- 本月热门
-
JavaScript Best Practices(JS最佳实践) by Christian Heilmann@Yahoo(2009) -
AngularJS the performance parts(AngularJS性能:过去现在和未来) by toddmotto -
NoSQL and Postgres简介 by 萧少聪@EDB -
高效的ES6 (ECMAScript 6入门教程) by teppeis(日) -
微信背后的产品观-不要听从“产品经理”的需求 by 张小龙@腾讯 -
CSS Checker 检查你的CSS语法错误 by Michael[tm] Smith -
Scalable JavaScript Application Architecture(可扩展的JavaScript应用架构) by Nicholas C. Zakas@slicknet -
Why your bestemployees leave(如何留住公司最好的员工) by PeopleSparkHQ -
10 COMPANY THE CULTURE KILLERS(企业文化的10大杀手) by Officevibe -
异地多活数据流基础设施DRC by 延瑛@阿里巴巴
第1页
How To Shot Web
(Better hacking in 2015)
(Better hacking in 2015)
第2页
whoami
Jason Haddix ● Bugcrowd ● Director of Technical Ops ● Hacker & Bug hunter ● #1 on all-time leaderboard bugcrowd 2014
@jhaddix
Jason Haddix ● Bugcrowd ● Director of Technical Ops ● Hacker & Bug hunter ● #1 on all-time leaderboard bugcrowd 2014
@jhaddix
第3页
What this talk’s about...
Hack Stuff Better (and practically)
And…LOTS of memes…. only some are funny
Hack Stuff Better (and practically)
And…LOTS of memes…. only some are funny
第4页
More Specifically
Step 1: Cut a hole in a box... j/k
Step 1: Started with my bug hunting methodology Step 2: Parsed some of the top bug hunters’ research (web/mobile only for now) Step 3: Create kickass preso
Topics? BB philosophy shifts, discovery techniques, mapping methodology, parameters oft attacked, useful fuzz strings, bypass or filter 4 evasion techniques, new/awesome tooling
Step 1: Cut a hole in a box... j/k
Step 1: Started with my bug hunting methodology Step 2: Parsed some of the top bug hunters’ research (web/mobile only for now) Step 3: Create kickass preso
Topics? BB philosophy shifts, discovery techniques, mapping methodology, parameters oft attacked, useful fuzz strings, bypass or filter 4 evasion techniques, new/awesome tooling
第5页
Philosophy
第6页
Differences from standard testing
Single-sourced
● looking mostly for common-ish vulns
● not competing with others
● incentivized for count ● payment based on sniff
test
Crowdsourced
● looking for vulns that aren’t as easy to find
● racing vs. time ● competitive vs. others ● incentivized to find
unique bugs ● payment based on
impact not number of findings
Single-sourced
● looking mostly for common-ish vulns
● not competing with others
● incentivized for count ● payment based on sniff
test
Crowdsourced
● looking for vulns that aren’t as easy to find
● racing vs. time ● competitive vs. others ● incentivized to find
unique bugs ● payment based on
impact not number of findings
第7页
The regular methodologies
第8页
Discovery
第9页
Find the road less traveled
^ means find the application (or parts of an application) less tested.
1. *.acme.com scope is your friend 2. Find domains via Google (and others!)
a. Can be automated well via recon-ng and other tools.
3. Port scan for obscure web servers or services (on all domains)
4. Find acquisitions and the bounty acquisition rules a. Google has a 6 month rule
5. Functionality changes or re-designs 6. Mobile websites 9 7. New mobile app versions
^ means find the application (or parts of an application) less tested.
1. *.acme.com scope is your friend 2. Find domains via Google (and others!)
a. Can be automated well via recon-ng and other tools.
