Nabble - Web App Security

Free On-Demand Security Scanning Service

2010-03-18T01:51:32Z

Hi All,

Checkmarx has recently launched an on demand security scanning service.
We would like to extend an offer to all WebAppSec members for a free trial.
The scans support all common languages included in the Java and .Net
families.

In addition members will enjoy some benefits like:
• Support for Force.com languages: Apex and Visualforce
• Detection of recently discovered vulnerabilities like ReDos and XSHM
• Detailed reports demonstrating full detection path.

Please enjoy the complementary service at: www.cxcloud.com

Yours,

Maty Siman

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[HITB-Announce] HITBSecConf2010 - Dubai Agenda Released

2010-03-14T00:35:59Z

Conference agenda for HITBSecConf2010 - Dubai has been announced!

Welcoming Address by H.E Mohammed Nasser Al-Ghanim (Director General, UAE Telecom Regulatory Authority - TRA) -- TBC

Keynote 1: John Viega (CTO, SaaS, McAfee Inc.) -- A/V Vendors Aren't As Dumb As They Look
Keynote 2: Matt Watchinski (Senior Director of Vulnerability Research, Sourcefire Inc.) -- TBA

1.) Daniel Mende (ERNW GmbH) with Oliver Roeschke (ERNW GmbH) -- Attacking CISCO WLAN Solutions
2) Dino Covotsos (Managing Director, Telspace Systems) -- Hiding a Giant: Analysis of a Next Generation Botnet
3.) Fredric Raynal (Head of Research, Sogeti/Cap Gemini) with Arnauld Mascret (Sogeti / Cap Gemini) & Christophe Devaux (Sogeti / Cap Gemini) -- Deception 2.0: Gathering and Exploiting Information
4.) Gynvael Coldwind (Researcher, Hispasec) -- A Case Study of Recent Windows Vulnerabilities
5.) Laurent Oudot (Founder, TEHTRI-Security) -- Silent Steps: Improving the Stealthiness of Web Hacking
6.) Marc Schoenefeld (Independent Network Security Specialist) -- Open Sesame: Examining Android Code with undx2
7.) Shawn Merdinger (Security Researcher) -- We Don't Need No Stinkin' Badges: Hacking Electronic Door Access Controllers
8.) The Grugq (Anti Forensics Specialist) -- Base Jumping: Attacking GSM Base Stations and Mobile Phone Basebands

HITBSecConf2010 - Dubai will also feature a HITB Web Hacking. This years contest will once again include an additional binary reversing challenge as well.

http://conference.hackinthebox.org/hitbsecconf2010dxb/agenda.pdf

---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC,
No. 8 Jalan Sultan Ismail,
50250 Kuala Lumpur,
Malaysia

Tel: +603-20394724
Fax: +603-20318359

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Need a real Java web application with vulnerabilities

2010-03-08T11:59:30Z

On Mon, Mar 8, 2010 at 19:45, Holger Peine <Holger.Peine@...> wrote:
> I was thinking that an early version of some open source application
> such as a CMS might be a good candidate(?)

Sounds like the right approach, though I'm not aware of any Java based CMS.

I'd suggest your best bet is to go trawling some of the various
vulnerability databases around the place for a suitable candidate.

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

RE: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities

2010-03-08T11:30:29Z

Yeah, Steve's is just a nice approach, my experience is the same, you
will hardly find a non vulnerable custom application.

Besides you will improve your internal systems security, but fix them
fast or you could suddenly have those vulnerabilities exploited in
production and some grades changed :).

Regards,
JC

-----Original Message-----
From: Steve Pinkham [mailto:steve.pinkham@...]
Sent: Lunes, 08 de Marzo de 2010 12:04 p.m.
To: Rogan Dawes
Cc: webappsec@...; Holger Peine; websecurity@...
Subject: Re: [WEB SECURITY] Re: Need a real Java web application with
vulnerabilities

Rogan Dawes wrote:
> Unfortunately, your first requirement seems to suggest against your
> suggestion. :-) > > As an open source app, the student would be able
to see the change logs, > and any security announcements for the app,
and would be able to make > use of those to identify known
vulnerabilities in that version of the app.
>
> I suggest you look for a project that may have had a history of >
vulnerabilities (suggesting that they may still have others), but assign
> the student to review the current version of the app.
>
> Regards,
>
> Rogan

Unfortunately, as Rogan says, there's really no way for you to guarantee
there are flaws in any webapp without knowing what they are.

Based on prior experience, if you take any of your internal department
webapps of any complexity and let them work on (a non-production version
of) those, there will be flaws. Also, finding less well known open
source projects that probably haven't been widely deployed and tested
raises the chances it has problems. Extra points for projects that
haven't been maintained in a few years and built with slightly older
frameworks.

I don't think I've ever turned in a report at the end of an assessment
that says everything was done correctly, even when dealing with very
competent teams in frameworks with the latest defenses. I doubt finding
flaws in an internal app or decent size but not widely deployed open
source project unmaintained since early 2000s would be very hard.

Steve
--
| Steven Pinkham, Security Researcher |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |

------------------------------------------------------------------------
----
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities

2010-03-08T10:03:41Z

Rogan Dawes wrote:
> Unfortunately, your first requirement seems to suggest against your
> suggestion. :-)
>
> As an open source app, the student would be able to see the change logs,
> and any security announcements for the app, and would be able to make
> use of those to identify known vulnerabilities in that version of the
app.
>
> I suggest you look for a project that may have had a history of
> vulnerabilities (suggesting that they may still have others), but assign
> the student to review the current version of the app.
>
> Regards,
>
> Rogan

Unfortunately, as Rogan says, there's really no way for you to guarantee
there are flaws in any webapp without knowing what they are.

Based on prior experience, if you take any of your internal department
webapps of any complexity and let them work on (a non-production version
of) those, there will be flaws. Also, finding less well known open
source projects that probably haven't been widely deployed and tested
raises the chances it has problems. Extra points for projects that
haven't been maintained in a few years and built with slightly older
frameworks.

I don't think I've ever turned in a report at the end of an assessment
that says everything was done correctly, even when dealing with very
competent teams in frameworks with the latest defenses. I doubt finding
flaws in an internal app or decent size but not widely deployed open
source project unmaintained since early 2000s would be very hard.

Steve
--
| Steven Pinkham, Security Researcher |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Security BSides Austin - sponsors needed!

2010-03-08T07:46:44Z

Hi folks,

We need your help. We're still looking for sponsors for this weekend's
Security BSides Austin, which is set to occur the same day as the
kickoff for SxSW Interactive (a major developer conference). We have
official sponsorship from Astaro and Panda, plus a couple unofficial
sponsors. We'd love to see your organization involved, too! We're hoping
for a successful inaugural event in Austin, TX, so that next year we can
become officially sanctioned by SxSW.

