Are you embarrassed by your Web Application Security game? Here’s how to start rockin’!

The goal of this post is to provide an overview of an awesome OWASP project which is designed to find vulnerabilities in web applications called: Zed Attack Proxy (ZAP). I have known about ZAP for a while but just thought I do a quick write up.

ZAP was selected as the second top security tool of 2014 by ToolsWatch.org. The project is extremely well documented with a user guide, FAQs, tutorials, etc., all conveniently located on its wiki. Also, since there is already so much professional documentation available for this project, this post will not pay too much attention to its features and functionality, but rather on my experience with the tool and how I got it up and running.

ZAP can run on Windows, Linux and OS/X, and it can be downloaded from here. I downloaded ZAP on my Ubuntu 13 Desktop instance. Note that Java version 7 is required for both Windows and Linux. Also, ZAP comes included in several security distributions — a list can be found here.

After you have extracted the ZAP_2.3.1_Linux.tar.gz, you just need to run the zap.sh:

zap_sh_run

Soon after that, the application will auto-start. You may be prompted to generate an SSL certificate — which you will need in order to test secure applications — however, I skipped that initially since you can always come back to it.

The last step in the installation process is similar to BURP and that is to configure your browser to use ZAP as a proxy. The ZAP team has a nice guide here on how to do this for most common browsers. I set Firefox with ZAP proxy:

firefox_proxy

After completing the step above, you are done with the installation process and are ready to kick off a scan. Here is how the home page should look like.

Home_Page

The first thing I would like to call your attention to before setting up a scan is to please make sure you have explicit permission before you scan any site. It is best to deploy a dummy web application on your local machine and use that to scan and learn.

If you have questions about where to start in ZAP, the perfect place to start would be the awesome user guide that comes with the installation. It can be accessed from Help > OWASP ZAP User Guide:

User Guide

I believe everything that is found on ZAP’s online wiki can be located in this user guide, if not more. I think that is great because as you look through the home page and menu options, it can be a bit overwhelming. But you can find answers to what all of the buttons do from the user guide as well as from here and here.

Going back to the homepage, you will see the following option:

Quick Scan

This is probably the best place to start off with your first scan. Alternatively, you could visit your demo site using the browser on which you configured ZAP proxy, and as you navigate through the site, ZAP will begin to populate the structure on the left home-page panel:

SitesAfter you have the site structure similar to the above, you can take your test in several different directions — most of which can be viewed by simply right-clicking on any of the site’s pages:

Right Click Options

If you are fairly new to web application security (like I am) chances are that whichever direction you choose to take, you will have questions. Fortunately, there are YouTube videos that you can refer to here. One video in particular that you should check out is this as it can come in handy when you want ZAP to auto-authenticate to your site’s login fields.

This concludes the introduction of a feature-packed tool from a long list of tools that I plan to explore. This already looks to be the best of the bunch. Even if you just heard of web application security, and you are looking to try one, this is a must-have for you; and its free! I am really glad that I got the chance to play with this tool and now it is part of my toolkit.  I recommend that you check it out to begin rockin’ on your Web Application Security game!

Follow me on Twitter: @azeemnow 

This is Not a Sponsored Post.

Advertisements
Tagged , ,

Have Anti-Virus Software But Still Feel Vulnerable? Read How A Simple Web Filtering Software Can Help

“We may think one layer of security will protect us – for example, antivirus. Unfortunately for that approach, history has proven that, although single-focus solutions are useful in stopping specific attacks, the capabilities of advanced malware are so broad that such protections inevitably fail.” – Jerry Shenk, Layered Security: Why It Works.

Making use of layered security for personal use is of the utmost importance as I have covered a couple of times in the past: here, here, and here. Just as I have done in the past, I will use this post to share another tool that you can explore to support your personal layered security strategy.

My never-ending curiosity to explore and test new technologies can sometimes lead me to stumble upon genuinely impressive solutions. Fortunately for you, I believe this tool falls into that category.

