Archive
OWASP at Northumbria Uni – June 2010
June 16th marked the first time the Open Web Application Security Project’s (OWASP) Leeds/Northern Chapter ran an event at Northumbria University, meaning it was the first time I was able to attend. Jason Alexander started off events with a brief overview of OWASP and the projects the group is involved with.
ENISA Common Assurance Maturity Model (CAMM) Project
Colin Watson did a good job of explain the work he and others have been working on. The project have released two documents which Colid discussed, the Cloud Computing Risk Assessment[.pdf] and the Cloud Computing Information Assurance Framework[.pdf]. Don’t be put off by the focus on ‘Cloud’, whilst this was the focus and reasoning behind the work at the start of the project, the information and processes Colin describes could easily be related to any IT environment and at first glance seem to be well worth a read.
Open Source Security Myths
Next up David Anumudu gave a somewhat brave talk considering the audience discussing and (potentially) debunking the assumption that open source software is more secure than it’s closed source competitors. David picked on the now famouse phrase from The Cathedral and the Bazaar, ‘ Given enough eyeballs, all bugs are shallow’. David argues that while this is true and reasonable, it only works in practice if all the eyeballs have both the incentive and the skills to effectively audit the code for bugs, something is rarely discussed. A sited example of insecurities in prominent open source software was that of the MD6 hashing algorithm, intruced at Crypto 2008, where despite being designed and developed by a very clued up team still had a critical flaw in it’s implementation.
My ultimate take away from this talk was that software’s licensing model has no direct impact on the security and vulnerabilities of any codebase, only the development model and developers themselves have any real impact.
SSL/TLS – Just when you thought it was safe to return
Arron Finnon (Finux) gave a great presentation on vulnerabilities and weaknesses with the implementation of SSL protection. Arron argues that most problems with SSL are actually related to the implementation rather than methodology itself, and that despite the high profile of problems related to SSL most techies still don’t ‘get’ it; and most users, regardless of user awareness training will continue to blindly click through the cert warning prompts.
Several of Moxie Marlinspike’s tools were discussed, mainly SSLStrip and SSLSniff. I was aware of both tools, but hadn’t tried them out in my own lab yet, after Arron’s discussion of the problem and capabilities this is definitely something that I intend to rectify shortly. Especially when combined with other SSL issues, including the SSL renegotiation attack and the Null Prefix[.pdf] attack issues with SSL can be deadly to an environment.
Main takeaway from this talk was that SSL isn’t as secure as some would state, and that when planning to defend against the attack vectors we need to stop thinking ‘what if’ and start working towards ‘what when’.
AppSensor – Self aware web app
Colin Watson came back to the front to discuss the work currently being undertaken with the AppSensor project. The idea behind the project is to create web applications that are ‘self aware’ to a lesser extent enabling any user making ‘suspicious’ web requests to be limited or disconnected to limit the damage that they can cause to the target system, and works on the premise that the application can identify and react to malicious users in fewer connection requests than the user needs to find and exploit a vulnerability.
The identification comes from watching for a collection of red flags and tripwires built throughout the system, from simply looking for X number of failed log-in attempts to real-time trend analysis looking for an unusual increase in particular functionality requests. A lot of the potential indicators and trapped reminded me a lot of an old post on the Application Security Street Fighter blog, convering using honeytokens to identify malicious activity, which I’ve covered previously.
Summary
Overall I really enjoyed the event, I’m hoping that the Leeds/Northern OWASP chapter decide to run more events within Newcastle, but if not it’s convinced me that the events are worth the time and cost to travel down to the other locations. Always good to discuss infosec topics face to face with some really knowledgeable people.
–Andrew Waite
Book Review: 7 Deadliest Web Application Attacks
A while ago I was offered an excellent opportunity to read and review Mike Shema’s contribution to Syngress’s Seven Deadliest series focused on web application security. My first impression was very positive, and now I’ve had a chance to get my hands on the finished product I haven’t been disappointed.
As with the rest of the Seven Deadliest series the book is broken down into sever chapters, each focusing on a key attack vector. Covered in Web Application Attacks is:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection
- Server Misconfiguration and Predictable Pages
- Breaking Authentication Schemes
- Logic Attacks
- Malware and Browser Attacks
I’ll be the first to admit that web application security isn’t my forte. Rather than let that put me off this was the appeal of the Seven Deadliest series, given the target topic the books aim is to succinctly cover the core issues and let the reader quickly get to grips with the subject material. Shema does this brilliantly; before I reading the book I (thought I) was comfortable with my understanding of web application security issues, after reading I’m now confident in both my theoretical understanding and, crucially, the technical implementation of the attack vectors discussed.
While the material is accessible to a new comer to web application security Shema wasn’t able to cover all subjects touched on during the book. For example, character encoding sets are discussed quite heavily during the cross-site scripting, but isn’t explained indepth at a low level. As a result, what a reader is able to take away from the book will likely be dependent on the experience and knowledge that the reader is able to bring to the material. In my case I was more comfortable with the chapters covering server misconfiguration (chapter 4) and malware (chapter 7).
After re-reading the material I would recommend this book to anyone that deals with web sites in anyway (that’s you), especially considering the price of the Severn Deadliest books. I’d also take a look at the rest of the series, covering:
- Seven Deadliest Microsoft Attacks
- Seven Deadliest Network Attacks
- Seven Deadliest USB attacks
- Seven Deadliest Unified Communications
- Seven Deadliest Wireless Technologies
- Seven Deadliest Social Network Attacks
- Seven Deadliest Web Application Attacks
— Andrew Waite
(oh, and if you won’t take my word for it, pay attention to the recommendation on the back….)
