Monday, June 25, 2007

Reflection on Cesar Cerrudo


This week on reflection we have someone who has done a lot of database research, published several advisories, and presented at Blackhat, CanSecWest and other conferences on database security. Cesar Cerrudo works for his own company “Argeniss” and has contributed a lot to making some of today's databases more secure. He has also identified a lot of vulnerabilities in Microsoft Windows, Microsoft Commerce Server, etc. He is passionate about application security and a big believer in the open source community, both for software and for books. Cesar shares his journey with application security in his own words:

"I think I always have had a "hacker mind", to call it in some way; I remember being a child and breaking things to look inside. When I was 10 or so I got my first computer, a CZ Spectrum (I don't remember the exact model), but it ran BASIC. When I wanted to learn how to use it and to code in BASIC, I went to a place for kids but got bored after many days of being taught PRINT "HOLA MUNDO" only, so I used that computer for games (games were stored on an audio cassette tape and loading them required playing it in a cassette player). I learnt a few tricks looking at the guy from a store that recorded games, so I started to modify screens when the games were loading; I also hacked multilevel games by loading parts of one level and the rest from a different level, which for my age was a big deal. After a couple of years I stopped using that computer and I didn't do anything computer related for several years apart from taking a few boring classes of MS DOS, QPRO, Lotus, etc. When I was 19 I started to study Computer Science but I didn't have a PC (they were a bit expensive on this side of the planet Earth), so I only read old books available at the university and played with a friend's computer; in those days the challenge was to try running cool games on old computers, and I became an expert in MS DOS :)

I remember one day being very excited because I found the assembly code from a MS DOS virus in one of the PCs at the university; I spent several hours with an old assembly book (thanks Norton-Socha!) until I learnt how the virus worked (in the process I learnt some x86 assembler without coding it on a PC). After some time I started to work on client/server software for a couple of different local companies, and one of the companies had Internet access, so I started using the Internet and, since I always liked hacking, the Internet was a really good source of information, so I started to learn something about hacking for the first time. I was lucky since I had a good academic background in programming, computers, etc., so I didn't end up reading and learning stupid things, but because I had an old PC and no Internet access at home I couldn't test much of the stuff I learnt. Then I took up a new job where I started using the Internet frequently and started trying things in my free time; this was like 7 years ago and that was when I started with webappsec. I had worked a lot with MS SQL Server, so when I first read about SQL Injection I was really amazed by it and I started to create my own techniques, tools, etc.

That's when I started to play with MS SQL Server, and after some time I found my first vulnerability, then the next one and so on, until I realized I had found dozens of vulnerabilities in MS SQL Server. I also learnt how to code exploits and new techniques for finding vulnerabilities; since then I have found several vulnerabilities in MS Windows, Oracle Database Server, etc. I have also created new exploitation and attack techniques. A few years ago I designed and wrote a complete web application scanner for a security company; the scanner at that time was better than other available web app scanners, but because of some patent issues the product stopped being sold (hurray for Watchfire!!!). Currently I do research on application security, mostly focused on database security, and in my spare time I like to hack MS Windows :)

I always try to keep big vendors improving on security; I don't care if I have to publish 0day vulnerabilities or controversial papers in order to accomplish that. I have been offered to write books, but the only way I can write or contribute to a book is if it will be available for free in some way (electronic, etc.). I know what it is not to have resources for learning; all people should have easy access to knowledge, books only make money for the editors and people without money can't get them."


Based out of Parana, Entre Rios, Argentina, Cesar is 31 years old. Below is a list of his contributions to the community:


Articles:-

Hacking databases for owning your data
http://www.argeniss.com/research/HackingDatabases.zip

Practical security audit: Oracle case
http://www.argeniss.com/research/10MinSecAudit.zip

WLSI-Windows Local Shellcode Injection
http://www.argeniss.com/research/WLSI.zip

Story of a dumb patch
http://www.argeniss.com/research/MSBugPaper.pdf

Demystifying MS SQL Server & Oracle Database Server security
http://www.argeniss.com/research/SQL-Oracle.zip

Hacking Windows Internals
http://www.argeniss.com/research/hackwininter.zip

Auditing ActiveX Controls
http://www.blackhat.com/presentations/win-usa-04/bh-win-04-cerrudo/bh-win-04-cerrudo.pdf

