OWASP DevSlop E06 – How to Hack Your Own Apps



– Hi everyone and welcome to the OWASP DevSlop show DevSlop as in sloppy DevOps Today, like every week, I’m your host I’m Tanya Janca And this is Nikki Becher Nicole Becher is the other project leader for our project We started this project together and I’m her biggest fan (laughing) Yeah, why don’t you (laughing), why don’t you tell us a bit about you, Nicole – Sure, so I’ve been active in the OWASP scene for about, like maybe close to a decade, and I sort of have like realized the value of writing bad web apps or writing vulnerable applications to help people learn and train So I’ve written a few of them for my own personal use Like showing the people and teach and things like that So I kind of liked the idea of learning how to code by writing bad code, that’s sort of how I teach myself like modern programming, like newer things that are going on out there So I don’t know, that’s me I’ve been in the InfoSec space for a while I’m really passionate about it I really love working with Tanya I love teaching and helping people learn I think we’re all learning at the same time So we know everything? I don’t think so, but we can all try to figure it out – Hi everyone that’s online I’m just gonna like, I’m just gonna respond to a question So someone was saying where will it be, hi christmassec (laughing) Okay, it will be recorded and saved to aka.ms/devslopshow in about a week Basically when I get to it That’s exactly when it will happen (laughing) Okay, so we’ll just let everyone stream that Okay, so today I don’t wanna hide you There we go So today we’re gonna do like a workshop on how to hack your own apps And the first thing we wanna make sure is that like everyone has a copy of the VM I didn’t get the VM link Crap – I could– – Could you put it into the chat window and then I’ll share it with everyone? 
– Yup, give me a second – Thank you So the presentation we’re gonna give today is from here So all of you can follow along with our slides here if you want I know YouTube isn’t streaming I know, it’s still broken There we go Okay, awesome Okay, so we want all of you to hopefully have already downloaded that zip which is a virtual machine, which you will need to participate in this workshop Today this is interactive Now if you want you can just watch what we do However, it be kind of awesome if you could do it yourself So if you’ve already downloaded the VM, let’s import it into VirtualBox If you are using VMware, that’s cool, but I’m not gonna give instructions of how to install it on VMware or how to import it into VMware because I don’t have VMware – We’ll just say if anyone’s on a Mac and just updated it to Mojave, there’s an accessibility extension that you need to allow And unless you do that you won’t be able to use the keyboard and mouse in the VM It took me like 25 minutes of Googling to get there, but – So do you wanna put, or will you put into like the Twitch chat how to, if people have problems, where to go or something? – Yeah, it’s really only on Mojave So I don’t know if that’s like, everyone’s just pounding on my upgrade button, but yeah, I’ll just write – Okay so if you downloaded the zip, when you open the zip you’re gonna have a folder called appsec-ubuntu And then basically, do we click on the VMDK or do we click on the OVF? 
– The OVA, OVF, I think it’s an (sound distorts voice) – Okay, so we double click on here, and then it’s gonna say, oh, it’s gonna open up VirtualBox if you don’t already have it open It’s gonna give you an idea of what it wants You might wanna increase the RAM However, I don’t know how to do it from there And just click import This is gonna be importing It says one minute, or two minutes but it’s actually gonna take a while, and that’s why we’re doing it right now And then Nicole and I are gonna go through the sides and we’re gonna talk about some stuff Then we’re gonna show you how to do this again

in case you haven’t done it I’ve already imported it so I don’t need my, stop, stop It’s gonna be upset with me So I’m gonna cancel my import but you should not You should let it go while we’re talking to save time later, ’cause it’s really, you don’t wanna be sitting there waiting Okay, so let’s see in the chat window So I don’t see that anyone else has said anything else, Nikki Do you see other things other than like lots of nice hellos? – No, the chat window looks good I had to pause the streaming functionality because I’m on not the fastest internet right now – That’s cool, that’s cool Okay, so if anyone has any questions you can put it into the chat window from Mixer or Twitch and then we should see it Will this be uploaded to Twitch after the stream? Yes, it will be saved to Twitch for two weeks Then we will upload a permanent copy to YouTube at this address Duh duh duh – (sound distorts voice) asked a very important question – Who asked an important question? – Which is what’s the password to the VM? – Oh, okay, the password to the VM – I put it in the chat window, but just to be clear, appsecca, all lowercase, A-P-P-S-E-C-C-A – It’s the same as the name of the VM itself Super secure, right? (laughing) Okay, awesome So if there’s any questions can you let me know Nikki in case I miss them? – Yep, I’m on it, I’m on it Okay, now let’s go back So shall we start our slides? 
Does that sound like a good idea Okay, hi everyone, I’m Tanya, this is Nicole, as we already explained And this is our workshop that we’ve done at a ton of conferences called How To Hack Your Own Apps It’s generally aimed at software developers or people who are new to InfoSec, people who wanna know the very basics of web app hacking If you are already a penetration tester, this will probably be boring for you This is an intro, ’cause we want everyone to know how to join, how to join our industry, and if you’re interested in being a penetration tester one of the first things you need to understand how to do is how to operate a web proxy, kind of how to look at a web app, the basic ideas of, I guess, web security, right? And so that’s why we made this little workshop It started with me wanting to know this, me learning it, and then us ending up making a whole workshop out of it So welcome to How To Hack Your Own Apps Ope Okay, outline Do you wanna do the outline? – Sure, so, I think we did who we are Do we need to do it again? – No, no, it’ll This is the outline of what we’re doing, and then we’ll do the who we are thing, and we’ll just make it quick Then we’ll talk about– – So I think the goal of this workshop, yeah, the goal is really just to help sort of further the idea of what application security is, how to approach an application security situation, whether it’s a web app or how to test applications, right? So that’s sort of our goal And we’re aiming here at like a beginner, a software developer, someone who wants to get into the industry, sort of like we want to teach you what you should be thinking about when you’re looking at applications – Very cool Cool, so this is just the outline and we’re gonna have slides for this – Why we’re gonna do secure coding? I mean, I think that’s pretty clear, right? I mean Tanya’s given so many talks about pushing left, right? 
And so she could probably explain pushing left a little better than I can, but secure coding is like a pretty pivotal moment in pushing left, right Tanya? Wouldn’t you say? – Oh my gosh, yes We’re gonna talk about how will we do secure coding? Oh are we? (laughing) We’re gonna talk about our toolbag, right? We’re gonna create a testing plan Then we’re gonna tell you not to be little badasses on the internet with your new information Don’t hack things in a bad way Don’t use your newfound powers for evil Only use them for good And then we’re gonna do a workshop – Yep – Okay, very quickly the who we are

So we’re – Yeah, who we are, we are AppSec people, cybersecurity people I spent a lot of time as a pentester, I worked in forensics, incident response, InfoSec, cyber policy I teach a bunch of hacking classes at NYU, blah blah blah blah blah – I wish I could go to her class It would be awesome She teaches something new So every time we do a workshop she adds like five new amazing things I didn’t know So I wish I lived closer to New York so that I could attend but I live up in Canada in the, I am a giant nerd – Technically we’re not that far away from each other You’re like above New York But it’s a pretty big state – Like if you look at a globe we’re pretty close We’re only this far away (laughing) Like I could drive to Nikki’s place in around nine hours I drive fast (laughing) So we started this project and now Franziska’s a part of it, too And she is somewhere in the chat helping us, and she’s gonna help people with technical questions And basically we do all sorts of different things as part of our project, and one of them is this show So basically every Sunday at 1 p.m One or more of us is gonna come on and do something nerdy because we wanna teach everyone all the things we can, and yeah, so we’re friends who like to teach and learn, and so that’s why we made this Okay that’s lots about us, eh? That’s lots, we can continue Okay, do you wanna talk about the workshop setup? 
– Sure, so I don’t know, it seems like everyone has gotten VirtualBox installed So there are some issues with VirtualBox and Docker and things like that across like the Windows universe and Windows 10 it’s really difficult to get Docker working, blah blah blah And if you have questions like that just let us know like in the chat window so we can try to troubleshoot those individually But essentially what we’re gonna be doing here is you just need a laptop that has admin privileges ’cause you need that to install VirtualBox You need a web browser The VirtualBox image itself does have a web browser in it, but you know (sound distorts voice) test applications outside You need a good wifi connection That’s a little bit of my problem right now I’m not on the fastest wifi, so if I get stuck in some really contorted face, that’s because of the internet Yeah, and I don’t know how you could pair up here Is there a way to do that in my Twitch where you could just sort of like, I guess you could use the chat window – Yeah, just use the chat window and ask for help Not only will– – Somebody’s saying right now that it’s working great in VMware That’s great I mean, you know, – Oh good – It depends on the version of VMware, there’s VMware Player which is free on Windows, and then the Apple world you need VMware Fusion which is not free although there is a 30-day trial But we were trying to avoid dealing with licensing and things like that But if you have VMware installed, absolutely import an OVA file It’s the point of the OVA file, and you’re good – Cool, cool So yeah, I guess usually we do this in person, so usually you can pair up However, if you’re in the chat window and you see someone has a question and you know the answer please share it Nicole and Franziska and I will attempt to be helping you like as we’re in the workshop But, I mean, if we miss a question, please feel free to answer each other Everyone’s here for the same reason ’cause we wanna, we wanna learn new stuff 
Okay, so next slide Do you wanna talk about our goal? I bet you do (laughing) – Yeah, so, I mean, like I said before Beginner application security You know, InfoSec in general is kind of like an intimidating space There’s a lot of different entry points through InfoSec and if you follow along the internet you’ll meet all sorts of people, some people who can find vulnerabilities in CPU pipelines people who test applications So there’s a wide variety of talent in InfoSec And it can be a little bit overwhelming if you’re new to the field So I think what we’re trying to do here is like distill that (sound distorts voice) application security, like a beginner level so that (sound distorts voice) scary And the way we’re gonna do that is, or sort of the objectives here, we’re gonna help developers if you are one, understand the power of writing secure code So Tanya will probably reinforce pushing left, but writing secure code cheapens the vulnerability like in the long term because if you write something that’s incorrect or insecure you can fix it quicker if you know what insecure code actually looks like rather than pushing that all through dev,

