Sunday, February 25, 2007

Separating actual urls hidden behind the link can help reduce phishing

Lately i have been getting a lot of phishing emails in my inbox. Over the years yahoo has done a good job in redirecting those to spam folders. Of course every now and then one or two might slip through the cracks but its only until recently when i started getting a lot of phishing emails in my inbox. Emails for washington mutual, paypal, bank of america, etc. It didnt matter if i have an account with them or not. Luckily Over time i have developed a habit of dragging my mouse over the link to see what is the actual url behind the link. Sure enough, it was taking me to some other website instead of what was shown in the link. What surprises me most is that though phishers have been using the same old method of deceiving the users by making them click on fake urls, the industry is still trying to find all the possible means but not separating the actual url from the link.

Here is an example. I received this in my yahoo mail today. If you drag your mouse over the link, you will see the actual url is something else as mentioned in the link. (Be careful if you click on the url)

I know its an ongoing battle between the product managers and the security professionals on Where do you draw a line between a feature and the security. Allowing a user to click on a url is the basic feature of a html page. Html emails use the same feature which is exploited by the phishers and with a great success rate. The point i am trying to make here is email providers are spending a lot of money in creating a robust phishing detection mechanism but giving no attention to the urls. How hard it is to match the actual url with the text mentioned in the link. If it doesnt match then based on other criterias it can be marked as phishing email/spam. If they dont want to mark it as phishing emails, the least they can do is display the actual url separately from the link and let the user copy and paste it, if they want to. Its not a huge inconvenience to the user but at the same timeit can help reduce phishing attempts from the malicious people.

If a phishing url could be displayed like this, (

then at least the customer is not fooled and if he copies and pastes the wrong url then there is no solution to that.

Friday, February 23, 2007

Reflection on Jeremiah Grossman

Today’s personality is again well known for its contribution to the world of web application security. Jeremiah Grossman is an expert in webappsec and is a CTO and a co-founder of Whitehat Security. He is also a founding member of Web Application Security Consortium. Jeremiah started hacking around 1991-92 but it was only until 2000, he took it as a profession when he was working for yahoo where he performed various web application security related activities. Over the years he has done a lot of web application security R&D and contributed to the community in various ways. He has spoken at numerous conferences, published a lot of articles, shared a lot of research ideas and made various other contributions including but not limited to Internet Security Apache Benchmark Group and Web Application Security Consortium. In his spare time he trains in Brazilian Jiu Jitsu and play australian rules football and his specialty is web application security, web development, Australian rules football and video game hacking.

Jeremiah is based out of San Jose, CA and is only 29 years old and has spoken at numerous conferences all over the world including Black Hat, ISSA, ISACA, NASA, RSA, OWASP, AFITC, Stanford and many other industry events. His research, writings, and discoveries have featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Below is a compilation of most of his work, which by no means, covers his entire contribution.

Articles / Books:-

Ten Things You Should Know about Web Application Security

The 80/20 Rule for Web Application Security

Chasing Vulnerabilities for Fun and Profit

Myth-Busting AJAX (In)Security

Myth-Busting Web Application Buffer Overflows

Pay Now or Pay Later: Obtaining ROI from Web Security

Technology Alone Cannot Defeat Web Application Attacks,289483,sid92_gci1189767,00.html

Insecure Web Sites

Thwarting SQL Web Hacks

Top 5 Myths of Web Application Security

Web Application Security 101

What Phishers Know That You Don't

Cross-Site Scripting Worms and Viruses

Top 10 Web Hack of 2006
Most of the recent ones are listed here:

Automated Scanner vs. The OWASP Top Ten

He is also co-authoring a book on XSS to be released tentatively on March 1, 2007
Cross Site Scripting Attacks: XSS Exploits and Defense

He also wrote the foreword for two books:-

Preventing Web Attacks with Apache

Hacking Exposed Web Applications, Second Edition



Hacking Intranet Websites from the Outside (Session code: HT2-107)

Hacking Intranet Websites from the outside - "JavaScript malware just got a lot more dangerous"