K9 Web Protection is the software that I have been testing for some months now, and I must say, I’ve been truly pleased with its results. The software falls under the Web Filter category, which places a restriction on websites that you can visit. Web Filtering is used in two major cases. The first is to permit parents to control the sort of content accessible to their children, offering their kids a safe environment to learn and explore online. The second is for businesses who wish to prevent their employees from accessing websites that do not pertain to their jobs.

However, in addition to the above-mentioned, from my experience using this software on a daily basis, I have come across other benefits:

  • Real-time malware protection“helps identify and block illegal or undesirable content in real time, including malware-infected sites. You also benefit from the WebPulse cloud service, a growing community of more than 62 million users who provide more than six billion real-time Web content ratings per day.”
    • You can learn more about web filtering and intelligence here.
  • Automatic content ratings“New websites and web pages are created every minute, and no one person can possibly rate or categorize all of them. To ensure protection against new or previously unrated websites, Blue Coat’s patent-pending Dynamic Real-Time Rating™ (DRTR) technology automatically determines the category of an unrated web page, and allows or blocks it according to your specifications.”

Another advantage of the K9 Web Protection is that it is backed by Blue Coat (acquired by Symantec in 2016),  the leader in Web Security “with an impressive portfolio of integrated technologies serving as a trusted platform to deliver Cloud Generation Security to more than 15,000 customers worldwide.”

This solution is truly an “enterprise-class security software designed for home computers.” Also, did I mention that it’s free! “As part of the Blue Coat Community Outreach Program, K9 Web Protection is free for home use. You can also purchase a license to use K9 Web Protection for business, government, non-profit, or other use.”

I will do a quick overview of the installation and usage of the software, but you can find a well-documented quick start guide and user manual here:

Installation and Usage Overview:

installk9

  • The installation process should take a couple of minutes to complete as it is self-explanatory.
  • Upon completion, the application’s interface will open in your browser:

K9_Browser_admin_page

  • To view or modify any of the configurations, you will be prompted to enter the password you created during installation.
  • Here are some of the options and details you can access from the Setup page:

k9_block_categories.PNG

  • Web Categories to Block: choosing one of the available levels allows you to block selected categories of websites.
  • Time Restrictions: 3 options are available to block web access depending on the time of day. Unrestricted places no restrictions on web access. NightGuard blocks all web access during contiguous blocks of time every day. Custom enables you to choose days of the week and time periods to block all web access.
  • Web Site Exceptions: Allows you to create lists of websites to “always block” or “always allow.” Blocking Effects: “Bark When Blocked” plays a barking sound when a web page is blocked. Make sure the sound is enabled and not muted. Show Admin Options displays options on blocked web pages which enable administrators to view the blocked web page. Enable Time Out allows you to block all web access if too many web pages are blocked in a given period of time
  • URL Keywords: Allows you to enter keywords which, if found in a URL, cause a “block page” to display. Safe Search: “Redirect to K9 Safe Search” will redirect searches to various search engines through K9’s Safe Search. This provides a safer search experience than other search engines provide. Force Safe Search will prevent users from disabling Safe Search functionality provided by various websites.
  • Other Settings: “Update to Beta” enables you to get advance copies of new K9 Web Protection software undergoing development. Blue Coat distributes Beta versions so that K9 gets used in “real world” environments before being released as a final version. Please note that Beta versions might be incomplete and less stable than final versions. “Filter Secure Traffic” enables K9 to block secure websites (i.e. sites that use the HTTPS protocol).
  • Password/Email: Allows you to change your K9 administrator password or e-mail address.
  • K9 Update: Installs software updates if available.
  • View Activity Summary: This tab shows a summary of all “Web Activity” on your computer: To view more details, click the “Category” or “Requests” links. On these pages, you have the option of grouping the data by month or by day. To view Administrative Events details, click the “View All” link. (Some of these activities are as a result of automatic browser and toolbar updates, for example, and might display URL formats with which you are not familiar.) By selecting “Clear Logs”, all your activity data will be cleared; however, three days’ worth of administrative events will be retained.k9_activity_summary

As you can see from the above, the information provided here is extremely granular and it allows you to not only get an easy view of your browsing behavior but also the behaviors of the various system and application components. I have been using this solution in conjunction with other traditional protective mechanisms, such as anti-virus, and the benefits have been massive.

