OTG-RECON
OWASP Thailand Chapter (September 2015)
$whoami
>>> import speaker
>>> print(fullname)
Sedthakit Prasanphanich
>>> print(hobby)
[‘IT-Sec’, ‘Basketball’, ‘Reading’, ‘Games’, ‘Anime’]
>>> print(OWASP_role)
Thailand Chapter Manager (General Butler)
>>> print(work)
Web Security Engineer
Disclaimer
• This presentation assumes that you have at least a tiny bit of background in “Information Gathering”.
• If you have no idea what the previous bullet means, please consult Google, Yahoo, Bing, Baidu (I’m not joking), …
• If you don’t understand any jargon or gibberish word, please ask me what it is!
• This presentation is not a bible. If you need more info, read the OWASP Testing Guide!
• If you find any errata or have any suggestions, please subscribe to the mailing list (https://www.owasp.org/index.php/OWASP_Testing_Project#tab=Feedback_and_Participation)
Agenda
• Small talk about Breakers, Security Testers, or Hackers.
• OTG 101
• OTG-INFO-x WHERE x >= 0 && x <=10;
#define hacker
–Gehring, Verna (2004). The Internet In Public Life. Maryland: Rowman & Littlefield Publishers. pp. 43–56.
“a person who enjoys the intellectual challenge of creatively overcoming and circumventing limitations of systems to achieve novel and clever outcomes.”
–Richard M. Stallman, 2002, and 2000 respectively
“It means someone who enjoys playful cleverness, especially in programming but other media are also possible.”
“hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have "hack value".”
#import OTG 101
What is Web Application Security Testing?
• a method of evaluating the security of a web application by methodically validating and verifying the effectiveness of application security controls.
What is a Test?
• A test is an action to demonstrate that an application meets the security requirements of its stakeholders.
The Approach in Writing this Guide
• Open: every security expert can participate with his or her experience in the project. Everything is free.
• Collaborative: brainstorming is performed before the articles are written so the team can share ideas and develop a collective vision of the project. That means rough consensus, a wider audience and increased participation.
goto: Recon
Why is information gathering so important?
• All possible information is gathered about the target
• Very few footprints are generally left by the attacker
–Sun Tzu
“Every battle is won before it is fought”
>>> i = 1
>>> while i < 11:
...     if i == 10:
...         print("OTG-INFO-010")
...     else:
...         print("OTG-INFO-" + "00" + str(i))
...     i += 1
Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
OTG-INFO-001
• To understand what sensitive design and configuration information of the application/system/organization is exposed, either directly (on the organization’s website) or indirectly (on a third party website).
HOW TO TEST?
• Use a search engine to search for:
• Network diagrams and configurations
• Archived posts and emails by administrators and other key staff
• Log on procedures and username formats
• Usernames and passwords
• Error message content
• Development, test, UAT and staging versions of the website
Search Operators
gotta know ’em all
Ref: http://www.googleguide.com/advanced_operators_reference.html
Search Engines
• Baidu
• binsearch.info
• Bing
• Duck Duck Go
• ixquick/Startpage
• Google
• Shodan
• PunkSpider
• Yahoo
• Yandex
• etc.
Example
intitle:"index of"
Want to practice some
searching?
goto: http://www.agoogleaday.com/
Another Example
Lazy?
GHDB
The Google Hacking Database is a list of useful search queries for Google. Queries are put in several categories:
• Footholds
• Files containing usernames
• Sensitive Directories
• Web Server Detection
• Vulnerable Files
• Vulnerable Servers
• Error Messages
• Files containing juicy info
• Files containing passwords
• Sensitive Online Shopping Info
print(Remediation)
• Carefully consider the sensitivity of design and configuration information before it is posted online.
• Periodically review the sensitivity of existing design and configuration information that is posted online.
Fingerprint Web Server (OTG-INFO-002)
OTG-INFO-002
• Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.
• Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits to use during testing
How to Test
$ nc 202.41.76.251 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 16 Jun 2003 02:53:29 GMT
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
ETag: “1813-49b-361b4df6”
Accept-Ranges: bytes
Content-Length: 1179
Connection: close
Content-Type: text/html
How about this?
HTTP/1.1 403 Forbidden
Date: Mon, 16 Jun 2003 02:41:27 GMT
Server: Unknown-Webserver/1.0
Connection: close
Content-Type: text/HTML; charset=iso-8859-1
Protocol Behaviour
• HTTP HEADER FIELD ORDERING
• MALFORMED REQUEST TEST
HTTP HEADER FIELD ORDERING
• The first method consists of observing the ordering of the several headers in the response. Every web server has an inner ordering of the header. Consider the following answers as an example:
Comparison
Response from Apache 1.3.23
$ nc apache.example.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: 32417-c4-3e5d8a83
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/HTML
Response from IIS 5.0
$ nc iis.example.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/Default.htm
Date: Fri, 01 Jan 1999 20:13:52 GMT
Content-Type: text/HTML
Accept-Ranges: bytes
Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT
ETag: W/e0d362a4c335be1:ae1
Content-Length: 133
Malformed requests test
• Another useful test to execute involves sending malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.
MALFORMED REQUEST TEST
Response from Apache 1.3.23
$ nc apache.example.com 80
GET / JUNK/1.0

HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17:47 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: 32417-c4-3e5d8a83
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/HTML
Response from IIS 5.0
$ nc iis.example.com 80
GET / JUNK/1.0

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 01 Jan 1999 20:14:34 GMT
Content-Type: text/HTML
Content-Length: 87
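Added example (not from the slides or the OWASP guide): a small Python script that applies the two protocol-behaviour checks above, header ordering and the malformed-request response, to raw responses. The signature table holds only the Apache 1.3.23 and IIS 5.0 orders shown on the slides, and the sample responses are constructed, with the Server banner obfuscated to show that the ordering still gives the server away.

```python
# Added example (not from the slides): fingerprint a web server from the
# ORDER of its response headers (OTG-INFO-002, "HTTP header field ordering")
# and from how it answers a malformed request line ("GET / JUNK/1.0").
# The two signature orders below are copied from the Apache 1.3.23 and
# IIS 5.0 responses shown on the slides; the raw responses are constructed
# sample input embedded here so the script runs offline.

# Header names in the order each server emitted them in the slide examples.
HEADER_ORDER_SIGNATURES = {
    "Apache/1.3.x": ["Date", "Server", "Last-Modified", "ETag", "Accept-Ranges",
                     "Content-Length", "Connection", "Content-Type"],
    "IIS/5.0": ["Server", "Content-Location", "Date", "Content-Type",
                "Accept-Ranges", "Last-Modified", "ETag", "Content-Length"],
}

# Status each server returned for "GET / JUNK/1.0" on the slides.
MALFORMED_BEHAVIOUR = {
    "Apache/1.3.x": 200,   # served the page anyway
    "IIS/5.0": 400,        # rejected it as Bad Request
}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value), ...]).

    Header order is preserved because it is the signal we want.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_code, headers


def order_similarity(observed, expected):
    """Fraction of expected pairwise orderings (A before B) that `observed` honours.

    Comparing relative order rather than exact position keeps the score
    meaningful when a site adds or drops headers (e.g. Content-Location).
    """
    pos = {name: i for i, name in enumerate(observed)}
    present = [h for h in expected if h in pos]
    if len(present) < 2:
        return 0.0
    pairs = agree = 0
    for i in range(len(present)):
        for j in range(i + 1, len(present)):
            pairs += 1
            if pos[present[i]] < pos[present[j]]:
                agree += 1
    return agree / pairs


def guess_server(normal_raw, malformed_raw):
    """Rank candidate servers; returns (best_name, {name: score}).

    The Server: banner is deliberately ignored so the guess still works when
    the banner has been changed, as on the "Unknown-Webserver/1.0" slide.
    """
    _, headers = parse_response(normal_raw)
    observed = [name for name, _ in headers]
    malformed_status, _ = parse_response(malformed_raw)
    scores = {}
    for name, signature in HEADER_ORDER_SIGNATURES.items():
        score = order_similarity(observed, signature)
        if MALFORMED_BEHAVIOUR[name] == malformed_status:
            score += 0.5   # protocol behaviour corroborates the ordering
        scores[name] = round(score, 3)
    return max(scores, key=scores.get), scores


# Constructed sample: the slide's Apache header order, but with the banner
# obfuscated the way the "Unknown-Webserver" slide shows.
SAMPLE_NORMAL = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 15 Jun 2003 17:10:49 GMT\r\n"
    "Server: Unknown-Webserver/1.0\r\n"
    "Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT\r\n"
    "ETag: 32417-c4-3e5d8a83\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 196\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_MALFORMED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 15 Jun 2003 17:17:47 GMT\r\n"
    "Server: Unknown-Webserver/1.0\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    best, scores = guess_server(SAMPLE_NORMAL, SAMPLE_MALFORMED)
    print("best guess:", best, scores)
```

With the constructed sample the Apache signature scores 1.5 (perfect ordering plus matching malformed-request behaviour) against 0.667 for IIS, even though the banner says nothing.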
Can’t remember?
Automated Test
• httprint (way too classic)
• Netcraft
• hmap
• nmap with the ‘-sV’ option
• blindelephant (Version 2 is coming soon)
• Shodan
• etc.
print(Remediation)
• Custom-compile the web server (for #hardcores)
• Protect the presentation layer web server behind a hardened reverse proxy.
• Obfuscate the presentation layer web server headers.
Review Webserver Metafiles for Information Leakage (OTG-INFO-003)
OTG-INFO-003
• This section describes how to test the robots.txt file for information leakage of the web application’s directory or folder path(s).
• The list of directories that are to be avoided by Spiders, Robots, or Crawlers can also be created as a dependency for Map execution paths through application (OTG-INFO-007)
• Information leakage of the web application’s directory or folder path(s).
• Create the list of directories that are to be avoided by Spiders, Robots, or Crawlers
Example of Robots.txt
killer-robot.txt
User-Agent: T-1000
User-Agent: T-800
Disallow: /+LarryPage
Disallow: /+SergeyBrin
Ref: http://www.google.com/killer-robots.txt
Fine, Real robots.txt
from http://www.google.com
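Added example, not part of the deck: a robots.txt parser that groups rules per User-Agent, produces the Disallow list that OTG-INFO-007 can reuse, and flags paths whose names suggest admin, backup or staging areas. The sample file and the keyword list are constructed for illustration.

```python
# Added example (not from the slides): parse a robots.txt the way a tester
# reviews it under OTG-INFO-003, grouping Disallow/Allow rules per
# User-Agent, and flag paths whose names suggest something an operator
# probably did not mean to advertise. The input is a constructed sample;
# the keyword list is an assumption for illustration, not an OWASP list.

SENSITIVE_HINTS = ("admin", "backup", "private", "internal", "config",
                   "test", "staging", "old", ".git", "upload")


def parse_robots(text):
    """Return {user_agent: {"disallow": [...], "allow": [...]}}.

    Follows the grouping convention of robots.txt: one or more User-Agent
    lines open a record, and the Disallow/Allow lines that follow apply to
    every agent named in that record. Comments (#) and blank lines are skipped.
    """
    records = {}
    current_agents = []
    seen_rule = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field = field.strip().lower()
        value = value.strip()
        if field == "user-agent":
            if seen_rule:              # a new record starts after rules
                current_agents = []
                seen_rule = False
            current_agents.append(value)
            records.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow") and current_agents:
            seen_rule = True
            for agent in current_agents:
                if value:              # "Disallow:" with no path means allow all
                    records[agent][field].append(value)
    return records


def disallowed_paths(records):
    """Flat, de-duplicated list of every Disallow path, reusable in OTG-INFO-007."""
    seen = []
    for rules in records.values():
        for path in rules["disallow"]:
            if path not in seen:
                seen.append(path)
    return seen


def flag_sensitive(paths):
    """Paths that hint at admin/backup/test areas; these deserve a manual look."""
    flagged = []
    for path in paths:
        low = path.lower()
        if any(h in low for h in SENSITIVE_HINTS):
            flagged.append(path)
    return flagged


# Constructed sample robots.txt (not a real site's file).
SAMPLE_ROBOTS = """\
# robots.txt for example.com
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /backup_2014.tar.gz

User-agent: Googlebot
User-agent: Bingbot
Disallow: /staging/
Allow: /public/
Disallow:            # empty Disallow: allow everything else
"""

if __name__ == "__main__":
    records = parse_robots(SAMPLE_ROBOTS)
    paths = disallowed_paths(records)
    print("disallowed:", paths)
    print("worth a look:", flag_sensitive(paths))
```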
What else?
Meta tag
• <META> tags are located within the HEAD section of each HTML document and should be consistent across a web site in the likely event that the robot/spider/crawler start point does not begin from a document link other than webroot, i.e. a “deep link”[5].
• Web spiders/robots/crawlers can intentionally ignore the <META NAME="ROBOTS"> tag as the robots.txt file convention is preferred. Hence, <META> tags should not be considered the primary mechanism, rather a complementary control to robots.txt.
Meta Example
Example of Meta tags
Ref: https://anantshri.info/articles/web_app/image002.png
Enumerate Applications on Webserver (OTG-INFO-004)
OTG-INFO-004
A paramount step in testing for web application vulnerabilities is to find out which particular applications are hosted on a web server.
In addition, many applications are often misconfigured or not updated, due to the perception that they are only used “internally” and therefore no threat exists.
TL;DR
• Enumerate the applications within scope that exist on a web server
• Some servers may have more than one application running
HOW TO TEST?
1. Different base URL
2. Non-standard ports
3. Virtual hosts
Base URL
• Take a deep breath, and
• keep typing in the URL bar (address bar for the retro)
• http://www.example.com/url1
• http://www.example.com/url2
• http://www.example.com/url3
not a lucky guy?
How to identify via base URL?
• If the server is misconfigured and allows directory browsing, we can spot them.
• Dictionary searching (Forced Browsing in ZAP)
• Use a vulnerability scanner to help
Non-standard port
• Normally, HTTP and HTTPS use TCP ports 80 and 443 respectively
• But, are you sure?
#nmap #FTW
Ref: https://nmap.org/movies/matrix/trinity-nmapscreen-hd-crop-1200x728.jpg
Virtual Host
–The Three musketeers
“All for one, and one for all.”
$(whereis my_neighbor_host)?
• DNS zone transfer (too classic)
• DNS inverse query (depends on target’s config)
• Robtex
• etc.
#Robtex #Example
Ref: https://www.robtex.com/en/advisory/dns/org/icann/www/
Review webpage comments and metadata for information leakage (OTG-INFO-005)
OTG-INFO-005
It is very common, and even recommended, for programmers to include detailed comments and metadata on their source code. However, comments and metadata included into the HTML code might reveal internal information that should not be available to potential attackers. Comments and metadata review should be done in order to determine if any information is being leaked.
TL;DR again
• Just pay attention to any interesting HTML comment and meta tag
HOW TO TEST
• Check HTML Source code for any comment!
• Examine the Meta tag
#comment #CTF
Ref: http://ctf.infosecinstitute.com/levelone.php
Why meta tag again?
• some help with application profiling
• some alter HTTP response headers, which can be used to conduct injection attacks
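Added example, not part of the deck: a standard-library scanner that does the two checks above (HTML comments, meta tags) and also classifies the ROBOTS and generator meta tags discussed under OTG-INFO-003 and OTG-INFO-008. The sample page and the keyword list are constructed.

```python
# Added example (not from the slides): pull HTML comments and <meta> tags out
# of a page source, the two things OTG-INFO-005 says to review, and classify
# the <META NAME="ROBOTS"> and generator tags mentioned under OTG-INFO-003
# and OTG-INFO-008. Standard library only. The HTML is a constructed sample;
# the keyword list for "interesting" comments is an assumption.
from html.parser import HTMLParser

INTERESTING_WORDS = ("todo", "fixme", "password", "passwd", "debug",
                     "internal", "ip", "admin", "key", "test")


class LeakScanner(HTMLParser):
    """Collects comments and meta tags while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.meta = []       # one {attr: value} dict per <meta> tag

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "meta":
            self.meta.append({k.lower(): (v or "") for k, v in attrs})


def scan_html(html):
    """Return (comments, meta_tags) found in the document."""
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.comments, scanner.meta


def interesting_comments(comments):
    """Comments containing words that often accompany leaked internals."""
    hits = []
    for c in comments:
        words = set(w.strip(":,.()") for w in c.lower().split())
        if words & set(INTERESTING_WORDS):
            hits.append(c)
    return hits


def meta_findings(meta_tags):
    """Sort meta tags into the categories the slides call out."""
    findings = {"generator": [], "robots": [], "http-equiv": []}
    for m in meta_tags:
        name = m.get("name", "").lower()
        if name == "generator":          # framework/CMS disclosure (OTG-INFO-008)
            findings["generator"].append(m.get("content", ""))
        elif name == "robots":           # crawler directive (OTG-INFO-003)
            findings["robots"].append(m.get("content", ""))
        elif "http-equiv" in m:          # alters response headers, per the slide
            findings["http-equiv"].append((m["http-equiv"], m.get("content", "")))
    return findings


# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.3">
<meta name="robots" content="noindex,nofollow">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<!-- TODO: remove debug endpoint /debug/status before go-live -->
<!-- copyright 2015 -->
</head><body>
<!-- internal IP of the db box: 10.0.0.5 (constructed sample) -->
<p>hello</p></body></html>"""

if __name__ == "__main__":
    comments, meta = scan_html(SAMPLE_HTML)
    print("comments worth reading:", interesting_comments(comments))
    print("meta findings:", meta_findings(meta))
```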
Identify application entry points (OTG-INFO-006)
OTG-INFO-006
Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed.
TL;DR again
• Understand how requests are formed and typical
responses from the application
HOW TO TEST?
• Step 0: Understand HTTP Protocol
• Look into the Request and Response
Any tools to intercept?
• any intercepting proxy (Burp, ZAP, Fiddler, etc.)
• Tamper Data (web browser plugin)
• Live HTTP Headers (web browser plugin)
Example
• GET example
GET https://x.x.x.x/shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x
Host: x.x.x.x
Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy
• POST Example
POST https://x.x.x.x/KevinNotSoGoodApp/authenticate.asp?service=login
Host: x.x.x.x
Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==; CustomCookie=00my00trusted00ip00is00x.x.x.x00
• Body of the POST message:
user=admin&pass=pass123&debug=true&fromtrustIP=true
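Added example, not part of the deck: a script that parses the two raw requests above (reconstructed, with x.x.x.x kept as the placeholder and an HTTP/1.1 version added so the request line is valid), lists every entry point they expose, decodes base64-looking cookies, and flags parameter names such as debug, PRICE and fromtrustIP. The list of suspicious names is an assumption.

```python
# Added example (not from the slides): take the two raw requests shown for
# OTG-INFO-006 and list every entry point they expose (query parameters,
# cookies, POST body fields), then mark the ones a tester would look at
# first. The requests are reconstructed from the slide (x.x.x.x kept as the
# placeholder); the "suspicious name" list is an assumption for illustration.
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

SUSPICIOUS_NAMES = ("debug", "ip", "trust", "admin", "price", "role", "test")


def parse_request(raw):
    """Split a raw HTTP request into (method, url, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, url = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, body.strip()


def parse_cookies(header_value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return cookies


def try_base64(value):
    """Decode if the value is valid base64 of printable text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def entry_points(raw_request):
    """Return [(location, name, value), ...] for every input the app accepts."""
    method, url, headers, body = parse_request(raw_request)
    points = []
    for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        points.append(("query", k, v))
    for k, v in parse_cookies(headers.get("cookie", "")).items():
        points.append(("cookie", k, v))
    if method == "POST" and body:
        for k, v in parse_qsl(body, keep_blank_values=True):
            points.append(("body", k, v))
    return points


def review(points):
    """Flag parameters by name and show what base64-looking cookies decode to."""
    notes = []
    for loc, name, value in points:
        low = name.lower()
        if any(s in low for s in SUSPICIOUS_NAMES):
            notes.append(f"{loc} parameter {name!r} looks like it drives "
                         f"trust, price or debug logic; verify it server-side")
        if loc == "cookie":
            decoded = try_base64(value)
            if decoded:
                notes.append(f"cookie {name!r} is base64 of: {decoded!r}")
    return notes


# Reconstructed from the slide's GET example (x.x.x.x kept as placeholder).
GET_REQUEST = (
    "GET https://x.x.x.x/shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a"
    "&PRICE=62.50&IP=x.x.x.x HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n"
    "Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy\r\n\r\n"
)
# Reconstructed from the slide's POST example.
POST_REQUEST = (
    "POST https://x.x.x.x/KevinNotSoGoodApp/authenticate.asp?service=login HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n"
    "Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==; "
    "CustomCookie=00my00trusted00ip00is00x.x.x.x00\r\n\r\n"
    "user=admin&pass=pass123&debug=true&fromtrustIP=true"
)

if __name__ == "__main__":
    for req in (GET_REQUEST, POST_REQUEST):
        for note in review(entry_points(req)):
            print(note)
```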
Map execution paths through application (OTG-INFO-007)
James_Bond(){007}
Ref: http://1.bp.blogspot.com/-pyBGbYAWLPI/UsWtagebozI/AAAAAAAAAvI/jAHHopVTrC4/s1600/every-james-bond-ever.png
OTG-INFO-$(James_Bond)
Before commencing security testing, understanding the structure of the application is paramount. Without a thorough understanding of the layout of the application, it is unlikely that it will be tested thoroughly.
Still want a shorter version?
• Map the target application and understand the principal workflows.
HOW TO TEST?
There are several ways to approach the testing and measurement of code coverage:
• Path - test each of the paths through an application that includes combinatorial and boundary value analysis testing for each decision path.
• Data flow (or taint analysis) - tests the assignment of variables via external interaction (normally users).
• Race - tests multiple concurrent instances of the application manipulating the same data.
We need support!
• OWASP-ZAP
• Burpsuite
#ZAP
Automatic Spidering
Fingerprint Web Application Framework (OTG-INFO-008)
OTG-INFO-008
Web framework or Content Management System fingerprinting is an important subtask of the information gathering process. Knowing the type of framework can automatically give a great advantage if such a framework has already been tested by the penetration tester. It is not only the known vulnerabilities in unpatched versions but specific misconfigurations in the framework and known file structure that makes the fingerprinting process so important.
Cut to the chase
To define the type of web framework used so as to have a better understanding of the security testing methodology.
How? and Where?
• HTTP Headers
• Cookies
• HTML source code
• Specific files and folders
HTTP HEADER
HTTP/1.1 200 OK
Server: nginx/1.0.14
Date: Sat, 07 Sep 2013 08:19:15 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Vary: Accept-Encoding
X-Powered-By: Mono
Cookies
GET /cake HTTP/1.1
Host: defcon-moscow.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: CAKEPHP=rm72kprivgmau5fmjdesbuqi71;
Connection: keep-alive
Cache-Control: max-age=0
HTML source code
Find certain patterns in the
Specific Files and Folders
For Example
• /wp-admin/
• modules/Drupal5-urdu-po/
• templates/joomlaport_metro/
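Added example, not part of the deck or of Whatweb/Wappalyzer: the four evidence sources above (headers, cookies, HTML source, specific files and folders) fed through one small signature table built from the slide examples. The signature table is illustrative and the response, page and path list are constructed.

```python
# Added example (not from the slides): the four evidence sources OTG-INFO-008
# lists (HTTP headers, cookies, HTML source, specific files and folders) fed
# into one scorer. The signature table is a small, illustrative assumption
# built from the slides' own examples (X-Powered-By: Mono, the CAKEPHP
# cookie, /wp-admin/, the Drupal and Joomla folder names); real tools such as
# Whatweb and Wappalyzer ship far larger tables. All inputs are constructed.
import re

# (evidence source, case-insensitive regex, framework)
SIGNATURES = [
    ("header", r"^x-powered-by: .*mono", "Mono/ASP.NET"),
    ("header", r"^x-powered-by: .*php", "PHP"),
    ("header", r"^x-powered-by: .*asp\.net", "ASP.NET"),
    ("cookie", r"^cakephp$", "CakePHP"),
    ("cookie", r"^phpsessid$", "PHP"),
    ("cookie", r"^asp\.net_sessionid$", "ASP.NET"),
    ("cookie", r"^jsessionid$", "Java servlet container"),
    ("cookie", r"^wordpress_", "WordPress"),
    ("html", r'<meta name="generator" content="wordpress', "WordPress"),
    ("html", r"/wp-content/|/wp-includes/", "WordPress"),
    ("html", r"drupal\.settings|sites/default/files", "Drupal"),
    ("path", r"^/wp-admin/", "WordPress"),
    ("path", r"^/modules/.*drupal", "Drupal"),
    ("path", r"^/templates/joomla", "Joomla"),
]


def cookie_names(headers):
    """Cookie names from Set-Cookie (response) and Cookie (request) headers."""
    names = []
    for n, v in headers:
        if n.lower() == "set-cookie":
            names.append(v.split("=", 1)[0].strip())
        elif n.lower() == "cookie":
            names += [p.split("=", 1)[0].strip() for p in v.split(";") if "=" in p]
    return names


def fingerprint(headers, html, existing_paths):
    """Score frameworks; returns {framework: [evidence, ...]}, strongest first.

    headers:        list of (name, value) tuples as received
    html:           page source as text
    existing_paths: paths that answered a probe (gathered elsewhere)
    """
    evidence = {}

    def hit(framework, what):
        evidence.setdefault(framework, []).append(what)

    header_lines = [f"{n}: {v}" for n, v in headers]
    cookies = cookie_names(headers)
    for source, pattern, framework in SIGNATURES:
        rx = re.compile(pattern, re.IGNORECASE)
        if source == "header":
            for line in header_lines:
                if rx.search(line):
                    hit(framework, f"header {line!r}")
        elif source == "cookie":
            for c in cookies:
                if rx.search(c):
                    hit(framework, f"cookie name {c!r}")
        elif source == "html" and rx.search(html):
            hit(framework, f"html matches /{pattern}/")
        elif source == "path":
            for p in existing_paths:
                if rx.search(p):
                    hit(framework, f"path {p!r} exists")
    # most evidence first (stable for ties)
    return dict(sorted(evidence.items(), key=lambda kv: -len(kv[1])))


# Constructed sample: the slide's nginx/Mono headers mixed with a WordPress
# install, to show how the evidence accumulates per framework.
SAMPLE_HEADERS = [
    ("Server", "nginx/1.0.14"),
    ("Content-Type", "text/html;charset=ISO-8859-1"),
    ("X-Powered-By", "Mono"),
    ("Set-Cookie", "wordpress_test_cookie=WP+Cookie+check; path=/"),
    ("Set-Cookie", "PHPSESSID=rm72kprivgmau5fmjdesbuqi71; path=/"),
]
SAMPLE_HTML = ('<html><head><meta name="generator" content="WordPress 4.3"></head>'
               '<body><script src="/wp-includes/js/jquery.js"></script></body></html>')
SAMPLE_PATHS = ["/wp-admin/", "/robots.txt"]

if __name__ == "__main__":
    for fw, ev in fingerprint(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_PATHS).items():
        print(fw, ev)
```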
Any assistance?
• Whatweb
• Blindelephant (Version 2 is coming soon)
• AppSpector
• Wappalyzer
#Wappalyzer
$(Remediation)
• Obfuscate all HTTP headers that disclose information about the technologies used
• Change cookie names by making changes in the corresponding configuration files.
• Manually check the contents of the HTML code and remove everything that explicitly points to the framework.
• Remove Meta Generator Tags
• Do not use default scripts on the page or obfuscate them if they must be used.
Fingerprint Web Application (OTG-INFO-009)
OTG-INFO-009
Apart from the Web Application Framework, identify the web application and version to determine known vulnerabilities and the appropriate exploits to use during testing.
Is it like 008?
• IMHO, similar to 008 but with a different objective
• 008 aims to draw out what kind of framework they are using (name of the CMS)
• 009 aims to find which version of the web application they are using (version of the CMS, DB, programming language)
>show me the example
$(whatweb amazon.com && whatweb blognone.com)
$(Remediation)
• Goto:OTG-INFO-008/remediation
Map Application Architecture (OTG-INFO-010)
OTG-INFO-010
The complexity of interconnected and heterogeneous web server infrastructure can include hundreds of web applications and makes configuration management and review a fundamental step in testing and deploying every single application. In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small and seemingly unimportant problems may evolve into severe risks for another application on the same server.
To address these problems, it is of utmost importance to perform an in-depth review of configuration and known security issues. Before performing an in-depth review it is necessary to map the network and application architecture. The different elements that make up the infrastructure need to be determined to understand how they interact with a web application and how they affect security…….ZZzzzzzZZzz
TL;DR
• Determine the architecture of the application and its impact on the application’s security
HOW?
• Ask the developers or system architects
• Navigate the application
• Keep guessing, using the techniques in 001-009, to determine the architecture
• Some strange input (e.g., %00) may reveal the protection systems in place
Why?
For example:
• On more complex setups, such as an online bank system, multiple servers might be involved. These may include a reverse proxy, a front-end web server, an application server and a database server or LDAP server.
Q&A

办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 

Recently uploaded (17)

Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Internet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptxInternet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 

OTG-Recon

  • 2. $whoami
    >>> import speaker
    >>> print(fullname)
    Sedthakit Prasanphanich
    >>> print(hobby)
    ['IT-Sec', 'Basketball', 'Reading', 'Games', 'Anime']
    >>> print(OWASP_role)
    Thailand Chapter Manager (General Butler)
    >>> print(work)
    Web Security Engineer
  • 3. Disclaimer
    • This presentation assumes that you already know a tiny bit about "Information Gathering".
    • If you have no idea what the previous bullet means, please consult Google, Yahoo, Bing, Baidu (I'm not joking), ...
    • If you don't understand any jargon or gibberish word, please ask me what it is!
    • This presentation is not a bible. Need more info? Read the OWASP Testing Guide!
    • Found any errata or have a suggestion? Please subscribe to the mailing list (https://www.owasp.org/index.php/OWASP_Testing_Project#tab=Feedback_and_Participation)
  • 4. Agenda
    • Small talk about Breaker, Security Tester, or Hacker.
    • OTG 101
    • OTG-INFO-x WHERE x >= 0 && x <= 10;
  • 6. "a person who enjoys the intellectual challenge of creatively overcoming and circumventing limitations of systems to achieve novel and clever outcomes."
    – Gehring, Verna (2004). The Internet In Public Life. Maryland: Rowman & Littlefield Publishers. pp. 43–56.
  • 7. "It means someone who enjoys playful cleverness, especially in programming but other media are also possible."
    "hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have 'hack value'."
    – Richard M. Stallman, 2002 and 2000 respectively
  • 9. What is Web Application Security Testing? • a method of evaluating the security of a web application by methodically validating and verifying the effectiveness of application security controls.
  • 10. What is a Test? • A test is an action to demonstrate that an application meets the security requirements of its stakeholders.
  • 11. The Approach in Writing this Guide
    • Open: every security expert can participate with his or her experience in the project. Everything is free.
    • Collaborative: brainstorming is performed before the articles are written so the team can share ideas and develop a collective vision of the project. That means rough consensus, a wider audience and increased participation.
  • 13. Why is information gathering so important?
    • All possible information is gathered about the target
    • Very few footprints are generally left by the attacker
  • 14. –Sun Tzu “Every battle is won before it is fought”
  • 15. >>> i=1
    >>> while i<11:
    ...     if i==10:
    ...         print("OTG-INFO-010")
    ...     else:
    ...         print("OTG-INFO-" + "00" + str(i))
    ...     i+=1
  • 16. Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
  • 17. OTG-INFO-001
    • To understand what sensitive design and configuration information of the application/system/organization is exposed, either directly (on the organization's website) or indirectly (on a third-party website).
  • 18. HOW TO TEST?
    • Use a search engine to search for:
      • Network diagrams and configurations
      • Archived posts and emails by administrators and other key staff
      • Log on procedures and username formats
      • Usernames and passwords
      • Error message content
      • Development, test, UAT and staging versions of the website
  • 19. Search Operators gotta know ’em all Ref: http://www.googleguide.com/advanced_operators_reference.html
  • 21. Search engines to use
    • Baidu
    • binsearch.info
    • Bing
    • DuckDuckGo
    • ixquick/Startpage
    • Google
    • Shodan
    • PunkSpider
    • Yahoo
    • Yandex
    • etc.
  • 23. Want to practice some searching? goto: http://www.agoogleaday.com/
  • 25. Lazy?
  • 26. GHDB
    The Google Hacking Database is a list of useful search queries for Google. Queries are put in several categories:
    • Footholds
    • Files containing usernames
    • Sensitive Directories
    • Web Server Detection
    • Vulnerable Files
    • Vulnerable Servers
    • Error Messages
    • Files containing juicy info
    • Files containing passwords
    • Sensitive Online Shopping Info
  • 27. print(Remediation)
    • Carefully consider the sensitivity of design and configuration information before it is posted online.
    • Periodically review the sensitivity of existing design and configuration information that is posted online.
  • 29. OTG-INFO-002
    • Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.
    • Goal: find the version and type of the running web server.
  • 30. How to Test
    $ nc 202.41.76.251 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Mon, 16 Jun 2003 02:53:29 GMT
    Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
    Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
    ETag: "1813-49b-361b4df6"
    Accept-Ranges: bytes
    Content-Length: 1179
    Connection: close
    Content-Type: text/html
  • 32. When the banner is obfuscated, the Server header alone tells you nothing:
    HTTP/1.1 403 Forbidden
    Date: Mon, 16 Jun 2003 02:41:27 GMT
    Server: Unknown-Webserver/1.0
    Connection: close
    Content-Type: text/HTML; charset=iso-8859-1
  • 33. Protocol Behaviour
    • HTTP header field ordering
    • Malformed request test
  • 34. HTTP HEADER FIELD ORDERING
    • The first method consists of observing the ordering of the several headers in the response. Every web server has an inner ordering of the headers. Consider the following responses as an example:
  • 35. Comparison
    Response from Apache 1.3.23
    $ nc apache.example.com 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Sun, 15 Jun 2003 17:10:49 GMT
    Server: Apache/1.3.23
    Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
    ETag: 32417-c4-3e5d8a83
    Accept-Ranges: bytes
    Content-Length: 196
    Connection: close
    Content-Type: text/HTML

    Response from IIS 5.0
    $ nc iis.example.com 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Content-Location: http://iis.example.com/Default.htm
    Date: Fri, 01 Jan 1999 20:13:52 GMT
    Content-Type: text/HTML
    Accept-Ranges: bytes
    Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT
    ETag: W/e0d362a4c335be1:ae1
    Content-Length: 133
  • 36. Malformed requests test • Another useful test to execute involves sending malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.
  • 37. MALFORMED REQUEST TEST
    Response from Apache 1.3.23
    $ nc apache.example.com 80
    GET / JUNK/1.0

    HTTP/1.1 200 OK
    Date: Sun, 15 Jun 2003 17:17:47 GMT
    Server: Apache/1.3.23
    Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
    ETag: 32417-c4-3e5d8a83
    Accept-Ranges: bytes
    Content-Length: 196
    Connection: close
    Content-Type: text/HTML

    Response from IIS 5.0
    $ nc iis.example.com 80
    GET / JUNK/1.0

    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Fri, 01 Jan 1999 20:14:34 GMT
    Content-Type: text/HTML
    Content-Length: 87
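The three signals above (Server banner, header ordering, reaction to a malformed request line) combined into one small fingerprinting routine. This is an added example, not code from the slides or the OWASP guide: the sample responses are transcribed from the netcat sessions on the slides, and the two signature tables are an assumption that only covers the two servers shown (Apache 1.3 puts Date before Server, IIS 5.0 the reverse; Apache answered "GET / JUNK/1.0" with 200, IIS with 400). `head_request` is the live equivalent of the nc sessions and is not used by the offline demo.

```python
# Added example (not from the slides): fingerprint a web server from raw HTTP
# responses using the Server banner, header ordering and malformed-request
# behaviour. Signature tables are assumptions covering only Apache 1.3 and IIS 5.0.
import socket

# Sample responses transcribed from the slides' netcat sessions.
APACHE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 15 Jun 2003 17:10:49 GMT\r\n"
    "Server: Apache/1.3.23\r\n"
    "Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT\r\n"
    "ETag: 32417-c4-3e5d8a83\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 196\r\n"
    "Connection: close\r\n"
    "Content-Type: text/HTML\r\n\r\n"
)
APACHE_JUNK = APACHE_HEAD.replace("17:10:49", "17:17:47")  # Apache still said 200 to "GET / JUNK/1.0"
IIS_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Location: http://iis.example.com/Default.htm\r\n"
    "Date: Fri, 01 Jan 1999 20:13:52 GMT\r\n"
    "Content-Type: text/HTML\r\n"
    "Accept-Ranges: bytes\r\n"
    "Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT\r\n"
    "ETag: W/e0d362a4c335be1:ae1\r\n"
    "Content-Length: 133\r\n\r\n"
)
IIS_JUNK = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Fri, 01 Jan 1999 20:14:34 GMT\r\n"
    "Content-Type: text/HTML\r\n"
    "Content-Length: 87\r\n\r\n"
)
OBFUSCATED = (  # slide 32: banner hidden, but the header order still talks
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Mon, 16 Jun 2003 02:41:27 GMT\r\n"
    "Server: Unknown-Webserver/1.0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/HTML; charset=iso-8859-1\r\n\r\n"
)

# Which of Date/Server comes first (editor's note 2), and what a junk request line gets back.
ORDER_SIGNATURES = {("date", "server"): "Apache", ("server", "date"): "Microsoft-IIS"}
MALFORMED_SIGNATURES = {200: "Apache", 400: "Microsoft-IIS"}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, ordered list of (name, value))."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return status, headers


def banner(headers):
    """The Server header value, or None if the server sends none."""
    for name, value in headers:
        if name.lower() == "server":
            return value
    return None


def order_signature(headers):
    """Guess the server family from the relative order of Date and Server."""
    names = tuple(n.lower() for n, _ in headers if n.lower() in ("date", "server"))
    return ORDER_SIGNATURES.get(names)


def fingerprint(normal_response, malformed_response=None):
    """Collect one vote per signal; disagreeing votes mean the banner is probably faked."""
    _, headers = parse_response(normal_response)
    votes = {}
    if banner(headers):
        votes["banner"] = banner(headers)
    if order_signature(headers):
        votes["header_order"] = order_signature(headers)
    if malformed_response is not None:
        status, _ = parse_response(malformed_response)
        if status in MALFORMED_SIGNATURES:
            votes["malformed"] = MALFORMED_SIGNATURES[status]
    return votes


def head_request(host, port=80, request_line="HEAD / HTTP/1.0", timeout=5):
    """Live probe, the equivalent of `nc host 80` plus typing the request line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((request_line + "\r\nHost: " + host + "\r\n\r\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")
```

On the obfuscated response the banner vote says "Unknown-Webserver/1.0" while the ordering vote says Apache; that disagreement is exactly what the protocol-behaviour tests are for. To run it live, pass `head_request(host)` and `head_request(host, request_line="GET / JUNK/1.0")` to `fingerprint`.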
  • 39. Automated Test
    • httprint (a classic)
    • Netcraft
    • hmap
    • nmap with the '-sV' option
    • BlindElephant (Version 2 is coming soon)
    • Shodan
    • etc.
  • 40. print(Remediation)
    • Custom compile the web server (for #hardcores)
    • Protect the presentation layer web server behind a hardened reverse proxy.
    • Obfuscate the presentation layer web server headers.
  • 41. Review Webserver Metafiles for Information Leakage (OTG-INFO-003)
  • 42. OTG-INFO-003
    • This section describes how to test the robots.txt file for information leakage of the web application's directory or folder path(s).
    • The list of directories that are to be avoided by Spiders, Robots, or Crawlers can also be created as a dependency for Map execution paths through application (OTG-INFO-007).
    • Goals: spot information leakage of the web application's directory or folder path(s), and create the list of directories that are to be avoided by Spiders, Robots, or Crawlers.
  • 43. Example of robots.txt (killer-robots.txt)
    User-Agent: T-1000
    User-Agent: T-800
    Disallow: /+LarryPage
    Disallow: /+SergeyBrin
    Ref: http://www.google.com/killer-robots.txt
  • 44. Fine, Real robots.txt from http://www.google.com
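A robots.txt parser that turns the file into the per-agent Disallow/Allow lists the slide talks about, so the disallowed paths can be fed straight into the spidering step of OTG-INFO-007. This is an added example, not code from the slides: the first input is the killer-robots.txt shown above, the second (`SAMPLE_ROBOTS`) is a constructed file for www.example.com, and the grouping rule (consecutive User-agent lines open a group, the rules that follow apply to every agent in it) follows the original robots.txt convention.

```python
# Added example (not from the slides): parse robots.txt into per-agent rules and
# produce the list of "please don't crawl this" paths a tester wants to look at first.

KILLER_ROBOTS = """User-Agent: T-1000
User-Agent: T-800
Disallow: /+LarryPage
Disallow: /+SergeyBrin
"""

# Constructed sample; www.example.com is a placeholder, not a real site.
SAMPLE_ROBOTS = """# robots.txt for www.example.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/  # trailing comment
Sitemap: https://www.example.com/sitemap.xml
"""


def parse_robots(text):
    """Return ({agent: {"disallow": [...], "allow": [...]}}, [sitemap urls]).

    Consecutive User-agent lines form one group; the Allow/Disallow lines that
    follow apply to every agent in that group. Comments (#) are stripped first.
    """
    groups, sitemaps, current = {}, [], []
    expecting_agents = True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not expecting_agents:      # rules already seen: a new group starts
                current = []
            expecting_agents = True
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            expecting_agents = False
            if not value:                 # "Disallow:" with no path disallows nothing
                continue
            for agent in current:
                groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def interesting_paths(groups):
    """Every Disallow entry from every agent, in file order, without duplicates."""
    seen = []
    for rules in groups.values():
        for path in rules["disallow"]:
            if path not in seen:
                seen.append(path)
    return seen


def to_seed_urls(base, groups):
    """Absolute URLs for the disallowed paths, ready to seed a spider (OTG-INFO-007)."""
    return [base.rstrip("/") + p for p in interesting_paths(groups) if p.startswith("/")]
```

The interesting part for a tester is not the robots semantics but `interesting_paths`: a site's Disallow list is a self-published inventory of what the owner would rather nobody looked at.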
  • 46. Meta tag
    • <META> tags are located within the HEAD section of each HTML document and should be consistent across a web site, since a robot/spider/crawler may well start from a "deep link" rather than from the web root [5].
    • Web spiders/robots/crawlers can intentionally ignore the <META NAME="ROBOTS"> tag, as the robots.txt file convention is preferred. Hence, <META> tags should not be considered the primary mechanism, but rather a complementary control to robots.txt.
  • 47. Meta Example: example of meta tags (image). Ref: https://anantshri.info/articles/web_app/image002.png
  • 49. OTG-INFO-004 A paramount step in testing for web application vulnerabilities is to find out which particular applications are hosted on a web server. In addition, many applications are often misconfigured or not updated, due to the perception that they are only used “internally” and therefore no threat exists.
  • 50. TL;DR
    • Enumerate the applications within scope that exist on a web server
    • A server may have more than one application running
  • 51. HOW TO TEST?
    1. Different base URL
    2. Non-standard ports
    3. Virtual hosts
  • 52. Base URL
    • Take a deep breath, and
    • keep typing in the URL bar (address bar for the retro)
      • http://www.example.com/url1
      • http://www.example.com/url2
      • http://www.example.com/url3
  • 53. not a lucky guy?
  • 54. How to identify via base URL?
    • If the server is misconfigured and allows directory browsing, we can spot them.
    • Dictionary searching (Forced Browse in ZAP)
    • Use a vulnerability scanner to help
  • 55. Non-standard port
    • Normally, HTTP and HTTPS use TCP ports 80 and 443 respectively
    • But, are you sure?
  • 58. –The Three musketeers “All for one, and one for all.”
  • 59. $(whereis my_neighbor_host)?
    • DNS zone transfer (too classic)
    • DNS inverse query (depends on target's config)
    • Robtex
    • etc.
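The three OTG-INFO-004 checks (base URL guessing, non-standard ports, virtual hosts) as one discovery routine. This is an added example, not code from the slides or from ZAP: the HTTP transport is injected as a `fetch(host, port, path)` callable so the demo runs offline against a constructed table (`FAKE_SERVER`, a made-up www.example.com with a second vhost and a Tomcat on 8080); to run it for real, replace `fake_fetch` with a function that sends a request with the given Host header and returns `None` on connection failure. The wordlist is a five-word stand-in for a real forced-browse dictionary.

```python
# Added example (not from the slides): forced browsing, port sweep and vhost
# discovery with an injected transport so the demo runs against a fake server.
from collections import namedtuple

Response = namedtuple("Response", "status body")

# Constructed fake server: (host header, port, path) -> response. Not a real site.
FAKE_SERVER = {
    ("www.example.com", 80, "/"): Response(200, "<html><title>Example</title></html>"),
    ("www.example.com", 80, "/admin/"): Response(403, "Forbidden"),
    ("www.example.com", 80, "/backup/"): Response(200, "<title>Index of /backup</title><a href='db.sql'>db.sql</a>"),
    ("www.example.com", 80, "/webmail"): Response(301, ""),
    ("www.example.com", 8080, "/"): Response(200, "<title>Apache Tomcat</title>"),
    ("intranet.example.com", 80, "/"): Response(200, "<title>Intranet</title>"),
}


def fake_fetch(host, port, path):
    """Behaves like a real name-based virtual host setup: closed ports refuse the
    connection (None), unknown Host names fall through to the default site."""
    if port not in {p for _, p, _ in FAKE_SERVER}:
        return None
    if host not in {h for h, p, _ in FAKE_SERVER if p == port}:
        host = "www.example.com"
    return FAKE_SERVER.get((host, port, path), Response(404, "Not Found"))


WORDLIST = ["admin", "backup", "webmail", "test", "old"]  # stand-in for a real dictionary


def forced_browse(fetch, host, port=80, wordlist=WORDLIST):
    """Dictionary-based base URL discovery. 200, 301/302 and 403 all count:
    a 403 still proves the path exists. Flags directory listings on the way."""
    found = []
    for word in wordlist:
        for path in ("/" + word, "/" + word + "/"):
            r = fetch(host, port, path)
            if r is not None and r.status in (200, 301, 302, 403):
                found.append((path, r.status, "Index of" in r.body))
                break
    return found


def scan_ports(fetch, host, ports=(80, 443, 8000, 8080, 8443)):
    """Non-standard ports: anything that answers HTTP at all is another application to enumerate."""
    return [p for p in ports if fetch(host, p, "/") is not None]


def find_vhosts(fetch, port, candidates, baseline_host="nonexistent.invalid"):
    """Virtual hosts: send candidate names in the Host header and keep the ones
    whose response differs from what an unknown name gets (the default site)."""
    baseline = fetch(baseline_host, port, "/")
    hits = []
    for name in candidates:
        r = fetch(name, port, "/")
        if r is not None and (r.status, r.body) != (baseline.status, baseline.body):
            hits.append(name)
    return hits
```

Candidate names for `find_vhosts` come from the sources on the slide (zone transfer, reverse lookups, Robtex); the baseline comparison is what separates a real vhost from the default site answering for any name.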
  • 61. Review webpage comments and metadata for information leakage (OTG-INFO-005)
  • 62. OTG-INFO-005 It is very common, and even recommended, for programmers to include detailed comments and metadata on their source code. However, comments and metadata included into the HTML code might reveal internal information that should not be available to potential attackers. Comments and metadata review should be done in order to determine if any information is being leaked.
  • 63. TL;DR again
    • Just pay attention to any interesting comment or meta HTML tag
  • 64. HOW TO TEST
    • Check the HTML source code for any comment!
    • Examine the meta tags
  • 66. Why meta tags again?
    • some may provide application profiling information
    • some alter HTTP response headers, which can be used to conduct injection attacks
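Pulling comments and meta tags out of a page and flagging the ones this section cares about: comments that leak credentials, hosts, paths or debugging notes, and meta tags that either profile the application (`generator`) or rewrite response headers (`http-equiv`). This is an added example, not code from the slides; `SAMPLE_HTML` is a constructed page, and the keyword list in `SENSITIVE` is a starter set, not a complete rule base.

```python
# Added example (not from the slides): collect HTML comments and <meta> tags
# with the standard-library parser and flag the ones that leak or profile.
import re
from html.parser import HTMLParser

# Constructed sample page; the host, IP, path and password in it are made up.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.2.1">
<meta http-equiv="Set-Cookie" content="debug=1; path=/">
<meta name="robots" content="noindex">
<!-- TODO: remove before release. Test login admin/Summer2015! -->
<!-- Served by app-srv-02 (10.0.3.12) -->
</head><body>
<!-- FIXME: /var/www/legacy/export.php still reachable -->
<p>Welcome</p></body></html>"""

# Words, internal IPs and filesystem paths that make a comment worth reading.
SENSITIVE = re.compile(
    r"(password|passwd|pwd|admin|todo|fixme|debug|internal|"
    r"\b\d{1,3}(?:\.\d{1,3}){3}\b|/var/|/etc/|[a-z]:\\)", re.I)
# http-equiv values that change how the browser treats the response.
HEADER_META = {"set-cookie", "content-security-policy", "refresh", "x-frame-options"}


class MetaCommentCollector(HTMLParser):
    """Records every comment (whitespace-normalised) and every <meta> tag's attributes."""

    def __init__(self):
        super().__init__()
        self.comments, self.metas = [], []

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "meta":
            self.metas.append({k.lower(): v for k, v in attrs if v is not None})


def review(html):
    """Return (kind, what matched, context) findings in document order:
    comments first, then generator and header-altering meta tags."""
    parser = MetaCommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for comment in parser.comments:
        match = SENSITIVE.search(comment)
        if match:
            findings.append(("comment", match.group(0), comment))
    for meta in parser.metas:
        if meta.get("name", "").lower() == "generator":
            findings.append(("generator", meta.get("content", ""), ""))
        if meta.get("http-equiv", "").lower() in HEADER_META:
            findings.append(("http-equiv", meta["http-equiv"], meta.get("content", "")))
    return findings
```

The generator finding feeds OTG-INFO-008/009 (framework and version), and the `http-equiv` finding is the "alters HTTP response headers" case from the slide: a meta tag a user can influence is a header a user can influence.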
  • 68. OTG-INFO-006 Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed.
  • 69. TL;DR again • Understand how requests are formed and typical responses from the application
  • 70. HOW TO TEST?
    • Step 0: Understand the HTTP protocol
    • Look into the request and response
  • 71. Any tools to intercept?
    • any intercepting proxy (Burp, Zed, Fiddler, etc.)
    • Tamper Data (web browser plugin)
    • Live HTTP Headers (web browser plugin)
  • 72. Example
    GET example:
    GET https://x.x.x.x/shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x
    Host: x.x.x.x
    Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy

    POST example:
    POST https://x.x.x.x/KevinNotSoGoodApp/authenticate.asp?service=login
    Host: x.x.x.x
    Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==; CustomCookie=00my00trusted00ip00is00x.x.x.x00
    Body of the POST message:
    user=admin&pass=pass123&debug=true&fromtrustIP=true
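Turning the two captured requests above into an attack-surface inventory for OTG-INFO-006: every parameter with where it lives (query, cookie, body), plus two checks a tester does by hand on such a capture: decode cookie values that look like base64, and flag parameter names that suggest the server trusts the client for a security decision (IP, PRICE, debug, fromtrustIP). This is an added example, not code from the slides; the requests are the slide's, lightly cleaned into valid HTTP/1.1, and the `SUSPICIOUS` name list is an assumption.

```python
# Added example (not from the slides): enumerate entry points from raw captured
# requests, decode base64-looking cookies and flag trust-sensitive parameter names.
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# The slide's two requests, cleaned up (the x.x.x.x placeholders are the slide's own).
GET_REQUEST = (
    "GET https://x.x.x.x/shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n"
    "Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy\r\n\r\n"
)
POST_REQUEST = (
    "POST https://x.x.x.x/KevinNotSoGoodApp/authenticate.asp?service=login HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n"
    "Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==; "
    "CustomCookie=00my00trusted00ip00is00x.x.x.x00\r\n"
    "\r\n"
    "user=admin&pass=pass123&debug=true&fromtrustIP=true"
)

# Parameter names that usually mean the client is being trusted with a decision (assumption).
SUSPICIOUS = re.compile(r"(ip|price|debug|trust|role)", re.I)


def parse_request(raw):
    """Split a raw request into method, path, and (name, value) lists per location."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    cookies = []
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies.append((name, value))
    return {
        "method": method,
        "path": url.path,
        "query": parse_qsl(url.query, keep_blank_values=True),
        "cookie": cookies,
        "body": parse_qsl(body, keep_blank_values=True) if body else [],
    }


def decode_if_base64(value):
    """Decoded text if the value is well-formed base64 of printable ASCII, else None."""
    if len(value) < 16 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def inventory(raw):
    """(method, path, rows) where each row is (location, name, value, note)."""
    req = parse_request(raw)
    rows = []
    for where in ("query", "cookie", "body"):
        for name, value in req[where]:
            notes = []
            if SUSPICIOUS.search(name):
                notes.append("client-controlled trust?")
            decoded = decode_if_base64(value)
            if decoded:
                notes.append("base64: " + decoded)
            rows.append((where, name, value, "; ".join(notes)))
    return req["method"], req["path"], rows
```

Run on the slide's own data the base64 check is what makes the example worth having: both SESSIONID cookies decode to readable English, which is the point the slide's author was making by choosing them.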
  • 73. Map execution paths through application (OTG-INFO-007)
  • 75. OTG-INFO-$(James_Bond)
    Before commencing security testing, understanding the structure of the application is paramount. Without a thorough understanding of the layout of the application, it is unlikely that it will be tested thoroughly.
  • 76. Still want shorter version? • Map the target application and understand the principal workflows.
  • 77. HOW TO TEST?
    There are several ways to approach the testing and measurement of code coverage:
    • Path - test each of the paths through an application; this includes combinatorial and boundary value analysis testing for each decision path.
    • Data flow (or taint analysis) - tests the assignment of variables via external interaction (normally users).
    • Race - tests multiple concurrent instances of the application manipulating the same data.
  • 78. We need support!
    • OWASP ZAP
    • Burp Suite
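A minimal breadth-first spider that builds the map this section asks for: which pages link where, and which forms (with their fields) each page exposes, flattened at the end into the list of entry points. This is an added example, not code from the slides or from ZAP/Burp: fetching is injected (`fetch(url)` returning HTML or `None`) so it runs against `SITE`, a constructed four-page www.example.com, and it stays on the start host. Seeds from robots.txt (OTG-INFO-003) can simply be appended to the start list.

```python
# Added example (not from the slides): BFS spider over same-host links that
# records links and forms per page, then flattens them into entry points.
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Constructed site keyed by path; nothing here is a real server.
SITE = {
    "/": '<a href="/login">Login</a><a href="/about.html">About</a><a href="http://other.example.org/">ext</a>',
    "/login": '<form action="/doLogin" method="post"><input name="user"><input name="pass" type="password"></form>',
    "/about.html": '<a href="/">home</a><a href="/admin/?debug=1">admin</a>',
    "/admin/": '<a href="/admin/users">users</a>',
}


def fake_fetch(url):
    """Offline stand-in for an HTTP GET: HTML for known paths, None for a 404."""
    return SITE.get(urlsplit(url).path)


class LinkFormExtractor(HTMLParser):
    """Collects absolute link targets and forms (action, method, input names)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links, self.forms, self._form = base_url, [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").upper(), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def spider(fetch, start, max_pages=50):
    """Breadth-first crawl; returns {url: {"links": [...], "forms": [...]} or None (not found)}."""
    host = urlsplit(start).netloc
    queue, seen, sitemap = [start], {start}, {}
    while queue and len(sitemap) < max_pages:
        url = queue.pop(0)
        html = fetch(url)
        if html is None:
            sitemap[url] = None
            continue
        parser = LinkFormExtractor(url)
        parser.feed(html)
        parser.close()
        sitemap[url] = {"links": parser.links, "forms": parser.forms}
        for link in parser.links:
            parts = urlsplit(link)
            if parts.netloc != host:          # stay in scope
                continue
            link = parts._replace(fragment="").geturl()
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return sitemap


def entry_points(sitemap):
    """Flatten the map into (method, url, parameter names): the attack surface to test."""
    rows = []
    for url, info in sitemap.items():
        if info is None:
            continue
        query = urlsplit(url).query
        if query:
            rows.append(("GET", url, [name for name, _ in parse_qsl(query)]))
        for form in info["forms"]:
            rows.append((form["method"], form["action"], form["fields"]))
    return rows
```

Links to other hosts are recorded but not followed, which is the scope rule a tester wants by default; the `None` entries are the dangling links (here `/admin/users`) that are worth a second look with forced browsing.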
  • 81. OTG-INFO-008 Web framework or Content Management System fingerprinting is an important subtask of the information gathering process. Knowing the type of framework can automatically give a great advantage if such a framework has already been tested by the penetration tester. It is not only the known vulnerabilities in unpatched versions but specific misconfigurations in the framework and known file structure that makes the fingerprinting process so important.
  • 82. Cut to the chase To define type of used web framework so as to have a better understanding of the security testing methodology.
  • 83. How? and Where?
    • HTTP headers
    • Cookies
    • HTML source code
    • Specific files and folders
  • 84. HTTP HEADER
    HTTP/1.1 200 OK
    Server: nginx/1.0.14
    Date: Sat, 07 Sep 2013 08:19:15 GMT
    Content-Type: text/html;charset=ISO-8859-1
    Connection: close
    Vary: Accept-Encoding
    X-Powered-By: Mono
  • 85. Cookies
    GET /cake HTTP/1.1
    Host: defcon-moscow.org
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:22.0) Gecko/20100101 Firefox/22.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Cookie: CAKEPHP=rm72kprivgmau5fmjdesbuqi71;
    Connection: keep-alive
    Cache-Control: max-age=0
  • 86. HTML source code Find certain pattern in the
  • 87. Specific Files and Folders, for example:
    • /wp-admin/
    • modules/Drupal5-urdu-po/
    • templates/joomlaport_metro/
  • 88. Any assistance?
    • WhatWeb
    • BlindElephant (Version 2 is coming soon)
    • AppSpector
    • Wappalyzer
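The four signal sources of this section (headers, cookies, HTML, well-known paths) combined into one scoring fingerprint, with the version pulled out of the generator tag for OTG-INFO-009. This is an added example, not code from the slides or from WhatWeb: it takes already-parsed inputs (a header dict, cookie names, the HTML body), for instance exported from an intercepting proxy, so it runs offline. The `SIGNATURES` table is a short starter set written from well-known defaults (the CakePHP cookie and the Mono header are the slide's own examples; the WordPress, Drupal, Joomla, PHP, ASP.NET and JSESSIONID entries are common defaults) and is an assumption, not a complete database.

```python
# Added example (not from the slides): framework fingerprinting from headers,
# cookie names and HTML, returning evidence per framework and paths to probe next.
import re

# Starter signature set (assumption). "paths" are the framework-specific files and
# folders to request next, in the spirit of slide 87.
SIGNATURES = {
    "WordPress": {"cookie": [r"^wordpress_", r"^wp-settings"],
                  "html": [r"/wp-content/", r'name="generator" content="WordPress'],
                  "paths": ["/wp-admin/", "/wp-login.php", "/readme.html"]},
    "Drupal": {"cookie": [r"^SESS[0-9a-f]{32}$"],
               "header": [(r"x-generator", r"Drupal"), (r"x-drupal-cache", r".")],
               "html": [r"/sites/default/files/", r"Drupal\.settings"],
               "paths": ["/CHANGELOG.txt", "/user/login"]},
    "Joomla": {"html": [r"/media/system/js/", r'name="generator" content="Joomla'],
               "paths": ["/administrator/", "/templates/"]},
    "CakePHP": {"cookie": [r"^CAKEPHP$"], "paths": ["/css/cake.generic.css"]},
    "PHP": {"cookie": [r"^PHPSESSID$"], "header": [(r"x-powered-by", r"PHP")]},
    "ASP.NET": {"cookie": [r"^ASP\.NET_SessionId$"],
                "header": [(r"x-powered-by", r"ASP\.NET"), (r"x-aspnet-version", r".")]},
    "Java servlet": {"cookie": [r"^JSESSIONID$"]},
    "Mono": {"header": [(r"x-powered-by", r"Mono")]},
}


def fingerprint(headers, cookie_names, html=""):
    """Return {framework: [evidence strings]} for every framework with at least one hit."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hits = {}
    for framework, sig in SIGNATURES.items():
        evidence = []
        for name_pat, value_pat in sig.get("header", []):
            for name, value in hdrs.items():
                if re.fullmatch(name_pat, name) and re.search(value_pat, value):
                    evidence.append("header %s: %s" % (name, value))
        for pat in sig.get("cookie", []):
            for cookie in cookie_names:
                if re.search(pat, cookie):
                    evidence.append("cookie " + cookie)
        for pat in sig.get("html", []):
            if re.search(pat, html):
                evidence.append("html " + pat)
        if evidence:
            hits[framework] = evidence
    return hits


def paths_to_probe(hits):
    """The framework-specific paths worth requesting next, for every framework matched."""
    out = []
    for framework in hits:
        for path in SIGNATURES[framework].get("paths", []):
            if path not in out:
                out.append(path)
    return out


def generator_version(html):
    """The meta generator string, which usually carries the version (OTG-INFO-009)."""
    match = re.search(r'<meta[^>]+name="generator"[^>]+content="([^"]+)"', html, re.I)
    return match.group(1) if match else None
```

Fed the slide's own data (`Server: nginx/1.0.14`, `X-Powered-By: Mono`, cookie `CAKEPHP`) it reports CakePHP and Mono with the evidence for each; the value of the table is that each hit comes with the next thing to request rather than just a name.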
  • 90. $(Remediation)
    • Obfuscate all HTTP headers that disclose information about the technologies used.
    • Change cookie names by making changes in the corresponding configuration files.
    • Manually check the contents of the HTML code and remove everything that explicitly points to the framework.
    • Remove meta generator tags.
    • Do not use default scripts on the page, or obfuscate them if they must be used.
  • 92. OTG-INFO-009 Apart from the Web Application Framework, Identify the web application and version to determine known vulnerabilities and the appropriate exploits to use during testing.
  • 93. Is it like 008?
    • IMHO, similar to 008 but with a different objective
    • 008 aims to draw what kind of framework they are using (name of the CMS)
    • 009 aims to find which version of the web application they are using (version of the CMS, DB, programming language)
  • 94. >show me the example
    $(whatweb amazon.com && whatweb blognone.com)
  • 97. OTG-INFO-010
    The complexity of interconnected and heterogeneous web server infrastructure can include hundreds of web applications and makes configuration management and review a fundamental step in testing and deploying every single application. In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small and seemingly unimportant problems may evolve into severe risks for another application on the same server. To address these problems, it is of utmost importance to perform an in-depth review of configuration and known security issues. Before performing an in-depth review it is necessary to map the network and application architecture. The different elements that make up the infrastructure need to be determined to understand how they interact with a web application and how they affect security…….ZZzzzzzZZzz
  • 98. TL;DR • determine the architecture of the application to find any impact against the application security
  • 99. HOW?
    • Ask the developers or the system architect
    • Navigate the application.
    • Keep guessing, using the techniques from 001-009, to determine the architecture.
    • Some strange input, e.g. %00, may trigger a response from protection systems
  • 100. Why? For example: • On more complex setups, such as an online bank system, multiple servers might be involved. These may include a reverse proxy, a front-end web server, an application server and a database server or LDAP server.
  • 101. Q&A

Editor's Notes

  1. You can find it on the exploit-db website
  2. order of Date and Server
  3. DirBuster, Burp Intruder, Forced Browse
  4. MSN search: http://search.msn.com, syntax: "ip:x.x.x.x" (without the quotes)
     Webhosting info: http://whois.webhosting.info/, syntax: http://whois.webhosting.info/x.x.x.x
     DNSstuff: http://www.dnsstuff.com/ (multiple services available)
     http://www.net-square.com/mspawn.html (multiple queries on domains and IP addresses, requires installation)
     tomDNS: http://www.tomdns.net/index.php (some services are still private at the time of writing)
     SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse-IP/domain lookup)
  5. Gray Box, Meet with Developers
  6. However, these methods take a long time to find all the visible paths and flows. This is where an automatic spider comes into the picture.