HUNT: Data Driven Web Hacking & Manual Testing

Presented at AppSec USA 2017, Sept. 22, 2017, 10:30 a.m. (45 minutes)

What if you could turbocharge your web hacking without having to sacrifice efficiency? Since pure automation misses so much important information, why not use powerful alerts created from real threat intelligence? What if you had these powerful alerts as a plugin in a tool that is so ubiquitous in web hacking that it's synonymous with its very definition? What if this plugin not only told you where to look for vulnerabilities, but also gave you curated resources for additional exploitation and methodology? What if you could organize your web hacking methodology inside of your tool? Well, dream no more! HUNT is a new Burp Suite extension that aims to arm web hackers with parameter-level suggestions on where to look for certain classes of vulnerabilities such as SQL Injection, Command Injection, Local/Remote File Inclusion, and more! The data that drives this plugin is parsed from hundreds of real-world assessments, giving the user the means to effectively root out critical issues. Not only will HUNT help you assess large, hard targets more thoroughly, but it also aims to organize common web hacking methodologies right inside of Burp Suite. As an open source project, we will go over the data-driven design of HUNT and its core functionality.

Detailed Outline

HUNT's core idea is to parse large data sets of web application flaws and transform the results into a meaningful testing tool. We've taken one of the largest known vulnerability data sets, the bounty data at Bugcrowd, and scrubbed it all down to vulnerability class and parameter name. With this data, we can infer patterns in web application vulnerability locations. Today, one of the things we struggle with as an industry is manual testing for large, complex applications. With the amount of surface area to cover on assessments, we are forced to rely on automation. And while automation is great, it fails to apply the years of experience we have as pentesters in identifying edge cases in web vulnerabilities that cannot be easily found by anything other than a human.

HUNT will log and alert on commonly vulnerable areas for manual testers to look at, based on the collective knowledge of hackers all over the world. This will help break down complex applications into meaningful and testable areas. We are not aiming to replace scanners in this fashion; instead, we are making sure web hacking gets the manual tester love that it truly deserves.

The tool covers the critical vulnerability classes that can be meaningfully parsed at the moment:

  • SQL Injection
  • Local/Remote File Includes
  • Directory Traversal
  • OS Command Injection
  • Server Side Request Forgery
  • File Upload Vulnerabilities
  • Insecure Direct Object References
  • Server Side Template Injection

Sections of the Talk

The Problem
  • Web hacking training lacks detailed tribal knowledge of vulnerability location
  • Sites are larger and more complex than ever, and even harder to test thoroughly with current manual testing techniques and methodologies
  • No in-tool workflow for web hacking methodologies

The Data
  • Understanding the data set
  • Learning about the data and the patterns discerned from it
  • Examples of vulnerable parameter names from the data (file, document, folder, style, pdf)

The Tool
  • Explore HUNT's install and GUI
  • Explore some sample alerts live
  • Explore HUNT's methodology and tester references
  • Explore HUNT's methodology organization tab
  • Talk about the future and contribution
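The data-driven pipeline the outline describes (scrub findings down to vulnerability class and parameter name, keep the recurring pairs, then flag matching parameters in a request for manual review), as an added illustration that is not HUNT's own code. The findings list and the URLs are constructed sample data, not Bugcrowd's bounty data, and the threshold and function names are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of scrubbed findings: (vulnerability class, parameter name).
# A stand-in for the real data set; the values are invented for illustration.
SAMPLE_FINDINGS = [
    ("Local/Remote File Include", "file"),
    ("Local/Remote File Include", "file"),
    ("Local/Remote File Include", "document"),
    ("Directory Traversal", "folder"),
    ("Directory Traversal", "pdf"),
    ("Server Side Template Injection", "style"),
    ("SQL Injection", "id"),
    ("SQL Injection", "id"),
    ("OS Command Injection", "cmd"),
]


def build_alert_table(findings, min_count=1):
    """Aggregate findings into {parameter name: {vulnerability class: count}}.

    Only (parameter, class) pairs seen at least `min_count` times are kept,
    so raising the threshold keeps the recurring patterns and drops one-offs.
    Parameter names are lower-cased so matching is case-insensitive.
    """
    counts = Counter((param.lower(), vclass) for vclass, param in findings)
    table = defaultdict(dict)
    for (param, vclass), n in counts.items():
        if n >= min_count:
            table[param][vclass] = n
    return dict(table)


def alerts_for_url(url, table):
    """Return [(parameter, vulnerability class, support count)] for every
    query parameter of `url` whose name appears in the alert table.

    This is the triage step: it tells a manual tester which parameters
    deserve a closer look and why, without sending any traffic.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, _value in params:
        for vclass, n in table.get(name.lower(), {}).items():
            hits.append((name, vclass, n))
    return hits
```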

Presenters:

  • JP Villanueva - Trust & Security Engineer - Bugcrowd
    JP Villanueva is a Trust & Security Engineer at Bugcrowd. Before Bugcrowd, JP spent 2 years as an Application Security Engineer and another 2 years as a Solutions Architect at WhiteHat Security helping customers become more secure. JP has also presented at local OWASP chapters, Interop DarkReading, BlackHat Arsenal, and Defcon. In his free time, JP enjoys playing and collecting classic video games as well as hacking on bug bounty programs.