3. Port scan for obscure web servers or services (on all domains)
4. Find acquisitions and the bounty acquisition rules a. Google has a 6 month rule
5. Functionality changes or re-designs 6. Mobile websites 9 7. New mobile app versions
第10页
Tool: Recon-ng script (enumall.sh)
10 https://github.com/jhaddix/domain
10 https://github.com/jhaddix/domain
第11页
11
第12页
LMGTFY
第13页
LMGTFY
第14页
14
第15页
https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640
第16页
Port Scanning!
Port scanning is not just for Netpen!
A full port scan of all your new found targets will usually yield #win:
● separate webapps ● extraneous services ● Facebook had Jenkins Script console with no auth ● IIS.net had rdp open vulnerable to MS12_020
nmap -sS -A -PN -p- --script=http-title dontscanme.bro
^ syn scan, OS + service fingerprint, no ping, all ports, 16 http titles
Port scanning is not just for Netpen!
A full port scan of all your new found targets will usually yield #win:
● separate webapps ● extraneous services ● Facebook had Jenkins Script console with no auth ● IIS.net had rdp open vulnerable to MS12_020
nmap -sS -A -PN -p- --script=http-title dontscanme.bro
^ syn scan, OS + service fingerprint, no ping, all ports, 16 http titles
第17页
Mapping
第18页
Mapping tips
● Google ● *Smart* Directory Brute Forcing
● RAFT lists (included in Seclists) ● SVN Digger (included in Seclists) ● Git Digger ● Platform Identification: ● Wapplyzer (Chrome) ● Builtwith (Chrome) ● retire.js (cmd-line or Burp) ● Check CVE’s ● Auxiliary ● WPScan ● CMSmap
● Google ● *Smart* Directory Brute Forcing
● RAFT lists (included in Seclists) ● SVN Digger (included in Seclists) ● Git Digger ● Platform Identification: ● Wapplyzer (Chrome) ● Builtwith (Chrome) ● retire.js (cmd-line or Burp) ● Check CVE’s ● Auxiliary ● WPScan ● CMSmap
第19页
Directory Bruteforce Workflow
After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control.
Example:
GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce here now]
After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control.
Example:
GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce here now]
第20页
Mapping/Vuln Discovery using OSINT
Find previous/existing problem: ● Xssed.com ● Reddit XSS - /r/xss ● Punkspider ● xss.cx ● xssposed.org ● twitter searching ● ++
Issues might already reported but use the flaw area and injection type to guide you to further injections or filter bypass.
Find previous/existing problem: ● Xssed.com ● Reddit XSS - /r/xss ● Punkspider ● xss.cx ● xssposed.org ● twitter searching ● ++
Issues might already reported but use the flaw area and injection type to guide you to further injections or filter bypass.
第21页
New Project: Maps
New OSINT/Mapping project
● 250+ bounty programs ● Crawl ● DNS info + bruteforce ● Bounty metadata (links, rewards, scope) ● API -> Intrigue
http://github.com/bugcrowdlabs/maps
New OSINT/Mapping project
● 250+ bounty programs ● Crawl ● DNS info + bruteforce ● Bounty metadata (links, rewards, scope) ● API -> Intrigue
http://github.com/bugcrowdlabs/maps
第22页
22
第23页
Using the Maps Project: Crawling
Using + Ruby + Anemone + JSON + Grep
$cat test_target_json.txt | grep redirect
https://test_target/redirect/?url=http://twitter.com/... https://test_target/redirect/?url=http://facebook.com/... https://test_target/redirect/?url=http://pinterest.com/...
Using + Ruby + Anemone + JSON + Grep
$cat test_target_json.txt | grep redirect
https://test_target/redirect/?url=http://twitter.com/... https://test_target/redirect/?url=http://facebook.com/... https://test_target/redirect/?url=http://pinterest.com/...
