Andrés Riancho ariancho cybsec.com w3af – A framework to own the Web CanSecWest 2008 Vancouver, Canada.

Slides:



Advertisements
Similar presentations
A framework to 0wn the Web Copyright 2008 CYBSEC. All rights reserved. Andrés Riancho OWASP Poland
Advertisements

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
Client and Server-Side Vulnerabilities Stephen Reese.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
OWASP Xenotix XSS Exploit Framework
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Penetration testing – W3AF Tool
Browser Exploitation Framework (BeEF) Lab
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room /11/10.
IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE Panagiotis Loumpardias Konstantinos Chimos.
Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
JD’s ToolBox – Fire and Water Toolkit Next Generation Web Assessment Technology NT OBJECTives, Inc.
Web Application with AJAX CS 526 advanced interned and Web system Presenters Faris Kateb Mohammed AbdulAziz Omar Alzahrani.
Python and REST Kevin Hibma. What is REST? Why REST? REST stands for Representational State Transfer. (It is sometimes spelled "ReST".) It relies on a.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Mike Gerschefske. Hacking is illegal (most of the time)  Understand the laws  Port Scanning can be considered illegal  Post 9/11 can be act of terrorism.
Application Security Testing A practitioner’s rambling advice & musings.
Grid Chemistry System Architecture Overview Akylbek Zhumabayev.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
A Tale of Two Bugs. This Fall has been bad Let’s look at two CVE AKA “Shellshock” CVE AKA “Drupalgeddon”
Web Applications Testing By Jamie Rougvie Supported by.
Building Secure Web Applications With ASP.Net MVC.
Web Application with AJAX CS 526 advanced interned and Web system Presenters Faris Kateb Mohammed AbdulAziz Omar Alzahrani.
W3af S. Qi,X. Ma,Y. Zhang,B Zhao,Y Zhu EC521 Fall 2014.
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Enumeration. Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.
CGS 3066: Web Programming and Design Spring 2016 Introduction to Server-Side Programming.
Web Application with AJAX CS 526 advanced interned and Web system Presenters Faris Kateb Mohammed AbdulAziz Omar Alzahrani.
Top 10 Hacking Tool Welcome TO hackaholic Kumar shubham.
CGS 3066: Web Programming and Design Spring 2017
Javascript worms By Benjamin Mossé SecPro
Distributed Control and Measurement via the Internet
Manuel Brugnoli, Elisa Heymann UAB
WEB APPLICATION TESTING
World Wide Web policy.
Cross-Site Scripting Travis Deyarmin.
Network Exploitation Tool
Metasploit a one-stop hack shop
ADVANCED PERSISTENT THREATS (APTs) - Simulation
PHP / MySQL Introduction
Department of Computer Science, Florida State University
Intro to Ethical Hacking
Mobile Pen Testing w/ drozer
Intro to Ethical Hacking
Tiers vs. Layers.
Google App Engine Ying Zou 01/24/2016.
Web Application Penetration Testing ‘17
Lecture 2 - SQL Injection
Zach Garcia Keith Reiter
Python and REST Kevin Hibma.
PHP Forms and Databases.
Web Application Development Using PHP
Protecting Browsers from Extension Vulnerabilities
SHELLSHOCK ATTACK.
Presentation transcript:

Andrés Riancho ariancho cybsec.com w3af – A framework to own the Web CanSecWest 2008 Vancouver, Canada

2 w3af ● w3af stands for Web Application Attack and Audit Framework ● A vulnerability scanner ● An exploitation tool ● An Open Source project (GPLv2) ● A script that evolved into a serious project CYBSEC Security Systems

3 Main features ● Finds common and uncommon web application vulnerabilities. ● Cross platform (written in python). ● Uses Tactical exploitation techniques to discover new URLs and vulnerabilities ● pyGTK and console user interface w3af.sf.net

4 Main features ● Web Service support ● Exploits [blind] SQL injections, OS commanding, remote file inclusions, local file inclusions, XSS, unsafe file uploads and more! ● WML Support (WAP) ● Really easy to extend ● Synergy among plugins CYBSEC Security Systems

5 Main features ● Ability to find vulnerabilities in query string, post data, URL filename ( ), headers, file content (when uploading files with forms) JSON and web services. ● Number of plugins: 120+ and growing w3af.sf.net

6 Architecture ● w3af is divided in two main parts, the core and the plugins. ● The core coordinates the process and provides features that plugins consume. ● Plugins share information with each other using a knowledge base. ● Design patterns and objects everywhere ! CYBSEC Security Systems

7 Architecture ● 8 different types of plugins exist: – discovery – audit – grep – attack w3af.sf.net - output - mangle - evasion - bruteforce

8 Plugins | Discovery They find new URLs and create the corresponding fuzzable requests; examples of discovery plugins are: – webSpider – urlFuzzer – googleSpider – pykto CYBSEC Security Systems

9 Plugins | Audit They take the output of discovery plugins and find vulnerabilities like: – [blind] SQL injection – XSS – webDav misconfigurations – Response splitting As vulnerabilities are found, they are saved as vuln objects in the knowledge base. w3af.sf.net

10 Plugins | Attack These plugins read the vuln objects from the KB and try to exploit them. Examples of attack plugins are: – mySqlWebShell – davShell – sqlmap – xssBeef – remote file include shell CYBSEC Security Systems

11./w3af w3af.sf.net

12 Virtual daemon ● Ever dreamed about using metasploit payloads to exploit web applications ? NOW you can do it ! ● How it works: – I coded a metasploit plugin, that connects to a virtual daemon and sends the payload. – The virtual daemon is runned by a w3af attack plugin, it receives the payload and creates a tiny ELF / PE executable CYBSEC Security Systems

13 Virtual daemon ● How this works (contd.): – The attack plugin knows how to exec remote commands, and the virtual daemon knows how to upload the ELF/PE using “echo” or some other inband or outband method. – A new scheduled task is created to run the payload, and the metasploit plugin is ordered to wait – The payload is run on the remote server. w3af.sf.net

14 Virtual daemon ● How this works (contd.): – Normal communication between metasploit and the exploited service follows. CYBSEC Security Systems

15 Virtual daemon w3af - Virtual daemon payload w3af – Attack plugin ELF / PE Reverse Shell (interactive!) Metasploit Framework Web Application w3af.sf.net

16 Virtual daemon demo! CYBSEC Security Systems

17 w3afAgent ● A reverse “VPN” that allows you to continue intruding into the target network. ● How does it work? – I send the w3afAgent client to the target host using a transfer handler (wget, tftp, echo) – The client connects back to w3af, where the w3afAgent server runs a SOCKS daemon. w3af.sf.net

18 w3afAgent Web Application w3afAgent Client w3af w3afAgent Client Reverse connection w3afAgent Server w3afAgent Client Data forwarded using reverse connection w3afAgent Server SSH client with socks support SSH server in DMZ CYBSEC Security Systems

19 import __future__ ● Javascript support ● More stable core ● More attack plugins, refactoring of attacks. ● Better pyGTK user interface ● Better management report generation ● Long descriptions for vulnerabilities w3af.sf.net

20 Project information ● Site – ● Mailing list and sourceforge home – ● It's open source, you should contribute! ● Project leader contact – andres.riancho gmail.com – ariancho cybsec.com CYBSEC Security Systems

21 Project sponsors Platinum sponsor w3af.sf.net Gold sponsor

22 Questions? Feature requests ? ideas? Bug reports? contributions Rants about web2.0? i want flash support! Web Services hacking.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.