SAHI – Web Automation & Application Security Testing Tool

Posted by William McBorrough | PenTest, Tools | Monday 8 March 2010 1:09 pm

Sahi is an automation tool for testing web applications. It injects JavaScript into web pages through a proxy, and that JavaScript then drives the application inside the browser.

Sahi is an open source testing tool for web applications, with the facility to record and play back scripts. Developed in Java, C and JavaScript, it uses simple JavaScript to execute events in the browser.

Features:

In-browser controls
Intelligent recorder
Text-based scripts
Ant support for playback of suites of tests
Multi-threaded playback from a command line
HTTP and HTTPS support
AJAX support

Sahi runs as a proxy server that intercepts traffic from the web browser and records the browsing actions. It plays those recorded actions back by injecting JavaScript into the browser, which gives it access to the elements of the web page. This makes Sahi independent of the technology behind the website or web application.

Read more and download it here:

http://www.darknet.org.uk/2010/03/sahi-web-automation-application-security-testing-tool/

Potty mouth hackers pwn TechCrunch (AGAIN)

Posted by William McBorrough | News | Wednesday 27 January 2010 2:54 pm

Less than 24 hours ago, I made a blog post about the TechCrunch.com website getting defaced with porn. Well, they cleaned it up only to get owned again! How’s that for a secure web server?

The second hack (image below) features a foul-mouthed rant aimed at site founder Michael Arrington. It also includes a link to the same online smut and warez-peddling torrents site “promoted” via the previous attack.

Arrington, the crackers brag, should be grateful they didn’t delete setup and registrations on TechCrunch’s back end database when they attacked the site.

Source: http://www.theregister.co.uk/2010/01/27/techcrunch_hacked_again/


2010 CyberSecurity Watch Survey

Posted by William McBorrough | News | Tuesday 26 January 2010 12:04 pm

Cybercrime threats posed to targeted organizations are increasing faster than many organizations can combat them, according to the 2010 CyberSecurity Watch Survey conducted by CSO magazine, the leading resource for security professionals, and sponsored by Deloitte’s Center for Security & Privacy Solutions. Moreover, the survey suggests the threat of cybercrime is heightened by current security models that are only minimally effective against cyber criminals.

More than 500 respondents, including business and government executives, professionals and consultants, participated in the survey. The survey is a cooperative effort of CSO, the U.S. Secret Service, the Software Engineering Institute CERT® Program at Carnegie Mellon University and Deloitte’s Center for Security & Privacy Solutions, a new security solutions innovation center.

Read Full Article at http://opensource.sys-con.com/node/1259111

Web Application Security Testing White Paper

Posted by Guest Blogger | Applications | Monday 25 January 2010 12:27 pm

1. Web Applications: An attractive target for hackers

How do you cost effectively defend web applications from hackers? Your organization relies on mission critical business applications that contain sensitive information about customers, business processes and corporate data. Moving away from proprietary client/server applications to web applications gives you a simpler, cost-effective, highly extensible delivery platform. These applications are more than a valuable tool to power your business operations; they are also a valuable and vulnerable target for attackers.

Web applications are increasingly the preferred targets of cyber-criminals looking to profit from identity theft, fraud, corporate espionage, and other illegal activities. The impact of an attack can be significant, and include:

Costly and embarrassing service disruptions

Down-time

Lost productivity

Stolen data

Regulatory fines

Angry users

Irate customers

In addition to protecting the corporate brand, federal and state legislation and industry regulations are now requiring web applications to be better protected.

As you take action to protect web applications in a timely and effective manner, you must balance the need for security with availability, performance and cost-effectiveness. Protecting web applications requires both zero-day protection and rapid response, with minimal impact on operations and performance and without changing system architectures.

2. Web applications are increasingly vulnerable.

Rapid growth leads to emerging problems

The number of corporate web applications has grown exponentially and most organizations are continuing to add new applications to their operations. With this rapid growth come common security challenges driven by complexity and inconsistency. New awareness of web application vulnerabilities, thanks to organizations such as the Open Web Application Security Project (OWASP), has helped organizations identify application security as a priority. But according to a June 2006 survey (www.symantec.com/about/news/release/article.jsp?prid=20060919_01), while 70 percent of software developers indicated that their employers emphasize the importance of application security, only 29 percent stated that security was always part of the development process.

Overlooked online application vulnerabilities

Unfortunately, it is not just application flaws that leave systems vulnerable. Every web application also relies on a large stack of commercial and custom software components. The operating system, web server, database and all the other critical components of this application stack have vulnerabilities that are regularly discovered and communicated to friend and foe alike. It is these vulnerabilities that most organizations overlook when they consider web application security.

As new vulnerabilities are found, patches become a critical part of managing application security. The patch management process is complex and difficult to do successfully. Even the most proactive IT team must often reassign critical resources to deploy urgent patches, disrupting normal operations. The time required to patch responsibly lengthens the window in which an attacker can exploit a specific vulnerability. With thousands of vulnerabilities and patches being announced each year, the problem continues to grow. Even organizations with the most efficient patching processes in place cannot rely on patching alone to protect them from attacks targeting web application vulnerabilities.

Hackers look for the path of least resistance

Today’s sophisticated attackers target corporate data for financial and political gain. They know they can more easily exploit vulnerabilities in web application stacks than try to defeat well-built network and perimeter security. Attackers have a myriad of techniques to choose from, including:

SQL Injection

Cross Site Scripting

Buffer Overflow

Denial of Service

The number of application vulnerabilities in commercial applications and open source applications is growing at an alarming pace; anywhere from 200 to 400 new vulnerabilities are identified every month.

According to zone-h.org, 45% of attacks make use of vulnerabilities rather than configuration issues or brute force. Attackers are working hard to find and exploit new vulnerabilities in web applications faster than they can be patched. The window of time from when an attacker identifies a vulnerability to when it is disclosed and eventually patched makes a fast-response defence strategy critical to preventing a potentially damaging intrusion.

3. Required: A remote online web application security-testing service

Web applications are increasingly vulnerable, and protecting them requires a system that can:

Ensure compliance today

Meet the evolving needs of an organization for tomorrow

Respond quickly

To meet this challenge, the optimal solution should locate these vulnerabilities as they are seen from the attacker’s point of view. A remote online web application security testing service will therefore best address those needs.

A web application security scan should reveal exposure to these attacks:

SQL Injection

Blind SQL Injection

Installation Path Disclosure

.Net Exception

Command Execution

PHP Code Injection

Xpath Injection

CRLF Injection

Directory Traversal

Script Language Error

URL Redirection

Remote File Inclusion

LDAP Injection

Cookie Manipulation

Source Code Disclosure

Cross-Site Scripting

Cross-Frame Scripting

The security scan must also test a wide variety of website components for vulnerabilities:

Web Servers

Web Server Technologies

HTTP Methods

Backup Files

Directory Enumeration

Directory Indexing

Directory Access

Directory Permissions

Sensitive/Common Files

Third-Party Applications

The online web application security service must:

Remotely crawl the entire website.

Analyse each file.

List the vulnerabilities found along with the severity level of each vulnerability.

Launch a series of web attacks to discover security weaknesses.

Include the option to craft a tailor-made attack.

Be able to adapt to any web site configuration.

Produce dynamic tests and relevant reports of the online scan findings.

Provide a constantly updated vulnerability assessment.

Include an automatic false-positive prevention engine.

Provide enhanced report generation for scan comparison, including the ability to create comparison and trend analysis of your web applications’ vulnerabilities based on scan results generated over a selected time period.

Recommend solutions to fix, or provide a viable workaround for, the identified vulnerabilities.
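The crawl, analyse, attack and report loop that the requirements above describe, reduced to a small offline scanner. This is an added example, not code from the original article or from any scanning product. The target is a constructed in-memory fake site (fake_fetch) standing in for an HTTP client; the three checks it implements (directory indexing, error-based SQL injection, reflected cross-site scripting), the probe strings and the severity labels are illustrative choices. The scope check in crawl (stay on the start host) is the same "limits the vendor works under" point that any real engagement needs.

```python
"""Added example: a minimal offline scanner that walks the crawl -> analyse ->
attack -> report loop.  The target is a constructed in-memory fake site, so
nothing here touches the network; the checks and severities are illustrative."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse, urlunparse


# --- Constructed fake site, standing in for an HTTP client --------------------
def fake_fetch(url):
    """Return (status, body).  /search reflects q without encoding (XSS) and leaks
    a database error when q contains a quote (SQLi); /admin/ lists its directory."""
    u = urlparse(url)
    q = dict(parse_qsl(u.query)).get("q", "")
    if u.path == "/":
        return 200, '<a href="/search?q=test">search</a> <a href="/admin/">admin</a>'
    if u.path == "/search":
        if "'" in q:
            return 500, f"You have an error in your SQL syntax near '{q}'"
        return 200, f"<p>Results for {q}</p>"
    if u.path == "/admin/":
        return 200, "<html><title>Index of /admin/</title><body>..."
    return 404, "not found"


# --- Crawl ----------------------------------------------------------------------
class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def crawl(start, fetch, limit=50):
    """Breadth-first crawl confined to the start host.  Returns {url: (status, body)}."""
    host = urlparse(start).netloc
    seen, queue, pages = set(), [start], {}
    while queue and len(pages) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        pages[url] = (status, body)
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:
            absolute = urljoin(url, href)
            if urlparse(absolute).netloc == host:   # stay inside the authorised scope
                queue.append(absolute)
    return pages


# --- Attack and report ----------------------------------------------------------
SQL_ERRORS = re.compile(r"SQL syntax|ORA-\d{5}|unclosed quotation mark|pg_query", re.I)
XSS_MARKER = "zq<xss>zq"   # harmless token; reflected verbatim means no output encoding


def with_param(url, name, value):
    """Rebuild url with one query parameter replaced by the probe value."""
    u = urlparse(url)
    params = dict(parse_qsl(u.query))
    params[name] = value
    return urlunparse(u._replace(query=urlencode(params)))


def scan(start, fetch):
    """Crawl, then probe every discovered page and parameter.
    Returns sorted (kind, path, severity) findings."""
    findings = set()
    for url, (status, body) in crawl(start, fetch).items():
        if status == 404:
            continue
        path = urlparse(url).path
        if re.search(r"<title>Index of ", body, re.I):
            findings.add(("directory_indexing", path, "low"))
        for name in dict(parse_qsl(urlparse(url).query)):
            if SQL_ERRORS.search(fetch(with_param(url, name, "'"))[1]):
                findings.add(("sql_injection", path, "high"))
            if XSS_MARKER in fetch(with_param(url, name, XSS_MARKER))[1]:
                findings.add(("reflected_xss", path, "medium"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, path, severity in scan("http://app.example/", fake_fetch):
        print(f"[{severity}] {kind} at {path}")
```

Swapping fake_fetch for a real HTTP client turns this into the skeleton of a genuine scanner; what a commercial service adds on top is the breadth of probes, the false-positive handling and the trend reporting the list asks for.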

Author: Avi Bartov
Article Source: EzineArticles.com

Effectively Scoping Application Security Penetration Testing and Ethical Hacking

Posted by Guest Blogger | Forensics, PenTest | Monday 18 January 2010 9:30 pm

When scoping an application security penetration test, it is worth remembering the following:

The principal focus of the testing should be on the application under test. This means that the vulnerability of the surrounding environment is not under test, nor are, for example, the external-facing firewalls, except in their relationship to the application. It would therefore be appropriate for the vendor to confirm that the firewalls are configured correctly for this application and that no unnecessary ports are allowed through. Conversely, the vendor should be instructed not to test your firewalls beyond this.

The test should include a paper review of the architectural design before testing begins. The review should validate the physical placement of the various network components and servers, and identify potential issues or security weaknesses.

It should be left to the vendor to use their judgment as to which particular tests are relevant to a particular application. There are two exceptions to this:

  • If it can be seen that the vendor’s proposed testing is not comprehensive enough, the project should insist on extending the scope to include additional areas of testing.
  • If, in the opinion of the project, the tests proposed would have an undesirable effect on production infrastructure or applications, steps must be taken to achieve the same testing in an alternative manner. For example, this may involve the use of the application’s disaster recovery equipment.

While it is difficult to prescribe specifically which tests are appropriate for any generic set of applications, in principle you should consider the following where applicable:

  • Password cracking scan of password files on servers.
  • An on-box scan for security vulnerabilities.
  • An examination of client-side application for information that reveals information about how the application functions that could be used for a more focused attack.
  • Examination of client-side code and locally stored information such as cookies and session information. This should include alterations to such information in an attempt to:
    - subvert authentication checking;
    - establish the bounds of server reliance on client data fields;
    - test for other unexpected results and potentially access confidential information.

  • Bounds checking and application validation for both accidental and mischievous input. The test should ensure that applications correctly respond to unexpected data formats or sizes.
  • Potential for buffer overflows.
  • Examination of application-to-application interaction between resources such as the web service and back-end data feeds. Attempts are made to access application resources by impersonating other system functions or sources.
  • An examination of application-level traffic passing between various host systems for passwords, CGI parameters, and other data that might be reused as part of an exploitation attempt.
  • Conduct authenticated user testing to see if they can abuse the system as a “customer”.
  • Attempted permission escalation by, for example, referencing application components with higher server-side permissions, or exploitation of race conditions to identify lax permission or authentication checking.
  • Susceptibility of the application to replay attack and man in the middle attacks.
  • Other session orientated attacks, including an analysis of system responses to such data.
  • Susceptibility of the application to specially crafted packets delivered independently of the front end application checking.
  • Investigation of robustness and resilience of application Authentication mechanisms.
  • Software-specific manufacturer-recognised exploits
  • Content sharing vulnerabilities
  • Presence of deployment process vulnerabilities
  • Presence of activation process vulnerabilities
  • Request process vulnerabilities
  • File and user permission vulnerabilities
  • Cluster connectivity vulnerabilities
  • Excess build and configuration weaknesses
  • Application of applicable security patches, fixes and updates
  • Legacy application code development weaknesses
  • SQL injection weaknesses
  • Cross-site scripting vulnerabilities
  • Potential to defraud the application
  • Encryption and authentication vulnerabilities
  • Defacement weaknesses
  • Redirection vulnerabilities
  • Administration rights & controls
  • Sniffer attack vulnerabilities
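
The client-side state test from the list above (alter a cookie and see whether authentication or authorisation checking can be subverted), worked as an added example that is not part of the original article. Both server implementations, the cookie layout and the key are constructed for illustration. The vulnerable server reads the role straight out of a base64-encoded JSON cookie; the hardened variant binds the same payload to an HMAC, which is what the test should find when it passes. The tester's function, tamper_role, does exactly what the bullet says: decode, alter, re-submit, compare.

```python
"""Added example: the cookie/session tampering test from the list above, run
against two constructed server implementations.  Everything here (the apps,
the cookie layout, the key) is illustrative, not a real product's code."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _encode(session):
    return base64.urlsafe_b64encode(json.dumps(session).encode()).decode()


def _decode(payload_b64):
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def _sign(payload_b64):
    return hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, role, signed):
    """What the hypothetical server hands out at login."""
    payload = _encode({"user": user, "role": role})
    return payload + "." + _sign(payload) if signed else payload


# --- Two hypothetical servers: 200 = admin page served, 403 = denied, 401 = bad cookie
def vulnerable_app(cookie):
    """Trusts the client's copy of the session: the role comes straight from the cookie."""
    try:
        session = _decode(cookie)
    except ValueError:            # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return 401
    return 200 if session.get("role") == "admin" else 403


def hardened_app(cookie):
    """Same layout, but the payload is bound to a server-side HMAC the client cannot forge."""
    try:
        payload, mac = cookie.rsplit(".", 1)
        if not hmac.compare_digest(_sign(payload), mac):   # constant-time comparison
            return 401
        session = _decode(payload)
    except ValueError:
        return 401
    return 200 if session.get("role") == "admin" else 403


# --- The tester's side ----------------------------------------------------------
def tamper_role(cookie, new_role):
    """Decode the cookie as a tester would, rewrite 'role', re-encode.  Any trailing
    signature is carried over unchanged, since the tester does not know the key."""
    payload, dot, sig = cookie.partition(".")
    session = _decode(payload)
    session["role"] = new_role
    return _encode(session) + dot + sig


def tampering_test(app, cookie):
    """True when the server honours a privilege claim the client rewrote."""
    return app(cookie) == 403 and app(tamper_role(cookie, "admin")) == 200


if __name__ == "__main__":
    for name, app, cookie in [
        ("vulnerable", vulnerable_app, issue_cookie("alice", "customer", signed=False)),
        ("hardened", hardened_app, issue_cookie("alice", "customer", signed=True)),
    ]:
        verdict = "FAIL: client controls role" if tampering_test(app, cookie) else "ok"
        print(f"{name}: {verdict}")
```

The same pattern (decode, alter one field, re-submit, compare the response to the baseline) applies to hidden form fields, URL parameters and any other state the server sends to the client and later reads back.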

Some applications may have a number of identical components in the architecture; e.g. a web-enabled application may have four web servers in parallel for load-balancing reasons. In these cases, the project should ensure that the vendor is testing all instances of the components. Extending the web server example further, this would mean that each web server’s operating system would need to be tested to ensure that any hardening process undertaken had been completed on each of the servers.

This does not mean that each instance of the actual application code running on each web server is subjected to all tests. In other words, it should be sufficient to conduct data validation tests against only one of the servers.

It happens more often than one would think: there have been many cases of penetration tests launching attacks against networks that were not authorised for testing. The project must therefore ensure the vendor knows the limits they are working under. It is worth asking the vendor what methods they use to limit unintentional damage to your network.

Lastly, the vendor should be reminded by the project that any information collected is to be treated in confidence, and that they must take appropriate steps to ensure any data retained by them is secured and destroyed securely when no longer required.

Author: Penny Reyes
Article Source: EzineArticles.com

Backtrack 4 Final Released!!

Posted by William McBorrough | Forensics, Networking, PenTest, Tools, Wireless | Tuesday 12 January 2010 4:47 pm

BackTrack 4 is a Linux-based penetration testing suite of tools used by security professionals to perform assessments. BackTrack has been fully customized as a penetration testing distribution.

BackTrack 4 (codenamed “pwnsauce”) includes a new kernel, a larger and expanded toolset repository, custom tools that you can only find on BackTrack, and more importantly, fixes to most major bugs that we knew of. You can install and use it as your primary operating system, run it as a live cd, from a usb drive, or as a virtual machine.

Some of the tools included in the suite are: Metasploit, Kismet, Autoscan, Nmap, Ettercap, Wireshark, etc. These tools can be used for network and system reconnaissance, enumeration and penetration.

I use the backtrack suite in teaching my ethical hacking class. It is a great tool for anyone interested in learning to perform security assessments.

Other suites with similar functionality can be found in a previous post.

Revealed – 5 Web Application Security Threats

Posted by Guest Blogger | Applications | Friday 8 January 2010 8:00 pm

Consider the fallout if someone hacked your Website and altered the content of your site.

What would that do to your customer base?

Do you think their confidence in your ability to conduct business over the Internet would change?

What are the potential security threats to your Web application server? The threats are many. In fact, nearly every device that connects directly to the Internet on a broadband or dedicated (always on) connection is scanned multiple times.

Every device connected to the Internet receives an Internet Protocol (IP) address. That address has two components, a network component and a host component. A hacker can launch a program to ‘ping’ every host address within a given network and log the results. Simple analysis of the results reveals which addresses are assigned to active devices, since those are the ones that respond to the ‘ping’. Armed with a list of active devices, the hacker launches other scans to determine the operating system or application programs each active device runs. Many operating systems and applications have security vulnerabilities that the hacker then exploits.
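The sweep described above leaves a recognisable trace on the defender's side: one source sending ICMP echo requests to many host addresses of the same network within a short time. The following added example, not from the original article, parses constructed iptables-style firewall log lines and flags that pattern. The log format, the addresses (RFC 5737 documentation ranges) and the threshold of eight distinct hosts within sixty seconds are all illustrative assumptions, not a standard.

```python
"""Added example: flag the ping sweep described above from firewall logs.
The log lines, the iptables-style format and the threshold are constructed
for illustration; the addresses are from the RFC 5737 documentation ranges."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime


# Constructed sample log: one source probing 192.0.2.1-10 within a few seconds,
# one ordinary ping from another host, and one TCP packet that must be ignored.
def _line(clock, src, dst, proto, icmp_type=None):
    tail = f" TYPE={icmp_type} CODE=0" if icmp_type is not None else " DPT=80"
    return f"Jan  8 {clock} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO={proto}{tail}"


SAMPLE_LOG = [_line(f"19:58:0{i % 5}", "203.0.113.7", f"192.0.2.{i}", "ICMP", 8)
              for i in range(1, 11)]
SAMPLE_LOG += [
    _line("19:58:10", "198.51.100.5", "192.0.2.1", "ICMP", 8),   # benign single ping
    _line("19:58:11", "203.0.113.7", "192.0.2.11", "TCP"),         # not an echo request
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+)(?: TYPE=(?P<type>\d+))?")


def parse(line):
    """Return a dict with seconds since the start of the (assumed single) year,
    src, dst, proto and ICMP type (None for non-ICMP), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m["ts"], "%b %d %H:%M:%S")       # year defaults to 1900
    return {
        "ts": (dt - datetime(1900, 1, 1)).total_seconds(),
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "type": int(m["type"]) if m["type"] is not None else None,
    }


def detect_sweeps(lines, threshold=8, window_s=60, prefix=24):
    """Group ICMP echo requests by (source, destination /prefix) and report any
    source that reached >= threshold distinct hosts inside one sliding window."""
    probes = defaultdict(list)                       # (src, subnet) -> [(ts, dst)]
    for line in lines:
        rec = parse(line)
        if rec and rec["proto"] == "ICMP" and rec["type"] == 8:
            net = ipaddress.ip_network(f"{rec['dst']}/{prefix}", strict=False)
            probes[(rec["src"], str(net))].append((rec["ts"], rec["dst"]))
    alerts = []
    for (src, net), events in probes.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1                           # slide the window forward
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            alerts.append((src, net, best))
    return alerts


if __name__ == "__main__":
    for src, net, hosts in detect_sweeps(SAMPLE_LOG):
        print(f"possible ping sweep: {src} probed {hosts} hosts in {net}")
```

The threshold and window are the tuning knobs: a monitoring host that legitimately pings a whole subnet needs an allow-list, and a slow attacker who spreads probes over hours will slip under a sixty-second window, so the same grouping is worth running over a much longer window at a lower priority.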

So, what can the hacker do if he or she discovers vulnerabilities on your Web application server?

Let’s examine 5 Web application security threats.

1. Defacement and Altered Content. Once a hacker gains access to your system, the content is at his mercy. As previously stated, what would be the fallout if someone altered the content of your Web Server? If you rely upon your Web Server or Website to generate revenue or drive customers to your business, defacement or altered content could irreparably damage your relationship with your customers and prospects.

2. Data Theft. Another potential threat is data theft. If your site has e-mail addresses, account numbers, or other sensitive data, a hacker may steal that data and exploit it to his or her own gain. Imagine having to explain to your customers that the information stolen from your server led to identity theft or the unauthorized use of their financial data.

3. Unauthorized Access to Applications and System Resources. Sometimes a hacker uses your system for his or her own purposes merely denying you the ability to efficiently and effectively use your system. The fallout ranges from a minor inconvenience to a major catastrophe.

4. Denial of Service Attacks. Some hackers launch denial of service attacks, which overwhelm the connection and deny you and your customers access to your Website. Again, the fallout ranges from a minor inconvenience to a major catastrophe.

5. Propagation of Viruses, Worms, and Other Malware. Sometimes a hacker may access your system to use it as a springboard to launch viruses, worms or other forms of malware. This is done on your system to cover the hacker’s tracks.

The point is, take the security of your system seriously and employ all of the methods at your disposal to harden your site against attack.

Author: Tomer Shoha
Article Source: EzineArticles.com

Addressing Software Vulnerabilities BEFORE you buy

Posted by William McBorrough | Thoughts | Monday 14 December 2009 10:33 pm

Most organizations are constantly in the software purchase/create-deploy-patch cycle. All security conscious folks realize that this is an undesirable state of affairs. The question really is what to do about it. Are software/product vendors willing to certify that their product is secure? Are they willing to allow potential buyers to test the security of their products? Not just functionality, as is usually done, but the actual software, i.e. code review. Now what’s the likelihood of vendors actually handing over source code to potential customers? I’ll say less than nil! There are products like Fortify that provide this and other application security related services. Last week, they even rolled out a SaaS product. Some say the ultimate solution is a non-profit organization that will perform such software vetting and maybe assign some sort of assurance rating. The bottom line is that consumers have to demand something other than the status quo. If enough of us, with enough buying power, demand it, I believe the market will respond.

How many security tools can you fit on your key chain?

Posted by William McBorrough | Forensics, PenTest, Tools, Wireless | Friday 11 December 2009 4:21 pm

When I first started running Ubuntu as my laptop OS of choice, it was partly because I got fed up with having to rebuild my Windows XP OS whenever it would pick up some particularly stubborn piece of varmint during my browsing of hacking sites around the web. The second reason, however, was that most security tools I wanted to use were native to Linux and it was just easier to install them on my Ubuntu laptop and always have them available. You never know when you might get the urge to… um… never mind. I tried running them as virtual machines in VMware for a while but I found the inability to use all the computing resources on the laptop a little limiting. There are several pretty good suites out there that do a good job of compiling tools (e.g. Backtrack, my fave) but it lacks some of the tools found in other suites.

I was quite pleased when I came across Katana, which is a multi-boot suite that combines multiple security distributions (and you can add more) on one bootable USB. By default, it comes with the following:

- Backtrack 4
- the Ultimate Boot CD
- Organizational Systems Wireless Auditor (OSWA) Assistant
- the Ultimate Boot CD for Windows
- Got Root? Slax
- Ophcrack Live
- Damn Small Linux
- Damn Vulnerable Linux

It also includes “over 100 portable Windows applications”. Katana v1.0 can be downloaded from the developer’s site here.

ISSA-NOVA Chapter December Meeting

Posted by William McBorrough | Uncategorized | Wednesday 9 December 2009 8:42 pm

The Northern Virginia Chapter of the Information Systems Security Association (ISSA) will be hosting its monthly chapter meeting for December tomorrow. The speaker will be LTC Ken Fritzshe, PhD, CISSP of the US Army. He will be discussing . More info at the ISSA-NOVA website.
