kentuckiana-issa-2012-conference-presentation-nowasp ... - FTP

greenpepperwhinny (Security)

3 Nov 2013 (3 years and 7 months ago)

NOWASP Mutillidae 2.3.x

An open-source web pen-testing environment for security training, practice, instruction, and you

Jeremy Druin
Information Security Specialist, GSEC, GPEN, GWAPT
Twitter: @webpwnized

Agenda

- What is NOWASP Mutillidae?
- Where is NOWASP Mutillidae used?
- Where can I get NOWASP Mutillidae?
- How do I install NOWASP Mutillidae?
- How do I set NOWASP Mutillidae up?
- How do I use NOWASP Mutillidae?
- Demonstration
- Publications
- Where do I receive updates on videos and new releases?

What is NOWASP Mutillidae?

- Actually vulnerable (user not asked to enter a “magic” statement)
- Free
- Deliberately vulnerable web application
- Open source
- Did I say free?

Vulnerabilities

- SQL Injection
- Cross site scripting
- O/S Command injection
- JSON injection
- HTML injection
- JavaScript injection
- DOM injection
- Cascading style sheet injection
- Log injection
- Reflected Cross Site Scripting via GET, POST, Cookies, and HTTP Headers
- Stored Cross Site Scripting
- Cross Site Request Forgery
- Authentication Bypass via SQL injection
- Privilege Escalation via Cookie Injection
- Unencrypted database credentials
- Directory Browsing
- JavaScript validation bypass
- Application Exception
- Un-validated Redirects and Forwards
- Phishing
- Click-jacking
- CBC bit flipping (latest)
- Brute force “secret admin pages”
- PHP server configuration disclosure
- Application path disclosure
- Platform path disclosure
- Information disclosure via HTML comments
- robots.txt information disclosure
- Parameter addition
- HTTP Parameter Pollution
- Buffer overflow
- Denial of Service
- Loading of any arbitrary file
- Method Tampering
- Forms caching

It turns out it is scary easy to write horrible code…

* Documentation of vulnerabilities on Sourceforge

Features: Two Levels of Hints

- Hints are provided in “Hint Level 1” and “Hint Level 2”
- Automatically disabled in “Security Level 5” (unless you hack it)
- “Hint Level 2” contains tutorial-style hints for the most popular topics

(Screenshot: Level 2 Hints)

Features: 3 Security Levels

- By default (Security Level 0), the system does not apply security controls
- In Security Level 1, JavaScript validation is applied and the “Show Hints” button is removed from the menu bar. Note: hints can be re-enabled by exploiting a vulnerability
- In Security Level 5, the system will execute a different set of PHP scripts attempting to protect the site

(Screenshots: SQL Injection attempted on the login page at Security Level 0, Security Level 1, and Security Level 5)
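To make the difference between the levels concrete, here is an added illustration of a login lookup that switches behaviour the way the slides describe; it is not Mutillidae's own code. It assumes a PDO connection `$db`, an `accounts` table with `username`, `password` and `is_admin` columns, and a `$securityLevel` value standing in for the application's security-level setting.

```php
<?php
// Added illustration, not Mutillidae's own code. Assumed: a PDO connection
// $db, an "accounts" table (username, password, is_admin), and
// $securityLevel standing in for the application's security-level setting.
// Password hashing is omitted to keep the focus on how the query is built.

function findAccount(PDO $db, int $securityLevel, string $username, string $password): ?array
{
    if ($securityLevel < 5) {
        // Levels 0 and 1: no server-side controls. Level 1 only adds
        // JavaScript validation in the browser, which the server cannot
        // rely on: the request can be sent without that script running.
        // Untrusted input is concatenated straight into the query, so the
        // SQL structure depends on whatever the client submitted.
        $sql = "SELECT username, is_admin FROM accounts WHERE username='"
             . $username . "' AND password='" . $password . "'";
        $stmt = $db->query($sql);
    } else {
        // Level 5: the protective script path. A prepared statement keeps
        // user input as data, so it can never alter the query structure.
        $stmt = $db->prepare(
            'SELECT username, is_admin FROM accounts WHERE username = :u AND password = :p'
        );
        $stmt->execute([':u' => $username, ':p' => $password]);
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Coarse logging heuristic for the lab: flag login input carrying SQL
// metacharacters or keywords so attempts at levels 0/1 show up in logs.
// It is a detection aid, not a substitute for the prepared statement.
function looksLikeInjectionAttempt(string $input): bool
{
    return (bool) preg_match('/[\'";]|--|\/\*|\bOR\b|\bUNION\b/i', $input);
}
```

Running the same legitimate credentials at level 0 and level 5 should return the same row; the two paths diverge only when the submitted input changes the query structure, which is exactly what the level-5 path prevents.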

Features: Self-adjusting “Bubble” Hints

- “Bubble” Hints pop up when the cursor hovers over some vulnerable areas
- “Bubble” Hints automatically change with Hint Level

(Screenshots: “username” field on the View Details page at Hint Level 0, Hint Level 1, and Hint Level 2)

Features: Enforce SSL

- “Enforce SSL” feature added to allow practicing SSL attacks such as the use of SSLStrip
- Note: SSL encryption itself is provided by the Apache server

Features: Capture Data

- A data capture page is provided
- Hint: In CTF, get Admins to visit
- Captured data is stored to the database and a local file

(Screenshot: previously captured record)

Features: Automated Database Setup / Error Detection

- System will automatically create database, tables, views, and procedures plus supply “startup” data (i.e. accounts, cc table, etc.)

(Screenshot: truncated view of the automated database setup after clicking the “Setup DB” button)

Features: Automated Recovery

- Clicking “Reset DB” will restore the system and re-populate database tables
- Pull the rip cord and start over


Use Cases

- Practice Web Pen-Testing
  - Pages specifically designed to practice SANS SEC-542 exercises, W3AF, sqlmap, Grendel-Scan, Cenzic Hailstorm, Rat Proxy, BeEF, many more tools…
  - … and most important: manual testing
- Corporate Internal/External Training
  - SANS SEC-542 (Instructor: Tim “LanMaster53” Tomes)
  - Some big companies
- University Labs/Instruction
- Evaluate Web Application Vulnerability Scanners
  - “Our scanner is obviously the best. Just look how expensive it is!”
  - “Perhaps. Let’s measure…”
- Web App Sec Demonstrations
  - OWASP, ISSA, etc.
- Capture the Flag
- Lolz

Where can I get NOWASP Mutillidae?

- Download: Sourceforge
  http://sourceforge.net/projects/mutillidae/files/
- Preinstalled
  - SamuraiWTF 2.0
    http://samurai.inguardians.com/
  - Metasploitable-2
    https://community.rapid7.com/docs/DOC-1875
  - OWASP Broken Web Apps (BWA)
    https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

How do I install NOWASP Mutillidae?

- Easy to install on Linux or Windows
- Can be virtualized on VirtualBox and VMware
- Linux
  - LAMP, Samurai WTF
  - How to upgrade to latest Mutillidae on Samurai WTF 2
    http://www.youtube.com/watch?v=obOLDQ-66oQ
  - How to install latest Mutillidae on Samurai WTF 2
    http://www.youtube.com/watch?v=y-Cz3YRNc9U
- Windows
  - XAMPP, WAMP
  - Quick start guide to installing Mutillidae on Windows
    http://www.youtube.com/watch?v=1hF0Q6ihvjc

How do I set NOWASP Mutillidae up?

- Set up the database via “Reset DB”.
- Note: Some systems require changing a line in php.ini (instructions provided)

How do I use NOWASP Mutillidae?

- Instructional Videos: webpwnized YouTube channel
  http://www.youtube.com/user/webpwnized
  - Currently approximately 50 videos related to web pen testing
  - ~85 videos overall
- The menu orders vulnerabilities by OWASP 2010 category, then by type
- Besides “Hints” and “Bubble Hints” there is a file with 1,000+ lines of pre-tested hacks against various pages
  File: <installation directory>/mutillidae/documentation/mutillidae-test-scripts.txt


Where do I receive updates on instructional videos and new releases?

- New instructional video postings (YouTube)
- New releases of NOWASP Mutillidae
- Twitter: @webpwnized
  URL: http://en.twitter.com/webpwnized

References

- Vulnerability Documentation
  http://iweb.dl.sourceforge.net/project/mutillidae/documentation/listing-of-vulnerabilities-in-mutillidae.txt
- Download
  http://sourceforge.net/projects/mutillidae/files/
- Preinstalled: SamuraiWTF 2.0
  http://samurai.inguardians.com/
- Preinstalled: Metasploitable-2
  https://community.rapid7.com/docs/DOC-1875
- Preinstalled: OWASP Broken Web Apps (BWA)
  https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
- How to upgrade to latest Mutillidae on Samurai WTF 2
  http://www.youtube.com/watch?v=obOLDQ-66oQ
- How to install latest Mutillidae on Samurai WTF 2
  http://www.youtube.com/watch?v=y-Cz3YRNc9U
- Quick start guide to installing Mutillidae on Windows
  http://www.youtube.com/watch?v=1hF0Q6ihvjc
- Instructional Videos: YouTube webpwnized channel
  http://www.youtube.com/user/webpwnized
- New releases of NOWASP Mutillidae
  Twitter: @webpwnized
  URL: http://en.twitter.com/webpwnized