Showing posts from November, 2009

Fun with fake Flash: an Abode update you don't want

Jericho of (support the Open Security Foundation!) recently asked the VIM mailing list a question: Adobe Flash - vuln or just "design"?
The question, inspired by Mike Bailey's work for Foreground Security, leads to healthy debate, including press and vendor response. But, ironically the same day I received the VIM mail, I was led to explore a slightly different perspective on Adobe Flash issues. Thus, your author doesn't intend to get in the middle of above proposed curmudgeonly discussion.

I am however inspired to be curmudgeonly; grumpy even.

The crux of this conversation is the fact that the oft updated Adobe Flash Player continuously proves to be social engineering attack vector fodder. This is by no means news, or likely a surprise to the 19 of you who read this blog, but I recently stumbled on a real gem in the wild and I thought I'd share.
Whilst defending the Intarwebs from evildoers, I spotted

Whitepaper Review - Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC

As part of a security team that cares deeply about the well being of Windows Live, I was extremely pleased to review a paper written by web application security specialists for whom I have deep respect.
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC was written by a powerhouse team whose talent speaks for itself, including Casaba's Chris Weber; his Watcher was discussed in November'stoolsmith.

First, I am an unabashed SDL fanboy. Any work that accentuates SDL principles is off to a great start in my book: security by default being paramount.
Second, of this paper's three subtopics (CSRF, open redirects, JSON hijacking), two (CSRF, open redirects) consistently count as pet peeves for me.
As for JSON hijacking, the best explanation available is also offered by one of the paper's authors, Phil Haack: JSON Hijacking.

"ASP.NET MVC provides a new Model-View-Controller framework on top of the existing ASP.NET 3.5 runtime. This fra…

Pending book review: ModSecurity 2.5

Packt Publishing, a UK based publishing firm specializing in focused IT books, has asked me to review Magnus Mischel's ModSecurity 2.5.

Having recently discussed monitoring ModSecurity with OSSEC, I'm looking forward to reading this book.
I've been a ModSecurity fan since incorporating it in a secure server implementation, back when it was version 1.9.4 in 2006, as part of a paper written for OWASP.

Expected highlights include:
* Securing your system by knowing exactly how a hacker would break into it
* Writing rules in-depth and ModSecurity rule language elements such as variables, actions, and request phases
* Covers the common attacks in use on the Web; find the geographical location of an attacker and send alert emails when attacks are discovered
* Many real-life examples for better understanding

I'll give you a detailed, honest assessment of ModSecurity 2.5 in a few weeks.

Cheers. | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Sucuri NBIM: website integrity monitoring for free

Here's a nice freebie you might like as part of your website monitoring arsenal.
I signed up with Sucuri for their NBIM (network based integrity monitoring) service to help keep an eye on, and have been very satisfied with this free offering (sometimes you get more than what you pay for).
As an example, when my hosting provider updates the server, I know immediately via email.


< Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8k DAV/2 mod_auth_passthrough/2.1 FrontPage/
< X-Powered-By: PHP/5.2.9
> Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/
> X-Powered-By: PHP/5.2.11

This alert was generated by the Sucuri Network Integrity Monitor.

There's a nice dashboard, offering you history snapshots:

You'll also find a nice web information gathering tool called WIGS which grabs public information available about websites.

Check it ou…

Watcher: Spotting dubious webishness

November's toolsmith features Watcher, a great passive security auditor from Chris Weber of Casaba Security, that detects web application security issues as well as operational configuration concerns. Watcher plugs neatly into Fiddler, an indispensable proxy that should be an inherent part of your web application assessment tool kit.
The toolsmitharticle covers using Watcher to detect "dubious" comments, unset HTTPOnly flags, open redirects, and bad cross domain flash policy, so I won't repeat myself here.
Watcher is also excellent for detecting likely XSS vulnerabilities, and will passively detect prospective parameters while you browse.
As an example, a visit to a site that shall remain anonymous only to those without fundamental Google skills results in Figure 1, seen by Watcher as it passively reviews a site with 37 different checks.

Figure 1

Note that Watcher spots what it declares is a potentially high severity user controllable HTML element attribute. Watcher furt…