SlideShare uma empresa Scribd logo

DEFCON 23 - Jason Haddix - how do i shot web

Felipe Prado
Felipe Prado

DEFCON 23 - Jason Haddix - how do i shot web

Tecnologia
1 de 84
Baixar para ler offline
1 How To Shot Web (Better hacking in 2015)
2 Jason Haddix ● Bugcrowd ● Director of Technical Ops ● Hacker & Bug hunter ● #1 on all-time leaderboard bugcrowd 2014 whoami @jhaddix
3 Hack Stuff Better (and practically) What this talk’s about... And…LOTS of memes…. only some are funny
4 Step 1: Cut a hole in a box... j/k Step 1: Started with my bug hunting methodology Step 2: Parsed some of the top bug hunters’ research (web/mobile only for now) Step 3: Create kickass preso Topics? BB philosophy shifts, discovery techniques, mapping methodology, parameters oft attacked, useful fuzz strings, bypass or filter evasion techniques, new/awesome tooling More Specifically
5 Philosophy
6 Differences from standard testing Single-sourced Crowdsourced ● looking mostly for common-ish vulns ● not competing with others ● incentivized for count ● payment based on sniff test ● looking for vulns that aren’t as easy to find ● racing vs. time ● competitive vs. others ● incentivized to find unique bugs ● payment based on impact not number of findings
7 The regular methodologies
8 Discovery
9 Find the road less traveled ^ means find the application (or parts of an application) less tested. 1. *.acme.com scope is your friend 2. Find domains via Google (and others!) a. Can be automated well via recon-ng and other tools. 3. Port scan for obscure web servers or services (on all domains) 4. Find acquisitions and the bounty acquisition rules a. Google has a 6 month rule 5. Functionality changes or re-designs 6. Mobile websites 7. New mobile app versions
10 Tool: Recon-ng script (enumall.sh) https://github.com/jhaddix/domain
11
12 LMGTFY
13 LMGTFY
14
15 https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640
16 Port scanning is not just for Netpen! A full port scan of all your new found targets will usually yield #win: ● separate webapps ● extraneous services ● Facebook had Jenkins Script console with no auth ● IIS.net had rdp open vulnerable to MS12_020 nmap -sS -A -PN -p- --script=http-title dontscanme.bro ^ syn scan, OS + service fingerprint, no ping, all ports, http titles Port Scanning!
17 Mapping
18 Mapping tips ● Google ● *Smart* Directory Brute Forcing ● RAFT lists (included in Seclists) ● SVN Digger (included in Seclists) ● Git Digger ● Platform Identification: ● Wapplyzer (Chrome) ● Builtwith (Chrome) ● retire.js (cmd-line or Burp) ● Check CVE’s ● Auxiliary ● WPScan ● CMSmap
19 Directory Bruteforce Workflow After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control. Example: GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce here now]
20 Mapping/Vuln Discovery using OSINT Find previous/existing problem: ● Xssed.com ● Reddit XSS - /r/xss ● Punkspider ● xss.cx ● xssposed.org ● twitter searching ● ++ Issues might already reported but use the flaw area and injection type to guide you to further injections or filter bypass.
21 Intrigue New OSINT/Mapping project, intrigue: ● 250+ bounty programs ● Crawl ● DNS info + bruteforce ● Bounty metadata (links, rewards, scope) ● API
22
23 Intrigue and Maps projects New OSINT/Mapping project, intrigue: ● 250+ bounty programs ● Crawl ● DNS info + bruteforce ● Bounty metadata (links, rewards, scope) ● API
24 Crawling Using + Ruby + Anemone + JSON + Grep $cat test_target_json.txt | grep redirect https://test_target/redirect/?url=http://twitter.com/... https://test_target/redirect/?url=http://facebook.com/... https://test_target/redirect/?url=http://pinterest.com/...
25 Intrigue Tasks Using + Ruby + Anemone + JSON + Grep ● Brute force ● Spider ● Nmap ● etc
26
27
28 Auth and Session
29 Auth (better be quick) Auth Related (more in logic, priv, and transport sections) ● User/pass discrepancy flaw ● Registration page harvesting ● Login page harvesting ● Password reset page harvesting ● No account lockout ● Weak password policy ● Password not required for account updates ● Password reset tokens (no expiry or re-use)
30 Session (better be quick) Session Related ● Failure to invalidate old cookies ● No new cookies on login/logout/timeout ● Never ending cookie length ● Multiple sessions allowed ● Easily reversible cookie (base64 most often)
31 Tactical Fuzzing - XSS
32 XSS Core Idea: Does the page functionality display something to the users? For time sensitive testing the 80/20 rule applies. Many testers use Polyglot payloads. You probably have too!
33 XSS ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)
34 XSS '">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext></|><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)
35 XSS “ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// Multi-context, filter bypass based polyglot payload #3 (Mathias Karlsson)
