SHOW:
|
|
- or go back to the newest paste.
| 1 | - | #################### |
| 1 | + | ####################################### |
| 2 | - | # Ultimate App Sec # |
| 2 | + | # Source Code Analysis For Pentesters # |
| 3 | - | #################### |
| 3 | + | ####################################### |
| 4 | ||
| 5 | The video from the previous version of the class: | |
| 6 | https://s3.amazonaws.com/StrategicSec-Videos/2015/2015-12-30+09.08+Source+Code+Analysis+For+Pentesters.mp4 | |
| 7 | ||
| 8 | - | http://www.slideshare.net/akilan27/ilugc-curl |
| 8 | + | |
| 9 | - | http://www.slideshare.net/cory_scott/tactical-application-security-getting-stuff-done-black-hat-briefings-2015 |
| 9 | + | Day 1 Class video: |
| 10 | https://s3.amazonaws.com/StrategicSec-Videos/2016/SourceCodeAnalysisForPentesters/2016-10-31+19.33+Source+Code+Analysis+For+Pentesters.mp4 | |
| 11 | ||
| 12 | - | Download the course lab manual: |
| 12 | + | |
| 13 | - | https://s3.amazonaws.com/StrategicSec-Files/UltimateAppSec/Ultimate-App-Sec-V2.pdf |
| 13 | + | |
| 14 | https://s3.amazonaws.com/StrategicSec-Files/UltimateAppSec/UltimateAppSec-Week1.pptx | |
| 15 | ||
| 16 | - | Day 1 (12 Oct class video): |
| 16 | + | |
| 17 | - | https://s3.amazonaws.com/StrategicSec-Videos/UltimateAppSec/2015-10-12+18.03+Ultimate+Web+App+Sec.mp4 |
| 17 | + | |
| 18 | ||
| 19 | ||
| 20 | - | Day 2 (14 Oct class video): |
| 20 | + | |
| 21 | - | https://s3.amazonaws.com/StrategicSec-Videos/UltimateAppSec/2015-10-14+18.03+Ultimate+Web+App+Sec.mp4 |
| 21 | + | Latin (romance language) C |
| 22 | ||
| 23 | ||
| 24 | - | Day 3 (21 Oct class video): |
| 24 | + | Spanish Italian French Portugese Romainian |
| 25 | - | https://s3.amazonaws.com/StrategicSec-Videos/UltimateAppSec/2015-10-21+18.07+Ultimate+Web+App+Sec.mp4 |
| 25 | + | |
| 26 | ||
| 27 | ||
| 28 | - | Day 4: (9 Nov class video): |
| 28 | + | C++ Java PHP Perl C# |
| 29 | - | https://s3.amazonaws.com/StrategicSec-Videos/UltimateAppSec/2015-11-09+18.08+Ultimate+Web+App+Sec.mp4 |
| 29 | + | |
| 30 | ||
| 31 | Syntax (the way you say things changes between the languages) | |
| 32 | - | Web App Pentester Night School 2016 |
| 32 | + | |
| 33 | - | https://s3.amazonaws.com/StrategicSec-Videos/2016/2016-02-01+18.15+Web+App+Pentester+Night+School+January+2016.mp4 |
| 33 | + | |
| 34 | - | https://s3.amazonaws.com/StrategicSec-Videos/2016/2016-02-03+18.10+Web+App+Pentester+Night+School+January+2016.mp4 |
| 34 | + | |
| 35 | def salestax() | |
| 36 | x * .07 | |
| 37 | ||
| 38 | ||
| 39 | def propertytax() | |
| 40 | x * .07 | |
| 41 | ||
| 42 | ||
| 43 | ||
| 44 | 1. Input validation | |
| 45 | Make sure the data coming in is EXACTLY what you want | |
| 46 | ||
| 47 | 2. Output validation | |
| 48 | Make sure the data going is EXACTLY what you want | |
| 49 | - | Start with simple Firefox Addons: |
| 49 | + | |
| 50 | 3. Session validation | |
| 51 | - | - ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/ |
| 51 | + | Make sure who's running it is EXACTLY who you expect to be running it |
| 52 | - | - Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/ |
| 52 | + | |
| 53 | - | - FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ |
| 53 | + | |
| 54 | - | - Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ |
| 54 | + | |
| 55 | - | - Wapalyzer https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/ |
| 55 | + | |
| 56 | Homework: | |
| 57 | - | A good list of web app testing add ons for Firefox: |
| 57 | + | Python video tutorial series (43 videos): |
| 58 | - | https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/ |
| 58 | + | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA |
| 59 | Your task is to create a word document with screenshots that proves you have performed 25 of the videos in the playlist listed above. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Source-Code-Analysis-For-Pentesters-Python-Homework.docx) | |
| 60 | ||
| 61 | ||
| 62 | C Programming video tutorial series (58 videos): | |
| 63 | https://www.youtube.com/playlist?list=PL6gx4Cwl9DGAKIXv8Yr6nhGJ9Vlcjyymq | |
| 64 | Your task is to create a word document with screenshots that proves you have performed 25 of the videos in the playlist listed above. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Source-Code-Analysis-For-Pentesters-C-Homework.docx) | |
| 65 | ||
| 66 | - | ################################## |
| 66 | + | |
| 67 | - | # Basic: Web Application Testing # |
| 67 | + | Java Programming video tutorial series (87 videos): |
| 68 | - | ################################## |
| 68 | + | https://www.youtube.com/playlist?list=PLFE2CE09D83EE3E28 |
