We went over some of these tools at the latest North Carolina OWASP Meeting, so I thought I’d make this list available here. Enjoy!

Proxy Servers:
WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
Burp: http://www.portswigger.net/suite/download.html
Paros: http://www.parosproxy.org/download.shtml

Firefox Plugins:
Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/966
NoScript: http://noscript.net/getit
ShowIP: https://addons.mozilla.org/en-US/firefox/addon/590
SwitchProxy: https://addons.mozilla.org/en-US/firefox/addon/125
SQL Inject Me: https://addons.mozilla.org/en-US/firefox/addon/7597
XSS Me: https://addons.mozilla.org/en-US/firefox/addon/7598
ViewStatePeeker: https://addons.mozilla.org/en-US/firefox/addon/7167

Many of these are included in a single plugin distribution here: https://addons.mozilla.org/en-US/firefox/collection/webappsec

Some SQL Injection Tools we Discussed:

SQLMap: http://sqlmap.sourceforge.net/
SQLNinja: http://sqlninja.sourceforge.net/
Pangolin: http://www.nosec.org/en/pangolin.html

Test Applications that wont land you in Prison:
WebGoat: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp (look under SASS Tools)

Some suggestions taken from RSnake over at ha.ckers.org:
* http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
* http://testasp.acunetix.com/Default.asp
* http://test.acunetix.com/
* http://hackme.ntobjectives.com/
* http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
* http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
* http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
* http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
* http://zero.webappsecurity.com/
* http://www.hackertest.net/
* http://www.hackthissite.org/
* http://www.mavensecurity.com/WebMaven.php
* http://ha.ckers.org/challenge/
* http://ha.ckers.org/challenge2/
* http://demo.testfire.net/
* http://scanme.nmap.org/
* http://www.hellboundhackers.org/
* http://www.overthewire.org/wargames/
* http://roothack.org/
* http://heorot.net/
* http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
* http://wocares.com/xsstester.php
* https://how2hack.net
* http://hax.tor.hu/

Last week we discussed the first 9 (top 9) in the CWE Top 25 Most
Dangerous Programming Errors. This week, we’ll discuss the second 8
on the list, which have been grouped into a category called “Risky
Resource Management”.

 

 

 

Risky Resource
Management

The weaknesses in this category are
related to ways in which software does not properly manage the
creation, usage, transfer, or destruction of important system
resources. The majority of the errors covered in this category are
more complex than the Top 9 (Insecure Interaction Between Components)
and –as such- can be more difficult to fully comprehend and
mitigate against.

 

 

 

#10CWE-19: Failure to
Constrain Operations within the Bounds of a Memory Buffer

Usually referred to simply as a “Buffer
Overflow”, this class of attack has been with us for many years.
Although not frequently seen or publicized in most web application
technologies, almost all known web servers, application servers, and
web application environments are indeed susceptible to buffer
overflows, the notable exception being Java and J2EE environments,
which are immune to these attacks (except for overflows in the JVM
itself).

 

 

Anytime an application allocates a
memory buffer to store a variable or input supplied by an attacker,
the buffer could be vulnerable to overflow if proper input validation
is not performed. As an example, imagine a buffer set to hold 64
bytes of data. This buffer holds information provided by the user via
web-based form. If there is no input validation, entering a string of
96 bytes in length could effectively overflow the buffer.

 

 

Depending on what type of application
and what type of data (and many other factors) an attacker could use
the overflow data to execute code outside of the intended function of
the application, potentially resulting in the attacker gaining
complete control of the server or application.

 

 

 

 

#11CWE-642: External
Control of Critical State Data

There are many ways to code your web
applications to maintain state information. Ever wonder why when you
return to a website (such as this one) that the application
“remembers” who you are? This is usually referred to as session
or “state” data, and there are various ways to accomplish this.

 

 

Typically this is done by setting a
Cookie variable in the user’s browser that relates to a session
variable on the server. The problem is that oftentimes insecure or
unencrypted human-readable data can be used for this purpose, and -as
such- manipulated by an attacker to escalate privileges. Say for
example that a web application sets a Cookie called “Username”
set to the user’s login ID once a user successfully authenticates. In
this example, we’ll assume that user Mike authenticated to the web
application, and a Cookie named Username assigned the value of
“Mike”. What happens if I change the cookie stored in my browser
to “Username=admin”? In this primitive example, I would now have
admin rights to the site.

