Owner: Smart Security URL:http://smartsecurity.blogspot.com Join Date: Sun, 21 Oct 2007 23:50:44 -0500 Rating:0 Site Description: Application Security Blog - Hacking, Web Security, Cyber Security, Application Security, OWASP, MASTEK, Mumbai, Web Services Site statistics:Click here
SQL Injection in Stored Procedure : 2nd Case Study 2007-10-23 08:07:00 Stored procedure with dynamic SQL
and embedded parametersThe Stored Procedure
Create proc authenticate (@uid nvarchar(25),@pwd nvarchar(25))as DECLARE @uid VARCHAR(64) DECLARE @pwd VARCHAR(64) DECLARE @SQLString NVARCHAR(500) DECLARE @ParmDefinition NVARCHAR(500) /* Build the SQL string once.*/ SET @SQLString = N'SELECT * FROM users WHERE userid = @uid AND password = @pwd' SET @ParmDefinition = N'@login VARCHAR(64), @password VARCHAR(64)'Server side code:cmd.CommandText = "authenticate";cmd.CommandType = CommandType.StoredProcedure;cmd.Parameters.Add( "@uid", strUserName);cmd.Paramerters.Add( “@pwd, strPassword);con.Open();string result = (string)cmd.ExecuteScalar();oCon.Close();In this case,bSQL Injection
would NOT be possible. Hence what I would like to summarize is if at all we have to use dynamic SQL in stored procedure, always use embedded parameters in dynamic SQL Read more:Study
SQL Injection in Stored Procedure 2007-10-18 23:53:00 Let us examine SQLInjection
in Stored Procedure
. This would be 1 of the vulnerable cases.The Server Side Code would be something like:oCmd.CommandText = "sp_login";oCmd.CommandType = CommandType.StoredProcedure;oCmd.Parameters.Add( "@loginId", strUserName);oCmd.Paramerters.Add( “@password”, strPassword);oCon.Open();string result = (string)oCmd.ExecuteScalar();oCon.Close();====================================================================The Stored Procedure would be:CREATE PROC sp_login (@loginid nvarchar(25),@password)AS DECLARE @SQLString NVARCHAR(500) DECLARE @loginid VARCHAR(64) DECLARE @password VARCHAR(64) /* Build the SQL string once.*/ SET @SQLString = 'SELECT * from cust_users WHERE login_id = '+ ''''+@loginid+'''' + 'AND password = '+ ''''+@password+'''' EXECUTE sp_executesql @SQLString====================================================================If the user input is as follow
HTTP Pipelines in ASP.NET 2007-10-15 02:28:00 1. ASP.Net uses a pipeline model to process incoming requests and provide responses.2. The steps in the pipeline are:HTTP RuntimeHTTP Application FactoryHTTP ApplicationHTTP Handler FactoryHTTP Handler3. When IIS receives a request, it checks the extension of the requested page.4. If the extension is .aspx, then it invokes aspnet_isapi.dll and passes the request to it5. The aspnet_isapi.dll calls the HTTP Runtime object in the ASP .Net worker process6. The pipeline is implemented inside this worker process (Aspnet_wp.exe)7. The HTTP Runtime passes the request to the HTTP Application Factory8. The Application Factory creates an application object for the request (or reuses an existing one) by looking at which application should be invoked9. Every virtual folder is a different “application” to IIS10. The HTTP Application objects contains modules or filtersa. The filters can be used inspect and modify HTTP requests and responsesb. For eg, to cloak t
Thick Client Application Security 2007-10-12 05:54:00 This article discusses the top vulnerabilities in a two tier thick client application. Thick
client is defined as an applicationclient that processes data in addition to rendering. An example of thick client application would be a VB.NET or Java Swing application that communicates with a database.I have generally observed in these types of applications have weak access controls, weak authentication management, information disclosure, improper error handling or application crash. It is interesting to note that most of the Open Web Application
Security Project (OWASP) Top 10 vulnerabilities are as applicable to Thick Client
applications as they are to web applications.Let us map them for simplicity. Sr OWASP Top 10 (Web Apps) Thick Client 1 Unvalidated Input Unvalidated Input 2 Broken Access Control Broken Access Control 3 Broken Authentication & Session Management Weak Authen Read more:Application Security
