Hacking websites is perhaps often underestimated, yet it is super interesting with all its potential for command injection and cross-site scripting attacks. Tib3rius from White Oak Security discusses his experience as a web application security pen tester, his OSCP certification, and how he's giving back to the community with his Twitch, his YouTube, and the tools he's made available on GitHub.
VAMOSI: There’s a perception in information security that if you are serious about working in the field that you must have a computer science degree. You don’t. I’m not going to knock people with a formal degree -- they’re very good at what they do. But often these requirements on a job app exclude a great number of otherwise qualified people from applying.
And, when you think about it, criminal hackers don’t have years of formal education. In fact, the word “hack” simply means to take things apart. Sometimes finding a flaw in a website can be as simple as randomly striking keys on a keyboard. Anyone can do that, no formal degree required.
So it can be argued that those who guard against that should be formally trained, knowledgeable. And again, I do think it’s important that we have people who are formally educated. But I am not formally trained. Yet I am knowledgeable, I am even experienced. So to prove that to the world, I felt I needed a certification.
My CISSP cert was the product of studying and a lot of very hard work. For example, I didn't take a professional CISSP course although I was advised that I should, nor did I even sign up to do any online study. No, I simply bought Shon Harris's massive book CISSP All-in-One Exam Guide -- and read through it -- not once, twice. Then I took the test and hoped for the best. I passed. So ask me anything about RAID servers. Go on. I'm waiting.
There are other tests beyond the CISSP exam. One of which is the Offensive Security Certified Professional or OSCP exam, which provides the basics for becoming a professional pen tester. So you may not have a CS degree, but you will definitely need an OSCP cert to get work professionally hacking for a living.
In a moment I’ll introduce you to someone who not only got his OSCP cert, but also started to give back to the community by teaching others, and even creating some tools necessary to get through the exam. I hope you’ll stick around.
VAMOSI: Welcome to the Hacker Mind, an original podcast from ForAllSecure. It's about challenging our expectations about the people who hack for a living.
I’m Robert Vamosi and in this episode I’m going to talk about web application pen testing and some of the training and certifications you might want to get if that’s something you want to do for a living.
VAMOSI: So when you look at a web page, you probably just think “it’s a web page.” It’s not very interesting. If I want information, I’ll fill out a form. Well, that’s not necessarily true. The webpage has a lot of information going back and forth between the server and you and therefore it’s a point of entry for someone who’s malicious. So in order to get to that good stuff, let me introduce my guest, his title, and his company.
TIB3RIUS: Yeah, we can just use Tiberius, fine. I guess just a penetration tester at White Oak Security would be fine. We're a relatively small company, based out of Minnesota. But pretty much a completely remote team. Super talented group of people. Honestly, like one of the best places I've worked, just everyone, everyone there is just top of their game. Pretty much we try and hire the best. So pretty much everybody there is like a senior level. And yeah, check us out at whiteoaksecurity.com for various ranges of pen tests, like web apps, internals, red teams, social engineering, etc. So that is another good thing about White Oak is, you know, the first day they asked me, you know, which tests do you want to be on? Like, just give me all the web apps and I'll be fine.
VAMOSI: Web application security by itself is interesting. For one thing, web sites -- yes, web sites, are vulnerable in a number of ways. There's code injection, where a criminal hacker can have their code run in place of the legitimate code. There's cross site scripting, where a criminal hacker can manipulate the URL of a site to load malicious code. Then there's cross site request forgery, also known as a one-click hack, where URL parameters are also involved. So, before we begin, we should set some definitions. Web applications vs APIs. They're different. How does Tib3rius explain?
TIB3RIUS: But in terms of what we're, that's what Web Application Security means to me. I always define it in terms of the movement of information, and ultimately protecting user information. So honestly, every single kind of web app is just a portal to information.
VAMOSI: Yeah. This is a good definition in that it allows a lot of leeway. Ultimately, it is information security, so, yeah, the flow of information is always what’s important.
TIB3RIUS: And so you can do various things with that information. And obviously the major things we're talking about are kind of with the CIA, sort of triangle, right: confidentiality, integrity and availability. So you want to make sure that only people who actually do, the people who have proper permissions to access information, can access it, right? It's like confidentiality. At the same time, you have to make sure that nobody can change the information without having the proper permissions. And finally, obviously, you want to make sure that, you know, if you can access that information, you should always be able to access information. And so that's really how I kind of see it. I try and frame every single kind of security, like, issue in terms of web apps as effectively what can an attacker do to the information that's being stored in this web app.