For instance, sometimes, while surfing the internet, I would see a certain URL get blocked or a visit history to a certain category in a website without a recollection of visiting that website. However, after investigations, I found that some components of a software installed on my computer or an extension in my browser is the reason behind that activity.

“The malware ecosystem has changed drastically in the past 10 years, to the point that the old precautions are just no longer enough” – Malwarebytes LABS. I have been using K9 Web Protection on many of my personal computers because I have been impressed with it, so I thought to share it here. I believe it provides that extra layer of protection that we can all appreciate in a world where cyber threats are on the rise. In addition, I believe this solution is a wonderful option for those that are less familiar with common cyber threat vectors (i.e. parents) and can easily fall for phishing emails or click on an adware as they browse the internet.

As we have known for some time, “there is no single solution for the information security problems we face today. A combination of many different kinds of security tools is required to protect you from modern threats…” and I believe K9 Web Protection is among the best tools we have today, so you should definitely equip yourself with it if you are going to create a safe web environment for yourself, your kids, your employees, and everyone around you!

 

This is Not a Sponsored Post.

 

 

Tagged , , ,

Start-up Security Guide – DIY Style

Inspired by this blog by Isaiah Sarju and this presentation given during the 2017 Denver Startup Week, I am sharing my own version: A DIY (do it yourself) Cybersecurity Guide for Startups!

This guide includes some of my favorite resources that I believe can serve as a great starting point for founders to use and build a strong security foundation for their startups.

Please make sure you check-out Isaiah’s post and the Denver presentation above; both of these are extremely thoughtful and valuable pieces!

Category Resources
Start Here Security Planner, DIY Cybersecurity, Take-Five (financial fraud focus), APWG, SSD
Multi-Factor Authentication Availability TwoFactorAuth
Password Manager Quick Guide, Password Strength Test, Identify Compromised Account
Browser Extensions Privacy Badger, HTTPS Everywhere,
Application Security OWASP, Checklist/EBooks, Secure Coding Course, DIY Hack
Sensitive Info Sharing Wire, Wire’s Audit, Signal, Signal’s Audit
System Encryption PC, MAC: Src1, Src2 Portal Media: Src1, Src2
OS Update PC, MAC
VPN Background, Comparison
Separate Work & Personal on a Budget VirtualBox, VMWare Player, Workstation Pro, MAC Fusion, Trial Virtual Machines, Live OS
The principle of Least Privilege Windows 10, Windows 7, MAC OS
Backup Everything PC, MAC
Who’s Watching Privacy Screens, Webcam Covers
Prevent Accidental Data Exchange SyncStop
Report Abuse / Take Down Request AWS, Azure, Google Cloud, Salesforce, Cloudflare
Check/Request Domain Category Google, Windows Defender, Norton, Symantec, McAfee, Palo Alto, Web of Trust
Internet Crime Complaint Center IC3
Public Security Page Security Page
Phishing Report APWG
Security Education/Awareness Stop.Think.Connect, Interactive Game, Safe Online,
Sector-based Information Sharing and Analysis Centers ISACs
Cyber Readiness Index by Country CRI

If you found this helpful please let me know by sending me your comment and feedback below!

I plan to keep this a live list so if you know of a resource that is not already listed but will benefit others, feel free to share and I will make sure to include it!

Also, as you may know, Phishing remains as the most common tactic used by attackers to compromise both companies and individuals.
“Three out of ten people will open a phishing email while one of those will proceed to click on the link, possible infecting not only their own computer but the whole firm”. – Ref.

As part of this post, I am offering a practical, hands-on training on how you can triage and respond to Phishing attacks to protect yourself, your employees and ultimately your company.

Complete the form below and let me know if you would like to learn more!

Tagged , ,

How to get a fabulous Intrusion Detection System with Full Packet capture on a shoestring budget!

