Archive for the ‘White hacker’ Category

OWASP (the Open Web Application Security Project) is the leading open-source platform for application security. Beginners can find more here:

In 2003 they released a special project called “OWASP Top 10”, which listed the most critical web vulnerabilities of that time. Since then OWASP has published several versions of the Top 10 based on its statistics, and it is now a mature OWASP project.

[Image 1]

OWASP Top 10:

Most organizations, developers and penetration testers use this project as a baseline for their software security, which is good and commendable. Following the processes in place at software companies, they write secure code, verify their business logic and test for security aspects before major releases. It feels like we are getting closer to hack-proof web applications. Really?

In those days we couldn’t find a trustworthy, accessible place to learn about application security. Then OWASP appeared, people started building their web applications more securely, and that still continues.

So far we have been talking about the good side of these concepts. What’s the end result? We are secure!

Not at all.

[Image 2]

When one party is defending all the known holes, the other party is looking for new holes. That is exactly what happens in the cyber security world. IT security professionals stop the bleeding at one edge; hackers attack another edge with different techniques.

We tell the world that we are OWASP compliant, SANS compliant. But our applications are still hacked. We show the world that we have put guards on all the identified entry points. Do you still believe that attackers try the same entry points?

Better not. Every year WhiteHat Security publishes the Top 10 web hacking techniques. Most of the time the top hacking techniques do not target the top web vulnerabilities. If you need examples, here are some:

[Image 3]

Keep in mind that the OWASP Top 10 list we are currently using was published in 2013. Now it is 2016 and we are screaming that attackers are one step ahead of us.

A few nominated hacking techniques for 2015:

  • Abusing CDN’s with SSRF Flash and DNS
  • Abusing XSLT for Practical Attacks
  • Hunting Asynchronous vulnerabilities
  • Logjam and Magic Hashes

You had better google what those attacks mean. So where are we now?

Here are some top hacking techniques from 2014:

  • Heartbleed, ShellShock, Poodle, Rosetta Flash…

Am I saying OWASP and SANS are bad? Sorry, you misunderstood. I’m saying that they are not enough in this game. You can clearly see a gap between the top 10 vulnerabilities and the top 10 attacks. So we need to be creative here, not only apply theoretical security practices to our applications and systems.

This is not a problem with OWASP or SANS; they have done enough, and we should not expect everything from them. We all have limitations. Do your own homework and try to be handsome.
Here we talk about automating our hacking with Nessus and Metasploit Community. You can easily configure Metasploit Community in your BackTrack 5 v2 by navigating to

BackTrack – Exploitation Tools – Network Exploitation Tools – Metasploit Framework – start msfpro

[Screenshot: metasploit community]
Metasploit Community Edition simplifies network discovery and penetration-testing spot checks with specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose, for free.

As in my previous session, we scan our target network using Nessus.

[Screenshot: nessus scan]
Then we save our Nessus report in .nessus format, named “met_community”.

[Screenshot: .nessus]

[Screenshot: save .nessus report]
Next we move to Metasploit Community in BackTrack.

[Screenshot: metasploit community]
Once you log in to Metasploit Community, you will see your previous projects on the dashboard.

[Screenshot: metasploit projects]
We start a new project and provide the relevant information.

[Screenshot: new project]
This is the home page of our new hacking project. No hosts have been discovered yet. Click Import to upload our Nessus scan results.

[Screenshot: new hacking project]
Select the Nessus scan report from where we saved it.

[Screenshot: nessus scan report]
Here is the Nessus report.

[Screenshot: nessus report]
While the Nessus report is uploading to Metasploit, the progress is shown in a progress bar.

[Screenshot: uploading nessus report]
After importing, we navigate to the Overview tab; it has now identified “1 host”.
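What the import step actually reads is the .nessus file saved earlier: an XML document (NessusClientData_v2) with one ReportHost element per scanned host and one ReportItem per finding. As an added example, not part of the original post and not Metasploit’s own code, here is a small Python parser that builds the same picture the Overview tab shows (host count, findings by severity, and the high-severity findings with a CVE that a tester would look at first) from a constructed .nessus document embedded inline. The host name, plugin IDs and CVE value in the sample are placeholders, not real scan output.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed minimal .nessus (NessusClientData_v2) document. Host, plugin IDs
# and the CVE are placeholders, not output of a real scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="met_community">
    <ReportHost name="192.168.56.101">
      <HostProperties>
        <tag name="host-ip">192.168.56.101</tag>
        <tag name="host-fqdn">xp-lab.example</tag>
        <tag name="operating-system">Microsoft Windows XP</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="00000" pluginName="Placeholder SMB finding" pluginFamily="Windows">
        <cve>CVE-0000-0000</cve>
      </ReportItem>
      <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="0"
                  pluginID="00001" pluginName="Placeholder info finding" pluginFamily="Service detection">
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="2"
                  pluginID="00002" pluginName="Placeholder medium finding" pluginFamily="General">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus severity codes 0..4 as used in the ReportItem "severity" attribute.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def parse_nessus(xml_text):
    """Return a list of hosts; each host is a dict with its properties and findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a NessusClientData_v2 document")
    hosts = []
    for rh in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.findall("HostProperties/tag")}
        findings = []
        for item in rh.findall("ReportItem"):
            findings.append({
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
                "cves": [c.text for c in item.findall("cve") if c.text],
            })
        hosts.append({"name": rh.get("name"), "properties": props, "findings": findings})
    return hosts


def severity_summary(hosts):
    """Count findings per severity label across all hosts."""
    counter = Counter()
    for h in hosts:
        for f in h["findings"]:
            counter[SEVERITY_NAMES.get(f["severity"], "unknown")] += 1
    return dict(counter)


def priority_findings(hosts, min_severity=3):
    """Findings at or above min_severity that carry a CVE, as (host, port, name, cves)."""
    return [(h["name"], f["port"], f["name"], f["cves"])
            for h in hosts for f in h["findings"]
            if f["severity"] >= min_severity and f["cves"]]


if __name__ == "__main__":
    hosts = parse_nessus(SAMPLE_NESSUS)
    print(f"{len(hosts)} host(s) imported")
    for h in hosts:
        print(h["name"], h["properties"].get("operating-system"), len(h["findings"]), "findings")
    print("by severity:", severity_summary(hosts))
    print("priority findings:", priority_findings(hosts))
```

Running this prints “1 host(s) imported”, the same count the Overview tab reports; the severity breakdown and the CVE-bearing findings are what the Vulnerabilities tab then lists per host.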

[Screenshot: overview]
Click on “1 host” or the Analysis tab to go to the detailed host information.

[Screenshot: analysis]
Check the host and click on the Vulnerabilities tab to go to the vulnerability list.

[Screenshot: vulnerabilities]
Click on your host name (xp-dilhack) to check the available exploits and navigate to the Vulnerabilities tab. Select the vulnerability and click on Exploit to set it up.

[Screenshot: exploits]
After clicking on Exploit you have to edit some information. Click on Run Module to launch the attack.

[Screenshot: run module]
Now Metasploit launches the attack and you can see the progress of the exploitation. Our exploit opens a session on the victim’s machine.

[Screenshot: session open]
Click on the Sessions tab.

[Screenshot: session]
Click on Session 3 to open the new session. Here we have the actions available for that session. I’ll check the victim’s files by clicking on “Access Filesystem”.

[Screenshot: file system]
Here we are, inside the victim’s machine.

[Screenshot: victim machine]
Navigating among the folders.

[Screenshot: folders]
How simple attacks are now: just a few clicks… done!!!

Once you have learned about SQL injection methods, you may want to analyse them in practice. The problem is where to find a vulnerable website for testing.

[Image: white hacker]

The easiest way to find one is a “Google dork”, or what we call the “Google Hacking Database” (http://www.exploit-db.com/google-dorks/).

Anybody can manually search via Google dorks and find vulnerable sites. But the Sql Poizon tool makes this simpler by automating the dork search. It includes many dorks in different categories. Let’s see how this works:

1. Download the latest version of Sql Poizon (freeware).

[Screenshot: sql poizon]
2. Select any dork you need and click on Scan. Here you can select the maximum number of sites and the country.

[Screenshot: select a dork]
3. The result pane will list vulnerable site URLs according to your dork. To verify the URLs, right-click on one URL and select “Send to Sqli Crawler” – All.

[Screenshot: send to sqli crawler]
4. The URLs are forwarded to the Sqli Crawler for validation. It uses a simple SQL check: it appends a single apostrophe to the end of the URL and inspects the error code. Click on Crawl to validate.

[Screenshot: crawler]
5. After each link is verified, a sign appears in front of it. Mostly, sites marked with a tick or a yellow bulb are not vulnerable, but links marked with a red cross are likely to be vulnerable to SQL attacks.

[Screenshot: vulnerable sites]
Now you can test these uncommon sites with your own methods, but only for educational purposes.
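The single-apostrophe check in step 4 leaves a very recognisable trace on the other side: a request whose query parameter ends in a quote, followed by a 500 from the application. As an added example from the site owner’s side (not part of the original post and not code from the Sql Poizon tool), here is a Python detector run over a few constructed Apache combined-format log lines. It decodes each request’s query string, flags parameter values that contain a quote, and reports the clients whose quote-bearing requests triggered a 5xx, which is exactly the error signal the crawler looks for. The IP addresses, paths and user agents in the sample are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
# 203.0.113.7 sends two quote probes that produce 500s; 198.51.100.4 sends a
# legitimate apostrophe ("o'neil") that the application handles with a 200.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:01:02 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:01:03 +0000] "GET /news.php?id=12' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:01:04 +0000] "GET /item.php?cat=3%27 HTTP/1.1" 500 298 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:10:02:10 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4870 "-" "curl/7.47"
198.51.100.4 - - [10/Mar/2016:10:02:11 +0000] "GET /search.php?q=o%27neil HTTP/1.1" 200 2210 "-" "curl/7.47"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-log line into a dict; return None for malformed lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def quoted_params(target):
    """Return (name, value) pairs whose URL-decoded value contains a quote character."""
    query = urlsplit(target).query
    # keep_blank_values so that a bare "?id=" is still inspected
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if "'" in v or '"' in v]


def find_sqli_probes(log_text):
    """List (ip, target, status, params) for every request carrying a quoted parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = quoted_params(rec["target"])
        if params:
            hits.append((rec["ip"], rec["target"], rec["status"], params))
    return hits


def suspicious_clients(log_text, min_errors=1):
    """Map client IP -> number of quote-bearing requests that produced a 5xx response."""
    counts = defaultdict(int)
    for ip, _target, status, _params in find_sqli_probes(log_text):
        if 500 <= status < 600:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_errors}


if __name__ == "__main__":
    for ip, target, status, params in find_sqli_probes(SAMPLE_LOG):
        print(f"{ip} {status} {target} params={params}")
    print("clients with quote -> 5xx probes:", suspicious_clients(SAMPLE_LOG))
```

The “o’neil” line is there on purpose: a quote in a parameter alone is a weak signal, because real names and free-text searches contain apostrophes. Correlating the quote with a 5xx response, as the crawler itself does, is what separates a probe from normal traffic; the remaining fix is on the application side (parameterised queries and not returning raw database errors), which removes the signal the crawler keys on.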