After the summer holidays I am back at my desk, ready to continue my security software testing.
I have already had a look at a lot of tools, and what I can say already now is that these tools cannot simply be compared using a comparison grid or chart.
So my approach is to look at the strengths of each product and to figure out what benefit it would provide in a security or penetration tester's everyday job.
So stay tuned to see some results & screenshots soon.
Monday, 23 August 2010
Thursday, 15 July 2010
New Characters in French Language
Testing Penetration Testing & Vulnerability Software
I'm currently testing various security software products, including the following:
- Tenable Nessus
- Syhunt Sandcat
- NeXpose from rapid7
- Metasploit Express
- QualysGuard
- Retina from eEye
- Burp Suite Professional
- Saint
- GFI LANguard
- Acunetix Scanner
I would also like to test Core Impact, but I have not received an evaluation license so far. According to Ron Mooney I only have the following option: a paid license for $1500 for the 8-IP Workspace Restricted option. I am trying to contact Vice President of Sales Stephen Pace to find out if that is really the only option. If that is true, this would be the only product that cannot be tested before buying it.
I know these products cannot really be compared, but from a penetration tester's perspective the questions are:
- which of these products gives me the greatest benefit?
- which product shows me vulnerabilities that I would not find using free tools or manually?
- how useful are they compared to their cost?
Stay tuned for updates!
Tuesday, 6 July 2010
ACM update
Unfortunately ACM did not give me the free subscription they promised; I have not heard anything from them since the last incident.
Not heard anything?
Not completely true...
I still get those emails asking me to renew my ACM.org membership.
It seems they have modified their renewal process, but when I look at it I think chances are high that there is still some sort of hacking possible (e.g. overwriting other people's data).
But I leave that to someone else now...
Monday, 14 June 2010
Data Leak on German Internet Shop
An internet shop selling games in Germany maintained several versions of their shop running under different domain names.
Obviously these versions were not all updated regularly, so I found a version of the shop that had a severe data leak.
It was possible to extract more than 10,000 customer addresses with their respective orders dating back to 2004.
The owner of the website was informed of the data leak by the German magazine c't (which was tipped off by The Hacker).
The leak was then closed within a short time.
Monday, 22 February 2010
The 2010 ACM Hack Conclusion
ACM's Manager of Member Services, Cindy Ryan, finally reacted today at 21:29 CET and asked: "Maybe you can elaborate on the security issue you found?"
Which I did, so I hope they are going to fix this now.
I'll check again in a few hours, and once it's fixed I'll post some screenshots.
Update Tue Feb 23rd: acm.org has finally fixed the leak and offered me a free subscription. Thanks!
As the holes are fixed now, I'm going to give a short description of the problem.
Summary: never let a customer or record number supplied by the client select which data is displayed or updated from the database; the record has to be tied to the authenticated session. Incremental numbers make this worse, because once one number is known every other customer's record is only an increment away.
ACM sent out emails offering an extension of a subscription; the mail looked like this:

As you can see, the parameter in the URL identifying the customer is encrypted or encoded in some way.
But what happened when you clicked on the link is that the customer number got decrypted and appeared in cleartext on the subsequent pages:
https://campus.acm.org/public/qjstutrans/qjstutrans_control.cfm?form_type=Professional&clientno=9285516&promo=E25VLAT
By simply modifying the "clientno" parameter, the data of other customers could be displayed.


As the form also served for updating the customer's address information, it was also possible to change all the data in the database without any further authentication.
ACM does not stand alone here: more than 50% of the data leaks I find when testing customers' sites are due to the fact that they use sequential identifiers without tying them to a session or using a similar method to ensure a customer can only see and modify his or her own data.
I'll post another case of an eShop in Germany that has a similar problem here within the next few days.
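The pattern described above, reduced to code as an added example (this is not code from the original post or from the acm.org site): a form handler that trusts the `clientno` in the request, the neighbour walk an attacker does with a sequential number, and a hardened flow in which the mailing link carries an HMAC-signed token, the landing page validates it once into the server-side session, and every later update works on the session's own record. The customer table, the secret key and the function names are constructed for the demonstration and are assumptions; the number 9285516 and promo code E25VLAT are the ones from the URL above.

```python
import hashlib
import hmac

# Constructed sample "database". The numbers are sequential, so once one
# is known every neighbour is another customer's record.
CUSTOMERS = {
    9285515: {"name": "A. Example", "street": "1 First St"},
    9285516: {"name": "B. Example", "street": "2 Second St"},
    9285517: {"name": "C. Example", "street": "3 Third St"},
}

# Assumed server-side secret (hypothetical; in production keep it out of
# the code and rotate it).
SECRET_KEY = b"constructed-demo-key"


class Forbidden(Exception):
    """Raised when a request tries to touch a record it does not own."""


def vulnerable_update_address(clientno: int, new_street: str) -> dict:
    """The pattern described above: whichever number arrives in the
    request selects the record, with no check on who is asking."""
    rec = CUSTOMERS[clientno]
    rec["street"] = new_street
    return rec


def enumerate_neighbours(known: int, radius: int = 1) -> list:
    """What an attacker does with a sequential ID: walk the neighbours."""
    found = []
    for n in range(known - radius, known + radius + 1):
        if n in CUSTOMERS:
            found.append((n, CUSTOMERS[n]["name"]))
    return found


def make_renewal_token(clientno: int, promo: str) -> str:
    """Link parameter for the mailing: clientno and promo plus an HMAC
    over both. The number stays visible but cannot be swapped for
    another one without the key."""
    msg = f"{clientno}:{promo}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{clientno}:{promo}:{mac}"


def verify_renewal_token(token: str):
    """Return (clientno, promo) if the token is intact, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    clientno_s, promo, mac = parts
    expected = hmac.new(SECRET_KEY, f"{clientno_s}:{promo}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # clientno or promo was modified
    return int(clientno_s), promo


def open_renewal_page(token: str) -> dict:
    """Landing page for the e-mail link: validate the token once and put
    the customer number into the server-side session. Later pages read
    it from there and never echo it back as an editable parameter."""
    verified = verify_renewal_token(token)
    if verified is None:
        raise Forbidden("invalid or tampered renewal link")
    clientno, promo = verified
    return {"clientno": clientno, "promo": promo}


def secure_update_address(session: dict, requested_clientno: int,
                          new_street: str) -> dict:
    """Hardened form handler: the record is the session's own, and a
    client-supplied number is only accepted if it matches it."""
    owner = session.get("clientno")
    if owner is None or owner != requested_clientno:
        raise Forbidden("record does not belong to this session")
    rec = CUSTOMERS[owner]
    rec["street"] = new_street
    return rec


if __name__ == "__main__":
    # Attacker walking from the number in the mail to the neighbours.
    print(enumerate_neighbours(9285516))
    print(vulnerable_update_address(9285515, "attacker-chosen"))
    # Hardened flow: token -> session -> update of the session's own record.
    token = make_renewal_token(9285516, "E25VLAT")
    session = open_renewal_page(token)
    print(secure_update_address(session, 9285516, "2 Second St, Apt 3"))
    try:
        secure_update_address(session, 9285515, "nope")
    except Forbidden as exc:
        print("blocked:", exc)
    print(verify_renewal_token(token.replace("9285516", "9285515", 1)))
```

The point of the signed token is not secrecy of the customer number (it is still readable in the link) but that the number can no longer be substituted: a changed `clientno` fails the HMAC check, and after the landing page the number lives only in the session, so there is nothing left in the URL or form to edit.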
The 2010 ACM Hack Part 4
I have sent the following mail to acm.org CEO John White:
===
Hello Mr. White,
It's 4 days now since I contacted you and told you that there is a severe data leak on the acm.org website: address data from your member database can be extracted and manipulated/overwritten.
After a reminder 24 hours later, which I sent because nothing! was happening, I got an email from Cindy Ryan:
"Thank you for pointing out the security issues you located on acm.org. We are in the process of updating these security issues."
That was 3 days ago, but the leak has not been fixed up to now! Also there was no other attempt to contact me from your side besides this one email.
I attach a sample of 2500 addresses extracted from your db, so that maybe this time you see that you should do something about this...
Or can you afford to just do nothing?
If this leak is not closed within 24 hours I might publish the exploit to the web & media and contact the users in your database, because I think you have had enough time to fix it; it's just not fair not to protect your users' data, including mine!
As you state on your website "ACM strengthens the profession's collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence."
===
Plus CC to 10 other ACM managers and staff.
I hope this finally brings some action!