All Entries Tagged With: "web"

American Express Security – FAIL!

I came upon this from a twitter post – check it out! American Express have an insecure web form. They actually ask you to click on a link if you want a secure web form. Wow – talk about conflict of interest. Consider the stringent PCI requirements that Amex put corporations under, with some pretty expensive repercussions if you don’t comply, and they have an insecure web form. I’m flabbergasted!

See for yourself HERE!

News


News is a clean and simple-yet-elegant, professionally designed web template built using Photoshop, that can be used for a standard website, a WordPress blog, or any blog for that matter. This purchase is ONLY the PSD file. This design is an adaptation of a Photoshop tutorial that I found online, and made my own.

I have divided the layers into logical folders for placement and object groups and, where possible, I have left the layer masks to allow for easy color changes.

If you want me to customize the template, email me using the form on the contact page, or directly at steve@steve-shead.com with your requirements and I’ll let you know how much it will cost.

Torn Portfolio


Torn Portfolio is a clean yet grungy, professionally designed web template built using Photoshop, that can be used for a standard website, a WordPress blog, or any blog for that matter. This purchase is ONLY the PSD file. This design is an adaptation of a Photoshop tutorial that I found online, and made my own.

I have divided the layers into logical folders for placement and object groups and, where possible, I have left the layer masks to allow for easy color changes.

If you want me to customize the template, email me using the form on the contact page, or directly at steve@steve-shead.com with your requirements and I’ll let you know how much it will cost.

Grunge Parchment


Grunge Parchment is a clean yet grungy, professionally designed web template built using Photoshop, that can be used for a standard website, a WordPress blog, or any blog for that matter. This purchase is ONLY the PSD file. This design is an adaptation of a Photoshop tutorial that I found online, and made my own.

I have divided the layers into logical folders for placement and object groups and, where possible, I have left the layer masks to allow for easy color changes.

If you want me to customize the template, email me using the form on the contact page, or directly at steve@steve-shead.com with your requirements and I’ll let you know how much it will cost.

Dark Car


Dark Car is a dark yet colorful, professionally designed web template built using Photoshop, that can be used for a standard website, a WordPress blog, or any blog for that matter. This purchase is ONLY the PSD file. This design is an adaptation of a Photoshop tutorial that I found online, and made my own.

I have divided the layers into logical folders for placement and object groups and, where possible, I have left the layer masks to allow for easy color changes.

If you want me to customize the template, email me using the form on the contact page, or directly at steve@steve-shead.com with your requirements and I’ll let you know how much it will cost.

Blog Source


Blog Source is a bright, professionally designed web template built using Photoshop, that can be used for a standard website, a WordPress blog, or any blog for that matter. This purchase is ONLY the PSD file.

I have divided the layers into logical folders for placement and object groups and, where possible, I have left the layer masks to allow for easy color changes.

If you want me to customize the template, email me using the form on the contact page, or directly at steve@steve-shead.com with your requirements and I’ll let you know how much it will cost.

Grunge Paper


Grunge Paper is a grunge style, professionally designed web template built using Photoshop, that can be used for a standard website, a WordPress blog, or any blog for that matter. This purchase is ONLY the PSD file. This design is an adaptation of a Photoshop tutorial that I found online, and made my own.

I have divided the layers into logical folders for placement and object groups and, where possible, I have left the layer masks to allow for easy color changes.

If you want me to customize the template, email me using the form on the contact page, or directly at steve@steve-shead.com with your requirements and I’ll let you know how much it will cost.

Web 2.0


Web 2.0 is a clean, professionally designed web template built using Photoshop, that can be used for a standard website, a WordPress blog, or any blog for that matter. This purchase is ONLY the PSD file.

I have divided the layers into logical folders for placement and object groups and, where possible, I have left the layer masks to allow for easy color changes.

If you want me to customize the template, email me using the form on the contact page, or directly at steve@steve-shead.com with your requirements and I’ll let you know how much it will cost.

Web Application Scanning Using Nessus – Video


Scanning web applications with Nessus offers the end user several new configuration options in the Nessus client. You should take into account:

  • Number of web servers and applications being scanned
  • Size of the applications (e.g. how many parameters does each CGI application have?)
  • Depth and scope of the scan with respects to the type of tests being performed and how exhaustive they should be

This video demonstrates how to set up Nessus to scan a web application using the new options:


You can visit Tenable Security’s new video channel at http://tenablesecurity.blip.tv for more exciting video tutorials!

Using Nessus in Web Application Testing

Here’s a PDF for ‘Using Nessus in Web Application Testing’, from PaulDotCom. It’s a handy doc to read, especially if you want to supplement your current testing, or you don’t have a test framework yet. Download it below.

Using Nessus in Web Application Testing (PDF)

Deliberately Insecure Web Apps For Learning Web App Security

If you are setting up a penetration testing lab you might want some insecure web applications for learning web application security. Irongeek has a great list that he is keeping up to date. I have copied a few of them into this post. Don’t forget to visit Irongeek for more information.

BadStore
Link: http://www.badstore.net/
Platform: Perl, Apache and MySQL
Install: Meant to run by booting a Live CD, but I’d recommend using my Live CD VMX
Notes: Easy to set up, and it’s nice that you can run it from a VM with a little work. Just make sure you set the VM to use the IP addresses that are only available from the local host OS (NAT or Host-only).

Damn Vulnerable Web App
Link: http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on.
Notes: When I first posted Mutillidae, Ryan Dewhurst emailed me and told me about a project he started a few months before mine. His is also PHP/MySQL based, and looks prettier than mine. :) I’ve yet to play with it much, but I may be using some of his code in the near future to expand Mutillidae.

Hacme Series from Foundstone

Foundstone has put out a whole series of vulnerable web applications you can learn from and test your skills against. Some are harder to install than others since a few are quite old by web standards and the installers require outdated MSSQL services that don’t work the same way as the more up-to-date ones. Still, with a little work you should be able to get them installed on a modern system. I can’t guarantee all of them are designed to only listen to the local loopback, so if you decide to run them on a production network I highly recommend you use a VM set to use the IP addresses that are only available from the local host OS (NAT or Host-only). One of the great things about the Hacme series is the diverse programming platforms they are written in. As I said in the intro paragraph, most web development platforms have similar common vulnerabilities, but it’s nice to know what to look out for on your specific environment. Most of them I have limited install notes on, but I’m working on testing them out.

Hacme Travel
Link: http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Platform: Windows XP, MSDE 2000 Release A, Microsoft .NET Framework v1.1, C++
Install:
Notes:

Hacme Bank
Link: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Platform: Windows, IIS, .Net 1.1
Install:
Notes:

Hacme Shipping
Link: http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Platform: Windows XP, Microsoft IIS, Adobe ColdFusion MX Server 7.0 for Windows, MySQL (4.x or 5.x with strict mode disabled)
Install:
Notes:

Hacme Casino
Link: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Platform: Ruby on Rails
Install: Installer that sets up a built in WEBrick server
Notes:

Hacme Books
Link: http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
Platform: J2EE application, Java Development Kit
Install:
Notes:

Foundstone also hosts video solutions for Hacme Travel v1.0 and Hacme Bank v2.0.

Mutillidae
Link: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on. I have personally tested it in XAMPP under Windows and Linux.
Notes: Mutillidae is my personal project to implement the OWASP Top 10 Vulnerabilities. It’s designed to be easy to follow and geared towards a classroom environment. Think of it as a noob’s WebGoat.

Stanford SecuriBench
Link: http://suif.stanford.edu/~livshits/securibench/
Platform: J2EE application, Java Development Kit
Install: Looks like it’s another “by hand” install.
Notes: Includes a bunch of vulnerable J2EE web apps, such as: jboard 0.30, blueblog 1.0, webgoat 0.9, blojsom 1.9.6, personalblog 1.2.6, snipsnap 1.0-BETA-1, road2hibernate 2.1.4, pebble 1.6-beta1 and roller 0.9.9.

WebGoat
Link: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Platform: J2EE web application
Install: Self contained Tomcat server you can run from a directory under Windows or Linux
Notes: Love the fact it’s so self contained and easy to run. By default it only listens on the loopback address, so you can run it from your workstation on a production network with little worries.

WebMaven (AKA: Buggy Bank)
Link: http://www.mavensecurity.com/WebMaven.php
Platform: Perl CGI scripts
Install: You have to install this on a box with a web server and Perl CGI support. The creators recommend Xitami for the sake of ease. Make sure that you don’t put the server on a production network.
Notes: I’ve not played with this one much. The website for WebMaven says it was the basis for WebGoat v1.

Other Resources

The Heorot forum also has a collection of Live CDs you can use as targets in learning pen-testing. They are not necessarily web app focused, but they may still be useful to you.

Tips For Using Nessus In Web Application Testing


From: http://blog.tenablesecurity.com

While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.

There are two different approaches when performing web application testing. The first is part of a larger so-called “blind” test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. The web applications running within this space will usually be tested generically, but they may not specifically test for web vulnerabilities in a general scan. You need to first find and enumerate which web applications are running and then run targeted scans that specifically look for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, to the web application and asked to test it specifically. Nessus can help with both of these tasks, and provide valuable information that will help with your testing. Nessus provides some of the first steps to web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing, and describes several compliance based checks that provide very thorough testing of web application environments, including scanning to test for the OWASP PHP security specifications and Apache CIS Benchmarks.

Selecting a Target

To create a realistic testing environment our target was set up to run “Mutillidae” version 1.2, a PHP application that was written to contain vulnerabilities. Mutillidae was written by “Irongeek” and contains vulnerabilities that specifically cover the OWASP Top Ten list. It contains many different types of vulnerabilities, including SQL injection, cross-site scripting (XSS) and information disclosures.

Selecting Plugins

When tuning Nessus for web application testing, you can select the plugin families that are relevant to your test. This saves time and makes for a more efficient scan. However, for a more thorough scan, you can leave all plugin families enabled and let Nessus choose the best plugins. For this scan, I have enabled the following plugin families:

  • CGI abuses – This plugin family checks for anything that is ‘CGI’ related, unless it is XSS (and only an XSS vulnerability), in which case it falls into the “CGI abuses : XSS” family. These checks use a combination of detection techniques, including checking the version of the application and testing for the actual vulnerability. The attacks include software detection, information disclosure, XSS, SQLi, LFI, RFI, overflows and more.
  • CGI abuses : XSS – Specific CGI checks for reflective and persistent XSS vulnerabilities in common web applications.
  • Database – Typically a web server will run a database that is used by various web applications.
  • FTP – Web pages need to be updated, and FTP is a popular protocol used to allow your web developers to send files to the server.
  • Gain a Shell Remotely – If you can obtain a shell on the remote web server, testing the application is somewhat moot.
  • Gain root remotely – Same thing as above, if you gain root, resolve this problem before the application is tested.
  • General – Contains the operating system fingerprinting plugins, including ones that will identify the OS over HTTP. Identifying the underlying operating system is very important for web application testing, as it will determine the syntax of commands sent via injection (command and SQL) attacks.
  • Remote file access – Includes checks for specific web server/application vulnerabilities that lead to remote file disclosure.
  • Service detection – Contains checks for several different services, including detecting Apache running HTTPS, HTTP CONNECT proxy settings and other services that may host web applications.
  • Web servers – Plugins in this family detect approximately 300 specific vulnerabilities in popular web servers, such as Apache, IIS and generic vulnerabilities associated with the HTTP protocol itself.

Configuring the Scan Policy

In the “Advanced” settings tab, go to the “Global variables settings” and enable the following options:

[Screenshot: nessus13]

The “Enable CGI scanning” checkbox causes Nessus to search the web server for known CGI applications and associated vulnerabilities. “Enable experimental scripts” allows Nessus to test for vulnerabilities that use new techniques. The “Thorough tests (slow)” option expands your testing when it comes to web applications and allows the plugin to “try harder” on various tests. This enables more exhaustive SQL injection testing, and it will report more about CGI applications. By default, Nessus will only store and test the last 8 CGI applications found. With thorough testing enabled, Nessus will store and test up to 1024 CGI locations.

Next, select “Web mirroring” from the pull-down menu:

[Screenshot: nessus22]

In the “Start page” field, enter the location of the web application that you wish to test. Nessus will detect several different web applications and enumerate common directories on the web server. However, it cannot know about all directory names, so by entering the directory to do web mirroring, we add it to the list of applications that will be tested by the CGI scanner and other plugins.

Next, select “Unknown CGI Argument Input Validation Tests (torturecgis)” from the pull-down menu:

[Screenshot: nessus32]

Select the check box to send POST requests. This will expand the testing that Nessus can do beyond just GET requests. This is important for web application testing as many vulnerabilities could exist in the web application that are only triggered by sending a POST request. By checking this option, it will increase the amount of time for the scan to complete.

Reporting

After scanning the web application with the above settings, I noticed several plugin results of interest. The first plugin that was triggered was 26194, “Web Server Uses Plain Text Authentication Forms“:

[Screenshot: nessus42]

Nessus finds three separate pages that are transmitting fields labeled “password” in clear-text, as the application is not using SSL.
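The check that plugin 26194 performs can be reproduced in a few lines. The following is an added example, not Tenable's plugin code and not part of Mutillidae: it parses a page's forms with Python's standard library and flags any password input whose submit URL is plain HTTP, and also any password form that was itself delivered over plain HTTP (an on-path attacker can rewrite the form's action, so an HTTPS action on an HTTP page does not protect the credential). The sample pages and the lab.example host are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects each <form> on a page together with the names of its password inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative action is resolved against the page URL, as a browser would.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password_fields"].append(attrs.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_auth_forms(page_url, html):
    """Return one finding per form that exposes a password field to an on-path observer."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue
        if urlsplit(form["action"]).scheme == "http":
            reason = "password submitted over plain HTTP"
        elif urlsplit(page_url).scheme == "http":
            reason = "form delivered over plain HTTP"
        else:
            continue  # page and action both HTTPS: nothing to report
        findings.append({"page": page_url, "action": form["action"],
                         "fields": form["password_fields"], "reason": reason})
    return findings


# Constructed sample pages on a hypothetical lab host (not captured from a real scan).
SAMPLE_PAGES = {
    "http://lab.example/mutillidae/index.php?page=login.php":
        '<form action="index.php?page=login.php" method="post">'
        '<input type="text" name="username"><input type="password" name="password">'
        '<input type="submit"></form>',
    "https://lab.example/mutillidae/index.php?page=login.php":
        '<form action="index.php?page=login.php" method="post">'
        '<input type="password" name="password"></form>',
    "http://lab.example/search":
        '<form action="/search"><input type="text" name="q"></form>',
}


def scan_samples():
    """Run the check over every constructed page and return all findings."""
    findings = []
    for url, html in SAMPLE_PAGES.items():
        findings.extend(plaintext_auth_forms(url, html))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['page']} -> {f['action']}: {f['reason']} ({', '.join(f['fields'])})")
```

Only the HTTP copy of the login page is reported; the same form served over HTTPS, and the search form with no password input, produce nothing. The fix on the application side is the one the finding implies: serve the login page and its action over TLS and redirect plain-HTTP requests.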

The next plugin is 10662, “Web mirroring” which attempts to mirror the remote web site based on the parameters (“/mutillidae”) that we provided:

[Screenshot: nessus52]

The web mirroring finds not only additional directories (“/mutillidae/images/”), but several CGI applications as well. In a web application assessment, the tester would use the provided CGI values above to perform manual or automated testing to determine the security posture of the web application. Nessus can perform some of this testing for you with plugin 10672, “Unknown CGI Argument Input Validation Tests (torturecgis)“:

[Screenshot: nessus62]

The above plugin output identifies a couple of different CGI scripts that have security problems, such as traversals and XSS. Nessus chose to test the “logout” function, which is vulnerable to both XSS and remote file disclosure. By changing the syntax of the request slightly we can change this into a successful attack that reads the “/etc/passwd” file. Below we use the syntax of “index.php?page=/etc/passwd” and successfully execute the attack:

[Screenshot: nessus73]
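The file disclosure above comes from the page parameter being used directly as an include path. The following is an added example, written in Python rather than Mutillidae's PHP and not the project's own code: the flawed pattern is shown beside a hardened version that accepts only an allowlisted page name and, as defence in depth, confirms the resolved path stays inside the pages directory. The directory layout, the two page files and the secret.txt stand-in for /etc/passwd are constructed in a temporary directory so the block runs offline.

```python
import tempfile
from pathlib import Path

# Constructed lab layout: a "pages" folder holding the two legitimate includes,
# and a secret.txt outside it standing in for /etc/passwd.
ROOT = Path(tempfile.mkdtemp(prefix="page-include-demo-"))
PAGES = ROOT / "pages"
PAGES.mkdir()
(PAGES / "home.php").write_text("<h1>home</h1>")
(PAGES / "login.php").write_text("<h1>login</h1>")
(ROOT / "secret.txt").write_text("root:x:0:0:root:/root:/bin/bash\n")  # constructed content

# The only values the page parameter may ever take.
ALLOWED_PAGES = frozenset({"home.php", "login.php"})


def vulnerable_include(page):
    """The flawed pattern behind the finding: the parameter becomes the path unchanged.

    pathlib behaves like PHP's include here: "../secret.txt" walks out of the
    directory, and an absolute value replaces the base path entirely.
    """
    return (PAGES / page).read_text()


def hardened_include(page):
    """Accept only an allowlisted page name, then re-check the resolved location."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"page parameter not in allowlist: {page!r}")
    target = (PAGES / page).resolve()
    # Defence in depth: even an allowlisted name must resolve inside PAGES
    # (guards against a future allowlist entry that is a symlink or contains "..").
    if PAGES.resolve() not in target.parents:
        raise ValueError("resolved path escapes the pages directory")
    return target.read_text()


def is_rejected(page):
    """True when the hardened include refuses the value."""
    try:
        hardened_include(page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed probe values; the last two mirror the traversal and
    # absolute-path cases the scan output reported.
    for value in ["home.php", "login.php", "../secret.txt", str(ROOT / "secret.txt")]:
        print(f"{value!r}: hardened {'rejects' if is_rejected(value) else 'accepts'}")
```

The allowlist is the real control; string filtering of "../" or a leading "/" is not, because encoded and platform-specific variants keep appearing. The resolve-and-compare step costs one extra line and catches mistakes in the allowlist itself.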

Conclusion

While Nessus is not specifically designed for application scanning, it can be a valuable aid in performing pre-deployment scans before bringing applications online. Nessus is a fast and efficient way to identify which applications are on the network and if they are vulnerable to common exploits. This helps to quickly identify applications that may need rudimentary security fixes before more detailed manual testing is performed. Nessus can automate the process of discovering applications and common software, discovering the versions running and checking to see if they are vulnerable. The CGI scanner does a good job of basic “fuzzing” of the parameters of the discovered CGI applications to uncover attacks such as XSS and remote file disclosure. Again, while Nessus does not replace your web application testing tool, or completely replace your web application testing methodology, it is a valuable tool in the web application assessment process, especially for blind testing of large environments with several web servers and multiple applications.


Download a specific file from the web

From: http://www.commandlinefu.com

To download a specific file from the web:

curl -f -O http://pcbsd.fastbull.org/7.0.2/i386/PCBSD7.0.2-x86-DVD.iso

or, if you have wget configured:

wget -c http://pcbsd.fastbull.org/7.0.2/i386/PCBSD7.0.2-x86-DVD.iso

The -c option (continue) resumes an existing, interrupted download instead of starting again.

Web Technologies and Design


Technology and design go hand in hand, for me. I have developed an online apparel designer – a web application – and I’m not an engineer. This goes to show that it’s not out of the grasp of anyone that uses a computer, assuming you are interested of course. The good thing is there are a lot of free applications out there if you look hard enough, dependent on what you want to achieve.


Web technologies and design – where to go with this? Let’s start with my web technology – at least the web application that I have built. If you’ve been perusing this website you will notice a few references to http://www.customizemydesigns.com – that is an online apparel designer that I have been bringing up – and it’s finally working. I have some design work to do, but the application is fully functional. It is an example of what can be done on the web. Once you have the application you need a website to wrap it in and off you go. I chose a flash based theme and I wanted a grunge look. I created the graphics and recoded the site to do what I needed. I won’t bore you with the details but instead of creating a PDF and sending to a print house, my application creates SVG templates and uploads through Cafepress. Since Cafepress is a print fulfillment company that allows singles, as well as bulk orders, it was a no brainer. The coding wasn’t so easy, but it’s done now. Check it out!