Author Topic: How do you find a 0day ? (web apps)  (Read 3845 times)


Offline 0wn4g3

  • /dev/null
  • *
  • Posts: 7
  • Cookies: 1
How do you find a 0day ? (web apps)
« on: June 03, 2013, 12:23:58 pm »
Hello guys.
I thought I'd open this thread so everybody shares/tells how they find a 0day in a web application.
Do you do it manually, or automatically with scanners/tools?
I'd like to hear your ideas.

~0wn4g3

Offline namespace7

  • Sir
  • ***
  • Posts: 561
  • Cookies: 115
  • My Brother's Keeper
Re: How do you find a 0day ? (web apps)
« Reply #1 on: June 03, 2013, 06:52:11 pm »
No, you don't do it automatically with scanners/tools.
No tool exists that can find a 0day for you. Well, theoretically, a tool could accidentally or randomly break something in a program that might reveal some problems that you might or might not exploit, but in practice I don't think this happens.
Better go learn C, ASM, debugging, reversing, shellcoding. I think that's enough keywords to get you reading.
See you in 10 years.


It's not something you learn in a month.
"A programmer’s greatest enemy isn’t the tools or the boss or the artists or the design or the legacy code or the third party code or the API or the OS. A programmer’s greatest enemy is getting stuck.
Therefore a crucial step to becoming a better programmer is learning how to avoid getting stuck, to recognize when you’re stuck, and to get unstuck." -Jeff Wofford

Offline Alin

  • Peasant
  • *
  • Posts: 56
  • Cookies: -4
Re: How do you find a 0day ? (web apps)
« Reply #2 on: June 04, 2013, 04:59:55 pm »
Quote
No, you don't do it automatically with scanners/tools.
No tool exists that can find a 0day for you. Well, theoretically, a tool could accidentally or randomly break something in a program that might reveal some problems that you might or might not exploit, but in practice I don't think this happens.
Better go learn C, ASM, debugging, reversing, shellcoding. I think that's enough keywords to get you reading.
See you in 10 years.

It's not something you learn in a month.

For web application hacking, that is a ridiculous set of skills. I would encourage the topic starter to start out by learning about the HTTP protocol, SQL and a scripting language, e.g. PHP.


0-days in web apps are easy, but usually not really interesting. A CSRF vulnerability in a WordPress plugin is not interesting at all. An arbitrary code execution in the base WordPress system is interesting.


A lot of web applications are built on top of an open platform like Drupal, TYPO3 or WordPress. You can just download them and look through the code.

Offline namespace7

  • Sir
  • ***
  • Posts: 561
  • Cookies: 115
  • My Brother's Keeper
Re: How do you find a 0day ? (web apps)
« Reply #3 on: June 04, 2013, 08:16:47 pm »
You are of course right, Alin. I was not being specific at all; I just mentioned what you want to learn for conventional vulnerability/exploit finding/writing in binary software.

So sorry OP, my bad, I wasn't answering in relation to what you wanted to know.

Offline scuarplex

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 1
Re: How do you find a 0day ? (web apps)
« Reply #4 on: June 04, 2013, 10:43:58 pm »
Quote
No, you don't do it automatically with scanners/tools.
No tool exists that can find a 0day for you.

¿

There are tools for finding 0days actually, such as:

RIPS: http://sourceforge.net/projects/rips-scanner/
SWAAT: https://www.owasp.org/index.php/Category:OWASP_SWAAT_Project

among others, which perform static analysis (code review).


Of course you can't compare it with a manual static/dynamic analysis of a web application.


There are logic flaws which would be impossible for a tool to find. And regular vulnerabilities which have to be exploited in some other kind of way, since they don't always match the defined heuristic.

Wanna learn how to find 0days in web apps?
  • Learn to code
  • Learn how to code securely
  • Learn how to do static and dynamic analysis
Check OWASP for references
Quote
0-days in web apps are easy, but usually not really interesting. A CSRF vulnerability in a WordPress plugin is not interesting at all. An arbitrary code execution in the base WordPress system is interesting

Interest depends on how far your imagination can go. A well-performed CSRF attack can create an administrator in a sensitive blog.


The xmlrpc in WordPress didn't seem to have a great usage, but when you combine it with a small botnet you could have 90% of the WordPress blogs (at least when it was released) performing a DDoS attack on some target of your choice.
« Last Edit: June 04, 2013, 10:47:21 pm by scuarplex »
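To make the "CSRF creates an administrator" point concrete, here is an added example that is not code from the thread, from WordPress or from any plugin: a minimal "add administrator" handler written twice, first authorising on the session cookie alone (the forgeable version), then guarded by a per-session synchroniser token. The Request class, the SESSIONS store and the admin set are stand-ins invented for the demo, not any real framework's API.

```python
"""Added example, not from the thread or any real project: a CSRF-able
"create administrator" handler next to the same handler hardened with a
synchroniser token. Request, SESSIONS and the admin set are demo stand-ins."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    form: dict      # POST body: a cross-site page controls this
    cookies: dict   # sent by the victim's browser automatically


# Constructed server-side state: alice is logged in as an administrator.
SESSIONS = {"sid-alice": {"user": "alice", "role": "admin"}}


def _session(req):
    return SESSIONS.get(req.cookies.get("sid"))


def vulnerable_add_admin(req, admins):
    """Authorises on the cookie only. An auto-submitting form on
    attacker.example is posted with alice's cookie and succeeds."""
    sess = _session(req)
    if req.method != "POST" or sess is None or sess["role"] != "admin":
        return 403
    admins.add(req.form["username"])
    return 200


def issue_csrf_token(sess):
    """Called when rendering the legitimate form; the token lives only in
    the session, so a cross-origin page cannot read it."""
    return sess.setdefault("csrf", secrets.token_urlsafe(32))


def hardened_add_admin(req, admins):
    sess = _session(req)
    if req.method != "POST" or sess is None or sess["role"] != "admin":
        return 403
    expected = sess.get("csrf", "")
    supplied = req.form.get("csrf_token", "")
    # Constant-time compare; a session without a token is rejected outright.
    if not expected or not hmac.compare_digest(supplied, expected):
        return 403
    admins.add(req.form["username"])
    return 200


def demo():
    """Returns (vulnerable, hardened/forged, hardened/legit, hardened/guessed, admins)."""
    admins = {"alice"}
    # Cross-site form post: the browser attaches alice's cookie, the attacker
    # picks the body. No token is available to the attacker's page.
    forged = Request("POST", {"username": "mallory"}, {"sid": "sid-alice"})
    r_vuln = vulnerable_add_admin(forged, admins)     # 200: mallory is now admin
    r_forged = hardened_add_admin(forged, admins)     # 403: no token
    # Same-origin form rendered with the token from alice's own session.
    token = issue_csrf_token(SESSIONS["sid-alice"])
    legit = Request("POST", {"username": "bob", "csrf_token": token},
                    {"sid": "sid-alice"})
    r_legit = hardened_add_admin(legit, admins)       # 200
    # A guessed token of the right length is rejected too.
    guessed = Request("POST", {"username": "eve", "csrf_token": "x" * 43},
                      {"sid": "sid-alice"})
    r_guess = hardened_add_admin(guessed, admins)     # 403
    return r_vuln, r_forged, r_legit, r_guess, sorted(admins)


if __name__ == "__main__":
    print(demo())
```

The token must be unpredictable and bound to the session; comparing it with hmac.compare_digest avoids leaking it through timing. Checking the Origin/Referer header and setting the session cookie with SameSite are useful as defence in depth, but the token check is what makes the handler safe on its own.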

Offline Alin

  • Peasant
  • *
  • Posts: 56
  • Cookies: -4
Re: How do you find a 0day ? (web apps)
« Reply #5 on: June 04, 2013, 11:18:45 pm »
Quote
Interest depends on how far your imagination can go. A well-performed CSRF attack can create an administrator in a sensitive blog.

CSRF in a plugin is not interesting, but I agree it can be exploited for an ultimate impact that is a lot worse than the actual CSRF, and it should be fixed.


Secunia just published a CSRF in the qTranslate plugin for WordPress today that is not fixed.


edit: Just for reference, the qTranslate plugin has 800k+ downloads.
« Last Edit: June 04, 2013, 11:19:55 pm by Alin »

Offline BangYa

  • NULL
  • Posts: 3
  • Cookies: 1
Re: How do you find a 0day ? (web apps)
« Reply #6 on: June 06, 2013, 03:52:05 pm »
The best bet is to do it manually. Automated tools are really just used for "Risk/Vulnerability Management". Use a tool like Burp Suite, start browsing and look for 302 errors and such, which could be indicative of an issue, but not necessarily. It's a lot of hit and miss, but once you find one it's fun.

Offline whit3 f0x

  • NULL
  • Posts: 2
  • Cookies: 0
  • Eyes and ears wide open.
Re: How do you find a 0day ? (web apps)
« Reply #7 on: June 07, 2013, 09:49:18 pm »
Unless I am mistaken, most people generally find them while browsing through the source code of an application.

From there they test them on a multitude of applications running the same software, and if it works globally they are then either kept privately or released as a "0day".

Offline namespace7

  • Sir
  • ***
  • Posts: 561
  • Cookies: 115
  • My Brother's Keeper
Re: How do you find a 0day ? (web apps)
« Reply #8 on: June 08, 2013, 05:47:01 pm »
Quote
Unless I am mistaken, most people generally find them while browsing through the source code of an application.

From there they test them on a multitude of applications running the same software, and if it works globally they are then either kept privately or released as a "0day".

WTF? O.o

Offline Alin

  • Peasant
  • *
  • Posts: 56
  • Cookies: -4
Re: How do you find a 0day ? (web apps)
« Reply #9 on: June 08, 2013, 07:46:39 pm »
Quote
Unless I am mistaken, most people generally find them while browsing through the source code of an application.

From there they test them on a multitude of applications running the same software, and if it works globally they are then either kept privately or released as a "0day".


0-days in software are found by:

1. Fuzzing applications, but this can take a lot of time looking through crash dumps to determine if a crash can be exploited.
2. Trying to accomplish other stuff and having the application do unexpected things.
3. Looking specifically at source code or assembly for vulnerabilities.


If you are looking for vulnerabilities in general software, go for programs that implement some kind of parser; they are usually broken in some way.


Most critical vulnerabilities are coordinated with vendors before being disclosed. Every now and then, they are found in the wild.

Offline frog

  • Knight
  • **
  • Posts: 232
  • Cookies: 16
Re: How do you find a 0day ? (web apps)
« Reply #10 on: June 10, 2013, 03:58:09 am »
Get the book "The Web Application Hacker's Handbook". This book will answer all your questions and you will most definitely learn along the way. Learning is the trick. Don't think you're ever done, because you're not. That is the point of being a human anyway, to evolve our consciousness and experience new things.

Offline AnarchyAngel

  • Peasant
  • *
  • Posts: 50
  • Cookies: 1
  • mmmm beer
Re: How do you find a 0day ? (web apps)
« Reply #11 on: June 22, 2013, 04:59:40 am »
If it's a web app in PHP, you can get a lead on things with a quick egrep. It will take knowledge of PHP or whatever language you are fuzzing.
https://dc414.org - MKE area DEFCON group
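The "quick egrep" idea above, and the static-analysis (code review) approach scuarplex mentioned earlier in the thread, both come down to the same first pass: find where request data reaches a dangerous function. Here is an added example of that pass, not code from the thread or from RIPS or any other tool: it marks variables assigned from PHP request superglobals as tainted and reports lines where a tainted value, or a superglobal itself, reaches a sink without a recognised sanitiser on the same line. The PHP snippet it scans is constructed for the demo; the sink, source and sanitiser lists are illustrative choices, not a complete catalogue.

```python
"""Added example, not from the thread or any real scanner: a line-based
taint grep for PHP. It only sees one file and one line at a time, knows
nothing about control flow or functions, and treats any sanitiser on the
line as covering the whole line, so every hit is a lead to read, not a bug."""
import re

SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES")
SINKS = {
    "sqli": ("mysql_query", "mysqli_query", "pg_query"),
    "cmdi": ("system", "exec", "passthru", "shell_exec", "popen"),
    "rce":  ("eval", "create_function"),
    "lfi":  ("include", "include_once", "require", "require_once"),
    "xss":  ("echo", "print"),
}
SANITIZERS = ("intval", "(int)", "escapeshellarg", "htmlspecialchars",
              "mysql_real_escape_string", "mysqli_real_escape_string")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")


def _mentions(code, names):
    # Word-boundary match so that $id does not match $safe_id or $id2.
    return [n for n in names if re.search(re.escape(n) + r"\b", code)]


def _has_sink(code, func):
    # Lookbehind so that "exec" does not fire inside "shell_exec".
    return re.search(r"(?<![\w$])" + re.escape(func) + r"\b", code) is not None


def scan_php(src):
    """Return [(line_no, kind, sink, tainted_name), ...] for one PHP file."""
    tainted = set()
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        code = line.split("//", 1)[0].rstrip()   # crude comment stripping
        m = ASSIGN.match(code)
        if m:
            var, rhs = m.groups()
            dirty = _mentions(rhs, SOURCES) or _mentions(rhs, sorted(tainted))
            if dirty and not any(s in rhs for s in SANITIZERS):
                tainted.add(var)
            else:
                tainted.discard(var)             # clean reassignment clears taint
        for kind, funcs in SINKS.items():
            for func in funcs:
                if not _has_sink(code, func):
                    continue
                dirty = _mentions(code, SOURCES) + _mentions(code, sorted(tainted))
                if dirty and not any(s in code for s in SANITIZERS):
                    findings.append((no, kind, func, dirty[0]))
    return findings


# Constructed sample, not taken from any real plugin.
SAMPLE_PHP = "\n".join([
    "<?php",                                                       # 1
    "$id = $_GET['id'];",                                          # 2
    "$safe_id = intval($_GET['id']);",                             # 3
    "$name = $_POST['name'];",                                     # 4
    "$cmd = $_REQUEST['cmd'];",                                    # 5
    'mysql_query("SELECT * FROM users WHERE id = " . $id);',       # 6  lead: SQL injection
    'mysql_query("SELECT * FROM users WHERE id = " . $safe_id);',  # 7  intval() applied
    'echo "Hello " . $name;',                                      # 8  lead: reflected XSS
    'system("ping " . escapeshellarg($cmd));',                     # 9  escapeshellarg() applied
    "include($_GET['page'] . '.php');",                            # 10 lead: file inclusion
    "eval($cmd);",                                                 # 11 lead: code execution
])


if __name__ == "__main__":
    for no, kind, func, name in scan_php(SAMPLE_PHP):
        print(f"line {no}: {kind} via {func}() with {name}")
```

Run against the sample it reports lines 6, 8, 10 and 11 and stays quiet on 7 and 9, which is exactly the triage a manual reviewer would start from. Real tools such as RIPS do this across files and function boundaries with proper parsing; the value of the quick version is that it runs in seconds over a freshly downloaded plugin directory and tells you where to start reading.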