Interesting python script which when used in conjunction with information from social media i.e. Facebook, Twitter and Linkedin it can create a possible password list for the user. With social media being so popular and virtually all the users have account in at least one of these sites, it is easier to know a user’s background by correlating the various account profiles. This public information can also be leveraged to guess answers to a user’s secret questions.  The Python script can be found here;
http://pentestlab.wordpress.com/2012/03/06/common-user-passwords-profiler/?goback=%2Eanp_40911_1336639118690_2

PHP Remote code execution bug has been fixed

PHP Remote code execution bug has been fixed with the new version 5.4.3 or PHP 5.3.13.  Patch your PHP as soon as possible
http://packetstormsecurity.org/news/view/20967/PHP-Devs-Lob-Second-Patch-At-Super-Critical-CGI-Bug.html

A short article that provides a brief look at how bitcoins and Tor make anonymous black markets tick.
http://features.techworld.com/security/3355031/online-black-markets-how-they-work/?olo=rss

Revelo – Javascript Deobfuscator

This tool works by converts the submitted Javascript with some user-based modifications to an HTML file.  It then opens the file and extracts deobfuscated elements using the Internet Explorer engine. This tool does rely on the user to make some choices based on some understanding of the obfuscated script. While this tool does have some protections built into it, it may execute malicious code that could harm your computer, so use it with caution possibly within a virtual machine. This is just a prototype which works on windows XP
http://www.kahusecurity.com/2012/revelo-javascript-deobfuscator/

Other similar tools include

A Firefox plugin, JavaScript Deobfuscator, https://addons.mozilla.org/en-us/firefox/addon/javascript-deobfuscator/

Hacker claims to hack European Space Agency, NASA, US Air Force and  Military, French Ministry of Defense

No official information is out yet but if this information to be believed to be true, big profile applications are vulnerable to one or another web application attack. We see this kind of posts quite often now.  Test your application today with NTOSpider to find all possible vulnerabilties
http://thehackernews.com/2012/05/hacker-claims-to-hack-european-space.html

Websense (Triton version 7.6) suffers from an authentication bypass vulnerability in the report management UI.

Websense is web traffic filtering software which can be used to protect networks from spyware, prevent users from viewing sexual or other inappropriate content, discourage employees from spending time browsing webpages instead of working, and similar purposes. WebSense report management UI application is vulnerable to authentication bypass. Test your application today with NTOSpider to find out all possible vulnerabilities
http://packetstormsecurity.org/files/112360/NGS00138-1.txt

Why did we write this paper?

1. Business logic vulnerabilities are not new, but these vulnerabilities are common, dangerous and are too often untested.
2. Security experts need to know that these must be tested manually and must not be overlooked. It is imperative to complement automated testing process with a human discovery of security risks that can be exploited by manipulating the business logic. We know that automation can’t test everything.
3. We wanted to demystify business logic vulnerabilities by giving specific examples and patterns that we have observed. We designed this to be helpful to new and experienced pen testers, security teams and developers.

Automation v. Humans

There are some things that automation can do better than humans and some things humans can do better than automation. Let the automated scanners check for SQLi, XSS and the other vulnerabilities that have repeatable patterns that scanners can test better than humans. Conducting comprehensive manual testing on a custom application takes too long, is too expensive and too error prone. Humans just can’t and won’t check every single parameter with a single tick.

Take this simple formula that I like to use as an example:An application has 10 parameters/page, 200 payloads and 100 pages, this is what your work looks like:

10 inputs x 200 payloads = 2000 attacks x 100 pages = 200,000 attacks.

It doesn’t matter if they are hired guns or new employees, too often they will only be able to spot check.

As 451 Research Director, Wendy Nather said on our Securing in a Hurry webinar yesterday. You can give your team Red Bull all day long, but they still need to sleep sometime.

It just makes sense. Leverage automation to check every parameter on every page for every repeatable payload. Save your smart and expensive resources to do the difficult testing that requires human intelligence, deductive reasoning and an understanding of business logic.

What are business logic flaws?