36 Other XSS Observations Input Vectors Customizable Themes & Profiles via CSS Event or meeting names URI based Imported from a 3rd party (think Facebook integration) JSON POST Values (check returning content type) File Upload names Uploaded files (swf, HTML, ++) Custom Error pages fake params - ?realparam=1&foo=bar’+alert(/XSS/)+’ Login and Forgot password forms
37 SWF Parameter XSS Common Params: Common Params: onload, allowedDomain, movieplayer, xmlPath, eventhandler, callback (more on OWASP page) Common Injection Strings: %22})))}catch(e){alert(document.domain);}// "]);}catch(e){}if(!self.a)self.a=!alert(document.domain);// "a")(({type:"ready"}));}catch(e){alert(1)}//
38 SWF Parameter XSS
39 Tactical Fuzzing - SQLi
40 SQL Injection Core Idea: Does the page look like it might need to call on stored data? There exist some SQLi polyglots, i.e; SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/ Works in single quote context, works in double quote context, works in “straight into query” context! (Mathias Karlsson)
41 SQL Injection You can also leverage the large database of fuzzlists from Seclists here:
42 SQL Injection Observations Blind is predominant, Error based is highly unlikely. ‘%2Bbenchmark(3200,SHA1(1))%2B’ ‘+BENCHMARK(40000000,SHA1(1337))+’ SQLMap is king! ● Use -l to parse a Burp log file. ● Use Tamper Scripts for blacklists. ● SQLiPy Burp plugin works well to instrument SQLmap quickly. Lots of injection in web services! Common Parameters or Injection points ID Currency Values Item number values sorting parameters (i.e order, sort, etc) JSON and XML values Cookie values (really?) Custom headers (look for possible integrations with CDN’s or WAF’s) REST based Services
43 SQLmap SQLiPy
44 Best SQL injection resources DBMS Specific Resources mySQL PentestMonkey's mySQL injection cheat sheet Reiners mySQL injection Filter Evasion Cheatsheet MSSQL EvilSQL's Error/Union/Blind MSSQL Cheatsheet PentestMonkey's MSSQL SQLi injection Cheat Sheet ORACLE PentestMonkey's Oracle SQLi Cheatsheet POSTGRESQL PentestMonkey's Postgres SQLi Cheatsheet Others Access SQLi Cheatsheet PentestMonkey's Ingres SQL Injection Cheat Sheet pentestmonkey's DB2 SQL Injection Cheat Sheet pentestmonkey's Informix SQL Injection Cheat Sheet SQLite3 Injection Cheat sheet Ruby on Rails (Active Record) SQL Injection Guide
45 Tactical Fuzzing - FI & Uploads
46 Local file inclusion Core Idea: Does it (or can it) interact with the server file system? Liffy is new and cool here but you can also use Seclists: Common Parameters or Injection points file= location= locale= path= display= load= read= retrieve=
47 Malicious File Upload ++ This is an important and common attack vector in this type of testing A file upload functions need a lot of protections to be adequately secure. Attacks: ● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or... ● Execute XSS via same types of files. Images as well! ● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header ● Bypass security zones and store malware on target site via file polyglots
48 Malicious File Upload ++ File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques: ● content type spoofing ● extension trickery ● File in the hole! presentaion - http://goo.gl/VCXPh6
49 Malicious File Upload ++ As referenced file polyglots can be used to store malware on servers! See @dan_crowley ‘s talk: http://goo. gl/pquXC2 and @angealbertini research: corkami. com
50 Remote file includes and redirects Look for any param with another web address in it. Same params from LFI can present here too. Common blacklist bypasses: ● escape  "/" with "/" or “//” with “//” ● try single "/" instead of "//" ● remove http i.e. "continue=//google.com" ● “//” , “|/” , “/%09/” ● encode, slashes ● ”./” CHANGE TO “..//” ● ”../” CHANGE TO “….//” ● ”/” CHANGE TO “//” Redirections Common Parameters or Injection points dest= continue= redirect= url= (or anything with “url” in it) uri= (same as above) window= next=
51 Remote file includes and redirects RFI Common Parameters or Injection points File= document= Folder= root= Path= pg= style= pdf= template= php_path= doc=
52 CSRF
53 CSRF Everyone knows CSRF but the TLDR here is find sensitive functions and attempt to CSRF. Burps CSRF PoC is fast and easy for this:
54 CSRF Many sites will have CSRF protection, focus on CSRF bypass! Common bypasses: ● Remove CSRF token from request ● Remove CSRF token parameter value ● Add bad control chars to CSRF parameter value ● Use a second identical CSRF param ● Change POST to GET Check this out...
55 CSRF Debasish Mandal wrote a python tool to automate finding CSRF bypasses called Burpy. Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all functions. Step 2: Create a template...
56
57 CSRF Step 3: Run burpy on Burp log file.. Logic: 1. Parse burp log file 2. re-request everything instrumenting 4/5 attacks in previous slide 3. diff responses 4. alert on outliers 5. profit
58
59
60 CSRF Or focus on pages without the token in Burp: https://github. com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_d etect.py
61 CSRF CSRF Common Critical functions Add / Upload file Password change Email change Transfer Money / Currency Delete File Profile edit