第24页
New Tool: Intrigue
OSINT framework, simple to integrate. Features like:
● DNS Subdomain Brute force ● Web Spider ● Nmap Scan ● etc
Code @ http://github.com/intrigueio/intrigue-core
OSINT framework, simple to integrate. Features like:
● DNS Subdomain Brute force ● Web Spider ● Nmap Scan ● etc
Code @ http://github.com/intrigueio/intrigue-core
第25页
25
第26页
26
第27页
Auth and Session
第28页
Auth (better be quick)
Auth Related (more in logic, priv, and transport sections)
● User/pass discrepancy flaw ● Registration page harvesting ● Login page harvesting ● Password reset page harvesting ● No account lockout ● Weak password policy ● Password not required for account updates ● Password reset tokens (no expiry or re-use)
Auth Related (more in logic, priv, and transport sections)
● User/pass discrepancy flaw ● Registration page harvesting ● Login page harvesting ● Password reset page harvesting ● No account lockout ● Weak password policy ● Password not required for account updates ● Password reset tokens (no expiry or re-use)
第29页
Session (better be quick)
Session Related ● Failure to invalidate old cookies ● No new cookies on login/logout/timeout ● Never ending cookie length ● Multiple sessions allowed ● Easily reversible cookie (base64 most often)
Session Related ● Failure to invalidate old cookies ● No new cookies on login/logout/timeout ● Never ending cookie length ● Multiple sessions allowed ● Easily reversible cookie (base64 most often)
第30页
Tactical Fuzzing - XSS
第31页
XSS
Core Idea: Does the pagefunctionalitydisplay something to the users?
For time sensitive testing the 80/20 rule applies. Many testers use Polyglot payloads. You probably have too!
Core Idea: Does the pagefunctionalitydisplay something to the users?
For time sensitive testing the 80/20 rule applies. Many testers use Polyglot payloads. You probably have too!
第32页
XSS
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>
Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>
Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)
第33页
XSS
'">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"
></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http:
//i.imgur.com/P8mL8.jpg">
Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)
'">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"
></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http:
//i.imgur.com/P8mL8.jpg">
Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)
第34页
XSS
“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
Multi-context polyglot payload (Mathias Karlsson)
“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
Multi-context polyglot payload (Mathias Karlsson)
第35页
Other XSS Observations
Input Vectors Customizable Themes & Profiles via CSS Event or meeting names URI based Imported from a 3rd party (think Facebook integration) JSON POST Values (check returning content type) File Upload names Uploaded files (swf, HTML, ++) Custom Error pages fake params - ?realparam=1&foo=bar’+alert(/XSS/)+’ Login and Forgot password forms
Input Vectors Customizable Themes & Profiles via CSS Event or meeting names URI based Imported from a 3rd party (think Facebook integration) JSON POST Values (check returning content type) File Upload names Uploaded files (swf, HTML, ++) Custom Error pages fake params - ?realparam=1&foo=bar’+alert(/XSS/)+’ Login and Forgot password forms
第36页
SWF Parameter XSS
Common Params: Common Params: onload,allowedDomain,movieplayer,xmlPath, eventhandler, callback (more on OWASP page)
Common Injection Strings: \%22})))}catch(e){alert(document.domain);}// "]);}catch(e){}if(!self.a)self.a=!alert(document.domain);// "a")(({type:"ready"}));}catch(e){alert(1)}//
Common Params: Common Params: onload,allowedDomain,movieplayer,xmlPath, eventhandler, callback (more on OWASP page)
Common Injection Strings: \%22})))}catch(e){alert(document.domain);}// "]);}catch(e){}if(!self.a)self.a=!alert(document.domain);// "a")(({type:"ready"}));}catch(e){alert(1)}//
第37页
SWF Parameter XSS
第38页
Tactical Fuzzing - SQLi
第39页
SQL Injection
Core Idea: Does the page look like it might need to call on stored data? There exist some SQLi polyglots, i.e;
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
Works in single quote context, works in double quote context, works in “straight into query” context! (Mathias Karlsson)
Core Idea: Does the page look like it might need to call on stored data? There exist some SQLi polyglots, i.e;
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
Works in single quote context, works in double quote context, works in “straight into query” context! (Mathias Karlsson)
第40页
SQL Injection
You can also leverage the large database of fuzzlists from Seclists here:
You can also leverage the large database of fuzzlists from Seclists here:
第41页
SQL Injection Observations
Blind is predominant, Error based is highly unlikely.
