A post on http://securityretentive.blogspot.com/2009/12/security-disclosure-policies-that.html and http://securityretentive.blogspot.com/2007/11/some-comments-on-paypals-security.html caught my eyes, i read it a while and made me browse to another post(s):

https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/ReportingSecurityIssues-outside

http://shiflett.org/blog/2007/nov/paypal-groks-security

http://jeremiahgrossman.blogspot.com/2007/11/paypals-vulnerability-disclosure-policy.html

After taking a quick glance on the post(s), i have a question pop-up in my mind (i should have turn on the pop-up block feature on my head) about:
“Do not engage in security research that involves:
* Use of an exploit to view data without authorization, or corruption of data.”

For example if i run sql injection test and i can login as admin or the first user on the database … that mean i can view the user data right? Will it cross the line on the policy guidelines? And the company can take a private action or refer a matter for public inquiry?

Well … we’ll never know until we try??? … or we’ll never know until we go to court or jail?

http://ha.ckers.org/blog/20090401/certified-application-security-specialist/

I ROFL after reading the response on the post. This is the 3rd time i ROFL after reading posts on RSnake blog, the other two posts were http://ha.ckers.org/wallofshame.html and http://www.fthe.net/stuff/419.html

The Open Web Application Security Project (OWASP) today released a new top 10 list at its conference in Washington, D.C., that focuses on Web application security risks rather than the way its previous lists highlighted the most common weaknesses found in Websites.

OWASP member Georg Hess says the risk-based focus should broaden the OWASP list’s applicability to IT and higher-level executives, too. “This time, it’s not only about vulnerabilities, but really more about identifying the top 10 risks,” says Hess, CEO and founder of Art of Defence. “This should help raise the importance of this…and make it more likely [for organizations] to understand their risks.”

Injection attacks top the 2010 OWASP Top 10 list of Web application security threats, including SQL, OS, and LDAP injection, followed by cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, failure to restrict URL access, unvalidated redirects and forwards, insecure cryptographic storage, and insufficient transport layer protection.

The list is considered a “release candidate” that will be published in its final form in 2010.

New to the list are security misconfiguration and unvalidated redirects and forwards. Security misconfiguration is prevalent today, as is unvalidated redirects and forwards. “The evidence shows that this relatively unknown issue is widespread and can cause significant damage,” says the OWASP report. Web redirects typically steer users to other pages and sites, and when the data for the destination pages isn’t properly validated, users can be redirected to phishing or malware sites by attackers.

Malicious file execution and information leakage/improper error-handling are no longer on the top 10 list. OWASP says that while malicious file execution is still a big problem in many environments and was especially high in 2007 with PHP vulnerabilities, now that PHP ships with default security, it’s less of a problem. While information leakage/improper error-handling are rampant vulnerabilities, the impact of them isn’t usually as critical.

The OWASP report also includes how to assess the possibility that your Web application would be at risk of these types of Web attacks, as well as mitigation tips. OWASP used its risk-rating methodology to come up with its new list.

The top 10 comes on the heels of WhiteHat Security’s report yesterday of the most common vulnerabilities discovered in its clients’ Websites. In that list, XSS was No. 1 and SQL injection No 5. But Jeremiah Grossman, founder and CTO of WhiteHat, says SQL injection flaw finds were likely underreported. SQL injection flaws can be difficult to detect in scans because developers who disable verbose error messages as a way to protect against SQL injection attack can also inadvertently make it difficult to find SQL injection flaws, according to Grossman.

OWASP 2010 RC1: http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf
Source:

http://darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221700095&cid=ref-true

http://www.cgisecurity.com/2009/11/owasp-issues-2010-top-10-rc1.html

Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

1. Testing Web Application Security Scanners
2. Testing Static Code Analysis tools (SCA)
3. Giving an introductory course to Web Application Security

The main objective of this tool is to give the community a ready to use testbed for web application security tools. For almost every web application vulnerability that exists in the wild, there is a test script available in moth.

There are three different ways to access the web applications and vulnerable scripts included in moth:

1. Directly
2. Through mod_security
3. Through PHP-IDS (only if the web application is written in PHP)

Both mod_security and PHP-IDS have their default configurations and they show a log of the offending request when one is found. This is very useful for testing web application scanners, and teaching students how web application firewalls work. The beauty is that a user may access the same vulnerable script using the three methods; which helps a lot in the learning process.

