Tactical Web Application Security: comments feed
Blog author: Ryan Barnett (http://www.blogger.com/profile/12300602630139148313)
Feed last updated: 2023-09-05T08:22:02.987-04:00
Comments are listed newest first.

[2012-12-08T15:51:30.895-05:00] Anonymous
Ryan, this looks great and it's now on my Amazon wishlist. If I don't get it over the holidays, I'll get a copy myself.

There's lots of good stuff out there about breaking apps, but defending them doesn't get enough attention.

[2011-09-14T16:18:04.030-04:00] Anonymous
This is a very interesting perspective, and unfortunately one that is not yet globally adopted. If it were, we'd suggest we'd see a lot fewer vulnerable websites out there.

Unfortunately, most applications (specifically open-source web applications) focus primarily on functionality, over and above security. Whilst basic security does tend to be adhered to in most common open-source applications nowadays (for example the use of prepared SQL statements), anything over and above a baseline of security is treated as a luxury, not a necessity. For example, rules specified in .htaccess files can act as a great line of defence against common attacks such as SQLi and XSS, so why do open-source web applications not come with these rules in their .htaccess files by default?

The concept of analysing what a transaction is doing, correlated against a user's actions to determine malicious behaviour (i.e. automating the JDLR recognition employed by casino staff), is something I think we're going to see much more of over the coming years.

James @ Securatek (http://www.securatek.net)

[2011-07-02T19:36:52.910-04:00] Jon (https://www.blogger.com/profile/02784963551957985008)
I just had a scan and noticed that my WAF was blocking the user agent of the spider. What is the stance on this? I am thinking I should disable that in the WAF before the next scan, I guess.

[2010-11-17T14:26:34.628-05:00] Raviv Raz (https://www.blogger.com/profile/07451656149326144303)
How do you detect this new attack?

http://chaptersinwebsecurity.blogspot.com/2010/11/universal-http-dos-are-you-dead-yet.html

[2010-08-06T14:47:18.007-04:00] Arshan Dabirsiaghi (https://www.blogger.com/profile/17228728745073712711)
I'm a retard. You're absolutely right. I was pointed to this post to look for that problem and I didn't really read the rest of it carefully.

On the other hand, my temporary loss of 120 IQ may have landed on the good idea you mentioned: fuzzing the dangerous PHP functions for bizarro URL features.

[2010-08-03T19:51:28.768-04:00] Ryan Barnett (https://www.blogger.com/profile/12300602630139148313)
Hey Martin, it has been a long time :)

With regards to your comment on top targets, you can check out the WHID Top Attacked Vertical Market view here: https://wasc-whid.dabbledb.com/publish/wasc-whid/293f30b1-acbf-4426-bf36-11241d4db62b/verticalmarketview-2010.html As far as top attacked software packages, we do list what the software was that was exploited.

I would agree with your statement that public software (commercial/open source) is attacked and compromised more from a statistical perspective; however, I would not say that custom-built apps are *rarely* attacked. They are attacked all the time; however, those attacks are manual in nature. You mentioned the rationale for your statement, which is that the bad guys are able to leverage economies of scale to mass-exploit known public software. Just reference the Mass SQL Injection Bot attacks of the past two years.

Your point is true in that in order to successfully compromise a custom-built app, the attacker is going to need to poke and prod around and find a vuln. This, in my opinion, does offer a window of time where defenders may be able to identify the recon and take some evasive actions. This of course is predicated on the concept that organizations have properly instrumented their web apps with proper detection points and logging details.

When you have these attack payloads that target packaged apps, however, then you're dealing more with a sniper type of attack where they are launching only 1 request. This means that your window of time for monitoring and response is eliminated and you had better have protected against the vuln.

[2010-07-26T09:56:02.796-04:00] Unknown (https://www.blogger.com/profile/00341906962563817531)
Ryan, I've been reading some of your posts on web hacking incidents, and am interested in your perspective on the most common targets and victims of such attacks. In my experience, packaged applications, whether commercial or open source, are the victims of most web hacking incidents. (Leaving aside commercial web services such as Twitter, GMail, etc., which I would categorize as packaged applications.)

Therefore, I believe that enterprise custom-built applications are rarely the victims of such attacks, as the attack must be custom built to work against the app. For packaged applications, we are seeing an increasing number of automated tools developed which can efficiently exploit packaged applications and find victims using search engines.

Given your experience with web application incidents and statistics, what is your perspective?

-Martin Nystrom

[2010-06-22T13:25:30.002-04:00] Anonymous (https://www.blogger.com/profile/17077150654588369229)
Hey Ryan, I like the idea of performing some form of analysis on the stored password hashes to determine if there are many accounts sharing the same passwords; however, couldn't denying the creation of the account reveal something pretty important to an attacker? Lots of other accounts use the same password. :-) I guess it all depends on how you present the error though. Interesting idea.

[2010-06-22T10:44:34.610-04:00] Unknown (https://www.blogger.com/profile/11674366704883886264)
What would you specify as a threshold for different user accounts with the same password? I know that Twitter blacklists some passwords, but do they have any complexity requirements? I think that this would cause an awful lot of false positives, especially since most of the users that are signing up for these websites are using the weakest password they can get away with based on the site's password complexity requirements, if any.