test, and production, and then somehow getting an application scan back that says, oh hey, every parameter you’re trying to parse here is not being properly sanitized You have to go back and redo it all So that’s the goal of secure development Testing, there’s certain ways to test for security issues And again, finding them earlier makes them cheaper to fix, and that’s just what everybody wants to do Fixing, right? We all want to make sure we understand (sound distorts voice) before they even get to the scan, right? Like, that’s the whole purpose here The scan should be something that you just have to do because that’s what your company wants, but it shouldn’t be the thing that you rely on for core security of the product And then, I guess, repeat here, right? So this is a tough point I’ve dealt with this in my career many, many times Like how do you give legacy apps the security attention they need? I don’t know if we’re gonna get that far into that one, but it’s always a big challenge There are things that you’ll learn as you learn more about application security, there are some techniques that can be used for legacy apps to like create compensating controls or mitigating risks, mitigate the risk in a legacy app But that’s a little bit, we’re not gonna get there today – I guess like I added the legacy apps part because I was thinking if we can teach each software developer how to use Zap, which is the tool we’re gonna showcase today, which is free from OWASP, we’ll tell you all about it and we’re gonna set it up with you, that if all of you are Zapping your apps that when you open up a legacy app that you could Zap it, right? I used to work somewhere and what we did is whenever someone opened up, I’m just gonna move it so we can see more of you (laughing) Whenever someone would open up an old, old, old legacy app to fix a bug or something the deal was that they had to run Zap on it, and then they had to fix whatever the highest thing was that they found, right? 
If they found any criticals or highs they had to fix all of them before they were allowed to check it back in And the hope was that if all of them understood how to do that that then they would finally legacy apps would get a tiny bit of security attention Okay, next slide Why do we write secure code? So Nicole talked about how I talk about pushing left all the time, and basically if you look at the system development life cycle like on the screen in writing it goes like this, right? Because in the English language we go from right to left when we speak and when we write And so there would be, so I’m doing this, I don’t know how I’m showing up on the screen, but imagine on the left side you will see looking for requirements and kicking off a project, and then next you’ll see– – Hey Tanya, I think your video is not videoing – Oh yeah? – Oh no I, oh yes, so I stopped videoing for you, but if you look on Twitch you can see me in the bottom right corner – Sorry I stopped videoing on Twitch, so there we go (laughing) – Okay, sorry I removed myself because it was slowing, I felt like maybe I wasn’t seeing as much of you because I was using up all of my, – Yep, okay, sorry – my streaming power Okay, so if you can see from left is the beginning and right is the end, when security shifts or push left, what we mean is that we want security to start earlier in the system development life cycle So when you make software, when you’re doing requirements, security wants to be there We want to add security-based requirements to whatever project you’re doing When you’re doing design we want to be there to threat model and to make sure you’re following like secure design concepts When you’re coding, that’s that part we’re gonna talk about today, we want security to be top of mind, and that includes like Zapping your code and looking for very obvious security vulnerabilities and just knowing secure coding ideologies And things like if you have inputs to your app, that’s the danger 
zone When you let someone like put something into a field and then you take it in you need to make sure that that’s the data you’re expecting to get And I’m not gonna go into detail in each thing, but in the past, security was invited at the end, right? So Nicole, penetration tester, would be hired like right before they go to prod And it’s like that should not be the first time that you are looking at security And you’re kind of wasting Nicole’s time at that point, ’cause it’s like shooting ducks Wait, fish in a barrel, not ducks in a barrel, that’s weird But also just don’t shoot animals, but like, it’s this easy, easy task for her because no one’s looked at it before So the idea is if we start security earlier, by the time you hire someone like Nicole

to come in at the end you’re like making her really work hard for her paycheck, because she has to look really hard for bugs Okay, so yeah, so that’s why we write secure code Also, do you want to talk about what CIA is? – Sure, so again, if you are new to InfoSec and you take like one week of an InfoSec class or any sort of read book or whatever, there’s this concept of CIA And it stands for confidentiality, integrity, and availability And these are like the three ways that you can think of, a resource or an asset and how to protect it, right? So you have a database You’re protecting it from confidentiality attacks, right? As in, somebody gets into the database, either by a properly authenticated account or by some sort of vulnerability, and is able to see that data, and they shouldn’t be able to see that data So that’s a breach of confidentiality And there’s also then integrity And that is if someone gets into that data, even if they’re authorized user and they start changing around that data such that the integrity of the entire data structure is now called into question, right? That’s a breach of integrity And then availability is like the database is not up and nobody can access it So then therefore now it’s offline or however it’s not working So those are like the three ways you can think of information security issue, right? Like kind of almost every vulnerability (sound distorts voice) upon one or multiple of these sort of tendency, or CIA So it’s important to think like that – Cool – If anyone has any questions you can just drop ’em in the chat – Another reason we write secure code is to avoid the situation of you having to report why your data’s for sale on the dark web or why you’ve had this giant breach, why your customers are all really upset Why basically you have a broken app, right? So that’s, no one wants to have that conversation Trust me, I’ve had to have it before and it’s awful And Nicole do you want to cover pivoting points? 
– Right, so pivot points So I mean this is like a common tactic in like an attack chain that a pentester will use, right? So, if there is a cross-site scripting or SQL injection vulnerability or some other like a directory that’s not properly protected on the web, and somebody figures out what that directory is and finds input fields that are sort of not being well tested or insecure Those points of insecurity can be used to pivot in other directions So like for example, with the SQL injection attack, if it was an older database that had something like xp_cmdshell enabled, which is just a way to execute code on a database, like actually operating system code, you could then use that SQL injection as an initial point and then run some code on the actual database and then that could pivot you into the entire network, right? It’s a very extreme example It’s not likely to see xp_cmdshell on the internet these days, but you never know But yeah, essentially any vector, or any insecure vector, can actually be potentially leveraged into something else that could get larger and larger, so – So secure all the places? Okay so I wanna bring everyone’s attention to this If you are late joining us you’ll want to download this zip file which is a virtual machine, which you will open up in VirtualBox And the reason is so that you can participate in the workshop that will be right after these slides So if you’ve downloaded it, unzip it, and open it up in VirtualBox You wanna import it You don’t wanna do a new one Or you can just double click the OVF file It also works in VMware we’re told Okay, next slide Okay, so where are we gonna start? Do you want me to? – Yeah, I’ll take it So the primary way to test web apps is to actually be in the middle of a web app, right? 
So I’m sure we’re familiar, and if someone’s not familiar, just like pop it into the chat message Like, the HTTP request response cycle So we issue a request, a get request, a post request, a delete request, some sort of HTTP request, and we get a response from the web server, right? So that’s sort of how the flow works with a website And what we wanna do is we wanna be like in the middle of that, here’s the request, here’s the response, and we’re like in the middle of that So we, the request comes through our piece of software called the proxy And then the proxy forwards it along to the server, the web server, the server forwards it back to the proxy, and the proxy forwards it back to the actual web browser client So getting that place in the middle of the request response cycle is like the key tenet to application security testing,

