Acunetix Web Vulnerability Scanner 5 Review

After the LANguard NSS 8 review, I thought I should repeat the experience of testing an industry-grade vulnerability scanner, enterprise edition of course: the brand new Acunetix Web Vulnerability Scanner v5.

Note : This is not a sponsored review.


So I presented my plan to Tamara Borg @ Acunetix and she was kind enough to provide me an enterprise edition license of Acunetix WVS 5. Sweet. I’m glad I tested this software, as it was a nice surprise to see all the features you would expect from a web application security scanner packed into an easy to use, sharply designed application.

For my tests I used a VMware install of PACMS: Personal AJAX CMS (heavy JavaScript usage), because I was really curious about the new JavaScript interpreter deployed in Acunetix 5.

The Scan
So without further ado, I fired up Acunetix WVS and began to work on my assessment. There is a scanning wizard available in case you want a canned scan, or you can take matters into your own hands and define the targets and the scanning profile. You can choose one of the predefined scanning profiles (CGI tester, parameter manipulation (XSS, SQL, CRLF, etc.), file checks, known web applications, etc.) or you can define your own profile.

I chose the default profile, and 40 minutes and 37,616 HTTP requests later the scan was finished and the results were ready for analysis. It’s worth noting that during a scan you can manually verify any vulnerability using the built-in HTTP Editor. Although the scan results are automatically saved in a database (SQL Server or MS Access), you can also save the whole scan session for further investigation. Pretty handy for short on-site assessments when you want to grab as much data as possible for further crunching.

The Reports
Acunetix WVS provides a separate report generator, and it’s very easy to generate a report based on any scan stored in the database. You can customize the report with your own logo and captions, as well as choose which information to include in it. I preferred to use the default template and chose to generate 3 reports for my assessment, all of them available as PDF for download.

The Custom Vulnerability Checks
Acunetix WVS offers the option to define custom checks, which are merged into the main body of vulnerabilities, and one can easily integrate these checks into the scanning profiles. A very useful feature for internal QA assessments, I must say.

The Tools
Undoubtedly, automatic scanning does a great job at discovering application vulnerabilities such as Cross Site Scripting, SQL injection, CSRF and XPath injection. However, manual security analysis requires powerful additional tools, and Acunetix WVS provides the penetration tester with a well-structured collection of such tools (a.k.a. a web security Swiss army knife):

  • Site Crawler
  • Target Finder
  • Subdomain Scanner
  • HTTP Editor
  • HTTP Sniffer
  • HTTP Fuzzer
  • Authentication Tester

The Extras
As if that wasn’t enough, here are just a few features that truly make Acunetix WVS 5 stand out from the crowd:

  • Command line support - good for scripting and automated tasks
  • Scanning Scheduler - define the scan once, schedule it and forget about it; you can always run differential reports later to check the status of vulnerabilities.
  • JavaScript / AJAX Support - Client Script Analyzer (CSA): parsing JavaScript is so yesterday; welcome to Document Object Model (DOM) real-time reconstruction.
  • WebService Support - got WSDL?
  • Flash Files Support: what’s behind that flashy animation?
  • Google Hacking Database Support: find out what Google might reveal about your site - because you don’t want to be known as a googledork!

The Conclusion
Acunetix Web Vulnerability Scanner 5 is definitely a most valuable ally in the battle against web security risks. This versatile software has successfully tackled the 80 / 20 problem of advanced software applications. It delivers good value for the money even if you use just 20 percent of its features, whereas in the hands of a web application security professional it reveals the 80 percent reserve of raw power.

I love it !

Download Acunetix WVS 5 and use it for the full 100 percent!

If you enjoyed this post, make sure you subscribe to my RSS feed!

Tenable Passive Vulnerability Scanner - IDS / Sniffer / Scanner ?

I was reading about Tenable’s new Passive Vulnerability Scanner (PVS), which can monitor traffic for as many as 25,000 systems whilst passively detecting vulnerabilities.

From the PVS datasheet, it can continuously monitor the traffic for a variety of security related information including:

  • Keeping track of all client and server application vulnerabilities
  • Detecting when an application is compromised or subverted
  • Detecting which applications and servers host or transmit sensitive data
  • Detecting when new hosts are added to the network
  • Detecting when an internal system begins to port scan other systems
  • Highlighting all interactive and encrypted network sessions
  • Tracking exactly which systems communicate with other internal systems
  • Detecting which ports are served and which ports are browsed for each individual system
  • Passively determining the type of operating system of each active host

I have to admit that this sounds like a cool combination of IDS and sniffer devices, and it sure helps to have an all-seeing eye inside your network. The part that I don’t get in PVS is the "Scanner".

Each PVS is deployed like a sniffer. It needs to be attached to a switch SPAN port or a network tap, or it can be deployed directly on commonly used servers.

Again, this deployment scenario is typical of a network sniffer performing protocol decapsulation and analysis.
By definition, a vulnerability scanner is a proactive security control, whereas an IDS is a reactive control.

Of course, using an IDS may prevent some successful exploits from taking over a specific system (incident response tickets can take care of this), but labeling a system as vulnerable just because PVS has detected malicious traffic to or from that system is a reactive security action.

I guess this is the reason Tenable is strongly recommending a combination of scanning, host-based and passive monitoring. But still, how can a passive network sniffer qualify as a vulnerability scanner?

Update: The Passive Vulnerability Scanner’s plugin rule base was recently updated with new logic to recognize a variety of client-side account information for services such as AIM, MySpace and many others.

  • 1329 return email addr
  • 2341 POP3 User
  • 2600 MSN Messenger UserID
  • 2609 PGP Sender email
  • 3018 HTTP Base64 encoded credentials
  • 3954 IDA Pro UserID
  • 4082 AOL Instant Messenger user enumeration
  • 4098 IMAP UserID enumeration
  • 9000 Myspace UserID
  • 9001 Facebook UserID
  • 9003 Xanga UserID
  • 9005 gmail userID
  • 9006 XM Radio UserID

Pretty cool spying tools :) .


Free Safe Browsing API from Google

Google has released its Safe Browsing API, thus giving any application access to its malware URL database. The Safe Browsing API allows client applications to check URLs against Google’s constantly-updated blacklists of suspected phishing and malware pages.

You must have a Google Account to get a Safe Browsing API key, and your API key will be connected to your Google Account.

I have generated my API key and updated the two lists of phishing and malware hosting URLs.

[goog-malware-hash 1.77] +0000a2e9842085e75a57282eff0e7832 +0001849970ec2acd0b73bfa18eb91ac8 +0001b67cc3f39afdb2a2acb71cd7f869 +00023d5c9707dbe4bece6a215e725f96…

[goog-black-hash 1.830] +00007d518f6b658dc1776bb76ca2b29e +0000d595886c972265a26d38eb07ba2e +00156d6e1cce6db8906c9073d06e572b +00194c0e4a92d09a81748bb214fb245c …

The lists contain MD5 hashes of the actual URLs, which is quite useful as it leaves it up to the developer to use this data as needed. However, Google recommends two standard messages to be shown to users should they try to open a blacklisted URL:

  • Warning- Suspected phishing page. This page may be a forgery or imitation of another website, designed to trick users into sharing personal or financial information. Entering any personal information on this page may result in identity theft or other abuse. You can find out more about phishing from www.antiphishing.org.
  • Warning- Visiting this web site may harm your computer. This page appears to contain malicious code that could be downloaded to your computer without your consent. You can learn more about harmful web content including viruses and other malicious code and how to protect your computer at StopBadware.org.
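As an added example (not Google’s client code and not part of the original post), here is how a client could consume lists in the "[name version] +hash" layout shown above: parse the blocks, hash a URL the same way and look it up. The canonicalisation is a simplified assumption (Google’s real rules are more involved) and the feed is constructed from two made-up URLs, so the hashes are not real blacklist entries.

```python
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit


def canonicalize(url: str) -> str:
    """Simplified canonicalisation (assumption, not Google's full rule set):
    lowercase scheme and host, drop the fragment and default ports, ensure a path."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def url_hash(url: str) -> str:
    """MD5 of the canonical URL, which is what the lists contain."""
    return hashlib.md5(canonicalize(url).encode("utf-8")).hexdigest()


def parse_hash_lists(text: str) -> dict:
    """Parse '[name version] +hash -hash ...' blocks into {name: (version, set_of_hashes)}.
    '+' adds an entry; '-' removes one (the incremental-update convention)."""
    lists = {}
    for block in re.finditer(r"\[(\S+) ([\d.]+)\]([^\[]*)", text):
        name, version, body = block.group(1), block.group(2), block.group(3)
        hashes = lists.setdefault(name, {"version": version, "hashes": set()})
        hashes["version"] = version
        for token in body.split():
            op, digest = token[0], token[1:].lower()
            if op == "+" and re.fullmatch(r"[0-9a-f]{32}", digest):
                hashes["hashes"].add(digest)
            elif op == "-":
                hashes["hashes"].discard(digest)
    return {n: (v["version"], v["hashes"]) for n, v in lists.items()}


def check_url(url: str, lists: dict):
    """Return the name of the first list containing the URL's hash, or None."""
    digest = url_hash(url)
    for name, (_version, hashes) in lists.items():
        if digest in hashes:
            return name
    return None


# Constructed sample feed: hashes of two made-up URLs plus one removal, not real data.
SAMPLE_FEED = (
    "[goog-black-hash 1.830] +" + url_hash("http://phish.example.test/login.php")
    + " [goog-malware-hash 1.77] +" + url_hash("http://badware.example.test/drop.exe")
    + " -" + url_hash("http://cleaned.example.test/")
)

if __name__ == "__main__":
    lists = parse_hash_lists(SAMPLE_FEED)
    for candidate in ("http://PHISH.example.test/login.php#frag", "http://cleaned.example.test/"):
        print(candidate, "->", check_url(candidate, lists))
```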

I welcome this new tool designed to protect and improve the user browsing experience. In the near future it would be nice to see a collaboration and, why not, an integration with phishtank.com’s anti-phishing APIs.


w3af, the Web Application Attack and Audit Framework

Andres Riancho has released w3af 1.0, the Web Application Attack and Audit Framework.


This framework is written in Python and resembles Metasploit, having an architecture based on plugins:

  • Discovery plugins have only one responsibility: finding new URLs, forms and other "injection points".
  • Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities.
  • Attack plugins’ objective is to exploit vulnerabilities found by audit plugins. They usually return a shell on the remote server, or a dump of remote databases in the case of SQL injections.
  • Evasion plugins are used to try to evade IDSs.
  • Grep plugins are used to analyze every response that the server returns (no matter what plugin initiated the request) for interesting things.
  • Output plugins are used to write the output of other plugins and the framework itself into a convenient format.

In order to use this tool efficiently, you can read the w3af Users Guide (PDF). I will post more on this framework, so stay tuned.


DirBuster : A New Web Application Brute Force Tool

I read today about a new tool for web brute forcing: DirBuster. It is a multi-threaded Java application designed to brute force directory and file names on web/application servers.

DirBuster provides the following features:

  • Multi-threaded (recorded at over 2800 requests/sec)
  • Works over both HTTP and HTTPS
  • Scans for both directories and files
  • Will recursively scan deeper into directories it finds
  • Able to perform a list-based or pure brute force scan
  • DirBuster can be started on any directory
  • Custom HTTP headers can be added
  • Proxy support
  • Auto switching between HEAD and GET requests
  • Content analysis mode when failed attempts come back as 200
  • Custom file extensions can be used
  • Performance can be adjusted while the program is running

What I found to be interesting is the usage of real directory names harvested by spiders from the Internet. I guess it can be used very well alongside nikto.

As cute as the developers’ website name is, DirBuster can put your application between the hammer and the anvil :)
http://www.sittinglittleduck.com/DirBuster/


AQTRONIX WebKnight - Open Source Web Application Firewall

I found out today about AQTRONIX WebKnight, an open source alternative to Microsoft’s URLScan, and I’m curious to see if anybody has used it and what the results were.


AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License.

More particularly it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered WebKnight will take over and protect the web server. It does this by scanning all requests and processing them based on filter rules, set by the administrator.

These rules are not based on a database of attack signatures that require regular updates. Instead, WebKnight uses security filters for buffer overflow, SQL injection, directory traversal, character encoding and other attacks. This way WebKnight can protect your server against all known and unknown attacks.

Because WebKnight is an ISAPI filter, it has the advantage of working closely with the web server; this way it can do more than other firewalls and intrusion detection systems, like scanning encrypted traffic.

My first thought was: how does this product relate to URLScan? The FAQ entry states:

Is WebKnight meant to be a complete alternative to IISLockDown and URLScan?
It is meant as an alternative to URLScan, not IISLockDown, because this last one does things an ISAPI filter cannot do. As for URLScan, all of its functionality is implemented in WebKnight. I’ve seen WebKnight blocking malicious requests URLScan didn’t block.

As always, I invite you to download AQTRONIX WebKnight and give it a spin.


Microsoft KB Article on How To Hack IIS

In addressing an IIS 5 bug (CVE-2007-2815), Microsoft Knowledge Base article #328832 went a step further in presenting the conditions needed to reproduce the issue: they provided step by step instructions for what is basically an exploit of the vulnerability :) Nice.

To make matters worse, the only fix suggested by Microsoft is to upgrade to IIS 6.0, because the status of this vulnerability is:

STATUS
This behavior is by design.

The KB article has been updated and the step by step instructions were removed. However, Google cache still has a copy of this:

1. In IIS 5.0 Service Pack 2 (SP2), create a folder named Dir1 in the Web site root (for example, C:\Inetpub\WWWRoot).
2. Create a file named File1.txt in Dir1, put some text in the file, and then save the file.
3. Set the authentication on the Web root folder in IIS to Anonymous authentication.
4. Set access in IIS to the Dir1 folder to Basic authentication only.
5. Using Anonymous authentication, open /Dir1/File1.txt. You receive an "Access Denied" error message.
6. Using Anonymous authentication, open the following URL (where null.htw represents your hit-highlighting file):
/null.htw?CiWebhitsfile=/dir1/file1.txt&CiRestriction=none&CiHiliteType=full

This will be successful.
In this case, the user can see the File1.txt file even when the user cannot be authenticated by IIS and cannot otherwise retrieve the file.

Note For steps 3 and 4, you can use IP address restriction to restrict the file.

It would be interesting to watch the logs for
/null.htw?CiWebhitsfile=/dir1/file1.txt&CiRestriction=none&CiHiliteType=full
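One way to do that watching, as an added example that is not from the KB article or the original post: a small Python routine over IIS W3C extended log lines that picks out requests to a .htw hit-highlighting file carrying a CiWebhitsfile parameter and reports which file was asked for, by whom, and whether the server answered 200. The log lines are constructed for the example; the field list follows the #Fields header, so a real log with different fields parses the same way.

```python
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format (not taken from any real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2007-05-21 10:01:02 10.0.0.5 - GET /index.html - 200
2007-05-21 10:01:09 10.0.0.5 - GET /Dir1/File1.txt - 401
2007-05-21 10:01:15 10.0.0.5 - GET /null.htw CiWebhitsfile=/dir1/file1.txt&CiRestriction=none&CiHiliteType=full 200
2007-05-21 10:02:30 10.0.0.7 jdoe GET /search.htw CiWebhitsfile=%2Fdocs%2Fpublic.htm&CiRestriction=report 200
2007-05-21 10:03:00 10.0.0.9 - GET /null.htw CiWebhitsfile=/dir1/file1.txt&CiRestriction=none 404
"""


def parse_iis_log(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_htw_webhits(text: str) -> list:
    """Return .htw requests that name a target file through CiWebhitsfile."""
    findings = []
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if not stem.endswith(".htw") or query == "-":
            continue
        # parse_qs URL-decodes values; lowercase the keys since IIS query names are case-insensitive
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        target = params.get("ciwebhitsfile", [""])[0]
        if not target:
            continue
        findings.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "ip": rec.get("c-ip"),
            "user": rec.get("cs-username"),
            "stem": rec.get("cs-uri-stem"),
            "target": target,
            "restriction": params.get("cirestriction", [""])[0],
            "status": rec.get("sc-status"),
            "served_anonymously": rec.get("sc-status") == "200" and rec.get("cs-username") == "-",
        })
    return findings


if __name__ == "__main__":
    for f in find_htw_webhits(SAMPLE_LOG):
        flag = "ANON 200" if f["served_anonymously"] else "        "
        print(f"{flag} {f['time']} {f['ip']:<10} {f['stem']} -> {f['target']} ({f['status']})")
```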


Online vs. Offline Gambling

I was reading today the FBI’s warning against online gambling for US citizens:

If you’ve ever thought about visiting a cyber casino, here’s something you should know: it’s illegal to gamble online in the United States.

“You can go to Vegas. You can go to Atlantic City. You can go to a racetrack. You can go to those places and gamble legally. But don’t do it online. It’s against the law,” says Leslie Bryant, head of our Cyber Crime Fraud unit at FBI Headquarters.

A couple of months ago I was talking to a fellow PCI auditor who worked most of his time in the Middle East, and he was telling me about the issues they have over there with online gambling. You see, currently there are no licensed casinos present in Bahrain, Iran, Saudi Arabia, Syria, UAE, Yemen, Iraq, Jordan and Kuwait, and this fact pushed a lot of people into online gambling. The latest trend was to use PDA/smartphone devices for online gambling.

I read now that the US bans online gambling and I can’t help wondering: which of the two "models" carries a bigger risk of financial fraud / money laundering? And since it’s illegal to operate an online casino business in the US, where are the datacenters and all the servers that host zillions of online gambling websites?

Looking at whois data for a couple of online casinos, I see that they don’t give a damn about US regulations :) . Yes, most of them are hosted in the US.


Beehive Zero Vulnerabilities - Myth BUSTED


In the pursuit of accurate statements about application security, Ory Segal took a new shot at Beehive, the last bulletin board which I considered bug-free in 2006. Well, it didn’t take him long to find not one, not two, but three new Beehive XSS vulnerabilities. I have installed Beehive 0.71 and indeed the vulnerabilities are confirmed.

/forum/links.php?webtag=FORUM_NAME&fid=1&viewmode=>"’><script>alert(1);</script>
/forum/links.php?webtag=FOEUM_NAME&fid=>"’><script>alert(1);</script>&viewmode=1
/forum/links.php?webtag=FORUM_NAME&fid=1&viewmode=0&page=1&sort_by=CREATED&sort_dir="><script>alert(1)</script>

What started as quick Secunia browsing for forum vulnerabilities turned into vulnerability assessments :) That was cool, and maybe it’s a nice idea to continue these tests. I’ll post more on this topic.

Ory gets all the credit for this one and, again, I updated the forum vulnerabilities post.

So, in true MythBusters’ style:
Zero vulnerabilities in any of the 10 most popular open source forums in 2006/2007: Myth BUSTED


NuFW 2.2 - An Authenticating Firewall

The release of NuFW 2.2 nearly slipped through a huge pile of unread mails. In case you wonder what NuFW is:

NuFW is an enterprise grade firewall that performs an authentication of every single connection passing through the IP filter, by transparently requesting user’s credentials before any filtering decision is taken.

Practically, this means security policies can integrate with the user directory, and bring the notion of user ID down to the IP layers. NuFW lays on Netfilter, the state of the art IP filtering layer from the Linux kernel. It fully integrates with Netfilter and extends its capabilities.

The daemons currently run on Linux, and software clients are available for Windows, Linux, FreeBSD and Mac OS X.

NuFW can:

  • Authenticate any connection that goes through your gateway or only from/to a chosen subset or a specific protocol (iptables is used to select the connections to authenticate).
  • Perform accounting, routing and quality of service based on users and not simply on IPs.
  • Filter packets with criteria such as the application and OS used by remote users.
  • Be the key of a secure and simple Single Sign On system.

Pretty impressive features (I love the fact it can differentiate Firefox vs. IE :). The software is released under the GPL license and there are binaries for all major Linux distributions. Props go to the guys at INL for building this software and making it open source.

I invite you to download NuFW and give it a spin.

UPDATE: New version NuFW 2.2.4 released:
This release fixes a security issue related to time-based filtering rules. A regression was leading packets not to be dropped when their arrival time was out of period. It also features some improvements and bugfixes.