Recently, I have been involved in configuring an Intrusion Detection System IDS (IDS) with full packet capture using the SecurityOnion distribution (distro) in the production environment. Previously, I had set up a SOHO IDS environment when I was learning during the first Compromise, Detect and Respond (CDR) project. But that IDS deployment was done using a different distro and it also did not have the full packet capture capabilities. So in order to better familiarize myself with SecurityOnion, I decided to do a quick post about it.

Just in case you are not familiar with SecurityOnion, you can check out their awesome page here. I am not going to try to explain much about the distro itself because my explanation will not do it enough justice. Besides, their website has a whole lot more information than I can provide. They do a great job in explaining how you can start from scratch and have a system up and running in no time. They even go over how you can customize it for your specific environment and maintain the system going forward.

I followed the installation steps here and the post-installation guide here and within an hour, give or take, I had the IDS up and running (including the time it took to download the 1.3GB ISO image over my home connection). And just like my previous labs, the whole setup here was very simple: I used my laptop’s VMware Workstation for the SecurityOnion and placed the network interface in promiscuous mode to capture traffic from the host and also from other virtual machines—and, yes, using this method results in a significant packet loss, but you get the idea.

NETWORK PROMISCUOUS MODE

Enabling and verifying promiscuous mode configuration

After finishing the IDS configuration, my Snorby screen looked like the above. You will notice that there isn’t much activity here compared to what we saw during the first CDR project. The main reason for this is that in the previous setup we had Metasploit running and we were playing around with some exploits, but this setup is pretty vanilla. But still, it’s pretty sweet to be able to get basic IDS up and running easily and quickly.

So, in order to generate some interesting IDS alerts, I set up TOR in my test environment, and as you can see, it has triggered some high severity events:
Sample Alert

Now we can select any of the above alerts to view the packet details. Here are the steps for that: Select the event that you want to analyze > Select “Packet Capture Options” on the top right-hand corner > select “Custom” and then “Fetch Packet“.

Packet Analysis

After you have completed the above steps, you will be presented with a new page: “capME!”

CapME

After logging into the new interface above, you will be able to view the assembled packet behind the event. Pretty cool, huh?!

But our IDS interface is only displaying events that have some potential malicious behavior associated with them. However, there are a whole lot of packets stored in the back end of our SecurityOnion server that we can review via the following path: /nsm/sensor_data/seconion-virtual-machine-eth0/dailylogs:

DailyLogs

You will now see logs broken up into multiple files. Depending on the volume, you may see several files for each day. In my case, there are only two files (2014-11-27 is the latest and has the most amount of data).

We can open the snot.log.xxxxxxxxx file using a number of tools, e.g. Wireshark, TCPdump, SiLK, Netwitness, etc. I opened mine using Wireshark (depending on the file size and your machine’s power, this may take some time).

TOR traffic was definitely the loudest, making up most of the logs:

Encrypted Traffic

And when we try to reassemble it, this is what we get:

TCP Stream_Encrypted

Enabling and verifying promiscuous mode configuration

But by looking at the Protocol Stats, we notice that there is a bunch of other traffic in this capture as well:

Traffic Protocol Statistics Wireshark Protocol Hierarchy ]

Now, we will do some SiLK kung-fu and see what we can pull out of this capture.
The first step is to open the snot.log.xxxxxxxxx file using Wireshark (or any similar tool) and save it as a new .pcap file. In the second step, I used SiLK’s rwp2yaf2sillk to convert our newly created .pcap file into flow format.

# rwp2yaf2silk –in=1417046408.pcap –out=1417046408.silk

Now, we will go through the basic analysis on our capture using various SiLK commands.

5 largest senders of bytes of data:largest-senders

5 TCP connection per source and destination IP:5-tcp-connections

Show all records from the capture with either a source or destination IP of TOR:specific-ip-find

TCP flows with a source IP of our VM and determines the top 5 destination ports by the number of flow records:top-5-destination-ports

Per above output, the majority of our destination ports are 443, with the second largest being port 9001 with 15 total records. Let’s see the amount of data associated with this port:unique-port

Now, as the last step, we will go back to Wireshark and see if we can find the data that is going to port 9001:TCP Port eq 9001Based on the above, it seems like the traffic generated on port 9001 (default TOR port) are simply connection synchronization attempts followed by erupt connection resets.