Unconference details here:
http://www.securitybsides.com/BSidesAustin

Here are some benefits for sponsoring:
* Being part of the media conversation: As people talk about us they
talk about you or at least see you. Security B-Sides has been covered
in magazines, podcasts, videocasts, blogs, and even inscribed on
microchips. Get caught up in the conversation and be part of what
people are talking about.
* Brand recognition and awareness: Depending on the level of
sponsorship, you may recognize your brand placement at some or all of
the following: t-shirts, signage/lanyards, lunch sessions, or attendee
badges. Based on your level of participation, create and custom branding
may be arranged including transportation, banners, and podcast interviews.
* Big Fish in a Small Pond: For some, sponsoring large events is not
within their price range leaving them with no option for communicating
their message. BSides is just the place for you! This small, community
atmosphere brings together active and engaged participants who want to
absorb information. Sponsoring a BSides event enables to be that big
fish in a small pond and better communicate your message to an active
audience.
* Stay in touch with the industry: BSides enables its supporters and
participants to identify and connect with industry leaders and voices.
These participants represent the social networking of security. They are
the people who you want to engage to solicit feedback and bring voice to
your conversation.
* Targeted and Direct Audience: You didn't enter the secrutity
industry selling your product to everyone the same way, so why approach
events that way? Instead of marketing to the broader "security"
community connect directly with the security practioners who write
about, talk about, recommend, and implement security products and services.
* Be associated with the next big thing: Nobody knows what the “next
big thing” will be, but these events are community driven with
presentations voted upon by the industry. There is no magic to how it
works, but we believe that listening to the underground can help prepare
you and help identify what the next big thing might be.

Thank you,

-ben

--
Benjamin Tomhave, MS, CISSP
tomhave@...
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"Hanging is too good for a man who makes puns; he should be drawn and
quoted."
Fred Allen

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Need a real Java web application with vulnerabilities

2010-03-08T05:53:37Z

You can have a try at Securibench. Some of the apps in there don't run without
some serious armtwisting though, but its good enough for manual review and
static analysis.

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On Monday 08 March 2010 02:15 PM, Holger Peine wrote:

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Need a real Java web application with vulnerabilities

2010-03-08T05:40:44Z

Check out Daffodil CRM - http://sourceforge.net/projects/daffodilcrm/
It has SQL injection, XSS and some coding opportunities.

Nick Baronian

On Mon, Mar 8, 2010 at 3:45 AM, Holger Peine
<Holger.Peine@...> wrote:

> Hello,
>
> I have a student who wants to perform a mostly manual security review
> of some Java web application as his master's thesis work. I am well
> aware of pedagogical, deliberately insecure applications like Webgoat
> and many others. However, we need a real application for this:
>
> - Real code, since the job should create a realistic experience for
> the student, and the results should not be readily available
> in advance (as with Webgoat etc.)
>
> - Open source, so that source code review is possible, too
>
> - Containing some vulnerabilities (so that the review will not be
> too frustrating)
>
> - Medium-sized, to give a student (who has some beginner knowledge
> of web security) maybe two months of review work (the rest of his
> time will go into understanding web securty review and testing
> techniques and into writing up)
>
> - Written in Java (e.g. not PHP), since this is the only language
> the student is sufficiently proficient in.
>
> I was thinking that an early version of some open source application
> such as a CMS might be a good candidate(?)
>
> I'm hoping for your suggestions,
> Holger Peine
>
> --
> Prof. Dr. Holger Peine
> FH Hannover, Fakultät IV, Abt. Informatik
> Tel: +49(511)9296-1830 Fax: -1810 (shared, please state my name)
> Ricklinger Stadtweg 120, D-30459 Hannover, Germany
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>

Re: Need a real Java web application with vulnerabilities

2010-03-08T05:22:08Z

Hi, Peine and others:

I have encountered similar problems too, my suggestion is please try to google the alphabetic strings like this:

"sql injection vulnerability CVE site:web.nvd.nist.gov jsp"

I believe that some positive results can be found. I'm also looking forward to other suggestions, thx!

Best wishes!

------------------------------------

Yu Qu

Ph.D. Candidate Student

Ministry of Education Key Lab for Intelligent Networks and Network Security,

PO.Box 1821#, Xi'an Jiaotong University,

No.28 West Xianning Road, Xi'an, Shaanxi Province, China 710049

Tel: (+86)-029-82663330-817

Mail: yqu@...

Homepage: http://nskeylab.xjtu.edu.cn/people/yuqu

·¢¼þÈË£º Holger Peine
·¢ËÍÊ±¼ä£º 2010-03-08 20:43:40
ÊÕ¼þÈË£º websecurity; webappsec
³ËÍ£º
Ö÷Ìâ£º Need a real Java web application with vulnerabilities

Hello,
I have a student who wants to perform a mostly manual security review
of some Java web application as his master's thesis work. I am well
aware of pedagogical, deliberately insecure applications like Webgoat
and many others. However, we need a real application for this:
- Real code, since the job should create a realistic experience for
the student, and the results should not be readily available
in advance (as with Webgoat etc.)
- Open source, so that source code review is possible, too
- Containing some vulnerabilities (so that the review will not be
too frustrating)
- Medium-sized, to give a student (who has some beginner knowledge
of web security) maybe two months of review work (the rest of his
time will go into understanding web securty review and testing
techniques and into writing up)
- Written in Java (e.g. not PHP), since this is the only language
the student is sufficiently proficient in.
I was thinking that an early version of some open source application
such as a CMS might be a good candidate(?)
I'm hoping for your suggestions,
Holger Peine
--
Prof. Dr. Holger Peine
FH Hannover, Fakultät IV, Abt. Informatik
Tel: +49(511)9296-1830 Fax: -1810 (shared, please state my name)
Ricklinger Stadtweg 120, D-30459 Hannover, Germany
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Need a real Java web application with vulnerabilities

2010-03-08T05:01:15Z

OWASP Broken Web App Project contains WebGoat an app vulnerable in Java.
http://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project#tab=Project_Details

Regards

2010/3/8 Holger Peine <Holger.Peine@...>:

--
Wagner Elias - OWASP Leader Project Brazil
------------------------------------------------------------------
Twitter: www.twitter.com/welias
Blog: http://wagnerelias.com
Profile: http://www.linkedin.com/in/wagnerelias

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Need a real Java web application with vulnerabilities

2010-03-08T04:46:43Z

On Mar 8, 2010, at 9:45 AM, Holger Peine wrote:

> I was thinking that an early version of some open source application
> such as a CMS might be a good candidate(?)

OWASP's WebGoat Project has designed a non-trivial web application in Java, exactly for this purpose.

Ciao,
-- Federico

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Need a real Java web application with vulnerabilities

2010-03-08T00:45:40Z

Hello,

I have a student who wants to perform a mostly manual security review
of some Java web application as his master's thesis work. I am well
aware of pedagogical, deliberately insecure applications like Webgoat
and many others. However, we need a real application for this:

- Real code, since the job should create a realistic experience for
the student, and the results should not be readily available
in advance (as with Webgoat etc.)

- Open source, so that source code review is possible, too

- Containing some vulnerabilities (so that the review will not be
too frustrating)

- Medium-sized, to give a student (who has some beginner knowledge
of web security) maybe two months of review work (the rest of his
time will go into understanding web securty review and testing
techniques and into writing up)

- Written in Java (e.g. not PHP), since this is the only language
the student is sufficiently proficient in.

I was thinking that an early version of some open source application
such as a CMS might be a good candidate(?)

I'm hoping for your suggestions,
Holger Peine

--
Prof. Dr. Holger Peine
FH Hannover, Fakultät IV, Abt. Informatik
Tel: +49(511)9296-1830 Fax: -1810 (shared, please state my name)
Ricklinger Stadtweg 120, D-30459 Hannover, Germany

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

SamuraiWTF 0.8 released

2010-03-05T10:56:56Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I have just finished releasing SamuraiWTF 0.8. It is available at http://samurai.inguardians.com
and is a huge update. It includes metasploit, target applications
and tons of tool updates. It is now DVD sized as it has out grown the
CD release.