Application business logic flaws are unique to each custom application, potentially very damaging, and difficult to test. Attackers exploit business logic by using deductive reasoning to trick and ultimately exploit the application.

In a web application, the business logic is the intended behavior and the functionality that governs the core of what the application does. Some high level examples of business logic are:

• customer purchase orders,
• banking queries,
• wire transfers or
• online auctions.

Business logic is also defined in more specific rules such as which users are allowed to see what and how much users are charged for various items.

This whitepaper arms new and experienced penetration testers with specific instructions, real-world examples and code-snippets for testing and exploiting the ten most common business logic vulnerabilities.

In conjunction with our SaaS offering, NTOSpider On-Demand, we offer business logic testing as an one of our enhanced services.

The 10 most common business logic attack vectors include:

• Authentication flags and privilege escalations
• Critical parameter manipulation and access to unauthorized information/content
• Developer’s cookie tampering and business process/logic bypass
• LDAP parameter identification and critical infrastructure access
• Business constraint exploitation
• Business flow bypass
• Exploiting clients side business routines embedded in JavaScript, Flash or Silverlight
• Identity or profile extraction
• File or unauthorized URL access & business information extraction
• Denial of Services (DoS) with business logic

The NT OBJECTives research team determined these 10 logic flaws as being most common through years of experience testing applications.

For more information or to download the complete paper visit: http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper

To read the press release:  http://www.prweb.com/releases/notobjectives/applicationsecurity/prweb9470384.htm

Interesting article and kind of funny.  No responsibility is taken for
the problem.  One of the reasons for this disparity is that applications are built on new
technologies that web scanning solutions don’t yet scan – the application scanner vendor community isn’t keeping up with those change to web frameworks., Web application scan assessments don’t all all have to be manual
http://m.networkcomputing.com/135564/show/bd14f882107b61f7d0fc317efd57871f/

Distribution of FlashBack

Hilarious that a web vuln was the entry point for the first worm on the Macs, but it makes sense and goes to highlight how critical web security is!
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232900618/apple-mac-attack-began-with-infected-wordpress-sites.html

Guide to AppSec vol. 2

Another AppSec info piece was posted as the next part, part 2, of a series of articles aimed at CISOs.  It is a CISO’s Guide to Application Security, and is a primer on AppSec best practices.  http://threatpost.com/en_us/blogs/cisos-guide-application-security-part-2-growing-threat-applications-042312

There are some staggering statistics included in this post.

• 90% of companies have been breached at least once over the past 12 months.
• 54% of attacks on large organizations exploit web application vulnerabilities.
• The cost of a single data breach are average at $194 per compromised record or an average of $5.5M per incident.
• Companies spend just 0.3% of what they pay for software to ensure that it is secure.

Mobile Device Application Stores, love them and fear them.

Researchers have identified a bug in the TreasonSMS app for iPhone that can enable attacks to potentially gain full control over the iPhone.  This app allows users to send SMS messages directly from their desktop machines by using their iPhone as a relay proxy.  The application contains such vulnerabilities as a file include and a HTML inject bug.  These could allow the remote attacker to include a malicious persistent script and have it execute on the application-side of the phone.
http://threatpost.com/en_us/blogs/researchers-find-bug-sms-app-can-lead-iphone-exploits-042312
http://seclists.org/bugtraq/2012/Apr/169?utm_source=twitterfeed&utm_medium=twitter

These vulnerability findings were not intentional, but there are some sleeper apps in which vulnerabilities are intentional.
If you are in an organization, you are competing with the BYOD initiative where users are wanting to bring their own mobile devices onto the company network.  How do you assess what applications are allowed on these mobile devices?  How do you achieve due diligence?
The next version of NTOSpider can help you and your organization with evaluating mobile applications

Think you’ve got what it takes to beat Anonymous?

