Monday, December 31, 2007

[Tool] AppPrint - Web and Application Server Fingerprinting/Mapping tool (Beta)

Posted a new tool on the site.
-- Description --
AppPrint scans an IP range, a single IP or a host name for Web and application servers. For each target it connects to port 80 and deduces the Web server banner using the httprint methodology, which yields a best-guess banner rather than simply trusting the Server header. In the next step it uses forced plug-in invocation (requesting resources whose extensions are handed to the application server plug-in) to identify the application server type; at this point it tries to fingerprint Tomcat, WebLogic, WebSphere, Orion, ColdFusion and Resin. It requires the .NET framework to be installed. Future versions will add mapping and fingerprinting for other technologies such as Ajax, RIA, Flash and Laszlo.
--

Read and Download
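As an added example (not AppPrint's own code, which is .NET and not on this page), the two steps above can be sketched in Python. The probe callable stands in for a port-80 HTTP request so the script runs offline; the header-order signatures, the error-page markers and the fake target are assumptions made for this example, not a real signature database or a captured host.

```python
import random
import re
import string
from typing import Callable, Dict, List, Optional, Tuple

# A probe stands in for the network. Given a request path it returns
# (status, headers in the order the server sent them, body). In real use it
# would wrap http.client.HTTPConnection on port 80; here it keeps the example
# offline and testable.
Probe = Callable[[str], Tuple[int, List[Tuple[str, str]], str]]

# Step 1, httprint-style banner deduction. The Server header is trivially
# edited, so the guess scores the ORDER in which a server emits its headers
# against known orders. The two orders below are assumptions made for this
# example, not a real signature database.
WEB_SERVER_SIGNATURES: Dict[str, List[str]] = {
    "Apache": ["Date", "Server", "Content-Type"],
    "Microsoft-IIS": ["Content-Type", "Server", "Date"],
}

# Step 2, forced plug-in invocation. Requesting a non-existent file with an
# extension the front-end hands to the application-server plug-in makes that
# plug-in answer, and its default error page names the product. The marker
# strings are illustrative assumptions.
APP_SERVER_MARKERS: Dict[str, List[Tuple[str, str]]] = {
    ".jsp": [(r"Apache Tomcat", "Tomcat"), (r"WebLogic", "WebLogic"),
             (r"WebSphere", "WebSphere"), (r"Orion", "Orion"), (r"Resin", "Resin")],
    ".cfm": [(r"ColdFusion", "ColdFusion")],
}


def guess_web_server(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Best-guess Web server from header order, plus whether the banner agrees."""
    banner = next((v for k, v in headers if k.lower() == "server"), "")
    best, best_score = None, -1
    for name, signature in WEB_SERVER_SIGNATURES.items():
        observed = [k for k, _ in headers if k in signature]
        score = sum(1 for a, b in zip(observed, signature) if a == b)
        if score > best_score:
            best, best_score = name, score
    return {
        "banner": banner,
        "best_guess": best,
        "banner_consistent": best is not None and best.lower() in banner.lower(),
    }


def fingerprint_app_server(probe: Probe) -> Optional[str]:
    """Force each plug-in with a random file name and match its error page."""
    for ext, markers in APP_SERVER_MARKERS.items():
        name = "".join(random.choices(string.ascii_lowercase, k=8))
        _, headers, body = probe("/" + name + ext)
        haystack = "\n".join(f"{k}: {v}" for k, v in headers) + "\n" + body
        for marker, product in markers:
            if re.search(marker, haystack, re.IGNORECASE):
                return product
    return None


def appprint(probe: Probe) -> Dict[str, object]:
    """Two-step result for one target: Web server guess, then application server."""
    _, headers, _ = probe("/")
    result = guess_web_server(headers)
    result["app_server"] = fingerprint_app_server(probe)
    return result


def fake_target(path: str) -> Tuple[int, List[Tuple[str, str]], str]:
    """Constructed stand-in for a host: Apache in front of Tomcat, with the
    Server header edited to claim IIS. Not a capture from any real system."""
    headers = [("Date", "Mon, 31 Dec 2007 00:00:00 GMT"),
               ("Server", "Microsoft-IIS/6.0"),
               ("Content-Type", "text/html")]
    if path.endswith(".jsp"):
        return 404, headers, "<title>Apache Tomcat/5.5 - Error report</title>"
    return (200 if path == "/" else 404), headers, "<html>ok</html>"


if __name__ == "__main__":
    print(appprint(fake_target))
```

The point of scoring header order is that the Server header is the first thing an administrator edits: in the fake target the banner claims IIS while the header order says Apache, and the .jsp probe still draws out Tomcat's error page. Against real hosts, replace fake_target with a function that issues the request over http.client and returns the headers in the order received, and expect false negatives wherever custom error pages are configured.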

Thursday, December 27, 2007

[net-security paper] Dissecting and Digging Application Source Code for Vulnerabilities

Application source code scanning for vulnerability detection is an interesting challenge and a relatively complex problem as well. Several security issues are difficult to identify with blackbox testing but can be identified using a whitebox, source-code-level testing methodology. Application layer security issues may reside in the application's logic, and a source code audit is essential to unearth these categories of bugs. This paper addresses the following areas:

1. How to build simple rules from method and class signatures to identify possible weak links in the source code.
2. How to walk the source across the entire code base to perform impact analysis.
3. How to use a simple tool like AppCodeScan, or a similar utility, to perform effective source code analysis and detect possible vulnerabilities residing in your source base.

Read here

Saturday, December 15, 2007

Tool Update - AppCodeScan 1.1

AppCodeScan 1.1 is posted on the site with the following changes:

1. Code parsing has changed; the tool now shows the line number where a pattern is found, in both the scanning and the code walking functionality.
2. Bugs in the recursive three-level scanning are fixed.

Download from here

Thanks for your feedback.

Cheers!

Wednesday, December 12, 2007

[Book] Web 2.0 Security - Defending AJAX, RIA, AND SOA

SOA, RIA, and Ajax are the backbone behind the now widespread Web 2.0 applications such as MySpace, GoogleMaps, and Wikipedia. Although these robust tools make next generation web applications possible, they also add new security concerns to the field of web application security. Yamanner, Samy and Spaceflash type worms exploit "client-side" Ajax frameworks, providing new avenues of attack and compromising confidential information. Portals like Google, NetFlix, Yahoo and MySpace have witnessed new vulnerabilities in the past. These vulnerabilities can be leveraged by attackers to perform Phishing, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation. Web 2.0 Security: Defending Ajax, RIA, and SOA is the book to cover the new field of Web 2.0 security. Written for intermediate-to-advanced security professionals and developers, the book explores Web 2.0 hacking methods and helps in enhancing next generation security controls for a better application security posture. Readers will gain knowledge of advanced footprinting and discovery techniques, Web 2.0 scanning and vulnerability detection methods, Ajax and Flash hacking methods, SOAP, REST and XML-RPC hacking, RSS/Atom feed attacks, fuzzing and code review methodologies and tools, tool building with Python, Ruby and .NET, and much, much more. The book includes a companion CD-ROM with tools, demos, samples, code, and images.

More on Amazon

Tuesday, December 04, 2007

[Clubhack - Conference] Hacking Web 2.0 Art and Science of Vulnerability Detection


ClubHack - Pune, India.

Going to talk on the following: Web 2.0 applications are on the rise and, as Gartner has predicted, by the end of 2007 30% of applications would be running with Web 2.0 components embedded in them. This change provides various different entry points and security holes for attackers. Hacking Web 2.0 is a required skill for security professionals, who must identify vulnerabilities and the associated threats before an attacker exploits them. New attack vectors are on the rise: two-way CSRF access, XSS through JSON, JS-Object, XML and Array streams, client-side eval() exploitation, XPath injection, WSDL scanning, Web Services payloads through SOAP and REST, XML-RPC method exploitation, etc. One needs to do both scientific and artistic analysis of an application to identify these vulnerabilities, and this talk will cover these emerging attack vectors with plenty of demonstrations and tools. You will take home thorough knowledge of Web 2.0 hacking and be in a position to apply it at work immediately.

Go to Conference page

Tuesday, November 27, 2007

DeepSec - Talk on Ajax Security

I had a great time in Vienna last week. I did a web hacking training and talked on Web 2.0 security. The conference was great and I was able to learn a lot from the other speakers. Here is my talk.

Tuesday, November 20, 2007

OWASP AppSec 2007 - .NET Web Services Hacking

AppSec in San Jose was really fun. I was able to learn some good stuff. I talked on .NET Web Services Hacking. Here is my slide show.

Wednesday, October 31, 2007

OWASP - .NET Web Services Hacking

.Net Web Services Hacking - Scan, Attacks and Defense
The following topics will be covered:
1. Web Services Discovery strategies in Web 2.0 applications
2. Scanning and profiling Web Services.
3. Attacking and Fuzzing Web Services for Vulnerability detection
4. Defense strategies for Web Services with content filtering (HTTPModule) - Web Services Firewall

Some of the content will be covered from my books - Hacking Web Services and Web 2.0 Security - Defending Ajax, RIA and SOA.

I look forward to seeing the OWASP and WASC folks.

Monday, October 15, 2007

web2wall : Web Application/Services Firewall - IHTTPModule for Web 2.0 application

Microsoft's .NET framework includes two interfaces, IHttpModule and IHttpHandler, which can be leveraged to provide application-level defense customized at the application, folder or variable level. A module built on them acts as the first line of defense, before any incoming request reaches the Web application's source code: Web application defense at the gates, for the .NET framework on IIS.

web2wall is a simple binary module that can be loaded into your Web 2.0 applications. You defend your application-layer code with regex patterns, which can also filter XML and JSON streams. The tool is in beta; more features will be added with time, and bugs will be resolved to make the module more robust.
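An added example of the filtering idea, written in Python rather than as an IHttpModule and not web2wall's code: a request inspector that reduces form, JSON and XML bodies to name/value pairs and applies regex rules scoped to the whole application, a folder or a single variable. The rule patterns, the paths and the sample bodies are assumptions made for this example.

```python
import json
import re
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Rule = (level, path prefix, variable name or "*", regex that must NOT match
# the value). Application-, folder- and variable-level defense is just how
# specific the prefix and variable are. These patterns are assumptions made
# for this example, not web2wall's shipped rules.
RULES: List[Tuple[str, str, str, str]] = [
    ("application", "/", "*", r"<\s*script|javascript:"),
    ("folder", "/api/", "*", r"['\"]\s*(?:or|and)\s+['\"0-9]"),
    ("variable", "/api/search", "q", r"[<>]"),
]


def flatten(body: str, content_type: str) -> Dict[str, str]:
    """Reduce a form, JSON or XML body to dotted-name -> value pairs so one
    rule set covers all three streams. Raises ValueError when the body does
    not parse; the caller treats that as a block."""
    values: Dict[str, str] = {}
    if "json" in content_type:
        def visit(prefix: str, node: object) -> None:
            if isinstance(node, dict):
                for key, child in node.items():
                    visit(f"{prefix}.{key}" if prefix else str(key), child)
            elif isinstance(node, list):
                for index, child in enumerate(node):
                    visit(f"{prefix}.{index}", child)
            else:
                values[prefix] = "" if node is None else str(node)
        visit("", json.loads(body))          # JSONDecodeError is a ValueError
    elif "xml" in content_type:
        try:
            root = ET.fromstring(body)
        except ET.ParseError as exc:
            raise ValueError(str(exc)) from exc
        def visit_xml(prefix: str, element: ET.Element) -> None:
            name = f"{prefix}.{element.tag}" if prefix else element.tag
            for attr, attr_value in element.attrib.items():
                values[f"{name}@{attr}"] = attr_value
            if element.text and element.text.strip():
                values[name] = element.text.strip()
            for child in element:
                visit_xml(name, child)
        visit_xml("", root)
    else:
        values.update(urllib.parse.parse_qsl(body, keep_blank_values=True))
    return values


def inspect(path: str, content_type: str, body: str) -> Optional[str]:
    """Return None to let the request through, or the reason to block it."""
    try:
        values = flatten(body, content_type)
    except ValueError as exc:
        return f"malformed {content_type} body: {exc}"   # fail closed
    for level, prefix, var, pattern in RULES:
        if not path.startswith(prefix):
            continue
        for name, value in values.items():
            # A variable-level rule matches the name at any nesting depth.
            if var != "*" and var not in re.split(r"[.@]", name):
                continue
            if re.search(pattern, value, re.IGNORECASE):
                return f"{level}-level rule hit on {name}: {pattern}"
    return None


if __name__ == "__main__":
    # Constructed request bodies, not captured traffic.
    print(inspect("/api/search", "application/json", '{"q": "<script>alert(1)</script>"}'))
    print(inspect("/api/login", "text/xml", "<login><user>admin' or '1'='1</user></login>"))
```

Two details matter in practice. A body that does not parse is blocked rather than passed through, because a parser difference between the filter and the application is exactly what an attacker would use to slip past it. And the XML parser is itself attack surface (entity expansion, external entities), so the production equivalent should parse with entity handling disabled and a size limit before any rule runs.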

Download

Saturday, October 06, 2007

AppCodeScan - Application Code Scanning tool

This tool is designed to help with whitebox testing. During whitebox testing one needs to scan the complete application code for various vulnerabilities such as XSS, SQL injection and poor validation. This tool discovers these vulnerable points, and one can then walk the code base to trace each vulnerability. The tool covers the following two areas:

Code Scanning - One feeds in the target code folder, the rule patterns as regex (a sample is provided for ASP) and the list of file extensions to scan. The tool runs against the target folder to a depth of three (3) and scans each line for matching patterns. If a pattern is found, it reports that line in the tool.
Code Walker - This little utility helps in walking across the code base to find a variable or function. It traces a variable along its entire path through a large code base, which helps in negating false positives among the identified patterns.

This tool runs on the .NET framework and is still in an initial beta state. We are working on it and more features will be added.
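The rule-building, code walking and impact analysis described in the net-security paper (December 27 above) and the two AppCodeScan functions described here can be shown together in one Python script. This is an added example written for this page, not AppCodeScan's code or the paper's material: the regex rules are written in the spirit of the ASP sample rules but are not the tool's rule file, and the two ASP files are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Rules are (name, regex) pairs. Names starting with "entry" mark where
# untrusted input enters; names starting with "sink" mark dangerous uses. The
# patterns are assumptions written for this example, not AppCodeScan's rules.
RULES: List[Tuple[str, str]] = [
    ("entry: Request.QueryString", r"Request\.QueryString\s*\("),
    ("entry: Request.Form", r"Request\.Form\s*\("),
    ("sink: Response.Write", r"Response\.Write\b"),
    ("sink: dynamic SQL", r"\.Execute\s*\(|\bSELECT\b.*&"),
]

# Constructed sample source base (path -> contents). AppCodeScan walks a
# folder to depth three; a dict stands in for that here.
SOURCE: Dict[str, str] = {
    "web/login.asp": """\
<%
Dim uid, pwd, ref, conn, rs
uid = Request.QueryString("user")
pwd = Request.Form("pass")
ref = Request.QueryString("ref")
Set conn = Server.CreateObject("ADODB.Connection")
Set rs = conn.Execute("SELECT * FROM users WHERE name='" & uid & "'")
If rs.EOF Then
  Response.Write("Unknown user " & uid)
End If
If ref = "home" Then Response.Redirect("home.asp")
%>
""",
    "web/inc/db.asp": """\
<%
Function LookupUser(name)
  LookupUser = "SELECT id FROM users WHERE name='" & name & "'"
End Function
%>
""",
}

ASSIGNMENT = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=", re.IGNORECASE)


def scan(source: Dict[str, str], rules: List[Tuple[str, str]]) -> List[Tuple[str, int, str, str]]:
    """Code scanning: every (file, line number, rule, line) where a rule matches."""
    findings = []
    for path, text in source.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pattern in rules:
                if re.search(pattern, line, re.IGNORECASE):
                    findings.append((path, lineno, name, line.strip()))
    return findings


def walk(source: Dict[str, str], symbol: str) -> List[Tuple[str, int, str]]:
    """Code walking: every line across the code base that mentions a variable or function."""
    pattern = re.compile(r"\b" + re.escape(symbol) + r"\b", re.IGNORECASE)
    return [(path, lineno, line.strip())
            for path, text in source.items()
            for lineno, line in enumerate(text.splitlines(), 1)
            if pattern.search(line)]


def trace(source: Dict[str, str], rules: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Impact analysis: for each entry point, walk the assigned variable and
    keep only the sink lines it reaches. Entry points reaching no sink are
    the false positives a plain pattern match would have reported."""
    findings = scan(source, rules)
    sinks = {(p, n): rule for p, n, rule, _ in findings if rule.startswith("sink")}
    flows = []
    for path, lineno, rule, line in findings:
        if not rule.startswith("entry"):
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        var = match.group(1)
        reached = [(p, n, sinks[(p, n)]) for p, n, _ in walk(source, var) if (p, n) in sinks]
        flows.append({"var": var, "source": (path, lineno), "sinks": reached})
    return flows


if __name__ == "__main__":
    for flow in trace(SOURCE, RULES):
        print(flow)
```

scan() is the Code Scanning half: a plain pattern hit per line, with the line number that version 1.1 added. walk() is the Code Walker. trace() is the impact analysis from the paper: it reports an entry point only when walking its variable lands on a sink line, so pwd and ref, which are read from the request but never written anywhere dangerous, drop out as false positives, while uid is reported twice (dynamic SQL on line 7 and Response.Write on line 9). A regex hit is not proof of a vulnerability; it is the place to start reading.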

Download and Play

Tuesday, October 02, 2007

[Dubai-ISACA] I-SAFE Information Governance in this e- World

Speaking on - EMERGING TECHNOLOGIES: Web 2.0 on the rise and related technologies, strategies and security

This presentation covers emerging technologies in detail, with real-life cases and demonstrations. The session then explores the security issues growing around these vectors and the threats associated with them. Professionals will collect enough know-how on emerging web technologies to apply this learning at their workplace.

Read More

Monday, September 24, 2007

Tools are posted

Hi, I have posted the following tools on the site:

1. wsScanner - Web Services Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool
2. scanweb2.0 - Web 2.0 Fingerprinting, Scanning and Discovery tools (Ruby scripts)
3. AppMap - Application footprinting and mapping tool using MSN APIs

They should help in assessment and audit.

Download from Blueinfy


Friday, September 14, 2007

HITB 2007 - Follow up...

HITB 2007 was great this time around as well. Both the class and the talk went really well. The speakers were good and I was able to learn new stuff. All material is posted here.

I presented on Web 2.0 hacking, keeping the focus on Ajax and Web Services, and added some new demos for better understanding. The presentation video is not yet posted. The following is my presentation.

You can download slides from here
If you have any question feel free to drop me a note at shreeraj.shah@gmail.com

Enjoy...

Thursday, August 09, 2007

HITB 2007 - Class and Talk

Training - Advanced Web Application & Services Hacking [Here]
Speaking - Hacking Ajax and Web Services – Next Generation Web Attacks on the Rise [Here]

Web 2.0 technologies for the Web application layer are still evolving. This framework consists of Web services, AJAX and SOAP/XML and, while still evolving, has thrown up new attack vectors. To combat these attacks one needs to understand the new methodology, tools and strategies. This presentation reveals emerging security threats, some of which will be demonstrated.

The logical evolution of Web applications has reached a new level with the introduction of Web 2.0, the combination of new technologies such as Web services, AJAX and SOAP. It is important to understand this framework and its fundamentals before looking at security threats. Ajax is becoming an integral part of these new applications, and its serialization aspect opens up new ways of attacking the browser-side application that can lead to XSS and XSRF.

XML-based attack vectors such as LDAP and SQL injection, SOAP messaging attacks, and Ajax and Web profiling will be covered along with demonstrations. Web services are the backbone of Web 2.0, and it is important to understand the security threats to them.

Wednesday, August 01, 2007

Change in contact info...

Friends, please kindly note my new email addresses and update your address books. You can reach me at the following addresses.

shreeraj.shah_at_gmail.com
shreeraj_at_blueinfy.com

Thanks!

Tuesday, June 12, 2007

[DevX] Secure Your Wireless Networks with Scapy Packet Manipulation


With wireless networks beginning to dominate both home and corporate networking, new challenges on the security front are inevitable. The first step in securing a wireless network is determining the state of the network (without any prior knowledge) and then providing a defense against intrusions. Enter Scapy, an excellent packet-crafting tool written in Python by Philippe Biondi. Unlike other sniffers such as Kismet and Airodump-ng, Scapy is scriptable and extremely easy to use.

This article outlines a methodology for wireless network assessment and intrusion detection using proven techniques with tools such as Scapy.

Read Here

Saturday, May 19, 2007

Web 2.0 and Mod Security 2.0

Ajax and Web Services are two important aspects of Web 2.0 applications. In the past I wrote articles on defending the application layer using Mod Security 1.0. A new version of Mod Security is out, and Ryan C. Barnett has enhanced both articles with the 2.0 changes. They are posted on the Mod Security site for community review. Here are pointers to both documents; you may find them helpful.

Securing Web Services with ModSecurity 2

Ajax Fingerprinting and Filtering with ModSecurity 2

Monday, April 30, 2007

Web 2.0 Threats and Risks for Financial Services

Web 2.0 technologies are gaining momentum worldwide, penetrating all industries as Enterprise 2.0 applications, and financial services are no exception to this trend. One of the key factors driving Web 2.0 into the financial services sector is the "timely availability of information". Wells Fargo, Merrill Lynch and JP Morgan are developing their next generation technologies using Web 2.0 components; components that will be used in banking software, trading portals and other peripheral services. The true advantage of RSS components is to push information to the end user rather than have the user pull it from the Internet. The financial industry estimates that 95% of information exists in non-RSS formats and could become a key strategic advantage if converted into RSS. Wells Fargo has already implemented such systems, and they have started to yield benefits. Financial services are tuning into Web 2.0 but are simultaneously exposing their systems to next generation threats such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and application interconnection issues arising from SOA.

Read my article

Saturday, April 07, 2007

Hacking Web 2.0 - Defending Ajax and Web Services

HITB 2007 in Dubai was fun and I presented on Web 2.0 hacking. The slides are available if you would like to go through them.

Tuesday, March 20, 2007

WEB 2.0 Hacking – Defending Ajax and Web Services


Web 2.0 technologies for the Web application layer are still evolving. This framework consists of Web services, AJAX and SOAP/XML and, while still evolving, has thrown up new attack vectors. To combat these attacks one needs to understand the new methodology, tools and strategies. Steadily emerging as the first line of defense is the Web application firewall. This presentation reveals emerging security threats, some of which will be demonstrated.

Here

Advanced Web Application & Services Hacking

Training at Dubai for HITB 2007.

Web application security has become a growing concern: Web and application servers are regular targets of attackers who exploit security loopholes or vulnerabilities in code or design. Adding to this concern are next generation applications, applications that are on the fast track and more appealing to the user, using dynamic AJAX scripts, Web services and newer Web technologies to create intuitive and easy interfaces. The only constant in this space is change. In this dynamically changing scenario it is important to understand the new threats that emerge in order to build constructive strategies to protect corporate assets.

This two-day workshop exposes students to both aspects of security: attack and defense. To think of newer Web applications without Web services is a big mistake; sooner or later existing applications will be forced to migrate to the new framework. The workshop includes several cases, demonstrations and hands-on exercises with newer tools to give you a head start over others in the field.

Here

Tuesday, March 13, 2007

ISACA-UAE - Web Application Workshop ...

One day conference at Dubai on Web Application Security.
Here

Sunday, March 11, 2007

RSS Security Threats With Financial Services

Web 2.0 technologies are penetrating deeper into the financial services sector as Enterprise 2.0 solutions, adding value to financial services. Analysts can leverage information sources to go beyond the obvious. Trading and banking companies like Wells Fargo and E*Trade are developing their next generation technologies using Web 2.0 components; components that will be used in banking software, trading portals and other peripheral services. The true advantage of RSS components is to push information to the end user rather than have the user pull it from the Internet. The financial industry estimates that 95% of information exists in non-RSS formats and could become a key strategic advantage if converted into RSS. Wells Fargo has already implemented such systems, and they have started to yield benefits. RSS comes with its own security issues, which assume critical significance for financial services. In this article we look at some of the security concerns and attack vectors around RSS.

Read here

My Bio with respect to Web Security Contribution...

Anurag is running a reflection series on his blog for web security professionals. He is compiling a list of people along with their resources. He posted mine this week. You can read it here.

Wednesday, February 28, 2007

Web 2.0 with Banks - Web Risk: A Growing Web's Harder To Secure


Banks are moving towards Web 2.0 frameworks and adding risk to the application layer. This news item talks about it.

Read

Monday, February 19, 2007

Ajax scanning on AjaxWorld

The Ajax scanning technique for XSS is posted at AjaxWorld magazine.
Here

Thursday, February 15, 2007

Scanning Ajax for XSS Entry Points


The continuous adoption of the Web 2.0 architecture for web applications is instrumental in Ajax, Web services and Flash emerging as key components. Ajax is a combination of technologies such as JavaScript with the XMLHttpRequest object, the DOM and XML streams. Cross-site scripting (XSS) can expose browsers to critical information hijacking if exploited with malicious intent. XSS is already categorized as persistent, non-persistent and DOM-based. Ajax code loaded in the browser can have entry points for XSS, and it is the security analyst's job to identify them. It is difficult to conclude decisively that a possible entry point in an application can be exploited; one may need to trace or debug the code to measure the risk at each entry point.

This paper introduces a quick way to identify XSS entry points in an application.

Read here

Friday, February 09, 2007

Stateful Web Application Firewalls with .NET


A Web Application Firewall (WAF), though still evolving, is crucial for strong application-layer defense. Unfortunately, HTTP is a stateless protocol, and session management is handled at the application layer, not at the protocol layer, so a WAF that inspects only the request in hand has no memory of what the same client did before. On the .NET platform it is possible to bridge the WAF and session objects to build a stateful WAF (SWAF).
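As an added example (Python, not the article's .NET code), here is the shape of that bridge: the WAF keeps its own record beside each application session, noting which client the session was issued to, how many rule hits it has accumulated and which pages it has already visited, so decisions can depend on the session's history and not only on the request in hand. The detection regex, the violation threshold and the page flow are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One stateless rule, so the example has something to count. Illustrative only.
ATTACK_PATTERN = re.compile(r"<\s*script|'\s*or\s+'", re.IGNORECASE)
# Rule hits tolerated per session before it is cut off (assumed policy).
MAX_VIOLATIONS = 3
# Page -> page that must have been seen earlier in the same session (assumed flow).
FLOW: Dict[str, str] = {"/checkout/pay": "/checkout/cart"}


@dataclass
class SessionState:
    """What the WAF remembers per session, next to the application's own session object."""
    client_ip: str
    violations: int = 0
    visited: List[str] = field(default_factory=list)
    blocked: bool = False


class StatefulWAF:
    def __init__(self) -> None:
        self.sessions: Dict[str, SessionState] = {}

    def handle(self, session_id: str, client_ip: str, path: str,
               params: Dict[str, str]) -> Tuple[bool, str]:
        """Decide one request. Returns (allowed, reason)."""
        state = self.sessions.setdefault(session_id, SessionState(client_ip))
        if state.blocked:
            return False, "session blocked"
        # A session cookie presented from a different client is treated as stolen.
        if state.client_ip != client_ip:
            state.blocked = True
            return False, "session used from a different client"
        # The check itself is stateless, but its outcome is remembered:
        # probing is cumulative across the session.
        if any(ATTACK_PATTERN.search(value) for value in params.values()):
            state.violations += 1
            if state.violations >= MAX_VIOLATIONS:
                state.blocked = True
                return False, "violation threshold reached"
            return False, f"rule hit ({state.violations}/{MAX_VIOLATIONS})"
        # Flow enforcement: some pages only make sense after another page.
        required = FLOW.get(path)
        if required and required not in state.visited:
            return False, f"{path} requires a prior visit to {required}"
        state.visited.append(path)
        return True, "ok"


if __name__ == "__main__":
    waf = StatefulWAF()
    # Constructed requests, not captured traffic.
    print(waf.handle("s1", "10.0.0.5", "/checkout/pay", {"amount": "10"}))
    print(waf.handle("s1", "10.0.0.5", "/checkout/cart", {"item": "42"}))
    print(waf.handle("s1", "10.0.0.5", "/checkout/pay", {"amount": "10"}))
```

Binding a session to the client address catches a stolen cookie replayed from elsewhere, but it also breaks users behind changing NAT or proxy addresses, so the real module should make that check configurable. The violation counter is what a single-request view cannot give you: one malformed parameter may be a typo, the third in the same session is a scan.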

Read Here

Monday, February 05, 2007

Slides to Share

I found slideshare.net an interesting place to share past talks. I have posted some of my past talks from RSA, Infosecworld, AusCERT, Bellua and HITB on it. You may like it.

Here

Tuesday, January 30, 2007

Ajax Fingerprinting for Web 2.0 Applications


Fingerprinting is an age-old concept and one that adds great value to assessment methodologies. There are several tools available for fingerprinting operating systems (nmap), Web servers (httprint), devices, etc. Each of these tools uses a different method: inspecting the TCP stack, ICMP responses or HTTP responses. With the evolution of Web 2.0 applications that use Ajax extensively, it is important to fingerprint the Ajax tools, framework or library used by a particular web site or page. This paper describes a method of Ajax fingerprinting, with a simple prototype serving as an example.

Read Here

Monday, January 29, 2007

Detect Your Web Application's Vulnerabilities Early with Ruby


Web application fuzzing is a method of detecting a web application's vulnerabilities prior to deploying the application on a production system. Users of this approach send many malicious requests to the application and, based on the responses received, determine the application's security posture. Fuzzing can also be used to test several different attack vectors such as SQL, XPath and LDAP injection, as well as error handling.
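An added example of the method, in Python rather than the article's Ruby and not the article's code: a fuzzer that substitutes each payload into one parameter, keeps the other parameters at their baseline values, and flags a response when its status changes or it leaks an error signature the baseline response does not contain. The payload lists and error signatures are illustrative, and constructed_target is a stand-in for a vulnerable page written for this example, not a real application.

```python
import re
from typing import Callable, Dict, List, Tuple

# A target is anything that turns request parameters into (status, body). In
# real use this wraps an HTTP client; an in-process function keeps the
# example offline.
Target = Callable[[Dict[str, str]], Tuple[int, str]]

# Payload sets per attack vector (illustrative, not an exhaustive list).
PAYLOADS: Dict[str, List[str]] = {
    "sql": ["'", "' OR '1'='1"],
    "xpath": ["' or 1=1 or ''='", "']|//*|//*['"],
    "ldap": ["*)(uid=*))(|(uid=*", "admin)(&)"],
    "error-handling": ["%00", "A" * 2048, "-1", "9" * 20],
}

# Fragments of server error text that reveal a back-end choking on input.
ERROR_SIGNATURES: List[str] = [
    r"OLE DB|ODBC|SQL syntax|Unclosed quotation",
    r"XPath|xpath",
    r"LDAP|ldap",
    r"Exception|stack trace|at System\.",
]


def fuzz(target: Target, param: str, baseline: Dict[str, str]) -> List[Dict[str, object]]:
    """Send every payload in `param`, holding the other parameters at their
    baseline values, and report responses that change status or leak an
    error signature the baseline response does not contain."""
    base_status, base_body = target(baseline)
    findings = []
    for vector, payloads in PAYLOADS.items():
        for payload in payloads:
            request = dict(baseline, **{param: payload})
            status, body = target(request)
            reasons = []
            if status != base_status:
                reasons.append(f"HTTP {status}")
            for signature in ERROR_SIGNATURES:
                match = re.search(signature, body)
                if match and not re.search(signature, base_body):
                    reasons.append("error signature: " + match.group(0))
                    break
            if reasons:
                findings.append({"vector": vector, "payload": payload,
                                 "status": status, "reasons": reasons})
    return findings


def constructed_target(params: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in for a vulnerable lookup page: it concatenates `id` into SQL,
    lets the database error reach the client, and has no length check.
    Written for this example; not a real application."""
    uid = params.get("id", "")
    sql = "SELECT name FROM users WHERE id='" + uid + "'"
    if sql.count("'") % 2:          # unbalanced quote: the 'database' errors out
        return 500, ("Microsoft OLE DB Provider for SQL Server error '80040e14' "
                     "Unclosed quotation mark after the character string")
    if len(uid) > 1024:             # unhandled exception with a stack trace
        return 500, "System.ArgumentException: input too long\n   at System.String.Concat"
    if not uid.isdigit():
        return 200, "<html>no such user</html>"
    return 200, "<html>user " + uid + "</html>"


if __name__ == "__main__":
    for finding in fuzz(constructed_target, "id", {"id": "1"}):
        print(finding)
```

The baseline comparison is what keeps the noise down: an error string already present on the normal page is not evidence. The stand-in produces the two classes of result the article names, an injection error (the SQL quote) and an error-handling failure (the oversize input), while the XPath and LDAP payloads that this particular stand-in tolerates produce nothing, which is the correct outcome for a fuzzer and a reminder that the absence of a finding is not a clean bill.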

Read Here

Friday, January 19, 2007

Crawling Ajax-driven Web 2.0 Applications


Crawling web applications is one of the key phases of automated web application scanning. The objective of crawling is to collect all possible resources from the server in order to automate vulnerability detection on each of these resources. A resource that is overlooked during this discovery phase can mean a failure to detect some vulnerabilities. The introduction of Ajax throws up new challenges for the crawling engine. New ways of handling the crawling process are required as a result of these challenges. The objective of this paper is to use a practical approach to address this issue using rbNarcissus, Watir and Ruby.

Full paper
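The three browser-side tasks above (identifying XSS entry points, February 15; Ajax fingerprinting, January 30; and pulling Ajax endpoints out of a page for the crawler) share most of their machinery, so one added Python example covers all three. It is not code from any of the papers: the framework file-name table, the source and sink patterns and the sample page are assumptions constructed for this example, and the endpoint extraction is only the static half of the crawling problem (the paper's approach drives a real browser with Watir to reach calls a regex cannot see).

```python
import re
from typing import Dict, List, Tuple

# Script file names that identify an Ajax framework. A tiny assumed table for
# this example; real fingerprinting also checks the globals each library
# defines and the code idioms it generates.
FRAMEWORK_FILES: Dict[str, str] = {
    "prototype.js": "Prototype",
    "scriptaculous.js": "script.aculo.us",
    "dojo.js": "Dojo",
    "jquery": "jQuery",
    ".nocache.js": "GWT",
}

# Where untrusted data enters browser-side code, and where writing it is dangerous.
SOURCES: Dict[str, str] = {
    "location": r"\blocation\.(?:hash|search|href)\b",
    "responseText": r"\.responseText\b",
    "referrer": r"document\.referrer\b",
}
SINKS: Dict[str, str] = {
    "innerHTML": r"\.innerHTML\s*=",
    "eval": r"\beval\s*\(",
    "document.write": r"document\.write(?:ln)?\s*\(",
    "string timer": r"\bset(?:Timeout|Interval)\s*\(\s*['\"]",
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)""", re.IGNORECASE)
ASSIGNMENT = re.compile(r"^\s*(?:var\s+)?(\w+)\s*=\s*(.+)")
XHR_OPEN = re.compile(r"""\.open\s*\(\s*["'](\w+)["']\s*,\s*["']([^"']*)["']""")


def scripts(html: str) -> Tuple[List[str], List[str]]:
    """Split a page into (external script URLs, inline script bodies)."""
    external, inline = [], []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            external.append(src.group(1))
        elif body.strip():
            inline.append(body.strip("\n"))
    return external, inline


def fingerprint(external: List[str]) -> List[str]:
    """Ajax frameworks named by the script files the page includes."""
    found = []
    for src in external:
        for needle, name in FRAMEWORK_FILES.items():
            if needle in src.lower() and name not in found:
                found.append(name)
    return found


def ajax_endpoints(js: str) -> List[Tuple[str, str]]:
    """Static crawling aid: XHR method/URL pairs written literally in the script."""
    return XHR_OPEN.findall(js)


def xss_entry_points(js: str) -> List[Dict[str, object]]:
    """Sink lines, each labelled with the untrusted source that reaches it."""
    lines = js.splitlines()
    tainted: Dict[str, str] = {}          # variable -> source it was assigned from
    for line in lines:
        match = ASSIGNMENT.match(line)
        if match:
            for source, pattern in SOURCES.items():
                if re.search(pattern, match.group(2)):
                    tainted[match.group(1)] = source
    findings = []
    for lineno, line in enumerate(lines, 1):
        for sink, pattern in SINKS.items():
            if not re.search(pattern, line):
                continue
            via = "no tainted input seen"
            direct = [s for s, p in SOURCES.items() if re.search(p, line)]
            if direct:
                via = "direct: " + direct[0]
            else:
                for var, source in tainted.items():
                    if re.search(r"\b" + re.escape(var) + r"\b", line):
                        via = f"indirect: {var} <- {source}"
                        break
            findings.append({"line": lineno, "sink": sink, "via": via, "code": line.strip()})
    return findings


def analyze(html: str) -> Dict[str, object]:
    external, inline = scripts(html)
    js = "\n".join(inline)
    return {"frameworks": fingerprint(external),
            "endpoints": ajax_endpoints(js),
            "entry_points": xss_entry_points(js)}


# Constructed sample page, not taken from any real site.
PAGE = """<html><head>
<script src="/js/prototype.js"></script>
<script src="/js/scriptaculous.js"></script>
<script>
var name = document.location.hash.substring(1);
document.getElementById('out').innerHTML = 'Hello ' + name;
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
  if (xhr.readyState == 4) { eval(xhr.responseText); }
};
xhr.open('GET', '/profile?u=' + encodeURIComponent(name), true);
xhr.send(null);
document.write('<p>static footer</p>');
</script>
</head></html>"""

if __name__ == "__main__":
    print(analyze(PAGE))
```

The entry-point report ranks by how data reaches the sink: a source on the sink line itself (eval of a response body), a variable traced back to a source (the URL fragment written into innerHTML), or no tainted input seen (the static footer). Only the first two are worth a debugger session, which is the trace-or-debug step the February paper leaves to the analyst.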

Friday, January 05, 2007

Book review - Microsoft Technet

Technet posted a book review of Hacking Web Services.
Here
--
Shreeraj Shah's Hacking Web Services (Charles River Media, 2006) is a valuable resource for those involved in development, deployment, or support of Web services. The book is a well-organized general security reference for Web services and their component technologies. And it does a good job of detailing what is involved in defending them in your infrastructure and through your development practices.

The book begins with a relatively in-depth introduction to Web services. A case study titled "The Consequences of Procrastination" teaches you about the power of preemptive security procedures and the penalties of reactive systems. The chapter titled "Web Services Scanning and Enumeration" discusses how to use wsChess, a .NET-based Web service security toolkit from Net-Square (net-square.com/wschess/index.shtml), to profile and footprint Web services.

The book includes a utility CD, which contains a sample .NET-based application called SOAPWall. This shows you how to block injection characters and buffer overflows in your .NET Web services. In addition, the CD provides demos of different types of Web service attacks.
--