Hunting Flaws in SQL Server
http://www.appsecinc.com/presentations/Hunting_Flaws_in_SQL_Server.pdf

Manipulating Microsoft SQL Server Using SQL Injection
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf


Tools written by him:-

DataThief
http://www.argeniss.com/research/HackingDatabases.zip

Shared section tools
http://www.argeniss.com/research/hackwininter.zip


Contributions:-

WASC - Web Security Threat Classification


Advisories

Microsoft Windows Kernel GDI local privilege escalation procedure
http://www.argeniss.com/research/ARGENISS-ADV-110604.txt
http://www.argeniss.com/research/GDIKernelPoC.c

Oracle Database Server Directory traversal
http://www.argeniss.com/research/ARGENISS-ADV-030501.txt

COM+ Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

COM Structured Storage Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
http://www.argeniss.com/research/SSExploit.c

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

Vulnerability in Windows LSASS Could Allow Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

Multiple vulnerabilities in Oracle Database Server
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf

Vulnerability in Utility Manager Could Allow Code Execution
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx

Utility Manager Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Biztalk Server Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS03-042.mspx

Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/8008

Yahoo! Chat and Messenger Hostname Buffer Overflow Vulnerability
http://secunia.com/advisories/8924/

Multiple buffer overflows in DBCC and SQL Injections
http://www.appsecinc.com/resources/alerts/mssql/02-0011.shtml

BULK INSERT buffer overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0010.shtml

Encoded password written by service pack
http://www.appsecinc.com/resources/alerts/mssql/02-0009.shtml

Microsoft SQL Server: Buffer Overflows in numerous extended stored procedures
http://www.appsecinc.com/resources/alerts/mssql/02-0000.html

xp_dirtree Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0007.shtml

Heterogeneous Queries Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0008.shtml


Conferences:-

Hacking databases for owning your data - Black Hat Europe 2007
http://www.blackhat.com/

Practical security audit: Oracle case - Black Hat DC 2007
http://www.blackhat.com/

DataTheft - How databases are hacked and how to protect them - No cON Name 2006
http://www.noconname.org/

WLSI - Windows Local Shellcode Injection - Black Hat Europe 2006
http://www.blackhat.com/

WLSI - Windows Local Shellcode Injection - EUSecWest/core06 conference
http://www.eusecwest.com/

Database Hacking and Security - Web Application Security and Hacking
http://www.websec.com.mx/

Demystifying Microsoft SQL Server & Oracle Database Server security - Black Hat USA 2005
http://www.blackhat.com/

Hacking Windows Internals - cansecwest/core05 conference
http://www.cansecwest.com/

Hacking Windows Internals - Bellua Cyber Security Asia 2005
http://www.bellua.com/bcs2005/

Hacking Windows Internals - Black Hat Europe 2005
http://www.blackhat.com/

Auditing ActiveX Controls - Black Hat Windows 2004
http://www.blackhat.com/

Hunting Flaws in MS SQL Server - Black Hat Windows 2003
http://www.blackhat.com/


Company working for:-

Argeniss


Companies worked for:-

Application Security Inc.


Website:-

http://www.argeniss.com/


Email:-

Cesar<(at)>argeniss<(.)>com


Education:-

Analyst programmer


Cesar is very driven and passionate about application security, and is one of the best in database security. Though he doesn't have a blog right now, you can get all the information on his website, along with the whitepapers and the latest on database security.

Last Week – Alex Stamos

Next Week – Dinis Cruz

Monday, June 18, 2007

Reflection on Alex Stamos


This week on reflection we have Alex Stamos from iSEC Partners Inc. Alex has been involved in webappsec for some time now and has presented at Blackhat, ToorCon, OWASP, ISACA, etc. He is a founder and Vice President of Professional Services at iSEC. He is a leading researcher in the field of web application and web services security and is also a co-author of the upcoming book Hacking Exposed Web 2.0. Alex shares with us how he got started in the webappsec field. In his own words:

"Back in 2001 I started working at Loudcloud, which was basically a large ISP/ASP made famous by the fact that Mark Andreessen was a founder. While there, I ended up with the primary security responsibility for about 50 Fortune-500 web applications. Through a series of late night pages, self-exploration through our customers' code, and a couple of hairy incidents, I decided that web app security was way more important to these apps than double-checking the firewall rulesets or slightly decreasing how fast we patched OpenSSH.

