Archive for the ‘w3af’ Category

Vulnerando Sistemas con Herramientas Open Source

January 28th, 2011

El año pasado tuve el agrado de estar en las “VI Jornadas de Software Libre” en Junín, provincia de Buenos Aires. Para esta conferencia preparé una charla interesante y divertida sobre como “Vulnerar Sistemas con Herramientas Open Source“. Gracias a los organizadores de la conferencia, tenemos el video disponible aquí mismo, enjoy!

andres.riancho bonsai, conferences, open source, security, w3af , , , , , , ,

Ekoparty Security Conference 2010

September 23rd, 2010

Last week, the most important security conference of latin america was held in Buenos Aires where security specialists from all over the world had the chance to get involved with state-of-art techniques, vulnerabilities and tools in a relaxed environment. The sixth edition of ekoparty brought together over 850 security specialists from around the world in the most deep-knowledge technical conference of the region.

Among the lectures, Bonsai Information Security presented “Web Application Security Payloads”. This research led by Andres Riancho and Lucas Apa, exploits a new concept in a theorical and practical environment. Part of this research explores how to distinguish the system calls involved in a web application vulnerability and then leverage it’s power to get sensitive information in an automated way.

Lucas Apa & Andrés Riancho

ekoparty 2010 – Web Application Security Payloads

The “Web Application Security Payloads” implementation was developed as a part of the w3af framework, an Open Source Web application attack and audit framework developed by contributors around the world since 2007 and directed by Andrés Riancho.

Between some other long waited talks, Juliano Rizzo & Thai Duong presented “Padding Oracles Everywhere” where they easely exposed a 0day advanced technique to decrypt and tamper ASP.NET sensitive data.

lucas.apa bonsai, conferences, ekoparty, open source, security, w3af

w3af wins “Segurinfo 2009″ award

March 20th, 2010

premio-segurinfo-2009In the context of the 7th International Congress of Information Security, Andrés Riancho was awarded with the Segurinfo award for his efforts in the development of w3af, and Open Source tool for identifying Web application vulnerabilities. We would like to congratulate him and the rest of the project contributors for this well deserved award!

En el contexto del séptimo Congreso Internacional de Seguridad de la Información, Andrés Riancho recibió el premio Segurinfo 2009 por sus esfuerzos en el desarrollo del software de detección de vulnerabilidades Web Open Source, w3af. Queremos felicitarlo y al resto de los desarrolladores del proyecto por un muy merecido premio.

admin conferences, security, w3af , , , , ,

Second w3af training @ New York

October 13th, 2009

Bonsai and NopSec have partnered to deliver the second w3af ninja training course in New York City.

The w3af ninja training course is focused on manual and automated discovery and exploitation of web application vulnerabilities using w3af. During this course you’ll also learn how to write your own exploits and customized plugins in order to achieve your goals during a web application penetration test.

This course is an intense hands-on class in which you won’t stop learning for a minute. In each practice we’ll focus on a particular type of web application vulnerability which will be analyzed and understood manually and then it’s detection and exploitation is automated using w3af.

All around the training interesting plugin code snippets will be subject to analysis and modification, which will give you great understanding of the framework and will also give you the means to automate your future web application penetration tests.

Important information

This is a great opportunity to master the w3af framework, don’t miss it!

andres.riancho bonsai, security, w3af , , , ,

Cross Site Scripting Payloads

October 13th, 2009

Most of us are tired from the usual Cross Site Scripting vulnerabilities that get reported every day in full-disclosure, so when one of our researchers found a XSS in an Open Source project, we hesitated to publish it. After some thinking, we started to realize that maybe it would be interesting to the general public to see a customized XSS payload that would exploit the Web application, which suddenly made our newly discovered XSS vulnerability much more fun.

The vulnerability that we’re going to be exploiting is a persistent cross site scripting in Achievo . For those that do not know, Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities will enable organizations to support their business processes in a simple, but effective manner. This vulnerability was found a while ago by our research team, and has been fixed in version 1.4.0.

The vulnerability is a really basic persistent XSS, where we can write virtually anything in the title of a scheduled meeting. As the meetings from a user can be seen by other users, and most interestingly administrators, the XSS can be exploited to elevate privileges in the application.

With the objective of writing the XSS payload, I developed a JavaScript export feature, that allows w3af users to export any HTTP request to JavaScript, that will reproduce the same request when a user loads the script in a browser.

w3af's JavaScript Export

Using the newly created feature, we were able to easily create a JavaScript payload, that when accessed by an Achievo administrator will perform the following tasks:

  • Create a new application profile
  • Apply administrator privileges to the profile
  • Assign the newly created profile to a common user

You can find the customized XSS payload by clicking here. In order to exploit this vulnerability, a user would need to change the first four variables in the script, upload the script to a publicly accessible web server, and then point the Cross Site Scripting to that resource. After some time, and if an Achievo administrator browses through the schedule, the configured user will elevate their privileges to administrator.

In this case it was impossible (because of the application not having that particular feature) to actually upload new files to the web server, but in many other Web applications, it would have been completely possible to create a XSS payload that would use the administrator privileges to upload a specially crafted file to the web server, which would then provide operating system access to the intruder.

With the creation of tools like w3af’s JavaScript export feature, and the huge amount of XSS vulnerabilities found every day, we think that the time for customized XSS payloads written in minutes instead of hours, has arrived!

andres.riancho security, w3af , , , ,