Today I make my 1st appeal to the giant heart I know the hacker community has. My seven-year-old nephew-in-law Cole Baker has been battling cancer (neuroblastoma) for the past year. We thought after a handful of advanced treatments he had finally beaten it but, alas, we found out last week that the cancer has spread to a different area.

In a month, Cole has to undergo a new radiation treatment which is more aggressive than the norm. It will require him to be almost completely isolated for a week because of the radiation.

So, what can you and I do?

I will be holding a 1 day virtual workshop on Mobile Application Security and Testing in June, dates TBA. Anyone who donates 25+ US dollars to Cole and his family are welcome. If you’re not interested in mobile security you can also just donate =) If a TBA date doesn’t work for you I will offer the recorded workshop to you in video format.

To read more about my nephew-in-law and his family you can visit: http://www.aboutcole.blogspot.com/

To donate you can visit: http://www.aboutcole.blogspot.com/p/donations.html

In the donation message write “Hacking Cancer” and any other well wishes you want to give. Include your email and twitter handle, and if you wish to attend the training or are just donating. I will email potential attendees with the dates and syllabus for the training.

I thank you sincerely for reading this and spreading the word.

Hack Cancer!

- Jason Haddix  (jhaddix [at] securityaegis.com)

Hacking Cancer! – Please spread the word belongs to Security Aegis

At BruCon 2011 I gave a talk called The Web Application Hackers Toolchain. In this talk i outlined several non-standard additions and aides to web pentesters. One section in particular was leveraging tool chaining for better application mapping.

In the appsec space the biggest challenges to testing come from edge cases in heavily dynamic pages, non-standard payload types, or pages using special authentication routines; Things like REST, AJAX, NTLMv2, Kerberos, Flash, Silverlight, ActiveX, Java Serialized Objects, encoded JSON, InnerHTML, ViewState, CSRF tokens, etc.

It’s sad to say but, most standalone tools do not test these correctly, or require high levels or customization to deal with. In these cases it becomes necessary to utilize a toolset that includes upstream proxy options. The advantages in tool chaining are several, but ill start with some easy examples and then reference others. In these scenarios I’m assuming you’re using some type of scanning tool (open source or enterprise level). Without going into which tools are better for each type of edge case, ill instead focus only on the ones use we’ll use to solve an issue.

Let’s start with the elephant in the room, AJAX. Almost every site uses it these days, in some fashion or another.

Issue: As an app sec tester you need visibility into every parameter for fuzzing coverage. When using tools, crawler engines in these tools work on link based logic and tend not to fire of DOM events that might be crucial to the application. Some crawling engines can parse these ajax calls, but don’t map them as completely as a browser actually interacting with the page/DOM would. You could manually walk the site and interact with it (which should be done always) but in enterprise or large applications ensuring you hit all functionality of the site is difficult. This becomes increasingly harder if you don’t have a good set of test data (i’ll go more into this later) like application specific “stuff” (credit card numbers, transaction IDs, any non-standard data used to drive application logic).

Solution(s): Like i said, using the browser and manually walking the app is your best bet on smaller sites. The next option involves tool chaining. Most scanners have the ability to act as an inline proxy (Burp, WebInspect, etc, etc). If they don’t, like some command line scanning tools, they can take a flat file of links an crawl/spider from those. To a lesser extent, this can capture application functionality. So right now we have;

Browser > Scanner in proxy mode

At this moment you are browsing the site, filling up the site map and executing/mapping all the main functions. Later, after you finish walking the site, you can then have your scanner fuzz off of that site map.

Now lets take a new tool called ACT (Ajax Crawling Tool) and add it to the mix. ACT uses selenium to actually open a browser and spider the site, thus executing DOM events better.

Already have done the above > ACT Browser > Scanner in proxy mode

This setup should be used in addition/after already having walked the site manually to populate a site tree in your scanner. Now, ACT does it’s thing and hopefully finds some functions you didn’t (this is common in large apps). Now when you launch the fuzzing tests in your scanner, you can sleep better knowing you probably have executed everything.

Now, good application security testers don’t just stop there. We use some sort of inline proxy tool to tamper with individual requests, or perform custom checks on functions that look interesting. In this case we are going to use Burp. Don’t lie to yourselves, if you’re not using Burp (ZAP is damn close to catching up though) then you are not doing in-depth analysis. Let’ try this:

Step 1:
Browser (walk the app manually) > Burp > target

Step 2:
ACT Browser > Burp > target

Step 3:
Burp Spider > Scanner in proxy mode > target

So, some advantages here: Burp now has a good site tree with parameters parsed well from AJAX calls (thanks to a manual walk and ACT). We then can execute Burps crawler, which will use our already filled in site tree and possibly improve upon it. When we hit “scan” on our scanning tool it will also spider/crawl the site before fuzzing it. Quadruple crawl coverage. Also burp has a full site tree to do your manual intruder/repeater fuzzing tests (we love the fuzzDB).

Caveats: Chaining a scanner to a scanner can be done, but keep it to crawling only, fuzzing/scanning early in the chain will pollute your site tree’s upstream. If you always have your Burp session clean you can use it as a jump off point for a different scanner.

The biggest pushback against this idea is: “Shouldn’t X tool do this for me?” In a perfect world yes, but we’re just not there yet. Some areas of appsec testing (both dynamic and static) will always require a sharp mind and a dynamic toolset to test around edge cases. Be very wary of vendors telling you they do this, make them show you. Dinis Cruz posted a while back on how awesome this type of thing is… edge case testing is what separates good appsec testers from great appsec testers. I just thought we knew this already.