[2010-06-21T19:41:30.726-04:00] Anonymous (https://www.blogger.com/profile/14082895669552397138)
Comparing salted values after the fact is impossible if you salt your hashes per record. I certainly think it's a good idea; just slightly difficult to implement.

[2010-05-27T15:53:59.436-04:00] dre (https://www.blogger.com/profile/17414510788948258195)
"How can you ensure that your DAST tool has been able to enumerate and test out a high percentage of your site's content?"

You use tools such as FilesToUrls.exe from HP or PTA from Fortify.

Really, you just take the FilesToUrls.exe tool and perform a list-driven assessment. Then you need to follow it up with a workflow-driven assessment or similar, especially if the app has dynamic behavior (e.g. ajax, js libs, swfs, et al).

"QA teams are typically in a great position in the SDLC phase to potentially catch a large number of defects, however they are typically not security folks and their test cases are focused almost exclusively on functional defects"

You use tools such as PTA from Fortify, Watcher WebSecurityTool from Casaba, or Ratproxy to monitor their functional tests. You share test cases, test harnesses, and other information.

[2010-05-17T05:16:10.414-04:00] Wladimir Palant (https://www.blogger.com/profile/10131620321763497910)
You are right, I still see RFI attempts in my server logs. However, the volume is nowhere close to what I've seen in 2007. So I guess that the number of vulnerable web servers has gone down very significantly, and hence the decreased popularity of this attack.

Wladimir Palant

[2010-04-21T13:47:08.626-04:00] Bipin (https://www.blogger.com/profile/05323382733211284742)
This raises the big question about privacy of the customer, in my point of view.
I think the better solution that the German government should follow is to contact the bank directly. Though there may be other concerns with this solution.

[2010-04-12T12:54:06.500-04:00] Anonymous
Hrm, thanks, but there's already a complete article in Wikipedia about this incident:
http://en.wikipedia.org/wiki/2008_Liechtenstein_tax_affair

The "hacker" is named Heinrich Kieber and the "hacking method" is "being an LGT employee".

For a similar, more recent story between France and Switzerland,
see http://www.cbsnews.com/stories/2010/03/11/business/main6288337.shtml

Same hacking method.

[2010-03-28T13:58:27.525-04:00] Benjamin Wright (https://www.blogger.com/profile/11543639411820745571)
Ryan: Plainscapital Bank v. Hillary Machinery is one of the most unusual lawsuits in the history of IT. The bank sued the (apparent) victim. But the victim struck back with powerful Internet PR. The case demonstrates the role of public communications in cyber-heist incidents (http://legal-beagle.typepad.com/wrights_legal_beagle/2010/02/public-relations.html).

[2010-03-24T12:42:41.758-04:00] Jon Daley (https://www.blogger.com/profile/03970580820135377670)
Nice. You'd hope that their license plate scanners at least limit the text to 10 characters or something, but it'd be really funny to hear the developer trying to explain how the data was lost...

[2010-03-08T00:24:30.413-05:00] Unknown (https://www.blogger.com/profile/07270679426613543716)
The challenge in this regard may also be a lightweight project budget. I see "for 100 pounds" on recent commercial websites. Mmmmm.
Thesis AND Dissertation AND Essay AND Assignment (http://www.perfectwriting.co.uk/)

[2009-12-22T11:26:17.102-05:00] Angelina Bennett (https://www.blogger.com/profile/02084852943917270889)
How to read this? Any other explanation?
Sugeng Kurniawan (http://www.sugenk.com)

[2009-11-17T12:31:46.340-05:00] Unknown (https://www.blogger.com/profile/12625459138653598620)
Great information! Thanks.
Website design companies (http://www.eluneart.com)

[2009-11-09T04:14:30.191-05:00] Natalie (https://www.blogger.com/profile/17375705739147454067)
Thanks for the info you posted here about the lightweight development of applications for the web using WYSIWYG. Yes, it works well for a web 2.0 development company (http://www.promatics.in/).

[2009-10-22T02:36:38.701-04:00] Itsolusenz (https://www.blogger.com/profile/12017514819578661132)
Hi! This template is simply super... http://www.itemplatez.com

[2009-09-24T04:08:58.874-04:00] David (https://www.blogger.com/profile/03857494673831574194)
I just became a Twitter user 1 month ago. I am unfamiliar with so many Twitter applications. Can anyone tell me about retweet?
Visit (http://www.asiarooms.com)

[2009-09-14T17:49:05.775-04:00] Unknown (https://www.blogger.com/profile/06557528160886056624)
Nice 2 cents for tracking attackers down.

[2009-09-14T16:45:21.659-04:00] Mark (https://www.blogger.com/profile/13843509641085137668)
Excellent work. This validates my findings in the corporate world around web services and the (lack of) security around them. Thanks for the information. It's a very important specific example and another good point for application developers and infrastructure security configuration people to take heed of.

ACLs are your friend.

[2009-08-18T16:29:20.842-04:00] Unknown (https://www.blogger.com/profile/05846363581898509584)
It's a definite vector for XSS, and has been for quite some time. And not just for XSS, but SQL injection as well.

A quick search on OSVDB for "user-agent" shows 54 results. http://osvdb.org/search?search[vuln_title]=user-agent&search[text_type]=alltext

Not all related to XSS/SQLi, but quite a few are.