Anyone who knows training (or InfoSec for that matter) knows SANS is probably THE most recognized name in InfoSec training. While the foundation of SANS is Stephen Northcutt and Alan Paller, its superstars are the InGuardians crew. Call them security divas, we don’t care. We know that Ed Skoudis, Kevin Johnson, Mike Poor, and Joshua Wright are instructors we’d spend the whole of our security budget to train with. We can’t decide what we like best: their stellar tool development, their helpful whitepapers, their nifty cheat sheets, their open source projects, or the fact that their courses are the most interesting and engaging we’ve seen.
Web application pen testing is a huge focus for the security space right now, and SANS just turned its 4-day SEC542 – Web App Penetration Testing and Ethical Hacking into a 6-day class. We had the chance to pick the brain of its instructor/creator Kevin Johnson, InGuardians pen tester, father, and all-around great guy.
Read on as he answers our questions on a wide array of our web-app security queries.
Thanks for joining us Kevin! Can you tell us a little about who you are and what your
history is in the security field?
Sure. I have been working with computers for WAY too long and have done lots of different
things. Everything from installing a modem for the little old lady down the road, to building
complex web sites with mainframe back ends. I started getting into security because it touched
everything I did. The final push was when a company I worked at was compromised. It was
nothing substantial but the fact that someone used “my” machines pissed me off.
I have since started and run quite a few open-source security projects and author/teach the SANS
web pentesting course, Sec542.
As to who I am, that is pretty simple. I am a nerd that has a wife that supports what he does and
the two best daughters in the world. My ultimate goal is to turn both Brenna and Sarah into the
biggest nerds I can. It helps that my hobbies are what I do for a living.
Can you give us a high-level overview of your current projects like Yokoso!, SamuraiWTF, and
SecTools?
Most of them are related to web security, which is my main focus. But here is a short description
of the major ones.
SamuraiWTF – A live CD that focuses on web penetration testing
Yokoso! – Infrastructure fingerprinting delivered via XSS.
Laudanum – Injectable scripts to increase our foothold after finding SQL injection flaws
BASE – Web interface for monitoring and managing Snort alerts
SecTools – Catch-all project where things like Hping2 (Windows) and WebArmor end up
SocialNetworkBots – Exactly what it is named.
Some people feel that webapp pentesting is the new open vector and network pentesting is in
decline. What do you think? Do you think there is a long future in network and web-app
hacking?
Wow, I can’t believe that anyone would think network pen-testing was going away any time soon.
I will agree that web app flaws are getting more attention right now, but I think that what we will see
in the future is combined testing. Ed Skoudis, Josh Wright and I did a series of webcasts outlining
how the three types of testing are related and scenarios combining the attacks. I really think those
outline what I see quite well.
What does InGuardians do? Can you give us a day in the life of an InGuardians pentester?
InGuardians does quite a bit actually. I am always amazed at the incredible skill I am surrounded
by. Our services include everything from penetration tests and security architecture review to
forensics and incident response. We also regularly take on research projects for our clients. Our
staff regularly teaches, mainly through SANS, and we present at many different venues.
A day in the life of an InGuardians agent is varied based on what is going on and which projects we
are working on. If we are on-site at a client or a conference our day is focused on doing what
needs to be done there. When not, I work out of my home office handling the various requests or
projects going on then. The main point of my day is the constant support and communication that
happens between the staff. We have adapted well to the distance between us and the virtual nature
of our collaboration. I am constantly sending messages or talking within our internal systems to the
other members. That collaboration is what I think makes up the best part of being an InGuardians
agent. When I am working a project, the best of the best is only a bit of typing away from
supporting and improving what I am doing.
What is the hardest or coolest webapp hack you’ve pulled off, what about the most challenging
pentest?
I will have to go with coolest since most of the problems we find are actually quite simple. (Which
is pretty sad if I may say so myself.) I personally think that some of the attacks performed by
injecting malicious code through help desk ticketing systems are a ton of fun. And of course the
fact that they almost guarantee elevated privileges makes me like them even more.
The other attack I really like is when we have an XSS flaw and we use it to inject Yokoso!. This
allows us to fingerprint what apps and infrastructure they are running internally. If we find they are
running something that has a CSRF flaw, we can then inject the exploit for that and cause the
admin’s system to add an account for us or whatever.
I also think that one of the cooler ones was a physical attack Justin Searle and I did. We told the
security guard we had left one of our cell phones in the secured area and they let Justin into the
area. People are the fun link to attack.
What are your views on the browser trifecta this year at CanSecWest, in the Pwn2Own
Contest? Were you surprised Firefox, IE, and Safari were all pwned with zero-days in a
relatively short amount of time, or did you have a pretty good feel that today’s browsers are
highly insecure?
I was not surprised at all. Our client applications are, and will be for some time, the weakest part of
our infrastructure.
What are your views that Chrome was the only browser unscathed with its sandboxing
feature? Do you think that Google’s sandboxing is an exemplary implementation of that
technology?
While Chrome did escape unscathed, I am not sure I would call it an exemplary implementation. It
just isn’t the target the others are and since the others were in-scope, it didn’t fall. Let’s talk next
year.
What are your thoughts on this year’s two zero-day Adobe exploits? Do you feel the wide-
spread implementation of Adobe technologies makes it a big target or is it a representation of
something else?
Adobe, Adobe, Adobe… (Read that with the pitying voice I meant it in.) I think that the zero-days
in Adobe products are caused by both the target size it represents and a problem with the client
complexity it and others are increasing. I think that we have seen an amazing jump forward in
client complexity in the last few years and it isn’t stopping. Client apps have to be securely written
and very few organizations are working on it. We, the consumers, need to start loudly complaining
when problems like this are found. And someone needs to solve the client patching issues that
exist. And no, the Adobe/Java/whatever updater is not the answer.
In your “forget 0-day, let’s talk zero exploit” talk you gave an overview of clickjacking.
Have you seen these exploits in the wild yet? Do any tools exist yet, or are you (or any
colleagues) developing anything for the scope of pentests regarding clickjacking?
Yes, we have seen these “exploits” in the wild. The NoScript add-on’s main site uses it to provide a
download link. The main point of the talk and this issue is that the client applications provide us so
many ways to attack without taking advantage of a flaw or vulnerability.
We do not currently have a tool that is focused on clickjacking, but I could see Middler being
expanded to support it.
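The clickjacking discussion above is about a client-side behaviour rather than a bug in any one site, so the defensive question is simply whether a page lets itself be framed by another origin. The following checker is an added example, not code from the interview, from InGuardians or from any of the tools mentioned: it reads the headers a response was served with and applies the browser precedence rule (a Content-Security-Policy `frame-ancestors` directive wins over `X-Frame-Options`). All header sets in `SAMPLES` are constructed for the example and are not captured from any real site.

```python
"""Check HTTP response headers for clickjacking (UI redress) protection.

Added, defender-side example (not from the interview or InGuardians):
given the headers a page is served with, decide whether an arbitrary
third-party origin could embed it in a frame. Sample responses are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FrameCheck:
    framable_by_third_parties: bool
    reason: str


def _csp_frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def check_framing(headers: dict) -> FrameCheck:
    """Decide whether a response can be embedded in a frame on another origin.

    Precedence follows browser behaviour: when both headers are present,
    CSP frame-ancestors is honoured and X-Frame-Options is ignored.
    """
    # Header names are case-insensitive; normalise once.
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors in (["'none'"], ["'self'"]):
                return FrameCheck(False, f"CSP frame-ancestors {ancestors[0]}")
            if "*" in ancestors:
                return FrameCheck(True, "CSP frame-ancestors allows any origin (*)")
            # Explicit allowlist of origins: anything not listed is blocked.
            return FrameCheck(False, f"CSP frame-ancestors allowlist: {' '.join(ancestors)}")

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return FrameCheck(False, f"X-Frame-Options {value}")
        # ALLOW-FROM is obsolete and ignored by current browsers, and any other
        # value is invalid, so the header gives no protection at all.
        return FrameCheck(True, f"X-Frame-Options value not honoured: {xfo!r}")

    return FrameCheck(True, "no framing restriction header present")


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "xfo_obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_overrides_xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors *",
    },
}


def audit(samples: dict) -> dict:
    """Map each sample name to whether third parties can frame it."""
    return {name: check_framing(h).framable_by_third_parties for name, h in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        result = check_framing(hdrs)
        status = "FRAMABLE" if result.framable_by_third_parties else "protected"
        print(f"{name:18} {status:9} {result.reason}")
```

The `csp_overrides_xfo` case is the one worth remembering during a review: a strict `X-Frame-Options: DENY` is silently undone by a permissive `frame-ancestors` added later, so both headers must be read together rather than checking for the presence of either.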
How do you feel about Web Application Firewalls and their lackluster performance? Do you
feel they can be improved to be a usable defense mechanism?
I have quite a few opinions of WAFs and the technology behind them. I actually think they
perform quite well, IF you take the time to configure and build their rule sets correctly. The biggest
improvements would come from integration with development environments and tools.
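The answer above ties WAF effectiveness to how carefully the rule set is built. The following is an added example, not the interview's code and not any WAF product's rule language: a tiny rule engine that runs two rules over the same constructed traffic, a generic signature-style blocklist dropped in without tuning, and a positive-validation rule written from knowledge of what each parameter of the (hypothetical) application is allowed to contain. The parameter names `id` and `name` and every request in `TRAFFIC` are constructed for the example.

```python
"""Two ways to write a WAF rule for the same request.

Added example (not from the interview or any WAF vendor): compare an
untuned generic blocklist with a per-parameter allowlist derived from
the application's own input contract. Traffic is constructed.
"""
import re
from typing import Callable

# A rule receives the request parameters and returns True to block.
Rule = Callable[[dict], bool]

# Rule A: generic signature copied in without tuning. Blocks a quote,
# a SQL comment marker or a handful of SQL keywords in any parameter.
_GENERIC = re.compile(r"('|--|\b(select|union|or|and)\b)", re.IGNORECASE)


def generic_blocklist(params: dict) -> bool:
    return any(_GENERIC.search(v) for v in params.values())


# Rule B: positive validation from the (hypothetical) application's contract:
# `id` is a decimal integer, `name` is letters, spaces, apostrophes and
# hyphens, and any parameter the application does not define is rejected.
_ALLOWED = {
    "id": re.compile(r"[0-9]{1,10}"),
    "name": re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}"),
}


def tuned_allowlist(params: dict) -> bool:
    for key, value in params.items():
        pattern = _ALLOWED.get(key)
        if pattern is None or not pattern.fullmatch(value):
            return True
    return False


# Constructed traffic sample: (label, parameters, is_attack).
TRAFFIC = [
    ("legit, apostrophe in name", {"id": "42", "name": "Patrick O'Brien"}, False),
    ("legit", {"id": "7", "name": "Andorra"}, False),
    ("tautology in id", {"id": "1 OR 1=1", "name": "Bob"}, True),
    ("stacked statement in id", {"id": "1; DROP TABLE users", "name": "Bob"}, True),
    ("undefined parameter", {"id": "5", "name": "Bob", "debug": "1"}, True),
]


def evaluate(rule: Rule, traffic=TRAFFIC) -> dict:
    """Count true/false positives and negatives for a rule over the traffic."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _, params, is_attack in traffic:
        blocked = rule(params)
        if blocked and is_attack:
            counts["tp"] += 1
        elif blocked:
            counts["fp"] += 1
        elif is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for label, rule in (("generic blocklist", generic_blocklist),
                        ("tuned allowlist", tuned_allowlist)):
        print(f"{label:18} {evaluate(rule)}")
```

The generic rule blocks the legitimate customer with an apostrophe in his name while letting two of the three attacks through; the allowlist rule is only possible because someone sat down with the application's contract, which is the "take the time to configure" part of the answer. Note that an allowlist which permits apostrophes still relies on the application using parameterised queries; the rule reduces exposure, it does not replace the fix in code.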
You gave a presentation a few years ago on your projects and then ended in some awesome
advice about open source projects; can you instill that in our readers?
Have you been stalking me??? What I have found over the years is that lots of people want to
help or offer help, but they then make the comment “I am not a developer so I won’t be able to do
much!” What I tried to get across back then was that projects need tons of different help,
everything from coding to testing to documentation. Some of the most important features or
improvements in BASE and my other projects have come from someone that just had an idea. The
only way that OSS projects are successful, excepting things supported by corporations, is by
individuals getting past our inherent laziness and helping out. Join the developer mailing lists and
start talking. Things just happen after that. (But be prepared for the addiction that follows!)
What are your top 5 tools you use in webapp pentesting and what are some up-and-coming
on that list?
W3af, w3af, w3af, w3af and w3af.
Seriously, I find w3af to be one of the best tools out there. Andres has done incredible work and
has built a team that continues to move the project forward.
Netcat is a close second, and anyone who remembers I work with Ed Skoudis would know this
answer was coming.
I quite often say that Python is probably the most flexible web pen-testing tool but people insist on
calling it a programming language.
Burp Suite is also one of my favorite tools and it continues to improve. The professional version is
a requirement to anyone who wants to do this professionally.
BeEF is one of my favorite exploitation platforms. It is commonly part of my presentations and
job.
Do you have any exciting tools or projects that you are currently working on that you can give
us a preview of?
I have a couple tools I am working on around my research into social networks and the problems
they cause/increase. I am working on a presentation that I hope is accepted at DEFCON this year.
The Laudanum project is also moving forward quite quickly and Frank DiMaggio, Justin Searle and
I are hoping it will be released at DEFCON.
We’ve seen a lot on BeEF in your presentations, how is the development of BeEF going? Is
there a large community behind it? Do you leverage it in your everyday webapp tests?
Wade seems to be continuing the project quite well. He doesn’t have a huge group but there are
some people like Jabra that appear to be contributing regularly. Yokoso! includes a series of BeEF
modules and I am hoping to clean up some code to contribute back to the project.
What resources would you point a pentester to for the large foray into webapp hacking? We
know that your webapp class is stellar, what about books, websites, software, links, etc, that
you could recommend to us?
Of course I would recommend that everyone takes the SANS Sec542 class, but I am biased. I
think that there are a number of places that people should look. The Web Application Hacker’s
Handbook was an excellent read as were AJAX Security by Billy Hoffman and XSS by Jeremiah
Grossman. As for software, w3af would be the starting point but anything within SamuraiWTF is
great. As for sites, the blogs of the people already mentioned as well as ha/sla.ckers.org are
wonderful. I personally also recommend Twitter. I try to follow some of the “luminaries” within
the field and learn something new every day.
Can you give us one of your back pocket pentesting tricks? Some Kevin-fu perhaps?
The biggest “trick” I have is the combination of tools and custom scripts. As I look over previous
tests and the things we have accomplished they all used a combination of tools and scripts built
upon the skewed perspective we approach every site with. For example, on one site recently, we
used a web interception proxy to determine all of the requests a flash object was making and then
crafted a simple python script to abuse this portion of the application. I also regularly use social
networks to gather information about the target and then combine that within my attacks. We
have been able to retrieve enormous amounts of PII and complete control of various networks
using the information users expose regarding themselves and their organizations.
How do you feel about alphabet soup these days other than SANS (CISSP, CEH,
OSCP, CPTS, NSA IAM/IEM, etc.)? Which credentials do you think hold up? What about
associated methodologies?
“I love alphabet soup” says Kevin Johnson GCIA GCIH GCFA GWAS CISSP CEH IBM CSE Inet+
ad nauseum.
I think that certifications, including SANS/GIAC have a place within our industry. I find that it
depends on the person taking them and the person evaluating that person. Some people think that
certs are the be-all end-all, and I would say they are wrong. I personally use my certs as a goal
when I am trying to do something. For example, my GCFA was a point where I wanted to
formalize my understanding of forensics and its foundations. While I could have just gotten some
books and played with the tools we use, it helped focus my study to have a measurable goal.
As to which will hold up, I am not sure. We all know that ISC2 and GIAC aren’t going anywhere.
And I am hoping that the GWAPT, GIAC’s new Web Pen-Testing cert will stand the test of time.
(Of course I feel very strongly that it will!) As to the others, I think we will see some of them stay
around where others such as EC-Council’s will disappear.
A lot of readers want to know how you feel about the OWASP live CD, and how would you
leverage both it and SamuraiWTF in a webapp pentest?
Now that’s a loaded question. As the project lead for SamuraiWTF I think it’s the best. The
OWASP live CD has existed for a couple years now and when I formed the SamuraiWTF project, it
just didn’t seem to be an active project. Back then it seemed to be a summer of code thing that
wasn’t being worked any longer. Now it has picked back up and is actively being worked. I think
though, and of course I am biased, the SamuraiWTF project has a bit more momentum. I would
love to see the two projects work together since we have similar focuses but I am not sure it would
work since the base OS and the goals are different.
As to how would I use them both, bluntly I wouldn’t. Currently SamuraiWTF includes all of the
tools in the OWASP Live CD and many others. But more importantly than a tool count, I am more
comfortable within the SamuraiWTF environment, which makes sense since I have focused on
building it out based on my way of working and the methodology we teach within Sec542.
Anything you’d like to get off your chest or promote? Now’s the time!
Wow, that is an open-ended question… There are a number of really cool things going on right
now. I am working with Frank DiMaggio on the social zombie projects, which are as exciting as
anything I have ever worked on. Tom Liston is doing some incredible work on utilities that people
can use. For example his CertGuard utility is being beta tested right now and LaBrea Tarpit is still
one of the best worm mitigation techniques around. Josh Wright has been focusing on some
incredible Zigbee stuff including some tools he has just released. Middler by Justin Searle, Matt
Carpenter, Tom Liston and Jay Beale is improving daily. All of this can be seen at
http://www.inguardians.com. Frank DiMaggio and I are working diligently on research into
information disclosure within social networks and will be bundling all of it into SocialButterfly. Of
course, I think I would be remiss if I didn’t at least mention that InGuardians is available to do
security consulting and penetration testing for everyone.
I can be reached for questions at Kevin@inguardians.com and am on Twitter at @secureideas