Right of Boom
January 30, 2025

The Cybercall: ET Web Exploitation: Is your Web Presence Secure?

In this video, Bryson Medlock, Jason Slagle, and Amit Israel discuss web exploitation and how to keep a web presence secure. They walk through the OWASP Top 10, covering common web security issues such as SQL injection and cross-site scripting, and demonstrate practical testing with OWASP ZAP against the deliberately vulnerable DVWA application. The session emphasizes continuous monitoring, proper logging, and a proactive approach to securing both your own and your clients' web systems.

- The webinar discussed the importance of securing web applications, focusing on OWASP Top 10 vulnerabilities such as SQL injection, cross-site scripting, and broken authentication.
- Cyberfish offers a single-console solution for phishing that covers securing, protecting, preventing, and training, and runs automatically with minimal configuration.
- The webinar emphasized tools and practices such as web application firewalls, vulnerability scanning, and code reviews to protect web applications from exploitation.

Guests

Andrew Morgan

Video Transcript

All right, back live. Day two, final session. Joined with Bryson Medlock of the Perch SOC, Jason Slagle of CNWR, and Amit Israel from Cyberfish. Let me set the stage real quick for everybody. Exactly. David Ellis, top 10. OWASP. Bryson is gonna be awesome and we're excited about kicking this off. All right, so just real quick, as we did yesterday, I just wanted to first off thank everybody for being with us for two days.

I want to thank Cyberfish for always being part of our technical sessions, our year of CTFs, and the prizes that they did there, as well as sponsoring two winners that I'll pick and we will announce at the end. Each is gonna get an hour of time with Jason Slagle. And real quick, what you can do is either click the "Win Time with Jason Slagle," which will take you out to the Cyberfish website, where you can learn more about Cyberfish, or you can email me. I'll put my email in.

But real quick, it's Andrew at The Cyber Nation, all one word, thecybernation.com. I'll put it in there. Let me just ramble real quick here 'cause I want to kick things off. So, for those of you that don't know about Cyberfish, it's awesome. It came on site a little less than a year ago. Over 500 MSPs use it. They play in the visual detection space and phishing. And a lot of the MSPs out here are using it.

One of the things that we've noticed over the years is people still have to do, obviously, security awareness training, phishing simulation, et cetera. What Amit's tool does is capture millions upon millions of phishing kits, business email compromise, you name it, quarantine them, and detonate them. And so instead of you having to... now, one thing, it's in beta and they're gonna start releasing this to their beta group over the next two weeks.

So instead of having to create your own phishing campaigns and security awareness training, taking all your tech time to do that, you're gonna be able to just simply select a type of campaign. The detonated campaign will take real-world phishing and use that to, quote unquote, attack your customers. The other thing that's gonna be huge about this is a lot of times your help desk doesn't know phishing is going on.

Phishing simulations are going on, which then has your help desk trying to figure out why their customers are calling in freaking out. Amit and team are gonna update the PSAs to let you know active phishing is taking place. This should save you not only a lot of hard COGS, because you're not paying for multiple solutions, but also a lot of labor costs. Amit, real quick, did I leave anything out or did I get that all down for you? Tell me what we're doing here. You're the best.

You said everything. It's the holistic thing that we're interested in, providing one solution that gives everything that's connected to phishing, like securing, protecting, preventing and training, in the same console, the same solution, configured in one minute. It runs by itself and the rest is done, as you said. Okay. Very easy.

If you click the "send you an email" or you click down there, the green one, then you actually have the ability just to schedule a talk with me or one of the guys, and then we'll explain everything that's needed about our solution or training solution. You can join us. And yeah, to that point too, you have the protect-your-house model. So if you're using Cyberfish, you will get protected, which is huge. All right, so with that, Amit, thank you.

I want to kick it over now to the team. Yeah. Thank you. Thank you guys. Bryson, do you have a slide deck in question? Okay. So let me let you share your slides, and because we're gonna render this up in the True Methods portal and other things, I'll formally introduce you and Jason and the session. And that way we can have it all neatly recorded. By the way, everybody, if you have questions, pop 'em into Ask a Question along the way. I'll monitor it.

I'll be off camera. But I will pop in from time to time and make sure that your questions get answered here. Okay. I've got to reset my browser to fix the permissions because I'm on a Mac. Ah, there we go. So I'm gonna have to drop, like yesterday. No, you won't. I didn't have to yesterday. It did. It did it. Yeah. Okay. All right. No, I know that happened on, like... for those... I know everybody.

And by the way, since we're doing that right now, just real quick, does everybody know about... I'm sure you all do right now, but while you're doing that, is everybody aware of the VMware critical? I know Jason was on it instantly. We were on talking about it last night. There are multiple critical VMware vulnerabilities. All right, so let's kick it off right now. So we are doing web exploitation, and is your web presence secure?

Joining me today, Bryson Medlock of the Perch SOC, Jason Slagle of CNWR. Thanks so much guys for joining us, and I'll let you take it away. Sure. Yeah, so like Andrew said, we're gonna talk about web exploitation today. We're gonna start off just talking about the OWASP Top 10, and then we've got a hands-on demo on how to actually do some web exploitation and do some testing. So hopefully we'll have some fun.