 

 

Cookie values aren’t the only danger in
this category though. Oftentimes developers will utilize “hidden”
form field variables to store pertinent data about the user, session
or transaction. This data can also be manipulated by an attacker to
break the application or escalate privileges.

 

 

 

#12CWE-73: External
Control of Filename or Path

Many web applications are coded on the
backend to utilize libraries, classes or files stored on the web
server. Additionally, some applications may allow user-supplied input
to specify which file or resource is interacted with. This type of
logic has been exploited many times over the past 15 years, most
commonly by pre-pending the input filename with “../../” or
similar, which allows an attacker to interact with files outside of
the intended directory.

 

 

Additionally some applications may
allow a user to input a URL or other external resource that is
processed or run by the web server in some fashion. Failing to use
proper input coding or file validation before processing can lead to
big problems. Making this worse, most system engineers will configure
the web server to run as the super user, or admin, account, which
means that any trickery by an attacker would result in administrative
access.

 

 

Running the web server as a non-admin
account and (for *nix servers) running the web server in a “jailed”
environment (chroot) would prevent any manipulation of the filename
to be limited in severity. Of course, though, input validation is a
key to mitigation with this error….never trust the data provided by
your users to be “trusted”.

 

 

 

#13CWE-426: Untrusted
Search Path

Although similar to the previous error,
this one has more to do with the default trust relationship the web
server has within it’s own environment. Servers running the web
applications have a series of trusted PATHs that are searched when
attempting to execute a file or locate a resource. On Windows
systems, for example, the PATH usually contains “C:\Windows\System32”
which contains applications that could cause serious harm if misused.

 

 

A common lazy programming technique is
to rely on environment variables to locate libraries or classes
utilized by the web application code. If an attacker can control the
environment variables, then they can cause your application to
execute malicious code. The best example of this is in shared web
hosting environments. Due to a flaw in the way the HOST headers are
utilized in a default installation of Apache, it is possible for one
web application on a shared server to access resources in the path of
another site hosted on the same server.

 

 

I demonstrated an example of this last
year on my personal blog (here) if you’re interested in just how this
works.

 

 

 

#14CWE-94: Code
Injection

It is common for robust, dynamic web
applications to pass data back and forth between external programs
and systems in order to execute complex processes which return output
back to the web application for display to the user.

 

 

A common PHP example is to use the
function fopen() to interact with a user-supplied file or to execute
a program on the system that interacts with user-supplied input. I
ran into a similar issue in an application I was writing last month
that took a user-supplied file and ran it through a perl script. When
troubleshooting an issue I realized that an improperly formatted
input file caused the perl script to die. I quickly realized that If
the right data was in the file, I could do more than cause the
backend script to die.

 

 

Again, input validation, correct
privileges and error-checking at each step of the way is necessary to
thwart these attacks.

 

 

 

#15CWE-494: Download
of Code without Integrity Check

This error is less of a risk to your
web applications, and more of a risk to your users. Untrusted
downloads have led to massive virus outbreaks and system compromises.
Systems that don’t employ anti-virus clients are particularly at
risk.

 

 

Since I don’t have much to say on this
issue, if you are a software provider, digitally sign your
applications/downloads and provide an integrity-checking mechanism
for your users to identify valid versions of your code, vs malicious
software masquerading as your application.

 

 

 

#16CWE-404: Improper
Resource Release or Shutdown

All dynamic web applications utilize
various applications and processes that require system resources or a
temporary data set (such as cookies and session variables). Failing
to dispose of running processes, allocated memory, or state data can
allow an attacker to gain access to information as a result.

 

 

From the system perspective, failing to
shutdown resources after use can lead to a denial of service or crash
of your system.

 

 

One simple example (for anyone who’s
ever used Dreamweaver to write a dynamic application) is the use of
database hooks. For example, if writing a dynamic PHP application in
Dreamweaver, those database connections will automatically generate
the ‘mysql_free_result’ function at the end of your code. If you need
to modify the PHP code manually (which is usually the case) to setup
a nested repeat region, the mysql_free_result code stays improperly
stuck at the end of your code, rather than at the end of a loop or
elsewhere…..with enough queries in a short amount of time, you
could cause the application to crash.

