[OWASP-Philadelphia] 11/27 Meeting Summary
rarrison at gmail.com
Fri Nov 30 16:56:32 UTC 2012
Thank you for this email.
On Fri, Nov 30, 2012 at 9:28 AM, Justin C. Klein Keane <jukeane at sas.upenn.edu> wrote:
> Hello all,
> if you didn't make it to Tuesday night's meeting you missed out on a
> great presentation by Shannon Schriver and Garrett Fails, both senior
> associates at PricewaterhouseCoopers, on attack vectors and
> vulnerability trends they see as consultants on penetration tests. It
> was great to have the PWC folks troop over from their offices at 20th
> and Market and hopefully we'll see them again at future meetings (and
> perhaps get to use some of their swank downtown office conference room
> space instead of dingy basement classrooms at Penn's School of
> Design ;).
> Shannon and Garrett both work on web application assessments and
> penetration testing involving application and physical security as
> well as social engineering engagements. Their presentation covered
> current vulnerability trends they observe on actual engagements,
> focusing on local file include (or direct object reference)
> vulnerabilities, security misconfiguration to include the exposure of
> administrative consoles for web services, and SQL injection including
> advanced exploitation techniques.
> There were almost 20 folks in attendance from a broad range of
> industries including students, consultants and security professionals.
> Shannon and Garrett started by going over the OWASP top 10 quickly,
> focusing specifically on query injection, arbitrary script injection,
> session management and insecure direct object reference. Garrett
> pointed out that although security misconfiguration shows up on the
> OWASP top 10, it's a persistent problem that certainly isn't
> restricted only to the web application realm. They also discussed how
> often they find resources to which URLs exist that are exempted from
> the normal security safeguards that are supposed to protect resources
> they expose. This can happen in a number of situations and is only
> becoming more common as AJAX and web 2.0 push web services into
> application functionality.
> Shannon and Garrett pointed out that one of the most common problems
> they find in organizations they work with is lack of understanding of
> their resources. This includes both misunderstanding about the IP
> address space associated with the organization as well as not having
> an accurate or complete asset inventory. Unknown web servers often
> expose security issues and can allow penetration testers (or
> attackers) a foothold within an organization. Shannon and Garrett
> suggested attempting to tie an inventory with a version control regime
> in order to enforce tighter controls on organizational assets but
> admitted in the age of embedded web servers and cloud services that it
> is often difficult to discover applications. They proposed a scan for
> web ports within an organization followed up by legwork and manual
> processes to identify servers, stakeholders, and applications
> associated with those services.
> Shannon and Garrett then went on to discuss how the use of default
> credentials often exposes services, and how the use of default
> credentials is extremely common in accidentally (or unwittingly)
> deployed services, development environments, and other systems that
> are designed for a short lifespan. Out of the box web services, or
> web services embedded in products often suffer from this vulnerability.
> The presenters also emphasized that debugging or otherwise verbose
> output was often extremely advantageous to an attacker but otherwise
> useless to end users. In providing additional information that can
> only be of value to malicious users, such as web server trace
> information, debugging information in comments, or verbose error
> messages (such as SQL error messages revealing server types and
> version), administrators make the job of attackers much easier without
> adding any value to end users.
> Shannon and Garrett then shifted gears and began the first of their
> three demonstrations of real world engagements and associated
> problems. The first of these was a local file include vulnerability
> in a Perl based web service that not only allowed for system resource
> enumeration but also allowed for arbitrary code execution. The two
> demonstrated the methods used to discover the vulnerability as well as
> techniques used to exploit the vulnerability and write executable
> files to the filesystem.
> The next example was an unprotected JBoss administrative console.
> This console allowed penetration testers to upload and deploy
> backdoors via WAR files. This functionality exists by design in
> servers like JBoss and Tomcat, but is supposed to be protected. In
> their demonstration Shannon and Garrett showed how they could leverage
> access to the server administration console to fingerprint the system
> and deploy malicious tools that could allow them to expand access
> within an organization, perform reconnaissance, or simply use the
> server for nefarious purposes.
> The final example was of SQL injection in a Microsoft SQL Server
> based application. The presenters demonstrated how the injection
> could be enumerated and then exploited with SQLMap. Finally Shannon
> showed how Metasploit could be used to cause the SQL Server to send
> Windows authentication hashes to an external machine, which could then
> be used to leverage legitimate access.
> I'd like to thank Shannon and Garrett again for taking the time to
> come and present to Philadelphia OWASP. I think the presentation was
> super helpful and personally received great feedback. Hope to see
> everyone at the next meeting! In the meantime please send me any
> questions, comments, feedback or offers to volunteer time, talent or
> meeting space.
> --
> Justin C. Klein Keane, MA MCIT
> Senior Information Security Specialist
> University of Pennsylvania, School of Arts & Sciences
> The PGP signature on this email can be verified using the public key at
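The first demo in the quoted summary, a local file include in a Perl service, is the path-traversal class of bug. As an added example (not code from the talk, the presenters, or this list) here is a small Python sketch of the defensive check: the naive join that lets a `../` segment walk out of the document root, beside a hardened version that resolves the requested path and refuses anything that does not land inside the root. `DOCROOT`, the temporary sandbox files, `ALLOWED_SUFFIXES` and the function names are all constructed for this demo.

```python
from pathlib import Path
import tempfile

# Constructed sandbox (not a real deployment): a document root holding one
# public file, plus a file one level above it that the app must never serve.
_SANDBOX = Path(tempfile.mkdtemp(prefix="lfi_demo_"))
DOCROOT = _SANDBOX / "public"
DOCROOT.mkdir()
(DOCROOT / "about.txt").write_text("public page\n")
(_SANDBOX / "secret.txt").write_text("not for the web\n")

# Only these extensions are servable; an allowlist keeps the check positive.
ALLOWED_SUFFIXES = {".txt", ".html"}


class AccessDenied(Exception):
    """Raised when a requested name does not map to a servable file."""


def read_public_file_unsafe(name: str) -> str:
    """The flawed pattern: untrusted input is joined straight onto the root.
    '../secret.txt' walks out of DOCROOT, and an absolute path replaces it."""
    return (DOCROOT / name).read_text()


def resolve_public_path(name: str):
    """Map an untrusted name to a file inside DOCROOT, or None if it escapes.

    resolve() canonicalises '..' segments and follows symlinks, so the
    containment test runs on the real filesystem location rather than on
    the string the client supplied.
    """
    root = DOCROOT.resolve()
    candidate = (root / name).resolve()
    # Containment: the root itself is not a file, and the root must be an
    # ancestor of the candidate (equivalent to Path.is_relative_to on 3.9+).
    if candidate == root or root not in candidate.parents:
        return None
    # Positive checks: servable type, and it must actually be a regular file.
    if candidate.suffix not in ALLOWED_SUFFIXES or not candidate.is_file():
        return None
    return candidate


def read_public_file_safe(name: str) -> str:
    """Hardened read: refuse anything that does not resolve inside DOCROOT."""
    path = resolve_public_path(name)
    if path is None:
        raise AccessDenied(f"refusing to serve {name!r}")
    return path.read_text()


if __name__ == "__main__":
    print(read_public_file_safe("about.txt"), end="")
    for probe in ("../secret.txt", str(_SANDBOX / "secret.txt"), "about.txt/.."):
        try:
            read_public_file_safe(probe)
        except AccessDenied as exc:
            print("blocked:", exc)
```

The important design point is that the check is made on the resolved path, not on the input string: stripping `../` from the string still leaves symlinks and absolute paths, while comparing canonical locations covers all three. Logging the refused name (as the `__main__` loop prints it) also gives the operations side a clean detection signal for traversal probing.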