Other examples of tool chaining:

using burp to custom rewrite for your scanner: scanner > burp re-write rules > target
using your scanner to deal with authentication burp can’t: scanner that handles kerberos > burp > target

TLDR; Feed tools with tools for fun and profit and new Web Application Hackers Toolchain 2.0 talk coming

Appsec Testing Tips: Edge Cases & Tool Chaining belongs to Security Aegis

<activity android:label="@7F040001" android:name=".InsomniActivity">

</activity>

Now we see what where to start our search without opening the app yet, toss that crackme into baksmali and get ready for the output. No baksmali tricks in place, so we can just take a look right at the main activity, InsomniActivity. The only interesting bits for us is the call to compute method on keyBytes and setting an onClick listener for the validate button;

read more at: InsomniDroid – crackme solution | strazzere.com.

InsomniDroid – Android crackme solution belongs to Security Aegis

• The Glitch Mob
• Cryptex
• NiT GrIt
• Kinetik
• NERO
• Juno Reactor (older but still good)

Hacking Music belongs to Security Aegis

Using Graphite to Graph DTrace Metrics belongs to Security Aegis

SQLMap Tamper Scripts belongs to Security Aegis

tshark -n -R http.request -s 2000

Run your tool, in my case i’ve used sqlmap with some mixed tamper scripts, pangolins payloads (previous modsec bypass), etc ,etc. Capture the tshark output and then use some grep/sed/awk magic to parse out the fuzz strings. I”ll let you figure the last part out on your own

One you’ve gathered the fuzz stings you can use them in Burp through Intruder. In most cases it is more useful as I can learn faster what characters are being filtered, I can sort by response types (page size, resp time, redirects, custom or non custom error pages, regex, etc), and just have way more control in identifying injection. Once you’ve identified injection you can choose your favorite tool to exploit.

Having your own modified fuzzdb comes in handy too. You never know when you might need some tricky injection to be encoded and dont have access to the web/tools/cmdline to do it.

Anyways, hope that made sense!

Jacking injection/fuzz strings for web hacking belongs to Security Aegis

The competition was a worldwide CTF run by Mozilla. The Mozilla CTF (capture the flag) competition consisted of 22 progressively harder web application and binary assessment problems.

I’m happy to say out of 150 scoring teams (including other security outfits), the team we played with, epicfail, got 5th place. The guys we played with were top notch, all from the UCSB security group. With our powers combined we were Captain Planet.

The competition was well run, and i liked it because they made good web challenges, not generic stuff, but really hard/obscure web stuff. Its hard to find good web ctf’s! They also included the idea of chaining web exploits in their challenges. That was fun.

Hopefully i’ll get to posting some more content soon and I’ve poked James (and purposefully put him on the spot here) to write something up. Hope everyone had an awesome holiday season… here’s to hacking in 2012!!

Mozilla CTF && Not Dead, Just Busy belongs to Security Aegis

LinkedIn Harvesting for OSINT (esearchy video) belongs to Security Aegis

sudo gem sources --add http://gems.github.com
sudo gem install gemcutter
sudo gem install esearchy

Let’s Pick on Valve (for no particular reason):

esearchy -q "@valvesoftware.com" --company "Valve Software" --enable-spoke --enable-linkedin -m 500

Output for Social Profiling”

-------==< FINAL RESULTS >==--------
Doug Lombardi -> http://www.spoke.com/info/pODvHj/DougLombardi
Chris Green -> http://www.spoke.com/info/p6SVncp/ChrisGreen
Scott Lynch -> http://www.spoke.com/info/p1EbnVh/ScottLynch
Mike Dunkle -> http://www.spoke.com/info/p1rx17V/MikeDunkle
Kerry Davis -> http://www.spoke.com/info/pC4F8IB/KerryDavis
Tom Bui -> http://www.linkedin.com/pub/tom-bui/2/329/168
Chris Green -> http://www.linkedin.com/pub/chris-green/5/b1b/827
Torsten Zabka -> http://www.linkedin.com/pub/dir/Torsten/Zabka/
Mark Behm profiles -> http://www.linkedin.com/pub/dir/Mark/Behm
Joe Rohde profiles -> http://www.linkedin.com/pub/dir/Joe/Rohde
Doug Lombardi profiles -> http://www.linkedin.com/pub/dir/Doug/Lombardi
Marc Nagel profiles -> http://www.linkedin.com/pub/dir/Marc/Nagel
Mike Blaszczak profiles -> http://www.linkedin.com/pub/dir/Mike/Blaszczak
David Kircher profiles -> http://www.linkedin.com/pub/dir/David/Kircher
Michael Blaszczak profiles -> http://www.linkedin.com/pub/dir/Michael/Blaszczak
Tom Bui profiles -> http://www.linkedin.com/pub/dir/Tom/Bui
Jeremy Bennett profiles -> http://www.linkedin.com/pub/dir/Jeremy/Bennett
Dave Kircher profiles -> http://www.linkedin.com/pub/dir/Dave/Kircher
Nick Coombe profiles -> http://www.linkedin.com/pub/dir/Nick/Coombe
Niall King profiles -> http://www.linkedin.com/pub/dir/Niall/King
Keith Huggins profiles -> http://www.linkedin.com/pub/dir/Keith/Huggins
Charles Burgin profiles -> http://www.linkedin.com/pub/dir/Charles/Burgin
Joseph Rohde profiles -> http://www.linkedin.com/pub/dir/Joseph/Rohde
Rob Korporaal profiles -> http://www.linkedin.com/pub/dir/Rob/Korporaal
Thomas Bui profiles -> http://www.linkedin.com/pub/dir/Thomas/Bui
Eric Tams -> http://www.linkedin.com/pub/eric-tams/5/929/3ba
::SNIP::

There a lot more options to play around with!

esearchy – my new favorite OSINT script belongs to Security Aegis