This blog is created to keep track of my activities and place holder for sharing. Enjoy!
Monday, December 31, 2007
[Tool] AppPrint - Web and Application Server Fingerprinting/Mapping tool (Beta)
-- Description --
AppPrint scans an IP range, a single IP or a host name for Web and application servers. For each target it connects to port 80 and tries to deduce the banner using the httprint methodology, which gives a best-guess banner for the Web server. In the next step it uses forced plug-in invocation, requesting resources that only an application-server plug-in would handle, to identify the application server type; at this point it tries to fingerprint Tomcat, WebLogic, WebSphere, Orion, ColdFusion and Resin. The tool requires the .NET Framework. Future versions will add mapping and fingerprinting for other technologies such as Ajax, RIA, Flash and Laszlo.
--
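The forced plug-in invocation step described above, as an added example that is not AppPrint's code: request non-existent resources whose extensions belong to the servlet/JSP or ColdFusion plug-in, so that the application server rather than the front Web server produces the error page, then match that page against per-server signatures. The signature regexes, the probe paths and the sample responses are my own assumptions, and the Web-server part only reports the raw Server header rather than httprint's signature matching. The fetch function is injectable so the example runs offline.

```javascript
// Added example, not AppPrint's code: application-server fingerprinting by forced
// plug-in invocation. The signature regexes below are illustrative assumptions.

const PROBES = [
  "/apprint_probe_nonexistent.jsp",
  "/apprint_probe_nonexistent.do",
  "/apprint_probe_nonexistent.cfm",
];

// One regex per application server, run over status line, headers and body of each response.
const SIGNATURES = [
  { server: "Tomcat",     re: /Apache Tomcat\/[\d.]+/i },
  { server: "WebLogic",   re: /WebLogic/i },
  { server: "WebSphere",  re: /IBM WebSphere|SRVE\d{4}E/i },
  { server: "Orion",      re: /Orion\/[\d.]+/i },
  { server: "ColdFusion", re: /ColdFusion/i },
  { server: "Resin",      re: /\bResin[-\/][\d.]+|Caucho/i },
];

// fetchProbe(host, path) returns { status, headers, body } or null. It is passed in so
// the example runs offline against constructed responses; a live run would issue
// HTTP GET requests to port 80 of the target.
function fingerprintAppServer(host, fetchProbe) {
  const votes = {};
  for (const path of PROBES) {
    const r = fetchProbe(host, path);
    if (!r) continue;
    const headerText = Object.entries(r.headers || {}).map(([k, v]) => `${k}: ${v}`).join("\n");
    const blob = `HTTP ${r.status}\n${headerText}\n\n${r.body || ""}`;
    for (const { server, re } of SIGNATURES) {
      if (re.test(blob)) votes[server] = (votes[server] || 0) + 1;
    }
  }
  const ranked = Object.entries(votes).sort((a, b) => b[1] - a[1]);
  return {
    webServer: (fetchProbe(host, "/") || { headers: {} }).headers.Server || "unknown",
    appServer: ranked.length ? ranked[0][0] : "unknown",
    evidence: votes,
  };
}

// Constructed responses standing in for a target fronted by Apache with Tomcat behind it.
// The Server header only ever names Apache; the application server shows up in the
// error page generated for the .jsp and .do probes, which is the whole point of the probe.
const SAMPLE_TARGET = {
  "/": { status: 200, headers: { Server: "Apache/2.0.59 (Unix)" }, body: "<html>home</html>" },
  "/apprint_probe_nonexistent.jsp": {
    status: 404,
    headers: { Server: "Apache/2.0.59 (Unix)", "Content-Type": "text/html" },
    body: "<html><h1>HTTP Status 404 - /apprint_probe_nonexistent.jsp</h1><h3>Apache Tomcat/5.5.23</h3></html>",
  },
  "/apprint_probe_nonexistent.do": {
    status: 404,
    headers: { Server: "Apache/2.0.59 (Unix)" },
    body: "<html><h1>HTTP Status 404</h1><h3>Apache Tomcat/5.5.23</h3></html>",
  },
  "/apprint_probe_nonexistent.cfm": {
    status: 404,
    headers: { Server: "Apache/2.0.59 (Unix)" },
    body: "<html><h1>Not Found</h1><p>The requested URL was not found on this server.</p></html>",
  },
};

function sampleFetch(host, path) {
  return SAMPLE_TARGET[path] || null;
}
```

Running fingerprintAppServer("example.test", sampleFetch) reports the Web server as Apache and the application server as Tomcat with two supporting probes; the .cfm probe is answered by Apache itself, so it contributes nothing, which is the expected behaviour when the extension is not mapped to a plug-in.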
Read and Download
Thursday, December 27, 2007
[net-security paper] Dissecting and Digging Application Source Code for Vulnerabilities
1. How to build simple rules using method and class signatures to identify possible weak links in the source code.
2. How to do source code walking across the entire source base to perform impact analysis.
3. How to use a simple tool like AppCodeScan or a similar utility to perform effective source code analysis and detect possible vulnerabilities residing in your source base.
Read here
Saturday, December 15, 2007
Tool Update - AppCodeScan 1.1
1. Code parsing has changed; the tool now shows the line number where a pattern is found, in both the scanning and the code-walking functionality.
2. Bugs in the recursive three-level scanning are fixed.
Download from here
Thanks for your feedback.
Cheers!
Wednesday, December 12, 2007
[Book] Web 2.0 Security - Defending AJAX, RIA, AND SOA
More on Amazon
Tuesday, December 04, 2007
[Clubhack - Conference] Hacking Web 2.0 Art and Science of Vulnerability Detection
ClubHack - Pune, India.
Going to talk on the following: Web 2.0 applications are on the rise and, as Gartner has predicted, by the end of 2007 30% of applications will run with Web 2.0 components embedded in them. This change provides attackers with many different entry points and security holes. Hacking Web 2.0 is a required skill for security professionals who need to identify vulnerabilities and the associated threats before an attacker exploits them. New attack vectors are on the rise: two-way CSRF access, XSS through JSON, JS-Object, XML and Array streams, client-side eval() exploitation, XPATH injection, WSDL scanning, Web Services payloads through SOAP and REST, XML-RPC method exploitation, etc. One needs to do both scientific and artistic analysis of an application to identify these vulnerabilities, and this talk covers these emerging attack vectors with plenty of demonstrations and tools. You will take home thorough knowledge of Web 2.0 hacking and be in a position to apply it at work immediately.
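Two of the vectors listed in the abstract, XSS through JSON streams and client-side eval() exploitation, are the same bug seen from two sides. The following is an added example, not material from the talk: an Ajax client that turns a response into an object with eval() executes whatever JavaScript the stream carries, while JSON.parse accepts data only. The streams and the __leak callback are constructed; in a browser the callback would be something like new Image().src pointing at an attacker host with document.cookie appended.

```javascript
// Added example (constructed streams, not code from the talk): eval() on a JSON-looking
// stream runs code; strict JSON parsing does not.

// Vulnerable pattern common in early Ajax code: eval("(" + xhr.responseText + ")")
function parseWithEval(stream) {
  return eval("(" + stream + ")");
}

// Hardened pattern: strict JSON parsing, and the result is still checked for shape.
function parseStrict(stream) {
  const obj = JSON.parse(stream); // throws SyntaxError on anything that is not JSON data
  if (typeof obj !== "object" || obj === null) throw new TypeError("expected a JSON object");
  return obj;
}

// Records side effects so the demo can prove that code actually executed.
const sideEffects = [];
globalThis.__leak = (v) => { sideEffects.push(v); return v; };

// Benign stream a server would send.
const benign = '{"user":"alice","balance":42}';
// Hostile stream: shaped like JSON, but "balance" is a JavaScript expression, not a number.
const hostile = '{"user":"alice","balance":__leak("session-token-would-go-here")}';

function demo() {
  const result = {
    evalBenign: parseWithEval(benign).balance,      // 42, the eval path "works" on good data
    evalHostile: parseWithEval(hostile).balance,    // the expression ran and returned the string
    strictBenign: parseStrict(benign).balance,      // 42 as well
    strictRejectsHostile: false,
  };
  try {
    parseStrict(hostile);
  } catch (e) {
    result.strictRejectsHostile = e instanceof SyntaxError; // rejected before anything could run
  }
  result.codeExecuted = sideEffects.length; // how many times __leak fired: once, from the eval path
  return result;
}
```

The point to take from demo() is not the JSON.parse call itself but where the parsing decision sits: any place a client evaluates a stream it did not construct (JSON, JS-Object, Array literals) is an XSS entry point regardless of how the server escapes HTML.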
Go to Conference page
Tuesday, November 27, 2007
DeepSec - Talk on Ajax Security
Tuesday, November 20, 2007
OWASP AppSec 2007 - .NET Web Services Hacking
Wednesday, October 31, 2007
OWASP - .NET Web Services Hacking
Following topics will be covered.
1. Web Services Discovery strategies in Web 2.0 applications
2. Scanning and profiling Web Services.
3. Attacking and Fuzzing Web Services for Vulnerability detection
4. Defense strategies for Web Services with content filtering (HTTPModule) - Web Services Firewall
Some of the content will be covered from my books - Hacking Web Services and Web 2.0 Security - Defending Ajax, RIA and SOA.
Look forward to see OWASP and WASC folks.
Monday, October 15, 2007
web2wall : Web Application/Services Firewall - IHTTPModule for Web 2.0 application
Web2wall is a simple binary module that can be loaded into your Web 2.0 application. You can defend your application-layer code with regex patterns; in particular this helps in filtering XML and JSON streams. The tool is in beta and more features will be added with time. We will resolve bugs to make the module much more robust.
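The filtering idea behind such a module, as an added example that is not web2wall's code and not C#/.NET: classic WAF rules inspect query strings and form fields, but Ajax and Web-services clients send JSON and XML bodies, so the regex rules have to reach the string values inside those streams, with XML entities decoded before matching so that &lt;script&gt; cannot slip past a rule looking for "<script". The rule set, the tiny XML pass and the sample requests are constructed for illustration.

```javascript
// Added example, not web2wall's code: applying regex rules to the values inside
// JSON and XML request streams. Rules and sample requests are constructed.

const RULES = [
  { id: "sqli-quote-or", re: /'\s*(or|and)\s+['\d]/i },
  { id: "sqli-comment",  re: /(--|\/\*|;)\s*$/ },
  { id: "xss-tag",       re: /<\s*(script|img|iframe|svg)\b/i },
  { id: "xss-handler",   re: /\bon\w+\s*=/i },
  { id: "xpath-inject",  re: /\]\s*\|\s*\/\// },
];

// Walk any JSON value and apply the rules to every string leaf; path is JSONPath-like.
function scanJson(value, path = "$", hits = []) {
  if (typeof value === "string") {
    for (const r of RULES) if (r.re.test(value)) hits.push({ path, rule: r.id });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => scanJson(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) scanJson(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Entity decoding must happen before matching; &amp; is decoded last so that
// "&amp;lt;" becomes "&lt;" and not "<".
function decodeEntities(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
          .replace(/&amp;/g, "&");
}

// Minimal XML pass (leaf element text and attribute values); a real module would use
// a proper parser, but the rule application is the same.
function scanXml(xml) {
  const hits = [];
  const text = /<([\w:]+)(?:\s[^>]*)?>([^<]*)<\/\1>/g;
  const attr = /\s([\w:]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = text.exec(xml)) !== null) {
    const v = decodeEntities(m[2]);
    for (const r of RULES) if (r.re.test(v)) hits.push({ path: m[1], rule: r.id });
  }
  while ((m = attr.exec(xml)) !== null) {
    const v = decodeEntities(m[2]);
    for (const r of RULES) if (r.re.test(v)) hits.push({ path: "@" + m[1], rule: r.id });
  }
  return hits;
}

// The gate decision a module would make before the request reaches application code.
function inspectRequest(contentType, body) {
  let hits;
  if (/json/i.test(contentType)) {
    try { hits = scanJson(JSON.parse(body)); } catch (e) { return { allow: false, reason: "malformed JSON", hits: [] }; }
  } else if (/xml/i.test(contentType)) {
    hits = scanXml(body);
  } else {
    hits = scanJson(body); // plain string body
  }
  return hits.length ? { allow: false, reason: "rule match", hits } : { allow: true, hits: [] };
}

// Constructed sample requests.
const SAMPLE_JSON_OK  = '{"user":"alice","query":{"term":"laptops","tags":["sale","new"]}}';
const SAMPLE_JSON_BAD = '{"user":"alice","query":{"term":"x\' or \'1\'=\'1","tags":["<script>alert(1)</script>"]}}';
const SAMPLE_XML_BAD  = '<soap:Envelope><soap:Body><getUser id="1"><name>&lt;img src=x onerror=alert(1)&gt;</name></getUser></soap:Body></soap:Envelope>';
```

inspectRequest("application/json", SAMPLE_JSON_BAD) is blocked with hits at $.query.term (SQL injection) and $.query.tags[0] (script tag); the XML sample is blocked on the decoded name element, which a rule run over the raw bytes would have missed.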
Download
Saturday, October 06, 2007
AppCodeScan - Application Code Scanning tool
Code Scanning - Feed the tool a target code folder, a set of rule patterns in regex form (a sample is provided for ASP) and a list of file extensions to scan. The tool runs against the target folder to a directory depth of three (3) and scans each line for a matching pattern. When a pattern is found, the tool reports that line.
Code Walker - This small utility walks across the code base to find a given variable or function, so that a variable and its entire path through a large code base can be traced. This helps in weeding out false positives among the identified patterns.
The tool runs on the .NET Framework and is still in an initial beta state. We are working on it and more features will be added.
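The two functions described here, and the signature-based rules of the net-security paper above, as an added example that is not AppCodeScan's code: a depth-limited recursive pattern scan that reports file and line number, plus a code walker that follows one identifier through the whole tree so a source-to-sink path can be confirmed or a hit discarded as a false positive. The rule set is my own, in the spirit of the ASP sample; the code tree is an in-memory map of path to source (constructed below) so the example runs offline, and swapping in fs.readdirSync/readFileSync gives the on-disk version.

```javascript
// Added example, not AppCodeScan itself: depth-limited regex scanning plus identifier walking
// over an in-memory code tree. Rules and sample code are constructed.

// Rules built from method/class signatures: untrusted sources and dangerous sinks in classic ASP.
const RULES = [
  { id: "ASP-SRC-QS",   re: /Request\.QueryString\s*\(/i,        note: "untrusted input (query string)" },
  { id: "ASP-SRC-FORM", re: /Request\.Form\s*\(/i,               note: "untrusted input (form field)" },
  { id: "ASP-SINK-SQL", re: /\.Execute\s*\(|Open\s+.*SELECT/i,   note: "SQL executed from a string" },
  { id: "ASP-SINK-OUT", re: /Response\.Write\s*\(/i,             note: "unencoded output (XSS sink)" },
];

const EXTENSIONS = [".asp", ".inc"];

// Depth counts directory levels below the root: "a.asp" is depth 0, "x/y/z/a.asp" is depth 3.
function scanTree(tree, { rules = RULES, extensions = EXTENSIONS, maxDepth = 3 } = {}) {
  const hits = [];
  for (const [path, source] of Object.entries(tree)) {
    const depth = path.split("/").length - 1;
    if (depth > maxDepth) continue;
    if (!extensions.some((ext) => path.toLowerCase().endsWith(ext))) continue;
    source.split(/\r?\n/).forEach((line, i) => {
      for (const rule of rules) {
        if (rule.re.test(line)) {
          hits.push({ file: path, line: i + 1, rule: rule.id, note: rule.note, text: line.trim() });
        }
      }
    });
  }
  return hits;
}

// Code walker: every line in the tree where the identifier appears as a whole word,
// so a reviewer can follow a variable from the Request.* source to the sink.
function walkIdentifier(tree, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`\\b${escaped}\\b`, "i");
  const trail = [];
  for (const [path, source] of Object.entries(tree)) {
    source.split(/\r?\n/).forEach((line, i) => {
      if (re.test(line)) trail.push({ file: path, line: i + 1, text: line.trim() });
    });
  }
  return trail;
}

// Constructed sample code base.
const SAMPLE_TREE = {
  "login.asp": [
    "<%",
    "Dim user, sql",
    "user = Request.Form(\"username\")",
    "sql = \"SELECT * FROM users WHERE name='\" & user & \"'\"",
    "Set rs = conn.Execute(sql)",
    "Response.Write(\"Welcome \" & user)",
    "%>",
  ].join("\n"),
  "inc/util.inc": "Function Clean(s)\n  Clean = Replace(s, \"'\", \"''\")\nEnd Function\n",
  "a/b/c/d/deep.asp": "<% Response.Write(Request.QueryString(\"q\")) %>", // depth 4: outside the scan
  "notes.txt": "Response.Write mentioned in a text file must not be reported",
};
```

scanTree(SAMPLE_TREE) reports login.asp lines 3, 5 and 6 (form input, SQL execution, unencoded output); walkIdentifier(SAMPLE_TREE, "user") then shows the variable travelling from line 3 into the SQL string on line 4 and into the output on line 6, which is what turns three pattern hits into one confirmed injection path and one confirmed XSS.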
Download and Play
Tuesday, October 02, 2007
[Dubai-ISACA] I-SAFE Information Governance in this e- World
This presentation covers emerging technologies in detail with real-life cases and demonstrations. The session then explores the security issues growing around these vectors and the threats associated with them. Professionals will collect enough know-how on emerging web technologies to apply this learning at their workplace.
Read More
Monday, September 24, 2007
Tools are posted
1. wsScanner - Web Services Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool
2. scanweb2.0 - Web 2.0 Fingerprinting, Scanning and Discovery tools (Ruby scripts)
3. AppMap - Application footprinting and mapping tool using MSN APIs
It should help in assessment and audit.
Download from Blueinfy
Friday, September 14, 2007
HITB 2007 - Follow up...
I presented on Web 2.0 hacking, with a focus on Ajax and Web Services, and added some new demos for better understanding. The presentation video is not yet posted. Following is my presentation.
You can download slides from here
If you have any question feel free to drop me a note at shreeraj.shah@gmail.com
Enjoy...
Thursday, August 09, 2007
HITB 2007 - Class and Talk
Speaking - Hacking Ajax and Web Services – Next Generation Web Attacks on the Rise [Here]
WEB 2.0 technologies for the Web application layer are still evolving. The framework consists of Web services, AJAX and SOAP/XML and, while still evolving, has thrown up new attack vectors. To combat the attacks one needs to understand the new methodology, tools and strategies. This presentation reveals emerging security threats, some of which will be demonstrated.
The logical evolution of Web applications has reached a new level with the introduction of WEB 2.0, which combines new technologies such as Web services, AJAX and SOAP. It is important to understand this framework and its fundamentals before looking at security threats. Ajax is becoming an integral part of these new applications, and its serialization aspect opens up new ways of attacking the browser-side application, which can lead to XSS and XSRF.
XML-based attack vectors, LDAP/SQL injection, SOAP messaging attacks, AJAX and Web profiling will be covered along with demonstration examples. Web services are the backbone of WEB 2.0 and it is important to understand their security threats.
Wednesday, August 01, 2007
Change in contact info...
shreeraj.shah_at_gmail.com
shreeraj_at_blueinfy.com
Thanks!
Tuesday, June 12, 2007
[DevX] Secure Your Wireless Networks with Scapy Packet Manipulation
With wireless networks beginning to dominate both home and corporate networking, new challenges on the security front are inevitable. The first step in securing a wireless network is determining the state of the network (without any prior knowledge) and then providing a defense against intrusions. Enter Scapy, an excellent packet-crafting tool written in Python by Philippe Biondi. Unlike other sniffers such as Kismet and Airodump-ng, Scapy is scriptable and extremely easy to use.
This article outlines a methodology for wireless network assessment and intrusion detection using proven techniques with tools such as Scapy.
Read Here
Saturday, May 19, 2007
Web 2.0 and Mod Security 2.0
Securing Web Services with ModSecurity 2
Ajax Fingerprinting and Filtering with ModSecurity 2
Monday, April 30, 2007
Web 2.0 Threats and Risks for Financial Services
Read my article
Saturday, April 07, 2007
Hacking Web 2.0 - Defending Ajax and Web Services
Tuesday, March 20, 2007
WEB 2.0 Hacking – Defending Ajax and Web Services
WEB 2.0 technologies for the Web application layer are still evolving. The framework consists of Web services, AJAX and SOAP/XML and, while still evolving, has thrown up new attack vectors. To combat the attacks one needs to understand the new methodology, tools and strategies. Steadily emerging as the first line of defense is the Web application firewall. This presentation reveals emerging security threats, some of which will be demonstrated.
Here
Advanced Web Application & Services Hacking
Training at Dubai for HITB 2007.
Web application security has been a growing concern: Web and application servers are the target of regular attacks by attackers who exploit security loopholes or vulnerabilities in code or design. Adding to this concern are next-generation applications, applications that are on the fast track and more appealing to the user, utilizing dynamic AJAX scripts, Web services and newer Web technologies to create intuitive and easy interfaces. The only constant in this space is change. In this dynamically changing scenario it is important to understand the new threats that emerge in order to build constructive strategies to protect corporate assets.
This two day workshop will expose students to both aspects of security: attacks and defense. To think of newer Web applications without Web services is a big mistake. Sooner or later existing applications will be forced to migrate to the new framework. This workshop includes several cases, demonstrations and hands-on exercises with newer tools to give you a headstart over others in the field.
Here
Sunday, March 11, 2007
RSS Security Threats With Financial Services
Read here
My Bio with respect to Web Security Contribution...
Wednesday, February 28, 2007
Web 2.0 with Banks - Web Risk: A Growing Web's Harder To Secure
Banks are moving towards Web 2.0 frameworks and adding risk at the application layer. This news item discusses it.
Read
Thursday, February 15, 2007
Scanning Ajax for XSS Entry Points
The continuing adoption of Web 2.0 architecture for web applications has made Ajax, Web services and Flash key components. Ajax is a combination of technologies such as JavaScript with the XMLHttpRequest object, the DOM and XML streams. Cross-site scripting (XSS), if exploited with malicious intent, can expose critical browser-side information to hijacking. XSS is already categorized as persistent, non-persistent and DOM-based. Ajax code loaded in the browser can contain entry points for XSS, and it is the job of the security analyst to identify them. It is difficult to conclude decisively that a possible entry point can be exploited; one may need to trace or debug the code to measure the risk of these entry points.
This paper introduces you to a quick way to identify XSS entry points in an application.
Read here
Friday, February 09, 2007
Stateful Web Application Firewalls with .NET
A Web Application Firewall (WAF), though still evolving, is crucial for a strong application-layer defense. HTTP, however, is a stateless protocol: session management is handled at the application layer, not at the protocol layer. It is possible to bridge the WAF and session objects on the .NET platform to build a stateful WAF (SWAF).
Read Here
Monday, February 05, 2007
Slides to Share
Here
Tuesday, January 30, 2007
Ajax Fingerprinting for Web 2.0 Applications
Fingerprinting is an age-old concept and one that adds great value to assessment methodologies. Several tools fingerprint operating systems (nmap), Web servers (httprint), devices, etc., each using a different method: inspecting the TCP stack, ICMP responses or HTTP responses. With the evolution of Web 2.0 applications that use Ajax extensively, it is important to fingerprint the Ajax tools, frameworks or libraries used by a particular web site or page. This paper describes a method of Ajax fingerprinting, with a simple prototype serving as an example.
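A prototype of my own, added here and not the one from the paper, that fingerprints the Ajax library from two cheap signals: the script src names in the page HTML (passive, from a single GET) and the global objects the libraries create (active, run inside the page through a browser-automation tool or a bookmarklet). The library-to-signal table is an assumption kept deliberately small; note that `$` is defined by both Prototype and jQuery, so it is not used as evidence for either.

```javascript
// Added example, not the paper's prototype: Ajax framework fingerprinting from script names
// and library globals. The signal table, sample HTML and sample window are constructed.

const LIBRARIES = [
  { name: "Prototype",       scripts: [/prototype(\.[\d.]+)?\.js/i],         globals: ["Prototype", "Ajax.Request"] },
  { name: "Dojo",            scripts: [/dojo\.js/i],                          globals: ["dojo"] },
  { name: "jQuery",          scripts: [/jquery([-.][\d.]+)?(\.min)?\.js/i],   globals: ["jQuery"] },
  { name: "YUI",             scripts: [/yahoo(-min)?\.js|\/yui\//i],          globals: ["YAHOO"] },
  { name: "MooTools",        scripts: [/mootools/i],                          globals: ["MooTools"] },
  { name: "Script.aculo.us", scripts: [/scriptaculous\.js/i],                 globals: ["Scriptaculous"] },
];

// Pull every <script src="..."> value out of the HTML (quotes optional, query strings kept).
function scriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Passive check: what the HTML alone reveals.
function fingerprintFromHtml(html) {
  const srcs = scriptSources(html);
  return LIBRARIES
    .filter((lib) => srcs.some((s) => lib.scripts.some((re) => re.test(s))))
    .map((lib) => lib.name);
}

// Active check: which library globals exist on the page's window object.
// `win` is the window; here a constructed stand-in so the example runs outside a browser.
function fingerprintFromGlobals(win) {
  const present = (path) =>
    path.split(".").reduce((o, k) => (o != null ? o[k] : undefined), win) !== undefined;
  return LIBRARIES.filter((lib) => lib.globals.some(present)).map((lib) => lib.name);
}

// Constructed page: Prototype plus script.aculo.us, and one application script that tells us nothing.
const SAMPLE_HTML = `<html><head>
<script type="text/javascript" src="/js/prototype.1.5.1.js"></script>
<script src='/js/scriptaculous.js?load=effects'></script>
<script src="/js/app.js"></script>
</head><body></body></html>`;

// Constructed window as those two libraries would leave it.
const SAMPLE_WINDOW = {
  Prototype: { Version: "1.5.1" },
  Ajax: { Request: function () {} },
  Scriptaculous: { Version: "1.7.0" },
};
```

Both checks agree on the sample (Prototype and Script.aculo.us); in practice the passive result is the cheap first pass and the active check catches libraries loaded dynamically or from renamed files, where the script name carries no signal.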
Read Here
Monday, January 29, 2007
Detect Your Web Application's Vulnerabilities Early with Ruby
Web application fuzzing is a method of detecting a web application's vulnerabilities before the application is deployed on a production system. Users of this approach send many malicious requests to the application and, based on the responses received, determine the application's security posture. Fuzzing can also be applied to test several different attack vectors such as SQL, XPATH and LDAP injection, and error handling.
Read Here
Friday, January 19, 2007
Crawling Ajax-driven Web 2.0 Applications
Crawling web applications is one of the key phases of automated web application scanning. The objective of crawling is to collect all possible resources from the server in order to automate vulnerability detection on each of these resources. A resource that is overlooked during this discovery phase can mean a failure to detect some vulnerabilities. The introduction of Ajax throws up new challenges for the crawling engine. New ways of handling the crawling process are required as a result of these challenges. The objective of this paper is to use a practical approach to address this issue using rbNarcissus, Watir and Ruby.
Full paper
Friday, January 05, 2007
Book review - Microsoft Technet
TechNet posted a book review of Hacking Web Services.
Here
--
Shreeraj Shah's Hacking Web Services (Charles River Media, 2006) is a valuable resource for those involved in development, deployment, or support of Web services. The book is a well-organized general security reference for Web services and their component technologies. And it does a good job of detailing what is involved in defending them in your infrastructure and through your development practices.
The book begins with a relatively in-depth introduction to Web services. A case study titled "The Consequences of Procrastination" teaches you about the power of preemptive security procedures and the penalties of reactive systems. The chapter titled "Web Services Scanning and Enumeration" discusses how to use wsChess, a .NET-based Web service security toolkit from Net-Square (net-square.com/wschess/index.shtml), to profile and footprint Web services.
The book includes a utility CD, which contains a sample .NET-based application called SOAPWall. This shows you how to block injection characters and buffer overflows in your .NET Web services. In addition, the CD provides demos of different types of Web service attacks.
--