Moth image: http://sourceforge.net/projects/w3af/files/moth/moth/moth-v0.6.7z/download

Source:

http://www.bonsai-sec.com/en/research/moth.php

http://www.bonsai-sec.com/blog/index.php/moth-vulnerable-vmware-image/

As live CD’s have become more popular, specialized distributions have begun to emerge. One such specialty live CD is Samurai, a distribution squarely focused on web application penetration and vulnerability testing. Samurai is dubbed a “web testing framework” in much the same way that Metasploit is termed a framework. Samurai is sponsored by IntelGuardians Network Intelligence Inc a for profit information security consulting firm based in Washington, DC.

Samurai focuses on tools needed by web application testers to look for common vulnerabilities, such as misconfigurations, cross site scripting (XSS), SQL injection, remote file inclusion and other common vulnerabilities. the CD includes several tools to reconnoiter web applications and servers, enumerate files and directories, and test scripts.

Samurai – First Looks

The bootable Samurai CD allows several options once started. It can be run as a live CD or you can install the framework as a complete operating system:

The starting status screen is fairly clean:

Once you boot Samurai to the login screen you enter the username ’samurai’ and the password ’samurai’ to log in. This information is a little obscure. It appears on the Samurai SourceForge.net project page, and in the Readme.txt that is only available once you’re logged in to the distro:

Once logged in it becomes obvious that Samurai is based on Ubuntu, which is a little unusual for a live CD distribution:

Applications

Samurai comes with a host of useful applications. These include many of the regular Linux tools but also include:

• Burp Suite, a web application attacking tool
• DirBuster, an application file and directory enumeration and brute forcing tool from OWASP
• Fierce Domain Scanner a target ennumeration utility
• Gooscan an automated Google querying tool that is useful for finding CGI vulnerabilities without scanning the target directly, but rather querying Google’s caches
• Grendel-Scan, just released, an open source web application vulnerability testing tool
• HTTP_Print a web server fingerprinting tool
• Maltego CE, an open source intelligence and forensics application that does data mining to find information from the internet and link it together (great for background research on a target).
• Nikto, an open source web server scanner
• Paros, one of my favorite, Java based, cross platform, web application auditing and proxy tools
• Rat Proxy, a semi-automated, passive web application security audit tool.
• Spike Proxy, an extensible web application analyzer and vulnerability scanner.
• SQLBrute, a SQL injection and brute forcing tool.
• w3af (and the GUI), a web application attack and audit framework.
• Wapiti, a web application security auditor and vulnerability scanner
• WebScarab, an HTTP application auditing tool from OWASP
• WebShag, a web server auditing tool
• ZenMap, a NMAP graphical front end

Additionally Samurai includes several utilities that aren’t available from the GUI menu. These include:

• dnswalk, a DNS query and zone transfer tool
• httping, a ping like utility for HTTP requests
• httrack, a website copying utility.
• john the ripper, a password cracking program
• netcat, a TCIP/IP swiss army knife
• nmap, a port scanner and OS detection tool
• siege, an HTTP stress tester and benchmarking tool.
• snarf, a lightweight URL fetching utility

and many others. Of course, all of these tools could easily be installed on your own Linux based machine, but having a live CD with the tools installed and pre configured is quite nice. Samurai also comes with Wine installed, which is handy if you want to run some windows based tools off of the distribution.

Source: http://www.madirish.net/?article=218

w3af, is a Web Application Attack and Audit Framework. The w3af core and it’s plugins are fully written in python. The project has more than 130 plugins, which check for SQL injection, cross site scripting (xss), local and remote file inclusion and much.

Download: http://sourceforge.net/projects/w3af/files/
FAQ: http://w3af.sourceforge.net/faq.php
User Guide: http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/readme/EN/w3afUsersGuide.pdf
Video: http://www.youtube.com/watch?v=YABMASGv4A8 & http://www.youtube.com/watch?v=3UwQO3-Unt8

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

Website: http://samurai.inguardians.com/
Video: http://www.vimeo.com/1790680
Live CD: http://sourceforge.net/projects/samurai/files/

Remember Pangolin? It’s an automatic tools for SQL Injection Tool developed by nosec (http://www.nosec.org/download/) that used by Unu when “walking” on symantec server (http://unu123456.baywords.com/2009/11/23/symantec-exposed-passwordsserials-sql-injection-full-database-access/). Laramies (Christian Martorella Etiquetas) run some test that revealed pangolin dubious behavior! Laramies said that: “… the results of the injection is sent to a nosec.org web server, and then Pangolin perform a GET to retrieve the data”! At least don’t use it when you audit a client network, otherwise the data will goes to 3rd party?!

