WordPress 2.1.3 SQL Injection Vulnerability

Six days after the WordPress 2.2 release, Janek Vind has discovered a vulnerability in WordPress 2.1.3 which can be exploited to conduct SQL injection attacks. Secunia has the scoop on this one:

Input passed to the "cookie" parameter in wp-admin/admin-ajax.php is not properly sanitized before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

As dangerous as this vulnerability seems, the attacker needs to know the database table prefix in order to carry out successful data enumeration.

I wonder how many of these vulnerabilities are found by source code analysis vs. Changelog.txt "reverse engineering" :)

Original Advisory : http://www.waraxe.us/advisory-50.html

 

Security Keywords MFA (made for ads) websites

In case you use AdSense, YPN or Chitika you might be interested in AdsBlackList.com’s free service, which lists hundreds of websites that you can filter so they do not appear on your website. Think of it as spamware protection :)

What is ABL? AdsBlackList.com is a unique project designed to enable you to dramatically reduce the amount of MFA (made for ads) and LCPC (low cost per click) sites which appear through the use of PPC systems such as Google Adsense™, Yahoo Publisher Network™ and Chitika eMiniMalls™

To test the service, I got a list of MFA sites which were generated for these keywords: security tips news spyware phishing virus trojan web vulnerabilities hackers computers windows free p2p linux firewall. I will not post the MFA URLs here; instead, you can download them as a PDF file here. If you choose to use this service, remember to double check the generated sites before updating your filters.

 

Blogging Platforms Vulnerabilities

Starting from the latest WordPress Akismet vulnerability, I was thinking of the impact that blogs have already made on the way we use the Internet nowadays. In terms of social networking and web interactions, Web 1.0 brought the forums. Web 2.0 brought the extensive use of blogs, and this fact isn’t going to change.

On May 16 WordPress released its 2.2 version and a few days later the download counter already shows 42,000 downloads. The install base is huge, and this is one of the reasons that blogs have become attractive targets for spammers and crackers. Spam comments are just one example of blog abuse.

I reviewed the number of security vulnerabilities published for the major blogging platforms in the past year (May 2006 - May 2007). The numbers are high, especially for the open source products (WordPress, Drupal).

The number of publicly disclosed vulnerabilities in blogging platforms between May 2006 and May 2007, according to the SecurityFocus vulnerability database:

However, it’s hard to say which blogging platform is most secure and it’s almost impossible to say which blogging platform is best for your blog. You can use a very convenient blog publishing system such as MovableType or TypePad, but you will face the black box approach when it comes to application security. Rolling your own install might seem difficult (although it’s not), but using an open source product brings you the advantage of quickly "looking under the bonnet" and applying a bugfix in seconds.

There is also the option of using a hosted blogging service such as blogger.com or wordpress.com, which saves you from keeping up with vulnerabilities and patches. I’m not going to get into the details of why you should or shouldn’t use such a service because Darren Rowse explained it very well at Problogger.net.

PhishTank vs. Anti-Phishing Working Group

Recently I’ve been asked to design a system to detect phishing attacks for a rather large organization. One of the first things that came to my mind was to contact the anti-phishing organizations to see how I could integrate with their systems.


Well, it turns out that the biggest two online anti-phishing databases are PhishTank and Anti-Phishing Working Group (APWG). However, I noticed some big differences between these two organizations.

1. Founders, Development and Support

  • PhishTank is operated by OpenDNS
  • APWG apparently is operated on a voluntary base but their Premium and Sponsored Members list is impressive because you can find almost all the big names in security; it’s like a Fortune 100 security directory :)

2. Services offered

  • Phishtank offers free submission (free reg. required) of suspect URLs considered to be phishing sites. They even provide a free API to integrate in your applications. You can add and search for a phishing site right away. Impressive.
  • APWG on the other hand offers the possibility to submit emails which are considered phishing emails. And that’s pretty much all that’s offered for free. The most recent publicly available scam email is dated July 4, 2005, almost 2 years ago. But you can go to one of their partners which sells the complete database of 175,916 email scams harvested so far.

So I might be completely off base here, but my guess is that PhishTank is truly a community effort whereas APWG is the product of a huge coalition of security vendors which use the submitted phishing data to improve their security tools.

Am I wrong about these assumptions and should I lower the level of paranoia & conspiracy theory? :)
Which service do you use and where would you submit a piece of phishing evidence ?

Biggest Identity Theft Incidents During May 7 - 15

Identity theft happens every day and apparently there are no security controls which can stop this menace. Ranging from a few hundred SSN disclosures to millions of credit card compromises (TJ MAXX is a "good reference" on this subject), identity theft continues to pose one of the biggest threats to the US Internet economy.

The following are some of the biggest identity theft incidents collected last week by the Attrition.org Data Loss Archive and Database.


Mon, May 7
The state Department of Administration may have inadvertently disclosed the Social Security numbers of dozens of people involved with women- or minority-owned businesses, officials said today.
http://www.southbendtribune.com/apps/pbcs.dll/article?AID=/20070507/News01/70507025

Tue, May 8
A recent attack on the University of Missouri system computer database allowed an unknown hacker, or several hackers, to retrieve 22,396 names and Social Security numbers of individuals associated with the university.
http://www.columbiatribune.com/2007/May/20070507News054.asp

Wed, May 9
STANDARD Life has admitted that up to 300 customers may have been affected by a security breach in which personal information was sent to others by mistake.
http://news.scotsman.com/uk.cfm?id=716812007

Thu, May 10
Highland Hospital is warning its patients of a security breach. A hospital spokesperson told us two computers containing patient information were stolen from one of its business offices last month. Over 13,000 people are affected.
http://www.13wham.com/news/local/story.aspx?content_id=d70aed97-d001-4e3f-990d-50f9d8e32769


Sat, May 12
Police are investigating the disappearance of medical files containing personal information for nearly 300 patients from UCI Medical Center, university officials said Thursday.
http://www.ocregister.com/ocregister/homepage/abox/article_1690870.php

Sat, May 12
From May 5 to 7, a Goshen College computer was remotely accessed by a "hacker" with the suspected motivation of using the system to send spam e-mails, Goshen College officials said Friday.
http://www.goshennews.com/local/local_story_132001116.html

Sun, May 13
Utah State Auditor Auston Johnson conducted a "sting" operation a year ago that found important information - including Social Security and credit card numbers - on a handful of state surplus computers that were heading toward public sale.
http://deseretnews.com/dn/view/0,1249,660220231,00.html

Tue, May 15
The Community College of Southern Nevada is warning nearly 200,000 current and past students that their names and social security numbers may have been stolen… months ago.
http://www.klas-tv.com/Global/story.asp?S=6512881

Have you been the victim of identity theft? What would be the first 3 things to do when you find out about your credit card compromise?

WordPress 2.1.3 Akismet Vulnerability

David Kierznowski of Operation n has discovered a serious flaw in the Akismet anti-spam plugin that comes by default with the latest version of WordPress (2.1.3).

Given the large install base of the WordPress blogging platform, I imagine that this vulnerability will be massively exploited in the following days / weeks.

Securityfocus.com has more details on this issue, as well as a presumably functional exploit.

The vendor has issued a new version (2.0.2) which fixes the problems. Because I couldn’t find an extensive description of the bug, I tracked the SVN commit log and this is the code that changed between release 12811 and 12812 :

(image: akismet vulnerability, the diff between SVN revisions 12811 and 12812)

If you are using this plugin (very useful plugin I might say), you are advised to either install the latest  version or disable it in Wordpress plugins section.

Domain blocking with OpenDNS - Free URL Filtering ?

OpenDNS has added an interesting new feature to their free DNS resolution service: domain blocking. It may look like a poor man’s URL filtering solution.

We’re launching a powerful new feature today. We are giving you the power to block specific websites. That means you can protect your computer, your house, your office and anything else that uses DNS from being able to service domains that you don’t want to load.

If I were David Ulevitch, Founder and CEO, my next step would be a fully managed URL filtering service. I mean, it’s great that their service is free, but come on, it’s pretty hard to edit tens of millions of domains by hand. Why not pay for a fully categorised and updated URL filtering service? I guess we’ll wait and see.

Have you had any experience with managed URL filtering services? Is it better than rolling your own Websense / SurfControl installation?

N-Stalker Web Security Scanner Review

In my quest for better and smarter security tools I came across N-Stalker Web Security Scanner. There is a free download available but, since I don’t like testing evaluation versions, I needed to find a way to evaluate the full blown Enterprise edition. I knocked on the door and both Thiago Zaninotti and Sabrina Martins from N-Stalker were very kind and granted me an 8 IP license of N-Stalker Enterprise Edition. So this review was born out of my curiosity and an open minded vendor :)


The test bed consisted of Badstore.net free web application which includes the Apache web server, a Perl CGI (Common Gateway Interface) application, and a full MySQL implementation.
It is a full-featured application that uses standard coding methods and, inevitably, the most common web security vulnerabilities.

Having everything installed, I fired N-Stalker up and started the assessment.
I was expecting some sort of scan assistant / wizard and indeed, the wizard popped up. Choosing the most suitable security scan profile is not easy and it’s interesting to see how N-Stalker decided to split the assessment tasks.


N-Stalker’s approach is based on integrating security into the SDLC (System Development Life Cycle), which is defined as the scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal, which instigates another system initiation.

If you’ve been involved in information systems development (even developing a small web application), you know that the sooner you include security checks in the system the better. One penny spent in the early stages of design & coding can save hundreds of man hours later. NIST covers this issue very well in their Security Considerations in the Information System Development Life Cycle (PDF).

N-Stalker took the same approach when defining the scanning tasks and this can be summed up in this table:

SDLC Activities                  | N-Stalker Scanning Policy
Initiation Phase                 | (none)
Development / Acquisition Phase  | Development & QA
Implementation Phase             | Infrastructure & Deploy
Operation / Maintenance Phase    | Audit & Pen-Test
Disposal Phase                   | (none)

 
Scanning Policy #1 Development & QA
I chose this option and got 3 policies to choose from:

  • Custom Designs Errors Only
  • Common OWASP Top10 Check
  • Information Exposure Analysis (Confidentiality Check Only)

I went for Common OWASP Top10 Check and the scan started right away. 18 minutes later I was informed that the scan had ended and I opened the N-Stalker Report Manager to check the results.

The executive report (PDF) would make any project manager happy (or rather unhappy :) with 38 vulnerabilities sorted by vulnerability class:
Policy Name: Common OWASP Top10 Check
Policy Type: Development & QA Assessment
Type of vulnerabilities:

  • Web Server Exposure: 3
  • Custom Design Errors: 25
  • Web Signature Attacks: 0
  • Confidentiality Exposure: 5
  • Cookie Exposure: 4
  • File & Directory Exposure: 1
  • Custom Content Inspection: 0

However, the technical detailed report (PDF) gave all the details about the vulnerabilities and, very important, a remediation suggestion for each vulnerability.

I would use this scanning profile while the application is still under development because it focuses more on the application itself than the hosting platform, OS, etc. We all know that testing environments (web server, application server) are not the top security priority when code is pouring in every day.

Once the development phase is over ( or at least when the project manager decides to freeze the code base:) you do care about the whole application environment and this is the moment I would use the second scanning profile of N-Stalker :

Scanning Policy #2 Infrastructure / Deploy
The testing procedure is similar to #1 but the results are different:

The executive report (PDF) presented 11 vulnerabilities sorted by vulnerability type:
Policy Name: Complete Web Server Pen-test
Policy Type: Deploy & Infrastructure Assessment
Type of vulnerabilities:

  • Web Server Exposure: 7
  • Custom Design Errors: 0
  • Web Signature Attacks: 0
  • Confidentiality Exposure: 0
  • Cookie Exposure: 0
  • File & Directory Exposure: 2
  • Custom Content Inspection: 0

The detailed technical report (PDF) presents remediation suggestions because, in order to pass the user acceptance tests, the application server admins must fix every single vulnerability. Let’s just hope that the application developers have a good change management and versioning system in place which will prevent other bugs from creeping in after the code freeze!

And the big day comes and the application is released and everybody is concerned only about Champagne overflows in their glasses (yeah, I wish). Now the application moves into the maintenance phase of the SDLC. This also means undergoing periodic security audits, which everybody loves / hates to experience or to endure.

Lucky for the security staff, N-Stalker has a 3rd Scanning Policy: Audit & Pen-Test: This policy combines all the security checks from the previous two policies. You get the most complete security scan and you have a consistent report to present to the auditor.
 
The executive report (PDF) presents the 42 vulnerabilities sorted by vulnerability type:
Policy Name: Complete Pen-test Assessment
Policy Type: Audit & Pen-Test Assessment
Type of vulnerabilities:

  • Web Server Exposure: 7
  • Custom Design Errors: 26
  • Web Signature Attacks: 0
  • Confidentiality Exposure: 3
  • Cookie Exposure: 2
  • File & Directory Exposure: 2
  • Custom Content Inspection: 0

The technical report (PDF) as always gives details and remediation suggestions for every vulnerability which was found. Of course one can create new security scanning policies either from scratch or by modifying an existing one. N-Stalker offers the possibility to create new security checks in an intuitive way. You just need to know what you want to check and a helpful wizard assists you in completing this task.

At any moment of the scan you can pause it and resume it later which I found very helpful because as a security auditor you might run out of time during the maintenance window assigned by the operations department and it’s nice to know that you can resume the scanning at a later time.

Because every coin has two sides, I will present two things I found missing in N-Stalker.

1. Lack of additional tools.
During my web application assessments I rarely rely on automated scanners alone. There are many times when I prefer to manually continue the attack starting where the scanner left it. And for that you need tools such as encoders, fuzzers, custom proxies, cookie crunchers etc. I would love to see this tool collection in N-Stalker.

2. No support for Web Services. Web 2.0 is here to stay and many applications are built on web service powered consumer / provider architecture.

As a wrap-up of my review, I would like to point out that N-Stalker is a great tool for everyday security tests. It’s packed with lots of features which will make your job easier. For instance it can go beyond the login screen of an application thanks to its smart authentication procedure, which supports pre-recorded username/password pairs as well as digital certificates.

The SDLC integration will definitely prove beneficial on the long term, should you decide to use it, because you can tailor your security checks according to the development phase of the project. And this saves money and time.

At some point you will need to dynamically alter a cookie / form parameter / request header, etc. in a way that looks harmless to the application’s syntax validation but is devastating for the application layer. You can record specific attack scenarios and have them played back automatically. You can create manual URL scripts through manual policy configuration or wizard-based policy configuration.

However, the web app penetration tester must continue alone from where N-Stalker stops. I don’t think that there will ever be a tool to replace the long hours of manual labor during a web application penetration test. For instance, you can check the badstore.net complete (well.. almost complete) list of vulnerabilities here (PDF). Many of these vulnerabilities have been discovered by hand.

Sometimes your arsenal comes down to a browser, a proxy and your own brain. But it sure would have helped to do an N-Stalker scan first :)

I would like to thank Thiago and Sabrina for the opportunity to test N-Stalker Enterprise Edition. You can download an N-Stalker evaluation version for free and I encourage you to do this and test it for yourself.

Or find a way to get the Enterprise edition for free like I did :)

How about US Census Bureau as bruteforce dictionary ?

I bet you never knew that one reliable resource of dictionary based password attacks is the US Census bureau.  :)

http://www.census.gov/genealogy/names/names_files.html

For example, below are 3 lists of the most common names registered in the US:

First ten last name entries

name      freq   cum.freq  rank
SMITH     1.006  1.006     1
JOHNSON   0.810  1.816     2
WILLIAMS  0.699  2.515     3
JONES     0.621  3.136     4
BROWN     0.621  3.757     5
DAVIS     0.480  4.237     6
MILLER    0.424  4.660     7
WILSON    0.339  5.000     8
MOORE     0.312  5.312     9
TAYLOR    0.311  5.623     10

First ten female entries

name       freq   cum.freq  rank
MARY       2.629  2.629     1
PATRICIA   1.073  3.702     2
LINDA      1.035  4.736     3
BARBARA    0.980  5.716     4
ELIZABETH  0.937  6.653     5
JENNIFER   0.932  7.586     6
MARIA      0.828  8.414     7
SUSAN      0.794  9.209     8
MARGARET   0.768  9.976     9
DOROTHY    0.727  10.703    10

First ten male entries

name     freq   cum.freq  rank
JAMES    3.318  3.318     1
JOHN     3.271  6.589     2
ROBERT   3.143  9.732     3
MICHAEL  2.629  12.361    4
WILLIAM  2.451  14.812    5
DAVID    2.363  17.176    6
RICHARD  1.703  18.878    7
CHARLES  1.523  20.401    8
JOSEPH   1.404  21.805    9
THOMAS   1.380  23.185    10

so, how high is your name on the list ? :)
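As an added example (not code from the post or from the Census Bureau), here is the defending side of the same idea: a Python checker that parses rows in the census layout shown above and rejects passwords built from the top-ranked names, including leet-speak spellings, a trailing year and two names glued together. The sample rows and the substitution map are constructed assumptions.

```python
"""Use US Census name lists as a password denylist.

Added example, not code from the original post. The census files the post
links to are one row per name: name, frequency, cumulative frequency, rank.
CENSUS_SAMPLE is a constructed excerpt in that layout; the leet-speak map is
an assumed set of common substitutions, not something the post describes.
"""
from __future__ import annotations

import re

# Constructed excerpt in the census layout (header row included on purpose).
CENSUS_SAMPLE = """\
name freq cum.freq rank
SMITH 1.006 1.006 1
JOHNSON 0.810 1.816 2
WILLIAMS 0.699 2.515 3
MARY 2.629 2.629 1
PATRICIA 1.073 3.702 2
JAMES 3.318 3.318 1
JOHN 3.271 6.589 2
"""

# Assumed common substitutions; characters not listed are left unchanged.
_LEET = str.maketrans("013457@$!", "oieastasi")
# Digits and punctuation at either end of the password (e.g. "mary2007", "!!Mary").
_EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def parse_census_names(text: str, max_rank: int | None = None) -> dict[str, int]:
    """Return {NAME: rank} for each census-format row, optionally keeping only
    ranks <= max_rank. The header line and malformed rows are skipped."""
    names: dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        name, _freq, _cum, rank = parts
        if not rank.isdigit():
            continue                      # the "name freq cum.freq rank" header
        rank_n = int(rank)
        if max_rank is None or rank_n <= max_rank:
            # Keep the best (lowest) rank when a name appears in several lists.
            names[name.upper()] = min(rank_n, names.get(name.upper(), rank_n))
    return names


def normalise(password: str) -> str:
    """Strip leading/trailing digits and punctuation, undo leet-speak, and
    upper-case so the result can be looked up directly in the denylist."""
    core = _EDGE_JUNK.sub("", password)
    return core.translate(_LEET).upper()


def weak_password_reasons(password: str, names: dict[str, int]) -> list[str]:
    """Explain why a password is rejected by the name denylist; [] means it passes."""
    core = normalise(password)
    if not core:
        return ["nothing left after removing digits and punctuation"]
    if core in names:
        return [f"based on common name {core} (rank {names[core]})"]
    # Two names glued together ("johnsmith", "marywilliams") are just as guessable.
    for i in range(2, len(core) - 1):
        head, tail = core[:i], core[i:]
        if head in names and tail in names:
            return [f"concatenation of common names {head}+{tail}"]
    return []


if __name__ == "__main__":
    denylist = parse_census_names(CENSUS_SAMPLE)
    for candidate in ("mary2007", "J0hnSm1th!", "correct horse battery"):
        print(candidate, "->", weak_password_reasons(candidate, denylist) or "ok")
```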

My favorite 10 Web Application Security Fuzzing Tools

A Security Fuzzer is a tool designed to provide random data (fuzzing testing) to an application’s parameters. In the context of web application testing, fuzzing means testing especially for buffer overflow, parameter format check, various encoding and error handling.

The results of a fuzzing test reveal application vulnerabilities which range from juicy stuff such as  improper user supplied data sanitizing, failed boundary checks up to apparently harmless disclosure of application environment details such as OS version, Application Server version, database details and even private IP disclosure.

Web application fuzzing is performed mostly through GET and POST requests, but you can use any method which is supported by the server (HEAD, TRACE, CONNECT, etc.).

My favorite 10 web application fuzzing tools in fuzzy order :)

1. SPIKE Proxy
It is a professional-grade tool for looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL injection and cross-site scripting, but its completely open Python infrastructure allows advanced users to customize it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows.

2. WebScarab
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
Parameter fuzzer plugin performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.

3. Burp Intruder
Burp Intruder is a highly configurable Java web application security tool and can be used to automate a wide range of attacks against applications, including testing for common web application vulnerabilities such as SQL injection, cross-site scripting, buffer overflows and directory traversal; brute force attacks against authentication schemes; enumeration; parameter manipulation; trawling for hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and application-layer denial-of-service attacks.

4. Wapiti
Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed web app, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.


5. RFuzz The Web Destroyer
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.

6. OWASP WSFuzzer
WSFuzzer is a GPL’d program, written in Python, that currently targets Web Services. In the current version HTTP based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work.

7. SPI Fuzzer (member of SPI Dynamics WebInspect suite)
It identifies buffer overflows using HTTP fuzzing or modification of input variables. A trial version is available for download.

8. Suru Web Proxy
Suru gives the analyst the ability to fuzz ANY part of the HTTP request. This obviously includes GET and POST parameters, but can also be extended to Host: fields, Content-length: etc. The analyst can choose to fuzz any point of the HTTP request header or body. These "Fuzz control points" can be fuzzed with any value - and Suru includes some sample fuzz strings by default.

9. AppScan
AppScan scans and tests for all common web application vulnerabilities - including those identified in the WASC threat classification - such as SQL-Injection, Cross-Site Scripting and Buffer Overflow.

10. ASP Auditor
The purpose of this tool is to look for common misconfiguration and information leaks in ASP.NET applications.

What are your favorite Web App testing tools ?
