Let's get rolling. Good day everyone, and welcome back to the conference session in the application development with serverless and containerization track. Today we have with us Pritham Singh, speaking on the topic web exploitation and the offensive way to hunt bugs. If you have any questions during the session you can just post them in the chat box on the right side of your screen; the speaker would be happy to answer all of your questions. I'll go ahead and start the session.

Hello everyone. My name is Pritham Singh. I'm an associate quality engineer with Red Hat, but security testing is really my passion. As I learned about it, I realized that maybe it would be helpful for other people to know the things I have learned. So that's why I'm giving this presentation today. So let's continue with web exploitation, the offensive way to hunt bugs.

Okay, so this is today's agenda: the goals of bug hunting, or the goals of this presentation; an introduction to web application penetration testing, which we call VAPT, vulnerability analysis and penetration testing, or web application penetration testing; some approaches to aggressive bug hunting, or the tools that we can use to look for security loopholes; common attacks, or the common vulnerabilities to check for in your project. Here, in this presentation, I'll be referring to the OWASP Top 10 project, so some of the common vulnerabilities I'm referring to are from the OWASP Top 10. Attacks in action: some demonstrations of the POCs, or the security loopholes, that I have already reported in different projects or websites, which were already fixed by the developers or the company. And at last, Q&A. Next.

So what are the goals of offensive bug hunting, or the goals of this presentation? As I always feel, as a QA engineer or a developer we have the power, the power to find new bugs or flaws in the code which others could not find, and at the same time
to ensure that QA or development is properly done. So through this, QA engineers can work proactively, or a developer can work proactively, to find security vulnerabilities in different features of the website during functionality testing. After development, when doing normal testing in the staging environment, the developer can also look for these kinds of loopholes while testing the different features of the website in staging. As I always feel, because we are QA or developers, sometimes the bug is right in front of our eyes, but as we are not security aware we are not able to see that this is a security loophole, because as a QE we are only looking for feature bugs, and as a developer we are

So, yeah, after following these methodologies and processes, we can even contribute to different open source security projects, and we can collaborate on different projects as well on platforms like Bugcrowd, HackerOne, Synack, etc. Next.

So yeah, an introduction to web application penetration testing. This is the methodology and the way to look for security loopholes in web-based targets or websites. There are different platforms through which web developers and companies invite and encourage different researchers to report and file security loopholes, such as Bugcrowd, Synack and HackerOne. And there are some private programs; let's say Red Hat, Facebook and Google have some private programs which encourage and invite different researchers to look for and find security loopholes and report those responsibly to their product security and information security teams.

Different approaches to bug hunting, or the tools. So there are two tools available, each of which consists of many features integrated into a single one.
The first one is Burp Suite, which is an integrated platform that comes with many different tools in combination, let's say Spider, Scanner, Intruder, Repeater, Decoder, Comparer, Sequencer, Extender and more. It also supports different wrappers, which can be written by different researchers and which you can combine and import into your Burp Suite framework. And there is one more tool which is available open source, that is OWASP ZAP, which was developed by the Open Web Application Security Project community, who standardized and defined the OWASP Top 10 security vulnerabilities project and standard, which helps different developers, security researchers and security engineers to minimize the security risk of their product or website. Next.

So these are some of the common vulnerabilities that we need to look into in our project or in a website. I have just listed 10 loopholes with different categories, let's say injection, broken authentication and session management, cross-site scripting, IDOR, that is insecure direct object references. If you want to know more about these vulnerabilities you can refer to the link that I have added here at the bottom of the slide, that is owasp.org. You will get different information from that site about these different categories of loopholes and what kind of vulnerabilities come under which category. At the end of this presentation I have demonstrated a few of them. You can take a tutorial and read different kinds of documentation about these different flaws from that website. Next.

So let's directly jump into the demonstration part. This is attacks in action, that is, I'm going to demonstrate some of the security loopholes that I have already reported to different firms. So, yeah. The first bug is host header injection. Sometimes we can chain this vulnerability with cache poisoning, web cache poisoning, or referer-based accesses.
And in real time we can also chain it with the password reset link. Let's say we have a victim and the target is vulnerable to this attack, host header injection. What we can do is directly jump to the password reset page. We can test whether that website is vulnerable or not; if it's vulnerable, then the reset token will be sent over the injected host, not to the legitimate host. Let's say the host is google.com and the attacker has injected a fake host, or its own host, let's say evil.com; then the token will only be redirected to evil.com, not to google.com. So let's see this in the demonstration part.

So how to hunt for this bug. For looking for this host header injection bug, just always check for the response code or the different status codes, let's say 2xx and 3xx. Approach one: if your request has Host: google.com or realweb.com, just change that Host entry to evil.com, check the response code, and search for the string that you have pasted, or the host that you have pasted, to see if it is getting reflected somewhere in your response. The second approach is to set the Host from realweb.com to evil.com and then add X-Forwarded-Host: realweb.com. The third approach is to set X-Forwarded-Host to evil.com and the Host to realweb.com.

So let's now see the demonstration part, the video that I have added here. Here my target is ftp.campaignmonitor.com and I am using the Burp Suite tool to intercept its requests, to see what request and response I am getting. I have added the proxy, and my Burp Suite tool in this scenario is acting as a man in the middle: whatever requests are going from the browser to the web server, Burp Suite is capturing and intercepting all of those. So let's jump into this demonstration. Here I have just turned my intercept on. I am refreshing my page.
So see here I got the request of that page; here I am sending the GET request and the host is ftp.campaignmonitor.com. What we need to do, if we need to test whether this website is vulnerable to host header injection or not, is to try all those approaches that I have added there in the slide. I am trying the first methodology, or the approach, that I have added. Before that I have sent that intercepted request to the Repeater tab, where we get the request and response of the website in a single tab. I have changed the host from fmailer to 000webhost.com. This is one of my temporary pages that I have hosted on 000webhost.com. So we got a 200 status in the response, and in that I am looking for the fake host that I have added. See, it is getting reflected here in the response tab, or in the source code of that page of the website; see fmailer.000webhost.com with the complete path. It is reflected somewhere in the company's logo, see images/logo.svg. So what I did is I just followed the same directory path on the page I have hosted: I created the same directory structure and just imported one logo.svg file which has an XSS payload. Now we will use "show response in browser" to see how it looks in the browser. I am just stopping my interception. Let's refresh our browser with the original response that we got in Burp Suite. See, it is reflecting here in the company's logo. If we open it by right-clicking, see, it reflects here by following the whole directory path, and this page says this app is probably vulnerable to XSS attacks. So meanwhile I chained this vulnerability, host header injection, with XSS, that is cross-site scripting. Through this, an attacker can fake a victim into visiting and being redirected to a phishing website and ask for different credentials, different assets, etc.
So, yeah. I hope you guys understand this. Let's jump to the next demonstration, of the next vulnerability. Our next bug is URL redirection; sometimes we can chain this vulnerability with XSS, that is cross-site scripting. How to hunt for these URL redirection bugs: always look for one of the endpoints that I have added here. Find any URL parameter having some kind of tendency to redirect anywhere, like dest, URI, continue, window, redirect URL, return URL, something like this. The whole list of endpoints or parameters I have added here. The second methodology is URL redirection on path fragments itself. The example is like this: any.exampleany.com/payloads. The payload could be like a single slash with evil.com, or a double slash with evil.com. You will find the different payloads in the payload link that I have added here.

Let's look at the first POC, that is the issue on a path fragment. This is the issue that I got in ownCloud, on one of its websites, scan.owncloud.com. The reproduction step is: visit the URL scan.owncloud.com, add a double slash and add bing.com, or whatever site you want to visit or want the victim to visit. We are just copying this link and opening it in a browser; it will redirect us to bing.com. Our expectation is that it should redirect, or it should generate some error that this site does not exist or something like that, but it is vulnerable from the server side because it is not checking or validating on the server side, on a server header or a server host entry, where we are actually redirecting, or whether something like this exists in our code or not. There is no such validation from the server side; that's why it is vulnerable to URL redirection on a path fragment.

Let's jump over to the next open redirection, with a redirect parameter. This is our second target, that is repostnetwork.com.
There is a parameter, redirect=admin.repostnetwork.com. When looking for this loophole, always search for the different parameters, that is redirect URL, return URL, next, back URL, something like this. So I got this redirect= parameter. This will redirect me to that admin.repostnetwork.com parameter value after getting logged in to this website. I am just trying to change the mechanism: I just added evil.com instead of the legit URL, refreshed the page, and now I am trying to log in to this website. You will see that the URL now looks like evil.com in the redirect= parameter. I am just authenticating myself on the website. There is no server side validation for this website either of where we are actually redirecting. See, I am just trying to log myself in to this website, and now see, there is no such validation and this redirected me to evil.com without any server side validation, or without any validation of the external behavior. So this is the second URL redirection issue. Let's jump over to the next demonstration.

The next vulnerability is application level DoS, that is a denial of service issue. Sometimes this impacts from the client side and from the server side itself also. Let's jump over to the background concept. Application level DoS can affect the server and client due to no limit on the number of characters of input, or due to lack of input validation. Sometimes, if we are passing a big enough amount of data, or a huge amount of data, through any endpoint, and there is no validation on the server side of the number of characters or the data that we are inputting on the different endpoints, it sometimes leads to memory exhaustion and the same denial of service, because on the server side there should be some mechanism implemented for such endpoints that restricts the different endpoints.
The different endpoints, let's say this comment field, user name, mobile number, password change options, etc. Let's say there is an example site, anysite.com, and we have some endpoints; let's take the example of one of the endpoints, let's say mobile number. If there is no such restriction on the mobile number characters (let's say a mobile number usually has a 10 digit number, right), and if we are specifying 4k characters of data and there is no such restriction from the server side on what data we are inputting for the mobile number, this will lead to memory exhaustion and could also lead to denial of service.

Okay, so let's check the demonstration part. The target is coels.com, an e-commerce site. Here I got this issue in the password reset page, or password reset functionality. I am already logged in to this website. Now I am just going to the settings page; I am trying to change my password. I just added my current password, the legit one, and I am keeping my interception on. Now I am trying to capture the request. This is my request; this generated the ID. I am sending this request to the Repeater tab. Now I am just searching for the password that I have entered. This is my payload, or the characters that I am going to enter; this could also be 4k of data, 4000 characters or 5000 characters, something like that. This is a huge number of characters that I am inputting through that new password endpoint, and the same I will enter in the confirm password. Let's see what it generates. See, it is generating the 200 status code, but it is generating this: "We are sorry, the page you are looking for may be non-existent". This is happening because the server is not able to handle such an amount of data on the server side. And this is happening and it is going down. Temporarily it is going down, but this could lead to denial of service for the other customers. See, we are getting this error:
"We are sorry, the page you are looking for may be temporarily unavailable or no longer exists." So this is the issue, or the vulnerability, that we got in the password reset page of one of the e-commerce sites. So yeah, next.

So yeah, just to conclude this presentation. The next step for you is, if you are new to tools like Burp Suite or OWASP ZAP (ZAP was developed by the Open Web Application Security Project community), just check out those sites and tools and start playing with those, and with the tutorials on the different web issues or vulnerabilities, the common vulnerabilities, the OWASP Top 10 vulnerabilities. If you are a QE or a developer, try out these approaches or mechanisms and include such test cases in your development or testing, so that we can work proactively to start hunting these security loopholes. Right. If you want to know more about different bugs or POCs, we can connect over the below mentioned social media or my Bugcrowd profile, where I am actively hunting for those security loopholes on the Bugcrowd platform. Yeah, that's it.
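The three bug classes demonstrated in the talk (host header injection, open redirect on a parameter or path fragment, and application-level DoS from unbounded input) all come down to missing server-side validation. The module below is an added example and is not the speaker's code: it shows the defensive checks a developer or QE could add as test cases, covering the talk's three host-header approaches, the `//bing.com` and `redirect=evil.com` cases, and the oversized password field. The host names (realweb.com, evil.com), the field limits, and the sample requests are constructed for illustration.

```python
"""Server-side checks for host header injection, open redirect and
oversized input. Added example for this transcript, not the speaker's code.
Host names, limits and sample requests are constructed for illustration.
"""
from urllib.parse import urlsplit, urljoin

# Constructed allowlist; a real application loads this from configuration.
TRUSTED_HOSTS = {"realweb.com", "www.realweb.com"}
CANONICAL_ORIGIN = "https://realweb.com/"

# Constructed per-field maximum lengths; unknown fields get DEFAULT_LIMIT.
FIELD_LIMITS = {"mobile_number": 15, "new_password": 128, "comment": 2000}
DEFAULT_LIMIT = 256


def host_candidates(headers):
    """Collect every host name the request asks the app to trust.

    Both Host and X-Forwarded-Host are inspected, because frameworks behind
    a proxy often prefer the forwarded value when building absolute URLs.
    Comma-separated proxy chains are split and port numbers are dropped.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    found = []
    for name in ("host", "x-forwarded-host"):
        for entry in lowered.get(name, "").split(","):
            entry = entry.strip()
            if entry:
                found.append(entry.split(":")[0].lower())
    return found


def is_trusted_host(headers):
    """True only if every host-bearing header is on the allowlist.

    Password-reset links must be built from a configured name, so a
    request carrying any non-allowlisted host (the talk's approaches one,
    two and three) is rejected rather than echoed back into a link.
    """
    names = host_candidates(headers)
    return bool(names) and all(n in TRUSTED_HOSTS for n in names)


def safe_redirect_target(value, default="/"):
    """Return a same-site path for a redirect parameter, else the default.

    Rejects absolute URLs to other hosts, scheme-relative '//evil.com',
    backslash variants ('/\\evil.com'), and bare host names such as
    'admin.repostnetwork.com', then resolves the path against the
    canonical origin and confirms the authority did not change.
    """
    if not value:
        return default
    candidate = value.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default  # e.g. https://evil.com/login or //evil.com
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default  # bare host, relative path, or ///evil.com
    resolved = urlsplit(urljoin(CANONICAL_ORIGIN, candidate))
    if resolved.netloc != urlsplit(CANONICAL_ORIGIN).netloc:
        return default
    return resolved.path + ("?" + resolved.query if resolved.query else "")


def validate_lengths(form):
    """Return the names of submitted fields that exceed their length limit.

    This is the server-side restriction the talk asks for on endpoints
    like mobile number and password change: enforce a maximum before the
    value reaches any further processing.
    """
    return sorted(
        name for name, val in form.items()
        if len(val) > FIELD_LIMITS.get(name, DEFAULT_LIMIT)
    )


if __name__ == "__main__":
    # Constructed requests mirroring the talk's three host-header approaches.
    print(is_trusted_host({"Host": "evil.com"}))
    print(is_trusted_host({"Host": "evil.com", "X-Forwarded-Host": "realweb.com"}))
    print(is_trusted_host({"Host": "realweb.com", "X-Forwarded-Host": "evil.com"}))
    # Constructed redirect parameters from the two open-redirect demos.
    print(safe_redirect_target("//bing.com"))
    print(safe_redirect_target("evil.com"))
    # Constructed password-change form with a 4000-character new password.
    print(validate_lengths({"new_password": "A" * 4000, "confirm_password": "A" * 4000}))
```

All three checks are pure functions, so they slot directly into the kind of test cases the talk recommends adding during development or staging: feed each function the payload shape from the demo and assert that it is rejected.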