What's on your mind?

HP BAC integration

whips04r — Mon, 18 Aug 2008 04:55:37 GMT

Heard rumour that there's rumour of some AMP integration with BAC...would love to know more if it's true! So, spill the beans please...

sercurity

ninja3313 — Tue, 16 Sep 2008 22:18:30 GMT

just starting out on this whole security thing, mostly web programming, and i think i already got hacked i keep getting a questioin if i want to change one of my system files to .htm (my guess is that they want to download it although still wouldnt make much sense). just a funny story i guess any way where to get started on the security, any suggestions? in a web programming direction prefer asp or php.

QTP and WebInspect integration information required

sukant.kaushik — Tue, 09 Sep 2008 06:22:54 GMT

I had been working to find out how WebInspect and QuickTest Professional are integrated.

I would like to know how the integration allows leverage existing QuickTest Professional scripts to conduct automated security testing.

How we can use QuickTest Professional scripts for testing security defects with WebInspect?

Kindly, provide any information or share any document or link which can actually tell how to use QTP scripts with WebInspect?

What happened to WebInspect Direct

ctronner — Thu, 15 May 2008 17:35:00 GMT

Its on the website, but if you click it, it brings you to WebInspect software?

no love for .php5? + Information Leakage check behaviour

whips04r — Thu, 10 Apr 2008 01:22:58 GMT

Just noticed there's no checks in WebInspect that involve the .php5 extension. Many hosting services, where PHP4 still exists and is utilised by way of the .php extension, require that .php5 extension be used in order to utilise PHP5.

Just ran a little test (using the default "standard" policy, restricted to directory and subdirectories only, path truncation disabled) on a directory containing the following:

tests/index.php5 (the target...aka: tests/ )

tests/debug.php

tests/debug.php3

tests/debug.php5

tests/debug/index.php5 (aka: tests/debug/ )

(note: the files simply display their corresponding filename and contain no links)

However WebInspect only found:

tests/

tests/debug/

So why didn't Check #1376 find 'debug.php'?

and why didn't Check #1377 find 'debug.php3'?

What's confusing me is that those files are found by those checks when path truncation is enabled...

Session Fixation/Hijacking Attacks

chrisgillham — Wed, 09 Apr 2008 15:05:54 GMT

Are there any plans to add detection capability to WebInspect to determine, at least a basic level, if website suffer from session fixation/hijacking vulnerabilities? We are seeing this as a growing issue and finding on manually perform VA tests.

Chris Gillham
Maritz Inc.

Scheduled Code Assessment

whips04r — Sun, 30 Mar 2008 20:26:52 GMT

Is there any means to schedule code assessments (i.e. the Static Analysis provided by DevInspect) with the HP ASC suite? DevInspect is the only HP ASC product I know of that has the Static Analysis engine, so is it possible to use DevInspect outside of an IDE and have it generate reports akin to those generated by WebInspect?

Testing Rich Internet Applications

lweller — Mon, 11 Feb 2008 11:43:33 GMT

I have come across many applications that use Adobe Flash or Flex technology. Is it appropriate to use the SOAP policy when assessing such applications using WI or QAI?

An example application is written in (M)XML and/or ActionScript.

Thanks,

-L

PA-DSS Compliance Template

whips04r — Wed, 13 Feb 2008 00:01:11 GMT

PA-DSS should be finalised in March this year (2008), in the meantime a draft was released in November 2007.

I wonder, does the current PCI Data Security Compliance Template incorporate checks for PA-DSS? Or should we expect a new, PA-DSS, Compliance Template to be made available? If a new template will be made available, when should we expect this?

Webcast - How Prevalent Are SQL Injection Vulnerabilities?

erik.peterson — Wed, 17 Jan 2007 11:52:21 GMT

A past blog posting entitled 'How Prevalent Are SQL Injection Vulnerabilities?', is now also available as a webcast.

Abstract:

According to Mitre, web application vulnerabilities have now claimed the top three spots on the CVE request list, with SQL injection taking the silver medal. While these statistics are significant, they only provide insight into vulnerablities in new applications and should not be interpreted as the vulnerabilities actually found 'in the wild'. Despite this fact, SQL injection remains a popular attack vector. Using the Google Search API, we sought to obtain empirical evidence of the prevalence of SQL injection vulnerabilities present on the Internet today.

During this on-demand webcast, you will learn:

The risk posed by SQL injection
How atackers leverage search engines to identify websites vulnerable to SQL injection
How the Google API can be used to build an automated tool for identifying SQL injection
Emperical evidence demonstrating the prevalence of SQL injection vulnerabilities on the Internet
Secure programming techniques for protecting websites from SQL injection

- michael

Universal XSS

mbaggett — Wed, 03 Jan 2007 16:49:44 GMT

Wow... why didn't you guys catch that one?