‘%2Bbenchmark(3200,SHA1(1))%2B’ ‘+BENCHMARK(40000000,SHA1(1337))+’
SQLMap is king!
● Use -l to parse a Burp log file. ● Use Tamper Scripts for blacklists. ● SQLiPy Burp plugin works well to instrument SQLmap quickly.
Lots of injection in web services!
Common Parameters or Injection points ID Currency Values Item number values sorting parameters (i.e order, sort, etc) JSON and XML values Cookie values (really?) Custom headers (look for possible integrations with CDN’s or WAF’s) REST based Services
Blind is predominant, Error based is highly unlikely.
‘%2Bbenchmark(3200,SHA1(1))%2B’ ‘+BENCHMARK(40000000,SHA1(1337))+’
SQLMap is king!
● Use -l to parse a Burp log file. ● Use Tamper Scripts for blacklists. ● SQLiPy Burp plugin works well to instrument SQLmap quickly.
Lots of injection in web services!
Common Parameters or Injection points ID Currency Values Item number values sorting parameters (i.e order, sort, etc) JSON and XML values Cookie values (really?) Custom headers (look for possible integrations with CDN’s or WAF’s) REST based Services
第42页
SQLmap SQLiPy
第43页
Best SQL injection resources
mySQL MSSQL ORACLE POSTGRESQL Others
DBMS Specific Resources
PentestMonkey's mySQL injection cheat sheet Reiners mySQL injection Filter Evasion Cheatsheet
EvilSQL's Error/Union/Blind MSSQL Cheatsheet PentestMonkey's MSSQL SQLi injection Cheat Sheet
PentestMonkey's Oracle SQLi Cheatsheet
PentestMonkey's Postgres SQLi Cheatsheet
Access SQLi Cheatsheet PentestMonkey's Ingres SQL Injection Cheat Sheet pentestmonkey's DB2 SQL Injection Cheat Sheet pentestmonkey's Informix SQL Injection Cheat Sheet SQLite3 Injection Cheat sheet Ruby on Rails (Active Record) SQL Injection Guide
mySQL MSSQL ORACLE POSTGRESQL Others
DBMS Specific Resources
PentestMonkey's mySQL injection cheat sheet Reiners mySQL injection Filter Evasion Cheatsheet
EvilSQL's Error/Union/Blind MSSQL Cheatsheet PentestMonkey's MSSQL SQLi injection Cheat Sheet
PentestMonkey's Oracle SQLi Cheatsheet
PentestMonkey's Postgres SQLi Cheatsheet
Access SQLi Cheatsheet PentestMonkey's Ingres SQL Injection Cheat Sheet pentestmonkey's DB2 SQL Injection Cheat Sheet pentestmonkey's Informix SQL Injection Cheat Sheet SQLite3 Injection Cheat sheet Ruby on Rails (Active Record) SQL Injection Guide
第44页
Tactical Fuzzing - FI & Uploads
第45页
Local file inclusion
Core Idea: Does it (or can it) interact with the server file system?
Liffy is new and cool here but you can also use Seclists:
Common Parameters or Injection points file=
location=
locale=
path=
display=
load=
read=
45 retrieve=
Core Idea: Does it (or can it) interact with the server file system?
Liffy is new and cool here but you can also use Seclists:
Common Parameters or Injection points file=
location=
locale=
path=
display=
load=
read=
45 retrieve=
第46页
Malicious File Upload ++
This is an important and common attack vector in this type of testing
A file upload functions need a lot of protections to be adequately secure.
Attacks:
● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
● Execute XSS via same types of files. Images as well! ● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header ● Bypass security zones and store malware on target site via file polyglots
This is an important and common attack vector in this type of testing
A file upload functions need a lot of protections to be adequately secure.