and so we are gonna learn how to set up a proxy And a lot of the proxies, and there’s two main ones, and I think there’s a later slide on this There’s Burp, which is a commercial proxy, and there’s OWASP Zap which is free and open source, right? Now I think they’re both built in Java So there’s not much difference there There’s other proxies, too There’s something called Pappy, which is a command line proxy But these are the main ones, right? And so we’re gonna go through setting that up, how to make sure that is working to intercept SSL traffic, because SSL traffic’s a little different So yeah, so (sound distorts voice) proxy is like the main core thing that we’re gonna figure out today And then within some of these proxies you’ll be able to run some scripts and scanning to like test for certain types of things Like we can look for, do we see passwords in plain text? We could look for do we see any reflective cross-site scripting or things like that? And you can automate some of that, right? So like more like, especially with Zap, there is like a way to automate Zap into your CI/CD build pipeline So if you wanted to basically push code, I don’t know through Jenkins or whatever (sound distorts voice) and then the pipeline will then run Zap or Zap scan against your web app, you could do that So Zap is definitely getting more automated, which is great because I think like we probably all agree that (sound distorts voice) security testing is where we all need to get to, right? It’s not gonna find everything, but as long as we have like a process that automatically does this it’s better than having to manually do it Because anything that’s manual, I guess, becomes sort of like a pain in the neck, right? So, and it’s easy for us to not want to do it if it’s manual But it’s automated, it just does it, right? It’s just like, it’s great – You know what? 
Can I interrupt for a second – Yeah, please – We’re gonna have Simon Bennetts on the show, the project leader for OWASP Zap, and he’s gonna implement it as part of our pipeline Patty, so I named our pipeline Patty, which publishes our devslop.co website Oh I’m just gonna open it so everyone can see Devslop.co This is our website And it’s our proof of, I know it’s ugly, it’s ’cause I’m not good at graphic design, but it’s, this is published with our pipeline So it’s pretty cool that Simon’s gonna come on and like give us the lowdown And he’s gonna help us implement it, which is pretty awesome – Yeah and that’s one of the premier OWASP projects, so I think it’s in the Mozilla, right? Am I misspeaking? – The Mozilla foundation sponsors it Basically they pay work time for him to work on it, which is completely amazing – Right, so yeah, and it’s very well maintained and gets updated a lot There’s even like a Docker version of it now – It’s a really high quality product, and it’s free I mean, for free it’s like, well, you know, Burp I think is like 300 bucks a year or something, it’s annual, I think it is – Yeah, which I have to say is extremely reasonable as a price when you look at how much other things cost – And Burp is great, too – And Burp is also really good – And Burp has a plugin ecosystem which is truly amazing So – Zap has one, too – That’s true, you’re right – But both are awesome – I’m more familiar with Burp plugins than Zap plugins (sound distorts voice) It’s just about where you are in your life and career and how much you wanna spend – Yeah, so the last topic on this thing is so we’re hoping that after this workshop if you’re software developer that you’ll test your own code in the coding phase of the software development life cycle, and then as you’re testing you’re gonna learn So you’re gonna continue to improve yourself and get more and more awesome, because you’re not gonna make the same coding mistake five times in a row, right? 
You’re gonna see, oh, I don’t have the security headers Oh I really should And then from then on you’re just gonna use those security headers and you’re not gonna have those problems So we’re hoping that this brings you to a place where you just improve constantly Which is a good deal – Totally – Do you wanna talk about Zap or do you want me to talk about Zap? – You do it – Okay, so we talked about OWASP, which is the Open Web Application Security Project, which is an international nonprofit that involves hundreds of thousands of AppSec nerds, enthusiasts, experts, and newbies, who all volunteer and do different things Some of them just come to meetings, which is cool, and learn We have chapters all over the world And we have projects And what you are watching right now is a project, the DevSlop, sloppy DevOps project where Nicole, Franziska, myself, and Ron Vandana,

a bunch of us, all learn about how to do DevSecOps, how to automate as much as possible of AppSec And one of the tools that we’re excited about from OWASP is called Zap, the Zed Attack Proxy It’s open source, it’s free, everything from OWASP is free basically, except for conferences and training, because those cost a fortune to run So the reason why we chose Zap is not only because it’s free, but it’s really easy to use for beginners, but it is a high quality enough product that professional pentesters have it in their toolbox Zap can be automated as part of your build server or your pipeline which we will show in a later episode, and we are just only going to talk about intro functionality today We are not gonna, we don’t have enough time Okay Next Do you wanna do the disclaimer or should I do the disclaimer? – Sure, I’ll do the disclaimer Yeah, I mean it’s just pretty simple right? Like some of these tools that we’re gonna go through today, I mean they’re very, they can be very benign tools like we’re just gonna learn here and figure out how to get in the middle of our websites here, to see if the data flows But there are things in Zap that you can run, you can sort of potentially run a brute force kind of attack, like spider websites in ways that generate too much traffic You could try to brute force directories You could do all sorts of things that people could perceive as being not good, right? 
So I think that the real goal of the disclaimer is to just like, if you’re gonna run Zap or run any automated security tool or any manual security tool on something that is not yours or that you do not have permission to do, you probably should not do that, and you probably should either get the permission or not do it and run it in your own personal lab It’s very difficult, sometimes, there’s obviously an interest and everyone’s curious and everyone wants to learn, but we really just wanna make sure that people understand the risks and just launching things like this all over the internet, and somebody could see this all come their way and think that they’re actually being under attack or someone’s scanning them and it’s turning into this whole big thing You just don’t wanna get in that situation So the disclaimer here is it’s kind of just a don’t be stupid disclaimer I mean, that’s pretty much what it boils down to – Yeah, this is a hacking tool, so don’t aim it at things that you don’t have permission to aim it at, which is why we gave you a virtual machine So everything inside that virtual machine you can smash the crap out of And that’s why they’re made, is for you to smash the crap out of them But don’t go and aim this at like Amazon.com or some mom and pop flower shop Don’t attack things and if someone gives you permission to attack something make sure that you have it in writing, right? 
Like especially if it’s outside of your organization Like if your friend is like, oh yeah, you can totally go and hack my site Make sure that they have the authority to say that and make sure they put it in writing because we don’t want anyone to take our workshop and then get arrested Basically, that’s it We want everyone to just have fun and learn and we want no one to get arrested, the end So behave Okay, so our test plan, we are going to set up Zap We’re gonna turn on our proxy so that we’re intercepting things so that everything is going through the proxy, which is Zap – Hi Anita (laughing) We wanna make sure everything is going through the proxy, so we’re gonna turn it on Then we’re gonna set our target to make sure we are only scanning the things we intend to scan Then we’re gonna do something called enumeration We’re gonna spider Nicole it’s loud – [Nicole] Sorry, I’m just opening the window – That’s okay We’re gonna set our target so we only scan the thing we need to We’re gonna enumerate which means it’s gonna go through all of the different URLs, like the sub-URLs, within your domain that you’ve set Then we’re gonna do manual exploration, also abuse of this website, and then we’re gonna do an active scan, which is where Zap takes over and it’s learned from all the things we’ve done and it executes scripts against your site So demo Shall we do some demo? – Sure – Okay So I’m hoping at this point that everyone has managed to download this and that they have opened it in VirtualBox So let’s start up the VM The password to the VM Oh I should add this Yep, I know you’re doing that Password is appsecca So I’m just going to put this

