- Otto von Bismarck

I’m not sure how many of you have kids or how diligent they are with their homework but I’m sure you’ve heard stories of parents observing that their kids have finished their homework in a remarkably short period of time.  However, upon investigation, you quickly discover that your child has only finished half of their homework.

Sadly, this state of affairs can also true for SAAS providers offering web application scanning services.  Only half of the work gets done, resulting in rapid, but inaccurate scans and potentially vulnerable websites that are given clean bills of health by the scanning company.

Taking shortcuts

Properly configured web vulnerability scanners should test parameters by locating all of the parameters on a page and then making attacks against individual parameters at a time.  So if there are 10 parameters, you do an attack against parameter 1 and put acceptable values into the other 9 parameters to successfully complete the form request.

Why can’t you just attack all 10 at once?  Well, let’s say that parameter 1 is vulnerable and parameters 2 -10 have good filters. If you attack parameter one with an attack that works (i.e. the application does not recognize it) and parameter 2 with an attack that trips the filter in the application, the application will quite likely appear to not be vulnerable.

Now the problem is that if you are testing various attacks (SQL Injection, Blind SQL Injection, Cross Site Scripting, etc.) you will have dozens of attacks of each class against each parameter.  Your total attacks per parameter will exceed 100 and if you have 10 parameters on a page (which you will likely have in a signup form, for example), you will have over a thousand attacks for that page. On top of that, some of these attacks, like blind SQL, will have multiple requests per attack.

Performance vs comprehensiveness

Many SaaS vendors want to complete scans fast to make them look more impressive. The problem is that in order to accomplish, you have to cheat.

To speed up a scan, you might only test the first parameter or the first three or whatever and then skip testing the rest of the parameters.  If the customer doesn’t test the site and doesn’t get hacked, no one is the wiser if those untested parameters are vulnerable.

Does this matter?  Is it possible that one of parameters 4-10 is vulnerable if 1-3 are not?  In a word, yes.  Different parameter types (dates, text fields, numerical values, etc.) will have different filters.  Just because a developer got 1 right doesn’t mean that he got them all correct.  We’ve seen numerous cases where one parameter is 100% clean and others are full of holes.  You have to thoroughly test every parameter.

Letting those POSTs get away with murder

Since dealing with forms on web pages can be difficult and there is a possibility that they could modify data in the database behind the web application, some SaaS solutions don’t even attack them. So this means all the inputs from the forms never get tested.

On many of the sites we have tested over the last decade, the form inputs sent over POST have been some of the most critical attack points with some of the worst vulns and often the most important areas to test on a website. Not testing them is the same as locking your doors, but leaving your windows wide open.

How can you assess your vendor

Ask your vendor the hard questions, such as:

1. How many parameters do they attack per page? Are there limits they impose.

2. Ask them to demonstrate that only one parameter at a time gets attacked while the other fields having good data. Heck, ask them to put these answers in the Statement of Work (SOW).

3. Confirm that they attack forms and POST data. Ask them to demonstrate it or test it yourself with a trial.

• Tuesday, February 28^th, 2012
• 6:00 pm – 8:00 pm
• Restaurant LuLu

Each guest will receive a complimentary copy of Ghost in the Wires, enjoy tasting some rare wines from Europe’s finest boutique wineries with me and have the opportunity to  connect with leading CISOs.

The wines have been selected by NTO’s own wine geek, me, and come from San Francisco’s hottest wine bar, Terroir. These are “natural” wines (WARNING: That links to a video that unnecessarily overuses and abuses of the f-bomb, but it is the best explanation of natural wines and its entertaining as well.) made with minimal intervention to preserve their unique flavor profiles and as such, are favored by industry insiders and wine geeks.

As the ISE® VIP Programs have been oversubscribed in previous years due to limited availability and strong interest, we recommend that you register early.

Hope to see you there!

More information on the NTObjective’s ISE VIP Reception and Book Signing

Analysts Neil MacDonald and Joseph Feiman state in the report that “Dynamic Application Security Testing (DAST) solutions should be considered mandatory to test all Web-enabled enterprise applications, as well as packaged and cloud-based application providers.” They go on to note that “the market is maturing, with a large number of established providers of products and services.”(ii)

We consider our positioning in the “Visionaries” quadrant by Gartner confirmation of our mission and ability to deliver technologies and services that solve today’s toughest application security software challenges. Web application security represents one of the greatest security challenges facing the information technology industry today. We will continue to innovate and deliver the products today’s security teams need. In the months ahead, we are excited to launch a number of products that will further enhance our market position and help our customers.