We've got a lot of content, so we might have to rush a little bit, but I think we can do it in an hour-ish. So, in case you weren't here yesterday, just to introduce ourselves: I'm Bryson, I'm with Perch. I'm actually not in the SOC anymore. I'm in the research team, doing threat research stuff. So that's what I'm doing. Jason? Yeah, I'm Jason Slagle, VP of operations at CNWR, longtime computer nerd, doing security stuff for a while. Cool. Okay.

So let's jump into it. So today, yeah, we're talking about web exploitation and is your web presence secure? Because a majority of the exploits that happen nowadays are web exploits. There's a ton of them. They happen every day. I don't have any statistics, which probably would've been nice, but I will just say a majority of the things that we see at Perch, the things that actually get exploited, are web exploits.

There's so much out there and there's so much low-hanging fruit. It's just happening all the time. So, to start off with, we wanna talk about OWASP. So OWASP is an open source... it's a nonprofit group. Let's see, OWASP, it stands for, what is it? Open Web Application Security Project. So it's a nonprofit group. They do a number of things. They've actually got some products out there, like Burp Suite. That's an OWASP product.

They have local chapters that have meetings, that kind of thing. But they focus a lot on, and their primary focus is on, web exploitation, because that's one of the biggest risks that are out there right now. So they produce this semi-annual list of the most common, or the top 10, types of web exploitation that you see out there.

They've got a lot of tools available for testing for these, a lot of tips and that sort of thing for how to write secure code. 'Cause that's part of what we're talking about here as well: making sure your code is secure, and these are the things that can go wrong with your code.

So being aware of those things, and what you can do to prevent your own applications from being vulnerable, is definitely something you need to know, especially if you're developing your own stuff. But even if you're using other projects that other people have written, whether it's open source or something you've purchased, it's still stuff you want to check for and keep an eye out for. So let's just jump into the list. Number one is injection.

So injection is a number of different things. Essentially it's just accepting untrusted data, sending that data to some kind of interpreter and then being able to execute on it. And the most common example would be SQL injection. And of course, when we're talking about SQL injection, we have to use the obligatory XKCD, little Bobby Tables here. But this is a good example of what SQL injection looks like.

You can see on the third frame there, their son's name is Robert, parenthesis, drop table students. That's an example of SQL injection. So essentially, if you have a webpage and it has some kind of form where it accepts data, you could insert something like that. And if you're not properly sanitizing input and you're just trusting whatever the users will give you, then they can execute other things.

In this case, it's a SQL query, but there are other types of injection, for example command injection. So depending on how your website's set up and what it actually is doing with that data, you could potentially almost get a shell, or at least actually execute commands directly through, you know, CMD or bash, depending on what system you're running.

There are other types of injection, but it just boils down to any place where users can control the data that you're getting. Injection is something that could happen. It can happen in your HTTP headers. So it doesn't just have to be in form data.

For example, if you have a WordPress site and you've got a plugin that's tracking users, one of the things that it'll do is look at user agents and actually put that data into the database. So since it's taking the user agent from the HTTP headers and putting it into a database, that could be something you could do SQL injection with. And so you'll see SQL injection queries in the user agent field of a web request. That's just one example, but there are other injections as well.

For example, Shellshock a few years ago was kind of an example of command injection that you could use in any part of a web request, just depending on how that was processed. So this is a big one, and this is probably the most common thing. So many people know about SQL injection and command injection, and there's so much low-hanging fruit in this field.

You can use a number of open source tools and just scan the entire internet and find lots and lots of sites that are vulnerable to SQL injection. So, gotta keep an eye out for that. And actually, I didn't put remediation tips on each of these, but if you go to OWASP, they'll talk about that. But essentially, all of these, for the most part, boil down to: you don't trust user input. If the data's not coming directly from you, don't trust it.

You need to escape special characters. You've gotta sanitize it. Just never trust your users. All right, so number two is broken authentication. And this could mean any number of things related to authenticating users, session management, access control. For example, credential stuffing and brute force are a couple of examples of broken authentication.

And you also gotta think about the user, what actually happens... But anyway, Jason, did you have anything to add to authentication? I think you're on mute. Okay, I'm on mute. Yeah, there's been a couple of RMM tools that have suffered from this in the past. I'll talk a little bit about how a couple of things were chained in a CVE that I actually own.

Not specific details, but a little about how some of these were used, when we get to that section. Okay, cool. Sensitive data exposure. So this is like information exposure type vulnerabilities, or just stolen data. So there's password databases that get leaked online all the time, any kind of unencrypted data that people can access, man-in-the-middle attacks where you're sending unencrypted data.

So these are some examples of sensitive data exposure that you wanna watch out for. And you just gotta be careful with all that unencrypted data. Just, again, always assume that somebody's watching.

And so whatever you can do to protect your data... So XML external entities, or XXE. Essentially this boils down to: anytime you've got your application processing an XML file, there's a possibility, depending on how you're processing it, that somebody could inject things into that. So the examples we've got here, there's some XML entities there.

And depending on how you're processing it, somebody could put in something like file /etc/passwd, and when it processes the document and returns a response, you may actually get the contents of your /etc/passwd file. Or you can even use it for accessing other internal services.