62 Privilege, Transport, Logic
63 Privilege Often logic, priv, auth bugs are blurred. Testing user priv: 1. admin has power 2. peon has none 3. peon can use function only meant for admin
64 Privilege 1. Find site functionality that is restricted to certain user types 2. Try accessing those functions with lesser/other user roles 3. Try to directly browse to views with sensitive information as a lesser priv user Autorize Burp plugin is pretty neat here... https://github.com/Quitten/Autorize Common Functions or Views Add user function Delete user function start project / campaign / etc function change account info (pass, CC, etc) function customer analytics view payment processing view any view with PII
65 1. Browse using high priv user 2. Login with a lower priv user 3. Burp Plugin re-requests to see if low priv can access high priv
66 Insecure direct object references IDORs are common place in bounties, and hard to catch with scanners. Find any and all UIDs ● increment ● decrement ● negative values ● Attempt to perform sensitive functions substituting another UID ○ change password ○ forgot password ○ admin only functions
67 Idor’s Common Functions , Views, or Files Everything from the CSRF Table, trying cross account attacks Sub: UIDs, user hashes, or emails Images that are non-public Receipts Private Files (pdfs, ++) Shipping info & Purchase Orders Sending / Deleting messages
68
69 Transport Most security concerned sites will enable HTTPs. It’s your job to ensure they’ve done it EVERYWHERE. Most of the time they miss something. Examples: ● Sensitive images transported over HTTP ● Analytics with session data / PII leaked over HTTP
70 Transport https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
71 Logic Logic flaws that are tricky, mostly manual: ● substituting hashed parameters ● step manipulation ● use negatives in quantities ● authentication bypass ● application level DoS ● Timing attacks
72 Mobile
73 Data Storage Its common to see mobile apps not applying encryption to the files that store PII. Common places to find PII unencrypted Phone system logs (avail to all apps) webkit cache (cache.db) plists, dbs, etc hardcoded in the binary
74 Quick spin-up for iOS Daniel Mayers idb tool:
75 Logs!
76 Auxiliary
77 The vulns formerly known as “noise” ● Content Spoofing or HTML injection ● Referer leakage ● security headers ● path disclosure ● clickjacking ● ++
78 How to test a web app in n minutes How can you get maximum results within a given time window?
79 Data Driven Assessment (diminishing return FTW) 1. Visit the search, registration, contact, and password reset, and comment forms and hit them with your polyglot strings 2. Scan those specific functions with Burp’s built-in scanner 3. Check your cookie, log out, check cookie, log in, check cookie. Submit old cookie, see if access. 4. Perform user enumeration checks on login, registration, and password reset. 5. Do a reset and see if; the password comes plaintext, uses a URL based token, is predictable, can be used multiple times, or logs you in automatically 6. Find numeric account identifiers anywhere in URL and rotate them for context change 7. Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. 8. Directory brute for top short list on SecLists 9. Check upload functions for alternate file types that can execute code (xss or php/etc/etc) ~ 15 minutes
80 Things to take with you… 1. Crowdsourced testing is different enough to pay attention to 2. Crowdsourcing focuses on the 20% because the 80% goes quick 3. Data analysis can yield the most successfully attacked areas 4. A 15 minute web test, done right, could yield a majority of your critical vulns 5. Add polyglots to your toolbelt 6. Use SecLists to power your scanners 7. Remember to periodically refresh your game with the wisdom of other techniques and other approaches Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas
81 Gitbook project: The Bug Hunters Methodology This preso ended up to be way too much to fit in an 45min talk so... we turned it into a Git project! (if you are reading this from the Defcon DVD check my twitter or Github for linkage) ● 50% of research still unparsed ● More tooling to automate ● XXE and parser attacks ● XSRF ● Captcha bypass ● Detailed logic flaws ● More mobile
82 Meme Count: 13
83 Attribution and Thanks
84 Tim Tomes - Recon-ng Joe Giron - RFI params Soroush Dalili - File in the Hole preso Mathias Karlsson - polyglot research Ashar Javed - polyglot/xss research Ryan Dewhurst & Wpscan Team Bitquark - for being a ninja, bsqli string rotlogix - liffy LFI scanner Arvind Doraiswamy - HTTPs, CSRF Burp Plugins Barak Tawily - Autorize burp plugin the RAFT list authors Ferruh Mavituna - SVNDigger Jaime Filson aka wick2o - GitDigger Robert Hansen aka rsnake - polyglot / xss Dan Crowley - polyglot research Daniel Miessler - methodology, slide, and data contributions My awesome team at Bugcrowd (Jon, Tod, Shpend, Ben, Grant, Fatih, Patrik, Kati, Kym, Abby, Casey, Chris, Sam, ++) All the bug hunting community!!!

