OWASP Benelux days ’18

By 03/12/2018security

On the 29th of November 2018 some of our colleagues followed the OWASP ZAP training given by David Scrobonia. ZAP (Zed Attack Proxy) is one of OWASP’s flagship projects. ZAP a free, open source  tool used for testing web applications for security risks, pentesting and manual security testing.

David, being one of the core members of the development team for ZAP is the perfect person to give a training like this.

First David showed us the basic techniques of ZAP and how to use ZAP for manual testing. We tried this on 2 different vulnerable applications (Juice Shop and BodgeIt). The UI of ZAP is quite complex so we started off exploring the different panes and what can be found inside them.

At first we configured ZAP to work with our browsers and just manually browsed through our applications to see how ZAP logs and tracks the visited websites. All the visited pages get tracked and added to a tree representation of the application. Each request the browser sends to the application server gets logged inside ZAP and can be edited and resend from inside ZAP. This is useful for when you want to send the same request multiple times to see how the server reacts.

After the first break we started looking into more advanced techniques for more active reconnaissance instead of passive. ZAP provides a configurable spider that will crawl through the web application. Following each link it can find it will map out a full structure of the application. Doing this ZAP will already mark requests that have possible vulnerabilities in requests.

We can take this a step further by using the ‘active scan’ option on the now fully crawled web application. This will send possible attacks to the application, SQLinjection, Cross-side scripting and more will be fired at the application, and an overview will be shown inside ZAP. From this a report can be generated to help explain the found issues.

In the afternoon we explored how we can use ZAP in a more automated manner. First we checked out the scripting feature, supporting zest, ruby and python, it is easy to make ZAP to customized actions you like. Having these scripting abilities available inside ZAP makes it incredibly powerful. Also included in ZAP is a community ‘store’ with scripts other people have created that can be used.

Last but definitely not last we looked at the API ZAP exposes together with using ZAP from command line. These 2 options make it very possible to integrate ZAP into your CI/CD pipeline to scan your application. For example you could make ZAP generate a full report on each new version you build. Reports like these can make everyone more aware of the vulnerabilities in their applications. Which can prevent developers from for example leaving XSS vulnerable search fields in their code.

I cannot possibly do justice to this training in a blogpost like this one, so I urge all of you to take a look at ZAP and play around with it. Try to find some vulnerabilities in a confined environment and see how it can make your applications more secure.



30 November: Conference

Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars by Lennert Wouters

Passive Keyless Entry and Start systems are starting to see more and more use in modern cars. Lennerth Wouters took a look at the security behind these systems and talked about his (and his team’s) work in reverse engineering the wireless key fob used in Tesla vehicles. He discussed how he discovered that the keys to unlock and start the luxury vehicle use a 40-bit cypher behind the scenes. As some of us know 40-bit ciphers have been obsolete for a while now. So they set out to make a proof of concept and inform Tesla of their security issues.

Thanks to the work of Lennert and his team Tesla will be shipping new cars with an updated key fob, offers replacement key fobs for existing cars, and have updated their car software to disable keyless entry and start. A nice demo of the device they created can be found here.

Weaknesses in our voice communications network: from Blue Boxing to VoLTE by Ralph Moonen

Ralph Moonen’s talk was about the security in our telephone networks. He gave a nice history from the vulnerabilities when he first started out, all the way to the issues anno 2018.

He talked about the issues 2G – 3G and 4G are having, especially with VoLTE (or voices or 4G). It turns out the implementations of SIP in different european providers’ infrastructure opened up a lot of possibilities for attacks. He showed us what kind of control a user can have with a rooted phone, including gaining IPSec keys from the VoLTE stack.

He also showed us more fun stuff including subscriber enumeration, location determination trough leakage of cell-ID and LAC, text message spoofing, IMEI leakage and a SIM-card sharing attack.

It’s a bit of a niche area, but super interesting!

OWASP Zap by David Scrobonia

In this talk by David he showed the latest addition to ZAP. As I already briefly mentioned in my part about the OWASP ZAP training, ZAP is a very powerful tool, but not very accessible. This is the main addition of the new HUD David presented in this talk.

The HUD ties in with your browser by injecting a js script. This script makes the ZAP functionality available from your browser, making it a lot easier to use. In good open source fashion the HUD is expandable by the user. In this case it is easy to add more functionality by using the already existing scripting options inside ZAP.

Overall a very nice addition to the already nice ZAP application.

Juice Shop: OWASP’s most broken Flagship by Björn Kimminich

Björn Kimminich is a lead developer for OWASP’s flagship project Juice Shop. Juice Shop is a intentionally insecure web application, that can be used for trainings. Juice Shop is completely written in javascript and includes the full OWASP top 10 as well as may more security flaws. Each of the flaws is intentional and thus, when you exploit of the flaws you will get a nice green popup and the scoreboard will be updated.

Björn showed us how to re-theme the shop to provide for more realistic testing. Theming the shop to your company style will help increase the awareness of how real some of these issues can be in your own applications.

We also got a quick demo of how to set-up Juice Shop as a CTF in less than 10 minutes.

Very impressive stuff from a very entertaining speaker.

Leaky Processors: Stealing Your Secrets with Foreshadow by Jo Van Bulck

Jo Van Bulck told us about some of biggest vulnerabilities in modern CPUs. He gave in-depth explanations about Meltdown, Spectre, and Foreshadow. To me it is very impressive that security reaches to such a micro level and I thoroughly enjoyed Jo’s talk. But most of it went way over my head. Very complex matter but super interesting!

Lessons From The Legion (The OWASP BeNeLux Remix) by Nick Drage

Nick Drage came to us with a simple statement. InfoSec has so many intelligent people, working very hard, yet it feels like we are losing. He attests this to the fact that we are using the wrong strategies to use the strong tactics that we have build. We are playing a singleplayer game in a multiplayer environment. He asked to take a step back and to look at other places that deal with similar issues for answers, mainly generals and their war strategies, and american football with the strategies run on the field. Nick gave a very inspiring talk and I urge anyone who has the chance to go watch one of his talks.