NOWASP Mutillidae 2.3.x
An open-source web pen-testing environment for security training, practice, instruction, and you
Jeremy Druin, Information Security Specialist, GSEC, GPEN, GWAPT
Twitter: @webpwnized

Agenda
- What is NOWASP Mutillidae?
- Where is NOWASP Mutillidae used?
- Where can I get NOWASP Mutillidae?
- How do I install NOWASP Mutillidae?
- How do I set NOWASP Mutillidae up?
- How do I use NOWASP Mutillidae?
- Demonstration
- Publications
- Where do I receive updates on videos and new releases?

What is NOWASP Mutillidae?
- Actually Vulnerable (the user is not asked to enter a “magic” statement)
- Free
- Deliberately Vulnerable Web Application
- Open Source
- Did I say free?

Vulnerabilities
It turns out it is scary easy to write horrible code…
- SQL Injection
- Cross site scripting
- O/S Command injection
- JSON injection
- HTML injection
- JavaScript Injection
- DOM injection
- Cascading style sheet injection
- Log injection
- Reflected Cross Site Scripting via GET, POST, Cookies, and HTTP Headers
- Stored Cross Site Scripting
- Cross Site Request Forgery
- Authentication Bypass via SQL injection
- Privilege Escalation via Cookie Injection
- Unencrypted database credentials
- Directory Browsing
- JavaScript validation bypass
- Application Exception
- Un-validated Redirects and Forwards
- Phishing
- Click-jacking
- CBC bit flipping (latest)
- Brute force “secret admin pages”
- PHP server configuration disclosure
- Application path disclosure
- Platform path disclosure
- Information disclosure via HTML comments
- robots.txt information disclosure
- Parameter addition
- HTTP Parameter Pollution
- Buffer overflow
- Denial of Service
- Loading of any arbitrary file
- Method Tampering
- Forms caching
* Documentation of vulnerabilities on Sourceforge

Features: Two Levels of Hints
- Hints are provided in “Hint Level 1” and “Hint Level 2”
- Automatically disabled in “Security Level 5” (unless you hack it)

Features: Two Levels of Hints
“Hint Level 2” contains tutorial-style hints for the most popular topics
Level 2 Hints

Features: 3 Security Levels
By default, the system does not apply security controls.
Security Level 0: SQL Injection attempted on login page

Features: 3 Security Levels
In Security Level 1, JavaScript validation is applied and the “Show Hints” button is removed from the menu bar.
Note: Hints can be re-enabled by exploiting a vulnerability
Security Level 1: SQL Injection attempted on login page

Features: 3 Security Levels
In Security Level 5, the system executes a different set of PHP scripts that attempt to protect the site.
Security Level 5: SQL Injection attempted on login page
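The three security levels differ in where the login check lives, which is what the three login-page screenshots are meant to show. The following Python model is an added example, not Mutillidae's own PHP code: it assumes a single accounts table with username and password columns (constructed sample rows, clear-text passwords only to keep the model short) and uses SQLite in place of MySQL. Level 0 concatenates the request fields into the query, Level 1 adds only a browser-side check in front of that same query, and Level 5 binds the fields as parameters so they can never change the query's structure. The level numbers and their behaviour come from the slides; the function names are this example's own.

```python
import sqlite3

# Constructed sample accounts standing in for Mutillidae's accounts table.
# Assumption: one table with username/password columns. Passwords are kept in
# clear text only to keep the model short; that is not a recommended design.
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass"),
    ("jeremy", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_level0(conn, username, password):
    """Security Level 0: no controls; the request fields are pasted into the SQL.

    Returns the matched username, or None when the WHERE clause matches no row.
    """
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def browser_validation_rejects(value):
    """Model of the Level 1 JavaScript check: refuse a quote character in a field.

    This check runs in the browser, so it applies only to requests the browser
    itself submits; a request sent from outside the page never reaches it.
    """
    return "'" in value


def login_level1(conn, username, password, sent_by_browser=True):
    """Security Level 1: client-side validation added, server-side query unchanged."""
    if sent_by_browser and (browser_validation_rejects(username)
                            or browser_validation_rejects(password)):
        return None  # the browser refuses to submit the form
    return login_level0(conn, username, password)


def login_level5(conn, username, password):
    """Security Level 5: a parameterized query; field values are bound as data."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare_levels(conn, username, password, sent_by_browser=True):
    """Run the same credentials through all three levels and report each outcome."""
    return {
        0: login_level0(conn, username, password),
        1: login_level1(conn, username, password, sent_by_browser),
        5: login_level5(conn, username, password),
    }


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials succeed at every level.
    print(compare_levels(db, "jeremy", "hunter2"))
    # The textbook tautology in the password field: Level 0 logs in as the first
    # account, Level 1 blocks it only while the browser enforces the check, and
    # Level 5 rejects it because the value is compared as a literal string.
    print(compare_levels(db, "nobody", "' OR '1'='1"))
    print(compare_levels(db, "nobody", "' OR '1'='1", sent_by_browser=False))
```

The point worth taking from the model is the Level 1 column: the slide's “JavaScript validation bypass” entry exists because the check is on the client, so any request that does not originate from the page's own form reaches a query that is still the Level 0 query. Only the Level 5 query treats the field as data regardless of who sends the request.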

Features: Self-adjusting “Bubble” Hints
“Bubble” Hints pop up when the cursor hovers over some vulnerable areas.
Hint Level 0: “username” field on View Details page

Features: Self-adjusting “Bubble” Hints
“Bubble” Hints automatically change with Hint Level
Hint Level 1: “username” field on View Details page

Features: Self-adjusting “Bubble” Hints
“Bubble” Hints automatically change with Hint Level
Hint Level 2: “username” field on View Details page

Features: Enforce SSL
“Enforce SSL” feature added to allow practicing SSL attacks such as the use of SSLStrip
Note: SSL encryption itself is provided by the Apache server

Features: Capture Data
A data capture page is provided
Hint: In CTF, get Admins to visit

Features: Captured Data
Captured data is stored to the database and a local file
Previously captured record

Features: Automated Database Setup / Error Detection
System will automatically create database, tables, views, and procedures plus supply “startup” data (i.e. accounts, cc table, etc.)
Truncated screenshot of automated database set up after clicking “Setup DB” button

Features: Automated Recovery
Clicking “Reset DB” will restore the system and re-populate database tables
Pull the rip cord and start over

Use Cases
- Practice Web Pen-Testing
  - Pages specifically designed to practice SANS SEC-542 exercises
  - W3AF, sqlmap, Grendel Scan, Cenzic Hailstorm, Rat Proxy, Beef, many more tools…
  - … and most important: manual testing
- Corporate Internal/External Training
  - SANS SEC-542 (Instructor: Tim “LanMaster53” Tomes)
  - Some big companies
- University Labs/Instruction
- Evaluate Web Application Vulnerability Scanners
  - “Our scanner is obviously the best. Just look how expensive it is!”
  - “Perhaps. Let’s measure…”
- Web App Sec Demonstrations
  - OWASP, ISSA, etc.
- Capture the Flag
  - Lolz

Where can I get NOWASP Mutillidae?
Download: Sourceforge
http://sourceforge.net/projects/mutillidae/files/
Preinstalled:
- SamuraiWTF 2.0 http://samurai.inguardians.com/
- Metasploitable-2 https://community.rapid7.com/docs/DOC-1875
- OWASP Broken Web Apps (BWA) https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

How do I install NOWASP Mutillidae?
Easy to install on Linux or Windows
Can be virtualized on VirtualBox and VMware
Linux: LAMP, Samurai WTF
- How to upgrade to latest Mutillidae on Samurai WTF 2 http://www.youtube.com/watch?v=obOLDQ-66oQ
- How to install latest Mutillidae on Samurai WTF 2 http://www.youtube.com/watch?v=y-Cz3YRNc9U
Windows: XAMPP, WAMP
- Quick start guide to installing Mutillidae on Windows http://www.youtube.com/watch?v=1hF0Q6ihvjc

How do I set NOWASP Mutillidae up?
Set up the database via “Reset DB”.
Note: Some systems require changing a line in php.ini (instructions provided)

How do I use NOWASP Mutillidae?
Instructional Videos: webpwnized YouTube channel http://www.youtube.com/user/webpwnized
Currently approximately 50 videos related to web pen testing, ~85 videos overall

How do I use NOWASP Mutillidae?
The menu orders vulnerabilities by OWASP 2010 category, then by type

How do I use NOWASP Mutillidae?
Besides “Hints” and “Bubble Hints” there is a file with 1,000+ lines of pre-tested hacks against various pages
File: <installation directory>/mutillidae/documentation/mutillidae-test-scripts.txt

Where do I receive updates on instructional videos and new releases?
- New instructional video postings (YouTube)
- New releases of NOWASP Mutillidae
Twitter: @webpwnized
URL: http://en.twitter.com/webpwnized

References
- Vulnerability Documentation Download http://iweb.dl.sourceforge.net/project/mutillidae/documentation/listing-of-vulnerabilities-in-mutillidae.txt
- Download http://sourceforge.net/projects/mutillidae/files/
- Preinstalled: SamuraiWTF 2.0 http://samurai.inguardians.com/
- Preinstalled: Metasploitable-2 https://community.rapid7.com/docs/DOC-1875
- Preinstalled: OWASP Broken Web Apps (BWA) https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
- How to upgrade to latest Mutillidae on Samurai WTF 2 http://www.youtube.com/watch?v=obOLDQ-66oQ
- How to install latest Mutillidae on Samurai WTF 2 http://www.youtube.com/watch?v=y-Cz3YRNc9U
- Quick start guide to installing Mutillidae on Windows http://www.youtube.com/watch?v=1hF0Q6ihvjc
- Instructional Videos: YouTube webpwnized channel http://www.youtube.com/user/webpwnized
- New releases of NOWASP Mutillidae: Twitter @webpwnized, URL http://en.twitter.com/webpwnized