How to do it?

Discuss the many weaknesses of browser security and ways to mitigate the threat

Re: How to do it?

Post by LoGiCaL__ on Thu Apr 07, 2011 11:53 am

And it is not illegal to pen-test your own webpage.


Well for the most part no, it's not. It depends. If you have your own web server set up, then by any and all means necessary go ahead and do what you feel. For some servers that you are just using their space, or renting out, it depends on the server/network admins terms of service.

**edit**

caracarn001 got to it just before I did lol.


Re: How to do it?

Post by jgreen45 on Thu Apr 07, 2011 12:03 pm

Assassian360 wrote: or you could find a free web host and dump your things on there. And it is not illegal to pen-test your own webpage.


Having said that, when I was looking around for free hosts, I noticed that there is a strict 'No-Hacking policy' on many of the free hosts. That could be a problem. :(
I can't come to bed...
Someone is WRONG on the internet


http://xkcd.com/386/


Re: How to do it?

Post by Assassian360 on Thu Apr 07, 2011 8:31 pm

It really comes down to what sort of pen-testing you are actually doing. If you are just looking for potential vulnerabilities in your own site, then there is nothing inherently wrong with it. If you are trying to pen-test your site in such a way that is actually meaning a pen-test on your site's host, then that would be illegal.

Anyone worrying about whether what they are doing is illegal or not can just run a local server on their own machine. They are easy to setup and configure for the most part.


Re: How to do it?

Post by Goatboy on Thu Apr 07, 2011 8:46 pm

Assassian360 wrote: It really comes down to what sort of pen-testing you are actually doing. If you are just looking for potential vulnerabilities in your own site, then there is nothing inherently wrong with it. If you are trying to pen-test your site in such a way that is actually meaning a pen-test on your site's host, then that would be illegal.

I wouldn't even say that. It really depends on the ToS. HTS lets people test security here and we make that very clear. A free web-host would almost certainly frown on this, because an attack on a user's page could compromise everything. Even if you only mean to test your own site, they will probably see it as a malicious act against them. I'd go with your advice of hosting your own server, so you can control all the rules (and the variables).
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk


Re: How to do it?

Post by iistapp on Fri Apr 08, 2011 4:00 am

So once I got XAMPP up and running, could I just get the source code of a random page that I know is vulnerable and run for example Paros, and I will eventually find what's vulnerable, or have I got this all wrong in theory?

Or do I need to actually set up my own web page for this to work?

If so, I'm sort of lost, as I can't figure out how to actually use Paros properly. I'm not sure how I even run it in a proper way, so I guess I have to do some more reading and testing and see what I can figure out.

This is sort of a side project for now, but I hope I will make some progress sooner or later, because this really makes me get the feeling that I want to learn this, as it's very interesting and I think I will have need for this later in life :)

Once again, thanks Goatboy for helping me, and answering my questions in such a good way that even I managed to understand it in a proper way, hehe. I hope I can soonish post some progress to show off what I've learned.


Re: How to do it?

Post by Goatboy on Fri Apr 08, 2011 4:19 am

Paros does not find vulnerabilities for you. That is up to you. The main functions of Paros are as follows:

Intercepting Proxy: Paros acts as a proxy between your browser and the Internet. When you visit a page, your request first goes to Paros, which logs and forwards it to the website. The request is similarly logged and forwarded back to you. This means you can view exactly what is being sent and received. You can also edit either one. For sending, this makes it easier to fine-tune your attack by controlling precisely what HTTP headers, variables, etc. get sent. You can edit your response, but there aren't nearly as many cases where that would be useful. Generally, you will use this to map out exactly what is being sent in each request/response.

Spider: After you have walked through the web site yourself, you might want to discover all of the publicly-available content. You could do this manually by visiting every link, but you might miss a few. Paros takes care of this by automatically following the links it finds, creating a tree-like map of what is discovered. This can be dangerous, however, because if it finds a logout link or any other undesirable function, it will follow it.

Vulnerability Scanner: I lied earlier. Paros can find some vulns, but in my experience this has been completely unreliable. Paros will look for things like default files/directories, admin/login pages, etc., but if custom 404 pages are created, it is not intelligent enough to figure this out. You get a ton of false positives. I would avoid this function in most cases, as it can quickly lead you down the wrong path.

Those are the three that I know of. The program has not been updated since 2004, so unless they are developing a newer version in secret, that's all it can do. Burp Proxy and Webscarab are both more functional, but the interface might be a tad overwhelming at first. Stick to Paros until you get a good feel for what's going on under the hood, then switch over.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
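Two of the caveats in the post above (a spider will happily follow a logout link, and a file/directory scanner that trusts a 200 status is fooled by custom 404 pages) are easy to see in code. The block below is an added example written for this thread; it is not Paros code and not from anyone in the thread. It crawls a constructed in-memory "site" (the paths, HTML and the soft-404 page are all made up here) with a do-not-follow rule, and then contrasts a naive probe with one that fingerprints a deliberately nonexistent path first so a friendly "not found" page is no longer counted as a hit.

```python
"""Added example (not from the thread or from Paros): a tiny crawler over a
constructed, in-memory "site" that shows two things a spider/scanner user
must handle.
1. A spider follows every link it finds, including logout or delete links,
   so it needs a do-not-follow rule before it runs.
2. A scanner that flags any 200 response as a found file is fooled by custom
   404 pages; fingerprinting a path that cannot exist lets it tell a real
   page from a soft 404.
Everything here is constructed: the site map, the paths and the HTML."""
from collections import deque
from html.parser import HTMLParser
import hashlib
import re
from urllib.parse import urljoin, urlparse

# Constructed site: path -> (status, html). The custom 404 answers with
# status 200 and a friendly page, as many real sites do.
SITE = {
    "/": (200, '<a href="/about">About</a> <a href="/search">Search</a> '
               '<a href="/logout">Logout</a>'),
    "/about": (200, '<a href="/">Home</a> <a href="/admin">Admin</a>'),
    "/search": (200, '<form action="/search"></form>'),
    "/admin": (200, '<h1>Admin</h1>'),
    "/logout": (200, 'You have been logged out. <a href="/">Home</a>'),
}
SOFT_404 = (200, '<h1>Oops, page not found</h1> <a href="/">Home</a>')

def fetch(path):
    """Simulated HTTP GET; unknown paths get the custom 404 page."""
    return SITE.get(path, SOFT_404)

class LinkParser(HTMLParser):
    """Collects href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def extract_links(html):
    parser = LinkParser()
    parser.feed(html)
    return parser.links

def spider(start, deny=(r"logout", r"delete", r"signout")):
    """Breadth-first crawl of same-site links. Paths matching a deny pattern
    are recorded but never requested: a spider cannot tell a logout link
    from any other link, so the operator has to tell it."""
    deny_re = re.compile("|".join(deny), re.IGNORECASE)
    seen, skipped, queue = set(), set(), deque([start])
    while queue:
        path = queue.popleft()
        if path in seen or path in skipped:
            continue
        if deny_re.search(path):
            skipped.add(path)
            continue
        seen.add(path)
        _status, html = fetch(path)
        for href in extract_links(html):
            queue.append(urlparse(urljoin(path, href)).path)
    return sorted(seen), sorted(skipped)

def fingerprint(html):
    return hashlib.sha256(html.encode()).hexdigest()

def probe(paths):
    """Naive scanner beside a baseline-aware one. Both request candidate
    paths; the aware one first fetches a path that cannot exist and treats
    any response with the same body fingerprint as 'not found'."""
    baseline = fingerprint(fetch("/this-path-should-not-exist-9f2a")[1])
    naive, aware = [], []
    for path in paths:
        status, html = fetch(path)
        if status == 200:
            naive.append(path)
            if fingerprint(html) != baseline:
                aware.append(path)
    return naive, aware

if __name__ == "__main__":
    print("crawled, skipped:", spider("/"))
    print("naive, baseline-aware:", probe(["/admin", "/backup", "/old"]))
```

Running it crawls four pages and leaves `/logout` untouched, and the probe shows the naive list reporting three "found" paths while the baseline-aware list keeps only `/admin`. The baseline trick is the same check a human does when a scanner lights up everything: request something that cannot exist and see what the site says.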


Re: How to do it?

Post by iistapp on Fri Apr 08, 2011 4:39 am

So with an intercepting proxy you don't really find vulns, you just get sort of a map of the whole page, and have to work your way out of that?

Can't say I'm on the developing level yet, but who knows in the future, hehe.


Re: How to do it?

Post by Goatboy on Fri Apr 08, 2011 4:46 am

Vulns are not something you can just see. A typical process might go like this:

1.) See a search form
2.) Enter SQL injection test string
3.) It works as you expect, so you formulate a complex attack payload
4.) Payload works, you are in

None of this would be revealed to you by Paros. The "map" of the page is already given to you by your browser when you visit a page. Paros simply shows the details that made that page, along with other useful bits of information. It's up to you to test each area to determine if and how it can be exploited.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
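The search-form step in the list above is worth seeing from the side of the person fixing it. The block below is an added example written for this thread, not code from anyone posting here: a constructed SQLite table stands in for a site's database, `search_unsafe` builds the query by string concatenation the way a vulnerable search form does, and `search_safe` passes the term as a bound parameter. A test string that breaks the first query is inert against the second, which is why understanding what the query does matters more than a collection of strings.

```python
"""Added example, not from the thread: a vulnerable search query beside its
parameterised fix. The table, rows and search terms are all constructed."""
import sqlite3

def make_db():
    """Constructed catalogue; the non-public row must never come back
    from a public search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [
        ("red shoes", 1), ("blue hat", 1), ("unreleased item", 0),
    ])
    return conn

def search_unsafe(conn, term):
    # Deliberately vulnerable: the user's text becomes part of the SQL,
    # so a quote in the term ends the string and the rest is parsed as SQL.
    sql = ("SELECT name FROM products WHERE public = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    # Hardened: the term is bound as data, never spliced into the SQL text,
    # so quotes and comment markers inside it have no syntactic effect.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def demo(term):
    """Run both versions against a fresh database for the same term."""
    conn = make_db()
    return {"unsafe": search_unsafe(conn, term),
            "safe": search_safe(conn, term)}

if __name__ == "__main__":
    print("normal term:", demo("hat"))
    print("test string:", demo("' OR 1=1 --"))
```

With a normal term both functions return the same row. With the constructed test string `' OR 1=1 --` the concatenated query collapses into `... OR 1=1` (the trailing `%'` is commented out), so the unsafe search returns every row including the non-public one, while the parameterised search simply finds no product with that literal name. Logging the final SQL text on the server is the quickest way to confirm which of the two a given form is doing.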


Re: How to do it?

Post by iistapp on Fri Apr 08, 2011 4:52 am

I used an SQL injection in one of the missions, but I found that by doing quite a lot of googling, so people who do this on a "daily" basis, do they have like huge libraries of SQL injection strings that they look up? If so, do they just randomly try these out on the page, or is there some more magic to this?


Re: How to do it?

Post by pretentious on Fri Apr 08, 2011 7:26 am

iistapp wrote: I used an SQL injection in one of the missions, but I found that by doing quite a lot of googling, so people who do this on a "daily" basis, do they have like huge libraries of SQL injection strings that they look up? If so, do they just randomly try these out on the page, or is there some more magic to this?

I'm going to assume that you just guessed your way through Realistic 2. I know I did ;) If you actually learn what the query is doing, it all makes sense. I can't speak for the 'people who do this on a "daily" basis' but I'm assuming that their approaches are quite well thought out and logical.
Goatboy wrote: 1.) See a search form
2.) Enter SQL injection test string
3.) It works as you expect, so you formulate a complex attack payload
4.) Payload works, you are in

Well there you go
Goatboy wrote: Oh, that's simple. All you need to do is dedicate many years of your life to studying security.

IF you feel like exchanging ASCII arrays, let me know ;)
pretentious wrote: Welcome to bat country

