Showing posts with label web security. Show all posts

Thursday, August 21, 2008

BSQL (Blind SQL) Hacker

This is definitely a tool to check out....

BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.

BSQL Hacker is aimed at experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections). It provides a Metasploit-like exploit repository for sharing and updating exploits.

http://labs.portcullis.co.uk/application/bsql-hacker/

Friday, August 8, 2008

Clear Program >= "Pathetic"

I must say, I'm completely blown away by what has happened with the Clear Program.  For those of you who do not know what/who Clear is....

Clear® is the fast pass for airport security. Clear members are pre-screened and provided with a high-tech card which allows them to access designated airport security fast lanes nationwide. Clear members pass through airport security faster, with more predictability and less hassle.

Basically, they pre-screen you through TSA and give you a card to carry around so you don't have to wait in line with all of the other yahoos.  So let's take a look at the recent email that just came out. First line of the email ...

We take the protection of your privacy extremely seriously at Clear. 

This isn't giving me a warm feeling.  Next?

Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.

Okay....this isn't getting any better.  Next?

We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.

So .... as a security person, my first question would be -- HOW DID THIS COMPANY GET APPROVED TO OPERATE WITH TSA SENSITIVE DATA WITHOUT THE USE OF ENCRYPTION?  Yet another quote from the privacy policy....

TSA also conducts periodic audits to assure that we comply with their extremely high standards of data security.

Okay...I won't be hiring these idiots to perform my next vulnerability assessment...

We use encryption (a strong data coding process) for all program sensitive data communications. We apply firewalls to guard against outside intruders.

Wow!  Now this is really surprising to me -- yet another group of yahoos who think that a firewall is going to guard your applications from compromise.  Brilliant.

I'm sorry folks, but there are few moments in life when you really do find yourself speechless -- and well.....I guess this is one of them.  I must say - if this is the way these folks plan to do business, you might want to:  (a)  Not enroll or (b) enroll and quickly find yourself a good lawyer.

Ug.




Tuesday, June 24, 2008

Introducing HP Scrawlr

Interesting posting from the folks at HP Security Labs. Not sure if this is as capable as other SQL injectors already out there, but worth a look. Interesting note that they are packaging the Intelligent Engines on the backend with this tool.

[rip from HP blog site]

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

Technical details for Scrawlr:

  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool:

  • Will only crawl up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)

You can download Scrawlr by visiting the following link:

https://download.spidynamics.com/products/scrawlr/

Thursday, May 8, 2008

A Risk Management-Based Approach to Web Application Security

At the end of the day, it all comes down to the Software Development Life Cycle (SDLC).  All vulnerabilities, big or small, can be traced back to a few lines of code written by a Developer who was hoping to achieve a bit of functionality.  According to Gartner, “By 2009, 80 percent of companies will have suffered an application security incident”.  The significance of this statement is astounding, due to the fact that most organizations rely heavily on their web presence for daily e-survival. 

While the majority of organizations have yet to merge their development and security processes, the move towards producing secure Web Applications is absolutely critical.  Unfortunately, most Development, Quality Assurance and Information Security teams operate in isolated communities and are rarely driven by the sentiment that security is fundamental for all parties involved.  Ultimately, the goal for any organization is to exist with a strong, well-defined process to the SDLC; however, development of such a program can be quite overwhelming - even for the most mature organizations.

Risk Management provides a structured process for identifying, assessing and quantifying risk for an environment.  By applying a Risk Management-based approach, your organization will be able to kick-start its program and achieve success through a more palatable set of goals.

Through this approach, several significant variables are quantified in an effort to understand the threat against your Web Application infrastructure.  These variables include:

  1. Asset Value (AV)
  2. Vulnerability Severity (VS)
  3. Likelihood of Threat (TH)
  4. Applied Countermeasures (CM)
  5. Weighted Value for severity of vulnerabilities (WV)

The end-result of this program is to achieve an overall Risk Score (RS), which will aid in measuring compliance for your security policy and posture.  
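The post names the five variables but not how they combine, so the following is an added worked example (mine, not the post's own method) that assumes one common way of doing it: a per-vulnerability weight (WV) for its severity class (VS), scaled by likelihood (TH), reduced by the applied countermeasure (CM), summed per asset and multiplied by asset value (AV) to give the Risk Score (RS). The formula, the scales and the sample inventory are all assumptions made for illustration.

```python
"""Risk-scoring example with an assumed model (not the post's own formula)."""
from dataclasses import dataclass, field

# Assumed weights (WV) per severity class (VS).
SEVERITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 3.5, "critical": 5.0}


@dataclass
class Vulnerability:
    name: str
    severity: str           # key into SEVERITY_WEIGHT (VS class)
    likelihood: float       # TH, assumed scale 0.0 - 1.0
    countermeasure: float   # CM, assumed fraction of risk removed, 0.0 - 1.0


@dataclass
class Asset:
    name: str
    value: float            # AV, assumed scale 1 - 10
    vulnerabilities: list = field(default_factory=list)


def vulnerability_risk(vuln: Vulnerability) -> float:
    """Assumed model: WV * TH, reduced by the applied countermeasure CM."""
    if not 0.0 <= vuln.likelihood <= 1.0 or not 0.0 <= vuln.countermeasure <= 1.0:
        raise ValueError(f"{vuln.name}: likelihood and countermeasure must be in [0, 1]")
    return SEVERITY_WEIGHT[vuln.severity] * vuln.likelihood * (1.0 - vuln.countermeasure)


def risk_score(asset: Asset) -> float:
    """RS for one asset: AV times the sum of its residual vulnerability risk."""
    return round(asset.value * sum(vulnerability_risk(v) for v in asset.vulnerabilities), 2)


def rank_assets(assets):
    """(name, RS) pairs, highest risk first: the remediation order for the program."""
    return sorted(((a.name, risk_score(a)) for a in assets), key=lambda p: p[1], reverse=True)


# Constructed sample inventory (hypothetical assets and findings).
SAMPLE_ASSETS = [
    Asset("customer-portal", value=9, vulnerabilities=[
        Vulnerability("sql injection in search", "critical", likelihood=0.8, countermeasure=0.0),
        Vulnerability("verbose error pages", "low", likelihood=0.9, countermeasure=0.5),
    ]),
    Asset("intranet-wiki", value=3, vulnerabilities=[
        Vulnerability("reflected xss", "high", likelihood=0.6, countermeasure=0.7),
    ]),
    Asset("marketing-site", value=4, vulnerabilities=[]),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{name:18s} RS={score}")
```

The point of the ranking is the policy check the post mentions: a threshold on RS (say, nothing above 10 goes live) turns the score into a pass/fail gate rather than a number nobody reads.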

Friday, May 2, 2008

Web Security 101

Over the past few weeks, I've read several posts from folks around the industry on how to secure web applications and I've read many interesting viewpoints. In my opinion, there are seven basic ideas that I believe any security professional should carry with them for web applications.

  1. Test Everything!

    The first concept for every security professional is to test everything. No amount of testing is ever enough -- test and simply keep testing. Just because you ran one scan with some tool and reviewed the results does not mean testing should end. What was once a very secure application could absolutely be compromised tomorrow.

  2. Secure the foundation

    Web Applications are nothing more than applications running on an Operating System, so it is still absolutely critical to secure the environment that they live in.

  3. Encrypt your data

    Data encryption can be applied in a number of areas within your architecture, from SSL certificates for data in transit to encryption of the database and the file system. I'm not sure I'm in a position to recommend the "type" of encryption, but the use of encryption is highly recommended.

  4. Input Validation

    With Application Security vulnerabilities, the majority of the vulnerabilities lie with poor input validation. Using input validation in all areas of the application is absolutely critical. If you have the ability to discover tools that will perform Input Analysis on your application prior to going live, I would highly recommend employing them. For those not familiar with Input Analysis techniques, these are solutions that search for any component of your application where input is taken in (controls, form fields, etc) and assist with the validation of those points.

  5. Strong Authentication

    Authentication is key to applications and the use of strongly authenticated users or sessions is necessary. If strong authentication is not always an option, at the very least, please encourage your users (or security policy) to use strong passwords.

  6. Control Access to the Application

    As discussed in our AJAX post, validation of data is a very difficult aspect of security around your web application. Validating every single request to your web application is sometimes difficult; however, my recommendation is to do your best with this.

  7. Session Management

    Session Management is yet another very serious aspect of securing your web application. Points of weakness for many web applications are found when developers attempt to create their own session management schemes.  Three words that I have for you: (1) Cryptographically Strong, (2) Random, (3) strong protection.
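To make items 4 and 7 concrete, here is an added example (my code, not the post's) of the two controls together: an allowlist validator for a form field, and a server-side session store whose IDs come from a CSPRNG, are stored only as hashes, expire, and are rotated on login. The username policy and the 30-minute lifetime are assumptions; everything is standard-library Python.

```python
"""Input validation and session management, added example for the 101 list."""
import hashlib
import re
import secrets
import time

# Allowlist policy (assumed): letters, digits, underscore, dot, dash; 3-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value) -> str:
    """Return the value if it matches the allowlist, otherwise raise ValueError.
    Allowlisting rejects everything not explicitly permitted, which is why it
    beats trying to blocklist 'bad' characters."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 chars of letters, digits, _ . -")
    return value


def _key(token: str) -> str:
    # Store a hash of the token: a leaked session table does not yield live IDs,
    # and a dict lookup on the hash avoids timing-sensitive string comparison.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Server-side session table keyed by the hash of a random token."""

    def __init__(self, ttl_seconds: int = 1800, clock=time.monotonic):
        self._sessions = {}          # sha256(token) -> (username, expiry)
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing expiry

    def create(self, username: str) -> str:
        # secrets, not random: 32 bytes = 256 bits from the OS CSPRNG.
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = (username, self._clock() + self._ttl)
        return token

    def lookup(self, token: str):
        """Username for a valid, unexpired token; None otherwise."""
        entry = self._sessions.get(_key(token))
        if entry is None:
            return None
        username, expires = entry
        if self._clock() > expires:
            self.destroy(token)
            return None
        return username

    def rotate(self, token: str):
        """Issue a fresh ID for the same user and retire the old one (do this on
        login so an ID fixed before authentication is never trusted afterwards)."""
        username = self.lookup(token)
        if username is None:
            return None
        self.destroy(token)
        return self.create(username)

    def destroy(self, token: str) -> None:
        self._sessions.pop(_key(token), None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(validate_username("alice_01"))
    print("issued", sid, "->", store.lookup(sid))
```

Note what the class does not do: it never derives the ID from the username, a timestamp or a counter, which is the usual failure when a home-grown scheme is "random" but predictable.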

Again, these are only a few thoughts that I'm throwing around here ....there are a thousand other things that could be considered so please don't consider this the almighty list [no flames, please].

Tuesday, January 15, 2008

"Hacker Safe" Site Hacked, Data Stolen

It's simply amazing to me that folks will fall for the marketing literature. Hacker Safe? I think not....

http://www.cioinsight.com/article2/0,1540,2246925,00.asp

Saturday, January 12, 2008

Vidalia Project

Thank you, Baby Jesus!

I'm sure that many of you have seen this software (and I'm sure I'll hear about it), but I had to point out what could be one of the coolest tools out there for your warped heads. The tool is called Vidalia and it's found at http://vidalia-project.net/ . Seriously one of the nicer tools ....it has options that will absolutely help you with your anonymity.

Here's a rundown of what I have found....

  1. Tor: A tool-set for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
  2. Bandwidth monitor: Okay ...so it's not that spectacular, but a nice touch.
  3. New Identity: I haven't been able to research this and exactly how it works, but I would guess that this function generally kills and creates a new Tor circuit. I'll have more information on this later (and will post it), but it definitely works.

This is a must download!

Top 15 SQL Injection Scanners

Keep in mind that I have played with most of the tools out on the web for SQL Injection, but these guys published this pretty nice list of SQL Injection scanners. I will say that there are a couple of commercial scanners that will rip the pants off of most of these, but again, you pay to play.

The Top 15 SQL Injection Scanners page is definitely something worth seeking out. One addition to the list would be SQLiX, which can be found on the OWASP page -- nice little tool if you're looking for something Perl-based.

SQL Injection in ASP.NET

This nice, little How-To shows a number of ways to help protect your ASP.NET application from SQL injection attacks. SQL injection can occur when an application uses input to construct dynamic SQL statements or when it uses stored procedures to connect to the database. Conventional security measures, such as the use of SSL and IPSec, do not protect your application from SQL injection attacks. Successful SQL injection attacks enable malicious users to execute commands in an application's database.

Countermeasures include using a list of acceptable characters to constrain input, using parameterized SQL for data access, and using a least privileged account that has restricted permissions in the database. Using stored procedures with parameterized SQL is the recommended approach because SQL parameters are type safe. Type-safe SQL parameters can also be used with dynamic SQL. In situations where parameterized SQL cannot be used, consider using character escaping techniques. [ more ]
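The How-To's advice is not specific to ASP.NET; the following added example (mine, not the How-To's code) shows the same two countermeasures, parameterized SQL and a least-privileged database account, against an in-memory SQLite database. The dynamic-SQL function is kept deliberately vulnerable so the difference is visible on the same constructed input; the authorizer stands in for the restricted account, since SQLite has no users of its own.

```python
"""Dynamic SQL versus parameterized SQL, plus least privilege, in SQLite."""
import sqlite3


def make_db():
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Dynamic SQL by string concatenation: the input is parsed as SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Parameterized SQL: the value travels separately and is only ever data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def restrict_to_read_only(conn):
    """Least privilege, SQLite style: the connection may only read. In a real
    deployment this is the restricted account the How-To recommends."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


# Constructed input a scanner would send: a tautology in the WHERE clause.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Return (rows from dynamic SQL, rows from parameterized SQL) for the tautology."""
    conn = make_db()
    return find_user_vulnerable(conn, TAUTOLOGY), find_user_parameterized(conn, TAUTOLOGY)


if __name__ == "__main__":
    dynamic, parameterized = demo()
    print("dynamic SQL returned", len(dynamic), "rows; parameterized returned", len(parameterized))
```

The parameterized query returns nothing because no user is literally named `x' OR '1'='1`, which is exactly the right answer. The read-only authorizer then bounds the damage of any query that does slip through: a statement that tries to modify the table fails with "not authorized".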

Firefox Extensions

"Add-ons are small pieces of software that can add new features or tiny tweaks to your Firefox. They can add new search engines or dictionaries in other languages, change the look of Firefox with a new theme, or much more". (From the Mozilla Site)

Ok...with that out of the way, that's the easiest way these add-ons can be explained...why should I reinvent the wheel, right? So...during pentesting, etc, I have found a few of these add-ons to be pretty spectacular and simply thought it might be nice to mention them here.

  • Firebug: Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
  • Fire Encrypter: FireEncrypter is a Firefox extension which gives you encryption/decryption and hashing functionalities right from your Firefox browser, mostly useful for developers or for education & fun.
  • Execute JS: Execute JS is an enhanced JavaScript-Console, where you can comfortably enter and execute arbitrary JavaScript-Code and modify functions.
  • Fox Tor: Anonymous Web Browsing using the encrypted TOR network.
  • Web Developer: Adds a menu and a toolbar with various web developer tools.
  • Hackbar: Simple security audit / Penetration test tool (understatement on "simple". Don’t get too excited, but it does give you a bit of functionality without having to open up numerous tools).
  • Switch Proxy: SwitchProxy lets you manage and switch between multiple proxy configurations quickly and easily. You can also use it as an anonymizer to protect your computer from prying eyes.

That’s it for now...I will add more as we move forward.