So if you've got an idea of what's inside the network, and you have maybe a private intranet site that's only accessible to people inside the network, this is something, for example, that second example, where you could actually get the internal server to send a request and pull that data in, and it would show up on the public site. Again, that boils down to: don't trust user input.

So broken access controls. Again, this goes to the restrictions you place on a user and the ways those can be bypassed. So some examples of that are: you have an API that maybe doesn't use the built-in access controls of your application. So an API might be a way to bypass the access controls. Another example is if you can change the primary key of a user's record.

So if user one is always admin, and maybe there's a way you can change your user's key to one, or any kind of elevation of privileges. And Jason demoed yesterday the sudo vulnerability, the recent one, which was a privilege escalation vulnerability. So a normal user could use that to escalate themselves to root, and it was called Make Me a Sandwich, which was a reference to, again, this XKCD comic. There's an XKCD comic for everything.

I went through last night and found one for each of the OWASP Top 10, and it didn't take too long. We've got security misconfiguration. So this could be any number of things. Some common ones are default accounts and passwords. So we talked about that yesterday, also related to firewalls or your switches: have you changed your default usernames and passwords? Any kind of incorrectly configured permission.

So like there's a common vulnerability in Nginx: if you don't set up the permissions for it correctly, you can actually use that for some directory traversal stuff. And it's just a configuration issue. There's no patch for it.

It's pretty simple, if you don't know what you're doing, to configure it in a way that allows for directory traversal. Any kind of security services that you've got disabled, that's a security misconfiguration, or features or services you don't need. So one example of that is the VMware stuff that was released yesterday. There were a couple of vulnerabilities, and one of them was related to, what was it, OpenSLP, I think.

And it's actually a service that, according to VMware's documentation, they don't need. None of VMware's products actually use it. But it's there and it's enabled by default. And there was a heap overflow vulnerability related to that that would allow for remote command execution. So their recommendation is to disable it. Cross-site scripting.

So when you talk about web exploitation, the two that most people kind of default to or talk about, because they understand them, are, you know, you hear a lot about SQL injection and cross-site scripting. So cross-site scripting, again, goes back to unsanitized input, but in this case, it's allowing arbitrary HTML or JavaScript to run. So there's three different types.

There's reflected, there's stored, there's DOM. But it, again, boils down to: you have some way for users to input data, and they can input that data as JavaScript, and that JavaScript will then run when the site is shown.

So reflected would be something you do in a URL, and stored is something that's, for example... and DVWA has this, I think it's like a guest book that you sign, and you can put in JavaScript as your signature in the guest book. And then the next time somebody loads that page, it's got that JavaScript saved on the page, and it'll run whatever it is that you told it to run.

So you can do some session stealing, you can do account takeovers. You can also bypass MFA with some of these types of things, depending on what it's doing.

So it's a common phishing technique: you can form a specially crafted URL that goes to a banking site, and you can use that to collect the session information or even the login information for someone, but it actually ends up directing them to the bank's website. There's just extra code in there that lets you steal that data.

So insecure deserialization. There's a lot of text on that screen, but deserialization and serialization, these are engineering terms that, for the most part, I know this is oversimplified, but it's reading and writing data is what we're talking about. Serialization is writing data.

So it's taking the data that's been received, and it's formatting it in a way that can be saved, for example, to disk, sent through a stream or sent over a network. So any kind of data writing. And then deserialization is the opposite of that. So we're taking saved data and we're turning it into an object that can be used programmatically. So that can be reading from a JSON file, reading from a database or reading data over the network.

So an example of that we've got here. So we've got a PHP forum that uses object serialization to save a super cookie. So when you log into this forum, there's a cookie that's saved locally on your browser as a user, which has all of this user information. Now, if they have insecure deserialization, the second example there at the bottom, what they've done is actually just changed the username and the permission.

So now, instead of Mallory, who's a user, now I'm Alice, who's an admin. And if your code is insecure and it's just trusting the cookie, then now you're able to log in as an admin, because you've got a cookie that's saying that you're admin. And then using components with known vulnerabilities. So this is a big thing with open source, and I think Google recently published a report about this. And there's an OpenSSF framework.

It's OpenSSF, that they worked with some other people on. But essentially it boils down to: you've got all this software that you've developed, this web software, but what does it depend on? So there's probably some third-party libraries, even some built-in stuff in your application, or your operating system. So you've got OS-level vulnerabilities. It doesn't matter how secure your actual PHP might be.

If there's something at the OS level that's vulnerable, or maybe all of your PHP is good, but you're importing some other PHP library and it has a vulnerability, or a Python library, or your database management system has a vulnerability. So it's keeping track of not only the software that you write or the things that you're running, but everything that it depends upon, which is a lot.

There are a lot of components that work together in order for a web server to work. It's not just Apache or Nginx. There's all the libraries that Apache is dependent upon. There's OpenSSL. When OpenSSL has a vulnerability, now, even though Apache may be fine, your TLS connections, your HTTPS connections, are all relying on that OpenSSL library. And now that's something that you've gotta keep track of.

So we'll talk about this at the end, but that OpenSSF framework has some tools to kind of help keep track of that stuff. But that's just another thing to keep in mind: what is your software dependent upon? And insufficient logging and monitoring. Most of the things that we've talked about can be detected, and you can respond to them quickly, if you're logged and you're monitored.

