Sunday, October 25, 2009

SecurityByte & OWASP event in India




Blueinfy is conducting one day workshop and sharing research at this event.

Cloud Hacking – Distributed Attack & Exploit Platform

We are witnessing applications, networks and infrastructures moving towards cloud computing. These clouds are emerging as a common platform to perform distributed attacks. Web/Enterprise 2.0 technologies are adding a new dimension to compromise cloud security. In this talk following topics will be covered with real life cases, tools and demonstrations.

  • Fingerprinting and Footprinting clouds and resources
  • Clouds internals and discoveries
  • Cloud applications’ internal APIs and session hijacking & fixations
  • Privilege and authorization escalations in cloud computing
  • Network and Operating Systems hacks inside clouds
  • Exploiting client side of cloud users
  • Attack methods and exploits
  • Impact analysis of cross domain access inside cloud - Twitter, Facebook, LinkedIn, MySpace etc.
  • Google’s model and security threats – lessons to learn
  • Live hacks and demos
  • Tools to take away

Advanced Web Hacking – Securing Ajax, RIA and SOA

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web-based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lots of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.
Research and Talk

Friday, October 02, 2009

Web 2.0 Hacking class at DeepSec from Blueinfy

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies. The course is designed by the author of --Web Hacking: Attacks and Defense--, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges. Application Hacking 2.0 is hands-on class. The class features real life cases, hands one exercises, new scanning tools and defense mechanisms. Participants would be methodically exposed to various different attack vectors and exploits. In the class instructor will explain new tools like wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits.

Visit here for detail on event

Thursday, October 01, 2009

Secure Coding Class in Singapore

We are conducting class in Singapore from 25th-27th November. Detail over here

Description

Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. The class is designed and developed to focus on enterprise architecture and application analytics to discover vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that in 64% of cases, a vulnerability crops up due to programming errors and in 36% of cases, due to configuration issues. We will be covering analysis techniques, with tools, for assessment and review of enterprise application source code. Enterprise 2.0 and mashups, along with other different Web 2.0 concepts, reinforced by hands-on experience, will help in understanding next generation application requirements.

It is imperative to know source code review methodologies and strategies for analysis. The emphasis of the class would be to develop a complete understanding of source code analysis, audit methodologies, techniques and tools. Knowledge gained would help in analyzing and securing enterprise applications at all different stages - architecture, design and/or development. The course is designed by the author of "Web Hacking: Attacks and Defenses", "Hacking Web Service" and "Web 2.0 Security - Defending Ajax, RIA and SOA", bringing his experience in application security and research to the curriculum. Special focus is given to compliance and Top-25 errors for enterprise applications.

This class is hands-on and needs laptops to implement its numerous exercises designed to run hand-in-hand with their concepts. The class features real life cases, hands-on exercises, code scanning tools and defense plans. Participants would be methodically taken down to the source code level and exposed to the possible flaws in architecture, design and coding practices. The class would then focus on the proper ways of writing secure code and analyzing the code base.

Visit for full detail

Tuesday, September 29, 2009

Annual Conference IT Audit & Controls 2009

Conducting workshop and talk ...

W3 Conducting an Enterprise Application Audit DEMO
Date: Monday, 12 October 2009
Time: 9am - 5pm

The focus of this workshop is to analyze applications within an enterprise architecture to discover vulnerabilities. You will learn scanning, auditing and source code review methodologies – all critical tools to enable application analysis. The workshop features real-life cases, demonstrations, scanning tools and defense plans.
This workshop will cover:
• The most common vulnerabilities and proven methodologies for their detection
• Auditing for compliance and standards like PCI-DSS, OWASP Top 10 and CVE/CWE Top 25 errors
• Common programming errors and source-code scanning methodologies
• Conducting an architecture and design audit to ensure security
• Securing SDLC with best practices
• Effective scanning tools and approaches
• Mitigation strategies and frameworks

5 Auditing and Securing Web/Enterprise 2.0 Applications and Architectures
Date: Tuesday, 13 October 2009
Time: 10:30am - 12pm

• Web 2.0 threats, hacks and incidents
• Auditing and assessing the security of Web 2.0 architectures and design
• Web 2.0 vulnerabilities and mitigation
• Discovering JSON-based SQL injections, XML-driven XSS, CSRF 2.0, RSS feed injections, widget exploits, mashup hacks and more
• Auditing Web 2.0 source code and frameworks
• New tools, methodologies and audit strategies for Web 2.0

Monday, September 28, 2009

OWASP - Belgium chapter talk...

It was fun in presenting at OWASP Belgium chapter a week back before kicking the BruCON training on Web 2.0. Presented techniques on Web 2.0 assessments and some demos on scanning RIA and Flex apps.

PDF of presentation - here (http://www.owasp.org/index.php/File:Shreeraj_OWASP_Belgium.pdf)

Sunday, September 27, 2009

Talk on - Application Source Code Audit - Why, What and How

Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. This talk is designed to focus on enterprise architecture and application analytics to discover vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that in 64% of cases, a vulnerability crops up due to programming errors and in 36% of cases, due to configuration issues. We will be covering analysis and audit techniques, for assessment and review of enterprise application source code. Essentially all three important aspects of the audit will be addresses – Why it is needed, What to do and how to achieve.

Online meet - here (http://www.brighttalk.com/summit/itaudit2)

Thursday, September 10, 2009

ScanEx - Scanning for iframe and script Injections and External References (Beta)

This is a simple utility which runs against target site and look for external references and cross domain malicious injections. There are several vulnerable sites which get manipulated with these types of injections and compromised. The site gets registered with stopbadware and other databases as well. This tool helps in doing initial scanning to look from obvious injections. At this point it is looking into iframe and script tags as defined in regex file.

