Coverage of web application scanners

October 16th, 2007

My buddy rsnake over at Ha.ckers.org posted a report from Larry Suto about tests he performed on web application scanners, comparing how well each one covers a web application's code base.

The report is interesting on many fronts, one of which is the fact that the tool I help build at NT OBJECTives came out on top, but also because it's the first review of its type that looks at a statistic which compares scanners in a quantifiable way.

Some comments on the site, from users of the other products or from the vendors themselves, have made the claim that web scanners are not designed to be "point and shoot", as they say, and that a human should be training the scanner on each web app. I think they are doing users a disservice by working from that assumption.

A scanner should do as much as it can on its own, and let humans do their own pen testing and/or use it to point pen testers at areas of interest. If you're an organization with hundreds or thousands of web apps that need testing, do you really have the manpower to teach your "automated web scanner" how to test each of those apps?

Do you really have time to spend clicking on every link and filling out every form on a website with some 3000+ pages, or do you want the scanner that does the best job of doing all of this for you?

The Ha.ckers.org Hacking Challenges

August 23rd, 2007

As many of you have seen, I have a "Hackme" site set up to go along with my podcast, and specifically for the Hands On Series podcasts. Well, the current king of web app security blogging has set up a couple of hacker challenges on his site. The ones on my site are really focused on teaching; the ones on ha.ckers.org are set up for fun, challenge and bragging rights.

I have had the misfortune of being completely swamped with work during the start of the last two, but when the third is up, I'm clearing my calendar, turning off cell phones and ignoring any unnecessary chats so I can beat it as quickly as possible and get listed in the top ten. Knowing rsnake, I may decide to put together a small MightySeek team to work together to increase our chances, but I will see how it plays out.

Go have fun, and test your skills.

By the way, #2 had a logic flaw, which really opens up the next one to additional scrutiny to see what there is to find.

Evaluating Web Application Security Scanners

August 23rd, 2007

There's been a lot of discussion lately about an issue that's near and dear to my heart. The capabilities of web application security scanners are something I have been living and breathing for about 5 years with NT OBJECTives. At NTO I lead the development and research teams involved in building our own scanner, NTOSpider, and have been trying to increase what is possible to test for in an automated tool.

This is a really difficult and challenging issue, with a bunch of sub-issues that are fuzzy at best. I have high hopes for the WASSEC Project that's being hosted by the Web Application Security Consortium, because it's going to bring a bunch of us from the app sec tool vendor space and the web app sec community together to discuss the issue and attempt to come up with a good reference document on how to evaluate scanners.

I'm curious whether we will be able to come up with any consensus, but with some luck, hard work and compromise I think this could be a turning point in helping public understanding of this issue.

Planet Websecurity

June 29th, 2007

For those trying to follow the latest news of our web app sec community, someone has finally set up a feed planet called Planet Websecurity that I'm really impressed with. No, at this time MightySeek is not yet part of the RSS mashup, but I do hope to be at some point.

For those not familiar with Planet sites, they are basically RSS readers which download other RSS feeds and merge them into a single feed. This means you can subscribe to one and get all the postings from all the feeds in the Planet.

Visit Planet Websecurity to see this in action.

Why is it so hard to code secure web apps?

June 29th, 2007

After my run-in with vBulletin I began a search for a secure and stable open source forum solution. My first thought was to find out what was running on sla.kers.org, so I put in a call to rsnake and was told to keep looking, because his solution sucked as well and he was still on the hunt for a replacement. I've been looking at a bunch of the apps out there and so far I haven't been all that impressed with the security design of the forum apps I've looked at.

This makes me wonder if web app sec is ever going to succeed, or if the web is just doomed to have problems for all time. Forum software is a very good example of the problem with many web apps, and with web app development in general. To start, it's a very simple application, which if done right can be done securely. Of course the major challenge is that you're taking user input and displaying it to other users. This means you're most likely storing the data in a database, which means you must secure against SQL injection attacks. OK, that's not too hard (parameterized queries do it), so that can be done. Next you need to make sure you're filtering the inputs on the way in to remove any HTML tagging, and escaping on the way out, in the right form for the context the data lands in (HTML body, attribute, or script), to be safe. The XSS part is a bit harder because there are clever people out there using a ton of different ways to bypass any filtering/escaping you do. However, this can be accomplished with some focused attention, and you will then have a simple, secure and stable forum application.

So what's wrong with this? Feature creep.
Now that you have a basic forum in place, people will want to be able to format their text, which means you need to allow some HTML tags, or have custom tags like BBCode which you then convert to real HTML tags. At this point things are starting to get a little tougher, but with diligence it's still all workable. Next users want to upload attachments, have avatars, have all sorts of moderation features, and so on and so on. Then, to make matters even worse, new developers join the project, and they are not always as aware of or concerned about security issues, and soon the application is as buggy and vulnerable as the forum software you were trying to replace.

Is this solvable? Yes, but only with diligence, hard work and auditing. Did I mention hard work?
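To make the three steps above concrete (parameterized SQL, escape on output, then a whitelisted BBCode subset converted into fixed HTML tags), here is an added example that is not code from this blog or from any forum package. The table layout, the BBCode subset (only [b], [i] and [url=...]) and the sample posts are constructed for illustration; the vulnerable lookup is included beside the safe one so the difference can be seen against the same data.

```python
import html
import re
import sqlite3

# Constructed example: a minimal forum post store. Table layout and BBCode
# subset are assumptions for illustration, not any real forum's code.

# Whitelisted BBCode -> fixed HTML. Anything else stays literal text.
_BBCODE = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.S), r"<b>\1</b>"),
    (re.compile(r"\[i\](.*?)\[/i\]", re.S), r"<i>\1</i>"),
]
_URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)
_SAFE_URL = re.compile(r"^https?://[^\s\"'<>]+$")


def init_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_post(conn, author, body):
    # Parameterized query: the body never becomes part of the SQL text, so
    # "'); DROP TABLE posts;--" is simply stored as a string.
    cur = conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    conn.commit()
    return cur.lastrowid


def find_by_author_unsafe(conn, author):
    # Vulnerable: string concatenation. author = "x' OR '1'='1" returns every post.
    return conn.execute("SELECT id FROM posts WHERE author = '%s'" % author).fetchall()


def find_by_author(conn, author):
    # Hardened: same query, bound parameter; the quote is just data.
    return conn.execute("SELECT id FROM posts WHERE author = ?", (author,)).fetchall()


def _safe_url(url):
    # Only absolute http(s) URLs; rejects javascript:, data:, and quote breakouts.
    return url if _SAFE_URL.match(url) else None


def bbcode_to_html(text):
    # Escape first, so the raw text can never contribute a tag or attribute;
    # then turn the whitelisted BBCode back into a fixed set of HTML tags.
    out = html.escape(text, quote=True)
    for pattern, repl in _BBCODE:
        out = pattern.sub(repl, out)

    def url_repl(m):
        href = _safe_url(html.unescape(m.group(1)))
        if href is None:
            return m.group(2)  # drop the link, keep the visible label
        return '<a href="%s">%s</a>' % (html.escape(href, quote=True), m.group(2))

    return _URL_TAG.sub(url_repl, out)


def render_post(conn, post_id):
    # Output escaping happens here, at render time, for the HTML body context.
    row = conn.execute("SELECT author, body FROM posts WHERE id = ?", (post_id,)).fetchone()
    if row is None:
        return None
    author, body = row
    return "<p><b>%s</b>: %s</p>" % (html.escape(author, quote=True), bbcode_to_html(body))


if __name__ == "__main__":
    db = init_db()
    pid = store_post(db, "mallory", "[b]hi[/b] <script>alert(1)</script> [url=javascript:alert(1)]click[/url]")
    print(render_post(db, pid))
    print("unsafe lookup rows:", find_by_author_unsafe(db, "x' OR '1'='1"))
    print("safe lookup rows:", find_by_author(db, "x' OR '1'='1"))
```

The ordering in bbcode_to_html is the point: escaping before the BBCode pass means the only tags that can ever appear in the output are the ones the converter itself emits, and the URL check runs on the unescaped value so an encoded `javascript:` cannot slip past it. Every new formatting feature (images, quotes, colours) is another entry in the whitelist and another attribute to validate, which is exactly where the feature creep described above starts to bite.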

A Month of PHP Security Bugs

March 1st, 2007

The folks at the Hardened PHP Project (makers of Suhosin) have started their Month of PHP Bugs initiative. This initiative is an effort to improve the security of PHP by bringing awareness to various security problems in PHP itself. It does not directly target any PHP application, but instead the language itself. As far as I understand, the plan is to disclose issues that can be resolved simply by using Suhosin or the Hardened PHP Project patches. Hopefully the PHP core team will finally wake up and start implementing some of the recommendations being suggested.

note: this post is likely to become a podcast if I can finish recording the show.

Universal PDF XSS

January 7th, 2007

Cross-site scripting attacks are getting even more dangerous these days, and are exploitable in many new and creative ways. I will be discussing this issue in my next podcast; until then, read up on it here or at ha.ckers.org.

Jeremiah Grossmans XSS BlackHat Presentation

September 8th, 2006

If you didn't get to BlackHat this year, you may still have heard about the really cool presentation on cross-site scripting. Jeremiah uses XSS to hack intranets by writing a port scanner in JavaScript. If you're into web app sec, you need to see this. It also really drives home the need to start learning about this issue and the very large problems XSS can cause. So get over to my XSS Hands On Series and start following along!

Podcast Video [53:38m]

MightySeek on (IN)SECURE Magazine

July 8th, 2006

The MightySeek podcast got a cool mention in the latest issue of (IN)SECURE Magazine.
