Ravikanth's Blog

Honeywell and Miss America 2007 Educate Families about Internet Safety

2009-04-28T03:33:00Z

To convey the importance of Internet Safety, Honeywell produced this video with Internet safety advocate Lauren Nelson, Miss America 2007. This will help customers and prospects learn about the dangers in cyberspace. Click here for video.

Firefox Plugins for Security Professionals by Schmidt, Chris

2009-04-15T03:46:00Z

Access Me
Although it doesn’t find 90% of what it says it will, this plugin can be somewhat useful for determining whether a server configuration is vulnerable to certain attacks that can me made with different request methods such as DELETE.

SQL Inject Me
I have seen this plugin succesfully detect several *easy-to-find* SQL Injection vulnerable form fields. But it doesn’t really do a whole lot of checking beyond the simple obvious ones.

XSS Me
Of all of the Security Compass plug-in’s this one is by far the most useful and does most of what it says it will. However, just because the plug-in says a site is not vulnerable to XSS doesn’t mean it truly isn’t. This plugin, like SQL Inject Me, simply checks for the simplest XSS vectors.

Web Developer
Of every plugin I use, I probably use the functionality of this one more than any other. This is an entire suite of tools aimed at assisting web developers with things like local validation, src highlighting, form modifications, etc. That being said, the same functionality is invaluable to web application hackers to break your forms, discover XSS vectors, and analyze your code for other problems.

FireBug
Like Web Developer, this plugin was designed and built with the developer in mind. However, with enhanced JS debugging capabilities, and arguably the best DOM browser there is, this plugin has singlehandedly been responsible for more XSS powered CSRF exploits in my audits than every tool in my toolkit combined. This is a must-have.

Passive Recon
This is an entire suite of tools that allow you to pseudo anonymously get a pretty detailed domain recon report from a single click, or parts of that report individually. This can come in very handy when performing an audit on a site or app that you know very little about to begin with and often gives insight into the system and server architecture of the target that can prove invaluable to finding holes.

TorButton
If you haven’t heard of TOR you probably have no idea what I am talking about in most of the above plugins. While it is by no means perfect, and can never replace a good proxy chain, TOR provides basic anonymization of your internet traffic. This button allows you to switch in and out of TOR mode in firefox with a single click.

FireCookie
Firecookie is actually an extension to the FireBug plugin, and thus requires that FireBug be running and installed. However, it provides a means to view and edit cookies in real-time.

Modify Headers
This plugin can prove invaluable when used correctly, for everything from spoofing user-agent to spoofing client ip, this is a must have for any hackers toolbox.

Tamper Data
Like Modify Headers, the Tamper Data plugin allows you to modify headers and cookies. The difference is, it does so on a Per-Request policy, meaning that if you are enumerating manually to isolate a bug, this plug-in will prove to be your best friend. I have broken many a webservice with this tool.

Security logic flaws - Real world examples by Bill cory

2009-02-23T06:17:00Z

* Yahoo had a promotional offer where if you deposited USD $30 into an advertising account, Yahoo would then add an additional USD $50 to that account. The sign-up process was able to be circumvented in such a way that failing to deposit the requisite USD $30 still allowed the additional USD $50 to be credited to the account.

Yahoo SEM Logic Flaw
http://ha.ckers.org/blog/20080616/yahoo-sem-logic-flaw/

* Tower Records' form validation assumed that the user would fill out a form in the order presented, but in reality, some users filled out the bottom portion first, causing a bug that wasn't caught during development and resulted in the loss of sales.

Tower Records Tunes Its Site
http://www.storefrontbacktalk.com/story/021005tower.php

* YouTube restricts some videos to users that are 18-years-old and older on their site. However, if the same video is embedded in another site, then the process that filters the videos is bypassed, allowing anyone of any age to view the video.

Youtube’s 18+ Filters Don’t Work
http://www.darkseoprogramming.com/2008/06/01/youtubes-18-filters-dont-work/

* Facebook restricts access to private user pages, but there have been incidences where an attacker can replace the user ID in the URL with a victim ID, thereby circumventing the security measures. Two examples include accessing private photos and accessing private fan pages.

Peekaboo! Facebook fills photo security hole
http://news.cnet.com/8301-1009_3-10042909-83.html

Hole unveils Facebook fan pages
http://news.cnet.com/8301-1009_3-10046932-83.html

* E-trade and Schwab failed to limit one bank account to any given user, allowing an attacker to assign the same bank account to tens of thousands of users, resulting in a loss of USD $50,000.00.

Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits'
http://blog.wired.com/27bstroke6/2008/05/man-allegedly-b.html

* AT&T offered free wi-fi service to iPhone users, but to distinguish the iPhone users from the rest, AT&T used the user-agent and an iPhone phone number to determine who received the free service. By changing the user-agent and providing a phone number to any iPhone account, users of other devices were able to obtain free wi-fi service.

Apple and AT&T providing free Wi-Fi access to iPhone users and oops… to everyone else as well!
http://blogs.zdnet.com/security/?p=1067

* MySpace restricts access to private user photos, but when they launched a new service that allowed sharing of data with Yahoo, the process contained a flaw that allowed access to private user photos via Yahoo.

Paris and Lindsay Hacked Again (There’s a Lesson Here, Really)
http://blogs.wsj.com/biztech/2008/06/03/paris-and-lindsay-hacked-again-theres-a-lesson-here-really/

TA-Mapper: Application Penetration Testing Effort Estimator

2009-01-02T06:07:00Z

My colleague Debasis has released TA-Mapper tool @ http://coffeeandsecurity.com/resources/tools/tamapper.aspx

TA-Mapper (Time and Attack Mapper) is an effort estimator tool for blackbox security assessment (or Penetration Testing) of applications.

This tool is very useful, when you need to explain\justify efforts at micro level.

Secure Coding Standard for Java

2008-12-26T07:37:00Z

CERT and Sun Microsystems have released The CERT Sun Microsystems Secure Coding Standard for Java.

The rules and recommendations are not globally editable, but anyone is able to add comments, and qualified individuals can be added as editors.

Determine the security risk of using Open source projects

2008-11-11T08:04:00Z

Visit the Java Open Review, an open source project sponsored by Fortify Software which uses Fortify SCA tools and Findbugs to look for defects in software – as a service. It publishes aggregated statistics but has a "responsible disclosure policy", which means details of bugs found are fed back only to the authors.

The project on going basis analyses some common open source projects and other applications, including Hibernate, Struts, Spring, Apache frameworks and Tomcat then publishes list of defect free projects from quality & security perspective.

Using Defect free project list, consumers can gauge the level of risk involved in different open source components.

Acrobat Reader (CVE-2007-5659) Download/Exec Exploit Demo video

2008-10-24T09:21:00Z

My colleague Debasis has released Acrobat Reader Download/Exec Exploit Demo Video @ http://coffeeandsecurity.com/resources.aspx.

Due to hosting space/bandwidth constraint, He will not keep the original version for long....so grab it before it is gone.

Microsoft Threat Modeling 3.0 & Optimization Model tools slated to release in November 2008

2008-09-17T07:19:00Z

Microsoft is planning to roll out new version of Threat Modeling Tool 3.0 in November, 2008, which focuses on the software design process, with built in guidance and advice into the tool. Also shows what is the [security] implication of a design, and gives a chance to learn about security in a way that's broader than just vulnerabilities. Microsoft will also roll out the Optimization Model in November, 2008. Another free download, it is designed to show an organization where it currently stands on the secure development front and then helps it move toward a broader use of the SDL techniques. Both the tools are free & helps in writing more secure code.

Step by Step - By passing .NET Validate Request

2008-08-29T08:32:00Z

The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting). The following paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.

Paper:

http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf

The original version of this paper was released in January 2006 for private CPNI distribution. This paper has now been updated in August 2008 to include additional materials such as input payloads that bypass the latest anti-XSS .NET patches (MS07-40) released in July 2007.

Implementing an Anti-Virus File Scan in JEE Applications

2008-07-16T07:49:00Z

The following article will discuss, step by step how to implement anti virus solution (file scanning for virus) in Java, particular in the JEE applications.

http://www.developer.com/design/article.php/3711331

Fortify Taxonomy: Software Security Errors\Vulnerabilities

2008-06-27T12:01:00Z

The following site presents a taxonomy of software security errors developed by the Fortify Software Security Research Group. Each vulnerability category is accompanied by a detailed description of the issue with references to original sources, and code excerpts, where applicable, to better illustrate the problem.

http://www.fortify.com/vulncat/

This will be good resource for security analysts\software developers who want to know kind of vulnerabilities possible in different kind of languages\environments(ColdFusion, PHP, Java, ASP, ASP.NET etc).

Must visit website for newbie's in application security.