At @stake, a major focus of my work was penetration testing of web applications and teaching classes to web app developers on how to stop making the same mistakes others had already made. Since we started iSEC about three years ago, web application and web services security has been a major focus of my research and work with clients, although I also dabble in other security areas such as forensics."


Based out of San Francisco, CA, US, Alex is only 28 years old. Below is a list of his contributions to the community.


Books:-

Co-authored - Hacking Exposed Web 2.0 (to be released soon)
(http://www.amazon.com/Hacking-Exposed-Web-2-0-Solutions/dp/0071494618/ref=sr_1_1/103-2901853-2679805?ie=UTF8&s=books&qid=1182153208&sr=8-1)


Tools written by him:-

Alex has worked on a few SOAP security tools with Scott Stender and Jesse Burns, and is releasing some new file and file system fuzzing tools to attack forensic software at BlackHat this summer.
All the tools can be found on the iSEC website:
http://www.isecpartners.com/tools.html


Presentations:-

Upcoming - "Breaking Forensics Software: Weaknesses in Critical Evidence Collection"
BlackHat USA 2007
http://blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Palmer


"Vulnerabilities 2.0 in Web 2.0: Next Generation Web Apps from a Hacker's Perspective" - Web 2.0 Expo, BlackHat USA, BlackHat Japan, ToorCon, ACM Reflections/Projections, OWASP SF
http://www.isecpartners.com/files/Attacking_AJAX_Applications-UIUC_ACM_2006.pdf


Cyber Crime - Security, Strategy & Solutions - ISACA Silicon Valley Annual Conference
http://www.isaca-sv.org/WinterConferenceSecTopic.html#11


"Cross-Domain Request Forgery and Web Crimes" - SF Bay Infraguard with Jesse Burns
http://www.sfbay-infragard.org/


Attacking Web Services - BlackHat USA, CanSecWest, OWASP App Sec, SyScan
http://www.infoworld.com/event/soa/may/



Memberships:-

OWASP
http://www.owasp.org/

ISACA
http://www.isaca.org/

IEEE
http://www.ieee.org/portal/site


Company working for:-

Founder and Vice President of Professional Services at iSEC Partners, Inc. (http://www.isecpartners.com/)


Email:-

alex__at__isecpartners_dot_com


Website:-

http://www.isecpartners.com/


Companies worked for:-

@stake, Loudcloud, E.O. Lawrence Berkeley National Laboratory


Education:-

BS in Electrical Engineering and Computer Science - University of California, Berkeley.


Last Week – pdp
Next Week – Cesar Cerrudo

Monday, June 11, 2007

Reflection on pdp


This week on reflection we have Petko D Petkov (popularly known as pdp). pdp has been active in the webappsec community for some time now. He has written many articles and published many tools. Two of his more popular tools are Attack API and Technika (a Firefox extension). He is also a co-author of the book XSS Exploits: Attacks and Defense. Recently he presented Advanced Web Hacking Revealed at the OWASP AppSec Conference in Italy 2007. In his reflection pdp shares with us how he got started in the webappsec field. In his own words:

“I have always been fascinated by the power of the Web, but it was around the year 2000 when I got into web application security. Other than that, my interest in IT security has been growing since 1995. Funny enough, it was "Hackers", the movie, that sort of inspired me to spend my time on solving interesting problems with my not-so-advanced for that time PC, rather than wasting time on games. Back then, I had a 286 MHz "Pravetz", produced in Bulgaria. One of my first projects was a simple calculator that was also password protected. When I finished the project, I also learned how to trick the password protection mechanism by modifying the jumper inside the program binary. That was fun. The Bulgarian underground scene used to be a great resource for me to learn. I started reading an online zine called Phreadom. I am still looking for the old issues but I guess they are somehow lost forever.

I started hacking from the time I learned how to program. My Dad told me that programming is one of the few professions out there that teaches you about the world in general, since programmers try to reflect real world problems into easy to maintain and use software products. That made me start thinking outside the box. I define myself as a life-hacker. I guess this is the reason why I am where I am today. When I came to the UK I didn't want to waste time, so I did a lot of security related projects. This is when my IT Security career started. I was 18, and I was doing the stuff that I wanted to do all my life.”

Based out of London, UK, pdp is only 22 years old. Below is a list of his contributions to the webappsec community.