Recomendados

SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015
Daniel Miessler
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited time
beched
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
beched
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 

Recomendados

SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015
Daniel Miessler
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited time
beched
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
beched
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
kuza55
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients
Positive Hack Days
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
Abraham Aranguren
 
Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!
Positive Hack Days
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
snyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
snyff
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Engines
adonatwork
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
Ivan Novikov
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
Adam Caudill
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
adonatwork
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
snyff
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
Jason Harwig
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Security
jgrahamc
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley Framework
High-Tech Bridge SA (HTBridge)
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
kuza55
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Abraham Aranguren
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
Rich Helton
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
Raffael Marty
 

Mais conteúdo relacionado

Mais procurados

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients
Positive Hack Days
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Engines
adonatwork
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
kuza55
 

Mais procurados (20)

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 
Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Engines
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Security
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley Framework
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 

Semelhante a DEFCON 23 - Jason Haddix - how do i shot web

Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permission
Yury Chemerkin
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
Rich Helton
 
How to Improve Your Technical Test Ability - AADays 2015 Keynote
How to Improve Your Technical Test Ability - AADays 2015 KeynoteHow to Improve Your Technical Test Ability - AADays 2015 Keynote
How to Improve Your Technical Test Ability - AADays 2015 Keynote
Alan Richardson
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 

Semelhante a DEFCON 23 - Jason Haddix - how do i shot web (20)

Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permission
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
 
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018Advanced Web Scraping or How To Make Internet Your Database #seoplus2018
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
More about PHP
More about PHPMore about PHP
More about PHP
 
Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Coding for production
Coding for productionCoding for production
Coding for production
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
How to Improve Your Technical Test Ability - AADays 2015 Keynote
How to Improve Your Technical Test Ability - AADays 2015 KeynoteHow to Improve Your Technical Test Ability - AADays 2015 Keynote
How to Improve Your Technical Test Ability - AADays 2015 Keynote
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 