And the worst example of that is you're not a Perch customer. If you want sufficient monitoring and alerting, that's a quick, easy fix. Just call Perch. We're there for you. We've got your back. So that's the OWASP Top 10 in 10 minutes or 15 minutes. And just real quick, what are the risks? If you've got a web presence and you're not secure, what could happen to you?

I mean, the quick, simple things: you could have a site defacement, which is of course bad PR, but then there's other things, like data can be stolen. So if someone's able to run queries in your database, what kind of data can they get out of that?

If you're running some sort of e-commerce site, you may have some billing information, you may have some credit card data, usernames and passwords. Every day there's database dumps online from databases that have been stolen, with usernames and passwords.

And even though that may be usernames and passwords for one site, a big risk is that everybody's reusing those passwords, and they may log into some random e-commerce site to buy something. That database gets leaked, and they're using the same password that they used to log into your corporate network.

So now that data is out there and someone could use those credentials. And then your network could actually be part of a C2 network. So a lot of the C2 servers that we see out there, that's command and control servers that are used by malware, are actually just hacked sites that they've gained access to: a lot of WordPress sites, a lot of Joomla sites, a lot of Drupal sites.

Those are the most common, just because they've had a number of vulnerabilities that are really easy to get into. But yeah, when you actually track down where this C2 is connecting to, it's just some guy with a blog who is unknowingly now hosting malware. And you don't want that to be you, you don't want that to be your customers. So these are significant risks that you need to keep an eye out for.

On the MSP side, Jason, is there anything, any other risks that you might wanna bring up? Yeah, so, you know, as I think you put this in the slide here, if your customers have a web presence, somebody's trying to get in. It doesn't take very long of looking at access logs to see that you're just constantly being poked and prodded.

Back in June when one of the RMM vendors had an issue, a bunch of us were combing through logs to see if certain endpoints were accessed, to indicate that we might have a problem. And it's just impossible to dig through those logs without some sort of filtering, like Perch, because there's just too much noise in 'em.

And more importantly, your RMM tool is almost certainly a website: front end, backend, all the pieces of it. Almost everything you do these days on your phones, on your computers, everywhere in your life, is web, right? It's from push notifications on your phone. Like, how many people here knew that when you get a push notification on your phone, it's actually a web connection?

Your phone has a connection to your phone vendor's server that's pushing a web socket thing down to give your phone a push notification, right? Like, that's the thing most people don't think about. All of these are relevant to your RMM tool. And at the end of this, one of the calls to action is: learn how to do this. Poke your vendors, right? Make sure you're not violating acceptable use policies.

But every single bug that somebody can find in these that isn't found by a black hat is a win for the entire community here, right? Because an exploited RMM via web basically allows all of your clients to be exploited. And I'll talk a little bit about that when we go through the demo here. Specifically, I'm gonna go through a couple things, and one of 'em will be SQL injection. Yeah.

That's the Buffalo Jump that we like to talk about at Perch. It was in our MSP threat report last year, where once you get into the MSP, the RMM tool, it can go from there and jump off and get to all of your customers. So, all right. I think we are ready for the demo. Jason, did you wanna take over the screen?

Yeah, I'll take over slides just because... so while we're doing that, I learned lessons yesterday and decided that Crowdcast may not be the best platform to try to run a totally full live demo on. So I went ahead and switched and basically ran the demo this morning. Is it showing? It does not look like it. Yeah. Okay. I see it. It's not resizing the same way. Yeah. I'll figure it out. Hold up. We will try it again.

'Cause maybe I got it before you were done. Let's see. There we go. Maybe we needed Andrew to help us here. Make it full screen. Cool. So I went through this morning. I had planned to do this live. When I've done webinars in the past, I think fully live demos are, one, more fun, 'cause they're riskier, and everyone really likes to see the risky demo guy. Like, oh, is it gonna work? Is it gonna work? But Crowdcast just isn't very well suited for it.

I kind of bumbled through my demo yesterday, because switching back and forth between Windows and this, it was gonna be no better. I needed to be in like three different apps at once. So I ran through it this morning and just recorded some screenshots here that I'll talk about. So we're gonna take a look here at an application called DVWA. It stands for the Damn Vulnerable Web App.

And basically it's a playground that lets you learn about a lot of these vulnerabilities. I don't think it quite covers the entire scope of the OWASP Top 10, but it covers most of them. And it covers them at multiple levels, right? It starts out easy, with basically no protection on it. And the hardest level is impossible, which in theory is supposed to be fully secure.

And you're not supposed to be able to breach it. I spent a little bit, when I was first learning to use this tool, trying to figure out why nothing would work, only to realize that I had set the default to impossible. And I'm like, why isn't any of this stuff working? I did go through most of the things that I'm gonna show here today on low, just for ease of not trying to break people's brains with how complicated some of these things can be.

And so the primary tool that I'm actually gonna be using today to demonstrate this stuff is a tool called ZAP. So I don't believe Burp Suite is actually an OWASP product. I think it's PortSwigger, right? So I think ZAP is actually the OWASP thing that is essentially equivalent. I thought the same thing you did. And then I'm like, why would they have two? So ZAP is something called the Zed Attack Proxy.

