[OWASP-Philadelphia] 11/27 Meeting Summary

Justin C. Klein Keane jukeane at sas.upenn.edu
Fri Nov 30 14:28:48 UTC 2012

Hello all,

  if you didn't make it to Tuesday night's meeting you missed out on a
great presentation by Shannon Schriver and Garrett Fails, both senior
associates at PricewaterhouseCoopers, on attack vectors and
vulnerability trends they see as consultants on penetration tests.  It
was great to have the PWC folks troop over from their offices at 20th
and Market and hopefully we'll see them again at future meetings (and
perhaps get to use some of their swank downtown office conference room
space instead of dingy basement classrooms at Penn's School of
Design ;).

  Shannon and Garrett both work on web application assessments and
penetration testing involving application and physical security as
well as social engineering engagements.  Their presentation covered
current vulnerability trends they observe on actual engagements,
focusing on local file include (or direct object reference)
vulnerabilities, security misconfiguration including the exposure of
administrative consoles for web services, and SQL injection including
advanced exploitation techniques.

  There were almost 20 folks in attendance from a broad range of
industries including students, consultants and security professionals.

  Shannon and Garrett started by going over the OWASP top 10 quickly,
focusing specifically on query injection, arbitrary script injection,
session management and insecure direct object reference.  Garrett
pointed out that although security misconfiguration shows up on the
OWASP top 10, it's a persistent problem that certainly isn't
restricted only to the web application realm.  They also discussed how
often they find resources whose URLs are exempted from the normal
security safeguards that are supposed to protect them.  This can
happen in a number of situations and is only becoming more common as
AJAX and web 2.0 push web services into application functionality.

  Shannon and Garrett pointed out that one of the most common problems
they find in organizations they work with is lack of understanding of
their resources.  This includes both misunderstanding about the IP
address space associated with the organization as well as not having
an accurate or complete asset inventory.  Unknown web servers often
expose security issues and can allow penetration testers (or
attackers) a foothold within an organization.  Shannon and Garrett
suggested attempting to tie an inventory with a version control regime
in order to enforce tighter controls on organizational assets but
admitted in the age of embedded web servers and cloud services that it
is often difficult to discover applications.  They proposed a scan for
web ports within an organization followed up by legwork and manual
processes to identify servers, stakeholders, and applications
associated with those services.
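As an added illustration of the reconciliation step Shannon and Garrett proposed (not code from the talk or from PwC), the script below takes a constructed asset inventory, the organization's address ranges and a constructed web-port scan result, and flags web servers that are inside the organization's space but missing from the inventory, so the legwork can start with them. The scan format, addresses and owners are all hypothetical.

```python
import ipaddress

# Constructed sample data: what the organization believes it owns.
ORG_RANGES = [ipaddress.ip_network("10.20.0.0/16"),
              ipaddress.ip_network("192.0.2.0/24")]
INVENTORY = {
    "10.20.1.10": {"owner": "webteam", "app": "intranet portal"},
    "10.20.1.11": {"owner": "webteam", "app": "intranet portal"},
    "192.0.2.5": {"owner": "marketing", "app": "public site"},
}
WEB_PORTS = {80, 443, 8080, 8443}

# Constructed scan output in a simple "ip port state" format, one host/port per line.
SCAN = """\
10.20.1.10 443 open
10.20.1.11 80 open
10.20.7.200 8080 open
10.20.9.3 443 open
192.0.2.5 443 open
198.51.100.9 8443 open
10.20.1.10 22 open
"""

def parse_scan(text):
    """Return {ip: set(open web ports)}; non-web ports and malformed lines are ignored."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open":
            continue
        ip, port = parts[0], int(parts[1])
        if port in WEB_PORTS:
            hosts.setdefault(ip, set()).add(port)
    return hosts

def reconcile(scan_hosts):
    """Split scanned web hosts into inventoried, unknown-but-in-scope, and out-of-scope."""
    known, unknown, out_of_scope = [], [], []
    for ip, ports in sorted(scan_hosts.items(),
                            key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ORG_RANGES):
            out_of_scope.append(ip)          # not ours: check the range list, not the host
        elif ip in INVENTORY:
            known.append(ip)
        else:
            unknown.append((ip, sorted(ports)))  # these need an owner and an application
    return {"known": known, "unknown": unknown, "out_of_scope": out_of_scope}
```

Hosts in the "unknown" list are the ones the talk described as the usual foothold: in the organization's space, serving web content, with no stakeholder on record.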

  Shannon and Garrett then went on to discuss how the use of default
credentials often exposes services, and how the use of default
credentials is extremely common in accidentally (or unwittingly)
deployed services, development environments, and other systems that
are designed for a short lifespan.  Out of the box web services, or
web services embedded in products often suffer from this vulnerability.

  The presenters also emphasized that debugging or otherwise verbose
output was often extremely advantageous to an attacker but otherwise
useless to end users.  In providing additional information that can
only be of value to malicious users, such as web server trace
information, debugging information in comments, or verbose error
messages (such as SQL error messages revealing server types and
version), administrators make the job of attackers much easier without
adding any value to end users.

  Shannon and Garrett then shifted gears and began the first of their
three demonstrations of real world engagements and associated
problems.  The first of these was a local file include vulnerability
in a Perl based web service that not only allowed for system resource
enumeration but also allowed for arbitrary code execution.  The two
demonstrated the methods used to discover the vulnerability as well as
techniques used to exploit the vulnerability and write executable
files to the filesystem.

  The next example was an unprotected JBoss administrative console.
This console allowed penetration testers to upload and deploy
backdoors via WAR files.  This functionality exists by design in
servers like JBoss and Tomcat, but is supposed to be protected.  In
their demonstration Shannon and Garrett showed how they could leverage
access to the server administration console to fingerprint the system
and deploy malicious tools that could allow them to expand access
within an organization, perform reconnaissance, or simply use the
server for nefarious purposes.

  The final example was of SQL injection in a Microsoft SQL Server
based application.  The presenters demonstrated how the injection
could be enumerated and then exploited with SQLMap.  Finally Shannon
showed how Metasploit could be used to cause the SQL Server to send
Windows authentication hashes to an external machine, which could then
be used to leverage legitimate access.

  I'd like to thank Shannon and Garrett again for taking the time to
come and present to Philadelphia OWASP.  I think the presentation was
super helpful and personally received great feedback.  Hope to see
everyone at the next meeting!  In the meantime please send me any
questions, comments, feedback or offers to volunteer time, talent or
meeting space.


Justin C. Klein Keane, MA MCIT
Senior Information Security Specialist
University of Pennsylvania, School of Arts & Sciences

