Archive for June, 2009

Web Application Security Training in Buenos Aires

June 5th, 2009

Bonsai’s information security trainings are usually delivered in-company, but after receiving numerous requests we organized our first open training where employees from different organizations can attend.

The training course is going to be delivered in four classes of three and a half hours, from 18:30 to 22:00 on Tuesdays; starting July the 14th, and is going to be delivered by Andrés Riancho.

More information about the Web Application Security Training in Buenos Aires can be found here.

andres.riancho bonsai, security, w3af , , , , , ,

Exploiting HTTP Content Negotiation

June 4th, 2009

A couple of days ago I sent an email to the w3af-users mailing list about a nice little trick that can be used to get a partial directory listing using mod_negotiation’s HTTP content negotiation feature. After half an hour or coding, and some minutes of testing, I had a new discovery plugin for w3af that could exploit this feature.

Before going into detail about this technique I have to say that by no means I have the credit for discovering it, Stefano Di Paola pointed me that he blogged about it in 2007; and I found out about it reading the report of a commercial Web Application Scanner which was handed to me by a client. It seems that this is one of those not-so-known vulnerabilities that resurface from time to time.

The idea about this post is to make this vulnerability widely known and show that there is an automated way of exploiting it with w3af. This can be really helpful when performing the information gathering phase of a Web Application Penetration Test in order to find new resources like backup files (, old versions of scripts with extensions that won’t be interpreted by Apache (users.php.old), etc.

Enough with the introduction, here is the trick:

GET /backup HTTP/1.0
Accept: foobar/xyz
User-Agent: w3af
Connection: Close

HTTP/1.1 406 Not Acceptable
content-length: 770
vary: negotiate,accept
server: Apache/2.2.8 (Ubuntu)
tcn: list
connection: close
date: Thu, 04 Jun 2009 13:37:35 GMT
content-type: text/html; charset=iso-8859-1
   {"backup.php.bak" 1 {type application/x-trash} {length 0}},
   {"backup.php.old" 1 {type application/x-trash} {length 0}},
   {"backup.tgz" 1 {type application/x-gzip} {length 0}},
   {"" 1 {type application/zip} {length 0}}

What is basically happening here is that we are sending a specially crafted request to the “/backup” resource, with an invalid “Accept” header. Apache receives this request, which is then forwarded to mod_negotiation. This module lists the contents of the “/” directory, and creates a list with the alternates for the backup resource thats then returned in the alternates header.

The only problem with this technique is that it will only include a file as an alternate if the file has a known extension. Known extensions in Apache are defined (at least in Ubuntu) by /etc/mime.types and by the AddType directives in Apache’s config file. To understand why this is a problem, here is the directory listing for the webroot of the test environment:

[email protected]:/var/www$ ls backup*
backup.php~  backup.php.bak  backup.php.lala
backup.php.old  backup.tgz

You should notice that the backup.php~ and backup.php.lala weren’t included in the alternates response header.

There is a very detailed post from Matt Tesauro describing this technique, which was written based on his tests performed with mod_negotiation and mod_spelling that is also worth reading.


The objective of this exploit is to gather information about new and unknown resources in a very performant way. When mod_negotiation is disabled, and no directory listing is available, the only way to get a full list of the files inside a directory is by bruteforcing them. Bruteforce attacks can take a lot of time, and are mostly useless if performed blindly.

Using this technique, I created a new discovery plugin called “content_negotiation” that will perform these steps:

  1. Identify if mod_negotiation is enabled
  2. For every file found by the discovery.webSpider plugin, list alternate resources.
  3. For every directory found by the discovery.webSpider plugin, perform a small bruteforce with common file names.
w3af>>> plugins
w3af/plugins>>> discovery content_negotiation, webSpider
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target


w3af/config:target>>> back
w3af>>> start
HTTP Content negotiation is enabled in the remote web server.
This could be used to bruteforce file names and find new
resources. This information was found in the request with id 27.
New URL found by webSpider plugin:


New URL found by content_negotiation plugin:


New URL found by content_negotiation plugin:


New URL found by content_negotiation plugin:


The plugin is publically available in the SVN version of w3af , test it with your web server, and comment on this blog post or in the w3af-users mailing list about your experiences with it. If you have ideas on how to improve the plugin, or different ways of exploiting this mod_negotiation feature I would love to hear about them!

I’m sure that attendees in our Web Application Security Training course will love to play with this new w3af plugin :)

andres.riancho open source, security, w3af , , ,

CONFidence and OWASP CtF

June 3rd, 2009

For the 2009 edition of CONFidence and OWASP Europe, Bonsai helped with the development and organization of the Capture the Flag event. This post is a general description of the capture the flag, and a “statistical analysis” of the results.

The game

The CtF levels were divided into three different categories: Web, Networking and Forensics. Each category had 5 levels with increasing difficulty that awarded the player with 300 to 750 points. One of the features of this CtF was that players were able to play any level at any time, if players got stuck with the second level of the Web challenge but had a good idea about how to solve the fifth level of the same category, they were able to do it.

In order to be awarded with the points, players had to solve each level to get the magic_token: a twelve character long password that proves they solved the level. Magic tokens had then to be entered in the CtF scoring system together with the player’s username and password created at sign up.

The access to the CtF was open during the whole conference time, giving the players the opportunity to play at any time and place (WiFi access was provided also). In most cases CtF players created teams and solved the different levels together to have more chances to win the prices. In most cases you would think that creating a big team increases your chances of winning, which was true for OWASP conference where first and second place were awarded to teams of more than five players; but in CONFidence a team of two managed to win the CtF!


The servers

To be able to run the CtF game, Andrzej Targosz provided us with two different servers:

  1. CtF scoring system: A simple Pentium IV box with 512MB of RAM, where we installed a stable Debian.
  2. CtF vmware server: A much more robust server, with 3GB of RAM and two dual 2.4Ghz core processors, where we installed a stable Debian with VMware server to be able to run all the different levels that gave the user some kind of interaction with the operating system.

The VMware server was needed in order to host the different levels. In some levels the players had to get remote command execution and we wanted to be totally sure that there was no way to read the source code of other levels or gain any other advantage by getting root in the servers.

At the end we had a total of seven virtual machines running smoothly in the VMware server. The levels that required a virtual machine were Web 2, 3, 4, 5 and Networking (1,2,3), 4 and 5.

The results

For each conference we had three winners. The material prices aren’t important, what these guys care about are the bragging rights, so here are the names of the winning teams at the OWASP conference:

  1. defrag_brains (6150)
  2. tripkaci (4900)
  3. FluxReiners (4200)

And the winners from CONFidence conference:

  1. the0wners (6000)
  2. yellowfrogs (5700)
  3. korzen (5284)

The following statistics were created from the joint results of both CtF games:

Easiest levels

Easiest levels

Hardest levels
Harder Levels

Stay tuned, more information about the different levels, including the source code is going to be posted here!

The conclusion

The whole experience of organizing the CtF was excellent. I learned a lot of nice technical tricks from the players, who interacted with me at all times ( I think they were trying to social engineer me to give them tips) and I made a couple of new friends.

I would like to thank Jaroslaw Sajko, the co-organizer of the CtF for all his hard work on the servers.

andres.riancho conferences , , , , ,