Surviving the Week 5/25/2012

It's not that it has been a quiet week in the web application security arena; it was simply a busy week.

Microsoft’s SDL Expands Beyond Redmond

Microsoft has given the industry a process for secure software development. After more than 10 years of developing this process, its effects within Microsoft have shown to be positive. Other organizations have adopted either part or all of this lifecycle process and have also experienced positive effects. This article discusses a use case for adoption of the process by an organization that manufactures smart meters and the positive outcome. If your organization has not adopted the SDL, it's time to understand the process and see how it can help your organization's products.

http://threatpost.com/en_us/blogs/microsofts-sdl-expands-beyond-redmond-051612

Update of Microsoft SDL 5.2 has been released

Microsoft Security Development Lifecycle (SDL) is an industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout all phases of the development process. A new version (v5.2) has been released with the updates.

http://blogs.msdn.com/b/sdl/archive/2012/05/23/now-available-microsoft-sdl-process-guidance-updates-version-5-2.aspx

NASA SSL Digital Certificate hacked

NASA's SSL certificate has been hacked by exploiting a vulnerability within the portal's login system. The attack resulted in obtaining user information for thousands of NASA researchers, along with emails and accounts of other users. A portal running at NASA can be vulnerable and attacked to steal information. Are your applications protected against attacks? Test your application with NTOSpider to find out whether you are protected.

http://thehackernews.com/2012/05/nasa-ssl-digital-certificate-hacked-by.html

An Information Security Place Podcast – Episode 04 for 2012

Hmmm, let's see if I even remember how to enter this stuff anymore… Yep, you guessed it, we finally recorded another episode – WOOT!
Show Notes:

InfoSec News Update –

  • Howard Schmidt is Retiring – Link Here
  • Vulnerability Stats of Publicly Traded Companies – Link Here
  • Tool Update – Threadfix from Denim Group – Link Here
  • The Mission Impossible Self-Destructing SATA SSD Drive – Link Here
  • The WAF Wars – Link 1 / Link 2 / Link 3
  • PwnieExpress Releases PwnPlugUI/OS 1.1 – Link Here
  • App for scanning faces to gauge age at bars – Link Here
  • Business Logic Testing defined – Link 1
  • ErrataSec – Wants your hotel PCAP Files – Link 1 / Link 2

Discussion Topic –

  1. Should specific security efforts be validated when the program as a whole is crap? Link Here

Music Notes:

Special thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour Dates:

  1. June 1 – Dallas – Curtain Club

Intro – RivetHead – “The 13th Step”
News Bed – RivetHead – “Beautiful Disaster”
Discussion Bed – RivetHead – “Difference”
Outro – RivetHead – “Zero Gravity”

Surviving the Week 5/18/2012

WAF Wars

A WAF is more commonly used as an IDS rather than an IPS. This is mainly due to the volume of alerts they generate when using a default rule set. Using a WAF more effectively requires writing custom rules, which can be a daunting effort. NTODefend generates custom WAF rules for vulnerabilities discovered by NTOSpider. Many of our customers implement these auto-generated WAF rules to specifically block the vulnerability findings, providing a mitigation strategy so that application developers have the time to re-code and fix the vulnerabilities.
http://blog.imperva.com/2012/05/waf-wars.html

An interview with Christopher Doyon, a.k.a. Commander X of Anonymous

It's very interesting to get a glimpse from the inside of Anonymous. We've all heard much about this hacktivist group and its several factions, such as LulzSec. These folks have a global influence and are changing culture. It is believed that some of the values that drive Anonymous have led others into the Occupy movement. The statements this group makes and the actions it takes are powerful. We've encountered their activities on several occasions, and we are in this business to help businesses mitigate the risk posed by this and other groups to follow.

http://www.vancouversun.com/technology/Anonymous+Heroes+terrorists/6616378/story.html

Companies are slow to react to the mobile security threat.

This presents a large opportunity for nefarious programs to take advantage of the BYOD initiative and own corporate networks. Nearly 9 in 10 executives and employees are using their personal smartphones or tablets for business, and without permission. And it's believed by some that most of these users do not have any consideration for the security of these devices; they're idiots. This article claims that nearly 2/3 of IT managers in China have reported a security risk as a result of personal devices on the corporate network. The threat is real, and we need to take immediate action as an industry to identify the risks.

http://www.csoonline.com/article/706335/companies-slow-to-react-to-mobile-security-threat?source=rss_cso_exclude_net_net 

Secure your mobile

It's expected to be a hot topic. With that, here are a few links to articles that point readers to techniques and apps for security.

10 ways to make Android faster, more productive and more secure

Mobile Device Management – tools and technologies for the BYOD era

They are still at it

Anonymous hacks a pedophile website and leaks its data. How? SQL injection.

Surviving the Week – 5/11/12

Common User Passwords Profiler

An interesting Python script which, when used in conjunction with information from social media (i.e. Facebook, Twitter and LinkedIn), can create a possible password list for the user. With social media being so popular and virtually all users having an account on at least one of these sites, it is easier to learn a user's background by correlating the various account profiles. This public information can also be leveraged to guess the answers to a user's secret questions. The Python script can be found here:
http://pentestlab.wordpress.com/2012/03/06/common-user-passwords-profiler/?goback=%2Eanp_40911_1336639118690_2

PHP Remote code execution bug has been fixed

The PHP remote code execution bug has been fixed with the new versions PHP 5.4.3 and PHP 5.3.13. Patch your PHP as soon as possible.
http://packetstormsecurity.org/news/view/20967/PHP-Devs-Lob-Second-Patch-At-Super-Critical-CGI-Bug.html

Surviving the Week – 05/04/2012

Insight to online black markets and how they work

A short article that provides a brief look at how bitcoins and Tor make anonymous black markets tick.
http://features.techworld.com/security/3355031/online-black-markets-how-they-work/?olo=rss

Revelo – Javascript Deobfuscator

This tool works by converting the submitted JavaScript, with some user-based modifications, to an HTML file. It then opens the file and extracts deobfuscated elements using the Internet Explorer engine. This tool does rely on the user to make some choices based on some understanding of the obfuscated script. While this tool does have some protections built into it, it may execute malicious code that could harm your computer, so use it with caution, possibly within a virtual machine. This is just a prototype which works on Windows XP.
http://www.kahusecurity.com/2012/revelo-javascript-deobfuscator/

Other similar tools include

A Firefox plugin, JavaScript Deobfuscator, https://addons.mozilla.org/en-us/firefox/addon/javascript-deobfuscator/

Hacker claims to hack European Space Agency, NASA, US Air Force and Military, French Ministry of Defense

No official information is out yet, but if this information is to be believed, high-profile applications are vulnerable to one web application attack or another. We see this kind of post quite often now. Test your application today with NTOSpider to find all possible vulnerabilities.
http://thehackernews.com/2012/05/hacker-claims-to-hack-european-space.html

Websense (Triton version 7.6) suffers from an authentication bypass vulnerability in the report management UI.

Websense is web traffic filtering software which can be used to protect networks from spyware, prevent users from viewing sexual or other inappropriate content, discourage employees from spending time browsing webpages instead of working, and similar purposes. The Websense report management UI application is vulnerable to authentication bypass. Test your application today with NTOSpider to find out all possible vulnerabilities.
http://packetstormsecurity.org/files/112360/NGS00138-1.txt

Top 10 Business Logic Attack Vectors

We released a new white paper today, Top 10 Business Logic Attack Vectors.

Why did we write this paper?

  1. Business logic vulnerabilities are not new, but these vulnerabilities are common, dangerous and are too often untested.
  2. Security experts need to know that these must be tested manually and must not be overlooked. It is imperative to complement the automated testing process with human discovery of security risks that can be exploited by manipulating the business logic. We know that automation can't test everything.
  3. We wanted to demystify business logic vulnerabilities by giving specific examples and patterns that we have observed. We designed this to be helpful to new and experienced pen testers, security teams and developers.

Automation v. Humans

There are some things that automation can do better than humans and some things humans can do better than automation. Let the automated scanners check for SQLi, XSS and the other vulnerabilities that have repeatable patterns that scanners can test better than humans. Conducting comprehensive manual testing on a custom application takes too long, is too expensive and too error prone. Humans just can’t and won’t check every single parameter with a single tick.

Take this simple formula that I like to use as an example. An application has 10 parameters per page, 200 payloads and 100 pages; this is what your work looks like:

10 inputs x 200 payloads = 2,000 attacks per page x 100 pages = 200,000 attacks.

It doesn’t matter if they are hired guns or new employees, too often they will only be able to spot check.

As 451 Research Director Wendy Nather said on our Securing in a Hurry webinar yesterday, you can give your team Red Bull all day long, but they still need to sleep sometime.

It just makes sense. Leverage automation to check every parameter on every page for every repeatable payload. Save your smart and expensive resources to do the difficult testing that requires human intelligence, deductive reasoning and an understanding of business logic.

What are business logic flaws?

Application business logic flaws are unique to each custom application, potentially very damaging, and difficult to test. Attackers exploit business logic by using deductive reasoning to trick and ultimately exploit the application.

In a web application, the business logic is the intended behavior and the functionality that governs the core of what the application does. Some high level examples of business logic are:

  • customer purchase orders,
  • banking queries,
  • wire transfers or
  • online auctions.

Business logic is also defined in more specific rules such as which users are allowed to see what and how much users are charged for various items.

This whitepaper arms new and experienced penetration testers with specific instructions, real-world examples and code-snippets for testing and exploiting the ten most common business logic vulnerabilities.

In conjunction with our SaaS offering, NTOSpider On-Demand, we offer business logic testing as one of our enhanced services.

The 10 most common business logic attack vectors include:

  • Authentication flags and privilege escalations
  • Critical parameter manipulation and access to unauthorized information/content
  • Developer’s cookie tampering and business process/logic bypass
  • LDAP parameter identification and critical infrastructure access
  • Business constraint exploitation
  • Business flow bypass
  • Exploiting client-side business routines embedded in JavaScript, Flash or Silverlight
  • Identity or profile extraction
  • File or unauthorized URL access & business information extraction
  • Denial of Service (DoS) with business logic
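As an added illustration of two vectors on this list, critical parameter manipulation and business constraint exploitation, here is a constructed checkout handler in its trusting form beside a form that enforces the rules server-side. This is example code written for this post, not material from the white paper; the catalogue, account table and request fields are invented for the illustration.

```python
# Constructed stand-ins for a product catalogue and an account-ownership table.
CATALOGUE = {"sku-100": 49.99, "sku-200": 5.00}
ACCOUNT_OWNER = {"acct-1": "alice", "acct-2": "bob"}
MAX_QTY = 10  # a business constraint: no order line may exceed ten units


class BusinessRuleViolation(Exception):
    """Raised when a request breaks a rule the server is supposed to own."""


def checkout_vulnerable(session_user, req):
    """The 'before' picture: every decision-relevant field comes from the client.

    The account to bill, the unit price and the quantity are all taken as sent,
    so a tampered request can bill another user or produce a negative total.
    """
    total = req["unit_price"] * req["quantity"]
    return {"account": req["account"], "charged": round(total, 2)}


def checkout_hardened(session_user, req):
    """Enforces the business rules regardless of what the client submits."""
    # Critical parameter manipulation: the billed account must belong to
    # the authenticated session, not merely be a valid account id.
    if ACCOUNT_OWNER.get(req["account"]) != session_user:
        raise BusinessRuleViolation("account does not belong to session user")
    # Business constraint: price is authoritative on the server; any
    # client-supplied unit_price is ignored, and quantity is range-checked.
    unit_price = CATALOGUE.get(req["sku"])
    if unit_price is None:
        raise BusinessRuleViolation("unknown sku")
    qty = req["quantity"]
    if not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise BusinessRuleViolation("quantity outside allowed range")
    return {"account": req["account"], "charged": round(unit_price * qty, 2)}


def rule_violation(session_user, req):
    """Return the violated rule's message, or None if the request is accepted."""
    try:
        checkout_hardened(session_user, req)
    except BusinessRuleViolation as exc:
        return str(exc)
    return None


# Constructed tampered requests from a session authenticated as "alice".
BILL_OTHER_USER = {"sku": "sku-100", "unit_price": 0.01, "quantity": 3, "account": "acct-2"}
NEGATIVE_QTY = {"sku": "sku-200", "unit_price": 5.00, "quantity": -4, "account": "acct-1"}
LEGIT = {"sku": "sku-100", "unit_price": 0.01, "quantity": 3, "account": "acct-1"}

if __name__ == "__main__":
    for name, req in [("bill other user", BILL_OTHER_USER), ("negative qty", NEGATIVE_QTY)]:
        print(name, "| vulnerable:", checkout_vulnerable("alice", req),
              "| hardened:", rule_violation("alice", req))
```

Note that the tampered requests are syntactically valid and carry no injection payload, which is why a scanner checking parameters against repeatable patterns cannot flag them; a tester has to know what the order flow is supposed to allow.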

The NT OBJECTives research team determined these 10 logic flaws as being most common through years of experience testing applications.

For more information or to download the complete paper visit: http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper

To read the press release:  http://www.prweb.com/releases/notobjectives/applicationsecurity/prweb9470384.htm