[OWASP-Philadelphia] 11/27 Meeting Summary

Superman rarrison at gmail.com
Fri Nov 30 16:56:32 UTC 2012

Thank you for this email.

On Fri, Nov 30, 2012 at 9:28 AM, Justin C. Klein Keane <
jukeane at sas.upenn.edu> wrote:

> Hash: SHA1
> Hello all,
>   if you didn't make it to Tuesday night's meeting you missed out on a
> great presentation by Shannon Schriver and Garrett Fails, both senior
> associates at Price Watterhouse Coopers, on attack vectors and
> vulnerability trends they see as consultants on penetration tests.  It
> was great to have the PWC folks troop over from their offices at 20th
> and Market and hopefully we'll see them again at future meetings (and
> perhaps get to use some of their swank downtown office conference room
> space instead of dingy basement classrooms at Penn's School of
> Design ;).
>   Shannon and Garrett both work on web application assessments and
> penetration testing involving application and physical security as
> well as social engineering engagements.  Their presentation covered
> current vulnerability trends they observe on actual engagements,
> focusing on local file include (or direct object reference)
> vulnerabilities, security misconfiguration to include the exposure of
> administrative consoles for web services, and SQL injection including
> advanced exploitation techniques.
>   There were almost 20 folks in attendance from a broad range of
> industries including students, consultants and security professionals.
>   Shannon and Garrett started by going over the OWASP top 10 quickly,
> focusing specifically on query injection, arbitrary script injection,
> session management and insecure direct object reference.  Garrett
> pointed out that although security misconfiguration shows up on the
> OWASP top 10, it's a persistent problem that certainly isn't
> restricted only to the web application realm.  They also discussed how
> often they find resources to which URL's exist that are exempted from
> the normal security safeguards that are supposed to protect resources
> they expose.  This can happen in a number of situations and is only
> becoming more common as AJAX and web 2.0 push web services into
> application functionality.
>   Shannon and Garrett pointed out that one of the most common problems
> they find in organizations they work with is lack of understanding of
> their resources.  This includes both misunderstanding about the IP
> address space associated with the organization as well as not having
> an accurate or complete asset inventory.  Unknown web servers often
> expose security issues and can allow penetration testers (or
> attackers) a foothold within an organization.  Shannon and Garrett
> suggested attempting to tie an inventory with a version control regime
> in order to enforce tighter controls on organizational assets but
> admitted in the age of embedded web servers and cloud services that it
> is often difficult to discover applications.  They proposed a scan for
> web ports within an organization followed up by legwork and manual
> processes to identify servers, stakeholders, and applications
> associated with those services.
>   Shannon and Garrett then went on to discuss how the use of default
> credentials often exposes services, and how the use of default
> credentials is extremely common in accidentally (or unwittingly)
> deployed services, development environments, and other systems that
> are designed for a short lifespan.  Out of the box web services, or
> web services embedded in products often suffer from this vulnerability.
>   The presenters also emphasized that debugging or otherwise verbose
> output was often extremely advantageous to an attacker but otherwise
> useless to end users.  In providing additional information that can
> only be of value to malicious users, such as web server trace
> information, debugging information in comments, or verbose error
> messages (such as SQL error messages revealing server types and
> version), administrators make the job of attackers much easier without
> adding any value to end users.
>   Shannon and Garrett then shifted gears and began the first of their
> three demonstrations of real world engagements and associated
> problems.  The first of these was a local file include vulnerability
> in a Perl based web service that not only allowed for system resource
> enumeration but also allowed for arbitrary code execution.  The two
> demonstrated the methods used to discover the vulnerability as well as
> techniques used to exploit the vulnerability and write executable
> files to the filesystem.
>   The next example was an unprotected JBoss administrative console.
> This console allowed penetration testers to upload and deploy
> backdoors via WAR files.  This functionality exists by design in
> servers like JBoss and Tomcat, but is supposed to be protected.  In
> their demonstration Shannon and Garrett showed how they could leverage
> access to the server administration console to fingerprint the system
> and deploy malicious tools that could allow them to expand access
> within an organization, perform reconnaissance, or simply use the
> server for nefarious purposes.
>   The final example was of SQL injection in a Microsoft SQL Server
> based application.  The presenters demonstrated how the injection
> could be enumerated and then exploited with SQLMap.  Finally Shannon
> showed how Metasploit could be used to cause the SQL Server to send
> Windows authentication hashes to an external machine, which could then
> be used to leverage legitimate access.
>   I'd like to thank Shannon and Garrett again for taking the time to
> come and present to Philadelphia OWASP.  I think the presentation was
> super helpful and personally received great feedback.  Hope to see
> everyone at the next meeting!  In the meantime please send me any
> questions, comments, feedback or offers to volunteer time, talent or
> meeting space.
> Cheers,
> - --
> Justin C. Klein Keane, MA MCIT
> Senior Information Security Specialist
> University of Pennsylvania, School of Arts & Sciences
> The PGP signature on this email can be verified using the public key at
> https://sites.sas.upenn.edu/kleinkeane
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
> tVR0sikc1tQjjLlj1lrIvQRgdtzd3yQfp1tLhZcSz9m8/Xuht0iZ7JxAkifnOYHm
> bPZCauvCmg1li9A3++0ivIj3t8L/3cJwjV2kOJDHHP5XNGfTfD75JBPZh6/jgEy4
> CuEzY6Lpwq8vtfCArCfrAJp3rsjpZ4eXq+B5paH6gmggiyPb2PgiUomeYzt5ePoy
> XE0vMYdiXroOc2V2bKCUpiom6ekFbNqrwuz5fxjPXMJvXIvgUCnTlbOAgQpgTgRn
> XH+JDQe4TCm7txW0JLr7x2u63ThzM5hFRZtiZQgOkd+u2GWjbFVbPP5H6+nV97l1
> IHy/S1t2KplVBrj6ttl0WztDUIJCD9Oj8+Vb4z6pRLhXZYnHxJC5IJnDES7dawpb
> HG7MG8yg/H9IvAFKnVD4hR7eke+lN/EnVzoaciKDDPTkhOz1nh+0uXrqg5WoCGVh
> Ccg0aOFJSb40hYOecXSW3IEOQs/tddykqvfMaNfzANgSJcx/fBp2eiJe61kZ1sVW
> FWvpDm4k3EWU3VvfIkkTCpotILahQb7BsIokZk2iSfu89HqA5THQIKRnZTBgND6l
> 2Gy5YYnHsQjUVjFQIhb+VL4hVj5sHta9+0eYIBX6IXnl5VdOs+cjlzrWnT9uv3/s
> wc4O0qdIDcL1h8k4eTNN
> =rxbJ
> _______________________________________________
> OWASP-Philadelphia mailing list
> OWASP-Philadelphia at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-philadelphia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-philadelphia/attachments/20121130/b5daf3b2/attachment-0001.html>

More information about the OWASP-Philadelphia mailing list