Mais de Felipe Prado

Mais de Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Último

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

DEFCON 23 - Jason Haddix - how do i shot web

  • 1. 1 How To Shot Web (Better hacking in 2015)
  • 2. 2 Jason Haddix ● Bugcrowd ● Director of Technical Ops ● Hacker & Bug hunter ● #1 on all-time leaderboard bugcrowd 2014 whoami @jhaddix
  • 3. 3 Hack Stuff Better (and practically) What this talk’s about... And…LOTS of memes…. only some are funny
  • 4. 4 Step 1: Cut a hole in a box... j/k Step 1: Started with my bug hunting methodology Step 2: Parsed some of the top bug hunters’ research (web/mobile only for now) Step 3: Create kickass preso Topics? BB philosophy shifts, discovery techniques, mapping methodology, parameters oft attacked, useful fuzz strings, bypass or filter evasion techniques, new/awesome tooling More Specifically
  • 6. 6 Differences from standard testing Single-sourced Crowdsourced ● looking mostly for common-ish vulns ● not competing with others ● incentivized for count ● payment based on sniff test ● looking for vulns that aren’t as easy to find ● racing vs. time ● competitive vs. others ● incentivized to find unique bugs ● payment based on impact not number of findings
  • 9. 9 Find the road less traveled ^ means find the application (or parts of an application) less tested. 1. *.acme.com scope is your friend 2. Find domains via Google (and others!) a. Can be automated well via recon-ng and other tools. 3. Port scan for obscure web servers or services (on all domains) 4. Find acquisitions and the bounty acquisition rules a. Google has a 6 month rule 5. Functionality changes or re-designs 6. Mobile websites 7. New mobile app versions
  • 10. 10 Tool: Recon-ng script (enumall.sh) https://github.com/jhaddix/domain
  • 11. 11
  • 14. 14
  • 16. 16 Port scanning is not just for Netpen! A full port scan of all your new found targets will usually yield #win: ● separate webapps ● extraneous services ● Facebook had Jenkins Script console with no auth ● IIS.net had rdp open vulnerable to MS12_020 nmap -sS -A -PN -p- --script=http-title dontscanme.bro ^ syn scan, OS + service fingerprint, no ping, all ports, http titles Port Scanning!
  • 18. 18 Mapping tips ● Google ● *Smart* Directory Brute Forcing ● RAFT lists (included in Seclists) ● SVN Digger (included in Seclists) ● Git Digger ● Platform Identification: ● Wapplyzer (Chrome) ● Builtwith (Chrome) ● retire.js (cmd-line or Burp) ● Check CVE’s ● Auxiliary ● WPScan ● CMSmap
  • 19. 19 Directory Bruteforce Workflow After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control. Example: GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce here now]
  • 20. 20 Mapping/Vuln Discovery using OSINT Find previous/existing problem: ● Xssed.com ● Reddit XSS - /r/xss ● Punkspider ● xss.cx ● xssposed.org ● twitter searching ● ++ Issues might already reported but use the flaw area and injection type to guide you to further injections or filter bypass.
  • 21. 21 Intrigue New OSINT/Mapping project, intrigue: ● 250+ bounty programs ● Crawl ● DNS info + bruteforce ● Bounty metadata (links, rewards, scope) ● API
  • 22. 22
  • 23. 23 Intrigue and Maps projects New OSINT/Mapping project, intrigue: ● 250+ bounty programs ● Crawl ● DNS info + bruteforce ● Bounty metadata (links, rewards, scope) ● API
  • 24. 24 Crawling Using + Ruby + Anemone + JSON + Grep $cat test_target_json.txt | grep redirect https://test_target/redirect/?url=http://twitter.com/... https://test_target/redirect/?url=http://facebook.com/... https://test_target/redirect/?url=http://pinterest.com/...
  • 25. 25 Intrigue Tasks Using + Ruby + Anemone + JSON + Grep ● Brute force ● Spider ● Nmap ● etc
  • 26. 26
  • 27. 27