Books:-

XSS Attacks: Exploits and Defense
http://www.amazon.com/Cross-Site-Scripting-Attacks-Exploits/dp/1597491543/sr=1-1/qid=1170769149?ie=UTF8&s=books

Articles:-

The Web has Betrayed Us
http://www.gnucitizen.org/blog/the-web-has-betrayed-us

Persistent CSRF and The Hotlink Hell
http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell

Preventing CSRF
http://www.gnucitizen.org/blog/preventing-csrf

Sex, Candies and Bookmarklet Exploits
http://www.gnucitizen.org/blog/sex-candies-and-bookmarklet-exploits

The Machine is Using Us
http://www.gnucitizen.org/blog/the-machine-is-using-us

Playing in Large
http://www.gnucitizen.org/blog/playing-in-large

Universal PDF XSS After Party
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party

Danger Danger Danger
http://www.gnucitizen.org/blog/danger-danger-danger

Web OS
http://www.gnucitizen.org/blog/web-os

Cross-site Request Forgery
http://www.gnucitizen.org/blog/cross-site-request-forgery

The 0XSS Credo
http://www.gnucitizen.org/blog/the-0xss-credo

The Backdooring Series:
http://www.gnucitizen.org/blog/backdooring-images
http://www.gnucitizen.org/blog/backdooring-mp3-files
http://www.gnucitizen.org/blog/backdooring-quicktime-movies
http://www.gnucitizen.org/blog/backdooring-flash-objects-receipt
http://www.gnucitizen.org/blog/backdooring-flash-objects
http://www.gnucitizen.org/blog/backdooring-web-pages

The XSSing the Lan Series:
http://www.gnucitizen.org/blog/xssing-the-lan-4
http://www.gnucitizen.org/blog/xssing-the-lan-3
http://www.gnucitizen.org/blog/xssing-the-lan-2
http://www.gnucitizen.org/blog/xssing-the-lan


Presentation:-

Advanced Web hacking revealed
http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda


Tools written by him:-

Some of the tools published by him:

JavaScript YPipes Spider
http://www.gnucitizen.org/projects/6th-owasp-conference/spider.htm

JavaScript TinyURL Filesystem
http://www.gnucitizen.org/projects/6th-owasp-conference/tinyfs.htm

Google Hacking Database Interface
http://www.gnucitizen.org/applications/ghdb

JavaScript Port Scanner
http://www.gnucitizen.org/projects/javascript-port-scanner

Greasemonkey Backdoor
http://www.gnucitizen.org/projects/greasecarnaval

Exploit Development Environment for Firefox
http://www.gnucitizen.org/projects/technika

Geo position Zombies on a map
http://www.gnucitizen.org/applications/zombiemap

Attack Framework for controlling zombies
http://www.gnucitizen.org/applications/backframe

Simple JavaScript testing framework
http://www.gnucitizen.org/projects/firetest

Powerful JavaScript-based attack library
http://www.gnucitizen.org/projects/attackapi

The Cross-site Scripting database
http://www.gnucitizen.org/applications/xssdb

Powerful and very customizable attack communication channel
http://www.gnucitizen.org/projects/javascript-attack-channel

Set of utilities useful when performing enumeration attacks
http://www.gnucitizen.org/projects/met


Company working for:-

NTA-Monitor


Email:-

pdp__at__gnucitizen_dot_org


Blog:-

gnucitizen.org


Web:-

gnucitizen.org


Companies worked for:-

Freelance


pdp has vast knowledge of the different technologies and frameworks available on the internet. If you are not already following his blog, I would recommend doing so. He brings up some good points for the webappsec community.

Last Week – Saumil Shah
Next Week – Alex Stamos

Wednesday, June 06, 2007

WASC meetup in Blackhat USA 2007



OWASP and WASC have joined hands to hold a combined meetup at Blackhat USA 2007 in Las Vegas, which was earlier planned as a WASC meetup. Breach Security has stepped forward to sponsor the event. Please click on the image to see a larger version of the invite. Come and join us for a drink and meet other like-minded people from the industry.
NOTE: Those who have already RSVPed need not RSVP again.

Tuesday, June 05, 2007

Any java developers in bay area?

Any Java developers in the Bay Area who are interested in working together on some of the research ideas I have in web application security?

Most of the development would be in Java. Knowledge of JavaScript is a plus. Knowledge of the webapp security field is optional.