Phishing with super bait

Challenges of Automated Web Application Scanning

Webserver Fingerprinting

The land that application security forgot

Hacking Intranet Websites from the Outside with JavaScript Malware Dang (CSI NetSec)

StillSecure, After all these years, Podcast #28

Cross-Site Tracing (XST)

Automated Scanners vs. Low-Hanging Fruit

Speaking engagements:-

Jeremiah Grossman TV interview with ABC News (AU)

ISSA NORCAL Systems Security Symposium 2004, Network Security Conference 2004 – Web Application Security Auditing

Black Hat 2006 - Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"

Black Hat 2005 - Phishing with Super Bait

Black Hat USA 2004 - Panelist

AITP Central Valley – Web Application Security

ISSA Sacramento 2004 – Auditing Web Applications

Blackhat Seattle 2004

BlackHat Windows 2003 – Hacking Web Applications Training Class, Detecting Web Application Attacks Presentation

Blackhat New Orleans 2002 – Web Application Security and Arsenal

Blackhat Europe 2001 – Web Application Security

Air Force Information Technology Conference 2001, Web Application Security

DefCon Las Vegas 2001 – Web Application Security in Theory and Practice

Speaker and Panelist for the Web Application Security Forum (Tokyo, Japan) - “WASC Activities and U.S. Web Application Security Trends”

Blackhat Singapore 2002 – Web Server Fingerprinting - "A first look into web server fingerprinting"

Podcast with ITRadio (Risky Business #1)

Credit Union Information Security Conference Panelist 2004

Washington Software Alliance 2003 / ISSA Pugeot Sound 2003 / Blackhat Federal 2003 / SuperCIO 2003 / NASA AMES 2003 – Challenges of Automated Web Application Scanning

ISSA San Diego – Auditing Web Applications

ToorCon San Diego 2001 (Couldn’t find the url)

Proof of concepts:-

Intranet Hacking

Browser Port Scanning without JavaScript

Bypassing Mozilla Port Blocking

I know if you're logged-in, anywhere

I know where you’ve been

Goodbye Applet, Hello NAT'ed IP Address

JavaScript Array Overwriting - Advanced Web Attack Techniques using GMail

Tools written by him:-

WhiteHat Webserver Fingerprinter (no longer available)

Scoring Tool CIS for the Apache Benchmark

WhiteHat Arsenal (no longer available)


WASC Co-Founder



Companies worked for:-

Amgen, Yahoo, WhiteHat



He is a man of ideas and thinks differently from others. His blog is amongst the most followed blogs on information security. A must follow figure in web application security to stay current with emerging threats and news.

Last Week – RSnake
Next Week – Ivan Ristic

Tuesday, February 20, 2007

Compliance - is it worth the money?

While surfing through the net i found a posting on compliance

Though it was more of a ranting on the compliance but it certainly made me think my experience on PCI compliance.

I do agree that compliance has a place in the industry. In my experience, had it not been for compliance, many companies have not paid attention towards web application security at all. Unfortunately, many of the product managers or project managers (in big enterprises) still do not understand the issue of web application security (or should i say don't want to understand) and hence we see a lot of vulnerable applications out there. As for small and medium businesses, the sheer cost of securing web applications in itself makes them not go for the solutions. Compliance in a way is forcing them to do something about it. However, the problem starts from the governing agencies enforcing compliance. Take PCI compliance for example. It all started as a good idea to enforce companies to secure customer information but then they lost focus along the way. It is OK as long as you are making sure if the network and the applications aren't vulnerable but if you want to enforce a company to have source code audit by an independent third party, that is where it gets ridiculous.
What about companies who doesnt want to reveal their source code? what if it is proprietary software? Can I trust the company who is doing my source code audit, more importantly can I trust the person who is doing my source code audit? We have seen cases of hackersafe signing websites that they are safe from hackers and we have seen cases of bank's employees (who are the guardians of the customer information) selling the very customer information to the outside agencies. Who can I trust? Not to say what is the guarantee that the person doing the source code audit has enough knowledge of the language and more importantly where are the secure coding guidelines for us to follow?
The sheer cost of doing web application security compliance including black box testing, white box testing, source code analysis, web application firewall, etc, etc will run into hundreds of thousands of dollars (as we saw in RSA Conference) and not to mention the amount you have to pay for the auditors.

