Blog: SANS Penetration Testing: Category - web pen testing

Blog: SANS Penetration Testing:

SANS Python Pen Testers | Exploit Heartbleed Vulnerabilities | SEC573

Pen Testers use Python to assess HeartBleed vulnerabilities.

By Mark Baggett

Unless you've been living in a cave without access to the outside world, you already know that OpenSSL 1.0.1 suffers from a serious vulnerability that allows a remote attacker to extract data from the memory of a target computer. The vulnerability was first made "public" (by varying definitions of the word "public") on April 7th. The events leading up to the disclosure are interesting. If you haven't reviewed them, the Sydney Morning Herald does a great job of outlining the events leading up to the disclosure. Check it out here:

http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

So while it is clear as mud who knew about the vulnerability and when, it is very clear what happened

...

Winners of the SANS Spectacular Pen Test Video Contest

Ladies and gentlemen, boys and girls, friends, Romans, and countryman,

I'm delighted to announce the winners to our SANS Spectacular Pen Test Video Contest. Back in January and February, we asked folks to channel their creativity to share some great tips, insights, techniques, and inspiration with other penetration testers. You can read the contest description here.

We got some FANTASTIC entries, and we'd like to thank all who participated. Entries included numerous great technical tips, interesting "acting", noble attempts at humor, and even one Rick Roll, naturally.

So, without further ado (thanks, Ted, for your gracious input), let's announce the winners (click on each picture to see the video). We'll announce the victors in our four categories first, and then select from among them for the GRAND prize winner.

First up, our

...

Web App Tips, Tricks and Resources

[Editor's Note: Here is the fifth in our series of penetrating testing tips drawn from the UltimateSANS Pen Test Poster. This time, our focus is on specific recommendations from Kevin Johnson about web app pen test tips, tools, resources, and other recommendations. Really helpful stuff. Thanks, Kevin!

For earlier posts in this series, feel free to check out:
John Strand's tips for network pen testing.
Steve Sims' tips for exploit development.
Josh Wright's tips for mobile device pen

...

Putting the MY in phpMyAdmin

[Editor's note: In this article, Tim Medin walks us through a few steps of a recent pen test he did, wherein he exploits phpMyAdmin. The best part of this write up is that he shows the mindset of a pen tester as he methodically attacks the target system step by step. In the process, he provides some good insight into exploiting PHP flaws via a MySQL instance running on a Windows target as well. Nice! --Ed.]

A wee time ago on a pen test not far, far away, I was looking for that first toehold; the first shell that split the test wide open; my entry into the target; the toe in the door; the camel's nose in the tent; the first part of the whatever that gets into there wherever that it shouldn't be in the first place. I kicked off an nmap sweep using the http-enum script, in hopes of finding an interesting web server with an even more interesting set of directories. Here is my command:

$ nmap -sT -T3 -PS80,443,8000,8443,8800 -p 80,443,8000,8443,8080   ...

Pass-the-Hash Web Style

[Editor's Note: My goodness, there are a lot of ways to get authentication wrong in the web application world. In this article, my esteemed pants-wearing colleague, Tim Medin, describes a couple of problems we frequently find in web application penetration testing, and how to operationalize attacking them in your pen test projects. --Ed.]

We all know about the Pass-the-Hash technique as it relates to Windows systems, but what about on the web? No, I don't mean Windows web apps either. I'm talking about a different kind of pass-the-hash, one where the web app developer congratulated himself with an ingenious security feature, but almost completely missed the goal in securing the application's authentication.

Let's start off by looking at the normal flow for web app authentication:


  1. Present authentication form to user

  2. ...