Web Application Security

You are currently browsing the archive for the Web Application Security category.

Following the Trail of Web-based Malware

December 14, 2011 in Hacking, Web, Web Application Security

Recently a client of mine alerted me to an email that was received by one of their HR staff members.  The body of the email is shown below:

Despite having received security awareness training, the staff member clicked on the link thinking this was a document that needed to be reviewed.  In actuality, it was a link to a malicious site. Fortunately, there were technical controls in place that prevented the user’s machine from being compromised, but I thought it would be illuminating to follow the trail of this attack.

Step 1

The email bypassed the client’s anti-spam and anti-malware defenses most likely because the link in the email was actually to a legitimate website rather than a known malicious site, the email came from a well known email provider, and there was little else in the message.  Below is the actual html contained in the email.  Notice the part in bold as this is the hyperlink used in the email.

After our legal department studied this contract carefully, they’ve notic= ed the following mismatches with our previous arrangements. We’ve compose= d a preliminary variant of the new contract, please study it and make sur= e that all the issues are matching your interests
 neymix.cuna.org/blog/wordpress/wsdno.htm?M0DJ854=3D318L77Y4SFO&3L6=3DG2DG= Z8C9F2O9DV2LFX&99G2R=3DI996N6O9B3WJQ8DVL&FV882F6=3D5CFM197E9&”>Contract.d= oc 72kb


 With Best Wishes
Elvina Riggs


Secure Checksum: 9d08e1116b5<= br>

Step 2

Once the user clicked on the link, they were taken to the site hxxp://moneymix.cuna.org.  This is a legitimate site operated by the Credit Union National Association, a credit union trade association.  Moneymix is a service offered by the association to other credit unions to provide social media content to the websites of credit unions that sign up for the service.  Hackers had injected a malicious iframe on this website that would then redirect the user to hxxp://ciredret.ru/main.php.

Step 3

The main.php script contained javascript that attempted to exploit several potential vulnerabilities on the user’s machine.  I was able to download the script and analyze it.  By inserting an “alert” statement into the script just prior to the actual execution of the code, we can get a good idea of what the script does. Below is a sample of the output:

 

This exploit checks the installed versions of a number of applications including browsers, java, flash and Adobe reader.  If it finds a vulnerable version, it attempts to exploit the vulnerability and compromise the machine.  This code appears to be very widely used as I found numerous copies of it on sites such as Pastebin.  A more readable version of the above code can be found .  Given that this script is being used on so many sites, it seems likely that it is part of one of the many commercial exploit packs that are available on the web.

Conclusion

Based on this research we can draw some conclusions about appropriate countermeasures to address this type of threat.  First, user awareness is key. Users must be educated about these types of threats so that they can identify and avoid them. Second, defense in depth is a must.  In this case the client had anti-spam and anti-malware technology on their mail gateway, but this threat still made it through. Additional countermeasures such as a web security gateway or proxy server are also recommended.  The last line of defense would be on the endpoint itself. Third, it is important to understand that even legitimate websites can be victimized and used to spread malware. Don’t assume that because a site is well known or in a particular industry that it is safe. Lastly, keep your systems patched, including third party applications. Ninety-five percent of known exploits are useless against a fully patched system.

Note: I contacted the administrators of the Credit Union National Association website to advise them of the fact that their site was compromised. To their credit they removed the offending file very quickly.

Mitigating the Apache Range Header DoS Vulnerability

August 26, 2011 in Web, Web Application Security, Web Server Security | 1 comment

A new Apache DoS vulnerability was reported recently by security researcher Kingcope on the mailing list that affects most default installations of Apache 1.3/2.x.  This report also included a working exploit called that has been shown to reliably exhaust the memory of the web server and cause it to crash.  RedHat has released an  related to this vulnerability.  Currently there is no patch available for this issue.

This exploit generates a very large range header value such as shown below:

Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5- 16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5- 33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5- 50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5- 67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5- 84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97,5-98,5-99,5-100,5- 101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,5-111,5-112,5-113,5-114,5- 115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,5-125,5-126,5-127,5-128,5- 129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,5-139,5-140,5-141,5-142,5- 143,

–CUT–

1268,5-1269,5-1270,5-1271,5-1272,5-1273,5-1274,5-1275,5-1276,5-1277,5-1278,5-1279,5- 1280,5-1281,5-1282,5-1283,5-1284,5-1285,5-1286,5-1287,5-1288,5-1289,5-1290,5-1291,5- 1292,5-1293,5-1294,5-1295,5-1296,5-1297,5-1298,5-1299

Accept-Encoding: gzip

This in turn causes Apache to make separate copies of the requested resource on the server which consumes memory resources, eventually causing the server to start swapping and ultimately to crash.  There is a web site that discusses the issue in great depth.

