nowasp mutillidae 2 3 x n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
NOWASP Mutillidae 2.3.x PowerPoint Presentation
Download Presentation
NOWASP Mutillidae 2.3.x

Loading in 2 Seconds...

  share
play fullscreen
1 / 26
callum-rocha

NOWASP Mutillidae 2.3.x - PowerPoint PPT Presentation

119 Views
Download Presentation
NOWASP Mutillidae 2.3.x
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. NOWASP Mutillidae 2.3.x An open-source web pen-testing environment for security training, practice, instruction, and you Jeremy Druin Information Security Specialist, GSEC, GPEN, GWAPT Twitter: @webpwnized

  2. Agenda • What is NOWASP Mutillidae? • Where is NOWASP Mutillidae used? • Where can I get NOWASP Mutillidae? • How do I install NOWASP Mutillidae? • How to I set NOWASP Mutillidae up? • How do I use NOWASP Mutillidae? • Demonstration • Publications • Where do I receive updates on videos and new releases?

  3. What is NOWASP Mutillidae? • What is NOWASP Mutillidae? • Actually Vulnerable (User not asked to enter “magic” statement) • Free • Deliberately Vulnerable Web Application • Open Source • Did I say free?

  4. Vulnerabilities It turns out it is scary easy to write horrible code… * Documentation of vulnerabilities on Sourceforge • SQL Injection • Cross site scripting • O/S Command injection • JSON injection • HTML injection • JavaScript Injection • DOM injection • Cascading style sheet injection • Log injection • Reflected Cross Site Scripting via GET, POST, Cookies, and HTTP Headers • Stored Cross Site Scripting • Cross Site Request Forgery • Authentication Bypass via SQL injection • Privilege Escalation via Cookie Injection • Unencrypted database credentials • Directory Browsing • JavaScript validation bypass • Application Exception • Un-validated Redirects and Forwards • Phishing • Click-jacking • CBC bit flipping (latest) • Brute force “secret admin pages” • PHP server configuration disclosure • Application path disclosure • Platform path disclosure • Information disclosure via HTML comments • robots.txt information disclosure • Parameter addition • HTTP Parameter Pollution • Buffer overflow • Denial of Service • Loading of any arbitrary file • Method Tampering • Forms caching

  5. Features : Two Levels of Hints • Hints are provided in “Hint Level 1” and “Hint Level 2” • Automatically disabled in “Security Level 5” (unless you hack it)

  6. Features : Two Levels of Hints • “Hint Level 2” contains tutorial-style hints for the most popular topics Level 2 Hints

  7. Features:3 Security Levels • By default, the system does not apply security controls Security Level 0: SQL Injection attempted on login page

  8. Features:3 Security Levels • In security level 1, JavaScript validation is applied and the “Show Hints” button is removed from the menu bar. • Note: Hints can be re-enabled by exploiting a vulnerability Security Level 1: SQL Injection attempted on login page

  9. Features:3 Security Levels • In Security Level 5, the system will execute a different set of PHP scripts attempting to protect the site Security Level 5: SQL Injection attempted on login page

  10. Features: Self-adjusting “Bubble” Hints • “Bubble” Hints will pop-up when the cursor hovers over some vulnerable areas. Hint Level 0: “username” field on View Details page

  11. Features: Self-adjusting “Bubble” Hints • “Bubble” Hints automatically change with Hint Level Hint Level 1: “username” field on View Details page

  12. Features: Self-adjusting “Bubble” Hints • “Bubble” Hints automatically change with Hint Level Hint Level 2: “username” field on View Details page

  13. Features: Enforce SSL • “Enforce SSL” feature added to allow practicing SSL attacks such as the use of SSLStrip • Note: SSL encryption itself provided by Apache server

  14. Features: Capture Data • A data capture page is provided • Hint: In CTF, get Admins to visit

  15. Features: Captured Data • Captured data is stored to database and local file Previously captured record

  16. Features: Automated Database Setup / Error Detection • System will automatically create database, tables, views, and procedures plus supply “startup” data (i.e. accounts, cc table, etc.) Truncated screenshot of automated database set up after clicking “Setup DB” button