It's basically a web application scanner that can do automated scanning and assist you in manual scanning of web apps. This is different than a vulnerability scanner, although there is some overlap in the industry here with these things. But this tool is specific to doing web stuff. And there are commercial tools out there that can do a good job, probably a better job than this, but obviously they come with better-than-this price tags, right?

Which is free. You know, AppScan is one that several bigger enterprise clients we serve use. Burp Suite is one that has a free and a paid version. And then most of your tools, if you do any PCI at all and you have external scans via, like, Trustwave or Qualys, they all have tools that do similar sorts of things. So as we're going through this here, we're gonna poke DVWA using ZAP.

So one of the things that ZAP allows us to do is it allows us to script, right? So because all of the vulnerabilities in DVWA are hidden behind a login screen, for fairly good reasons, 'cause it's very vulnerable, we have to set up ZAP to be able to authenticate against DVWA. The ZAP website actually has a really good tutorial on setting up and doing that. It requires some scripting knowledge.

In this case, there's JavaScript they actually just provide on their site that you can just paste in there and set it up. And then when we're done... I went ahead and set up ZAP to talk to DVWA, setting up basically the URL. And this is the Ubuntu machine I scanned yesterday. Setting up the URLs that are in scope.

I added a couple of exclusions, and on the right-hand side there you can see I told ZAP how to log into DVWA and then how to tell if it was logged in. So then we go... the cool thing about this is that ZAP is a proxy, right? So basically it will intercept all of the web requests, and it handily has that button. It's probably tiny, you probably can't see it, but there's a button up there at the top that looks like the Firefox logo.

You press it, you get a Firefox window that is pre-configured to talk through ZAP, which is super cool. You can actually see at the bottom there, also probably tiny, most of it I tried to make bigger, but you can actually see some of the default web requests that Firefox makes when it starts up, things like services calls and Pocket. Firefox really likes to talk to Pocket these days for some reason.

So you go ahead and you log into DVWA with that, and one thing you'll notice is these little buttons that appear on the side. So if you're using the ZAP proxy, you kind of get this, like, heads-up display. So on the live website that you're looking at, you can do things like mark it in and out of scope. You can see those little flags on the left and right there, and those little flags tell you what kind of things it found on the page you're looking at, right?

So you can see that, you know, just this default page, it found a couple of medium and a couple of low risk things on the page. And they're just things like, I'm hitting the page insecure, and I think it doesn't properly set cookie attributes to be secure, stuff like that. So they're relatively minor things.

But then once you've logged into the site, the fun really starts. One of the things that ZAP can do is it can do an active scan, right? So first you go through and you basically configure a scan up, you scan the website, and then you can go through and you can run a full scan. And one of the other reasons I was glad I didn't run this as a full demo is, you know, this isn't necessarily a super quick process, right?

I wrote in my notes here 10 to 20 minutes, but I think in the end it actually ended up taking almost 30 minutes to do a full scan of the site after I got everything logged in. But once it was done, it came back and it gave me a bunch of things that are possibly wrong with the site, right? Which is super cool. It picked up a couple of cross-site scripting attacks, so some DOM-based ones and some reflection-based ones.

It picked up some SQL injections, which we'll explore here in a minute, 'cause I think that's the super cool stuff. And then it picked up a bunch of things here that, uh, CSP, uh, which are, what is CSP? It's insecure inclusion of files, picked up some misconfiguration and directory browsing, which kind of goes to the thing that Bryson said earlier with the nginx misconfiguration and directory traversal.

And so just out of the box, without any additional poking, we were able to find a handful of things here that we should probably investigate in more detail on this site. So what else can we do with this tool? Right? So as you can see here, it is a proxy, right? So I can run all web traffic through it; with some work, you can even get your RMM agents running through it.

I have definitely done work in scanning RMM tools, making them run through the proxy, intercepting requests and editing them, right? So that's a super useful thing. It's super useful for web debugging. But one of the other cool things you can do is you can take a request here, right? And so here's a request on the brute force page in DVWA, where I'm trying to log in with username "test user" and password "test pass", right? So what can I do?

Well, ZAP supports basically brute forcing those, right? So we configure up a thing here where we tell it the parts of the request that it's gonna modify, the user part here and then the password part here, and you feed it a dictionary that it ships with out of the box, and that dictionary has a bunch of common usernames and passwords in it, and you tell it go, right?

And it will happily go and make, in this case here, it looks like it made about 139 different requests of various different username/password combinations that you can see on the right-hand side here. And then you can see that most of them, all of them, returned 200, right? Because the app was basically just, it generated a page back indicating you were in or you weren't. But if you look here, almost all of these were 4,237 bytes in length, right?

So if you look at that 4,237-byte reply, you can see here that the HTML of it actually tells you that the username/password you're using is not correct, right? But if you look at the one that stood out that had a different size, you can see that it said, welcome to the password protected area, right?

So looking back at that, you can see it's actually admin and, it cut it off here, it's password. I actually went into the login page, logged in with admin and password, and you're into the password protected area, right? So we were able to use the tool to basically do a brute force attack on the site. So that's one thing it can do. It can do some amount of SQL injection, but like so many of these things, there are domain-specific tools that we can look at here.

