I had the pleasure this week of attending some of the pre-conference training offered by NorthSec in Montreal. There were two training tracks: Advanced Web Application Security and Malware and Memory Forensics. I went to the Advanced Web Application Security track, and quite enjoyed it, but I also heard great things about Malware and Memory Forensics next door during lunch breaks.
All in all, I enjoyed the course, and I met a number of really great people in the industry. I felt like the pre-conference training would have been worth it just for the lunch chats -- everyone was helpful, friendly, and looking to talk shop, and there were few enough of us that you could reasonably expect to shake everybody’s hand.
I’m sad that I won’t be able to attend the rest of the conference proper this week -- Security Jeopardy sounded great, and I hear the Capture the Flag on Friday is the competition to try -- so I’ll probably try to schedule a bit better next year so I can make it to more of the conference.
Before I jump into the training, I’d like to give a special thanks to the folks from GoSecure who were present to oversee training and logistics for the participants. They were unfailingly friendly and happy to help, and I had a few good conversations with them while I was there. I’m looking forward to seeing more of them around the conference circuit.
Advanced Web Application Security
The training in which I took part was a three-day course, primarily focused on practical capture-the-flag exercises which take advantage of known exploits. We covered a pretty decent list, including but not limited to: various methods of XSS, template injection, SSRF, XXE, LDAP poisoning, and the mass-assignment flaw.
Our targets were all hosted on the local network, and they ran the gamut of technology types. Off the top of my head, we ended up invading setups running Java, PHP, and Ruby, among other things. The techniques we used to pull off exploits followed a kind of whack-a-mole progression -- every time the host closed off a vulnerability, we would find a new way around it.
The most interesting part of the class by far, though, was our use of Burp Suite, an automated pen-testing tool. As part of the class, we had access to a temporary trial version of Burp Suite Pro, which has more features available than the community edition. Our instructor, Philippe Arteau, knew his way around Burp Suite Pro very well, and would offer tips on how to accomplish the same tasks more quickly using the software. We were also given a few pre-written scripts to use with Burp Suite Pro, and allowed to take them home for our own future use.
We got some good tips out of Philippe, but I probably wouldn’t say no to a class focused entirely on Burp Suite Pro; it’s that useful, and it’s clear that we barely got a chance to scrape the surface of what it’s capable of doing, even in three days of training. I’ve written a separate blog post detailing the very simplest way to use Burp Suite for penetration testing, for anyone who shares my interest in it. I’ll be posting that one later, so keep an eye out for it.
I’m of the impression that if you can execute the code in a polyglot image, you can probably execute a more direct XSS attack under most circumstances. I’m sure there are reasons you might want to use an image instead of direct scripting, so if someone knows of one of these reasons, please let me know!
Another really interesting exploit was opcache poisoning. This requires that the target server be running file-based opcaching, that you have access to an unsecured upload feature, and that you know of a page on the site which probably hasn’t been visited and cached just yet.
Being able to write your own file extension onto an uploaded file is pretty rare, though, even for a relatively insecure site. If you’re allowing your users to upload literally any file extension they please, you’ve probably got bigger problems on your website. There might be some interesting ways to use opcache poisoning in conjunction with other exploits; I’ll be playing around with the technique for the next little bit, and let people know if I find one.
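The first two preconditions listed above (file-based opcaching and an upload feature that can reach the cache) can be checked from the defender's side by reading php.ini. The sketch below is an added example, not material from the training or from NorthSec; `audit_opcache`, the `upload_dir` parameter and both sample INI fragments are constructed for illustration, while `opcache.file_cache` and `opcache.validate_timestamps` are real PHP directives.

```python
import posixpath

# Constructed php.ini fragments for this example (not taken from a real server).
RISKY_INI = """
[opcache]
opcache.enable=1
opcache.file_cache="/tmp/opcache"   ; second-level, file-based cache
opcache.validate_timestamps=0
"""
SAFE_INI = """
[opcache]
opcache.enable=1
;opcache.file_cache=/tmp/opcache
opcache.validate_timestamps=1
"""

def parse_php_ini(text):
    """Flatten php.ini text into {directive: value}; ';' starts a comment."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip()] = value.strip().strip("\"'")
    return directives

def overlaps(a, b):
    """True when one POSIX path equals or contains the other."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return posixpath.commonpath([a, b]) in (a, b)

def audit_opcache(ini_text, upload_dir):
    """Return findings for the file-cache preconditions; [] means none found."""
    ini = parse_php_ini(ini_text)
    cache_dir = ini.get("opcache.file_cache", "")
    if not cache_dir:
        return []  # file-based opcache is off, so the first precondition is absent
    findings = [f"file-based opcache enabled at {cache_dir}"]
    # PHP treats 0/off/false/no/none/empty as false; validate_timestamps defaults to on.
    if ini.get("opcache.validate_timestamps", "1").lower() in {"0", "off", "false", "no", "none", ""}:
        findings.append("validate_timestamps off: cached files are never rechecked against source")
    if overlaps(cache_dir, upload_dir):
        findings.append(f"upload directory {upload_dir} overlaps the cache directory")
    return findings

if __name__ == "__main__":
    for name, ini in (("risky", RISKY_INI), ("safe", SAFE_INI)):
        print(name, audit_opcache(ini, "/tmp"))
```

An empty list only means these specific settings were not found; it says nothing about how the upload feature validates file names.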
Even though I won’t be able to attend the rest of the conference, I got a pretty good consolation prize on my way out the door. Every participant was given a programmable, hackable badge, complete with a USB connector and Bluetooth support. I won’t be present to have mine loaded up with flags for capture-the-flag, but I was told that NorthSec will be posting the source code on a Git repository so I can tweak mine at home!
(I’ll keep it on at the office so you can hack it if you want, Debbie.)
Featured image by Paul Rascagnères