CPNI Technical Note: Development and implementation of secure web applications
The Centre for the Protection of National Infrastructure (CPNI) has today published the Technical Note on developing secure web applications that I prepared a few months ago.
Among the topics covered are:
- Introduction to web application security
- General aspects of web application security
- Access handling
- Injection flaws
- Thick-client security
- Preparing the infrastructure
Tony Dorrell and Greg Jenkins’ invaluable contributions have ensured the technical quality and high standards of the document.
Here is the guide, hope you enjoy it:
Comments and feedback are welcome (you can also find me on Twitter: @etdsoft)
Running Dradis Framework in BackTrack4 R2
Following the series of articles on how to get the Dradis Framework running on different operating systems, this time it is the turn of BackTrack 4 R2.
Running Dradis Framework in Ubuntu 10.10 (Maverick Meerkat)
This is a step-by-step guide on how to get Dradis (v2.6) up and running in a fresh install of the latest Ubuntu (10.10 - Maverick Meerkat).
Dear Scammed Victim
Just got this in my inbox:
Compensation From The Government.
The Chairman
DEBT MANAGEMENT OFFICE
Committee On Government Compensation,
Wuse Zone II, FCT, ABUJA.:
Our Ref : FGN /SNT/STB
Dear Beneficiary,
Re: Government Compensation on Scams Victims, Lotto, Unpaid/Unclaimed Contract/Donation.
The Federal Government of Nigeria through the President Dr.Goodluck Jonathan GCFR CON, has mandated the Debt management office in colaboration with Nigeria Financial Intelligence Unit (EFCC)to compensate all foreigner’s who in one way or the other has been retrieve of there hard earn money through illegal transaction.
All the Scams Victim who has lost so much to the fraudsters in Nigeria can now be compensation in pro rata of money lost.we are carrying out this verification and payment procedure with guideline from the The Federal Bureau Investigation Director (FBI) Mr.Robert,S.Mueller. The EFCC Chairman Mrs. Farida Waziri agency had not only recovered $6.5bn since its inception but had secured 400 convictions :http://www.punchng.com/Articl.aspx?theartic=Art201006153502178
You are officially informed that the sum of $150,000.00 (One hundred and fifty thousand U. S. dollars only)has been accredited in your favor for compensation due to your inability to claim your funds for some circumstances.
The Instruction has been given to us to Compensate the Scams Victims.Please if you have not been Scammed do not reply this message,it is onlyfor those that were scammed of their money that needs to reply this mail for Compensation.
For processing and verifications, kindly tender the below information:
* Full Name:
* proof of payment/relevant document:
* Phone Number:
* Gender:
* Age:
* Occupation:
* Country:
* Identification:
Direct your information below to the officer that will give instruction to pay you the Compensation.
Dr. Greg Sambo
DEBT MANAGEMENT OFFICE
Committee On Government Compensation.
email:dmo@contractreviewplanel.fr.fm
Java Bytecode Injection
When assessing the security posture of a Java thick-client application we can usually run the code through a decompiler (such as Jad) and have a proper look at it. It may be the case that we need to bypass the SSL checks, but that is usually it.
However, every now and then we stumble upon more complex scenarios, for instance an application whose code has been obfuscated in a way that causes decompilation errors. In that case it is no longer enough to decompile, modify the code and compile it again; we need some other technique. Patching the .class file at the bytecode level sounds like a reasonable approach.
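As an added example of that approach (my own illustration, not code from the original post): the following Java program uses the Javassist library (javassist.jar on the classpath) to rewrite one method of a compiled class directly, so the rest of the obfuscated class never has to decompile cleanly. The class name com.example.client.LicenceCheck, the method isValid and the directory names are hypothetical stand-ins for whatever check the target application performs.

```java
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;

/*
 * Added example: patch a .class file at the bytecode level with Javassist.
 * Javassist compiles the small Java snippet we hand it straight to bytecode,
 * so only the method we touch needs to be understood, not the whole class.
 *
 * Usage (names are hypothetical):
 *   java -cp javassist.jar:. BytecodePatch extracted patched
 * where "extracted" holds the unpacked .class files of the target application.
 */
public class BytecodePatch {

    /* Rewrites targetClass.targetMethod so that it always returns true and
     * writes the patched class under outDir. Returns the patched class name. */
    public static String forceTrue(String classDir, String outDir,
                                   String targetClass, String targetMethod) throws Exception {
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(classDir);            // make the target's classes visible to Javassist

        CtClass cc = pool.get(targetClass);
        CtMethod m = cc.getDeclaredMethod(targetMethod);

        // Replace the body wholesale. For a boolean method this is the classic
        // "make the check pass" patch; the original bytecode is discarded.
        m.setBody("{ return true; }");

        // Alternative when you want to keep the logic and just observe it:
        // m.insertBefore("{ System.out.println(\"" + targetMethod + " called with \" + $1); }");

        cc.writeFile(outDir);                      // writes outDir/com/example/client/LicenceCheck.class
        cc.detach();                               // release it from the pool
        return cc.getName();
    }

    public static void main(String[] args) throws Exception {
        String classDir = args.length > 0 ? args[0] : "extracted";  // hypothetical input directory
        String outDir   = args.length > 1 ? args[1] : "patched";    // hypothetical output directory
        String patched  = forceTrue(classDir, outDir,
                                    "com.example.client.LicenceCheck", "isValid");  // hypothetical names
        System.out.println("Patched " + patched + " into " + outDir);
    }
}
```

Copy the patched .class back into the JAR afterwards (for example with jar uf). If the JAR was signed, the modified class will no longer match the digests in META-INF/*.SF and the JVM will refuse to load it, so delete the META-INF/*.SF and *.RSA/*.DSA entries (or re-sign with your own key) before running the client.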
Beware of JBoss’ “SecureIdentityLoginModule”
From JBoss' Community Wiki EncryptingDataSourcePasswords page:
The org.jboss.resource.security.SecureIdentityLoginModule from jboss-jca.jar can be used to encrypt database passwords rather than using clear text passwords in the DataSource configuration. [...]
Which, in principle, is a great thing: usually database credentials end up in the web application configuration file in clear text. However:
[...] It uses a hard-coded password to encrypt/decrypt the DataSource password.
Bottom line: anyone using the SecureIdentityLoginModule to encrypt the password in the configuration file is doing it with Blowfish and a well-known key, so the result is obfuscation rather than encryption. If during an engagement you find a configuration snippet similar to the one below:
<policy>
  [...]
  <!-- Example usage of the SecureIdentityLoginModule -->
  <application-policy name="EncryptDBPassword">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">sa</module-option>
        <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
        <module-option name="managedConnectionFactoryName">[...]</module-option>
      </login-module>
    </authentication>
  </application-policy>
  [...]
</policy>
you should be able to decrypt the value and recover the credentials in clear text. JBoss.java can help you with this; it is now available in usefulfor's repository at GitHub.
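As an added example (my own illustration, not the JBoss.java from the usefulfor repository), here is a minimal decoder that mirrors the module's own decode() routine. The key "jaas is the way" is the constant hard-coded in the JBoss source; the cipher is the JDK's default Blowfish transformation (ECB with PKCS5 padding) and the ciphertext is stored as BigInteger.toString(16), so the decoder has to round-trip through BigInteger the same way. The only input it needs is the password string from the configuration snippet above.

```java
import java.math.BigInteger;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example: decode (and, for verification, encode) values stored for
 * org.jboss.resource.security.SecureIdentityLoginModule.
 * Usage:  java JBossSecureIdentityDecoder 5dfc52b51bd35553df8592078de921bc
 */
public class JBossSecureIdentityDecoder {

    // The key hard-coded in the JBoss source. Every installation shares it,
    // which is why this protects against nothing but a casual glance.
    private static final byte[] KEY = "jaas is the way".getBytes();

    /* Reverses the module's encode(): hex -> BigInteger -> bytes -> Blowfish decrypt. */
    public static String decode(String hexSecret) throws Exception {
        SecretKeySpec key = new SecretKeySpec(KEY, "Blowfish");
        // The module produced the hex with new BigInteger(cipherBytes).toString(16).
        // Parsing it back the same way restores a leading "-" (negative value) correctly.
        // It also inherits JBoss's quirk: a ciphertext starting with 0x00 loses that
        // byte and will fail to decrypt, exactly as it would inside JBoss itself.
        byte[] encoding = new BigInteger(hexSecret, 16).toByteArray();
        Cipher cipher = Cipher.getInstance("Blowfish");   // JDK default: Blowfish/ECB/PKCS5Padding
        cipher.init(Cipher.DECRYPT_MODE, key);
        return new String(cipher.doFinal(encoding));
    }

    /* Same steps as the module's encode(), handy to confirm a recovered password. */
    public static String encode(String secret) throws Exception {
        SecretKeySpec key = new SecretKeySpec(KEY, "Blowfish");
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] encoding = cipher.doFinal(secret.getBytes());
        return new BigInteger(encoding).toString(16);
    }

    public static void main(String[] args) throws Exception {
        // Default is the value from the configuration snippet in this post.
        String value = args.length > 0 ? args[0] : "5dfc52b51bd35553df8592078de921bc";
        String clear = decode(value);
        System.out.println("Decoded : " + clear);
        System.out.println("Re-encoded matches: " + encode(clear).equals(value));
    }
}
```

If you find this module in use, the finding to report is not the decoder but the design: the credential is recoverable by anyone who can read the configuration file, so the real controls are file permissions and keeping secrets out of the application configuration in the first place.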
DEFCON 17: a late write up
This year's DEFCON was quite amazing; apparently 10k people showed up at the Riviera for it. This is a late write-up because everybody already knows about the fake ATM and the RFID reader near the Wall of Sheep; on the other hand, not everybody knows about other things that also took place. By the way, this is how the back side of one of the ATMs at the conference looked:

The truth is that you would need two or three duplicates of yourself to get to do everything you want to do: there are just too many talks, contests and random things going on for it to be possible to cover it all. Anyway, below is a breakdown of the talks I managed to get into.
Bypassing Java thick client SSL checks
x509 certificate generation
Generate the certificate using OpenSSL:
$ openssl genrsa 1024 > foo.key
$ openssl req -new -x509 -nodes -sha1 -days 7300 -key foo.key > foo.crt
$ openssl pkcs12 -export -out foo.p12 -in foo.crt -inkey foo.key -name "your name"
(On current JDKs prefer a 2048-bit key and -sha256, since SHA-1 signatures and short RSA keys are increasingly rejected. When prompted by openssl req, make the Common Name match the host the client connects to: trust and hostname verification are separate checks.)
You will need the .p12 file (it contains key and certificate) to configure Burp, and the .crt file to add to the Java keystore used by the client. Check out Burp's help page for instructions on how to get the first done.
Create a Java keystore, import the certificate
Straightforward enough (just remember the password you entered):
keytool.exe -import -file foo.crt -keystore usefulfor.jks -alias burpcert
Run the application and point it to your keystore
java \
  -Djavax.net.ssl.trustStore=usefulfor.jks \
  -Djavax.net.ssl.trustStorePassword=password \
  -Djavax.net.debug=all \
  com.usefulfor.Demo
Other interesting properties that you may need in order to further tweak the SSL configuration are javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword (for client certificates). javax.net.debug=all is extremely verbose; javax.net.debug=ssl:handshake is usually enough to see which certificate was rejected and why. Note that these properties only affect the JVM's default SSLContext: if the client builds its own TrustManager or SSLSocketFactory (for example to pin a certificate), the trust store you pass here is never consulted and you are back to patching the code.
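As a quick check before launching the real client, the following added Java program (my own, not part of the original post) loads foo.crt and asks the JVM's default trust manager whether it trusts that certificate. Initialising the TrustManagerFactory with a null KeyStore makes it use the trust store named by the javax.net.ssl.trustStore properties, so run it with exactly the -D options you will pass to the application; the class name TrustCheck and file names are mine.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example: confirm that the JVM, started with the same -Djavax.net.ssl.trustStore
 * options as the client, trusts the certificate Burp will present.
 * Usage:
 *   java -Djavax.net.ssl.trustStore=usefulfor.jks \
 *        -Djavax.net.ssl.trustStorePassword=password TrustCheck foo.crt
 */
public class TrustCheck {

    /* Returns true if the JVM default trust manager accepts the certificate. */
    public static boolean isTrusted(X509Certificate cert) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null KeyStore => the factory loads the default trust store, i.e. the file named by
        // javax.net.ssl.trustStore, or the JDK's cacerts when the property is not set.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    // Same call the SSL engine makes during the handshake for a server cert.
                    ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { cert }, "RSA");
                    return true;
                } catch (CertificateException e) {
                    System.err.println("rejected: " + e.getMessage());
                    return false;
                }
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "foo.crt";   // the .crt generated with openssl above
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(path)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println(cert.getSubjectX500Principal() + " -> "
                           + (isTrusted(cert) ? "TRUSTED" : "NOT trusted"));
    }
}
```

If this prints TRUSTED but the client still fails, the application is not using the default SSLContext (custom TrustManager, pinning or its own keystore path) and the properties are being ignored; if it prints NOT trusted, the keystore, alias or password on the command line is the problem and no amount of javax.net.debug output will change that.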
dradis v2.0 – flexibility unleashed
It has been a long time since the last formal release of dradis (remember the dradis v1.2 one-click installer?), but that does not mean we have been doing nothing in the meantime.
We have been working as hard as one can work: over 487 commits since then (check the stats), and we went to DEFCON 16 where a pre-release of the new dradis v2.0 was showcased. But finally we are here: there is a new release ready for you to try and get addicted to!
Lots of new features: new web interface (+10 neatness, +20 usability), new internal architecture (+30 flexibility), new built-in modules (+10 usefulness)...
DeepSec 2008
DeepSec 2008 took place in Vienna in November. Over two days attendees enjoyed a good set of talks and a good atmosphere, and had the chance to talk to people from many different security backgrounds.
I was invited to present my 'Behind Enemy lines' research, which mainly focused on different attack techniques that are currently affecting a large number of administrative web interfaces.
The slides of this presentation can be found here: [1]
More information about this research can be found in the following white paper: [3] [4]