Thank you
Kevin Johnson and the SamuraiWTF project team

Senior Security Analyst
InGuardians, Inc.
office: 202.448.8958
cell: 904.403.8024
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkuRU/gACgkQGDcWptZ2zmRVtwCgxmAqGarrS9gsSFbEcmhjtwx+
EMgAoO2OVExyqrl4uHXLgvGkFLnXHcjI
=j8Vv
-----END PGP SIGNATURE-----

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

removing version identifying attribution data

2010-03-03T16:32:10Z

With a lot of open source web apps there is usually some kind of file
or comment block in the code that identifies the author and gives
attribution. The problem with most of these is that they end up
leaking information about the version of the app being used.

I'm very keen on keeping attribution in place and wouldn't want to
release software without giving due credit but at the same time I'd
rather not expose my clients to data leakage which I could easily
control by removing all, or at least part, of the attribution.

The three general options I can see are:
* leave as is and if there is a vuln found hope you can patch before
the bad guys scan and find your site - battle potential google dorks
* modify the included file or comment block to cut the information
down to a minimum - either a lot of manual work or search and replace
job depending on how consistent the info is
* remove all attribution but put in place a file offering full
disclosure to anyone who asks for the information - doesn't credit the
authors directly which would annoy me if it were my code

What do others do about this?

Robin

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Vulnerabilities Animated Clips

2010-03-03T00:05:02Z

One of the biggest challenges of the security community is to build true
SDLC (Secure development Life Cycle).
The biggest obstacle is that application developers at large lack the
know-how and motivation to address application risk.
At Checkmarx labs we thought that a new approach to application developers
might help them cross the barrier.
We have developed as a pilot including two short animated clips that should
help developers understand a security flaw, how it can be detected and
consequently prevented.
We built one clip for SQL Injection and another for Parameter Tampering -
limited up to 5 minutes each.

We would appreciate feedback from the OWASP community whether the effort is
meaningful and should it be extended.
Please feel free to use the clips freely.

The clips can be found at:
SQL Injection : http://www.youtube.com/watch?v=vjDrseRLyuA&hd=1
Parameter Tampering: http://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1

Yours,

Maty Siman, CISSP
CTO
Checkmarx

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Advanced PHP Hacking

2010-03-02T16:23:42Z

Hi,

I'd like to announce a Security Master's Dojo course during next
CanSecWest 2010 in Vancouver (March 22-26 2010).

Title: Advanced PHP Hacking (!)

PHP is a worldwide web language used by individuals as well as companies
(Facebook...). This session aims at providing a hands-on focused PHP
Hacking experience. After this course, you will really know how
attackers work and move through PHP hax0ring so that they can jump
deeper down to your networks.

*BONUS*
This training will end with a final amazing exercise through a step by
step live hacking simulation. It will help students at coming back to
offensive and defensive hands-on exercises seen during the whole day,
thanks to this complete information warfare operation.

For further information, just check :
http://www.tehtri-security.com/en/trainings.php?t=cansecwest-2010

Register as soon as possible (!) and join us at Cansecwest 2010
(http://cansecwest.com)

See you soon in Vancouver :)

--
Laurent OUDOT
Founder & CEO of TEHTRI-Security
http://www.tehtri-security.com

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Cookie Secure Attribute - Clarification

2010-03-01T05:47:56Z

I would make the attribute as Secure and then also set the requireSSL of the
form to true. In this way the server will discard it if it's over HTTP.

Regards, Sandeep

--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy@...>
Sent: Sunday, February 28, 2010 12:23 PM
To: <webappsec@...>
Subject: Re: Cookie Secure Attribute - Clarification

> @John:
> I believe it is a) , the first time the client (browser) accesses the
> Webserver - a cookie gets set on the Client browser. Though it might
> well be b) as well..I didn't check on any pages after that to see if
> the client sent it back as well. I will check the same. Is there a
> difference though? The Web Server shouldn't be sending it either..rt?
>
> @Sandeep:
> Isn't that a problem? If despite accessing a HTTP link , a 'Secure'
> cookie previously set on a HTTPS link is sent over it? For eg. There
> might be an image or some other static resource which is downloaded
> when a 'secure' page is browsed. For speed reasons this might not be
> HTTPS but HTTP. The 'Secure' cookie will also be sent in this case and
> hence sniffable over the network. The moment a HTTP link is accessed
> all 'Secure' cookies should NOT be sent at all. IMO anyway as of my
> current understanding.
>
> I put in a lot of detail over on the OWASP mailing list where I posted
> this - you might want to take a look at the same there. Here's the
> link:
> https://lists.owasp.org/pipermail/webappsec/2010-February/000829.html
>
> Thnx
> Arvind
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>

Re: Cookie Secure Attribute - Clarification

2010-02-27T22:53:45Z

@John:
I believe it is a) , the first time the client (browser) accesses the
Webserver - a cookie gets set on the Client browser. Though it might
well be b) as well..I didn't check on any pages after that to see if
the client sent it back as well. I will check the same. Is there a
difference though? The Web Server shouldn't be sending it either..rt?

@Sandeep:
Isn't that a problem? If despite accessing a HTTP link , a 'Secure'
cookie previously set on a HTTPS link is sent over it? For eg. There
might be an image or some other static resource which is downloaded
when a 'secure' page is browsed. For speed reasons this might not be
HTTPS but HTTP. The 'Secure' cookie will also be sent in this case and
hence sniffable over the network. The moment a HTTP link is accessed
all 'Secure' cookies should NOT be sent at all. IMO anyway as of my
current understanding.

I put in a lot of detail over on the OWASP mailing list where I posted
this - you might want to take a look at the same there. Here's the
link: https://lists.owasp.org/pipermail/webappsec/2010-February/000829.html

Thnx
Arvind

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: Cookie Secure Attribute - Clarification

2010-02-27T04:41:34Z

It will be in plain-text if both HTTP and HTTPS are enabled for the
application. If only HTTP, not sent. If only HTTPS, sent encrypted.

Regards, Sandeep

--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy@...>
Sent: Friday, February 26, 2010 6:48 PM
To: <webappsec@...>; <webappsec@...>
Subject: Cookie Secure Attribute - Clarification

> Hey Guys,
> A little bit of clarification needed about the 'Secure' attribute to
> be set in a Cookie. I'm looking at Section 4.3.1 in the
> RFC(http://www.ietf.org/rfc/rfc2109.txt) for the Secure attribute.
> What I understand is - If I programatically set the Cookie attribute
> of say a Session ID to Secure - it shouldn't be sent over an insecure
> channel. Meaning if I have a web server which has HTTP and HTTPS
> enabled, the Secure cookie should NOT be sent if I access the website
> over HTTP. However for some stupid reason which I cannot understand -
> it does get sent even over a HTTP channel. First I though it was coz I
> was accessing the site over localhost , and Secure pertained only to
> stuff on the Network. But its the same behavior over the n/w as well -
> anyone accessing my server over HTTP over the n/w..a cookie gets set
> with the Secure attribute and sent in clear text over the n/w.
>
> Surely something in my implementation or understanding is incorrect.
> What am I missing?
>
> Thnx
> Arvind
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>

Cookie Secure Attribute - Clarification

2010-02-27T03:44:50Z

2010/2/26 arvind doraiswamy <arvind.doraiswamy@...>
>
> A little bit of clarification needed about the 'Secure' attribute to
> be set in a Cookie.

Hi Arvind!

Just to be sure:

1. Is the problem that your web server sends secure cookies to the
client over http (i e in cleartext)?
2. Is the problem that the client's browser sends secure cookies back
to the server over http?
3. Is the problem both of the above?

