Archive for category Web App

Missing in Action -> Return to Action

Posted by Matt Johansen in Personal, Random, Web App on December 30, 2010

So it has been about 6 months since I wrote a blog post and I’ve promised to myself to get back into it for the new year. I miss you all. I guess I should start by explaining my absence from the blogosphere as I had some pretty damn good reasons:

  1. I got a new job
  2. Said job was 3000 miles away
  3. I drove the 3000 miles
  4. First week in new location my house was broken into and my computers were among the more than $5k worth of stuff stolen.
  5. I had just blown all my money moving 3000 miles =no way to replace computer (or go to BlackHat/Defcon/BSidesLV :(
  6. New job has been keeping me supremely busy in a good way.

This whole extravaganza started in May so the summer was kind of a whirlwind of craziness, the fall was work kicking into overdrive. I’ve kind of hit my stride at the new job and gotten used to the giant piles of work so I’m planning on setting aside time to blog again.

The job I started was at WhiteHat Security as a resident appsec bug hunter. Drinking from a fire hose for 6 months would be no exaggeration as we have a very unique playground of websites to find/test vulnerabilities on. I’ve found some very high profile vulnerabilities that I wish I could talk about but I’ll have to settle for severely obfuscated posts in the future merely describing the attack vector with all client information withheld.

Since I joined the team we have about doubled in size and gone from the “Operations” department to WhiteHat’s “Threat Research Center” which just sounds so muchs spiffier and more official.

We also participated pretty avidly in the Google bug bounty program. Mighty successfully I might add: Google Security Hall of Fame. 5 people on our team found rewardable bugs in Google apps. I say rewardable because a number of us found bugs that they didn’t qualify as rewardable, mostly minor XSS or open redirects.

I might add that this is 5 so far, we have a few more emails sitting in their queue and I’ve had a bit of fun with their Cr-48 as a beta tester :) (more details to come after bug is reported and fixed but this one is a fun one).

So there is a run down of my absence from the blog world, cliff notes of course. I did a fair amount of weekend getaways enjoying the west coast weather.

I hope anybody reading this had a great Christmas and will have a safe and happy new year. My better half put a grill / smoker under the tree for me and I’ll be breaking that out to ring in 2011 with some smoked meat.
So now that you know one of my resolutions is to start blogging again what are some of yours? I miss you. You look great by the way.

Cheers,
Matty Jay

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Slashdot
  • StumbleUpon
  • Reddit
  • Tumblr
  • Twitter

1 Comment

Attack These Apps

Posted by Matt Johansen in Educational, hacker, security, Uncategorized, Web App on May 29, 2009

I’ve been messing around a bit with some purposefully vulnerable web applications and beating them up as best I can. My problem for a while was my inexperience with Linux and the lack of documentation for some of the applications I was using.

So instead of spending a lot of time learning to hack and defend I was spending a lot of time getting my java set up correctly and editing some of the shell scripts so they would stop complaining.

I figured I can’t be the only one who has these kinds of troubles so I started a fresh install of Ubuntu updated it, and i got a number of the web apps I was having trouble with up and running properly and decided I would distribute it to save some people who just want to get to the hacking all ready some time and headaches in installing all of these things.

Like I said, this is my first write up on this sort of stuff so be gentle but here is some of the guidance I can give you in getting these apps up and hackable.

First of all you can download the .ova file HERE for now. It is pretty big I apologize maybe on my next release I’ll try to use Debian or something so the lack of GUI will get it under a gig.

Use whichever VM software you prefer I know VMware accepts .ova files but if you’re using Fusion you might have to create a .vmx file for it.

It should log you in automatically but the info is
UN: hacker
PW: p@ssword
(please change the credentials ASAP!)

First you’re going to have to start apache-tomcat

$ cd Desktop/apache-tomcat-6.0.18/bin
$ sh startup.sh
Using CATALINA_BASE: /home/hacker/Desktop/apache-tomcat-6.0.18
Using CATALINA_HOME: /home/hacker/Desktop/apache-tomcat-6.0.18
Using CATALINA_TMPDIR: /home/hacker/Desktop/apache-tomcat-6.0.18/temp
Using JRE_HOME: /usr
$

You should be good, but to check open firefox and go to http://localhost:8080 and you should see the tomcat intro page.

Once tomcat is up and running you can start up WebGoat (and the fun begins!)

Navigate back to /Desktop

$ cd WebGoat-5.2/
$ sudo sh webgoat.sh start8080
(reminder: the sudo password for the default account is p@ssword which I hope you will change!)
note: sometimes after you start tomcat the first time starting WebGoat will get stuck at this:
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)

If this happens just restart the VM and start WebGoat again it should go all the way through to here:
INFO: Severver startup in XXXX ms
where the X’s are numbers.

Now you can open Firefox again and navigate to http://localhost:8080/WebGoat/attack/

It will ask you for a username and password which are both “guest”

Click the “Start WebGoat” button and go nuts. (I am aiming to do some write-ups on how to get through some of the lessons soon).

In order to start up the burp proxy that allows you to complete some of the WebGoat lessons just navigate back to the Destop and:

$ cd burpsuite_v1.2.01/
$ java -jar burpsuite_v1.2.01.jar

Easy enough.

The rest of the web apps are much easier and less buggy but also less step by step educational. These are just kind of put up and have fun in whichever way you want, the developers suggest looking at the OWASP Top Ten picking one and trying it out.

The rest just require you to start up some LAMPP

$ sudo /opt/lampp/lampp start

Check if it started up by going to http://localhost/ and seeing the XAMPP page.

Now the other vulnerable web apps are preloaded so all you have to do is navigate to them:

http://localhost/mutillidae

http://localhost/DVWA

Here are some other resources to look at to play with if you are interested in this area:

Moth – a VMware image with a set of vulnerable Web Applications and scripts. I haven’t gotten a chance to sit down and play with this one but it has come highly recommended

Samurai WTF – The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. Consider it the BackTrack of web apps.

That is all I’ve got for now, hopefully I’ll sit down and make some instructional screen cap videos in the near future.

Special thanks to Port Swigger, Damn Vulnerable Web App, OWASP WebGoat, and Iron Geek for giving me permission to distribute your applications. I appreciate it and I hope you guys keep up the amazing work.

Again download the VM: HERE

Hope you enjoy and please let me know any ways you’d like me to make this better and re-release.

Matt

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Slashdot
  • StumbleUpon
  • Reddit
  • Tumblr
  • Twitter

No Comments