ethicalhack3r - Part 4


November 8th 2009

Securing your web applications

The World Wide Web and the applications that run on it have come a long way since the invention of HTML by Tim Berners-Lee (British man I might add) in the early 1990s. Back then the World Wide Web was a static web of text, images and hyperlinks. Nowadays we have the privilege (sometimes not) of having whole communities which solely exist in a dynamically evolving cyberspace with wikis, blogs, social networking, video sharing and a lot more. “Web 2.0” would not exist without the complex web applications that run on the millions of web servers across the globe.


So how do we go about securing our web applications?


There are many different ways in which web applications can be made more secure. In this article I am going to cover a few tools and techniques which make this possible.


WAF:
Web Application Firewalls (WAFs) are applications which filter HTTP traffic, looking for malicious input that could be used in attacks such as SQL Injection, Cross Site Scripting (XSS), File Inclusion and more.


According to OWASP (Open Web Application Security Project), the important criteria in selecting a WAF are the following:


Very Few False Positives
Strength of Default
Power and Ease of Learn Mode
Types of Vulnerabilities it can prevent
Ability to keep individual users constrained to their current session
Ability to be configured to prevent ANY specific problem
Form Factor: Software vs. Hardware
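As an added example (not from the original article or any WAF vendor) of the kind of filtering a WAF performs, and of why the “very few false positives” criterion above matters, here is a small rule-based request inspector in Python. The rules, weights and block threshold are constructed for illustration only, not any product’s rule set.

```python
"""Minimal WAF-style inspector for HTTP query strings (illustrative example)."""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed signature rules: (name, pattern, weight). Real WAFs use far
# larger and more carefully tuned rule sets than this handful of regexes.
RULES = [
    ("sqli_tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I), 5),
    ("sqli_union_select", re.compile(r"\bunion\b.+\bselect\b", re.I), 5),
    ("sqli_comment", re.compile(r"(--|/\*)"), 2),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I), 5),
    ("xss_event_handler", re.compile(r"\bon\w+\s*=", re.I), 3),
    ("lfi_traversal", re.compile(r"(\.\./|\.\.\\)"), 5),
    ("rfi_remote_url", re.compile(r"^\s*(https?|ftp)://", re.I), 2),
]
BLOCK_THRESHOLD = 5  # constructed: total score at which a request is rejected


def inspect_query(query: str) -> dict:
    """Score every parameter value in a raw query string against RULES.

    Returns the total score, the (parameter, rule) pairs that matched and a
    block verdict. Values are percent-decoded by parse_qs and decoded once
    more so that double-encoded input is inspected in its decoded form.
    """
    matched = []
    score = 0
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote_plus(raw)
            for rule_name, pattern, weight in RULES:
                if pattern.search(value):
                    matched.append((name, rule_name))
                    score += weight
    return {"score": score, "matched": matched, "block": score >= BLOCK_THRESHOLD}


if __name__ == "__main__":
    # Constructed sample requests: two classic injection probes, then a
    # benign sentence that trips the naive UNION/SELECT rule (a false positive).
    samples = [
        "id=1%27+OR+%271%27%3D%271",
        "q=%3Cscript%3Ealert(1)%3C/script%3E",
        "title=Union+leaders+select+new+chair",
        "comment=Hi--see+you+soon",
    ]
    for s in samples:
        print(s, "->", inspect_query(s))
```

The third sample shows the trade-off the OWASP criteria point at: a rule that is strict enough to catch stacked UNION queries also blocks ordinary English, which is why learn modes and per-application tuning matter.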


Web Application Vulnerability Scanners:
Web application vulnerability scanners help improve security and minimise the risk of the application being exploited by automatically crawling the site and actively probing it for vulnerabilities. Once the scan has completed, the scanner produces a report of its findings, which a professional information security practitioner should then investigate and patch. These scans should be run on a regular basis.



Updates/Patches:

When using ready-made web applications such as blogs, CMSs, wikis, etc., it pays to keep the application updated to the latest version and patched against the latest bugs. Ready-made web applications are often targeted because of their wide deployment. If a SQL Injection vulnerability is found within a bespoke application, it only affects that particular application. However, if a SQL Injection vulnerability was found in WordPress, for example, it would affect their nearly 8 million version 2.8 users (at the time of writing), including big names such as PlayStation, eBay and others. This is what makes ready-made web applications a bigger target and why it pays to keep software updated and patched.


References:
http://www.rfc-editor.org/rfc/rfc1866.txt
http://www.owasp.org/index.php/Web_Application_Firewall
http://wordpress.org/download/counter/
http://wordpress.org/showcase/



October 20th 2009

[Interview] Chris John Riley – ‘The Änal Security Guy’

For our second ever interviewee we have Chris John Riley, the ‘Änal Security Guy’. Chris was born in the UK and is now living in Austria. He has been in the IT industry for over 13 years and now works as an IT Security Analyst doing penetration testing internally and for external clients.


Questions:


How did you get started in information security?


Well I’ve always been interested in security I guess. Although I always used to think of it as an unhealthy interest in how things really worked under the hood. I’ve broken my fair share of systems by being too curious what would happen if I just changed or deleted this or that file. Then again, who hasn’t done that once in a while.


I guess the real turning point was while I was working in Munich, Germany. An interesting project came across my desk that really seemed interesting to me. The project was a simple one, install and configure an Intrusion Detection System to protect an external server farm, and schedule regular vulnerability scans. But to tell you the truth, the project wasn’t really what made me want to do security, it was the response from the management after the project was finished. I sat down with one of the bosses and started to go through one of the vulnerability reports I’d run. Lots of red and yellow alerts, and things to change. His response was that the IDS and scans were simply a contract requirement to win a customer bid, and nobody had the time or interest in changing things. We’d ticked the box that said we have IDS and run regular scans, project done, please move on.


As you can imagine this didn’t sit too well, but there wasn’t much I could do at the time. I was still learning German and could rock the boat. So, moving on I tried to work security into the next couple of projects and found it increasingly hard to get the point across that security should be built in at the ground level and not just ignored. Well to cut a long story short, I asked for 4 weeks leave to attend some training (self funded naturally) and it was turned down. At that point I decided I’d be better off moving on and finding a position that supported security and didn’t punish it. So I handed in my notice, did my training and made the move to Austria to be with my girlfriend.


After a few months of sitting in front of a computer screen, self training and reading books, I was lucky enough to interview for an IT Security Analyst position at a large financial institution here in Austria. They took me on as part of their CERT team and ever since then I’ve been working as a penetration tester and Security Analyst. It’s been a little under 18 months since then, and I feel I’ve learnt a lot. Then again, I’ve still got a lot to learn as well, which is good. Learning something new is always a good thing.


You have attended most security conferences in existence this year, which for you was the best? And why?


Well I wouldn’t say I’ve been at every conference, but this year has been a lot about travelling and attending conferences. I managed to get out to Blackhat and Defcon in the US this year, which really gave me a new perspective on the large US conferences and how they differ from the European events. Each event brings something special and different, but most of all they gave me the chance to put faces to the people I talk with online all the time through my blog and twitter. Despite how good all the other conferences have been this year, I’d have to say that the FIRST conference in Kyoto, Japan was the best conference this year. As a big Otaku (Anime fan) just getting to visit Japan was a great experience. I also got to talk and hang out with lots of bright people, like Andreas Schuster, Martin McKeay, Jonathon Ham, and Sherri Davidoff.


I’d say Defcon comes a close second. Despite the fact there were far too many people, and I didn’t get to see more than a handful of talks, I got to meet and hang out with some really interesting people. There are lots of stories, but you’ll have to get me drunk at a conference to get me to talk about them.


Will you be attending FIRST or Defcon next year?


Currently things are up in the air about FIRST 2010. I attended last year through my company, and next year it’s somebody else’s turn to attend. Saying that, I’m hoping the people behind FIRST will let me attend as press, as I’d love the chance to blog and podcast from the Miami event next year. As for Defcon, I’ll be there for sure. I met lots of great people last time, and next year will be just as good I’m sure. I’ll know what to expect next time as well.


What’s the hacking scene like in Austria?


Austria isn’t really known as the number one hacking location in the world, and especially around where I live (middle of the middle of nowhere) you’ll be more likely to meet a farmer than a computer specialist. In Vienna there is a relatively good scene, with the guys behind the Metalab hackerspace putting on some small events. There are also a couple of small conferences that take place in Austria (PlumberCON, Deepsec, and IT-SecX are the ones that I know of). The scene is still growing here though as universities are now offering specialised IT Security degrees. So who knows what will happen in a few years. I’m still hoping to bring back the OWASP Vienna chapter, but getting the time to get things off paper and into a real life meeting is tricky.


What are your opinions on Ethical Hacking degrees in the UK?


I’ve spoken to a few people who’ve attended some of the Ethical Hacking style degrees from UK and Scottish universities. To be honest, although I see the benefit behind them, I can also see a number of drawbacks. Personally I spent almost 10 years working in desktop, server and comms support before moving into security. I use those skills every day in my job and couldn’t imagine being able to do my job without that knowledge to back things up. Learning about ethical hacking is a good thing, but the people taking these courses need to know that it’s not the final destination when it comes to being a penetration tester, or security analyst. I think that some universities are taking advantage of the hype surrounding hacking and security, and what comes out the other end might not be what the industry really needs right now. You can know every tool in Backtrack back to front, but without knowing how an Active Directory domain works, I wouldn’t want that person testing a network. I’m sure that over the next few years we’ll have a better overview of what these courses are really teaching people. I know SANS have teamed with a couple of universities to offer training as part of degrees, and I really hope that takes off as the SANS training is usually very well designed and taught.


Do you have any advice for someone that wants to get started in information security?


Like I said before, it’s not all about learning to hack. I’d rather work with somebody who knows how SSL works than somebody who has a CEH certificate. Then again, that could just be my poor opinion of the CEH qualification. Spend some time learning Windows, Linux, OSX and play with them in a lab. Don’t just limit yourself to learning how to hack things. Learn how to configure a web server, a domain, or a MySQL database. Learn how to script and work with Linux commands to achieve your goals. Without knowing how to configure a server correctly, you won’t know how to take advantage of misconfiguration. Also, when it comes to reporting, you won’t know why you could gain access or how you can describe a solution to your client. The report is the most important part of the test. If you can’t articulate the how and the why, then there isn’t any point in doing the test. You can’t just put up a picture of you as Domain Admin and call it a day anymore. Customers are demanding real information and real solutions. It’s easy for people to think it’s all about exploitation, but that’s really only a small part of the job. You have to be well rounded, otherwise it’s going to be a steep learning curve once you finally land that dream job.


Are you currently working on any projects?


I’ve been working on a few projects on and off in the last year, but time is a real issue for me right now. I’m currently studying for a couple of SANS exams, as well as blogging and working on some Metasploit stuff when I get the chance. I’m always learning something new, so I guess right now I’m the project. I’ve always been a firm believer that you should learn something new every day. Once you stop learning, it’s time to move on to something else.


Thank you Chris!


Thanks for asking me, it’s been a pleasure.


______________________________________

Chris’s blog: http://www.c22.cc/

Follow Chris on Twitter: http://www.twitter.com/ChrisJohnRiley



October 17th 2009

[BONSAI] XSS and SQL Injection in Achievo <= 1.3.4

Today Andres Riancho, owner of Bonsai Information Security (Argentina) and lead developer of w3af, has released a couple of advisories on vulnerabilities in Achievo <= 1.3.4 which we found a few months ago during our vulnerability research into common web applications.


The affected web application is Achievo <= 1.3.4. Achievo suffered from multiple simple persistent XSS vulnerabilities within their scheduler module and an SQL injection vulnerability within their dispatch.php file.


Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities will enable organisations to support their business processes in a simple, but effective manner.


Andres and I worked on a fairly novel (to me) payload for the persistent XSS vulnerability which we found. Essentially the payload we worked on was an AJAX script which sent POST requests to the vulnerable application in order to escalate a user’s privileges. A write up by Andres on the payload can be found here: http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/


For the original advisories:

Multiple XSS in Achievo

SQL injection in Achievo


All vulnerabilities found were disclosed in an ethical manner. We worked alongside the affected application’s developers in order to fix the vulnerabilities found. The advisories were not published until the developers had fixed and updated their software.



October 11th 2009

Netsparker – The next gen web app scanner



I was lucky enough to get my greasy hands on a copy of ‘Netsparker Final BETA’ from Mavituna Security’s project leader Ferruh Mavituna.

Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology it’s built on, just like an actual attacker. It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more.


I tested Netsparker v0.9.9.9935 (FINAL BETA) against DVWA v1.0.6. Setting up a new scan was as easy as putting in the DVWA URL, adding the security/PHPSESSID cookies and then selecting the different vulnerabilities to scan for. Netsparker picked up on almost all of DVWA’s vulnerabilities, even the SQL Injection vulnerability which a lot of web application scanners have problems picking up for some reason. The vulnerabilities that it did not pick up on I sent in an email to Ferruh; he has already added scans for some of these and will implement others in future.


The GUI of Netsparker is really clean and easy to navigate. It includes a dashboard where you can visualise the progress of your scan, a vulnerability chart showing the criticality of the vulnerabilities found, live HTTP packet request/responses and much more.


After the scan has finished, Netsparker allows you to export the results in a nice, easy to read HTML or XML report. As well as crawling and scanning for vulnerabilities, Netsparker also aids the exploitation of some of the vulnerabilities: it lets you execute SQL commands against the vulnerable application much like using an SQL client, and it also has a ‘Get Shell’ feature which injects a reverse shell payload into the vulnerable application that connects back to your testing box, allowing you to execute commands on the underlying OS.


Netsparker is still in BETA and, I have to say, has made it into my top 3 web application tools I have played with. Netsparker will be commercially available, I am told, at a lower price than most commercial web application vulnerability scanners.


For more information: http://www.mavitunasecurity.com/

Follow Netsparker on Twitter: http://www.twitter.com/netsparker



October 6th 2009

[Interview] Rob Loos – ‘Students in Security’

We have decided to start interviewing people in infosec to talk about various security topics. Our first ever interviewee is Rob Loos!


Rob Loos is a Belgian Applied Computer Science student at KHK Geel University, Belgium, who has a massive interest in the security world and loves to get other students involved too.


Questions:



What started you out in information security?

I’ve always had an interest in computers, playing games, writing a few small programs and helping other people out. Like many security people I enjoyed the forums a lot and got in contact with people whose hats were pretty far from white. I got a lot of blackhat knowledge that way, even though most was pretty scriptkiddy. I got experienced with malware, remote administration and some webapp exploiting. It’s a lot of fun but not something that can get you a good future.



So with the start of college, I started learning more about programming & networking. That gave me the knowledge to really understand what’s going on. Too bad we don’t get security courses. So most of my security information comes from the Internet in many different ways: podcasts, blogs, whitepapers, testing applications (like DVWA).


How did you find out about BruCON?

At my college we got a project week and one of the events was a webapp pentesting workshop (basic sql injection & cookie fun). But the person presenting it is a member of the Belgian OWASP and he told us about BruCON. Ever since then I’ve been interested and as soon as tickets were up I grabbed one.


Which was your favourite talk & workshop? Why?

The best talk I saw was “Rage Against The Kiosk”, it was pretty simple but fun and the speaker was great. I wish I could have gone to the 2nd day and watched “Red and Tiger Team”.


I also went to the lock picking 101 workshop. I loved it, it’s kinda easy to get started but hard to master. A perfect skill/hobby for any hacker if you ask me.


Was BruCON your first security conference?

Yes it was. It’s hard to find people interested & serious about security (a lot of people still think of hackers as evil people). But when I saw BruCON and read a little about it, I was convinced this is what I needed. A great gathering of intelligent & fun people.


Will you be attending next year?

For sure!! But this time I’m gonna get a cheap hotel room in Brussels. I am currently also working on my Students in Security project & I hope to give a small (lightning) talk about it next year.


Tell us about your ‘Students in Security’ project:

I go to a school with general IT (information technology) students. So security isn’t part of my curriculum; some of my friends are interested in security but they know nothing about it. So when they (or anyone, this has probably happened to most security people) say “oh wow, teach me!!”. So I started my blog and added the basics of security in “Getting into security”. Just to make a reference for my friends/fellow students. But I want to do more on this.


Basically the idea is an OWASP-like organisation but not just for web applications and mainly focused toward academics. I wanted to start this as a mini local hackerspace/security group JUST for students at my college and see where it goes. I might still do that but start of the school year madness is keeping me from that. But it would be a lot nicer if we could just make it global and maybe have small groups for colleges/local communities.


I’ve not done much yet but I’m looking for people who are interested in setting up something like this. Please get in touch!!

————————————————————-

Blog: http://www.robloos.be/

Twitter: http://twitter.com/RobLoos