If the web server is (part of) the problem, could you tell us which
one you're using?

Regards, John

--
John Wilander
Chapter leader OWASP Sweden
Conference chair OWASP AppSec Research 2010
http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Re: [Webappsec] Cookie Secure Attribute - Clarification

2010-02-26T07:58:23Z

I'll relook it but I'm quite sure it was. I checked the Firefox Cookie
Prefs where you can see the attributes, and it showed Secure there.
Can a cookie appear as Secure in Firefox but not be "secure"
otherwise? AFAIK No.

Thnx
Arvind

On Fri, Feb 26, 2010 at 7:01 PM, Ray <gunblad3@...> wrote:
> Amongst all the different things that could go wrong, based on your
> observations so far a first place to look is to determine for sure
> whether the secure attribute is really being sent along with the
> Set-Cookie header.
>
> You could achieve this with a network sniffer (tcpdump, wireshark,
> etc) or by using a firefox plugin like LiveHTTPHeaders.
>
> Ray.

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Cookie Secure Attribute - Clarification

2010-02-26T05:18:21Z

Hey Guys,
A little bit of clarification needed about the 'Secure' attribute to
be set in a Cookie. I'm looking at Section 4.3.1 in the
RFC(http://www.ietf.org/rfc/rfc2109.txt) for the Secure attribute.
What I understand is - If I programatically set the Cookie attribute
of say a Session ID to Secure - it shouldn't be sent over an insecure
channel. Meaning if I have a web server which has HTTP and HTTPS
enabled, the Secure cookie should NOT be sent if I access the website
over HTTP. However for some stupid reason which I cannot understand -
it does get sent even over a HTTP channel. First I though it was coz I
was accessing the site over localhost , and Secure pertained only to
stuff on the Network. But its the same behavior over the n/w as well -
anyone accessing my server over HTTP over the n/w..a cookie gets set
with the Secure attribute and sent in clear text over the n/w.

Surely something in my implementation or understanding is incorrect.
What am I missing?

Thnx
Arvind

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

RE: Trustwave's SpiderLabs Security Advisory TWSL2010-001

2010-02-12T18:49:53Z

I respectfully defend our statement as very realistic. The .Net exploit provided in the advisory is all that is required to work; no code-behind is required because the vulnerability related to "innerhtml" lies in the .Net code.

The specific flaw is actually in System.Web.UI.HTMLControls.HtmlContainerControl class, which is the super class of the HTMLForm control (among others). The bug is easy to spot in the LoadViewState method as revealed in .Net Reflector:

protected override void LoadViewState(object savedState)
{
if (savedState != null)
{
base.LoadViewState(savedState);
string text = (string) this.ViewState["innerhtml"];
if (text != null)
{
this.Controls.Clear();
this.Controls.Add(new LiteralControl(text));
}
}
}

For those not familiar with C#, the .Net class takes the "innerhtml" value from the view state and adds it as a LiteralControl (basically literal HTML) in its "Controls" collection. When the HtmlContainerControl object is rendered, it will take that LiteralControl and place HTML directly into the response body.

The other .Net-defined subclasses of HtmlContainerControl are listed below:
HtmlAnchor
HtmlButton
HtmlGenericControl
HtmlHead
HtmlSelect
HtmlTable
HtmlTableCell
ListViewTableCell
HtmlTableRow
ListViewTableRow
HtmlTextArea

There are other .Net controls that take properties from the view state that may also be vulnerable. Enumerating them is not very helpful because the solution will always be the same: secure the view state.

Regarding the articles you linked to, I am familiar with Scott Mitchell's. It is a great document, but the vulnerabilities he references have to do with custom use of the view state, not specific flaws inherent in the .Net view state. As we mentioned in the advisory, technically this is a known issue in .Net, although a proof of concept attack against the framework has (to our knowledge) not been documented before.

I've also read Michal Zalewski's advisory. It stands out as (I think) the first specific attacks documented against .Net's view state. However, they are of a different nature than the attack documented in our advisory.

Sacha Faust's post on encoding controls is a useful reference, but isn't directly relevant to view state attacks. The list is of properties that will automatically HTML encode when the programmer sets the value. This isn't necessarily the same as when the value is set in the view state.

Thanks,
David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security
Email: dbyrne@...

-----Original Message-----
From: full-disclosure-bounces@... [mailto:full-disclosure-bounces@...] On Behalf Of Chris Weber
Sent: Thursday, February 11, 2010 3:43 PM
To: Trustwave Advisories; webappsec@...; websecurity@...; full-disclosure@...; bugtraq@...
Subject: [Full-disclosure] (resend) RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001

The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):

'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'

I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?

There have been past discussions on VIEWSTATE's security:

Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12

Michal Zalewski reported some exploit scenarios with replay and DoS through VIEWSTATE.
http://seclists.org/bugtraq/2005/May/27

You made a reference to how other controls are also vulnerable to this attack. I think that data would be more useful in the advisory.

Yes there do exist ASP.NET controls which don't properly encode, and I would refer readers to Sacha Faust's FxCop rule which finds those dangerous controls:

http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-encoding-document.aspx

Best regards,
Chris Weber

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

RE: Trustwave's SpiderLabs Security Advisory TWSL2010-001

2010-02-11T11:45:52Z

Any input from a user is susceptible to tampering. The advisory is specifically about vulnerabilities in how frameworks handle view states. While the frameworks provide functions to secure the view states, the specific vulnerabilities are not documented by the vendors.

Apache's documentation states that the encryption is only needed when t:SaveState tag is used. Sun provides no specific recommendations on encrypting the view state. Microsoft recommends securing the view state, but doesn't provide concise information about what will happen if you don't.

The purpose of our advisory was to show that unsecured view states will always be vulnerable to real-world attacks. This changes view state security from a best-practice to a demonstrable vulnerability for all applications developed on the three frameworks described.

Regarding your specific questions:

1) Yes, we did find specific vulnerabilities in all three products listed. The Microsoft vulnerability is demonstrated in the advisory. The Apache MyFaces vulnerability is described in the advisory, but a specific attack is beyond the scope of the advisory. Trustwave has released Deface (https://www.trustwave.com/spiderLabs-tools.php) to demonstrate an actual attack. The Sun Mojarra vulnerability is essentially the same as the one in Apache MyFaces, but is not supported by Deface. If you are familiar with Java, Deface can be modified for use with Mojarra.

2) Enabling encrypted view states in Apache MyFaces and Sun Mojarra will prevent the vulnerability. Microsoft offers several security controls that will effectively prevent the attack. All three frameworks support server-side view states which will also prevent the attacks.

3) Microsoft enables view state MAC (essentially cryptographic signing) by default. Apache MyFaces and Sun Mojarra do not enable encrypted view states by default.

Thanks,
David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security
Email: dbyrne@...

-----Original Message-----
From: arian.evans@... [mailto:arian.evans@...] On Behalf Of Arian J. Evans
Sent: Tuesday, February 09, 2010 5:07 PM
To: Trustwave Advisories
Cc: webappsec@...; websecurity@...; full-disclosure@...; bugtraq@...
Subject: Re: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001

Hidden Form Fields and Cookie values are also sometimes vulnerable to these attack techniques.

Encrypting hidden form fields and cookies usually protects them from tampering. Same problem; same solution.

Viewstates typically have the advantage over cookies and hidden FFs, from a security control standpoint, of having native encryption and checksumming facilities provide by the programming environment/framework.

These controls are as easy to turn on as flicking a switch. Super simple remediation. Most frameworks do not offer easy, native controls like this for cookies or hidden FFs.

