After almost a year I’ve finally managed to take the GWAPT (Web Application Penetration Tester) exam, just in time to head to SANS London and the Security Essentials class. I have mixed feelings on the exam. Even though I passed with a good mark (96.67%), the 5 that I got wrong were (in my opinion) a little questionable. Still, I’m sure I’ll hit the holy grail (100%) sooner or later It will just take time, and patience.

For a little history on this, I first attended the 4-day version of the SEC-542 back in December last year. The course was good, and I wrote about the contents on the blog (day-1, day-2 ,day-3. day-4). The 6-day version of the class has incorporated a number of welcome additions and helps the course really grow. I always felt that the 4-day version lacked a certain something, and the new version really fills the gaps with new sections on Flash, WebServices (WSDL, UDDI, SOAP…) and nice coverage of Python, JavaScript and PHP for Penetration Testers. The last day is also now a Capture the Flag event which will really help to solidify the knowledge and let people get a hands-on approach to testing.

I can’t finish this post without saying a little something about the OnDemand program. The new OnDemand system is certainly a step in the right direction. As SEC-542 is one of the first on the BETA OnDemand it lacks the additional links that will come with maturity. I think that the OnDemand option of training has become more of an option than previously. The support you get is also great, especially as Kevin is very approachable. If all else fails you can shoot me an email and I’ll see if I can help. Hopefully this will be the class I’ll be Mentoring in Vienna next year (given the chance).

Overall I’d give the class 95/100 –> There’s room for some additional coverage of things like JBoss, Coldfusion and Tomcat. Still you can’t fit everything into 6 days I can’t wait for SEC-642, for some advanced WebApp fu.

GWAPT Certified Professionals –> LISTING

GWAPT Exam Coverage –> Coverage

I know, I know, what a strange title for a blog post. Then again, I’ve never really been known for  being the most normal of people bloggers. Then again projects really are like buses. There’s none for ages then 2 come along at once Things have been a little quiet on the blog for several reasons. The first was my nagging neck problem, which I’m hoping is back under control. The second is the start of a few projects that have been in the works for a while now.

• €urotrash security podcast
• PenTester Scripting

The €urotrash security Podcast has been in the planning phase for a while now, with the initial meeting to discuss particulars at the recent BruCON conference in Brussels. Episode 1 has just been released, so head over to http://www.eurotrashsecurity.eu and grab a copy. Let us know what you think. As with any new Podcast we’re looking for feedback on how to make things better and cover what you want us to cover. You can load up your favourite RSS reader HERE for updates on the next Podcast release..

The second project I’m involved with came out of a simple remark on Twitter. I’m not much of a scripter, but it’s something I’m looking at improving. When I commented that a SANS course cover scripting for Penetration Testers would be a good thing, Kevin Johnson agreed and the project was born. PenTesterScripting is still in it’s early phases, but we hope it will turn into a place for Penetration Testers to come and find useful scripts to help automate some of the more tedious and long-winded parts of penetration testing. Head over to the site and vote on our logo competition, and feel free to email us scripts you want us to host on the site.

For updates to both projects, follow me on twitter as @ChrisJohnRiley, or follow the projects directly, @PenTesterScript and @EurotrashSec

Some people may have noticed the addition of an “advisories” section to the blog over the last few days. Despite the fact I’m drugged up on painkillers and muscle relaxants, I managed to post up some information about the newest TYPO3 Security Advisories released in the past week.

Although the latest additions are basic XSS type vulnerabilities, I thought it was worth adding some information to the text from the TYPO3 security team. Once I’m a little less dosed up, I’ll try and add some example XSS strings (purely for educational purposes). I’m a believer in responsible disclosure, but a part of that is obviously disclosing the vulnerability and how it can be tested. Without that, security practitioners end up with a list of possible exploits and no way to demonstrate this to their clients. I personally hate nothing more than having to write “vulnerable to unpublished exploit” in a report, and often see those kind of vulns ignored or pushed to the back of the pile.

