Whitebox Pentest (Based on AWAE/OSWE)

This repo is based on the offensive security AWAE syllabus and is designed to act as a cheatsheet for the OSWE exam and whitebox source code reviews in general.

Free Source Code Review Courses

• https://owasp.org/SecureCodingDojo/codereview101/
• https://pentesterlab.com/exercises/codereview/course

Source Code Review Methdologies

Reference: https://pentesterlab.com/exercises/codereview/course

Dangerous Functions

References:

• Nodejs: https://github.com/rinku191/OSWE-prepration/wiki/Nodejs-Dangerous-function
• C#: https://github.com/rinku191/OSWE-prepration/wiki/C%23-Dangerous-Function
• PHP: https://github.com/rinku191/OSWE-prepration/wiki/PHP-Dangerous-function
• Java: https://github.com/Cryin/JavaID
• Java, Ruby, ASP.NET, PHP, Android: https://github.com/cldrn/InsecureProgrammingDB

Enable Database Logging

```
 [mysqld]
 general_log_file = /var/log/mysql/mariadb.log
 general_log = 1
```

• Postgres: https://tableplus.com/blog/2018/10/how-to-show-queries-log-in-postgresql.html

Enable Remote Debugging

• Java: https://stackify.com/java-remote-debugging/
• Java: https://stackoverflow.com/questions/975271/remote-debugging-a-java-application
• Java, PHP, NodeJs: [Requires access to offsec forums] https://forums.offensive-security.com/showthread.php?37965-Visual-Studio-Code-debugging&p=172805

OSWE: Possible vulnerabilities that might show up in exam based on the syllabus

Vulnerable Code Examples

Code Review Checklist

• Identify Tech Stack:
  • Programming language? What version, i.e., PHP 5 or 7?
  • Database?
  • Framework?
  • Templating engine?
  • Is it MVC based?
  • What are the communication protocols, does it use websockets?
  • Does it have an API?
  • What Opertating System? find ubuntu version using lsb_release -a
• Map the app
  • Use tree -L 3 command, open the app in VSCode or build a sitemap using burp suite to understand the application directory structure
  • What are the routes/pages? If java app search for doPost and doGet. In case of python find routes starting with @
  • Is the app MVC based? where are the Models, Views and Controllers located?
• Explore the app
  • Is the application running as root?
  • Which pages don't require authentication? You can prioritise testing them first
  • MVC: Check if some logic breaks the MVC driven pattern, try to search for direct SQL queries within controller
• Discover vulnerabilities
  • What are the interesting functionalities? Password reset, comment section visible to all users, search bar etc
  • SQLi: Find database queries using regex ^.*?query.*?select.*?
  • SSTI: Find templating engine, you might have a similar line app.set('view engine', 'pug'); in app.js
  • DOM based XSS: Grep for sinks. REF: https://domgo.at/cxss/sinks
  • Weak random token generator: java.util.random is vulnerable

OSWE Like Machines

• https://www.vulnhub.com/entry/securecode-1,651/
• https://github.com/bmdyy

Skeleton Scripts

Regex

Tutorial: https://www.youtube.com/watch?v=rhzKDrUiJVk

Exam Tips:

• Make sure you have templated exploit scripts and exam report ready, before you appear for the exam.
• You will have to RDP into a machine to review code, so be prepared for a lag while clicking buttons and browsing through the code. It will be best to have an external monitor, it will drastically improve your performance since you will be able to look at more lines of code without scrolling. Try to make the font size in the remote code editor smaller as well, that can also help you avoid scrolling.
• During exam, first & foremost setup remote debugging & database query logs, you cannot survive the exam without these.
• Once you pickup an app to test, identify all the routes, preferably list them in a text editor as a checklist.
• Once you have the routes list, sort them based on attack potential i.e., unauthenticated routes and critical features like password reset, authentication logic etc should be on top of the list.
• Set breakpoints, supply input and go one by one through the routes to understand the complete flow and try to identify vulnerabilities.
• Don't jump into exploitation straight away, what looks like a vulnerability might be a rabbit hole, make sure you have looked into enough routes and have a fair idea of what all potential vulnerable functionalities are present before you decide to spend time on a single vulnerability.
• Keep a note of all the confirmed/potential vulnerabilities you identify even if they don't appear to lead to auth bypass or RCE, same as labs the exam also involves vulnerability chaining, you might need them later.
• Learn multithreading to save your precious exam time, it's not mandatory but just imagine testing & debugging a Blind SQLi script during the exam which takes 20 minutes for each run. Without multithreading you'll already be putting yourself in a bad position to pass the exam.
• Take a lot of breaks; during the breaks rethink if you are pursuing the right exploitation path.

All the best !!

Author: https://www.linkedin.com/in/hitman/