Would you agree that the issue here is RTFM?

Many developers using Viewstates aren't aware they are using Viewstates. Think "Newbie Visual Studio Jockey" developers. They are using a control in their IDE and have no idea it's passing off stuff in b64 strings to the web-browser/client that can be decoded and/or modified.

The most common scenario where developers disable native Viewstate controls is in multi-websever deployments when they start load-balancing. The Viewstate keys don't match across servers; the app breaks; the developers Google just enough info to decide to turn off Viewstate encryption/checksums (or the server admin does it).

The fix for Viewstate load balancing issues is also super simple:
Share Viewstate MAC/checksum or encryption keys. But it is fairly common not to do this until after a security assessment. Usually for the same reasons I outlined above: they aren't really even sure what Viewstate is doing.

So good work. Nicely written advisories.

Questions:

1) Did you find any unpublished new vulns in these specific products?

2) Are the core issues "if you turn off your compensating control your vulnerabilities are still vulnerable?"

3) Do most vendors enable Viewstate controls by default (like Microsoft does)? If not - I think you should highlight and underscore that. Certainly a default checksum would be smart.

Ciao

---
Arian Evans
Solipsistic Software Security Statistician

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Praetorian Advisory: Reflective XSS in Alkaline Search Engine Server

2010-02-10T09:26:01Z

Advisory Title: Reflective XSS in Alkaline Search Engine Server
Release Date: 02-10-2010
Vendor: Vestris, Inc.
Application: Alkaline Search Engine Server
Version: 1.9

Overview:
Alkaline is a multi-platform, all-in-one index and search engine server.

Details:
The web interface for the Alkaline Search Engine Server does not
validate user input or sanitize its output prior to display in the
viewing page. Subsequently, a malicious user can use the Alkaline
server to perform unauthenticated, reflective cross-site scripting
attacks by passing arbitrary scripting content in the request which
the server will display verbatim in the error message it returns.
Example:
http://somealkalineserver.com:<9999>/<script>alert('test');</script>/a

Vendor Response:
The vendor, Vestris Inc, has been contacted on the matter and stated
both the software and the company are no longer in operation. Alkaline
version 1.9 is the last release of the product and no patches will be
made available for this or any other vulnerability. According to the
company's website "Vestris is gone, but we're giving it all away for
free. You can download software from this page..."
Although the product has reached end of life, the software is still
available for download and has been identified in DMZ environments.
For these reasons, value is still seen in disclosure.

Recommendation:
Given the state of the software, end users should ascertain whether
instances identified in their environment still have a legitimate
purpose and discontinue servers appropriately. Cursory review suggests
several other vulnerabilities are present in the product, but an
in-depth analysis has not been performed.

For more information please visit http://www.praetoriangrp.com or
email research@...
Praetorian General PGP Key:
http://www.praetoriangrp.com/praetorian.asc

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Trustwave's SpiderLabs Security Advisory TWSL2010-001

2010-02-09T14:47:18Z

Trustwave's SpiderLabs Security Advisory TWSL2010-001:
Multiplatform View State Tampering Vulnerabilities

Published: 2010-02-08 Version: 1.1

SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.

The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
These vulnerabilities show that unsigned client-side view
states will ALWAYS result in a vulnerability in the affected
products.

Credit: David Byrne of Trustwave's SpiderLabs

===============================================
Vendor: Microsoft (http://www.microsoft.com)
Product: ASP.Net (http://www.asp.net)
Versions affected: .Net 3.5 is confirmed vulnerable;
previous versions are likely to be vulnerable as well.

Description:
ASP.Net is a web-application development framework that
provides for both user interfaces, and back-end
functionality.

The ASP.Net view state is typically stored in a hidden field
named "__VIEWSTATE". When a page's view state is not
cryptographically signed, many standard .Net controls are
vulnerable to Cross-Site Scripting (XSS) through the view
state.

It is well documented that using an unsigned view state is
"bad", but most previous advisories focus on vaguely
described threats or vulnerabilities introduced by custom
use of the view state. To the best of Trustwave's knowledge,
this is the first time a proof of concept attack of this
nature has been demonstrated against the view state. A
vulnerability was alluded to in a 2004 Microsoft article on
troubleshooting view state problems [1]. However, other
Microsoft documents recommend disabling view state signing
"if performance is a key consideration," [2, 3, 4] or for
various other reasons [5, 6]. Realistically, unsigned view
states should never be used in a production environment.

The following code is vulnerable to a XSS attack against the
form control. Note that the "ValidateRequest" setting does
not prevent the attack.

<%@ Page EnableViewStateMac="False"
ValidateRequest="True" %>
<html runat="server">
<form runat="server"/>
</html>

If the following request is sent to the server, the response
will contain JavaScript that calls an alert box.

xss.aspx?__VIEWSTATE=/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxY
CHglpbm5lcmh0bWwFHTxzY3JpcHQ%2BYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2
BZGQ=

The view state's XML equivalent is below:

<?xml version="1.0" encoding="utf-16"?>
<viewstate>
<Pair>
<Pair>
<String>-834067820</String>
<Pair>
<ArrayList>
<Int32>0</Int32>
<Pair>
<ArrayList>
<Int32>1</Int32>
<Pair>
<ArrayList>
<IndexedString>innerhtml</IndexedString>
<String><script>alert('xss')</script></String>
</ArrayList>
</Pair>
</ArrayList>
</Pair>
</ArrayList>
</Pair>
</Pair>
</Pair>
</viewstate>

The HTML response is below:
<html>
<form name="ctl01" method="post"
action="xss.aspx" id="ctl01">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0b
WwFHTxzY3JpcHQ+YWxlcnQoJ3hzcycpPC9zY3JpcHQ+ZGQ=" />
</div>
<script>alert('xss')</script></form>
</html>

This example uses the "innerhtml" attribute of the form
control, although other attributes in other controls are
also vulnerable to similar attacks.

Remediation Steps:
The ASP.Net view state should always be cryptographically
signed with a "Message Authentication Code" (MAC). This has
been enabled by default since .Net 1.1, but can be disabled
using the "EnableViewStateMac" setting. Using the
"ViewStateUserKey" setting can also help to mitigate the
scope of this vulnerability. [7]

===============================================
Vendor: Apache Software Foundation (http://www.apache.org)
Product: Apache MyFaces (http://myfaces.apache.org/)
Versions affected: 1.2.8 and 1.1.7 are confirmed as
vulnerable. All previous versions are likely vulnerable.
Related products: Some versions of IBM WebSphere Application
Server (at least 6.x and 7.x) ship with Apache MyFaces
[8,9]

Description:
MyFaces is an open source implementation of the JavaServer
Faces standard. JavaServer Faces [10] is a framework that
aids in developing user interfaces for web-based
applications.

When the application's view state is not encrypted, it is
possible for an attacker to supply a new or modified view
object as part of a request. The malicious view can contain
arbitrary HTML code (allowing Cross-Site Scripting), and
arbitrary Expression Language (EL) [11] statements that will
be executed on the server. The EL statements can be used to
read data stored in user-scoped session variables, and
application or server-scoped variables. Since these
variables should be inaccessible by the user, it is not
uncommon to store sensitive data in them.

Exploiting this vulnerability requires modification of the
serialized view object, which is not stored in a plaintext
format. The Deface tool[12] can be used to provide
proof-of-concept attacks.

Remediation Steps:
This vulnerability can be completely prevented by encrypting
the application's view state.[13] This should always be
performed, even if this specific vulnerability is remediated
by Apache.