In the report, MacDonald and Feiman also note that “as organizations have improved the security of their network, desktop and server infrastructures, there has been a shift to application-level attacks as a way to gain access to the sensitive and valuable information they handle, or to use a breach of an application to gain access to the system underneath. In addition, there has been a shift in attacker focus from mass “noisy” attacks to financially motivated, targeted attacks. As a result of these trends, application security has become a top investment area for information security organizations, whether improving the security of applications developed in-house, procured from third parties or consumed as a service from cloud providers.”(iii)
Gartner clients may view a copy of the Magic Quadrant for Dynamic Application Security Testing (DAST) report via Neil MacDonald’s blog, “The Market for Dynamic Application Security Testing is Anything but Static”.

Disclaimer:
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About NT Objectives
NT OBJECTives, Inc brings together an innovative collection of experts in information security to provide a comprehensive suite of technologies and services to solve today’s toughest application security challenges. NT OBJECTives solutions are well known as the most comprehensive and accurate Web Application security solutions available. NT OBJECTives is privately held with headquarters in Irvine, CA.

(i) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011
(ii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011
(iii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011

On to the news, so I can help keep you all informed about the important news in web app security.

• Will a standardized system for verifying Web identity ever catch on? - Maybe the question is “Do we even want a standardized system for verifying Web Identity?” I for one see stuff like this everyday, and if the FBI’s site can be hacked, who is going to promise the security of OpenID? It will just become the single place an attacker has to attack to get access to everyone’s confidential/private data.
• CSRF with upload – XHR-L2, HTML5 and Cookie replay - XHR-Level 2 calls embedded in an HTML5 browser can open a cross domain socket and deliver an HTTP request. Cross-domain calls will abide by CORS, but browsers end up  generating preflight requests to check policy and based on that, will allow cookie replay. Interestingly, multi-part/form-data requests will go through without the preflight check and “withCredentials” allow cookie replay. This is how some new cutting edge attacks are going to be performed.
• Vote Now! Top Ten Web Hacking Techniques of 2011 – This is an incredibly useful survey that they do each year. So, please vote to help the community get an idea of what is interesting and important to you.
• Twitter Enables HTTPS By Default – As sites like Google, Facebook and now Twitter start pushing all traffic to HTTPS, I fear that users will mistake this for real security. “Oh, I can put all my information on Facebook/Twitter/etc now because they are ‘secure’. See there is even a little padlock icon in my browser when I go to those sites, just like the bank.” – FAIL

Much ink has been spilt over personal privacy in the modern age – most of it has been over whether we have any expectation of personal privacy in our lives.  I emphasize the word personal because it is generally agreed that it would be nice if we had personal privacy.  That is I really do not want my credit card data, my health data and my banking information splattered all over.  Without getting too far into this, I can agree that many of us have made the affirmative decision to, wittingly or unwittingly, to broadcast a ton of personal information about ourselves on the Internet through Facebook, Foursquare and the like.  The argument is generally about whether we have any hope of maintaining the privacy of our personal information in this day and age.

But that is not what is interests me about Assange and his potential copycats.  The area of privacy that Assange has threatened is more corporate privacy.  I should say enterprise because this would include government and nonprofit but corporate privacy sounds better.

Assange, as we know, has facilitated the dissemination of private enterprise communications for all the world to see.  His motivations are very clear; he seeks to expose wrongdoers by providing evidence of evil deeds.  For the sake of argument, let us agree that, in the words of Richard Nixon, “mistakes were made” by the enterprises exposed by Mr. Assange.  Let us also assume, for the sake of argument, that Mr. Assange’s motives were pure and he does this for the sole purpose of punishing the wicked and discouraging bad behavior in the future.  While i have not met Mr. Assange, I actually have no reason to doubt this.

My question is this: do we have any right to or expectation of corporate privacy?