 

 

 

#17CWE-665: Improper
Initialization

This error has everything to do with
variables. When you create or call a variable in your application, it
either contains data or is NULL – it doesn’t just happily exist
until you use it. For languages that simply initialize a variable as
NULL, what happens when your application isn’t configured to handle
NULL values? Or worse, if your application fails to shutdown
resources (CWE-404) it is possible that a variable can hold data from
a previous user’s session.

 

 

 

The basic gist of the error is to
assign (initialize) all of your applications variables with a default
value. This ensures that un-supplied (NULL) data or previous data
cannot be introduced into your application.

 

 

 

#18CWE-682: Improper
Calculation

Have you ever seen Superman III or the
Office Space? In both of these movies a programmer figured out a way
to handle rounded-off digits to siphon money into a 3^rd
party account. This was because in both instances, the application
only utilized 2 digits after the decimal, either rounding up or down
(or not at all).

 

 

Take for example, the simple
calculation of 3 divided by 2. The answer is
0.66666666666666666666666666666667. Most applications and databases,
however, will round off to only 2 trailing digits (0.67 or 0.66
depending on the way the application is coded). What happens to all
those remaining digits?

 

 

What if your application uses
mathematical calculations for other purposes, and relies on
user-supplied input? What if an attacker enters a Zero instead of any
otherwise-anticipated value? Unexpected things are sure to occur.

 

 

Once again, Input Validation is the key
to many of the Errors in this category.

 

 

Next week, we’ll round out this series
by discussing the final 7 issues, categorized as “Porous Defenses”

Last week we introduced the CWE Top 25 Most Dangerous Programming Errors in Part 1 of a 4 part series. This week we will discuss the first nine, which have been categorized in a group called “Insecure Interaction Between Components”. Being the first nine, they are also the top 9, or the top most prevalent errors on the list.

As mentioned last week, we will discuss these errors within the confines of web-based applications. Being the top 9, you may think these errors will be more complication and harder to defend against than errors further down the list. In fact, the opposite is true. These top 9 are the most prevalent, sure – but they are also the easiest to defend against. As you go through this break-down, pay close attention to the first 2 errors covered, as there will be a recurring theme in the remainder of this discussion.

Insecure Interaction Between Components

These weaknesses are related to insecure ways in which data is passed between separate components within web applications, to include the user’s browser (the client component).

#1 CWE-20: Improper Input Validation

Input validation is the practice of sanitizing (validating) data before passing that data on to another component within a web application’s framework. The most basic example of this is form-field validation used on many web-based forms. For example, leaving a Required Field empty, then clicking on the form’s submit button will often result in a pop-up message or other similar error indicating that the field is required and must be filled in before proceeding.

The problem with the above example is that many times Javascript is used to perform this function, with no server-side equivalent to ensure that the data wasn’t tampered with prior to reaching the web server. This type of manipulation of data is possible because HTML, Javascript and others are processed within the user’s browser (rather than the server) and can be manipulated by the user as they see fit. Simply put, client-side validation cannot be trusted, since it cannot be controlled. Applications relying on client-side validation alone are at great risk to being hacked, defaced or otherwise harmed.

Proper input validation is critical for web applications to operate as designed and -as such- is not correctable with a magic PHP, Java, or ASP function. Input validation requires that the developers of the application put every effort into checking externally-supplied data at each step in it’s processing. This is often done using pre-built Regular Expression Patterns to ensure that the supplied data is the correct type, length and format.

Example:

Let’s assume that we have a form that requires the user to enter their 5-digit zip code. We would use a similar PHP function to ensure that the supplied data is an integer with a length of 5 as such:

preg_match("/^[0-9]{5}$/", $form_zipcode)

where $form_zipcode is the form-variable.

Similar code exists for ASP, Java and others, but you can see that depending on the data your applications expects from the user, this can become very unique to your specific needs, although most foreseeable patterns have already been written into code snippets that you can use within your organization. More information and examples can be found here.

