These are my notes of OWASP Belgium Chapter meeting of 29th of May.
HTTP for the good or the bad
The talk was about the (mostly php) webshells and how the bad guys are using it.
(Webshels) common features :
- file manipulation
- system command execution
- DB administration
- network scanning
How the bad guys are trying to protect the access to the webshell url once is installed on the vulnerable servers:
- obfuscation
- use random get parameters
- use the .httpaccess file – use the
- user agent
- fully qualified domain names
- (HTTP) referrer header
- custom HTTP headers – use custom HTTP header to grant access to the webshell url.
- fake arguments
- IP geolocalisation – used an external service to geolocalize the connected client.
- black listed IPs – use the (black) list of IPs from which the client cannot connect.
(Common) mistakes made by the webshell developers:
- use deprecated functions.
- all of them are suffering from the XSS vulnerabilities (but are hard to be exploited).
- no httpOnly cookies.
- weak authentication; no password protection against brute-force attack.
- the check of th password is done via a hash check (very often the real password is in the code as comment).
Panopticon – a cross-patform dissambler
Panapticon goals:
- disassemble the code
- do a static analysis of the code
- have a very user friendly UI.
Panapticon “special” features:
- semantic-based analysis; approximative what happens at run time without executing the code.
- display, compare and run execution traces.
- scripting support:Ruby/Python/Js
Adventures in the programming jungle 
You must be logged in to post a comment.