Monday, 1 October 2012

OWASP OWTF BruCon 2012 Workshop slides, code, demos

Here are a few links if you want to download the materials from the OWASP OWTF BruCon 2012 workshop that happened last week in Ghent, Belgium:

- The slides are now online on SlideShare
- The demos, code and slides PDF can be downloaded from either of these:
  1. The OWTF Project Github page
  2. The BruCon site: Using the tar.gz link at the top
If you use the tool and you find any bugs or have any suggestions please feel free to do either or both of these:
  1. Fork the OWASP OWTF project in github and send me a Pull request
  2. Create a bug report on github

If you attended the workshop, or even if you just downloaded the materials, I would also appreciate it if you could take the time to provide some feedback, ideally covering at least:
  • What you liked the most
  • What you liked the least 
  • What could have been done better
Thank you!

Monday, 24 September 2012

OWASP OWTF 0.15 "BruCon" released!

IMPORTANT: If you are attending the "Introducing OWTF" BruCon workshop on Wednesday please download the latest OWASP OWTF and latest DEMO Report. Thank you!

Another round of GIT hell has taught me a couple of things but finally, OWASP OWTF 0.15 is here for your entertainment!

OWTF 0.15 "BruCon" is dedicated with special love to BruCon, its organisers and attendants!

Usual background + Disclaimer:
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient @owtfp
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- You will probably get the most out of this tool if you look at the Presentation Slides first.

Change log since OWTF 0.14 "London" (Full change log is here):
24/09/2012 - 0.15 "Brucon" pre-alpha release: Dedicated to Brucon, its organisers and attendants
+ Changed name to OWASP OWTF since this is an OWASP project now, thank you OWASP!
+ Bug fix: General clean-up of the script + OWTF's tool locations for a smoother install experience, thanks to Xavier Mertens (@xme) for reporting!
+ Bug fix: Removed Slowloris download code from script since redistribution was allowed by RSnake and it's packaged with OWASP OWTF
+ Bug fix: Commented out whatweb download from since the Backtrack version is now stable, default config also points to Backtrack path now
+ Bug fix: was referencing "Core.mError" which could sometimes result in the following error: "AttributeError: Core instance has no attribute 'mError'"
+ New feature: Instead of having to use our own nikto binaries, OWTF's install script will now patch nikto's poor default user agent (blocked by basic WAF blacklists)
+ Added links to Sandro Gauci's Webapp Exploit Payloads to the following external plugins: XSS, CSRF and Cross Site Flashing
+ Added cross-site flashing link to get swfdump from
+ Added external plugin link to bAdmin project (from whitehat) for default admin interfaces passwords
+ Added xss external plugin link to Gareth's Heyes HackVertor
+ Added xss external plugin link to Mario Heiderich's
+ Changed default UA to a more believable FF15
+ Added udl filetype to blanket google hacking searches (ica and rdp were already there), thanks to Chema Alonso (@chemaalonso)!
+ Added external cross-site flashing link to Adobe's SWFInvestigator
+ Added external xss link to Krzysztof Kotowicz's Chrome extension exploitation framework (XSS ChEF)
+ Added external xss link to Michal Zalewski's post-XSS ideas on XSS exploitation
+ Added external session management schema link to .NET VIEWSTATE vulnerabilities blog post
+ Added external SQLi plugin link to InfoSec Institute's SQLi Backdoor creation article
+ Added external file extension handling + SQLi link to's Collection of Web Backdoors & Shells
+ Added external file extension handling + SQLi link to Laudanum's Project for shells and utilities
+ Added external Bypassing Authentication Schema plugin link to OWASP's Password Storage Cheat Sheet
+ Added external Clickjacking plugin link to OWASP's ClickJacking article
+ Added external Bypassing Authorisation Schema link to OWASP's Access Control Cheat Sheet
+ Added external plugin link to bAdmin project (from whitehat) for default or guessable user accounts plugin
+ Added external plugin link to OWASP's XSS Filter Evasion Cheat Sheet
+ Added external plugin link to OWASP's XSS Prevention Cheat Sheet
+ Added external plugin link to OWASP's DOM XSS Prevention Cheat Sheet
+ Added external plugin link to OWASP's Web Service Security Cheat Sheet
+ Added external plugin link to OWASP's Transport Layer Protection Cheat Sheet
+ Added external plugin link to OWASP's SQL Injection Prevention Cheat Sheet
+ Added external plugin link to OWASP's Query Parameterization Cheat Sheet (complements SQLi cheat sheet)
+ Added external plugin link to OWASP's Session Management Cheat Sheet
+ Added external plugin link to OWASP's Logging Cheat Sheet
+ Added external plugin link to OWASP's JAAS Authentication Cheat Sheet
+ Added external plugin link to OWASP's Forgot Password Cheat Sheet
+ Added external plugin link to OWASP's Cryptographic Storage Cheat Sheet
+ Added external plugin link to OWASP's Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
+ Added external plugin link to OWASP's Choosing and Using Security Questions Cheat Sheet
+ Added external plugin link to OWASP's Authentication Cheat Sheet

Tuesday, 26 June 2012

Password Storage Challenge: bcrypt or loop salted hashes?


A recent breach of the LinkedIn database leaked around 6.5 million password hashes. This ignited a healthy debate in the security community:
- Some people said you should only use bcrypt and that salting alone is useless
- It was clear that LinkedIn failed to salt their passwords: this is the worst option after storing passwords in clear-text.
- Other people suggested that "adding a salt only marginally increases the difficulty in cracking the passwords"

Because LinkedIn did not store the hashes securely, 2 million of the 6.5 million hashes were cracked within hours.

So who is right? I think the OWASP Password Storage CheatSheet provides the best advice:

1- Use a modern hash algorithm
2- Use a long cryptographically random per-user salt and make the salt hard to steal: Then the attacker must also bruteforce the salt and rainbowtables won't work, good luck!
3- Iterate the hash: This step seriously increases cracking difficulty

I only slightly disagree on this:
"As such general hashing algorithms (eg, MD5, SHA-1/256/512) are not recommended for password storage. Instead an algorithm specifically designed for the purpose should be used such as bcrypt, PBKDF2 or scrypt."

Let me illustrate what I mean:
I challenge you to crack a random 15-character password hash generated this way (assume you already have both random 60-character salts, the System Salt and the User Salt):

Python example:

PHP example:

The point I am trying to make is this: with a relatively modern algorithm such as SHA-512, if you salt and iterate as above, using a hidden System Salt (stored outside the DB) plus a per-user salt (stored in the DB, and which you can rotate whenever the user resets their password), most people are going to have a seriously hard time cracking the result:

- For starters most tools do not support homebrew algorithms that iterate the hash and use fancy salts as above
- If you "only" hacked the DB you will have to brute-force the System Salt (could happen)
- The whole process is just too slow with 1 million iterations per user and the salts thrown in just for fun
- If you force users to have passwords longer than 14 characters, the number of cracked passwords will be reduced significantly

Ok. What about bcrypt?

- First of all, bcrypt is just making things slow, and you can achieve that at a much more granular level by experimenting with the number of iterations above: pick a delay that is slow but still acceptable to a user. So despite all the crypto going on inside bcrypt, the iteration count gives you something similar.
- Second, Jim Manico gave a great presentation for developers in Dublin recently where he touched on this very topic, and he said something that surprised me (start at 02:09:08): "You can take one of the biggest monster servers, one of the biggest CPUs on the planet and if you can hit bcrypt concurrently about a hundred times that CPU is pinned for like 30 seconds". So bcrypt does not scale and may DoS your box even without you being targeted (does your website have more than 100 concurrent users?).
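The Python and PHP snippets of the challenge did not survive on this page. What follows is an added example (mine, not the post's code) of the scheme as the post describes it: SHA-512, a 60-character System Salt kept out of the database, a 60-character per-user salt stored next to the hash, 1,000,000 iterations by default, and a minimum password length of 15 characters. The salt value, the order in which salts and digest are concatenated in each round, and the function names are my assumptions. The same inputs are also pushed through PBKDF2-HMAC-SHA512 (the "iterate the hash" construction the quoted OWASP text recommends, available in the standard library) so the two can be compared at equal cost, and a small calibration helper picks the iteration count for a target delay, which is the knob the bcrypt comparison above is about (bcrypt exposes the same knob as its cost parameter, 2^cost rounds).

```python
import hashlib
import hmac
import secrets
import time

# Constructed example of a "System Salt" kept outside the database (config file,
# environment variable, key store); the real one is never stored beside the hashes.
# 60 characters, as the post specifies. Assumed value for this example only.
SYSTEM_SALT = "0ae62f8c3b1d9e7f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"

MIN_PASSWORD_LENGTH = 15  # the post's "longer than 14 characters"
DEFAULT_ITERATIONS = 1_000_000  # the post's "1 million iterations per user"


def new_user_salt() -> str:
    """Per-user salt stored in the DB next to the hash: 30 random bytes -> 60 hex chars."""
    return secrets.token_hex(30)


def loop_salted_sha512(password: str, user_salt: str, system_salt: str = SYSTEM_SALT,
                       iterations: int = DEFAULT_ITERATIONS) -> str:
    """The post's loop-salted hash: SHA-512 iterated `iterations` times, with both salts
    mixed into every round. The concatenation order is an assumption of this example."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    sys_b, usr_b = system_salt.encode("utf-8"), user_salt.encode("utf-8")
    digest = hashlib.sha512(sys_b + password.encode("utf-8") + usr_b).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(sys_b + digest + usr_b).digest()
    return digest.hex()


def pbkdf2_sha512(password: str, user_salt: str, system_salt: str = SYSTEM_SALT,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Same ingredients through PBKDF2-HMAC-SHA512, the vetted form of 'iterate the hash'."""
    salt = (system_salt + user_salt).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations).hex()


def register(password: str, iterations: int = DEFAULT_ITERATIONS,
             scheme=loop_salted_sha512) -> tuple:
    """What the DB gets for a new user: (user_salt, hash). The System Salt is not stored."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    user_salt = new_user_salt()
    return user_salt, scheme(password, user_salt, iterations=iterations)


def verify(password: str, user_salt: str, stored_hex: str,
           scheme=loop_salted_sha512, **kw) -> bool:
    """Recompute and compare in constant time, so the check itself leaks nothing."""
    return hmac.compare_digest(scheme(password, user_salt, **kw), stored_hex)


def calibrate_iterations(target_seconds: float, scheme=loop_salted_sha512,
                         probe: int = 20_000) -> int:
    """Pick the iteration count that costs about `target_seconds` on this machine, the
    'slow but acceptable' delay the post talks about. Re-run when hardware changes."""
    t0 = time.perf_counter()
    scheme("calibration-only-password", "s" * 60, iterations=probe)
    per_iteration = (time.perf_counter() - t0) / probe
    return max(1, int(target_seconds / per_iteration))


if __name__ == "__main__":
    salt, stored = register("correct horse battery staple")
    print("user_salt:", salt)
    print("stored:", stored)
    print("login ok:", verify("correct horse battery staple", salt, stored))
    print("iterations for ~0.25s here:", calibrate_iterations(0.25))
```

Whichever of the two functions you keep, the per-login cost is whatever calibrate_iterations chooses, and the same is true of bcrypt's cost parameter; measuring both on the box that will serve logins is the only way to settle the "pinned CPU" question for your own hardware.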

For a great summary on this topic I would suggest to watch Jim Manico's summary for developers on Password storage (starting at 02:05:00). The rest of Jim's talk is also interesting, even if you are not a developer.

I also liked the following article by Troy Hunt: "Our password hashing has no clothes" (published right after I wrote this :)).

Wednesday, 2 May 2012

"Legal and efficient web app testing without permission" slides, demos, etc

UPDATE: I will update this blog post with links to the video when available
NOTE: Remember there is a Download option in slideshare :).

"That was best description of why cross domain policy is bad I've ever heard" - Full props to Robin Wood for those kind words re this talk!

There are four versions of "Legal and efficient web app testing without permission":
1) Troopers12 - Heidelberg (Germany) - 1h talk - 129 slides, no demos, video here soon
2) HackPra - Ruhr University, Bochum (Germany) - 1h talk - 129 slides (same) + 1h of live demos, video here!
This was the only talk where I showed demos of the aux plugins (for spear phishing, etc). This was possibly the best talk because of the extra time, live demos with audience interaction and many great questions.
I truly believe the HackPra talk publishing format is even better than the one in the BlackHat Briefings. UPDATE: Except in the link above :). I meant this format!
3) BSides London - London (UK) - 1h talk using 125 slides (4 removed for time) + 3 demos here (Subset from Hackpra), video here!
4) CONFidence - Kraków (Poland) - 1h talk using 125 slides (4 removed for time) + 3 demos here (Subset from Hackpra), video here soon

NOTE: At BSides London, right after me was Sandro Gauci presenting "Escalating privileges on common webapps". This was the perfect continuation to my talk to "finish the job off" ;). Sandro published the source code here and the video and slides here. Please send him pull requests, this is an awesome project!

Pull requests to OWTF are very welcome! For example: Missing tools, missing links, tools that can be called better, Web Design (noted as a weak area at BSides London, please help! :)), CSS, JavaScript and/or Python and/or Shell development. Many possibilities here, you do not even have to develop anything to contribute (links to PoC code, etc also help!). Thanks.

"Legal and efficient web app testing without permission" tried to:
- Draw attention to the HTML filter challenge so that you hack it and let me know :)
- Improve Silent web app testing by example, increasing coverage and focus on the 100% legitimate stuff
- Cover the basics of OWTF in the same talk
- Briefly cover almost 50% of the OWASP Testing guide + Clickjacking + CORS
- Allow the audience to get something out of the talk regardless of skill level:
By using real-world examples I hope I made this accessible not only to pen testers but also developers, etc
- Provide something practical and useful that is easy to apply
- Explain the disadvantage security testers have and how to get around it without breaking the law
- Briefly explain the powerful concepts of "analysis in parallel", "chess-like priority analysis" and using the OWASP Testing guide as a checklist
- Increase awareness: Your site can be tested without you seeing anything and this talk can be used as evidence of that :)

If you attended or watched any of the talks I would really appreciate if you could take the time to provide feedback, including negative feedback :).

Thanks for the kind words, great conferences and support!

Monday, 23 April 2012

OWTF 0.14 "London" released! cc @BSidesLondon

OWTF 0.14 "London" is dedicated with special love to BSides London, its organisers and attendants!

Usual background + Disclaimer:
The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient @owtfp
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page:
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Demo interactive reports (Firefox >= 8):

Change log since OWTF 0.13b "HackPra" (Full change log is here):
23/04/2012 - 0.14 "London" pre-alpha release: Dedicated to BSides London, its organisers and attendants
 + Fixed URL regexp on the payload for the OWTF imap client Agent
   It was missing IP-only URLs like: http://192..., regexp changed to: 'http[:0-9a-zA-Z\.\/]+'
 + Upgraded SET spear phishing scripts from SET version 2.5.3 to SET version 3.2.2
 + Bug fix: Added GetFileAsList and AppendToFile convenience functions (required by some existing code)
 + Added Version information at the bottom of the OWTF banner and arranged some loading messages to suit
 + Added GetCurrentDateTimeAsStr convenience method to the Timer class
 + Added SET script for new payload (19)
 + Replaced /etc/motd by new parameter WORD_TEMPLATE in SET payload script 3, and added parameter to Spear_Phising plugin
 + Added better error handling to the Spear Phishing handler so that it aborts when a payload script is not found (instead of crashing in SET, after)
 + Fixed SET payload 15 to take advantage of the custom PDF template
 + Added a bit of SET's documentation to the readme directory
 + Commented out the Attachment name modification in the Spear Phishing plugin (sometimes you may want to control this from outside the plugin)
 + Added better exception handling to OWTF's SMTP class so that failure to perform the SMTP Login assumes open relay and moves on (also sent as a patch to SET)
 + Added slightly better message to OWTF's SMTP START TLS exception handling error message
 + Added warning to SET handler when sending blank values
 + Added check to Spear Phishing module to verify the word template exists
 + Improved exception handling on the SMTP class for Targeted Phishing, thanks Sam!
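The first change-log item above gives the new URL regexp verbatim, so it is worth seeing what it does and does not match. The following is an added example (mine, not OWTF's code): it runs the pattern exactly as quoted over a constructed message body and shows that the fix does pick up IP-only URLs, but that the character class also truncates any URL whose hostname contains a hyphen or whose path carries a query string, since '-', '?', '=' and '&' are not in it. The wider pattern next to it is my suggestion, not something the project ships.

```python
import re

# The pattern from the change-log entry, exactly as quoted there.
OWTF_URL_RE = re.compile(r'http[:0-9a-zA-Z\.\/]+')

# Suggested wider pattern (mine, not OWTF's): requires the scheme separator and then
# takes everything up to whitespace, an angle bracket or a quote, so hyphenated
# hostnames and query strings survive intact.
WIDER_URL_RE = re.compile(r'https?://[^\s<>"\']+')

# Constructed sample e-mail body (not taken from the project or from a real message).
SAMPLE_BODY = """Please review http://192.168.1.10/report.html and
https://example.com/login today. Staging is at
http://my-host.example.com/index.php?id=1&debug=true (see <http://10.0.0.5/>)."""


def extract_urls(text: str, pattern=OWTF_URL_RE) -> list:
    """Return every match of `pattern` in `text`, in document order."""
    return pattern.findall(text)


if __name__ == "__main__":
    for name, pat in (("OWTF 0.14 regexp", OWTF_URL_RE), ("wider regexp", WIDER_URL_RE)):
        print(name)
        for url in extract_urls(SAMPLE_BODY, pat):
            print("  ", url)
```

The IP-only URL and the plain hostname come out whole with the 0.14 pattern; the hyphenated host is cut to "http://my", which is the kind of silent truncation that makes an agent miss the link it was sent to follow.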

Tuesday, 17 April 2012

Defeating Airline restrictions

I have had to travel a lot lately and there are some annoying issues I see as I take planes, this blog post combines some tips and tricks I have used successfully with the hope that they may be useful for you too :).

- I do not like to see "first time fliers" get "busted" because of not following the rules
- I regularly see 99% of people with "incorrect" cabin baggage that does not take advantage of the rules
- Even when you follow the rules some tricks may make you less likely to be stopped and avoid hassle

General common sense rule
Take what is most important for you as cabin baggage: cabin baggage is always with you, checked-in suitcases are sometimes lost, and sometimes lost forever. Think about it.

Following the rules with some thinking - Cabin baggage
Ryanair is super-clear in this email they send you after booking a flight:
"Strictly one item of cabin baggage is permitted per passenger (excluding infants) weighing up to 10kg with maximum dimensions of 55cm x 40cm x 20cm (your handbag, briefcase, laptop, shop purchases, camera etc. must be carried in your 1 permitted piece of cabin baggage)."
It is important to know that other airlines allow only 6kg of cabin baggage, with up to the same dimensions as Ryanair.

To take advantage of the rules we need to purchase a hand bag that:
1) Measures as close to 55cm x 40cm x 20cm as possible: Use your full volume allowance
2) Weighs as little as possible: Use your full weight allowance
3) Does not look suspicious or bigger than it really is: Avoid hassle at the airport
4) Does not have too many compartments inside: Cabin baggage with many divisions look interesting but are useless: You will eventually need to put something bigger than the biggest division and it will not fit.

Most cabin baggage I see at airports fails Rule 1) due to using cabin baggage with dimensions that do not take advantage of the volume allowance and may not even "fit in the cage" despite providing less volume to the person using it!

Rule 1) makes hand bags with wheels inferior: even if the hand bag with wheels is of exactly the allowed dimensions, it will not let you use all the space, because the wheels and surrounding structure take some of that space away from you. This can be very annoying when you are trying to take big, light things with you.

Rule 2) above makes backpacks superior to hand bags with wheels: wheeled hand bags often weigh 2-3 kg, while the backpack alone is just fabric and weighs less than 1 kg.

Rule 3) gives backpacks an advantage again: if you carry a backpack, the lady at the gate only has 1-3 seconds to decide whether it is too big: she cannot see it until you walk through, and if you walk fast it is often too abrupt to stop you. Things with wheels, or simply not hidden behind your back, can be observed for longer and are more likely to be questioned.

Rule 3) makes black things superior: black things look smaller than white things.

I recently bought a backpack like this and I am very happy with it:

I could take that backpack as cabin baggage even in smaller planes recently: Smaller airplanes have even tougher restrictions because normal cabin baggage does not fit: Most people, even playing by the rules (correct dimensions, etc), are often obliged to leave cabin baggage right before entering the plane in the cabin storage.

The backpack also has protection for a big laptop (my 18.4 inches one fits perfectly and its 4kg are no longer a problem for me while traveling, even with 6kg allowances).

Last but not least:  
- Wear clothes with plenty of pockets. I cannot stress this enough: No airline has rules to prevent you from putting heavy things in your pockets but your clothes must be able to handle this. If you know you cannot take all the weight you need with you consider this:
I systematically keep my laptop's charger in a pocket in case they make me weigh my cabin baggage. (Things that use little space but weigh relatively more.)
- Travel light: Take only what is strictly necessary and consider using plastic bags (which weigh nothing) to wrap things instead of heavier bags/containers.
- Use automated check-in systems if possible: Obviously a machine is not going to complain about your cabin baggage :). If you go to the check-in desk and the lady sees your cabin baggage, things could be different.
- I have seen 10.9kg be allowed by Ryanair (yes, sometimes they weigh your cabin baggage); your mileage may vary, but if you do not exceed the limit by a full kg you might be fine.

Being prepared for funny "security" measures
Other annoying things and how to get around them playing by the rules:
- Liquids are not allowed so purchase water after the security check in: It will be more expensive than a shop but less expensive than buying it at the airplane (unless the airline provides you drinks free of charge as some still do). You should always be well hydrated when flying, this is important for health reasons.
- Have those "super-important" plastic bags in a pocket of your hand bag so that you avoid paying that 1€ (or pound) fee to buy them at the airport (or buy them the first time, then keep them in the bag for future travels):
- When in doubt check in "potentially dangerous items": You might have nobody to hand the stuff to at the "security" control if there is a problem
- Always be nice: If you get upset when you are stopped / questioned / etc. and are uncooperative, you are guaranteed to have a lot more hassle than you would ever have otherwise.

Bottom line:
Be cooperative, be nice, follow the rules but use your allowances and be prepared.