Monday, May 28, 2007

Reflection on Stefano Di Paola

This week on Reflection we have Stefano Di Paola, who caught everyone's attention with his paper Subverting Ajax, which covered an Acrobat Reader plugin vulnerability and a JavaScript prototype exploit. Those of you who follow the WASC mailing list will remember the commotion at the beginning of this year: tons of emails going back and forth about a vulnerability in the Acrobat Reader plugin that had the potential of affecting almost every website hosting PDF files (Universal XSS).

Stefano has released several advisories, including some that were patched but never publicly disclosed. He has also contributed to the OWASP Testing Guide and is Research & Development Director of the OWASP Italian Chapter. Today he shares with us how he started in web application security. In his own words:

“When I was 9 or 10 years old, I began to hack my 45 rpm portable record player in order to control the angular speed and play with my childhood songs in a funnier way. Then I realized I didn't know how to remount my opened player, so I asked my parents to buy me another one with the promise not to break it again. I kept that promise… or at least for a while. A couple of years later I decided to hack my tape recorder and I succeeded in mixing voice recording while playing music (my mother never knew I recorded my voice on her music tapes).

I started to practice with computer security when I bought a 486 in 1997; I was a student at the Computer Engineering Faculty at the University of Florence. The first thing I read about hacking was about reverse engineering and cracking shareware software protections. It was quite funny, but when I managed to install my first Linux 2.0 on my PC, the approach and the vision were going to change inside me. I had already worked on Sun Solaris and AIX at the University, but Linux was my first Unix love. The research and the study of Linux configuration tutorials brought me to Phrack and "Smashing the Stack for Fun and Profit" by Aleph1. The first time I applied all the theory I had learned was when I urgently needed root privileges on an SGI Workstation at the university while I was finishing my master's degree thesis. As the sysadmin was sick I decided to get root by myself and accomplish my tasks. After a couple of days I warned the sysadmin about my privilege escalation and I told him how to fix the issue.

It was in 1999 the first time I stumbled upon and I was amazed by the quantity of information about hacking old-style CGI web pages and search engines. Since a large number of web servers were on *nix OS flavors at that time, my background on Linux, Sun Solaris and AIX helped me a lot. I realized it was quite easy for me to find flaws in CGI scripts (most of all system execution vulnerabilities). As a consequence of my hacking research activity, I began to think about web application firewalls, but since it was the early days of web application security and no information on WAFs was available on the net, I gave up. It was in 2004 that I decided to work as a web application security consultant and released my first public advisory.

I worked as a freelancer in Italy from 2000 to early 2007, then I founded MindedSecurity (an Application Security Company with the mission to build a Center of Excellence on Web Application Security in order to give high quality services).”

Based out of Florence, Italy, Stefano is 35 years old and works as a freelance ICT security consultant and software architect for several companies and public institutions in Italy. Below is a list of his contributions to the webappsec community.


Universal Cross Site Scripting (Internet Magazine - Italy)

The Owasp Testing Guide (Hackin9)

Several sections in the Owasp Testing Guide v 2.0

XML Injection

Xpath Injection

LDAP Injection

Mysql Injection

Ajax Testing


Research & Development Director of Owasp Italian Chapter.

Tools written by him:-

PassBroker - a PHP extension that dispatches secrets that are often embedded in cleartext inside PHP web pages (e.g. SQL username and password).

HMAUTH - HTML form authentication using HMAC.

Anti Tamper Module for Apache 2.0 - a tool that parses every outbound HTML page and adds a signature to every static link and to cookies, in order to prevent malicious users from tampering with GET parameters and cookies.

Rul-o-matic - a web agent for generating whitelist mod_security rules.

Company working for :-

Co-founder of Minded Security ( ).

Web Security By Example - SMAU (Italy)

Subverting Ajax - 23rd CCC (Germany)

Ajax Security - Infosecurity (Italy)

Testing Flash Applications - 6th Owasp AppSec Conference (Italy)

Lectures (University of Florence):-

Secure Software Development Life Cycle(2007) - Phd Course Faculty of Software Eng.

Web Developing Security(2005/2006) - Course of 'Databases', Faculty of Software Eng.


Php RFC1867 Arbitrary File Upload (10/2004)

Php shmop safemode bypass and write to arbitrary locations (10/2004)

MySQL Server CREATE FUNCTION libc arbitrary code execution (03/2005)

MySQL Server CREATE FUNCTION mysql.func table arbitrary library injection (03/2005)

MySQL Server insecure temporary File Creation (03/2005)

MySQL Server COM_TABLE_DUMP Information Leakage and Arbitrary command execution.(04/2006)

MySQL Server Anonymous Login Handshake Information Leakage. (04/2006)

Acrobat Reader Plugin Multiple Vulnerabilities (01/2007)

Php import_req_var globals overwrite Advisory (03/2007)

IE and Firefox Digest Authentication Request Splitting (04/2007)


Master's in Software Engineering (University of Florence)
Certified Lead Auditor ISO 27001.

Stefano recently presented a paper on Flash vulnerabilities at the OWASP Europe conference and is also working on some new and interesting research ideas. Anyone in the webappsec community should definitely keep an eye on him.

Last Week – Ryan Barnett
Next Week – Saumil Shah

Friday, May 25, 2007

WASC Meetup at Black Hat (USA 2007)

For the third year in a row WASC will be organizing a web application security meet-up during the Black Hat USA (2007) conference. There are going to be a lot of webappsec presentations and people in attendance, likely more than ever, so it's a good opportunity for those in the community to get together and share some food and drinks. This email will serve as a way to gauge the level of interest and the number of attendees expected. Please drop us a line if you'd like to stop by. Also, we're exploring the idea of getting sponsor(s) lined up, as our meet-ups are of sufficient size to make good use of a private room. Please let us know if any companies have an interest here as well.

Please RSVP to

Monday, May 21, 2007

Reflection on Ryan Barnett

This week on Reflection we have Ryan Barnett from Breach Security. Ryan is a well-respected figure in web application security and is well known for his book “Preventing Web Attacks with Apache”. He is a faculty member of the SANS Institute and a WASC officer. He is also the Project Lead for the Center for Internet Security Apache Benchmark Project. Ryan has a passion for web application security and has made several contributions to the community. Today he shares with us how he got into the webappsec field and his journey so far. In his own words:

“I first realized that I had the hacker’s mindset back in 1999. It was at this time that I got my first real IT consulting gig, which was testing a Federal Government’s software for Y2K compatibility. What I found was that I had a knack for identifying input validation issues beyond just whether or not the application would implode if the date field went to 00. After Y2K came and went, the company that I worked for appreciated my Y2K efforts so much that they offered me another position as a Unix Administrator with the same client. I knew a little bit of Unix but not too much about its security. That is when I went to Borders and stumbled upon the two books that would change my career path: Practical Unix and Internet Security and The Cuckoo’s Egg. After gobbling up those books, I was hooked. I wanted to be in security. My first step on this path was when I joined my client’s Computer Security Incident Response Capability (CSIRC) Team. Around this time is also when the SANS Institute was starting to really take off. I took the Hacker Techniques and Incident Response course and obtained the GCIH certification. After successfully helping the client respond to a number of incidents, we then ran into a misconfigured web server allowing anonymous FTP and it quickly turned into a Warez depot. This proved to be a pivotal incident as I was able to work with the client’s Web Server Admins to track down and fix the problems and set up new monitoring systems (Snort) to identify future issues. It was after this incident that I was offered the position of Web Security and IDS Admin. Basically, they wanted me to be in charge of security within the DMZ segments.

My first real taste of web security came as I was monitoring Snort sensors in DMZ segments and I was constantly weeding out false positives with the web attack signatures. In December of 2001, I was presenting at the SANS Cyber Defense Initiative Conference in Washington D.C. At this conference, they set up a hacker network called ID-Net and I wanted to test the TCP session-resetting capabilities of Snort vs. web attacks. My goal was to try and create a whitelist of allowed URLs and then have Snort pass on these requests. If a requested URL was not listed in the whitelist, Snort would use its Flexible Response capabilities with Libpcap to craft TCP reset packets and try to kill the connections. So, how did Snort perform while under attack on the ID-Net? It did reasonably well; however, the session sniping was not able to effectively terminate all requests that were not in the whitelist file. This was due to a few variables, such as the low network latency and the placement of Snort. One of the main limitations was the actual flexible response code itself. Snort creator Marty Roesch was actually at the SANS CDI conference/ID-Net and I showed him my idea. He liked the concept, but confessed that the Snort session sniping capabilities were probably not fast enough to terminate a malicious HTTP request before it got to the web server. We ran some tests to prove his theory and he was correct. Snort was not able to stop the inbound requests. It did, however, perform rather well on the outbound data returned after the web server processed the request. This test did get Marty's wheels turning, as he spent a good deal of time while on the ID-Net re-coding the flexible response portion of Snort.

After my adventures with attempting to use Snort for HTTP protection, I realized that in order to provide the best identification and protection, I needed to either be inline (reverse proxy) or on the web server itself. I then set out to learn all that I could about Apache security. The research led me to create a hardening checklist for Apache that included many tweaks to the configurations and attempted to leverage Mod_Rewrite for URL filtering and CGI scripts for alerting on malicious traffic. These new configurations proved their worth the next time the Government auditors came around and attempted their pen-tests. My client was ecstatic that we were able to quickly identify the auditors’ traffic, implement blocking rules and notify them through the proper incident response channels within 5 minutes. After successfully passing that audit, I was flattered to learn that my client’s CSO had provided my hardening information to the other Department Bureaus. Not soon afterwards, I was asked to give a number of presentations on Web Security to the Department and also to participate in other Government Security Technical Conferences. A short time later, I met the fine folks at the Center for Internet Security and accepted their offer to lead the Apache Benchmark Project. Over the next few years, I worked my normal job and I also freelanced with the SANS Institute, where I both developed and taught classes on Web Security.

It was around 2003 when I had another career altering encounter, even if I didn’t know it at the time, when I was doing research for new Apache Intrusion Detection information and I found an application called ModSecurity. At this time, it was in its early stages however it included many of the advancements and features that I had been left wanting after trying to squeeze every possible ounce of configuration voodoo that I could out of other modules. I immediately started testing it and a kinship with Ivan Ristic quickly developed. I would test ModSecurity and would find bugs and/or request features and Ivan would crank it out almost immediately. As ModSecurity progressed, so did our working friendship as we both wrote separate books on Apache Security and helped each other with reviews and answering questions. We had discussed the possibilities of working together in some capacity but it never worked out. That is until Breach Security acquired Ivan’s company Thinking Stone in late 2006. And that is how I came to work for Breach as the Director of Application Security Training and ModSecurity Community Manager.

Based out of Falls Church, Virginia, Ryan is only 34 years old. Below is a list of his contributions to the webappsec community.


Preventing Web Attacks with Apache (Addison-Wesley)

Sample Chapter/Article: Mitigating the WASC Threat Classification with Apache


Quoted In:

May 15, 2007 – InfoWorld (ZeroDay) – “WASC Details Honeypot Project”

May 4, 2005 – SANS NewsBytes – “Web Server Attacks and Web Site Defacements Up Thirty-Six Percent”

January 16, 2004 – ComputerWorld – “Opinion: Sticky Security”


ModSecurity Community Manager

WASC Distributed Open Proxy Honeypot - Project Leader

WASC Threat Classification: Contributing Author

WASC Web Application Firewall Evaluation Criteria: Contributor

The Center for Internet Security’s Apache Benchmark Document and Scoring Tool

The SANS Institute’s Top 20 Vulnerabilities Team

Sponsored the Honeynet Project’s Scan of the Month Challenge #31

SecureWorld Conferences -

Panel: Facing Off With the Digital Dozen-Technology Challenges Of PCI DSS 1.1

Panel: The Tangled Web: Web Security 2007


(ModSecurity Cool Rules, Web Security Threat Report)


Web Application Security Workshop (Developer/Instructor)

Building a Web Application Firewall Workshop (Developer/Instructor)

Web Intrusion Detection and Prevention with Apache (Developer/Instructor)

Securing and Auditing Apache (Developer/Instructor)

Secure Internet Presence – LAMP (Developer)


Web Server Fingerprinting

Preventing Website Defacements

Catching Intruders with Snare

ModSecurity: Web Intrusion Detection and Prevention


WASC Officer

SANS Institute: Courseware Developer, Instructor and Local Mentor

The Center for Internet Security: Apache Benchmark Project Leader

Member of the Counterpane Intelligence Committee



Companies worked for:-

Universal Systems and Technology (Unitech), RS Information Systems, EDS, Breach Security

Company working for:-

Breach Security:
Position Title: Director of Application Security Training


Commercial: Ryan_dot_Barnett__@__breach_dot_com
Personal : RCBarnett__@__gmail_dot_com

Ryan has a vast knowledge on web application defense strategies and is also involved in mod security cool rules project. He has started blogging recently and I am sure we will start to see a lot of his original thoughts being shared with the community through his blog.

Last Week – Caleb Sima
Next Week – Stefano Di Paola

Tuesday, May 15, 2007

Reflection on Caleb Sima

This week on Reflection we have Caleb Sima from SPI Dynamics. He is the co-founder and CTO of SPI Dynamics. He has been involved with Internet security since its very early days and is widely respected in the industry. He is often quoted in various magazines and is called upon for his expert opinions. Caleb’s story tells us we can be what we want to be if only we put our minds to it and channel our efforts in the right direction. Caleb is exceptionally talented and at a very young age has achieved so much because of his determination, hard work and dedication.

I guess some other reporter had also done a bit on him before, which Caleb shared with me along with some other details. His story is a very interesting read on how he got into web application security and his journey so far. In his own words:

“It started off when I was a kid. I was in trouble a lot in school and with my parents, so restriction was a way of life for me. One day, when I was around 8 or 9 years old, my dad bought a PC and said that I could play on it when I was on restriction, but no games. So I started messing around w/ computers, which started my obsession. Soon afterwards I read something on a friend’s computer about how to make free payphone calls. At this point I become hooked on IT security. I wanted to bypass any security, figure out how to hack into anything electrical from phones to bypassing screensavers. This kicked into my rebellious phase where I got kicked out of multiple schools. It got so bad that my step-dad told me that he would not allow me to touch or read anything about computers. This really sucked as I knew that I wanted to do something with computers when I grew up, so I eventually quit school and ran away from home around the age of 16. I ended up living with one of my best friends and his dad in Jasper, Georgia where the only thing to do was to get in trouble and read books. At the same time though I knew what I wanted to do very early on in life and to me nothing else mattered. So I went and pursued my career in computers and security.

I got to a point where I knew I could get a job with computers somewhere so I started applying. I ended up landing a job on Delk Road in a hole in wall computer repair shop where I was the technician. I was the little Asian kid that fixed your computer when it had problems :). After being there around six months, I went to visit my Mom at her work one day. She introduced me to the network administrator of their company. We hit it off and he offered me a job being a network administrative assistant. Then one day he got fired and a new guy came in to take his place. I became real good friends with the new guy - slept on his couch multiple times. Then one day HR calls me in and fires me claiming that my new boss said I did not do my job. Welcome to my 1st corporate backstabbing. I was furious I went and posted my resume on the Internet and went to the mall. While I was there I received a page (this was when pagers were the “in” thing) that was a recruiter telling me they had a job for me doing network security for a bank. The most perfect job and not even hours after I posted! I called the recruiter and landed my first real security job interview at a company called S1. On the morning of my interview I had one suit to my name, which I wore. It was raining when I left to go to the interview and as I was driving my car (a Chevy Nova of all things – definite piece of junk) I hydroplaned and went into a ditch. So I walked back in the rain three miles to the house, obviously now running late. I woke my friend up and he lent me his suit which was three times too big for me and I drove his car into the interview which was 2.5 hours away.

With all this bad luck, I questioned how the rest of the day would go. Lucky me, my nightmare continued. I walk into this interview and the guy who interviewed me was literally the grouchiest looking old man I had ever seen. He came into the room and shot a round of questions at me like a machine gun, all of which I handled with ease. Then, he just got up and left the room without a word. No smiling, nothing. I just sat in this room not knowing what to do. It was terrible. All I could think was did I just completely do the wrong thing? Should I leave? After about 10 minutes he comes back in and miraculously offers me a job. I then became the security analyst for the world’s first online bank. It was a fantastic job I was able to help implement security for almost all the online banks and my job was to lock down the data center that had most of the major bank transactions going thru it. I ended up learning a great deal about security and it was my first intro into web security. That grouchy old man eventually became a great friend. I still make fun of him today for that interview.

At this stage I was around 17 or 18. I stayed at S1 for a while learning everything about online banking I could. Then one day I was evaluating some new software that claimed it would help protect our network. The software was from a company called Internet Security Systems (ISS). Being the security deviant I was from my years as a kid fascinated with breaking into things, I found huge holes in the software and was able to break the software in various different ways. I notified ISS about these problems and worked with them through various other issues. They liked what I did so much they offered to have me come down and interview with them for a job. This was a time when Internet security was unheard of. I was completely intrigued at the concept of a company solely dedicated to Internet security. I had two full day interviews with the company and they hired me. This was when the company was very small. I joined and became part of their research and development team. ISS became my family of sorts as I basically grew up with them all through the dotcom bubble. I was finally able to experience a company that really appreciated what I contributed and had a lot of fun doing what I did for them because it was something I was really interested in and knew I did well. I also learned a lot about business, which would come to help me in my future endeavors.

Around 2000 when I was about 20, I decided to leave ISS. I noticed that there was a huge opportunity in the market for a different kind of security product that no one out there was focused on, but the need was significant. So I left and started doing my own consulting. At the time I was doing a lot of pentests and was breaking in 100% of the time via the web application. All current security products were useless in protecting against or finding these flaws. Since most of my work was automated via Perl scripts I started to see a way to turn it into a product. The real key moment though was when I was contracting with a large telecom company and the head of security told me that if I could automate what I do he would buy it no questions asked. Thus WebInspect was born.

During this time I ran into an old friend from S1. I told him about my idea about a new type of security product. We both decided to hook up and form the company together, so we set-up shop in his house and my apartment. At the same time, I told another friend at S1 who was a very talented security professional about the idea and he wanted to help. So thus SPI Dynamics was created. During the past five years we have gone from an apartment and house to the top floor of a building in the Perimeter area with decks and 180 views of Atlanta, over 100+ employees and our revenue doubling every quarter. Guess I was right – there was a need for this new type of security.

My spare time is usually quite limited, but when I do have some there are a couple things I like to do. My hobby is motorcycles. I ride a 2005 black Yamaha R6 and I ride often. I will usually go up to Vortex in Little Five in Atlanta on Thursday nights and hang out and talk with other riders, and on Sundays we usually get a group to go up to Sucches in the North Georgia mountains and hit the curves. I also play poker quite often and hold scratch games at my place every week.”

Based out of Atlanta, GA, Caleb is only 27 years old. He is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC). Below are some of his contributions to the community


Hacking Exposed – Web Applications 2

Sample Chapters:

Attacking Web authorization: Web authorization - Session token security

Input Validation Attacks -- Chapter 6, Hacking Exposed Web Applications, Second Edition


June 27, 2006 - "Web application security testing reaches new level"

March 1, 2006 - "Threat modeling key to pro-active security"

November 20, 2006 and December 11, 2006 - Webcast - "Three Application Threats You Can't Afford to Ignore"

November 2006 - "Ask The App Security Expert: Questions & Answers - How to safely deploy Ajax"

January 25, 2007 - "Ask The App Security Expert: Questions & Answers - Authentication - From passwords to passphrases"

Is your site vulnerable to SQL injection attacks?

How do government regulations address application security?

The best way to secure a Web site

Ajax's effect on Web services security

Data breach legislation could affect Web site development

SQL injection: Secure your Web applications

Denial of service and Ajax

Automated SQL injection: What your enterprise needs to know - Part 1

Automated SQL injection: What your enterprise needs to know - Part 2

October 19, 2006 - "One simple rule to make your Web apps more secure"

October 31, 2006 - "Injection attacks -- Knowledge and prevention"

November 30, 2006 - Podcast - "Ajax security: A dynamic approach"

December 2004 - Security Post - "Are Your Web Applications Secure?"

March 3, 2005 - - "Bugwatch: Security through the development cycle"

May 15, 2006 - Government Security News (GSN) - "Web Applications: The Hacker's Ultimate Goldmine"

July 28, 2006 - "The Software Development Life Cycle: When to Secure Your Process"


Microsoft TechEd 2006
Microsoft TechEd 2007

Software Security Summit 2007

Software Security Summit 2006
Software Security Summit East 2006

RSA 2006
RSA 2007
RSA Europe 2006

Secure Software Forum 2005
Secure Software Forum 2006

Secure Software Forum 2007

Blue Hat 2006

Atlanta Code Camp 2006

Black Hat USA 2005
Black Hat USA 2006

HP World 2005
HP Technology Forum 2005
HP Technology Forum 2006

ISSA Georgia 2006
ISSA Austin 2006
ISSA Metro Atlanta Chapter Conference 2006
Charlotte Metro ISSA 2006 Security Summit

Interz0ne 2005

(ISC)2 D.C. 2005
(ISC)2 Las Vegas 2005

CarolinaCon 2005

Techno-Security 2005

2006 Texas Regional Infrastructure Security Conference
University of South Carolina International Event 2007
Regular guest speaker at Georgia Institute of Technology

DHS Software Assurance Forum

InfoSec World

Quoted in:-

September 4, 2004 - The New York Times - "Citing Threats, Entrepreneur Wants to Quit Caller ID Venture"

January 2005 - SC Magazine - "Is your website an easy target?"

January 15, 2005 - SD Times - "Application Security: Mindset Is What Matters"

February 22, 2005 - DevX - "Security Training Falling Through the Education Cracks"

February 28, 2005 - Wired - "Known Hole Aided T-Mobile Breach"

April 11, 2005 - Atlanta Business Chronicle - "Blogging the new word-of-mouth for businesses"

April 18, 2005 - Network World - "Is your cell phone at risk?"

April 2005 - CNN - "Top 25 Technology Breakthroughs"

August 1, 2005 - SD Times - "Are Your Web Services Vulnerable?"

August 8, 2005 - Government Computer News (GCN) - "Agencies making little progress against cybervandalism"

January 17, 2006 - eWeek - "SPI Tool Measures Web App Security Risk"

February 15, 2006 - Network World - "Secure software is up to businesses"

May 10, 2006 - CNET (and ZDNET) - "Hijacking MySpace for fame and fortune"

June 6, 2006 - InformationWeek - "Caution, Developers: SOA And Ajax Open To Attack"

June 12, 2006 - Federal Computer Week (FCW) - "Preventive measures"

June 9-15, 2006 - Atlanta Business Chronicle – “SQL injection' attacks on the rise in Atlanta"

June 19, 2006 - InformationWeek - "Yahoo Mail Worm May Be First Of Many As Ajax Proliferates"

July 15, 2006 - SD Times - "In War for App Security, New Intelligence on Way"

July 30, 2006 - eWeek - "Vista, Rootkits Headline Hacker Confab"

July 31, 2006 - - "SQL Injection Threatens to Needle Web Users"

August 3, 2006 - Computerworld - "Black Hat: Blog readers vulnerable to embedded malware"

August 15, 2006 - SD Times - "Slipping In The Side Door With App Security Message"

August 23, 2006 - CRN - "Keeping Up With The Hackers"

October 23, 2006 - CRN - "Is Oracle Downplaying Security Vulnerabilities?"

November 27, 2006 - eWeek - "Acunetix Offers New Security Audit Service"

Security overhaul key to Microsoft's software success

January 12, 2007 - Joe On .NET, Microsoft's Opinionated Misfit Geek - "Upcoming AJAX Security Webcasts"

February 5, 2007 - - "Experts Predict Bad Year Ahead for Cyber-crime, Cyber-terrorism"

February 8, 2007 - "Online apps facing barrage of attacks"

February 8, 2007 - Computerworld - "RSA - Hackers find a wealth of victims on corporate sites"

Personal Awards:-

Info Security Products Guide Shaping Info Security 2006 award

Atlanta American Electronics Association (AeA) - Spirit of Endeavor Award for Technology Entrepreneur

Microsoft MVP Award - Developer Security - 2007


WASC Board Member

Tools written by him:-

Webinspect versions 1-6
SQL Injector
HTTP Editor
Regex Tester
SPI Proxy
SOAP Editor
Web Discovery
Web Brute

WASC Threat Classification

Companies worked for:-

S1, Equant, ISS, SPI Dynamics

Company working for:-

SPI Dynamics

Caleb is a very active contributor to the community and is also on the Expert Panel of (formerly He is a man with ideas and vision and I am sure we will see a lot of cool things coming out of his brain.

Last Week – Bill Pennington
Next Week – Ryan Barnett

Monday, May 14, 2007

Phishing using google ads

I received an interesting phishing email today. Whenever I receive such an email, I hover my mouse over the link to see the actual URL behind it. In this particular case, it caught my attention. It was pointing to I was a little bit surprised, so I copied the actual URL behind the link separately to see where it was pointing. Be careful before you click on the URL.

Here is a copy of the phishing email exploiting Google ads:

Please visit the resolution center located here verify your identity and avoid the blocking of your account
Sincerely,
PayPal Account Review Department
PayPal, an eBay Company

The actual URL behind the link is

Monday, May 07, 2007

Reading cookies from the server using Java

Last two posts have been about running TRACE on the host server.

Running TRACE on the server using Java from within the browser Part 1

Running TRACE on the server using Java from within the browser Part 2

In this post, we will see how to read all the HTTP headers, including cookies. Tested on Firefox 2.0 and JDK 1.4.

1. Get the browser host name from the location bar. Assuming the port is 80.
var l = "http://" + + "/";

2. Create a URL object to connect to the host.
var url = new;

3. Open the URL connection to the host.
var uc = url.openConnection();

4. Connect to the host.

5. Read all the headers returned from the server including the Cookies and display them as javascript alert.
var i = 1;
var header_keys;
while((header_keys = uc.getHeaderFieldKey(i))!= null) {
alert(header_keys + "=" + uc.getHeaderField(i));

6. Close the URL connection.
uc.close();
Run it as a bookmarklet
javascript:var l = "http://" + + "/";var url = new;var uc = url.openConnection();uc.connect();var i = 1;var header_keys;while((header_keys = uc.getHeaderFieldKey(i))!= null) {alert(header_keys + "=" + uc.getHeaderField(i));i++;}uc.close();

I am not sure if this will work for HttpOnly cookies, but I would appreciate it if someone could test this for HttpOnly cookies. I would be more than happy to walk them through it if they face any problems. You can reach me at anurag.agarwal__at__yahoo_dot_com

Running TRACE on the server using Java from within the browser Part 2

In the previous post on running TRACE on the server using java from within the browser, the approach was using In this approach, we are using

There are certain limitations with this approach:
1. If TRACE is disabled on the server, Firefox will give a PrivilegeException
2. If HTTP is disabled on the web server, then it will give a PrivilegeException
3. It will run on Firefox only
4. Requires JDK 2 at least

1. Get the host name from the browser’s location bar. Assuming the port is 80.
var l = "http://" + + "/";

2. Create a URL object
var url = new;

3. Open a URL Connection to the host.
var uc = url.openConnection();

4. Set the request method to TRACE so that the server echoes the request back.
uc.setRequestMethod("TRACE");
5. Open an input stream to read from the server.
var rd = new;

6. Read the lines from the server and display them as a JavaScript alert.
var lines = "";
var str;
while ((str = rd.readLine()) != null) {
lines += str + "\n";
}
alert(lines);

7. Close the stream.
rd.close();
Run it as a bookmarklet
javascript:var l = "http://" + + "/";var url = new;var uc = url.openConnection();uc.setRequestMethod("TRACE");var rd = new;var lines = "";while ((str = rd.readLine()) != null){ lines += str + "\n"; }alert(lines);rd.close();
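The two bookmarklets above only pay off when the server answers TRACE (so the echoed request leaks headers such as Cookie) and when session cookies lack the HttpOnly and Secure flags. The following is an added example, not code from the original posts: a small offline check that parses raw HTTP responses for exactly those two conditions. The sample responses and the host name www.example.test are constructed.

```python
# Added example (not from the original posts): detect a TRACE-enabled server
# and cookies issued without HttpOnly/Secure from raw HTTP responses.
# Runs offline; the responses below are constructed, not captured.

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, [(name, value)...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def trace_enabled(raw):
    """True when the server echoed a TRACE request back (cross-site tracing risk)."""
    status, headers, body = parse_response(raw)
    ctype = dict(headers).get("content-type", "")
    return status == 200 and (ctype.startswith("message/http") or body.startswith("TRACE "))

def audit_cookies(raw):
    """Map each Set-Cookie name to the protective attributes it is missing."""
    _, headers, _ = parse_response(raw)
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
    return findings

# Constructed samples: a TRACE echo that leaks the Cookie header, a server
# that refuses TRACE, and a response setting one safe and one weak cookie.
TRACE_ENABLED = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                 "TRACE / HTTP/1.1\r\nHost: www.example.test\r\nCookie: sessionid=abc123\r\n\r\n")
TRACE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
COOKIES = ("HTTP/1.1 200 OK\r\n"
           "Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure\r\n"
           "Set-Cookie: prefs=dark; Path=/\r\n\r\n")

if __name__ == "__main__":
    print("TRACE enabled:", trace_enabled(TRACE_ENABLED), trace_enabled(TRACE_DISABLED))
    print("cookie findings:", audit_cookies(COOKIES))
```

On Apache the server-side fix for the first finding is TraceEnable off; the second is fixed by adding HttpOnly (and Secure on HTTPS sites) to every session cookie.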

Sunday, May 06, 2007

Reflection on Bill Pennington

This week on reflection, we have Bill Pennington from WhiteHat Security. Bill has been involved in web application security for a long time, has performed numerous web application assessments, and is currently involved in research and development at WhiteHat Security. He has spoken at industry events like Black Hat, ISSA LA and the OWASP Silicon Valley chapter, and has contributed to or co-authored several books.

Bill was involved with OWASP in its early days and is currently a WASC officer. He has a very good sense of humor and is always willing to lend a helping hand. He spends his spare time with his family and kayak fishing. In his reflection, Bill shares with us how he got involved in web application security. In his own words:

“I was around 16 with an Amiga 500 and a modem; I spent a lot of time exploring systems that would answer my modem. I got my first internet access in 1990 on a University of Houston machine and spent a lot of time poking around on systems that would talk to me. My roommate at the time got addicted to a MUD and I got addicted to learning about how the internet worked.

For getting into Web Application Security, I blame Caleb Sima from SPI. I was working at a start-up around 1998 doing all the IT/security/blinky light stuff when Caleb was hired to do an audit by a large company that wanted to use my company’s software. Caleb found a few issues with our web application that got me interested. I had mostly been concerned about firewalls and IDS at that point. I figured if Caleb could do it then I could do it :-) I started auditing our software at that point, found a bunch of stuff Caleb missed ;-), and the rest is history.”

Based out of San Jose, CA, Bill is 36 years old. Below are his contributions to the webappsec community:


Contributed several chapters

Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios


Hacker's Challenge 2: Test Your Network Security & Forensic Skills

Hacker's Challenge 3


Challenges of Automated Web Application Scanning - ISSA

The Challenges of Automated Web Application Security – ISACA

Latest Attack Trends and Statistics – OWASP San Jose

Hacking Web Applications – Blackhat 2003

Web Application Security - "Reconnaissance, Exploitation, and Investigation" – Blackhat

Taking aim at Web Applications - Blackhat


WASC Threat Classification

WASC Threat Classification Version 2 (under progress)


WASC Officer

Company working for:-

WhiteHat Security

Companies worked for:-

EDS, RocketCash, Guardent

Bill is a very humble person and is always willing to share his knowledge with others. He mostly works behind the scenes on a lot of ideas in the labs of WhiteHat Security. Though he doesn't have a blog yet, I am hoping he will start one soon.

Next Week – Caleb Sima
Last Week – Andrew Van der Stock

Friday, May 04, 2007

WASC meetup at JavaOne on May 10

Alright guys!! WASC is having another meetup at JavaOne. From what I have heard, this time we have a lot of people joining us. So come on and meet the guys and share a thought or two over a beer.

Here is a copy of the post from Jeremiah's blog:

WASC is organizing a Meet-Up during the JavaOne Conference (May 8-11 @ San Francisco Moscone Center). As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. We're expecting maybe 10-20 like minded webappsec people to share some food, drinks, and stimulating conversation. Everyone is welcome and it should be a really fun time!

We only ask two things:

1) RSVP by email ASAP, if you haven't done so already, so we can make the proper reservations: (contact ___ at ___

2) Everyone is encouraged to buy a beer for someone they didn't previously know.

Time: Thursday, May. 10 @ 7:00pm

ThirstyBear (walking distance from the conference)
661 Howard St San Francisco, CA 94105