Friday, January 30, 2009

Protecting users from password theft

A very good article from Chris Eng (Veracode) about how developers can design a strong password scheme in their applications to protect users from password theft.

Suppose that your database is stolen (hopefully not): is the data protected? Could the thieves easily recover the passwords? In my last pentests the passwords were stored in clear text... so it's common practice to have passwords stored in an insecure way, or even in clear text.
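As an added illustration of the point above (example code, not from the Veracode article or from this blog), here is a small Python sketch of what a stolen row looks like under a clear-text scheme versus a salted, slow-hash scheme; the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed value; raise it as hardware allows


def store_cleartext(password: str) -> dict:
    """Insecure: a stolen row hands the attacker the password directly."""
    return {"scheme": "clear", "secret": password}


def store_hashed(password: str, iterations: int = ITERATIONS) -> dict:
    """Per-user random salt plus a slow PBKDF2-HMAC-SHA256 derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(row: dict, candidate: str) -> bool:
    """Check a login attempt against a stored row with a constant-time compare."""
    if row["scheme"] == "clear":
        return hmac.compare_digest(row["secret"].encode("utf-8"),
                                   candidate.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(row["salt"]), row["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(row["hash"]))


def recoverable_from_row(row: dict) -> bool:
    """What a database thief gets: the clear scheme exposes the password outright;
    the hashed row only holds salt and digest, so there is nothing to revert."""
    return row["scheme"] == "clear"


def same_password_same_row(password: str) -> bool:
    """With a per-user salt, two users sharing a password get different rows,
    so a thief cannot spot reused passwords by comparing hashes."""
    a, b = store_hashed(password), store_hashed(password)
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    # Constructed sample credentials for the demo
    for row in (store_cleartext("hunter2"), store_hashed("hunter2")):
        print(row["scheme"], "login ok:", verify(row, "hunter2"),
              "thief recovers password:", recoverable_from_row(row))
```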

Here is a good practice for your developers or customers:

Veracode - How to protect your users from password theft

-CMM

Wednesday, January 28, 2009

PCI for dummies


Qualys, the leading provider of vulnerability scanning, has published a free e-book entitled "PCI for dummies". If you want to get a grasp of what PCI (Payment Card Industry) is, and learn how to comply with it, you can download your copy here:


Enjoy 

-CMM

DVL 1.5 - a hacking playground


A new version of the most vulnerable distribution was released yesterday. This Linux distribution is known for providing resources to learn security and hacking. It's loaded with training material, vulnerable software, and tools.

It's a very interesting distribution to have in your lab, for testing your tools in a controlled environment.

The new version 1.5 (Infectious Disease) is a 1.6 GB ISO image, and it's available for download here.

Happy hacking

-CMM

Web Application vulnerability scanners comparison

Today I saw a message from "Anantasec" on the "pen-test" mailing list about an evaluation/comparison of web application scanners.

The products analyzed are IBM Appscan (7.7.620 SP2), HP Webinspect (7.7.869) and Acunetix (6.0), all commercial products.

The analysis only evaluates the results of the scans against 16 applications; it doesn't compare features, options or capabilities of the products.

After reading the report I have some doubts about its origin. Could it be an analysis biased towards Acunetix? It's an anonymous writer, a blog with just one post... it makes me wonder. (Damn, no interesting metadata in the document.)

Personally I have used all the scanners and I'm happy with Appscan, though I miss the scheduling option of Webinspect. Also, Acunetix has improved a lot in the latest versions, and could be an interesting option when considering price/value.

An interesting fact from the analysis is that each scanner performed best when scanning its own vendor's demo application :)
 
Here is the report from Anantasec; draw your own conclusions.

Remember to use more than one tool for the task, to get complementary results, and also that a scanner will not discover all the vulnerabilities in the application, so don't rely on them alone.

I always use ProxyStrike when doing the manual analysis of the application, and I discover XSS and SQL injection that none of the scanners mentioned before do. Btw, a new version is coming!

If you want more options for web application scanners, don't forget the open source ones. Right now there is a clear leader in this field, W3aF: it's very complete, has even more plugins or checks than the commercial ones, and is multi-platform.

What are you using?

-CMM

Tuesday, January 27, 2009

Information Gathering III: Yasni and 123people


After the posts about information gathering on individuals using Spokeo and Pipl, now it's the turn of Yasni and 123People.


Yasni has a standard search page, where you enter the name of the person you want to search information about. The results page is organized into "All, Personal, Business, News, Other Web pages and Comments", and the quantity and quality of the results is very good.

An interesting feature of Yasni is the tag cloud about your target; in some cases it is useful to check whether it is really your target (assuming you know something about him/her).

Yasni also offers an "Agent search", which they say will perform an exhaustive deep web search and return the results in 24 hours. I'm waiting for the first examples to arrive :)

The last people search engine I will review in this miniseries is "123people", one of the most used services on the net, and personally one of the best in results organization.

123people results are organized into "web links, Amazon, Phone Numbers, Videos, News, Microblogs, Pictures, Blogs and Documents, and Social network profiles"; 123people also has a tag cloud like Yasni.

123people has an email alert service for receiving updates about your targets.

Right now we can say that the results are very similar between the different services, and we have to wait to see which will reign over the people search engine terrain.

I have my preferences with 123people and Pipl, but I recommend using as many as possible when performing information gathering about a target. All these services are oriented to the web and the social networks; there are other kinds of services that will provide more information, but they aren't free and the information is only available for certain countries. I will write a post about these services soon.

What is your choice?

-CMM
 

Thursday, January 22, 2009

Information Gathering II : Pipl.com


Well, after writing about Information Gathering and Spokeo, now it's the turn of Pipl.com, which, as you can tell from the name, is oriented to searching information about individuals.

The application doesn't need a registration, which is good, and the search parameters you can use are the Name, Last Name, City and Country; they also recently added reverse lookup, where you can use an email address, nickname or phone number!

As usual I started searching for myself, and Pipl yielded more results than Spokeo. In the results we can find online profiles (Facebook, Myspace, etc.), photo albums, Youtube accounts, Amazon accounts, blog posts, documents, pictures (with thumbnails) and many other kinds of results.

It really is an interesting tool, and it is improving over time.

About the differences between Spokeo and Pipl: Spokeo aims to be more of a tracking tool of what your "friends" are doing than a one-shot search and investigation. Also, Spokeo only allows you to do 1 free check, and if you want more you must pay.

Finally, one thing I would like to see in these tools is an API to automate the search, so I can stop worrying about changes in the results and the performance of my parsers.

Stay tuned, because there are two new contenders in the people search arena that I am testing this week.
 
Enjoy your investigations ;)

-CMM

Wednesday, January 21, 2009

HITB 2008 videos

The videos of the Hack In The Box Conference 2008 are available through Bittorrent; you can download the torrent here:


Also remember that you can download the slides from here.

-CMM

Wfuzz 2.2.0 released

I'm pleased to announce a new version of Wfuzz! Wfuzz has been created to facilitate the task in web application assessments and it...