Security Devices and ZAP - new Web App Pentest Magazine

Page 1


Global Information Risk Management Recruitment Information Security & Risk Management | Governance & Compliance Penetration Testing, Forensics & Intrusion Analysis | Technical Security | Business Continuity Management Sales Engineering | Sales & Marketing | Public Sector Security | Executive Management

Network and/or Application Penetration Tester Ref: 14951

Location: UK wide Salary: £25k-£75k base + bonus + package Job Type: Permanent

Multiple opportunities for Penetration Testers. Varying levels of experience will be considered. You will be offered first rate project exposure as well as ongoing training, culminating in superb earning potential.

Key competencies and experience required:
• Use of a variety of network security testing tools and exploits to identify vulnerabilities and recommend corrective action
• Manual penetration testing and a deep understanding of IP networking in a security context
• Deep knowledge of IP networking protocols
• Experience with security testing of Web-based applications
• Intimate knowledge of at least one enterprise development framework
• Proven ability to explain verbally the output of a penetration test to a non-technical client
• Strong inter-personal and communication skills
• Report-writing and presentation skills
• Must be prepared to travel

Desirables:
• Code review skills
• CHECK, CREST or TIGER qualification
• Current UK driving licence

Please email your CV to careers@acumin.co.uk quoting the reference above

Web Application Penetration Tester and Security Specialist Ref: RF14803

Location: South East Salary package: £400-£600 per day Job Type: Contract

This blue chip finance organisation is currently developing its internal information security function, and as such has identified a need for a lead security specialist with a particular focus on web application security.

Responsibilities:
• Conduct technical security assessments against strategic initiatives prior to final release into an operating environment.
• Carry out such tests and assessments against internal standards as well as industry standards such as SAS70 and PCI-DSS.
• Define and execute penetration tests as part of the review lifecycle for infrastructure, applications, and web applications.
• Perform regular vulnerability assessments using scanning tools to ensure the ongoing security of systems against emerging and known threats.
• Provide expertise to forensics investigations and incident management as required.
• Identify and manage required resources, creating reusable documentation, processes, and toolsets.

Requirements:
• Strong understanding of technical security principles around penetration testing, vulnerability management, and forensics.
• Knowledge of current assessment techniques and toolsets such as OWASP guidelines, WebInspect and Fortify.
• Prior working experience of industry standards and processes: PCI, ITIL, Prince, COBIT, COSO.
• Demonstrable track record of security design, review, and implementation.

Please email your CV to careers@acumin.co.uk quoting the reference above

Acumin Consulting Ltd Suite 22, Beautfort Court, Admirals Way, London E14 9XL

Telephone +44 (0)20 7997 3838 Fax +44 (0)20 7987 8243 Email info@acumin.co.uk

www.acumin.co.uk www.acuminconsulting.com


MOBILE SECURITY ONLINE SUMMIT

LIVE 11th JULY Join this free summit to hear industry experts and experienced practitioners share how your business can profit from the mobile phenomenon without being exposed to threats such as data leakage, malware attacks and unauthorised data access.

FIND 8 thought leadership webinars
LEARN about the latest industry trends
SHARE the knowledge

To register for free and view the full lineup go to http://www.brighttalk.com/r/rmC


Editor’s note

Welcome Everyone!

This issue of WebAppPentesting is devoted to Web App Devices and covers a narrow range of topics. We present free professional tools that can be used to find vulnerabilities. We talk about security software in general and take a closer look at Zed Attack Proxy, the free tool that won the 2011 Toolsmith Tool of the Year award. Zed Attack Proxy, or ‘ZAP’, is a flagship OWASP project: an easy-to-use in-line intercepting proxy that lets you quickly map, spider and scan your applications in development and rapidly identify many of the OWASP Top 10 web application vulnerabilities. Its ease of use suits beginners, while its comprehensive features have made ZAP a favoured tool of professional penetration testers. It has all the essentials for web application testing and is cross-platform, available for Linux, Mac OS X and Windows. ‘You cannot build secure web applications unless you know how to hack them’, says Simon Bennetts. A brilliant interview with Simon is brought to you by Gareth Watters. You’ll learn how to get engaged in one of the biggest security projects, which was created to answer a personal need for the ‘right’ tools. We also present WebVulScan, one of the newest solutions on the market. It began as an ambitious student thesis, and the scanner proved to have detection capabilities similar to, and sometimes better than, those of comparable tools. Dermot Blair describes how he created it and how you can make good use of it. Additionally, it can detect Stored Cross-Site Scripting vulnerabilities and check whether form authentication can be bypassed using SQL Injection. For all those who use anti-virus software, firewall solutions or authentication tokens, PenTest together with iViZ prepared a disturbing report on vulnerabilities in security products. According to the iViZ study, buffer and resource management errors and access control errors are weaknesses far more common in security products than others. After reading about the threats you will probably want to read carefully the directions on how to configure a firewall correctly: Firewall Audit. While REST and SOAP are closely related, they also differ substantially from each other. Both provide a method for designing a web service, but each entails a different approach. Whether you are designing a web service or conducting security testing on one, you should be aware of these differences, of how to secure your web service, and of how to determine the vulnerabilities that exist within it. I personally believe that Daniel Wood’s article provides information valuable to anyone in the IT field.

Defense

06 Web Service Security: REST vs. SOAP by Daniel Wood

Creating a web service these days is fairly simple and routine; however, careful consideration should be given to which type of web service you will be using and how you will be securing it. Utilizing an insecure web service can wreak havoc within your company or organization if you end up exposing sensitive information to attackers or curious people. Depending on the type of data being ingested through your web service, service partners may also share the risk with you.

12 Firewall Audit by Ayan Kumar Pan

A firewall is an important component of network security. We use firewalls because they make us feel that our network is protected from adversaries. But what happens if the firewall itself is configured wrongly? In that case we have a false sense of security. For this scenario we need a method to check whether the firewall is configured correctly or not; ergo, the firewall audit.

Report

18 Security Products or Door for Hackers? A Report on the Vulnerability Trends in Security Products by Bikash Barai

As users of computers at work, home and everywhere in between, we rely on a slew of products such as anti-virus software, firewall solutions, authentication tokens and so on that we believe will help make our computer systems more secure. But how secure are such security products themselves? Is there a real risk that the fence itself might eat the crop?

Enjoy reading! Wojciech Chrapka & PenTest Team

06/2012(8)

Page 4

http://pentestmag.com


CONTENTS

Interview

22 Making of Zed Attack Proxy by Gareth Watters

From humble beginnings, tinkering around with 2006’s final release of the open source code of ‘Paros Proxy’, Java developer and now security engineer Simon Bennetts created ZAP, an on-the-side project which went on to win the 2011 Toolsmith Tool of the Year. Gareth Watters spoke to Simon recently about ZAP.

Close-Up

26 Get it on with ZAP by Gareth Watters

Let’s take a look around Zed Attack Proxy and see what it’s all about, but before we go on let’s emphasize some of ZAP’s greatest attributes: its ease of use; it is free and open source; it is fully internationalized; it has extensive user guides; and, unlike some similar tools, it can save sessions to return to later for reports, an imperative requirement for pentesters, as report writing sometimes tends not to be our strongest area.

Student’s view

34 WebVulScan a Web Application Vulnerability Scanner by Dermot Blair

WebVulScan is a new free and open source tool for testing the security of web applications. It is itself a web application written in PHP, which can be used to test local and remote web applications for security vulnerabilities. WebVulScan can detect similar vulnerabilities to other popular open source tools, but it also tests for high-risk vulnerabilities which are not commonly tested for, such as Stored Cross-Site Scripting and Broken Authentication using SQL Injection.

CYBER STYLETTO

38 Cyber crime novella – Cyber Styletto – Chapter 7 by Mike Brennan and Richard Stiennon

TEAM

Editor: Wojciech Chrapka wojciech.chrapka@software.com.pl
Betatesters: Thomas Butler, Dan Felts, Gareth Watters, Stefanus N., Francesco Consiglio, Harish Chaudhary, Wilson Tineo Moronta, Scott Stewart, Richard Harold, Ryan Oberto, William R. Whitney III, Marcelo Zúñiga Torres
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic ewa.dudzic@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used [program name not captured].
Mathematical formulas created by Design Science MathType™

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.



Defense

Web Service Security: REST vs. SOAP

Creating a web service these days is fairly simple and routine; however, careful consideration should be given to which type of web service you will be using and how you will be securing it. Utilizing an insecure web service can wreak havoc within your company or organization if you end up exposing sensitive information to attackers or curious people. Depending on the type of data being ingested through your web service, service partners may also share the risk with you.

With the move towards cloud-based services and infrastructure, data consumption has increasingly headed towards the use of web services to push and pull data from different sources. Web services have been around for a long time, but within the last five years, with the advent of the ‘Cloud’, usage has been amplified by the increased need for data and the overall consumption requirements of today’s applications. (The ‘Cloud’ itself has been around in an infancy stage since the 1950s, when the scientist Herb Grosch postulated the general premise of cloud computing; see Ryan, Patrick S., Merchant, Ronak and Falvey, Sarah, Regulation of the Cloud in India (July 30, 2011), Journal of Internet Law, Vol. 15, No. 4, p. 7, October 2011, available at SSRN: http://ssrn.com/abstract=1941494.) Web services can be developed in a multitude of ways using different architectural methods and protocols. The two most popular methods, REST and SOAP, will be introduced briefly before jumping into the security of each.

REpresentational State Transfer (REST)

REST is a resource-oriented architecture: each unique URL identifies a resource (an object), and what the client sends or receives is a representation of that resource. To get the contents of an object an HTTP GET is used, while POST, PUT or DELETE is used to otherwise modify the object. Unlike REST, SOAP relies on definitions provided by the application designer to express those verbs as named operations (e.g., getDataItem()). Because of the nature of REST and the interaction between client and server, communication between them is stateless: each data call is self-contained and holds all the information needed to make the request and consume the data it returns.

Table 1. REST Data Elements

    Data Element               Examples
    Resource                   Intended conceptual target of a hypertext reference
    Resource Identifier        URL, URN
    Representation             HTML document, JPEG image, XLS/DOC
    Representation Metadata    Media type, last-modified time
    Resource Metadata          Source link, alternates, vary
    Control Data               If-modified-since, cache-control

REST facilitates data calls that transfer any resource identified via a resource identifier, such as a URL or hypertext reference. Resources can be represented by different data items such as PDF documents, JPEG images, TXT files, spreadsheets, and so on; the representation can be practically anything. For the data call to transfer the resource representation, it must pass through a type of communication connector. These connectors support the stateless nature of the REST web service and give the client and server the means to communicate with one another.

Table 2. REST Connectors

    Connector    Examples
    Client       Apache HTTP client, JDBC, NRE local, libwww-perl
    Server       API (Apache API, ISAPI, NSAPI), libwww, Jetty
    Cache        Cache-container, Akamai, browser-cache
    Resolver     Bind (DNS lookup library)
    Tunnel       HTTPS (SSL after HTTP CONNECT), SOCKS

The main advantages of using REST are:
• REST is easy to build and does not require the additional XML toolkits that SOAP does
• Returned results are human readable and can also be parsed fairly easily
• REST is lightweight and does not carry an unnecessary amount of markup padding

The main disadvantages of using REST are:
• The REST framework does not define security methods, leaving it up to individual developers to define them
• Relying on protocols such as OAuth to secure a REST web service can leave it vulnerable to session-fixation attacks that compromise the data consumer’s credentials (the original OAuth 1.0 authorization flow had exactly such a flaw, fixed in OAuth 1.0a; OAuth 2.0 is the latest version at the time of writing)

WSDL, the Web Services Description Language, details the services offered by a server and is used within a SOAP web service. WADL, the Web Application Description Language, is much like WSDL except that it is much easier to understand and write. While it is not as flexible as WSDL (there is no SMTP binding, for example), it is almost equivalent for the purposes of REST services.

Simple Object Access Protocol (SOAP)

SOAP is an XML-based protocol for ‘information packaging’ which allows the exchange of structured and typed information (XML) between clients and the web service. While REST is not a standard by itself, SOAP is a messaging protocol that is most commonly bound to HTTP. Because a SOAP web service is then reached through an HTTP server, it inherits the bugs and security vulnerabilities of that HTTP implementation. Regardless, SOAP over HTTP remains the most popular choice for implementing web services. The supporting protocols UDDI and WSDL provide discovery and description services with enough information for client applications to use the web service. Unfortunately, with SOAP (including UDDI and WSDL) the threat landscape for a company or organization grows, because the traffic circumvents firewall rules that might otherwise have restricted access to these functions: since SOAP rides on HTTP, firewalls let the traffic pass right through unless they have been configured to recognise data calls and to selectively allow or block SOAP requests by identifying SOAP-specific HTTP headers (a Content-Type of application/soap+xml for SOAP 1.2, or text/xml together with a SOAPAction header for SOAP 1.1). The SOAP specification, currently at SOAP Version 1.2 (W3C http://www.w3.org/TR/soap/) at the time of this writing, consists of the following:
• SOAP processing model, which defines how a SOAP message should be processed
• SOAP extensibility model, which defines the modules and features within SOAP
• SOAP underlying protocol binding framework, which SOAP messages use while being exchanged between SOAP nodes
• SOAP message construct, which defines the structure of a SOAP message
The structure of a SOAP message consists of the encapsulating SOAP Envelope (SOAP-ENV); within the Envelope you have the message Header and Body.
A typical SOAP data call will look like the following. The envelope is carried in the body of a POST; note that SOAPAction is a SOAP 1.1 header, and a SOAP 1.2 client conveys the action in the ‘action’ parameter of the Content-Type instead, so many 1.2 services ignore it:

    POST /SensitiveData HTTP/1.1
    Host: www.example.org
    Content-Type: application/soap+xml; charset=utf-8
    Content-Length: 299
    SOAPAction: "http://www.w3.org/2003/05/soap-envelope"

    <?xml version="1.0"?>
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
      <soap:Header>
      </soap:Header>
      <soap:Body>
        <m:GetDataList xmlns:m="http://www.example.org/data">
          <m:DataName>SensitiveData1</m:DataName>
        </m:GetDataList>
      </soap:Body>
    </soap:Envelope>

Put it all together and the call asks the GetDataList operation for DataName=SensitiveData1; the equivalent REST-style request would be a single GET /SensitiveData/GetDataList?DataName=SensitiveData1.

From the above, you can see that this typical data call includes not only the Content-Type, but also the SOAPAction reference, the SOAP Envelope, Header, and Body. When we are looking at SOAP and security, we usually find security tokens being passed within the SOAP Header. For example, a .NET application (C#, using Microsoft’s Web Services Enhancements classes) adds a UsernameToken to the SOAP message by overriding SecureMessage in its outgoing security filter:

    // userName and userPasswordEquivalent are fields of the enclosing
    // filter class, populated from the application's credential store.
    public override void SecureMessage(SoapEnvelope envelope, Security security)
    {
        UsernameToken userToken;
        userToken = new UsernameToken(userName,
                                      userPasswordEquivalent,
                                      PasswordOption.SendNone);
        // Adds the token to the SOAP header.
        security.Tokens.Add(userToken);
    }

Note: besides carrying a UsernameToken in the header, WS-Security can also sign and encrypt the message using X.509 certificate tokens (the X.509 Certificate Token Profile) alongside the UsernameToken profile.

The main advantages of using SOAP are:
• Development tools have matured to increase the ease of building a web service
• Strict syntax conformity
• Data consumption is generally easy

The main disadvantages of SOAP are:
• SOAP does not provide native support for access control, confidentiality, integrity, and non-repudiation (SOAP extensibility allows these to be added on, for example with WS-Security)
• SOAP intermediaries are a weak point that an attacker can compromise in order to conduct man-in-the-middle (MiTM) attacks
• SOAP messages traverse the network over HTTP, and thus make it easy to circumvent firewalls (this is a double-edged sword)

Security Related Specifications

I would be remiss if I were to fail to mention the plethora of security specifications for web services:
• XML Signature
• XML Encryption
• XML Key Management (XKMS)
• WS-Security
• WS-SecureConversation
• WS-SecurityPolicy
• WS-Trust
• WS-Federation
• WS-Federation Active Requestor Profile
• WS-Federation Passive Requestor Profile
• Web Services Security Kerberos Binding
• Web Single Sign-On Interoperability Profile
• Web Single Sign-On Metadata Exchange Protocol
• Security Assertion Markup Language (SAML)
• XACML

Testing Web Services

I like to look at security testing of a web service as going one of two ways, depending on the environment and the service itself. Either it creates a hybrid mix of emotions, partial confusion, frustration, and even a bit of fun thrown in for good measure, or it becomes one of the more frustrating, anticlimactic life events you will ever experience. If this is a formal security test of the web service, a lot depends on how much information the developers have given you prior to testing; if you’re testing without permission, that’s another discussion to be had regarding ethics. Testing REST web services can be challenging: while they are essentially web applications, there are no standard parameters, which makes it much more difficult to conduct fuzzing against them. SOAP has more defined actions and parameters and usually makes for an easier go at testing. The first step in testing a web service, much like a network penetration test, is the discovery and enumeration phase. Try to gather as much documentation as you can before actually running tools against the web service. Inspect any WSDL/WADL (or WCF service metadata) being used, and find out whether the REST service uses a particular programming language, API, etc. If you cannot find any documentation, your next step should be to set up an intercepting proxy (such as Burp Suite, see the tool list below) and run requests through it, analyzing the data calls. The best testing setup in my experience has been soapUI in combination with Burp. Burp has the Burp Extender, which allows for custom plug-ins, and Ken Johnson has provided a great resource for web service pen testing with it at the InfoSec Institute (http://resources.infosecinstitute.com/soap-attack-1/).
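Before moving on to the tools, here is an added example (written for this edit, not taken from the article or from any of the tools listed) of the SOAP-specific header check described in the SOAP section above, in Python. It parses a raw HTTP request, decides from Content-Type and SOAPAction whether the client claims SOAP 1.1 or SOAP 1.2, confirms that claim against the Envelope namespace in the body (headers alone are attacker-controlled), and pulls out the operation name and whether a wsse:Security header is present. The four sample requests are constructed; the host www.example.org and the GetDataList operation are reused from the article’s example only as illustration.

```python
"""Classify HTTP requests as SOAP 1.1, SOAP 1.2 or something else and pull out
the operation name, the way a SOAP-aware firewall or proxy would.
Added example for this article; the sample requests below are constructed."""
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
# WS-Security 1.0 'wsse' namespace (OASIS).
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw):
    """Return a dict: which SOAP version the headers claim, whether the body
    confirms it, the operation, and whether a wsse:Security header exists."""
    method, path, headers, body = parse_http_request(raw)
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    result = {"method": method, "path": path, "soap": None,
              "operation": None, "wsse_header": False}
    # SOAP 1.2 has its own media type; SOAP 1.1 uses text/xml plus a
    # SOAPAction header (which may be empty but must be present).
    if media == "application/soap+xml":
        result["soap"] = "1.2"
    elif media == "text/xml" and "soapaction" in headers:
        result["soap"] = "1.1"
    else:
        return result
    # Headers are attacker-controlled, so confirm that the body really is an
    # Envelope in the namespace belonging to the claimed version.
    env_ns = SOAP12_NS if result["soap"] == "1.2" else SOAP11_NS
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        result["soap"] = "malformed"
        return result
    if root.tag != "{%s}Envelope" % env_ns:
        result["soap"] = "mismatch"
        return result
    header = root.find("{%s}Header" % env_ns)
    if header is not None and header.find("{%s}Security" % WSSE_NS) is not None:
        result["wsse_header"] = True
    body_el = root.find("{%s}Body" % env_ns)
    if body_el is not None and len(body_el):
        # The operation is the local name of the first child of Body.
        result["operation"] = body_el[0].tag.rsplit("}", 1)[-1]
    return result


# Constructed sample traffic.
SOAP12_ENVELOPE = (
    '<?xml version="1.0"?>'
    '<soap:Envelope xmlns:soap="%s"><soap:Header/><soap:Body>'
    '<m:GetDataList xmlns:m="http://www.example.org/data">'
    "<m:DataName>SensitiveData1</m:DataName>"
    "</m:GetDataList></soap:Body></soap:Envelope>" % SOAP12_NS)
SOAP11_ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s"><soapenv:Header>'
    "<wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
    "</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body>"
    '<m:GetDataList xmlns:m="http://www.example.org/data"/>'
    "</soapenv:Body></soapenv:Envelope>" % (SOAP11_NS, WSSE_NS))
SOAP12_REQUEST = ("POST /SensitiveData HTTP/1.1\r\nHost: www.example.org\r\n"
                  "Content-Type: application/soap+xml; charset=utf-8\r\n\r\n"
                  + SOAP12_ENVELOPE)
SOAP11_REQUEST = ("POST /SensitiveData HTTP/1.1\r\nHost: www.example.org\r\n"
                  "Content-Type: text/xml; charset=utf-8\r\n"
                  'SOAPAction: "http://www.example.org/data/GetDataList"\r\n\r\n'
                  + SOAP11_ENVELOPE)
REST_REQUEST = ("GET /SensitiveData/GetDataList?DataName=SensitiveData1 HTTP/1.1"
                "\r\nHost: www.example.org\r\n\r\n")
# Claims SOAP 1.2 in the headers but carries a SOAP 1.1 envelope.
SPOOFED_REQUEST = ("POST /SensitiveData HTTP/1.1\r\nHost: www.example.org\r\n"
                   "Content-Type: application/soap+xml\r\n\r\n" + SOAP11_ENVELOPE)

if __name__ == "__main__":
    for req in (SOAP12_REQUEST, SOAP11_REQUEST, REST_REQUEST, SPOOFED_REQUEST):
        print(classify(req))
```

A firewall rule built only on the media type would accept the spoofed request as SOAP 1.2; checking the Envelope namespace is what catches it. The same parse gives you the operation name, which is the natural key for a per-operation allow or block rule.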

Testing Tools

Depending on the type of web services testing you are conducting, as with any good handyman or carpenter, you want a good mix of tools in your toolkit. While this list is not exhaustive by any means, it mentions some of the better tools for conducting your testing.

Stratsec Web Method Search Tool: a dictionary attack tool that can be used to brute force the web method names for a given web service.
• http://www.stratsec.net/Research/Tools/Web-MethodSearch-Tool
• http://www.stratsec.net/Research/Publications/AWeb-Services-Security-Testing-Framework

soapUI: a functional testing tool for SOA and web service testing. It can also test for XSS, SQLi, fuzzing, XML bombing, etc.
• http://www.soapui.org/About-SoapUI/features.html

WebInject: an automated testing tool for JSP, ASP, CGI, PHP, AJAX, Servlets, HTML forms, XML/SOAP web services, REST, etc.
• http://www.webinject.org/

Portswigger Burp Suite Pro: a very popular tool for conducting web application assessments and penetration testing (my personal favorite).
• http://www.portswigger.net/burp/

Microsoft FS2PV: a cryptographic-protocol verification tool; finds security flaws and translates F# programs for analysis with Blanchet’s ProVerif.
• http://research.microsoft.com/enus/downloads/d54de3ef-085e-47f0-b7dc-8d56c858aba2/default.aspx

Microsoft FS2CV: an automated cryptographic-protocol verification tool; allows implementation and verification of TLS.
• http://www.msr-inria.inria.fr/projects/sec/fs2cv/
• http://www.msr-inria.inria.fr/projects/sec/fs2cv/fs2cv-draft.pdf

TulaFale: automatically verifies authentication and secrecy properties of SOAP protocols.
• http://research.microsoft.com/en-us/downloads/a91c6322-ae04-4b7c-9f8b-908f094d7a15/default.aspx
• http://research.microsoft.com/en-us/um/people/fournet/papers/tulafale-a-security-tool-for-web-services.pdf

WSFuzzer: a fuzzing penetration testing tool against HTTP SOAP based web services.
• http://sourceforge.net/projects/wsfuzzer/

McAfee WSDigger: a tool to automate black-box web services security testing.
• http://www.mcafee.com/us/downloads/free-tools/wsdigger.aspx

Figure 1. [caption missing]

General Resources

List of Web Services Specifications: http://en.wikipedia.org/wiki/List_of_Web_service_specifications. Web Services Management (WSMAN) Specifications: http://dmtf.org/standards/wsman.

Glossary
• HTTP – Hyper Text Transfer Protocol
• MiTM – Man-in-the-middle attacks
• REST – REpresentational State Transfer
• SaaS – Software as a Service
• SOA – Service Oriented Architecture
• SOAP – Simple Object Access Protocol

So Which One to Use, REST or SOAP?

This can be a difficult decision to make if security is your utmost concern. REST typically relies on HTTPS to secure the transmission of the message over the network, whereas SOAP can use WS-Security to offer confidentiality and integrity protection from the creation of the data call to the consumption of the message by the receiving process. That ensures the contents of a call can be read only by the corresponding authorized process on the server, rather than merely ensuring that the right server receives it. It also means the web service does not assume that every data call made within a ‘secure’ HTTPS session comes from the authenticated client; each call is signed individually, so even if the session has been compromised the calls are still consumed without loss of confidentiality and integrity. Another approach is a hybrid model, using REST for read-only data access and SOAP for access that requires read/write. A good way to avoid juggling different security schemes is to use WS-Security for both the REST and SOAP implementations and put a security intermediary in front (see the earlier diagram) that pulls the header information from the data calls and performs the checks.

It boils down to transport-layer encryption, which is a point-to-point mechanism, versus WS-Security, which is an application-layer, end-to-end mechanism. TLS protects data calls while they traverse a network or the Internet over HTTPS; WS-Security protects the confidentiality and integrity of the calls until after they have been consumed. As long as the REST web service has a way to authenticate clients, or a SOAP application using WS-Security is also using HTTPS, both web services should be fairly secure. If you need non-repudiation, REST over HTTPS won’t do (unless you’re using 2-legged OAuth, and even then only with an asymmetric signature method such as RSA-SHA1, since a shared-secret HMAC cannot prove which of the two parties produced the signature); you will need WS-Security with XML Signature.
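To make the per-message argument concrete, here is an added example in Python (not the article’s code and not taken from any vendor’s toolkit). It builds a WS-Security UsernameToken header with a PasswordDigest the way a client would, then verifies it the way the service would, rejecting a header that is sent a second time (nonce already seen) or whose Created timestamp falls outside a freshness window. The user store, the password, the five-minute window and the demo() walk-through are assumptions made for the example. It also shows the limit of this token: it authenticates each call independently of the TLS session, but the digest covers only the nonce, the timestamp and the password, so body integrity and non-repudiation still need XML Signature.

```python
"""WS-Security UsernameToken with PasswordDigest: build the header as a
client would, verify it as the service would, and refuse replays and stale
tokens. Added example for this article, not the article's or any vendor's
code; the user store, password and five-minute window are assumptions."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)) as the
    UsernameToken Profile defines it; nonce is the raw (decoded) bytes.
    SHA-1 is what the profile specifies. The digest hides the password on
    the wire but covers nothing else: body integrity needs XML Signature."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_security_header(username, password, nonce=None, created=None):
    """Client side: a wsse:Security header carrying one UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s"><wsse:UsernameToken>'
        "<wsse:Username>%s</wsse:Username>"
        '<wsse:Password Type="%s">%s</wsse:Password>'
        "<wsse:Nonce>%s</wsse:Nonce><wsu:Created>%s</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security>"
        % (WSSE, WSU, username, DIGEST_TYPE,
           password_digest(nonce, created, password),
           base64.b64encode(nonce).decode(), created))


class UsernameTokenVerifier:
    """Service side. Every call authenticates on its own, independent of any
    TLS session; nonces seen inside the freshness window are remembered so
    a captured header cannot simply be sent again."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users              # username -> clear-text password (demo store)
        self.max_skew = max_skew
        self.seen_nonces = set()

    def verify(self, security_xml, now=None):
        """Return (accepted, reason)."""
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(security_xml).find("{%s}UsernameToken" % WSSE)
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext("{%s}Username" % WSSE)
        pw_el = tok.find("{%s}Password" % WSSE)
        nonce_b64 = tok.findtext("{%s}Nonce" % WSSE)
        created = tok.findtext("{%s}Created" % WSU)
        if (user is None or pw_el is None or pw_el.get("Type") != DIGEST_TYPE
                or not nonce_b64 or not created):
            return False, "digest, nonce and created are all required"
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            return False, "token outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if (user, nonce) in self.seen_nonces:
            return False, "replayed nonce"
        password = self.users.get(user)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad digest"
        self.seen_nonces.add((user, nonce))
        return True, "ok"


def demo():
    """Constructed walk-through: a good call, the same header replayed, a
    wrong password, and a token whose Created time is years old."""
    users = {"alice": "correct horse battery staple"}   # demo store
    verifier = UsernameTokenVerifier(users)
    header = build_security_header("alice", users["alice"])
    return [verifier.verify(header),
            verifier.verify(header),
            verifier.verify(build_security_header("alice", "wrong")),
            verifier.verify(build_security_header(
                "alice", users["alice"], created="2012-06-01T00:00:00Z"))]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The nonce set must be shared between all service instances (or scoped per instance with sticky routing), otherwise the replay check silently stops working behind a load balancer; and the freshness window is what keeps that set from growing without bound.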

Summary

In conclusion, while closely related, REST and SOAP also differ substantially in their own ways. Both provide a method for designing a web service, but each entails a different approach. Whether you are designing a web service or conducting security testing on one, you should be aware of these differences, of how to secure your web service, and of how to determine the vulnerabilities that exist within it. By following industry best practice and adhering to the specifications and definitions of REST and SOAP, and by security testing throughout the SDLC of the web service, you can ensure that your web service is as secure as you can make it. Each standard has its own nuances for securing itself, some easier and more readily available, others more obscure and difficult. Knowing how each web service is structured and how it operates will make testing easier.

Daniel Wood

Daniel Wood, GPEN, CISSP, Lead Associate and Sr. Cyber Security Engineer at Phase One Consulting Group, has been working in information security for the past six years and has over twelve years of experience in web application development and application security. He currently supports the U.S. Government in securing its network infrastructure and web applications.



Advertisement: Nipper Studio by Titania. Scanning isn’t enough: Cyber Security Auditing Software.

Device Auditing (Nipper Studio, audit without network traffic) vs. Scanners. Configuration areas covered:
• Authentication Configuration
• Authorization Configuration
• Accounting/Logging Configuration
• Intrusion Detection/Prevention Configuration
• Password Encryption Settings
• Timeout Configuration
• Routing Configuration
• Physical Port Audit
• VLAN Configuration
• Network Address Translation
• Network Protocols
• Device Specific Options
• Time Synchronization
• Warning Messages (Banners)
• Network Administration Services *
• Network Service Analysis *
• Password Strength Assessment *
• Software Vulnerability Analysis *
• Network Filtering (ACL) Audit *
• Wireless Networking *
• VPN Configuration *
* Limitations and constraints will prevent a detailed audit

Key points:
• Device information remains confidential
• Settings that allow you to hide sensitive information in the report
• Low cost, scalable licensing
• Point and click GUI or CLI scripting
• Audit without network traffic
• Multi-Platform Support

Cisco: “It was refreshing to discover Nipper and to find that it supported so many devices that Cisco produces. Nipper enables Cisco to test these devices in a fraction of the time it would normally take to perform a manual audit. For many devices, it has eliminated the need for a manual audit to be undertaken altogether.”

Business Benefits to Cisco
• Nipper quickly produces detailed reports, including known vulnerabilities.
• By using Nipper, manual testing has been altogether eliminated for particular Cisco devices.

Nipper Studio reduces manual auditing time by quickly producing a consistent, clear and detailed report. This report will:
1. Summarize your network’s security
2. Highlight vulnerabilities in your device configurations
3. Rate vulnerabilities by potential system impact and ease of exploitation (using CVSSv2 or the established Nipper Rating System)
4. Provide an easy to action mitigation plan based on customizable settings that reflect your organization’s systems and concerns
5. Allow you to add previous reports and enable change tracking functionality, so you can easily view the progress of your network security

[...] for free at enquiries@titania.com, T: +44 (0)845 652 0621, www.titania.com


Defense

Firewall Audit

A firewall is an important component of network security. We use firewalls because they make us feel that our network is protected from adversaries. But what happens if the firewall itself is configured wrongly? In that case we have a false sense of security. For this scenario we need a method to check whether the firewall is configured correctly or not; ergo, the firewall audit.

This article sheds light on the basics of firewalls, the different types, the firewall audit and its necessity, and the various methods to conduct a firewall audit.

What is a Firewall?

A firewall is a hardware-based or software-based system which is designed to control the flow of incoming and outgoing traffic in the network, and all traffic must pass through the firewall (Figure 1). This is performed by defining a set of rules on what to allow (Allow list) and what not to allow (Deny list). The firewall checks the traffic against these lists. If the traffic is in the 'Allow list', it is forwarded; else it is dropped (Figure 2). In other words, it filters the network traffic. Its primary goal is to make the local network, which is implementing the firewall, secure and trusted. Depending upon the type of functions they perform, firewalls can be categorized as follows (Figure 3) [1].

Figure 1. Firewall implementation

Figure 2. An example of Firewall Access Control - Windows Firewall

Network-Level Firewalls

It works at the network level by inspecting packet headers and filtering traffic based on the IP address of the

06/2012(8)
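As an added illustration of the allow-list / deny-list matching described above, and of the kind of check a firewall audit performs on a rule set, here is example code written for this summary (not the article's or any product's code; the rule format and the sample rules are assumptions):

```python
# Added example (not the article's code): a toy first-match packet filter in the
# allow-list / deny-list style the text describes, plus two checks a firewall audit
# runs over a rule set. Addresses are CIDR or '*'; sample rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR or "*"
    dst: str     # CIDR or "*"
    proto: str   # "tcp", "udp" or "*"
    dport: str   # port number as a string, or "*"

def net_covers(outer, inner):
    """True when every address of network `inner` lies inside `outer`."""
    return outer == "*" or (
        inner != "*" and ip_network(inner).subnet_of(ip_network(outer)))

def covers(a, b):
    """Rule a matches every packet rule b would match, so b is shadowed by a."""
    return (net_covers(a.src, b.src) and net_covers(a.dst, b.dst)
            and a.proto in ("*", b.proto) and a.dport in ("*", b.dport))

def decide(rules, src, dst, proto, dport):
    """First-match evaluation: the action of the first matching rule, else deny."""
    for r in rules:
        if ((r.src == "*" or ip_address(src) in ip_network(r.src))
                and (r.dst == "*" or ip_address(dst) in ip_network(r.dst))
                and r.proto in ("*", proto) and r.dport in ("*", dport)):
            return r.action
    return "deny"   # implicit deny when nothing matches

def audit(rules):
    """Audit findings: allow rules with every field wildcarded (overly permissive)
    and rules fully covered by an earlier rule (dead config that never fires)."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and {r.src, r.dst, r.proto, r.dport} == {"*"}:
            findings.append(f"{r.name}: allow-any rule, overly permissive")
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(f"{r.name}: shadowed by {earlier.name}")
                break
    return findings

# Constructed sample rule set with two deliberate audit problems.
SAMPLE_RULES = [
    Rule("r1", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", "443"),
    Rule("r2", "deny", "*", "192.0.2.10/32", "tcp", "22"),
    Rule("r3", "allow", "10.1.0.0/16", "192.0.2.10/32", "tcp", "443"),  # shadowed by r1
    Rule("r4", "allow", "*", "*", "*", "*"),                            # allow-any
]
```

Running `audit(SAMPLE_RULES)` reports r3 as shadowed and r4 as an allow-any rule; a real audit adds many more checks (logging, management-plane exposure, rule ordering), but dead and overly broad rules are the two findings a reviewer meets most often.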



Report

Security Products or Door for Hackers? A Report on the Vulnerability Trends in Security Products As users of computers at work, home and everywhere in between, we rely on a slew of products such as anti-virus software, firewall solutions, authentication tokens and so on that we believe will help make our computer systems more secure. But how secure are such security products themselves? Is there a real risk that the fence itself might eat the crop?

As users of computers, we all worry about how secure they are against hacking. To address this fear, we invest in anti-virus software, firewalls, encryption software, remote access tokens and a slew of PC and web security products in the hope that they will effectively keep hackers and malware away. The latest iViZ study, which is based on data between January 2011 and February 2012, suggests that security products are no more secure than other types of software. In fact, several security products themselves serve as gateways for security threats to enter your computer. Even worse, these threats may remain undetected because the product vendor too may be unaware of the vulnerability.

This study does not suggest that people should stop using security products; in fact, the goal is simply to make people aware of security risks that could occur from the most unexpected parts of their IT infrastructure, and to help them take steps to prevent damage to their valuable personal or business information. However, what you can certainly do to secure your applications and infrastructure even better is to test them more thoroughly and rigorously, so that any vulnerabilities are identified before hackers make use of them. In 2011, some of the largest providers of security products, including RSA, Comodo, Barracuda Networks, VeriSign, HBGary and Symantec, were victims of attacks from malicious parties, with serious consequences.

Figure 1. Vulnerability Trend in All Products



Interview

Making of ZAP: Interview with Simon Bennetts

From humble beginnings, tinkering around with 2006’s final release of the open source code of ‘Paros Proxy’, java developer and now security engineer Simon Bennetts created ZAP. An on-the-side project which went on to be a winner of the 2011 Toolsmith Tool of the year. Gareth Watters spoke to Simon recently about ZAP.

Gareth Watters: Please introduce yourself and tell us about how you came about to create ZAP?

Simon Bennetts: Well, I've just started working for the Mozilla Security Team, this is my first official 'security' job – before that I was a developer. For the last 20 or so years I've been designing and building applications, and for over half that time I've been leading teams building Java web applications. I first got involved in security around 4 years ago, after the first serious penetration test of one of my applications. I thought I knew enough about security, but the penetration test proved otherwise! Looking back it actually wasn't too bad, but at the time it was a shock, so I set about learning as much as I could about web security. I started playing around with vulnerable apps and various security tools, and as I'm a developer I started looking at the code of various open source tools to see how they worked. And the Paros Proxy seemed like a good tool to start with – it was useful without being too complicated, and being written in Java made it easy for me to understand. But there were some things I didn't like about it, and before long I started making tweaks to the code to make it work the way I wanted it to. As I learned more about security I started giving talks to other developers and QA people, starting off with the OWASP Top Ten and basic pen testing techniques. And one of the first questions people asked was – what tools should we use? I explained that you could do a lot with "a browser and a bad attitude ;)" but I knew that the right tools make things easier, so I had a good look around to find the best tool to recommend. I had some fairly specific criteria – it had to be free, cross platform and ideally open source. It needed to do

Simon Bennetts, creator of Zed Attack Proxy



Close-Up

Get it on with Zed Attack Proxy

Let's take a look around Zed Attack Proxy and see what it's all about, but before we go on let's emphasize some of ZAP's greatest attributes: its ease of use, it's free and open source, ZAP is fully internationalized, has extensive user guides and, unlike some similar tools, has the ability to save sessions to go back to later for reports, which is an imperative requirement for PenTesters as report writing sometimes tends not to be our strongest area.

You can download Zed Attack Proxy from http://code.google.com/p/zaproxy/. Note: if you don't already have it installed, you need to download and install Java from http://www.java.com. ZAP is at its heart an interception proxy and has to be configured in-line between your browser and your application. For instructions to configure ZAP as a proxy for all the major browsers go to http://code.google.com/p/zaproxy/wiki/HelpStartProxies. When you open ZAP for the first time you will be prompted to create an SSL Root CA Certificate as in Figure 2. In the context of this article, we will be working with the secure login to a vulnerable web application. Therefore we shall create an SSL Root CA certificate.

Figure 1. Setup of ZAP for use in a Penetration Test



ITOnlinelearning offers Network Security courses for the beginner through to the professional. From the CompTIA Security+ through to CISSP, Certified Ethical Hacker (CEH), Certified Hacking Forensic Investigator (CHFI) and Security Analyst/Licensed Penetration tester (ECSA/LPT).

Tailored Advice and Discounts: please call one of our Course Advisors on 0800-160-1161 for help and tailored advice during office hours (Mon-Fri 9am-5.30pm).

Telephone: 0800-160-1161 International: +44 1795 436969 Email: sales@itonlinelearning.co.uk support@itonlinelearning.co.uk Registered Office: 16 Rose Walk, Sittingbourne, Kent, ME10 4EW


Student’s View

WebVulScan a Web Application Vulnerability Scanner

WebVulScan is a new free and open source tool used for testing the security of web applications. It is a web application itself, written in PHP, which can be used to test local and remote web applications for security vulnerabilities. WebVulScan can detect similar vulnerabilities to other popular open source tools, but it also tests for high risk vulnerabilities which are not commonly tested for, such as Stored Cross-Site Scripting and Broken Authentication using SQL Injection.

WebVulScan is an easy-to-use tool that tests for high risk, commonly exploited vulnerabilities and produces accurate results for the user while keeping the level of false positives to a minimum. As a scan progresses, details of the scan are dynamically displayed to the user. When a scan is complete, a detailed PDF report is emailed to the user which shows the user exactly where, and how, the vulnerabilities found were exploited, and provides recommendations for eliminating the vulnerabilities. WebVulScan is hosted on Google Code and can be accessed and downloaded at: http://code.google.com/p/webvulscan/.

The goals of this project

This project was undertaken as an academic final year project because of the author's interest in web application security, the challenges that this posed for developers of automated tools, and to assist IT management with assessment of risk. A comparative study of some of the other web application vulnerability scanners available was also carried out in order to examine and compare their features, accuracy and what vulnerabilities they test for. As there are over a hundred different vulnerabilities that can exist in a web application, testing for all, or even half, of these would be outside the scope of this project. It was essential that the scanner to be implemented tested for vulnerabilities that are a high risk and are still commonly exploited today, as testing for low risk, out-of-date vulnerabilities would be pointless. Therefore, the initial goal of this project was to implement tests for the OWASP (Open Web Application Security Project) top ten list of the most critical vulnerabilities of 2010. OWASP is a non-profit worldwide organisation whose aim is to make people aware of application security so they can make informed decisions on the security of their applications. OWASP maintains a top ten list of the most critical web application vulnerabilities known as the "Top Ten" project, and 2010 was the latest version when this project began. However, while analysing the requirements and identifying how one might test for these vulnerabilities, it was discovered that not all of the top ten vulnerabilities can be effectively tested with an automated scanner. For example, vulnerability number seven on the list, which is named "Insecure Cryptographic Storage" and typically exists when an application does not encrypt data at all, or does not sufficiently encrypt it when it is stored, could not be tested with a web application vulnerability scanner, as the scanner would not have access to all instances where the data was stored, such as backups. One could possibly develop an automated scanner that tests for this vulnerability, developed exclusively for one's own system and able to access its database. However, the aim of this project was to develop a general scanner that could be used to test any web application where the



Cyber Styletto

Cyber Styletto Monday, December 24, Peninsula Suite, The Peninsula Hotel,

A malicious computer network attack on a traffic management system in California causes the deaths of eighteen innocent people. Yvonne Tran, a former black hat computer hacker now working as a contractor for a government agency called CyberCom, is called in to investigate. Her handler and former lover, Rohan Stokes, and executives at Network Systems, the California manufacturer that designed the computer server, have no idea how the system could have been commandeered so completely, or how many other critical systems have been infiltrated. Tran and her team – composed of former Special Forces military and civilian computer experts – must pinpoint the location where the probe originated, and stop the perpetrators before they launch a much bigger attack on Christmas Day aimed at killing thousands of Americans.

Stokes showed the team how to attach the implants to their molars and demonstrated their operation. "A simple bite at the back of the mouth, like you're eating a cracker, turns it on," he said. "Another bite turns it off."

Silk sat back in one of the luxurious chairs in Yvonne's Harbour View suite, looked out towards Victoria and grinned. "And what happens at dinner? On, off, on, off, every time you take a bite?"

"Doesn't work that way. As long as your molars don't make contact it won't change the setting."

When the group was satisfied the hardware worked, they split up. Buck and his team, except for Woody, dressed in Cathay ComputerWorks uniforms, took the van and headed for the airport to do recon for the night's mission. They took Colin and Stokes with them, although Stokes wouldn't be allowed out of the van. Woody stayed with Yvonne. They hadn't been able to get a uniform in the size XXXXL, and didn't want to attract undue attention by trying to have one custom-made at any of the tailors in town. He'd have to work in the background when the team went on its mission.

It was just as well. Yvonne could use him to run interference. She needed to get to Asiaworld-Expo, the convention center a few minutes from the airport. Cathay had a shop there where visitors could purchase smart phones and laptops, and the demo models tied into CCW's network. If she could get close enough, she'd be able to access the company's database and finally ping the IP address that had launched the cyber attack on Silicon Valley. But getting that close was a problem. She couldn't just stand in public and run a program to infiltrate the CCW server.

She transferred a worm she'd written to access the server from her laptop to her smart phone. It was a new model they'd surely have in stock. If she could switch her phone with one of the displays, it might look like she was just playing with the functions while deciding whether to buy, instead of hacking Chinese intelligence. A salesman met them before Woody was even finished walking through the doorway. He was a skinny kid, maybe as big around as one of Woody's legs, but what he lacked in size he made up for in aggressiveness.

About Authors

Richard Stiennon, Chief Research Analyst at IT-Harvest, is a world renowned expert on cyber security and author of "Surviving Cyberwar."

Mike Brennan, Editor & Publisher of MITechNews.Com, has covered cyber security for more than a decade.

Gian DeTorre is the pen name of an award winning fiction writer and literary critic whose work has been published in the U.S. and around the world.

U.S. $13.37



In the upcoming issue of the

PHP Vulnerabilities. Available to download on June 23rd.

If you would like to contact the PenTest team, just send an email to maciej.kozuszek@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next Magazine Edition.


Now Hiring Teamwork Innovation Quality Integrity Passion

Sense of Security

Compliance, Protection and

Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally. Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12.

info@senseofsecurity.com.au www.senseofsecurity.com.au


[Wrox (Programmer to Programmer) advertisement: cover art and titles of Android, iPad/iOS 5, Windows Phone 7, Flash/Flex/AIR, prototyping and augmented reality development books by Wei-Meng Lee, Reto Meier, Nathan Clevenger, Bill Hughes, Indrajit Chakrabarty, Jermaine G. Anderson, Zhinan Zhou, Robert Zhu, Pei Zheng, Baijian Yang, Tony Mullen, Lester Madden and Chris Stevens. Blurb: "This book is a valuable read for any enterprise CIO and IT leader." — Mike Blake, Chief Information Officer, Hyatt Hotels Corporation.]

Want to craft killer code for mobile applications? We've got a mini-book for that... From Android to Apple and everything in-between…

Join the discussion @ p2p.wrox.com. Also available as e-books.

Simply visit www.wiley.com/go/mobdevminibook to download your free copy today

