Tuesday, May 31, 2011

Review: How to Break Web Software by Andrews and Whittaker

I haven't had to travel much over the last couple of weeks, which has been good for me in that I get to work on my reading list a bit.  I picked up "How to Break Web Software" for a trip a little while ago, and never got to the book.  Not having to travel coupled with the long weekend gave me some time to read and digest this book.  Here are a couple of things that I really liked about this book:

  • I really liked the table of regular expressions that is included in chapter 2.  To me, this is great because after I have retrieved source code, I can script out exactly what I'm looking for; especially hidden fields.
  • I liked the fact that the CD contained some older software that is not easily found on the web.  While the functionality of some of these tools is rolled up into newer software, there are times that I want to perform just what these tools do, and nothing more.  HttpPrint is highly useful to me as there are plenty of times I get on site and the client either doesn't know what they have, or doesn't want me to know all that they have.  SSLDigger is great for letting the client know how strong their SSL is.
  • The book includes its own vulnerable web application where you can practice some of these attacks.
  • I liked the chapter on Web Services.  More and more, I'm running into web services, and while some of the more advanced tools cover the services, it is good to have a primer on the various technologies involved.
Overall, I enjoyed the book.  In my estimation, the material is basic, and gives a great jumping off point for someone getting into testing/breaking web applications.  With the tools, a reader can dive into the material, practice, and really start to get a foundation for breaking web applications.

Thursday, May 26, 2011

DISA guidance with regard to cross-site tracing?

I've been doing some reading concerning different ways to test applications, and more specifically, web applications.  The last couple of books have mentioned cross-site tracing, and how to test to see if the server could be vulnerable.  We use WebInspect on many of our tests, and I know I have seen the vulnerability come up.  But that got me thinking:  where does DISA./DoD talk about configuring the web server to turn off TRACE?  I looked through the Apache STIG (both 1.3.x and 2.x) and the IIS STIG (both IIS 5 and 6.)  I did not find any mention of the TRACE verb and how the server should be configured in the DoD's eyes.  Further, I looked in the Application Security and Development STIG, and I did not see a finding/check in that STIG either.  (I did not expect to, since the finding really is a function of the server, and not the application.)

The closest the Application Security and Development STIG comes is a discussion in the finding for cross-site scripting.  There are three checks within the cross-site scripting finding that deal directly with cross-site scripting.  The fourth check specifically discusses the HttpOnly flag being set on cookies.  However, what makes cross-site tracing a bigger risk is that it has the ability to read/steal/reveal cookies even if the cookies have the HttpOnly flag set.

A great paper on the attack is here.

So, am I missing something in a STIG or checklist?  Or, is there really no guidance on web servers for the TRACE verb?

Tuesday, May 24, 2011

Sony Security Timeline

I don't have an iron in the fire, however I wanted to track how this story plays out; mostly so I could refer back to the timeline.  The poll on Slashdot the other week got me thinking about the various security issues Sony has faced over the past couple of years.  So, I briefly compiled this list.  I'll update it as it plays out. 

10/31/05 - Sony BMG copy protection rootkit scandal
Mark Russinovich's blog posting

2/9/11 - Sony Retweets the PS3 key
FuriousFanboys article

4/17/11 - Sony PlayStation Network hacked
Wikipedia article

5/20/11 - Phishing site found on a Sony Thailand server
F-Secure posting

5/22/11 - Sony BMG Greece hacked
Sophos posting

5/25/11 - SONY Ericsson Canadian e-commerce site
Sophos posting

6/2/11 - Sony Pictures
ISC posting

6/4/11 - Sony Europe
Zero Day posting

6/6/11 - Sony Computer Entertainment Development Network
The Epoch Times

6/9/11 - Sony Portugal
Naked Security

I must have missed a bunch, because this article mentions the 20th breach:
6/20/11 - Sony Pictures France

7/5/11 - Sony Music Ireland
Naked Security

edit:  5/25/11 - add the Canada hack
6/3/11 - add Sony Pictures
6/6/11 - added Sony Europe
6/7/11 - added Sony Computer Entertainment Development Network
6/9/11 - added Sony Portugal
6/20/11 - added Sony Pictures France
7/5/11 - added Sony Music Ireland

