Archive for May, 2009

CONFidence and OWASP – Poland

May 25th, 2009

CONFidence and OWASP Europe were great. The venue was amazing (it was my first time in Poland) and both conferences were perfectly organized. I would like to thank Andrzej Targosz, the CONFidence organizer, for all his help and support during both conferences; without his help, none of this would have happened.

This trip was completely different from my previous ones, because (among other things) I slept in a hostel in the same room with six guys from Slovakia, one from Singapore and one from Austria, and ran the Capture the Flag for both conferences together with Jaroslaw Sajko.

In my previous posts I listed the talks that I was interested in, so now I’m going to use that as a base to talk about the conferences. Here are my thoughts about CONFidence:

  • Social engineering for penetration testers, by Sharon Conheady. It was one of the most interesting talks I’ve attended in both conferences. She works as a social engineer, and her talk was interesting from the beginning to the end (hmm, maybe she social engineered me into blogging this?).
  • Public transport SMS ticket hacking, by Pavol Luptak. At first I was expecting something related to hardware hacking, but Pavol (one of the six Slovaks from the hostel) showed us a way to cheat the SMS ticketing system using some easy software-based tricks. Good job!
  • VAASeline: VNC Attack Automation Suite, by Rich Smith. Some friends attended this talk and told me it was really good, but I had to be at the CTF booth because some bugs were found in one of the levels.

About OWASP Europe:

  • The Truth about Web Application Firewalls: What the vendors do not want you to know, by Wendel Guglielmetti Henrique, Trustwave & Sandro Gauci, EnableSecurity. This was by far the best talk at OWASP; I was really interested in this subject, and the speakers gave a great presentation. Sandro and Wendel showed the audience different ways to bypass WAFs, and performed a demo of some tools that they have been working on.
  • Advanced SQL injection exploitation to operating system full control, by Bernardo Damele, the creator of sqlmap. Bernardo’s presentation was both detailed and technical; he showed the audience how to gain OS access from SQL injections in different DBMSs. Note to self: update the sqlmap version that runs in w3af.
  • When Security Isn’t Free: The Myth of Open Source Security, by Rob Rachwald, Fortify. Failed to attend; this time, I think I was talking with Sandro and Wendel about wafw00f ;)
  • Exploiting Web 2.0 – Next Generation Vulnerabilities, by Shreeraj Shah, Blueinfy. Failed to attend (one more time).
  • I thought you were my friend: Evil Markup, browser issues and other obscurities, by Mario Heiderich, Business-IN. His presentation was awesome; he showed the audience a lot of little tricks that can be used to bypass different types of filters and execute JavaScript in the victim’s browser.

The talks were amazing, but as I always say… the real value of these conferences is not in the talks, it is in the people you meet there.

andres.riancho conferences, security, w3af

moth – A VMware image with vulnerable web applications

May 7th, 2009

Moth is a VMware image with a set of vulnerable web applications and scripts that you may use for:

  • Testing Web Application Security Scanners
  • Testing Static Code Analysis tools (SCA)
  • Giving an introductory course to Web Application Security

The motivation for creating this tool came after reading “anantasec-report.pdf”, which is included in the release file that you are free to download. The main objective of this tool is to give the community a ready-to-use testbed for web application security tools. For almost every web application vulnerability in existence, there is a test script available in moth.

Other tools like this are available, but they lack one very important feature: a list of the vulnerabilities included in the web applications! In our case, we used the results gathered in the anantasec report to solve this issue without any extra work.
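The reason a known-vulnerability list matters is that it turns a scanner run into a measurable result: with ground truth you can say which issues a tool found, which it missed and which it invented. The script below is an added example (not part of moth or its release, and not derived from the anantasec report): the ground-truth entries and the scanner output are constructed inline, and the paths, parameters and vulnerability names are invented, as is the alias table that maps a tool’s own naming onto the testbed’s classes.

```python
"""Score a web application scanner against a testbed's known-vulnerability list.

Added example with constructed data. KNOWN_VULNS stands in for the kind of
list the post describes; SCANNER_REPORT stands in for a tool's output.
"""
from collections import namedtuple
from urllib.parse import urlsplit

# One entry per vulnerable injection point: script path, parameter, class.
Finding = namedtuple("Finding", "path param vuln")

# Constructed ground truth (hypothetical paths and parameters).
KNOWN_VULNS = [
    Finding("/app/login.php", "user", "sqli"),
    Finding("/app/search.php", "q", "xss"),
    Finding("/app/view.php", "file", "lfi"),
    Finding("/app/redirect.php", "url", "open_redirect"),
]

# Constructed scanner output: absolute URLs, the tool's own vulnerability
# names, and inconsistent parameter casing, as real reports tend to have.
SCANNER_REPORT = [
    {"url": "http://moth/app/login.php?user=a", "param": "user", "type": "SQL Injection"},
    {"url": "http://moth/app/search.php?q=x", "param": "q", "type": "Cross Site Scripting"},
    {"url": "http://moth/app/search.php?q=x", "param": "q", "type": "SQL Injection"},  # false positive
    {"url": "http://moth/app/redirect.php?url=x", "param": "URL", "type": "Open Redirect"},
]

# Hypothetical mapping from a tool's vulnerability names to testbed classes.
VULN_ALIASES = {
    "sql injection": "sqli",
    "cross site scripting": "xss",
    "local file inclusion": "lfi",
    "open redirect": "open_redirect",
}


def normalize(entry):
    """Reduce a scanner finding to (path, param, class) so it can be compared
    with ground truth regardless of host, query string, casing or naming."""
    path = urlsplit(entry["url"]).path
    param = entry["param"].lower()
    vuln_name = entry["type"].lower()
    vuln = VULN_ALIASES.get(vuln_name, vuln_name)
    return Finding(path, param, vuln)


def score(known, report):
    """Return true positives, false positives, false negatives, recall and
    precision for one scanner run against the testbed's known list."""
    truth = set(known)
    found = {normalize(e) for e in report}
    tp = truth & found
    fp = found - truth   # reported but not in the testbed list
    fn = truth - found   # in the testbed list but not reported
    return {
        "tp": sorted(tp),
        "fp": sorted(fp),
        "fn": sorted(fn),
        "recall": len(tp) / len(truth) if truth else 0.0,
        "precision": len(tp) / len(found) if found else 0.0,
    }


if __name__ == "__main__":
    result = score(KNOWN_VULNS, SCANNER_REPORT)
    print(f"recall={result['recall']:.2f} precision={result['precision']:.2f}")
    for f in result["fn"]:
        print("missed:", f)
    for f in result["fp"]:
        print("false positive:", f)
```

Matching on the normalized triple rather than on raw URLs is the part that makes the comparison fair: two tools that report the same injection point with different vulnerability names or a different host should score the same, and the alias table is where a tool’s vocabulary is reconciled with the testbed’s.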

There are three different ways to access the web applications and vulnerable scripts:

  • Directly
  • Through mod_security
  • Through PHP-IDS (only if the web application is written in PHP)

Both mod_security and PHP-IDS run with their default configurations and show a log of the offending request when one is found. This is very useful for testing web application scanners and for teaching students how web application firewalls work. The beauty is that a user may access the same vulnerable script using any of the three methods, which helps a lot in the learning process.

Click here to download moth from sourceforge.

andres.riancho open source

w3af ninja training @ New York

May 5th, 2009

Bonsai and NopSec have partnered to deliver a w3af ninja training course in New York City.

The w3af ninja training course is focused on manual and automated discovery and exploitation of web application vulnerabilities using w3af. During this course you’ll also learn how to write your own exploits and customized plugins in order to achieve your goals during a web application penetration test.

This course is an intense hands-on class in which you won’t stop learning for a minute. In each practice we’ll focus on a particular type of web application vulnerability, which will be analyzed and understood manually; then its detection and exploitation are automated using w3af.

Throughout the training, interesting plugin code snippets will be analyzed and modified, which will give you a solid understanding of the framework and the means to automate your future web application penetration tests.

Important information

This is a great opportunity to master the w3af framework, don’t miss it!

andres.riancho bonsai, security, w3af