Surviving the Week – 04/27/2012

Decline in web application vulnerabilities?

Interesting article and kind of funny.  No responsibility is taken for
the problem.  One of the reasons for this disparity is that applications are built on new
technologies that web scanning solutions don’t yet scan – the application scanner vendor community isn’t keeping up with those change to web frameworks., Web application scan assessments don’t all all have to be manual

Distribution of FlashBack

Hilarious that a web vuln was the entry point for the first worm on the Macs, but it makes sense and goes to highlight how critical web security is!

Guide to AppSec vol. 2

Another AppSec info piece was posted as the next part, part 2, of a series of articles aimed at CISOs.  It is a CISO’s Guide to Application Security, and is a primer on AppSec best practices.

There are some staggering statistics included in this post.

  • 90% of companies have been breached at least once over the past 12 months.
  • 54% of attacks on large organizations exploit web application vulnerabilities.
  • The cost of a single data breach are average at $194 per compromised record or an average of $5.5M per incident.
  • Companies spend just 0.3% of what they pay for software to ensure that it is secure.

Mobile Device Application Stores, love them and fear them.

Researchers have identified a bug in the TreasonSMS app for iPhone that can enable attacks to potentially gain full control over the iPhone.  This app allows users to send SMS messages directly from their desktop machines by using their iPhone as a relay proxy.  The application contains such vulnerabilities as a file include and a HTML inject bug.  These could allow the remote attacker to include a malicious persistent script and have it execute on the application-side of the phone.

These vulnerability findings were not intentional, but there are some sleeper apps in which vulnerabilities are intentional.
If you are in an organization, you are competing with the BYOD initiative where users are wanting to bring their own mobile devices onto the company network.  How do you assess what applications are allowed on these mobile devices?  How do you achieve due diligence?
The next version of NTOSpider can help you and your organization with evaluating mobile applications

Think you’ve got what it takes to beat Anonymous?

Did that get your attention?  Here’s some info for those that are ready to take on the global hacker games, compete at CyberLympics 2012.  The CyberLympics World Finals are scheduled for 29 -31 October, 2012 at the Hacker Halted Conference in Miami. For more information about CyberLympics or to register, visit:

New Version of WordPress Fixes Security Bugs

This week on 4/20, a new version of wordpress 3.3.2 has been released. This version has some major security issues fixed including a pair of XSS bugs, a fix for a privilege escalation vulnerability that can crop up in some circumstances when a site administrator could deactivate network-wide plugins when running a WordPress network.

CVE-2012-0158 Exploit in the Wild

Malicious code is exploiting a vulnerability in Microsoft Office which infects a users machine when a user opens a file using Microsoft Office. As classic attacks, these files are usually distributed by email and a user gets infected by simply opening the file. Following link describes it in detail how victim gets affected.
Microsoft has released patch for these vulnerability. Do Patch your system

XSS in jQuery

jQuery is one of the most common library for developing ajax based application. jQuery is a library for the JavaScript programmers, which simplifies the development of web 2.0 applications. jQuery library simplifies the process of traversal of HTML DOM tree.
jQuery 1.7.2 (recent build) and older have been found vulnerable to a cross site scripting vulnerability. Do test your application with NTOSpider to test for possible cross site scripting vulnerability.

Live Webcast 5/2: Application Security in a Hurry w/451 Research Director Wendy Nather

We’re looking forward to our upcoming webinar with 451 Research Director, Wendy Nather next week on 5/2. Wendy and I will be discussing a trend we have noticed. More and more security executives are demanding urgent application security audits in response to an attack on themselves, a competitor or someone they know. (Register)

During this webcast, we’ll discuss specific examples, strategies and techniques for how to scale your application security program to address hundreds or thousands of applications and how to avoid the common technology and process pitfalls.

This webinar will be helpful to anyone working in application security and focused on improving the effectiveness and efficiency of their program. The thing is, whether you are doing this in a hurry or building an application security program, the pitfalls are the same. They are just much more painful when you are trying to do a massive scale rapid scan.

Participants of this webinar will learn how to address common pitfalls like:

  • Effectively assess attack surface
  • Identify & avoid potential bottlenecks
  • Know when to use automation v humans
  • Define requirements for scan deliverables
  • Reduce false positives & prioritize in a target-rich environment
  • Remediate vulnerabilities rapidly & patch with a WAF easily

Join us on 5/2. Register today!

