Different from pentesting
- Pentesting finds known vulns across many systems

WEB APP TESTING METHODOLOGY OVERVIEW
- Use OWASP Testing Guide v4
- Detailed steps for testing apps
- Way more than OWASP Top 10
- Still need to apply some tests to all apps

APPLICATION TESTING PHASES
1. Customer Information
2. Reconnaissance
3. Automated Testing
4. Manual Testing
5. Exploitation
6. Reporting

APPLICATION TESTING PHASES
1. Customer Information
  - Find "dangerous pages"
    - Contact forms, registration, email, etc.
  - In-scope systems
  - Presence of APIs
2. Reconnaissance
  - Find dangerous pages on your own
  - Verify scope of systems
  - Brute-force content

APPLICATION TESTING PHASES
3. Automated Testing
  - Exclude dangerous pages
  - "Fuzzes" application input parameters
  - Good for injection attacks
4. Manual Testing
  - Controlled testing of dangerous pages
  - Fuzzing with Intruder
  - Good for permissions issues
    - Broken Access Control
    - Logic errors
  - Verify automated findings

APPLICATION TESTING PHASES
5. Exploitation
  - Attack found vulnerabilities
  - Attempt to gain command execution
  - Attempt to steal data
  - Attempt to elevate privileges
6. Reporting
  - Include HTTP requests and responses

REAL APPSEC VS CTF
- Real AppSec aims to find ALL vulnerabilities and misconfigurations
- CTF AppSec looks for specific information or code execution
- Enumeration is always key!

CTF APP TESTING PHASES
1. Recon
2. Analyze
3. Test
4. Exploit
5. Escalate

CTF WEB APP ADVICE - RECON
- Start a port scan with service enumeration
- Know the nmap timing options
  - --max-retries, --min-parallelism, --min-rate
- Try to browse to ports 80 and 443, then try odd scan results
- Start dirb/gobuster
- Start nikto
- Start brute-forcing authentication pages (not today)
- Start spidering

NMAP EXAMPLE (August 23, 2018; screenshot slide, output not transcribed)

DIRB EXAMPLE (screenshot slide, output not transcribed)

NIKTO EXAMPLE (two screenshot slides, output not transcribed)

CTF WEB APP ADVICE – ANALYZE & TEST
- Check server responses for secrets
  - Session tokens, flags in comments, flags in headers
- If it is small and custom
  - Use the Paramalyzer Burp plugin
  - Look for
    - File references
    - Encoded/encrypted content
    - File uploads
  - Check all response headers
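The "check server responses for secrets" step above, as an added Python example (not code from the slides): it triages one HTTP response for information-leaking headers, HTML comments, flag-like strings, base64-encoded values and referenced file paths. The sample response, the header names treated as noisy and the flag{...} pattern are assumptions for illustration.

```python
import base64
import re

# Constructed sample HTTP response (hypothetical, not captured from any real system).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    b"X-Debug-Note: staging build\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>\n"
    b"<!-- TODO: remove old backup at /backup/site.zip -->\n"
    b'<form action="/login.php" method="post">\n'
    b'<input type="hidden" name="t" value="ZmxhZ3tlbmNvZGVkX2luX2Zvcm19">\n'
    b"</form>\n<!-- dev: flag{in_a_comment} -->\n</body></html>\n"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
FLAG_RE = re.compile(r"flag\{[^}]*\}", re.I)  # assumed CTF flag format
# Standalone runs of the base64 alphabet, 16+ chars, optional padding.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/])")
FILE_RE = re.compile(r"/[\w./-]+\.(?:zip|bak|old|sql|tar|gz|txt|php)\b")
NOISY_HEADERS = {"server", "x-powered-by", "set-cookie"}  # tech/session leakage


def decode_b64(token):
    """Decode token if it is valid base64 of printable ASCII text, else return None."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("ascii", "replace")
    return text if raw.isascii() and text.isprintable() else None


def analyze_response(raw):
    """Return the headers, comments, flags, decoded base64 and file paths worth a look."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head_text, html = head.decode("latin-1"), body.decode("utf-8", "replace")
    headers = [l for l in head_text.split("\r\n")[1:]  # skip the status line
               if (n := l.split(":", 1)[0].strip().lower()) in NOISY_HEADERS or n.startswith("x-")]
    everything = head_text + html
    decoded = {t: v for t in B64_RE.findall(everything) if (v := decode_b64(t))}
    return {
        "headers": headers,
        "comments": [c.strip() for c in COMMENT_RE.findall(html)],
        "flags": sorted(set(FLAG_RE.findall(everything + " ".join(decoded.values())))),
        "decoded": decoded,
        "files": sorted(set(FILE_RE.findall(everything))),
    }
```

Run it on a saved response from Burp (or on the embedded sample) and read the dictionary it returns; the decoded base64 value is also searched for flags so encoded secrets in hidden fields surface alongside plain ones.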

CTF WEB APP ADVICE – ANALYZE & TEST
- If it is an off-the-shelf app
  - Check Metasploit
  - Look online for more exploits
    - Packetstorm
    - Exploit-DB
    - OSVDB
  - Default credentials

CTF WEB APP ADVICE – FILE REFERENCES (two screenshot slides, not transcribed)

CTF WEB APP ADVICE – FILE UPLOADS (two screenshot slides, not transcribed)

CTF WEB APP ADVICE – EXPLOIT
- Metasploit for COTS
- Rumkin for encoding
- Vulns that give command execution and arbitrary file read
  - Direct file references (insecure direct object reference)
  - File inclusion (remote/local file inclusion)
  - Command injection
  - SQLi (sqlmap, CO2 Burp plugin can help)
  - NoSQL (look for [$eq]-style parameters or try to add one)
- If there are bots, look for XSS

CTF WEB APP ADVICE – REMOTE FILE INCLUSION (screenshot slide, not transcribed)

CTF WEB APP ADVICE – WEBSHELLS (two screenshot slides, not transcribed)

www.owasp.org/images/1/19/OTGv4.pdf

SUMMARY
- AppSec finds new vulnerabilities
- Sometimes finds known issues, less common
- Recon, Attack, Report
- Automation is key

www.directdefense.com