The other ugly side of compliance is auditing companies. For PCI compliance, there have been too many companies doing auditing for price ranging from $1000 to $13000. This confused me in the beginning and I started to ask questions about what is the value addition for that extra money and after doing a lot of research, I found out it's not about the value addition for the extra money, it's about saving your neck. When you can buy a compliance certificate for $1000 then why do you want to pay $13000. Of course, if you really are concerned about your security and want to do things the right way, then the price definitely will not be $1000.

I am sorry to say but compliance has become just another way for auditing companies to make money and the real message has gotten lost.

Thursday, February 15, 2007

Reflection on RSnake

If you have heard of XSS cheat sheet or then you already know him. His name is Robert Hansen or more popularly known as RSnake. If there is any mention of XSS, there is a big chance RSnake’s name or its cheat sheet is mentioned along with it. His contribution in the web application security awareness is legendary. On two of his many web sites ( and ) you will find a wealth of information on various aspects of webappsec. His XSS cheat sheet is arguably the most referenced link in the webappsec space with 27000 hits in the month of January ’07 alone and has around 10,000 unique visitors per day (not counting the RSS feeds) making it probably the most followed blog in webappsec field. He has shared his technical expertise with a lot of industry professionals in their work including but not limited to working with Microsoft engineers to address XSS issue, Cloaking to Stop Scraping, and his discussion with the author of the chilling effect.

Looking at his past, he started hacking when he entered college, which was when the web applications were just getting started. In his words

"I'm a college dropout but was studying Computer Engineering. It was way too boring. They were dealing with the theoretical nuances of computers and outdated technology (Pascal pseudo-code on Macintosh assembler). At the same time that I was going to school, in my part time jobs I was doing in practice what my professors could only barely grasp from a theoretical perspective. This was pre-bubble and my parents and my teachers were telling me to get out there and make my millions. I took angel funding for a project, and everything seemed to be going well, but then the stock market crashed, investment money dried up and I learned a hard lesson. It was the day I closed up shop at my own company that I learned everything I need to know about business.
My first PERL script was a top100 list for (long gone now). I had a lot of people trying to hack it. It was a fun experiment that I finally gave up on due to time issues, but it gave me a lot of insight into how you can spoof traffic. Hackers have some of the most interesting traffic on the Internet. It's a pleasure to host security sites, because I get great visibility into the techniques and tools.”

RSnake is currently based out of California but is planning to move to Texas, US and start his own company SecTheory. In the WASC meetup I got a chance to meet with him, and for a person who is known and respected by the hackers and security professionals alike, he is very down to earth and with a good sense of humor, unlike a typical geek. Below are some of his contributions to the webappsec community. I say some because the information below does not represent all his work. Even he has lost track of some of his work over the years.

Articles / Books

PGP Man in the Middle Attack

AcuTrust Entropy Attacks

Hardening HTAccess, Part One

Hardening HTAccess, Part Two

Hardening HTAccess, Part Three

Accessing Trillian Pro Remotely and Through an Encrypted Tunnel

Death By 1000 Cuts – a Case Study

Is your money safe?

Electronic Commerce Insecurity

Internet Mind Games

Apache Information Disclosure Issues or, "How to detect cloaking"

He is also co-authoring a book on XSS to be released tentatively on March 1, 2007
Cross Site Scripting Attacks: XSS Exploits and Defense

Tools written by him:-


MHTML framework

XSS fuzzer


Lots of changes to browser technology over the years. Started a number of security sites, written hundreds of articles, dozens of tools and many sample PoC. He has also presented at Blackhat USA and Networld+Interop on a Security Information Management roundtable (couldn’t find the url)


Web Application Security Blog

Snake Bytes


He had started many security related sites, but these two are most popular

To discuss any aspect on web application security

If you want a break from your work and need a quick laugh


ISSA, CISSP, OWASP, WASC, IASCP. He is also working on something to certify web application security engineers.