Did that get your attention?  Here’s some info for those that are ready to take on the global hacker games, compete at CyberLympics 2012.  The CyberLympics World Finals are scheduled for 29 -31 October, 2012 at the Hacker Halted Conference in Miami. For more information about CyberLympics or to register, visit: http://www.cyberlympics.org

New Version of WordPress Fixes Security Bugs

This week on 4/20, a new version of wordpress 3.3.2 has been released. This version has some major security issues fixed including a pair of XSS bugs, a fix for a privilege escalation vulnerability that can crop up in some circumstances when a site administrator could deactivate network-wide plugins when running a WordPress network.
http://wordpress.org/news/2012/04/wordpress-3-3-2/

CVE-2012-0158 Exploit in the Wild

Malicious code is exploiting a vulnerability in Microsoft Office which infects a users machine when a user opens a file using Microsoft Office. As classic attacks, these files are usually distributed by email and a user gets infected by simply opening the file. Following link describes it in detail how victim gets affected.
http://blogs.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild
Microsoft has released patch for these vulnerability. Do Patch your system

XSS in jQuery

jQuery is one of the most common library for developing ajax based application. jQuery is a library for the JavaScript programmers, which simplifies the development of web 2.0 applications. jQuery library simplifies the process of traversal of HTML DOM tree.
jQuery 1.7.2 (recent build) and older have been found vulnerable to a cross site scripting vulnerability. Do test your application with NTOSpider to test for possible cross site scripting vulnerability.
https://twitter.com/@0x6D6172696F

During this webcast, we’ll discuss specific examples, strategies and techniques for how to scale your application security program to address hundreds or thousands of applications and how to avoid the common technology and process pitfalls.

This webinar will be helpful to anyone working in application security and focused on improving the effectiveness and efficiency of their program. The thing is, whether you are doing this in a hurry or building an application security program, the pitfalls are the same. They are just much more painful when you are trying to do a massive scale rapid scan.

Participants of this webinar will learn how to address common pitfalls like:

• Effectively assess attack surface
• Identify & avoid potential bottlenecks
• Know when to use automation v humans
• Define requirements for scan deliverables
• Reduce false positives & prioritize in a target-rich environment
• Remediate vulnerabilities rapidly & patch with a WAF easily

Join us on 5/2. Register today!

This study provides a unique technique to protect against SQL Injection.  However, it is not a full proof solution and maintaining/updating queries using this method becomes cumbersome and difficult to manage. Generic web application firewall rules do not provide protection against SQL injection as this study supports. You need to find the root cause and either programmatically fix the code or you need custom rules to protect against the vulnerability. NTOSpider can help you find vulnerabilities and NTODefend can help you generate rules as a mitigation strategy until code can be updated -
http://www.darkreading.com/database-security/167901020/security/news/232900232/using-reverse-proxies-to-secure-databases.html

Oracle Enterprise Manager – 2 SQLi Vulnerabilities

2 SQLi vulns were closed with April’s Critical Patch Update.  Both are remotely exploitable but considered medium risk.  http://cxsecurity.com/issue/WLB-2012040163 affected the Search page and was 8 months from vendor notification to patch release.  Whereas, http://cxsecurity.com/issue/WLB-2012040162 which affected the Compare Wizard first Config page was over 2 years between notification and patch.  As much as we talk about SQLi, that vector doesn’t go away.

We’re very excited to announce a first-of-its kind partnership with the terrific people over at Core Security, a provider of predictive analytics security solutions and maker of Core Impact and Core Insight. Together, we will be working over the next two months to develop an integrated solution using NTOSpider and Core Insight™ Enterprise to automatically discover application vulnerabilities, and pinpoint enterprise-wide operational and business risks. This is big - with next generation application vulnerability testing software.

Put it this way. With this integration, NTOSpider software will tell you which doors and windows are open in your “house” and Core’s software will automatically read that input, then walk through each and every door and window to see if it can find the hidden safe and break it open.  We will be able to provide enterprise customers an automated and real time view of their critical application security exposure.

Application security is a massive, complex and escalating problem. Many organizations have hundreds or even thousands of web applications that access sensitive customer, financial and corporate databases. Security teams use application security scanners such as NTOSpider to identify the application vulnerabilities and then use Core’s Insight threat simulation and real-world threat replication technology to do deeper testing on those vulnerabilities pivoting off each internal asset, such as databases and servers, to find which can actually be exploited. But, it takes time to manually feed the vulnerabilities to Core Insight, until now.