Interested? Contact me at anurag.agarwal@yahoo.com

Monday, June 04, 2007

Reflection on Saumil Shah


This week on reflection we have Saumil Shah from net-square Solutions. Saumil has been involved in the webappsec community for a long time and is a regular presenter at Blackhat. He focuses on researching vulnerabilities in various e-commerce and web based application systems, on system architecture for Net-Square's tools and products, and on developing short term training programmes. He specializes in ethical hacking and security architecture. In his reflection, Saumil shares with us how he got involved in webappsec. In his own words:

“My original interest in security has always been Unix hacking and reverse engineering. In 1998, when I joined Ernst & Young as a penetration testing specialist, we used to have a field day with systems wide open on the Internet. NetBIOS and SunRPC made our day. Not to mention a slew of other services like open database ports, terminal ports, and more. By the end of 1999, the only ports we could find open on the Internet were 80 and 443. Not to be outdone, I ended up finding out ways to compromise systems, this time using HTTP and the application behind it.

Leaving apart the whole idiotic debate on hacking vs. cracking, I shall say that I truly started hacking at the age of 11. My first few "hacks" were to spot programming errors in home computer magazines, for the ZX Spectrum and the BBC Micro, fixing them while keying in long listings in BASIC, and enjoying the games until I had to unplug the power. The only storage medium was cassette tape back in 1984.”



Based out of Ahmedabad, India, Saumil is only 33 years old. He is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996). He has served as a technical editor for "Hacking Exposed 2nd Ed", and has contributed to the "Know your Enemy - the Honeynet Project" book. Saumil has also presented at Blackhat, CNET eDevCon, hack.lu, EUSecWest, and many more. Below is a list of his contributions to the webappsec community.

Books:-

Web Hacking - Attacks and Defense
http://www.awprofessional.com/bookstore/product.asp?isbn=0201761769&rl=1

The Anti Virus Book
http://saumil.net/antivirus/contents.html


Articles:-

Saumil did a monthly column for two years on C-NET Builder.com, titled "Security Issues", along with Chris Prosise.
http://builder.cnet.com/

One Way Web Hacking
http://net-square.com/papers/one_way

An Introduction to HTTP fingerprinting
http://net-square.com/httprint/httprint_paper.html


Tools written by him:-

httprint - Advanced HTTP Fingerprinting
http://net-square.com/httprint/


Contributions:-

One of the very early members of The Honeynet Project in 2000.


Presentations:-

Web Hacking
http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html

Adware/Spyware
http://www.blackhat.com/html/bh-japan-05/bh-jp-05-en-speakers.html

The Exploit Laboratory: Analyzing Vulnerabilities and Writing Exploits
(Black Hat Europe 2006 Briefings and Training, Black Hat USA Training 2006)
http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-ss-el.html

Defeating Automated Web Assessment Tools
http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html


HTTP Fingerprinting and Advanced Assessment Techniques – (BH Europe 2004, BH Asia 2003, BH Federal 2003, BH Windows 2004)
http://www.blackhat.com/html/bh-europe-04/bh-europe-04-speakers.html


HTTP: Advanced Assessment Techniques
http://www.blackhat.com/html/win-usa-03/win-usa-03-speakers.html#Saumil%20Udayan%20Shah


Top Ten Web Attacks
http://www.blackhat.com/html/bh-asia-02/bh-asia-02-speakers.html

One-Way SQL Hacking: Futility of Firewalls in Web Hacking
http://www.blackhat.com/html/bh-europe-01/bh-europe-01-speakers.html#Marc%20Witteman


Writing Metasploit Plugins - From Vulnerability to Exploit
http://conference.hackinthebox.org/hitbsecconf2006kl/?page_id=81


CNET eDevCon 2000: "Hacking Exposed: Ecommerce - Live!"


Company working for:-

Net-Square - Founder and CEO
http://net-square.com/


Companies worked for:-

Ernst & Young, Foundstone


Email:-

saumil__at__net-square_dot_com


Website:-

http://saumil.net/


Education:-

M.S. Computer Science, Purdue University, USA - graduated in 1998
B.E. Computer Engineering, Gujarat University, India - graduated in 1995


Saumil has also been doing pre-conference training at Blackhat for the past 6 years, and has also taught classes at CanSecWest and Hack in the Box. I am sure we will see a lot more contributions from him going forward.


Last Week – Stefano Di Paola

Next Week – pdp