Surviving the Week – 04/06/2012

An eBay Site is Vulnerable to SQL Injection

The eBay site in Southeast Asia is vulnerable to SQL Injection.
https://www.upsploit.com/index.php/advisories/view/UPS-2012-0003
Sites such as eBay have certainly done a lot of internal security review and testing, but they are still vulnerable to a classic SQL Injection vulnerability. How good is your application?

SQL Injection Through HTTP Headers

SQL Injection has been a popular attack for quite some time. Traditionally, only user-supplied form and URL inputs were attacked with SQL Injection, but as developers started using HTTP request headers as input fields, attackers also started targeting request headers for SQL Injection. This article has a good list of request parameters (headers) that can be attacked with SQL Injection:
http://packetstormsecurity.org/news/view/20824/SQL-Injection-Through-HTTP-Headers.html

Study: 72% of Developers See 2012 as the Year of Hybrid Apps

As the study suggests, developers are seeing more hybrid application development. As the development platform of the application changes, new attack scenarios and vectors are emerging. To test your application against the latest attack vectors, you can use NTOSpider to test it in a completely automated fashion:
http://creatingapps.telekomaustria.com/study-72-per-cent-of-developers-see-2012-as-year-of-hybrid-apps.html


WOA watch out! Don’t forget about Web Services (Going beyond XSS & SQL Injection (SQLi))

In his blog post this week, Jared Day from eEye’s Any Means Possible research team provides detailed techniques for how security experts and pen testers should think about and test web services for security vulnerabilities. He explains how web services can be vulnerable: an attacker can “bypass server-provided client-side SQLi and XSS protections by simply sending the queries directly to the server”, and too many developers don’t think about it that way and fatally rely on JavaScript parsers to filter out potentially malicious characters. He also discusses how web services can expose data that you don’t want exposed. In a very practical and useful way, Jared gives detailed descriptions of how to test web services for vulnerabilities. I agree with Jared: web services continue to be vulnerable and must be considered as part of any pen testing approach and in technology purchases. Thanks for the helpful post Jared! http://www.sys-con.com/node/2234940
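The header-based SQL Injection item above and Jared’s point about sending requests straight to the server come down to the same server-side rule: every byte the client sends, headers included, is untrusted, and no JavaScript filter changes that. The following Python example is added by the editor; it is not code from the article or from the posts it links. The API, its X-API-Key header, and the sample accounts are constructed for the example. It runs the same lookup twice, once concatenating the header into the query and once binding it as a parameter, so the difference shows on a hostile header value.

```python
import sqlite3

# Constructed sample data (not from the article): an API whose clients
# authenticate with an X-API-Key request header.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO accounts (email, api_key) VALUES (?, ?)",
        [("alice@example.test", "k-alice-0001"), ("bob@example.test", "k-bob-0002")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, headers):
    """Concatenates a request header into SQL. Whatever filtering the site's
    JavaScript does is irrelevant: a client talking to the service directly
    puts anything it likes in X-API-Key."""
    key = headers.get("X-API-Key", "")
    sql = "SELECT email FROM accounts WHERE api_key = '" + key + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, headers):
    """Same lookup with a bound parameter: the header value is only ever
    compared as data and is never parsed as SQL."""
    key = headers.get("X-API-Key", "")
    rows = conn.execute("SELECT email FROM accounts WHERE api_key = ?", (key,))
    return [row[0] for row in rows]

def run(handler, header_value):
    """Serve one constructed request against a fresh database."""
    return handler(make_db(), {"X-API-Key": header_value})

if __name__ == "__main__":
    legit = "k-alice-0001"      # constructed: a real key
    hostile = "' OR '1'='1"     # constructed: a tautology in the header
    print("vulnerable, legit key  :", run(lookup_vulnerable, legit))
    print("vulnerable, hostile key:", run(lookup_vulnerable, hostile))
    print("safe, hostile key      :", run(lookup_safe, hostile))
```

The hostile header makes the concatenated query match every row, so the vulnerable handler returns all accounts with no valid key at all; the parameterized handler returns nothing.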

Cloud Computing Can Be More Secure

If you walked the RSA floor this year in San Francisco as I did, you might agree with Neil MacDonald. Every other booth at RSA said something about security in the cloud. I joked on Twitter that the cloud sounded so secure that I just might move my family there. Neil has posted a new blog on cloud computing titled “Why Cloud Computing Could Be More Secure Than What You Have Today”. He explains that if a cloud service provider does its job well, their application could be as secure as an on-premise application. In his blog, he shows a chart from a recent study comparing the number of security incidents between on-premise and cloud applications. This chart not only highlights the parity between on-premise and cloud attacks, but it also shows web application attacks as the 2nd most common type of attack in the study, after brute force attacks. 71% of Alert Logic’s customers have had web application security breaches in the cloud and 65% have had web application security breaches with on-premise applications. Neil promises to continue to look for independent studies that show similar trends. We will look forward to continued insights from Neil as always. Complete URL: http://blogs.gartner.com/neil_macdonald/2012/03/31/cloud-computing-can-be-more-secure/

Tales from the Web Scanning Front: Blacklisting

The smell of melting Blackberries/iPhones/Droids. You have probably smelled it before. You began testing an application and forgot to blacklist the “Contact Us” page, so everyone who receives email from “Contact Us” gets pummelled with messages during the test.

We often remind our customers about this kind of logistical trouble, but we still manage to get the frantic, breathless, panicky phone call when recipients of the “Contact Us” page begin receiving 1000 emails within 10 minutes.

So what do you do to prevent this from happening? It’s actually very simple.

First, a wee bit of background on web scanners. Because all applications are different (different page names, different parameter names, vulnerable in different spots to different attacks, etc.), web scanners have to crawl the targeted websites and then attack every page and parameter with hundreds of attacks. Unless told otherwise, every single page will be crawled and every parameter attacked.

Think about it, this includes the following kinds of pages:

  • E-Mail the sales team
  • E-Mail tech support
  • Wire the money
  • Delete this blog
  • Delete this item
  • Reset the admin password

Fortunately, all modern scanners have blacklisting technology. Blacklists in this context simply tell the scanner not to crawl and/or attack that page.

During your planning period, or before you execute any application test, carefully consider the pages on your site that you don’t want to be crawled by the scanner dozens of times. Then, simply add the URLs for those pages to the blacklist in your scanner. It’s that easy.

Whether you outsource your scanning, use software in-house or use a SaaS service, you will have many fewer people screaming at you if you take some time to blacklist the pages and prevent the unexpected deluge in your co-workers’ inboxes.

Spending two minutes to properly configure your scanner will help avoid potential problems and keep the office free from the smell of burnt plastic.
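As an added illustration of what a scanner blacklist does (editor’s code, not NTOSpider’s or any other scanner’s blacklist format), here is a scope filter of the kind the post describes: a list of exclusion rules is applied to every crawled URL, and anything that matches is kept out of the attack queue. The rule syntax, the hostname and the crawled URLs are all constructed for the example; the rules cover the “contact us”, “delete” and “wire the money” style pages from the list above.

```python
import re
from urllib.parse import urlsplit

# Constructed rules in a hypothetical syntax (no real scanner's format):
#   path:   exact path match
#   prefix: everything under a directory
#   regex:  pattern searched in path plus query string
BLACKLIST = [
    "path:/contact",
    "path:/support/email",
    "prefix:/admin/",
    "regex:^/blog/\\d+/delete$",
    "regex:[?&]action=(delete|reset|wire)\\b",
]

def compile_rules(rules):
    """Turn textual rules into (kind, matcher) pairs, rejecting unknown kinds."""
    compiled = []
    for rule in rules:
        kind, _, value = rule.partition(":")
        if kind == "regex":
            compiled.append((kind, re.compile(value)))
        elif kind in ("path", "prefix"):
            compiled.append((kind, value))
        else:
            raise ValueError("unknown blacklist rule: " + rule)
    return compiled

def is_blacklisted(url, compiled):
    """True when any rule matches the URL's path (or path and query for regex rules)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    path_and_query = path + ("?" + parts.query if parts.query else "")
    for kind, matcher in compiled:
        if kind == "path" and path == matcher:
            return True
        if kind == "prefix" and path.startswith(matcher):
            return True
        if kind == "regex" and matcher.search(path_and_query):
            return True
    return False

def plan(crawled_urls, rules):
    """Split a crawl's URL list into pages the scanner may attack and pages it must skip."""
    compiled = compile_rules(rules)
    attack, skip = [], []
    for url in crawled_urls:
        (skip if is_blacklisted(url, compiled) else attack).append(url)
    return attack, skip

# Constructed crawl output for a hypothetical site.
CRAWLED = [
    "https://app.example.test/",
    "https://app.example.test/contact",
    "https://app.example.test/products?id=7",
    "https://app.example.test/admin/users",
    "https://app.example.test/blog/42/delete",
    "https://app.example.test/cart?action=delete&item=3",
]

if __name__ == "__main__":
    attack, skip = plan(CRAWLED, BLACKLIST)
    print("will attack:", attack)
    print("blacklisted:", skip)
```

Because the scanner only crawls what it is pointed at, the cheap place to apply this is before the attack phase, which is why the post says to build the list during planning.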


Surviving the Week – 03/30/2012

Will there be a blackout?

The Anonymous hacker group has announced that they will bring down the 13 root DNS servers by DDoS. Is this possible? According to The Hacker News, it might not be completely possible to shut down the internet because the ISPs are pretty well prepared for these types of attacks. At this stage, I think the chances of them being able to pull this off are basically nil because it’s too easy to recover from backups and make use of read-only backup DNS servers. We will find out on the 31st. (Update: looks like they failed, ‘cause the internet is still here.)
http://thehackernews.com/2012/03/why-hackers-cant-take-down-dns-root.html

Authorization bypass in McAfee Email And Web Security Appliance

An authorization bypass in the current McAfee Email and Web Security appliance allows any logged-in user to reset the administrator password, which results in any user becoming the administrator. If a product like “McAfee Email And Web Security Appliance” can have an authorization bypass vulnerability, how certain are you that your custom applications are secure?
http://packetstormsecurity.org/files/111362/NGS00155.txt

Verizon’s insightful 2012 Data Breach Investigations Report

The most common malware infection vector continues to be installation or injection by a remote attacker. This paper covers the various scenarios in which an attacker breaches a system via remote access and then deploys malware or injects code via web application vulnerabilities.
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

An EU Cybercrime Centre to fight online criminals and protect e-consumers

The EU centre will warn EU Member States of major cybercrime threats and alert them of weaknesses in their online defences. It will identify organised cyber-criminal networks and prominent offenders in cyberspace. It will provide operational support in concrete investigations, be it with forensic assistance or by helping to set up cybercrime joint investigation teams.
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/317&format=HTML&aged=0&la


Surviving the Week – 03/23/2012

Joomla vulnerability

One of the world’s leading CMS solutions, Joomla (Version 2.5.1) was vulnerable to Blind SQL Injection. Joomla reported the vulnerability February 29th and reported it resolved March 5th.

By exploiting Blind SQL Injection, an attacker can enumerate a database, which can potentially result in complete loss of data and functionality. Subsequently, this vulnerability can lead to web site defacement or access to the internal network.

This should serve as a reminder that building web applications on top of popular and well reviewed platforms can still leave you at risk to serious security breaches. These are the types of vulns that script-kiddies love to perform mass attacks against.

Read more: http://developer.joomla.org/security/news/391-20120301-core-sql-injection

Microsoft SharePoint missing protection

Apparently, Microsoft SharePoint 2007 and 2010 are missing protection against Frame Injection and Clickjacking: SharePoint fails to send the X-Frame-Options header, which instructs the browser to disallow framing. An attacker can leverage this vulnerability to inject a frame in the page, and this frame can access information in the framed page. If a content management application and SharePoint are both vulnerable, do you have all security controls in place?

Read more: http://packetstormsecurity.org/news/view/20744/Microsoft-SharePoint-Exposes-Privates-In-Sniffing-Hack.html
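The SharePoint finding is the sort of thing a scanner can check on every response it receives. The following Python example is added by the editor and is not from the article or from the linked advisory; it classifies a response’s anti-framing defence from its headers, accepting DENY and SAMEORIGIN, treating ALLOW-FROM as unreliable because browser support for it was inconsistent, and also recognising a Content-Security-Policy frame-ancestors directive, which is the later equivalent of X-Frame-Options. The hostname and the response headers are constructed.

```python
def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def check_framing(headers):
    """Return (protected, findings). protected is True when the browser will be
    told to refuse cross-site framing; findings lists what is missing or weak."""
    findings = []
    protected = False
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    else:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            protected = True
        elif value.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is ignored by several browsers; treat as unprotected")
        else:
            # A browser ignores values it does not understand, e.g. two values in one header.
            findings.append("unrecognised X-Frame-Options value %r; browsers ignore it" % xfo)
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        directives = [d.strip().lower() for d in csp.split(";")]
        if any(d.startswith("frame-ancestors") for d in directives):
            protected = True  # CSP frame-ancestors supersedes X-Frame-Options
        else:
            findings.append("Content-Security-Policy has no frame-ancestors directive")
    return protected, findings

def unprotected_pages(responses):
    """responses: {url: headers}. Returns the URLs a scanner should flag."""
    return [url for url, headers in responses.items() if not check_framing(headers)[0]]

# Constructed response headers for four hypothetical pages.
RESPONSES = {
    "https://portal.example.test/sites/hr/default.aspx": {"Content-Type": "text/html"},
    "https://portal.example.test/_layouts/settings.aspx": {"x-frame-options": "SAMEORIGIN"},
    "https://portal.example.test/public/": {"X-Frame-Options": "ALLOW-FROM https://partner.example.test"},
    "https://portal.example.test/login": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for url in unprotected_pages(RESPONSES):
        print("no framing protection:", url, check_framing(RESPONSES[url])[1])
```

Header names are matched case-insensitively on purpose: a check that only looks for the exact spelling "X-Frame-Options" will report a false positive on servers that emit it in lower case.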

How to prepare for Google’s privacy change

On Thursday, Google’s much-discussed new privacy policy went into effect. Here are some useful tips to avoid leaking your private data:

  1. Don’t sign in unless it is required
  2. Remove your Google search history
  3. Clear your YouTube history
  4. Set chat to Off-the-record

Read more: http://edition.cnn.com/2012/02/29/tech/web/protect-privacy-google/index.html

Watch your SaaS: Partial parameter checking or The case of the unfinished homework

“Laws are like sausages. It’s better not to see them being made.”

- Otto von Bismarck

I’m not sure how many of you have kids or how diligent they are with their homework, but I’m sure you’ve heard stories of parents observing that their kids have finished their homework in a remarkably short period of time. However, upon investigation, you quickly discover that your child has only finished half of their homework.

Sadly, this state of affairs can also be true for SaaS providers offering web application scanning services. Only half of the work gets done, resulting in rapid but inaccurate scans, and potentially vulnerable websites are given clean bills of health by the scanning company.

Taking shortcuts

Properly configured web vulnerability scanners should test parameters by locating all of the parameters on a page and then attacking one parameter at a time. So if there are 10 parameters, you attack parameter 1 and put acceptable values into the other 9 parameters to successfully complete the form request.

Why can’t you just attack all 10 at once? Well, let’s say that parameter 1 is vulnerable and parameters 2-10 have good filters. If you attack parameter 1 with an attack that works (i.e. the application does not recognize it) and parameter 2 with an attack that trips the filter in the application, the application will quite likely appear to not be vulnerable.

Now the problem is that if you are testing various attacks (SQL Injection, Blind SQL Injection, Cross Site Scripting, etc.) you will have dozens of attacks of each class against each parameter.  Your total attacks per parameter will exceed 100 and if you have 10 parameters on a page (which you will likely have in a signup form, for example), you will have over a thousand attacks for that page. On top of that, some of these attacks, like blind SQL, will have multiple requests per attack.

Performance vs comprehensiveness

Many SaaS vendors want to complete scans fast to make them look more impressive. The problem is that in order to accomplish that, you have to cheat.

To speed up a scan, you might only test the first parameter or the first three or whatever and then skip testing the rest of the parameters.  If the customer doesn’t test the site and doesn’t get hacked, no one is the wiser if those untested parameters are vulnerable.

Does this matter?  Is it possible that one of parameters 4-10 is vulnerable if 1-3 are not?  In a word, yes.  Different parameter types (dates, text fields, numerical values, etc.) will have different filters.  Just because a developer got 1 right doesn’t mean that he got them all correct.  We’ve seen numerous cases where one parameter is 100% clean and others are full of holes.  You have to thoroughly test every parameter.

Letting those POSTs get away with murder

Since dealing with forms on web pages can be difficult and there is a possibility that they could modify data in the database behind the web application, some SaaS solutions don’t even attack them. So this means all the inputs from the forms never get tested.

On many of the sites we have tested over the last decade, the form inputs sent over POST have been some of the most critical attack points with some of the worst vulns and often the most important areas to test on a website. Not testing them is the same as locking your doors, but leaving your windows wide open.

How can you assess your vendor?

Ask your vendor the hard questions, such as:

1. How many parameters do they attack per page? Are there limits they impose?

2. Ask them to demonstrate that only one parameter at a time gets attacked while the other fields contain good data. Heck, ask them to put these answers in the Statement of Work (SOW).

3. Confirm that they attack forms and POST data. Ask them to demonstrate it or test it yourself with a trial.
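Putting the sections above together, here is an added Python example (editor’s code, not from the post and not from any vendor’s scanner) of what “one parameter at a time” means in practice, of the first-N-parameters shortcut the post warns about, and of an audit you could run on a vendor’s request log to answer question 2. The signup form, its known-good values and the probe strings are constructed placeholders; a real scanner substitutes its attack library for the probes.

```python
# Constructed form description (not from the post): a ten-field POST signup
# form with a known-good value for every field, i.e. values the application accepts.
SIGNUP_FORM = {
    "method": "POST",
    "action": "/signup",
    "fields": {
        "first_name": "Ann", "last_name": "Tester", "email": "ann@example.test",
        "password": "Correct-Horse-1", "password2": "Correct-Horse-1",
        "dob": "1990-01-02", "zip": "92614", "phone": "9495550100",
        "newsletter": "1", "tos": "on",
    },
}

# Placeholder probe strings standing in for a scanner's attack library; a real
# scanner carries dozens to hundreds per class, as the post says.
PROBES = {
    "sqli": ["SQLI-PROBE-1", "SQLI-PROBE-2"],
    "xss": ["XSS-PROBE-1", "XSS-PROBE-2"],
}

def one_at_a_time(form, probes, max_params=None):
    """Build one request per (parameter, probe) pair. Exactly one field carries
    the probe; every other field keeps its known-good value, so the form still
    submits and a filter on some other field cannot mask the result.
    max_params reproduces the shortcut described above: only the first N
    parameters are ever attacked."""
    names = list(form["fields"])
    if max_params is not None:
        names = names[:max_params]
    requests = []
    for name in names:
        for cls, values in probes.items():
            for value in values:
                data = dict(form["fields"])
                data[name] = value
                requests.append({"method": form["method"], "action": form["action"],
                                 "attacked": name, "class": cls, "data": data})
    return requests

def attacked_fields(form, request):
    """Names of the fields in a request that differ from their known-good value."""
    return [n for n, v in request["data"].items() if v != form["fields"][n]]

def coverage(form, requests):
    """Audit a request list: return (attacked, untested) and refuse any request
    that attacks more than one parameter at once."""
    attacked = set()
    for req in requests:
        hot = attacked_fields(form, req)
        if len(hot) != 1:
            raise ValueError("request attacks %d parameters at once" % len(hot))
        attacked.add(hot[0])
    untested = [n for n in form["fields"] if n not in attacked]
    return attacked, untested

def all_at_once(form, probe):
    """The shortcut that puts a probe in every field of a single request."""
    return {"method": form["method"], "action": form["action"],
            "data": {n: probe for n in form["fields"]}}

if __name__ == "__main__":
    full = one_at_a_time(SIGNUP_FORM, PROBES)
    partial = one_at_a_time(SIGNUP_FORM, PROBES, max_params=3)
    print("full plan:", len(full), "requests, untested:", coverage(SIGNUP_FORM, full)[1])
    print("first-3 plan:", len(partial), "requests, untested:", coverage(SIGNUP_FORM, partial)[1])
    print("all-at-once attacks", len(attacked_fields(SIGNUP_FORM, all_at_once(SIGNUP_FORM, "SQLI-PROBE-1"))), "fields in one request")
```

With four probes the full plan is 10 × 4 = 40 requests and every field is covered; the first-three shortcut issues 12 and leaves seven fields untested, which is exactly what the post means by unfinished homework. Scale the probe lists up to a realistic hundred-plus per parameter and the request count the post quotes for one page follows directly.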

NT OBJECTives Positioned in the “Visionaries” Quadrant of the Magic Quadrant for Dynamic Application Security Testing (DAST)

Recent Gartner research positioned NT OBJECTives in the Visionaries quadrant for Dynamic Application Security Testing (DAST).(i) Gartner’s report was published in December and is now available to all Gartner subscribers.

Analysts Neil MacDonald and Joseph Feiman state in the report that “Dynamic Application Security Testing (DAST) solutions should be considered mandatory to test all Web-enabled enterprise applications, as well as packaged and cloud-based application providers.” They go on to note that “the market is maturing, with a large number of established providers of products and services.”(ii)

We consider our positioning in the “Visionaries” quadrant by Gartner confirmation of our mission and ability to deliver technologies and services that solve today’s toughest application security software challenges. Web application security represents one of the greatest security challenges facing the information technology industry today. We will continue to innovate and deliver the products today’s security teams need. In the months ahead, we are excited to launch a number of products that will further enhance our market position and help our customers.

In the report, MacDonald and Feiman also note that “as organizations have improved the security of their network, desktop and server infrastructures, there has been a shift to application-level attacks as a way to gain access to the sensitive and valuable information they handle, or to use a breach of an application to gain access to the system underneath. In addition, there has been a shift in attacker focus from mass “noisy” attacks to financially motivated, targeted attacks. As a result of these trends, application security has become a top investment area for information security organizations, whether improving the security of applications developed in-house, procured from third parties or consumed as a service from cloud providers.”(iii)
Gartner clients may view a copy of the Magic Quadrant for Dynamic Application Security Testing (DAST) report via Neil MacDonald’s blog, “The Market for Dynamic Application Security Testing is Anything but Static”.

Disclaimer:
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About NT Objectives
NT OBJECTives, Inc brings together an innovative collection of experts in information security to provide a comprehensive suite of technologies and services to solve today’s toughest application security challenges. NT OBJECTives solutions are well known as the most comprehensive and accurate Web Application security solutions available. NT OBJECTives is privately held with headquarters in Irvine, CA.

(i) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27, 2011
(ii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27, 2011
(iii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27, 2011

Surviving the Week – 02/17/2012

The NTO team keeps growing and the demands of running the business and supporting our customers are keeping me busy… and it’s a blast. But now it’s good to be getting back to these weekly postings.

On to the news, so I can help keep you all informed about the important news in web app security.

  • Will a standardized system for verifying Web identity ever catch on? - Maybe the question is “Do we even want a standardized system for verifying Web Identity?” I for one see stuff like this every day, and if the FBI’s site can be hacked, who is going to promise the security of OpenID? It will just become the single place an attacker has to attack to get access to everyone’s confidential/private data.
  • CSRF with upload – XHR-L2, HTML5 and Cookie replay - XHR Level 2 calls embedded in an HTML5 browser can open a cross-domain socket and deliver an HTTP request. Cross-domain calls will abide by CORS, but browsers end up generating preflight requests to check policy and, based on that, will allow cookie replay. Interestingly, multipart/form-data requests will go through without the preflight check, and “withCredentials” allows cookie replay. This is how some new cutting edge attacks are going to be performed.
  • Vote Now! Top Ten Web Hacking Techniques of 2011 – This is an incredibly useful survey that they do each year. So, please vote to help the community get an idea of what is interesting and important to you.
  • Twitter Enables HTTPS By Default – As sites like Google, Facebook and now Twitter start pushing all traffic to HTTPS, I fear that users will mistake this for real security. “Oh, I can put all my information on Facebook/Twitter/etc now because they are ‘secure’. See there is even a little padlock icon in my browser when I go to those sites, just like the bank.” – FAIL
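The CSRF-with-upload item is worth a concrete server-side counterpart, because the lesson is that a CORS preflight is not a defence the server can count on: a multipart/form-data POST arrives with the session cookie attached and no preflight at all. The following Python example is added by the editor and is not from the linked post or from any framework; it shows the check a state-changing endpoint should make regardless of how the browser delivered the request. The session store, trusted origin, cookie name and the three sample requests are constructed.

```python
import hmac

# Constructed configuration and session store for a hypothetical application.
TRUSTED_ORIGINS = {"https://app.example.test"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
SESSIONS = {"sess-42": {"user": "alice", "csrf": "tok-42-9f3c"}}

def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def session_for(headers):
    """Resolve the session from the sid cookie. The browser attaches that cookie
    automatically, which is the cookie replay the bullet above describes."""
    for part in (_header(headers, "Cookie") or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None

def authorize(request):
    """Return (allowed, reason). A cookie alone never authorizes a state change:
    the request must not come from an untrusted origin and must carry the
    session's CSRF token. Nothing here depends on a preflight having happened."""
    headers = request["headers"]
    session = session_for(headers)
    if session is None:
        return False, "no valid session cookie"
    if request["method"].upper() not in STATE_CHANGING:
        return True, "read-only request"
    origin = _header(headers, "Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False, "cross-origin request from %s" % origin
    # Token may travel in a header or as a form field; compare in constant time.
    token = _header(headers, "X-CSRF-Token") or request.get("form", {}).get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed requests: the three cases a tester should verify on an upload endpoint.
CROSS_ORIGIN_UPLOAD = {
    "method": "POST",
    "headers": {"Origin": "https://evil.example.test",
                "Content-Type": "multipart/form-data; boundary=x",
                "Cookie": "sid=sess-42"},
    "form": {"file": "..."},
}
SAME_ORIGIN_UPLOAD = {
    "method": "POST",
    "headers": {"Origin": "https://app.example.test",
                "Content-Type": "multipart/form-data; boundary=x",
                "Cookie": "sid=sess-42", "X-CSRF-Token": "tok-42-9f3c"},
    "form": {"file": "..."},
}
NO_TOKEN_UPLOAD = {
    "method": "POST",
    "headers": {"Content-Type": "multipart/form-data; boundary=x",
                "Cookie": "sid=sess-42"},
    "form": {"file": "..."},
}

if __name__ == "__main__":
    for label, req in [("cross-origin", CROSS_ORIGIN_UPLOAD),
                       ("same-origin with token", SAME_ORIGIN_UPLOAD),
                       ("no Origin, no token", NO_TOKEN_UPLOAD)]:
        print(label, "->", authorize(req))
```

The third case matters as much as the first: some clients send no Origin header at all, so the token check has to hold on its own rather than being skipped when the origin check cannot run.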

Tales from the Web Scanning Front: Why is This Scan Taking So Long?

As CEO, I’m constantly emphasizing the importance of customer support and trying to attend several support calls each week to stay on top of our support quality and what customers are asking.

Surprisingly, application scan times are one of the most common issues raised by customers. Occasionally, scans will take days or even weeks.

At this point, I would say that in almost all cases, the issue lies within the application’s environment as opposed to something within the software.

First some background on web application security scanners. Web scanners first crawl websites, enumerate attack points and then create custom attacks based on the site.  So, for example, if I have a small site with 200 attackable inputs and each one can be attacked 200 ways, with each attack requiring 2 requests, I have 200*200*2 or 80,000 requests to assess that site.

Now NTOSpider can be configured to use up to 64 simultaneous requests, so depending on the response time from the server, you can run through requests very quickly. Assuming, for example, 10 requests a second, that’s 600 per minute, 36,000 per hour, and you can get through that site in 2.22 hours.

The problem is that quite often the target site is not able to handle 10 or even 1 request per second.  Some reasons can include:

  • Still in development - The site is in development and has limited processing power and/or memory.
  • Lack of optimization - The site is not built to handle a high level of traffic and this has not yet shown up in QA. We were on the phone with a customer last month who allowed us to look at the server logs and we saw that one process involved in one of our requests was chewing up 100% of the CPU for 5 seconds. Another application was re-adding every item to the database each time the shopping cart was updated (as opposed to just the changes) and our 5,000 item cart was severely stressing the database.
  • Middleware - Not to bash any particular vendor (ColdFusion), but some middleware is quite slow.

So let’s look at our 80,000 request example from above and assume that our site can only handle 1 request per second. Our 2.2 hour scan time balloons to 22 hours. For our 5 second response in bullet 2, we get to 4.6 days for our little site. The good news is that NTOSpider can be configured to slow itself down so as to not DoS the site (this is our Auto-Throttle feature). The bad news is that it will take some time.

So what’s a poor tester to do?

  • Beefier hardware - If you are budgeting for a web scanner, consider spending a couple of extra thousand dollars on some decent hardware to test your apps. (Note: a modern laptop with optimal RAM for the OS you are running, 32-bit OS = 4 GB of RAM / 64-bit OS = 8 GB of RAM, will solve 90% of all performance issues.)
  • Scheduling - In some cases, you can schedule scans so that even if they are longer, you can still get things done in time.
  • Segmenting - In some cases, if you know that only a portion of the site has changed, you can target the scan to test only that subset and dramatically reduce scan time.
  • Code Augmentation - Not to put too fine a point on it, but if a single request is taking 5 seconds to process, a hacker can DoS your site by hand. You might want the developers to look at adjusting the code.


An Information Security Place Podcast – Episode 01 for 2012 – Breach Report

Wow! Six months… and two job changes later, we are finally back to recording! YEAH!… Here is the latest show from our intrepid hosts.

Show Notes:

InfoSec News Update –

Discussion Topic – 2012 Breach Report

  1. Care2 Discloses Breach; Company Has Nearly 18 Million Members
  2. AntiSec hit California and NY Law Enforcement Sites
  3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks

  • Intro – RivetHead – “The 13th Step”
  • News Bed – RivetHead – “Beautiful Disaster”
  • Discussion Bed – RivetHead – “Difference”
  • Outro – RivetHead – “Zero Gravity”
  • Tour Dates:
    1. Jan 6 – Dallas – Curtain Club
    2. Jan 27 – Dallas – Trees
    3. Jan 28 – Dallas – Trees
    4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
    5. Mar 3 – Houston – BFE Rock Club
    6. Mar 24 – Fort Worth – The Rail Club
    7. May 5 – Dallas – Renos Chop Shop


Surviving the Week – 12/09/2011

Sorry I missed last week, this one will cover the last two weeks.