PCI Compliance bothering??? 2007-10-09 22:36:00 Hi,When I was reading thru PCI DSS standards, something that was bothering me was the following requirement:Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: * Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security * Installing an application layer firewall in front of web-facing applications.This method is to be considered a best practice until June 30, 2008, after which it becomes arequirement.My confusion was whether I had to hire someone to go a code review or penetration testing or would other means work ?? Finally I could clear this by posting it to PCI and getting the answer.What they mentioned was :-----------------------------------------------Using specialized 3rd-party tools that perform thorough analysis of applications to detect vulnerabilities and defects may well meet the intention and objectives of the source code revie Read more:Compliance
Westside in Mumbai stores your credit card numbers.. 2007-10-03 05:10:00 Hi,If you are a Mumbai
local, I am sure you would have visited Westside
- one of the famous retail shops. I happened to bump into their store in Andheri(W) Infinity Mall and to my surprise, when I gave my credit
card for swipe, they swiped it twice. :( - Once on the processing machine and second on his computer.I asked the fellow, "Why are u swiping my card twice?"He replies, "Sir, we need to store your card information for tallying it at the end of day."I was really disturbed by this. They stored my name, card number and expiry date. Only thing remaining was the CCV number. Remember this is generally a 3 or 4 digit number usually at the back of the card.I am surprised that these merchants are allowed to store credit card information. No PCI compliance required ??I felt like calling up the media - Mumbai Mirror, DNA or Times and yelling them that see these guys....what are they upto ?? Why the hell are they storing credit card information and if they need it, why is is not encrypted?? Read more:stores
Oracle Default Passwords 2007-09-24 05:05:00 Hi,Beware of database Default
Accounts before you ship your database to production.I saw this screen while installing Oracle
. I think this kind of screen should be shown in all database tools and also there should be a warning mentioning the harm of keeping the default accounts ON in the database.For now, enjoy this screen... :)
Introducing - TechTrails 2007-09-20 06:10:00 Dear Software Professional , So the rupee’s rising. Now why’s that causing sleepless nights for some software exporters? And hey, what’s the net impact on you? . Does this rise of the rupee present a great opportunity that could have far-reaching positive consequences ? What is the future of Indian IT industry ? What will happen when other low cost destinations for outsourcing catch up with India ? Will India sustain it’s cost advantage ? These are questions that impact your career and you need an answer on how and what you need to do to get ready for the next wave of Indian IT . www.techtrails.com has the answers for you . This is the only web portal of it’s kind that will help you as a IT professional or a student planning a career in IT to get ready for the future . Thought leadership articles , interviews with industry leaders , tips and tricks , white papers www.techtrails.com has it all . Besides you would get invited to free seminars and panel discussions on topics t Read more:Introducing
App Security Testing Cheat Sheet 2007-09-10 07:20:00 Hi,I thought to prepare a brief cheat sheet for Application Security Testing
.Please have a look and drop in your views. In case you wish to use it for your testing, please drop me a mail at dharmeshmm at gmail dot com to notify me about it.Authentication Checks1. Login and Change Password pages on SSL?2. All sensitive pages (accepting SSN, Credit Card) over SSL?3. Strong Password Policy? (Joe Accounts/Blank Passwords/Max Password Age/Min Password Age, etc)4. Is Forgot Password page secure?5. Password Change forced on 1st login?6. Re-authenticate before moving to sensitive pages (Edit Account Info?)7. Prompts old password before changing password?8. Has "Remember Me" feature? If so, how's password stored?9. Warns before allowing "Remember Me"?10. Has CAPTCHA to prevent password guessing?11. Does show error msgs like "Invalid User/Invalid Password"?12. Can auth. be by-passed for priviledged URL's?13. Is AutoComplete set to OFF?14. Is password re-submitted on 'Back/Refresh' of browser Read more:Cheat
