W3AF Lab Tutorials

Samir Ahmed
December 09, 2012

Boston University EC521 Cybersecurity Lab Team 2 Slides

Transcript

  1. Agenda
     - what is w3af
     - blind SQLi
     - hidden pages
     - cross-site scripting
     - file upload vulnerabilities
     - server side include injections

  2. what is w3af? An easy-to-use "framework to find and exploit web applications" - w3af.sourceforge.net
     (that was the project's home in 2012; it has since moved to github.com/andresriancho/w3af)

  3. what is w3af?
     - vulnerability scanner and exploitation tool for web applications
     - provides information about security vulnerabilities to aid in penetration testing
     - includes both a graphical and a command-line user interface
     - open source

  4. how to run? (in your BackTrack VM)
     $ cd /pentest/web/w3af
     $ svn update
     $ ./w3af_gui
     (the /pentest path and the svn checkout are BackTrack-era; current releases are on github.com/andresriancho/w3af)

  5. what can it do? plugin categories:
     - audit: find vulnerabilities to exploit
     - auth: log in where auto-scanners won't work (facebook/etc.)
     - bruteforce: crack login forms
     - discovery: find new URLs, servers, etc.
     - evasion: evade Intrusion Prevention System detection
     - grep: analyze every response (page source) for dates, credit cards etc.
     - mangle: modify requests 'on the fly'
     - output: configure how results will be displayed

  6. what can't it do? w3af is NOT a replacement for a smart person.
     detection is easy. exploitation is hard. don't use it blindly.

  7. what we'll focus on
     - discovery: what is on the server? how is everything connected?
     - audit: how do we attack? what can we get?

  8. what can w3af detect?
     - hidden pages
     - blind SQLi
     - cross-site scripting
     - file upload vulnerabilities
     - server side include injections

  9. hidden pages: sites may not explicitly link to pages
     ► temporary or debug pages
     ► member only pages
     ► pages unindexed from search engines

  10. hidden pages: discovery plugins explore pages for links, and read /robots.txt.
     This file asks web crawlers to ignore certain paths or directories; Google and Bing spiders honor it.
     It is advisory only, not access control, so w3af ignores the request and instead treats every Disallow entry as a path worth requesting.

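What the robots.txt discovery step boils down to, as an added example that is not w3af's own plugin code: parse the Disallow entries out of a constructed robots.txt, turn them into URLs to request, and keep the ones that answer. The fetch callable is injected so the block runs offline; www.vulnerable.com is the slide's placeholder host and the paths in the sample file are made up.

```python
from urllib.parse import urljoin

# Constructed sample robots.txt, as a crawler would fetch it from /robots.txt.
SAMPLE_ROBOTS = """\
# keep the bots out of the back office
User-agent: *
Disallow: /admin/
Disallow: /debug/phpinfo.php
Disallow: /tmp/*.bak
Disallow:
Allow: /public/
Sitemap: http://www.vulnerable.com/sitemap.xml

User-agent: Googlebot
Disallow: /members
"""


def disallowed_paths(robots_txt):
    """Return the unique Disallow values, in file order, across every User-agent group.

    A crawler obeys only the group matching its own User-agent; a scanner wants
    every entry, because each one is a path the site owner did not want indexed.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "disallow":
            continue
        value = value.strip()
        if value and value not in paths:             # an empty Disallow means "allow all"
            paths.append(value)
    return paths


def candidate_urls(base_url, robots_txt):
    """Turn Disallow entries into URLs to request.

    Entries with wildcards (/tmp/*.bak) cannot be requested literally, so the
    nearest enclosing directory is requested instead.
    """
    urls = []
    for path in disallowed_paths(robots_txt):
        if "*" in path or "$" in path:
            prefix = path.split("*", 1)[0].split("$", 1)[0]
            path = prefix.rsplit("/", 1)[0] + "/"
        url = urljoin(base_url, path)
        if url not in urls:
            urls.append(url)
    return urls


def probe(urls, fetch):
    """fetch(url) -> HTTP status. Keep every URL that exists (anything but 404).

    A 401 or 403 is still a finding: the path exists and something guards it.
    """
    found = []
    for url in urls:
        status = fetch(url)
        if status != 404:
            found.append((url, status))
    return found


def fake_fetch(url):
    """Constructed stand-in for the network: /tmp/ is gone, /admin/ is guarded, the rest exist."""
    path = url[len("http://www.vulnerable.com"):]
    return {"/tmp/": 404, "/admin/": 403}.get(path, 200)


if __name__ == "__main__":
    for url, status in probe(candidate_urls("http://www.vulnerable.com/", SAMPLE_ROBOTS), fake_fetch):
        print(status, url)
```

Swapping fake_fetch for a real HEAD request is the whole difference between this and a live scan; the parsing is the part worth getting right, since a Disallow line for a single bot or a wildcard entry is exactly the kind of path a naive crawler misses.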
  11. what is blind SQLi? like SQLi, but the results of the query are invisible:
     all you see is an indication of an error (page loads vs. page errors).
     we can still exploit it, but each payload answers one yes/no question, so extracting anything is slow.

  12-14. what is blind SQLi? (one slide, built up over three steps)
     normal query:   http://www.vulnerable.com/hax.php?page=1
     sqli queries:
       http://www.vulnerable.com/hax.php?page=1' ORDER BY 1;#   page loads
       http://www.vulnerable.com/hax.php?page=1' ORDER BY 2;#   page loads
       http://www.vulnerable.com/hax.php?page=1' ORDER BY 3;#   page loads
       http://www.vulnerable.com/hax.php?page=1' ORDER BY 4;#   page errors
     now we know there are 3 columns
     (the ' closes the string literal, # is the MySQL line comment that discards the rest of the original statement, and ORDER BY n fails once n exceeds the number of selected columns)

  15. 3 columns = 4 queries. 49 columns = 50 queries.
     thank goodness for the w3af blind SQLi plugin!

  16-17. XSS: cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.
     So, it's kind of a big deal... but what can w3af do about it?

  18. file upload vulnerability: uploading files to a web server can be dangerous if...
     • file types are not verified
       ◦ should you be allowed to upload shell scripts?
     • uploaded files are executable
       ◦ should uploaded files be allowed to run on the server?
     • files reside within the server's document root (web root)
       ◦ should uploaded files be reachable by URL?

  19. file upload vulnerability: what if the files uploaded to a server are sensitive?
     if files are saved directly under the web root, w3af can easily find them using discovery plugins.
     w3af may even be able to give you a remote shell on the server if uploaded files are executable!

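The three checks slide 18 asks for, as an added example that is neither the deck's nor w3af's code: an upload handler of the kind the slides warn about next to a hardened one that allow-lists extensions, checks the file's magic bytes against that extension, stores under a random server-chosen name outside the document root, and creates the file non-executable. The directories are temporary ones created in the block and the PNG and PHP payloads are constructed.

```python
import os
import secrets
import tempfile

# Extension allow-list, with the magic bytes each type must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Constructed payloads: a minimal PNG header and a PHP web shell body.
PNG_BYTES = ALLOWED_TYPES[".png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"

WEBROOT = tempfile.mkdtemp(prefix="webroot-")   # constructed stand-in for the document root
STORE = tempfile.mkdtemp(prefix="uploads-")     # outside the web root, never served directly


class UploadRejected(ValueError):
    pass


def unsafe_save(webroot, filename, data):
    """What slide 18 warns about: any name, any content, straight into the web root.

    The client's name is trusted, so '../shell.php' escapes the uploads
    directory, and a .php file under the web root is both reachable by URL
    and executed by the server.
    """
    path = os.path.normpath(os.path.join(webroot, "uploads", filename))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def safe_save(store_dir, filename, data, max_bytes=5 * 1024 * 1024):
    """Verify the type, ignore the client's name, keep the file out of the web root.

    Downloads go through an application handler that sets Content-Type and
    Content-Disposition; the store directory itself is not served.
    """
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Only the extension of the base name is used; directory components in the
    # client name are discarded, so path traversal has nothing to work with.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: %r" % ext)
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not look like %s" % ext)
    # Random name chosen by the server: no collisions, no guessable URLs, no .php.
    path = os.path.join(store_dir, secrets.token_hex(16) + ext)
    # O_EXCL refuses to overwrite; mode 0600 leaves no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def is_inside(path, directory):
    """True if path resolves to somewhere under directory."""
    path, directory = os.path.realpath(path), os.path.realpath(directory)
    return os.path.commonpath([path, directory]) == directory


def rejects(store_dir, filename, data):
    """True if safe_save refuses the upload."""
    try:
        safe_save(store_dir, filename, data)
    except UploadRejected:
        return True
    return False


def file_mode(path):
    """Permission bits of a stored file."""
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    shell = unsafe_save(WEBROOT, "../shell.php", PHP_SHELL)
    print("unsafe: web shell at", shell, "- inside web root:", is_inside(shell, WEBROOT))
    for name, data in [("shell.php", PHP_SHELL), ("avatar.png", PHP_SHELL),
                       ("../avatar.png", PNG_BYTES), ("polyglot.png", PNG_BYTES + PHP_SHELL)]:
        print("safe:", name, "rejected" if rejects(STORE, name, data) else "stored")
```

The magic-byte check is a type check, not proof of harmlessness: a valid PNG with PHP appended passes it. That is why the other two controls carry the real weight; a file that is never under the document root and never executable is just an odd image, and a discovery plugin scanning the web root will not find it.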
  20. server side include injection: SSI follows this very basic syntax inside HTML comments
     <!--#directive parameter="value" -->
     directive => the instruction. parameter => what to perform the instruction on.
     <!--#include file="foo.shtml" -->
     (Apache's mod_include wants whitespace before the closing -->, and only parses directives in files it is configured to parse, e.g. .shtml with Options +Includes)

  21. server side include injection: if forms exist whose input is echoed into an SSI-parsed page, w3af can detect this and inject commands
     <!--#exec cmd="ls" -->
     lists all the files in the web page's current directory
     (exec is refused when the server uses Options +IncludesNOEXEC; include and echo still work there)

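The directive syntax from slide 20 and the exec probe from slide 21, as an added example that is neither the deck's nor w3af's code: a small parser for `<!--#name attr="value" -->` directives, a constructed guestbook template that echoes a form field into an SSI-parsed page, and the HTML escaping that stops the injected directive from being one. The template and file names are made up for the example.

```python
import html
import re

# <!--#name attr="value" attr='value' ... -->   (the slide's directive syntax)
DIRECTIVE_RE = re.compile(r"<!--#\s*(?P<name>[A-Za-z]+)(?P<attrs>[^>]*?)-->", re.DOTALL)
# mod_include accepts double quotes, single quotes and backticks around values.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`)""")

# What each directive buys an attacker whose input reaches an SSI-parsed page.
IMPACT = {
    "exec": "runs a shell command or CGI program",
    "include": "reads another file into the page",
    "echo": "prints a server variable",
    "printenv": "dumps the whole environment",
}


def parse_ssi_directives(text):
    """Return [(name, {attr: value}), ...] for every directive found in text."""
    found = []
    for m in DIRECTIVE_RE.finditer(text):
        attrs = {k: dq or sq or bq for k, dq, sq, bq in ATTR_RE.findall(m.group("attrs"))}
        found.append((m.group("name").lower(), attrs))
    return found


def injected_directives(template, page):
    """Directives in the rendered page that the template itself did not contain:
    the ones that came from user input."""
    baseline = parse_ssi_directives(template)
    return [d for d in parse_ssi_directives(page) if d not in baseline]


# Constructed guestbook template. Apache parses it when the file is .shtml and
# Options +Includes is on, so whatever lands in {name} is parsed as well.
TEMPLATE = """<html><body>
<!--#include file="header.shtml" -->
<p>Thanks for signing, {name}!</p>
</body></html>
"""

PROBE = '<!--#exec cmd="ls" -->'        # the payload from slide 21


def render_unsafe(name):
    """Reflects the form field verbatim: the directive lands in the page intact."""
    return TEMPLATE.format(name=name)


def render_safe(name):
    """HTML-escapes first: '<' becomes '&lt;', so '<!--#' can no longer open a directive."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


if __name__ == "__main__":
    for label, page in [("unsafe", render_unsafe(PROBE)), ("safe", render_safe(PROBE))]:
        hits = injected_directives(TEMPLATE, page)
        print(label, "injected:", hits)
        for name, attrs in hits:
            print("  ->", name, attrs, "-", IMPACT.get(name, "unknown directive"))
```

The parser is the same one a scanner runs over the response after submitting the probe: if the directive text comes back verbatim the page is not parsing SSI, while a directory listing or an error from mod_include in its place is the finding. Comparing against the template's own directives keeps the legitimate include from being reported.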