Surviving the Week – 04/13/2012

Another trends report for 2011 through Q1 2012

This report details the continued threat of vulnerabilities within web apps, mobile apps, and specific vulns with cloud-based implications.  It’s fairly alarming to note from this report that over this time period, 38% of reported web vulns were XSS related and SQL Injection accounted for another 15%.  These numbers are staggering because both are well-known vuln classes with many mitigation strategies and published details on how to fix them.  The report also covers reported vulns in mobile apps.  Although the numbers being reported for mobile apps are still low, we can anticipate mobile apps becoming the wild west of exploit development.  http://info.cenzic.com/2012-Applicaiton-Security-Trends-Report.html

The question becomes, how do we test mobile apps for vulnerabilities and injection points?  Stay tuned to NTO development for those answers.

On the topic of web application reports, we ran across Imperva’s Web Application Attack Report, published in Jan 2012.  http://www.imperva.com/download.asp?id=344  Here it’s interesting to note that Imperva details the categories of web app attack it has identified as most common today: Remote File Inclusion (RFI), SQL Injection (SQLi), Local File Inclusion (LFI), Cross Site Scripting (XSS), and Directory Traversal (DT), with XSS and DT being the two most prevalent classic attacks.

Shameless plug time: NTOSpider will assess your web application for all five of these attack categories.

For those who like to get their hands dirty in this stuff, the following paragraphs will point you to some tools.

SQL Injection Tools

SQL Injection has been at the top of the list of most common vulnerabilities for quite some time now. There are quite a number of free tools available that can be used to exploit SQL Injection and pull information out of the backend database. Ericka, a contributing writer for Dark Reading, put together a quick reference list of 10 tools that are handy for SQL Injection attacks.
http://www.darkreading.com/galleries/security/news/232900180/slide-show-10-sql-injection-tools-for-database-pwnage.html

Our tool of choice is SQLInvader
http://www.ntobjectives.com/research/sqlinvader-intro
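Before reaching for any of those tools, it helps to see what they automate. The following Python example is added here and is not code from the Dark Reading list or from NT OBJECTives' tooling. It builds an in-memory SQLite table with constructed sample users, shows a string-built login query being bypassed and then abused with a UNION to read a different column, and shows the parameterized version of the same query refusing both payloads.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows (illustrative data, not from any report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String-builds the query, so a quote in the input closes the literal and the
    rest of the input is parsed as SQL.  This is the pattern injection tools probe for."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the driver binds the values separately from the SQL text,
    so the same payloads are only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Two classic payloads: an authentication bypass, and a UNION that reads another column.
# The trailing "--" comments out the rest of the original WHERE clause.
BYPASS = "' OR 1=1 --"
UNION_DUMP = "x' UNION SELECT password FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("legit login (vuln):", login_vulnerable(db, "alice", "s3cret"))
    print("bypass (vuln):     ", login_vulnerable(db, BYPASS, ""))
    print("dump (vuln):       ", login_vulnerable(db, UNION_DUMP, ""))
    print("bypass (safe):     ", login_safe(db, BYPASS, ""))
    print("dump (safe):       ", login_safe(db, UNION_DUMP, ""))
```

The UNION payload is the same trick the listed tools use to walk a schema and extract rows; the only difference in the hardened function is that the values travel as bound parameters, which is the fix the Cenzic numbers above suggest is still not applied widely enough.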

Do you speak URL or URI?

Ambiguous RFC leads to Cross Site Scripting

RFC 1738 defines the standard for Uniform Resource Locators (URL) and RFC 3986 defines the standard for Uniform Resource Identifiers (URI).  RFC 1738 explicitly calls out unsafe characters: “The characters “<” and “>” are unsafe because they are used as the delimiters around URLs in free text; the quote mark (“””) is used to delimit URLs in some systems.”  RFC 3986, on the other hand, has no notion of unsafe characters at all; it only distinguishes reserved from unreserved ones.  Internet Explorer follows RFC 3986 and sends these characters along as typed, which makes it an enabler of some XSS attacks against pages that reflect the raw request URL.  The practical lesson is that the fix belongs on the server: output-encode anything you echo back, rather than counting on the browser to percent-encode it for you –
http://labs.neohapsis.com/2012/04/06/ambiguous-rfc-leads-to-cross-site-scripting/
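To make the server-side consequence concrete, here is an added Python example; it is ours, not code from the Neohapsis post or from NT OBJECTives. It models a 404 handler that echoes the requested path, fed once by a client that percent-encodes the RFC 1738 unsafe characters and once by a client that sends them raw. The two client models and the request path are constructed assumptions; the point is that the vulnerable handler's safety depends on which client is used, while the hardened handler is safe for both.

```python
import html
from urllib.parse import quote

# The three delimiter characters RFC 1738 calls "unsafe" and RFC 3986 no longer singles out.
RFC1738_UNSAFE = frozenset('<>"')

# Constructed attacker-controlled request path (sample input, not from the page).
PAYLOAD_PATH = '/no-such-page/<script>alert(1)</script>'


def as_sent_by_encoding_browser(path: str) -> str:
    """Model a client that percent-encodes <, > and " before putting the path on the
    request line, so the server sees %3C, %3E and %22 instead (assumed behaviour)."""
    return quote(path, safe="/?=&#")


def as_sent_by_raw_browser(path: str) -> str:
    """Model a client that reads RFC 3986 literally and sends the path exactly as typed."""
    return path


def has_rfc1738_unsafe(request_target: str) -> bool:
    """Detection helper: did the raw request line carry any RFC 1738 unsafe character?"""
    return any(c in RFC1738_UNSAFE for c in request_target)


def render_not_found_vulnerable(request_target: str) -> str:
    """A 404 page that echoes the request line straight into HTML.  It is only 'safe'
    when the client happened to percent-encode the payload before sending it."""
    return f"<html><body><p>Not found: {request_target}</p></body></html>"


def render_not_found_safe(request_target: str) -> str:
    """Same page, output-encoded for the HTML context, so what the client sent no
    longer matters."""
    escaped = html.escape(request_target, quote=True)
    return f"<html><body><p>Not found: {escaped}</p></body></html>"


if __name__ == "__main__":
    for label, sender in (
        ("encoding browser", as_sent_by_encoding_browser),
        ("raw browser", as_sent_by_raw_browser),
    ):
        target = sender(PAYLOAD_PATH)
        print(f"{label}: request line has unsafe chars: {has_rfc1738_unsafe(target)}")
        print("  vulnerable page:", render_not_found_vulnerable(target))
        print("  hardened page:  ", render_not_found_safe(target))
```

A scanner that only tests with a percent-encoding client would report the vulnerable handler as clean; when reviewing reflected-URL findings, replay the request with the characters raw on the wire as well.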

Finding the New Hash Standard, SHA-3

SHA-3 is a cryptographic hash standard, not an encryption standard, and NIST’s competition to pick a successor to SHA-2 has narrowed the field to five finalists:

  1. The BLAKE Function
  2. Grøstl
  3. JH Function
  4. Keccak
  5. Skein

http://www.drdobbs.com/security/231700137

About Dan Kuykendall
Dan Kuykendall is the founder and co-CEO at the premier application security solutions provider NT OBJECTives, Inc. Throughout his career, Dan has helped develop advanced dynamic application security testing software, a fundamental aspect of NT OBJECTives’ reputation as a leader in comprehensive web application scanning. Dan has also worked for McAfee’s Foundstone and Fortis, where he founded the U.S. Information Security team.