Anyway, this concludes my quick walk through to setting up IDS with full packet capture using the SecurityOnion distro. I also used Wireshark and SiLK to do a basic triage of the packets. Super cool!

Tagged , ,

Meltdown and Spectre

I am sure by now you have heard/read/watched about these two security vulnerabilities: Meltdown and Spectre. However, if you have not, here is a good place to start: A Simple Explanation of the Differences Between Meltdown and Spectre

In a nutshell, almost all of the major technologies are affected: Apple, Microsoft, Intel, Amazon, ARM, Google, RedHat, VMware, SUSE and more.

What you need to do:

  • Identify the affected technologies in your environment and if you have not already received advisories from those vendors, contact them for updates and guidance.
    • Start with the anti-virus (AV) vendor. The reason you need to start with them is that due to the special nature of these vulnerabilities, your anti-virus (AV) technology needs to be updated before Microsoft patches can be applied. Microsoft is pushing updates to only those systems that are running a compatible version of anti-virus.
    • You can check the status of your AV using this Google Doc thanks to @GossiTheDog https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
  • Applying these patches will impact the performance of the CPU. The level of impact varies based on your system configuration and capacity, however, there have been reports of 15-30% performance impact. For this reason, it is important that you accommodate for the performance hit before pushing updates.
    • To limit the performance impact of unplanned patching, Microsoft has added a manual step. After the patch is installed, you need to manually enable a registry key. Without updating the registry key the system remains vulnerable; Reference.
  • Microsoft has released KB4056892 patch for Windows 10. Patches for Windows 7 and 10 are expected to be released on January 9th.
  • All of the commonly used browsers are also affected. However, patches for some of these are already available and are expected to be released for others soon: Firefox, Safari, Chrome.
    • In case of Chrome version 63 (released in Decmber 2017), there is the option to enable Site Isolation feature. This feature can be enabled by entering the following in Chrome: chrome://flags/#enable-site-per-process; Reference.

In summary, here are the steps:

  1. Contact technology vendors and review their advisories
  2. Plan in advance for any performance impact
  3. Apply patches in the development environment first and test!
    • it is important to deploy patches in accordance with your AV’s recommendation. There are public reports of the system crash (BSOD) due to incompatible AV.

As of this writing, following CVE identifications have been assigned: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. These can be used to track remediation efforts.

This is a developing story and it is advised that you closely monitor communications from your technology vendors.

Additional references:

Tagged , ,

KRACK WPA2 Wi-Fi Vulnerability

A serious security vulnerability in wireless (Wi-Fi) protocol has been identified: KRACK, short for Key Reinstallation Attack. Comprehensive details on the vulnerability and proof-of-concept exploitation video can be found on vulnerability’s official website:  https://www.krackattacks.com/

Great vulnerability summary and what to do:

Monitor & Remediate: 

Assigned CVEs:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the four-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the four-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.

List of Affected Vendors:

*Nix Distributions:

Additional References:

 

Tagged , ,

Petya Response Summary

Wanted to share a quick response plan for the recent Petya ransomware breakout:

  • Apply Microsoft security updates released in March 2017 bulletin: MS17-010
  • Most Firewall and IDS/IPS vendors have released signatures for the SMB vulnerability exploit, however, if you do not have auto-updates enabled you to want to do a manual update
  • Disable the support of SMBv1 protocol. A detailed write-up here: https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/
  • Some variants of Petya have been reported to use WMIC & Microsoft PSExec to laterally move within the environment.
    • Petya scans the local /24 to discover enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files and execute them on the system hosting the share.
    • Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
    • Blocking ADMIN$ share via GPO should address lateral movement concerns
  • If you cannot block, monitor ingress/egress traffic on 455/137/138/139
  • If you use tax accounting software, MEDoc read this: http://www.bbc.co.uk/news/technology-40428967

Most of the recent ransomware campaigns are taking advantage of vulnerabilities disclosed by the Shadow Brokers in April 2017. In addition to MS17-010 (EternalBlue), all of the related vulnerabilities should be patched as soon as possible:

