The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS: Web Applications Security


Air Force Lt. Gen. says: The enemy is banging away at our applications
Posted by cdupuis on Monday, 23 August 2010 @ 08:14:05 EDT (200 reads)
Topic Web Applications Security

Anonymous writes "

by Chuck Paone
66th Air Base Group Public Affairs

8/17/2010 - HANSCOM AIR FORCE BASE, Mass. (AFNS) -- It's critical to find the right balance between the security and utility of an information technology network, the Air Force's chief information officer said here Aug. 13.

Speaking at a Hanscom Representatives Association luncheon, Lt. Gen. William T. Lord described that balancing act as one of "yin and yang," a term from ancient Chinese philosophy that describes the interdependence of seemingly contrary forces.

Security without utility is of little value; and utility without security is far too dangerous, General Lord said.

In harmony, however, the two provide an optimal operating environment, he said.

"We have to be able to put new devices -- shiny new objects, as we're sometimes accused of using -- on a network that doesn't care what the end-user device is," the general said.

The key is to build a network that is flexible and resilient enough to handle whatever it's being used for.

It's also important to protect not only the network, but also the work being done on the Internet, he said, calling for efforts to broaden security concepts.

While network defense used to be focused almost exclusively on building and enhancing firewalls, he said more needs to be done.

"The enemy vector used to be banging away at our firewalls; they're not any longer," General Lord said. "The enemy is banging away at our applications."

"We have over 19,000 (information technology) applications in the Air Force," he said, noting that Electronic Systems Center's IT Center of Excellence at Maxwell Air Force Base-Gunter Annex, Ala., examined about 200 of them. "All of them had over 50 vulnerabilities."

General Lord encouraged industry vendors to bring their proposed solutions for detecting and protecting against such vulnerabilities to ESC officials, noting that the center is where solutions can effectively be put into Air Force systems.

Industry officials should continue to "bring us your shiny new objects," he said. "But when you do, make sure you also tell us how we can integrate them onto an old infrastructure."

And if that's not possible, he said, tell Air Force officials how to upgrade the old infrastructure without having to lose capability during a transition.

"We need the network to be ready for today's modern applications, but frankly one can't slow up for the other," he said. "When they do lane expansion out on I-95 here, they're still doing it with two rush hours a day. We need to do the same thing."

General Lord also implored industry officials to focus on what the Air Force return on its IT investment will be.

"Here's that bright, shiny object and here's what you get out of it, or here's what you can give up with it -- manpower, legacy applications that we have to maintain, etc.," he said.

Determining what that return is can help solve a lot of problems, including the risk of running behind a rapidly evolving technology curve, he said, stressing that we need to avoid buying "yesterday's technology tomorrow."

"There are probably acquisition things that need to be fixed," he said. "There are process things that need to be fixed. There are resource management things we need to fix.

"But I think when you bring the return on investment with new combat capability, that can be the catalyst that begins to help us fix things," he said.

"



HP To Acquire Code Security Software Maker Fortify
Posted by cdupuis on Monday, 23 August 2010 @ 07:43:18 EDT (167 reads)
Topic Web Applications Security

Anonymous writes "


Fortify's products pick out exposures that result from errors in programming.

By Charles Bab*****, InformationWeek
Aug. 18, 2010
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=226700431

Hewlett-Packard will acquire Fortify Software to gain possession of its ability to perform analysis on source code to detect security risks and exposures.

For example, Fortify 360 Static Application Security Testing technology can examine source code and pick out exposures that result from poor or hurried programming. If a programmer has created a form where a user is to enter a zip code, but leaves space for 32 characters to be entered instead of five, 360 SAST would detect that. If the zip code were to be loaded from the form into a database, a 32-character space would open the door to an SQL injection attack. A hacker could put an SQL statement where the zip code was supposed to go and the database would act on it, once the injection was uploaded.

HP and Fortify collaborated on Hybrid 2.0, a product to protect software both in composition and in use. In addition to analysis of software under development, software needs protection once it's running. The former is called static analysis; the latter, dynamic analysis, and Hybrid 2.0 does both.

The two companies began working together last year on the product. The second version, Hybrid 2.0, was issued Feb. 22. In addition, Fortify static analysis capabilities have been integrated into HP Application Security Center and HP Quality Center software. Upon completion of the deal, HP will initially continue Fortify as a stand-alone business unit.

"The big question is if HP will integrate this product smoothly and invest in it further, unlike what they did with WebInspect," said Mandeep Khera, chief marketing officer for Cenzic, supplier of Hailstorm, a testing system for software vulnerabilities and an HP competitor. WebInspect checks web applications and services for security exposures. HP acquired WebInspect with its acquisition of SPI Dynamics in 2007 and continues to offer the product.

Fortify products "absolutely will be continued," HP said in response to a question from InformationWeek.

After the purchase is completed, Fortify products will become part of the HP software and solutions' Business Technology Optimization Applications portfolio.

Static analysis and dynamic analysis products help prevent security breaches in production systems. Use of the systems is one component of meeting sound operations compliance requirements.

When Fortify products are added to HP's existing capabilities, "organizations will have a best-in-class solution to improve the security of their applications and services," said Bill Veghte, executive VP, software and solutions, in the announcement of the acquisition move.

"Joining HP will allow us to further integrate our proven technology and security expertise," said John Jack, CEO of Fortify, in the announcement.

In related activity, IBM acquired Ounce Labs, maker of static security testing products for source code, in July 2009. It added the Ounce product line to its Rational software division, supplier of a wide range of development and test tools.

"



WhatWeb -- The next generation web scanner
Posted by cdupuis on Sunday, 22 August 2010 @ 18:33:03 EDT (224 reads)
Topic Web Applications Security

website fingerprinting

Next generation web scanner. Identify what websites are running.

Download whatweb-0.4.5.tar.gz
Latest Version 0.4.5, 17th August 2010
License GPLv2
Author urbanadventurer aka Andrew Horton from Security-Assessment.com

Introduction

Identify content management systems (CMS), blogging platforms, stats/analytics packages, JavaScript libraries, servers and more. When you visit a website in your browser, the transaction includes many unseen hints about how the webserver is set up and what software is delivering the webpage. Some of these hints are obvious, eg. "Powered by XYZ", and others are more subtle. WhatWeb recognises these cues and reports what it finds.

WhatWeb has over 250 plugins and needs community support to develop more. Plugins can identify systems whose obvious identifying hints have been removed by also looking for subtle clues. For example, a WordPress site might remove the tag, but the WordPress plugin also looks for "wp-content", which is less easy to disguise. Plugins are flexible and can return any datatype; for example, plugins can return version numbers, email addresses, account IDs and more.

There are both passive and aggressive plugins. Passive plugins use information on the page, in cookies and in the URL to identify the system; a passive request is as lightweight as a simple GET / HTTP/1.1 request. Aggressive plugins guess URLs and request more files. Plugins are easy to write; you don't need to know Ruby to make them.

Example Usage

Using WhatWeb on a handful of websites. (This is a screenshot of an older version)


Help

WhatWeb - Next generation web scanner.
Version 0.4.5 by Andrew Horton aka urbanadventurer from Security-Assessment.com
Homepage: http://www.morningstarsecurity.com/research/whatweb

Usage: whatweb [options]

Enter URLs or filenames. Use /dev/stdin to pipe HTML directly
--input-file=FILE, -i     Identify URLs found in FILE, eg. -i /dev/stdin
--aggression, -a          1 passive - on-page
                          2 polite - unimplemented
                          3 impolite - guess URLs when plugin matches
                            (smart, guess a few urls)
                          4 aggressive - try guess URLs for every plugin
                            (guess a lot of urls like nikto)
--recursion, -r           Follow links recursively. Only follows links under the
                          path (default: off)
--depth, -d               Maximum recursion depth (default: 10)
--max-links, -m           Maximum number of links to follow on one page
                          (default: 250)
--spider-skip-extensions  Redefine extensions to skip.
                          (default: zip,gz,tar,jpg,exe,png,pdf)
--list-plugins, -l        List the plugins
--run-plugins, -p         Run comma delimited list of plugins. Default is all
--info-plugins, -I        Display information plugins. Optionally specific a comma
                          delimited list.
--example-urls, -e        Add example urls for each plugin to the target list
--colour=[WHEN],
--color=[WHEN]            control whether colour is used. WHEN may be `never',
                          `always', or `auto'
--log-full=FILE           Log verbose output
--log-brief=FILE          Log brief, one-line output
--log-xml=FILE            Log XML format
--user-agent, -U          Identify as user-agent instead of WhatWeb/0.4.5.
--max-threads, -t         Number of simultaneous threads. Default is 25.
--no-redirect             Do not follow HTTP 3xx redirects.
--proxy                   Set proxy hostname and port
                          (default: 8080)
--proxy-user              Set proxy user and password
--open-timeout            Time in seconds
--read-timeout            Time in seconds
--custom-plugin           Define a custom plugin call Custom,
                          Examples: ":text=>'powered by abc'"
                          ":regexp=>/powered[ ]?by ab[0-9]/"
                          ":ghdb=>'intitle:abc "powered by abc"'"
                          ":md5=>'8666257030b94d3bdb46e05945f60b42'"
                          "{:text=>'powered by abc'},{:regexp=>/abc [ ]?1/i}"
--url-prefix              Add a prefix to target URLs
--url-suffix              Add a suffix to target URLs
--url-pattern             Insert the targets into a URL. Requires --input-file,
                          eg. www.example.com/%insert%/robots.txt
--help, -h                This help
--verbose, -v             Increase verbosity, use twice for debugging.
--version                 Display version information.
Verbose Output

./whatweb -v www.morningstarsecurity.com

www.morningstarsecurity.com/ [200]
http://www.morningstarsecurity.com [200] WordPress[3.0.1], Google-API[ajax/libs/jquery/1.3.2/jquery.min.js ], Google-Analytics[GA][791888], HTTPServer[Apache], UncommonHeaders[x-pingback], JQuery[1.4.2], Title[MorningStar Security], MetaGenerator[WordPress 3.0.1], RSSFeed[http://www.morningstarsecurity.com/wp-content/themes/pyrmont-v2-white/style.css], MD5[2b47722f6e9ad3add669f5a4d2267642], Tag-Hash[bce4fdbac307d13d570d3a0d2d45b078], Header-Hash[dba021c0aa225c8eede02c7dcc45b0d8], Footer-Hash[bd8866bbab7e53b19e03131a041d451a]
Footer-Hash => hash
Google-API => google javascript API (version: ajax/libs/jquery/1.3.2/jquery.min.js )
Google-Analytics => pageTracker = ...UA-123-1231
HTTPServer => server string
Header-Hash => hash
JQuery => script (version: 1.4.2)
MD5 => md5 hash of html
MetaGenerator => meta generator tag
RSSFeed => rss link type, rss link
Tag-Hash => tag pattern hash
Title => page title
UncommonHeaders => headers
WordPress => wp-content (certainty: 75), meta generator tag (version: 3.0.1)
Log Output

There are currently 3 types of log output. They are:
--log-brief Brief logging. Default output
--log-full Full logging. Complete output from each plugin
--log-xml XML logging. Same information as default output but in XML format

You can output to multiple logs simultaneously by specifying multiple command line logging options.

Brief Logging

Example usage: whatweb --log-brief b.log digg.com

http://digg.com [200] Cookies[1337,PHPSESSID,ccc], X-Powered-By[PHP/5.2.9-digg8], HTTPServer[Apache], UncommonHeaders[keep-alive], Title[Digg - The Latest News Headlines, Videos and Images], RSSFeed[/opensearch.xml], OpenSearch[/opensearch.xml], Tag-Hash[4b33049ce0f31283b90597352194c9be], MD5[2b624548bc61501dcdca9639f2f9f338], Header-Hash[2df7eaaa4480f28013aaf48ae9266b84], Footer-Hash[6e2c99013c0f12a0b9493ad54d2db2da]
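The brief format is the one you are most likely to post-process when you run WhatWeb over your own web estate. The Ruby script below is an added example (not part of WhatWeb) that parses brief log lines into structured records and lists hosts that expose version or banner information; the log lines, hostnames and the WATCHED plugin list are constructed for the example.

```ruby
# Constructed sample of --log-brief output (format modelled on WhatWeb's
# brief line; hosts and values are invented for this example).
SAMPLE_LOG = <<~LOG
  http://www.example.com/ [200] WordPress[3.0.1], Google-Analytics[GA][791888], HTTPServer[Apache], JQuery[1.4.2], Title[Example Site], MD5[2b47722f6e9ad3add669f5a4d2267642]
  http://intranet.example.com/ [200] X-Powered-By[PHP/5.2.9], HTTPServer[Apache], PHPError, Title[Internal Portal, Staff Only]
  http://old.example.com/ [404] HTTPServer[nginx], Title[Not Found]
LOG

BriefEntry = Struct.new(:uri, :status, :plugins)

# Parse one brief line into uri, HTTP status and {plugin name => [values]}.
# Edge cases handled: a plugin may carry several bracket groups
# (Google-Analytics[GA][791888]), none at all (PHPError), and a value may
# itself contain commas or spaces (Title[Internal Portal, Staff Only]).
def parse_brief_line(line)
  m = line.match(/\A(\S+) \[(\d{3})\] (.*)\z/) or return nil
  plugins = {}
  m[3].scan(/([A-Za-z0-9_.-]+)((?:\[[^\]]*\])*)/) do |name, groups|
    plugins[name] = groups.scan(/\[([^\]]*)\]/).flatten.map(&:strip)
  end
  BriefEntry.new(m[1], m[2].to_i, plugins)
end

# Parse a whole log, skipping lines that are not brief records.
def parse_brief_log(log)
  log.each_line.map { |l| parse_brief_line(l.chomp) }.compact
end

# Plugins whose presence on our own hosts we treat as an exposure worth
# reviewing (version leaks, framework banners, verbose error pages).
WATCHED = %w[X-Powered-By WordPress JQuery PHPError MysqlSyntaxError].freeze

# Defensive use: list hosts in our own inventory that reveal software versions,
# banners or error pages we decided not to expose. Returns [[uri, finding], ...]
def exposure_report(log, watched = WATCHED)
  parse_brief_log(log).flat_map do |e|
    (watched & e.plugins.keys).map do |name|
      values = e.plugins[name]
      [e.uri, values.empty? ? name : "#{name}[#{values.join(',')}]"]
    end
  end
end

if __FILE__ == $0
  exposure_report(SAMPLE_LOG).each { |uri, finding| puts "#{uri}\t#{finding}" }
end
```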
Full Logging (may be removed in future)

Example usage: whatweb --log-full f.log digg.com

Identifying: http://digg.com
HTTP-Status: 200
[["Cookies",
[{:probability=>100,
:name=>"cookie names",
:string=>["1337", "PHPSESSID", "ccc"]}]],
["Div-Span-Structure",
[{:probability=>100,
:name=>"div structure",
:string=>"828d809947c3c760d41c720c9203993b"}]],
["Footer-Hash",
[{:probability=>100,
:name=>"hash",
:string=>"ca2ffbc939969a2246cde196f0fc4841"}]],
["HTTPServer",
[{:probability=>100, :name=>"server string", :string=>"Apache"}]],
["Header-Hash",
[{:probability=>100,
:name=>"hash",
:string=>"2df7eaaa4480f28013aaf48ae9266b84"}]],
["MD5",
[{:probability=>100,
:name=>"page title",
:string=>"455e6da4264cc6334b78a72c083ced77"}]],
["Mailto",
[{:emails=>
["?subject=Digg Story: Jennifer Aniston,wins the battle of the bikini with Model 23&body=I wanted to share this story with you: http://digg.com/d31RvOK?e\r\n --- \r\n\"Jennifer Aniston,wins the battle of the bikini with Model 23\"\r\nActresses peeled off to reveal a two-piece as they filmed romantic comedy Just Go With It in Hawaii.\r\n+156 people dugg this story."],
:probability=>100,
:name=>"mailto:"}]],
["Title",
[{:probability=>100,
:name=>"page title",
:string=>"Digg - The Latest News Headlines, Videos and Images"}]],
["UncommonHeaders",
[{:probability=>100, :name=>"headers", :string=>"keep-alive"}]],
["X-Powered-By",
[{:probability=>100,
:name=>"x-powered-by string",
:string=>"PHP/5.2.9-digg8"}]]]
XML Logging

The XML logging is currently naive and may change. Please contact me if you have suggestions.

Example usage: ./whatweb --log-full f.log --log-xml x.log digg.com

<target>
<uri>http://digg.com</uri>
<http-status>200</http-status>
<plugin>
<name>Cookies</name>
<string>1337</string>
<string>PHPSESSID</string>
<string>ccc</string>
</plugin>
<plugin>
<name>Div-Span-Structure</name>
<string>828d809947c3c760d41c720c9203993b</string>
</plugin>
<plugin>
<name>Footer-Hash</name>
<string>ca2ffbc939969a2246cde196f0fc4841</string>
</plugin>
<plugin>
<name>HTTPServer</name>
<string>Apache</string>
</plugin>
<plugin>
<name>Header-Hash</name>
<string>2df7eaaa4480f28013aaf48ae9266b84</string>
</plugin>
<plugin>
<name>MD5</name>
<string>455e6da4264cc6334b78a72c083ced77</string>
</plugin>
<plugin>
<name>Mailto</name>
</plugin>
<plugin>
<name>Title</name>
<string>Digg - The Latest News Headlines, Videos and Images</string>
</plugin>
<plugin>
<name>UncommonHeaders</name>
<string>keep-alive</string>
</plugin>
<plugin>
<name>X-Powered-By</name>
<string>PHP/5.2.9-digg8</string>
</plugin>
</target>
Plugins

Plugins are easy to make.

Matches are made with:
* Text strings (case sensitive)
* Regular expressions
* Google Hack Database queries (limited set of keywords)
* MD5 hashes
* URL recognition
* HTML tag patterns
* Custom Ruby code for passive and aggressive operations

List Plugins

./whatweb -l
Plugins Loaded
------------------------------
360-Web-Manager,0.1
ANECMS,0.1
ASP-Nuke,0.2
AVTech-Video-Web-Server,0.1
AWStats,0.1
Aardvark-Topsites-PHP,0.1
Acclipse,0.2
AdobeFlash,0.1
Advanced-Guestbook,0.2
Alcatel-Lucent-Omniswitch,0.1
Allinta-CMS,0.1
Antiboard,0.1
Apache-Default,0.3
ArGoSoft-Mail-Server,0.1
Arab-Portal,0.1
AtomFeed,0.1
Axis-Network-Camera,0.1
BM-Classifieds,0.1
BXR,0.1
Barracuda-Spam-Firewall,0.1
Basilic,0.1
BeEF,0.1
Belkin-Modem,0.2
Bing-SearchEngine,0.1
Biromsoft-WebCam,0.1
BlogSmithMedia,0.2
Blogger,0.1
BlognPlus,0.1
BlueNet-Video-Server,0.1
Brother-Printer,0.1
Burning-Board-Lite,0.1
BusinessSpace,0.1
CGI Backdoor,0.1
CGIProxy,0.1
CMSQLite,0.1
CMScontrol,0.1
CMSimple,0.1
CPanel,0.2
Campsite,0.1
Canon-Network-Camera,0.1
Cisco-VPN-3000-Concentrator,0.1
Citrix-Metaframe,0.2
CodeIgniterProfiler,0.1
ColdFusion,0.1
Comersus,0.2
CommonSpot,0.1
Concrete5,0.2
Confluence,0.1
Cookies,0.1
Coppermine,0.2
CruxCMS,0.1
CruxPA,0.1
CushyCMS,0.2
D-Link-Network-Camera,0.1
DMXReady,0.1
DT-Centrepiece,0.1
DUclassified,0.1
DUforum,0.1
DUgallery,0.1
Dell-Printer,0.1
DiBos,0.2
DotCMS,0.2
DotNetNuke,0.3
Drupal,0.2
DublinCore,0.1
EMO-Realty-Manager,0.1
EarlyImpact-ProductCart,0.2
EazyCMS,0.1
Echo,0.2
Empire-CMS,0.1
Evo-Cam,0.1
ExpressionEngine,0.2
F3Site,0.1
FestOS,0.1
File-Upload-Manager,0.1
Flax-Article-Manager,0.1
FluentNET,0.1
FluxBB,0.3
FontFace,0.1
Footer-Hash,0.2
Forest-Blog,0.1
FormMail,0.2
FrogCMS,0.3
GoAhead-Webs,0.2
Google-API,0.1
Google-Analytics,0.2
Google-Hack-Honeypot,0.1
GuppY,0.1
HP-LaserJet-Printer,0.1
HTML5,0.2
HTTPServer,0.2
Header-Hash,0.1
IIS-SiteNotFound,0.2
IIS-UnderConstruction,0.2
IMGallery,0.1
IPCop-Firewall,0.1
IQeye-Netcam,0.1
ISPConfig,0.2
Index-Of,0.2
Intellinet-IP-Camera,0.1
Interspire-Shopping-Cart,0.1
InvisionPowerBoard,0.2
JAMM-CMS,0.1
JGS-Portal,0.1
JQuery,0.2
Jamroom,0.1
Jboss,0.1
Joomla,0.4
Kloxo Single Server,0.1
Liferay,0.1
Lightbox,0.2
Lime-Survey,0.1
Linksys-NAS,0.1
Linksys-Network-Camera,0.1
Linksys-USB-HDD,0.1
Linksys-Wireless-G-Camera,0.1
LocazoList-Classifieds,0.1
Loggix,0.1
Lucky-Tech-iGuard,0.1
MD5,0.2
MailSiteExpress,0.2
Mailman,0.1
Mailto,0.2
Mambo,0.2
MediaWiki,0.1
MetaGenerator,0.2
MetaPoweredBy,0.2
Microsoft-Sharepoint,0.1
MicrosoftODBCError,0.1
MikroTik,0.2
Minify,0.1
MnoGoSearch,0.2
Mobotix-Network-Camera,0.1
ModxCMS,0.2
Moodle,0.2
MovableType,0.2
My-PHP-Indexer,0.1
My-WebCamXP-Server,0.1
MyioSoft-Ajax-Portal,0.1
MysqlSyntaxError,0.1
NetBotz-Network-Monitoring-Device,0.1
Netious-CMS,0.1
Netsnap-Web-Camera,0.1
NovellGroupwise,0.2
Nukedit,0.1
ORCA-Platform,0.1
ORITE-301-Camera,0.1
OSCommerce,0.3
Oce,0.2
OkiPBX,0.2
Open-Blog,0.1
Open-Freeway,0.1
Open-Source-Ticket-Request-System,0.1
OpenCms,0.1
OpenGraphProtocol,0.1
OpenID,0.1
OpenSearch,0.1
PG-Roomate-Finder-Solution,0.1
PHP-Fusion,0.1
PHP-Layers,0.1
PHP-Link-Directory,0.1
PHP-Shell,0.1
PHPCake,0.2
PHPDirector,0.1
PHPEasyData,0.1
PHPError,0.2
PHPFM,0.1
PHPNuke,0.2
PHPraid,0.1
PageUp-People,0.1
Panasonic-Network-Camera,0.1
Parked-Domain,0.1
PasswordField,0.1
PhilBoard,0.1
Piwik,0.1
Pixel-Ads-Script,0.1
Pixie,0.1
Plesk,0.2
Pligg-CMS,0.1
Plone,0.2
PortalApp,0.1
PoweredBy,0.2
Pressflow,0.1
Prototype,0.2
QNAP-NAS,0.1
Quantcast,0.1
RSSFeed,0.1
RedirectLocation,0.2
RoundCube,0.2
RunCMS,0.1
SHOUTcast-Administrator,0.1
SMF,0.2
Saurus-CMS,0.1
Scriptaculous,0.2
SearchFitShoppingCart,0.2
SiemensSpeedStreamRouter,0.2
SilverStripe,0.2
SimpNews,0.1
Site-Sift,0.1
SkaLinks,0.1
SmodCMS,0.1
Snap-Appliance-Server,0.1
SnomPhone,0.2
Softbiz-Freelancers-Script,0.1
Softbiz-Online-Auctions-Script,0.1
Softbiz-Online-Classifieds,0.1
Sony-Network-Camera,0.1
Sony-Video-Network-Station,0.1
SquirrelMail,0.2
Star-Network,0.1
StarDot-NetCam,0.1
Stardot-Express,0.1
Subdreamer-CMS,0.1
Subrion-CMS,0.1
SyndeoCMS,0.1
TWiki,0.1
Tag-Hash,0.2
TaskFreak,0.1
Team-Board,0.1
Textpattern,0.1
The-PHP-Real-Estate-Script,0.1
Title,0.2
TomatoCMS,0.1
Tomcat,0.2
Toshiba-Network-Camera,0.1
ToshibaPrinter,0.2
Trac,0.1
Turbo-Seek,0.1
TypePad,0.2
TypoLight,0.2
Umbraco,0.1
UncommonHeaders,0.2
VBulletin,0.2
VP-ASP,0.2
VSNSLemon,0.2
Veo-Observer,0.1
VideoShareEnterprise,0.1
Virtualmin,0.1
VisionGS-Webcam,0.1
Vulnerable-To-XSS,0.1
WWWBoard,0.1
Web-Calendar-System,0.1
Web-Data-Administrator,0.1
WebDVR,0.1
WebEye-Network-Camera,0.1
WebGuard,0.2
WebPress,0.1
WhiteBoard,0.1
Winamp-Web-Interface,0.1
Windows-Internet-Printing,0.1
WindowsSBS,0.2
WoW-Raid-Manager,0.1
WordPress,0.2
WordPressSpamFree,0.2
WordPressSuperCache,0.3
X-ASPNetVersion,0.2
X-Powered-By,0.2
X7-Chat,0.1
XHP-CMS,0.1
Xerox-Printers,0.1
XtraBusinessHosting,0.2
Zen-Cart,0.1
Zeus-Cart,0.1
Zikula,0.1
Zoph,0.1
Zyxel-Vantage-Service-Gateway,0.1
anyInventory,0.1
boastMachine,0.1
coWiki,0.1
cpCommerce,0.1
eLitius,0.1
eSyndiCat,0.1
envezion~media,0.1
ezBOO-WebStats,0.1
i-Catcher-Console,0.1
iDVR,0.1
iRealty,0.1
iScripts-CyberMatch,0.1
iScripts-EasySnaps,0.1
iScripts-MultiCart,0.1
iScripts-ReserveLogic,0.1
iScripts-SocialWare,0.1
ispCP-Omega,0.2
jobberBase,0.1
mojoPortal,0.1
phPhotoAlbum,0.1
php-ping,0.1
phpBB,0.2
phpFreeChat,0.1
phpMyAdmin,0.1
phpPgAdmin,0.1
phpSysInfo,0.1
phpinfo,0.1
sabros.us,0.1
samPHPweb,0.1
syntaxCMS,0.1
uPortal,0.1
xGB,0.1
To view more detail about a plugin or plugins:

./whatweb -I Joomla
Plugin Information
------------------------------
Joomla version 0.4 by Andrew Horton
[14] examples, [3] matches, [x] aggressive, [x] passive.
Description: Opensource CMS written in PHP. Homepage: http://joomla.org. Plugin can aggresively identify
version by comparing md5 hashes of 4 files. Valid up to version 1.5.15.
--------------------------------------------------------------------------------
Aggressive Plugins

There are currently aggressive plugins for Joomla, phpBB, FluxBB, OSCommerce and Tomcat.
With the passive plugin we know that ardentcreative.co.nz is running Joomla version 1.5

Be careful when using aggressive plugins with recursive site crawling. WhatWeb has no understanding of a website as a whole; it currently treats each URL separately. It also has no caching, so if you use aggressive plugins with recursion you will fetch the same files multiple times.

Writing Plugins

View the tutorial on writing WhatWeb plugins at www.morningstarsecurity.com/downloads/How-to-develop-WhatWeb-plugins-1.1.txt.

A typical plugin looks like this:

There are 3 levels to a plugin: simple matches, passive tests and aggressive tests. You don't need to know Ruby to write plugins with simple matches. Passive and aggressive tests are written in Ruby.

If you port a GHDB match, use :ghdb. I usually rewrite the GHDB matches with regular expressions, especially if they require inurl:

Example:

# http://johnny.ihackstuff.com/ghdb?function=detail&id=1840
{:name=>"GHDB: \"Powered by Vsns Lemon\" intitle:\"Vsns Lemon\"",
:probability=>100,
:ghdb=>'"Powered by Vsns Lemon" intitle:"Vsns Lemon"'}

Note the GHDB queries are case insensitive, as a Google query is. Support codes are intitle:, inurl: and filetype:.

Each plugin can access @body, @meta, @status and @base_uri variables.

Passive tests add matches to the m array; each match is a hash containing the name of the match, its probability and more.
The entire hash is returned with Full output; Brief output returns just the match, :version and :string.

To discover the regular expressions to match against, wget about 20-30 examples into the tests/ folder. Be aware that some software can have dramatic variations between versions.
First view the META data and HTML of a few examples.
The find-common-stuff tool can help discover unexpected similarities in the examples.
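To make the match types from the Plugins section and the plugin structure described here concrete, the following Ruby script is an added example (not WhatWeb's own plugin code): a minimal passive matcher that evaluates :text, :regexp, :ghdb and :md5 matches against a constructed HTML body and renders brief-style results. The sample page, the plugin hashes and the :version capture-group convention are this example's assumptions.

```ruby
require 'digest/md5'

# Constructed sample page for this example (not a real site): a WordPress-style
# body whose meta generator tag has been stripped, but whose wp-content paths remain.
SAMPLE_BODY = <<~HTML
  <html><head><title>Example Site - Powered by Vsns Lemon</title>
  <link rel="stylesheet" href="/wp-content/themes/demo/style.css" />
  <script src="/wp-includes/js/jquery/jquery.js?ver=1.4.2"></script>
  </head><body><p>Powered by Vsns Lemon 1.2</p></body></html>
HTML

# Match descriptors written in the style of the hashes shown above. The keys
# :text, :regexp, :ghdb and :md5 follow the page; :version (index of the capture
# group holding the version) is this example's own convention, not WhatWeb's.
PLUGINS = {
  "WordPress" => [
    { :name => "meta generator tag", :probability => 100,
      :regexp => /<meta name="generator" content="WordPress ([\d.]+)"/i, :version => 1 },
    { :name => "wp-content", :probability => 75, :text => "wp-content" },
  ],
  "JQuery" => [
    { :name => "script", :probability => 100,
      :regexp => %r{jquery/jquery\.js\?ver=([\d.]+)}, :version => 1 },
  ],
  "VSNSLemon" => [
    { :name => 'GHDB: "Powered by Vsns Lemon" intitle:"Vsns Lemon"', :probability => 100,
      :ghdb => '"Powered by Vsns Lemon" intitle:"Vsns Lemon"' },
  ],
  "MD5" => [
    { :name => "md5 hash of html", :probability => 100, :md5 => true },
  ],
}.freeze

# Evaluate a limited GHDB query the way the page describes: quoted phrases and
# bare words must appear in the body, intitle: terms in the <title>, inurl: in
# the URI, filetype: as the URI extension. Case insensitive, like a Google query.
def ghdb_match?(query, body, uri)
  title = body[%r{<title>(.*?)</title>}im, 1].to_s.downcase
  query.scan(/(intitle:|inurl:|filetype:)?(?:"([^"]+)"|(\S+))/).all? do |op, phrase, word|
    term = (phrase || word).downcase
    case op
    when "intitle:"  then title.include?(term)
    when "inurl:"    then uri.downcase.include?(term)
    when "filetype:" then uri.downcase.end_with?(".#{term}")
    else body.downcase.include?(term)
    end
  end
end

# Run one match against the page. Returns nil on no match, otherwise the
# fields a brief result would show (:string and/or :version).
def run_match(m, body, uri)
  if m[:text]                                  # text matches are case sensitive
    body.include?(m[:text]) ? { :string => m[:text] } : nil
  elsif m[:regexp]
    md = m[:regexp].match(body) or return nil
    m[:version] ? { :version => md[m[:version]] } : { :string => md[0] }
  elsif m[:ghdb]
    ghdb_match?(m[:ghdb], body, uri) ? { :string => m[:ghdb] } : nil
  elsif m[:md5]                                # hash of the whole body always "matches"
    { :string => Digest::MD5.hexdigest(body) }
  end
end

# Passive identification over all plugins: {plugin => {:string, :version, :certainty}}.
# Certainty is the lowest :probability among the matches that fired, so a
# WordPress site identified only by wp-content is reported at 75.
def identify(body, uri)
  results = {}
  PLUGINS.each do |plugin, matches|
    matches.each do |m|
      hit = run_match(m, body, uri) or next
      r = results[plugin] ||= { :string => [], :version => [], :certainty => 100 }
      r[:string]  << hit[:string]  if hit[:string]
      r[:version] << hit[:version] if hit[:version]
      r[:certainty] = [r[:certainty], m[:probability]].min
    end
  end
  results
end

# Render results in the brief one-line form: "uri [status] Plugin[value], ..."
def brief_line(uri, status, results)
  parts = results.map do |plugin, r|
    values = r[:version] + r[:string]
    values.empty? ? plugin : "#{plugin}[#{values.join(',')}]"
  end
  "#{uri} [#{status}] #{parts.join(', ')}"
end

puts brief_line("http://www.example.com/", 200, identify(SAMPLE_BODY, "http://www.example.com/")) if __FILE__ == $0
```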

Recursive Spider

The recursion option is used to scan some or all of a website with whatweb. Recursive spidering will follow each link on a webpage if it is within the same website, then repeat the process on the followed pages.

The configurable settings for recursive spidering are:
--recursion, -r Follow links recursively. Only follows links under the path (default: off)
--depth, -d Maximum recursion depth (default: 3)
--max-links, -m Maximum number of links to follow on one page (default: 25)

Limitations of the spidering: the spider follows links in <a> tags only, the HTML tag designed specifically for links, and does not obtain URLs from other sources. Some good choices for future improvement are image tags, eg. <img src="/images/boats.jpg">, form tags, eg. <form action="/vote.php">, URL paths in CSS files, etc.

Related Projects

WhatWeb is unique however there are some web projects with the same goal of identifying a website.

Blind Elephant
The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
http://blindelephant.sourceforge.net/

WAFP – Web Application Finger Printing
Wafp identifies systems by requesting a large quantity of URLs and comparing md5 sums of the results against a database. This method is reliable for known systems in the database and it is simple to add new ones. Unlike WhatWeb, this method is intrusive and will create a lot of webserver log entries.
http://www.mytty.org/wafp

Wappalyzer
This is the most similar project to WhatWeb.
A Firefox plugin that identifies sites using one regexp each. It only looks for obvious identifiers like meta generator tags, sends all recognised URLs to a DB, and has nice icons.
https://addons.mozilla.org/en-US/firefox/addon/10229

w3af
http://w3af.sourceforge.net
Very slight overlap of features in the grep and discovery scripts section.

HTTPRecon
No feature overlap, fingerprints the HTTP Server
http://w3dt.net/tools/httprecon/

http://www.net-square.com/httprint/httprint_paper.html

http://www.darknet.org.uk/2007/09/httprint-v301-web-server-fingerprinting-tool-download/

Nmap version scan
Nmap shows some info about HTTP servers when using version scan, eg. nmap -sV -p80 treshna.com

THC’s Amap
This tool is an application fingerprint scanner which can identify an HTTP protocol server. It doesn’t identify types of HTTP servers.

What’s that web server running 1.0 (whatweb.exe)
This shares the same name and goal but is shit. It ONLY uses the HTTP Server string. For example 'Apache/2.0.55 (Ubuntu) PHP/5.1.2'
http://www.spambutcher.com/whatweb.html

www.http-stats.com
Lots of info about HTTP server names

Funny & Unusual

Slashdot.org
X-Fry: You mean Bender is the evil Bender? I’m shocked! Shocked! Well not that shocked.

popurls.com
X-popurls-a: in the future every url will be popular for 1.5 seconds

reddit.com
HTTPServer: '; DROP TABLE servertypes; --

Notes

Version 0.3 Released at Kiwicon III (kiwicon.org), 2009.
Version 0.4, March 14th 2010
Version 0.4.1, April 28th 2010
Version 0.4.2, April 30th 2010
Version 0.4.3, May 24th 2010
Version 0.4.4, June 29th 2010

Credits

Written by urbanadventurer aka Andrew Horton from Security-Assessment.com
Homepage: http://www.morningstarsecurity.com
License: GPLv2

Anemone library (used for spidering) is written by Chris Kite
Homepage: http://anemone.rubyforge.org/
License: MIT

Community Plugins

Thank you to the following people who have contributed a plugin to WhatWeb.

Brendan Coles
Emilio Casbas
Louis Nyffenegger
Patrik Wallström

Thank you to Michal Ambroz for writing the Makefile and Man pages




BinPack: Las Vegas Edition Release
Posted by cdupuis on Friday, 20 August 2010 @ 17:37:53 EDT (285 reads)
Topic Web Applications Security


BinPack is a portable security environment for Windows.
With 100+ security tools in the repository, you can easily convert any system into a hacking platform in minutes.

For those who weren't able to score a BinPack disc, don't worry: we have set up a torrent of the ISO. The disc contains a portable security environment customized for all the various Black Hat, DEFCON, and Security B-Sides attendees as well as the BinPack tool.

Here is the latest screenshot of the tool. There are several bugs to be worked out with this version, which is why there are two releases: one stable and one alpha.


Files:

We are also looking for mirrors of the software packages so please contact us if you can help.

And if you want to support this software through a donation, that would be much appreciated! We accept donations through paypal:




Better Security Through Sacrificing Maidens
Posted by cdupuis on Friday, 20 August 2010 @ 04:39:46 EDT (248 reads)
Topic Web Applications Security

Hi,

I thought that this might be an interesting read for web developers. It outlines a major problem with modern security practice and suggests how to address it.

https://www.infosecisland.com/blogview/6646-Better-Security-Through-Sacrificing-Maidens.html

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org




WebCruiser - Web Vulnerability Scanner V2.4.1
Posted by cdupuis on Friday, 23 July 2010 @ 19:18:48 EDT (457 reads)
Topic Web Applications Security

Anonymous writes "
WebCruiser - Web Vulnerability Scanner, SQL Injection Scanner

WebCruiser - Web Vulnerability Scanner is a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.

It supports scanning websites as well as POC (proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!

Key Features:
* Crawler(Site Directories And Files);
* Vulnerability Scanner: SQL Injection, Cross Site Scripting, XPath Injection etc.;
* SQL Injection Scanner;
* SQL Injection Tool: GET/Post/Cookie Injection POC(Proof of Concept);
* SQL Injection for SQL Server: PlainText/Union/Blind Injection;
* SQL Injection for MySQL: PlainText/Union/Blind Injection;
* SQL Injection for Oracle: PlainText/Union/Blind/CrossSite Injection;
* SQL Injection for DB2: Union/Blind Injection;
* SQL Injection for Access: Union/Blind Injection;
* Post Data Resend;
* Cross Site Scripting Scanner and POC;
* XPath Injection Scanner and POC;
* Auto Get Cookie From Web Browser For Authentication;
* Report Output.

System Requirement: Windows with .Net Framework 2.0 or higher

Download WebCruiser - Web Vulnerability Scanner

"



WATOBO Open Source Web Vulnerability Scanner
Posted by cdupuis on Friday, 23 July 2010 @ 17:01:21 EDT (495 reads)
Topic Web Applications Security

Anonymous writes "

As seen on the fantastic:

Peter Van Eeckhoutte's Blog

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. I am convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.

WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only. It works like a local proxy, similar to Webscarab, Paros or BurpSuite.

Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.

Active checks, by contrast, will produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.

The functions of WATOBO:

  • Supports session management
  • Detects logout and automatically performs a re-login
  • Supports filter functions
  • Inline-Encoder/Decoder
  • Includes a vulnerability scanner
  • Quick-scan for targeted scanning of a URL
  • Full-scan to scan a whole session
  • Manual request editor with special functions
  • Session information is updated
  • Login can be done automatically
  • Transcoder
    • URL, Base64, MD5, SHA-1
  • Interceptor
  • Fuzzer
  • Free, stable and open source!
  • Script code easy to understand
  • Easy to extend / adapt
  • Tested and developed in real-world scenarios
  • Speed / usability
  • Active and passive checks
  • Runs under Windows, Linux, BackTrack, MacOS

All these great features and functions make WATOBO one of the top free web assessment tools.

You can download WATOBO here

As reported by peterve, the original post at http://www.corelan.be:8800/index.php/2010/07/23/watobo-the-unofficial-manual/ contains a PDF file that explains how to set up and use WATOBO.

"

(Read More... | 1 comment | Score: 0)
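The passive/active distinction described in the WATOBO post above, as an added Ruby sketch that is not WATOBO's own code: two passive checks collect e-mail and IP addresses from proxy traffic that has already been recorded, and a request counter on a stand-in proxy shows that running them sends nothing further to the application. The Chat/Proxy/PassiveCheck names and the sample history are constructed for this illustration.

```ruby
# Added illustration of WATOBO-style passive checks: they only inspect traffic
# already recorded by the local proxy and never send new requests.
# Names and sample data are constructed; this is not WATOBO's own code.

Chat = Struct.new(:request, :response)   # one proxied request/response pair

class PassiveCheck
  attr_reader :findings
  def initialize; @findings = []; end
  # Called once per recorded chat; subclasses only read, never send.
  def inspect_chat(_chat); raise NotImplementedError; end
end

# Collects e-mail addresses seen in response bodies.
class EmailCollector < PassiveCheck
  EMAIL = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/
  def inspect_chat(chat)
    chat.response.scan(EMAIL).each { |e| @findings << e unless @findings.include?(e) }
  end
end

# Collects IPv4 addresses; headers can leak internal addresses too,
# so both the request and the response are scanned.
class IpCollector < PassiveCheck
  IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/
  def inspect_chat(chat)
    (chat.request + chat.response).scan(IPV4).each { |ip| @findings << ip unless @findings.include?(ip) }
  end
end

# Stand-in for the local proxy: counts outgoing requests so the demo can
# prove that passive checks add none (an active check would call send_request).
class Proxy
  attr_reader :history, :requests_sent
  def initialize(history); @history = history; @requests_sent = 0; end
  def send_request(_req); @requests_sent += 1; end
  def run_passive(checks)
    history.each { |chat| checks.each { |c| c.inspect_chat(chat) } }
    checks
  end
end

# Constructed proxy history (not real traffic).
SAMPLE_HISTORY = [
  Chat.new("GET /contact HTTP/1.1\r\nHost: app.example\r\n\r\n",
           "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\nMail webmaster@example.com or admin@example.com"),
  Chat.new("GET /status HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n",
           "HTTP/1.1 200 OK\r\n\r\n<!-- backend 192.168.1.20 --> admin@example.com"),
]

# Runs both passive checks over the recorded history and reports findings
# together with the number of requests the run caused (expected: zero).
def run_demo(history = SAMPLE_HISTORY)
  proxy = Proxy.new(history)
  email, ip = proxy.run_passive([EmailCollector.new, IpCollector.new])
  { emails: email.findings, ips: ip.findings, requests_sent: proxy.requests_sent }
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```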


Twitter-controlled botnets come to the unwashed masses
Posted by cdupuis on Friday, 14 May 2010 @ 05:44:13 EDT (1413 reads)
Topic Web Applications Security

Original URL: http://www.theregister.co.uk/2010/05/13/diy_twitter_botnets/

'Script kiddies everywhere are salivating'


A security researcher has unearthed a tool that simplifies the process of building bot armies that take their marching orders from specially created Twitter accounts.

TwitterNet Builder offers script kiddies a point-type-and-click interface that forces infected PCs to take commands from a Twitter account under the control of attackers. Bot herders can then force the zombies to carry out denial-of-service attacks or silently download and install software with the ease of their Twitter-connected smartphones.

"All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones," Christopher Boyd, a researcher with anti-virus provider Sunbelt Software, writes here (http://sunbeltblog.blogspot.com/2010/05/diy-twitter-botnet-creator.html).

Alas, TwitterNet Builder requires accounts to be public, so spotting people who use the software is fairly straightforward. A quick search revealed accounts here (https://twitter.com/SimonRRobertson), here (https://twitter.com/DeadRaccoons) and here (https://twitter.com/KorruptzNet) that appeared to be using the DIY kit, although it appeared these might be harmless demonstrations rather than brazen attacks.

Still, it would be fairly straightforward to modify the tool so it uses private accounts, or, stealthier still, uses base64 encoding so commands appear indecipherable to the naked eye, as previous Twitter-based bot herders (http://www.theregister.co.uk/2009/08/13/twitter_master_control_channel/) did.

As law enforcement and white-hat hackers have cracked down on IRC servers and other traditional forms of command and control channels, bot herders have looked for alternate methods to update their fleets of compromised machines. Twitter is by no means the only example of this cloud-based model. Other services that have been tapped include Facebook (http://www.theregister.co.uk/2009/11/03/trojan_cnc_pokes_facebook/), Google's AppEngine (http://www.theregister.co.uk/2009/11/09/bot_herders_coopt_google_appengine/) and Google Groups (http://www.theregister.co.uk/2009/09/14/google_groups_control_trojan/). ®


(comments? | Score: 0)


Damn Vulnerable Web App (DVWA) 1.6.0 Released
Posted by cdupuis on Thursday, 04 March 2010 @ 10:52:21 EST (1226 reads)
Topic Web Applications Security

As seen on the great SecurityDatabase web site: http://www.security-database.com/

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.

Damn Vulnerable Web App (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.


Version v1.0.6

  • Fixed a bug where the logo would not show on first time use. 03/09/2009 (ethicalhack3r)
  • Removed 'current password' input box for low+med CSRF security. 03/09/2009 (ethicalhack3r)
  • Added an article which was written for OWASP Turkey. 03/10/2009 (ethicalhack3r)
  • Added more troubleshooting information. 02/10/2009 (ethicalhack3r)
  • Stored XSS high now sanitises output. 02/10/2009 (ethicalhack3r)
  • Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (ethicalhack3r)
  • Rewritten command execution high to use a whitelist. 30/09/09 (ethicalhack3r)
  • Fixed a command execution vulnerability in exec high. 17/09/09 (ethicalhack3r)
  • Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (ethicalhack3r)
  • Added the upload directory to the upload help. 17/09/09 (ethicalhack3r)

Vulnerabilities

  • SQL Injection
  • XSS Stored/Reflected
  • LFI (Local File Inclusion)
  • RFI (Remote File Inclusion)
  • Command Execution
  • Upload Script
  • Login Brute Force
  • Full Path Disclosure
  • PHP-IDS
  • And much more...

Installation

  • Installation video: YouTube

    Default username = admin
    Default password = password

Database Setup

To set up the database, simply click on the Setup button in the main menu, then click on the 'Create / Reset Database' button. This will create / reset the database for you with some data in it.

If you receive an error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php:


$_DVWA[ 'db_user' ] = 'your_database_username';
$_DVWA[ 'db_password' ] = 'your_database_password';
$_DVWA[ 'db_database' ] = 'your_database_name';

Everyone is welcome to contribute and help make DVWA as successful as it can be. Without the DVWA community, DVWA would not be what it is today.

More information, Official Web Site: DVWA


(Read More... | 1 comment | Score: 0)


2010 CWE/SANS Top 25 Most Dangerous Programming Errors
Posted by cdupuis on Thursday, 04 March 2010 @ 10:02:15 EST (611 reads)
Topic Web Applications Security

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit.

They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.

Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses.

Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software. 

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/).

MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE.

Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more actionable.

Get your own copy at: http://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.pdf

 


(Read More... | Score: 0)


Web Security DOJO V1.0 has been released
Posted by cdupuis on Thursday, 04 March 2010 @ 06:31:36 EST (932 reads)
Topic Web Applications Security

Web Security Dojo

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

What?
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v9.10.

Why?
The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started - tools, targets, and documentation.

Where?
How?
To install Dojo you can install and run VirtualBox, then "Import Appliance" using the Dojo's OVF file.
Go here for Virtual Box instructions. As of version 1.0 a VMware version is also provided.

Who?
Sponsored by Maven Security Consulting Inc
(performing web app security testing & training since 1996)


Convenient virtual machine image (VirtualBox recommended, VMware provided)

Targets include:
Tools:
Upcoming Features:
  • More tutorials and documentation, including video tutorials
  • ISO release of live CD version, for direct install to hard drive
  • More targets
  • More tools
  • Enhancements/contributions to existing tools and targets
  • Debian packages for existing tools and targets to enhance VM creation and collaboration with other projects.
  • More detailed future changes on SourceForge in the feature request and bug trackers
GET IT AT: http://sourceforge.net/projects/websecuritydojo/files/

(comments? | Score: 0)


Pangolin 3.2.1.1020 Released
Posted by cdupuis on Thursday, 04 March 2010 @ 06:20:07 EST (1080 reads)
Topic Web Applications Security

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Release Notes
1. Support for Microsoft SQL Server 2008;
2. Improved SQL injection for MySQL; supports detecting the Unhex() function.
3. New option added: Scan -> Extend scan mode. Optimized injection ability.
4. Improved cookie detection. Multiple URL redirections will be injected correctly.

Pangolin FAQ

Network & Media resources:

  1. PANGOLIN: Automatización de inyección SQL (SQL injection automation; in Spanish) http://www.hacktimes.com/?q=node/57
  2. Scanning an Oracle-based website with Pangolin (Flash)
    http://www.red-database-security.com/videos/oracle_videos.html
  3. Web Application Testing with Pangolin (Video & Screenshot)
    http://blog.red-database-security.com/2009/03/05/web-application-testing-with-pangolin-video-screenshot/print/

Video Show


(Read More... | 1 comment | Score: 0)


The Rugged Software Manifesto
Posted by cdupuis on Wednesday, 10 February 2010 @ 08:04:15 EST (836 reads)
Topic Web Applications Security

Anonymous writes "

The three authors of the manifesto are Josh Corman, an analyst with The 451 Group; David Rice, formerly with the National Security Agency and author of Geekonomics, a book about the real cost of insecure software; and Jeff Williams, the chairman of OWASP, an organization focused on Web application security. The trio announced the project at the SANS Institute AppSec Conference in San Francisco Monday.

The Rugged Software Manifesto

  • I am rugged... and more importantly, my code is rugged.
  • I recognize that software has become a foundation of our modern world.
  • I recognize the awesome responsibility that comes with this foundational role.
  • I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
  • I recognize these things - and I choose to be rugged.
  • I am rugged because I refuse to be a source of vulnerability or weakness.
  • I am rugged because I assure my code will support its mission.
  • I am rugged because my code can face these challenges and persist in spite of them.
  • I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Official Announcement Document -

 

If you want Rugged Software, join us and help define the principles, and technologies that will help others become Rugged too. Our first project is to define how people and organizations can know if they are Rugged.

Visit their website at:  http://www.ruggedsoftware.org/

"

(comments? | Score: 0)


U.S. Army Website Hacked
Posted by cdupuis on Wednesday, 13 January 2010 @ 09:22:58 EST (665 reads)
Topic Web Applications Security

As seen on the DarkReading website:

SQL injection, plain-text passwords leave databases exposed

Jan 12, 2010 | 01:47 PM

By Kelly Jackson Higgins
DarkReading

 

Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.

"TinKode," a Romanian hacker who previously found holes in NASA's Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. "With this vulnerability I can see/extract all things from databases," he blogged.

TinKode was able to gain access to more than 75 databases on the server, according to his research, including potentially confidential Army data. He also discovered that the housing site was storing weak passwords in plain text. One password was AHOS, like the site's name.

"Four-character passwords that are the same name as the database table names are inexcusable," says Robert "RSnake" Hansen, founder of SecTheory.

Hansen says the ease with which TinKode discovered the SQL injection flaw highlights the state of Web security. "[This is] a good example of how terrible our security posture is, and he didn't even have to do anything tricky to find the exploit," he says.

TinKode is among a group of hackers out of Romania who have been disclosing SQL injection flaws in high-profile Websites during the past few months. Most recently hacker "unu" demonstrated a major SQL injection hole in an Intel channel partner events Website that exposed personal passport information. Unu was able to hack into the front-end Web app and, like TinKode, found that the server administrators had their passwords stored in clear text.

SQL injection is a common Website vulnerability that is increasingly being used as a foot in the door to the back-end database.

"Every organization has these problems," Hansen says. "They may not realize it, but they're just waiting for a smart kid to come along and copy off every critical piece of information they have."

 


(comments? | Score: 0)


Burp Suite v1.3 is now available
Posted by cdupuis on Friday, 08 January 2010 @ 08:27:20 EST (726 reads)
Topic Web Applications Security

Burp Suite v1.3 is now available for free download at http://portswigger.net/suite/

This is a major upgrade with a host of new features, including:

- A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions.

- Facility to add comments and highlights to the proxy history and site map.

- Support for viewing and editing AMF-encoded messages.

- Improved handling of SSL server certificates, to eliminate browser SSL warnings and connection problems with thick clients.

- Copy to file / paste from file to facilitate working with binary content.

- New display filters.

- Greatly enhanced extensibility.

- Configurable DNS resolution, to override your computer's own resolution, facilitating work with non-proxy-aware clients.

- Fine-grained upstream proxy rules.

- Exporting of HTTP messages and metadata in XML format.

For more details see:
http://blog.portswigger.net/2010/01/burp-suite-v13-released.html

Cheers

PortSwigger


(Read More... | Score: 0)



All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2003-2008 by Clement Dupuis and Nathalie Lambert (Site Maintainers).