  • 29. 29 Auth (better be quick) Auth Related (more in logic, priv, and transport sections) ● User/pass discrepancy flaw ● Registration page harvesting ● Login page harvesting ● Password reset page harvesting ● No account lockout ● Weak password policy ● Password not required for account updates ● Password reset tokens (no expiry or re-use)
  • 30. 30 Session (better be quick) Session Related ● Failure to invalidate old cookies ● No new cookies on login/logout/timeout ● Never ending cookie length ● Multiple sessions allowed ● Easily reversible cookie (base64 most often)
  • 32. 32 XSS Core Idea: Does the page functionality display something to the users? For time sensitive testing the 80/20 rule applies. Many testers use Polyglot payloads. You probably have too!
  • 34. 34 XSS '">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext></|><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)
  • 35. 35 XSS “ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// Multi-context, filter bypass based polyglot payload #3 (Mathias Karlsson)
  • 36. 36 Other XSS Observations Input Vectors Customizable Themes & Profiles via CSS Event or meeting names URI based Imported from a 3rd party (think Facebook integration) JSON POST Values (check returning content type) File Upload names Uploaded files (swf, HTML, ++) Custom Error pages fake params - ?realparam=1&foo=bar’+alert(/XSS/)+’ Login and Forgot password forms
  • 37. 37 SWF Parameter XSS Common Params: Common Params: onload, allowedDomain, movieplayer, xmlPath, eventhandler, callback (more on OWASP page) Common Injection Strings: %22})))}catch(e){alert(document.domain);}// "]);}catch(e){}if(!self.a)self.a=!alert(document.domain);// "a")(({type:"ready"}));}catch(e){alert(1)}//
  • 40. 40 SQL Injection Core Idea: Does the page look like it might need to call on stored data? There exist some SQLi polyglots, i.e; SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/ Works in single quote context, works in double quote context, works in “straight into query” context! (Mathias Karlsson)
  • 41. 41 SQL Injection You can also leverage the large database of fuzzlists from Seclists here:
  • 42. 42 SQL Injection Observations Blind is predominant, Error based is highly unlikely. ‘%2Bbenchmark(3200,SHA1(1))%2B’ ‘+BENCHMARK(40000000,SHA1(1337))+’ SQLMap is king! ● Use -l to parse a Burp log file. ● Use Tamper Scripts for blacklists. ● SQLiPy Burp plugin works well to instrument SQLmap quickly. Lots of injection in web services! Common Parameters or Injection points ID Currency Values Item number values sorting parameters (i.e order, sort, etc) JSON and XML values Cookie values (really?) Custom headers (look for possible integrations with CDN’s or WAF’s) REST based Services
  • 44. 44 Best SQL injection resources DBMS Specific Resources mySQL PentestMonkey's mySQL injection cheat sheet Reiners mySQL injection Filter Evasion Cheatsheet MSSQL EvilSQL's Error/Union/Blind MSSQL Cheatsheet PentestMonkey's MSSQL SQLi injection Cheat Sheet ORACLE PentestMonkey's Oracle SQLi Cheatsheet POSTGRESQL PentestMonkey's Postgres SQLi Cheatsheet Others Access SQLi Cheatsheet PentestMonkey's Ingres SQL Injection Cheat Sheet pentestmonkey's DB2 SQL Injection Cheat Sheet pentestmonkey's Informix SQL Injection Cheat Sheet SQLite3 Injection Cheat sheet Ruby on Rails (Active Record) SQL Injection Guide
  • 45. 45 Tactical Fuzzing - FI & Uploads
  • 46. 46 Local file inclusion Core Idea: Does it (or can it) interact with the server file system? Liffy is new and cool here but you can also use Seclists: Common Parameters or Injection points file= location= locale= path= display= load= read= retrieve=
