Security for Web Developers: 13: Testing With Hydra

THC Hydra

Hydra

First, be clear that there is more than one way to password-protect a website or a directory (folder) inside a website. One is to use a database management system to control what everybody sees. Another is to use simple htaccess files to require a password. Regardless, Hydra is an app to brute-force website logins, including just about any service you can get to over the Internet.

Assignment: First, watch this video.

Note that there are more videos in this series. Click the Youtube link to find them there.

There is also a nice tutorial with some insightful comments here:
http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html

Get Hydra. Fire it up. Does your site use passwords? Try some brute force on your login form.
https://www.thc.org/thc-hydra/

Next: https://schoolforhackers.com/security-web-developers-burp-suite/

Security for Web Developers: 12: Mutillidae

Mutillidae

Using Mutillidae

Mutillidae is another pre-built vulnerable web app. It’s highly aligned with the OWASP testing organization (which can take you wildly deep into the world of web app testing). You can install it side-by-side with other web apps by simply putting it in a separate sub-folder. (How does mutillidae/ sound for a name?)

Assignment: Download Mutillidae and set it up on your pen testing machine.
https://sourceforge.net/projects/mutillidae/

Next: https://schoolforhackers.com/security-web-developers-testing-password-hydra/

Security for Web Developers: 11: DVWA

DVWA

Using Local Test Web Apps

You should be testing  your site. If you don’t – or even if you do – other people will. So get familiar with some of the tools of the trade. Use a local website development tool like XAMPP so you can host vulnerable websites on your security testing computer.

Using DVWA

Damn Vulnerable Web App is exactly that: a testing website that’s prebuilt for you, ready to unzip into a folder in your web root. DO NOT run your local web service (like XAMPP) with this web app installed while you are accessible from the Internet. It’s called Damn Vulnerable for a reason. Suggestion: set it up in a virtual machine.

Assignment: Download DVWA and set it up on your pen testing computer.
https://sourceforge.net/projects/dvwa/

Next: https://schoolforhackers.com/security-web-developers-mutillidae/

Security for Web Developers: 10: Defense Strategies

Strategic Defense Initiative

Security Strategy A: Put someone on it full-time.

Security Strategy B: Use a web scanning service or plugin.

  • Does your hosting provider offer a website monitoring service? (For instance, GoDaddy does.)
  • Does your platform offer free or paid monitoring plugins? (WordPress has dozens.)

Next: https://schoolforhackers.com/security-web-developers-dvwa/

Security for Web Developers: 09: Exploits

Security Exploits

Which Exploits Will You Meet: Known or Unknown?

Your site is likely to be attacked by known, old exploits, unless you’re a spy site. Don’t be relieved. You still have to protect your site against all those old threats, and the probabilities are way too great that something evil’s going to work.

Fortunately, truly rigorous auditing can keep you certain that your site is protected against the known threats.

Assignment: Look up your web application’s exploits at the Exploit Database
https://www.exploit-db.com/

Search against:

  • Your web server’s OS and version (Linux, Unix, Windows, Mac, e.g. Ubuntu Linux 14.04, Windows Server 2012, etc.)
  • Your web daemon software and version (Apache, IIS, Nginx, by version)
  • Your web language, framework, platform and version (PHP, Python, Java; CodeIgniter or J2EE; WordPress, Joomla! or Moodle, again by version)

Next: https://schoolforhackers.com/defense-strategies

Security for Web Developers: 08: What Can Hurt You

Script Kiddies

What You Know Can Hurt You. What You Don’t Know Can Hurt You.

Most so-called hackers are really just script kiddies:
http://www.hackpconline.com/2010/05/painfully-computer-pranks.html.

Most of the fruit is low-hanging:
https://www.toptal.com/security/10-most-common-web-security-vulnerabilities.

Real exploit developers who find real vulns go much deeper:
http://blog.dewhurstsecurity.com/2013/04/17/http-form-password-brute-forcing-the-need-for-speed.html.

Public and private groups share information (unfortunately, not to an equal degree) about newly discovered exploits: “zero day” exploits.

The most wicked exploits are saved for the highest-value targets and demonstrate vast knowledge and skill, for example Stuxnet:
http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/.

Part of your equation is realistically considering the value – or controversy – of your website goodies.

Next: https://schoolforhackers.com/security-web-developers-exploits/

Security for Web Developers: 07: Tamper Data

Security Testing With Tamper Data

Tamper Data

Here’s a more sophisticated tutorial:

Assignment: Test your site security

Install Tamper Data in Firefox on a suitable computer. Now visit your site and find what you can tamper with. Particularly tinker with pages with forms, especially if you use hidden fields.

You can also try it out on Hack This Site (https://www.hackthissite.org/pages/index/index.php), or on your own testing sites like DVWA (http://www.dvwa.co.uk/) or Mutillidae (https://sourceforge.net/projects/mutillidae/).

Here’s how the really sophisticated bad guys do it:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.

Next: https://schoolforhackers.com/security-web-developers-can-hurt/