Integrated Application Security into Software Development Life Cycle

2008-05-23T11:12:00Z

With today, I had completed integrating security in standard SDLC to prevent security bugs from appearing in released applications. SEI CMMI Version 1.1, Maturity Level 5 Process has been updated with security tests/tools/guidelines/templates to ensure application security is adequately covered and controls are effective throughout the development process. Following is the breif summary outlined here...Click here for download of following.

SDLC Process	Requirements & Engineering Management	Architecture & Design *	Coding & Unit Testing	Integration & Testing
Entry Criteria	Business Requirements	Security requirements	Threat model	White Box test results
Entry Criteria	Constraints & assumptions	High Level Architecture/Design Document Use cases	High Level/Low Level Architecture, Design Documents
Activities	Determine application risk rank	Create threat model	Security development/coding guidelines/best practices	Automated Application Assessment
	Identify key compliance objectives	Review/modify security requirements	White Box Review & Host review	Manual/Automated penetration testing
	Define secure integration with external systems	Architecture & Design Review	Static code analyzer
Deliverables	Security test strategy	Threat model
	Security integrated into the development process	Security requirements in all defined components	White Box Review Report & Sign off	Black Box Review Report & Sign Off
	Predictive Risk Ranking	Architecture & Design Review Report
Tools	Security consultant	Threat Model Tool	Static Code Analyzer	Automated security tool
Tools	Security Requirements Review Checklist	Architecture & Design Review Checklist	Security Development Guidelines
Exit	Test strategy approved	No Sev 1 & Sev 2 issues exists	No Sev 1 & Sev 2 issues exists	No Sev 1 & Sev 2 issues exists
Responsibility	Project Team & Security Team	Project Team & Security Team	Project Team & Security Team	Project Team & Security Team

Integer overflow & underflow revisited

2008-03-10T10:42:00Z

Following java program will compare customer balance with minimum balance. If customer balance is higher than minimum balance then customer will get a special discounts.

//Integer overflow & underflow example

int min_balance = 25000;
int cust_balance = (25000 * 25000 * 20);
cust_balance = (-25000 * 25000 * 20);if (cust_balance >= min_balance)
{
System.out.println("This customer qualifies for special pricing.\n");
}
else
{
System.out.println("This customer does NOT qualify for special pricing\n");
}

Try giving 25, 25000, 30000 as customer balance, the program will behave as expectedly.

If you change the customer balance to the following computations, you will observer un expected behaviour in the program due to integer/overflow underflow.
cust_balance = (25000 * 25000 * 20); //Integer overflow
cust_balance = (-25000 * 25000 * 20); //Integer underflow

What happend:

Java does not detect errors in numerical computations at compile time. Java type "int" is represented as a 32-bit binary number. With 32 bits, it's possible to represent a little over four billion different values. The values of type int range from -2147483648 to 2147483647.

When the result of a computation lies outside this range, the mathematically correct result in each case cannot be represented as a value of type int. The above two computations lies outside of the range. These are examples of integer overflow/underflow.

In most cases, integer overflow/overflow should be considered an error. However, Java does not automatically detect such errors.

Security tips for file uploading

2008-02-18T12:00:00Z

For file upload in your application, one important thing that you must consider is security, as improper design and configuration will make your application vulnerable to attacks.

Here are a few security tips that may be useful to you.

• File Size – Have some limit in uploaded file sizes
• Always Check content type & and also check against list of allowed file types
• Never store files with user supplied files names. Always generate a unique file name, by appending Unique, non guessable ID’s, timestamps, random numbers etc.
• Make sure anti virus (with up to date signatures) is installed and enabled for monitoring of incoming & outgoing files
• As industry practice uploaded foldern files should not be a part of your source directory
• Access to uploaded file share should be given on need to know basis

Find in files results customization in visual studio 2005

2008-01-11T09:18:00Z

If you spend considerable time in reformatting your find in files results, then this tip is might helpful for you. As an security analyst I always required to report a security issue with directoryname, file name , line number and code snippet. But default find in files results window will provide filename & code text and that to in single line.

To change default settings & to display results in multiple lines, you can use the following registry setting.

1. Go to HKCU\Software\Microsoft\VisualStudio\8.0\Find
2. Add a new string called Find result format with a value of Directory : $d\nFile name : $f$e\nLine #: $l\nCode:$t\r\n where

$d is directory name
$f is the filename
$e is the extension
$l is the line
$t is the text on the line

Note: You don’t have to restart Visual Studio to pick up on your registry changes.

Full list of items you can specify in the registry can be found here.