To many security firms, a web application vulnerability assessment is a list of confirmed exploitable findings in a web application. They index the site, run scans, manually test, so research, and write them all down. The report will get you through a PCI audit.
That's not enough. You must tell the developer how to fix the problem, and "apply patches" isn't enough. If you find cross-site request forgery, and can't explain the developer how to fix the problem on their platform, you aren't doing enough. "Add a token" isn't enough. "Apply fix as appropriate for your language" isn't enough. If you don't know, that's fine, but learn.
We are, as an industry, doing a tremendous disservice to companies by selling them 68 pages of non actionable fluff for $10,000. If you, as a tester, aren't sure how to fix it, look it up, ask someone, or work directly with the developer to find a solution.
Good intro to fingerprinting web servers. This has been codified in the past but the tools are all old. Need to resurrect an open source project.
https://isc.sans.edu/forums/diary/Another+approach+to+webapplication+fingerprinting/23605/
I mentioned CVE-2018-2628 and my Nikto test for it in an earlier newsletter. Well, apparently the patch doesn't work.
https://securityaffairs.co/wordpress/71951/hacking/oracle-botches-cve-2018-2628-patch.html
Nice video of finding and exploiting another hole in the PDF format. Apparently they are so common now we just livestream them.
https://www.youtube.com/watch?v=8VLNPIIgKbQ
I am fond of saying that the government can outlaw as much encryption as they want, if the bad guys have two coins and a pencil, they can make as much unbreakable encryption as they want with a one-time pad. (Not my line and I don't remember the source sorry) Here is another nice new pencil and paper cipher.
https://www.schneier.com/blog/archives/2018/05/lc4_another_pen.html
Finally. PHP has a security flaw. WHAT YEAR IS IT??
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-046/
And that's the news.
I posted a silly tweet after finding a vulnerability in an Android app the other day. It grew legs and is making its way around.
I've gotten a few funny replies, but not as good as the QA tweet - mostly "Well duh" or "It isn't" or "People think that?" So I wanted to write a short explainer.
Base64 looks like encryption. The nice readable test gets all scrambled up. For instance the text of the tweet turns into this:
QmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLg==
See, not even spaces! Wild stuff! But it is not encrypted. Base64 encoding is a way to turn binary or ANSI files into something that can be transferred over a readable ASCII only medium like the web. For instance, your binary serialization is like that. If you serialize an object and save it, you'll have unreadable characters in there. If you base64 encode it, you can save it in a cookie of a web page. It's super handy, but it is not protected. The page I used to encode the example above is here:
https://www.base64encode.org/
So to give a concrete example, if you use Apache MyFaces or ASP.NET Web Forms (pre 4.6.2) then your viewstate is just Base64 encoded. Don't believe me? View source, find the viewstate, and paste it into the site above. It will probably decode for you. An attacker can change that data and resubmit, so take care!
To learn even more, check out the OWASP Cryptography cheat sheet.
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
My favorite thing this week, how HTTPS works, via a cartoon of cats.
https://howhttps.works/
Ray Ozzie (yeah, that Ray Ozzie) says he has a solution for backdoorable encryption.
https://www.theregister.co.uk/2018/04/27/ray_ozzie_encryption_backdoor/
Tutorial by Check Point on stealing NTLM hashes with weaponized PDF files. Check your file upload features, folks!
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
And that's the news!
More news than usual today.
There is a new WebLogic RCE. I'll be adding it to Nikto this week.
https://github.com/brianwrf/CVE-2018-2628
Android is adding DNS over TLS. As a user I am happy about this. As a tester, @#$%&#$%@^.
https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
There are 100 devs for every appsec specialist. We have out work cut out for us.
https://www.infosecurity-magazine.com/news/developers-outnumber-security-pros/
The thermometer in a fishtank was the pivot point for hackers to pwn a casino. Noice.
http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T
Holy crap I forgot about this one. The RSA custom Android application had the API keys stored in the source code, so someone downloaded the attendee list.
https://twitter.com/svblxyz/status/987044025122336774
Verizon last week, Microsoft this week. Annual security report.
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/15/microsoft-security-intelligence-report-volume-23-is-now-available/
Finally, a teen found some documents on a web server, downloaded them, and now is going to jail. Stay safe out there kids!
http://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970
And that's the news.
The Verizon Data Breach Investigations Report is out. It's a good read.
https://www.verizonenterprise.com/verizon-insights-lab/dbir/
DARPA (the government organization that created the Internet) is funding research into Human Assisted AI.
https://www.schneier.com/blog/archives/2018/04/darpa_funding_i.html
WebAuthN went to Candidate stage, perhaps leading to the end of passwords on the Internet. But ... universal federal IDs? Not sure.
https://arstechnica.com/gadgets/2018/04/practical-passwordless-authentication-comes-a-step-closer-with-webauthn/
Motherboard has a REALLY good series on phone cracking. If you are into mobile, it's worth a look.
https://motherboard.vice.com/en_us/topic/phone-crackers
And that's the news
There are some neat developer and security events this spring that I'll be speaking at or otherwise participating in, and I'd love to see all of you there!
