Monday, December 12, 2005

Article on web application footprinting [HITB E-zine]

Any search engine database is a very powerful source of information about web applications. Search engine spiders crawl sites frequently and capture every link they can reach. As end users, however, we are more interested in the searching interface and the query criteria these engines provide. By using the search operators, end users can craft intelligent queries against the database and fetch critical information. There are several tools out there that query the Google database and fetch this sort of security-related information about web applications.

This paper describes some of the queries that can be run against SEARCH.MSN in order to fetch important information that helps in web application assessment. SEARCH.MSN provides a web services API for building applications on top of its search interface.

More information can be gathered from
To be able to use SEARCH.MSN you need an Application ID, which can be obtained with an MSN Passport account. Queries are limited to 10,000 a day, and each query returns at most 50 results. This provides great flexibility to the application. As a security tool, substantial information can be queried from MSN Search, making it a handy addition to your toolkit. For the examples outlined in this paper, some of the information is retrieved through this interface with a sample application called wapawn.

Read Here
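
As an added example, written for this page rather than taken from the HITB paper, wapawn or wsPawn: the search API itself is not reproduced here, and the result URLs below are constructed, not real search output. What the block shows is the step after the query comes back, turning a pile of result URLs for the target into the footprint an assessor actually wants before sending a packet: which virtual hosts exist under the domain, which directories are exposed, which server-side technology each extension betrays, and which URLs look like web-service access points. The domain, hosts and paths are all assumptions of the example.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the paper or from any wsChess tool.
public static class SearchFootprint
{
    // Constructed result URLs, standing in for what a "site:" style query returns.
    public static readonly string[] SampleResults =
    {
        "http://www.example.com/default.aspx",
        "http://www.example.com/admin/login.aspx",
        "http://www.example.com/admin/users.aspx?id=7",
        "http://shop.example.com/cart.jsp",
        "http://shop.example.com/Catalog.asmx?WSDL",
        "http://intranet.example.com/docs/",
        "https://portal.example.com/sso/index.php",
        "http://example.com.evil.org/phish.html",   // looks related, must be excluded
        "not a url",                                // engines return junk as well
    };

    public sealed class Footprint
    {
        public readonly SortedSet<string> Hosts = new SortedSet<string>();
        public readonly SortedSet<string> Directories = new SortedSet<string>();
        public readonly SortedDictionary<string, int> Extensions = new SortedDictionary<string, int>();
        public readonly SortedSet<string> ServiceEndpoints = new SortedSet<string>();
    }

    public static Footprint Build(IEnumerable<string> urls, string targetDomain)
    {
        var fp = new Footprint();
        targetDomain = targetDomain.ToLowerInvariant();
        foreach (var raw in urls)
        {
            Uri uri;
            if (!Uri.TryCreate(raw, UriKind.Absolute, out uri)) continue;
            var host = uri.Host.ToLowerInvariant();
            // Scope check on whole labels, so example.com.evil.org does not slip in.
            if (host != targetDomain && !host.EndsWith("." + targetDomain)) continue;
            fp.Hosts.Add(host);                                        // candidate virtual hosts

            var path = uri.AbsolutePath;
            int slash = path.LastIndexOf('/');
            fp.Directories.Add(host + path.Substring(0, slash + 1));   // exposed directories

            var file = path.Substring(slash + 1);
            int dot = file.LastIndexOf('.');
            if (dot < 0) continue;
            var ext = file.Substring(dot + 1).ToLowerInvariant();
            int count;
            fp.Extensions.TryGetValue(ext, out count);
            fp.Extensions[ext] = count + 1;                            // .aspx, .jsp, .php: technology hints

            // .asmx (ASP.NET) or an explicit ?WSDL query marks a web-service access point,
            // the input for the WSDL enumeration step.
            if (ext == "asmx" || uri.Query.IndexOf("wsdl", StringComparison.OrdinalIgnoreCase) >= 0)
                fp.ServiceEndpoints.Add(uri.GetLeftPart(UriPartial.Path));
        }
        return fp;
    }

    public static void Main()
    {
        var fp = Build(SampleResults, "example.com");
        Console.WriteLine("hosts:       " + string.Join(", ", fp.Hosts));
        Console.WriteLine("directories: " + string.Join(", ", fp.Directories));
        foreach (var e in fp.Extensions) Console.WriteLine("ext ." + e.Key + ": " + e.Value);
        Console.WriteLine("services:    " + string.Join(", ", fp.ServiceEndpoints));
    }
}
```

With the constructed input the build yields four hosts under example.com, the `/admin/` directory on www, three `.aspx` files against one each of `.jsp`, `.php` and `.asmx`, and one service endpoint (`http://shop.example.com/Catalog.asmx`). The scope check is the part worth copying: matching on `Contains("example.com")` would have pulled the phishing host into the footprint.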

Saturday, October 22, 2005

Assessing Web App Security with Mozilla (Oreilly)

Web application assessment is a challenging task for security analysts. Several products and tools are available, each claiming to perform automated analysis of entire applications: obtaining data, corroborating it and printing aesthetically appealing reports, all without user intervention.

The nature of web applications is very different from that of standard applications, and these tools often miss key vulnerabilities. The best way to perform web application assessment is with the combination of automated tools and human intellect. This article examines the LiveHTTPHeaders project, which fits seamlessly into Mozilla browser components to facilitate very effective web application assessment.

Read Here

Thursday, October 06, 2005

RSA Europe 2005



Attack is the best way to know your defense. Knowledge of attack methodology, tools and defense strategies is critical before you build the shield for your ultimate defense. This presentation covers all three dimensions (methodology, tools and strategies) with an innovative, researched approach and live demonstrations. UDDI, SOAP and WSDL are the pawn, knight and queen of this new chess board.


1. Web services assessment methodology, demonstrated against a live application.
2. Leveraging existing tools, and building your own on the fly, while assessing web services.
3. Building the ultimate defense for your web services with content filtering and secure coding.

Thursday, September 22, 2005

OSCON Europe 2005

Open Source Web Application Security Kung-Fu & Art of Defense

Web application attacks have grown at a rapid rate over the last five years, and many innovative ways of breaking systems have come into existence. Web applications are even more exposed because a firewall cannot protect them: the HTTP ports must stay open, so they become easy prey for attackers. Next generation web application attacks have arrived and are here to stay. These attacks target vulnerable and poorly written web applications.

Read Here

Sunday, August 14, 2005

Papers appeared on packetstorm...

Paper on browser identification.
Read Here

Paper on domain footprinting.
Read Here

Advisory on ASP.NET
Read Here

Thursday, August 11, 2005

Presenting paper at HackInTheBox 05

Title: Web hacking Kung-Fu and Art of Defense
Web attacks are on the rise and new hacking methods are evolving. This presentation covers new methodologies for web application footprinting, discovery and information gathering, together with a new range of tools.

Web applications are being exploited through new injection techniques such as advanced SQL injection, LDAP injection and XPath injection; all of these exploit methods will be discussed. The HTTP stack is changing in application frameworks such as .NET, and its HTTP interfaces can be used for defense. New defense methodologies for web applications are needed to combat the threats emerging in this field.

This will be a deep-knowledge presentation, full of live demos, examples and new tools!

Presenting paper at Syscan05

Title: .Net web security – Attacks and Defense
Web security is becoming critical as the .Net framework evolves. A new set of vulnerabilities is appearing at the web application level. Web services are also becoming an integral part of web applications, creating the next generation of threats for the emerging web application layer. New methodologies are required to attack .Net applications, and new defense strategies are evolving. This presentation covers both attacks and defenses with a new set of tools.

Sunday, August 07, 2005

wschess 1.4 released

Some bugs are fixed in this build, in the following areas:
1. wsKnight - SOAPAction tag in the header, and the host
2. wsPawn - parsing error
3. Domain footprinting is removed from wsPawn; a separate tool is planned.

Thanks for reporting bugs. A few more features will be added in the next build.

Saturday, July 02, 2005

Browser identification on HNS

Paper on browser identification is featured on HNS.

Read Here

Saturday, June 25, 2005

Browser Identification

Paper on browser identification is posted on infosecwriters. Several approaches are defined in this paper.

Read Here

Thursday, June 09, 2005

[Oreilly] Protect your applications without recoding them

Article on Onlamp.

Web services are increasingly becoming an integral part of next-generation web applications. They're also vulnerable to attacks. The nature of these attacks is the same as for traditional web applications, but the modus operandi is different. These attacks can lead to information leakage; further, they aid in remote command execution. By using WSDL, an attacker can determine an access point and available interfaces for web services. These interfaces or methods take inputs using SOAP over HTTP/HTTPS. Without good defense at the source code level, your application is in danger of compromise and exploitation. mod_security operates as an Apache web server module, ideal for defending web services against attacks that also include malicious POST data containing SOAP envelopes.

Go to Onlamp

Monday, June 06, 2005

wschess 1.3 released

wsKnight is updated with four new audit/attack vectors to help in auditing or testing web services.

1. Brute forcing - specify the user and password fields and map each to a file; wsKnight then sends every combination on the wire.
2. Buffer overflow - specify the parameter and the buffer size.
3. LDAP injection
4. XPath injection - these two are very simple, the same mechanism with a different category of strings.

Stay tuned, more to come.


Tuesday, May 24, 2005

Advisory on securitytracker

Recent finding on ASP.NET is posted on security tracker.
Read Here

Monday, May 23, 2005

Domain Footprinting Paper

Featured on HNS and also posted on infosecwriters. The methodology discussed in the paper is implemented in the wschess toolkit.
Read Here

Read Here

wschess can be downloaded from here

Wednesday, May 18, 2005

ASP.NET web services advisory

Microsoft ASP.NET Web Services.
Unhandled exception leads to file system disclosure and SQL injection.
Read Here

Tuesday, May 17, 2005

wschess beta 1.2 release

Changes are as follows:

1. Domain footprinting is added to wsPawn. The methodology is discussed in the paper [Read]
2. wsPawn threading is much better controlled now, with an option to stop.
3. A command-line version of wsPawn is also posted, which runs under Linux with Mono.

Planning to add a few more audit/attack modules (XPath, XSS, LDAP etc.) to wsKnight in the next release.

Monday, May 09, 2005

Paper appeared on HNS (IHTTPModule for .Net)

Web Application Defense At The Gates – Leveraging IHttpModule
It is featured on HNS.
Read Here

Wednesday, April 13, 2005

HITB 2005 - Bahrain

HITB at Bahrain. You can find details of my talk here.
Read Here | See Photos

Sunday, April 03, 2005

Bellua Archive

Anthony just posted all presentations of Bellua 2005, Jakarta. I had my talk on Web Application Kung-Fu. You can find all material here.

Saturday, April 02, 2005

wsChess 1.0 (beta/prototype) - Web Services Assessment and Defense toolkit

A set of tools written in C# for the .Net platform. This is a prototype, released as beta with limited support at this point. It has the following tools:

wsPawn - Web services footprinting, discovery and search tool. If you are looking for registered web services and their access points, this tool retrieves that information from public UDDI registries.

wsKnight - Web services profiling, proxy and audit tool. It profiles a web service from its WSDL, and lets you invoke methods and intercept them before they go on the wire to the target so that you can manipulate the SOAP envelope if needed. The autoaudit feature injects characters and attack strings for assessment work.

wsRook - A very simple technology demonstration for developers: a regular-expression-based defense for web services input content, hooked into the HTTP pipeline through the IHttpModule interface.

Whitepapers are included for a better understanding of all these tools.

Read & Download

Tuesday, March 29, 2005

HITB videos

Dhillon has just posted HITB videos on his site for HITB2004.

Monday, March 28, 2005

Web Services: Enumeration and Profiling (Whitepaper)

Web services assessment can begin with a corporate name or some other such bit of information. This simple hint offers a wealth of information that needs to be unearthed. Focus first on locating single or multiple access points for a particular corporation. The methodology, which includes web services footprinting, discovery and search, is described in another paper. Once an access point for a web service is uncovered, the next obvious step is to extract information from it.

Web services are deployed to invoke remote calls over HTTP/HTTPS. Making such calls requires that information about them be shared with the end client. In the days of CORBA, developers shared IDL (Interface Definition Language) files providing the required information over the network. With web services this has changed to WSDL (Web Services Description Language). WSDL is a major source of information and helps in the enumeration process, which we go over in subsequent sections.
Read Here
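
The enumeration the paper describes, as an added example written for this page (it is not wsKnight's code, though it follows the wsKnight idea from the wsChess entries above): walk the WSDL from service/port to the access point, from binding to operations and their SOAPAction, and from message part through the schema element to the parameter names; then take the profiled operation and emit one SOAP request per audit category with a probe string in the chosen parameter. The WSDL, the endpoint URL and the probe strings are constructed for the example; the probe list only mirrors the categories the page names (SQL, XPath, LDAP, buffer), not wsKnight's actual strings.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Text;
using System.Xml;

// Added example, not wsKnight's code. Document/literal WSDL as ASP.NET .asmx emits it.
public static class WsdlEnum
{
    // Constructed WSDL standing in for what Catalog.asmx?WSDL would return (one operation, one-way).
    public const string SampleWsdl = @"<wsdl:definitions targetNamespace='http://example.com/ws'
 xmlns:wsdl='http://schemas.xmlsoap.org/wsdl/' xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/'
 xmlns:s='http://www.w3.org/2001/XMLSchema' xmlns:tns='http://example.com/ws'>
 <wsdl:types><s:schema elementFormDefault='qualified' targetNamespace='http://example.com/ws'>
  <s:element name='Login'><s:complexType><s:sequence>
   <s:element name='user' type='s:string'/><s:element name='pass' type='s:string'/>
  </s:sequence></s:complexType></s:element>
 </s:schema></wsdl:types>
 <wsdl:message name='LoginSoapIn'><wsdl:part name='parameters' element='tns:Login'/></wsdl:message>
 <wsdl:portType name='CatalogSoap'>
  <wsdl:operation name='Login'><wsdl:input message='tns:LoginSoapIn'/></wsdl:operation></wsdl:portType>
 <wsdl:binding name='CatalogSoap' type='tns:CatalogSoap'>
  <soap:binding transport='http://schemas.xmlsoap.org/soap/http'/>
  <wsdl:operation name='Login'><soap:operation soapAction='http://example.com/ws/Login' style='document'/>
   <wsdl:input><soap:body use='literal'/></wsdl:input></wsdl:operation></wsdl:binding>
 <wsdl:service name='Catalog'><wsdl:port name='CatalogSoap' binding='tns:CatalogSoap'>
  <soap:address location='http://www.example.com/ws/Catalog.asmx'/></wsdl:port></wsdl:service>
</wsdl:definitions>";

    public sealed class Operation
    {
        public string Name, SoapAction, Endpoint, Namespace, InputElement;
        public List<string> Parameters = new List<string>();
    }

    static string Local(string qname) { int i = qname.IndexOf(':'); return i < 0 ? qname : qname.Substring(i + 1); }

    public static List<Operation> Enumerate(string wsdlXml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(wsdlXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("wsdl", "http://schemas.xmlsoap.org/wsdl/");
        ns.AddNamespace("soap", "http://schemas.xmlsoap.org/wsdl/soap/");
        ns.AddNamespace("s", "http://www.w3.org/2001/XMLSchema");
        string tns = doc.DocumentElement.GetAttribute("targetNamespace");

        var endpoints = new Dictionary<string, string>();                   // binding name -> access point
        foreach (XmlElement port in doc.SelectNodes("//wsdl:service/wsdl:port", ns))
        {
            var addr = port.SelectSingleNode("soap:address", ns) as XmlElement;
            if (addr != null) endpoints[Local(port.GetAttribute("binding"))] = addr.GetAttribute("location");
        }
        var ops = new List<Operation>();
        foreach (XmlElement binding in doc.SelectNodes("//wsdl:binding[soap:binding]", ns))
        {
            string url; endpoints.TryGetValue(binding.GetAttribute("name"), out url);
            string portType = Local(binding.GetAttribute("type"));
            foreach (XmlElement bop in binding.SelectNodes("wsdl:operation", ns))
            {
                var op = new Operation { Name = bop.GetAttribute("name"), Endpoint = url, Namespace = tns };
                op.InputElement = op.Name;                                   // rpc-style default, overridden below
                var sop = bop.SelectSingleNode("soap:operation", ns) as XmlElement;
                op.SoapAction = sop == null ? "" : sop.GetAttribute("soapAction");
                // binding -> portType operation -> input message -> parts -> schema element -> parameters
                var input = doc.SelectSingleNode("//wsdl:portType[@name='" + portType + "']/wsdl:operation[@name='"
                                                 + op.Name + "']/wsdl:input", ns) as XmlElement;
                if (input != null)
                    foreach (XmlElement part in doc.SelectNodes("//wsdl:message[@name='" + Local(input.GetAttribute("message")) + "']/wsdl:part", ns))
                    {
                        if (!part.HasAttribute("element")) { op.Parameters.Add(part.GetAttribute("name")); continue; }
                        op.InputElement = Local(part.GetAttribute("element"));  // document/literal wrapper element
                        foreach (XmlElement p in doc.SelectNodes("//s:schema/s:element[@name='" + op.InputElement + "']//s:sequence/s:element", ns))
                            op.Parameters.Add(p.GetAttribute("name"));
                    }
                ops.Add(op);
            }
        }
        return ops;
    }

    // Constructed probe strings in the categories the page lists.
    public static readonly KeyValuePair<string, string>[] Probes =
    {
        new KeyValuePair<string, string>("sql", "' OR '1'='1"),
        new KeyValuePair<string, string>("xpath", "' or 1=1 or ''='"),
        new KeyValuePair<string, string>("ldap", "*)(|(objectClass=*"),
        new KeyValuePair<string, string>("buffer", new string('A', 4096)),
    };

    // SOAP 1.1 body. Values are XML-escaped on purpose: the probe must land in the parameter
    // value (the server decodes it back), not break the envelope itself.
    public static string Envelope(Operation op, IDictionary<string, string> values)
    {
        var sb = new StringBuilder("<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body>");
        sb.Append("<" + op.InputElement + " xmlns='" + op.Namespace + "'>");
        foreach (var p in op.Parameters)
        {
            string v; if (!values.TryGetValue(p, out v)) v = "";
            sb.Append("<" + p + ">" + SecurityElement.Escape(v) + "</" + p + ">");
        }
        return sb.Append("</" + op.InputElement + "></soap:Body></soap:Envelope>").ToString();
    }

    // One request per probe: the probe in `parameter`, a benign value in every other parameter.
    public static List<KeyValuePair<string, string>> AuditRequests(Operation op, string parameter)
    {
        var requests = new List<KeyValuePair<string, string>>();
        foreach (var probe in Probes)
        {
            var values = new Dictionary<string, string>();
            foreach (var p in op.Parameters) values[p] = p == parameter ? probe.Value : "test";
            requests.Add(new KeyValuePair<string, string>(probe.Key, Envelope(op, values)));
        }
        return requests;
    }

    public static void Main()
    {
        foreach (var op in Enumerate(SampleWsdl))
            foreach (var r in AuditRequests(op, "user"))
                Console.WriteLine("[" + r.Key + "] POST " + op.Endpoint + "  SOAPAction: \"" + op.SoapAction + "\"\n  "
                                  + r.Value.Substring(0, Math.Min(140, r.Value.Length)));
    }
}
```

Each request goes out as an HTTP POST to `op.Endpoint` with `Content-Type: text/xml` and the `SOAPAction` header set from the binding; that header is what ASP.NET uses to dispatch the call, so a wrong or missing value produces a dispatch fault rather than a test of the method. What to look for in the responses is the usual injection signal: a SOAP Fault carrying a database, XPath or LDAP error string, or a response time or size that differs markedly from the `test` baseline.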

Monday, March 21, 2005

Web application defense at the gates – Leveraging IHttpModule (Whitepaper)

Web applications are vulnerable to many attacks, mainly due to poor input validation at the source code level. Firewalls can block access to ports, but once a web application goes live and TCP ports 80 and 443 are open, the application is easy prey for attackers. HTTP traffic is legitimate traffic for a web application, which is all the more reason to add application-level content filtering over both unencrypted and encrypted channels. Network-level content filtering is possible to some extent but cannot see inside HTTPS (port 443), where the payload is encrypted on the wire. The only way to provide a strong defense is to apply powerful content filtering at the application level, where the request has already been decrypted, for both TCP port 80 and TCP port 443.

The .Net framework with ASP.NET provides the IHttpModule interface, which gives access to the HTTP pipeline, the lowest programming layer available, before an incoming request reaches the web application. This can provide defense at the gates. In this paper we look at how to build this sort of defense in all three aspects: coding, deployment and configuration.
Read Here
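
An added example of the approach, written for this page; it is neither wsRook nor code from the paper. The module attaches to `BeginRequest`, so it runs before the `.asmx` handler, buffers the SOAP body, and rejects the request when one of a small set of rules matches. The `.asmx` path test, the size limit, the SOAPAction shape check and the rule patterns are all assumptions of this example rather than a vetted rule set; the same rules are what the mod_security deployment in the whitepaper further down would carry in front of Apache.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Added example for this page; not wsRook and not the paper's code.
public class SoapGateModule : IHttpModule
{
    const int MaxBodyBytes = 256 * 1024;                     // assumed ceiling for a legitimate SOAP request

    // Rules run over the raw XML body. Parameter values may arrive XML-escaped, so the
    // tautology rule accepts both &apos; and a literal apostrophe. All patterns are constructed.
    static readonly Regex[] Rules =
    {
        new Regex(@"<!(DOCTYPE|ENTITY)", RegexOptions.IgnoreCase | RegexOptions.Compiled),             // DTD / entity tricks
        new Regex(@"(&apos;|&#39;|')\s*(or|and)\s+", RegexOptions.IgnoreCase | RegexOptions.Compiled), // SQL / XPath tautology
        new Regex(@"\*\)\s*\(\|?", RegexOptions.Compiled),                                            // LDAP filter break-out
        new Regex(@">[^<]{2048,}<", RegexOptions.Compiled),                                           // oversized element value
    };

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var req = app.Request;
        // Inspect only SOAP posts to web-service endpoints; everything else passes untouched.
        if (req.HttpMethod != "POST" || !req.Path.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase)) return;
        int len = req.ContentLength;
        if (len > MaxBodyBytes) { Reject(app, "body too large"); return; }
        if (len <= 0) return;                                // nothing declared to inspect

        var buf = new byte[len];
        int read = 0, n;
        while (read < len && (n = req.InputStream.Read(buf, read, len - read)) > 0) read += n;
        req.InputStream.Position = 0;                        // hand the stream back unread to the SOAP handler

        string reason = Inspect(Encoding.UTF8.GetString(buf, 0, read), req.Headers["SOAPAction"]);
        if (reason != null) Reject(app, reason);
    }

    // Pure check, testable without IIS: null when clean, otherwise the reason for rejection.
    public static string Inspect(string body, string soapAction)
    {
        // ASP.NET dispatches on SOAPAction; accept only the quoted-URI shape a real client sends.
        if (soapAction != null && !Regex.IsMatch(soapAction, "^\"?[A-Za-z0-9:/._-]*\"?$"))
            return "malformed SOAPAction";
        for (int i = 0; i < Rules.Length; i++)
            if (Rules[i].IsMatch(body)) return "rule " + i + " matched";
        return null;
    }

    static void Reject(HttpApplication app, string reason)
    {
        app.Response.StatusCode = 403;
        app.Response.ContentType = "text/plain";
        app.Response.Write("Request rejected: " + reason);
        app.CompleteRequest();                               // ends the pipeline here; the service never sees the request
    }
}
```

Deployment is the configuration half of the paper: compile the class into an assembly in the application's `bin` directory and register it in web.config under `<system.web>` with `<httpModules><add name="SoapGate" type="SoapGateModule"/></httpModules>`. Because the module sits inside ASP.NET, it sees the body after IIS has already removed TLS, which is exactly why it covers port 443 where a network filter cannot. The caveat is the one the paper itself makes: a regex gate is a second layer, and the service methods still have to validate their own parameters.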

Tuesday, February 08, 2005

Web Application Footprints and Discovery

Serious challenges arise when doing web application assessments against servers that host multiple virtual hosts, with zero knowledge of how many web applications are mapped to a single IP address. Using the manual techniques outlined in the paper, the methodology pinpoints specific ways to discover those applications and enhance web application assessment with tangible results.
Read Here

Wednesday, January 19, 2005

Defending Web Services using Mod Security (Apache) Methodology and Filtering Techniques (Whitepaper)

Web services are vulnerable to several attacks. These attacks can lead to information leakage and further aid in remote command execution. By using WSDL, an attacker can determine an access point and the available interfaces for web services. These interfaces or methods take inputs using SOAP over HTTP/HTTPS. If these inputs are not defended well at the source code level, they can be compromised and exploited. mod_security operates as an Apache web server module, ideal for defending web services against attacks, including malicious POST variables and content. This paper describes techniques to defend your web services layer using mod_security.
Infosecwriters (Read Here)

Some interesting resources on the same topic.
Read Here