
Whatever, you guys were ready. All right, we're just... real quick. Sure. We have David here talking about web security again. This is the three o'clock session again; the fire drill was just a figment of your imagination.

All right, quick show of hands: how many people have exploited cross-site scripting and/or SQL injection? No, I mean legitimately, with permission. No? Okay, fewer hands. Okay, so for the rest of you, you're in the right spot. For those of you for whom this is old hat, well, I'm just going to show you an environment where you can play around and not get yourself in trouble. It's called the Web Security Dojo, your own personal web app Fight Club. If you want to grab the PDF, that's fine; there are notes, maybe some technical notes for some of the demos, down in the notes, but you won't see them unless you use a real PDF viewer, not your browser.

All right, what is the Web Security Dojo and how do we get started? That's pretty much what we're going to talk about. They accidentally posted on the website a half-day, four-hour hands-on class. If we were in fact having a four-hour hands-on, this would be the first part: we get this environment set up so y'all could hack your web apps. We don't need any untrusted CTF networks, you know; it's just all localhost, and so that's what I want to talk about, the environment. So essentially, after today's talk you go home, you've got the whole weekend, there you go.

So if you have a device that makes noise, maybe put it on silent. And the question-and-answer protocol; I like to introduce people to this. It's similar to TCP in that it has a three-way handshake: you raise your hand, I acknowledge you, you transmit your question. But it's also like UDP, an unreliable protocol: you're not guaranteed a response. So we'll try this Q/A IP, it's patent-pending, so we'll see if that works. And if I don't know the answer, Gyan knows the answer.

Legal disclaimer: follow that link and you'll see the legal disclaimer from Liar Liar, "stop breaking the law." So yeah, just don't do that. And so if you learn something new and you're all excited and you think you're gonna try it on your bank, uh, please don't, or use your brother-in-law's computer. Okay.

A little bit about me. That's me stepping out of the monolith from 2001. Any Penn Staters? Whoo, all right, I'll be sure to speak slow and use small words. No, I was good. Why, jerk? Yes, I've been doing this for a bit, and I work for Maven Security. We do things, and yeah, that's pretty much it. So let's talk about Web Security Dojo. Spoiler alert:
it's totally free, it's open source, and we're looking for people to contribute. So it is the world's first and best self-contained open source environment for web application security penetration testing training. So essentially you take a whole bunch of vulnerable web apps, fake storefronts and things, and you put them all together in a single VM along with the tools that are commonly used to test, audit and exploit web applications. You sprinkle in some documentation and you have the Web Security Dojo. It was developed by myself and some co-workers over the many years, because we'd go to a conference, shady things going on on the network, and we're like, you know what, we just need to be able to hand people a VM and just do the training rather than plugging into a network. So that's what started the Web Security Dojo many years ago.

So it comes in two flavors. For the masses there's the pre-installed version via an OVA file, industry standard, which hopefully you just import into your virtual machine player of choice. And there's also a script file that you can run, and it'll just download packages over top of an existing install, so you can roll your own and see how we do it, or you could just use the virtual machine. Its biggest selling point is that you're ready to go: dive right into the training, "what is this SQL injection you speak of?" You don't have to worry about configuring numerous man-in-the-middle proxy tools which all, for some reason, are contending for port 8000 and one... or, I'm sorry, 8080. So we've deconflicted all the tools and everything just works nicely. You have ZAP, you've got Burp, you've got several tools, and we've put them on separate ports, so when you get in there you can just get right to the subject rather than setting everything up.

You can find it at dojo.mavensecurity.com, which will lead to SourceForge. It's that old, I know; we're not cool enough to be on GitHub or Bitbucket, so we're on SourceForge. But all the links are at dojo.mavensecurity.com, and it's brought to you mostly by Maven, but we are looking for contributors, especially if you have any area of expertise in source code analysis. We'd like to put on some source code targets where you would analyze the source code and patch it, things like that. But right now it's mostly all just what you would think of with web app testing: scanning for SQL injection and common flaws found on the OWASP Top 10.

So, unfortunately, no one can be told what the Dojo is; you simply have to see it for yourself. So I'm going to go ahead and just dive on into my VM. The install process is real easy: you download a giant file, it's called a .OVA. Once you have a virtual machine player installed, you
double-click the OVA file and it just imports into your player, which I already did earlier, and I hit the start button and now I've got my little VM. I am going to take the... what is it, the red pill? Which one? I'm gonna dive into this. I'm gonna go full screen, so I'm just gonna hit my host key, which is down in the lower right corner; it's the right Control key. When I hit that and F4, full screen. All right, and away goes my host operating system, and now I'm inside this virtual machine, which is Xubuntu actually, a little lighter weight. And here we go. All right, this is the Web Security Dojo.

So what you have up in the system menu, and there are notes in the slides that kind of outline some of this, but I just want to show you: you've got all your lovely targets. Some of them require extra memory, things like that, so they're not started by default; you have to go in here and start them up. So for example, let's go to the casino. I'll start up the casino. This will start the process up, start up a web server, and it will redirect our browser. This is a customized version of Hacme Casino, made a little bit more family-friendly. For those of you who remember when this first came out, we spiced it up... we de-spiced it so we could use it in Utah. There used to be a skimpy... yeah, whatever. So there's a target right there, and that's one of the things that Dojo has, along with spoilers, documentation. A little word of advice: don't go straight for the documentation, all right? Go through the exercises; don't go straight to the answer, because then you end up with false confidence. You're like, "I really know how to do this," when they're step-by-step guides. Yeah, it's not gonna help you. But if you give up or you want to double-check, you can certainly open these up, and some of them are better than others. This document's pretty decent, and it walks you through all of the various flaws; obviously it's an older target, and it walks you through some of the challenges that are built into this.

So some of the targets are simulating real applications; other targets are in fact a little bit more conducive to education, because they sort of guide you through a little bit. For example, WebGoat: this is another one that has to start up, to conserve memory, and it just tells you right there you can log in as guest, and I've already done that, so my browser has it. It kind of walks you through the environment, and I think there's a generic... you know, you just follow... they want to show you how there are various things: you can show hints, you can show the solution, you can look at the source code underneath in case you want to try to figure out why it's vulnerable from that. But in the end, if and when you complete the lesson, you get a little green checkmark, yay. So it's gamified. It's not quite badges, but it's cool, right? And I believe there's an admin interface to this particular target, WebGoat, where you could roll it out to a classroom of students and sort of track everyone's score. But in this case Web Security Dojo is designed just for sort of a standalone single student; there's no centralized
scoreboard for this yet, but maybe there should be for a classroom of students. All right, so that's one target. Lots of targets. But targets are nice, and we need weapons, and so it's under Tools. And so here are all the tools pre-loaded. "Hey, how come you didn't include XYZ?" Well, this is more than you need, quite frankly. I mean, if you've got, you know, Perl, Python and Burp Suite, or ZAP will do, since it's open source... I said that this was all open source; that's not quite true. Burp Suite is not open source, but we do have permission to redistribute the free version. So we'll start up the Open Web Application Security Project Zed Attack Proxy as a tool, and what we're going to do with this: I'm going to introduce you to some various security concepts. I'm just going to show you SQL injection and cross-site scripting, and how you sort of explore that within this environment.

Let's see what else is worth noting about the Dojo. I want to go back to my slides, which I've conveniently preloaded into... where did I preload that? I thought I had it in here. So I do have it inside the VM, so I don't have to switch out. Oh, I see. Let's go back to the slides and see what we're missing. Oh great. And so these are some of the things I'm skipping over, but when you go back and you download the slides, it just kind of walks you through some key features of the Dojo. And so, trying to think what's new and exciting. So we have, like I said, it's Ubuntu 16; it is now a 64-bit operating system, which helps you with some of the tools, like Burp Suite has some features that will only work... anyway, there's a change log up on SourceForge as to what's new. To me the most exciting thing is the ability to snap. So when you start tools like, say, let's start up... already started ZAP, where is it? Here it is. I can... because you want to do this in real life anyway, this puts stuff side by side, or preferably have multiple monitors. You've got your browser, you've got your man-in-the-middle proxies, you've got stuff you're taking notes on. So if you're in this line of work and you don't have multiple monitors, I will write you a doctor's note for your boss to sign off on that, so it is a requirement.

All right, so I keep losing track of the slides. There we go. So let's talk about cross-site scripting for a moment. All right, so simply put, cross-site scripting is where a user sends malicious data and it reflects back off the server to them. You say, well, who would do that? Who would
literally hack themselves? Well, the attacker tricks the victim into sending the data. That's a reflected attack, where I post a link and say, "Hey, you should really click this link," so they click it, and it goes off to some kludgy web app that takes that user's input that's somewhere in that request, reflects it back to the victim, and does bad things. So the user literally hacks himself; they don't know it. That's the reflected attack, and it kind of looks a little bit like this. We'll talk about some other kinds of attacks in a moment. So here's this simple example where you do a query for a term. You say, hey, I'm looking for the term "John." It says, oh, there's lots of results for that. But if the search term looks a lot like JavaScript, what the website reflects back is this: "Oh, you just searched for..." and when the browser gets to that little bit of text that looks just like JavaScript, well, it is JavaScript, so your browser doesn't render it, it executes it, because it loves code; that's what it's made for. Modern browsers won't... well, IE and Chrome don't like this so much; they protect you... well, they make it easier to be a bad web app coder by stopping this kind of stuff. But it works fine in Firefox. So as a simple example, that's reflected cross-site scripting, and the idea is you would not simply do a stupid alert box; if you're an attacker you would send a remote script, and in that little... whatever that is, 25 characters, you can cram a whole lot of badness. In fact there's the Browser Exploitation Framework; that's all... it injects JavaScript. If you can inject JavaScript into somebody's browser, it hooks their browser and you can maintain persistence as they open new tabs, and you can do all sorts of bad things. In fact, what was... Bad Rabbit, that was using some JavaScript as well, injected like this. Does anyone know? Well then, take my word for it. Okay. If you go to, you know, Open Bug Bounty, you see a whole list of websites that are known to be vulnerable to cross-site scripting as part of an open bug bounty. So there's lots of impacts.

Besides reflected, there's an even worse-case scenario where you don't send the data; it's already there waiting for you, like in a forum, somebody posts something. Well, first let me show you reflected real quick. So let's see if we can find reflected and exploit it using the tools that we have at hand. So let me go to the homepage here: "Welcome to the Dojo," and there are convenient links. All of these targets are ready to go; you don't need to fire them up. So we're just going to surf to DVWA. There's a young person
present, so I will say it's called the Darn Vulnerable Web App, okay. And that's that. I'm gonna log into this, and this is one of those more educational ones where it's obvious what vulnerability you're gonna find. You can find reflected cross-site scripting right here: "My name is Nathan," and it repeats it. So you say, oh, I bet I could put in a piece of script, and look, simple alert box. We've literally, you know, found this during assessments, we flag it, they fix it, we go back and we find out that they're literally just blocking the alert command, and it's just like, okay, well, I'm getting paid either way, but you know, there's the prompt command, there's all sorts of ways that badness can happen where we're just injecting the simple script. But again, this is not the issue; this is just for demonstration and testing purposes. It's when you can inject, you know, remote code in here, or a remote source, and so maybe we'll take a look at that in a moment.

But the question is, rather than doing this manually, can we find a tool that'll do it automatically? So I wanted to introduce you to ZAP real quick. Let's just search for something normal. All right, so this is part of the magic of Web Security Dojo: we have little tools built in to let you go ahead and proxy your browser traffic automatically through that attack proxy. Okay, so we're now going through that. ZAP is on the right-hand side of the screen. Let's see, "My name is Eid," and lo and behold, we're capturing traffic down here. Let me go full... we can see that traffic was captured. Tools like this are useful for an auditor or tester. You're not really tricking a victim into going through your man-in-the-middle at this point; this is just for doing assessments. You can have your browser trust this tool's certificate generation process, so when you surf encrypted sites you don't get any warnings, because you've trusted the CA that this tool generates. We haven't enabled that quite yet for this. I mean, you could do it manually, but I'm not gonna waste time; all of the targets on Dojo are currently unencrypted.

So let's see, where is that request where I searched for my name? I told them... these tools were not designed by UI experts, by the way, so, you know, what are you gonna do? Oh, interesting, I don't even see the traffic at all. That's unfortunate. Let me try again: "Hi Bob." All right, so here's the request, right? I searched, and so I want to know: is this particular request vulnerable? So in this particular tool, ZAP, you can just right-click, select Audit or Attack, depending on how you're getting paid, and
we could do an active scan, and under the Alerts tab, or you can hit this little... it's too late, it's already done. It's so fast; it's localhost, it's not very congested with traffic, I suppose, so it's over before you know it. But it ran all of these various plugins and extensions to do various kinds of checks. This is what we call low-hanging fruit. If you don't pass this kind of scanner attack, somebody wasn't trying on the coding side. But let's go under Alerts, and sure enough, it flagged it as cross-site scripting, reflected. I think you can double-click and it will give you a little description of what the problem is and how to fix it, basically RTFM, and it points you to some resources down here. But it also kind of has a little proof of concept right there, so you can right-click and you can say, you know what, can you do me a favor? There's a new feature in this latest version of ZAP where you can just spawn sandboxed browsers with their own cookie jar that automatically trust the certificate, so there are no more pesky warnings for encrypted sites. But we can't necessarily do that for this target, because this target is authenticated. So if we try it, let's see, open in Firefox, we will hit the login page, because we don't have any cookies; it's our clear cookie jar. So, well, eventually that will open, I suppose. Once I authenticate I can then use this browser. It wasn't guest... I guess it was some admin password. Hey, that's my login. So let's try that again: open in browser, we'll use Firefox. If each one is in a sandbox, that would be impressive. It is... wow. Well, forget that. So I'm just going to use the system browser. I need to see if this actually did exploit, so let me just say open in system browser, and it uses all my cookies; I'm authenticated to this application. BAM. Okay, yeah, that's definitely reflected cross-site scripting, no problem. Mark that as a valid finding, I suppose; if it wasn't, we could go in here and mark it, you know, as a false positive.

So that's simple reflected cross-site scripting. Now, how much would you pay? But wait, there's more: there's persistent cross-site scripting. This is where you, the attacker, go into an application and submit data that other users are gonna see eventually. The first thing I think of is a forum: you post some comments and other people can see it. So let's play the role of the attacker for a moment. Conveniently, go to the lesson called stored cross-site scripting, and you know where this is going. Do you like JavaScript? Oh wow, these fields are really small, I'm not sure. All right, so some free JavaScript. All right, script... just put in another... put
an alert box again, if we want. Now here's the thing: if you were scanning this right off the bat, you'd scan it, oh, it does reflect back immediately... you know, it doesn't happen. But anyway, it's sitting right there, and any victim who goes to this page is going to get hit by it. So, you know, we can go to Quick Start and we can launch Chrome and we can go to the site and trigger it. targets.local... "Did you mean targets.local?" Yeah, I did, that's why I typed it. All right, admin password, here we go, go to this stored... and oh, it's interesting, so it seems like the very last one... okay. Yeah, so normally you would have to click on a forum post to open it, but in this case, yeah, it just triggers for anybody going to this.

So why is persistent so bad? Because all of your victims, by definition, are fully authenticated, and it could be that the victim is an admin: the data you've implanted appears in a back-end queue, like a feedback... somebody submitted a trouble ticket, "let's read what they have to say," BAM, it's JavaScript, or other client-side code, but mostly JavaScript. This is a screenshot of an actual WebGoat exercise on persistence. Back-end systems are the worst-case scenario, but how are you going to know, if you're scanning and you can't see the end result? So that's something some of these free tools don't necessarily handle off the bat, or at least the ones inside of Dojo, but there are commercial tools that will do that, where they'll put in a web beacon as the plant and they'll just wait for the victim to trigger that little request to an image that's specially marked. So when the request goes in, your scanner knows, well, that was when I injected this URL for this form element, and therefore we know exactly where the vulnerability is. I believe the Netflix security team released a tool several years back; does anyone remember what it was called? Sleepy Puppy, which I thought was cool. And I guess the idea is, you know, these things are sleeping in the background, an admin gets into the admin console and triggers these little... nothing more than web bugs, really, web beacons, typically used by marketers to track you from the cradle to the grave. But in this case we can see that the idea is, if I can implant even HTML, I could have probably implanted JavaScript or something else, so that would have affected an admin. So that's the worst-case scenario, something as simple as this. Yeah, you can write up your own little piece of code to make your own, or use Sleepy Puppy. Again, this is where the notes on the slides come in handy. Well, let's... I can't, but if you download the PDF there are some references: write your own, how to manually test. I could talk about that, and the quick way is just to use what I just showed you, very quickly, just kind of scan through, because there are just too many form elements, and sometimes form elements... there it's user input but you wouldn't consider it user input, but ultimately it's getting logged somewhere and someone's generating a report and they're processing data that came from your browser or from your tool. And so fuzz all the things. Fuzz, meaning, you know, inject noise into a system
hoping to produce an error. It's an old analog reverse engineering technique, black-box testing. So fuzz all the things; you want to inject all the things, and that's where the scanners come in handy to automate some of that. And I think I've already shown you this demo, showed you how you can open in system browser versus open in browser, and those are both new inside of ZAP.

Oh, you say, well, this is lame, man, I'm leet, I've seen every episode of Mr. Robot twice, yo, so what do you got for me? Well, you can literally go down and you can go to the security setting. It's too bad websites aren't really like this, where you could say, hey man, we better set the security to high, and now the little script kiddie textbook, you know, "if I ever see one more alert box I'm gonna puke" example does not work. Oh, oh no, what can I do? Okay, you know, and so if you want to exercise your PHP source code analysis skills, this particular target is helpful, because they show you, oh, we're gonna match and replace all these things, oh okay, and then you could try to figure it out. There might be a way to get past it; there probably is. And then I believe he said that this level should be totally secure, and if you find a flaw you should definitely contact him. But so yeah, you could set it... let's set it to medium. Reflected, let's see if ZAP can't get past medium-level security. Let's search for "David." So we captured the request in our man-in-the-middle, just in case I probably blew past that: we're proxying, all of our traffic is going through this tool sitting right next to us, so we can see it all come and go. It's like Matrix time: you can slow down the traffic and kind of manipulate it, so you can stop it outright. In this case we're just letting it flow and we're gonna replay it, but we could literally stop it and manipulate it before it even leaves our network card, right? But I'm not going to do that. Let's find the traffic under History; it should be towards the end. Oh, BeEF, BeEF, oops. Why... I think I am on fire. I forgot that, uh, some... yeah, okay, there's some bad code hidden here, I forgot, and so it's beaconing out to... yeah, so that's what this is: E.T.'s phoning home, we've clearly been compromised. Forgot about that; I'll show you that later. Let me see if I can filter based on... can I do... let's kill that. All right, hmm, why are we still doing that? Wow, this one, nice.
So here we have a request; I want to see if it's vulnerable on medium. Active scan. I really could select the policy to be just cross-site scripting, but we'll just scan for all the things, and that was pretty quick, that's actually done already. Let's go to Alerts, and I don't think it found it the second time through; there's only one instance of it here, there should probably be two. Here's our original request, so yeah, I don't think this will work anymore. If we do open in system browser, the demo is not going to work anymore. So we look at the source code and see how they fixed it. Oh, they replace the word "script" with... what? They just blank it out. Oh, okay, but they only do that once. So okay, I'll just put in "scr" and I'm gonna interrupt myself with "script," because they're gonna remove that for me; that's awfully convenient. And I've got to fix that typo here, but essentially we've seen this before, where they're removing... "oh, we're gonna filter out things, but we're not gonna do it in an iterative way, we're just gonna remove it," and put your string back together. I forget what blue means, but okay. Twenty minutes? Ten minutes. All right, so let's do that, and now, hey, it still works, because they filtered out the thing for me. So lots of bad defenses you can play with there, get your fu on, let's move on.

Blah blah blah, SQL injection. Yeah, this is where we make the Benjamins. Okay, essentially user input is going to make its way, eventually, in some cases, to a database call, Structured Query Language. If we can manipulate it such that our data fits in and modifies the logic, the syntax of that statement, well, we can interact with the database, perhaps. Plenty of ways to fix this, but what are we on, 17 years, I think, since SQL injection became, like, discovered and discussed, and it's still helping me pay the bills. So all right, we haven't fixed it yet. This is just an example of a SQL statement calling the check of a user,
whether username and password match, you know, maybe during a login, and some clever cricket looked at this and said, well, wait a minute, what if my UID doesn't just equal regular text but I include a single quote, which is a meta character in the context of SQL, right? It's a special character; it has significance. Or 1 equals 1, dash dash. So you take this in red, this is a standard type of lookup, and you add the bad data in green, and lo and behold you're saying SELECT * FROM users WHERE user ID equals blank, which is like nobody, so this is gonna fail, OR true; nonsense... false OR true is true; dash dash means "I'll just ignore the rest of that stuff, I don't know what that is." And this is called a SQL login bypass. It has the pesky habit of allowing you to basically log in as the first user in the database, which tends to be the administrator. Whoops.

So SQL injection is hard. There was a tool that came out, I can't remember what it was called, but the guy really went to town on the documentation, and he had like four pages of schematics, of schema, of how first you do this and then you do that, and how his tool was kind of automating this process of figuring out whether it was vulnerable to SQL injection and how to exploit it. But that's hard, you know, so we're just gonna use tools, and I'm going to show you a quick tool. I only have a few minutes to do it, so we probably should just get to it. Check the notes on manual things that you can do, but I'm all for leveraging the tools. Essentially I want to introduce you to your new best friend. Remember, you need permission in writing to use some of this stuff. But the number one choice is sqlmap; there's no number two. It's sqlmap, or you have a DBA right there who knows how to type really fast, because sqlmap automates a lot of it and it's smarter than you in most cases.
So let me show you what that looks like. First, can we find SQL injection in one of our targets? Probably, since there's an exercise called SQL injection right there. Now, we can do blind... it doesn't... well, that's weird. Submit. Okay, so we just performed some sort of request legitimately, but we captured it because we're proxying everything. We go to this tool and say, hey, you know that request I just made, where was it? SQL injection, oh, it's a POST request. "Hey, can you do me a favor, can you just, like, attack this for me?" Let's see, Submit ID. I've got to click on it, right-click and say, hey, attack this, tell me if it's vulnerable. And spoiler alert, it's vulnerable to SQL injection, which is probably why it's under... see, yeah. And it shows you, it even pulls out some intel and says it's MySQL 5.0 and some various other things, and the exact context of how it was able to exploit it. What I'm gonna do is I'm going to take this legitimate request. Who... not that one, dang, I don't want that, I want History. Okay, this one. And I want to save it to a text file: save as raw request, the whole request, not just the headers, not just the body, but both, and let's just call it... conveniently, well, I'm gonna call it that. Save it. Yeah, so I'm gonna save it into a text file and feed it to a tool. I have a command line here: sqlmap. Remember kids, get your parents' permission before using sqlmap. Oh, that's funny, I can't actually find it, so we'll go under Tools, and Tools will open up a command line and show you right where it's at. So okay, so we've got sqlmap, and I'm gonna read in a file, and I believe it was here, what was it called again, SQLi raw, and I want it to list the databases, --dbs. And so it's gonna list them. If you don't remember anything else: when sqlmap asks you a question, just
accept the default, unless you're really sure you know what you're doing. We have encountered plenty of cases where, with some thoughtful consideration, you disagree with it and you get better results, but those are few and far between. It looks like it's MySQL. "Do you want to skip testing other payloads?" I'm sorry, I resized the screen, but the default answer is in caps. Oh, yes. "For the remaining tests, do you want me to include all tests for MySQL?" And that ups the level, or the number of things to test for, and it maybe increases the riskiness of some of the tests. I'm okay with risky testing on my loopback here, so yes. And it goes through and it tries a bunch of things and eventually, slowly... not so slowly, figures out exactly how it's vulnerable, and it pulls out a list of the databases that are on this box. Oh hey, "there's a parameter called id that's vulnerable, do you want to test the others?" Man, I'd only need one; you have to defend all, I only need to find one. Oh hey, so there we go, and it tells you how it's vulnerable, and here are the databases. You know what, I want the database called dvwa and I want to list all the tables. There are two tables, guestbook and users. I want the table users, and I want to dump all the things. Oh, it says... oh hey, you know, mmm, you can't really see it, but it says that it thinks it found some hashes: "Do you want to store them for offline processing?" No, because it's gonna offer to process them right now. Hit yes and it cracks the passwords. Ta-da. And so that was a little fast, because I had run it earlier; otherwise it would have taken, like, a whole 30 seconds. And so it not only pulled the data out of the database, it took the hashes and ran them through a simple password cracker against trivial types of passwords and was able to find the clear-text password out of the hash, the unsalted hashes. Anywho, hmm, lots of cool stuff in the notes. Always follow the advice, da da da da. In conclusion: break the web app, walk away sad. Simple, folks. Download, play with Dojo, there's a lot of cool targets and guides, so just have your own, you know, one-man CTF this weekend, and feel free to contribute, or, you know, tell us how we can make it better. That's pretty much it; it's all I've got. Are there any questions?

Let's skip the round of applause... David, you have time for that? There are two questions. Anyone with a question? Check, check, check. Okay, so for any of the cross-site scripting vulnerabilities, like reflected or stored, could you elaborate a little more on what kind of impact that could
have, rather than just displaying the alert box? Like send off the user's credentials to a server? Would it, like, in fact infect their computer with malware? What could you do?

Right, so the impact from cross-site scripting, especially if it's persistent, or even if it's not: there's a tool on here called BeEF, the Browser Exploitation Framework. I think it was already running. So it can basically become a man-in-the-middle on the browser and track the victim. So if they're an administrator, you can start sort of controlling the browser and seeing what they see, and basically you're now inside the firewall, if it's an admin that you've injected into. So it can be bad, very bad, depending on the level of the victim. So it's a lot worse than most people think, maybe because the demos are always a little pop-up rather than man-in-the-middle, which I didn't get to show. But there are tools, there are frameworks out there; Bad Rabbit supposedly was doing something like this, hooking your browser, so even when you open up new tabs it's still injecting those tabs as well and kind of tracking you, unless you shut down the entire browser, and then there are other persistence techniques as well. Was there another question? Oh, young lady right here.

You know how there's ZAP and Burp Suite and things like that; if it didn't tell you which one to use for each challenge, how could you find out which one is the best to use?

Well, the best tool is your brain, and stay in school. No, but, um, so it's whatever you want to use. Burp Suite doesn't really get great until it's the paid version; the free version doesn't do that auto-scanning thing that ZAP does. But in the end those are only helpful for finding low-hanging fruit. If it's a very critical function, you should manually be looking at the traffic, asking yourself, you know, what could I do, how could this be exploited, even from a business logic perspective, things like that. So the scanners only cover certain things, but when in doubt, use Burp Suite.

Let's give another round of applause to David. We have the... exploit team here, there's a challenge... Thanks for your talk, I think I'm smarter... thanks a lot. Okay, that's real. All right, thank you guys. All right, I'll be here if you have any other questions, but there's another speaker, right? No.
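The two defensive lessons in the talk, the DVWA medium-level filter that removes "script" once (bypassed in the demo by splitting the tag) and the `' or 1=1 --` login bypass from the SQL slide, reproduced below from the defender's side as an added example. This is not code from the talk, DVWA, ZAP or sqlmap: the single-pass blacklist is shown beside html.escape output encoding, and the slide's string-built login query beside a parameterised one, run against an in-memory SQLite table. The sample users, the table layout and the search-echo markup are constructed for this example.

```python
"""Added example, not code from the talk, DVWA, ZAP or sqlmap: the two
defences the talk pokes at, shown from the defender's side.

1. A single-pass "remove <script> once" blacklist (the medium-level
   behaviour the talk describes) beside output encoding with html.escape.
2. The slide's string-built login query beside a parameterised one,
   against an in-memory SQLite table with constructed sample users.
"""
import html
import sqlite3

# ---- 1. Reflected XSS: single-pass blacklist vs. output encoding ----------

def strip_script_once(value: str) -> str:
    """The non-iterative filter from the talk: delete '<script>' one time only.
    Because the result is never re-scanned, a tag split around another
    '<script>' reassembles after the deletion."""
    return value.replace("<script>", "", 1)

def echo_search_term(term: str, defence: str) -> str:
    """Render the 'You searched for ...' fragment under a chosen defence.
    The surrounding markup is constructed for this example."""
    if defence == "none":
        safe = term
    elif defence == "blacklist_once":
        safe = strip_script_once(term)
    elif defence == "encode":
        # Context-aware encoding for an HTML text node: '<' can never open a tag.
        safe = html.escape(term, quote=True)
    else:
        raise ValueError(f"unknown defence {defence!r}")
    return f"<p>You searched for: {safe}</p>"

def contains_script_tag(fragment: str) -> bool:
    """Crude check used only to compare the defences: does an opening
    <script tag survive in the rendered output?"""
    return "<script" in fragment.lower()

# Constructed inputs: the textbook form and the split form from the demo.
TEXTBOOK = "<script>alert(1)</script>"
SPLIT = "<scr<script>ipt>alert(1)</script>"

# ---- 2. SQL injection: string-built query vs. parameterised query --------

SAMPLE_USERS = [("admin", "hunter2"), ("alice", "correct-horse")]  # constructed

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT NOT NULL, pw TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def login_concat(conn: sqlite3.Connection, uid: str, pw: str):
    """Vulnerable: the quote in the input closes the string literal, so the
    rest of the input becomes part of the query's syntax, as on the slide."""
    sql = f"SELECT uid FROM users WHERE uid = '{uid}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_param(conn: sqlite3.Connection, uid: str, pw: str):
    """Fixed: placeholders send the input as data; the driver never lets
    it alter the statement's structure."""
    sql = "SELECT uid FROM users WHERE uid = ? AND pw = ?"
    row = conn.execute(sql, (uid, pw)).fetchone()
    return row[0] if row else None

LOGIN_BYPASS = "' or 1=1 --"   # the payload from the slide

def compare_defences() -> dict:
    """Run both halves and return the observations as a dict."""
    conn = make_db()
    return {
        "split_survives_blacklist": contains_script_tag(echo_search_term(SPLIT, "blacklist_once")),
        "split_survives_encoding": contains_script_tag(echo_search_term(SPLIT, "encode")),
        "concat_login_bypassed_as": login_concat(conn, LOGIN_BYPASS, "anything"),
        "param_login_bypassed_as": login_param(conn, LOGIN_BYPASS, "anything"),
    }

if __name__ == "__main__":
    for key, value in compare_defences().items():
        print(f"{key}: {value}")
```

The point of the first half is that a blacklist only ever matches the strings its author thought of, and a non-iterative one does not even survive its own output; encoding for the output context removes the whole class of problem. The second half shows the same shift from filtering input to changing where the input goes: with placeholders the database driver receives the payload as a plain string and the login simply fails.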