Category Archives: Web App Sec

Watch your SaaS: Partial parameter checking or The case of the unfinished homework

  Posted by
on
Reply

“Laws are like sausages. It’s better not to see them being made.”

- Otto von Bismarck

I’m not sure how many of you have kids or how diligent they are with their homework but I’m sure you’ve heard stories of parents observing that their kids have finished their homework in a remarkably short period of time.  However, upon investigation, you quickly discover that your child has only finished half of their homework.

Sadly, this state of affairs can also true for SAAS providers offering web application scanning services.  Only half of the work gets done, resulting in rapid, but inaccurate scans and potentially vulnerable websites that are given clean bills of health by the scanning company.

Taking shortcuts

Properly configured web vulnerability scanners should test parameters by locating all of the parameters on a page and then making attacks against individual parameters at a time.  So if there are 10 parameters, you do an attack against parameter 1 and put acceptable values into the other 9 parameters to successfully complete the form request.

Why can’t you just attack all 10 at once?  Well, let’s say that parameter 1 is vulnerable and parameters 2 -10 have good filters. If you attack parameter one with an attack that works (i.e. the application does not recognize it) and parameter 2 with an attack that trips the filter in the application, the application will quite likely appear to not be vulnerable.

Now the problem is that if you are testing various attacks (SQL Injection, Blind SQL Injection, Cross Site Scripting, etc.) you will have dozens of attacks of each class against each parameter.  Your total attacks per parameter will exceed 100 and if you have 10 parameters on a page (which you will likely have in a signup form, for example), you will have over a thousand attacks for that page. On top of that, some of these attacks, like blind SQL, will have multiple requests per attack.

Performance vs comprehensiveness

Many SaaS vendors want to complete scans fast to make them look more impressive. The problem is that in order to accomplish, you have to cheat.

To speed up a scan, you might only test the first parameter or the first three or whatever and then skip testing the rest of the parameters.  If the customer doesn’t test the site and doesn’t get hacked, no one is the wiser if those untested parameters are vulnerable.

Does this matter?  Is it possible that one of parameters 4-10 is vulnerable if 1-3 are not?  In a word, yes.  Different parameter types (dates, text fields, numerical values, etc.) will have different filters.  Just because a developer got 1 right doesn’t mean that he got them all correct.  We’ve seen numerous cases where one parameter is 100% clean and others are full of holes.  You have to thoroughly test every parameter.

Letting those POSTs get away with murder

Since dealing with forms on web pages can be difficult and there is a possibility that they could modify data in the database behind the web application, some SaaS solutions don’t even attack them. So this means all the inputs from the forms never get tested.

On many of the sites we have tested over the last decade, the form inputs sent over POST have been some of the most critical attack points with some of the worst vulns and often the most important areas to test on a website. Not testing them is the same as locking your doors, but leaving your windows wide open.

How can you assess your vendor

Ask your vendor the hard questions, such as:

1. How many parameters do they attack per page? Are there limits they impose.

2. Ask them to demonstrate that only one parameter at a time gets attacked while the other fields having good data. Heck, ask them to put these answers in the Statement of Work (SOW).

3. Confirm that they attack forms and POST data. Ask them to demonstrate it or test it yourself with a trial.

NT OBJECTives Positioned in the “Visionaries” Quadrant of the Magic Quadrant for Dynamic Application Security Testing (DAST)

  Posted by
on
Reply

Recent Gartner research positioned NT OBJECTives in the Visionaries quadrant for Dynamic Application Security Testing(DAST).(i) Gartner’s report was published in December and is now available to all Gartner subscribers.

Analysts Neil MacDonald and Joseph Feiman state in the report that “Dynamic Application Security Testing (DAST) solutions should be considered mandatory to test all Web-enabled enterprise applications, as well as packaged and cloud-based application providers.” They go on to note that “the market is maturing, with a large number of established providers of products and services.”(ii)

We consider our positioning in the “Visionaries” quadrant by Gartner confirmation of our mission and ability to deliver technologies and services that solve today’s toughest application security software challenges. Web application security represents one of the greatest security challenges facing the information technology industry today. We will continue to innovate and deliver the products today’s security teams need. In the months ahead, we are excited to launch a number of products that will further enhance our market position and help our customers.

In the report, MacDonald and Feiman also note that “as organizations have improved the security of their network, desktop and server infrastructures, there has been a shift to application-level attacks as a way to gain access to the sensitive and valuable information they handle, or to use a breach of an application to gain access to the system underneath. In addition, there has been a shift in attacker focus from mass “noisy” attacks to financially motivated, targeted attacks. As a result of these trends, application security has become a top investment area for information security organizations, whether improving the security of applications developed in-house, procured from third parties or consumed as a service from cloud providers.”(iii)
Gartner clients may view a copy of the Magic Quadrant for Dynamic Application Security Testing (DAST) report via Neil MacDonald’s blog, “The Market for Dynamic Application Security Testing is Anything but Static”.