So I wanted to talk in particular about SQL injection, 'cause this one is near and dear to me. We've seen some big issues with SQL injection in various tools. And people tend to think of SQL injection as, you know, maybe stealing a little bit of data, maybe being able to modify some things, but it can do other things, right? It can update existing data, right?

And if your backend database in, say, your RMM tool runs things like commands, or does other things like that, it can lead to full takeover, right? So we have, as a particular example here, I'm the owner of two CVEs, one of which, if you are looking at the OWASP top 10, was basically broken authentication. And the other one is injection, or SQL injection.

That, combined together for six weeks or so while I worked with the vendor to fix it, allowed me to remotely and fully take over any instance of this vendor's RMM product on the net, right? And these are just simple. They weren't simple, they're relatively complex. But these are just web vulnerabilities, right? These aren't, you know, huge remote code execution vulnerabilities. These are run-of-the-mill web vulnerabilities.

So I like to teach people in particular about SQL injection. So if you go to the SQL injection page on DVWA, we have two different methods we can do this. We have the normal SQL injection, which takes some data and then spits it back out onto the page, right? So you can see how that could be useful, right?

In this case, say we're selecting out a list of users, or it's telling us about a username, and we can make this thing spit out more information than it was supposed to. Then we can obviously get that back on the page. But there's also another type of SQL injection called a blind SQL injection, right? And in this case, maybe it's not gonna actually output anything it uses on the page, right?

Maybe it's only going to, in Bryson's case earlier, log a user agent on the back end, right? Or tell you that a user doesn't exist or does exist. And you're like, well, there's not really a whole lot of risk in that, but there actually is, because there's this whole concept of a blind SQL injection. So you can see here, we have a form here that literally takes a user ID, and that's all it does. And you hit submit and it tells you if the user ID exists in the database or not.

And if you look at the backend, that's actually doing a GET, and that GET is calling ID one with the submit value of submit, right? So you're like, okay, well, that's great. So we look at a tool called SQLMap. And SQLMap is an awesome open source tool. I use it a ton when we're doing CTF stuff, but it does much more than that. It can basically automate attempting to do SQL injection attacks against various database platforms.

It supports a whole ton of databases: SQLite, SQL Server, Oracle, MySQL, Postgres. If you can name it, it probably supports it. It automates the hard work, 'cause it is relatively painful, especially when you're talking about blind attacks, of attempting the many different methodologies used to do these attacks, right? So we'll go ahead and we'll take a look at what that looks like, right?

So I did a little bit of setup here, right? What I did is I went into ZAP and I looked at that same request that we looked at earlier. We're doing a GET against that URL, with the ID one submit, right? And we've got some cookies here. So you figure those cookies are probably important. So then I configured SQLMap to hit that same URL, with the whole thing, right? I didn't tell it anything about what might be vulnerable.

I fed it the same exact proxy, 'cause I wanted that to go through the proxy so I could see what it was doing. And I fed it the cookie. When that was done, it ran, and within five, 10 seconds it came back and said, hey, I think this is MySQL. Do you want me to try stopping, like, looking for other RDBMS solutions? 'Cause I think this is probably MySQL, and I think that we probably have a blind injection on the ID parameter.

So this was within five seconds of using this tool. So I'm like, sure, go ahead and skip everything else. You let it run for a little bit longer. It's like, okay, we know it's MySQL. We're gonna go through and look at some other things we can do with regards to various parameters to try to find the quickest way to cause pain and suffering for this website.

And after a little bit, it optimizes its query here and figures out that it can use a combination of ORDER BY and some time-based sleep stuff to get some data out pretty quickly. And then it was done. It basically said, okay, this is definitely vulnerable. Here are two different ways you can do it. We can do a boolean-based attack, where we do ID equals one AND 3505 equals blah and whatever equals whatever, right?

Or we could do a time-based attack. A time-based attack basically involves inserting some sort of sleep into your SQL statement and then measuring how long it takes to return to you, right? So that's super interesting, because the only side effect that you have is how long that page takes to load. And that's like next level. That's like extracting data from a computer by listening to the frequency variations of the monitor level stuff going on here, right?

So this tool completely automates it for us. So this is, let's see if the video gods are nice to me. So we've determined it's exploitable. So now what? Well, now there's probably a table called users, right? Let's see what that table looks like. So I ran this through this morning, and we'll let it run here and hopefully this plays okay and is relatively visible.

And Java software actually got updated, so I ran this and it had run for a little bit this morning. It's like, okay, you're connecting to a thing that you've connected to before. And you can see here that character by character, this thing is extracting.

It's under our thumbnails a little bit here, but you can see it's actually extracting information from the database character by character, using the amount of time it takes to return a query that the character equals n or it doesn't equal n. And in a second here, I'll actually drag over the ZAP window that I had running, so you can actually see how many web queries this thing's running against this. And it's quite amazing.

It's just pounding this thing with queries here. And you can see it just running query after query. And each one of these brings back a letter, or every couple of 'em brings back a letter, and then in the end it gets it all and it comes back. And this took, oh, I don't know, like five minutes to run, but at the end of it, it pulled back the entire contents of the users table, and it was happy to say, hey, this looks like an MD5 hash.

