Tuesday, June 24, 2008

Introducing HP Scrawlr

Interesting posting from the folks at HP Security Labs. Not sure if this is as capable as other SQL injectors already out there, but worth a look. Interesting note that they are packaging the Intelligent Engines on the backend with this tool.

[rip from HP blog site]

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

Technical details for Scrawlr:

  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool:

  • Will only crawl up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)

You can download Scrawlr by visiting the following link:

https://download.spidynamics.com/products/scrawlr/

Thursday, May 8, 2008

A Risk Management-Based Approach to Web Application Security

At the end of the day, it all comes down to the Software Development Life Cycle (SDLC).  All vulnerabilities, big or small, can be traced back to a few lines of code written by a developer who was hoping to achieve a bit of functionality.  According to Gartner, “By 2009, 80 percent of companies will have suffered an application security incident”.  The significance of this statement is astounding, because most organizations rely heavily on their web presence for daily e-survival.

While the majority of organizations have yet to merge their development and security processes, the move towards producing secure Web Applications is absolutely critical.  Unfortunately, most Development, Quality Assurance and Information Security teams operate in isolated communities and are rarely driven by the sentiment that security is fundamental for all parties involved.  Ultimately, the goal for any organization is to have a strong, well-defined security process within the SDLC; however, developing such a program can be quite overwhelming - even for the most mature organizations.

Risk Management provides a structured process for identifying, assessing and quantifying risk for an environment.  By applying a Risk Management-based approach, your organization will be able to kick-start its program and achieve success through a more palatable set of goals.

Through this approach, several significant variables are quantified in an effort to understand the threat against your Web Application infrastructure.  These variables include:

  1. Asset Value (AV)
  2. Vulnerability Severity (VS)
  3. Likelihood of Threat (TH)
  4. Applied Countermeasures (CM)
  5. Weighted Value for severity of vulnerabilities (WV)

The end-result of this program is to achieve an overall Risk Score (RS), which will aid in measuring compliance for your security policy and posture.  
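As an added illustration (not from the post, which does not say how the five variables combine), the following Python sketch scores a constructed portfolio of applications with the post's AV, VS, TH, CM and WV inputs and ranks them by Risk Score; the combining formula and the 1..5 scales are assumptions made for the example.

```python
"""Risk Score worked example (added illustration, not from the post).

Inputs follow the post: Asset Value (AV), Vulnerability Severity (VS),
Likelihood of Threat (TH), Applied Countermeasures (CM) and a Weighted
Value for severity (WV). How they combine is an ASSUMPTION made here.
"""
from dataclasses import dataclass

SCALE_MAX = 5   # AV, VS, TH scored 1..5; CM scored 0 (none) .. 4 (strong)

@dataclass
class AppRisk:
    name: str
    av: int     # Asset Value: business impact if the application is compromised
    vs: int     # Vulnerability Severity of the worst open finding
    th: int     # Likelihood of Threat: exposure and attacker interest
    cm: int     # Applied Countermeasures already in place (patching, WAF, ...)
    wv: float   # Weighted Value for the finding's severity class

def risk_score(r: AppRisk) -> float:
    """ASSUMED formula: RS = AV * VS * WV * residual TH, where countermeasures
    reduce the threat likelihood linearly (cm == 4 leaves one fifth of it)."""
    for value, high in ((r.av, SCALE_MAX), (r.vs, SCALE_MAX),
                        (r.th, SCALE_MAX), (r.cm, SCALE_MAX - 1)):
        if not 0 <= value <= high:
            raise ValueError(f"{r.name}: factor {value} outside 0..{high}")
    residual_th = r.th * (SCALE_MAX - r.cm) / SCALE_MAX
    return r.av * r.vs * r.wv * residual_th

def prioritize(apps, policy_max: float):
    """Rank applications by RS and flag those above the policy ceiling; this
    is where the score feeds the compliance measurement the post mentions."""
    ranked = sorted(apps, key=risk_score, reverse=True)
    return [(a.name, round(risk_score(a), 1), risk_score(a) > policy_max)
            for a in ranked]

# Constructed sample portfolio; every number is made up for the illustration.
SAMPLE_APPS = [
    AppRisk("customer-portal", av=5, vs=4, th=4, cm=1, wv=1.5),
    AppRisk("marketing-site",  av=2, vs=5, th=3, cm=0, wv=1.5),
    AppRisk("intranet-wiki",   av=3, vs=2, th=2, cm=3, wv=1.0),
]

if __name__ == "__main__":
    for name, rs, over in prioritize(SAMPLE_APPS, policy_max=50):
        print(f"{name:16} RS={rs:6.1f} {'OVER POLICY' if over else 'ok'}")
```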

Friday, May 2, 2008

Web Security 101

Over the past few weeks, I've read several posts from folks around the industry on how to secure web applications and I've read many interesting viewpoints. In my opinion, there are seven basic ideas that I believe any security professional should carry with them for web applications.

  1. Test Everything!

    The first concept for every security professional is to test everything. No amount of testing is ever enough: test, and simply keep testing. Running one scan with some tool and reviewing the results does not mean testing should end. What was once a very secure application could absolutely be compromised tomorrow.

  2. Secure the foundation

    Web Applications are nothing more than applications running on an Operating System and, as such, it is still absolutely critical to secure the environment that they live in.

  3. Encrypt your data

    Data encryption can be applied in a number of areas within your architecture, whether that is SSL certificates, encryption of data in the database, or encryption of the file system. I'm not sure I have the ability to recommend the "type" of encryption, but use of encryption is highly recommended.

  4. Input Validation

    With Application Security vulnerabilities, the majority of the vulnerabilities lie with poor input validation. Using input validation in all areas of the application is absolutely critical. If you have the ability to find tools that will perform Input Analysis on your application prior to going live, I would highly recommend employing them. For those not familiar with Input Analysis techniques, these are solutions that search for every component of your application where input is taken in (controls, form fields, etc.) and assist with the validation of those points.

  5. Strong Authentication

    Authentication is key to applications and the use of strongly authenticated users or sessions is necessary. If strong authentication is not always an option, at the very least, please encourage your users (or security policy) to use strong passwords.

  6. Control Access to the Application

    As discussed in our AJAX post, validation of data is a very difficult aspect of security around your web application. Validating every single request to your web application is sometimes difficult; however, my recommendation is to do your best here.

  7. Session Management

    Session Management is yet another very serious aspect of securing your web application. Points of weakness in many web applications are found where developers make a great effort to create their own session management schemes.  Three words that I have for you: (1) cryptographically strong, (2) random, (3) strong protection.
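To show what those three words look like in practice, here is an added example (not code from the post) of a minimal server-side session store: ids come from the OS CSPRNG, only a digest of each id is kept, sessions expire on inactivity, and the id is rotated after login. The class name, timeout and token length are choices made for the example.

```python
"""Session store example (added illustration, not from the post).

Cryptographically strong + random: ids come from secrets (the OS CSPRNG).
Strong protection: only a digest is stored, sessions time out, and the id
is rotated after authentication so a pre-login id is never promoted.
"""
import hashlib
import secrets
import time

TOKEN_BYTES = 32        # 256 bits of entropy: unguessable by design
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped

def _digest(token: str) -> str:
    # Store only SHA-256(token); a leaked session table then cannot be
    # replayed as live session ids.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    """Server-side session table keyed by the digest of the session id."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested offline
        self._sessions = {}   # digest -> {"user": str, "last_seen": float}

    def create(self, user: str) -> str:
        # secrets, not random: random.random() is a predictable PRNG, and
        # ids derived from a counter or timestamp are guessable.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[_digest(token)] = {"user": user, "last_seen": self._clock()}
        return token

    def lookup(self, presented: str):
        """Return the user owning a live session id, else None."""
        key = _digest(presented)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]   # expired: remove it and refuse
            return None
        sess["last_seen"] = self._clock()
        return sess["user"]

    def rotate(self, presented: str):
        """Swap in a fresh id after login or a privilege change."""
        user = self.lookup(presented)
        if user is None:
            return None
        del self._sessions[_digest(presented)]
        return self.create(user)

    def destroy(self, presented: str) -> None:
        self._sessions.pop(_digest(presented), None)
```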

Again, these are only a few thoughts that I'm throwing around here ....there are a thousand other things that could be considered so please don't consider this the almighty list [no flames, please].

Saturday, April 5, 2008

TRISC Conference

For those of you living around Texas, you might be interested in this conference. TRISC 2008 will be held April 21-23 with a theme of "Back to Basics: People, Processes & Products". It's being held at the Omni San Antonio Hotel at the ColonNade. Check out the website at:

http://www.trisc.org/

Mark your calendars for TRISC 2008!

Properties of Secure Hash Functions

A very interesting article on Properties of Secure Hash Functions

Enjoy!

Friday, March 28, 2008

Microsoft asks web developers to 'bet on us'

Okay...so *usually*, I try not to feed too much off of simple articles on the web, but as I am flipping through the news journals, I have run across (yet) another interesting post. Before reading on ...yes...let's put this into perspective. Yes...Microsoft is the whipping boy, yes...they are the biggest...yes...they have the most to deal with (ok....so I made that last part up). Read on ....

[ Article ]

Apple's Leopard lasts '30 seconds' in hack contest

Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival operating systems Ubuntu and Windows Vista so far remaining impenetrable in the CanSecWest PWN to Own competition. Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — has successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning $10,000 (£5,000) as a result. Although the competition recorded the hack taking eight minutes, Charlie Miller, a principal analyst with ISE, told ZDNet.com.au that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Safari web browser.

[ Article ]

wep cracking 101

WEP was intended to provide confidentiality comparable to that of a traditional wired network. Several serious weaknesses were identified by cryptanalysts; a WEP connection can be cracked with readily available software within minutes. WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, followed by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite its weaknesses, WEP provides a level of security that may deter casual snooping. (Source: Wikipedia)

Trust me when I say that this is not the most comprehensive posting on WEP cracking, but I received a request from a friend of mine to provide the "short and sweet" on WEP cracking ... so I thought I would share this very short tutorial. The sample I am going to provide has several limitations (e.g. I am only demonstrating an ARP replay attack; there are several other methods of attack), but we are simply giving a brief overview.

Video sample of instructions

There are four basic steps (well...at least in this example) to cracking a WEP key. The broad overview is as follows:

  1. Setup network interface card to monitor mode with airmon-ng (madwifi drivers for packet injection)

  2. Execute airodump-ng for sniffing wireless traffic and creation of "cap" file (to be used later with aircrack-ng)

  3. Execute aireplay-ng to create traffic for the generation and capture of IV's (we will be using an ARP-Replay attack (-3))

  4. Execute aircrack-ng against the generated cap file


Step One: Setting up your NIC with airmon-ng

  • The first step (and often daunting, even for the experienced administrator) in our quest for cracking a WEP key is to set up the network interface card on your system. For our example, we are utilizing the Netgear 108 Wireless PC Card (WG511T), which is based on the Atheros chipset, for packet injection. To set your NIC to monitor mode, we must first execute a couple of commands in order to initialize our card. The first two commands you will execute are:

    # rmmod ath_pci
    # modprobe ath_pci

Once you have executed these two commands, your interface will be ready to use with the airmon-ng script for setting your card into monitor mode, for use with the madwifi drivers for packet injection.

  • The second step in setting up your NIC card is to engage the madwifi-ng drivers. Because the madwifi-ng drivers allow multiple virtual access points to be run, personally, I like to destroy and then create a new VAP on each session ... simply to make sure I understand what I have set up on the system. To do this, you will execute the following commands:

    # airmon-ng stop ath0
    # airmon-ng start wifi0 1
    # macchanger -m 00:12:23:34:45:56 ath0

    These commands will destroy the current VAP and create a new parent VAP, as well as enable monitor mode on the ath0 interface. You should now be able to execute the "iwconfig" command to verify that your ath0 interface is in monitor mode for sniffing wireless traffic.


Step Two: Discovering a target with airodump-ng

  • The first step taken with airodump-ng is to initiate a session so that you can obtain information regarding a target access point. You will launch airodump-ng with the following command:

    # airodump-ng ath0 (ath1,ath2,...)

    Once you have determined the target access point for your capture, you will perform the following setup.

    # airodump-ng -w FileToCrack -c targetAP_ChannelNumber ath0

    Once this process is started...move to step 3.


Step Three: Initiate aireplay-ng

  • One purpose of aireplay-ng is to move along the process of capturing IV's for cracking. This step will submit traffic to the access point so that it stimulates the AP into responding with initialization vectors in the ARP response. We are able to accomplish this with two simple steps. Keep in mind that we are ONLY demonstrating one single method of attack here (but it is (probably) the most popular method). For our example, we will assume that the target AP name is "tdurden" running on channel 6.

    # aireplay-ng -1 0 -e tdurden -a target_ap_mac -h our_mac_addr ath0

    Once this process successfully completes, initiate the following command.

    # aireplay-ng -3 -b target_ap_mac -h our_cards_mac_address ath0

    This will start the initiation of ARP requests to the access point. Once you have captured enough ARP requests, you may then use aircrack-ng to crack the WEP key based on the traffic capture in the .CAP file.


Step Four: Cracking our WEP key with aircrack-ng

  • The final step is to initiate the aircrack-ng script against your .CAP file (generated by airodump-ng). Simply issue the following command:

    # aircrack-ng FileToCrack.cap

    If you have captured a sufficient number of IV's from the ARP-replay attack then you should have a successful decryption of the WEP key.



Thursday, January 17, 2008

ajax security (book release)

Billy Hoffman and Bryan Sullivan released a new book on AJAX Security this last month (or so). For those of you who aren't familiar with Billy and Bryan, they are/were involved in the SPI Dynamics group before being acquired by HP Software in late 2007. I would highly recommend that you grab a copy of this book for your library.

AJAX Security Book

[Ripped from Amazon]

Billy Hoffman is the lead researcher for HP Security Labs of HP Software. At HP, Billy focuses on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and Web crawling technologies. He has worked in the security space since 2001 after he wrote an article on cracking software for 2600, “The Hacker Quarterly,” and learned that people would pay him to be curious. Over the years Billy has worked a variety of projects including reverse engineering file formats, micro-controllers, JavaScript malware, and magstripes. He is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes.

Bryan Sullivan is a software development manager for the Application Security Center division of HP Software. He has been a professional software developer and development manager for over 12 years, with the last five years focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007. While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and RSA. He was involved in the creation of the Application Vulnerability Description Language (AVDL) and has three patents on security assessment and remediation methodologies pending review.