Fortunately, there are some Apache configuration settings that can be adjusted to mitigate this vulnerability:

  • Use mod_headers to completely disallow the use of Range headers.  For example, in your httpd.conf file add the lines:

RequestHeader unset Range 

RequestHeader unset Request-Range

Note that this may impact certain clients, particularly if a web server is used for serving content to e-Readers or providing streaming video. However, this should be safe for most websites that are not serving this type of content.

  • Limit the size of the request field to a only few hundred bytes.  For example, in your httpd.conf file add the line:

LimitRequestFieldSize 200

While this will keep the offending Range header short, it may break other headers such as a large cookie or security fields header settings.  Also, as the attack evolves you may have to further limit this or impose other LimitRequestFields settings.

  • Configure Apache to detect a large number of ranges in the request header and then either ignore the header or reject the request. For example, add the following lines to your httpd.conf file:

SetEnvIf Range (,.*?){5,} bad-range=1 RequestHeader unset Range env=bad-range

The value 5 is arbitrary and may need to be made larger depending on the type of content your site serves. For example, the value may need to be increased to 10 for sites that serve PDFs to eReaders for example, or that serve other types of large files such as video.

  • Finally, if you are using mod_security you can use the below rule to detect and block the attack.  Thanks to for this bit of code.

SecRule REQUEST_HEADERS:Range “^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,” \ “phase:2,capture,rev:’2.2.1′,t:none,block,msg:’Range: Too many fields’,logdata:’%{matched_var}’severity:’5′,id:’958231′,tag:’RULE_MATURITY/5′,tag:’RULE_ACCURACY/7′,tag:’https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}’,tag:’PROTOCOL_VIOLATION/INVALID_HREQ’,tag:’http://www.bad-behavior.ioerror.us/documentation/how-it-works/’,setvar:’tx.msg=%{rule.msg}’,setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}”

I believe that most sites could easily implement the first option (denying Range headers altogether) without any negative impact to site viewers.   I have tried all of these mitigation strategies on my web server and have not seen any adverse results.  Of course, you should always test these changes in a non-production environment prior to implementing on your production servers.

Webapp Scanner Review: Acunetix Versus Netsparker

April 11, 2011 in Research, Security Testing, Web Application Security | 1 comment

In the past, small businesses and independent consultants had to rely on freely available tools to aid in their security assessments of web applications due to the cost of commercial scanners.  Tools such as AppScan (IBM) and WebInspect (HP) can run into the tens of thousands of dollars which is outside the budget of most independent consultants and SMBs.  Freely available tools such as WebScarab and Burp have long been critical tools in the arsenal of the small consulting companies, and will remain so I am sure.  However, as useful as these tools are, they lack many of the time saving features available in most commercial tools and frequently one must use a dozen or more open source tools to even come close to the features available in one commercial tool.

Fortunately, in recent years, two companies have developed commercial webapp scanners that rival the features, the speed, the usability and the accuracy of any commercial tool on the market.  And they do it at a price point that just about any small business or independent consultant can afford.  and are commercial webapp scanners that won’t break the bank.  Both of these tools cost approximately $3000 for a one year subscription with unlimited scanning capabilities.  The focus of this article is to provide a comparison of these two tools in terms of accuracy, features, speed, and usability.

For this comparison I selected two well known vulnerable web applications: the Damn Vulnerable Web Application () and the IBM AppScan demo site called .  Both of these web applications were purposely developed with vulnerabilities in order to facilitate web application testing and research.  The DVWA application was installed on a VM on my network and is running CentOS 5.5, MySQL 5.0.77, PHP 5.1.6 and Apache 2.2.3.  Due to the way that DVWA works, it is important to note that the security setting was purposely set to the “low” setting.  Additionally, I dropped and recreated the database after each scan to ensure that previous scans did not interfere with subsequent ones.  The Testfire demo site is maintained by IBM and is running Microsoft ASP.NET.  These two applications provide me with two different applications to scan, each using different platforms, and each containing different types of vulnerabilities.  The versions of the scanners used in this test were Acunetix 7.0 (build 20110308) and Netsparker 1.8.3.3.  Lastly, when scanning with Netsparker I used the “Full Scan” scanning profile and when scanning with Acunetix I used the “Default” scanning profile (which includes all checks Acunetix supports).

