B-Sides Orlando 2014 - Superbees Wanted

What is bWAPP?

Defense Needed, Superbees Wanted

Malik Mesellem

What is bWAPP? | 2014 Malik Mesellem, all rights reserved.

1

About MeMalik Mesellem

Email| [email protected]

LinkedIn | be.linkedin.com/in/malikmesellem

Twitter | twitter.com/MME_IT

Blog| itsecgames.blogspot.com


2

What is bWAPP?Contents

Defense Needed

bWAPP & bee-box

Web App Pentesting

Hungry Evil Bees

Superbees Wanted


3


Defense Needed

bWAPP & bee-box

Web App Pentesting

Hungry Evil Bees

Superbees Wanted


4

Defense NeededWeb application security is today's most overlooked aspect of securing the enterprise

Hackers are concentrating their efforts on websites and web applications

Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism


5

Defense NeededWhy are web applications an attractive target?

Easily available via the Internet (24/7)

Mission-critical business applications with sensitive data

Often direct access to backend data

Traditional firewalls and SSL provide no protection

Many applications are custom-made == vulnerable


6

Defense NeededWhy are web applications an attractive target?

Easily available via the Internet (24/7)

Mission-critical business applications with sensitive data

Often direct access to backend data

Traditional firewalls and SSL provide no protection

Many applications are custom-made == vulnerable


7

DEFENSEis needed !


8


Defense Needed

bWAPP & bee-box

Web App Pentesting

Hungry Evil Bees

Superbees Wanted


9

bWAPP == defensebWAPP, or a buggy Web APPlication

Deliberately insecure web application, includes allmajor known web vulnerabilities

Helps security enthusiasts, developers and studentsto discover and to prevent issues

Prepares one for successful penetration testing and ethical hacking projects


10

bWAPP


11

bWAPPWeb application security is not just installing a firewall, or scanning a site for potential issues

Black-box penetration testing, simulating real attack scenarios, is still needed!

Confirms potential vulnerabilities, and excludes false positives

Guarantees that your defense measures are working effectively

bWAPP helps to improve your security-testing skills


12


13

OMG! Are we prepared forREAL attack scenarios???


14


15


16

bWAPPTestimonialsAwesome! It's good to see fantastic tools staying up to date ...

- Ed SkoudisFounder of Counter HackI just installed bWAPP 1.6 into the next release of SamuraiWTF ... Its a great app ...

- Justin SearleManaging Partner at UtiliSec

Great progress on bWAPP BTW! :)

- Vivek RamachandranOwner of SecurityTube


17

bWAPPTestimonialsAwesome! It's good to see fantastic tools staying up to date ...

- Ed SkoudisFounder of Counter HackI just installed bWAPP 1.6 into the next release of SamuraiWTF ... Its a great app ...

- Justin SearleManaging Partner at UtiliSec

Great progress on bWAPP BTW! :)

- Vivek RamachandranOwner of SecurityTube


18

bWAPPArchitecture

Open source PHP application

Backend MySQL database

Hosted on Linux/Windows Apache/IIS

Supported on WAMP or XAMPP


19

bWAPPFeatures (1)

Very easy to use and to understand

Well structured and documented PHP code

Different security levels (low/medium/high)

New user creation (password/secret)

Reset application/database feature

Manual intervention page

Email functionalities


20

bWAPPFeatures (2)

Local PHP settings file

No-authentication mode (A.I.M.)

Evil Bee mode, bypassing security checks

Evil directory, including attack scripts

WSDL file (Web Services/SOAP)

Fuzzing possibilities


21

bWAPPWhat makes bWAPP so unique?

Well, it has over 70 web bugs!

Covering all major known web vulnerabilities

Including all risks from the OWASP Top 10 project


22

bWAPPWhich bug do you want to hack today? (1)

SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code,Host Header and SMTP injections

Authentication, authorization and session management issues

Malicious, unrestricted file uploads and backdoor files

Arbitrary file access and directory traversals

PHP-CGI remote code execution

Local and remote file inclusions (LFI/RFI)

Server Side Request Forgery (SSRF)


23


Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, WebDAV, information disclosures,...

HTTP parameter pollution and HTTP response splitting

XML External Entity attacks (XXE)

HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) andweb storage issues

Unvalidated redirects and forwards

Denial-of-Service (DoS) attacks


24


Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)

AJAX and Web Services issues (JSON/XML/SOAP)

Parameter tampering and cookie poisoning

HTTP verb tampering

Local privilege escalation

And much more


25

bWAPPWhich bug do you want to hack today?


26

bWAPP


27

bWAPPExternal links

Home page - www.itsecgames.com

Download location - sourceforge.net/projects/bwapp

Blog - itsecgames.blogspot.com


28

bee-boxEvery bee needs a home the bee-box

VM pre-installed with bWAPP

LAMP environment: Linux, Apache, MySQL and PHP

Compatible with VMware and VirtualBox

Requires zero installation


29

bee-boxbee-box is also made deliberately insecure

Opportunity to explore all bWAPP vulnerabilities

Gives you several ways to hack and deface bWAPP

Even possible to hack the bee-box to get full root access!