===============================================
Vendor: Sun Microsystems (http://www.sun.com)
Product: Mojarra (https://javaserverfaces.dev.java.net/)
Versions affected: 1.2_14 and 2.0.2 are confirmed as
vulnerable. All previous versions are likely vulnerable.
Related products: Some versions of IBM WebSphere Application
Server (at least 6.x and 7.x) ship with Sun Mojarra [8,9]
Although not well documented, some versions of Caucho
Resin (at least 4.x) ship with Sun Mojarra [14]

Description:
Mojarra is the open source reference implementation of the
JavaServer Faces standard. JavaServer Faces[10] is a
framework that aids in developing user interfaces for
web-based applications.

When the application's view state is not encrypted, it is
possible for an attacker to supply a new or modified view
object as part of a request. The malicious view can contain
arbitrary HTML code (allowing Cross-Site Scripting), and
arbitrary Expression Language (EL) [13] statements that will
be executed on the server. The EL statements can be used to
disclose data stored in user-scoped session variables, and
application or server-scoped variables. Since these
variables are usually inaccessible by the user, it is not
uncommon to store sensitive data in them.

Exploiting this vulnerability requires modification of the
serialized view object, which is not stored in a plain-text
format. Techniques similar to those used in the Deface
tool[12] can provide proof-of-concept attacks.

Remediation Steps:
This vulnerability can be completely prevented by encrypting
the application's view state.[15] This should always be
performed, even if this specific vulnerability is remediated
by Sun.

===============================================
References
1. http://support.microsoft.com/kb/829743
2. http://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.enableviewstatemac.aspx
3. http://msdn.microsoft.com/en-us/library/ydy4x04a.aspx
4. http://msdn.microsoft.com/en-us/library/ms691344.aspx
5. http://technet.microsoft.com/en-us/library/cc732610.aspx
6. http://technet.microsoft.com/en-us/library/dd807062%28WS.10%29.aspx
7. http://msdn.microsoft.com/en-us/library/ms178199(VS.85).aspx
8. http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.express.doc/info/exp/ae/cweb_javaserver_faces.html
9. http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.express.iseries.doc/info/iseriesexp/ae/cweb_javaserver_faces.html
10. http://java.sun.com/javaee/javaserverfaces/
11. http://java.sun.com/j2ee/1.4/docs/tutorial/doc/JSPIntro7.html
12. https://www.trustwave.com/spiderLabs-tools.php
13. http://wiki.apache.org/myfaces/Secure_Your_Application
14. http://www.caucho.com/resin-javadoc/com/caucho/jsf/integration/Mojarra12InjectionProvider.html
15. http://192.9.76.37/Wiki.jsp?page=JavaServerFacesRI

Revision History:
1.0 Initial publication (2010-02-03)
1.1 Added information about IBM WebSphere and Caucho Resin
(2010-02-08)

About Trustwave:
Trustwave is the leading provider of on-demand and
subscription-based information security and payment card
industry compliance management solutions to businesses and
government entities throughout the world. For organizations
faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with
comprehensive solutions that include its flagship
TrustKeeper compliance management software and other
proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500
businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their
network infrastructure, data communications and critical
information assets. Trustwave is headquartered in Chicago
with offices throughout North America, South America,
Europe, Africa, Asia and Australia. For more information,
visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave
responsible for incident response and forensics, penetration
testing, application security and security research for
Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking
exercises and tested the security of hundreds of business
applications for Fortune 500 organizations. For more
information visit https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as
is" without warranty of any kind. Trustwave disclaims all
warranties, either express or implied, including the
warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business
profits or special damages, even if Trustwave or its
suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

#HITB - Special Report: HITB2009 CTF Weapons of Mass Destruction

2010-02-09T09:03:03Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A true 'hacker's conference' wouldn't be fun without a competition
where hackers go head to head, tears are shed, and blood is spilled,
and when we say blood we mean points. CTFs have always been about how
good and fast you are at reversing and exploiting daemons and
binaries. Sure it's fun and all but after a few years of the same
thing, it's starts to get boring. Hence we decided to come up with CTF
- - Weapons of Mass Destruction (say it with me, destruktion!!!).

Let's face it, acquiring allies and launching nukes at rival teams is
much more fun than just reversing binaries and stealing flags.
Strategy is everything! The crew worked hard through out the year,
planning the game mechanics, designing the world map, and coming up
with complex challenges for the game. Though there were some quirks
here and there on game day, miraculously we pulled it off. The nukes
weren't the only thing that was different. We also had no prize money
for this year's CTF but teams still signed up anyway purely for the
bragging rights. You guys are f@#&king awesome!

So without further ado, the CTF crew brings you the writeup for
Weapons of Mass Destruction 2009. Enjoy!

https://www.hackinthebox.org/misc/HITB-CTF2009-Special-Report.pdf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktxlUQACgkQbMY1K865PtGXeACfdD2kYtSaPi8xjC4v8a4mLp/S
jYIAoLbNRbXUQpBBZhobgPO6QoF8CkWn
=yeuM
-----END PGP SIGNATURE-----

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Dradis Framework v2.5 is out!

2010-02-05T13:25:54Z

Hi all,

We have pushed a new major release of Dradis (an open source framework
to enable effective information sharing), and it comes with a few new
features [i]:

* Improved Note editor: bigger, easier to use and supports formatting!
* New First Time User Wizard
* Keep track of all the activity with the built-in RSS feed
* More plugins:
o New HTML Export reporting plugin.
o New Burp Upload plugin so you can use Burp Scanner output.
o New Nikto Upload plugin to use your Nikto scan results.

You can download from:
http://dradisframework.org/

If it looks like the project can interest you, consider signing up for
the mailing list [ii] or visiting the forum [iii].

Thanks to all who sent us bug reports and feature requests, please keep
them coming!

Daniel

[i]
http://dradisframework.org/announcements.html

[ii]
https://lists.sourceforge.net/lists/listinfo/dradis-devel

[iii]
http://dradisframework.org/community/

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

winAUTOPWN 2.1 - Now you can sleep

2010-01-29T21:31:43Z

Dear all,

This is to announce release of winAUTOPWN version 2.1

This version covers almost all remote exploits from January 2009 start up-till December 2009.
It also contains a few exploits released before January 2009 and for January 2010 till date.
A few could still be missing but they will be added shortly.
A complete list of all Exploits in winAUTOPWN is available in CHANGELOG.TXT

- winAUTOPWN or WINDOWS AUTOPWN version 2.1 now attempts to exploit port 80 after completing testing
exploits for all other ports.
This is mainly because of the high number of "Remote File Include Vulnerabilities" which winAUTOPWN tries to
exploit.
- winAUTOPWN 2.1 no longer incorporates the "Shell Upload vulnerabilies".
- It also has a few internal modifications to suit a few exploits.
- The winAUTOPWN GUI now allows you to keep any Text box empty unlike the previous one which contained a
bug in processing the input arguments.
If you intend to use the GUI, kindly use the new winAUTOPWN GUI 2.1 and not the old one.

Daily/Weekly Snapshot/Beta Releases of winAUTOPWN are always available for download from WINAUTOPWN
website.

ALTERNATE DOWNLOAD LINK : http://089dc64a.seriousfiles.com
(Use this only if the Primary Website for Download [URL given below] is unavailable)

Enjoy the Release.

The Latest available release now is winAUTOPWN version 2.1.