DVWA Scan Results

DVWA was developed with specific vulnerabilities (such as SQL injection, XSS and others) in specific pages of the application.  The DVWA application has 9 specific vulnerabilities that were tested for.  The goal of the test was to see how many of these specific vulnerabilities each tool would be able to identify, how many other vulnerabilities they could detect, and how many false positives each tool reported.  The tables below show the results of the scans against the DVWA application.  Acunetix correctly identified 7 of the 9 known  vulnerabilities while Netsparker discovered only 4 of 9.   Both scanners accurately detected the command injection, file inclusion, SQL injection and file upload vulnerabilities.  Both scanners failed to detect the CSRF and blind SQL injection vulnerabilities.  The three vulnerabilities that Netsparker failed to detect that Acunetix did detect were the brute force attacks and the XSS bugs (reflected and stored).  Netsparker does not currently check for brute force attack vulnerabilities which explains its failure to detect this vulnerability.  This feature is expected to be available in a future release according to MavitunaSecurity.

Both Netsparker and Acunetix identified a number of other vulnerabilities in the DVWA application that while valid, were not specifically part of the test.  The table below provides a list of these vulnerabilities.  In some cases the tools found the same vulnerabilities in the same pages, but in many cases they differed quite a bit. Some of those worth noting are:

  • Acunetix identified XSS vulnerabilities in cookie parameters of nearly every page.  Netsparker does not currently have a check to identify this type of vulnerability, but will in a future release.
  • Acunetix identified that passwords are submitted via the GET method rather than POST.
  • Netsparker was able to identify file inclusion vulnerabilities in a number of pages that were missed completely by Acunetix.
  • Acunetix identified that session cookies do not have the Secure flag set, even though SSL is not enabled.  While this is not exactly a false positive, it certainly does not make sense to have the Secure flag enabled when SSL is not in use.
  • None of the vulnerabilities detected by either tool could accurately be classified as a false positive.

Testfire Scan Results

The tables below show the results of the scans against the Testfire application.  Acunetix correctly identified 9 of the 16 known vulnerabilities while Netsparker discovered 8 of 16.  Both scanners correctly identified SQL injection bugs in login.aspx and transaction.aspx.  They also both correctly identified XSS bugs in customize.aspx, comment.aspx, and search.aspx.  Both scanners failed to detect SQL injection in account.aspx, ws.asmx and / as well as XSS in disclaimer.htm.  Acunetix was able to detect an Xpath injection vulnerability, a check that is not currently included in Netsparker.  Netsparker, on the other hand, detected an LFI in default.aspx that Acunetix missed.

Both Netsparker and Acunetix identified a number of other vulnerabilities in the Testfire application that while valid, were not specifically part of the test.  The table below provides a list of these vulnerabilities.  In some cases the tools found the same vulnerabilities in the same pages, but in many cases they differed significantly.  Some of those worth noting are:

  • Acunetix detected that the application is vulnerable to password guessing attacks.
  • Netsparker found a bug that allows for HTTP header injections.
  • Both scanners detected that ASP.NET debugging was enabled and that the ViewState was not encrypted.
  • Netsparker went further and detected that MAC validation was not used in the ViewState data.
  • Again, Acunetix identified that session cookies did not have the Secure flag set, even though SSL is not enabled.
  • None of the vulnerabilities detected by either tool could accurately be classified as a false positive.

The Skinny on the Scanners

Both Acunetix and Netsparker performed similarly at detecting vulnerabilities in the Testfire application.  Acunetix did slightly better against the DVWA application.  Neither of them discovered all the vulnerabilities in the applications, but they performed in a manner that is consistent with other commercially available tools.  In fact, it is arguable that these two tools, which are two of the least expensive on the market, out-perform some of the better known, higher cost solutions.  Several studies have examined some of these more expensive webapp scanners and the results are rather surprising (see the links at the end of this article).

As far as Acunetix and Netsparker are concerned, they each have particular strengths and weaknesses that make them more or less appealing depending on how one intends to use the tool.  Let’s start with Netsparker.  The most compelling feature of Netsparker is its ability to confirm vulnerabilities, thereby saving the tester time having to confirm them manually.  The creators claim that Netsparker is false positive free which may be a bit of an over-statement.  However, Netsparker does have an internal exploitation engine that will attempt to verify a vulnerability by safely exploiting it.  If it is able to do so, then Netsparker will list the vulnerability as “confirmed” in the report.  The screen capture below shows an example of this.