• New Advisories section
• Original advisory (TYPO3-SA-2009-016)

This week has been an eventful one. Not only am I reduced to typing slowly and painfully with my left hand (don’t ask, it’s a long story *), but the audio for my guest appearance on the Security Justice podcast is out as well.

Security Justice International BBQ Edition – Chris John Riley (@ChrisJohnRiley) and Robin Wood (@digininja)

October 20th, 2009 Tom Posted in Podcast Special Editions | No Comments »

This special edition was recorded during our 1st annual International BBQ podcast.

Chris John Riley is a penetration tester and well known security blogger currently located in Austria.  Robin Wood is from the UK and is the creator of many well known open source security projects including Jasager, the Interceptor and KreiosC2. Find out more about Chris on his awesome blog.  You can find out more about Robin and his projects on his website.  Chris and Robin talk to us about Cider, HAR, blogging, BruCON, security/pentest certifications, metasploit modules, Jasager updates, talks at security conferences and more!

Thanks again to Chris and Robin for being on the show!

Security Justice International BBQ – Chris John Riley and Robin Wood [34:39m]: Play Now | Play in Popup | Download

Many thanks to all the guys over at Security Justice for letting me get on the show and be a general media whore

Ryan Dewhurst over at http://www.ethicalhack3r.co.uk also asked me to do a short written interview for his Blogs  “people in infosec” feature. I’m a bit long winded, but aren’t I always ! So if you want to read my comments on conferences, ethical hacking courses and general stuff, pop over to his blog and take a look. While you’re there, take make sure to take a peek at his excellent DVWA (Damn Vulnerable Web App) project.

* Well, it’s not really that long. Needless to say a neck/back injury that’s been plaguing me for a few years have flared up again. Currently I have numbness and tingling in (mostly) my right hand. So, I’m banned from prolonged use of computer currently. Yes, it’s hell….

The guys over at CIRT.NET has released an update to the Nikto web server scanner tool. According to the blog post discussing the release, this version has undergone “significant rewrites under the hood …” “… to make it more expandable and usable”. Sounds interesting.

The newest version includes a number of bug-fixes, as well as some enhanced functionality .:

• Added test for asp source code disclosure through the Translate header
• New plugin added to identify embedded devices
• Added check for multiple index files for request
• Add plugin to use dirbuster lists with mutate 6 and mutate-options
• Added subdomain buteforcer as mutate option 5, thanks to Ryan DewHurst
• Added extra tests to pull information if scanning ePO agent or HP WBEM
• Added test to recognise a Dell Remote Access Console
• Now supports NTLM authentication
• Added tests to identify Ampache
• Altered favicon database to use dynamic database
• …

For a full list of fixes, enhancements and changes see the project changelog.

By looking at the versions.txt released with this version it appears that the following plugins have been updated .:

• nikto_user_enum_apache.plugin
• nikto_core.plugin

Well I’ve finally hit the milestone I’m sure everybody on Twitter aims for at one point or another. I’ve managed to brain-wash 666 people into following my inane ramblings and random comments on Twitter. I’m sure I’d have hit this milestone a lot quicker if I didn’t have a horrible tendency to block anybody who looks remotely like a bot (there are a lot more than you’d think), and of course n3td3v, I blocked him too to stop him retweeting anything (who’d want to be associated with that kind of thing ???). Sorry if you weren’t a bot, thems the breaks

In celebration of this milestone I’ll make sure to bite the head off a bat at the next available opportunity. Next up 1337, at which point I hope to release a stunningly uninteresting XSS  zero-day exploit in an application nobody uses or cares about. Keep an eye out for that one…

3 Months stats – twittercounter.com

]]> http://c22blog.wordpress.com/2009/10/18/number-of-the-beast/feed/ 0 ChrisJohnRiley 666followers 2009-10-18-021922 http://c22blog.wordpress.com/2009/10/16/strange-twitterings-from-the-bbc/ http://c22blog.wordpress.com/2009/10/16/strange-twitterings-from-the-bbc/#comments Fri, 16 Oct 2009 12:02:40 +0000 ChrisJohnRiley http://c22blog.wordpress.com/?p=922 ]]>

Earlier today I was catching up on some tidbits of world news from various sources when I stumbled across something that caught my eye. BBC World News offer a twitter feed of their latest headlines. I sometimes browse the list to see whats going on in the world and to reaffirm my opinion that we’re all doomed. Today however a specific article in the list caught my eye.

