Archive for the ‘appsec’ Category
Java and .NET security
Java Security
http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
Java has many built-in security features that your organization's developers need to use. It is best not to build your own cryptography but to use well-established classes that have been tested and verified.
Java has many built-in security mechanisms that other languages do not, including the following:
1. Strong data typing
2. Automatic memory management
3. Bytecode verification
Cryptography
· Comprehensive API with support for a wide range of cryptographic services including digital signatures, message digests, ciphers (symmetric, asymmetric, stream & block), message authentication codes, key generators and key factories
· Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.
Authentication and Access Control
· Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture
· A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources.
Secure Communications
APIs and implementations for the following standards-based secure communications protocols: Transport Layer Security (TLS), Secure Sockets Layer (SSL), Kerberos (accessible through GSS-API), and the Simple Authentication and Security Layer (SASL). Full support for HTTPS over SSL/TLS is also included.
Public Key Infrastructure
Tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms:
· Certificates and Certificate Revocation Lists (CRLs): X.509
· Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP)
· KeyStores: PKCS#11, PKCS#12
· Certificate Stores (Repositories): LDAP, java.util.Collection
http://docs.oracle.com/javase/6/docs/api/java/security/SecureRandom.html
java.security
Class SecureRandom
java.lang.Object
  java.util.Random
    java.security.SecureRandom
All Implemented Interfaces:
public class SecureRandom extends Random
This class provides a cryptographically strong random number generator (RNG).
A cryptographically strong random number minimally complies with the statistical random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules, section 4.9.1. Additionally, SecureRandom must produce non-deterministic output. Therefore any seed material passed to a SecureRandom object must be unpredictable, and all SecureRandom output sequences must be cryptographically strong, as described in RFC 1750: Randomness Recommendations for Security.
A caller obtains a SecureRandom instance via the no-argument constructor or one of the getInstance methods:
SecureRandom random = new SecureRandom();
Many SecureRandom implementations are in the form of a pseudo-random number generator (PRNG), which means they use a deterministic algorithm to produce a pseudo-random sequence from a true random seed. Other implementations may produce true random numbers, and yet others may use a combination of both techniques.
Typical callers of SecureRandom invoke the following methods to retrieve random bytes:
SecureRandom random = new SecureRandom();
byte bytes[] = new byte[20];
random.nextBytes(bytes);
Callers may also invoke the generateSeed method to generate a given number of seed bytes (to seed other random number generators, for example):
byte seed[] = random.generateSeed(20);
https://www.owasp.org/index.php/Insecure_Configuration_Management
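The Javadoc excerpt above says what SecureRandom is; the following added example (my code, not from the article or the JDK documentation) shows the practical difference between it and java.util.Random when generating a session or password-reset token. It assumes Java 8 or later for java.util.Base64; the fixed seed value in main is a constructed stand-in for the kind of timestamp seed that makes Random-based tokens reproducible.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example: unguessable tokens from SecureRandom versus reproducible
// tokens from java.util.Random (a deterministic 48-bit generator).
public class TokenDemo {

    // 20 bytes = 160 bits of entropy, the same size the Javadoc excerpt uses.
    private static final int TOKEN_BYTES = 20;

    // One shared instance: SecureRandom self-seeds from the platform entropy
    // source on construction and is thread-safe, so no per-call reseeding.
    private static final SecureRandom SECURE = new SecureRandom();

    /** Returns a URL-safe token built from SecureRandom output. */
    public static String secureToken() {
        byte[] bytes = new byte[TOKEN_BYTES];
        SECURE.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * The insecure counterpart. java.util.Random is a linear congruential
     * generator: whoever knows (or brute-forces) the seed can regenerate
     * every token it ever produced.
     */
    public static String weakToken(long seed) {
        byte[] bytes = new byte[TOKEN_BYTES];
        new Random(seed).nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        String a = secureToken();
        String b = secureToken();
        System.out.println("SecureRandom token 1: " + a);
        System.out.println("SecureRandom token 2: " + b);
        System.out.println("Distinct:             " + (!a.equals(b)));

        // Constructed seed value standing in for System.currentTimeMillis():
        // two Random instances seeded alike yield identical "tokens".
        long seed = 1_700_000_000_000L;
        System.out.println("Random token (seed):  " + weakToken(seed));
        System.out.println("Random token (again): " + weakToken(seed));
        System.out.println("Reproducible:         " + weakToken(seed).equals(weakToken(seed)));
    }
}
```

Compile and run with javac TokenDemo.java && java TokenDemo. The point of the second half is the one the Javadoc makes about seed material: a generator is only as unpredictable as its seed, and Random's seed space is small enough that a token built from it is a guess, not a secret.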
http://www.troyhunt.com/2012/04/67-of-aspnet-websites-have-serious.html
https://netbeans.org/kb/docs/javaee/secure-ejb.html
.NET security
In the .NET portion of this article, most of the security vulnerabilities come from insecure configuration management in the web.config file.
The setting below is insecure:
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
This one is secure:
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>
It is a good idea to have a custom error page that states there was a problem, asks the user to try again, and sends the user back with the browser's back button.
Cookies Accessible Through Client-Side Script
In Internet Explorer 6.0, Microsoft introduced a new cookie property called HttpOnly. While you can set the property programmatically, you can also set it globally in the site configuration.
Vulnerable
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>
Secure
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
Custom Errors Disabled
When you disable custom errors as shown below, ASP.NET returns a detailed error message to clients by default, for example:
Microsoft OLE DB Provider for ODBC Drivers error ‘80040e14’
([Microsoft][ODBC Microsoft Access Driver] Extra )
In query expression ‘UserID=’’’ AND Password =‘’
/_tblemployees/login3.asp, line 49
Vulnerable
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
Secure
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>
Returning the detailed error message to the user, or to an attacker, leaks information about the system that can be used to launch an attack on the application. Revealing the language the application is written in, the database type, and the web server operating system gives a would-be attacker too much information about how to compromise the application.
Hardcoded Credentials Used
Hardcoded credentials to a production database are really the keys to sensitive intellectual property or customer data: anyone who has access to the hardcoded credentials has access to the database.
Insecure
<configuration>
  <system.web>
    <password = rootpassword>
  </system.web>
</configuration>
Secure
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms>
      </forms>
    </authentication>
  </system.web>
</configuration>
So hopefully you now have a better understanding of Java and .NET security. A few configuration fixes in the web.config can make your application more secure and better protect it from hackers.
Matt Parsons, CISSP, MSM
mparsons@parsonsisconsulting.com
Secure Coding
With 95 percent of web applications having software security vulnerabilities, secure coding has never been more important. 80 percent of all web applications have cross-site scripting vulnerabilities and 62 percent have the more dangerous SQL injection vulnerabilities. If organizations follow simple secure coding practices, the majority of these vulnerabilities can be eliminated.
With these vulnerabilities eliminated, the attack surface of your organization is greatly diminished, ensuring the confidentiality, integrity and availability of your business-critical web applications.
This article will talk about high-level application security concepts, Java security, .NET security, and web application security vulnerabilities and remediation steps.
Secure coding has to be implemented early in the software development process to ensure the application is secure and free from most vulnerabilities. Security is based on the remediation of two kinds of problem: design flaws and bugs.
Bugs are things like cross-site scripting and SQL injection vulnerabilities, whereas design flaws are the improper use of authorization and cryptography to protect a web application. Both bugs and design flaws must be remediated to have a secure application.
Secure coding starts with senior management establishing a secure coding culture and giving developers the time and the tools to remediate software security vulnerabilities. Education is always important. A developer must be taught to write secure code in order for your application to be secure. Lunch-and-learns and training help. Online training is a good way to teach many developers the basic concepts of secure coding. Individual specialized training is great for taking developers beyond the basics and teaching secure coding concepts in the language they program in.
As the figure above shows, it is a good idea to have defense in depth in order to protect the business-critical application.
A short checklist of what developers should and should not do is beneficial in remediating software security vulnerabilities. An example of a "must" would be that all developers must validate all input and use parameterized queries. A "must not" would be that developers cannot use MD5 hashing to protect sensitive credentials; instead they should use something stronger, such as SHA-256. Telling developers what they should and shouldn't do is only beneficial if you also show what could, and eventually will, happen if they do not follow secure coding policies. A good checklist is as follows:
1. Where is the application? Where does it reside?
2. Who uses the application? What is the use case scenario?
3. Who are the attackers?
4. What does the application do?
5. What are the vulnerabilities in the application?
6. Implement policies that are already in use, such as BSIMM.
7. Use automated review for large applications.
8. Create a secure coding check list.
9. AUDITING AND LOGGING
10. COOKIES AND PASSWORDS
11. TECHNOLOGIES THAT CANNOT BE USED
12. ATTACKS ON SESSION
13. WHAT COULD AN ATTACKER DO TO YOUR APPLICATION
14. PASSWORD POLICIES
15. GETS AND POSTS
16. ACCESS CONTROL POLICIES
17. VALIDATE ALL INPUT
18. UPLOADS AND DOWNLOADS OF FILES
19. PREVENT XSS
20. PREVENT SQL INJECTION
21. INFORMATION LEAKAGE
22. APPLICATION DENIAL OF SERVICE
23. DOCUMENT SECURITY
24. CENTRALIZE SECURITY
25. CODING RULES
26. TESTING
With training secure coding should be implemented early in the development process whether you are using traditional waterfall methods or agile methods. Implementing security in the requirements and design phase is much more effective than bolting security on once the product is released.
SD3 is important to follow: secure by design, secure by default and secure by deployment. Following SD3 ensures a holistic approach to application security. Security best practices like running production applications with least privilege and using whitelist regular expressions for validation also help. In order to reduce the attack surface of the application, it is necessary to run only the services your application requires; the server administrators must turn everything else off. Too often applications are attacked through insecure, unused services.
If there is only one aspect of secure coding to remember, it is to never trust input and to validate all of it. This holds whether the input comes from a user or from another system. User input must be sanitized and checked with length checks, range checks and format checks. It is necessary to use defense in depth and to learn from mistakes when attacks happen. Peer code review of the source and static code analysis find security bugs early. Threat modeling and use case scenarios find design flaws early. Having an internal application security department or a third party test the web application with penetration testing and ethical hacking verifies that the vulnerabilities have been fixed to an acceptable level before the application is published to users.
Secure code must be: seamless, easy to understand, cognizant of attack, unobtrusive, resilient, error tolerant.
Apple hacked!! Ethical hackers personal information hacked at Apple
My fiancée was trying to download a movie today from iTunes when the security certificate was marked as invalid. My first thought was, did Apple get hacked? She was trying to download the Jackie Robinson movie, 42. I didn't think anything of it and went back to my normal Sunday evening routine. I was outside playing with our dogs in the yard when my iPhone alerted me of a new message.
The message I received was the following.
I then did a little research and found out that Apple was indeed hacked and they were doing major overruns for maintenance. Part of the problem is that first and foremost I am an application security engineer, and an Apple developer second. I have been programming for 15 years and doing application security for 11 of those years. I have been an Apple developer for two years, learning Cocoa daily to one day strike it rich on an Apple development idea.
I was then thinking: Apple has all of my sensitive information. They have my social security number, my credit card, my name and address and my bank account number to deposit my application sales, at least 60 percent of it, to my bank account while Apple profits 40 percent.
I was thinking, man; I am an ethical hacker and I got hacked. It was not a good feeling. It was a similar feeling to when I found out my veteran's information was hacked and they enrolled me in credit monitoring.
I felt like a victim. My career goal in life is to make more applications more secure. I actually interviewed a few times with the Apple development team and they told me I was not smart enough. I do know this: if I were working with Apple, I would have been smart enough to encrypt all sensitive information. I would have ensured that the confidentiality, integrity and availability of the application was met.
I am not sure how this attack happened, but I am guessing it was through a web application vulnerability. I believe that if Apple had hired a competent, unbiased third-party application security engineer this would not have happened. Attackers use the same tools and techniques that application security professionals do. A thorough penetration test and a secure application review could have prevented this. I pray, for the sake of other consumers and companies, that more companies take application security more seriously and reach out to non-profit organizations like the Open Web Application Security Project, train developers, and hire ethical third-party security engineers to do software reviews to ensure the confidentiality, integrity and availability of data in systems, putting the proper security controls in place to prevent this from happening in the future.
I hope that the most successful company getting hacked is a wake up call. We need to train developers to program applications more securely and value the competent ethical third party application security engineers that review these applications.
Matt Parsons, CISSP, MSM, CWASE
mparsons@parsonsisconsulting.com
http://www.businessinsider.com/apple-developers-site-hacked-2013-7
How many software security bugs can you find in OWASP web goat below?
Today’s post is going to be interactive. I am going to show the source code of a file in web goat. The file name is BlindSQLInjection.java. I am asking my readers to point out the security vulnerabilities in the code and post below in comments. I will post my answers in a couple days.
Many thanks to OWASP, Jeff Williams, Aspect Security, Bruce Mayhew and anyone else who has worked on the WebGoat project.
package org.owasp.webgoat.lessons;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/***************************************************************************************************
 *
 *
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
 * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
 * This program is free software; you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along with this program; if
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
 * Getting Source ==============
 *
 * Source for this application is maintained at code.google.com, a repository for free software
 * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
 * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web site</a> (this lesson
 * is heavily based on Bruce Mayhews' SQL Injection lesson
 * @created January 14, 2005
 */
public class BlindSqlInjection extends LessonAdapter
{
    private final static String ACCT_NUM = "account_number";

    private final static int TARGET_ACCT_NUM = 15613;

    /**
     * Description of the Method
     *
     * @param s
     *            Description of the Parameter
     * @return Description of the Return Value
     */
    protected Element createContent(WebSession s)
    {
        ElementContainer ec = new ElementContainer();

        try
        {
            Connection connection = DatabaseUtilities.getConnection(s);

            ec.addElement(new P().addElement("Enter your Account Number: "));

            String accountNumber = s.getParser().getRawParameter(ACCT_NUM, "101");
            Input input = new Input(Input.TEXT, ACCT_NUM, accountNumber.toString());
            ec.addElement(input);

            Element b = ECSFactory.makeButton("Go!");
            ec.addElement(b);

            String query = "SELECT * FROM user_data WHERE userid = " + accountNumber;
            String answer_query;
            answer_query = "SELECT TOP 1 first_name FROM user_data WHERE userid = " + TARGET_ACCT_NUM;

            try
            {
                Statement answer_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                        ResultSet.CONCUR_READ_ONLY);
                ResultSet answer_results = answer_statement.executeQuery(answer_query);
                answer_results.first();
                //System.out.println("Account: " + accountNumber);
                //System.out.println("Answer : " + answer_results.getString(1));
                if (accountNumber.toString().equals(answer_results.getString(1)))
                {
                    makeSuccess(s);
                }
                else
                {
                    Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                            ResultSet.CONCUR_READ_ONLY);
                    ResultSet results = statement.executeQuery(query);

                    if ((results != null) && (results.first() == true))
                    {
                        ec.addElement(new P().addElement("Account number is valid"));
                    }
                    else
                    {
                        ec.addElement(new P().addElement("Invalid account number"));
                    }
                }
            }
            catch (SQLException sqle)
            {
                ec.addElement(new P().addElement("An error occurred, please try again."));
            }
        }
        catch (Exception e)
        {
            s.setMessage("Error generating " + this.getClass().getName());
            e.printStackTrace();
        }

        return (ec);
    }

    /**
     * Gets the category attribute of the SqlInjection object
     *
     * @return The category value
     */
    protected Category getDefaultCategory()
    {
        return Category.INJECTION;
    }

    /**
     * Gets the credits attribute of the AbstractLesson object
     *
     * @return The credits value
     */
    public Element getCredits()
    {
        return new StringElement("By Chuck Willis");
    }

    /**
     * Gets the hints attribute of the DatabaseFieldScreen object
     *
     * @return The hints value
     */
    protected List<String> getHints(WebSession s)
    {
        List<String> hints = new ArrayList<String>();
        hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
                + "Create a SQL statement that you can use as a true/false test and then "
                + "select the first character of the target element and do a start narrowing "
                + "down the character using > and <"
                + "<br><br>The backend database is HSQLDB. Keep that in mind if you research SQL functions "
                + "on the Internet since different databases use some different functions and syntax.");
        hints.add("This is the code for the query being built and issued by WebGoat:<br><br> "
                + "\"SELECT * FROM user_data WHERE userid = \" + accountNumber ");
        hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command. "
                + "You will need to make use of the following SQL functions: "
                + "<br><br>SELECT - query for your target data and get a string "
                + "<br><br>substr(string, start, length) - returns a "
                + "substring of string starting at the start character and going for length characters "
                + "<br><br>ascii(string) will return the ascii value of the first character in string "
                + "<br><br>> and < - once you have a character's value, compare it to a choosen one");
        hints.add("Example: is the first character of the first_name of userid " + TARGET_ACCT_NUM
                + " less than 'M' (ascii 77)? "
                + "<br><br>101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid="
                + TARGET_ACCT_NUM + ") , 1 , 1) ) < 77 ); "
                + "<br><br>If you get back that account number is valid, then yes. If get back that the number is"
                + "invalid then answer is no.");
        hints.add("Another example: is the second character of the first_name of userid " + TARGET_ACCT_NUM
                + " greater than 'm' (ascii 109)? "
                + "<br><br>101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid="
                + TARGET_ACCT_NUM + ") , 2 , 1) ) > 109 ); "
                + "<br><br>If you get back that account number is valid, then yes. If get back that the number is "
                + "invalid then answer is no.");
        return hints;
    }

    /**
     * Gets the instructions attribute of the SqlInjection object
     *
     * @return The instructions value
     */
    public String getInstructions(WebSession s)
    {
        String instructions = "The form below allows a user to enter an account number and determine if "
                + "it is valid or not. Use this form to develop a true / false test check other entries in the database. "
                + "<br><br>Reference Ascii Values: 'A' = 65 'Z' = 90 'a' = 97 'z' = 122 "
                + "<br><br>The goal is to find the value of " + "the first_name in table user_data for userid "
                + TARGET_ACCT_NUM
                + ". Put the discovered name in the form to pass the lesson. Only the discovered name "
                + "should be put into the form field, paying close attention to the spelling and capitalization.";
        return (instructions);
    }

    private final static Integer DEFAULT_RANKING = new Integer(70);

    protected Integer getDefaultRanking()
    {
        return DEFAULT_RANKING;
    }

    /**
     * Gets the title attribute of the DatabaseFieldScreen object
     *
     * @return The title value
     */
    public String getTitle()
    {
        return ("Blind SQL Injection");
    }

    /**
     * Constructor for the DatabaseFieldScreen object
     *
     * @param s
     *            Description of the Parameter
     */
    public void handleRequest(WebSession s)
    {
        try
        {
            super.handleRequest(s);
        }
        catch (Exception e)
        {
            //System.out.println("Exception caught: " + e);
            e.printStackTrace(System.out);
        }
    }
}
Matt Parsons, CISSP, MSM
mparsons1980@gmail.com
Threat Model for OWASP web goat
I am trying to completely dissect OWASP's WebGoat and link source code findings with web penetration findings. In my quest to do this I have created a very, very rough threat model. There is a lot more that needs to be added to the threat model. I have completed probably ten threat models for different clients of mine. I used the Microsoft Threat Model tool. I used an older version. I think there are newer ones and better ones. It is a good idea to use a threat model to see all of the components of the application. It allows a security analyst or a developer to see the users of the application, the data, and the possible exposure of that data with respect to the confidentiality, integrity and availability of your application. You can then create use and abuse cases for the application.
Matt Parsons, CISSP, MSM
mparsons1980@gmail.com
Reflected Cross Site Scripting in OWASP Web Goat source code
I am doing another WebGoat vulnerability. This time, once again, I scanned WebGoat with a commercial static code analyzer. The tool is telling me that the vulnerability below is reflected cross-site scripting. With reflected XSS attacks an attacker tricks a user into sending malicious code to a vulnerable web server. This could access the user's cookie.
public String getRawParameter(String name) throws ParameterNotFoundException
{
    String[] values = request.getParameterValues(name);
    if (values == null)
    {
        throw new ParameterNotFoundException(name + " not found");
    }
    else if (values[0].length() == 0)
    {
        throw new ParameterNotFoundException(name + " was empty");
    }
    // The raw value is returned as submitted: no validation, no encoding.
    return (values[0]);
}

public String getRawParameter(String name, String def)
{
    try
    {
        return getRawParameter(name);
    }
    catch (Exception e)
    {
        return def;
    }
}
String to = s.getParser().getRawParameter(HIDDEN_TO, "");
String gId = s.getParser().getRawParameter(GMAIL_ID, "");
String gPass = s.getParser().getRawParameter(GMAIL_PASS, "");
String message = s.getParser().getRawParameter(MESSAGE, "");
String subject = s.getParser().getRawParameter(SUBJECT, "");

boolean haveCredentials = !(YOUR_REAL_GMAIL_ID.equals(gId) || YOUR_REAL_GMAIL_PASSWORD.equals(gPass));

ec.addElement(new HR());
createGoogleCredentials(s, ec);
ec.addElement(new HR());
ec.addElement(new BR());
createMailMessage(s, subject, message, ec);
{
    if (haveCredentials)
    {
        Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass);
        formatMail(ec, sentMessage);
    }
    else
    {
        sendSimulatedMail(ec, to, subject, message);
    }
}
From reading the code it looks like it gets your gmail information and then sends the message without validating any inputs or encoding any outputs.
All of this takes place inside of the Web Goat file uncheckedemail.java.
Once again, thanks to OWASP and Aspect Security for creating and supporting WebGoat. It's a great web application security tool for practicing white box ethical hacking and secure code review without going to prison for real hacking.
msg.setRecipients(Message.RecipientType.TO, addressTo);

// Setting the Subject and Content Type
msg.setSubject(subject);
msg.setContent(message, "text/plain");
Transport.send(msg);
return msg;
I couldn't find the page in WebGoat that the above code references, but I was able to find the reflected XSS lesson in WebGoat. I went to RSnake's hackers.org website, which has recently retired from software security blogging. I used the following script to attack it.
<IMG SRC=`javascript:alert("Parsons Software Security Consulting says, 'XSS'")`>
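The post's reading of the code is that the parameter values are used without validating input or encoding output. As an added example (my code, not WebGoat's), here is the output-encoding half of the fix: a small HTML entity encoder applied to a reflected parameter, with the vulnerable and corrected render side by side. The encoder covers the characters that end a text or attribute context in HTML; the request parameter is replaced by a constructed string built from the probe quoted above.

```java
// Added example: encode a reflected request parameter before writing it into
// HTML so that markup in the input renders as text rather than executing.
public class HtmlEncode {

    /** Entity-encodes the characters that can break out of an HTML text or attribute context. */
    public static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                case '`':  out.append("&#x60;"); break;   // IE treated backticks as attribute quotes
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: the raw parameter value is concatenated into the page.
    public static String renderUnsafe(String subject) {
        return "<p>Subject: " + subject + "</p>";
    }

    // Corrected pattern: the same value, encoded for an HTML text context.
    public static String renderSafe(String subject) {
        return "<p>Subject: " + encodeForHtml(subject) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed stand-in for a reflected "subject" parameter, based on the probe above.
        String probe = "<IMG SRC=`javascript:alert(\"XSS\")`>";
        System.out.println("unsafe: " + renderUnsafe(probe));
        System.out.println("safe:   " + renderSafe(probe));
    }
}
```

The encoder is context-specific: it is correct for element content and quoted attributes, but a value placed inside a script block, a URL, or a CSS property needs the encoding rules of that context instead. Input validation on the way in (the other half the post mentions) reduces what reaches this point but does not replace it, since a legitimate subject line may contain an ampersand or an angle bracket.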
Matt Parsons, CISSP, MSM
Parsons Software Security Consulting, LLC
mparsons1980@gmail.com
OWASP web goat source code SQL injection code vulnerability
For this post, I have to give credit to OWASP for creating WebGoat. I scanned the vulnerable application with several commercial static code analyzers, which allow the user to see the code behind the vulnerabilities.
public String getRawParameter(String name) throws ParameterNotFoundException
{
    String[] values = request.getParameterValues(name);
    if (values == null)
    {
        throw new ParameterNotFoundException(name + " not found");
    }
    else if (values[0].length() == 0)
    {
        throw new ParameterNotFoundException(name + " was empty");
    }
    // Returned exactly as submitted: this is the source of the tainted data.
    return (values[0]);
}
Notice that there is no validation mechanism for the values USERNAME and PASSWORD.
try
{
    String username = "";
    String password = "";

    username = s.getParser().getRawParameter(USERNAME);
    password = s.getParser().getRawParameter(PASSWORD);
// If they get back more than one user they succeeded
if (results.getRow() >= 1)
{
    // Make sure this isn't data from an sql injected query.
    if (results.getString(2).equals(username) && results.getString(3).equals(password))
    {
        String insertData1 = "INSERT INTO user_login VALUES ( '" + username + "', '" + s.getUserName() + "' )";
        statement.executeUpdate(insertData1);
    }

    // check the total count of logins
    query = "SELECT * FROM user_login WHERE webgoat_user = '" + s.getUserName() + "'";
    results = statement.executeQuery(query);
    results.last();

    // If they get back more than one user they succeeded
    if (results.getRow() >= 3)
    {
        makeSuccess(s);
Above is the visual smart trace of the SQL injection code, so you can see it and understand it. The red boxes are sources and sinks. The blue boxes are sinks as well. The grey boxes allow code to pass through them; the grey boxes should have validation mechanisms in them. These grey boxes don't, and this allows SQL injection. WebGoat, by design, is also using dynamic SQL statements rather than parameterized queries, which allows the SQL injection that it teaches on the front end of the lesson.
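The trace shows untrusted values flowing straight from getRawParameter into concatenated SQL, both in the login query above and in the account lookup of the BlindSqlInjection lesson posted earlier. As an added example (my code, not WebGoat's), here are both lookups rewritten the way the trace says they should be: an allow-list check at the grey box, and a PreparedStatement at the sink so the value is bound as data rather than spliced into syntax. The Connection is supplied by the caller (in WebGoat that would be DatabaseUtilities.getConnection(s)); the column names user_name and password are an assumption matching the getString(2)/getString(3) reads above, and the regex bounds are my own choice.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example: allow-list validation plus parameterized queries for the
// two WebGoat lookups discussed on this page.
public class SafeLookups {

    // Allow-lists: an account id is 1-9 digits, a username 1-32 word characters.
    // Anything else is rejected before any SQL is built (assumed bounds).
    private static final Pattern ACCOUNT_ID = Pattern.compile("^[0-9]{1,9}$");
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    public static boolean isValidAccountNumber(String s) {
        return s != null && ACCOUNT_ID.matcher(s).matches();
    }

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    /** Replacement for "SELECT * FROM user_data WHERE userid = " + accountNumber. */
    public static boolean accountExists(Connection conn, String accountNumber) throws SQLException {
        if (!isValidAccountNumber(accountNumber)) {
            throw new IllegalArgumentException("account number must be 1-9 digits");
        }
        int id = Integer.parseInt(accountNumber);
        // The id is bound as a typed parameter; it cannot become SQL syntax.
        String sql = "SELECT 1 FROM user_data WHERE userid = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /**
     * Replacement for the concatenated login query. Both values are bound;
     * the driver quotes them, so a quote or AND in the input stays literal.
     * (The lesson stores plaintext passwords; a real system would bind the
     * username only and verify a salted hash in code.)
     */
    public static boolean login(Connection conn, String username, String password) throws SQLException {
        if (!isValidUsername(username) || password == null) {
            return false;
        }
        String sql = "SELECT user_name FROM user_data WHERE user_name = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the lesson's default id, and the probe shape from its hints.
        String[] samples = { "101", "15613", "101 AND (ascii(substr((SELECT first_name FROM user_data WHERE userid=15613),1,1)) < 77)", "" };
        for (String s : samples) {
            System.out.println("account id " + (isValidAccountNumber(s) ? "accepted" : "rejected") + ": \"" + s + "\"");
        }
        System.out.println("username jsmith accepted: " + isValidUsername("jsmith"));
        System.out.println("username ' OR '1'='1 accepted: " + isValidUsername("' OR '1'='1"));
    }
}
```

Run main to see the allow-list alone reject the lesson's true/false probes; the parameterized queries are the second, independent layer, and they are the one that holds even when a field legitimately must accept quotes or spaces and the allow-list has to be looser.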
Here are the screenshots of the application that is vulnerable to SQL injection. Thanks to Aspect Security for creating this application.
My passion is software security and linking web penetration testing with source code analysis.
Matt Parsons, CISSP, MSM, mparsons1980@gmail.com
How to find robots.txt with O2
We already discussed a script to find the crossdomain.xml file with O2. Today we are going to talk about how to find the robots.txt file. Many websites have a robots.txt file, and sometimes these files contain sensitive information. Today we are going to write a script that searches Google for these files.
Below is a sample Robots.txt from a sample web application.
var ie = panel.clear().add_IE().silent(true);
ie.open("http://www.google.com");
ie.field("Search").value("inurl:robots.txt filetype:txt");
ie.button("Google Search").click();

var targetUrls = new List<string>();
foreach(var link in ie.links().urls())
    if (link.ends("robots.txt"))
        targetUrls.Add(link);
return targetUrls;

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
I don't plan on showing you how to exploit robots.txt. But the O2 script is a simple one for finding robots.txt files out in the wild.
Parsons Software Security Consulting, LLC
Securing the Internet one Application at a time.
mparsons [at] gmail.com