VAMOSI: And that’s where Tib3rius gets to be creative, where he gets to the bad actor and to try and manipulate that data. So how does one start on that path?
TIB3RIUS: I've been in the industry over 10 years now, first two years that I was, I was, you know, a junior doing absolutely everything. But I had a slight background in web development, sort of for my personal level. And so I was kind of drawn more to that side of things. And ultimately, that's where I decided, you know, in my opinion, if you're going to be a pen tester, you can go one of two ways. You can either be a kind of jack of all trades, and, and be pretty good at a variety of things. Or you can focus on one area and just become a subject matter expert in that particular field.
VAMOSI: The former seems to be the typical media response to pen testers, that they are the jack of all trades; a human Swiss Army knife. For example, Elliot Alderson seems to know a little bit about everything, whatever the plot of Mr. Robot demands. And there are some of those people in real life; they do exist. In Episode 15 I talked with Kim Crawley about how to become a pen tester, and what skills you might need, and she, too, said it's more realistic to specialize. That's what Tib3rius did, he found that honing his skills in one area worked best for him.
TIB3RIUS: And there's no there's no reason why you would do one more than the other. It's entirely up to you I just decided, You know what, I don't really like doing internal stuff. It's kind of boring. It's kind of samey. I much prefer trying to hack into web applications and see what I can do there. So that's where I've spent pretty much the last eight years almost exclusively doing web applications.
VAMOSI: One advantage of doing web application testing is that you don’t have to physically be on site. The web page is accessible from anywhere. And, as a professional hacker, you should be able to access what you need from your own home. I mean, the bad actors aren’t necessarily inside the corporate headquarters. That said, for a thorough pen test, Tib3rius’ company sends out devices with tools he can access remotely.
TIB3RIUS: Well, actually, yeah, it depends. So most of our apps are mostly outside tests over the internet. But like I said, White Oak Security is an entirely remote company. We don't actually have a headquarters. I think their headquarters is technically the CEO's house but we're entirely remote. So what we have is a bunch of network devices called NUCs. And they have basically a version of Kali installed on them with a bunch of tools that we use. We send them over to a customer, they plug them into the network. They're basically entirely encrypted. And they call home to a central server. And that's how we connect into their environments. So yeah, I do a lot of internal testing as well, but we all do it remote. I think there were like three instances last year where people had to go on site. But most of the time, we seem to be able to do everything remotely. And I think that's probably the way the industry is shifting these days anyway.
VAMOSI: So, again, deconstructing the Elliot Alderson highly romanticized view of what a pen tester might look like on TV vs what a pen tester actually does, how does Tib3rius approach a generic assignment, given that each client will scope out different areas where they want the work done? What might a generic assignment be like?
TIB3RIUS: Yeah, so yeah, I mean, it does vary. So obviously the first thing we do is a scoping call. Where we, we usually get the customer to go over the web app in some degree of detail. It usually lasts anywhere between 15 to 30 minutes. I'm trying to get them really to just show me the complex stuff. Because obviously the main issue with testing web apps is the devs. And the people who've used them already know how to operate these web apps. But I'm coming almost completely blind. I've never seen this app before. It might be, you know, and I'm testing stuff. Like insurance apps, you know, where there might be some weird series of forms. And you know, I'm not an insurance guy. I don't know what I'm doing. So that's, that's obviously very important to know how to use the web app because ultimately, you need to know which inputs are correct in order to kind of try and mess with those inputs. You need to get a positive result that you know is a correct result before you can even try and attempt anything security related. So that's how I approach that in terms of the actual testing. The first thing is always enumeration. So effectively, that's opening Burp Suite. It's going through the application, usually the highest level user I have is basically just clicking around the first maybe like three or four hours of any test. It's just me trying to use the application. And I'll make mental notes and sometimes I'll type notes on my laptop about, you know, certain things I've seen. If there's a file upload, for instance, you know, that's a huge red flag. So I'll make a note of that. If there's anything that particularly strikes me as potentially a security risk, you know, we're talking about fields that seem okay, yeah, they could potentially be SQL injectable or, you know, they're, they're using numeric IDs. So that could be, you know, open to IDOR attacks. But that's mostly the first like three to four hours of doing that.