#2 CWE-116: Improper Encoding or Escaping of Output

The terms “Output Encoding” and “Output Escaping” are often interchanged, and can be misleading. For the purpose of this discussion, we will refer to this error as Output Escaping.

Output escaping is the practice of sanitizing data for use by other components. This could be data displayed in the user’s browser or passed to a SQL Query, for example. The root of this problem lies in the way in which computers process data. Much of the data processed by web applications is in “human-readable” form. This human readable data could be in any number of different languages, and contain special characters, which could have special meaning to HTML or SQL. Output escaping is the process of converting this data into a standard format used by the receiving process, so that data is always processed as intended.

The easiest example would be with HTML and the greater than and less than brackets, or “>” and “<” respectively. These characters are protected HTML characters used in the processing of HTML data, so allowing these characters to be displayed as such by the user's browser would effectively break the HTML code written by the developer of the site. Escaping of this data is performed by converting these characters to their equivalent 'HTML Entity'.

There are 5 specific characters that must always be converted to their equivalent entity. These are the greater than and less than symbols, the ampersand, the single quote and the double quote. The equivalent HTML entities are as follows:

>

<

&

"

'

You can see very easily from the above example why the ampersand has special meaning in HTML, but the above 5 are the most crucial. There are many other characters that also have equivalent HTML entities and best practices suggest that all data be “escaped” properly.

Lack of output escaping is the largest contributor to Cross-site scripting attacks.

Example:

Let's assume that we have a form field that allows a user to enter any data they wish – for example, in a blog-submission form, which may require the user to use the above special characters. Output escaping would dictate that we sanitize or convert this data into HTML equivalents, as demonstrated below in this PHP example.

$cleandata = htmlentities($data, ENT_QUOTES, UTF-8);

The above example takes the variable called $data and performs an embedded function called “htmlentities” to escape all applicable characters into their HTML entity equivalents, specifically in the UTF-8 character set.

#3 CWE-89: Failure to Preserve SQL Query Structure (SQL Injection)

SQL Injection is the act of tricking a web application into executing add-on commands to an intended SQL Query. There are many methods of performing SQL Injection (and we wont go into them here), but the basic types are Blind and Error-based SQL Injection.

A common thread we'll see with these errors from here on out is that the individual errors are typically not capable of being manipulated by themselves, and almost always come back to lack of Input Validation and lack of Output Escaping.

Example:

Let's assume that we have a form field that allows a user to search for records in a database by entering a search term, such as their userid (in the case of login forms).

A typical SQL query on the backend would look something like:

'SELECT * from Users where username = $user';

If the user enters (for example) mike' or 1=1, the above SQL query would return all records in the database (because 1=1 is always true). Its obvious from this example (if successful) that the application failed to do 2 critical things: Input Validation and Output Escaping. If the web application had checked to make sure that special characters were not part of the username, this attack would not be allowed as the data would not pass validation, hence not be passed to the SQL query.

Well what happens in the instance where the user's name contains a valid special character (O'Reilly for example). This is where output escaping would be critical to ensure that the single quote was escaped in a fashion understood by the target database.

#4 CWE-79: Failure to Preserve Web Page Structure (Cross-Site Scripting)

Cross-Site Scripting's name doesn't do it justice. Cross Site Scripting (or XSS) is an attack whereby special HTML characters are input by the user (attacker) to manipulate the processing of the HTML code itself.

As we discussed in #2, the special characters “<” and “>” are used by HTML and Javascript to process code blocks. If a user is able to enter anything they wish, and that data is processed and echoed back to the user, they can essentially re-write the entire code to do whatever they wish.

Example:

Let's assume that we have a form field that allows a user to enter text, such as a blog submission form. If the user enters <script>alert('you have been hacked')</script> and the application is not escaping the output, then this data will be processed by the user's browser as HTML code (as opposed to displaying text) and a Javascript pop-up box with the message “you have been hacked” would pop-up in anyone's browser reading the blog entry.

However, if output escaping is properly performed the above text will be converted to the following:

<script>alert('you have been hacked')</script>

The above text would simply display the HTML characters in the user's browser, as opposed to being executed by the browser.