  17. Features: Automated Recovery • Clicking “Reset DB” will restore system and re-populate database tables • Pull the rip cord and start over

  18. Use Cases • Practice Web Pen-Testing • Pages specifically designed to practice SANS SEC-542 exercises , W3AF, sqlmap, Grendel Scan, Cenzic Hailstorm, Rat Proxy, Beef, many more tools… • … and most important: manual testing • Corporate Internal/External Training • SANS SEC-542 (Instructor: Tim “LanMaster53” Tomes) • Some big companies • University Labs/Instruction • Evaluate Web Application Vulnerability Scanners • “Our scanner is obviously the best. Just look how expensive it is!” • “Perhaps. Let’s measure…” • Web App Sec Demonstrations • OWASP, ISSA, etc. • Capture the Flag • Lolz

  19. Where can I get NOWASP Mutillidae? • Download: Sourceforge • http://sourceforge.net/projects/mutillidae/files/ • Preinstalled • SamuraiWTF 2.0 • http://samurai.inguardians.com/ • Metasploitable-2 • https://community.rapid7.com/docs/DOC-1875 • OWASP Broken Web Apps (BWA) • https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

  20. How do I install NOWASP Mutillidae? • Easy to install on Linux or Windows • Can be virtualized on Virtual Box and VMWare • Linux • LAMP, Samurai WTF • How to upgrade to latest Mutillidae on Samurai WTF 2 • http://www.youtube.com/watch?v=obOLDQ-66oQ • How to install latest Mutillidae on Samurai WTF 2 • http://www.youtube.com/watch?v=y-Cz3YRNc9U • Windows • XAMPP, WAMP • Quick start guide to installing Mutillidae on Windows • http://www.youtube.com/watch?v=1hF0Q6ihvjc

  21. How to I set NOWASP Mutillidae up? • Set up database via “Reset DB”. • Note: Some systems require changing a line in php.ini (instructions provided)

  22. How do I use NOWASP Mutillidae? • Instructional Videos: webpwnized YouTube channel • http://www.youtube.com/user/webpwnized • Currently approximately 50 videos related to web pen testing • ~85 videos overall

  23. How do I use NOWASP Mutillidae? • Menu order vulnerabilities by OWASP 2010 then type

  24. How do I use NOWASP Mutillidae? • Besides “Hints” and “Bubbles Hints” there is a file with 1,000+ lines of pre-tested hacks against various pages • File: <installation directory>/mutillidae/documentation/mutillidae-test-scripts.txt

  25. Where do I receive updates on instructional videos and new releases? • New instructional video postings (YouTube) • New releases of NOWASP Mutillidae • Twitter: @webpwnized • URL: http://en.twitter.com/webpwnized

  26. References • Vulnerability Documentation • http://iweb.dl.sourceforge.net/project/mutillidae/documentation/listing-of-vulnerabilities-in-mutillidae.txt • Download • http://sourceforge.net/projects/mutillidae/files/ • Preinstalled: SamuraiWTF 2.0 • http://samurai.inguardians.com/ • Preinstalled: Metasploitable-2 • https://community.rapid7.com/docs/DOC-1875 • Preinstalled: OWASP Broken Web Apps (BWA) • https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project • How to upgrade to latest Mutillidae on Samurai WTF 2 • http://www.youtube.com/watch?v=obOLDQ-66oQ • How to install latest Mutillidae on Samurai WTF 2 • http://www.youtube.com/watch?v=y-Cz3YRNc9U • Quick start guide to installing Mutillidae on Windows • http://www.youtube.com/watch?v=1hF0Q6ihvjc • Instructional Videos: YouTube webpwnized channel • http://www.youtube.com/user/webpwnized • New releases of NOWASP Mutillidae • Twitter: @webpwnized • URL: http://en.twitter.com/webpwnized