CISO

Enterprise Information Security

10 Vulnerable web applications for security testing

by 3 Comments

In this post I am listing a set of vulnerable web applications publicly made available for the purpose of security testing and training.

  1. Google Gruyere for Web Application Exploits and Defences: A Python application with lots of bugs deliberately setup for web application security training. This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.). Specifically, you’ll learn the following:

    2. How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
    How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

  2. SPI Dynamics (live): This is primarily setup for showcasing the capabilities of WebInspect web application security scanner. The application simulates a vulnerable online banking Web Application. The platform is ASP
  3. Testfire (live): Testfire is an ASP.Net based online banking application for web application security testing. It is setup primarily to demonstrate the capabilities of WatchFire, now IBM, web application security products.
  4. Acunetix: Acunetix provides a set of web application security products and they have setup three test sites for performing web application security testing. Acunetix PHP, Acunetix ASP & Acunetix ASPX are the three sites which is used for demonstrating the web application security tools capabilities of Acunetix products.
  5. Crack me Bank / Cenzic: Another vulnerable online Banking application for web application security testing. It is a PHP based live script running on a webserver.
  6. Foundstone SASS tools: Foundstone, a McAfee company, has a range of tools for web application security. For web application security testing, Hacme Bank, Hacme Casino, Hacme Shopping etc are some of the interesting tools which can be downloaded and installed on your local machine. These tools provide good insights about secure software development as well as secure coding
  7. OWASP WebGoat: OWASP is a leader in providing public information about the web application security process. OWASP has a number of streams and products to enhance the Web Application Security posture of any organization. The resources at OWASP provides a great amount of knowledge for any web application security enthusiast.
  8. OWASP SiteGenerator:  OWASP SiteGenerator allows the creating of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) covering .Net languages and web development architectures (for example, navigation: Html, Javascript, Flash, Java, etc…).
  9. Stanford SecuriBench: It is an old application based on J2EE, however, still kept active for anyone who are interested to test this out. It should be considered that many of the attack vectors would have been already changed and/fixed. SecuriBench Micro is a series of small test cases designed to exercise different parts of a static security analyser. Each test case in Securibench Micro comes with an answer, which simplifies the comparison process.
  10. BadStore: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Badstore demonstration software is designed to show you common hacking techniques

    These are demo tools and should not be made part of the production systems. Use all these tools at your own risk Smile  Hope this list of web applications will help you or your team build web application security capabilities.

A study about the SQL injection attacks

by Leave a Comment

Imperva has released a report on the anatomy of the SQL injection attacks. Well, its not much about the anatomy, but more about how, from where and  when are the thing covered in this report.  The report is prepared after monitoring a set of 30 web applications over the last nine months. Key excerpt from the report is below.

    • SQL Injection continues to be a very relevant attack. Since July, the observed Web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attacks and at their peak, were attacked 800-1300 times per hour.
    • Attackers increasingly bypass simple defenses. Hackers are using new SQLi attack variants which allow the evasion of simple signature-based defense mechanisms.
    • Hackers use readily-available automated hacking tools. While the attack techniques are constantly evolving, carrying out the attack does not necessarily require any particular hacking knowledge. Common attack tools include Sqlmap and Havij.
    • Attackers use compromised machines to disguise their identity as well as increase their attack power via automation. To automate the process of attack, attackers use a distributed network of compromised hosts. These .zombies. are used in an interchangeable manner in order to defeat black-listing defence mechanisms.
    • About 41% of all SQLi attacks originated from just 10 hosts. Again, we see a pattern where a small number of sources are responsible for a majority of attacks.

To better deal with the problem, enterprises should:

    • Detect SQL injection attack. Using a combination of application layer knowledge (application profile) and a preconfigured database of attack vector formats. Detecting SQLi must normalize the inspected input to avoid evasion attempts.
    • Identify access patterns of automated tools. In practice, SQLi attacks are mostly executed using automatic tools.  Various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges.
    • Create and deploy a blacklist of hosts that initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. Since we observed that the active period of host initiating SQLi is short, it is important to constantly update the list from various sources.

In this report, we discuss some of the most popular tools as we outline the challenge of . and solutions to . SQLi attacks targeting Web applications. The full report is available here for download.

110,000 bank card numbers were stolen via a SQL injection attack

by Leave a Comment

Hackers have broken into the website of the New York tour company CitySights NY and stolen about 110,000 bank card numbers.They used the SQL Injection attack to get into the companies web server according to the breach notification letter published by the attorney general.

It appears that the company learned about this problem in late October when a programmer discovered an unauthorized script at the companies web server.

Cloud Security vsTwitter Security Incident

by Leave a Comment


The recent incident at the Twitter on the information leakage shall not be considered as a cloud security weakness. Reading through various blogs and the description from Twitter , it looks like the real cause is the weak security practices followed by a Twitter employee.