Although the above example is overly simplified, the same principle is exploited to perform very complicated XSS attacks including credential theft and worse.

#5 CWE-78: Failure to Preserve OS Command Structure (Command Injection)

Command Injection follows closely with SQL Injection, rather than executing “add-on” SQL Queries, the attacker executes “add-on” system commands.

Of course, calling system applications from within your web application's code is not generally recommended, but there are many instances where the application is required to make calls to external applications upon processing user-supplied data.

If the application fails to perform proper Input Validation and Output Escaping....hopefully you get he picture :)

#6 CWE-319: Cleartext Transmission of Sensitive Information

This one sounds like it should be a “no-brainer” but believe me when I say that this is the single most common error that I continue to see with public web applications. This doesn't always mean that a site doesn't have an SSL-secured version running on TCP port 443, rather than standard HTTP running on TCP port 80.

Very often, an organization will install an SSL certificate and bring online the “secure” version of their application, but will leave the unsecured version still running. All the user needs to do is change the “https://” to “http://” in their browser to bypass this one.

Even more common, is that by default Apache, IIS and other web applications allow the use of insecure SSL ciphers such as SSLv2, or allow the user's browser to negotiate which encryption protocol and cipher it wants to use. This is a “no-no”, but shame on the vendors for making the default operation insecure, and force the system administrator to jump through hoops. (The good news is that it's relatively easy to fix). The general rule of thumb is only allow SSLv3 or TLSv1 on your SSL-enabled web applications.

The issue of insecure communications doesn't just apply to the interaction between the web application and the user, but also between the web application and the database server, or the web services engine. Any communication of sensitive data should be via an encrypted data stream only, unless you want to be the next “Heartland” press release.

If you would like specifics on how to configure your web servers to only allow cryptographically sound algorithms, shoot me an email and I'll forward you the appropriate information.

#7 CWE-352: Cross-Site Request Forgery (CSRF)

CSRF is a relatively “new” concept in the press, although it's a very basic exploit of bad programming. CSRF is the exploitation of URLs within an application that accept that an authenticated user is a valid user, and allows the automatic processing of commands based on this assumption of trust.

For example, let's say we have a URL on our site that allows a user to change their password:

http://example.site.com/cgi-bin/chPass.cgi?username=mike&newpass=vulnerable

The above example assumed that user “mike” is the user calling this script and performs the password change. Well, using other attack methods, such as XSS, an attacker could trick user “mike” into clicking on a link or viewing a page with an embedded image that calls this script. If user “mike” still has a valid session on example.site.com, the attacker would have just tricked Mike into changing his password to a value set by the attacker.

This may seem like an overly simple example, but Google just recently fixed a similar Password Changing CSRF vulnerability that was published quite some time ago (their vulnerability required that the attacker know the current password to change it to a new value) but a valid flaw nonetheless.

The basic protection strategy is to utilize POST form data, rather than URLs (GET) to perform actions like this. Additionally, adding a measure of human interaction to ensure that the request is indeed coming from the valid user, rather than a malicious script.

#8 CWE-362: Race Condition

A Race Condition is a situation where an application fails to properly maintain state data between various components, which can lead to the application getting “confused” and potentially allowing data from one state to be accessed by another.

A basic example is that of a single-threaded e-Commerce checkout application where one-user's cart accidentally gets pushed into another user's session because of timing issues.

Although commonly exploited Race Conditions are far more complicated than this basic example, they do occur quite frequently, often resulting in data leakage or a denial of service to the web application itself. I wont belabor the point here, but if you would like more information on this error, shoot me an email and I can get you some more pertinent information.

#9 CWE-209: Error Message Information Leak

Another “no-brainer” information leakage via error messages is a very useful way for an attacker to mount injection attacks against your application. By default, web servers, such as IIS, Apache and Tomcat show “error pages” that reveal way too much information to a would-be attacker.

For example, IIS by default shows the version of the ASP.NET framework being used, and if remote_errors are enabled, much much more. Apache and Tomcat have similar problems out of the box, and should never be put into production until custom, generic error messages are configured to handle exceptions in the execution of your web applications.