Surviving the Week – 04/20/2012

Using Reverse Proxies To Secure Databases

This study provides a unique technique to protect against SQL Injection.  However, it is not a full proof solution and maintaining/updating queries using this method becomes cumbersome and difficult to manage. Generic web application firewall rules do not provide protection against SQL injection as this study supports. You need to find the root cause and either programmatically fix the code or you need custom rules to protect against the vulnerability. NTOSpider can help you find vulnerabilities and NTODefend can help you generate rules as a mitigation strategy until code can be updated –

Oracle Enterprise Manager – 2 SQLi Vulnerabilities

2 SQLi vulns were closed with April’s Critical Patch Update.  Both are remotely exploitable but considered medium risk. affected the Search page and was 8 months from vendor notification to patch release.  Whereas, which affected the Compare Wizard first Config page was over 2 years between notification and patch.  As much as we talk about SQLi, that vector doesn’t go away.

NTO & Core Security partner: Integration pinpoints operational & business risks with next generation application vulnerability testing software

We’re very excited to announce a first-of-its kind partnership with the terrific people over at Core Security, a provider of predictive analytics security solutions and maker of Core Impact and Core Insight. Together, we will be working over the next two months to develop an integrated solution using NTOSpider and Core Insight™ Enterprise to automatically discover application vulnerabilities, and pinpoint enterprise-wide operational and business risks. This is big – with next generation application vulnerability testing software.

Put it this way. With this integration, NTOSpider software will tell you which doors and windows are open in your “house” and Core’s software will automatically read that input, then walk through each and every door and window to see if it can find the hidden safe and break it open.  We will be able to provide enterprise customers an automated and real time view of their critical application security exposure.

Application security is a massive, complex and escalating problem. Many organizations have hundreds or even thousands of web applications that access sensitive customer, financial and corporate databases. Security teams use application security scanners such as NTOSpider to identify the application vulnerabilities and then use Core’s Insight threat simulation and real-world threat replication technology to do deeper testing on those vulnerabilities pivoting off each internal asset, such as databases and servers, to find which can actually be exploited. But, it takes time to manually feed the vulnerabilities to Core Insight, until now.

At NTO we are huge champions of finding ways to automate security processes that really should be automated. So, the even better news for security teams out there is that this solution, through automation, will provide a more efficient way to get a holistic view of their security posture.  Through the automation of vulnerability identification, validation and risk prioritization, companies will now be able to efficiently monitor their application security posture, allowing security teams to spend their time on the material risks and threats that require more detailed analysis and subject matter expertise. And who wouldn’t like a little more time in their day to focus on the fun stuff with security?

It’s sort of like a round the clock application security penetration testing team in a box and can give security teams better information as to the exploitability and impact of discovered vulnerabilities.

In the meantime, you please check out our formal announcement that provide some specifics on how the integrated, automated solution will work.

Surviving the Week – 04/13/2012

Another trends report for 2011 through Q1 2012

This report details the continued threat of vulnerabilities within web apps, mobile apps, and specific vulns with cloud-based implications.  It’s fairly alarming to note from this report that over this time period, 38% of reported web vulns are XSS related and SQL Injection accounted for 15%.  These numbers are quite staggering since these are well-known vulns with many mitigation strategies and published details on how to fix such problems.  This report also covers details for reported vulns in mobile apps.  All though the numbers being reported for mobile apps is low, we can anticipate mobile apps to become the wild west of exploit development.

The question becomes, how do we test mobile apps for vulnerabilities and injection points?  Stay tuned to NTO development for those answers.

On the topic of web application reports, we ran across Imperva’s Web Application Attack Report which was published in Jan 2012.  Here’s it’s interesting to note that Imperva details the category of web app hacks it has identified as most common today.  Such attacks as Remote File Inclusion (RFI), SQL Injection (SQLi), Local File Inclusion (LFI), Cross Site Scripting (XSS), and Directory Traversal (DT).  Where XSS and DT are the two most prevalent classic attacks.

Shameless plug time, NTOSpider will perform assessments of your web application for these 5 attack categories.

For those that like to get their hands dirty in this stuff, the following paragraphs will help guide you to some tools.

SQL Injection Tools

SQL Injection has been in top of the list in most common vulnerabilities for quite some time now. There are quite a number of free tools available that can be used to exploit SQL Injection an get information from the backend database. Ericka a contributing writer for Dark Reading, put together a quick reference list of 10 tools which are handy to attack using SQL Injection.

Our tool of choice is SQLInvador

 Do you speak URL or URI?

