Monday, July 21, 2008

Upcoming ChiSec Event

The next ChiSec event is Wednesday, July 23, 2008. Unfortunately, I won't be available for this one. But I attended the event a few months back. It's a nice social gathering of security people in the Chicago area. I'd recommend it if you've never been.

When
ChiSec 19 is July 23rd, 2008. A Wednesday. 7:00PM. We stay until people get tired of hanging out. That seems to be about 3 hours.

Where
Hop Haus, near downtown, by popular vote. They have the group name, so grab someone and ask.

Here's a map.


-Michael Coates

Tuesday, July 15, 2008

Help Shape the OWASP Certification

Here is a survey to help shape a future OWASP certification. The questions you will be most interested in (aka the security focus areas) come towards the end, so make your way through the first page. I skipped a few questions I didn't really like (i.e. don't give up if you find a few you don't like).

By the way, I think this is a great idea if done correctly. I think OWASP is in a good position to offer a nice certification for app security.


I found out about this survey from this post: Enterprise Architecture: From Incite comes Insight...: Certification of Software Development Professionals

-Michael Coates

Wednesday, July 9, 2008

WebScarab Template - Bean Shell

In the spirit of WebScarab templates, here is a fresh template for the bean shell. Wait, you just put out a template for Manual Request; how is this different? Good question. The Scripted feature lets you build and send custom requests. The bean shell lets you modify every request and response that passes through WebScarab. So, if you turn on WebScarab and start browsing the web, your bean shell code will execute for each request and response.


Copy the source code below into the bean shell and hit 'Commit'. The output file is written to c:\ so change that path as desired. Keep in mind that the file will contain every header and body you choose to print, cookies included, so treat it as sensitive.

-Michael Coates

/* ======================================= */
/* Provided by http://michael-coates.blogspot.com */
/* ======================================= */
/* Please read the JavaDoc and/or the source to understand what methods are available */

import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import java.io.*;

// WebScarab calls this for every request that passes through the proxy while the bean is enabled
public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {

    //=====Make changes to the requests=========
    //=====Remember: These changes will be applied to all requests while the bean is enabled. ============
    //request.setHeader("User-Agent","MySuperBrowser");
    //request.setHeader("Accept"," text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
    //request.setHeader("Accept-Language"," en-us,en;q=0.5");
    //request.setHeader("Accept-Encoding"," gzip,deflate");
    //request.setHeader("Accept-Charset"," ISO-8859-1,utf-8;q=0.7,*;q=0.7");
    //request.setHeader("Keep-Alive"," 300");
    //request.setHeader("Proxy-Connection"," keep-alive");
    //request.setHeader("Cookie"," Some cookie values here");
    //==============

    //Send the request and fetch the response - this is required for requests to work
    Response response = nextPlugin.fetchResponse(request);

    //=====Print some stuff to a file=========
    // The file is opened in append mode, so each request/response is added after the previous one
    BufferedWriter bw = new BufferedWriter(new FileWriter("c:\\webscarab_bean_out.txt", true));
    try {
        // printRequest(request, bw);
        // printResponse(response, bw);
        // PrintToFile("some string", bw);
    } finally {
        bw.close(); // always release the file, even if one of the helpers throws
    }
    //==============

    return response;
}

// ============= Add any additional supporting methods below===============

// write the request line and headers
void printRequest(Request request, BufferedWriter out2){
    out2.write("========\r\n");
    out2.write(request.getMethod()+"\r\n");
    out2.write(request.getURL()+"\r\n");
    out2.write(request.getVersion()+"\r\n");
    String[] headers=request.getHeaderNames();
    for(String header : headers){
        out2.write(header+" : " + request.getHeader(header)+"\r\n");
    }
    out2.write("\r\n========\r\n");
}

// write the status line, headers and body of the response
void printResponse(Response response, BufferedWriter out2){
    out2.write("========\r\n");
    out2.write(response.getStatus()+"\r\n");
    out2.write(response.getMessage()+"\r\n");
    //print the headers
    String[] headers=response.getHeaderNames();
    for(String header : headers){
        out2.write(header+" : " + response.getHeader(header)+"\r\n");
    }
    out2.write("\r\n");
    //print the content - this could be a lot of content, and some responses carry no body at all
    byte[] data=response.getContent();
    if (data != null) {
        out2.write(new String(data));
    }
    out2.write("\r\n========\r\n");
}

// write an arbitrary string to the file; the caller is responsible for closing the writer
void PrintToFile(String string_value, BufferedWriter out2){
    out2.write("=======================================\r\n");
    out2.write(string_value + "\r\n");
}

Wednesday, July 2, 2008

Template for WebScarab Scripted

If you've ever used WebScarab and been interested in the scripted tab, here is a nice template to get you started. One of the problems with the default template is that it leaves a lot of work to just get the output displayed to the window. I created two easy helper methods (printRequest and printResponse) and also rearranged the layout to be easier to traverse. Edit the details at the bottom. It should be pretty clear.

Never used WebScarab? Time to learn.

-Michael Coates

---
/* ======================================= */
/* Provided by http://michael-coates.blogspot.com */
/* ======================================= */

import org.owasp.webscarab.model.ConversationID;
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import java.util.Date;

// define subroutines BEFORE the main part of the script executes,
// otherwise they won't be found

// print the request line and headers to the Scripted output window
void printRequest(Request request){
    out.println("========");
    out.println(request.getMethod());
    out.println(request.getURL());
    out.println(request.getVersion());
    String[] headers=request.getHeaderNames();
    for(String header : headers){
        out.println(header+" : " + request.getHeader(header));
    }
    out.println("========");
}

// print the status line, headers and body of the response
void printResponse(Response response){
    out.println("========");
    out.println(response.getStatus());
    out.println(response.getMessage());
    //print the headers
    String[] headers=response.getHeaderNames();
    for(String header : headers){
        out.println(header+" : " + response.getHeader(header));
    }
    out.println("");
    //print the content - some responses carry no body at all
    byte[] data=response.getContent();
    if (data != null) {
        out.println(new String(data));
    }
    out.println("========");
}

// print a label followed by the current time in milliseconds since the epoch
void printTime(String label){
    out.println(label + " " + new Date().getTime());
    out.println("");
}

// call this to fetch the requests one after another
void fetchSequential() {
    out.println("===================================");
    while (hasMoreRequests()) {
        request = getNextRequest();
        printRequest(request);
        response = scripted.fetchResponse(request);
        printResponse(response);
        printTime("Current Time");
    }
    printTime("Done - Current Time");
    out.println("");
}

// call this to fetch them in parallel
// the number of simultaneous connections is controlled by the Scripting plugin
// It is currently fixed at 4 simultaneous requests
void fetchParallel() {
    while (hasMoreRequests() || scripted.isAsyncBusy()) {
        while (scripted.hasAsyncCapacity() && hasMoreRequests()) {
            request = getNextRequest();
            scripted.submitAsyncRequest(request);
            printRequest(request);
        }

        if (scripted.hasAsyncResponse()) {
            while (scripted.hasAsyncResponse()) {
                response = scripted.getAsyncResponse();
                request = response.getRequest();
                // responses come back in any order, so say which request this one belongs to
                out.println("Response for " + request.getURL());
                printResponse(response);
            }
        } else Thread.sleep(100);
    }
}

// a counter, so we can know when to stop
int i=0;
int TotalRequests;
boolean hasMoreRequests() {
    return i < TotalRequests;
}

/******************************************************************************
 *************** USER EDITABLE SCRIPT STARTS HERE *****************************
 *                                                                            *
 * Of course, you can modify the bits above, but you shouldn't need           *
 * to, if you follow the algorithm suggested below.                           *
 *                                                                            *
 ******************************************************************************/
//====Set the number below equal to the total number of requests====
TotalRequests=3;

// modify this routine to construct the next request - no changes needed
Request getNextRequest() {
    // create a new request copied from the template
    Request request = new Request(template);
    i++; //need to increment the counter
    return request;
}

//====Edit this section====
// create a template that contains the basics
Request template = new Request();
template.setMethod("GET");
template.setURL(new HttpUrl("http://www.google.com"));
template.setVersion("HTTP/1.0");
template.setHeader("User-Agent","WebScarab");
template.setHeader("Host","www.google.com:80");
template.setHeader("Accept"," text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
template.setHeader("Accept-Language"," en-us,en;q=0.5");
template.setHeader("Accept-Encoding"," gzip,deflate");
template.setHeader("Accept-Charset"," ISO-8859-1,utf-8;q=0.7,*;q=0.7");
template.setHeader("Keep-Alive"," 300");
template.setHeader("Proxy-Connection"," keep-alive");
//template.setHeader("Cookie"," Some cookie values here");

//====Choose Sequential or Parallel Requests====
// Choose how to submit the requests, sequentially, or in parallel
//fetchSequential();
fetchParallel();

Tuesday, July 1, 2008

Applications take a beating...and keep taking it

Let's consider the average web application. It may or may not be secure. It may have obvious vulnerabilities just waiting to be exploited, or it could be relatively secure apart from a more obscure vulnerability buried in the app. If an attacker were targeting this app, they would perform a series of steps to try to identify a vulnerability. Perhaps they would insert XSS-type strings into various input fields. Maybe integers within the URL arguments would be incremented or replaced with SQL injection attempts. Another common target is the cookie values; maybe these are modified or removed.

The problem I have is that the application just sits there and waits to be compromised. This is akin to someone taking a stick and hitting you repeatedly while you do nothing. If the application is clearly being attacked, then I believe it should respond.

There are challenges in responding. First, it is tough to respond to an unauthenticated user. You don't know who they are, and it would be nearly impossible to accurately track them from request to request. So let's consider only authenticated users. In fact, that is a good move because many of the more complex features are only available to authenticated users anyway. Second, we need to determine what is an attack versus what is user error.

Now, if we can detect a user that is performing basic malicious activity against our application, we can take action BEFORE they locate a vulnerability. Perhaps our action is to log out the user and lock the account? It would be very difficult for an attacker to discover a vulnerability if their account was locked due to a security error and they had to call a phone number to unlock it.

The response actions would have to be tuned to prevent taking action against innocent users. However, there are many cases where we can take responsive action with little fear of targeting the innocent. For instance, how many innocent users would modify a POST request and include a cross site scripting attack? Odds are this is bad.

If we identified a collection of detection points within our application and then collected every firing of these intrusion events, we would be able to monitor the malicious activity of each user. Once defined thresholds had been reached, the application could perform a defensive response action such as warning the user or locking the account.

These issues are all being explored as part of the OWASP Summer of Code AppSensor project.
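As an added illustration of the loop described above (detection points fire intrusion events per authenticated user, events are counted against a threshold, and a response action follows), here is example code written for this page, not AppSensor's own code; the detection ids, thresholds, request shape and sample traffic are all constructed:

```python
import re
from collections import defaultdict

# Constructed detection points (not AppSensor identifiers). Thresholds are tuned per
# detection point so innocent users are not hit: a script tag inside a modified POST
# is almost never accidental, so one event is enough, while a non-integer URL argument
# could be a typo, so several are tolerated before the application responds.
THRESHOLDS = {"xss_in_post": 1, "tampered_int_arg": 3}
ACTIONS = {"xss_in_post": "lock_account", "tampered_int_arg": "warn_user"}
INT_ARGS = {"id", "page"}  # URL arguments the application expects to be integers
SCRIPT_RE = re.compile(r"<\s*script|javascript:|onerror\s*=", re.IGNORECASE)


def detect(request):
    """Evaluate every detection point against one request; return the ids that fired."""
    fired = []
    if request["method"] == "POST" and any(SCRIPT_RE.search(v) for v in request["form"].values()):
        fired.append("xss_in_post")
    if any(name in INT_ARGS and not value.isdigit() for name, value in request["args"].items()):
        fired.append("tampered_int_arg")
    return fired


class AppSensor:
    """Counts intrusion events per authenticated user and picks a response once a threshold is hit."""

    def __init__(self):
        self.events = defaultdict(int)  # (user, detection_id) -> number of firings

    def record(self, user, detection_id):
        """Count one event; return the response action if this user crossed the threshold."""
        self.events[(user, detection_id)] += 1
        if self.events[(user, detection_id)] >= THRESHOLDS[detection_id]:
            return ACTIONS[detection_id]
        return None

    def inspect(self, user, request):
        """Run detection on a request from an authenticated user; return the actions to take."""
        actions = [self.record(user, d) for d in detect(request)]
        return [a for a in actions if a is not None]


if __name__ == "__main__":
    sensor = AppSensor()
    # Constructed sample traffic: a modified POST, then the same malformed id three times.
    print(sensor.inspect("alice", {"method": "POST", "args": {}, "form": {"name": "<script>x</script>"}}))
    for _ in range(3):
        print(sensor.inspect("bob", {"method": "GET", "args": {"id": "abc"}, "form": {}}))
```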

-Michael Coates