Get into pay sites for free as a Googlebot 2007-09-10 04:34:00 Ever wondered why Google returned search results that lead to sites that require a registration? How did Google index the site without a registration? Many sites want their site indexed in Google to receive more hits, so they allow Googlebots in. Because of this reason we can take advantage of this. All we have to do is disguise ourself as a Googlebot and many sites will let us in without registration.To do this we have to change the User Agent. The user agent defines the browser and what version you are using. For example if you go to this site it will tell you what browser you are using, and it finds this info out by the user agent.Changing the user agent is easy, to do this in Opera you have to uses these settings:User Agent: Googlebot/2.1 Compatible: http://www.googlebot.com/bot.htmlFirefox users can use this extension and import this file (right click and save) that has a huge list of user agent settings including Googlebot/2.1 and many other spiders/bots.Internet Explorer users
OWASP Mumbai Meet : 6th September 2007 2007-08-08 05:43:00 Mumbai Celebrates OWASP Day : OWASP Live 0 OWASP Day - Day of Worldwide OWASP One Day Conferences Date: 6th September
, 2007 Timing: 2:30 PM to 6:00 PM Venue: HOTEL HEAVENS INDIA Plot No A-1, Opposite SDF 4, SEEPZ, SEZ, ANDHERI (E)- MUMBAI Registrations - LIMITED SEATS !!! The event is FREE to attend. If you are willing to attend, just send a mail with (Your Name, Your Organization, Designation & Contact Number) as details to dharmeshmm at mastek dot com to receive a confirmation. Venue Entrance - GATE PASSES NOTE: The venue is inside SEZ (Special Economic Zone). Entry to SEZ is very restricted. The visitor can only enter via a company gate pass. The gate pass for the event will be provided on behalf of MASTEK LTD as organization. The gate passes will have to be collected from the SEEPZ SEZ Main Gate (Gate #1). Any vehicle (Two wheeler or Four wheeler), Cameras, Video Recorders, Laptops / CD’s / DVD’s or any other form of Digital Media is NOT ALLOWED inside SEZ (v Read more:Mumbai
You can be arrested for using free Wi-Fi 2007-07-25 22:50:00 A Michigan man has been arrested
and will be prosecuted for using a cafe’s free Wi-Fi network from his car without buying anything. According to reports, Sam Peterson says he didn’t realize he did anything illegal until he was cuffed (nor did the cafe owner or even the police officer). Prosecutors believe him, so they’re letting him off easy with a $400.00 USD fine and 40 hours of community service. So let me get this straight - $400.00 and 40 hours of community service is considered being let off easy? Apparently under Michigan’s “Fraudulent access to computers, computer systems, and computer networks” law, Peterson’s actions could result in a five-year felony and a $10,000 fine, so I guess the answer is yes. If the prosecutor and the cop believe him, they should just let the guy walk completely. Moral of the story… if you plan on using the “free wireless internet” at your local Cafe Coffee Day, Cross Word Store or other favorite hangout, be sure to buy somethin
Big B Watching or Is this Intrusion of Privacy? 2007-06-10 12:09:00 I ain't talking about Big B - Amitabh Bachhan here....This is about Big Brother - our own police force.I read an article in Hindustan Times (April 30th, 2007). In first-of-its-kind intitative to tackle cyber-crime, the Nashik police is keeping an electronic eye on cyber cafe users. They aim to maintain real-time photo record of users at cyber cafes and the times spent surfing. This is all done using a software called Webcafe.Hence if a user goes to a cyber cafe, his photo, name, address and identity proof gets recorded into the main server which would be connected to a central server located at police head quarters. So everytime a user logs on to a computer the details would be automatically transeferred to the police servers. I saw similar kind of photograph based logs in Hyderabad when I was touring. Now with these kind of systems coming in place, we would hope that cyber crimes would reduce atleast from cyber cafes as point of origin. I am still not seeing such measures from cyber Read more:Watching
, Intrusion
, Privacy
Security Concerns in Web 2.0 2007-04-24 03:30:00 Hi,I did get a chance to submit a paper on security concerns in Web 2.0This paper has been published by OWASP now and is available at link below:PDF version:http://www.owasp.org/index.php/Category:OWASP_PapersHTML version:http://www.owasp.org/index.php/OWASP_Papers/Jeopardy_in_Web_2_0Happy reading !!!Please feel free to drop in your comments about the paper.You can mail me at dharmeshmm_at_gmail_comWregs,Dharmesh M MehtaMastek Ltd. Read more:Security Concerns