This is a trickier question than one of personal privacy.   Almost all enterprises have policies that explicitly state that our communications over media owned by them (e.g. E-Mail) are owned by the enterprise.  Having said that, there is an implicit expectation of the confidentiality of certain communications between parties in the corporate world.

Some examples come to mind where corporate privacy is beneficial to us as a society.

• Communications About Personnel
• Personal Information (e.g.Health Information)
• Corporate Secrets
• Sensitive Information

Now I am sure that Mr. Assange would agree with most or all of these points.  I have never met Mr. Assange and can’t state with any certainty how he would respond but a possible response would be that he should be trusted to weigh these risks and decide what and should not be published based on the benefits of the dissemination and the potential harm.

I would also point out that we are entering a brave new world of whistleblower disclosures.  journalists have long reported on instances of whistleblowing but they very carefully extract documents as opposed to disseminating vast quantities of microdata as Mr. Assange has.  Additionally, journalists (at least in the US) are exposed to potential litigation if they cause harm by their actions.  Mr. Assange has intentionally (by his own admission) set up in jurisdictions to minimize his risk of litigation.

My question is, is that really how we as a civilized society (or at least a society striving to be civilized) wants a decision that has potentially significant impact on corporate privacy to be made?

For the sake of argument, let’s look at another decision that we make.  Punishment.  There are millions of criminals in this country and others that violate the understood morals of the society in which they live.  Do we allow individuals to decide to punish them?  If I see someone stealing an old woman’s purse, do I grab him and lock him in my basement?  Of course the answer is no.  We have a codified system of laws and a judicial system made up of individuals who effect judgement and punishment of criminals.  We do not leave these decisions to individual people or groups of people.

One can argue that Mr. Assange is basically a whistleblower (or a facilitator of whistleblowers).  A whistleblower is someone who reports wrongdoing.  There is some degree of legal protection for whistleblowers both in the US and internationally and I am personally certainly  on board with the idea of exposing evildoers.

I guess that my question is whether dumping E-Mails on the Internet is the optimal way to do this.  The question is, is there a better solution?  The irony is that I think that the security community has actually already come up with a better solution.  When a security researcher discovers a vulnerability, most will contact the vendor. The vendor is supposed to investigate the claim and crate and release a patch before the researcher releases the exploit.  Now this system doesn’t always work perfectly but it at least allows the responsible party to do the right thing before the world knows that their system can be hacked.

Maybe this is a better model for whistleblowers.   If a crime is committed, the evidence can be sent to the appropriate government authorities with a reasonable deadline for action.  The government should be able to act while using its resources to scrub the communications and minimize the damage to corporate privacy.  If the government fails to act and cannot convince the Assange’s of the world of their reasoning, then all bets are off.  This problem, of course, becomes much trickier if the wrongdoer is the government but the government does have mechanisms to investigate itself.  This idea is admittedly a Devil’s Bargain but it may be better than the situation we find ourselves in today.  If Mr. Assange and his imitators continue to have success, it may be better for governments to try to strike deals with them rather than risk widespread dissemination of confidential information.

Surprisingly, application scan times are one of the most common issues raised by customers.  Occasionally, scans will take days or even weeks.

At this point, I would say that in almost all cases, there is an issue that lies within the application’s environment as opposed to a something within the software.

First some background on web application security scanners. Web scanners first crawl websites, enumerate attack points and then create custom attacks based on the site.  So, for example, if I have a small site with 200 attackable inputs and each one can be attacked 200 ways, with each attack requiring 2 requests, I have 200*200*2 or 80,000 requests to assess that site.

Now NTOSpider can be configured to use up to 64 simultaneous requests so depending on the response time from the server, you can run though requests very quickly.  Assuming, for example, 10 requests a second, that’s 600 per minute, 36,000 per hour and you can get through that site in 2.22 hours.

The problem is that quite often the target site is not able to handle 10 or even 1 request per second.  Some reasons can include:

• Still in development - The site is in development and has limited processing power and/or memory.
• Suboptimal optimization - The site is not built to handle a high level of traffic and this has not yet shown up in QA.  We were on the phone with a customer last month who allowed us to look at the server logs and we saw that one process involved in one of our requests was chewing up 100% of the CPU for 5 seconds.  Another application was re-adding every item to the database each time the shopping cart was updated (as opposed to just the changes) and our 5,000 item cart was severely stressing the database.
• Middleware  Not to bash any particular vendor (Coldfusion) but some middleware is quite slow.

