Monday, June 24, 2013

OWASP 2013 Top 10 Application Security Risks


A1-Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
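As an added illustration (example code written for this page, not OWASP's), here is the same user lookup written two ways against a constructed in-memory SQLite table. The concatenated version hands the untrusted value to the interpreter as part of the command, so the data can rewrite the query; the parameterized version binds the value separately, so it can only ever be compared as a string. The allow-list at the end covers the one case placeholders cannot handle, a user-chosen identifier such as a sort column. The table, user names and hostile input are all constructed for the example.

```python
import sqlite3

# Constructed in-memory sample data (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # The untrusted value is spliced into the command text, so SQLite parses
    # whatever the user typed as part of the query rather than as a string.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # The query text is fixed; the value is bound separately and can only ever
    # be compared as data, however it is spelled.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Identifiers (table and column names) cannot be bound as parameters, so a
# user-chosen sort column has to be checked against an allow-list instead.
ALLOWED_SORT_COLUMNS = {"name", "email"}

def is_allowed_sort_column(column):
    return column in ALLOWED_SORT_COLUMNS

def list_users_sorted(conn, column):
    if not is_allowed_sort_column(column):
        raise ValueError("unsupported sort column")
    # Safe only because `column` was just validated against the allow-list.
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]

# Constructed hostile input: closes the quoted literal and appends an always-true clause.
HOSTILE_NAME = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, HOSTILE_NAME))     # both addresses: the WHERE clause was rewritten
    print(lookup_parameterized(db, HOSTILE_NAME))  # []: no user is literally named that
    print(list_users_sorted(db, "email"))
```

The parameterized call is the default to reach for; the allow-list pattern is for the few places (ORDER BY, table selection) where the SQL grammar simply has no placeholder.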


A2-Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.


A3-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
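The "proper escaping" depends on where in the page the untrusted data lands. As an added example (written for this page, not OWASP's code), the functions below render the same constructed input into three contexts: element content and an attribute, where HTML entity encoding is the right tool, and an inline script, where it is not and a JSON encoding with `</` neutralised is used instead. The input string, user id and helper names are all constructed.

```python
import html
import json

# Constructed untrusted input (not from the original page): looks like markup.
UNTRUSTED = "<script>notify()</script>"

def comment_vulnerable(text):
    # Raw concatenation: the browser parses the user's text as HTML.
    return "<p>" + text + "</p>"

def comment_escaped(text):
    # Element-content context: html.escape converts the characters that carry
    # meaning in HTML (& < > " ') into entities, so the browser shows them as text.
    return "<p>" + html.escape(text, quote=True) + "</p>"

def profile_link(display_name, user_id):
    # Attribute context: keep the attribute quoted and escape quotes inside it;
    # validate the id so it contributes nothing but digits to the URL.
    if not user_id.isdigit():
        raise ValueError("user id must be numeric")
    safe = html.escape(display_name, quote=True)
    return f'<a href="/users/{user_id}" title="{safe}">{safe}</a>'

def js_string_literal(value):
    # JavaScript context: HTML escaping is the wrong tool. Serialise to a JSON
    # string literal and break up "</" so the value cannot close the script element.
    return json.dumps(value).replace("</", "<\\/")

def inline_script_config(value):
    return "<script>var userName = " + js_string_literal(value) + ";</script>"

def leaks_markup(rendered, untrusted):
    # Check used by callers: the untrusted string must not survive verbatim.
    return untrusted in rendered
```

In a real application this is what a templating engine with auto-escaping does for the HTML contexts; the inline-script case is the one most engines leave to the developer.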


A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
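As an added example (not OWASP's code), the two protections the paragraph names applied to a constructed set of invoice records: a per-request authorization check on the direct key, and an indirect reference map that hands the client opaque per-user handles instead of database keys. The records, user names and handle format are constructed for the example.

```python
import secrets

# Constructed sample records keyed by their database ids (not from the original page).
INVOICES = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 17.5},
}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(invoice_id):
    # The key taken from the URL is used directly: being logged in is the only
    # requirement, so any user can read any invoice by changing the number.
    return INVOICES[invoice_id]

def can_access(current_user, invoice_id):
    # Authorization check performed on every access, not only when rendering links.
    invoice = INVOICES.get(invoice_id)
    return invoice is not None and invoice["owner"] == current_user

def get_invoice_checked(current_user, invoice_id):
    if not can_access(current_user, invoice_id):
        # Same outcome for "does not exist" and "not yours", so the response does
        # not reveal which ids are valid.
        raise Forbidden("no such invoice")
    return INVOICES[invoice_id]

def build_reference_map(current_user):
    # Alternative: indirect references. Each session gets opaque, per-user handles
    # for the objects it may see; the real keys never reach the client.
    return {secrets.token_urlsafe(8): key
            for key, rec in INVOICES.items() if rec["owner"] == current_user}

def get_invoice_by_handle(ref_map, handle):
    key = ref_map.get(handle)
    if key is None:
        raise Forbidden("no such invoice")
    return INVOICES[key]
```

The checked lookup is usually the better choice: it keeps one authorization rule next to the data, whereas a reference map has to be stored per session and rebuilt whenever the user's objects change.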


A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.


A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.


A7-Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.


A8-Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
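The defence follows from the description: the forged request can carry everything the browser attaches automatically, so the server must require something the browser does not attach automatically. As an added example (written for this page, not OWASP's code), the handler below requires a token that is derived from the session and delivered only inside the legitimate form; the request shape, the secret and the amounts are constructed, and the secret would be loaded from configuration in a real deployment.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret (assumption: in a real deployment this comes
# from configuration and is never hard-coded).
SERVER_SECRET = b"constructed-demo-secret"

def issue_csrf_token(session_id):
    # The token is derived from the session, so it only validates for that session.
    # A cross-site page can make the browser send the cookie, but it cannot read
    # the token out of the victim's page, so a forged request cannot include it.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_token_valid(session_id, submitted):
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; a missing token is simply invalid.
    return hmac.compare_digest(expected.encode(), (submitted or "").encode())

def handle_transfer(request):
    """Simulated state-changing POST handler. `request` is a plain dict holding
    the cookies the browser attached and the submitted form fields (a constructed
    shape, not any framework's API)."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])

def demo():
    sid = secrets.token_hex(16)
    # A forged request carries the victim's cookie but no token.
    forged = {"cookies": {"session": sid},
              "form": {"amount": "100", "to": "someone-else"}}
    # The legitimate form was rendered with the token for this session.
    legit = {"cookies": {"session": sid},
             "form": {"amount": "100", "to": "bob", "csrf_token": issue_csrf_token(sid)}}
    # A token issued for a different session must not validate either.
    other = dict(legit, form=dict(legit["form"], csrf_token=issue_csrf_token("other-session")))
    return handle_transfer(forged)[0], handle_transfer(legit)[0], handle_transfer(other)[0]

if __name__ == "__main__":
    print(demo())  # (403, 200, 403)
```

Marking the session cookie `SameSite` is a useful second layer, but the token check is what makes the handler correct on its own.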


A9-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.


A10-Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Friday, May 10, 2013

Ostinato - IPv4 & IPv6 Packet/Traffic Generator and Analyzer

Ostinato is an open-source, cross-platform network packet crafter/traffic generator and analyzer with a friendly GUI. Craft and send packets of several streams with different protocols at different rates.



Features:
  • Runs on Windows, Linux, BSD and Mac OS X (Will probably run on other platforms also with little or no modification but this hasn't been tested)
  • Open, edit, replay and save PCAP files
  • Support for the most common standard protocols
    • Ethernet/802.3/LLC SNAP
    • VLAN (with QinQ)
    • ARP, IPv4, IPv6, IP-in-IP a.k.a IP Tunnelling (6over4, 4over6, 4over4, 6over6)
    • TCP, UDP, ICMPv4, ICMPv6, IGMP, MLD
    • Any text based protocol (HTTP, SIP, RTSP, NNTP etc.)
    • More protocols in the works ...
  • Modify any field of any protocol (some protocols allow changing packet fields with every packet at run time e.g. changing IP/MAC addresses)
  • User provided Hex Dump - specify some or all bytes in a packet
  • User defined script to substitute for an unimplemented protocol (EXPERIMENTAL)
  • Stack protocols in any arbitrary order
  • Create and configure multiple streams
  • Configure stream rates, bursts, no. of packets
  • Single client can control and configure multiple ports on multiple computers generating traffic
  • Exclusive control of a port to prevent the OS from sending stray packets provides a controlled testing environment
  • Statistics Window shows realtime port receive/transmit statistics and rates
  • Capture packets and view them (needs Wireshark to view the captured packets)
  • Framework to add new protocol builders easily.
Some screenshots:

Stream Configuration - Protocol Selection (Simple Mode)

Stream Configuration - Stream Control

Stream Configuration - Packet View


Ostinato aims to be "Wireshark in Reverse" and become complementary to Wireshark.

Here's a screencast showing basic usage:

Download Link: Ostinato


Thursday, May 2, 2013

IPv6 port scanner Tool - Topera

Topera is a brand new TCP port scanner for IPv6, with the particularity that its scans are not detected by Snort.

Snort is the best-known IDS/IPS and is widely used in many different critical environments. Some commercial tools (Juniper or Checkpoint ones) also use it as their detection engine.

Evading Snort's detection capabilities could pose a high risk in some cases.

We keep researching the security implications that the "new" IPv6 protocol will have in different environments.

Get local IPv6 address - Get local Ethernet interface - Sniffer packet counter - Some minor fixes. You can see example executions of Topera in the demo videos below.


Latest Video :


Sample Snapshot:

The following pictures show some execution screenshots:
Topera in TCP port scanner mode:

Run with default options:

# python topera.py -M topera_tcp_scan -t fe80:b100:::c408
 
Run specifying the ports to scan, the delay between connections, and the number of extension headers:

# python topera.py -M topera_tcp_scan -t fe80:b100:::c408 \
-p 21,22,23,80,8080 --scan-delay 0 --headers-num 0 -vvv
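The `--headers-num` option above stacks IPv6 extension headers in front of each probe. As an added, detection-side example (written for this page; not part of Topera, Snort or any IDS), the following walks the next-header chain of a raw IPv6 packet, counts the extension headers it finds and flags chains that are unusually long or that cannot be followed through to an upper-layer protocol. The sample packet is constructed in code, and the threshold of three headers is an arbitrary assumption to be tuned against real traffic.

```python
import struct

# IPv6 next-header values (RFC 8200, RFC 4302) this walker understands.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
TCP = 6

def count_extension_headers(packet):
    """Walk the next-header chain of a raw IPv6 packet.
    Returns (count, upper_layer_protocol); upper_layer_protocol is None when the
    chain runs past the end of the packet (truncated or malformed)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return 0, None
    next_hdr = packet[6]          # Next Header field of the fixed header
    offset = 40                   # fixed IPv6 header length
    count = 0
    while next_hdr in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            return count, None    # every extension header is at least 8 bytes
        following, ext_len = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            size = 8                     # fixed size; the length byte is reserved
        elif next_hdr == AH:
            size = (ext_len + 2) * 4     # AH length is in 32-bit words minus 2
        else:
            size = (ext_len + 1) * 8     # 8-octet units, not counting the first 8
        if offset + size > len(packet):
            return count, None
        offset += size
        count += 1
        next_hdr = following
    return count, next_hdr

def flag_long_chain(packet, max_headers=3):
    # Policy (assumed threshold): more than max_headers extension headers, or a
    # chain that cannot be walked to an upper-layer protocol, deserves a closer look.
    count, upper = count_extension_headers(packet)
    return {"ext_headers": count, "upper_layer": upper,
            "suspicious": upper is None or count > max_headers}

def build_sample_packet(n_dest_opts):
    """Constructed test packet: fixed IPv6 header, n Destination Options headers
    (each 8 bytes carrying one PadN option), then a minimal TCP SYN header."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    exts = b""
    for i in range(n_dest_opts):
        following = DEST_OPTS if i < n_dest_opts - 1 else TCP
        exts += bytes([following, 0, 1, 4, 0, 0, 0, 0])   # next hdr, len=0, PadN(4)
    first_nh = DEST_OPTS if n_dest_opts else TCP
    payload_len = len(exts) + len(tcp)
    fixed = struct.pack("!IHBB", 6 << 28, payload_len, first_nh, 64) + bytes(32)
    return fixed + exts + tcp

if __name__ == "__main__":
    for n in (0, 2, 5):
        print(n, flag_long_chain(build_sample_packet(n)))
```

Feeding this the IPv6 payload of frames read from a pcap gives a per-packet count that can be graphed or alerted on; it says nothing about the scanner itself, only that a host is sending traffic whose header chains are out of the ordinary.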
 

Download Link : Topera

Mirror Download Link 1 : Topera
Mirror Download Link 2 : Topera



Sunday, December 23, 2012

OWASP - Web Security Training

OWASP - Open Web Application Security Project is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies.


OWASP Testing Guide:

January 2004
– "The OWASP Testing Guide", Version 1.0

July 14, 2004
– "OWASP Web Application Penetration Checklist", Version 1.1
Download Link: OWASP Ver 1.1

December 25, 2006
– "OWASP Testing Guide", Version 2.0
Download Link (MS-DOC format): OWASP Ver 2.0
Download Link (PDF format): OWASP Ver 2.0

September 15, 2008
– "OWASP Testing Guide", Version 3.0
Download Link (MS-PPT format): OWASP Ver 3.0
Download Link (PDF format): OWASP Ver 3.0

Video Tutorials :

OWASP AppSec Basics :


OWASP SQL Injection :
OWASP Cross Site Scripting :

OWASP Strict Transport Security :

Setting Up OWASP Web Security Learning Lab with OWASP ZAP :


Installation

Required Software

 Setup

  1. Install VirtualBox
  2. Unzip the OWASP Broken Web Apps VM into any directory (don't pick restricted directories that require admin or sudo to access)
  3. Open VirtualBox and hit the icon for "New"
    • VM Name and OS Type: Enter the name "OWASP-BWA" and select OS "Linux" and Version "Ubuntu"
    • Memory: The default of 512 is fine
    • Virtual Hard Disk: Important: select "Use existing hard disk" and click on the folder.
    • Browse to the unzipped folder contents of the OWASP Broken Web Apps VM. Select "OWASP Broken Web Apps.vmdk". Note: there are similar files ending in -s001. Don't pick those.
    • Click OK to finish VM Setup
  4. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager app and select "Settings" (also available via menu Machine->Settings)
    • Go to Settings->Network->Adapter 1.
    • Make sure the "Enable" checkbox is checked.
    • Change "Attached to:" from "NAT" to "Host-Only Adapter"
    • Click OK
  5. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager app and hit "Start"
  6. After the VM boots, the OWASP-BWA login screen will show the following message (the IP address will be similar but not exactly this):
  7. You can access the web apps at http://192.168.56.101
  8. Open a browser on your main machine (not the VM) and go to this URL. It should load a page that starts with "OWASP Broken Web Applications"
  9. Note: You don't need to actually log in to the virtual machine. Everything is already running.

Common Errors

  • Boot Up Error Message - Kernel requires feature on CPU: pae
    • Power off VM (not VirtualBox, just VM window)
    • Right click on OWASP-BWA on left side and select "Settings" (also available via menu Machine->Settings)
    • Go to System->Processor and enable PAE
    • Click OK and restart VM
  • Host-Only Adapter shows an error message and the Name says "not selected" with no options
    • Go to the VirtualBox Manager (i.e. the main VirtualBox control app, not the individual VM)
    • Go to VirtualBox->Preferences and then select "Network" (note: these are settings for the VirtualBox app overall)
    • There is a text box titled "Host-only Networks:"; it is most likely empty, and this is the problem
    • Click the plus icon on the right to add a new adapter. You should now see "vboxnet0"
    • Click OK and then go back to the VM's settings. You should be able to select the host-only adapter now
  • Keyboard and mouse trapped in VM
    • Mac: Hit the left command button to exit VM control
    • Windows: Left Alt??
    • Simply click back inside the vm with the mouse to regain keyboard control in the VM

Training PDF : Click Here 

OWASP WebScarab Proxy Training:

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

Download

Windows: Click Here or Alternate Link: Click Here

Linux: java -jar ./webscarab-selfcontained-[numbers].jar

Video Training Click Here: http://yehg.net 

Sample Video : 


OWASP WebGoat Training:

WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Download Link : WebGoat V 5.4


Training Documentation :

References to WebGoat documentation or solutions.

Sample Video : 





Hacking-Lab is providing the FREE OWASP TOP 10 hands-on lab as a service to the OWASP Academy Portal and to the OWASP community. This training material is reviewed and approved by the OWASP Academy Portal Project members in order to set and maintain an OWASP-worthy training quality.

Installation :

These are the simple steps I followed on a Windows 7 laptop.


  • Download the Virtual Appliance OVA file to your laptop
  • Download and install the Oracle VirtualBox application onto your laptop
  • Double-click the .ova file in Windows Explorer and the appliance import process should commence in the VirtualBox application. You should see something like Fig 1:
Fig. 1: Oracle VM VirtualBox Manager
  • In the VirtualBox Manager left-hand pane, double-click on the LiveCD-Hacking-Lab-V5.55 entry. The LiveCD should start and after a short while the Welcome screen shown in Fig 2 should appear.
Fig 2: Welcome Screen
You should now be ready to go with the OWASP Security Training.


Training Videos - Hacking_Lab LiveCD

  • How to use 2 different (attacker/victim) browser instances: Learn how to use 2 different (attacker/victim) browser instances (the Firefox profiles are available on LiveCD V5.83 and newer)
  • How to use the ZAP browser in the LiveCD: Tutorial; ZAP Web Inspection Proxy on LiveCD
  • How to setup a landing page on the LiveCD: Tutorial; ZAP Web Inspection Proxy on LiveCD
  • How to import LiveCD in VirtualBox: Learn how to import the LiveCD ova file into VirtualBox
  • How to import LiveCD in VMware: Learn how to import the LiveCD ova file into VMware
  • Run Hacking-Lab LiveCD with VMware 8 Workstation: Learn how to use the LiveCD ISO with VMware 8 Workstation
  • Installation of LiveCD in VMware 8 Workstation: Learn how to install the LiveCD ISO in your VMware 8 Workstation
  • How to open a root shell: Learn how to open a "root" shell
  • Server side VDI solution: Learn how to use the server side VDI solution

Hacking-Lab Download 

Documents and Videos
Hacking-Lab LiveCD

Thursday, December 20, 2012

Android Application Vulnerability / Security Assessment Tools & Framework

Android Security Evaluation Framework (ASEF):

ASEF is an open-source project to perform security analysis of Android apps by various security measures. It performs this analysis while alerting you about other possible issues. It will make you aware of unusual activities of your apps, will expose vulnerable components and help narrow down suspicious apps for further manual research. The framework will take a set of apps (either pre-installed on a device or as individual APK files) and migrate them to the test suite, where it will run them through test cycles on a pre-configured Android Virtual Device (AVD).

ASEF is an open-source tool for scanning Android devices for security evaluation. Users will gain access to security aspects of Android apps by using this tool with its default settings. An advanced user can fine-tune this, expand upon this idea by easily integrating more test scenarios, or even find patterns in the data it already collects. ASEF will provide automated application testing and facilitate a plug-and-play kind of environment to keep up with the dynamic field of Android security.

YouTube Videos:

Demo : Running ASEF to test all installed android apps from an android device on an Android Virtual Device



Short Demo : Running ASEF to test all installed android apps from an android device on an another physical android device

 

Download Link : Android Security Evaluation Framework


Tools :

Mercury v1.1 Tool -

Mercury is a tool for bug hunters to find vulnerabilities and write proof-of-concept exploits in Android applications; simply called an Android apps vulnerability scanner.

Mercury is a framework for exploring the Android platform: to find vulnerabilities and share proof-of-concept exploits.

Mercury allows you to assume the role of a low-privileged Android app, and to interact with both other apps and the system.
  • Use dynamic analysis on Android applications and devices for quicker security assessments
  • Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
  • Write custom tests and exploits, using the easy extensions interface
Mercury allows you to:
  1. Interact with the 4 IPC endpoints - activities, broadcast receivers, content providers and services
  2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
  3. Find information on installed packages with optional search filters to allow for better control
  4. Built-in commands that can check application attack vectors on installed applications
  5. Transfer files between the Android device and your computer
  6. Create new modules to exploit your latest finding on Android, and playing with those that others have found
For those of you interested in vulnerabilities in vendor products, the new version is the start of a collection of these in a framework. The first privilege escalation was included, allowing the escalation to root from Mercury’s unprivileged context. A module was created to check for vulnerabilities in content providers discovered on Samsung devices.

Sample results of running this module on a vulnerable version of the Samsung Galaxy SII is shown below:


Running this on the Samsung Galaxy SIII yields the following:

                               

Security consultants Sample Testing :

The first set of vulnerabilities found by the MWR team was found manually by reviewing the AndroidManifest.xml of each package on the phone. With Mercury, a combination of the attacksurface command and the info command in each section will get you the same results in a tenth of the time. If you are interested in looking for common problems on devices, the scanner modules will be of interest to you. As an example, this is scanner.provider.sqlinjection finding SQL injection flaws in default content providers on an Android 4.0.3 emulator.



Don’t get too excited, these SQL injection vulnerabilities don’t lead to any serious information disclosure, but you get the idea right? Don’t just look at content provider problems because these tools are available. Content providers are the tip of the iceberg! Ask us questions or bounce ideas. Create new modules with Mercury. Go forth and innovate!

Download Link: Mercury v1.1

 

 





Wednesday, December 19, 2012

Fern Wifi Cracker - Wireless Penetration Testing Tool

Fern Wifi Cracker is a wireless security auditing and attack software program written using the Python programming language and the Python Qt GUI library. The program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or Ethernet based networks.

                          

Features


Fern Wifi Cracker currently supports the following features:
  • WEP Cracking with Fragmentation,Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack
  • WPA/WPA2 Cracking with Dictionary or WPS based attacks
  • Automatic saving of key in database on successful crack
  • Automatic Access Point Attack System
  • Session Hijacking (Passive and Ethernet Modes)
  • Access Point MAC Address Geo Location Tracking
  • Internal MITM Engine
  • Bruteforce Attacks (HTTP,HTTPS,TELNET,FTP)
  • Update Support

Operating System Supported

The software runs on any Linux machine with the program's prerequisites, but the program has been tested on the following Linux based operating systems:

Prerequisites

The program requires the following to run properly:
The following dependencies can be installed using the Debian package installer command on Debian based systems ("apt-get install program") or otherwise downloaded and installed manually.

Installation

Installation on Debian package supported systems:

root@host:~# dpkg -i Fern-Wifi-Cracker_1.6_all.deb



Screenshot:

Aim

• Crack the Wifi using Fern Wifi Cracker.

HOW TO OPEN FERN-WIFI-CRACKER

• To open Fern, follow the steps:
• Backtrack > Exploitation Tools > Wireless Exploitation Tools > WLAN Exploitation > fern-wifi-cracker
• See the below image for more details:

SELECT INTERFACE

• The first step is to select the interface.
• Here in my case I have selected the wlan0 interface.
• See the below image for more details:

SCANNING ACCESS POINT

• To scan for Access Points, click on the 2nd button (wifi icon).
• See the below image for more details:
• Once you get the Access Points, various APs with WEP and WPA are detected.
• See the below image for more details:

WPA Cracking with WPS Attack:

Video Tutorial:

Session Hijacking With Fern Wifi Cracker

Bruteforcing Routers with Fern-Wifi-Cracker

Download Link: Click Here

Tuesday, December 18, 2012

Arachni - Web Application Security Scanner Framework

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. Arachni is smart: it trains itself by learning from the HTTP responses it receives during the audit process.
Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity.

This way, attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.








Currently available modules:

• Audit:
  • SQL injection
  • Blind SQL injection using rDiff analysis
  • Blind SQL injection using timing attacks
  • CSRF detection
  • Code injection (PHP, Ruby, Python, JSP, ASP.NET)
  • Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
  • LDAP injection
  • Path traversal
  • Response splitting
  • OS command injection (*nix, Windows)
  • Blind OS command injection using timing attacks (*nix, Windows)
  • Remote file inclusion
  • Unvalidated redirects
  • XPath injection
  • Path XSS
  • URI XSS
  • XSS
  • XSS in event attributes of HTML elements
  • XSS in HTML tags
  • XSS in HTML ‘script’ tags
• Recon:
  • Allowed HTTP methods
  • Back-up files
  • Common directories
  • Common files
  • HTTP PUT
  • Insufficient Transport Layer Protection for password forms
  • WebDAV detection
  • HTTP TRACE detection
  • Credit Card number disclosure
  • CVS/SVN user disclosure
  • Private IP address disclosure
  • Common backdoors
  • .htaccess LIMIT misconfiguration
  • Interesting responses
  • HTML object grepper
  • E-mail address disclosure
  • US Social Security Number disclosure
  • Forceful directory listing




Sample Report:



To scan via the more user-friendly Web User Interface, just run:

arachni_web_autostart

This will set up a Dispatcher and fire up the WebUI server for you.

Then, point your browser to http://localhost:4567, accept the default settings and start the scan.


Download Link: Click Here