“It’s Time To Legalize Cannabis.”

This snippet of news, and the associated link didn’t really fit with the other news. For starters the capitalisation and use of the American spelling of legalize (legalise). There was also the fact that a majority of other news snippets started off with BBC Business News, whereas this didn’t. By using Twitters search function I could also see that the exact same tweet had been sent out on a regular basis for at least 10 days (possibly longer). The last thing that made me think this wasn’t really a tweet from BBC_News_World was the from label under the tweet

Whereas all other tweets come from Twitterfeed, these are the only ones that report to come from twitRobot. Very strange.

By pulling up the link on a test system the bit.ly link took me to a Facebook cause with the same title at the tweets posted through the BBC Twitter feed “It’s Time To Legalize Cannabis”.

By pulling up the bit.ly statistics I could see that this link had been actively used since the end of September and had been clicked over 665 times. It also showed the original creator of the link as a user called therealtwitter. This appears to be the name used when Twitter automatically shortens a URL in a post for the user. So no tracking information there unfortunately.

More detailed information can be found on the bit.ly info page for this link. Including breakdown of clicks by country and clicks by referrer. By looking at the referrer stats it’s evident that this bit.ly link is also being sent out through email and IM.

Although the Facebook cause at the end of the link appears benign at first appearance, it certainly warrants further investigation into why this link is spreading through the BBC Twitter feed (possibly without their knowledge). This cause could be something as simple as a person trying to drum up members for their cause. Then again it could just as easily be a phishing site designed to steal logon credentials, or perform attacks against the users browser. Further work is needed to see exactly whats behind this.

If I receive response regarding this I’ll certainly post a followup. Until then, watch out just incase.

A few days back I was alerted to a new website that was offering a new way to hide your email address online. It sounded interesting so I headed over to the scr.im website and had a quick poke around. As you can guess, I’m a bit suspicious of these kind of services and web application security is what I do (at least recently). So there were a few things that really jumped out at me straight off in reference to the sites use of CAPTCHA.

Now I’m pretty sure a big portion of people reading this are already saying WTF just by looking at the above screenshot. This is not the way to use CAPTCHA. For a visitor to the site this is nice and quick, however for a script this is just a matter of playing the odds. The correct CAPTCHA has to be one of the 9 possible links displayed, certainly much better odds than attempting to crack the CAPTCHA itself. If a link is selected and it’s incorrect, the CAPTCHA screen can be reloaded (with new CAPTCHA options of course) and you can try again. Sure for a human it’s tedious to do this, it took me 11 tries to get through by simply always selecting the first CAPTCHA option (top left corner, Y9VJJ in the above screenshot). However for a scripted attack, this is a no brainer and shouldn’t take more than a few seconds. The slowest part would be the page reload. There doesn’t seem to be any timeout, lockout or any other such protections to prevent this kind of attack. Still the page reload is the bottleneck here.

The above solution was too messy for me, and I hate nothing more than having to click buttons constantly, it bores me. So how can we do the same thing, but work more effectively, with less overhead. By taking a look at the scrim.js JavaScript you can see how the CAPTCHA buttons translate directly to POST requests. Although the value of the CAPTCHA is obfuscated, the code is simple enough to understand if you use BURP Suite to capture and examine the requests and responses. The Burp screenshot (LEFT) shows the POST request that sends the CAPTCHA together with a token number and some other information. Initially I thought this token value was used as a replay prevention function, however by capturing all 9 possible POST requests from a simple scr.im page (using Burp naturally), I found that you could send each request in sequence to the remote server until the correct CAPTCHA is found and the desired email address is returned.

As with most web applications the POST request isn’t strictly enforced on the server side. As such you can easily change this to a single GET request (e.g. http://scr.im/test?captcha=46UU8&action=view&token=e6f0006403ab0c714034f25bc571aa93&ajax=y) which makes things a little easier when scripting a solution.