And then I'll start going through, looking more in detail at the actual requests that are captured in Burp. And I'll try and see okay, well, I'll try and actually attack these things. And start fuzzing stuff. And yeah, obviously, it depends entirely on the application. If I have just one user account, I'll do some basic authorization testing, trying to access stuff logged out that I can only access logged in. If there are multiple user accounts, it gets way more complicated. Authorization testing is just a nightmare. But almost every time there's multiple user accounts, I found, like multiple user roles, I found authorization issues. I think it's number one in the OWASP Top 10 right now for a very good reason. It's just, it's, I get it. It's extremely difficult to implement for developers, so I don't blame them at all. But, you know, other than that, you know, there's the other stuff that we test for, you know, things like HTTP request smuggling, which is still a thing these days, and other things like, you know, testing the SSL and TLS configuration. So it's a wide variety of stuff we'll test for.
VAMOSI: Earlier I mentioned various ways of hacking a website. These are categorized in the current OWASP Top 10 list. Of course everyone should follow the OWASP Top 10 guidance and mitigate against these more common flaws, but I'm wondering as a pen tester if there are times when Tib3rius might say if only the developers had done this, dot, dot, dot, and then there must be a bucket of like common areas that you would recommend that maybe developers or companies focus on in your experience?
VAMOSI: Right. For example, there’s the Common Weakness Enumeration, a list of common coding flaws that developers should look out for. There are automated tools within static analysis solutions that flag these as they parse through the lines of code. And then there’s the Common Vulnerabilities and Exploits, a huge list of identified vulnerabilities, some exploitable, that have workarounds or patches, and developers should check their code with Software Composition Analysis solutions as well.
TIB3RIUS: Obviously, there's the CWEs. There's a huge list of CWEs, which are basically individual web application vulnerabilities. Technically, they span regular applications as well. But yeah, the CWE series goes into, like, the 1000s now in terms of the numbers, and so definitely look through those. There are a few good ideas in there as well. But I think the main thing is definitely educating developers on secure coding practices, just to make sure that, you know, those SQL injections just never even come up in the first place.
VAMOSI: Tib3rius also teaches best practices. He has a Twitch channel and a YouTube. I find that great that people in the industry want to give back. So what was a trigger point for Tib3rius to begin to give back?
TIB3RIUS: Yes, so it was in 2017. I managed to get through most of my career without even doing the OSCP, which seems weird now, but back when I joined the industry, it just wasn't needed. However, I was working in a company, we had a training budget, my manager, he goes, do you want to do anything? I'm like, Yeah, I'll do the OSCP, you know, whatever. And so I was studying for that. I joined a Discord server called InfoSec Prep. And I was basically just, you know, it was a good community, it was focused on hey, you know, we're not gonna, like, tell you what to do. But everybody can, like, work together and solve problems and help each other out. So it was a really, really good community. I made a lot of friends there. Eventually I became an admin of that community. Now I still am. It's grown to like, I think it's like 30,000 users now, but the whole point of it was to help people through OSCP and I kept seeing people get tripped up on privilege escalation, especially. So the OSCP course, for anyone who doesn't know, it's a kind of very hands off course, in terms of they will give you the basics, but they expect you to go off and learn stuff yourself and Google things, and they've gotten a little bit better with the second version, but they release a lot more slides and information. I don't necessarily agree with that approach. I think if you're going to teach a course and do an exam, you should probably, you know, teach everything that's going to be in the exam. So a lot of people are getting tripped up by privilege escalation. And at the time I passed my OSCP, I figured, you know, I'll write a couple of privilege escalation courses. And I'll just go through, you know, the basics and do sort of a deep dive into a few of them. And then sell them as, hey, you know, if you study these, you're not necessarily going to pass the OSCP but you'll be prepared for whatever you find in the exam. And so yeah, a lot of people have asked me to do that.