Disclaimer:
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About NT Objectives
NT OBJECTives, Inc brings together an innovative collection of experts in information security to provide a comprehensive suite of technologies and services to solve today’s toughest application security challenges. NT OBJECTives solutions are well known as the most comprehensive and accurate Web Application security solutions available. NT OBJECTives is privately held with headquarters in Irvine, CA.

(i) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011
(ii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011
(iii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011

Surviving the Week – 02/17/2012

  Posted by
on
Reply

The NTO team keeps growing and the demands of running the business and supporting our customers is keeping me busy… and its a blast. But now its good to be getting back to these weekly postings.

On to the news, so I can help keep you all informed about the important news in web app security.

  • Will a standardized system for verifying Web identity ever catch on? - Maybe the question is “Do we even want a standardized system for verifying Web Identity?” I for one see stuff like this everyday, and if the FBI’s site can be hacked, who is going to promise the security of OpenID? It will just become the single place an attacker has to attack to get access to everyone’s confidential/private data.
  • CSRF with upload – XHR-L2, HTML5 and Cookie replay - XHR-Level 2 calls embedded in an HTML5 browser can open a cross domain socket and deliver an HTTP request. Cross-domain calls will abide by CORS, but browsers end up  generating preflight requests to check policy and based on that, will allow cookie replay. Interestingly, multi-part/form-data requests will go through without the preflight check and “withCredentials” allow cookie replay. This is how some new cutting edge attacks are going to be performed.
  • Vote Now! Top Ten Web Hacking Techniques of 2011 – This is an incredibly useful survey that they do each year. So, please vote to help the community get an idea of what is interesting and important to you.
  • Twitter Enables HTTPS By Default – As sites like Google, Facebook and now Twitter start pushing all traffic to HTTPS, I fear that users will mistake this for real security. “Oh, I can put all my information on Facebook/Twitter/etc now because they are ‘secure’. See there is even a little padlock icon in my browser when I go to those sites, just like the bank.” – FAIL

Tales from the Web Scanning Front: Why is This Scan Taking So Long?

  Posted by
on
Reply

As CEO, I’m constantly emphasizing the importance of customer support and trying to attend several support calls each week to stay on top of our support quality and what customers are asking.

Surprisingly, application scan times are one of the most common issues raised by customers.  Occasionally, scans will take days or even weeks.

At this point, I would say that in almost all cases, there is an issue that lies within the application’s environment as opposed to a something within the software.

First some background on web application security scanners. Web scanners first crawl websites, enumerate attack points and then create custom attacks based on the site.  So, for example, if I have a small site with 200 attackable inputs and each one can be attacked 200 ways, with each attack requiring 2 requests, I have 200*200*2 or 80,000 requests to assess that site.

Now NTOSpider can be configured to use up to 64 simultaneous requests so depending on the response time from the server, you can run though requests very quickly.  Assuming, for example, 10 requests a second, that’s 600 per minute, 36,000 per hour and you can get through that site in 2.22 hours.

The problem is that quite often the target site is not able to handle 10 or even 1 request per second.  Some reasons can include:

  • Still in development - The site is in development and has limited processing power and/or memory.
  • Suboptimal optimization - The site is not built to handle a high level of traffic and this has not yet shown up in QA.  We were on the phone with a customer last month who allowed us to look at the server logs and we saw that one process involved in one of our requests was chewing up 100% of the CPU for 5 seconds.  Another application was re-adding every item to the database each time the shopping cart was updated (as opposed to just the changes) and our 5,000 item cart was severely stressing the database.
  • Middleware  Not to bash any particular vendor (Coldfusion) but some middleware is quite slow.

So let’s look at our 80,000 request example from above and assume that our site can only handle 1 request per second.  Our 2.2 hour scan time balloons to 22 hours.  For our 5 second response in bullet 2, we get to 4.6 days for our little site.  The good news is that NTOSpider can be configured to slow itself down so as to not DOS the site (this is our Auto-Throttle feature).  The bad news is that it will take some time.

So what’s a poor tester to do?

