So fast - so weekly: web web web

no one cleans the data-highway
Web application pentests are important for online enterprises. Economically, no one wants to employ people who manually check every order, because that would be as expensive as taking orders by telephone. From a technical standpoint, web applications can severely harm host security and cause data leakage, and no business can sustain that either. Companies that leak data will suffer for it in the future,
even if it seems people don't care yet. Obviously they will once there's credit card fraud, for example, and criminals start to target them.
So where to start... There are some deliberately insecure web applications that prove and teach certain concepts, and there's good literature like "The Web Application Hacker's Handbook" by Dafydd Stuttard and Marcus Pinto, which I personally can recommend to any web programmer.
But again: where to start? You can demonstrate the power of a web proxy by changing the prices of orders, you can sniff at the protocol level and target further weaknesses, or you can use a web application scan engine to search for possible XSS, CSRF, SQL injection or JS injection vulnerabilities.
I personally start with this. I try to understand and classify one or two vulnerabilities a day, because I'm not this web guy. Nevertheless many people treat web app pentests as THE hot stuff. I don't like it.
But it's amazing: Google doesn't see a need to patch the CSRF flaw, Amazon has some malware activity in the database backend (rumor), Oracle admins don't see a reason for security patches... I feel my work is safe. Bright future.
Common browsers like Safari (by default), Firefox (by default), IE (you name it) don't have script controls and are a primary malware target nowadays... kewl. And Google wants to run native x86 code in browsers (which I think is a great idea!). And nowadays it's easier than ever to pop a command prompt via SQL injection and do some kung fu.
Web application firewalls... may be a good idea. Let's see. As it stands, the security semantics problem applies: a system without tightly defined semantics has unforeseen behaviours, and those cause damage. Like a robot arm going out of sync in real time and hitting people, a web app gets exploited and hands out goods for free. Same procedure, no magic, and solvable through minimal, modular and clean design, i.e. good code.
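As an added example (not code from the original post), here is the price-tampering demo mentioned above in Python: a checkout that reads the price back from the form, which is exactly what an intercepting proxy lets an attacker edit, beside a version with the tightly defined semantics the WAF paragraph asks for. The catalogue, SKUs, limits and request dictionaries are constructed stand-ins for a real shop's hidden form fields.

```python
"""Price tampering through an intercepting proxy: vulnerable vs hardened.

Added example; not code from the original post. CATALOGUE, the SKUs and the
request dicts are constructed stand-ins for a real web shop's form fields.
"""
from decimal import Decimal

# Constructed server-side catalogue: the only authoritative source of prices.
CATALOGUE = {
    "sku-1001": Decimal("499.00"),  # laptop
    "sku-2002": Decimal("19.90"),   # mouse
}

class OrderError(ValueError):
    """Raised by the hardened checkout for any request outside its semantics."""

def checkout_vulnerable(form):
    """Trusts whatever price the browser (or a proxy) sends back.

    Typical pattern: the price was rendered into a hidden input and is read
    straight back from the POST body, so editing it in a proxy changes the total.
    """
    qty = int(form["qty"])
    price = Decimal(form["price"])  # attacker-controlled
    return {"sku": form["sku"], "qty": qty, "total": price * qty}

def checkout_hardened(form):
    """Derives the price from the SKU server-side and validates the quantity.

    The request is a choice of (sku, qty) and nothing else; a 'price' field in
    the form is simply ignored, so tampering with it cannot change the total.
    """
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise OrderError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise OrderError("quantity must be an integer")
    if not 1 <= qty <= 100:  # assumed per-order limit; negative qty = refund trick
        raise OrderError("quantity out of range")
    return {"sku": sku, "qty": qty, "total": CATALOGUE[sku] * qty}

def hardened_rejects(form):
    """True if the hardened checkout refuses the request."""
    try:
        checkout_hardened(form)
    except OrderError:
        return True
    return False

# Constructed request as the browser sends it ...
LEGIT = {"sku": "sku-1001", "qty": "1", "price": "499.00"}
# ... the same request after editing the hidden price field in a proxy ...
TAMPERED = {"sku": "sku-1001", "qty": "1", "price": "0.01"}
# ... and a negative quantity, the classic way to turn a charge into a credit.
NEGATIVE = {"sku": "sku-2002", "qty": "-5", "price": "19.90"}

if __name__ == "__main__":
    print("vulnerable, tampered:", checkout_vulnerable(TAMPERED))
    print("vulnerable, negative:", checkout_vulnerable(NEGATIVE))
    print("hardened,   tampered:", checkout_hardened(TAMPERED))
    for req in (NEGATIVE, {"sku": "sku-9999", "qty": "1"}):
        try:
            checkout_hardened(req)
        except OrderError as exc:
            print("hardened rejects:", exc)
```

The vulnerable handler is what a web app scanner will not reliably find, because nothing about the response looks broken; it only shows up when you change the hidden field in the proxy and watch the total follow. The hardened handler shows the point about semantics: the server accepts a small, well-defined request and computes everything else itself.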
The incident response, and the final point of ownage
While I was dumping some memory with mdd and using Volatility to go through some memory samples from NIST... I found out that this is a very good way to characterize malware behavior. In a Windows VM, in a MacOS VM... works fantastic. Death to malware!?
Well, no... this is a double-edged sword. I can steal some memory with Meterpreter and extract the passwords. But if somebody ever wants proof of how problematic exploitation is... that's the final point of ownage!
meterpreter > execute -f "cmd.exe" -i -H
Process 1908 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
c:\>mdd.exe -o memory.dd
mdd.exe -o memory.dd
[...]
(more?)
Meterpreter's upload stuff is just kewl, by the way. And even if the antivirus eliminates your binary, mask it. Just do it ;).
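As an added example that is not part of the original post and is neither mdd nor Volatility code: a small Python carver that pulls ASCII and UTF-16LE strings out of a raw dd-style image like the one mdd writes above, and flags the ones that sit next to credential markers. This is the "extract the passwords" step on the attacker side and, run over a suspect dump, a quick triage step on the responder side. The sample image, its HTTP fragments and the keyword list are constructed assumptions.

```python
"""Carving credential-like strings from a raw memory image.

Added example, not part of the original post and not mdd/Volatility code.
Works on any raw (dd-style) dump; SAMPLE_IMAGE below is constructed.
"""
import re

MIN_LEN = 6
# Printable ASCII run, and a UTF-16LE run (same bytes interleaved with NUL),
# which is how Windows user-mode code keeps most of its strings in memory.
_ASCII = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Markers that often sit next to secrets in process memory (form bodies,
# HTTP headers, config blobs). Assumed list; extend it per target.
KEYWORDS = ("password", "passwd", "pwd=", "authorization:", "secret")

def carve_strings(image, min_len=MIN_LEN):
    """Yield (offset, encoding, text) for every ASCII / UTF-16LE run."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_credentials(image, keywords=KEYWORDS):
    """Return carved strings containing a credential marker, sorted by offset."""
    hits = [s for s in carve_strings(image)
            if any(k in s[2].lower() for k in keywords)]
    return sorted(hits)

def _build_sample():
    """Constructed stand-in for a few pages of a dumped browser process."""
    buf = bytearray(b"\x00" * 64)
    buf += b"GET /login HTTP/1.1\r\nHost: shop.example\r\n"          # ASCII
    buf += b"\x00" * 16
    buf += "user=alice&password=hunter2".encode("utf-16-le")        # UTF-16LE form body
    buf += b"\x00" * 16
    buf += b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"          # alice:hunter2
    buf += bytes(range(256))                                         # binary noise
    return bytes(buf)

SAMPLE_IMAGE = _build_sample()

if __name__ == "__main__":
    for off, enc, text in find_credentials(SAMPLE_IMAGE):
        print(f"0x{off:08x} {enc:8s} {text}")
```

The UTF-16LE pass is the part a plain `strings` run misses, and it is where the interesting Windows material (form fields, LSA-side data, IE autocomplete) tends to live. On a real image of a few hundred megabytes the same two regexes still work; the keyword filter is what keeps the output readable.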
Cloud computing... is useless above the sky?
Funny thing about cloud computing - it's useless at 35,000 feet.
In cloud computing, you rely on applications running on the Internet instead of on your personal machine. So rather than write a file in Microsoft Corp.'s Word or Excel, you might use Google Docs. This online suite from Google Inc. features word processor and spreadsheet programs and stores your documents in the Internet cloud.
Funny write-up. I'm not a great fan of outsourcing information as long as its value is high. But the world is going loco.
Who is this guy again who wrote the cloud computing and DNS poem? Hmpf... Schneier should write poems. His blog is so dry. ;) I should write poems, but I'm German. I'm dry by definition. Which is a prejudice: some Germans even have humor. Believe it!
IE users still suck
Why? Sometimes I think the greatest evil, next to cloud computing, is mass computing. Use what everybody uses the way everybody does, and get pwnt. Everything is insecure, the world is turning, and only the strongest survive! That's what IT security sells.
Have fun,
wishi