into the chat window so everyone can see Yeah, I know you’re upset Okay, we don’t need the wget right now Okay, so oh yeah the demo, let’s go back to this Okay, so yours won’t have this open and yours won’t have this open The first thing we wanna do is we wanna ensure that we have turned on the web server So we are going to launch a web server and a web app so just ignore everything that is in this window Actually, no, I’m just gonna type – Yeah, so what’s in the VM is, there’s a few vulnerable web apps that are actually installed in the VM and they run locally And then there’s like some Zap and proxy tools and things like that that are also built in to this VM So that’s why we have the VM And because one of the apps that we’re working on today is using Rails we need to just make sure that our Ruby environment is set up properly so we can actually launch the Rails service Your other app in there is built in as several Docker containers So that was why people mentioned before (mumbles) Docker The other app that we’re gonna eventually do here in this, our what are we calling this? Podcast, webcast? 
– It’s like a video show, streaming, a livestream Yeah, the DevSlop Live Show – Okay, yeah I like that Yeah that is the right word So in the next livestream or maybe the one after, upcoming livestream we’re gonna work on the other application which requires Docker But it’s in the same VM So that was like what we’re, that’s why Docker came up So what we’re gonna do now is we’re gonna sort of, all of that data that Tanya is typing and pasting, we’re basically just getting our rails environment set up So we’re using Ruby version 1.9.3 So we’re just gonna type that in, and we’re gonna change directories into the actual directory of where the application is And then we’re just gonna launch the web server, and everything should be good It should be four commands Not a big deal And then copying pasting works just fine – Yeah, I’m just copying and pasting all of it into the conversation to make sure that everyone can just copy and paste it and they don’t have to try to type it out So let’s go here into my VM Man my computer’s upset with how many things I’m trying to simultaneously run It’s like no, help me ‘Cause it’s streaming Nicole and streaming me back to Nicole and streaming me out to restream.io, it’s recording, it’s running a virtual machine, and then on the virtual machine it’s running a ton of stuff And it’s got Safari and Chrome doing all of their types of bleeding that they do – Yeah, Chrome’s open, it’s end of story – Maybe I should close Chrome Do we need Chrome? 
Yeah we need that – Yeah, it’s only two tabs It shouldn’t be that bad – Okay, so we’re going to go to the terminal You can open the terminal from going on the side, do you see where my thing is right here So click this, it will open a terminal that will look just like this and at it we are going to type the following Source /home/– – No, no you don’t wanna copy You just have to edit paste in the terminal Control V or command V or whatever it is is not gonna work So just go to the top menu where it says Terminal, yup, right there, Edit, Paste – Oh – Then go shift control V – Thank you Okay, there we go We’re gonna go back here and copy Sorry that all of you don’t have this on your desktop Sometimes coordination is complicated ‘Cause I added it to mine but didn’t think to ask Nicole to add it to everyone else’s – Sometimes when you reboot this, I guess it should rewrite it so that it’s in the profile But you still have to start the service anyway – Yeah, no matter what – This isn’t that bad – No it’s not that bad (mumbles) It could be much worse – I guess this is a good argument for Docker – For sure – For people who’ve run into Docker problems There’s actually no perfect way to do this So Tanya and I have tried many different techniques to get vulnerable web apps onto other people’s machines, and I was convinced that Docker was like the ultimate way until somebody showed up with Windows 10 Home and I realized that you cannot run Docker on something that doesn’t have Hyper-V on it And Windows 10 Home doesn’t have that And therefore, that was the end of that – Okay, so now it is booting up our web server

And we’re doing this so that then we can go look at that webpage Everything should be internal on this virtual machine So you are going to use Zap within the virtual machine to attack the web app that is running within the virtual machine with the idea that you aren’t ever gonna get into trouble Okay, so – We’re attacking local, we’re just doing local to local testing here Nothing’s going out over the internet – Yeah, exactly I’m just gonna refresh this and see if anyone has any questions – I’m on it, no I think they’re good – You’re on it? Okay perfect, thank you Okay, so now let’s open up our Firefox Sorry it’s going so slow, it’s me it’s not you And we are going to go to localhost:3000 And we’re gonna press enter Hopefully you all have this live now This is the website that we will be testing Let’s go up here and make this not full screen How did we do that last time? – The last most bubble, up, not, yeah– – But doesn’t that make it full screen then? Let’s see – I think it’s either or – Oh perfect, okay Not full screen, awesome Okay, so this is our website We’re pretty excited about our website It does a whole bunch of things, but at this point we just want to make sure it’s up The next thing that we need to do is we need to launch Zap Where is Zap you ask? Zap is this question mark right here Because we couldn’t figure out how to get the icon working, however, it’s there, it works, that’s all that matters So we’re gonna turn on Zap We’re gonna load it up right now by clicking it Perfect It’s gonna take a minute or two to launch because my computer is dying (laughing) This is what Zap looks like, what you see on the screen there I wonder if there’s anything that I can kill at this point to make it go faster – I’m looking at you Visual Studio – Yeah, okay, I’m gonna– – No I’m just kidding No no no, I don’t know if that’s it It could just be a memory issue within the VM I don’t know how much memory that thing has – Can I close Safari do you think? 
If you’re gonna handle the streaming I guess? Actually maybe I should keep it open in case– – Like I said, I’m not sure that’s gonna help I think (sound distorts voice) – We’re okay – We’re all patient people here I think – Cool, thank you Okay, so the first thing that Zap will do every time it opens is say do you want to persist your Zap session? Because we are just learning we wouldn’t bother, but if I was on a professional engagement I would always click yes, save everything I wanna persist this If it crashes I wanna make sure I can reopen it But because I’m just playing around today I’m gonna click no but I generally always click yes So we’re gonna hit the start button So this is a fresh install of Zap, which means we have to do two things before we can start scanning The first thing is we need to install an SSL cert into our web browser to ensure that it respects OWASP Zap while you’re scanning Basically, if it’s gonna go in between it needs to decrypt and recrypt things, re-encrypt things And so we have to add a certificate from Zap into our web browser So to do that let’s go to Tools – Yeah, and if we didn’t do this we would get SSL errors that say this certificate is untrusted, you can’t proceed – It gets so– Yeah, it gets pissed off So we’re gonna go to options, and we are going to go down to Dynamic SSL Certificates So then, assuming you have, so if you don’t have anything here click generate and then you will But we already have something there, then we’re gonna click Save We’re saving it into the folder appsec.ca, or appsecca

And it’s named owasp_zap_root_ca.cer Cer is for certificate So we’re gonna click Save And then we’re gonna click OK Now we’re gonna go back to our Firefox and we’re gonna import that cert Wait, what is it doing? Okay, great, your Firefox is critically out of date (laughing) We should update that before we, we’re not gonna update it now because if I have ever learned anything it’s that you never ever update right before you do a workshop or presentation Because then everything that you have ready will be broken But we should do that before we give this workshop again Okay, so x that out Sorry Nicole can you mute yourself if you’re not speaking? Because you’re, it’s just like loud – I got it, I got it – I like the sound of your voice, just to be clear Okay, so we’re gonna go to the hamburger here, the three lines, and then we’re gonna go down to Preferences Oops, okay, so hamburger on the right top and then Preferences Now we’re gonna go to security and privacy And we’re gonna go down, down, down, just keep going down all the way to the bottom until you see Certificates So again, we’re in Preferences And then Privacy and Security on the left here Then you scroll all the way down to Certificates So now we’re gonna view our certificates We wanna add an authority So we’re gonna click import And we are gonna import the owasp_zap_root_ca.cer Again, we’re doing this so that the browser knows it can trust Zap So we click Open, and we are going to check all of the boxes Even though we’re not gonna do email, I’m just gonna click yes to all of them ’cause I don’t want any problems, and I trust Zap And then we’re gonna click OK And then we’re gonna get out of here and we’re gonna click OK again We have one more thing that we need to do before we can use Zap We need to turn on the proxy If you recall, Zap works because there’s the browser and then there’s Zap and then it goes out onto the internet or your network or wherever it’s going to the web browser Don’t start jumping 
Visual Studio, I swear I’ll close you Serious threat You know what, maybe I should just close it Okay, close I’ll come back to you devslop.co, I swear (laughing) Okay, so let’s go to General Again, we’re in the Preferences, which we get to from the little hamburger over here And then you come to this main page, General, it’s the first one on the left side menu and we’re gonna scroll down, we’re gonna scroll down, all the way down to the bottom And then we see Network Proxy We’re gonna click over here in the Settings and what we wanna do is we wanna click manual proxy configuration, and we need to set up these things, 127.0.0.1 What is that? That’s your local host So we’re saying don’t go onto the internet Don’t go out anywhere We’re saying let it proxy through yourself And the port we’re choosing is port 8080 Then we’re clicking this box here So use these proxy servers for all protocols So this includes SSL, or TLS, which is what we actually use now So you wanna make sure that if it’s doing HTTP or HTTPS that it’s gonna use these proxy settings So we’re saying use the loop back, which is what Zap uses, go on port 8080, again, which is what Zap and Burp and so many other web proxies use

