Saturday, January 12, 2008

Cenzic vs. SPI Dynamics?

An interesting article posted to Dark Reading has really become a thorn in my side.

First of all, allow me to lay the groundwork for what you are about to read.  I'm not associated with any of these companies, but I will say that in the past six or seven years, SPI Dynamics has done more for the web application security industry than Cenzic will do in its pathetic little lifetime. 

Okay....so on to my rant.

So.....Cenzic has filed some lawsuit against SPI for infringement on a "technology" they claim to have crafted (i.e., fault injection)?  Let's be honest here...Cenzic couldn't find a web vulnerability with both hands, a flashlight and a map of the location.  As if it's not embarrassing enough to have an XSS exploit on your own website, the pathetic display of client-side validation on their download page really makes me scratch my ass.

Seriously....what are these people thinking?  I can just see the group sitting around the Cenzic offices thinking this one up....

Ok guys....so we are the worst company that anyone could hire for a web application scanner.  So....what if we were to place a patent around a technology that we didn't invent so that all of the 'real' companies would need to pay us a license fee for something they already do much better?

Do us all a favor and close your doors....

+++++EOF+++++

SQL Injection: Give yourself a little time...

I was recently involved in a web application assessment and discovered something that I wanted to pass along. Keep in mind that this has probably been utilized before, but it is something that I just noticed, so ... I wanted to throw it out for your amusement.

To set the stage, I had been looking at this application for quite some time and had an idea that SQL Injection might exist, but I was having much difficulty determining if the injection was actually present. The application was catching errors, displaying 404s, etc., and really not displaying any good data to make a decision. So .... the question was ... if the application is catching our errors and really not giving us anything to work with ... how could we ask the database a question whose answer would indicate whether our requests were actually being processed by the database server?

Answer? Time!

Since the application is catching all of our attempts and not providing any good feedback the thought was ... let's come up with a way to have the database provide us an "indirect" response. To do this, I tried "waitfor". WAITFOR specifies a time, time interval, or event that triggers the execution of a statement block, stored procedure, or transaction.

Syntax: WAITFOR { DELAY 'time' | TIME 'time' }

To implement 'waitfor', simply tag it onto the end of the injection test you're trying to accomplish. For example, if your injection string is:

=> 30000' union select 1,email,password from Customers --

By implementing 'waitfor', your string might appear as....

=> 30000' union select 1,email,password from Customers waitfor delay '0:0:30' --

Keep in mind that while the injection results might not appear on your screen, you will experience a delay in the response back to the browser. The point here is to demonstrate that our injection is being accepted by the database server and that the injection is executing. So, while our injection string might not render results to the screen, we can confirm that the database server is executing our injection strings.
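From the defender's side, the same indirect signal works in reverse: a request carrying WAITFOR and a response time that matches the requested delay is strong evidence that the injection reached the database, even when the application answered with a 404. The following Python script is an added example and is not part of the original post. It scans a few constructed access-log lines (Apache-style, with an assumed trailing field holding the response time in milliseconds), URL-decodes each request target, looks for the WAITFOR DELAY / WAITFOR TIME form described above, and grades each hit as a mere probe or as one the server actually executed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (assumption: Apache-style access log with an
# extra trailing field holding the response time in milliseconds).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2008:10:15:01 -0500] "GET /products.asp?id=30000 HTTP/1.1" 200 5123 14
10.0.0.5 - - [12/Jan/2008:10:15:07 -0500] "GET /products.asp?id=30000%27%20waitfor%20delay%20%270%3A0%3A30%27%20-- HTTP/1.1" 404 512 30041
10.0.0.9 - - [12/Jan/2008:10:16:12 -0500] "GET /products.asp?id=30000%27+WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1" 404 512 21
10.0.0.7 - - [12/Jan/2008:10:17:45 -0500] "GET /search.asp?q=waitfor+delay HTTP/1.1" 200 2048 9
"""

# One access-log line: client, timestamp, request line, status, bytes, response ms.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# T-SQL WAITFOR with a quoted time literal, as in the post's injection string.
WAITFOR_RE = re.compile(r"\bwaitfor\s+(delay|time)\s+'(?P<t>[^']*)'", re.IGNORECASE)


def delay_seconds(t):
    """Convert a WAITFOR DELAY literal such as '0:0:30' to seconds (None if malformed)."""
    parts = t.split(":")
    if len(parts) != 3:
        return None
    try:
        hours, minutes, seconds = int(parts[0]), int(parts[1]), float(parts[2])
    except ValueError:
        return None
    return hours * 3600 + minutes * 60 + seconds


def normalize(target):
    """URL-decode the request target (twice if it was double-encoded) and collapse whitespace."""
    decoded = unquote_plus(target)
    if "%" in decoded:
        decoded = unquote_plus(decoded)
    return re.sub(r"\s+", " ", decoded)


def analyze_line(line):
    """Return a finding dict for a line containing a WAITFOR probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = WAITFOR_RE.search(normalize(m.group("target")))
    if not hit:
        return None
    finding = {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "ms": int(m.group("ms")),
        "kind": hit.group(1).lower(),
        "verdict": "probe",
    }
    if finding["kind"] == "delay":
        secs = delay_seconds(hit.group("t"))
        finding["requested_delay_s"] = secs
        # If the server took at least ~90% of the requested delay to answer,
        # the statement almost certainly ran, regardless of the HTTP status.
        if secs is not None and secs > 0 and finding["ms"] >= 0.9 * secs * 1000:
            finding["verdict"] = "executed"
    return finding


def analyze_log(text):
    """Scan every line of an access log and collect the WAITFOR findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

On the sample input the first probe (30-second delay, 30041 ms response, HTTP 404) is graded "executed", the second (5-second delay answered in 21 ms) stays a "probe", and the plain search for the words "waitfor delay" is not flagged at all because no quoted time literal follows it. The timing correlation is the useful part: a signature match alone tells you someone is testing, while the matched delay tells you the database ran it, which is exactly the decision the 404s were hiding.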

Friday, January 11, 2008

HP to purchase Fortify?

So HP has moved forward with the purchase of SPI Dynamics....seems to be a good fit. However, with their newfound capability of providing web application security across the SDLC, would it not benefit HP to pull in a more robust solution for the source code scanning initiative?

While SPI/HP does provide a robust offer in DevInspect (a source code analysis and blackbox testing solution), the solution is still behind the 8-ball when it comes to true source code analysis technology. Now....keep in mind that history has indeed shown that the Fortify solution does present a terribly large number of "theoretical" vulnerabilities; however, the combination of Fortify's source code analysis with SPI/HP's blackbox testing would be a huge step forward for everyone.

apple and the iphone

[ Security Focus ] Customers angry at Apple for breaking their hacked iPhones with the company's latest update now have a class-action lawsuit to call their own.

On Friday, a California lawyer filed suit against the consumer-technology company over the iPhone's September 27 upgrade, which bundled a critical security patch with code that disabled phones which had been hacked to accept third-party applications or modified to use other cellular carriers.

[ more article ] [ view the lawsuit ]

Web Application "Cheat Sheets"

There seems to be quite a bit of traffic lately of folks who are seeking out cheat sheets for various application security attacks.  To help out, I am going to put together a reference document to point you in the right direction.

OWASP Books Released

An interesting download to come out of the OWASP camp -- books are now available for your reading pleasure. The initial group of books are:

  • OWASP CLASP v1.2
  • OWASP Top 10 - 2007 Edition
  • OWASP Top 10 - Testing - Legal 07'
  • OWASP WebGoat and WebScarab
  • OWASP Code Review - 2007 (RC1)
  • OWASP Evaluation and Certification Criteria
  • OWASP Top 10 - Ruby on Rails Version
  • OWASP SpoC 2007
  • OWASP World (Nov2007)
  • OWASP Guide 2.0 (2005)

All are available free of charge (download versions) from www.lulu.com.

Jeremiah Grossman at OWASP

We attended the October OWASP meeting where Jeremiah Grossman provided an *awesome* presentation on "Top 10 Website Attack Techniques".  Be sure to download the presentation from OWASP.

XSS’ing Attacks and Defense (Book Released)

So…I just finished with a new book called “XSS Exploits: Cross Site Scripting Attacks and Defense“ which was put out by by Seth Fogie (Author), Jeremiah Grossman (Author), Robert Hansen (Author), Anton Rager (Author), Petko D. Petkov (Author) and I must say…the book is outstanding. The book is (probably) the most comprehensive analysis of XSS and related vulnerabilities that you will find out on the market and I absolutely encourage you to pick up a copy!