Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-06-04 21:29:50 -04:00
Code Issues Projects Releases Packages Wiki Activity

crypto

Browse source
This commit is contained in:
bt3gl 2014-11-20 12:01:48 -05:00
parent e36532ca5e
commit 37268762e1
2 changed files with 228 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

30
Cryptography/README.md
View file

@ -1,5 +1,8 @@
# Cryptography
* Often data is just encoded in base64 or hex. Other thimes it's just compressed (gzip).
## MD5
@ -225,7 +228,34 @@ $ ./openssl s_client --no_tls1 --no_ssl3 --connect <WEBSITE>:443
* For Identification and verification of encoding supported by the Website we can use **EcoScan34**.
---
## Block Cipher Encryption
* Electronic code book (ECB) mode.
* Simplest and default block cipher mode.
* Message is split into blocks and each is encrypted separately.
* Disavantage: identical plaintext block encrypts to identical cipher text block (for example, figures).
### Attacking Randomness
* Good Randomness is vital for cryptographic operations.
* Two common attack against a PRNG :
- PRGN state is reconstructed from its output.
- Same PRNG is used more than once.
* Statistically random is not secure random!
- if a PRNG is seeded with a value the attacker can influence, the state of the PRNG is likely compromised.
* Seed race condition attacks:
- System clock often used to seed PRNG
- Submit 10's or 100's of rquests at a time. Seed a PRNG with the same system clock and the output will be the same.
----

198
Web_Security/README.md
View file

@ -263,6 +263,32 @@ Set-Cookie: SID=472ndsw;expires=DATE;path=/;domain=SITE,HttpOnly
- Burp Suite
- FireBug] in Firefox
----
## Same-Origin Policy
### DOM Same-Origin Policy
* JavaScript executing in context of one document should not be allowed to access context of another document, unless: **protocol, hostname and port all match**. This defines a document's origin.
* IE doesn't always observer port number.
* Wildcard * policies is ill-advised: explose content on your domain to script access from any/all origins.
### Cross-Domain Policies
* Extend SOP beyond a document's origin.
* Permit applets originating from another domain access to resources.
* Permit issuing arbritary HTTP requests with whitelisted headers.
### CORS - Cross Origin Resource Sharing
* Browser allows XMLHttpRequest's to acess response data return from cross-origin requests when:
- Response contains Acess-Control-Allow -Origin header
- Requst's Origin value is defined in set
----
## OWASP TOP 10
@ -307,6 +333,12 @@ SELECT user_id FROM user_data WHERE name='john' and password='password'
## CSRF
* Tricks victim's browsers into performing unsuspecting actions.
* Server doesn't verify request was imitated from the expect client-side origin.
* Browser naively submits credentials when attempting to retrieve resources.
* Identification and verification manual of CSRF can be done by checking in the website's forms (usually where most often find this vulnerability).
* To check this, you will need to copy an original request (GET / POST) on a form and then make a change in the parameters and re-send the same request modified. If the server does not return an error, it can be considered that it is vulnerable to
@ -314,6 +346,22 @@ CSRF.
* To perform this task, we can use the tools **csrftester** or **burp** proxy.
* Can be used to exploit admin-only vulnerabilities (router admin pages, etc).
* A simple mitigation, often hard to implement: include secret user/session specific value with request.
### Example of CSRF
1. User logs into account at bank.com
2. In another tab, user visit a site that sources an image from:
```
<img src="http://bank.com/xfer.do?frmACCT=user&toAcct=Attackker&amt=10000"/>
```
3. User's browser sends a GET request from the image.
4. User just transfered 100k into Joe's account.
----
## XSS
@ -446,6 +494,156 @@ qr / ((could not|cannot|unable to) (open|find|access|read)|(path|file) not found
---
## Authentication
* Applications can verify identity based on:
- Something the user knows: password, passphrase, pin, etc.
- Something the user has: smartcard, security token, mobile device/
- Something the user is or does: fingerprint, voice recognition.
* Common authentication methods:
- HTTP authentication
- Form-based
- Kerberos/NTLM
- Single Sign-on (SSO)
- Certificate based
### Basic Authentication
* Credentials are Base64 enconded: in the format username:password
* Each subsequent request includes credentials with the Authorization HTTP request header.
* For example, admin:admin is YWRtaW46YWRtaW4=:
```
GET /home.jsp HTTP/1.1
Host: www.acme.com
User-Agent: Mozilla/4.0
Authorization: Basic YWRtaW46YWRtaW4=
```
* Password brute force: if no lockout, automate: **Hydra, Brutus**.
### Bypassing Authentication
#### Server-Side
* Predicting session tokens: what's the character composition of cookie?
* Session hijacking via fixation/trapping: same session cookie used pre and post authentication?
* Exploiting an injection flaw in login routine: SQL Injection.
#### Client-Side
* Does application set persistent authentication cookies: remember me or look for Expires attribute of Set-Cookie header.
* Back button to steal cached credentials (credentials stored in browser memory).
### Weak Authentication
* Does application authenticate requests across all resources?
* Issue direct requests to resources (forceful browsing): guess common file names.
* Inventory resources authenticated & request anonymously.
- Authenticate, crawl through UI, and record requests, responses.
- Re-issue those requests unauthenticated and diff responses.
-----
## Authorization
* System of determining whether a user is allowed to access a particular resource.
* Role-based authorization.
* Access decision can be made at:
- resource level
- function/method-level
- record-level
### Authorization Attacks
* Vertical:
- Elevate to a more privileged user
- access restricted functionality
- edit records intend to be read only
* Horizontal:
- access another user's data
* Parameter manipulation: insecure direct object reference (DB record id's exposed to user).
* Failure to restrict URL access:
- protect sensitive functionality by disabling the display of links, buttons, URL, and hiddel URL or parameters.
- forceful browsing is a common attack technique: typically results in vertical escalation, administrative interfaces.
---
## Attacking Web Servers
### XML Web Services
* Facilitate machine to machine interaction:
- usually implemented as middleware, though sometimes called directly by the client.
- often implemented using **Simple Object Access Protocol (SOAP)**.
- request and Response structure defined by *8Web Service Definition language (WSDL).
### Attacking web services
1. Locate the web service endpoint.
* pay attention to proxy logs
* look for common web service endpoints: .asmx, .svc, /axis, /axis2
2. Obtain metadata.
* Try appending **? WSDL** or **.wsdl** to endpoint URL.
```
<portType>: Operations performed by the web service
<message>: Messages used by the web service
<types>: datatypes used by the web service
<binding>: protocol used by the web service
```
3. Invoke the web service:
* Issue SOAP requests directly to end point (SoapUI)
* Fuzz inputs just like any other parameter: same vulnerabilities.
### Exploiting XML Parsers
* Web services often vulnerable to common attacks on XML parsers.
* Entity expansion attacks:
- Denial of service against XML parser.
- Infinite recursion occurs during parsing.
* XML External Entity attacks:
- Information disclosure to almost anything.
### XML External Entity Attacks:
1. Define an XML entity in the DTD
2. Reference defined entity in XML body.
3. Parser will read /etc/passwd contents into e1:
```
<!DOCTYPE test [<!ENTITY x3 System "/etc/passwrd">]>
<body>
<e1>&x3;</e1>
</body>
```
----
-----------------
[FireBug]: http://getfirebug.com/
[Burp Suite]: http://portswigger.net/burp/