Things to ponder for securing your UI 2007-03-31 02:46:00 #1. Clearly describe how to set security· Ensures that UI reduces the level of complexity in configuring and managing security· Are there features to test roles?· Will users understand how the test features work?· What are Default Security Roles for New Objects· When objects are created, what are the default security settings?· Are users informed what the security settings are?· Default Security Roles for Updated Objects· What is the default security mode for updated (sub-) objects?· Are users aware of the default security permissions?· Is the security mode appropriate?· When updating the object, will users think/be prompted to change the security?· Are there Multiple Methods of Setting Security:· Are there are multiple methods of setting security for an object?· How are the methods different?· Do users understand the key differences between the methods? (Will the
How do you get Web Testing the right way? 2007-02-04 02:57:00 With the eminence of Internet in business and culture which has expanded the applications to evolve in complexity and scale, it has become very crucial for organizations to build webs for scalability and rigor. The webs with capability to withstand expected (and unexpected) spikes and peaks in load are in the insight.As web applications are becoming increasingly mission-critical, errors can mean disastrous strikes to a company’s business and reputation, as well as exposure to potential legal and financial liability.With global access to systems, nonfunctional requirements such as security, performance, scalability, and availability suddenly become strategic. Many Internet systems are tested for performance and scalability only after the bulk of the functionality is built. Since companies now realize that errors in web application performance andfunctionality can be insidious, occurring as a result of multiple causes, and risky andcostly to fix, they are becoming more proactive in the Read more:Testing
Security among The Hottest Skills for 2007 2007-01-02 03:03:00 With fewer openings this year, expect these five premium skills to win the jobsTop skills IT executives say they will hire for in 2007:1. Programming/application development2. Project management3. IT/business analysis4. Security5. Help desk/technical supportSource: Computerworld's quarterly Vital Signs survey Read more:Skills
Using Google to View MySpace or Any Restricted Site 2006-12-22 05:32:00 Most companies and schools employ proxy servers to filter unwanted sites so employees won't waste precious company resources surfing sites that the companies deem unproductive. While the use of proxy servers to block unwanted sites may be understandable in commercial cases, there are also companies that are overdoing it, banning almost all websites and creating a lot of inconvenience to their employees. If you are in such an environment, what can you do about it? One way is to use an anonymous proxy server (such as http://www.spysurfing.com/). But once the system administrator learns about this, he will likely block this site as well. A much more foolproof way is to use Google
(yes, you read that right).Google Translate is a translation service provided by Google to help you translate text or web pages to the language you desire. Some of the languages supported include English, Simplified Chinese, Spanish, French, German, Korean, Japanese, etc. If you want to translate a page from o Read more:MySpace
UI Security Check #1 2006-11-20 02:26:00 I was trying to collate a few checks for Web UI Security. Here are somethings for check ONE....I invite people to put in their suggestions and comments for the same.#1. Does the UI disclose information that might compromise the security of the system?Don’t provide information in error messages that might compromise the security of the system.Don’t reveal data store locations and URL’s when they are not necessaryMask sensitive information such as SQL Server name, User ID, PasswordDon’t return errors with cross-site scriptsDon’t allow links to open executablesDon’t provide error information with clickable links. Convert links to plain text to encourage these to be scrutinized prior to being launchedEnsure that logs are correctly stripped of sensitive informationRelevance: Developer Read more:Check
Web Services Design Security Considerations 2006-11-15 03:43:00 Web Services
Design Security Considerations