Coded by : Azim Poonawala (QUAKERDOOMER)

winAUTOPWN available at http://winautopwn.co.nr

Author's website : http://solidmecca.co.nr

winAUTOPWN is updated almost daily. Check the Download page for weekly snapshots.
Latest Release can always be downloaded from : http://winautopwn.co.nr

"winAUTOPWN - WINDOWS AUTOPWN (For The True HyperSomniac H-a-c-k-e-r-z-z-z-z-Z-Z)"

Regards,
QUAKERDOOMER

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Dasient mod_antimalware_lite v0.2

2010-01-20T13:11:36Z

Overview
========

We are happy to release a new version (v0.2) of mod_antimalware_lite,
an open-source extension to Apache that will block infected web pages
from being served to users. Mod_antimalware_lite can help prevent
your web site from getting blacklisted by major search engines and
browsers in the case that web pages get "infected" due to malicious
user generated content, web application vulnerabilities, infected ad
networks, and other such causes. For more information about how web
pages get infected, resulting in drive-by-downloads, and the growth of
web-based malware, register for our free white paper at:

https://wam.dasient.com/wam/info?prod=18

Download / Trial:
===============

You can download mod_antimalware_lite from sourceforge:

http://downloads.sourceforge.net/project/modantimalware/mod_antimalware_lite_sourceforge.tar.gz

Click "Sign Up" at the Dasient web site at
http://wam.dasient.com/wam/partners to
create a "Webmaster / Developer" account to get trial malware
monitoring to try out mod_antimalware_lite. The web server module
works in conjunction with Dasient's monitoring service to identify
infected web pages and block them from being served.

What is mod_antimalware_lite?
=============================

The mod_antimalware_lite web server module is an Apache module that
can be used to automatically block "infected" web pages from
being served. Infected web pages may have malicious content that
result in drive-by-downloads when loaded by a browser. Instead of
serving infected pages, mod_antimalware_lite will serve a
pre-configured HTML message of your choice, such that users will not
get infected. The mod_antimalware_lite web server module can be used
to help avoid blacklisting by search engines, browsers, desktop
anti-virus packages and also gives a webmaster control of the
messaging seen by users when a web site infection happens (e.g., in
contrast to having users otherwise see a "Reported Attack Site / red
screen of death" in Firefox).

The mod_antimalware_lite module is a simple, open-source version of
Dasient's full-fledged mod_antimalware module that can quarantine and
strip out malicious code on infected web pages, while continuing to
serve the 'good' parts of the page instead of blocking them
completely, as mod_antimalware_lite does.

This is our v0.2 beta release of mod_antimalware_lite. We look
forward to your thoughts, feedback, suggestions, and contributions to
make it easier to both install and use over time!

More information/articles:
=======================

eWeek: http://bit.ly/eqwCE
internetnews.com: http://bit.ly/ddv90
bMighty.com: http://bit.ly/ttsA7
Network World: http://bit.ly/15h1O6
Web Host Industry Review: http://bit.ly/M4aro

Sincerely,

Neil Daswani, Pete Fritchman, Ravi Reddy, and Shariq Rizvi
http://www.dasient.com

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

OWASP for Charities: Haiti relief effort

2010-01-19T17:51:09Z

Hi, there are days that I am really proud of being part of the OWASP
community, today is one of those days :)

The Haiti tragedy prompt the OWASP community to kickstart a project
that we have talked about several times in the past but never got
around to do it: the OWASP for Charities project.

You can read all about it in the email included below. This email was
sent to all our mailing-list subscribers (more than 10,000), and it
looks like we are on to something, since we already had some great
responses. One in particular was really good: "...rebuild digital
infrastructure ... there is a need for IT infrastructure to support
the immediate relief efforts... people to set up local networks and
links between the diff countries (US, France, Spain, etc) who are all
working to aid but are not tied together.... or help keep PCs/net
work devices etc running, basic tech support..."

I just wrote a blog entry with the email's content
(http://bit.ly/OWASP-Haiti) and I would really appreciate if you
linked to it, or just reused its content on your own blog, or
redistributed it to your internal/external mailing lists.

Lets use this opportunity to build a team that is focused on helping
others, since we never know where it will happen next.
Please join us at the OWASP for Charities project, and in the short
term in supporting the Haiti relief effort.

Thanks
Dinis Cruz
OWASP Board Member
---------- Forwarded message ----------
From: Kate Hartmann <kate.hartmann@...>
Date: 2010/1/19
Subject: OWASP for Charities: Haiti relief effort
To: Owasp-all@...

OWASP Members and Supporters,

OWASP was founded, and is supported as a non-profit organization, by a
group of dedicated volunteers who believe that all applications should
be secure and trusted. As our organization matures we have taken
those beliefs broader, and have started setting up ways for our
members to donate to the global community. Among these initiatives
are:

* OWASP has an active Kiva lending team who have donated $9,125.00
to date. http://www.kiva.org/community/viewTeam?team_id=522

* OWASP in response to the need in Haiti has set up a secure and
trusted way for those within the OWASP community to donate funds to
help the people of Haiti. This allows our OWASP community to help
another with a single global voice. 100% of the collected donations
will be transferred directly to victims for disaster relief such as
food and medical requirements. Please visit www.owasp.org and click
the link for G33k-4-HAITI. In a time of crisis, OWASP can help those
who are in great need. The OWASP community can help organize, support
, and promote efforts outside of application security.

OWASP is well aware there is a movement for phishers to utilize this
tragedy to get unsuspecting people to donate to a “cause” without
having a legitimate business back end and ultimately funneling all the
money directly into their own pockets. The OWASP community is
uniquely qualified to help protect from this type of attack and
educate about attacks as well.

As the world becomes more dependent on technology and particularly web
applications, there are many who need protection who simply have no
options to protect themselves. These include small companies,
individuals, charities, and others. The OWASP community can help by
connecting qualified, trusted resources willing to volunteer their
time to those organizations which qualify. OWASP is setting up an
outreach program, which will be under the name project name of OWASP
for Charities.

We hope you will support OWASPs efforts to make a difference in any
of the above ways. We are also open to suggestions in regards to where
you feel the OWASP Community can be of service.

Regards,

Your OWASP Board

Kate Hartmann

OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046
301-275-9403
kate.hartmann@...
Skype: kate.hartmann1

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Invitation: nullcon Goa 2010 International Security & Hacking Conference

2010-01-12T02:55:47Z

Hi all,

null is proud to announce the launch of it's security & hacking
conference nullcon Goa 2010 nullcon Goa 2010, India's first
'community' driven security & hacking conference will bring together
Security Researchers, security professionals, vendors, CXOs, Law
Enforcements agencies from all over the country to a common platform
to discuss latest research in field of Information Security and in
particular the major security threats faced by everyone today.

We are extremely thankful to SANS for providing us a free seat as a
prize for the hacking challenge winner at nullcon for their SEC 504:
Hacker Techniques, Exploits & Incident Handling class (worth USD 4095)
to be held in Feb at the Ramada Bangalore.
Details of the class: http://www.sans.org/india-2010/ , email:
AsiaPacific@...

nullcon is one of a kind of conference showcasing the latest research
and trends in information security by renowned security
researchers/professionals.
Any conference cannot be successful without the right audience.
That's why your presence is very essential for making nullcon
successful.