Hacking, defacing and exploitingwithout going to jail

You can downloadbee-box from here


30

bee-box


31

bee-boxFeatures (1)

Apache, MySQL and PHP installed

Several PHP extensions installed

Vulnerable PHP-CGI

phpMyAdmin installed

Postfix installed and configured

Insecure FTP and WebDAV configurations

AppArmor disabled


32

bee-boxFeatures (2)

Weak self-signed SSL certificate

Fine-tuned file access permissions

.htaccess files support enabled

Some basic security tools installed

Shortcuts to start, install and update bWAPP

An amazing wallpaper

An outdated Linux kernel


33

bWAPP & bee-boxBoth are part of the ITSEC GAMES project

A funny approach to IT security education

IT security, ethical hacking, training and fun...

All ingredients mixed together

Educational and recreational InfoSec training


34

bWAPP & bee-boxReady, set, and hack!

Theres just one thing to remember

The logon credentials are


35

bee/bug


36

bWAPP & bee-boxReady, set, and hack!

Theres just one thing to remember

The logon credentials are bee/bug

So please dont bug me anymore


37

bWAPP & bee-boxMore credentials (for wizkids only!)

bWAPP web app

bee/bug

bee-box VM

bee/bug

su: bug

MySQL database

root/bug


38

bWAPP & bee-boxInstallation and configuration

Install VMware Player or Oracle VirtualBox

Extract, install, and start the bee-box VM

Configure or check the IP settings

Browse to the bWAPP web app

http://[IP]/bWAPP/

Login with bee/bug


39

bWAPP & bee-boxGeneral application settings

settings.php, located under the bWAPP admin folder

Connection settings

SMTP settings

A.I.M. mode

Evil bee mode

Static credentials


40

bWAPP & bee-boxSettings


41

bWAPP & bee-boxA.I.M.

Authentication Is Missing, a no-authentication mode

May be used for testing web scanners and crawlers

Procedure

Change the IP address in the settings file

Point your web scanner or crawler to

http://[IP]/bWAPP/aim.php

All hell breaks loose


42

bWAPP & bee-boxWorst-case-scenario-options

Reset the application

http://[IP]/bWAPP/reset.php

Reset the application + database

http://[IP]/bWAPP/reset.php?secret=bWAPP

Reinstall the database

Drop the database from phpMyAdmin

http://[IP]/bWAPP/install.php


43

bWAPP & bee-boxHost file (optional)

Change the host file on the local machine


44

bWAPP & bee-boxPostfix (optional)

Reconfigure and restart Postfix on the bee-box

sudo gedit /etc/postfix/main.cf

sudo /etc/init.d/postfix restart


45

Finally time for aDEMO


46

Demo


47


Defense Needed

bWAPP & bee-box

Web App Pentesting

Hungry Evil Bees

Superbees Wanted


48

Penetration TestingPenetration testing, or pentesting

Method of evaluating computer, network or application security by simulating an attack

Active analysis of potential vulnerabilities by usingethical hacking techniques

Penetration tests are sometimes a component of afull security audit


49

Web App Penetration TestingWeb application pentesting is focusing on evaluatingthe security of a web application

Application is tested for known web vulnerabilities

Manual, automatic and semi-automatic tests

Source code analysis and web server configuration review as an option


50

Web App Penetration TestingIts all about identifying, exploiting, and reporting vulnerabilities

Some considerations

Commercial tools vs. open source tools

Not a best practice to use only one tool

Most commercial scanners dont exploit

False positives are not allowed!

People dont like auto-generated reports


51

Testing MethodologiesA simple testing methodology


52

Testing MethodologiesA more advanced testing methodology


53

OWASPOWASP, or Open Web Application Security Project

Worldwide non-profit organization focused on improving the security of software

Freely-available articles, methodologies, documentation, tools, and technologies

Vendor neutral, no recommendations for commercial products or services!


54

OWASPCurrent OWASP Projects

Top 10 Project and Testing Guide

Development and Code Review Guide

Application Security Verification Standard

Broken Web Applications (BWA)

Zed Attack Proxy (ZAP)


55

OWASPOWASP Top 10 Project, lists the 10 most severe web application security risks

Constantly updated, latest version released in 2013

Referenced by many standards, books, tools, and organizations, including MITRE and PCI DSS

Good starting point for a web application pentest

What to test? How to test? How to prevent?