As with other “no-brainers” this one is really easy to fix and shame on the vendors for using the verbose messages by default. What user cares if you're running ASP.NET 1.5, unless they are getting ready to hack you?

This week, we’ll take a look at the recently published CWE Top 25 Most Dangerous Programming Errors. Since the Top 25 are broken into three main categories, it makes sense to address the list in three separate segments. But first, let’s review what the CWE Top 25 is and its importance.

Introduction
The CWE Top 25 Most Dangerous Programming Errors was developed in late 2008 by over 30 industry experts in collaboration with SANS and Mitre to highlight the dangerous and common programming errors affecting today’s applications.

Although this list does not directly address web-based programming errors, it certainly applies to today’s most commonly abused web application security flaws.

Over the next 3 installments of this article, we will discuss the common assessment and remediation points of the entire list, and how your organization can defend against them. You may be surprised to find that the majority of these issues come down to lazy programming, and an overall lack of knowledge of basic HTML concepts.

We will discuss the specifics of each of the Top 25 and give specific examples of poorly-coded web apps that lead to these exposures, as well as the simple methods of remediation. We will also reference numerous external sources to help you with identifying where these principles of secure coding can be introduced into your organization’s SDLC.

The Top 25
Insecure Interaction Between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

* CWE-20: Improper Input Validation
* CWE-116: Improper Encoding or Escaping of Output
* CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
* CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
* CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
* CWE-319: Cleartext Transmission of Sensitive Information
* CWE-352: Cross-Site Request Forgery (CSRF)
* CWE-362: Race Condition
* CWE-209: Error Message Information Leak

Risky Resource Management

The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

* CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
* CWE-642: External Control of Critical State Data
* CWE-73: External Control of File Name or Path
* CWE-426: Untrusted Search Path
* CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
* CWE-494: Download of Code Without Integrity Check
* CWE-404: Improper Resource Shutdown or Release
* CWE-665: Improper Initialization
* CWE-682: Incorrect Calculation

Porous Defenses

The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

* CWE-285: Improper Access Control (Authorization)
* CWE-327: Use of a Broken or Risky Cryptographic Algorithm
* CWE-259: Hard-Coded Password
* CWE-732: Insecure Permission Assignment for Critical Resource
* CWE-330: Use of Insufficiently Random Values
* CWE-250: Execution with Unnecessary Privileges
* CWE-602: Client-Side Enforcement of Server-Side Security

Given the presence of yet another very high-profile data breach from a supposedly PCI-compliant organization, many have begun to question the purpose and usefulness of PCI DSS and other similar regulations. There is a valid argument here, but let’s consider the purpose for these regulations.

PCI and all others are meant to be a baseline set of due diligence operations taken by organizations to ensure the safety, security and privacy of their users, clients and consumers. No compliance standard ever written is good enough, as it is intended to ensure that companies who haphazardly and dangerously risk the identities, credit and livelihoods of consumers can be punished.

As a baseline these regulations can never adequately protect organizations from malicious individuals who -in most cases- are smarter than those they are attacking. Used as a primary measure for security operations, relying on PCI DSS alone simply will not prevent data breaches and is not a recommended approach to security.

Some organizations that I have talked with recently have taken this to the extreme of ignoring PCI altogether, citing that the needs of their business are more important than the need for compliance. Let’s face it, depending on the organization and the level of compliance mandated, the certification process can be costly in terms of dollars and focus, so I understand the concern here. I do not endorse or recommend this course of action, but I applaud the organizations’ understanding that PCI compliance does not equal security.

If we must live with PCI, let’s live with it for what it is for–a baseline framework to oversee minimum due care. If we truly care about security and protecting our data from breaches, compliance must be a part of our overall security plan, or even completely separate if possible. There simply will never be any governing body anywhere that can write a standard that adequately addresses the security requirements for all organizations.

For anyone interested in tracking data breaches, visit www.privacyrights.org. You’ll be surprised just how many data breaches have occurred this year already, and many from PCI-certified shops.

There has been a lot of press, effort and money focused on Web Application Security over the past year–and rightly so. The attack footprint for many publicly-facing web applications has been growing as new web and browser-based vulnerabilities are being discovered at a scary pace. The PCI DSS push has helped primarily with the escalation of the press given, but we really haven’t crossed the bridge of minimizing the impact yet, and many security experts don’t yet see the light at the end of the tunnel.