Do you want me to go ahead and crack that for you too? It cracked the MD5 hashes and spit out the entire content of the users table of this web app with the decrypted passwords available. And I think that's actually really cool, but kind of scary at the same time. Yeah, definitely. So you want to cover what you can do to protect yourself? Sure.

So we'll go back to kind of the theme that we've stayed with, which is just assume you're vulnerable, assume breach. If you have a web presence, you probably have a vulnerability somewhere. So just keep that in mind. One thing you can do, you can get a WAF. So a WAF is a web application firewall. It's different than a regular firewall. So a normal firewall's looking at the network layer; we're looking at IPs and ports.

This is actually something that's application aware. So it's actually looking at the web request. It's a firewall that knows what SQL injection is and what a SQL injection query looks like. And so it can block it before it even gets to your website. So a WAF is definitely something that I recommend you have if you have a web presence. You know, never inherently trust any third-party software, any third-party plugins. You want to test that stuff.

Again, that was one of the OWASP top 10, about known vulnerabilities in the things that your software's dependent upon. So keep that in mind, and test everything.

To add to that, there were recently two $30,000 payouts, I think PayPal and Apple, because they had Node.js dependencies that were private and internal, and somebody went out and registered them and put them in the public Node.js repository, and the next time they built their software, it just happily went out and grabbed the public copy of it. Yeah. Vulnerability scanning.

So the tools we've talked about the past couple days to test and check your software, just keep in mind, just because you run it and it doesn't find anything doesn't mean a hundred percent that you're secure. But it is definitely a good tool to use. And code review. So if you're writing your own code, make sure whoever's doing that knows what OWASP is.

They know the top 10, they've looked into some of the training around that where they actually talk about what you can do in your code to protect yourself, and go through and have regular code reviews where you're looking at everything that's been written, everything that's been committed, and look for those places where you're accepting input and you're not sanitizing it, that kind of thing. And again, secure your own house first.

So you don't want your customer sites to be hacked, but you definitely don't want yours. You don't want your RMM to be a target. You don't want people stealing data or jumping off of your tool to get into your customers. So take care of yourself, your own house, and log everything. So when something does go wrong, you need to know what happened. You're gonna need to know what did they actually access, did they take data, what data did they get?

And track it back down to how did they get in. But if you don't have those logs, you're just out of luck. You're not gonna really know what happened if you don't have that data. And then they may still have a footprint in there, and you think you've cleaned it up and they're still stealing data or accessing your customers or whatever the case may be. And were you gonna say something, Jason?

No, go ahead. I thought you were at the end of it, because I have one more at the end of this list. Oh, yeah. I was just gonna say, if you are doing web hosting, if you have your own web development, all these things we talked about, they're not optional. You can't host websites, you can't do web development and ignore any of these things. You're just asking to get hacked.

You're asking for your data to get stolen, you're asking for ransomware. You have to do these things. They are 100% necessary. Yeah. And so what I was gonna add is, if you run your own on-prem screen sharing, remote monitoring and management tools, you can sometimes, with some work, get them running behind either a web application firewall or at least a proxy, right?

We have some of our tools that are on-prem running behind just nginx, just to do things like GeoIP filtering and filtering certain URLs that we know we don't need publicly accessible from everywhere. And just doing simple things like that can lower your footprint of places that can attack you by quite a bit.

There is at least one person on MSPGeek that has some of the ConnectWise stack running behind Azure Web Application Firewall, right? So things like that are definitely possible, and things that you can think about doing. I think you're still controlling the slides, Jason. There we go. So yeah, there's a lot of free tools out there.

Well, not all of these are free, but there's definitely plenty of tools for testing your applications. Nikto, that is a free open source web scanner that you can download and try out now. It works all right. Nexpose, that's Rapid7's vulnerability scanner. Burp Suite, that's by PortSwigger. It's very similar to ZAP. It does the exact same thing; it's a proxy.

And it's got, I think they default to Chrome instead of Firefox, but it's got a button where it automatically launches a configured instance of Chrome that proxies everything through Burp Suite. And you can do all the same kind of stuff with testing things. And SQLMap, we showed that, that's another free tool. It works really well with Burp Suite as well.

If you're using WordPress, and there's a lot of people using WordPress out there, WPScan is a tool you can use for that. The main thing about WordPress is you gotta watch out for plugins, 'cause any 12-year-old who's read an article on how to write PHP can write a WordPress plugin and put it on the marketplace, and they know absolutely nothing about security, and you're just opening yourself up for vulnerabilities there.

So a long time ago I worked for a web hosting company, and we had tons and tons of WordPress sites, and we would frequently see compromised sites. And most of the time it came down to some kind of plugin, either WordPress or Joomla. It was usually a plugin rather than the actual core framework that was compromised.

And then this OpenSSF, so this is something that, I think it was earlier this month or maybe at the end of January, Google was talking about this. So this is a security framework, and they have these security scorecards that you can use.

So I believe they actually have scorecards that they've published, but you can also use it to generate scorecards for your specific software and dependencies. And it goes through and it checks some common things like, is there a security policy, and checks for known vulnerabilities, but it builds a scorecard for the current version of the software that you're running.