56

OWASPOWASP Top 10 Application Security Risks


57

OWASPOWASP Top 10 - 2010 2013


58

OWASPOWASP Top 10 placement


59

Introduction to Kali LinuxKali Linux is a Debian-derived Linux distribution

Designed for digital forensics and penetration testing

Formerly known as BackTrack

Maintained and funded by Offensive Security

Support for x86 and ARM


60

Introduction to Kali LinuxIncludes many web app pentesting tools

Burp Suite

DirBuster

Metasploit

Nikto

sqlmap

w3af

WebSploit

ZAP


61

Hands-On LabKali Linux - Installation and basic usage

Strongly advised to disable AV

Extract, install, and start the VM

VM on Bridged ( NAT)

Login with root/toor

Check/configure IP and language settings

dhclient eth0 -v

Explore Kali Linux and its toolsWhen facing problems,ask for a LiveDVD...


62

Intercepting ProxiesIntercepting proxies are testing tools acting as a legitimate Man-in-the-Middle (MitM)

Located between the browser and the web application

Ability to intercept and to modify requests/responses

Provide a historical record of all requests

Include integrated tools to discover vulnerabilities,and to crawl and brute force files and directories


63

Intercepting ProxiesZAP, Zed Attack Proxy

OWASP project, by Simon Bennetts

Java application, released in September 2010

Fork of the Paros intercepting proxy

Pentesting tool for finding vulnerabilities

Provides automated scanning, as well as a set of toolsto find security vulnerabilities manually


64


Functionalities

Intercepting proxy, listening on TCP/8080

Traditional and AJAX spider

Automated and passive scanner

Fuzzing and brute force capabilities

Smartcard and client certificate support

Authentication and session support


65



66

DemoZAP, Zed Attack Proxy

Parameter/cookie tampering

Online password attack

Vulnerability detection


67

Hands-On LabZAP, Zed Attack Proxy

Parameter/cookie tampering

Online password attack

Vulnerability detection


68

Commercial Web ScannersNetsparker

Automated false positive free web security scanner

Identifies security issues and vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)

Automatically exploits detected vulnerabilities to ensure no false positives are reported

Site: https://www.netsparker.com/


69

Commercial Web Scanners


70

Commercial Web ScannersNetsparker


71

Hands-On LabNetsparker

Non-authenticated scan

Authenticated scan


72

Ready toExploitsome bugs?


73


Defense Needed

bWAPP & bee-box

Web App Pentesting

Hungry Evil Bees

Superbees Wanted


74

Hungry Evil BeesHacking, Defacing and Exploiting

SQL / HTML / SSI Injection

Cross-Site Scripting (XSS)

Denial-of-Service (DoS)

PHP-CGI Remote Code Exec

Unrestricted File Uploads

File Inclusions (LFI/RFI)

Local Privilege Escalation


75

Hands-On LabSQL Injection

Bypassing login forms

Manually extracting data

Testing for blind SQL injection

Automated SQL injection

Website defacement


76

Hands-On LabHTML Injection

Website defacement

Page redirection

Phishing attack

Client-side exploitation


77

Hands-On LabSSI Injection

Disclosing sensitive files

Website defacement

Shell access


78

Hands-On LabCross-Site Scripting

Detecting XSS

Session hijacking


79

Hands-On LabDenial-of-Service

HTTP Slow POST

XML Bomb


80

Hands-On LabPHP-CGI Remote Code Execution

API and PHP version verification

Source code disclosure

Website defacement

OWASP ZAP

Metasploit


81

Hands-On LabUnrestricted File Uploads

Web shell creation

Shell access, evading firewalls

Website defacement


82

Hands-On LabFile Inclusions

Disclosing sensitive files

Website defacement

Shell access, evading firewalls

Escalating privileges...


83


Defense Needed

bWAPP & bee-box

Web App Pentesting

Hungry Evil Bees

Superbees Wanted


84

Superbees WantedHi little bees, during this workshop we

Defaced your website 5 times

Compromised your server

Compromised your clients

Made your server unreachable

Hijacked your session

Stole your credentials


85

And we have so much more bugs to exploit

Definitely time to improve your web security

Defense is needed, and testing is required!

Downloading bWAPP is a first start

Remember: every bee needs a superbee

Are you that superbee?Superbees Wanted

@MME_IT#bWAPP


86

Contact MeMalik Mesellem

Email| [email protected]

LinkedIn | be.linkedin.com/in/malikmesellem

Twitter | twitter.com/MME_IT

Blog| itsecgames.blogspot.com


87

Cheat SheetHi little bees we have a cheat sheet for you

Containing all bWAPP solutions

Follow us on Twitter, and ask for our cheat sheet

You will definitely become a superbee!

@MME_IT#bWAPP


88

TrainingAttacking & Defending Web Apps with bWAPP

2-day comprehensive web security course

Focus on attack and defense techniques!

More info: http://goo.gl/ASuPa1 (pdf)


89


90

Presentations & Public Speaking

B-Sides Orlando 2014 - Superbees Wanted