  • 47. 47 Malicious File Upload ++ This is an important and common attack vector in this type of testing A file upload functions need a lot of protections to be adequately secure. Attacks: ● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or... ● Execute XSS via same types of files. Images as well! ● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header ● Bypass security zones and store malware on target site via file polyglots
  • 48. 48 Malicious File Upload ++ File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques: ● content type spoofing ● extension trickery ● File in the hole! presentaion - http://goo.gl/VCXPh6
  • 49. 49 Malicious File Upload ++ As referenced file polyglots can be used to store malware on servers! See @dan_crowley ‘s talk: http://goo. gl/pquXC2 and @angealbertini research: corkami. com
  • 50. 50 Remote file includes and redirects Look for any param with another web address in it. Same params from LFI can present here too. Common blacklist bypasses: ● escape  "/" with "/" or “//” with “//” ● try single "/" instead of "//" ● remove http i.e. "continue=//google.com" ● “//” , “|/” , “/%09/” ● encode, slashes ● ”./” CHANGE TO “..//” ● ”../” CHANGE TO “….//” ● ”/” CHANGE TO “//” Redirections Common Parameters or Injection points dest= continue= redirect= url= (or anything with “url” in it) uri= (same as above) window= next=
  • 51. 51 Remote file includes and redirects RFI Common Parameters or Injection points File= document= Folder= root= Path= pg= style= pdf= template= php_path= doc=
  • 53. 53 CSRF Everyone knows CSRF but the TLDR here is find sensitive functions and attempt to CSRF. Burps CSRF PoC is fast and easy for this:
  • 54. 54 CSRF Many sites will have CSRF protection, focus on CSRF bypass! Common bypasses: ● Remove CSRF token from request ● Remove CSRF token parameter value ● Add bad control chars to CSRF parameter value ● Use a second identical CSRF param ● Change POST to GET Check this out...
  • 55. 55 CSRF Debasish Mandal wrote a python tool to automate finding CSRF bypasses called Burpy. Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all functions. Step 2: Create a template...
  • 56. 56
  • 57. 57 CSRF Step 3: Run burpy on Burp log file.. Logic: 1. Parse burp log file 2. re-request everything instrumenting 4/5 attacks in previous slide 3. diff responses 4. alert on outliers 5. profit
  • 58. 58
  • 59. 59
  • 60. 60 CSRF Or focus on pages without the token in Burp: https://github. com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_d etect.py
  • 61. 61 CSRF CSRF Common Critical functions Add / Upload file Password change Email change Transfer Money / Currency Delete File Profile edit
  • 63. 63 Privilege Often logic, priv, auth bugs are blurred. Testing user priv: 1. admin has power 2. peon has none 3. peon can use function only meant for admin
  • 64. 64 Privilege 1. Find site functionality that is restricted to certain user types 2. Try accessing those functions with lesser/other user roles 3. Try to directly browse to views with sensitive information as a lesser priv user Autorize Burp plugin is pretty neat here... https://github.com/Quitten/Autorize Common Functions or Views Add user function Delete user function start project / campaign / etc function change account info (pass, CC, etc) function customer analytics view payment processing view any view with PII
  • 65. 65 1. Browse using high priv user 2. Login with a lower priv user 3. Burp Plugin re-requests to see if low priv can access high priv
  • 66. 66 Insecure direct object references IDORs are common place in bounties, and hard to catch with scanners. Find any and all UIDs ● increment ● decrement ● negative values ● Attempt to perform sensitive functions substituting another UID ○ change password ○ forgot password ○ admin only functions