So I did and I put them on Udemy and they got extremely popular, so I can't remember how many students now, I think it's near 20,000 have got the courses. And yeah, so I said that was just huge. And a few of my friends are streaming on Twitch doing hacking content. And so last year I started doing that as well. And that was, you know, that that's gotten a lot of, a lot more attention now. And you know, it's quite fun. It's stressful sometimes because, you know, you're solving these CTF boxes. And if anyone's tried to solve a CTF box, you know, it could take hours and you just tear your hair out. And, you know, I'm doing it in front of an audience. So, yeah, it's kind of daunting. And obviously, you know, I make mistakes and a lot of people have said, you know, I don't want to start streaming because, you know, I'm making all these mistakes. And I think my response to that is just do it anyway. Because, you know, if anything, it just shows, yeah, even people who've been in the industry for 10 years, you still make dumb mistakes and just miss kind of obvious stuff and it's not, it's not a problem. Yeah, that's gotten quite big. I have a YouTube channel as well, where I upload the recordings of the streams to that as well. So yeah, I'm currently working on the web testing course actually. That should be released later this year.
VAMOSI: So for someone who's not familiar with the OSCP, could you just in broad terms sketch out: what are some of the subject areas you're expected to know, and who would most likely benefit from taking it?
TIB3RIUS: Yeah. So originally, it was sold as sort of an entry level penetration testing exam. There's some argument about whether it is entry level or whether it's slightly above entry level. But effectively the course is supposed to teach basic penetration testing skills. And it does, it does take a more manual approach, which is good because you should know the manual approaches to these things. So it'll teach you how to scan networks and teach you how to enumerate certain services. It'll teach some web skills like SQL injection, for example. It'll teach buffer overflows, even though the buffer overflow section isn't that good these days because it's, I believe they use 32 bit buffer overflows, which, you know, is pretty old. And more recently, they've got Active Directory in there as well. So obviously, I think that was important, because for years, the OSCP didn't have anything to do with Active Directory. They didn't even cover it and so you have these pentesters taking the OSCP, joining a company and then facing this, you know, almost every internal is in a Windows network with Active Directory and that's daunting, you know. I really still don't understand Active Directory and I've been in the industry for more than 10 years. So it's complicated. So I'm glad they did that. Eventually. I think they were kind of forced to do it by a bunch of the other certificates that came along. Yeah, I think that the main sort of goal of the OSCP is to teach these basic skills of pentesting. A lot of entry level pentesting positions require it for good reason. I think it at least shows that you've, you've gone through this exam, and you've managed to actually, you know, demonstrate your skills, right. So I think that's probably it. It's definitely aimed at people who want to be pen testers. But at the same time, because it's such a manual kind of focus thing.
You will need more skills, obviously, if you do come into the industry, and you'll eventually end up using tools that aren't allowed on the OSCP. Like, no, nobody really does manual SQL injection anymore. We all just use sqlmap. And it's just because it's much easier. And you know, it's quick as well.
VAMOSI: There are some places on the OSCP exam where tools are allowed and so Tib3rius created his own, such as AutoRecon.
TIB3RIUS: Yes. So this is, I created it for my OSCP. So part of, a big part of the OSCP is enumeration. By that I mean, you know, doing port scans of the environment, figuring out which services are running and then doing various other enumeration steps on those services. And it's extremely boring if you're doing it manually. And it's extremely time consuming if you're doing it manually. And automating enumeration was never banned on the exam. It was always sort of, it was mainly exploitation that was, but the fact of the matter is, yeah, you could automate your enumeration if you wanted to. And at the time I did the exam there were like three main tools out there being used: there was Reconscan, there was bscan and there was, I can't ever pronounce this right, but I think it was Reconnoitre, I think it was a French tool. But they were all kind of okay, I liked them. But I didn't, I didn't like everything about them. And so what I figured I would do is, you know, take the hard route, write one myself. So I kind of, the first attempt at it was effectively kind of taking code from all those three tools and kind of merging it into one tool. And so I did that. I named it AutoRecon and I used that on my OSCP exam and a bunch of other people did and they said, you know, that it was really helpful because they could pretty much just give it the four IP addresses that you had for targets and let it do its thing. And while it was running, you would do the buffer overflow box. So the OSCP exam used to be basically four full boxes and a buffer overflow. The buffer overflow didn't need any scanning on it, you could just go ahead and attack that. So the strategy was run AutoRecon, and while that's running, get the buffer overflow and then once you've done that, you'll come back to a bunch of scans. So yeah, it got pretty popular. But because I wrote it, effectively, kind of during my OSCP, it wasn't very good.