The screenshots below show the responses from the scr.im server (both negative and positive).

scrim negative response

scrim positive response

As most of the heavy work is done on the client-side using JavaScript (obfuscation of the CAPTCHA value, etc..), I don’t think it would take much for a good scripter (that rules me out most likely) to script up something that could quite simply go through and harvest addresses from the site. Normally this wouldn’t surprise me much as spammers are harvesting emails all the time from various sources. However scr.im is placing itself as a way to “… protect your email address before sharing it, so only real people will use it …” That’s a problem, as most people will blindly think that the service must be secure.

Don’t get me wrong here, the idea is sound, and I’d really like to use something like this myself under certain circumstances (not for my primary accounts, but for some things certainly). So what can be done to fix things up .:

• Add protection to prevent multiple options from being selected from the same CAPTCHA options (one-time token) *
  • Resolves: The possibility to select ALL 9 CAPTCHA options and scraping the responses
  • Issue: Doesn’t stop an attacker reloading and trying again
• Add protection to stop more than X number of requests per URL, per second/minute *
  • Resolves: Brute-Force style attacks, automated attacks (to some extent)
  • Issue: Could cause DoS against peoples links
• If the wrong CAPTCHA is selected X times, revert to traditional CAPTCHA entry *
  • Resolves: Brute-Force style attacks, automated attacks
  • Issues: Same issues as traditional CAPTCHA, breakable

* Won’t prevent all possible attacks if implemented alone

By mixing and matching the above solutions the attack vectors could easily be reduced, but never truly removed completely. However with the use of the 3×3 grid CAPTCHA there is always that 1 in 9 chance of the attacker choosing the correct CAPTCHA on the first try. Given these odds a single attacker could (in theory) harvest 11.11% of email addresses on the first attempt purely by guessing (even with the above implemented restrictions). Depending on how/what protections are implemented, the attacker could then come back 8 more times (within minutes, hours, days) to scrape the remaining addresses. There will certainly be email addresses not scraped, but for a spammer, this isn’t a big issue.

With this in mind, the only workable solution is to alter the way CAPTCHA protection is implemented to go with the more traditional “typing” option. It’s tried and tested, and although it’s not perfect, it does resolve a number of the issues faced by scr.im currently.

Disclaimer: I’m not a developer, and I have the utmost respect for those who take time to put up services like this online. Hopefully people can learn from what I’ve explained here, so we don’t all make the same mistakes next time.

About a weak back I posted about the upcoming SANS London 2009 event (28 November – 6 December). The guys behind the conference have put together a list of webcasts that they’ll be running to showcase the various courses on offer. You can find a list below of the upcoming events that are especially for the European security community. A full list of the webcasts in the series along with a breakdown of the topics covered can be found on the SANS website.

Upcoming Webcasts .:

• Friday, 25 September
  • Topic: SEC401: SANS Security Essentials Bootcamp Style
  • Instructor: Dr. Eric Cole
  • Time: 15:00 CET

• Tuesday, 29 September
  • Topic: DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
  • Instructor: Sahba Kazerooni
  • Time: 15:00 CET

• Wednesday, 30 September
  • Topic: SEC508: Computer Forensics, Investigation & Response
  • Instructor: Jess Garcia
  • Time: 15:00 CET

• Thursday, 01 October
  • Topic: SEC542: Web App Penetration Testing & Ethical Hacking
  • Instructor: Raul Siles
  • Time: 15:00 CET

• Friday, 02 October
  • Topic: SEC566: 20 Critical Security Controls
  • Instructor: James Tarala
  • Time: 15:00 CET

• Wednesday, 07 October
  • Topic: What Course Should I Take at SANS London 2009 & Question and Answer session
  • Instructor: Johannes Ulrich
  • Time:15:00 CET

Previous webcasts in the series .:

• SEC560: Network Penetration Testing & Ethical Hacking
  • John Strand
• SEC709: Developing Exploits for Penetration Testers and Security Researchers
  • Stephen Sims

For those who didn’t manage to catch the live webcasts that have already taken place, the recording is now available from the webcast archives.