Companies worked for:-

He has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer. He is now starting his new company SecTheory - doing boutique web application and network security consulting.


We will see a lot more contribution from him as he is working on some very cool stuff and if you want to stay on top of webappsec then make as the first site you visit to. I wish him all the best in his new endeavor.

Last Week – Amit Klein
Next Week – Jeremiah Grossman

Tuesday, February 13, 2007

I dont want a product, I want a solution

RSA Expo is over, and it was good to see a lot of Web application security products being showcased there. The awareness about Web application security is increasing, and a lot of companies are coming out with new products to protect Web applications. Such products include network and Web application firewalls, identity management, auditing tools, Web application security tools and encryption tools. If there's a way your company can be hacked, there was a product to protect it.

read the entire article here

Thursday, February 08, 2007

Reflection on Amit Klein

For those who are in the web application security field need no introduction to his name. He is an expert and by far one of the best in web application security space. He is one of the early starters of the field and has played a major role in the awareness of webappsec. His contribution ranges from not only identifying vulnerabilities and publishing them but also contributing towards standards like OWASP guide, WASC threat classification or web application firewall criteria. And those who are not aware should know he was the one who also contributed towards the solution for UXSS (pdf xss vulnerability). He is also a WASC (Web Application Security Consortium) officer and a board member and co-leads the WASC articles project.

Based out of Israel, he started back in 1997 with Perfecto Technologies (which later became Sanctum), mostly heading security research activities. Sanctum was later acquired by Watchfire in 2004 which is when he left Sanctum / Watchfire. He is currently a CTO of a security company.

Below you will find a list of his articles, contributions, presentations and other details.


A Refreshing Look at Redirection

Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)

Under some conditions, it's possible to steal HTTP credentials using Flash

Forging HTTP request headers with Flash

IE + some popular forward proxy servers = XSS, defacement (browser cache

Path Insecurity

HTTP Response Smuggling

Domain Contamination

XST Strikes Back

Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a
lot more...

Detecting and Preventing HTTP Response Splitting and HTTP Request
Smuggling Attacks at the TCP Level

NTLM HTTP Authentication is Insecure by Design

Can HTTP Request Smuggling be blocked by Web Application Firewalls

DOM Based Cross Site Scripting

Meanwhile, on the other side of the web server

HTTP Request Smuggling (with Chaim Linhart, Ronen Heled and Steve Orrin)

The Insecure Indexing Vulnerability - Attacks Against Local Search Engines

Detecting and Testing HTTP Response Splitting Using a Browser

Blind XPath Injection

Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning
Attacks, and Other Topics

Secure Coding Practices for Microsoft ASP.NET

XS(T) attack variants which can, in some cases, eliminate the need for TRACE

Cross Site Scripting Explained

Hacking Web Applications Using Cookie Poisoning


OWASP guide to building secure web application


WASC's Threat Categorization (TC)

Co-lead the WASC articles project


OWASP AppSec Europe Conference 2006 – “HTTP Message Splitting, Smuggling and Other Animals”

CERT 2002 Conference, August 2002 - "WWW Forensics"

FM'99 Congress, September 1999 - "A Perfect Verification: Combining Model Checking with Deductive Analysis to Verify Real-Life Software"


Amit is WASC officer and board member.

Companies worked for:-

Sanctum, Cyota (RSA security)


B. Sc. Mathematics and Physics



And this just doesn't end here, you will see a lot more coming from him. He is a must follow figure of the webappsec field.

Next Friday – Reflection on RSnake

Wednesday, February 07, 2007

WASC meetup during RSA conference

Today at WASC meetup, quite a lot of crowd turned out and it was fun meeting a lot of players from the application security field. Here are some of the pictures from the meetup. You will see people like Jeremiah Grossman, RSnake, Arian Evans (Whitehat), Billy Hoffman (SPI), Robert Auger (, etc

You can view more pictures at Jeremiah's blog