What I want to discuss in this article is the trend observed over the past year, taken from data collected from hundreds of Pen Tests performed by myself and my peers. The results are indeed interesting.

Although web services take the cake, it’s not the web application vulnerabilities we hear about so much (such as XSS, SQL Injection and CSRF) that tops the list. In fact, the Top 8 of the Top 10 (although may contribute in some cases to things like XSS) are configuration and deployment errors.

The List (Organized by Number of Occurrences):

1. Weak, Insecure and Deprecated SSL Ciphers
2. TRACE Debugging Method Enabled on Web Server
3. Private IP Address of Web Server Leaked Through Headers (IIS)
4. Form Credentials and Confidential Information Transmitted over Clear Text (no SSL)
5. Default, Vendor Supplied Directories and Files (Mainly Apache/Tomcat Installations)
6. Poorly Configured Apache Servers, Including Directory Indexing and User Home Directories
7. Default ASP.NET Errors on IIS Installations
8. Unpatched IIS Installations Vulnerable to Remote Exploit
9. Presence of phpinfo() pages on Apache/PHP Installations
10. Cross-Site Scripting (XSS) Vulnerabilities

So at least one of the media-worthy vulnerabilities hits the list (XSS), but what is surprising to me is that common configuration errors and poor judgment calls by far takes the cake. In fact, when looking at the following graph, it is apparent just how bad this situation is.

This data is taken from raw pen testing data, is not specific to web servers and web applications only, and does not in any way correlate to things such as the OWASP Top 10 and the CWE Top 25 Programming Errors lists.

Food for thought: has the focus on web application security completely blinded us to the standard level of due care that should be exhibited in activities such as server deployment and patch management?

As a PHP coder myself, I know that it can be difficult for new programmers to build secure code. Aside from the Apache server config and the PHP config directives, writing secure code in PHP often is an afterthought — and it’s really easy to write insecure code with PHP.

Where many of the difficulties lay are in the use of Database connectivity, flashy AJAX and powerful Javascript to make a highly functional, good looking site. When coding these applications, many developers will pull pieces of code from other sites and integrate them into their own, often times not aware of input validation flaws, overflows and use of insecure PHP functions.

Where PHP often fails as a language is that it’s just that–a language. In and of itself, there are no input validation classes, no XSS or SQL Injection class to use, and no re-usable security mechanisms that can be used out of the gate.

In searching for frameworks that can be utilized by programmers to assist them in writing more secure PHP code, I ran across CakePHP. CakePHP is a PHP Framework that allows for the rapid coding of new applications using a Model, View, Controller (MVC) architecture. Aside from enabling the rapid development of new data-driven applications, CakePHP has some really good input validation classes that are extremely simple to use.

One of the main drawbacks with coding your own input validation with PHP is that many programmers aren’t familiar enough with regular expression syntax matching to make effective input validation routines–CakePHP simplifies this with pre-built functions for CC validation, SSNs, email addresses, password complexity and more.

Aside from its input validation classes, CakePHP allows developers to easily generate AJAX-enabled views, RSS feeds, XML and more without heavy modification of code or 3rd party downloaded scripts. Having been running through CakePHP for the past few weeks, I’m really impressed. I was really dumbfounded when I realized that CakePHP has been around for a really long time, has a corporate-sponsored team of developers and a very large base of programmers using it.

Any organization that utilizes PHP for writing public-facing web applications should look into (and require) a PHP development framework like CakePHP to ensure consistency and provide a baseline for common security features.

Note: this post is a rambling with no solutions at all–I’m just bitching/rambling, whatever you want to call it–hell, it’s my blog, I’ll write what I please :)

There’s an interesting trend in the formerly “Gospel” OSI virtual model for the way computers talk…

It used to be that the application layer was sacred and didn’t violate lower-level protocol’s. When I say that, I mean that when you talked on TCP port 80 (i.e your IP packet was tagged with 80 in it’s TCP header) to a web server, you talked RFC HTTP lingo…the server understood your requests, your browser understood the responses, etc.