Website: http://nullcon.net

Legend:
** - BONUS Talk
+ - new(new version)Tool being released

First list of speakers (not in any specific order)
**0. Anonymous - Desi Special(pronounced pay-sul, as in chai) Hacking
+1. Abhisek Datta - Software Fuzzing with Wireplay
2. WhiteKnight - The art of cyber-warfare
3. Veysel Ozer - The evil Karmetasploit upgrade
+4. Anant Kochhar - Malware detection tool for Websites - A proof of Concept
5. Cassio Goldshmidt - Tracking the progress of SDL program
6. Vinoth Sivasubramanian - Defending Industrial espionage in Today's
Environment.
7. Vishwas Sharma & Amandeep - Intelligent Debugging and in-memory fuzzing.
+8. Lavakumar Kuppan - Imposter ke Karnamey: The browser phishing tool
9. Harshad Patil - Botnet mitigation, monitoring and management.
10. Prince Komal Boonlia - Steganography: Data hiding and Data Carving
11. Bhaskar Jain - Incomplete implementation of SAML
12. Navin Pai - Quantum computing: Challenges in the field of security

nullcon Details
--------------
Dates: 6-7th Feb 2010
Venue: The Retreat by Zuri,
Pedda, Uttor Doxi, Varca, Salcete
Goa 403 721
INDIA

Registration:
------------
Conference Pass - INR 2000/- (till 15th Jan 2010, avail the discounted
price now)
Details: http://nullcon.net/register
We are also accepting offline registrations for Conference Pass (and
stay at The Retreat, if required).

About null:
null - The open security community is a non-profit community with
focus on spreading security awareness, advanced research in security
and helping govt. and private institutions with security related issues.
website: http://null.co.in

Thanks to our sponsors
Gold Sponsor: SANS http://www.sans.org/india-2010/
Bronze sponsor: Timblo Group www.timblos.com

Best Regards,
null Team

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

HITB Ezine 'Reloaded' - Issue #001

2010-01-11T11:40:53Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Welcome to 2010! We are proud to announce the immediate availability of
our newly ?reborn? HITB ezine! You can grab your digital copies here:

https://www.hackinthebox.org/misc/HITB-Ezine-Issue-001.pdf

As some of you may know, we?ve previously had an ezine that
used to be published monthly, however the birth of the HIT-
BSecConf conference series has kept us too busy to continue
working on it. Until now that is...

As with our conference series, the main purpose of this new
format ezine is to provide security researchers a technical
outlet for them to share their knowledge with the security
community. We want these researchers to gain further recog-
nition for their hard work and we have no doubt the security
community will find the material beneficial to them.

We have decided to make the ezine available for free in the
continued spirit of HITB in ?Keeping Knowledge Free?. In addi-
tion to the freely available PDF downloads, combined editions
of the magazine will be printed in limited quantities for distri-
bution at the various HITBSecConf?s around the world - Dubai,
Amsterdam and Malaysia. We aim to only print somewhere
between 100 or 200 copies (maybe less) per conference so be
sure to grab a copy when they come out!

Happy New Year once again and we hope you enjoy the zine!

Zarul Shahrin - zarulshahrin@...
Editor, HITB Ezine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktLfsMACgkQbMY1K865PtEUrQCdHtkPdSKOPdMdT7LiM3iZjVkT
48cAnRiORfFMcBu+my4KuVTi42SGO5fe
=nqGp
-----END PGP SIGNATURE-----

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

RE: Burp Suite v1.3 released

2010-01-11T03:00:11Z

Burp v1.3 already handles viewing and editing of AMF-encoded messages in the
Proxy and Repeater, and the Scanner places attacks into AMF string fields.
Intruder doesn't currently support AMF, but it will do soon.

Regarding support for other functionality to handle Flash, I'll look at
adding this if enough people ask for it.

Cheers
PortSwigger

-----Original Message-----
From: Michele Orru [mailto:antisnatchor@...]
Sent: 08 January 2010 21:25
To: PortSwigger
Cc: webappsec@...; pen-test@...
Subject: Re: Burp Suite v1.3 released

Hi Dafydd,

are you planning to add support to Flash-based applications, something
like Charles (at least in the PRO version)?
I was thinking in something like integration with flare/flasm, or by
the way some mechanisms
to check for reflected XSS on every field exposed by the swf
(something like SWFintruder of Stefano, but in
an automatic way).

When pen testing flash-based apps, I've always to work with
SWFintruder, that is far good but
anyway something external from my favorite proxy (burp). I don't think
I can achieve the same results
using the Intruder to send XSS vectors, specifying the swf url with
its GET/POST parameters.

I think that actually there not exists any semi-automated proxy that
does something like that.
Correct me if I'm wrong.

Thanks

Michele "antisnatchor" Orru'
http://antisnatchor.com

On Fri, Jan 8, 2010 at 11:27 AM, PortSwigger <mail@...> wrote:
>
> Burp Suite v1.3 is now available for free download at
> http://portswigger.net/suite/
>
> This is a major upgrade with a host of new features, including:
>
> - A new message editor/viewer optimised for HTTP requests and responses,
> with colourised syntax, mouse-over decoding, and quick conversion
functions.
>
> - Facility to add comments and highlights to the proxy history and site
map.
>
> - Support for viewing and editing AMF-encoded messages.
>
> - Improved handling of SSL server certificates, to eliminate browser SSL
> warnings and connection problems with thick clients.
>
> - Copy to file / paste from file to facilitate working with binary
content.

>
> - New display filters.
>
> - Greatly enhanced extensibility.
>
> - Configurable DNS resolution, to override your computer's own resolution,
> facilitating work with non-proxy-aware clients.
>
> - Fine-grained upstream proxy rules.
>
> - Exporting of HTTP messages and metadata in XML format.
>
> For more details see:
> http://blog.portswigger.net/2010/01/burp-suite-v13-released.html
>
> Cheers
> PortSwigger
>
>
>
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>

Re: Burp Suite v1.3 released

2010-01-08T13:25:21Z

Hi Dafydd,

are you planning to add support to Flash-based applications, something
like Charles (at least in the PRO version)?
I was thinking in something like integration with flare/flasm, or by
the way some mechanisms
to check for reflected XSS on every field exposed by the swf
(something like SWFintruder of Stefano, but in
an automatic way).

When pen testing flash-based apps, I've always to work with
SWFintruder, that is far good but
anyway something external from my favorite proxy (burp). I don't think
I can achieve the same results
using the Intruder to send XSS vectors, specifying the swf url with
its GET/POST parameters.

I think that actually there not exists any semi-automated proxy that
does something like that.
Correct me if I'm wrong.

Thanks

Michele "antisnatchor" Orru'
http://antisnatchor.com

On Fri, Jan 8, 2010 at 11:27 AM, PortSwigger <mail@...> wrote:

>
> Burp Suite v1.3 is now available for free download at
> http://portswigger.net/suite/
>
> This is a major upgrade with a host of new features, including:
>
> - A new message editor/viewer optimised for HTTP requests and responses,
> with colourised syntax, mouse-over decoding, and quick conversion functions.
>
> - Facility to add comments and highlights to the proxy history and site map.
>
> - Support for viewing and editing AMF-encoded messages.
>
> - Improved handling of SSL server certificates, to eliminate browser SSL
> warnings and connection problems with thick clients.
>
> - Copy to file / paste from file to facilitate working with binary content.
>
> - New display filters.
>
> - Greatly enhanced extensibility.
>
> - Configurable DNS resolution, to override your computer's own resolution,
> facilitating work with non-proxy-aware clients.
>
> - Fine-grained upstream proxy rules.
>
> - Exporting of HTTP messages and metadata in XML format.
>
> For more details see:
> http://blog.portswigger.net/2010/01/burp-suite-v13-released.html
>
> Cheers
> PortSwigger
>
>
>
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>