Attacks:
● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
● Execute XSS via same types of files. Images as well! ● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header ● Bypass security zones and store malware on target site via file polyglots
第47页
Malicious File Upload ++
File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques: ● content type spoofing ● extension trickery ● File in the hole! presentaion - http://goo.gl/VCXPh6
File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques: ● content type spoofing ● extension trickery ● File in the hole! presentaion - http://goo.gl/VCXPh6
第48页
Malicious File Upload ++
As referenced file polyglots can be used to store malware on servers!
See @dan_crowley ‘s talk: http://goo. gl/pquXC2
and @angealbertini research: corkami. com
As referenced file polyglots can be used to store malware on servers!
See @dan_crowley ‘s talk: http://goo. gl/pquXC2
and @angealbertini research: corkami. com
第49页
Remote file includes and redirects
Look for any param with another web address in it. Same params from LFI can present here too.
Common blacklist bypasses:
● escape "/" with "\/" or “//” with “\/\/” ● try single "/" instead of "//" ● remove http i.e. "continue=//google.com" ● “/\/\” , “|/” , “/%09/” ● encode, slashes ● ”./” CHANGE TO “..//” ● ”../” CHANGE TO “….//” ● ”/” CHANGE TO “//”
Redirections Common Parameters or Injection points
dest= continue= redirect= url= (or anything with “url” in it) uri= (same as above) window= next=
Look for any param with another web address in it. Same params from LFI can present here too.
Common blacklist bypasses:
● escape "/" with "\/" or “//” with “\/\/” ● try single "/" instead of "//" ● remove http i.e. "continue=//google.com" ● “/\/\” , “|/” , “/%09/” ● encode, slashes ● ”./” CHANGE TO “..//” ● ”../” CHANGE TO “….//” ● ”/” CHANGE TO “//”
Redirections Common Parameters or Injection points
dest= continue= redirect= url= (or anything with “url” in it) uri= (same as above) window= next=
第50页
Remote file includes and redirects
RFI Common Parameters or Injection points
File= Folder= Path= style= template= php_path= doc=
document= root= pg= pdf=
RFI Common Parameters or Injection points
File= Folder= Path= style= template= php_path= doc=
document= root= pg= pdf=
第51页
CSRF
第52页
CSRF
Everyone knows CSRF but the TLDR here is find sensitive functions and attempt to CSRF. Burps CSRF PoC is fast and easy for this:
Everyone knows CSRF but the TLDR here is find sensitive functions and attempt to CSRF. Burps CSRF PoC is fast and easy for this:
第53页
CSRF
Many sites will have CSRF protection, focus on CSRF bypass!
Common bypasses:
● Remove CSRF token from request ● Remove CSRF token parameter value ● Add bad control chars to CSRF parameter value ● Use a second identical CSRF param ● Change POST to GET
Check this out...
Many sites will have CSRF protection, focus on CSRF bypass!
Common bypasses:
● Remove CSRF token from request ● Remove CSRF token parameter value ● Add bad control chars to CSRF parameter value ● Use a second identical CSRF param ● Change POST to GET
Check this out...
第54页
CSRF
Debasish Mandal wrote a python tool to automate finding CSRF bypasses called Burpy.
Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all functions.
Step 2: Create a template...
Debasish Mandal wrote a python tool to automate finding CSRF bypasses called Burpy.
Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all functions.
Step 2: Create a template...
第55页
55
第56页
56
第57页
57
第58页
CSRF
Or focus on pages without the token in Burp: https://github.
com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_d etect.py
Or focus on pages without the token in Burp: https://github.