So I was always kind of like, like it was it was a popular tool and everybody loved it, but I kind of hated it because I was like well I did this wrong and I did this wrong. I did this wrong. So last year, I rewrote the entire thing from scratch, using a completely different system and now it has like a plugin system and everything. So I like it now. I think it's I think it's a good tool. Myself. So I'm pretty proud of that accomplishment.
VAMOSI: So Tib3rius mentioned that OSCP wasn't required years ago, and now it seems to be more required. Are there additional certs that are required today?
TIB3RIUS: OSCP is definitely the big one. But I think that there's definitely been some movement in the industry recently. OffSec has been getting a bit of flak. There used to be a cert where, you know, compared to SANS, which was like $5,000, and OSCP was like $1,000. For what you got, it was a really good deal. However they seem to have, and I don't necessarily think this is the case, but a lot of people have accused them of sort of money grabbing and increasing the prices for no real good reason, especially in terms of retakes. So there has been a movement in the industry. A lot of other competitors have come in and have offered sort of competitive deals, I guess. So you've got TCM Academy's PNPT, which is effectively, you know, an OSCP-like exam. However, they definitely go into more detail. So there is OSINT stuff, for example. There's Active Directory stuff as well, which obviously is in the OSCP now as well. But I think the main differentiator there is they, they take the time to write a report and then they will do like a half an hour readout call where they will go over the report with you and ask questions and see how you respond. And I think that's extremely important as well, because a lot of people come into this industry and come into pentesting and think, you know, yeah, I get to hack stuff. But, you know, yeah, that's kind of what you're being paid for, but not really, like the people aren't paying for a pen test. They're paying for the report. And so you have to be able to write a good report and you also have to be able to present a report on a readout call. Almost every single one of the tests that I do we have a readout call, at least like a week or two later. And the customer may have questions about certain things. They may argue certain findings. I've definitely had instances where customers said yeah, you've marked this as high, we think it's a medium. And I have to basically defend why it's high. But I think that's really important.
So I'm glad that they're doing that. But also eLearnSecurity as well have a few good courses and exams. And I know their prices are pretty competitive as well.
VAMOSI: So if OSCP is a beginner level, are there more advanced levels?
TIB3RIUS: Yes, so OffSec do have another exam, on, I honestly cannot remember what it's called. I don't, I don't want to mess it up. But it's an OS-something. It might be OSCE or OSEE. It does have, like, a level above the OSCP which I've heard is good. But in other terms there's, so there's the CRTP, Certified Red Team Professional, which is a heavily Active Directory exam, which I've actually taken and so I think that's actually a very good, very good course, a very good exam. Extremely hands on there. I think there's like 24 hours of video. And the instructor is very well known in the community, especially for, like, Active Directory stuff. So that's, of course, I would definitely recommend it. And there's also a course above that. And I cannot remember the name of it, but effectively takes the Active Directory stuff to a new level. So that's really where I would go, if you want to do sort of internal things. For web applications, there's a few other courses; eLearnSecurity has a few web application exams and PortSwigger, the creators of Burp Suite, they actually have a new exam as of last year. So that, and that I've heard is very challenging. That's, honestly, one of my goals for this year is just to do that. I haven't even attempted it yet. But I've been putting it off for too long, I think so. I'm gonna have to get that one.
VAMOSI: So, I've heard that people outside the computer sciences are good in security. I discuss this in greater detail in EP 44, where the SANS Institute is deliberately looking to hire people without CS degrees into the infosec world. People like me. For one thing, we don't necessarily know the rules, which makes it easier to think outside the box. Also, we bring into the industry real world knowledge of how software actually is used -- not often how it was intended to be used. So I'm wondering if people outside of having a CS degree should consider pen testing as a career.
TIB3RIUS: Yeah, it's a good question. It's kind of complicated. I think it really depends on the company. So a lot of companies will require some kind of degree. Back when I joined, yeah, you definitely needed a degree at least. I have one in computer science and I have a master's in information security. But I think that's kind of overkill. So I would say this, a degree in computer science isn't going to be a disadvantage. You know, it's going to teach you some stuff about computers at least, you know, a lot of the computer science courses are kind of awful. But yeah, it'll give you a base level of knowledge. Nothing really to do with security or anything, but at least you'll understand core concepts.
VAMOSI: Yeah, that’s all well and good but again coming at it from outside the box has some value.