| 69 | Your task is to create a word document with screenshots that proves you have performed 25 of the videos in the playlist listed above. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Source-Code-Analysis-For-Pentesters-Java-Homework.docx) | |
| 70 | - | Most people are going to tell you reference the OWASP Testing guide. |
| 70 | + | |
| 71 | - | https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents |
| 71 | + | |
| 72 | ||
| 73 | - | I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website. |
| 73 | + | |
| 74 | --------------------------------------------------------------------------------------------------------------------------- | |
| 75 | ||
| 76 | - | The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site. |
| 76 | + | |
| 77 | - | |
| 77 | + | VMWare & Class Virtual Machine |
| 78 | - | 1. Does the website talk to a DB? |
| 78 | + | ------------------------------ |
| 79 | - | - Look for parameter passing (ex: site.com/page.php?id=4) |
| 79 | + | |
| 80 | - | - If yes - try SQL Injection |
| 80 | + | |
| 81 | ||
| 82 | - | 2. Can I or someone else see what I type? |
| 82 | + | |
| 83 | - | - If yes - try XSS |
| 83 | + | |
| 84 | Download the course virtual machines: | |
| 85 | - | 3. Does the page reference a file? |
| 85 | + | ------------------------------------- |
| 86 | - | - If yes - try LFI/RFI |
| 86 | + | |
| 87 | username: strategicsec | |
| 88 | - | Let's start with some manual testing against 54.213.252.28 |
| 88 | + | |
| 89 | ||
| 90 | ||
| 91 | - | Start here: |
| 91 | + | |
| 92 | - | http://54.213.252.28/ |
| 92 | + | ############################################################### |
| 93 | # Rough Auditing Tool for Security (RATS) # | |
| 94 | # https://code.google.com/p/rough-auditing-tool-for-security/ # | |
| 95 | - | There's no parameter passing on the home page so the answer to question 1 is NO. |
| 95 | + | ############################################################### |
| 96 | - | There is however a search box in the top right of the webpage, so the answer to question 2 is YES. |
| 96 | + | cd ~/toolz |
| 97 | mkdir rats | |
| 98 | - | Try an XSS in the search box on the home page: |
| 98 | + | cd rats |
| 99 | - | <script>alert(123);</script> |
| 99 | + | wget https://rough-auditing-tool-for-security.googlecode.com/files/rats-2.4.tgz |
| 100 | tar -zxvf rats-2.4.tgz | |
| 101 | - | Doing this gives us the following in the address bar: |
| 101 | + | cd rats-2.4 |
| 102 | - | http://54.213.252.28/BasicSearch.aspx?Word=<script>alert(123);</script> |
| 102 | + | ./configure && make |
| 103 | sudo make install | |
| 104 | - | Ok, so we've verified that there is XSS in the search box. |
| 104 | + | |
| 105 | ||
| 106 | - | Let's move on to the search box in the left of the page. |
| 106 | + | |
| 107 | rats -h | |
| 108 | - | Let's give the newsletter signup box a shot |
| 108 | + | |
| 109 | ||
| 110 | - | Moving on to the login page. |
| 110 | + | # -i 'report functions that accept external input' |
| 111 | - | http://54.213.252.28/login.aspx |
| 111 | + | # -l 'force the specified langauge to be used' (perl, ruby, python, c, php) |
| 112 | # --context 'Display the line of code that caused the problem report' | |
| 113 | - | I entered a single quote (') for both the user name and the password. I got the following error:
|
| 113 | + | # --resultsonly 'No header, footer, or status information' |
| 114 | ||
| 115 | - | ----------------------------------------------------------------- |
| 115 | + | |
| 116 | - | 'Users//User[@Name=''' and @Password=''']' has an invalid token. |
| 116 | + | wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c |
| 117 | - | Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. |
| 117 | + | |
| 118 | rats -i -l C --context propecia.c | |
| 119 | - | Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token. |
| 119 | + | |
| 120 | ||
| 121 | - | Source Error: |
| 121 | + | |
| 122 | cd /home/strategicsec/toolz/rats/rats-2.4 | |
| 123 | ||
| 124 | - | Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
|
| 124 | + | ls | grep xml |
| 125 | - | Line 113: string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']"; |
| 125 | + | |
| 126 | - | Line 114: XmlNodeList xmln = doc.SelectNodes(credential); |
| 126 | + | cat rats-c.xml | less |
| 127 | - | Line 115: //String test = xmln.ToString(); |
| 127 | + | |
| 128 | - | Line 116: if (xmln.Count > 0) |
| 128 | + | |
| 129 | rats -i -l C --db rats-c.xml --context propecia.c | |
| 130 | - | ----------------------------------------------------------------- |
| 130 | + | |
| 131 | rats -i -l C --context --resultsonly propecia.c | |
| 132 | ||
| 133 | - | Hmm....System.Xml.XPath.XPathException.....that's not SQL. |
| 133 | + | rats -i -l Python --context --resultsonly ../../MultiInjector.py |