Now, the “web application layer” has become the new virtual transport layer. We have decreased the overall exposure from the packet-byte perspective, taken advantage of the proliferation of web-based “thin-client” applications, and we are now building client-server applications that transcend the browser-server barrier and utilize embedded or installed client applications, mirroring a more legacy client-server deployment strategy.

What comes immediately to mind is the .NET “Smart Client” technology (http://msdn.microsoft.com/en-us/library/ms998468.aspx), which is getting some increased discussion on some popular webappsec forums…

Basically, the technology utilizes web services technologies over HTTP to facilitate what looks more like legacy client-server technology. This scares me a little in terms of the wide-spread adoption of “web-enabled” technology.

If we take the standard user-available browser out of the picture and require a client-technology, what have we really achieved here, except take an already overly-exploited protocol and base our future on this?

So, lets close all of our firewalls except for web traffic on TCP ports 80 and 443 (sometimes 81, 8080 and others) and run all of our applications over these few ports….we haven’t closed the gap, we haven’t solved anything…we’ve just made the virtual model of understanding IP communications more consolidated to the old “application layer” of the old, old, old OSI model. (i’m not sure, but I think the “O” in OSI meant “OLD”….

Like I said at the beginning of this post…I’m just rambling/bitching/whaterver..it’s my blog

So after 12 years of analyzing security risks (and with a specialty on web app security) I’m surprised to find that a large percentage of webappsec risks we find still revolve around the configuration of the web server itself.

What I’m finding
1. Verbose, default vendor-supplied error messages – this is really prevalent with IIS/ASP implementations…what a major impact when ASP.NET reveals exactly why a SQL Injection or Cross-Site Scripting attack failed…

2. Building a “secure” website, but still allowing standard HTTP connections – this seems like a no-brainer, but so many organizations will “SSL-enable” their web servers, only to let standard HTTP requests to the same content!

3. Not differentiating Server requests from Form requests or from URL requests – I’ve seen too many times where “Request” variables are handled in the generic fashion, rather than specifying “Request.Form” or “Request.Querystring” (in ASP.NET) or $_GET and $_POST (in PHP) –this can and HAS been a BIG problem with web apps I’ve analyzed.

These three points I see over and over and over again. (can I say “over and over ” again?– ’cause it happens nearly 100% of the time! — seriously, the numbers are in favor of this statistic)

What most organizations don’t realize is that these seemingly minor configuration flaws allow automated tools to really exploit most web applications.

So how can we protect our web apps from these seemingly minor issues?

Basic Protection
1. Always use custom HTTP error messages. These can be configured in IIS and Apache very easily. Where ASP.NET is involved, set “customErrors” to On or RemoteOnly (if you really need local debug) and set the “defaultRedirect” option to a generic HTML page with no specific error messages.

2. With IIS, if you don’t control your firewall, set the “Require Secure Channel” option under the Secure Communications section of the Directory Security tab for the site at question. This will generate a default error message, so use a custom error message or issue a redirect. If you DO control the firewall, don’t allow port 80 inbound…simple

3. Differentiate Request.Form from Request.Querysting from Request ($_GET and $_POST rather than $_REQUEST in PHP).

These are some basic (and I mean basic) protection measures that can reduce the overall attack footprint of your site and save face should you be subject to an assessment or audit.

Josh Perrymon, myself and a few others are working on a spear phishing toolkit to be released at OWASP NYC later this week. Lunker will be available through OWASP and is a collaboration between the Raleigh NC and Alabama OWASP Chapters.

This Spear Phishing toolkit allows a pen tester (or an organization) to actively target an organization’s email users via a variety of payloads. This toolkit is a full point and click exploit via email and in our testing has been extremely successful.

We have seen some commercial apps like this (phishme.com), but none with the Metasploit-like payload delivery mechanism.

This tool will also provide an email and directory brute-forcer as well as some passive assessment tools to further allow the attacker/pen tester/internal auditor to examine the response from their network/users.

UPDATE: Due to early testing we have delayed the public release of this toolkit. We have decided to release a “slimmer” version of Lunker which is basically a framework only, rather than a full turnkey solution (for the meantime) and should be available soon. Check back for updates.