  • Code Name: Solution
    • “EternalBlue” : Addressed by MS17-010
    • “EmeraldThread” : Addressed by MS10-061
    • “EternalChampion” : Addressed by CVE-2017-0146 & CVE-2017-0147
    • “ErraticGopher” : Addressed prior to the release of Windows Vista 
    • “EsikmoRoll” : Addressed by MS14-068 
    • “EternalRomance” : Addressed by MS17-010 
    • “EducatedScholar” : Addressed by MS09-050 
    • “EternalSynergy” : Addressed by MS17-010 
    • “EclipsedWing” : Addressed by MS08-067

Petya campaign is still developing and it is important to monitor the developments. One of the best ways to monitor the situation is via Twitter under the following hashtags: #Petya #NotPetya #Ransomware

References:

Tagged , ,

BlackLight Forensics Software

BlackBag BlackLight

I had no idea just how tightly BlackLight would grab my attention and then keep its hold. Yet, here I am. While I’ve heard positive feedback from people in the information security community regarding BlackBag’s forensic software products, I have not had the opportunity to use one of their products on my own. Thus, I was thrilled to review BlackBag’s BlackLight product.

For those who are not familiar, BlackBag’s BlackLight is a piece of comprehensive forensics analysis software that supports all major platforms, including Windows, Android, iPhone, iPad, and Mac. In addition to analysis, it can logically acquire Android and iPhone/iPad devices. You can also run the software on both Windows and Mac OS X.

In this particular review, I used the latest version of BlackLight (2016 release 3). I decided to use it on Mac. The main reason I chose Mac was that most of the analysis that I have performed thus far has been with the traditional Windows Forensic Recovery of Evidence Device (FRED) and I figured this would be a great opportunity to try something different.

Installing BlackLight on Mac was a breeze. I simply downloaded the installation file from BlackBag’s website and entered the license key upon initial file execution. The single installation file took care of all of the dependencies needed for the software, which I was glad to see.

BlackLight Actionable Intel

BlackLight Actionable Intel

Here were the configurations for my Mac: MacBook Pro running Sierra OS version 10.12.2. The hardware included Intel Core i7 with 2.5 GHz with 16GB memory and a standard hard disk drive.

With the review, I wanted to make a use-case in which I would perform basic processing and analysis of a traditional disk image using BlackLight running on Mac. Without any real experience with BlackLight, I focused on usability and intuitiveness.

Processing

For this review, used a 15GB physical image of Windows XP SP3 E01 Disk. I processed this image through BlackLight with all of the ingestion options available in the software and to my surprise, it took under 10 minutes to complete.

What was even more impressive was that it had a very little performance impact on my system. In fact, as the image was being processed in the background, I continued to perform normal operations such as browsing the web and using Open Office software with no problem. Continue reading at forensicfocus.com by clicking here!

Tagged , ,

Advanced Forensic Toolkit (FTK) Course Review

For a few years, I had been using Access Data’s FTK (Forensic Toolkit) software without any formal training. I had managed to work my way through the fundamentals on my own, but I always sensed that there was much on which I was missing out.

emailvisualization

FTK  Email Analysis Visualization

It was only after I recently attended the Advance FTK class offered by AccessData (Syntricate) that I realized the enormity of what had been right under my nose the whole time.

You can read my complete review of this course at Forensic Focus or by clicking here.

Tagged ,

Burp and Samurai-Web Testing Framework

The other day I came across a social media post that was about utilizing Burp Suite to identify vulnerabilities in web applications. I had heard of Burp before but never really had the chance to play around with it – until now.

Just like a lot of other security tools, Burp has a community version along with its commercial product. I decided to download the free edition from here in my home lab.  The installation process is straightforward and in no time you have Burp up and running. Here is how the initial interface looks like:

Burp

Right when I finished my installation of  Burp, I realized that I did not have a web application running in my lab that I could use to test Burp against. Bummer! Now I had to decide between setting up a web server myself or finding a commercial distribution that came pre-built with one. This was a no-brainer – and within minutes I found a few distributions that were designed for testing and learning web application security; such as SamuraiWTF, WebGoat and Kali Web Application Metapackages. I decided to go with SamuraiWTF.