On the morning of the 18th, I'll be talking about updated OWASP Projects at the Columbus ISSA meeting. I know daytime meetings are weird, but come by if you can. There is a small charge for non-members. https://www.centralohioissa.org/
April 26th, there is an OWASP meetup where we will be following up on Jason Kent's Docker seminar and building some cool python code. This event is at the Idea Foundry, and is a lab environment - bring your machine. I'll get everyone started, but this is mostly team coding. https://www.meetup.com/Columbus-OWASP/
In May, on the 4th, I'll be speaking about the changes to the OWASP Top 10 at Stir Trek, one of the most awesome developer events in the midwest. The content is awesome, the venue is a movie theater, and you get to watch the new Avengers movie the night before the rest of the world! NO SPOILERS. https://stirtrek.com/
May 14th, I have the honor of speaking at one of the most awesome security events in the midwest (I told you this was quite a spring!) It's the Central Ohio InfoSec Summit, and the content is also awesome, although there isn't a movie at the end. If you can go, do so. It's really a great conference. https://www.infosecsummit.com/
Gonna be a bust few months, but some really great events. Make sure you catch what you can - attending these events is one of the best ways to stretch your mind and see what skills you should be working on right now.
(Yes, last week was indeed an April Fools' joke)
(This week isn't.)
Domain names are a blessing and a curse. It's a lot easier to remember "sempf.net" than "168.62.224.13". The domain registration system is also on the front lines of fighting spam and malware - and it is under attack by the Powers That Be. Overreaching privacy law is about to make blue teaming a lot harder.
https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/
Twitter thread regarding Tmobile Austria storing passwords in plain text. Warning: rough language
https://twitter.com/c_pellegrino/status/981409466242486272
https://motherboard.vice.com/en_us/article/7xdeby/t-mobile-stores-part-of-customers-passwords-in-plaintext-says-it-has-amazingly-good-security?utm_campaign=sharebutton
So, if they store the WHOLE password salted and hashed, but keep the first 4 characters in plain text just to help customer service, it is still a vulnerability?
Three Vulnerabilities Discovered in Spring Development Framework. Patchy patchy.
https://t.co/ytHgTw59LU
Critical — RCE Attack (CVE-2018-1270)
High — Directory Traversal Attack (CVE-2018-1271)
Low — Multipart Content Pollution (CVE-2018-1272) https://t.co/3UQj3iD3qO
Normally I link to primary sources, but El Reg did such a good job writing up the trustwave report I want to link to them. Good, tongue-in-cheek breakdown of the TRustwave report, which is pretty ugly (Spoiler: criminals are getting better, and we are not catching up). Link to the report at the end of the article - there will be a quiz.
https://www.theregister.co.uk/AMP/2018/04/05/trustwave_security_sitrep/
And that's the news
I am testing an application that only works on Internet Explorer in compatibility mode. Before you laugh, it's is EXACTLY these legacy applications that get us into trouble, and they should be tested regularly, and they can be secured using compensating controls. However, I am on the client's computer, which has enterprise controls on the proxy, which means I can't easily configure IE to use Burp because it uses the system proxy.
Fiddler, however, traps WinINET so it will see the traffic from IE, even with the proxy set to the corporate settings. Fiddler is only an average-at-best security testing tool though, so I would like to use Burp too. The solution is to chain the proxies, and all of the instructions I am reading online are out of date. Because of this I thought I would add to the corpus because it is quite simple these days.
First it is important to know that Burp Suite listens on localhost, port 8080. This is what you need to set your browser to in order to have the requests and responses filtered through Burp. We can leave these settings as default.
Fiddler's proxy is localhost, 8888, but that doesn't matter on Windows. Since it listens on the network channel, we don't have to do anything - Fiddler "Just Works (tm)." You can leave these settings default as well.
The "Gateway" tab in the Options dialog has settings to proxy Fiddler outbound. It will probably be set to System settings, as it should, but we are going to change that for this exercise. Just like you would normally do in Chrome, set the proxy to manual, and set the values to localhost, 8080. (Remember 127.0.0.1 is localhost)
That's it! Now every request and response will go through Fiddler and Burp. Note that some of your enterprise applications might notice the proxy change and stop working, but at least you can get through your test. Happy hacking!
Chinese cell phone manufacturer OnePlus (incidentally my daily carry) plans on including cryptocurrency mining baked into their next release of Oxygen in the OnePlus 6, sparking security concerns.
The IETF floated a new analog protocol for internet traffic in an attempt to get some more security in the system.
https://tools.ietf.org/html/rfc1149
I don't often talk biotech here, but Razer (the gaming hardware maker) is creating a nanobot infused energy drink for gamers. I am sure that will go well.
https://www.razer.com/campaigns/project-venom-v2
Finally some good news - plans to add a security parameter in response headers. Should be a good move toward better browser level decision making.
https://tools.ietf.org/html/rfc3514
And that's been your week in application security.