Saturday, June 5, 2010

What are you running?

New Adobe Flash Player Vulnerability Released - CVE-2010-1297

http://www.adobe.com/support/security/advisories/apsa10-01.html

This is a major vulnerability affecting just about every platform available. A reminder that security doesn't always rest at the OS or browser level. As "Web 2.0" integrates further into our "secure" systems, we will see new light on the vulnerabilities that are introduced when we allow third-party code to execute on our computers.

Has anyone seen proof of concept code?

Wednesday, May 26, 2010

Best Web Application Hacking Book

The best book I've read on the subject:

http://www.amazon.com/gp/product/0470170778?ie=UTF8&tag=portswinet-20&link_code=as3&camp=211189&creative=373489&creativeASIN=0470170778

From the authors of Burp. Great stuff. Good overview and sanitized real-world examples.

Sunday, May 23, 2010

Automated Scanners?

Yes. Without a doubt, automated scanners are necessary. They save so much time. Tools like Acunetix, DirBuster, Paros, Burp, AppScan, Nessus, FoundScan, and Qualys are absolutely necessary for any good security test.

There are too many security holes readily identified by these applications. While these tools cannot perform complex attacks that are not already known, they can cross off a lot of known problems right off the bat.

Don't get me wrong. These tools can never replace a qualified analyst, but they are a great start to check the common flaws in a system. If available, I always run an automated scanner after mapping functionality.

"web 2.0" and "cloud computing"

Okay, if you haven't heard of "web 2.0" or "cloud computing" then you are much luckier than me. These ideas have been around for years and have become a management BINGO game in the last couple of years.

Let me try to define these in the simplest terms possible as I understand them:

Web 2.0 - New technologies and infrastructure supporting a richer Internet than the original conception of accessing files. You could say that blogging, ActiveX, intelligent web applications, and RSS feeds are part of Web 2.0. Just as with cloud computing, the term is debated by most standards bodies.

Cloud Computing - Sharing servers and processing. To me this really isn't a new concept. You're paying for bandwidth, processing, and application hosting. This could be confused with the notion that computers operate in a "cloud" and do not care about how the information travels.

Tip #1 - If you build it, they will come through the Internets

Let me paint a picture of some of the recent problems I've come across:

1. http://boydswebsite.com/admin
2. http://boydswebsite.com/test?_f=/tmp/view.bmp
3. http://boydswebsite.com/test?filename=/web/view2/note.txt
4. http://boydswebsite.com/test?url=http://boydspartnerwebsite.com
5. http://boydswebsite.com/public/sensitivefile.doc

---

The web addresses listed all had (at least) one problem. Programmers or administrators created these potential backdoors with one thought in mind: I have to get this thing to work. I'll walk through each of these examples and why they are bad.

1. This website gives a GUI administrative interface into the application with no credentials needed. Reasoning: No one knows that this page exists. Why it's bad: People can easily guess this page might exist.

2,3. These look like files to me. What happens if I throw in a ../../../../../../../etc/shadow or ../../../{cont}/boot.ini? Maybe this comes back with the file instead of an error message. Reasoning: This is a function the website needs for interaction. Why it's bad: People who see this function will guess that arbitrary files could be gathered without any authentication.

4. This one is basically important for spammers or hackers. The url parameter might send a client to a hacker website. Google OWASP for more details on this one.

5. Not much to describe here. Web servers often allow directory listing... taking away the hard work for hackers. Directory listings sharing sensitive files occur very often; just ask JohnnyIhackstuff. Reasoning: I need to share this file with a co-worker and it's too big to email. Why it's bad: Most likely these files will remain for months or years somewhere on the Internet.

Moral of the story: People exist who want to take advantage of low hanging fruit. Check the simple stuff first.
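Examples 2, 3 and 4 above are the ones a programmer can close in code: a file parameter has to be confined to one directory no matter how many ../ the client sends, and a url parameter has to be confined to destinations the site actually intends. The Python below is an added example and not code from this post; the root directory, the allowed host list and the two function names are assumptions, and the path handling assumes a POSIX server.

```python
import os
from urllib.parse import urlparse

# Assumed deployment values (constructed for this example, not taken from the post).
FILE_ROOT = "/web/view2"                      # the only directory a file parameter may reach
REDIRECT_HOSTS = {"boydspartnerwebsite.com"}  # the only hosts a url parameter may name


def safe_file_path(requested):
    """Map a user-supplied filename onto FILE_ROOT.

    Returns the absolute path to serve, or None when the request is absolute,
    contains characters that would confuse the check, or normalises to a
    location outside FILE_ROOT (the ../../../etc/shadow case).
    """
    if not requested or "\x00" in requested or "\\" in requested:
        return None
    if os.path.isabs(requested):          # /tmp/view.bmp style requests are refused outright
        return None
    # Join first, then collapse every "." and ".." lexically.
    candidate = os.path.normpath(os.path.join(FILE_ROOT, requested))
    # The collapsed path must still share FILE_ROOT as its prefix directory.
    if os.path.commonpath([FILE_ROOT, candidate]) != FILE_ROOT:
        return None
    return candidate
    # Note: this check is lexical. The code that opens the file must also refuse to
    # follow a symlink that points back out of FILE_ROOT.


def safe_redirect(url):
    """Return url only if it is an http(s) URL whose host is on the allow list."""
    if not url:
        return None
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):  # rejects scheme-relative and non-web URLs
        return None
    host = (parts.hostname or "").lower()
    if host not in REDIRECT_HOSTS:              # exact match, so host.evil.example is refused
        return None
    return url


if __name__ == "__main__":
    # Constructed requests modelled on the URLs listed in the post.
    for name in ("note.txt", "../../../../../../../etc/shadow", "/tmp/view.bmp"):
        print(repr(name), "->", safe_file_path(name))
    for target in ("http://boydspartnerwebsite.com",
                   "http://boydspartnerwebsite.com.evil.example/",
                   "//evil.example/"):
        print(repr(target), "->", safe_redirect(target))
```

The two checks share one idea: decide what the parameter is allowed to mean before the request touches the filesystem or the Location header, and treat anything else as an error rather than trying to strip bad characters out of it.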

Intro

Hello everyone,

As a PAID hacker for the last seven years, I've picked up some tips and tricks about the ways companies, governments, and individuals get hacked. I'll define hacking as gaining unauthorized access or privileges on some type of data system. I should disclose that I am obligated to a few certifications and ethical requirements, but I feel safe in maintaining full disclosure for attack techniques and procedures. The innocent will remain nameless. This blog is not intended for script kiddies to pick up a few new attacks. This blog is geared towards a security consultant, programmer, or mid-level management in Information Technology (IT).

I'd like to work with YOU, the Internet, to pick up some new tips and tricks and hopefully help beginners pick up the trade and contribute to the relatively new position of security through attacks.

Please write with questions, concerns, comments, corrections to inaccuracies, or ideas.

Thanks, and I look forward to working with you in the future.

Boyd