TIB3RIUS: Yeah, potentially. A lot of pen testing is problem solving. So if you have good problem-solving skills, then certainly, and if you're able to look at things a different way, absolutely. But I don't, I don't think these days they're absolutely necessary. I think the problem is there's a disconnect between reality and HR in terms of what HR think people need to do this job and what people actually need. But in terms of it, I mean, if, if you can't, if you're in a situation where you just can't get a degree, for whatever reason, I would definitely recommend doing bug bounties and honestly, there's so much information out there online for free. If we're talking like HackTricks, it is a great website, which is basically just a massive brain dump of several pen testers, and PayloadsAllTheThings on GitHub also is a really good resource. And if you start reading through those and you start doing CTFs, and you start doing bug bounties, I think that is experience in my book. And I actually know a guy who got a pentesting job straight out of college. I think even before he graduated actually, the main reason was he got into bug bounties and just started finding everything and was in like the top 50 on Bugcrowd. So you know, it definitely counts for experience and I think it's definitely something that you should try.
VAMOSI: Of course, pen tester Tib3rius has war stories. Or at least one good one to share.
TIB3RIUS: Yeah, so I mean, I think I've told this one a few, in a few interviews before and it's, it's almost half cheating because this was, this was an ASP app. So not even ASPX, it was like a legacy app they still had online. I think this was back in 2016, though, so it's still pretty, pretty recent. So yeah, it was an SQL injection. I found this and basically, yeah, I think Burp Suite flagged it and it flagged it using a Collaborator. So effectively, it sent some, I think it was xp_dirtree, which caused a DNS lookup on the Collaborator server. So I thought, Okay, that's interesting. And so I checked that out, I was doing a bunch of SQL injection with sqlmap. So I was able to dump a few things basically using time based exploits. Then I came back to the whole, you know, xp_dirtree. I wonder if xp_cmdshell does as well. And for those of you who don't know what that is, it's basically a really bizarre feature in SQL Server, where you can execute system commands. And lo and behold, yeah, they turned that on for some reason.
VAMOSI: I’ve heard this from other pen testers as well. Oftentimes it comes down to misconfigured tools. If only the site administrator or the developer had configured it properly, they wouldn’t be sitting in that position.
TIB3RIUS: So that was fun. And the only issue with it is obviously it was a blind SQL injection. So I could cause the server to sleep and I can extract information that way. But that was extremely slow. So I wanted to try and extract information another way and I knew I had a DNS lookup available, right? I could cause the server to do DNS requests. I tried, at least, getting some kind of remote connection but it seemed like every single port was blocked. So I couldn't even connect out on 53. The only reason DNS was working is because the Collaborator server in Burp Suite uses an authoritative domain for itself. So effectively, any DNS requests will hit that even if it's routed through, you know, 1.1.1.1. And so what I figured was PowerShell was also on this box.
VAMOSI: Okay, powershell? That’s an open-source, command-line interface based tool that allows developers, IT admins, and DevOps professionals to automate tasks and configurations using code.
TIB3RIUS: And so I very quickly, over the course of like maybe an hour and a half, I wrote a PowerShell script that was, well. It has to be one line because this is an SQL injection in the URL. So I wrote a PowerShell script in one line which executed a system command, converted the result into hex characters, split the hex characters into 64 byte chunks and then just did a bunch of DNS requests, like prepending each of those results onto the Burp Collaborator domain. And so effectively, the first time I run that, I run, like, whoami. And I get this DNS request, I take the first 61 hex characters off the domain. I decode them and it's the system account. So not only do I have command execution via this SQL injection, but I'm doing it as SYSTEM. So that was a story that, honestly, that's where I peaked, unfortunately. That's, that's the greatest exploit I've, I've ever come across because it was, I call it like, it was a super blind SQL injection to RCE because, you know, it wasn't even like I could, I could, I really couldn't do it via timed attack, it would have taken too long. The fact that I had to trigger all these DNS requests, and the fact that I had to create a one line PowerShell script that I had to insert into an SQL injection, you know. I feel like that's never going to come up again. Is it? So that's the only story I can ever tell.
VAMOSI: I’d like to thank Tib3rius for coming on the show and talking about web application security pen testing, and how he got into the field, and some of the stuff he’s been able to find. I’d also like to call out his Twitch channel, and his YouTube channel, and keep an eye out for his trainings, and download some of his tools at https://github.com/Tib3rius/ - that’s Tib3rius with a 3 in it.