  • 67. 67 Idor’s Common Functions , Views, or Files Everything from the CSRF Table, trying cross account attacks Sub: UIDs, user hashes, or emails Images that are non-public Receipts Private Files (pdfs, ++) Shipping info & Purchase Orders Sending / Deleting messages
  • 68. 68
  • 69. 69 Transport Most security concerned sites will enable HTTPs. It’s your job to ensure they’ve done it EVERYWHERE. Most of the time they miss something. Examples: ● Sensitive images transported over HTTP ● Analytics with session data / PII leaked over HTTP
  • 71. 71 Logic Logic flaws that are tricky, mostly manual: ● substituting hashed parameters ● step manipulation ● use negatives in quantities ● authentication bypass ● application level DoS ● Timing attacks
  • 73. 73 Data Storage Its common to see mobile apps not applying encryption to the files that store PII. Common places to find PII unencrypted Phone system logs (avail to all apps) webkit cache (cache.db) plists, dbs, etc hardcoded in the binary
  • 74. 74 Quick spin-up for iOS Daniel Mayers idb tool:
  • 77. 77 The vulns formerly known as “noise” ● Content Spoofing or HTML injection ● Referer leakage ● security headers ● path disclosure ● clickjacking ● ++
  • 78. 78 How to test a web app in n minutes How can you get maximum results within a given time window?
  • 79. 79 Data Driven Assessment (diminishing return FTW) 1. Visit the search, registration, contact, and password reset, and comment forms and hit them with your polyglot strings 2. Scan those specific functions with Burp’s built-in scanner 3. Check your cookie, log out, check cookie, log in, check cookie. Submit old cookie, see if access. 4. Perform user enumeration checks on login, registration, and password reset. 5. Do a reset and see if; the password comes plaintext, uses a URL based token, is predictable, can be used multiple times, or logs you in automatically 6. Find numeric account identifiers anywhere in URL and rotate them for context change 7. Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. 8. Directory brute for top short list on SecLists 9. Check upload functions for alternate file types that can execute code (xss or php/etc/etc) ~ 15 minutes
  • 80. 80 Things to take with you… 1. Crowdsourced testing is different enough to pay attention to 2. Crowdsourcing focuses on the 20% because the 80% goes quick 3. Data analysis can yield the most successfully attacked areas 4. A 15 minute web test, done right, could yield a majority of your critical vulns 5. Add polyglots to your toolbelt 6. Use SecLists to power your scanners 7. Remember to periodically refresh your game with the wisdom of other techniques and other approaches Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas
  • 81. 81 Gitbook project: The Bug Hunters Methodology This preso ended up to be way too much to fit in an 45min talk so... we turned it into a Git project! (if you are reading this from the Defcon DVD check my twitter or Github for linkage) ● 50% of research still unparsed ● More tooling to automate ● XXE and parser attacks ● XSRF ● Captcha bypass ● Detailed logic flaws ● More mobile
  • 84. 84 Tim Tomes - Recon-ng Joe Giron - RFI params Soroush Dalili - File in the Hole preso Mathias Karlsson - polyglot research Ashar Javed - polyglot/xss research Ryan Dewhurst & Wpscan Team Bitquark - for being a ninja, bsqli string rotlogix - liffy LFI scanner Arvind Doraiswamy - HTTPs, CSRF Burp Plugins Barak Tawily - Autorize burp plugin the RAFT list authors Ferruh Mavituna - SVNDigger Jaime Filson aka wick2o - GitDigger Robert Hansen aka rsnake - polyglot / xss Dan Crowley - polyglot research Daniel Miessler - methodology, slide, and data contributions My awesome team at Bugcrowd (Jon, Tod, Shpend, Ben, Grant, Fatih, Patrik, Kati, Kym, Abby, Casey, Chris, Sam, ++) All the bug hunting community!!!