Source:

http://laramies.blogspot.com/2009/05/pangolin-and-your-data.html

The Romanian hacker that made the news this week by blowing the whistle on an SQL injection affecting two of the best known security software developers, Kaspersky and BitDefender, is not resting on his laurels and is now putting the Finish experts from F-Secure to the test. According to Unu, the alias used by the hacker in question, the web page of F-secure is vulnerable to SQL injection and XSS (cross site scripting); the good thing is that no confidential or sensitive data has been leaked. The only info that Unu managed to access is related to past virus activity and some statistics.

“During the last few days a Romanian group has been doing SQL injection attacks on several security vendor’s websites and early this morning they hit us,” replied F-Secure. “One of our servers used in gathering malware statistics had a page that didn’t properly sanitize input and was therefore vulnerable to attack. Fortunately we utilize defense-in-depth strategies so the attack was only partly successful. Although the attackers were able to read information from the database they couldn’t write or manipulate it. And they couldn’t access any other data on that server because the SQL user only had access to its own database, which only contains public information that is shown on our statistics pages. So while the attack is something we must learn from and points at things we need to improve, it’s not the end of the world.”

It may not be “the end of the world” but it is properly embarrassing when a company that specializes in security solutions is vulnerable to some sort of exploit or attack.

While Unu’s success may have been a limited, some other hacker has been successful in compromising the official web page of Germany’s Interior Minister, Wolfgang Schäuble. The attacker exploited a security vulnerability in the Typo3 content management system and placed the “Visit: Vorratsdatenspeicherung” message on the site. The attack seems to have been spurred by the minister’s support for biometric passports and logging all email, internet, landline and mobile phone communications.

Source:

http://www.findmysoft.com/news/SQL-Injection-Attack-on-F-Secure-Site-of-Germany-Ministry-of-Interior-Successfully-Hacked/

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1347639,00.html

http://www.hackersblog.org/2009/02/11/f-securecom-sql-injection-cross-site-scripting/

Unu, the Romanian hacker that blew the whistle on the SQL injection vulnerability affecting the Kaspersky USA web page has done it again: this time he has discovered a vulnerability affecting the BitDefender Portugal site. By means of SQL injection he managed to gain access to loads of confidential data such as admin usernames, passwords, sales tables, customer details and email addresses, and so on.

Just as in the case of the Kaspersky SQL injection, Unu has posted several pictures depicting his accomplishments: “It seems Kaspersky aren’t the only ones who need to secure their database. BitDefender has the same problems. The images speak for themselves. First we see the version, user and name of the Data Base. Now let’s see the Admin userName, userPass, sessionID and lastlog. Here’s an injection that returns thousands of lines where we see personal details of the customers, tabel vendas (sales table),” he says.

The list of customer email addresses alone makes is worth it for spammers to take advantage of the poorly programmed database – with a simple SQL injection they have access to a whole list of verified and authentic addresses which can be later on exploited. The least worrisome situation would be bombarding the inboxes of these people with “Genuric Viagr@” messages; but what is stopping someone with malicious intent to launch a phishing attempt? We can only take comfort on the fact that Unu will not disclose details about the vulnerability, just as he did in the Kaspersky situation. The other consolation is that since BitDefender is based in Romania, the communication process between Unu and the aforementioned security software developer will go smoothly.

In related security news, it must be said that Microsoft will release a patch tomorrow, the 10th of February 2009. With this month’s Patch Tuesday the Redmond software developer will address two critical vulnerabilities in Internet Explorer and Microsoft Exchange Software and two important vulnerabilities in Microsoft Office and Microsoft SQL.

Source:

http://www.findmysoft.com/news/Unu-Strikes-Again-Hacks-BitDefender/

http://hackersblog.org/2009/02/09/hackedbitdefender-portugal-exposes-sensitive-customer-data/