Thursday, May 19, 2011

Review: Web Security Testing Cookbook by Paco Hope & Ben Walther

I’m not much for writing reviews of books that I read, but I wanted to heap some praise on this excellent book.  As a DoD auditor, more and more, especially in enterprise systems, we are running into applications; specifically web applications.  While auditing web servers, database servers, and operating systems is pretty generic (usually,) auditing the enterprise web applications is anything but.  To that end, I’ve picked up some books on (pen)testing web applications with the goal of sharpening my skills and better being able to answers the technical checks from the Application Security and Development checklist.

The Web Security Testing Cookbook by Paco Hope and Ben Walther is an excellent book for helping to be a better web application tester.  I should point out that the book is not aimed at pen-testers by any stretch; it is clearly aimed at in-house application testers.  But, that does not mean that the tools and concepts provided do not translate well to the auditor/pen-tester field.  In fact, it is with the eye of an auditor that I believe I was able to glean bits of information that I found useful that may not necessarily apply to an in-house application tester.

Like other books in the O’Reilly cookbook series, the book contains recipes to solving various problems.  Typically, within each chapter are a collection of like-recipes that have a problem, a solution, and a discussion.  Many tools are discussed (most of which are free or open source.)  And, many solutions are given to the various topics of testing.

Here is what I liked:

Chapter Two was awesome for me; a listing of the various tools that are used in the book.  Some of these tools I’ve heard of and used, some were new.  This was important to me because many times I am limited to “certified” tools for the networks we are auditing.  For example, most sites allow us to use Retina, but not Nessus.  On the application side, we are typically allowed to use HP’s WebInspect.  The tools listed in chapter two allow me to take a more “manual” approach to testing the application.  Specifically, I liked Firebug, EditCookies and TamperData, WebScarab, and ViewState Decoder.  One note, while testing Edit Cookies, I was not able to get it to work with FireFox 4, at the time of this writing.

The chapter on Basic Observation gave me a new appreciation for hidden fields and what you can do with them.

I do not have much experience with web encoding, so chapter four got me up to speed on the topic.  A recipe dealt with OWASP’s CAL9000, however another good encoder I have used is the one linked to by the Ethical Hacker:  http://yehg.org/encoding/.

Chapter 5, Tampering With Data, was one of my favorite chapters.  Many recipes were discussed, using the tools to show different ways to tamper with the data being sent to the application.  My favorite recipe in the book came from this chapter and discussed uploading of files with malicious files names; a concept I never gave much thought in the past.

Chapter 6 discussed the automation of some of the rudimentary tasks.  Some of the great tools discussed included wget, nikto, WSFuzzer, along with native *nix tools.

Chapter 7 dealt with cURL, a tool I’ve never used before but will probably add to the toolbox.  The first sentence in the chapter sums it up perfectly:  “cURL is a command-line URL tool that is ideal for automating simple web testing tasks.”  Many recipes were presented that gave examples of using cURL to accomplish common tasks.

Uploading viruses to an application (via EICAR), in chapter 8, was a that never dawned on me.  And, included with the concept is a snippet of Perl code that will do the trick.  Yet another great feature of the book is the inclusion of much Perl code to make the scripting of many of the recipes possible.

Chapter 11, on manipulating sessions, was enjoyable because I liked the presentation of the various tools to attack sessions and session state.  There are checks in the Application Development checklist that are specific to session state, so it was good to expand on my arsenal of tools to check sessions.

Probably the best feature of the book was that it gave me many "A-Ha" moments that will greatly expand my knowledge of auditing applications.  If you are in a position of having to audit web applications you will benefit from reading the recipes presented and using the tools described.

Monday, May 16, 2011

Draft Red Hat 5 STIG released

I just noticed that DISA has released version 1 of the Red Hat 5 STIG.  I've only taken a cursory look through the XML STIG, and it looks to be the unix STIG with specific guidance pointed towards Red Hat 5.