So it's just a tool to help you keep track of all the dependencies that your software has, to see if you might have some vulnerabilities in your dependencies, or if there's anything that you need to patch that, again, is something you're dependent upon, or some misconfigurations, that kind of thing. It's just an easy way to keep track of all those dependencies. And next slide.

So how to learn this is very similar to what we said last week, or, sorry, yesterday. It's been a long night. It's been a long... Yeah. So yeah, CTFs. We've got some coming up. I think we're gonna try to have one somewhat soon, maybe in the spring. And then I know we've got one at IT Nation Secure that we're planning. But beyond that, there's plenty of CTFs out there.

And web exploitation is a super common theme in CTFs. So they're a great way to practice and learn some of the exploit techniques. And as you understand those and how they work, it's gonna help you better write your own code and test your own code and make sure you're not vulnerable. Again, there's Hack The Box or TryHackMe. They both have plenty of examples and things you can hack into related to web exploitation.

DVWA, which we looked at today. It's just a great, easy resource to set up. You can actually just get it as an ISO and run it as a live CD. I think you could even find some already existing VMs, like OVAs, you can just download and set up. And yeah, it's just a simple web server, simple website in PHP, but it lets you practice and learn how all these exploits work hands on.

And it's been around for a while, so you can easily find tutorials on how to go through all the challenges in DVWA. So if you've never done any web exploitation, get a copy of DVWA and just do a little Googling and find some walkthroughs, and you're gonna get that hands-on experience on how these work. And I'd recommend actually just doing it manually first, 'cause they're simple enough, you can just do it manually on the site.

And then once you've figured out how they work, then you can start looking into the tools like SQLMap and Burp or ZAP as well. And then, yes, there's tons of other online resources, lots of people are publishing videos about all of this stuff. John Hammond from Huntress is one. I've got my CTF and cigars on Twitch. And yeah, so there's plenty of resources out there. Yeah.

And one of the things before we go to Q&A, I would encourage you, act within the acceptable use policy of your vendors, but as you learn to do this, poke the software you use, and if you find something, report it. It helps all of us. Part of the reason I do this is that sharing this information with other people makes more of us look at these tools.

And a lot of these tools are very old, and they have not been looked at from this standpoint for a long time. So I'd rather somebody friendly find it than somebody unfriendly come across and find one of these things and have a bad day for all of us. Oh, Jason asked about the tools that come with Kali. Actually, the tools we talked about should be in Kali. Yeah, I think every one of them are. We're gonna have SQLMap, Burp, ZAP, all that comes with Kali. Nikto's in there. Yep.

So yeah, all that stuff, if you've got Kali, you've already got access to them. Cool. I don't see any other questions. Oh, Andrew's back. He's muted though. Oh, I'm off mute. How are you, Jason? Hey, Bryson. Great job, Andrew. Hey, so what'd you guys think? How about a Y for a thumbs up? I know it's five o'clock Eastern, and I appreciate everybody hanging in there. Fantastic job as always, guys. Can Kali run on Windows 10 WSL, Mr. Slagle?

I believe it will these days, but not every one of the tools will be available. I think there are still some limitations around things like packet capture that may not work properly under WSL, but all of the tools we talked about today should work fine. Fantastic. Any questions? Thanks, guys, for the feedback. I thought they did awesome.

Any questions that you guys may have, either pop 'em in Q&A or you can send them into chat here, but it looks like I think you guys got most of them. Yeah, and you can always find me on LinkedIn. I'm linked in various places for this, and I'll answer any questions you have. And maybe you win an hour with me. We could talk about beards. Yeah. Well, hey, I got two winners, if people would like to know. You ready, Mr. Slagle? Mm. Yeah.

I presume you'll send me email addresses so I can reach out. I will, I will. I'll cross-connect everybody. So our first winner actually is all the way in South Africa. How do you like that? That's fine. So I wanted you to be able to get up really like middle of the night, Jason. Yes. Something, you know, like, I don't know, 3:00 AM if that works for you. Yeah. But I think actually they're in the back part of our day, like 4:00 PM. It's fine, we'll work it out.

That is Steven Sheer, okay, from Tetron. And then the other winner is Daniel Moyer, and the good folks at Envision. Okay, cool. I know that name, I think. Yeah, yeah. Daniel and his CEO Bill are involved in a lot of this stuff. You've probably seen them back and forth as well. So, Bryson, do you feel left out? I know. No, that's fine. I don't have two hours to give away right now. Yeah.

And you're kind of twisting my arm. He's like, you wanna do this? Well, we really appreciate it. I mean, if you're a Perch customer, I'm always available, so I guess I'll throw that out there. I can attest to that. Yeah. Fantastic. Well, any closing thoughts or comments from you, Mr. Slagle? No, I'm good. Okay. How about you, Bryson? I think I've said it all. Okay.

Well, on behalf of our two-day event, number one, really appreciate you guys providing your time, talent, and energy to help our community as always. And all of you that hung in there until 5:00 PM, really appreciate you doing it and being part of it as well. If we can do anything for you, please, again, you can always reach me at Andrew with the Cyber Nation. You can join us on the Cybercall every single Monday at 1:00 PM and the Cyber Nation 24/7.

So with that, we wish everybody a fantastic day and take care. See you later. Bye.