security

One of the first steps of any web application security audit is to determine what software is installed, which allows you to search for known vulnerabilities at websites like Bugtraq. The Weblog Tools Collection blog recently had a post asking readers to guess how many WordPress plugins they had installed, with the prize being a pro account on Flickr. I'm not a big fan of guessing games, so I thought I would write a simple VuGen script to find the answer. Using the list of plugins taken from my post on content scraping, I got a list of all the [...]

Princeton researchers released a research paper yesterday which documents Cross-Site Request Forgery vulnerabilities in 4 well known commercial websites (ING Direct, NY Times, Youtube, and Metafilter). It makes for interesting reading. Wikipedia article on Cross-Site Request Forgery Jeff Atwood of Coding Horror has a blog post on CSRF CSRF FAQ at CGI Security

In my first post I gave a very brief overview of the web security testing products offered by HP. Unfortunately people's understanding of where the products should fit into the software development lifecycle is still weak. This is even the case inside HP. Here is a current slide from HP Software... The obvious, glaring problem with this diagram is that WebInspect is being promoted as a tool to be used in Production. As someone who has spent a long time working in highly technical areas of testing, I have some huge problems with this, and most of my clients will [...]

Something that confuses new users to WebInspect is that the Web Macro Recorder will not record any requests to http://127.0.0.1 or http://localhost. This can cause much head scratching for someone who just wants to try something out on their local machine. The simple solution to this is to add an entry to your hosts file, and use the alias instead of localhost. So (for those who need me to spell it out for them), to record a macro for the HP WebTours website on my local machine (http://127.0.0.1:1080/WebTours/), I added the following line to my hosts file (C:WINDOWSsystem32driversetchosts)... # HP/Mercury [...]

I live in a bad neighbourhood...well, okay, not a really bad neighbourhood but its close proximity to the CBD and its abundance of funky bars, galleries and restaurants is neatly balanced by a high concentration of government housing that seems to go hand-in-hand with junkies panhandling outside the supermarket, groups of people drinking in the street during the day, and the occasional stabbing near the public housing estate. Anyway, living in my neighbourhood means that people keep trying to break into my car. I usually know if they have been successful when I find my car unlocked in the morning [...]

HTTPS will protect your application. Just because a user's browser displays a lock icon when they visit your website, doesn't mean that your website is secure. HTTP over SSL (HTTPS) only encrypts the traffic between the user and the web server, which prevents snooping of the user's traffic. It does not prevent a user sending malicious requests to the web server. A firewall will protect your application. Firewalls are great; you can lock down every non-essential port on your server. But you can't prevent people from accessing port 80 (or 443) or you will have the worlds least-used web server. If port 80 [...]

Akamai, who provide transparent mirroring of web content for high-traffic websites, see a large sample of Internet traffic. They have started to report on some of the trends they see in their traffic patterns (while some not so subtle points about how good they are). Their first report covers Q1 2008 (January - March). The report is available from http://www.akamai.com/stateoftheinternet/ (registration required). Here are some of the security-related things that I found interesting Approximately 2% of all inter-domain Internet traffic was DDoS traffic (does not include spam, phishing, scans or other malicious traffic). The "Anonymous" DDoS attack on the Church [...]

Lock Picked with Toilet Paper Tube

WebInspect is definitely not a stealthy tool; and that's fine, because you shouldn't be secretly auditing anyone's website. Here are a few of the signs that WebInspect leaves when doing a crawl and audit of a website. WebInspect Scan Signature: The webinspect scan signature is a request that webinspect sends to the server with the text SCANNED-BY-SPI-DYNAMICS-WEBINSPECT-WWW.SPIDYNAMICS.COM. This will be found in the webserver logs, identifying that a scan has taken place. In the web server logs, the request may look something like this... 127.0.0.1 - - [03/Feb/2008:18:44:08 +1000] "GET /----SCANNED-BY-HP-WEBINSPECT---- HTTP/1.1" 404 -1 "http://127.0.0.1:1080/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows [...]

Super-fast posting mode... Slashdot review of Google Hacking for Penetration Testers The book on the publisher's website http://www.syngress.com/catalog/?pid=3150 Google Hacking database (from the author) http://johnny.ihackstuff.com/ghdb.php Google Hacking on Wikipedia http://en.wikipedia.org/wiki/Google_hacking Author's website http://johnny.ihackstuff.com/ Direct download of the PDF of the book (33MB) (removed) http://www.scribd.com/word/download/319798?extension=pdf Flash-based online reader of the book (removed) http://www.scribd.com/doc/319798/Google-Hacking-for-Penetration-Testers New version of the book to be released sometime soon Update: a new version of the book has been released, and is available from Amazon.

For those who want to have a look at what WebInspect can do, there is a free 15-day trial available. Note that you will need to provide a valid email address to receive your trial license key, and you will also need to install SQL Server 2005 or SQL Server 2005 Express Edition (free download from Microsoft [36MB]). There is a test website you can scan for vulnerabilities at http://zero.webappsecurity.com, which is fortunate because this is the only website you can scan with your trial license... Also, you may wish to turn off some of the resident protection software that [...]

On June 19, HP announced in a press release that it had signed an agreement to acquire SPI Dynamics, a software company specialising in web security testing tools. The deal was finalised on August 1, and it is only now that theses new tools are reaching the wider pool of technical people (like me) at HP partner companies. Purchasing SPI Dynamics nicely compliments HP's November 2006 purchase of Mercury, who were best known for their defect management, functional test automation and performance testing tools. IBM has a similar portfolio in the software testing space, with the Rational products and their [...]

Last week I posted a question asking how I could recover or change the password for a VMware guest operating system (Windows 2000) that I had forgotten the password for. After receiving no useful suggestions, this week I allocated some time to solving the problem. Windows password recovery tools usually consist of a bootable CD image containing a version of Linux that will overwrite the NT password with a known value or will extract the hashed password from the filesystem. To boot your virtual machine from a CD, you must change the boot order in the virtual machine's BIOS. Press [...]

Sometimes when creating performance testing scripts, you will stumble upon vulnerabilities in the application under test. Maybe you will miss a value you should have correlated before sending to the server, and when you go back and check your script you will find that (hypothetically) the web store is allowing you to purchase every item in their inventory for $9.95. This is the sort of problem that will never show up under functional testing, as the client application should always sent good (validated on the client side) data to the server. Once you expose your application to the world by [...]