  • Beefier hardware  If you are budgeting for a web scanner,  consider spending a couple of extra thousand dollars on some decent hardware to test your apps. (Note – a modern laptop with optimal ram for the OS you are running – 32-bit OS = 4 Gigs of ram / 64-Bit OS = 8 Gigs of ram – will solve 90% of all performance issues.)
  • Scheduling  In some cases, you can schedule scans so that even if they are longer, you can still get things done in time.
  • Segmenting  In some cases, if you know that only a portion of the site has changed, you can target the scan to test only that subset and dramatically reduce scan time.
  • Code Augmentation  Not to put too fine a point on it, but if a single request is taking 5 seconds to process, a hacker can DOS your site by hand.  You might want the developers to look at adjusting the code.

 

An Information Security Place Podcast – Episode 01 for 2012 – Breach Report

  Posted by
on
Reply
Standard Podcast [ 32:04 ] Play Now | Play in Popup | Download (381)

Wow! Six Months…and two job changes later, we are finally back to recording! YEAH!….Here the latest show from our intrepid hosts.

Show Notes:

InfoSec News Update –

Discussion Topic – 2012 Breach Report

  1. Care2 Discloses Breach; Company Has Nearly 18 Million Members
  2. AntiSec hit California and NY Law Enforcement Sites
  3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks

  • Intro – RivetHead – The 13th Step”
  • News Bed – RivetHead - “Beautiful Disaster”
  • Discussion Bed – RivetHead - “Difference”
  • Outro – RivetHead – “Zero Gravity”
  • Tour Dates:
    1. Jan 6 – Dallas – Curtain Club
    2. Jan 27 – Dallas – Trees
    3. Jan 28 – Dallas – Trees
    4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
    5. Mar 3 – Houston – BFE Rock Club
    6. Mar 24 – Fort Worth – The Rail Club
    7. May 5 – Dallas – Renos Chop Shop

 

Surviving the Week – 12/09/2011

  Posted by
on
Reply

Sorry I missed last week, this one will cover the last two weeks.

 

Announcing SQL Invader

  Posted by
on
2

Today, we announced SQL Invader, a new free GUI-based tool that enables testers to easily and quickly exploit a SQL Injection vulnerability, get a proof of concept with database visibility and export results into a csv file. In just a few clicks, users will be able to view the list of records, tables and user accounts on the back-end database.

Tools like this are still critical for comprehensive application security testing and can help organizations remain a step ahead of the bad guys. SQL Injection has been the dominant method used in this year’s high-profile web application attacks; with millions of sites attacked in 2011.

We created this tool because our customers and the community at large have expressed a need. We want to always contribute to the community as much as we can. Although SQL Injection is well documented and there are tools to discover the vulnerabilities, it has been very difficult to determine if the vulnerability can actually be exploited because most existing SQL Injection testing tools are executed from a command line, lack an intuitive user interface or are no longer supported.  Without the ability to clearly demonstrate the exploitability of a vulnerability, remediation efforts are often delayed and friction between security and development teams surfaces. We designed NTO SQL Invader so that penetration testers and developers can quickly and easily leverage a vulnerability to view the list of records, tables and user accounts on the back-end database.

SQL Invader works as a standalone solution or with NTOSpider and enables you to:

  • Paste the injectable request straight from an application scan report
  • Control how much information is harvested.
  • View data in an organized manner using tree control and data grids.
  • Leverage logging data in CSV file

 

Surviving the Week – 11/25/2011

  Posted by
on
Reply

I hope that all of you in the US had a great Happy Thanksgiving.
As is normal for a holiday weekend, the new is a bit light, but here is what I was able to gather for this week.

Surviving the Week – 11/18/2011

  Posted by
on
Reply

This week was a busy one for me, as I’m finally done traveling for awhile and and got back to working on NTOSpider6 and our growing team. I should be able to keep up with this weekly post again, and will keep you all informed about the important news in web app security.

 

Twitter shortened links – Security bad practice?

  Posted by
on
Reply

As as spend more time using twitter, I understand the need for shortened URL’s and make heavy use of them. But, when I am viewing a tweet I always hesitate before clicking on those links knowing that they could be easily used to hide some sort of XSS or SQL Injection payload in the redirect.

It would be a great way to target accounts of twitter followers to even attack Intranet sites as well as public facing sites. Maybe some good proof of concept hacks will need to be created to demonstrate. Will leave that for another day.

I am sure some of these link shortening providers have put some effort into blocking XSS payloads from the URL’s they shorten, but its easy enough to have the short URL point to a page on the bad guys site which will perform a 302 with the payload in the Location header. This story/video on Help Net Security from a couple years ago tried to warn us.

I wish links didn’t count against the 140 char limit on twitter so these shortened URLs wouldn’t be as needed. Oh well, looks like another instance where features trump security.

(Now time to use bit.ly to make a short link of this blog post so I can tweet it)