We’re using it for all protocols And then we’re gonna click OK You need to remember this screen because if you want to get out onto the real internet you’re going to need to return Let me repeat that, you need to remember this screen because if you don’t want to use Zap you have to turn off the proxy So if you’re trying to use Zap you need to have the proxy on, and if you are not using Zap and you want to use your web browser you have to turn it off so it stops trying to go through Zap and you click no proxy So we’re using– – So also just to add to that, there are two good extensions here to make this much less painless I mean much more painless, much less painful, sorry There’s something called FoxyProxy, which I’m gonna link in the Twitch chat, and this is a Firefox add-on So if you have FoxyProxy enabled it allows you to quickly switch from like, you could give it a name like Zap and then you give it a name like No Proxy, and it’ll just, you can switch back and forth And if you are on Chrome there’s something called SwitchySharp I’m gonna pull (sound distorts voice) it’s like really annoying to have to dig through all these preferences to figure out where it is So I’m a big fan of these tools – Oh yeah, FoxyProxy is awesome Whenever I do security testing it’s generally in Firefox because it trusts me to make my own decisions unlike Chrome that’s like I don’t think you should go there I’m like, no, no, I wanna go there Chrome’s like no, I don’t think you’re smart enough to make that decision, which is good for regular users It’s good for regular users – And Chrome also has like a way of filtering out reflected cross-site scripting So if you’re doing an application security, like manual test in Chrome, and you try to launch up some sort of XSS attack that you might never actually see it because Chrome will prevent it Firefox hasn’t gotten there yet or it just doesn’t wanna include that in its sort of design model So you could see it a little bit better But Chrome
has some added security things that could get in the way So I’m with you Tanya – So it’s really awesome if you are a regular user, you should use Chrome If you’re surfing the internet you should use Chrome But if you are going to do security testing I like Firefox personally And I’d have to say that Edge is in the same bucket as Chrome It’s gonna do all these protections for you, which is good for people who are really smart who use the internet who are not doing security testing Okay, so just to clarify, we are turning on the proxy, we’re clicking OK And we got there by going to the hamburger, going to General, scrolling down to the bottom, clicking Network Proxy, clicking Settings, and then turning on the proxy Okay, so now we can get out of the settings and we are going to hit refresh on this We only hit refresh, Zap, which is behind there, should see it So let’s hit refresh (gasping) Did you see this? Oh yeah that’s right It would appear that Zap is now paying attention, and it’s like hello cyclone web transfers (laughing) It’s immediately looking at all sorts of stuff Yeah go – So Tanya has successfully gotten Zap in the middle here, so that’s exactly what you wanna see On the left it’ll say sites and you’ll see like, the actual host or the URL for the site And then if Tanya was browsing all over the internet right now, if she went to like Google or wherever else, all of those sites will just list up and queue off in the left side So it’s pretty convenient but if you have a lot of tabs open and you’re proxying on like your main web browser, it’s gonna get hairy in here really quickly So you should probably, if you’re testing, limit all of the testing data to a specific browser – Oh yeah – So you know, clear it out – Yeah, another reason that I like Firefox over Chrome for security testing is specifically because Chrome calls home five billion times per second, and so you’ll see it like here and here, like all over the place like all sorts of calls and it can
be kind of confusing, and yeah, I personally like that Okay, so if we go back briefly for like two seconds to our slides we went over tools Oh yeah, we need to do the test plan So we need to, we’ve turned on interception, now we’re gonna set our target So setting our target’s really easy Press the control button or the Apple button or whatever the button Okay, so for me it’s the Apple button If you’re in Windows it’s probably the control button You’re gonna go onto the sub menu that says attack and then you are gonna click, wait, wait, no, no we’re not How do we, oh, Include in Context Go to Include in Context, oops, and then go to Default Context I choose the Default Context, I choose the Default Context so that,

like everything is in there If you were going to be testing a whole bunch of different things and doing something complex you might want a bunch of different contexts The point of the context is to set your scope We are only going to be testing this We’re not gonna test anything else Nicole, can you mute yourself again? – [Nicole] Yeah, I’m just, yeah – Your keyboard is like wicked loud Thank you Okay so we wanna make sure that we are only including in our context things that we actually wanna scan so we don’t scan things by accident that we didn’t mean to So now that we’ve set our context let’s go back to our test plan We wanna enumerate We wanna spider our URL So let’s go back here and let’s press the Apple button, or whatever, the control button if you’re in Windows We’re gonna click attack And we’re going to click the spider button Spider’s gonna come out and look like this You’re going to make sure that what you are scanning is the URL that you believe you should be scanning and nothing else You’re gonna scan in your default context, so you’re like this is the scope that I intend to scan and that’s it You wanna do recursive unless it’s a content management site In which case then it will be creating its own things that becomes a giant mess But this app is like a true web app, and it does not create content itself recursively as you use it So it won’t get into a crazy loop You have other options here, but basically for today this is all we need So we’re gonna click Start Scan What it’s doing right now, in this like three seconds that it takes to run it is it is going through every single different part from this URL to see if there is anything there that it is unaware of It wants to have a list of all of the stuff So look, there’s a get, there’s an about page, we have some assets We have some jQuery, of course we do This is all the stuff that it thinks that we have Let’s open up the, and up here, wait, wait, wait Okay And then we have a login get Mmmmm, that’s
interesting If we look at our alerts page, Zap has already found that some things are disconcerting It hasn’t touched anything It’s just looking at the responses and the requests to see what’s happening So, X-Frame-Options header is not set I definitely suggest you set this It thinks that there’s a private IP disclosure Oh look, there– – Oh there is – There is one, oh my gosh Nikki I thought it was like an example but dun dun dun Use– – So – Yeah go – [Nicole] Yeah and the cool thing here is like, there is like in the description field there’s like helpful little hints here, right? So like you might say what is a private IP address? And Zap is like, okay, a private IP address is anything that starts with 10.x, 172.x, or 192.168 So those addresses are not routable on a public internet, right? They’re essentially private address space or define RFC comments on, so you can’t use those on the public internet So whenever you see those on a web server or on a website, right, there’s all sorts of assets that have to get pulled down when you hit a website, right? There’s like CSS files, JavaScripts, whatever, images All sorts of files Like ad networks and things like that So sometimes when developers like are, make websites they have local paths that they’re using, like relative mobile paths And those could be an internal IP address, right? And in this case it’s exactly what’s going on here So the developer, which was me, screwed up, and left a local IP address in there And that was a relative path to that PDF It would give me (mumbles) So what’s the danger here right? Like who cares, right?
What the danger here is like we were talking about pivoting and like enumerating more information about a specific target or a web app I now know that the internal IP address structure is 10.0.2.15 or 10.0.2.x, whatever So I know a little bit more about like the internal network that I am potentially looking at here So it’s just information disclosure Like it’s (sound distorts voice) applications – I’m sorry, you cut out there for a second, Nicole Could you repeat the last sentence?

Someone was messaging me saying they couldn’t There we go – [Nicole] Basically you just wanna make sure you don’t include local IP addresses in any of your web paths, right? It’s considered a vulnerability because it can allow an attacker or an adversary to just understand a bit more about the structure of your network, and so that’s why it’s ranked low and has the yellow flag It’s not critical This is not gonna cause destruction, but it’s just one of those things you just wanna be mindful about So it turns out that we are not seeing the comments from Mixer and restream.ca Sorry about that everyone, that completely sucks Okay, so lots of people are trying to download it and it’s not working Hmmmm And so it’s streaming It’s far behind where we are, which is fine You are frozen, Nicole, dammit I feel like I’m streaming too many things – [Nicole] Yeah, I’m gonna try to – Yeah So let’s see, can I see live what’s happening No no don’t do it, update, no don’t do that – [Nicole] I’m following all the Twitch comments, but those are not consolidated comments? Is that what– – Yeah, these are on Mixer, the other link that I sent you in the chat – [Nicole] Got it, I’m there, too, sorry – No, no it’s okay, thank you So someone else, someone’s having trouble with VMWare, and then other people are just having trouble downloading the VM Sorry we missed all of you and your comments, folks And I don’t know why I can’t see the comments here – [Nicole] Oh man, I need a Microsoft account for this (sound distorts voice) – Proxy settings Okay proxy settings, 127.0.0.1 for HTTP and SSL Port 8080 Okay, so restream chat kinda sucks Thank you, Franziska for trying Restream.io, like your chat thing is, like why was this not updating? Why did I not get to see any of this until just now? 
Rrrrrr Okay, so in short I need a moderator Got it Okay I’m trying to decide what the best course of action is, if we should go to the next step or if we should just help everyone get up to where we are I’m just gonna briefly go over the proxy settings again for anyone that missed them We go to the hamburger We go down to Preferences We go all the way down to the bottom, and that’s in General on the left, the top left that’s in blue We go to Network Proxy which is at the bottom of the general in the Preferences and we click on Settings And you want it to look like this If you can, take a screenshot of this right now and then you just have it So you wanna click on manual proxy configuration Your proxy is at 127.0.0.1, which is your loop back address, also known as localhost You wanna click this check box so that everything is using the loop back You want your port to be 8080 and you click OK Then we come back up here We’re gonna close this You should be able to refresh this, then, and you should be seeing it You should be seeing it here in your list of sites If you’re not seeing it there you are having a problem Please ask in the chat, we’re trying to look at all the chats now If you are having trouble downloading it you can install something called WGet It’s W-G-E-T I think I saved, I shared a link to the page where you can download that No I closed it, okay

