Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers

Presented at DEF CON 17 (2009), Aug. 1, 2009, 1 p.m. (50 minutes)

Injectable exploits focus on the exploitation of major web flaws during penetration tests. Two new tools will be released that expand the foothold penetration testers can obtain through SQL injection and XSS flaws. These tools provide greater insight into the network hosting the web application and the networks in which the users are located. We will also discuss the live CD environment that includes both tools.

Yokoso! is an infrastructure fingerprinting system delivered via XSS attack. This project contains two different parts: the fingerprints, and modules for the various browser exploit frameworks. The fingerprints identify web applications deployed in the user's network, such as web administration interfaces to different IT management systems. The modules portion contains code to perform two basic attacks. The first is history browsing, which determines whether the user has visited the sites of interest. This reveals whether the user is an administrator or power user. The second attack module within Yokoso! initiates requests to map the infrastructure of the user's network.

Laudanum is a collection of injectable files that are prebuilt to perform various attacks within a network. These files are injected via SQL injection attacks. The individual files are placed into scheduled jobs or the web root of database servers. This is accomplished by exploiting SQL injection flaws within the web application. Laudanum includes various attacks such as shells, proxy capabilities and data collection tools.

A major feature of both tools is their scope-limiting capabilities. Many similar tools lack the capability to identify target hosts before performing exploits. Both of these tools allow a penetration tester to specify target restrictions based on external IP, internal IP, and hostname.

The final portion of the talk will cover SamuraiWTF. SamuraiWTF is a live CD environment focused on web penetration tests. It was released during DEF CON 16 and has had four new releases since that time. Both Yokoso! and Laudanum will be included on a new version of SamuraiWTF released at DEF CON this year.

Presenters:

  • Frank DiMaggio - Security Researcher
    Frank DiMaggio is a manager of the Intel server team with a large insurance company in the South East. He has been in a systems administration role for over 18 years, working with small and medium sized businesses in North Florida. His experience is with Microsoft, Novell and Linux Operating Systems. In his spare time he contributes to open source security projects such as BASE, SamuraiWTF and Yokoso!
  • Justin Searle - Senior Security Analyst, InGuardians
    Justin Searle, a Senior Security Analyst with InGuardians, specializes in security architecture and penetration testing. Previously, Justin served as the IT Security Architect for JetBlue Airways and has provided top-tier support for some of the largest supercomputers in the world. Justin has taught courses in hacking techniques, intrusion detection, forensics, and networking and has presented at a number of security conferences including DEF CON, ToorCon, Shmoocon, and SANS. In his spare time, he helps lead and develop several open source projects such as The Middler, SamuraiWTF, Yokoso! and Laudanum. Justin has an MBA in International Technology and holds several industry certifications.
  • Kevin Johnson - Senior Security Analyst, InGuardians
    Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time contributes to a large number of open source security projects. Kevin founded and leads the development of the B.A.S.E. (Basic Analysis and Security Engine) project. The BASE project is the most popular web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both the Incident Handling and Hacker Techniques class and the Web Application Penetration Testing and Ethical Hacking class, of which he is the author. He has presented to many organizations, including Infragard, ISACA, ISSA, RSA and the University of Florida.