“The threats highlighted should be understood by Web developers, administrators, and general users alike. If you use the Web in any way then this should be on your bookshelf. In addition to detailing the threat Shema also provides countermeasures to minimize or remove the risk, but be warned; you may never look at a Web site in the same way again.”
Andrew Waite, Security Researcher, InfoSanity Research
Month of PHP bugs 2010
Following in the now well-established form of a ‘Month of X Bugs’ php-security.org has just opened it’s call for papers for a second month, to update and expand on it’s successful run month in 2007.
I’ll admit that I largely ignored the original Month of PHP Bugs (MOPB), at the time I had just made the decision to stop coding in PHP and try a more mature language. I had found PHP to be a very simple language to learn and code it, but as a result I also found it very simple to code very badly in as well. (and I’ve since found that a bad coder can code badly in any language, hence why I gave up the career path of developer).
However, this month’s SuperMondays event changed my perspective slightly. Lorna Jane gave a great presentation on using PHP to provide a web services architecture, at first glance looks like PHP has improved and matured significantly since I last used it. For those interested Lorna’s talk was recorded and is available here, and Lorna’s own take on the event can be found here.
So while I’m not in a position to contribute to the month’s releases, I will be paying closer attention to the resources released this time around. If you think you can contribute the organizers have posted a list of accepted topics:
Accepted Topics/Articles
- New vulnerability in PHP [1] (not simple safe_mode, open_basedir bypass vulnerabilities)
- New vulnerability in PHP related software [1] (popular 3rd party PHP extensions/patches)
- Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
- Explain a complicated vulnerability in/attack against a PHP widespread application [1]
- Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP’s heap implementation)
- Explain how to attack encrypted PHP applications
- Release of a new open source PHP security tool
- Other topics related to PHP or PHP application security
[1] Articles about new vulnerabilities should mention possible fixes or mitigations.
And prizes are available for the best submissions:
| # | Prize |
|---|---|
| 1. | 1000 EUR + Syscan Ticket + CodeScan PHP License |
| 2. | 750 EUR + Syscan Ticket |
| 3. | 500 EUR + Syscan Ticket |
| 4. | 250 EUR + Syscan Ticket |
| 5.-6. | CodeScan PHP License |
| 7.-16. | Amazon Coupon of 65 USD/50 EUR |
So what are you waiting for? Get contributing…
–Andrew Waite
Starting out with Glastopf
I’ve been lax in writing up my initial experience with Glastopf. For those new to Glastopf, initially created by Lukas Rist as part of the Google summer of code program in collaboration with the Honeynet Project and Thorsten Holz.
I must admit that I found the installation of Glastopf to be a complete nightmare. Although this is mostly due to my systems lack of some of the Python pre-requisites that I needed to compile from source, which in turn had other unmet pre-requisites, which in turn… you get the idea. But I did manage to get my install complete eventually, and have learnt a few things in the process, so it can’t be all bad.
At this point I also need to thank the guys from the #glastopf irc channel on freenode. The advice and suggestions provided made the job much easier than it could have been, and simplified my initial testing of the system once working.
My Glastopf system has been running a couple of weeks and I’m starting to take a closer look logs being recorded. I’m not entirely sure what I was expecting as a result of the install, I must confess to being a little disappointed so far, but as I’m no expert in the realm of web applications the findings may mean more to those with more insight.
Overall I have logged several scans for various resources, I’m assuming looking for vulnerabilities in installed services. Nothing too unexpected for example scans for Roundcube mail or phpMyAdmin installations.
I have also found some links to inocious, legitimate online resources. Again I am no expert with web attacks (one of my motivations for installing a web honeypot in the first place was to learn more about them), but I am assuming that this was to test the effect of a particular attack vector before providing host systems with malicious URLs in the logs for an unsuccessful attack. If anyone knows I’m wrong, or can provide a better explanation I’d appreciate a heads up.
With this installation the InfoSanity honeytrap environment is slowly expanding to show a wider and more indepth understanding of live attack vectors targetting production systems.
— Andrew Waite
Damn Vulnerable Web App, version 1.0.4
Ryan Dewhurst of ethicalhack3r.co.uk has created and been maintaining Damn Vulnerable Web App (DVWA). The goal of the project is to aid learning and teaching of the art of web application security.
Ryan provided an overview and demo of the suite at a recent SuperMondays open podium event, you can find an archive of the presentation here.
I’ve been looking at DVWA (current version is 1.0.4) and it is showing promise, especially as web application security is one of my weaker skill sets having limited experience in this field. DVWA currently focuses on six different attack vectors:
- Brute-force
- Command Execution
- File Inclusion
- SQL Injection
- File Upload
- Cross Site Scripting (XSS)
Each section provides help to exploit the target vulnerability, as well as providing access to the source code for white box review to aid full understanding of how the vulnerability exists and how it can be protected against. Each example attack vector also has the option of setting variable levels of implemented security, providing increasingly advanced attack vectors.
DVWA provides a solid basis for investigating and studying web application security issues, as well as a multitude of great links for further reading. For those of you with skill, or those that learn quickly there currently are vulnerabilities in even the high-security level versions of the code, but I’ll leave finding this as an excise for the reader.
Nice work Ryan, keep it up.
Infosanity's Blog 