Craig Balding – The Belgian beer lovers guide to Cloud Security

High-level talk covering cloud security with the goal to get people thinking about whats possible.

The CFO view on cloud computing purely bottom line. The less things appear on the balance sheet the better for the company. This isn’t always better for security.

Speed of provisioning makes it an easy sell to the CEO.

Not everyone is happy – IT Security people are cynical people. Same problems in a different guise. From a security standpoint though, we as security professionals need to know about it. The business wants the cloud, so we have to work with it.

Cloud is painting a vision that doesn’t yet exist. Marketing is out of sync with their engineering department. Easy to write it off, but it shouldn’t be that way.

Talking about the cloud is hard. There are so many different kinds. It’s like walking into a Belgian pub and asking  for a beer. Sure, but what kind of beer do you want ?

Cloud properties .:

• Abstraction of Resources
• On Demand
• Elastic
• Scalable
• API
• as a Service (aaS)

Virtualisation != Cloud != Virtualisation

Dynamic resources meet static security – The systems you have to secure as flexible, constantly growing and changing, so how does your security measures adapt to those issues.

Cloud != Outsourcing

You can visit an outsourcing company to check them out. Any large cloud company won’t be willing to show you around the data-center. Cloud is more of a black box solution, with an API interface.

Cloud Platforms are often stitched together open-source software with an API. These combinations and uses are all new. New doesn’t mean secure. Untested combinations are dangerous.

• Infrastructure as a service (i.e. Virtual servers)
• Platform as a service (i.e. Google AppEngine,…)
• Software as a service (i.e. Salesforce.com,…)

Software as a service is no longer a dedicated machine or environment for your software. Shared platform amongst many companies.

Cloud Taxonomy and Ontology ==> More details can be found HERE
Jericho Cloud Cube ==> More details can be found HERE

Cloud can be public or private. Virtual private cloud solutions using VPNs to connect you to the cloud. The level of sharing here opens up attack vectors where moving from the public cloud to the private cloud could be possible. VPN driver vulnerabilities ?

Government clouds — Apps.gov offering cloud storage, software development, virtual machines for government use

Cloud specific security concerns .:

• What are they hiding in the basement – Where is your data stored ?
• Uptime – Is 99.9% enough ?
• Lock-in – Can you get your VMs out if you need to ? What format are they in ? Apps coded to a specific API ?
• Multi Tenancy – Shared systems with mixed security. Shared Databases with mixed customer data
• Change Control – What did they change and when ? Do Google have change logs ? Are they public ?
• Visibility – What logs do you have ? Can you see if somebody is brute-forcing your account ?
• Cloud Layers – Services layered on-top of services. Subcontractors. What risk level do these dependencies introduce ?
• Identity – Multiple accounts. Problems in-house, worse on the internet. SSO for the cloud ? Using your AD to authenticate in the cloud ?
• SLAs – Have you read them ? How often are they changed ? Can you negotiate better SLAs ?
• Terms of Service – If they screw up you get service credit ? is that ok if you’re down a week or more ?
• Legal Issues – (Search & Seize) – What if the FBI takes the servers out of the datacenter ?
• Auditor – They’ve only just learnt about virtualization, do they know what cloud is ?
• Pay As You Go – Paying with a credit card. Where are your payment details stored ? Do they have anti-fraud systems ? Attackers driving up your CPU usage or bandwidth may cost you more. Can you set a limit?
• Data Wiping – Can’t do it. You can delete them, but there’s no REALLYDELETETHIS API call.
• Distributed Programming – Developers have to code to the API, are they experienced with distributed environments ? Race conditions.
• Cloud APIs – Protected through SSL. Other options

How can a tester (PCI, PenTester,..) verify your security. Will the systems be the same today as they are tomorrow. It’s like changing a tyre at 70mph.

The cloud is like the wild-wild-west right now.

More researchers are needed to rally shed light on these security issues.

Cloud Security Aliance – Shape the future of Cloud

Cloudsecurity.org – Craig Baldings Blog