com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_d etect.py
第59页
CSRF
CSRF Common Critical functions
Add / Upload file Password change
Email change
Transfer Money / Currency
Delete File
Profile edit
CSRF Common Critical functions
Add / Upload file Password change
Email change
Transfer Money / Currency
Delete File
Profile edit
第60页
Privilege, Transport, Logic
第61页
Privilege
Often logic, priv, auth bugs are blurred. Testing user priv: 1. admin has power 2. peon has none 3. peon can use function only meant for
admin
Often logic, priv, auth bugs are blurred. Testing user priv: 1. admin has power 2. peon has none 3. peon can use function only meant for
admin
第62页
Privilege
1. Find site functionality that is restricted to certain user types
2. Try accessing those functions with lesser/other user roles
3. Try to directly browse to views with sensitive information as a lesser priv user
Autorize Burp plugin is pretty neat here...
https://github.com/Quitten/Autorize
Common Functions or Views Add user function Delete user function start project / campaign / etc function change account info (pass, CC, etc) function customer analytics view payment processing view any view with PII
1. Find site functionality that is restricted to certain user types
2. Try accessing those functions with lesser/other user roles
3. Try to directly browse to views with sensitive information as a lesser priv user
Autorize Burp plugin is pretty neat here...
https://github.com/Quitten/Autorize
Common Functions or Views Add user function Delete user function start project / campaign / etc function change account info (pass, CC, etc) function customer analytics view payment processing view any view with PII
第63页
1. Browse using high priv user 2. Login with a lower priv user 3. Burp Plugin re-requests to see if low priv can access high priv
第64页
Insecure direct object references
IDORs are common place in bounties, and hard to catch with scanners.
Find any and all UIDs ● increment ● decrement ● negative values ● Attempt to perform sensitive functions
substituting another UID ○ change password ○ forgot password ○ admin only functions
IDORs are common place in bounties, and hard to catch with scanners.
Find any and all UIDs ● increment ● decrement ● negative values ● Attempt to perform sensitive functions
substituting another UID ○ change password ○ forgot password ○ admin only functions
第65页
Idor’s
Common Functions , Views, or Files Everything from the CSRF Table, trying cross account attacks Sub: UIDs, user hashes, or emails Images that are non-public Receipts Private Files (pdfs, ++) Shipping info & Purchase Orders Sending / Deleting messages
Common Functions , Views, or Files Everything from the CSRF Table, trying cross account attacks Sub: UIDs, user hashes, or emails Images that are non-public Receipts Private Files (pdfs, ++) Shipping info & Purchase Orders Sending / Deleting messages
第66页
66
第67页
Transport
Most security concerned sites will enable HTTPs. It’s your job to ensure they’ve done it EVERYWHERE. Most of the time they miss something. Examples: ● Sensitive images transported over HTTP ● Analytics with session data / PII leaked over HTTP
Most security concerned sites will enable HTTPs. It’s your job to ensure they’ve done it EVERYWHERE. Most of the time they miss something. Examples: ● Sensitive images transported over HTTP ● Analytics with session data / PII leaked over HTTP
第68页
Transport
https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
第69页
Logic
Logic flaws that are tricky, mostly manual:
● substituting hashed parameters ● step manipulation ● use negatives in quantities ● authentication bypass ● application level DoS ● Timing attacks
Logic flaws that are tricky, mostly manual:
● substituting hashed parameters ● step manipulation ● use negatives in quantities ● authentication bypass ● application level DoS ● Timing attacks
第70页
Mobile
第71页
Data Storage
Its common to see mobile apps not applying encryption to the files that store PII.
Common places to find PII unencrypted Phone system logs (avail to all apps) webkit cache (cache.db) plists, dbs, etc hardcoded in the binary
Its common to see mobile apps not applying encryption to the files that store PII.
Common places to find PII unencrypted Phone system logs (avail to all apps) webkit cache (cache.db) plists, dbs, etc hardcoded in the binary
第72页
Quick spin-up for iOS
Daniel Mayers idb tool:
Daniel Mayers idb tool:
第73页
Logs!
第74页
Auxiliary
第75页
The vulns formerly known as “noise”
● Content Spoofing or HTML injection ● Referer leakage ● security headers ● path disclosure ● clickjacking ● ++
● Content Spoofing or HTML injection ● Referer leakage ● security headers ● path disclosure ● clickjacking ● ++
第76页
How to test a web app in n minutes
How can you get maximum results within a given time window?
