[Tool] AppPrint - Web and Application Server Fingerprinting/Mapping tool (Beta)

Posted a new tool on the site.
-- Description --
AppPrint scans an IP range, a single IP or a host for Web and application servers. It scans port 80 on each target and tries to deduce the banner using the httprint methodology, which gives a best-guess banner for the Web server. In the next step it uses a forced plug-in invoke method and scans for the application server type. At this point it tries to fingerprint Tomcat, WebLogic, WebSphere, Orion, ColdFusion and Resin. It requires the .NET framework to be installed. In future versions we will build several other technology mapping and fingerprinting techniques for Ajax, RIA, Flash, Laszlo etc.
--

Read and Download

[net-security paper] Dissecting and Digging Application Source Code for Vulnerabilities

Application source code scanning for vulnerability detection is an interesting challenge and a relatively complex problem as well. Several security issues are difficult to identify using blackbox testing, but they can be identified using a whitebox source code testing methodology. Application layer security issues may reside at the logical layer, and it is very important to have a source code audit done to unearth these categories of bugs. This paper addresses the following areas:

1. How to build simple rules using method and class signatures to identify possible weak links in the source code.
2. How to do source code walking across the entire source base to perform impact analysis.
3. How to use a simple tool like AppCodeScan or a similar utility to perform effective source code analysis and detect possible vulnerabilities residing in your source base.

Read here

Tool Update - AppCodeScan 1.1

AppCodeScan 1.1 is posted on the site with the following changes:

1. Code parsing has changed and the tool now shows the line number where a pattern is found, in both the scanning and the code walking functionality.
2. Some bugs that affected recursive three-layer scanning are fixed.

Download from here

Thanks for your feedback.

Cheers!

[Book] Web 2.0 Security - Defending Ajax, RIA, and SOA

SOA, RIA, and Ajax are the backbone behind the now widespread Web 2.0 applications such as MySpace, GoogleMaps, and Wikipedia. Although these robust tools make next generation web applications possible, they also add new security concerns to the field of web application security. Yamanner, Samy and Spaceflash type worms are exploiting "client-side" Ajax frameworks, providing new avenues of attack and compromising confidential information. Portals like Google, Netflix, Yahoo and MySpace have witnessed new vulnerabilities in the past. These vulnerabilities can be leveraged by attackers to perform Phishing, Cross-site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation. Web 2.0 Security: Defending Ajax, RIA, and SOA is the book to cover the new field of Web 2.0 security. Written for intermediate-to-advanced security professionals and developers, the book explores Web 2.0 hacking methods and helps in enhancing next generation security controls for a better application security posture. Readers will gain knowledge in advanced footprinting and discovery techniques, Web 2.0 scanning and vulnerability detection methods, Ajax and Flash hacking methods, SOAP, REST and XML-RPC hacking, RSS/Atom feed attacks, fuzzing and code review methodologies and tools, tool building with Python, Ruby and .NET, and much, much more. The book includes a companion CD-ROM with tools, demos, samples, code, and images.

More on Amazon

[Clubhack - Conference] Hacking Web 2.0 Art and Science of Vulnerability Detection


ClubHack - Pune, India.

Going to talk on the following: Web 2.0 applications are on the rise and, as Gartner has predicted, by the end of 2007 30% of applications will be running with Web 2.0 components embedded in them. This change in scenario provides various new entry points and security holes for attackers. Hacking Web 2.0 is the most required skill for security professionals, to identify vulnerabilities and associated threats before an attacker exploits them. New attack vectors are on the rise, such as two-way CSRF access, XSS through JSON, JS-Object, XML and Array streams, client-side eval() exploitation, XPATH injection, WSDL scanning, Web Services payloads through SOAP and REST, XML-RPC method exploitation etc. One needs to do both scientific and artistic analysis of an application to identify these vulnerabilities, and this talk will cover these emerging attack vectors with plenty of demonstrations and tools. You will take home thorough knowledge of Web 2.0 hacking and will be in a position to apply it at work immediately.

Go to Conference page

OWASP AppSec 2007 - .NET Web Services Hacking

AppSec at San-Jose was really fun. I was able to learn some good stuff. I talked on .NET Web Services Hacking. Here is my slide show.

OWASP - .NET Web Services Hacking

.Net Web Services Hacking - Scan, Attacks and Defense

The following topics will be covered:
1. Web Services Discovery strategies in Web 2.0 applications
2. Scanning and profiling Web Services.
3. Attacking and Fuzzing Web Services for Vulnerability detection
4. Defense strategies for Web Services with content filtering (HTTPModule) - Web Services Firewall

Some of the content will be covered from my books - Hacking Web Services and Web 2.0 Security - Defending Ajax, RIA and SOA.

Looking forward to seeing OWASP and WASC folks.

web2wall : Web Application/Services Firewall - IHTTPModule for Web 2.0 application

Microsoft's .Net framework includes two interfaces, IHTTPModule and IHTTPHandler. These two interfaces can be leveraged to provide application-level defense customized at the application, folder or variable level. This can act as the first line of defense, before any incoming request touches the Web application source code. This is Web application defense at the gates, for the .Net framework on IIS.

Web2wall is a simple binary module which can be loaded into your Web 2.0 applications. You can defend your application layer code using regex patterns; this helps in filtering XML and JSON streams. This tool is in beta and more features will be added with time. We will resolve bugs to make the module more robust.

Download

AppCodeScan - Application Code Scanning tool

This tool is designed to help in performing whitebox testing. During whitebox testing one needs to scan the complete application code for various vulnerabilities like XSS, SQL injection, poor validation etc. It is possible to discover these vulnerable points using this tool, and one can then follow code walking across the code base to trace the vulnerability. This tool works in the following two areas:

Code Scanning - One needs to feed in the target code folder, the rule patterns in regex (a sample is provided for ASP) and the list of file extensions to scan. The tool takes this information, runs against the target folder to a depth of three (3) and scans each line for a matching pattern. If a pattern is found, it reports that line in the tool.
Code Walker - This little utility helps in walking across the code base to find a variable or function. It helps to trace variables and their entire path in a large code base, which in turn helps in negating false positives from the identified patterns.
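To make the rule-based scanning and code-walking idea concrete (both the paper's rule-building and source-walking points and the Code Scanning / Code Walker description here), this is an added Python example, not AppCodeScan's own code: it applies regex rules to files under a folder to a depth of three, reports matching lines with their line numbers, and traces a symbol across the tree. The rule patterns and the sample ASP files it scans are constructed for the example.

```python
import os, re, tempfile

# Constructed sample rules in the spirit of AppCodeScan's ASP rule file (not the tool's own rules).
RULES = {
    "request-input": re.compile(r"Request\.(Form|QueryString|Cookies)\s*\(", re.I),
    "sql-concat": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*&", re.I),
    "reflected-output": re.compile(r"Response\.Write\s*\(?\s*Request", re.I),
}

def iter_files(root, extensions, max_depth=3):
    """Yield files with a wanted extension, descending at most max_depth folder levels."""
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath[len(root):].count(os.sep) >= max_depth:
            dirnames[:] = []  # prune: do not descend below the depth limit
        for name in filenames:
            if os.path.splitext(name)[1].lower() in extensions:
                yield os.path.join(dirpath, name)

def scan(root, rules, extensions, max_depth=3):
    """Code Scanning: (path, line_no, rule_name, line) for every line matching a rule."""
    hits = []
    for path in iter_files(root, extensions, max_depth):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                hits += [(path, line_no, name, line.rstrip())
                         for name, pattern in rules.items() if pattern.search(line)]
    return sorted(hits, key=lambda h: (h[0], h[1]))  # stable: rule order kept per line

def walk_symbol(root, symbol, extensions, max_depth=3):
    """Code Walker: every line referencing a variable/function name, to trace its path."""
    return scan(root, {symbol: re.compile(r"\b%s\b" % re.escape(symbol))}, extensions, max_depth)

def demo():
    """Scan a constructed ASP tree written to a temp dir (sample data, not a real code base)."""
    base = tempfile.mkdtemp()
    samples = {
        "login.asp": 'user = Request.Form("user")\nsql = "SELECT * FROM users WHERE name=\'" & user & "\'"\n',
        "inc/util.asp": 'Response.Write Request.QueryString("msg")\n',
        "a/b/c/deep.asp": 'x = Request.Form("x")\n',       # depth 3: still scanned
        "a/b/c/d/toodeep.asp": 'y = Request.Form("y")\n',  # depth 4: beyond the limit
        "notes.txt": 'Request.Form("ignored")\n',         # extension not in the scan list
    }
    for rel, text in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    hits = [(os.path.relpath(p, base).replace(os.sep, "/"), n, r) for p, n, r, _ in scan(base, RULES, {".asp"})]
    return hits, len(walk_symbol(base, "user", {".asp"}))
```

Running `demo()` shows the depth limit and extension filter in action, and the walk of `user` from its `Request.Form` source into the concatenated SQL string is the path a reviewer follows to confirm or discard the finding.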


This tool runs on the .NET framework and is still in an initial beta state. We are working on it and more features will be added.

Download and Play

[Dubai-ISACA] I-SAFE Information Governance in this e-World

Speaking on - EMERGING TECHNOLOGIES: Web 2.0 on the rise and related technologies, strategies and security

This presentation covers all aspects of emerging technologies in detail with real-life cases and demonstrations. Following this, the session explores the security issues growing around these vectors and the threats associated with them. Professionals will be able to collect enough know-how on emerging web technologies to apply this learning at their workplace.

Read More

Tools are posted

Hi, I have posted the following tools on the site

1. wsScanner - Web Services Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool
2. scanweb2.0 - Web 2.0 Fingerprinting, Scanning and Discovery tools (Ruby scripts)
3. AppMap - Application footprinting and mapping tool using MSN APIs

It should help in assessment and audit.

Download from Blueinfy


HITB 2007 - Follow up...

HITB 2007 was great this time around as well. Both the class and the talk went really well. The speakers were good and I was able to learn new stuff. All material is posted here.

I presented on Web 2.0 hacking, keeping the focus on Ajax and Web Services. I added some new demos for better understanding. The presentation movie is not yet posted. Following is my presentation.



You can download slides from here
If you have any question feel free to drop me a note at shreeraj.shah@gmail.com

Enjoy...

HITB 2007 - Class and Talk

Training - Advanced Web Application & Services Hacking [Here]
Speaking - Hacking Ajax and Web Services – Next Generation Web Attacks on the Rise [Here]

Web 2.0 technologies for the Web application layer are still evolving. This framework consists of Web services, AJAX and SOAP/XML and, while still evolving, has thrown up new attack vectors. To combat these attacks one needs to understand the new methodology, tools and strategies. This presentation reveals emerging security threats, some of which will be demonstrated.

The logical evolution of Web applications has reached a new level with the introduction of Web 2.0. Web 2.0 is the combination of new technologies like Web services, AJAX and SOAP. It is important to understand this framework and its fundamentals before looking at security threats. Ajax is becoming an integral part of these new applications, and its serialization aspect opens up new ways of hacking the browser-side application, which can lead to XSS and XSRF.

XML-based attack vectors, LDAP/SQL injection, SOAP messaging attacks, and AJAX and Web profiling shall be covered along with demonstration examples. Web services are the backbone of Web 2.0 and it is important to understand their security threats.