Ambiguous RFC leads to Cross Site Scripting

RFC 1738 defines the standard for Uniform Resource Locators (URL) and RFC 3986 defines the standard for Uniform Resource Identifier (URI).  RFC 1738 explicitly mentions unsafe characters – “The characters “<” and “>” are unsafe because they are used as the delimiters around URLs in free text; the quote mark (“””) is used to delimit URLs in some systems.”.  On the other hand, RFC 3986 doesn’t mention unsafe characters anywhere. Internet Explorer follows RFC 3986 which makes it an enabler to some XSS attacks –

Finding the New Encryption Standard, SHA-3

The search for a replacement for SHA-2 has settled on five finalists. Five candidates are –

  1. The BLAKE Function
  2. Grøstl
  3. JH Function
  4. Keccak
  5. Skein

Surviving the Week – 04/06/2012

An ebay Site is Vulnerable to SQL Injection

The eBay site in Southeast Asia is vulnerable to SQL Injection.
Sites such as ebay have certainly done a lot of internal security review and testing, but they are still vulnerable to classic SQL Injection vulnerability. How good is your application?

SQL Injection Through HTTP Headers

SQL Injection has been a popular attack for quite some time. Traditionally user inputs were only attacked by SQL Injection but as developers started using HTTP request headers as input fields, attackers also started attacking request headers for SQL Injection. This article has a good list of request parameters which can be attacked by SQL Injection

Study: 72% of Developers See 2012 as the Year of Hybrid Apps

As the study suggests, developers are seeing more hybrid application development. As the development platform of the application changes, new attack scenarios and vectors are emerging. To test your application with latest attack vectors, You can use NTOSpider to test your application in completely automated fashion


WOA watch out! Don’t forget about Web Services (Going beyond XSS &  SQLInjection (SQLi)

In his blog post this week, Jared Day from eEye’s Any Means Possible research team provides detailed techniques for how security experts and pen testers should think about and test web services for security vulnerabilities. He explains how web services can be vulnerable –  that an attacker can “bypass server-provided client-side SQLi and XSS protections by simply sending the queries directly to the server”, and that too many developers don’t think about it that way and fatally rely on JavaScript parsers to filter out potentially malicious characters. He also discussed how web services can expose data that you don’t want exposed. In a very practical and useful way, Jared details descriptions about how to test web services for vulnerabilities. I agree with Jared, web services continue to be vulnerable and must be considered as part of any pen testing approach and considered in technology purchases. Thanks for the helpful post Jared!

Cloud Computing Can Be More Secure

If you walked the RSA floor this year in San Francisco as I did, you might agree with Neil MacDonald. Every other booth at RSA said something about security in the cloud. I joked on Twitter that the cloud sounded so secure that I just might move my family there. Neil has posted a new blog on cloud computing that asserts “Why Cloud Computing Could Be More Secure Than What You Have Today”. He explains that if a cloud service provider does its job well, their application could be as secure as an on-premise application. In his blog, he shows a chart from a recent study, comparing the number of security incidents between on-premise and cloud applications. This chart not only highlights the parity between on-premise and cloud attacks, but it also shows that web application security attacks as the 2nd most common type of attack in their study after brute force attacks. 71% of Alert Logic’s customers have had web application security breaches in the cloud and 65% have had web application security breaches with on-premise applications. Neil promises to continue to look for independent studies that show similar trends. We will look forward to continued insights from Neil as always. Complete URL:

Tales from the Web Scanning Front: Blacklisting

The smell of melting Blackberries/iPhones/Droids. You have probably smelled it before. You began testing an application and forgot to blacklist the “Contact Us” page so everyone who receives an email for “Contact Us” gets pummelled with emails during the test.

We often remind our customers about this kind of logistical trouble, but we still manage to get the frantic breathless panicky phone call when recipients of the “Contact Us Page begin receiving 1000 emails within 10 minutes.

So what do you do to prevent this from happening? It’s actually very simple.

First, a wee bit of background on web scanners. Because all applications are different (different page names, different parameter names, vulnerable in different spots to different attacks, etc.). Web scanners have to crawl the targeted websites and then attack every page and parameter with hundreds of attacks. Unless told otherwise, every single page will be crawled and every parameter attacked.

Think about it, this includes the following kinds of pages:

  • E-Mail the sales team
  • E-Mail tech support
  • Wire the money
  • Delete this blog
  • Delete this item
  • Reset the admin password

Fortunately, all modern scanners have blacklisting technology. Blacklists in this context simply tell the scanner not to crawl and/or attack that page.

During your planning period or before you execute any application test, carefully consider the pages on your site that you don’t want to be crawled by the scanner dozens of times. Then, simply add the URL’s for those pages to the blacklist in your scanner. It’s that easy.

Whether you outsource your scanning, use software in-house or use a SaaS service, you will have many fewer people screaming at you if you take some time to blacklist the pages and prevent the unexpected deluge in your co-workers inbox.

Spending two minutes to properly configure your scanner will help avoid potential problems and keep the office free from the smell of burnt plastic.