At NTO we are huge champions of finding ways to automate security processes that really should be automated. So, the even better news for security teams out there is that this solution, through automation, will provide a more efficient way to get a holistic view of their security posture.  Through the automation of vulnerability identification, validation and risk prioritization, companies will now be able to efficiently monitor their application security posture, allowing security teams to spend their time on the material risks and threats that require more detailed analysis and subject matter expertise. And who wouldn’t like a little more time in their day to focus on the fun stuff with security?

It’s sort of like a round the clock application security penetration testing team in a box and can give security teams better information as to the exploitability and impact of discovered vulnerabilities.

In the meantime, you please check out our formal announcement that provide some specifics on how the integrated, automated solution will work.

This report details the continued threat of vulnerabilities within web apps, mobile apps, and specific vulns with cloud-based implications.  It’s fairly alarming to note from this report that over this time period, 38% of reported web vulns are XSS related and SQL Injection accounted for 15%.  These numbers are quite staggering since these are well-known vulns with many mitigation strategies and published details on how to fix such problems.  This report also covers details for reported vulns in mobile apps.  All though the numbers being reported for mobile apps is low, we can anticipate mobile apps to become the wild west of exploit development.  http://info.cenzic.com/2012-Applicaiton-Security-Trends-Report.html

The question becomes, how do we test mobile apps for vulnerabilities and injection points?  Stay tuned to NTO development for those answers.

On the topic of web application reports, we ran across Imperva’s Web Application Attack Report which was published in Jan 2012.  http://www.imperva.com/download.asp?id=344  Here’s it’s interesting to note that Imperva details the category of web app hacks it has identified as most common today.  Such attacks as Remote File Inclusion (RFI), SQL Injection (SQLi), Local File Inclusion (LFI), Cross Site Scripting (XSS), and Directory Traversal (DT).  Where XSS and DT are the two most prevalent classic attacks.

Shameless plug time, NTOSpider will perform assessments of your web application for these 5 attack categories.

For those that like to get their hands dirty in this stuff, the following paragraphs will help guide you to some tools.

SQL Injection Tools

SQL Injection has been in top of the list in most common vulnerabilities for quite some time now. There are quite a number of free tools available that can be used to exploit SQL Injection an get information from the backend database. Ericka a contributing writer for Dark Reading, put together a quick reference list of 10 tools which are handy to attack using SQL Injection.
http://www.darkreading.com/galleries/security/news/232900180/slide-show-10-sql-injection-tools-for-database-pwnage.html

Our tool of choice is SQLInvador
http://www.ntobjectives.com/research/sqlinvader-intro

 Do you speak URL or URI?

Ambiguous RFC leads to Cross Site Scripting

RFC 1738 defines the standard for Uniform Resource Locators (URL) and RFC 3986 defines the standard for Uniform Resource Identifier (URI).  RFC 1738 explicitly mentions unsafe characters – “The characters “<” and “>” are unsafe because they are used as the delimiters around URLs in free text; the quote mark (“”") is used to delimit URLs in some systems.”.  On the other hand, RFC 3986 doesn’t mention unsafe characters anywhere. Internet Explorer follows RFC 3986 which makes it an enabler to some XSS attacks -
http://labs.neohapsis.com/2012/04/06/ambiguous-rfc-leads-to-cross-site-scripting/

Finding the New Encryption Standard, SHA-3

The search for a replacement for SHA-2 has settled on five finalists. Five candidates are -

1. The BLAKE Function
2. Grøstl
3. JH Function
4. Keccak
5. Skein

 http://www.drdobbs.com/security/231700137

The eBay site in Southeast Asia is vulnerable to SQL Injection.
https://www.upsploit.com/index.php/advisories/view/UPS-2012-0003
Sites such as ebay have certainly done a lot of internal security review and testing, but they are still vulnerable to classic SQL Injection vulnerability. How good is your application?