But just look up WGet There is a little app that you can download, and then you can take that same link that we shared earlier, this link – [Nicole] Yeah, and if anyone’s having trouble, if you just put a WGet in front of that URL, WGet is like the command line browser If you just pop that into your host’s terminal, I don’t know if that works on Windows I doubt it does – It doesn’t really– – Does it? – It didn’t work on my terminal Like when I did – [Nicole] Did you have WGet installed? – No exactly, so you have to install WGet first – [Nicole] All right, that’s a whole thing, sorry – Yeah, that’s okay We are learning as we do this – [Nicole] I don’t know, maybe we could just, is Chrome native on, Chrome native (mumbles) – So we’re used to being in person with people and we just hand them a USB key, and then we can actually see what’s wrong with their screens so that this all goes a lot better However, sometimes you just have to make do with what you do when you do a workshop So I guess next time we need even more of us to run the workshop and maybe one of us should be in charge of Twitch and one of us in charge of Mixer and one of us in charge of a lot of talking Okay, I’m gonna continue on so that some people at home you might have to look at the recording later, I’m sorry But I bet a lot of people right now are like I’m totally with you and I’m bored So I’m gonna continue So if we go back to our plan, we have now enumerated We have enumerated and we have spidered our URL and now we’re gonna do some manual exploration of the site Oh actually, one other thing we wanna do, is we wanna make sure we’re doing passive scanning So right click on localhost again, or does it already do, oh it just automatically does passive scanning Oh yeah, it’s not like Burp where you have to tell it to do it Nikki your typing is loud again – [Nicole] Sorry guys – It’s okay – Stupid keyboard – I know your keyboard is vocal, but man can you ever, you can really type – [Nicole] It’s a
good thing I’m not using my Cherry MX brown switch keyboard You would have hung up on me by now (laughing) – Okay, so now we’re gonna do some manual exploration of our site So let’s go to our site You need to go to each part of the functionality of your site The reason that you do this, let’s see if we can make this bigger, the reason you do this is so that Zap can see everything ‘Cause Zap can’t get into everywhere So let’s see if we can, we’re gonna copy this Oh crap I pressed the wrong key again Okay I pressed control C instead of, yeah, I pressed Apple C Okay, so press control C, and then let’s go into our users account Oh we’re already logged in, that’s amazing So let’s try logging out Okay good So let’s try logging in now We’re gonna use the username and password that’s on the site Let’s sign in And then the password is all lowercase password because we are classy We’re gonna click sign in Oh don’t save this No one wants that Don’t save it So hi, Armand Schneider Okay, so let’s go look at our account Let’s look at my bank account, ’cause I’m Armand So we have a, oh we have a picture, too, that’s awesome So just enter your bank account number, give it a name, and we will download the rest Okay, so my account, and let’s give our own bank account number, so it’s gonna be this And I’m gonna submit it – That was good typing – Thank you Okay, so it added my bank account I made it nice and long to be annoying And let’s look at what else is in

Let’s look across Okay Oh, it’s so nice that you put money in my account, Nikki That was really thoughtful of you – [Nicole] Yeah, (sound distorts voice) (laughing) – So the reason why we’re doing this is because Zap needs to see every part of your app, and it can’t necessarily figure this stuff out on its own So you would do all of the functionality of your app specifically so that Zap can examine it And while you’re doing it you would do abusive things For instance, you would put a ton of characters in the account name and you’d put something like a single quote and then you’d see what it would do So let’s put a single quote and submit that and see what it does Oooo, bank account cannot be added Are you sure that your account number is alphanumeric? No I’m not so let’s put a bunch of single quotes in there And then let’s put an account number K, so there’s our account number You would go through these things and just act like a jerk, right? And the reason that you’re adding things in like this is because you wanna see if you can make your application act in a way other than it’s supposed to So let’s go look at the all users page So obviously if you’re running a bank account, or a bank, you wouldn’t want everyone to be able to see everyone’s information That doesn’t make any sense, right? But this is the worst bank on the internet Pardon? – [Nicole] Sorry, I said (sound distorts voice) blockchain – Unless it’s the blockchain So let’s check out Rita Let’s check out her and see what information we can see So it just tells us that the person’s name is Rita and gives us a picture so that’s it So let’s go back Oh, and she’s user number three Hmmm What if we make user number two, what happens? 
Oh look, it shows us someone else, that’s really interesting These are the type of things you would wanna take notice of Because you don’t want users to be able to go through and check every single thing about your app – [Nicole] Right, I think that’s actually the insecure direct object reference vulnerability in the OWASP Top 10 – It definitely is, Nicole We’re gonna have– – So drop that– – We’re gonna have the team from the OWASP Top 10 come on the show in a few weeks I’m pretty pumped We haven’t picked a date yet, but I wanna talk about the top 10 Okay so, behind this, so Nicole and I have developed software for a long time We know how to code And when we look at this immediately we think what is behind this? Select image and first name, last name from table users where table like single quote percent sign and then whatever we paste in here, that’s probably what’s happening So if we add extra stuff into it what could happen? Well, let’s add a single quote here and see what happens Did I press– – [Nicole] So while we’re waiting for that, I’m just gonna also give you guys another tool, another few tools that are really good for identifying the type of technology that may exist on web application – I’ll be right back – [Nicole] So that’s also a big component of testing a web app Like you gotta kinda understand like, what is this running on? Where is it? Like what is it? Is it like rails? Is it Angular? Is it Node? Is it .NET? Is it PHP? You know, all of that kind of stuff And so you sort of wanna figure that out immediately, right? And there are certain obvious ways to figure that out, right? 
That obviously, like, we know that this is Rails because we started it up But if you didn’t know there are two good tools, and they both work in Chrome and Firefox And one is called BuiltWith, and I’m gonna paste those all into our chat windows, and the other one is called Wappalyzer, I think that’s how you say it, and what those do is they basically let me just finish my paste, they will basically try to enumerate a little bit about what’s going on on the web application So like for example, I’m in Mixer right now, right? And I have these extensions running And Mixer is an Angular trademark, right? It’s running on Angular I can see that ’cause Wappalyzer is telling me that So these are just good ways to like try to figure out a little bit more about what’s going on in the web app You know, there’s nothing wrong with doing this You’re just sort of trying to figure out technology behind it So just a little helpful hint Sometimes the server will tell you Sometimes the server (mumbles) will say hey, I am .NET’s version 4.0.1.2,

you know, something like that And then you can tell that way But if it doesn’t say that you might be able– – Oh Nicole you cut out – [Nicole] Oh sorry and my phone just died Yeah, I’m just saying, just try those plugins You’ll figure it out what they do, but they’ll just tell you a little bit about the technology on the web app and then you can use that to try to figure out what sort of vulnerabilities to test for – Cool So I just wanted to point out that we added a single quote, and now instead of just getting a photo and a name, we’re also getting some headers for email, statement, admin, and remember_me token So if you add a single quote into something and then all of a sudden it acts different, life is bad So if you put a single quote and then you put two single quotes, something’s going on Right, so that means that we are, oh look at this It gave us the remember_me token That’s very bad This is your session ID which can be used to impersonate you Let’s see what else we can do with this So so let’s look for Tanya or wait, wait, wait, let’s look for Tanya and then let’s and our SQL and then say or one equals one and then let’s end comment the rest of it So if it was select star from, select photo and name from table users where name like and then it’ll say Tanya and then it’ll close it and then it’ll say or So you find Tanya or true And then we’re gonna end the statement Let’s see what happens Uh-oh So that’s not good Let’s see what else we can do The reason why, Nicole your typing’s crazy loud – [Nicole] All right, all right (laughing) – Okay so this is an uncaught error message This is the SQL database telling us basically how to make our hack better This is really, really bad This is really scary You always wanna catch your errors not only so you don’t have just garbage on the screen and it’s embarrassing to the user, but the other reason why you wanna catch your errors is so things like this don’t happen where it gives, like look at all the details it’s 
giving us And we could click on the stack trace and everything, but basically all we need is this SQL error and then we go back So let’s fix it Let’s make it better – [Nicole] Yeah, so just to continue with the SQL injection, so what Tanya just did here was she basically put in an always truthful kind of query, so you know, if anyone has ever written SQL before you sort of know that the convention is select all or select a field from a table where some conditional is met, right? So this conditional here is where username equals Tanya, right? So the word Tanya is in there But then Tanya also added an apostrophe or a single tick mark, right? And what that does is that basically truncates the string So it closes out that one string of Tanya and then she’s continuing to write her own SQL at that point So she’s writing or, a conditional, one equals one, right? Or another apostrophe And that second apostrophe is just (mumbles) because on the server side there is an apostrophe in the server code so you wanna make that work well Before when she got that error message she was missing that last apostrophe, which is why you got that error message So (sound distorts voice) and then whenever you see like an error message that spits out anything SQL related, that most likely means that there’s a SQL injection vulnerability on their website, right? A SQL injection, I think for the last decade, has been OWASP number one on the top 10 It is a very destructive vulnerability It can be totally levered up into a very destructive exploit as well because with that you can manipulate the databases to give you all of the data that you want in the databases, and you could potentially execute code on that database server itself So you’re basically, at this point, Tanya is executing SQL code on a web app That is not, that is not a good thing for a web app – Yeah, against your database I’m talking to your database You do not want, well Nicole and I are nice white hat AppSec types of hackers

