Posts Tagged ‘FireFox’

Reading Rainbow: Episode 11

Friday, July 18th, 2008

Windows has its place in today’s world. Here are some examples of places it is and really shouldn’t be. http://www.networkworld.com/community/node/29644

Many companies provide their employees with company cell phones. When text messaging is enabled a unique privacy issue develops regarding when the logs may be obtained. Techrepublic’s article explains how legality plays into this issue. http://blogs.techrepublic.com.com/security/?p=490&tag=nl.e036

Which browser is most secure? Which is best ‘out of the box’? This article goes through three popular browsers and discusses their security issues and strengths. http://itmanagement.earthweb.com/…E+vs.+Safari+vs.+Firefox.htm

I recently re-discovered this set of web-radio shows and thought I would post the link. They don’t have a huge selection of shows currently, but the 40 or so that are posted are really top notch. I have recently been working through the series on the Linux Boot Process and cannot recommend it highly enough. http://hackerpublicradio.org/

Quantum physics applied to security. That’s right. By keeping track of the quantum states of photons, researchers have found a way to make a cryptographically secure transmission. Any eavesdropper would alter the current state and would therefore destroy the transmission. http://www.economist.com/sci…fm?story_id=11703138

Think you know everything there is to know about information security? This quiz is nowhere near comprehensive, but does ask a few interesting questions. http://www.newsfactor.com/…00Q2H0VF&page=5

Net Perspective has recently created a blog section for their developers and designers. As an ex-employee, I recommend keeping up with this set of blogs as these individuals are some of the top in the industry. http://blog.net-perspective.com/

Using RefControl

Wednesday, July 9th, 2008

Continuing on with my web application penetration testing series I will now go into the usage of RefControl. RefControl is useful in checking referrer-based exploits, such as CSRF.

RefControl

RefControl allows you to specify the referrer sent for a site when you view it. The Tools->RefControl options dialog holds the global list of rules for all sites you have configured; the right-click context menu shows the current settings for the site you are visiting. If you have set no rules for that site, you can add a new rule there.

After selecting the RefControl options for the current site, you are able to add in your custom referrer, send no referrer, or have RefControl automatically send the root of the current site.

What use is this? With the tidal wave of CSRF exploits being found, a tool that can help find these would be welcomed with open arms. This is where RefControl enters the domain. While referrer checking is not a hardened safeguard against CSRF, many sites still rely on it. By setting RefControl’s custom referrer to an off-site referrer you are able to check forms and links with GET variables simply by interacting with the site as you normally would. If the request goes through, that form or link should be inspected further. Sites using only Token Key Pairs may be flagged by this method of probing while not being vulnerable to CSRF itself. This is why it is important to continue inspecting after such a finding, rather than simply accepting it as a vulnerability.

Another interesting permutation of RefControl is setting the custom referrer to include SQL characters. Many sites check referrers and store them in a database for analytics purposes, and this allows the penetration tester to check whether those inputs are being validated as well.
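The two checks this post probes (a referrer-only check versus a per-session token) and the analytics storage of the referrer, as an added example in Python that is not RefControl’s code or the post’s own; the host name, form fields and referrer values are constructed for the example.

```python
"""Added example (not from the post): server-side CSRF checks of the kind a
RefControl custom referrer probes, plus safe storage of the referrer for
analytics.  Host names and form fields are constructed for the example."""
import hmac
import secrets
import sqlite3
from urllib.parse import urlsplit

SITE_HOST = "shop.example"  # assumed host of the site under test


def referrer_host(headers: dict) -> str:
    """Lower-cased host of the Referer header, or "" when absent/unparseable."""
    ref = headers.get("Referer", "")
    return (urlsplit(ref).hostname or "").lower()


def referrer_only_check(headers: dict) -> bool:
    """What many sites relied on: accept only if the referrer is our own host.

    The weak spot the post mentions: a missing Referer has to be either
    rejected (breaking users who suppress it) or accepted (letting a forged
    request without a Referer through).  This version rejects it.
    """
    return referrer_host(headers) == SITE_HOST


def token_check(form: dict, session_token: str) -> bool:
    """Per-session token: the real barrier, independent of any header."""
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


def csrf_check(headers: dict, form: dict, session_token: str) -> bool:
    """Layered check: an explicit off-site referrer is rejected outright,
    a missing one is tolerated, and the token decides."""
    host = referrer_host(headers)
    if host and host != SITE_HOST:
        return False
    return token_check(form, session_token)


def store_referrer(conn: sqlite3.Connection, path: str, referrer: str) -> int:
    """Log the referrer for analytics with a placeholder, so a referrer that
    contains SQL characters (the second RefControl trick) stays plain data.
    Returns the number of rows logged so far."""
    conn.execute("CREATE TABLE IF NOT EXISTS hits (path TEXT, referrer TEXT)")
    conn.execute("INSERT INTO hits VALUES (?, ?)", (path, referrer))
    return conn.execute("SELECT count(*) FROM hits").fetchone()[0]


def demo() -> dict:
    """Exercise the checks with constructed requests and return the outcomes."""
    token = secrets.token_hex(16)
    offsite = {"Referer": "http://other-site.example/page"}  # custom referrer
    onsite = {"Referer": f"https://{SITE_HOST}/account"}
    results = {
        "referrer_only_offsite": referrer_only_check(offsite),
        "referrer_only_missing": referrer_only_check({}),
        "layered_offsite_with_token": csrf_check(offsite, {"csrf_token": token}, token),
        "layered_onsite_no_token": csrf_check(onsite, {}, token),
        "layered_onsite_with_token": csrf_check(onsite, {"csrf_token": token}, token),
        "layered_missing_with_token": csrf_check({}, {"csrf_token": token}, token),
    }
    conn = sqlite3.connect(":memory:")
    hostile = "http://x.example/?q=' OR '1'='1"  # constructed SQL-looking referrer
    results["rows_logged"] = store_referrer(conn, "/", hostile)
    results["stored_verbatim"] = (
        conn.execute("SELECT referrer FROM hits").fetchone()[0] == hostile
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```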

Oops….

Monday, July 7th, 2008

It has been brought to my attention that the P3P settings in Firefox 2 have actually been disabled. I missed this in my research as I was going more to understand how it worked and simply assumed that it did work. Mozillazine states that “P3P functionality is not present in Firefox and will probably be removed from Mozilla Suite (see bug 225287).” (http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries as provided in a comment on my Cookies, Cookies, Cookies posting.)

I apologize for missing this fact; however, the concepts of P3P and third-party cookies are still valid, so I will leave the posting up.

Reading Rainbow: Episode 9

Monday, June 16th, 2008

Virtual machines use unique MAC addresses to access the internet. This article provides a listing of their identifiers so that you may ascertain whether or not a particular machine is running within a virtual machine. http://blogs.techrepublic.com.com/networking/?p=538&tag=nl.e102

Botnets are no new threat, and neither is the way they are used. The first article shows some statistics on just how powerful they are and what sorts of damage they are doing. The second link, from SANS, discusses a proactive, rather than reactive, way to deal with the possibility of infection. The final link shows how bot herders are using their destructive potential to make money. With such a lucrative business in place, more and more pressure is put on security professionals to take the next step in securing their systems. http://www.sourcewire.com/releases/rel_display….9472&hilite= http://isc.sans.org/diary.html?date=2008-06-14 http://www.technewsworld.com/story/The-….Con-Game-63357.html

Again we find proof that hackers are compromising government systems and using the data obtained to cause problems. What is possibly more disturbing is the government’s continuing lax effort to deal with the issue at hand. It seems that sweeping it under the carpet is the de facto method of dealing with these problems, when the correct approach would be to deal with the problem at its source. Here we see that Chinese hackers actually managed to gain access to dissident lists and actually managed to find the people on those lists. http://ap.google.com/article/ALeqM5g….ZaBwez4_gq7mwD918ATTG0

Mozilla’s Firefox 3 was supposed to come packaged with “private browsing,” a “no digital trail” method of surfing the net; however, because of the amount of code affected by this option it has been released without this feature. http://news.cnet.com/8301-10789_3-9967829-57.html

Cookies, Cookies, and Cookies

Sunday, June 8th, 2008

That’s cookies times three… or perhaps third party cookies. Not the world’s greatest pun, but all the same a decent intro. In this posting I will explain third party cookies and why they are bad, as well as provide a method to deal with these pesky cookies without destroying your “website experience.”

What are cookies and what are “third party” cookies?

Cookies are small bits of information stored on your computer. Web-sites place tracking information in these cookies to remember who you are, if you’ve logged in, in the case of shopping carts, what you’ve purchased, and all sorts of other useful information. Most of this information is not publicly accessible, even with physical access to the machine because the information is stored server-side; however, the Session ID or other information is stored within the cookie. (This is what allows “session hijacking” with XSS.)

Cookies come in all shapes and forms: first party cookies, third party cookies, session cookies, etc. A first party cookie is issued by the site you are visiting and is only accessible by that website. For example, when you visit my blog, samurainet.org issues you a cookie to keep track of whether you’ve logged in and for the “unique visit” counter. Only samurainet.org can access this cookie and its information, and that makes it a first party cookie.

A third party cookie can be issued by any web-site and subsequently can be accessed by any web-site. The main purpose of these is tracking users and advertising. These cookies are not important to the operation of the web-site, unlike first party cookies that may be carrying your Session ID.

Managing cookies with FireFox.

Firefox provides settings for cookie management. You will find these settings in Firefox’s advanced configuration. There are three settings that I will discuss here, network.cookie.cookiebehavior, network.cookie.p3plevel, and network.cookie.p3p. Each contains values that can be modified to affect the overall behavior of Firefox when dealing with cookies.

Network.cookie.cookiebehavior - This controls how the browser allows cookies. ( values: 0 - allow all, 1 - allow first party only, 2 - disallow all, 3 - allow cookies based on the P3P policy)

Network.cookie.p3plevel - This specifies the P3P acceptance policy when Network.cookie.cookiebehavior is set to 3. (values: 0 - Low[afafaaaa], 1 - Medium[ffffaaaa], 2 - High[frfradaa], 3 - Custom)

Network.cookie.p3p - This specifies the custom P3P policy. The policy specifies 8 positions with 4 separate values that I will explain below.

Selecting the policy for you.

The P3P (Platform for Privacy Preferences, a W3C project) policy dictates the handling of both first and third party cookies from sites of various levels of trust. The trust is based on what the web-site claims to be doing with your information and cookie information. As a personal rule, I distrust even reputable web-sites and prefer to keep cookies for as short a time period as possible.

P3P gives four possible values ( A - accept, D - downgrade to a session cookie, F - flag, and R - reject) for cookie management as well as 8 scenarios for the cookie to fall under. The P3P cookie “byte” is structured as follows. (Taken from the Mozillazine.org web-site)

  1. First party cookies from sites with no privacy policy
  2. Third party cookies from sites with no privacy policy
  3. First party cookies from sites that collect personal information without permission
  4. Third party cookies from sites that collect personal information without permission
  5. First party cookies from sites that collect personal information only with permission
  6. Third party cookies from sites that collect personal information only with permission
  7. First party cookies from sites that don’t collect personal information
  8. Third party cookies from sites that don’t collect personal information

Firefox has built-in cookie management that ranges from blank policies (in the cookiebehavior) for accepting all, rejecting all, or accepting only first-party cookies as well as pre-built P3P policies of Low (accept all and flag suspicious third party), Medium (flag all suspicious first and third party, and accept the rest), and High ( flag suspicious first party, reject suspicious third party, accept all others and downgrade third party that collect personal information.) [I have used suspicious to refer to positions 1-4 since the site either claims no privacy policy or is collecting information without permission.]

That sure is a lot to process, but are those policies good? That really depends on whether they suit your needs. My policy is a custom policy, meaning I have set cookiebehavior’s value to 3 as well as p3plevel’s value to 3 (custom). I have then specified the following p3p value: DRDRDRDR. Very simply, I downgrade all first party cookies (meaning they will be deleted when I close Firefox) and I reject all third party cookies, regardless of where they came from. This provides me blanket protection against third party cookies, since I don’t care about advertising and I don’t want to be tracked. It also leaves me able to use all web-sites normally, but stops them from tracking me beyond one session (at least by using cookies).
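A small interpreter for the three preferences and the eight-position policy string described above, added here as an example in Python (it is not Firefox code and not from the post); the position order, letters and Low/Medium/High presets are the ones the post lists, while the site-class names used as keys are chosen for this example.

```python
"""Added example (not from the post): a small interpreter for Firefox 2's
network.cookie.p3p string.  The eight positions, the four letters and the
Low/Medium/High presets are the ones listed in the post; the site-class
names used as keys are chosen here."""

ACTIONS = {"a": "accept", "d": "downgrade", "f": "flag", "r": "reject"}

# Site classes in the order of the post's eight-line list; each class
# occupies two positions: first-party cookie, then third-party cookie.
SITE_CLASSES = (
    "no_privacy_policy",
    "collects_without_permission",
    "collects_with_permission",
    "no_personal_collection",
)

PRESETS = {0: "afafaaaa", 1: "ffffaaaa", 2: "frfradaa"}  # p3plevel 0, 1, 2


def validate_policy(policy: str) -> str:
    """Return the policy lower-cased, or raise if it is not 8 valid letters."""
    p = policy.lower()
    if len(p) != 8 or any(ch not in ACTIONS for ch in p):
        raise ValueError(f"invalid P3P policy string: {policy!r}")
    return p


def decide(policy: str, site_class: str, first_party: bool) -> str:
    """Action the policy takes for one cookie."""
    p = validate_policy(policy)
    index = SITE_CLASSES.index(site_class) * 2 + (0 if first_party else 1)
    return ACTIONS[p[index]]


def resolve(cookie_behavior: int, p3p_level: int, custom_policy: str,
            site_class: str, first_party: bool) -> str:
    """Combine cookieBehavior, p3plevel and the custom p3p string the way
    the three preferences are described in the post."""
    if cookie_behavior == 0:
        return "accept"
    if cookie_behavior == 1:
        return "accept" if first_party else "reject"
    if cookie_behavior == 2:
        return "reject"
    if cookie_behavior == 3:
        policy = custom_policy if p3p_level == 3 else PRESETS[p3p_level]
        return decide(policy, site_class, first_party)
    raise ValueError(f"unknown cookieBehavior value {cookie_behavior}")


def describe(policy: str) -> list:
    """One human-readable line per position, to review a custom string."""
    p = validate_policy(policy)
    lines = []
    for i, ch in enumerate(p):
        party = "first" if i % 2 == 0 else "third"
        lines.append(f"{i + 1}. {party}-party, {SITE_CLASSES[i // 2]}: {ACTIONS[ch]}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe("DRDRDRDR")))  # the post's custom policy
```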

References:

http://kb.mozillazine.org/Network.cookie.cookieBehavior

http://kb.mozillazine.org/Network.cookie.p3p

http://forums.mozillazine.org/viewtopic.php?p=2576901

http://kb.mozillazine.org/Network.cookie.p3plevel

http://www.clicktracks.com/insidetrack/articles/first_v_third_cookies.php

http://www.w3.org/P3P/

Reading Rainbow: Episode 8

Saturday, June 7th, 2008

Restrictive passwords make cracking more difficult by requiring that users use a wider range of characters; however, can restrictive password policies actually decrease time required to crack? This blog goes into the math behind it. http://lukenotricks.blogspot.com/2008/03/more-on-counting-restrictive-password.htm

Mozilla has a new campaign to break the world record for number of downloads in 24 hours. They have even gone to allowing people to pledge downloads, to be sure they accomplish their goal. This is an interesting marketing campaign. http://www.spreadfirefox.com/en-US/worldrecord/

In a previous post (America’s Cyber defense or lack thereof) I pointed out problems with foreign hackers and our government. Here are two articles as a semi-continuation of the saga. http://www.scmagazineus.com/Potential-security-breach-by-China/article/110790/ http://www.thehindubusinessline.com/2008/06/04/stories/2008060451781200.htm

If you are considering being in the IT field or are looking to hire new IT staff, this article is well worth a read. 30 items that IT staff should know. I don’t agree with all 30, but the list itself is something to be looked at and will help you evaluate yourself or potential staff. http://www.infoworld.com/article/08/06/02/23FE-how-to-fire-IT-staff-skills-list_1.html

After battling with an .htaccess problem all day long I ended up at this article. It didn’t solve my problem, but is a great source of information on all things .htaccess. http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Using Tamper Data

Wednesday, May 21st, 2008

In my previous post on penetration testing I mentioned various tools that I use for web application testing. In this post and future posts, I will go into some of these tools and how I use them. This post will be over Tamper Data, which is probably the add-on I use most for penetration testing.

Tamper Data is used for monitoring and editing requests made to a server. When you start Tamper up and refresh a page, or have a page that automatically refreshes or uses AJAX, you will see the requests in the top portion of the window. When one is selected, the bottom will display both the request headers you sent and the response headers you received. These can be useful for determining information about the server, monitoring background processes on a site (such as AJAX requests), and seeing all the various files and locations that are loaded when you view the page. While this is useful for reconnaissance work and gaining initial information on a target, this is not where Tamper’s strong suit lies. As the name suggests, Tamper Data is for … tampering with data.

Despite the fact that Tamper is running and capturing headers for requests and responses, tampering has not actually been started. By clicking “Start Tamper” we enable tampering of data. Now, when Tamper notices an outgoing request it will halt that request and ask for approval. You are then presented with three options to proceed, along with the option to discontinue tampering. If you unselect the check box, Tamper will go back into passive mode and allow you to work, undisturbed, on the current request.

Submit: This simply sends the request as-is. Normally I use this if unsuspecting traffic gets caught up in Tamper’s web, such as gmail which makes AJAX requests.

Abort Request: This should be a fairly obvious option. It will stop the request from being sent. I generally use this when I am testing a potentially malicious site. In the case that a client asks me to review some code, or I am analyzing a piece of Cross Site Scripting code, I will use Tamper to allow the request to be made but to stop it before any of the data is actually transferred. I would recommend using this only after looking over the code. Some Cross Site Scripting code does not need a request to be made to be dangerous, and in those cases Tamper is a poor defense.

Tamper: Here is where the real meat and potatoes of Tamper lie. When you choose to tamper with the request you are brought to a new window. At the top of the window is the URL the request is being sent to. In the case of a POST, this saves us the effort of looking through the HTML (and potentially JavaScript) for where the request is to be sent. On the left-hand side of the window we have the request headers and their values. We can modify the request headers on the spot: instead of using JavaScript injection to modify cookie data, we can simply change it in the request header; we can modify our referrer to be anything we want; we can even spoof our User Agent. For referrers and User Agents I recommend other tools, but Tamper is the Swiss army knife of my FireFox plug-in set and I have used it over the others for such actions. Finally, we reach the right-hand side of the window. This is the POST data of the request. Here we can see what POST fields are sent and the values they are sent with. By right clicking we can add other elements, and we can modify the values of current fields. Again, this saves us the effort of bypassing client side restrictions on what values may be sent, or of submitting an element not part of a select, without using JavaScript. When finished tampering, simply select OK and watch your request be sent.

As this is an introduction to the usage of Tamper, I won’t go into advanced usage of the tool nor will I go into exactly how I execute some exploits with it. I leave you to tamper with Tamper.
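The server-side counterpart to what Tamper Data exposes (an edited select value, an extra POST field), as an added example in Python that is not from the post or the add-on: it validates the decoded POST body against the form the page actually offered before anything reaches the database. The form fields, option list and orders table are constructed for the example.

```python
"""Added example (not from the post): server-side validation of a POST body
that may have been edited with Tamper Data.  The form fields, option list
and orders table are constructed for the example."""
import re
import sqlite3
from urllib.parse import parse_qsl

# What the page's HTML form offered: a <select> with three shipping options
# and a quantity box.  This, not the browser, is the source of truth.
SCHEMA = {
    "shipping": {"choices": {"ground", "express", "overnight"}},
    "quantity": {"pattern": re.compile(r"[1-9][0-9]{0,2}\Z")},
}


def parse_form(body: str) -> dict:
    """Decode application/x-www-form-urlencoded; duplicate names are rejected."""
    form = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in form:
            raise ValueError(f"duplicate field {name!r}")
        form[name] = value
    return form


def validate(form: dict) -> dict:
    """Map of field -> problem; empty when the POST matches the form offered."""
    errors = {}
    for name in form:
        if name not in SCHEMA:
            errors[name] = "field not part of the form"  # added via Tamper
    for name, rule in SCHEMA.items():
        if name not in form:
            errors[name] = "missing"
        elif "choices" in rule and form[name] not in rule["choices"]:
            errors[name] = "not one of the offered options"  # edited <select>
        elif "pattern" in rule and not rule["pattern"].match(form[name]):
            errors[name] = "malformed value"
    return errors


def apply_update(conn: sqlite3.Connection, order_id: int, body: str) -> dict:
    """Validate, then update only the two schema columns with placeholders.
    Extra POST fields never reach the SQL, which is the risk the post notes
    for sites that build queries from the POST array."""
    form = parse_form(body)
    errors = validate(form)
    if errors:
        return {"ok": False, "errors": errors}
    conn.execute(
        "UPDATE orders SET shipping = ?, quantity = ? WHERE id = ?",
        (form["shipping"], int(form["quantity"]), order_id),
    )
    return {"ok": True, "errors": {}}


def demo() -> dict:
    """Run three constructed bodies against an in-memory orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, shipping TEXT, "
                 "quantity INTEGER, price REAL)")
    conn.execute("INSERT INTO orders VALUES (1, 'ground', 1, 19.99)")
    bodies = {
        "untouched": "shipping=express&quantity=2",
        "edited_select": "shipping=free&quantity=2",           # value not offered
        "extra_field": "shipping=express&quantity=2&price=0",  # field not offered
    }
    out = {name: apply_update(conn, 1, body) for name, body in bodies.items()}
    out["row"] = conn.execute("SELECT shipping, quantity, price FROM orders").fetchone()
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```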

Reading Rainbow: Episode 6

Monday, May 19th, 2008

I played with both of these plugins. The view formatted source one didn’t do a whole lot for me, but the view source chart was a great improvement. It makes checking out HTML much easier, and with the added ability to collapse various blocks of code it makes it easier to sort through just what I want. http://blogs.techrepublic.com.com/programming-and-development/?p=670&tag=nl.e055

A friend asked me a few months ago to help him uninstall Internet Explorer 7 and it was more than a pain. Here is a great explanation of how to do it painlessly. http://blogs.techrepublic.com.com/window-on-windows/?p=680&tag=nl.e101

As security becomes more mainstream, solutions grow beyond the capabilities of do-it-yourself approaches. Discussed here are various ways to keep current and secure without sacrificing stability and redundancy. http://blogs.techrepublic.com.com/security/?p=456&tag=nl.e036

As hacking becomes “more popular,” or perhaps simply easier with the availability of tools, proper attacks are no longer the elegant assaults of yesteryear. Now, brute force attacks are run simply because the tool is easily downloadable and anyone with an internet connection and a target can attempt to crack user accounts. Discussed here is an example of just this situation. http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=207603339&subSection=Cybercrime

I saw this site on a forum and it’s really wonderful. It has texts on all sorts of programming languages, networking, the works. http://stommel.tamu.edu/~baum/programming.html

Utilities for backing up client-side website data

Friday, May 16th, 2008

I was looking into various methods for backing up websites on my localhost and have come up with 3 options. I’m sure there are more, but these require tools you already have.

Internet Explorer 6 (I don’t have IE7 installed yet, so I did it with IE6)

Internet Explorer 6 offers the ability to “work offline,” which downloads all data to your localhost and allows you to act as though you are viewing the live site. To enable this, you bookmark the page and select “make available offline.” If you want more than just that one page, go to Customize and you are prompted about fetching the pages it links to as well. What is nice is that you can specify how deep you want IE6 to go. If you select 2, for example, all links on the page will be followed and downloaded, all links on those pages will be treated similarly, and then the process stops. You are then prompted for how you want to synchronize these local copies. You have 2 options: manual synchronizing and scheduling. Scheduling will do it at a specified time every n days. Since IE6 is “working offline,” paths don’t need to be modified.

FireFox 2

Firefox 2 offers a similar solution; however, it does not appear to have synchronization by default. To do this you “save page as” and then have the option of saving as a text file, as the single page, or “complete,” which will gather all the files needed for that page. Unlike IE6, you cannot get the pages linked to. There is a Firefox add-on that will provide the added functionality, but this article’s scope is default functionality. Also, Firefox does not change links to localhost paths.

WGET

The previous options are great for GUI systems; however, if you are a sysadmin or a web developer and need to make a backup of a current live site before replacing it with a new version, neither of these options is very good for you. So I provide a command line, no-GUI option. Running wget with the -r (recursive) option will provide the same functionality as IE6. Simply create a directory, change directory into it, and run:

wget -r site.com

and you have all the client side data. Much easier, and without a GUI.

These options bring up 2 more topics I’d like to cover. First is the perspective of the site owner. Suppose you don’t want people going around downloading your content. For a dedicated person this is not preventable, but you can make it more difficult and annoying. IE6 and wget both follow the robots.txt rules; this is not an issue for Firefox 2 since it doesn’t have this functionality by default anyway. In short, other than making it less convenient, any data you send to a client (HTML, CSS, JavaScript) will be available for backup, which is obvious since it is client side data and the web would be useless if it were inaccessible.

The other topic is client side security. Browsers disallow cross site AJAX requests. This is a security feature to stop a malicious individual from putting AJAX calls to other sites on their page and stealing your personal information. Browsers do however allow this behavior from the localhost. So by downloading and viewing this malicious code it will execute. Also, by putting JavaScript code on your local file system you allow malicious individuals to access these files.

Interestingly, it seems that Internet Explorer 6 actually beats the default install of Firefox 2 in this test. It seems Microsoft did a good job on this feature. wget doesn’t really enter into that comparison, since those two are browsers and wget is a utility; however, it also tops Firefox 2 by being recursive. As backup utilities, wget and Internet Explorer 6 are tied, since they both preserve pages, links included. Personally, I prefer wget since I’m not a fan of GUIs or of tools that won’t run under Linux.

Web Application Penetration Testing… my tools of the trade

Monday, May 12th, 2008

I read a question recently on LinkedIn asking what tools penetration testers used for web application testing and felt that it was probably a question that merited more than the few sentences I put down as an answer. The following tools are for web application testing. This is by no means a complete list, but these are some common tools that are useful and anyone interested in penetration testing should look into understanding.

When we talk about web site penetration testing most people think of scanners like Nessus or Acunetix’s scanner. While these have some merit and I have seen them provide useful information, the best method in my opinion is to test by hand. This does not mean using no tools at all, rather simply not using these automated tools. The following is a list of tools and plug-ins that I find useful. All of the following tools are add-ons for FireFox 2, an appropriate platform for web application testing.

ChickenFoot - This is a great tool since it allows you to run JavaScript on the page. Much like Greasemonkey, you can configure default scripts to run, but the real advantage is having a “JavaScript console” in the browser that can interact with the DOM. This has saved me a lot of trouble debugging scripts while developing, as well as breaking scripts already in place.

LiveHTTPHeaders - This is a great tool for grabbing the request headers and banners that a server sends out. Data such as operating system and Apache version can be found, as well as a comprehensive list of ALL data that is transferred to your browser at request time.

User Agent Switcher - Normally changing your user agent doesn’t help with penetration testing much, since few sites require you to be using a specific browser or operating system as part of authentication; however, by using the Google Bot’s user agent, sites designed for Search Engine Optimization sometimes open their doors for you. If the designer or developer allowed restricted pages to be indexed by the Google Bot (I don’t know why they do this, but they do), we can now access them.

Tamper Data - This is a brilliant tool that allows you to capture outgoing HTTP requests and modify the data. This makes modifying data in select menus much easier than using javascript to modify the DOM. You can also enter in other fields to the POST array which is sometimes useful if the site is using automated SQL queries based on POST’s contents.

RefControl - Another great add-on. This allows you to customize the referrer you send. Many sites check this to make sure that you are sending data from an allowed page and RefControl can be used to forge this. This is useful when you want to send data from your own web-app to another (for fuzzing) or if you are trying to access another zone of the site without the correct credentials from the previous zone.

Beyond these FireFox add-ons I have a few more tricks up my sleeve. The following are not necessarily tools for penetration testing, but they can lead to extra information.

http://www.myipneighbors.com/ - This is a great site that allows you to easily see what other sites sit on the same IP address. This is useful for testing sites on shared hosts where a cross-server hack is possible. This widens your range of vulnerabilities from one site to many. (In some cases I’ve seen IP addresses with upwards of 700 sites on them.) The site even provides an iFrame so that you can briefly browse the sites and see which look most likely to be useful.

nmap - Most of you are probably asking why a port scanner is on this list, but the fact that nmap can easily determine what version of Apache is running makes it useful. If you were unable to capture the banner from a request before nmap is your next option. You may even be able to find out versions of MySQL and what Operating system is being used. These can be useful for exploits inherent in the background processes of the site.

Finally, I will talk briefly about some automated tools that I use for fuzzing and quick scans. Normally, if I run these, I set them and forget them until I’ve burned myself out, and check them only later.

Nessus - This is a great tool for scanning even beyond web applications, but with the features for SQL injection, Cross site scripting, and I believe now even Remote and Local File inclusion vulnerabilities it can provide useful information. If you are doing more than simple Web Application scanning Nessus can provide even more information. Rather than just giving you a listing of ports and services like nmap, Nessus provides information on WHY these are dangerous and how they can be both exploited and fixed. This is great for testing your own network.

Acunetix’s scanner - This scanner will basically fuzz all inputs for Cross Site Scripting holes and report back to you on which, if any, were successful. I have had only moderate success with it, but again as a “set it and forget it” tool while you work by hand it can be useful.