Tuesday, September 3, 2013

Web-Application Penetration Testing - List of Vulnerable Web Applications

Hi all of you out there….

This blog is dedicated to all those who want to learn and test their penetration testing skills.

Being a web application security enthusiast, I will be concentrating on “setting up a web-app pentesting lab”.

IMPORTANT – Many make the mistake of testing live applications out on the open internet. This can cause huge trouble for the person testing the website (without legal authorization) and can bring a “full-stop” to his/her information security career. Perform pentests only on web applications where you have proper permission to do so.

Normally a person new to web-app pentesting has a question like the following:
If testing live application without prior permission is not legal, then how can I learn and test my skills?

Well there is a simple solution to this question.
Set up your own lab and start pentesting.
At first, this may sound a little bit cumbersome but believe me, it’s not at all that hard.
What do you have to do when setting up a lab?

Some may think that they will have to code and develop their own web application and then start pentesting it. If you are thinking that, then please chill… You don’t need to do any coding. (If you know coding then it's definitely a plus point, but if you don't, don't worry; you don't need it for the setup.)

There are ready-made “vulnerable” web applications available on the Internet. You just need to download them, do a little bit of setting up on your laptop/PC, and then you are all set to go.

I will mention some of the “vulnerable” web applications here.

-----------------------------------------------------------------------------------------------------------


This is a web application which is designed with vulnerabilities already built into it.
For a newbie, this is the perfect application to get started with.
There is a particular tab provided for each vulnerability; you just need to visit the tab and exploit that particular vulnerability.

There are appropriate security levels (low, medium, high) built into this application.
There is also an "Intrusion Detection System" for PHP, namely PHPIDS, included in this application. By default, it is disabled.
If you want to really test your skills, then set the "security" level to "high" and enable PHPIDS. ;-)


-----------------------------------------------------------------------------------------------------------


The main thing I like about this web-app is the way it has implemented the vulnerabilities.
The vulnerabilities are arranged according to the OWASP Top 10 rankings.

If you get stuck somewhere, don't worry. There is a "help" option provided to ease your task.



-----------------------------------------------------------------------------------------------------------


OWASP WebGoat is another test web-app that can be used to learn and enhance your skills.
The application is a realistic teaching environment, providing users with hints and code to further explain each lesson.
This application is based on J2EE. If you want to try the .NET version, then you can visit OWASP WebGoat .NET.


-----------------------------------------------------------------------------------------------------------

Hackxor

If you don't want to go "step-by-step" through vulnerability exploitation, as is the case in the above web applications, then you can try out "Hackxor". It is a webapp hacking game, where players must locate and exploit vulnerabilities to progress through the story. It is a web app with a plot and a focus on realism & difficulty. Hackxor contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.


-----------------------------------------------------------------------------------------------------------

Exploit.co.il

Another good vulnerable web application is "exploit.co.il".
This "Vulnerable Web app" is designed as a learning platform to test various SQL injection techniques.
It is a fully functional web site with a content management system based on FCKeditor.


-----------------------------------------------------------------------------------------------------------


This is a good "vulnerable" web application which gives you the look and feel of exploiting a live application.
You can learn a lot with Bodgeit.
Like the above examples, this download also comes as a zipped file. Just extract it and start using it.


-----------------------------------------------------------------------------------------------------------


This vulnerable web application was designed particularly for testing various automated security scanners. The research was named "Why Johnny Can't Pentest?". (I request you to read this research paper.)

WackoPicko is a simulation of a picture-sharing web app. Find vulnerabilities and see the pics which are not intended for a normal user to see.. ;-) It's fun to exploit this web app.


-----------------------------------------------------------------------------------------------------------


The OWASP Hackademic Challenges project implements realistic scenarios with known vulnerabilities in a safe, controllable environment.
Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security from the attacker's perspective.


------------------------------------------------------------------------------------------------------------

These are a few web applications that I found interesting.
They are safe from a legal perspective and at the same time you will get to learn a lot from them.

The above examples are simple ones and you will get a zipped file when you download them. You just need to extract it and use an appropriate server environment. I used XAMPP.

If you are not aware of how to set up XAMPP then click here. This link will help you in setting up XAMPP.
Don't go into too much depth.

If you are not comfortable with setting up XAMPP, then let me know in comments. I will try my best to help you out.

Hope this blog helps you and boosts your infosec career.

Thank you..



Saturday, May 4, 2013

OWASP Top 10 - 2013 | Shivang Desai


An abstract of the OWASP TOP 10 (2013).
Nowadays I am eager to kick-start my Information Security career and I have just started with web application security.
For web application security, the best way to start is OWASP. You can start with www.owasp.org and get a complete insight into what web application security is and how to perform it.
OWASP – Open Web Application Security Project.
OWASP categorizes web application vulnerabilities and ranks them according to the impact each particular vulnerability can cause.
OWASP has categorized the top 10 vulnerabilities of 2013 and the list is as mentioned below.

Number  TOP-10                                        Attack Vector      Security Weakness                    Technical Impact
                                                      (Exploitability)   Prevalence (P), Detectability (D)
A1      Injection                                     Easy               P-Common, D-Average                  Severe
A2      Broken Authentication and Session Mngmt.      Average            P-Widespread, D-Average              Severe
A3      Cross Site Scripting                          Average            P-Widespread, D-Easy                 Moderate
A4      Insecure Direct Object Reference              Easy               P-Common, D-Easy                     Moderate
A5      Security Misconfiguration                     Easy               P-Widespread, D-Easy                 Moderate
A6      Sensitive Data Exposure                       Difficult          P-Uncommon, D-Average                Severe
A7      Missing Function Level Access Control         Easy               P-Common, D-Average                  Moderate
A8      Cross Site Request Forgery (CSRF)             Average            P-Common, D-Easy                     Moderate
A9      Using Components with Known Vulnerabilities   Average            P-Widespread, D-Difficult            Moderate
A10     Unvalidated Redirects and Forwards            Average            P-Uncommon, D-Easy                   Moderate

Let’s see an abstract of each vulnerability.

1.  Injection
At first a newbie may think of SQL injection, but this first OWASP category is not only about SQL injection. Injection may be found in SQL, LDAP or XPath queries, OS commands, program arguments, XML parsers, etc. Injection found in SQL is called SQL injection.
https://www.owasp.org/index.php/Top_10_2013-A1
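To make the SQL case concrete, here is an added example (my own code, not from the blog or from OWASP) that puts the vulnerable pattern next to the fix. It uses Python's built-in sqlite3 module with a constructed two-row users table; the only difference between the two lookup functions is whether the user-supplied name is pasted into the SQL text or passed as a bound parameter.

```python
import sqlite3

# Constructed sample data for the demo; not from any real application.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the user-supplied name is concatenated into the SQL text,
    so quote characters in the input change the structure of the query."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Fixed: the query text is constant and the name travels as a bound
    parameter, so whatever the input contains is compared as data, never
    parsed as SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both lookups with a normal name and with the textbook tautology
    input, and return the rows each one produced."""
    conn = make_db()
    tautology = "' OR '1'='1"  # turns the WHERE clause of the unsafe query into 'always true'
    return {
        "unsafe_normal": find_user_unsafe(conn, "alice"),
        "unsafe_tautology": find_user_unsafe(conn, tautology),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_tautology": find_user_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18s} -> {rows}")
```

The unsafe function returns every row for the tautology input because the input became part of the query grammar; the parameterised function returns nothing, because no user is literally named `' OR '1'='1`. The same rule (keep the statement constant, bind the data) is the fix for the LDAP, XPath and OS-command variants the paragraph lists.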


2.  Broken Authentication and Session Management
Developers often build their own authentication and session management schemes, but building them correctly is difficult, and as a result these custom schemes have flaws in them.
Major flaws can be found in areas such as “logout”, “password management”, “remember me”, “timeouts”, “secret questions”, “account update”, etc. These flaws can even be exploited using XSS, which is the next item in the OWASP Top 10.
https://www.owasp.org/index.php/Top_10_2013-Broken_Authentication_and_Session_Management


3.  Cross Site Scripting (XSS)
XSS is considered a serious flaw and is numbered third in the OWASP Top 10 list; it was formerly at second rank.
XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content.
There are three main types of XSS.
-Stored XSS (also called Persistent XSS).
-Reflected XSS.
-DOM based XSS.
https://www.owasp.org/index.php/Top_10_2013-Cross-Site_Scripting_(XSS)
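The defining phrase above is "without properly validating or escaping that content". The following added example (my own, not from the blog) shows a stored comment rendered into HTML twice: once by plain concatenation and once with output encoding chosen for the context the data lands in. The sample comment and author name are constructed to contain markup, as a stored-XSS test would leave behind in a database. It uses only the Python standard library.

```python
import html
import json

# Constructed sample inputs standing in for values read back from a database.
SAMPLE_COMMENT = '<img src=x onerror="alert(1)"> nice post'
SAMPLE_NAME = 'Bob" onmouseover="alert(2)'


def render_comment_unsafe(name, comment):
    """Vulnerable: stored user data is concatenated into the page exactly as it
    was saved, so markup in the data becomes markup in the page (stored XSS)."""
    return f'<p data-author="{name}">{comment}</p>'


def render_comment_safe(name, comment):
    """Fixed: encode for the HTML context the data lands in. html.escape with
    quote=True covers both element text and a double-quoted attribute value."""
    safe_name = html.escape(name, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return f'<p data-author="{safe_name}">{safe_comment}</p>'


def embed_in_script_safe(value):
    """Different context, different encoder: inside <script> the value is
    JSON-encoded and '<' is additionally escaped so a value containing
    '</script>' cannot terminate the script block early."""
    encoded = json.dumps(value).replace("<", "\\u003c")
    return "var userValue = " + encoded + ";"


def demo():
    """Render the constructed sample both ways and return the results."""
    return {
        "unsafe": render_comment_unsafe(SAMPLE_NAME, SAMPLE_COMMENT),
        "safe": render_comment_safe(SAMPLE_NAME, SAMPLE_COMMENT),
        "script": embed_in_script_safe("</script><script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print(f"{label}: {out}")
```

In the safe rendering the only angle brackets left are the template's own `<p>` and `</p>`; the attribute value can no longer break out of its quotes, and the script-context helper never emits a literal `</script>`. Validation on input is a useful second layer, but the encoding step at output is what the paragraph's definition actually requires.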


4. Insecure Direct Object References.
Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify that the user is authorized for the target object. This results in an insecure direct object reference flaw.
https://www.owasp.org/index.php/Top_10_2013-Insecure_Direct_Object_References


5.  Security Misconfigurations.
Security misconfiguration can occur at any level of the application stack, including the platform, web server, application server, framework and custom code.
Occasionally this flaw leads to complete system compromise.
https://www.owasp.org/index.php/Top_10_2013-Security_Misconfiguration


6.  Sensitive Data Exposure.
The name itself explains this attack. Sensitive data of clients and of the company can be exposed; it may consist of login credentials as well as credit card numbers.
This attack may be performed by any individual who has access to the sensitive data or to a backup of that data. The attacker may also exploit this vulnerability if the encryption is weak.
An external attacker may have trouble performing this attack due to limited access.
https://www.owasp.org/index.php/Top_10_2013-Sensitive_Data_Exposure


7.  Missing function level Access Control
Applications do not always protect their functions properly, and this becomes an attack vector.
Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.
https://www.owasp.org/index.php/Top_10_2013-Missing_Function_Level_Access_Control
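Items 4 and 7 are the same failure at two levels: the server looks up an object by a client-supplied key without checking that the caller may see it (A4), or exposes a function without checking that the caller may run it (A7). The added example below (my own code, not from the blog or OWASP) shows both checks against a constructed in-memory document store: an object-level ownership check on the read path, and a role check applied by a decorator to the administrative delete function so that it is enforced on every call rather than by hiding the link in the UI.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the caller is not authorised for the object or function."""


# Constructed sample records; the numeric id is all the client ever sends.
DOCUMENTS = {
    101: {"owner_id": 1, "title": "alice's invoice"},
    102: {"owner_id": 2, "title": "bob's invoice"},
}


def get_document_unsafe(documents, doc_id):
    """A4, vulnerable: the record is returned to whoever supplies its id, so
    changing 101 to 102 in the URL reads another user's invoice."""
    return documents[doc_id]


def get_document_safe(documents, current_user, doc_id):
    """A4, fixed: same lookup, but the record is released only to its owner or
    to an admin. The check sits on the server, next to the data access."""
    doc = documents.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    if doc["owner_id"] != current_user.user_id and current_user.role != "admin":
        raise Forbidden(f"user {current_user.user_id} may not read document {doc_id}")
    return doc


def requires_role(role):
    """A7: enforce the role on every call to the decorated function. Hiding
    the admin link in the UI is not a control; the URL is still reachable."""
    def decorator(func):
        @wraps(func)
        def wrapper(current_user, *args, **kwargs):
            if current_user.role != role:
                raise Forbidden(f"{func.__name__} requires role {role!r}")
            return func(current_user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def delete_document(current_user, documents, doc_id):
    """Administrative function; the decorator rejects non-admin callers
    before this body runs."""
    return documents.pop(doc_id)["title"]


def attempt(func, *args):
    """Run one access and report the outcome as a string, for the demo and tests."""
    try:
        func(*args)
        return "allowed"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    alice, bob, admin = User(1, "user"), User(2, "user"), User(3, "admin")
    print("alice reads 102 (unsafe):", get_document_unsafe(DOCUMENTS, 102)["title"])
    print("alice reads 102 (safe):  ", attempt(get_document_safe, DOCUMENTS, alice, 102))
    print("bob deletes 102:         ", attempt(delete_document, bob, dict(DOCUMENTS), 102))
    print("admin deletes 102:       ", attempt(delete_document, admin, dict(DOCUMENTS), 102))
```

The point of `requires_role` is that the authorization decision is attached to the function itself, so every route, API or background job that calls `delete_document` gets the same check; per-page checks scattered through templates are where the "missing" in A7 usually comes from.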


8. Cross Site Request Forgery ( CSRF )
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is an administrator account, this can compromise the entire web application.
https://www.owasp.org/index.php/Top_10_2013-Cross-Site_Request_Forgery_(CSRF)
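The reason a forged request works is that the browser attaches the session cookie automatically, so the server cannot tell a form submitted from its own page from one submitted by another site. The standard fix is a token that the attacker's page cannot read. The added example below (my own, not from the blog or OWASP) implements a synchronizer token derived per session with HMAC, and runs a constructed legitimate request and a constructed forged request through the same handler with and without the check. The request dicts and the server secret are stand-ins for what a web framework and its configuration would provide.

```python
import hashlib
import hmac
import secrets

# Assumption: a random secret loaded from server configuration; this value is
# constructed for the demo only.
SERVER_SECRET = b"replace-me-with-a-random-secret-from-config"


def issue_csrf_token(session_id):
    """Derive a per-session token as HMAC(secret, session id). The server does
    not need to store it, and a token from one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, submitted_token):
    """Recompute the expected token and compare in constant time."""
    if submitted_token is None:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted_token)


def handle_transfer(request, require_token=True):
    """Handle a state-changing POST. 'request' is a constructed dict standing in
    for what a framework hands the view: cookies and form fields."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return (401, "not logged in")
    if require_token and not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return (403, "missing or invalid CSRF token")
    return (200, f"transferred {request['form']['amount']} to {request['form']['to']}")


def demo():
    """Run a legitimate and a forged submission through the handler."""
    session = secrets.token_hex(16)
    token = issue_csrf_token(session)
    # Legitimate: the page embedded the token in the form, and the browser sends the cookie.
    legit = {"cookies": {"session": session},
             "form": {"amount": "10", "to": "alice", "csrf_token": token}}
    # Forged: another origin makes the victim's browser POST. The cookie rides
    # along automatically, but that page cannot read the token to include it.
    forged = {"cookies": {"session": session},
              "form": {"amount": "999", "to": "mallory"}}
    return {
        "legit": handle_transfer(legit),
        "forged_without_check": handle_transfer(forged, require_token=False),
        "forged_with_check": handle_transfer(forged),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22s} -> {result}")
```

Without the check the forged transfer succeeds with status 200 because the cookie alone authenticates it; with the check it is refused. The token must be tied to the session (here via the HMAC input) so that an attacker cannot obtain a valid token from their own session and reuse it against the victim's.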


9. Using Components with known vulnerabilities.
Most of the time vulnerabilities get patched, but a few components, say for example a particular router or a particular framework, still contain vulnerabilities. Developers are not aware of the vulnerabilities in the components they are using. As a result, the vulnerable component is exposed to the outside world and this increases the risk for that web application.
https://www.owasp.org/index.php/Top_10_2013-Using_Components_with_Known_Vulnerabilities


10. Unvalidated Redirects and Forwards.
Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.
https://www.owasp.org/index.php/Top_10_2013-Unvalidated_Redirects_and_Forwards
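The fix for an unvalidated redirect is to decide on the server which destinations are acceptable before copying the parameter into the Location header. The added example below (my own, not from the blog or OWASP) validates a `next` parameter with Python's urllib.parse: it accepts local paths and absolute URLs to an assumed allow-list of the site's own hostnames, and falls back to a default for everything else, including the scheme-relative and backslash forms that a naive "does it start with a slash" check lets through.

```python
from urllib.parse import urlsplit

# Assumption: the application's own hostnames, normally read from configuration.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def redirect_target_unsafe(next_param):
    """Vulnerable: whatever the parameter says becomes the Location header."""
    return next_param


def redirect_target_safe(next_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect destination the application is willing to send the
    user to, or the default when the parameter is absent or untrusted."""
    if not next_param:
        return default
    # Browsers treat '/\evil.example' like '//evil.example'; urlsplit does not,
    # so normalise backslashes before parsing.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, and friends
    if parts.netloc:
        # Absolute or scheme-relative URL: only our own hosts are acceptable.
        # parts.hostname strips any userinfo, so 'example.com@evil.example'
        # is compared as 'evil.example'.
        if parts.hostname not in allowed_hosts:
            return default
        return candidate
    # No authority: accept only a path that starts with a single slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed parameter values covering the shapes a checker has to handle.
    samples = ["/dashboard", "https://www.example.com/account", "//evil.example/x",
               "https://evil.example/", "/\\evil.example", "javascript:alert(1)",
               "https://example.com@evil.example/", "http:evil.example", ""]
    for s in samples:
        print(f"{s!r:40s} -> {redirect_target_safe(s)!r}")
```

The check is deliberately conservative: a bare relative path such as `dashboard` is also sent to the default, because the same string could be read as a host by other parsers. Where the application only ever needs to return users to its own pages, dropping the host allow-list and accepting nothing but local paths is simpler still.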




Saturday, April 27, 2013

DOS vs DDOS | Shivang Desai

Hey guys,

You must surely have seen that sometimes your favorite website is either down or not working properly.
It may be due to a DOS or DDOS attack.
But what basically is a DOS or DDOS attack? Let's check out an abstract introduction which can clear up the basic definition of both types of attack and the difference between them.

DOS basically stands for "Denial-Of-Service". In this attack, the victim website (or you can say, the victim website's server) is flooded with tons of requests, which leaves it so busy that the website cannot handle any more legitimate requests.
The latest DOS attack of 2010 had the capability to send 100 gigabits per second. Well, that's too much.

A DDOS attack's intention is the same as that of a DOS attack, but there are a few differences between them.

DDOS stands for Distributed-Denial-Of-Service. It exhibits the same principle as a DOS attack, but the main difference in a DDOS attack is that the attack takes place from many different sources.


You can say that a DOS attack is a one-to-one relationship and DDOS is many-to-one.
In a DDOS attack, many computers attack the victim at the same time with a massive number of requests, which leaves the victim helpless.

The computers behind a DDOS attack are distributed over the globe and could be anywhere.
These computers basically become part of something called a botnet.

Hope this short and simple introduction will make you at least aware of what DOS and DDOS are.

Thanks and enjoy the weekend.... :-)

Surf safe....Be Safe...



Friday, April 26, 2013

Chinese Cyber Army | Shivang Desai


Hey folks,
The days of simple hacking are fading and hacking has taken the route of cyber-warfare.
Earlier we used to see news saying that some ‘xyz’ website got hacked or was defaced by some ‘abc’ hacker.
No matter, this is still the scenario, but now governments have also started taking part in hacking and this has given rise to cyber-warfare.

China’s Cyber Army
Nowadays China is drastically growing in fishy hacking stuff.
The Indian govt. faced an attack recently. The attack vector was a simple email which was received by senior govt. officials. As soon as they clicked the email, the data that resided in the computer’s ‘C:/ProgramFiles’ was sent somewhere.
After deep research by Rahul Sasi and his team (Garage for hackers), presented at nullcon, it was found that the command and control centre of this malware was located in China.

This was the first scenario, and the second reason that forced me to write this blog is the penetration of the Chinese Army into India. They penetrated 10 km inside the Indian boundary and the Chinese govt. denies it…. Oh C’mon man! Grow up.

Looking at these scenarios, I thought to write a blog on the Chinese Cyber-Army.
Unlike the US, China keeps its cyber activities secret.

The first question that would come to mind is “what is the Chinese Cyber Army”?
It’s simple. It could be termed a group of hackers in China who basically perform cyber-espionage.
The fact is that China is itself involved in it, but denies this and states that it is totally unaware of these groups.

Let China deny it, but at the same time there is some de-facto data which can prove that China is involved in cyber-espionage.

Have you ever heard of the “PLA”? It stands for People’s Liberation Army.
The PLA is the world's largest military force, with a strength of approximately 2,250,000 personnel.
The PLA comprises five main service branches, consisting of:
PLA Ground Force, 
PLA Navy (PLAN), 
PLA Air Force (PLAAF), 
Second Artillery Corps (strategic missile force), and
the PLA Reserve Force.




Yeah, you guessed correctly. This white building is the image of the 12-storey headquarters of the PLA. It’s also considered to be Unit 61398.

According to strong proofs from American intelligence, it has been proved that 90% of the attacks on U.S. organizations, corporations and government agencies originate in and around this white building.
The detailed report (http://intelreport.mandiant.com/) provided by the well-known information security firm Mandiant talks about Chinese hacking groups named “Comment Crew” and “Shanghai Group”. The firm was not able to place the hackers inside the 12-storey building, but makes the case that there is no other plausible explanation for why so many attacks come out of one comparatively small area.
Kevin Mandia, the founder and chief executive of Mandiant, says that “Either the attacks are coming from the Unit 61398 or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
Other security firms also tracked the “Comment Crew” and reached the conclusion that this group was state-sponsored.
When this report was officially published in the New York Times, the officials at the Chinese embassy in Washington again insisted that their government does not engage in computer hacking, and that such activity is illegal. LOL..

You must be thinking how someone can directly point at a country and say that it is directly involved in cybercriminal activities. But let me tell you that this is not the first time that China has shown its smartness.
Let’s see some examples:

Larry Wu-Tai Chin
Chin worked in the U.S. intelligence community for close to 35 years, all the while providing the PRC (People’s Republic of China) with sensitive classified information. Chin was recruited as a spy by a Chinese Communist official in 1948, while he was employed as an interpreter at the U.S. Consulate in Shanghai.

Peter Lee
Lee was a Chinese-born physicist who worked at the Los Alamos nuclear weapons laboratory, and later for TRW, a major California defense contractor. Lee pleaded guilty to lying on security clearance forms, and to passing classified national defense information to Chinese scientists on business trips to Beijing.

Chi Mak

Chi Mak is a Chinese-born engineer who worked for L-3 Communications, a California-based defense contractor. Chi worked as a support engineer on Navy quiet drive propulsion technology. According to recovered documents, Chi was instructed by his Chinese contacts to join "more professional associations and participate in more seminars with 'special subject matters' and to compile special conference materials on disk".
There are many such examples which clearly state that it’s better to be aware of China. http://en.wikipedia.org/wiki/Chinese_intelligence_operations_in_the_United_States

Despite much evidence, it is still hard to prove the exact meaning of the Chinese Cyber Army. It can’t be said for certain that China is involved in it, but I will be waiting for the same to be proved.
That’s all for today, but I will be posting more evidence on the Chinese Cyber Army.

Wednesday, September 12, 2012

Want to know who's watching you on internet ??


Hey guys out there, it’s been a long time; I am back to write a blog.

I was just (and still am) stuck with some college and placement issues....... Aah, problems are always going to follow you. Just chill and make a way out.

To get out of stress and tension, I thought to surf the net and do a little bit of timepass.
 
The word “net” means the great “INTERNET”, which I consider a different world, very much similar to the world in which we live. I like to call the internet world the Cyber-World.

Now coming back to the topic, I want to directly focus on the main intention of this blog.
I want to start with a small introduction to a real-world problem.

In the real world, if someone (a stranger) is following you or keeping a watch on you, then “HOW” would you be able to know??

The answer is straightforward: you can identify them easily as they have to be around you.




Now let’s take this problem into the Cyber-World (the world of the internet) and ask yourself the same question: “If someone is following you or keeping a watch on you, then “HOW” would you be able to know?”
I guess your faces would be like these…..hahaha... I don't know about you, but my reaction at first was the same as these kids...... ;-)


Well, there are different ways to solve this issue and I will show you one of them.

You will need following.
    1)      A computer or laptop…….:-D
    2)      An internet connection. 
    3)      Mozilla Firefox.

Open the “FIREFOX” browser, open "google.com" and type “collusion add on” in the search bar.



Click on the first link as shown above and you will get something like what is shown below..



Just click on “Add to Firefox” and it will get installed. (YOU SHOULD BE IN FIREFOX and NOT IN ANY OTHER BROWSER like CHROME or INTERNET EXPLORER)

Now after installing it in your Firefox browser, you will get a small icon at the bottom right of your browser as shown below..


This add-on's name is “Collusion”.
It helps you to know who is keeping an eye on you and your data when you are online (surfing the net).

There are many websites, some legal and some illegal, which keep track of your data and keep tracking your activities.

The “Collusion add-on” will show you who is tracking your activities and who is keeping watch on your data…

I will try to explain this add-on on the basis of my usage of “Collusion”.

For clarity, here’s an activity screenshot from my laptop.



The highlighted circles show the websites that you actually visited.
The grey circles represent the sites that you have not visited.
The lines between circles show the cookies and other data that is passed between them.

When you click on one of these circles, the add-on will show you the information related to that site.

Look at the image above………
I have visited just 7 to 8 websites and the number of websites that started tracking my data is more than 20……What the heck!!!! Aren’t you shocked….?
Why would you be shocked, as these websites are actually tracking my data….  :-D :-D

But my dear buddies….Right now you are reading this blog, which means you are on the internet, so someone must have already started watching you…..Be aware....!!


That's all for this time.... Will be back soon with something that needs to be shared.
......Bye....


Surf Safe.....Be Safe.

Wednesday, June 13, 2012

A complicated malware named "FLAME"

Hey pals,
How are you all?
I am fine and happy with vacations which are soon going to end.


Recently, when I was surfing on topics related to cyber-war and cyber-attacks, I came across a very important and threatening topic related to "malware".


In olden days wars were large and needed a huge army.



Now the day is not far away when cyber-wars are going to start; actually, the next pic shows that it has already started.
This view is of the Pentagon.

Future wars will definitely be held with cyber-attacks.
My next blog will explain how a cyber attack can bring down a complete nation.

For now I want to discuss a step that was taken against cyber-security.


A complicated malware was discovered whose name is "Flame".


This malware had been active for the last 2 years (maybe more; an exact estimate is not yet available to anyone).

FLAME


By looking at this photo, don't assume that this malware has the capability to burn your system to ashes. :-D
It can cause more damage than you can think of.

Till date it was believed that "Stuxnet" was the most complicated and harmful malware. I can't explain everything about Stuxnet here as it would be too long; for more information on Stuxnet, visit http://en.wikipedia.org/wiki/Stuxnet .

"Flame" was so well coded and designed that even the professionals were not able to detect its presence, but recently, due to some flaws, it was detected, and they say that it may take even a complete year to understand this malware in depth.

The approximate size of "Flame" was 20 to 22 MB and trust me, a malware of such size is considered pretty large in cyber-security terms.

It is believed that the Swiss Army is behind this malware, but recent surveys and predictions revealed that "Flame" may be a U.S. or Israeli creation.

Malware analysts at the security firm Bitdefender say they’ve found a unique capability within Flame’s code that would potentially allow it to steal data even from computers that aren’t connected to the Internet or to other networked machines. Instead of simply uploading stolen data to a remote server as traditional spyware does, Flame can also move the target information–along with a copy of itself–onto a USB memory stick plugged into an infected machine, wait for an unwitting user to plug that storage device into an Internet-connected PC, infect the networked machine, copy the target data from the USB drive to the networked computer and finally siphon it to a faraway server.

Spreading itself over an infected USB device is hardly a new trick for malware. But Bitdefender’s researchers say they’ve never before seen a cyberespionage program that can also move its stolen digital booty onto the USB stick of an oblivious user and patiently wait for the opportunity to upload it to the malware’s controllers.


“It turns users into data mules,” says Bitdefender senior malware analyst Bogdan Botezatu. “Chances are, at some point, a user with an infected flash drive will plug it into a secure computer in a contained environment, and Flame will carry the target’s information from the protected environment to the outside world…It uses its ability to infect to ensure an escape route for the data. This is somewhat revolutionary for a piece of malware.”


Flame was designed to use the same .lnk autorun vulnerability first exploited by the NSA-built Stuxnet malware to invisibly install itself on USB devices. To hide its trove of stolen data on the user’s device, Flame copies both itself and its data to a folder labelled with a single “.” symbol, which Windows fails to interpret as a folder name and thus renders as invisible to the user.

Regardless, Botezatu says Flame’s USB-piggybacking trick fits with its profile as a highly sophisticated spying tool meant to steal a target’s most protected secrets–not just another cybercriminal keylogger designed to catch credit card numbers. “Most of the infrastructure it targets is highly contained, often without Internet access,” says Botezatu. “It’s natural for Flame to have a mechanism for moving data from one environment to another that doesn’t rely on Internet or network communications.”
Flame’s USB data-smuggling is just one of its unique features that have awed researchers. The spyware also used a previously unknown cryptographic attack to spoof a digital certificate that allowed its code to appear to have been created by Microsoft. That innovation is estimated to have required cutting-edge mathematics as well as the equivalent of $200,000 worth of computing power based on renting processor time from Amazon.

Kaspersky researcher Roel Schouwenberg suggests that Flame, which predates Stuxnet, may have been designed to “kick-start” the Stuxnet operation, performing reconnaissance on the target systems to prepare for Stuxnet’s physical attack.

Finally, from the survey, the following figure shows the overall effects of "Flame".

The day is not far away when nations will wage war with the help of computers and networks.

The question is not whether such cyber-wars will occur; the question is when such cyber-wars will occur ? ? ?

Have a good day..
Surf safe and be Cyber-Safe....
---------------------------------------------------------------------------------------------