;)

http://www.gnucitizen.org/blog/danger-danger-danger/

Regd: License

kiran — Tue, 06 Feb 2007 08:39:21 GMT

Hi,

has anyone knows about the licenses options available for webinspect, devinspect, QAinspect

AFAIK, webinspect is tied to server based

DevInspect/QAInspect are tied to named user license. Can anyone knows details of this named user license.

Named user license will it be tied to specific user or workstation.

Web Hacking Exposed 2 Webcast

caleb — Fri, 10 Nov 2006 11:33:41 GMT

We just opened up a new webcast that involves me and Joel Scambray talking about our new book Web Hacking Exposed 2. We throw in some great webhacking examples. Should be fun to watch. If you have any feedback on it let me know

https://download.spidynamics.com/Registration/hackingexp_web.asp

Determining if a browser or a script is calling your Ajax functions

mbaggett — Fri, 10 Nov 2006 11:01:01 GMT

I know you guys were looking at how IE & Mozilla could do something to allow the back end apps to determine if it was a user in a browser making an call to your ajax functions or a script running in the browser. Would this work..

At application initiation the browser and server negotiate a shared secret. The browser stores the shared secret outside the DOM. Then uses it to digitally sign each request. The digital signature can be a field added to the header by the browser. By itself the signature would allow you do determine that it is the browser and not a script. You could also do some things to force sequencial function calls. For example if the server wants to ensure a function1 is called before function2 you could use a challenge-response varient that is passed between functions. So

1) Client shared secret signed request to function1

(Signature can be similar to kerberos.. Encrypt IP, date &time with shared secret)

2) Server function1 chooses nonce, encrypts with shared secret and includes in response header

3) Client browser decrypts adds 1 to nonce, reencrypts and includes in call to function2.

4) Function2 on server decrypts with shared secret. Verify nonce+1

A script could no longer go straight to function2.. right?

I guess it requires some significant changes on both the browser and a new object model in ajax.

Thoughts?

Mark

Ajax Testing Question

edw — Wed, 18 Oct 2006 13:32:19 GMT

I have read and heard a lot of information about the new dangers related to Ajax enabled sites. I am really interested in methods being used by the "pros" to test ajax heavy sites.

Request modifications must happen the same way as traditional web app testing ocurrs. Catch the request in a proxy identify the changes you want to make and analyze the responses...

The problem with ajax enable sites is that the requests are not necessarily pre-defined and the creation of the requests are likely tied to workflow executed by the user. As a tester this creates some unique challenges. Somehow the tester must execute the javascript that generates the requests in a way that emulates a user's activity. Capture those requests, and modify them to test for weaknesses.

One method is to identify all the javascript functions loaded by a page and use the Javascript Shell bookmarklet (http://www.squarefree.com/shell/) to execute the functions while capturing the requests in a proxy. This method requires a phenomenal amount of application knowledge to perform. It is not fast or easy.

What are methods do you use for ajax site testing?

Hackers and Coke

caleb — Thu, 21 Sep 2006 18:33:46 GMT

I thought this was hilarious. Two hacks one for getting access to the debug menu on coke machines (which works on our machine in the office) and one for obtaining a "free 2nd coke".

Nice to see creativity is still alive.

Coke Debug Menu:

http://www.i-hacked.com/content/view/12/48/

http://justinhazen.com/poptrick/

Blackbox vs Crystal Ball approach to webinspect

mbaggett — Sat, 21 Oct 2006 04:26:41 GMT

Do you wake up in the middle of the night thinking of ways you think web inspect could be better?

It occurs to me that 99% of what I am using webinspect for is testing apps that I own. How much faster and better would webinspect be if it didn't have to guess about thinks is on the web server? What if you had me put a small agent on the server that webinspect would query for information about the app? Here are just a few ways I think that would help.

No more crawling... here is a directory listing.

Dont have to try linux and windows variants of attacks you know what it it ( ex:dont search for boot.ini for directory traversal)

Speaking of directory traversal.. Dont guess at how many ../ you need if you know the file structure

Grab config files not accessible in web path. (know table names, DB connection settings, etc(

Take a look at session tables while apps are running

"Hey agent, I just uploaded file xyz, where is it stored on the server" - Webinspect

Do basic source code analysis to get a list of fields to attack

Im just thinking I get better, faster scans the more you know about the app.

maybe an early edition isn't a interactive agent that webinspect queries for data but is a small script which generates xml to feed Webinspect at the start of an assesment.

You could digitally sign communicatons from webinspect to the agent so that you protect customers from themselves. You can assume we will forget to remove the agents ;)

Just a thought. Maybe now I can go back to sleep.

SPICON, whos going to be there?

erik.peterson — Fri, 06 Oct 2006 15:54:51 GMT

Are you going to be at SPICON? If so sound off and let SPI and your fellow SPI Dynamics customers know or just let SPI know what you hope to see while you are there. Needless to say we are looking forward to the event.

[Please visit the site to access the poll]