Instructors: Jeremy Druin (webpwnized), Conrad Reynolds, Adrian Crenshaw (Irongeek)
Twitter: @webpwnized
Title: ISSA KY Web Application Pen Testing Workshop
Tools Used: Mutillidae 2.5.7 (hxxp://sourceforge.net/projects/mutillidae/), Burp Suite 1.5 Free Edition
Recorded By: Adrian Crenshaw of irongeek.com

The KY ISSA hosted a one-day web application pen testing workshop in support of the family of Johnny Long (@ihackstuff), whom many know from Hackers for Charity. The demonstrations were performed on Mutillidae 2.5, a deliberately vulnerable web application freely available on SourceForge. Mutillidae 2.5 is developed by Jeremy Druin (aka webpwnized). It contains 42 vulnerabilities in many different contexts. It is a free download.

The interception proxy used is Burp Suite 1.5 Free Edition. Both Mutillidae and Burp Suite may be installed on Windows or Linux. They may be installed on the same host or on two different hosts (the more realistic setup). Mac OS X is not officially supported, but Mutillidae and Burp Suite have been known to run well using MAMP and Java respectively.

The workshop was held to support the Long family. Johnny Long is a well-known speaker and author otherwise known as "j0hnny" or "j0hnnyhax". He moved to Africa in order to build computer training facilities in Uganda. Donations can be made by browsing to http://www.hackersforcharity.org/donate/ and then clicking the "Make a one-time donation directly to the Long family" link.

Topics covered were:

  • Injection point identification, prefixes, suffixes, and context
  • SQL Injection
  • Cross Site Scripting / Beef Hooks
  • HTML Injection
  • JSON injection
  • Authentication Bypass (SQLi)
  • Authentication Bypass (Cookie Tampering)
  • Local File Inclusion
  • Remote File Inclusion
  • Cross Site Request Forgery
  • Web Shells

Before the workshop began, students were expected to have Mutillidae and Burp Suite installed and operational, so these topics were not covered. However, the following prerequisite videos cover them using older versions of Mutillidae.

Installing and Using Burp Suite: http://www.youtube.com/watch?v=L4un5IppoY4

Installing NOWASP Mutillidae on Samurai Linux: http://www.youtube.com/watch?v=y-Cz3YRNc9U

Installing XAMPP/Mutillidae on Windows: http://www.youtube.com/watch?v=1hF0Q6ihvjc

Note: The specific environment used in the class was Mutillidae 2.5 running on a Windows XP virtual machine and Burp Suite 1.5 Free running on both the localhost and a Kali Linux host. All of the hosts were on a VirtualBox host-only network. No software was installed on the host operating system; all demos were run from virtual guests.

The modules were recorded in sections. Some sections covered speaker introductions, mentions of the ISSA hosts, and other material which was not related to the instruction, so those were omitted. Therefore the numbering of the instructional "parts" below is not sequential.

ISSA 2013 Web Pen-testing Workshop - Part 1 - Intro to Mutillidae, Burp Suite & Injection

ISSA 2013 Web Pen-testing Workshop - Part 2 - SQL Injection

ISSA 2013 Web Pen-testing Workshop - Part 3 - Uploading Web Shells via SQL Injection

ISSA 2013 Web Pen-testing Workshop - Part 4 - Auth Bypass via SQLi & Cookie Tampering

ISSA 2013 Web Pen-testing Workshop - Part 6 - Local/Remote File Inclusion

ISSA 2013 Web Pen-testing Workshop - Part 7 - Webshells

ISSA 2013 Web Pen-testing Workshop - Part 9 - HTML & Javascript Injection

ISSA 2013 Web Pen-testing Workshop - Part 10 - Beef Hooks

ISSA 2013 Web Pen-testing Workshop - Part 12 - JSON Injection