You don’t want hackers talking to your database But, but with that let’s talk to the database Oh no (laughing) – [Nicole] So somebody just asked if developers still make this mistake It seems so well known And this is sort of like, I totally feel you, it is so well known And you kinda think you’re never gonna find this in the real world I thought this for years Like the SQL injection’s going away It’s never gonna happen again People know And there’s all these libraries that sort of help you not make this mistake by accident I see it all the time It is like still out there It’s still number one in the OWASP Top 10 I am just as surprised by it as you are But you know, databases are such an important component of driving most web apps, and even if a framework does prevent SQL injection vulnerabilities, sometimes you have to go outside the framework and you have to get things done quickly or you don’t realize that one certain field, it could just be one little minor field on a get or post request that is not being properly sanitized, and that’s one, that’s all you need is one field, just one field So you still see it and you still have to test for it And if you’re a pentester or you’re an aspiring pentester this is like you have to test for this regardless So your job is to make sure that this doesn’t exist, right? 
I mean if it does exist it’s great for you, it’s a lot of fun to play around with this kind of stuff But to make sure that it doesn’t exist you still have to go through these motions of testing to make sure it does not exist And I think as we move forward in our live streaming here we might do like a Sunday class about SQL Map, which is like the predominant tool in testing for SQL injection and exploiting SQL or actually leveraging it into a full blown exploit where you can dump the entire database, the tables, usernames, passwords, and things like that So we’ll schedule that, too – It’s super powerful and also super fun (laughing) Okay, so now let’s get back to Zap So let’s assume that we have gone through every single input and been as abusive as possible because we have limited time today So let’s go back to Zap That is the question mark on the left here So the last step, if we go back to our plan, is we need to do an active scan So we turned on the interception with our proxy We set our target so we know we’re only scanning the thing we mean to We’ve enumerated, we’ve cataloged all the things in the URL We’ve now done manual exploration and abuse of the site and now we’re gonna attack So we right click, I mean, we Apple click depending upon which computer you’re on and then we’re gonna click Active Scan So you need to check this box The first time you start Zap you won’t have this You need to click this box so that you have all of these things come up here You’re gonna check that your scope is the thing you intend to scan and nothing else is in there, right? 
And then we’re gonna go to policy Ignore the rest When you learn more about Zap you can do things in the rest But for now what we wanna do is we wanna go to policy And the thing we wanna check here today is that our Default Alert Threshold is set to medium You can have high, low, or medium Low means just alert on anything that might be anything High means only alert on something if you’re absolutely sure that it is a vulnerability But we’re gonna click on medium because we wanna find a lot of stuff but we don’t want it to be too much And the other thing is the attack strength So you have low, medium, high, and insane I think that the insane has been changed to oh what is the new word for that? So that it makes more sense of what it is So high, low, medium, high, or intensive Which means, and it takes a long time So because we’re gonna save time today, so I suggest on your own running it on the highest mode, but for today we’re just gonna click medium And then– – Tanya – Yep – [Nicole] Just go back to the scope for a second? Yep, somebody pointed out that it should be 3000 not 8000 – Oh – So – Oh – That is the correct You are right – Oh my gosh Actually let’s just click cancel Oh it’s because it’s looking at It’s ’cause it’s looking at Pixies – [Nicole] Yeah, Pixies – Okay so – We do have another web app running on 8000 but we’re only focusing on 3000 right now – Okay, so thank you, – Thanks guys – very much for making sure we don’t hack the wrong thing I’d like to note that’s the most important thing ever Yeah (laughing) Oh my gosh What a lesson, eh?

Okay, so again we’ve set our policy and it’s medium and medium I know those are the defaults, but I just wanted to tell you that those are things that in the future that you may wanna adjust So if you are gonna run this at home, because it’s just local within your VM you might wanna turn up the settings But we are saving time So we’re gonna click Start Scan So it is going to run And what it is doing, it’s taking all the information that we previously gave it Typing sounds (laughing) – Yup, yup, thanks – And it is running scripts against your application, and it’s looking to see if it can find things So when we did that injection, so if we go down here to Alerts, we’re gonna click the Alerts button We’re trying to click the Alerts button, I’m not sure what’s happening My VM might be freezing At some point it’s gonna let us turn on our Alerts Okay, well, it’ll happen – [Nicole] It’s gonna get there once it’s done scrolling I’ve seen that before – I know, but it’s only at 2% Oh there we go, okay perfect So here when your scan is done it’s gonna show you all of your problems that it has found It is not gonna find, because it’s an automated tool, it’s not gonna find every single thing that’s wrong with your app You still need someone with an evil brain and lots of knowledge to find everything, but what you’re trying to do as a software developer or as someone that’s new, you’re trying to find all the easy stuff Because if you could find it in five minutes, that means bad people can find it in five minutes, right? 
So these are the things that you absolutely need to fix So if we look, it thinks that it has found path traversal, which it probably has It certainly thinks that it has found application error disclosure, which means not catching your errors, which it definitely, definitely is vulnerable to And again, we see our X-Frame Options Header, our security header is not set Another security header is not set There’s a lot of problems with this web app and it’s not even done scanning yet So what you are going to do is you are going to keep running the scanner until it’s done Just a second, let me go over to the active scan and see where we’re at Okay, it’s just frozen now Awesome Okay, so I’m not frozen anymore so let’s go into active scan, are you gonna let me? No you’re not, okay A second Oops Let’s see if I can get my cursor back It’ll be fun Okay, so there’s my cursor I’m going to go down here I believe that actually I already have a copy of our, our report so we can just review it now, a second, so we’re gonna go File, Open File No don’t go there We’re gonna go to Presentations We’re gonna do to DevSlop We are going to go to I think this one And I think our report should be here It’s not Okay, so that’s unhelpful Maybe it’s in here – [Nicole] Does it look like it’s hanging or what’s going on there? – I don’t know – [Nicole] Let’s see – Oh good It’s starting again now Yeah, it appears to be not super responsive – [Nicole] Yeah, I think your computer is like, yo – Okay – Oh there, it’s going – It’s going, but I don’t want it to run this whole thing ’cause that’s gonna take a long time So if I could get my scanner, if I could get my cursor back I’ll stop it But you, in the audience, should probably let it continue Trying to stop it, trying to stop it This is what happens with workshops It’s always like some sort of technical thing that goes wrong Okay, well it’s getting to 10% so that’s better However, what is this? Okay great Okay, Nicole, do you have a copy of our report? 
I know I have a copy of the–

