
Thank you for being here. I know it's quite late and it's been a long day, so I hope you have a good coffee and you don't fall asleep. I'm Xavi Mendez, I'm the main developer of wfuzz and principal security engineer at Skyscanner, and we have open positions, so if you like [Laughter] DevOps security and cloud security, please let me know after the talk. And please, when you buy a Skyscanner flight, click on the website, don't go to the airline, otherwise we don't get money. So yeah, I'm going to talk to you about wfuzz, so welcome to "Offensive wfuzz for hunters". I don't know how I ended up with 50 slides, so I think I'm going to skip some examples and I'm going to go fast, no videos, and let's see how it goes.

A bit of history: wfuzz has been around for ages. The first versions were developed in 2006 by some colleagues at S21sec, back in Sant Cugat, and it was maintained for several years, until 2011. Then I took over while I was doing pentesting in London, and since then, well, I took some breaks in the middle, but since then I've been committing new features to the tool until now. And what is wfuzz? I don't know if anyone knows it. Raise your hand if you know it... only one, two, three, okay. So it's basically a web fuzzer: what it does is replace the FUZZ keyword with the payload that you supply. And what is web fuzzing? Web fuzzing is basically fuzzing an unknown value; we try to find out what an unknown value is by sending a lot of different values, basically.

So what is wfuzz used for? If you look on the internet, it's going to be compared, well, mainly for content discovery, and it's going to be compared with dirb, DirBuster, gobuster or dirsearch, also Burp Intruder. But also, as a side note, dirb was also coded by Ramon Pinuaga back in S21sec, I think in 2005 or something like that, so it's also quite old, and DirBuster, I think, hasn't had any new update since 2009 or something like that. So it's surprising that people are still using all these old tools for this.

Okay, so it's a content discovery tool. What is content discovery really? Content discovery is trying to find unknown directories or files on a web server. To do that, you basically have a huge dictionary, you go through the whole dictionary and try to find out whether there is a resource there on the web server, and the success of this technique is based on how good your dictionary is, basically. So, is wfuzz a content discovery tool? Well, it is. I'm going to show an example here, and we are using the demo website of WebInspect, I think it's this one. It's basically a fake bank with a bunch of vulnerabilities. I don't know if you can see anything from back there, but this is how wfuzz looks. I don't know if I can do this... well, anyway.

So here we are looking for directories. We have the URL there, and this is how it works: you have the URL there with the FUZZ keyword, and then you supply a dictionary, in this case quickhits from SecLists, and wfuzz is going to go through each word of the dictionary. Here you have a table, this is the output of wfuzz, where you have all the responses and some information like the code, the lines, the words and the characters of the content of the response, and this is the payload that we used. When you are using this technique it's quite important to filter the results, because otherwise, as I said before, the dictionaries are huge and you are going to end up with a massive output that is not going to fit even on the screen. That's why here we are filtering the codes by 404, so we are only showing the ones that are not 404. If you look here there are some interesting directories like admin, backup, db; this seems like a Tomcat admin panel. So you get the idea, and after this it's a matter of going through all these results and seeing what is there. In this case this is the admin panel, and it has the user and password data of the bank, and you can imagine what you can do from here, but I'm going to go to the next examples. So yeah, it's a content discovery tool, but it does many more things than that.

There are other examples in the docs; I'm not going to go through all the things that you can do, but there are other examples like fuzzing cookies, fuzzing headers, using other payloads, encodings and so on. But where wfuzz really sits is in between your fully automated tool and manual pentesting. So you would use wfuzz when you want to know what data you are sending back and forth, or if you don't trust the automatic tool that you are using, or if you have an API and you want to send some crafted data, or you want to understand what is behind, if there is a proxy, a CDN and so on. So here you see, this is also from the documentation, the advanced documentation, and the key things here are that it has a filter language (we are going to go through this in the examples) and that you can utilize the previous results, which we can do by saving the session. This is my point of view of what wfuzz is, and it seems that some people agree. So thank you, ponysec, he says that this is like a Swiss army knife of web security. I don't know what this guy is doing with wfuzz, but he's happy. And some others not; I don't know what happened to this guy, but he's not happy with wfuzz at all.

So I'm going to go for another example, to see how you can use a Burp session, and for that we are going to use wfpayload. wfpayload is a command line tool that allows you to query a session that you have previously stored, make queries, and explore the HTTP requests and responses that you have in that session. So imagine here that you have... we are going to use this other demo site, this one is from Acunetix, and imagine that you are doing your web assessment, you have your Burp session with all the requests and responses here, and we tell Burp to store all these in a file, so we can use this file and query it. Before, in the old versions of Burp, you could do this by going to the menu and "save state" and so on, but now this is gone because the new version has this project management and so on. Still, we can use this and we can use all the requests and responses that are stored here.

So okay, let's read from the Burp session, and I'm going to zoom here because I don't think you can see anything. Whoa, I broke it. Okay, I'm not going to zoom. So here we are using the burplog payload, we are setting the file to read, which is the Burp log that we told Burp to store, and you don't see anything more. Okay, this is not working anyway. So the good thing about this is that there is this filtering, so here we are telling wfpayload to show all the requests that have a GET or POST parameter, and all the unique requests that have any GET parameter. So here you can see all the requests that have that. Keep this in mind because we are going to use it for another example, but this is a simple example that you can use with wfpayload, and you can use this for any other thing, like if you want to understand your application or you want to parse any content and so on.

Okay, so in the next example I'm going to show you how to exploit a SQL injection the old school way. I don't know if you've been doing pentesting for like 10 years, but back then trying to find SQL injection was quite easy: you only had to put a quote in every parameter and the application nicely gave you an error. So this is my MySQL error, so you knew that there was a SQL injection here. But if you want to do this for every page and every parameter, you're going to end up having to use curl or going through the website and putting a quote in every parameter, so it's quite painful. So we are going to do that automatically, and we are using wfuzz for that, of course. Now we have the same query as before, these are the previous requests that we had before, and then we are telling wfuzz, for any GET parameter, to append a quote at the end. We are also using a plugin that parses the responses and looks for errors. So here you can see, I don't know if you can see from behind, but there are all the same requests as before, but there is a quote here, and then you can see the MySQL error. So in 15 or 16 seconds we have gone through all the parameters and pages of the website and we know where there is a SQL injection. I mean, this is a silly example, but it's the idea of how we can use wfuzz to automate this stuff. This example I'm going to skip because I don't think I have enough time.

Okay, so now we are going to get a little bit more evil, and we are going to exploit a vulnerability in the wild, so don't do this at home, or if you do it, don't use your home IP address. I don't know how many of you use Confluence at work... okay, maybe ten. So of these ten, how many of you know that there is a remote code execution that was published like the 20th of March? Okay, half of them. Go and run if you didn't know it. I'm not going to read this advisory, but you can go to the URL. What is the vulnerability about? Basically it is a path traversal that makes the widget connector of Confluence parse a template, and here is the parameter of the template, so you can put anything here. The good thing is that you can put any remote template, and inside the template you can execute Java code, so you end up executing code on the Confluence server.

Okay, so we have this new shiny vulnerability. How do we get targets, Confluence servers, to exploit the vulnerability? I guess everyone knows Shodan; if not, it's like a web search engine that you can use to search for computers connected to the internet. Here we are using the Confluence header, it says X-Confluence, and according to Shodan there are like 26,000 Confluence servers in the world, at least with this query. So now we have this vulnerability, we have this amount of targets, and how do we exploit all these servers automatically? Luckily there is a new, well, I actually coded this payload this week for this demo, there is a Shodan payload in wfuzz that you can use. So okay, let's look for Confluence servers with this payload. What we are doing here: this is the payload, and we are telling Shodan to give us all the IPs or hostnames that we think are Confluence; here there is the vulnerable path that we talked about two slides before; and we send some random POST data. Because we are testing a bunch of servers we want to go fast, so we are going to ignore all the errors and we are setting a connection delay of one second; by default it's like 90 seconds, but because we are brute-forcing supposedly all these 26,000 servers we want to go fast. Also we are following any redirect, and we are saving the session.

Okay, so this is part of the output of wfuzz after running this command, and here you see, or maybe you don't, but I'm going to tell you: you see connection errors, you see 404s, 405s. So basically you see a bunch of responses from different servers, you see nginx, Apache, different versions of Apache, and I think that's it. But there is an interesting thing here: this is the colour of the redirect column, and this is the payload that we used, so these are the hostnames and IPs that Shodan gave us, and if you look at some of these redirects, for example this one, here we have this IP, we made the HTTP request to this IP, and nicely the web server is telling us that it's redirecting us to https://confluence.blah-blah-blah. So nicely the web server is telling us that it's a Confluence server. Keep that in mind. Another thing I'm not showing, because that was only part of the output, is that at some point there was an exception, and this is because I'm using a public API key that is around the internet. I haven't paid for Shodan, I mean, you should pay, I have my key, but for this example I didn't use it, I didn't want to lose all my credits. The problem with this is that someone has done the same and there are no more credits in that case. So Shodan gave us like 100 results instead of the 26,000; the first page, which is 100 results, is for free.

Okay, we have 100 results, and as I said we have a bunch of responses, and as commented before, we want to exploit the Confluence servers, so which ones do you think are going to be Confluence servers? An easy guess: I'm going to go after the ones that say confluence in the URL, in the hostname. So out of the 100 that we got from Shodan, out of the 26,000, we have like six or seven here. So do you think we are going to get anyone that is going to be vulnerable? Maybe yes, no? Okay, so let's play them. What we are doing here is, well, this is the template parameter, this is all the POST data that we are sending, it's the one that was in the advisory, and here we are specifying the template, and we are asking for web.xml, which is a configuration file of the web server, it's always there, so if it's a Confluence server it's going to be there. And we are using a proxy, I didn't want to use my home address. Basically we run this, we are storing the session. I don't even see the screenshot from here, so... yeah, we run this, and if you look at this column here, this is the characters of the response, and you see that some of them are quite big, like 800 KB or something like that. So it looks promising, it looks like the web.xml is there, and you have to trust me here, or maybe not, because we only did the request, we haven't filtered which ones are vulnerable. To filter which ones are vulnerable, well, the web.xml starts with a tag that says web-app and finishes with another tag that says web-app, so we are going through all the responses and looking for the ones that have this content. So out of the seven, I think one is repeated, but we have like four vulnerable servers.

Well, but not that we tried really hard, I mean we didn't try to resolve the IPs, we didn't try to get the hostname from the SSL certificate and things like that. We did this really quickly and with a basic Shodan query, but yeah, we had like four potential... they are vulnerable, and I'm going to show you here, if you don't trust me: this is a curl request which is using the same as the one in wfuzz, but instead of getting the web.xml template we are getting /etc/passwd, so this is the /etc/passwd of this Confluence.

Okay, if you look at this, this is kind of complex, I mean to write this is kind of painful. Do we have more time? Okay, I'm going to go fast. So this is the HTTP request, I mean to write this is kind of painful, so wfuzz has the concept of recipes, so you can dump all the command line options to a file, then you share the file with whoever you want; like, instead of writing a report you send this recipe to your customer, or you put it in an exploits GitHub, and then you use the recipe, you choose the file and you can also use whatever other options you want, the URL for example, for any other server. This is the same example but using the recipe, and this is the same Confluence server, we are filtering again but with a recipe, and this is the vulnerable Confluence server.

I'm going to go fast here, but there is a library, so if you want to script wfuzz you can use this; this is like four lines to brute-force all the directories of this website. And some ideas if you want to start in bug bounties: this is a GitHub repo with all the domains that are part of a bounty, this is theHarvester to do some recon, this is Photon and Burp to do crawling, or look at whatever is there, and these are the top 10 techniques of 2018. And of course use wfuzz. That's it, thank you for listening, and if you have any questions... [Applause]
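From the defender's side, the two techniques demonstrated in the talk (walking a dictionary against a web server and filtering out the 404s, and appending a quote to every GET parameter to look for database errors) leave a distinctive trace in access logs. The following is an added example, not code from the talk or from wfuzz: it parses a few constructed combined-format log lines, flags client IPs whose requests are mostly 404s across many distinct paths, and flags requests whose parameter values end in a single quote. The sample lines, the user agent strings and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample access log in combined format (assumption, not data from the talk).
# Lines 1-5: one client walking a wordlist; line 6: a quote appended to a GET parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2019:21:10:01 +0000] "GET /admin HTTP/1.1" 404 209 "-" "Wfuzz/2.3"
10.0.0.5 - - [20/Mar/2019:21:10:01 +0000] "GET /backup HTTP/1.1" 404 209 "-" "Wfuzz/2.3"
10.0.0.5 - - [20/Mar/2019:21:10:02 +0000] "GET /db HTTP/1.1" 404 209 "-" "Wfuzz/2.3"
10.0.0.5 - - [20/Mar/2019:21:10:02 +0000] "GET /manager/html HTTP/1.1" 401 1293 "-" "Wfuzz/2.3"
10.0.0.5 - - [20/Mar/2019:21:10:03 +0000] "GET /test HTTP/1.1" 404 209 "-" "Wfuzz/2.3"
10.0.0.7 - - [20/Mar/2019:21:11:00 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2019:21:12:00 +0000] "GET /index.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def content_discovery_sources(log, min_requests=5, min_404_ratio=0.6):
    """IPs that hit many distinct paths and got mostly 404s: the footprint of a
    wordlist run (the talk hides the 404s in wfuzz output; here we count them)."""
    per_ip = defaultdict(lambda: {"n": 0, "nf": 0, "paths": set()})
    for r in parse(log):
        s = per_ip[r["ip"]]
        s["n"] += 1
        s["nf"] += r["status"] == "404"
        s["paths"].add(urlsplit(r["target"]).path)
    return sorted(ip for ip, s in per_ip.items()
                  if s["n"] >= min_requests
                  and s["nf"] / s["n"] >= min_404_ratio
                  and len(s["paths"]) >= min_requests)

def quote_probes(log):
    """(ip, target) pairs where a GET parameter value ends in a single quote,
    i.e. the old-school 'append a quote to every parameter' SQLi check."""
    hits = []
    for r in parse(log):
        query = urlsplit(r["target"]).query
        values = [p.split("=", 1)[-1] for p in query.split("&") if p]
        if any(unquote(v).endswith("'") for v in values):
            hits.append((r["ip"], r["target"]))
    return hits
```

Both checks work on the request line alone, so they run on logs from any web server or reverse proxy in front of the application; the ratio threshold is what keeps a legitimate client with one or two broken links out of the content discovery list.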