Like many other users, I use the Google Apps for various solutions and email is one among them. So, if there is a security issue at the google cloud, it will be a threat for my applications as well. This made me to look into the details of this security incident.

The outcome of my thoughts are the following:

  • You need to establish good security practices
  • You need to educate your staff on the password management practices
  • You should have a solid password policy. I will suggest 8 characters of alphanumeric and if possible special characters with a 45 days expiry

Another interesting this I saw in the twitter blog is that, the twitter CEO’s wife’s account had the family personal details and no official information. This is another key aspect to be concerned.

There should be an email/internet usage policy which should detail the restrictions of using the personal account for business use. The policy should also clearly state that the personal emails shall neither be used for communicating the business information nor for storing them.

Remember the Sarah Paulin’s email hacking case where the hacker claims to have obtained the government information by hacking into her personal email account

The twitter incident is a personal security incident and not a cloud security concern at this point.

I can have good sleep without any nightmares about cloud security at least for a while

Universal Browser PDF XSS vulnerability

by Leave a Comment

Everyday application security is facing new threats and it challenges the business users. The latest is in the form of XSS attacks; where an application serving PDF files are vulnerable to these attacks.

Attackers simply have to add an anchor containing a script, e.g. add #blah=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or streams a PDF). The browser hands off the anchor to the Adobe reader plug-in, and the script then runs in the victim.s browser.

The Universal PDF XSS issue was discovered by Stefano Di Paola and Giorgio Fedon and it was presented on 23C3 security conference. This vulnerability obviously affects the Adobe Acrobat Reader which is a widely used software among business, non-business organizations and individuals. By abusing Acrobat.s open parameter features well protected sites become vulnerable to Cross-site scripting attacks if they host PDF documents. This is pretty bad and unless you update your reader or change the way your browser handles PDF documents, you may get hacked quite badly. This issue is very serious.

This vulnerability can be exploited by using the URL in the following fashion

http://path/file.pdf#blah=javascript: yourcode

It is very clear that any malicious user can write the required code for malicious activity. Can hijack sessionID and thereby the user identity or execute code from another location and thus redirect a user to a phishing site and a lot more.

Some examples

Try it on your windows OS

file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf# blah=javascript:try%20{var%20req%20=%20new%20XMLHttpRequest();req.open(%22GET%22,%20%22file:///C:/WINDOWS/system32/drivers/etc/hosts%22,%20null);req.send(null);%20alert(req.responseText)%20}%20catch%20(e)%20{console.dir(e)};

Does this ring any bell?? Doesn.t it crazy? Minor modifications in the JavaScript will reveal the directory browsing, or copying of files from your system.

Another one for directory listing

file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf# blah=javascript:try%20{var%20req%20=%20new%20XMLHttpRequest();req.open(%22GET%22,%20%22file:///C:/%22,%20null);req.send(null);%20alert(req.responseText)%20}%20catch%20(e)%20{console.dir(e)};

OK, now lets go more details from the fun part of the vulnerability.

PDF being widely used, it is important to understand that most of the applications in the internet have this vulnerability. This makes the situation a lot worse because If you happen to be on a malicious site or you click a malicious link, attackers can simultaneously compromise several of your WEB accounts that are currently open/authenticated.

Note the point that, this attack will be effective only if you/victim click on the url.

Now lets see what hackers/crackers/(you name it) do to make use of this vulnerability?

Being an intelligent user, chances are less you click on a suspicious link. However attackers can make use of sneak techniques to force you somehow, by changing the file extension of the PDF document to .mp3 or .mov or even .html. It looks less suspicious, but still when pulled from the server the content will be served as application/pdf:

For example:

A slight modification in the htaccess file of http://currentdomain/

#.htaccess

RewriteEngine On

RewriteRule *.(jpg|png|css|mp3|mov|avi)$ http://otherdomain/abc.pdf

When a user clicks on the following url

http://currentdomain/whatever.mp3#something= javascript:malicious_code

the code will be executed on http://otherdomain and not in the currentdomain. The user has fallen into the trap.

Now you have tiny URL.

One can embed the malicious URL in a tiny URL and send the tiny URL to the victims. This will make the user less suspicious about the URL and has more possibility of clicking on the link.

Using tinyurl you can have

http://currentdomain/whatever.mp3#something= javascript:malicious_code

become

http://tinyurl.com/..Another option is to have the exploit link opening automatically without user action. This can be performed by embedding the link in a site, normally malicious site. When a user visits such sites, the exploit page will automatically opened by using iframes.

his vulnerability will be a solid tool for phishing attackers and they can use this cleaverly to gather personal information and identity thefts.

What are the fixes?

Do not click any url which is not familiar and/or which is not from a trusted source. Always type the URL and then guide through the site links.
Upgrade your Adobe Acrobat reader to version 8
Upgrade the browsers using vendor released patches