Thursday, May 28, 2020

{Certification Review} - OSWE - Staff Review

Recently, Offensive-Security released an online version of their certification called “Offensive Security Web Expert” aka OSWE. After having already experienced and successfully obtaining several other certifications from Offensive Security such as OSCP and OSCE, I was curious and intrigued to give the OSWE course a try as well.
I decided to choose the 2-month package option for the course called “Advanced Web Attacks and Exploitation” and due to other commitments I was able to request and was granted a minor 15 day extension.
After watching the videos and reading through the course material, I was very impressed by the content of the course, as it contained detailed information and analysis on certain in-depth attacks.
The course followed a white-box testing approach which was based on source code review, by reading the code of the web application in order to find and exploit potential vulnerabilities.
The course material included several labs with web application software installed on them and by following the content provided in the course material, exploiting the machines was relatively easy.
Before embarking on this course, I would recommend that you have a good understanding of the following skills:

1.      Python scripting language:

The course will require you to have a solid understanding of, as well as experience with python scripting, as it  is used for automating the process of exploiting vulnerabilities as well as automating exploits. 

2.     Other programming languages:

It is also very important to have basic knowledge and understanding of other programming languages such as C#, JavaScript and Java.

3.     Prior experience with web application attacks:

Prior experience with web application attacks will also be very advantageous as you will be required to have strong knowledge and understanding of common modern web attacks. Personally, I would also highly recommend reading the book titled “Web Application Hacker’s Handbook”  beforehand as its content will be very helpful during the course and thereafter.

4.     Source code review:

One of the outcomes that this course will teach you is how to do Whitebox testing on web applications by reviewing and understanding the code of the application. Therefore, prior experience in doing source code review on web applications will be advantageous.

5.     Web development experience:

Having prior experience with web development and the workings of web applications will also assist with successfully completing this course.

Course Overview:


After receiving the course materials, I began reading the book, watching videos and solving the exercises and milestones. 
The first few chapters of the course were relatively basic but from Chapter 4 onwards it became far more advanced. Personally it was at this point that it really became fun, as the course delved deeper into  advanced techniques and attacks types.
Offensive Security recommends that you try and solve the exercises and milestones  as you progress through the chapters to ensure that you get a better grasp and understanding of the materials and also as proof that you have understood everything in that particular chapter.
Listed below, is a list of pros and cons to consider when deciding to take this course:

·       PROS:

o  Great for learning and advancing white box testing and source code review skills.
o  The course covers advanced real-world vulnerabilities such as deserialization attacks and advanced techniques. 
o  The course covers a wide range of vulnerabilities and exploits, including medium, high and critical risk.
·       CONS:

        o Although the course covers many different attack types, there are a few that are not covered in the course, for example, XXE, SSRF, CSRF and SSTI.
        o More exercise work and milestones would be advantageous to learners 

The lab review:


The lab consisted of 5 machines  which contained the web applications as discussed in the course material. Therefore, by going through the course material comprehensivly and successfully completing the course exercises and milestones, you should be able to successfully execute the necessary attacks and exploitation paths.
Personally, I would recommend practicing as much as possible before moving onto the exam, as this will help increase your skills and confidence. 

The exam review:


The exam for the OSWE course is a 48 hour exam, which includes an additional 24 hours for writing your step by step report of the exam. As with all exams, I would recommend that you ensure that you get enough sleep to ensure that you are well rested and able to perform at your peak. 
During the exam, I had not rested enough and it started to affect my performance, therefore my recommendation is that if you start feeling tired, go sleep for a bit and then resume as this will help you to think clearer.
A few other suggestions from my experience is to remember to get up and take a walk every few hours and don’t forget to take screenshots as you solve the challenges in the exam.
Lastly, try not to stress too much about the exam, try to think of it as a challenge that you are trying to solve, rather than an exam itself.

Important material to read before undertaking this course:


Below is a list of content material that I would recommend that you read and work through before you undertake the OSWE course:

Summary:


OSWE is a very good course for people looking to improve their source code review skills as well as learning how to detect bugs and vulnerabilities by searching for them in the code itself. I would recommend that you book your exam not long after your lab time ends, so that the information you have learned will be fresh and ready to be used. Overall I enjoyed my OSWE experience and would therefore recommend it to others.
- Blog post by Motaz of Telspace Systems

Wednesday, May 20, 2020

Bypassing refresh tokens with SQLMap’s tamper scripts





In this blog post, I will be taking you through how to make use of the “--tamper” parameter of the SQLMap tool to bypass the limitations of a web application using JWT tokens.

A function of web applications that use JWT tokens is to make the token expire after a certain period of time. This then results in you receiving an error 401 message in the web application, meaning that you don’t have the correct privileges to use that specific web application or endpoint.

During a recent assessment, I came across a web application, which made use of JWT tokens for its authentication process. After token expiry, a request should always be sent to the application to reauthorise access and get a new token.

When using SQLMap to test a web application against potential SQL injection vulnerabilities, this became an issue, as the application would re-authenticate and a new token was issued, which would then result in an error 401 message.

I came up with a solution to this problem when using SQLMap, by requesting a new token and then changing the authorisation header which would then result in this problem being bypassed.  

Below is the example of how this was successfully achieved.

First the request for a new token was sent to the application:

As can be seen below, this request then responded back with JSON, containing  an “access_token” which could then be used in the next request:

For the next step, I then used Python to recreate the POST request in a script. In the screenshot below, you can see the code that was used for the POST request:


In addition to the above code, the authorisation header should be rewritten with new information before every request that is sent by SQLMap, as can be seen below:

The full tamper script should then look like the code in the screenshot below:
Lastly, in the screenshot below you can see  the command for executing the tamper script against a target using SQLMap(sqlmap -u https://url.com/ --tamper bypass.py):


At this point, requests are sent correctly by refreshing the token and you will no longer receive a 401 error message. 
I hope you have found this information to be of a value and that it will assist you in future penetration tests.

- Blog post by Motaz of Telspace Systems.