– [Nicole] I’m looking right now – I know I have a copy of it ’cause just seeing the report is really important Open File Maybe it’s on my desktop I thought I moved it out of my desktop, though, so that I would not have like so much crap on my desktop Pixi – Pixi, oh Pixi Zap report – We could look at that but it’s not quite accurate 52% (laughing) I definitely know that– – [Nicole] I guess we could talk about what it’s doing while it’s actually scanning – Yeah definitely I invite you to talk about it Also, try to re-stream See if we can see you – [Nicole] Yeah I’m gonna try that again Let’s see – Here it is duh duh duh, found it This is the final report But do you wanna talk about what it’s doing first? And then let’s see– – [Nicole] Sure (sound distorts voice) it’s actually a really good PowerPoint on this I’m gonna upload – Okay (car alarm honking) – [Nicole] Oh sorry you guys, I live in New York City (car alarm honking) Sorry for the car alarm – Do you want me to talk until the car alarm’s off? And then you could like mute – [Nicole] Oh I think it’s off now – It’s off, perfect – Yeah Yeah so what it’s doing in active scan is it’s basically initiating a ton of requests to the website, and it’s looking for fields, and how does it find fields? Like how would you find fields? You would look for the form tag, right? Because the form tag is what is the tag that would hold all those fields, right? 
A form has to go somewhere, it has to get submitted Whatever and look for fields in form tags, look up fields in URL, variables like a get variable So what it will do is it will test every field And it will try to throw all sorts of junk in these fields It’ll try to throw in some cross-site scripting, and to test your cross-site scripting you wanna see if it’ll execute the script tag or a bold tag or an italic tag, something that the web browser will actually execute on the client side So it goes through a lot of like iterations in doing that This is why it takes so long, right? And it will also look for a common, like a robots.txt file It’ll look to see if it could like traverse directories, like ../…/../etc password Things like that If your web server isn’t properly configured, then it could actually get out that far and go see Or if it’s running as root and it can see documents like that on your file system So it does like a variety of those, and I’m gonna upload this PowerPoint that goes into a lot of how it does this But that’s what it’s doing – Cool, cool It seems like it has stopped being frozen again And we can see, so, car sec is the next presentation (laughing) Car sec – (mumbles) that’s cool – Thank you to the Weasels Twitch for pointing out that we were hacking the wrong site, ’cause that could be very bad Okay, so let’s make this smaller again and let’s go back to here Okay, so we’ve managed to get our VM to stop because I have just too many things running on my machine and it’s gonna explode soon I’m using a microphone so hopefully you can’t hear my fan going on high It sounds like my computer is gonna take off I’m sure that that’s not good for it, but anyway Oh, I see you again, Nicole Hi, what’s up – Yeah, hopefully it stays, I don’t know – Okay, so once your scan is done running, you are gonna click on the report button, the field at the top of Zap, sorry, the menu at the top of Zap, and under Report menu you’re going to choose Generate HTML Report 
You’re going to click that button You’re gonna tell it where to save it Let’s name it MyReport We’re gonna click save Once you are done running the report it is gonna look, well it’s gonna open it up for you, however, actually let’s just take a look at it here since it’s running So it will find more stuff, just so you know, it’s also gonna find an SQL injection because, as we saw, that’s in there, and it does find it As a reminder one more time, this does not find every single thing (car alarm honking) You still need someone with a lot of security knowledge to ensure that your entire app is safe, but you wanna do this so you catch all the low-hanging fruit So yes, this is not the most beautiful report you will ever see, but this app is free and free with accurate content is much more important than having a pretty app, or a pretty report Okay, so it says we have one high, two medium, and six low And then zero informational I’d like to note you should read the informational because sometimes the information’s really helpful and sometimes it turns out that a bunch of informational things together with a low equal a medium Okay, so the first one is path traversal Do we wanna talk about that one? (car alarm honking) – I do but I’m just gonna wait until this (sound distorts voice) So, yeah So path traversal was what we were describing before (sound distorts voice) you could like traverse like a web app and you could do things like /../ and like break out of the actual website and like move around So you can traverse pathing So that’s what that is I’m just trying to read ’cause it sees it on a JavaScript Guess it worked Huh So the other thing with a lot of automated scanning is that there could be false positives, and we should get into what that means, like a false positive Automated scanner is only as good as an automated scanner can be, right? It’s just sort of making decisions to try to figure out, like it’s best effort kinda thing So does it find everything? 
No, it’ll never find everything You can never rely on automated scan to find everything But it can point you and orient you in good directions that are useful for you to continue the project But it does find false positives Like I was looking at a gigantic app scan report recently, and you know it told me that it found social security numbers on the app (sound distorts voice) social security number So it just had (sound distorts voice) nine digits and claimed that was a social security number It was not So that’s like an example of a false positive So there can be false positives in reports You should never rely on automated scanning reports to just be completely truthful, it’s trying to be truthful but it might get things a little bit wrong So that’s just something to look out for – Something else I wanna point out in this report is that it gives you a description and then it gives you the URL that it found it on And this means you can try the attack yourself so you can see if it worked or not Then it tells you how many instances there are And then it tells you a solution, so something that you can do to fix it It gives you references which are awesome ‘Cause this will tell you more about how to fix it There’s almost always something on the OWASP.org website with details of how to fix it, which I find super duper helpful If we continue through the report, ’cause the most important part, I feel, of this report is what’s wrong? Where is the problem? And how do I fix it? Right? 
So here it’s telling us we’re missing a security header and we are missing it everywhere Everywhere possible that it could be missing, it’s missing And then most importantly it gives a reference that you can follow with details of how to fix it It’s really helpful You can’t ever tell a developer here’s a problem and then not give them any hints on how to fix it because, well you can, but you’re not gonna be popular and you’re not gonna be being very helpful It also found application error disclosure, which we saw when we made the SQL database error and it spilled out onto the screen And we saw that that was extremely bad because it told us a lot of SQL information of how to launch a better attack So in this case, it’s saying that it thinks it’s medium However, I feel, because of the specialness, of this situation where it’s telling us essentially the technical information we need so we can launch a better attack that this would be high or critical And yeah, so when you read the level that it’s telling you, it’s telling you in general that that’s what they think it is, but you might have a business risk situation where it’s actually much more intense than that It’s telling us again we’re missing a header again So basically we’re missing every security header that anyone could be missing We’ve done a couple episodes about security headers We’ll do a few more Franziska’s writing an awesome, super detailed blog post about it, and then I’m gonna write like a small summary blog post about it, so you can have lots of detail or just brief detail, because we feel security headers are really important and that they are basically the seat belts of the internet They’re not sexy, they’re not exciting, but if you get in the habit of using them they will help you out in certain emergency situations If we scroll down a bit more I think there’s one or two more things Okay, so again we’re missing another header Cross-site scripting protection So not every browser respects this header, but it’s really important for your app to turn it on This means if the user’s turned it off you turn it back on, and it basically helps to protect for cross-site scripting attacks in case someone is using your website in a phishing attack and adding a script into it, it tells the browser, no, don’t launch that, that looks really bad It does not protect against all cross-site scripting attacks I think that’s basically the end of the report It’s just gonna tell us we’re missing more headers Oh, and the internal private IP address disclosure, which we had talked about earlier But the reason why we’re going over this report is we want you to know the Zap is going to not only tell you where it thinks there’s problems, it’s gonna tell you how it thinks you should solve them So always look at the references and the solution, like remove the private IP address from your response body So that’s good Is there anything else you wanna add to this, Nicole, before we go on and kind of finish the workshop up? 
– No I think I’m good (car alarm honking) Oh this car alarm, oh my god – I’m so sorry – I think I’m good, I’m good – Okay cool So let’s finish up So if we go back, so we’ve done our entire test plan We did the entire demo which does not include remediation We’re not actually remediating the things here What we’re doing is we’re actually telling you how you can find the answer to remediate The OWASP Wiki is the best place to find answers, so if you do a search on whatever your preferred browser is, whatever your preferred search tool is and just look up OWASP and then whatever the thing is that you’re worried about You know, path traversal or SQL injection or whatever, there’s probably a cheat sheet And again, that’s an OWASP project that we’re gonna discuss in the near future on the site But the point is we want you to know where to find answers Okay, so my favorite slide You are not a hacker, yet So Zap is not fool-proof It’s not gonna find every single problem and there will be some false positives, results that it gives you that truly aren’t actually a problem It’s up to you to use your newfound knowledge to decide what you think is real and what’s not The point of this exercise is for us to find all of the simple things to find and fix them early in the system development life cycle, as early as possible, because it costs less and it’s easier to fix it then If you want a really high level of security assurance, you definitely wanna also hire a penetration tester You wanna do as many things as you can, right? 
So you running this automated tool is not gonna find everything But over time you will get better and better and find more things and we encourage you to do that We also encourage you not to use this tool for any illegal purposes Please don’t use this newfound knowledge to be a jerk Use this newfound knowledge to be helpful Use the resources that we pointed you to like the OWASP Wiki We know it’s ugly, we know 1994 called and they want their Wiki back; however, the information on it’s really awesome And we’re hoping that you fixed the bugs that you find Oh, so we did the workshop And oh, okay, so that’s it That’s our last slide, Nikki, because the other half of this is Pixi, which we will have to do on another day Is there anything that you wanna leave the audience with and then I’ll do a summary and then I’ll say we’ll do the happy goodbye wave – Yeah, I mean I think like learning proxies, I mean we only scratched the surface here with that web app testing So I think the best way to do this is to find as many web apps as you can There’s a ton of them out in the internet, and you can link those as well, like where you could find vulnerable software to test And just mess around, like on software you have That’s the best way to learn this stuff, is find vulnerable web apps, put a proxy in front of it, play around with the tools and sort of just like commit to a learning, like progressive learning here I mean nobody knows how to do this by themselves We all learn, we all taught ourselves this stuff So it’s just that the curiosity you wanna sort of maintain so you can kind of figure out where to go next And remember, like you just Google your way through it and ask questions and Google And this is the way to get to be a much better and more competent application security tester – Definitely, definitely So thanks for coming to the OWASP DevSlop Sunday show We stream every Sunday at 1 p.m. Eastern Standard Time, and basically we do AppSec, CloudSec, just like general OWASPy nerdiness We’re trying to cover a bunch of the major OWASP projects This is Zap we covered today But we’re gonna cover it again in more depth, don’t worry There will be more Zap I’m Tanya Janca, this is Nicole Becher, and we are two of the project leaders for the DevSlop project And today we gave you a super duper, soft, gentle intro to how to hack your own apps And we hope that you use this knowledge for awesome stuff in the future Yeah, and that’s it Thanks for joining us We really appreciate it Do you wanna do– – Yeah, thank you guys – Shall we do the happy goodbye wave? – Do it, yeah let’s do it – Okay, bye everybody, thank you Thank you for–