How can you get maximum results within a given time window?
第77页
Data Driven Assessment (diminishing return FTW)
1. Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings
2. Scan those specific functions with Burp’s built-in scanner 3. Check your cookie, log out, check cookie, log in, check cookie. Submit old
cookie, see if access. 4. Perform user enumeration checks on login, registration, and password
reset. 5. Do a reset and see if; the password comes plaintext, uses a URL based
token, is predictable, can be used multiple times, or logs you in automatically 6. Find numeric account identifiers anywhere in URLs and rotate them for context change 7. Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. 8. Directory brute for top short list on SecLists 9. Check upload functions for alternate file types that can execute code (xss or php/etc/etc) 77 ~ 15 minutes
1. Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings
2. Scan those specific functions with Burp’s built-in scanner 3. Check your cookie, log out, check cookie, log in, check cookie. Submit old
cookie, see if access. 4. Perform user enumeration checks on login, registration, and password
reset. 5. Do a reset and see if; the password comes plaintext, uses a URL based
token, is predictable, can be used multiple times, or logs you in automatically 6. Find numeric account identifiers anywhere in URLs and rotate them for context change 7. Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. 8. Directory brute for top short list on SecLists 9. Check upload functions for alternate file types that can execute code (xss or php/etc/etc) 77 ~ 15 minutes
第78页
Things to take with you…
1. Crowdsourced testing is different enough to pay attention to 2. Crowdsourcing focuses on the 20% because the 80% goes quick 3. Data analysis can yield the most successfully attacked areas 4. A 15 minute web test, done right, could yield a majority of your critical vulns 5. Add polyglots to your toolbelt 6. Use SecLists to power your scanners 7. Remember to periodically refresh your game with the wisdom of other techniques and
other approaches
Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas
1. Crowdsourced testing is different enough to pay attention to 2. Crowdsourcing focuses on the 20% because the 80% goes quick 3. Data analysis can yield the most successfully attacked areas 4. A 15 minute web test, done right, could yield a majority of your critical vulns 5. Add polyglots to your toolbelt 6. Use SecLists to power your scanners 7. Remember to periodically refresh your game with the wisdom of other techniques and
other approaches
Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas
第79页
Gitbook project: The Bug Hunters Methodology
This preso ended up to be way too much to fit in an 45min talk so... we turned it into a Git project! (if you are reading this from the Defcon DVD check my twitter or Github for linkage)
● 50% of research still unparsed ● More tooling to automate ● XXE and parser attacks ● SSRF ● Captcha bypass ● Detailed logic flaws ● More mobile
This preso ended up to be way too much to fit in an 45min talk so... we turned it into a Git project! (if you are reading this from the Defcon DVD check my twitter or Github for linkage)
● 50% of research still unparsed ● More tooling to automate ● XXE and parser attacks ● SSRF ● Captcha bypass ● Detailed logic flaws ● More mobile
第80页
Meme Count:
第81页
Attribution and Thanks
第82页
Tim Tomes - Recon-ng Joe Giron - RFI params Soroush Dalili - File in the Hole preso Mathias Karlsson - polyglot research Ashar Javed - polyglot/xss research Ryan Dewhurst & Wpscan Team Bitquark - for being a ninja, bsqli string rotlogix - liffy LFI scanner Arvind Doraiswamy - HTTPs, CSRF Burp Plugins Barak Tawily - Autorize burp plugin the RAFT list authors Ferruh Mavituna - SVNDigger Jaime Filson aka wick2o - GitDigger Robert Hansen aka rsnake - polyglot / xss Dan Crowley - polyglot research Daniel Miessler - methodology, slide, and data contributions My awesome team at Bugcrowd (Jon, Tod, Shpend, Ben, Grant, Fatih, Patrik, Kati, Kym, Abby, Casey, Chris, Sam, ++) 82 All the bug hunting community!!!