I. Information Gathering WSDL Retrieval: Identify web method call mechanicsSOAP Error MessagesWeb Method Enumeration: Identify methods not published in the WSDL.II. Parameter Manipulation Identify mishandling of numerical fields, character strings, Base64 data handling, etc.Identify SQL Injection/XPATH Injection VulnerabilitiesXML input data is validated based on an agreed schema.If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links). Messages are digitally signed to ensure that they cannot be tampered with.Determine whether the logging mechanism is vulnerable to arbitrary entry creation via carriage return and line feed injection.Assess the possibility of inserting HTML tags into a HTML based log.Assess the possibility of inserting XML elements and/or attributes into an XML based log.Deter
Alternative to IE and Firefox 2006-11-08 05:11:00 An interesting alternative is SecureIE (www.secureie.com) which costs 30$ and seemsto outperform Firefox
and IE in the security field (http://tinyurl.com/bjayn). Read more:Alternative
Mitigating XSS Attacks in ASP.NET Apps 2007-10-25 06:12:00 Most of the security analyst must be finding it difficult to completely eradicate chances of Cross Site Scripting Attacks. As far as Microsoft ASP.NET platform goes, it does provide a directive called ValidateRequest to check for input containing malicious code.This directive was present since .NET 1.1 version. However, I find several cases where the application team deviates from having this directive set to true for some business reasons. For eg. there is a rich text box in the web page which must allow any kind of input data. If ValidateRequest is configured for this web page or for the application as a whole, it will throw HttpRequestValidationException before the input is even processed by your code. So we started recommending that you must use output validation i.e HTMLEncode all data echoed back on web page. You could also use the new Microsoft Anti-XSS library.In conclusion, ValidateRequest should be turned on if it does not block valid user scenarios. However, even with Vali
PCI DSS Applicability Information 2007-10-23 23:45:00 * These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
Managing Account Lockout 2007-10-31 23:16:00 User Account
s are vulnerable to dictionary attacks or brute force attacks. These attacks are ones where user credentials are deduced through successive attempts.Using tools or scripts enable the attacker to automate the process and establish a positive match more quickly and efficiently.The "Good Practices" would be:Design usernames which are not predictable or guessable.Strong password policy.Disable user account after n failed login attempts which are successive.You could also consider locking out account for a specified amount of time. For e.g. 30 mins. Display generic error messages to user on failed login attempt. E.g. "Authentication Failed - Invalid Username / Invalid Password / Account LockedNo automatic account lockouts for admin accountsImplement CAPTCHA's to prevent bots or automated username/password guessing.
Clear Text Secrets 2007-11-06 12:14:00 We often find applications storing secrets in a non-encrypted form which presents a severe security risk. If an attacker was able to retrieve & read the secrets, it could lead to compromise of the application, host or network, loss of revenue, loss of confidence of the user with the application."Sensitive"data like User Credentials, cryptographic keys must never be stored, cached, or sent unencrypted. For instance: logon passwords, PINs, credit card numbers, telephone calling card numbers, session ID that can be used to gain access to goods, services, or confidential information must always be stored and sent encrypted.Avoid using proprietary encryption algorithms. Use trusted and proven standard algoriithms for encryption and have key lengths of at least 128 bits. Secure Socket Layer (SSL) must be configured to use at least a minimum of 128bit encryption and must not be allowed to fall back or accept weaker levels. Applications which use SSL must ensure that non-SSL connections Read more:Clear
, Secrets
Is virtual keyboard been considered? 2007-11-14 11:06:00 Phishing is an attack where the attacker sends a mail making it look as if it has come from a bank or a financial institution and lures the victim into entering his sensitive information. Image based keyboard
(or virtual
keyboards) were invented to make life harder for banking or phishing Trojan horses (specifically key-stroke loggers or key loggers), some even suggested they be used specifically to avoid these Trojan horses.
Recommend Site To A Friend