So let’s look at our 80,000 request example from above and assume that our site can only handle 1 request per second.  Our 2.2 hour scan time balloons to 22 hours.  For our 5 second response in bullet 2, we get to 4.6 days for our little site.  The good news is that NTOSpider can be configured to slow itself down so as to not DOS the site (this is our Auto-Throttle feature).  The bad news is that it will take some time.

So what’s a poor tester to do?

• Beefier hardware  If you are budgeting for a web scanner,  consider spending a couple of extra thousand dollars on some decent hardware to test your apps. (Note – a modern laptop with optimal ram for the OS you are running – 32-bit OS = 4 Gigs of ram / 64-Bit OS = 8 Gigs of ram – will solve 90% of all performance issues.)
• Scheduling  In some cases, you can schedule scans so that even if they are longer, you can still get things done in time.
• Segmenting  In some cases, if you know that only a portion of the site has changed, you can target the scan to test only that subset and dramatically reduce scan time.
• Code Augmentation  Not to put too fine a point on it, but if a single request is taking 5 seconds to process, a hacker can DOS your site by hand.  You might want the developers to look at adjusting the code.

Show Notes:

InfoSec News Update –

• The Hacker News Hacking Awards: Best of Year 2011
• Japan’s Anti-Virus Virus
• Nginx (pronunciation: “engine-ex”) becomes #2 web server
• Saudi hackers break into Israeli site
• 3 Surefire Ways to Tick Off an Auditor
• OWASP AJAX Crawling Tool – Link2

Discussion Topic – 2012 Breach Report

1. Care2 Discloses Breach; Company Has Nearly 18 Million Members
2. AntiSec hit California and NY Law Enforcement Sites
3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks

• Intro – RivetHead – “The 13th Step”
• News Bed – RivetHead - “Beautiful Disaster”
• Discussion Bed – RivetHead - “Difference”
• Outro – RivetHead – “Zero Gravity”
• Tour Dates:
  1. Jan 6 – Dallas – Curtain Club
  2. Jan 27 – Dallas – Trees
  3. Jan 28 – Dallas – Trees
  4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
  5. Mar 3 – Houston – BFE Rock Club
  6. Mar 24 – Fort Worth – The Rail Club
  7. May 5 – Dallas – Renos Chop Shop

First, I’d like to clear the air in the spirit of full disclosure.

• NT OBJECTives Releases SQL Invader - NTO SQL Invader finally makes it easy to exploit a SQL Injection vuln from a clean graphical interface. Check out the video demonstration.
• Santa’s CISO failed him! –  Another major data leak for 2011
• MySQL.com Once again Compromised using Sql Flaw – The article says it well “MySql website is pretty embarrassed for not securing its own database’s properly”.
• HTML5
• Top 10 HTML5 threats and attack vectors – HTML5 is going to be a treasure trove of attack vectors over the next 2+ years. Heres a good start on a list.
• HTML5 Security Concerns Complicate Deployment Plans – Finally people are starting to slow down the wagon to make sure we arent making things worse.
• It’s ba-ack. Exploit revives slain browser history bug – Im glad to see this type of research being done, because sometimes we assume one style of change will fix a thing, but thats rarely the case in the end.
• OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection – Great write up on making sure the transport layer is secured, and how to recognize when its not.
• Critical Zero-day Vulnerability in Adobe Reader – Another week, another critical flow in adobe.
• Yahoo Messenger 0-Day Exploit allow status message hijacking – This is cool because its basically an XSS attack against the yahoo messenger.
• Millions of printers open to devastating hack attack – Said best by Steve Tornio on twitter “My HP all-in-one printer barely even works. Asking them to code securely is not likely to end well.”
• Cross-Site Scripting vulnerabilities in HP Network Node Manager i 9.10 – While on the topic of HP, heres an Interesting application XSS filter in the GET request evaded by new line characters %0D%0A and XSS filter didn’t exist for POST request. Good bypass!!
• DNS cache poisoning attack on Google, Gmail, YouTube, Yahoo, Apple - Nothing new, but a reminder of how much we trust in DNS and how easy it is to screw with.