SamuraiWTF gives you the option to run from a live disk or install it in a VM. I decided to install the VM. Here is a good guide to the installation process. I give my VM instance 4GB RAM and 3 cores; more than enough horsepower.

This distribution comes pre-installed with Mutillidae, which is a “free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts”. This was perfect for what I was looking for. Setting up the Mutillidae in pretty simple – all I had to do was change my network configurations to NAT and that was it. However, if you need more information on configuration here are some great video guides on Mutillidae; in fact, I used some of these myself while configuring Burp to work with Mutilliade.

After finishing all of the above prep work, I was ready to run Burp!

For those who are not familiar with Burp, it’s an interception proxy which sits between your browser and the web server and by doing so it is able to intercept requests/responses and provides you the ability to manipulate the content. To do so you have to configure Burp as your proxy. On your VM, this would be your localhost (Proxy Tab > Options):

Proxy

Likewise, you would have to configure your browser to that same proxy. Here is my proxy configuration on Firefox:

Firefox Proxy Configuration

Now as you navigate through your Mutilliadae webpage, all your requests should go through Burp. One thing you have to do is turn on the Intercept option in Burp. It’s under Proxy > Intercept.

What this allows you to do is see the request as its made but gives you the control to either forward it to the web server or simply drop the request (like a typical MiTM). For example, on the login page of Mutilliade i used admin name and admin123 password. And as soon as I hit “Login” I saw the request being made from my browser to the web server in Burp:

Burp Intercept

In the screenshot above, you can see the two options: Forward and Drop. If you hit forward, the web server will receive this request from your browser and will respond as it would normally. In this case, the account I used to log in did not exist:

Web Server Respose

Burp has the capability to also capture the responses. It is an option that you can turn on by going to Proxy > Options and towards the middle of the page you will see “Intercept Server Responses”. By turning this on you will be able to see and control both sides of the requests:

Request and Response

If you look at Target > Site Map; on the left pane you will see a list of all the sites that you have visited with the Burp proxy on:

History Map

One advantage of the above feature is that it allows you to go back and revisit requests and responses. The sites that are in grey color are those that are available on the target web page but you have not visited them.

Another neat feature is that if you do not want to visit each page individually you can run the “Spider” feature which will map the whole target page for you.

Spider

If you go under Spider > Control you are able to see the status of the Spider as it runs:

Spider Status

When you intercept request or response, you have the ability to send that to other features of Burp. You are able to view these additional options by right-clicking on the intercept:

Intercept Additional Options

Towards the bottom of the official Burp Suite guide page here you can see a brief description of most of the options shown in the screenshot above. The one I found really neat is the “Repeater” option which allows you to modify and re-transmit requests repeatedly without having the need to perform new intercepts each time.

This concludes my brief journey of getting started with Burp using SamuraiWTF. There is a whole lot more than I had the chance to explore but here is a great reference for advanced topics.

Below  is a quick blurb on some of Burps features:

Spider: crawls the target and saves the numerous web pages that are on the target.

Intruder: automated attack feature which tries to automagically determine which parameters can be targeted i.e. fuzzing.

Fuzzing options: Sniper (fuzz each position one-by-one), Battering Ram (all positions on the target receive one payload), Pitchfork (each target position is fuzzed in parallel) Cluster Bomb (repeats through payloads for multiple positions at once).

Proxy: used to capture requests & responses to either just monitor or manipulate and replay.

Scope: controls what (pages, sites) is in/out of the test “scope”.

Repeater: manually resubmit requests/responses; allows modification.

Sequencer: used to detect predictability of session tokens using various built-in tests i.e. FIPS 140-2.

Decoder: allows encoding/decoding of the target data i.e. BASE64, Hex, Gzip, ASCII, etc.

Comparer: allows side-by-side analysis between two requests/responses.

Cheers!

Tagged , ,
Advertisements
Advertisements