This is a very powerful feature indeed and one that can save the tester time when performing an analysis of a web application.  Netsparker also has a very intuitive and simple interface.  This can be both a positive and a negative.  For the tester who wants to quickly run a scan and get reliable results without having to spend a lot time learning how to use the tool, Netsparker is a great choice.  However, I found that it did not provide the same amount of flexibility and configurability as Acunetix.

The strength of Acunetix lies in its ability to quickly detect a wide variety of vulnerabilities with little need for advanced tuning and configuration.  However, for those who desire more control over the tests and like to “get their hands dirty”, Acunetix provides the flexibility and built-in tools that even the most advanced pen testers will appreciate.  For example, Acunetix has a built-in SQL injection exploitation tool that allows the tester to actively engage with a backend database through a vulnerable application.  The screen capture below shows an example of this tool.

As can be seen, using the SQL injection tool I was able to list the databases via a SQL injection vulnerability and even manipulate them if so desired.  Acunetix also includes an HTTP sniffer, an HTTP fuzzer, an authentication tester, a port scanner, Google hacking database queries and much, much more.  Acunetix also allows you to create customized scanning templates.

If you are performing white box testing or have access to the application server being tested, Acunetix Acusensor is a particularly powerful tool for detecting bugs in PHP and ASP.NET.  Acusensor works by combining black box scanning techniques with feedback from sensors placed inside the source code while the code is executed on the application server.  This allows Acunetix to detect more vulnerabilities with fewer false-positives, provide source code line number and stack trace information related to the vulnerability, and improves its ability to detect SQL injection bugs without having to rely on web server error messages.  When a scan was run against the DVWA application with Acusensor enabled, the results were quite different than when run without it.  Acunetix with Acusensor detected a total of 156 vulnerabilities as opposed to 73 without it.  Moreover, Acunetix also detected the specific blind SQL injection bug in /vulnerabilities/sqli_blind which it missed without Acusensor enabled.  Thus, with Acusensor enabled, Acunetix detected 8 of the 9 specifically crafted vulnerabilities in DVWA.   Below are screen captures demonstrating the effectiveness of scans with and without Acusensor enabled.

DVWA Scan Results Without Acusensor Enabled

DVWA Scan Results With Acusensor Enabled

Summary

The world of web application security testing is constantly evolving and thankfully we now have tools that are affordable and provide a very strong set of features to aid the security tester in her work.  In this article I have performed a thorough comparison of two such web application scanners (Netsparker and Acunetix) in order to determine their relative strengths and weaknesses.

Netsparker is a very good tool for point and shoot type testing.  It does not require a great deal of knowledge to use the tool, it has a very good user interface, and it does a decent job detecting the most important vulnerabilities.  It has good reporting features that are easy to read and intuitively designed.  Moreover, its ability to confirm detected vulnerabilities is a very nice feature that is unique to this scanner. This feature can be a real time saver as the tester does not need to validate those vulnerabilities that have been confirmed by Netsparker.  The downside of Netsparker is that it does not provide a high level of control and flexibility that more experienced testers are likely to require.  It also does not include many additional tools that are useful for performing more manual testing.  Finally, Netsparker does not appear to have the same number and breadth of checks that Acunetix has.

Acunetix is a very robust scanner with lots of features that will allow advanced users the flexibility and control that they will desire.  While it’s user interface is not bad, it is not as streamlined as Netsparker’s and the learning curve is a little steeper.  However, the payoff is a very powerful tool with excellent reporting capabilities.  The Acusensor technology is especially useful and greatly improves the tool’s ability to find vulnerabilities in PHP and ASP.NET applications.  This is a must in any situation in which the tester has the ability to install Acusensor on the targeted application servers.  It combines the best of white-box and black-box testing to provide a very detailed report on the application’s security.  Both Netsparker and Acunetix did a very good job of not reporting false positives.  None of the reported vulnerabilities in my tests were discovered to be false positives.

Notes

  • I would like to thank MavitunaSecurity for providing me with a Netsparker evaluation license in order to perform this review.  They were very responsive to all my questions and provided helpful information during my tests.
  • Both and provide free (limited) versions of their tools that can be downloaded from their web sites.
  • No single tool is capable of finding every vulnerability that may exist in a web application.  It is useful to employ multiple automated scanners if possible as this approach will be more likely to uncover potential vulnerabilities.  It is also critical to supplement automated testing with manual tests in order to find issues in business logic and authentication which are often difficult to test with automated scanning.  Automated scanners are just one tool in the security tester’s arsenal and should not be relied on as the sole source of information when testing web applications.
  • Below are links to previous comparisons of webapp scanners by other researchers:

Copyright © 2011 InfoSecStuff.com — All Rights Reserved