SQL Injection Through HTTP Headers

SQL Injection has been a popular attack for quite some time. Traditionally user inputs were only attacked by SQL Injection but as developers started using HTTP request headers as input fields, attackers also started attacking request headers for SQL Injection. This article has a good list of request parameters which can be attacked by SQL Injection
http://packetstormsecurity.org/news/view/20824/SQL-Injection-Through-HTTP-Headers.html

Study: 72% of Developers See 2012 as the Year of Hybrid Apps

As the study suggests, developers are seeing more hybrid application development. As the development platform of the application changes, new attack scenarios and vectors are emerging. To test your application with latest attack vectors, You can use NTOSpider to test your application in completely automated fashion
http://creatingapps.telekomaustria.com/study-72-per-cent-of-developers-see-2012-as-year-of-hybrid-apps.html

WOA watch out! Don’t forget about Web Services (Going beyond XSS &  SQLInjection (SQLi)

In his blog post this week, Jared Day from eEye’s Any Means Possible research team provides detailed techniques for how security experts and pen testers should think about and test web services for security vulnerabilities. He explains how web services can be vulnerable –  that an attacker can “bypass server-provided client-side SQLi and XSS protections by simply sending the queries directly to the server”, and that too many developers don’t think about it that way and fatally rely on JavaScript parsers to filter out potentially malicious characters. He also discussed how web services can expose data that you don’t want exposed. In a very practical and useful way, Jared details descriptions about how to test web services for vulnerabilities. I agree with Jared, web services continue to be vulnerable and must be considered as part of any pen testing approach and considered in technology purchases. Thanks for the helpful post Jared!  http://www.sys-con.com/node/2234940

Cloud Computing Can Be More Secure

If you walked the RSA floor this year in San Francisco as I did, you might agree with Neil MacDonald. Every other booth at RSA said something about security in the cloud. I joked on Twitter that the cloud sounded so secure that I just might move my family there. Neil has posted a new blog on cloud computing that asserts “Why Cloud Computing Could Be More Secure Than What You Have Today”. He explains that if a cloud service provider does its job well, their application could be as secure as an on-premise application. In his blog, he shows a chart from a recent study, comparing the number of security incidents between on-premise and cloud applications. This chart not only highlights the parity between on-premise and cloud attacks, but it also shows that web application security attacks as the 2nd most common type of attack in their study after brute force attacks. 71% of Alert Logic’s customers have had web application security breaches in the cloud and 65% have had web application security breaches with on-premise applications. Neil promises to continue to look for independent studies that show similar trends. We will look forward to continued insights from Neil as always. Complete URL: http://blogs.gartner.com/neil_macdonald/2012/03/31/cloud-computing-can-be-more-secure/

We often remind our customers about this kind of logistical trouble, but we still manage to get the frantic breathless panicky phone call when recipients of the “Contact Us Page begin receiving 1000 emails within 10 minutes.

So what do you do to prevent this from happening? It’s actually very simple.

First, a wee bit of background on web scanners. Because all applications are different (different page names, different parameter names, vulnerable in different spots to different attacks, etc.). Web scanners have to crawl the targeted websites and then attack every page and parameter with hundreds of attacks. Unless told otherwise, every single page will be crawled and every parameter attacked.

Think about it, this includes the following kinds of pages:

• E-Mail the sales team
• E-Mail tech support
• Wire the money
• Delete this blog
• Delete this item
• Reset the admin password

Fortunately, all modern scanners have blacklisting technology. Blacklists in this context simply tell the scanner not to crawl and/or attack that page.

During your planning period or before you execute any application test, carefully consider the pages on your site that you don’t want to be crawled by the scanner dozens of times. Then, simply add the URL’s for those pages to the blacklist in your scanner. It’s that easy.

Whether you outsource your scanning, use software in-house or use a SaaS service, you will have many fewer people screaming at you if you take some time to blacklist the pages and prevent the unexpected deluge in your co-workers inbox.

Spending two minutes to properly configure your scanner will help avoid potential problems and keep the office free from the smell of burnt plastic.