parsonsisconsulting

Parsons Software Security Consulting Blog

Archive for the ‘web penetration testing’ Category

OWASP WebGoat source code SQL injection vulnerability

with 3 comments

For this post, I have to give credit to OWASP for creating WebGoat.   I scanned the vulnerable application with different commercial static code analyzers, which let the user see the code behind the vulnerabilities.


public String getRawParameter(String name) throws ParameterNotFoundException
{
    String[] values = request.getParameterValues(name);

    if (values == null)
    {
        throw new ParameterNotFoundException(name + " not found");
    }
    else if (values[0].length() == 0)
    {
        throw new ParameterNotFoundException(name + " was empty");
    }

    // "present and non-empty" is the only check; the value is handed back untouched
    return (values[0]);
}

Notice that getRawParameter() only checks that the parameter exists and is non-empty. Nothing validates, restricts or encodes the USERNAME and PASSWORD values before the lesson code below drops them into a SQL string.


try
{
    String username = "";
    String password = "";

    // source: raw request parameters, unvalidated (see getRawParameter above)
    username = s.getParser().getRawParameter(USERNAME);
    password = s.getParser().getRawParameter(PASSWORD);

    // ... the lesson builds its SELECT against user_data by string concatenation
    //     and executes it here; that statement is not reproduced on this page ...

    // If they get back more than one user they succeeded
    if (results.getRow() >= 1)
    {
        // Make sure this isn't data from an sql injected query.
        if (results.getString(2).equals(username) && results.getString(3).equals(password))
        {
            // sink: username is concatenated into a second statement as well
            String insertData1 = "INSERT INTO user_login VALUES ( '" + username + "', '"
                + s.getUserName() + "' )";
            statement.executeUpdate(insertData1);
        }

        // check the total count of logins
        query = "SELECT * FROM user_login WHERE webgoat_user = '" + s.getUserName() + "'";
        results = statement.executeQuery(query);
        results.last();

        // If they get back more than one user they succeeded
        if (results.getRow() >= 3)
        {
            makeSuccess(s);
        }
    }
}
// (catch block and the remainder of the method are not reproduced on this page)

Above (in the original post's screenshot) is the visual smart trace of the SQL injection code, so you can see the flow from source to sink and understand it.   The red boxes are sources and sinks, the blue boxes are sinks as well, and the grey boxes are the nodes the tainted data passes through on its way between them.   The grey boxes are where a validation mechanism belongs; there is none, and that is what allows the SQL injection.   WebGoat, by design, builds its SQL with string concatenation rather than parameterized queries, which is exactly the SQL injection the lesson teaches on the front end.   Note that the lesson's equals() check on the returned row is only an after-the-fact guard: it stops a tautology such as ' OR '1'='1 from logging the attacker in as the first user in the table, but by then the injected statement has already run against the database.
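As an added example (not WebGoat's code, and not from the original post), here is the same pattern in Python with an in-memory SQLite table standing in for WebGoat's user_data: the concatenated query the lesson uses, the parameterized version that fixes it, and the lesson's row check. The table layout, the sample users and the helper names (make_db, login_concat, login_prepared, row_is_genuine, demo) are all constructed for this example.

```python
import sqlite3

# Constructed stand-in for WebGoat's user_data table (not its real seed data);
# column order (userid, user_name, password) mirrors results.getString(2) and (3).
SEED_USERS = [("jsnow", "passwd1"), ("jdoe", "passwd2")]


def make_db():
    """In-memory SQLite database holding the constructed sample users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_data (userid INTEGER, user_name TEXT, password TEXT)")
    con.executemany("INSERT INTO user_data VALUES (?, ?, ?)",
                    [(i, u, p) for i, (u, p) in enumerate(SEED_USERS, 101)])
    return con


def login_concat(con, username, password):
    """Vulnerable (WebGoat's style): the raw parameters become part of the SQL text."""
    query = ("SELECT * FROM user_data WHERE user_name = '" + username
             + "' and password = '" + password + "'")
    return con.execute(query).fetchall()


def login_prepared(con, username, password):
    """Fixed: placeholders hand the values to the driver as data, never as SQL."""
    query = "SELECT * FROM user_data WHERE user_name = ? and password = ?"
    return con.execute(query, (username, password)).fetchall()


def row_is_genuine(rows, username, password):
    """The lesson's after-the-fact guard: the first row must be the user who logged in."""
    return bool(rows) and rows[0][1] == username and rows[0][2] == password


def demo():
    """Run both versions against a comment-based tautology and report what each returned."""
    con = make_db()
    attacker = ("' OR 1=1 --", "anything")   # the -- comments out the password clause
    return {
        "concat_rows": len(login_concat(con, *attacker)),                          # every user comes back
        "concat_guard": row_is_genuine(login_concat(con, *attacker), *attacker),   # guard rejects the row
        "prepared_rows": len(login_prepared(con, *attacker)),                      # 0: treated as a literal name
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every row for the tautology and only the row check keeps that from counting as a login; the parameterized version never sees the quote and comment as SQL at all.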

The screenshots of the application vulnerable to SQL injection are in the original post.   Thanks to Aspect Security for creating this application.

My passion is software security and linking web penetration testing with source code analysis.

Matt Parsons, CISSP, MSM, mparsons1980@gmail.com

Parsons Software Security Consulting, LLC

How to find robots.txt with O2

with 2 comments

We already discussed a script to find the crossdomain.xml file with O2.  Today we are going to talk about how to find the robots.txt file.  Many websites have a robots.txt, and sometimes the paths a site tells crawlers to stay out of (admin consoles, backups, staging areas) are exactly the ones an attacker wants to know about.   Today we are going to write a script that searches Google for these files.

Below is a sample robots.txt from a sample web application (shown in the original post).

var ie = panel.clear().add_IE().silent(true);
ie.open("http://www.google.com");
ie.field("Search").value("inurl:robots.txt filetype:txt");
ie.button("Google Search").click();

// keep only the result links that point straight at a robots.txt
var targetUrls = new List<string>();
foreach(var link in ie.links().urls())
    if (link.ends("robots.txt"))
        targetUrls.Add(link);

return targetUrls;

//O2File:WatiN_IE_ExtensionMethods.cs
//using  O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

I don’t plan on showing you how to exploit robots.txt.  But the O2 script is a simple one to find robots.txt out in the wild.
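An added example, not part of the post or of the O2 script: once a robots.txt has been found, this Python pulls the Disallow entries out of it and turns them into the absolute URLs worth a manual look. The sample file, the host name www.example.com and the helper names (parse_robots, candidate_urls) are constructed for the example.

```python
from urllib.parse import urljoin

# Constructed sample robots.txt; not taken from any real site.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
# trailing comment
Sitemap: https://www.example.com/sitemap.xml
"""


def parse_robots(text):
    """Return ({user_agent: [disallowed paths]}, [sitemap URLs]); comments and blanks are ignored."""
    rules, sitemaps = {}, []
    group, in_rules = [], False          # the User-agent lines the following rules apply to
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                 # a User-agent after rules starts a new record
                group, in_rules = [], False
            group.append(value)
            rules.setdefault(value, [])
        elif field == "sitemap":
            sitemaps.append(value)
        elif field in ("disallow", "allow"):
            in_rules = True
            if field == "disallow" and value:   # "Disallow:" with no path means allow everything
                for agent in group:
                    rules[agent].append(value)
    return rules, sitemaps


def candidate_urls(base, rules):
    """Absolute URLs for every disallowed path, deduplicated, in file order."""
    seen, out = set(), []
    for paths in rules.values():
        for path in paths:
            url = urljoin(base, path)
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


if __name__ == "__main__":
    parsed, maps = parse_robots(SAMPLE_ROBOTS)
    for url in candidate_urls("https://www.example.com", parsed):
        print(url)
```

Paths such as /backup/db.sql and /staging/ are the kind of entries the post has in mind: the file exists to keep crawlers out, not attackers, so each one is a candidate for a manual request on an engagement where you are authorized to make it.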

 

Parsons Software Security Consulting, LLC

Securing the Internet one Application at a time.

mparsons [at] gmail.com

Written by mparsons1980

December 8, 2010 at 11:07 pm

Etherpad O2 scripting to search and click on a link in Google

leave a comment »

I was on an Etherpad session with Dinis and Sarah from OWASP.   Below is the link to Etherpad.   Etherpad is a great tool for programmers, and for us to write scripts together and troubleshoot.

http://ietherpad.com/

We used the free version.

Below are our Etherpad sessions from December 3, 2010.

http://ietherpad.com/xkckfhJGAY

http://ietherpad.com/UYmog5ljkj

Dinis blogs about it on his blog.   http://o2platform.wordpress.com/2010/12/04/o2-script-to-perform-a-google-search/

Below is today’s O2 script.  Dinis is the original author, but I tweaked it to do some shameless self-promotion.


panel.clear();
var ie = panel.add_IE().silent(true);
ie.disableFlashing(); // use this when developing the script to make it faster

// run a Google search for the given text
Action<string> searchGoogle =
    (searchText)=> {
        ie.open("http://www.google.com");
        searchText = searchText.line();
        ie.field("Search").value(searchText).flash();
        ie.button("Google Search").Click();
    };

// click a result link by its title, or report that it was not on the page
Action<string> clickOnLink =
    (linkToClick)=> {
        if (ie.hasLink(linkToClick))
            ie.link(linkToClick).flash().click();
        else
            "Error: could not find link: {0}".error(linkToClick);
    };

searchGoogle("Parsons Software Security Consulting, LLC");
clickOnLink("Parsons Software Security Consulting, LLC - Home");

return ie;   // the link has already been clicked above; hand the browser back to O2

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll


This script opens Google, disables the flashing highlight (which only slows the script down while you are watching it), searches for my company, Parsons Software Security Consulting, LLC, and clicks the result titled “Parsons Software Security Consulting, LLC - Home”, which opens my company’s website.

There is the script. Feel free to email me at mparsons1980@gmail.com for comments.

Matt Parsons, CISSP, MSM,
Parsons Software Security Consulting, LLC
Securing the Internet one Application at a time.

Written by mparsons1980

December 4, 2010 at 4:05 am

How to find crossdomain.xml Cross Site Request Forgery with O2

with one comment

Lately it seems that a lot of people are talking about the security implications of an unrestricted crossdomain.xml.   It’s public knowledge that this can be abused: a Flash application hosted on any domain can send requests to the site carrying the victim’s cookies and read the responses, which is what makes the cross-site request forgery (and data theft) scenarios possible.

Below is the sample content of such a crossdomain.xml.   This is a simple one.  The policy files on some of the big websites that leave this unrestricted carry a lot more than this.   From the blogs that I have read in the community and from the HP WebInspect remediation guide, “Exploiting a Vulnerability Involves crafting a custom Flash Application”.


<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*"/>
</cross-domain-policy>

The fix is “not to design and deploy Flash APIs meant to be accessible to arbitrary third parties”.   It is also recommended “to host these on a sub domain”, since a policy file only governs the host it is served from, so an open policy there does not expose the main site’s pages.  Where cross-domain access is genuinely needed, the policy should name the specific domains instead of *. We are not going to discuss how to exploit this vulnerability but rather how to find it in the wild with O2.

So let’s open up O2.   I like using Dinis Cruz’s version because it is more powerful.

Then let’s open IE Automation.

Below is the default script in IE Automation that Dinis created.  The default website is Google.


panel.clear();
var ie = panel.add_IE().silent(true);

ie.open("http://www.google.com");

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll


Changing the search term to a Google dork for crossdomain.xml and keeping only the result links that end in that filename gives a list of candidate policy files:

var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(true);
ie.open("http://www.google.com");
ie.field("Search").value("inurl:crossdomain.xml filetype:xml");
ie.button("Google Search").click();

var targetUrls = new List<string>();
foreach(var link in ie.links().urls())
    if (link.ends("crossdomain.xml"))
        targetUrls.Add(link);

var listOfUrls = topPanel.insert_Left<Panel>(250).add_TextArea().wordWrap(false);
listOfUrls.set_Text(targetUrls.str());
return targetUrls;

//O2File:WatiN_IE_ExtensionMethods.cs
//using  O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

A second version puts the hits in a tree view and fetches each selected file so its contents can be read inside O2:

var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(true);
ie.open("http://www.google.com");
ie.field("Search").value("inurl:crossdomain.xml filetype:xml");
ie.button("Google Search").click();

var listOfUrls = topPanel.insert_Left<Panel>(350).add_TreeView();
var fileContents = listOfUrls.insert_Below<Panel>(200).add_SourceCodeViewer();

// when a URL is selected, fetch it and show the policy file in the viewer
listOfUrls.afterSelect<string>(
    (selectedUrl)=> {
        listOfUrls.backColor(Color.LightPink);
        Application.DoEvents();
        var html = selectedUrl.uri().getHtml();
        fileContents.set_Text(html);
        listOfUrls.backColor(Color.White);
    });

foreach(var link in ie.links().urls())
    if (link.ends("crossdomain.xml"))
        listOfUrls.add_Node(link, link);

listOfUrls.selectFirst();

//O2File:WatiN_IE_ExtensionMethods.cs
//using  O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

If the script executes properly it lists every site Google returned that serves a crossdomain.xml and loads each file into O2.   A site is only actually exposed when its policy contains allow-access-from with domain set to *.    I don’t want to expose which sites are vulnerable due to legal reasons.   What is missing from the script is the rule that checks each fetched file for the * value.
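An added example, not from the post or the O2 script: the missing rule, written in Python, that takes the text of a fetched crossdomain.xml and reports why it is (or is not) open. It flags the bare * the post describes and, going a little beyond the post, also the related settings a tester would note (wildcard subdomains, secure="false", a * on allow-http-request-headers-from, and permitted-cross-domain-policies="all"). The two policy samples and the function names (check_crossdomain, is_open) are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed samples; not taken from any real site.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" secure="true"/>
  <allow-http-request-headers-from domain="api.example.com" headers="X-Token"/>
</cross-domain-policy>"""


def check_crossdomain(xml_text):
    """Return a list of human-readable findings; an empty list means nothing risky was seen."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "cross-domain-policy":
        return ["root element is <%s>, not <cross-domain-policy>" % root.tag]

    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": Flash content from any site may read responses')
        elif domain.startswith("*."):
            findings.append("allow-access-from wildcard subdomain %s" % domain)
        # secure defaults to true; "false" lets plain-HTTP content use an HTTPS policy
        if el.get("secure", "true").lower() == "false":
            findings.append('secure="false" on %s' % (domain or "<no domain>"))

    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*" (headers: %s)' % el.get("headers", ""))

    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": policy files elsewhere on the host are honoured')
    return findings


def is_open(xml_text):
    """True only for the condition the post singles out: a bare "*" domain."""
    return any(f.startswith('allow-access-from domain="*"') for f in check_crossdomain(xml_text))


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, is_open(policy), check_crossdomain(policy))
```

In the O2 script this would run inside the afterSelect handler on the html variable, so that each selected URL is classified rather than just displayed.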

Many thanks to Dinis, all the security researchers that have been blogging about this vulnerability, HP, IBM and the Netsparker crew.

http://erlend.oftedal.no/blog/?blogid=107

http://shiflett.org/blog/2006/sep/the-dangers-of-cross-domain-ajax-with-flash

http://www.hp.com/go/appsec

www.ibm.com/software/awdtools/appscan/

http://www.o2platform.com/wiki/Main_Page

http://diniscruz.blogspot.com/

http://www.mavitunasecurity.com/

Matt Parsons, CISSP, MSM

mparsons [at]  gmail.com

Parsons Software Security Consulting, LLC Securing the Internet one Application at a time.

Written by mparsons1980

December 2, 2010 at 7:40 pm

SQL injection with O2 and FuzzDB Database plugin

with 3 comments

O2 Database plugin testing for SQL injection.

Now that we have covered XSS with O2, we are going to go through SQL injection using FuzzDB.

Adam Muntner created FuzzDB by aggregating a number of sources.

fuzzdb helps identify security flaws in applications by aggregating known attack patterns, predictable resource names, and server response messages to create a comprehensive, repeatable set of malformed input test cases.


svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only

http://code.google.com/p/fuzzdb/downloads/detail?name=fuzzdb-1.08.tgz 

The script (shown in the video linked below) uses the FuzzDB plugin to fuzz the application’s database query with FuzzDB’s SQL injection payloads.   It then takes a screenshot of each iteration that succeeds.

The screen shots are above.   If you have any questions feel free to email me at mparsons1980@gmail.com
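An added example, not the O2 FuzzDB plugin and not the script in the video: a small Python harness that drives fuzzdb-style SQL injection payloads through a request function and flags the responses that contain a database error message, which is the other half of what FuzzDB provides (its server response lists). The payload subset, the error signatures, the fake_target stand-in and the helper names (classify_response, fuzz_parameter) are all constructed here; the real lists in the FuzzDB checkout are much longer.

```python
import re

# A handful of payloads in the style of fuzzdb's SQL injection lists (constructed subset).
PAYLOADS = ["'", "''", "' OR '1'='1", "' OR 1=1 --", "1; DROP TABLE users --", "%27"]

# Error-message signatures in the style of fuzzdb's response lists (constructed subset).
ERROR_SIGNATURES = {
    "MySQL": re.compile(r"You have an error in your SQL syntax|mysql_fetch_array\(\)", re.I),
    "MSSQL": re.compile(r"Unclosed quotation mark|Microsoft OLE DB Provider for SQL Server", re.I),
    "Oracle": re.compile(r"ORA-\d{5}", re.I),
    "PostgreSQL": re.compile(r"PostgreSQL.*ERROR|pg_query\(\)", re.I),
    "SQLite": re.compile(r"SQLite3::|unrecognized token", re.I),
}


def classify_response(body):
    """Name the DBMS whose error text appears in the response body, or None."""
    for dbms, pattern in ERROR_SIGNATURES.items():
        if pattern.search(body):
            return dbms
    return None


def fuzz_parameter(send, payloads=PAYLOADS):
    """send(payload) -> response body.  Returns [(payload, dbms)] for payloads that surfaced an error."""
    hits = []
    for payload in payloads:
        dbms = classify_response(send(payload))
        if dbms:
            hits.append((payload, dbms))
    return hits


def fake_target(payload):
    """Constructed stand-in for a PHP/MySQL login page that concatenates the payload into a quoted literal.

    It does no URL decoding and only counts quote balance, so it models an unbalanced-quote
    error, not the full behaviour of a real server.
    """
    sql = "SELECT * FROM users WHERE name = '" + payload + "'"
    if sql.count("'") % 2:
        return "<html>Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result</html>"
    return "<html><p>Login failed</p></html>"


if __name__ == "__main__":
    for payload, dbms in fuzz_parameter(fake_target):
        print("%-25r -> %s error" % (payload, dbms))
```

Against a real target the send function would be an HTTP request with the payload in the parameter under test, and the screenshot step from the post would go where a hit is recorded. Note that ' OR '1'='1 produces no error here at all: a balanced tautology succeeds silently, which is why error signatures alone are not a complete SQL injection check.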

Once again Parsons Software Security Consulting, LLC is offering unauthenticated scans for the holidays.  A few people have taken me up on this offer.

http://player.vimeo.com/video/17196966

Written by mparsons1980

November 25, 2010 at 3:04 am

XSS with O2 script editor: defacement on Gruyere

leave a comment »

Today’s post is going to go through step by step on Gruyere XSS defacement.

We already created our XSS builder with O2.   Now we are going to do an XSS defacement.

Above (in the original post) is the regular Gruyere login page, and below it the defacement produced by the IE script execution.

Here is all the code needed for the defacement.  Note that injectHtml() rewrites the page inside the tester’s own IE instance: it shows what an XSS payload does to the rendered page once it runs, but it does not by itself change anything on the server.


using O2.XRules.Database.Utils;
using O2.XRules.Database.APIs;
using O2.External.SharpDevelop.Ascx;
using O2.External.SharpDevelop.ExtensionMethods;
using O2.DotNetWrappers.Network;
using O2.DotNetWrappers.DotNet;
using O2.DotNetWrappers.Windows;
using O2.DotNetWrappers.ExtensionMethods;
using O2.Views.ASCX.classes.MainGUI;
using O2.Views.ASCX.CoreControls;
using O2.Views.ASCX.ExtensionMethods;
using O2.Kernel.ExtensionMethods;
using O2.Kernel;
using O2.Interfaces;
using System.Linq;
using System.Xml.Linq;
using System.Xml;
using System.Collections.Generic;
using System.Windows.Forms;
using System.Drawing;
using System;
using O2.XRules.Database.Utils.O2;

public class DynamicType
{
    public void dynamicMethod(object returnData, System.Windows.Forms.Panel panel)
    {
        panel.clear();
        var ie = panel.add_IE().silent(true);
        ie.open("http://google-gruyere.appspot.com/856783677371/login");

        // locate the login page's heading DIV and highlight it briefly
        var target = ie.elements("DIV").str("Gruyere: Login");
        target.flash();

        // inject attacker-controlled HTML (plus a deferred script) in front of it
        target.injectHtml("beforeBegin",
            "<h1>O2 Platform Demos</h1>" +
            "The best way to learn about the security vulnerabilities of this website is to use the " +
            "<a href=\"http://o2platform\">OWASP O2 Platform</a>" +
            "<script DEFER> " +
            " //alert(document.links[0].href);" +
            " document.links[0].href = \"http://o2platform.com\";" +
            " document.images[0].src = \"http://o2platform.com/images/a/" +
            "a0/6_22_2010_7_08_23_PM_tmp9E4.jpg\";" +
            " //alert(document.images[0].sec);" +
            " //document.images[1].href = " +
            " //alert(document.images[1].href);" +
            "</script>");
    }
}

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

This is what Dinis created and what is under the hood of these little scripts. It’s a bit more complex.

I was speaking to Dinis, and in his own words, after I questioned him about the code, he explained some of it to me:

What happens when you select the ‘show/hide generated source code’ is that you see the actual method that gets compiled (basically I automatically put the text you put on the main script window inside that public object dynamicMethod(object returnData, string testString, int testNumber) method)

– the silent(true) in IE is just to prevent pop-ups (and sometimes you need to put it to false since you need to act on those popups)

– the ‘flash()’ method is used to slow down the script execution a little bit, so that you can visually see which HTML field is being edited

If you have any questions e-mail me. Matt Parsons, CISSP, MSM

Parsons Software Security Consulting, LLC

Written by mparsons1980

November 25, 2010 at 1:39 am

XSS Exploit with O2 continued on Google Demo Hack Site

leave a comment »

In the spirit of cross-site scripting exploits with O2, we will continue exploiting with the O2 XSS exploit script. This time I will use the script from Dinis Cruz’s powerful O2.

We are going to select XSS builder.

Google is kind enough to offer an attack website, Gruyere.  Only attack websites you are authorized to attack.  Parsons Software Security Consulting, LLC assumes no liability for any damage that you do from unauthorized hacking.

We are going to attack the login page.

The website is vulnerable to XSS.  Next time we will create a script to show this attack and do a defacement.

If you have any questions or comments feel free to contact Matt Parsons.

Also Parsons Software Security Consulting, LLC is offering free unauthenticated web penetration test to the first 10 companies that respond by the end of the year 2010.

Written by mparsons1980

November 24, 2010 at 9:49 pm