– Specialize in Web Application Defense/WAF Research
  • WebDefend (Commercial)
  • ModSecurity (Open Source)
• OWASP
  – Lead the ModSecurity Core Rule Set (CRS) Project
  – Contributor for AppSensor Project
• Author
  – The Web Application Defender's Cookbook (Wiley, Dec. 2012)
• Automation to identify injection points
  – NetSparker
  – Arachni
  – Sqlmap
  – Havij
• Manual testing in a web browser to develop working SQLi payloads
  – An iterative process of trial and error
    1. Send initial payloads and observe DB responses
    2. Use obfuscation tactics (comments, encodings, etc.)
    3. Send payload and observe DB response
    4. Repeat steps 2-3
The Browser Exploitation Framework
• Penetration testing tool that focuses on the web browser
• Mainly used to demonstrate how internal web clients can become compromised
• Written in Ruby
• Lead Developer is Michele Orru (Trustwave SpiderLabs)
  – Exploiting Internal Network Vulns via the Browser using BeEF Bind
  – Thursday October 25, 2012, 3:00pm - 3:45pm
  – NTObjectives Room - Texas Ballroom II
http://beefproject.com/
the tell-tale signs of the BeEF hook in the config.yaml file
  – From - hook_file: "/hook.js"
  – To - hook_file: "/img-min.js"
• Modify the UI Text
  – From - "Online Browsers"
  – To - "Online Attackers"
data going to clients
  – SecContentInjection Directive
  – SecStreamOutBodyInspection Directive
  – @rsub operator
  – STREAM_OUTPUT_BODY variable
  – Prepend/Append actions
• Use these capabilities to transparently add HoneyTrap data to applications
Disallow: /scripts.old
• Fake HTML comments
  – <!-- old file is located at login.bak -->
• Fake Cookies
  – Set-Cookie: user_role=1; expires=Tue, 11-Mar-2014 18:28:03 GMT; path=/; domain=.yoursite.com
• Fake Hidden Form Field
  – <input type="hidden" name="debug" value="false">
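The two slides above (the ModSecurity content-injection features and the HoneyTrap data types) fit together in one ModSecurity v2 configuration. The block below is an added example, not from the original slides or the CRS project: it plants the fake comment, hidden field and cookie in outbound responses with @rsub and mod_headers, then flags any client that touches them. Rule ids 900000-900005, the `ip.honeytrap_hits` collection variable and the `/login.bak` path are placeholders chosen for this example.

```apacheconf
# Added example (not part of the original slides). Assumes ModSecurity 2.6+ with
# mod_headers loaded; rule ids and variable names below are arbitrary placeholders.

# Track per-client state so repeated trap hits accumulate.
SecAction "id:900000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# 1. Let ModSecurity rewrite the response body on the way out.
SecContentInjection On
SecStreamOutBodyInspection On

# 2. Plant the traps in every HTML response (phase:4 = response body).
#    Slashes inside the s/.../.../ expression are escaped as \/.
#    Fake HTML comment naming a backup file that does not exist.
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/head>/<!-- old file is located at login.bak --><\/head>/" \
    "id:900001,phase:4,t:none,nolog,pass"

#    Fake hidden form field appended to every form.
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/form>/<input type=\"hidden\" name=\"debug\" value=\"false\"><\/form>/" \
    "id:900002,phase:4,t:none,nolog,pass"

#    Fake cookie, set with mod_headers rather than ModSecurity.
Header add Set-Cookie "user_role=1; path=/; HttpOnly"

# 3. Detect anyone who takes the bait. No legitimate client or browser ever
#    requests the fake file, edits the hidden field, or rewrites the cookie.
SecRule REQUEST_FILENAME "@endsWith /login.bak" \
    "id:900003,phase:1,t:none,deny,status:403,log,\
    msg:'HoneyTrap: request for fake backup file login.bak',\
    setvar:ip.honeytrap_hits=+1,expirevar:ip.honeytrap_hits=86400"

SecRule ARGS:debug "!@streq false" \
    "id:900004,phase:2,t:none,deny,status:403,log,\
    msg:'HoneyTrap: hidden debug field manipulated',\
    setvar:ip.honeytrap_hits=+1,expirevar:ip.honeytrap_hits=86400"

SecRule REQUEST_COOKIES:user_role "!@streq 1" \
    "id:900005,phase:1,t:none,deny,status:403,log,\
    msg:'HoneyTrap: user_role cookie tampered',\
    setvar:ip.honeytrap_hits=+1,expirevar:ip.honeytrap_hits=86400"
```

The @rsub patterns are case-sensitive literal matches on `</head>` and `</form>`, so responses that use other casing or emit no such tag are passed through unchanged; the detection rules still fire regardless of how the trap value was obtained.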
vendors do this today
  – Inject code for client device fingerprinting
  – Inspecting the browser/system for malicious code
• We are focusing on enumerating information about the attacker
  – Geo Location
  – Network information
  – Keystroke logging