Download

Tuesday, September 08, 2009

Paper from Blueinfy Labs - Cross Widget DOM Spying

Widgets, Gadgets or Modules are very common and powerful feature of Web 2.0 applications. It converts single loaded page in the browser to multi-threaded application. It allows end user to work on multiple little utilities and windows from one page. Widget framework is supported by various Ajax libraries and lot of code is getting created by developers to allow this feature. Once framework is in place various different users can leverage APIs and libraries to develop their own little widget and deploy on the application domain. Any user of the application can register that widget and start utilizing its feature. This scenario opens up possibility of Cross Widget DOM Spying. This paper is going to describe that scenario and its understanding.

Read here

Thursday, September 03, 2009

Web 2.0 Hacking Training at BruCon...

Training Detail ...

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.

The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges. Application Hacking 2.0 is hands-on class. The class features real life cases, hands one exercises, new scanning tools and defense mechanisms. Participants would be methodically exposed to various different attack vectors and exploits. In the class instructor will explain new tools like wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits.

For more details see Web 2.0 Hacking – Attacks and Defense

Thursday, August 27, 2009

Binging - Footprinting and Discovery Tool

Binging is a simple tool to query Bing search engine. It will use your Bing API key and fetch multiple results. This particular tool can be used for cross domain footprinting for Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various different directives like site, ip etc. and run queries against the engine. On top of it tool provides filtering capabilities so you can ask for unique URLs or hosts. It is also possible to filter results by applying power of regular expression. Get your Bing API key and use this tool for your audit, assessment and research.

Thursday, August 20, 2009

AppPrint - Web, Application Server and Web 2.0 Fingerprinting tool (Beta)

AppPrint scans IP range, IP or host for Web and Application servers. It scans port 80 for a particular target and tries to deduce the banner using httprint methodology. This gives best guessed banner for Web Server. In next step it uses method of forced plug-in invoke and scan for application server type. At this point it tries to fingerprint Tomcat, WebLogic, WebSphere, Orion, ColdFusion and Resin. It also fingerprints Web 2.0 libraries and components. It requires .NET framework installed. In future version we will build several other technology mapping and fingerprinting technologies like Flash, Laszlo etc. Also, planning to add WAF fingerprinting module.





Thursday, July 16, 2009

Web2Fuzz - AppSec Labs Tool....

This tool is coded by our research and consulting team to test Web 2.0 applications. It is simple utility to check vulnerabilities while doing pen-testing and assessment. It is effective to use with Web2Proxy.

Here is tool detail..
Web2Fuzz (Beta)
Web 2.0 Application Auto Fuzzing tool

This tool helps in fuzzing next generation application running on Web/enterprise 2.0 platform. It can be used with Web2Proxy by harvesting JSON, XML, JS-Object etc. from already profiled HTTP requests. Adding various fuzz loads and injecting them into particular request. One can encode fuzz load in various forms to pollute/poison Web 2.0 streams. It is possible to analyze responses by using various techniques like response behavior, stream structure or patterns. Tool contains sample payload and pdf/slides can help you in giving better understanding of its behavior.


Saturday, June 06, 2009

Web Hacking Training at Syscan

We are conducting 2 days hands-on training at Syscan 09. This event is going to be in Singapore starting from 30th June.

Training detail over here...

Wednesday, April 29, 2009

OWASP Event at Poland

Blueinfy is having training for a day at OWASP

Web 2.0 Hacking – Attacks & Countermeasures, by Shreeraj Shah, Blueinfy

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.

Detail on training

There is a talk on Web 2.0 Exploits as well. Agneda

Saturday, April 25, 2009

Web2Proxy (Beta) - Web 2.0 Application Proxy, Profiling and Fuzzing tool

This tool helps in assessing next generation application running on Web/enterprise 2.0 platform. It profiles HTTP requests and responses at runtime by configuring it as proxy. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookie, login forms, hidden values etc. Based on profile one can take decision to trap and fuzz requests to identify potential vulnerabilities. This tool needs .NET framework and tested on Windows platform. We are adding several new features to upcoming edition.

Blueinfy's tool page
Demo page for tool

Friday, March 27, 2009

Next class in Singapore...

We are having a class in Singapore on 12th April.
Here is the detail on it.

Looking forward to meet few folks.

Wednesday, February 25, 2009



Article on Web 2.0 cases and challenges is part of (IN)Secure magazine.

You can read it over here (March 09).

Abstract for the article.

Web 2.0 applications are emerging at a rapid pace and also penetrating deeper into the corporate structure as Enterprise 2.0 applications. Adaptations of Ajax, Flex, SOA, RSS Feeds, JSON structures, etc. are used continuously across applications. Old applications are getting a new look through these technologies and platforms, while fresh applications are written using only these building blocks.

By the end of 2008 we have seen and assessed a good amount of applications that are now well molded into a Web 2.0 framework. A Web 2.0 application adaptation is not restricted to one industry segment but applicable to all verticals like financing, insurance, portals, etc. If the Internet is the network of networks then Web 2.0 can be perceived as the application of applications.

Monday, January 26, 2009

Infosecworld 08 - Presenting Research...

H8 Defending Against the Worst Web-Based Application Vulnerabilities in 2009 DEMO
Date: Wednesday, 11 March 2009
Time: 9:45am - 1pm
Track: Application Security

• Next generation attacks: SQL over JSON, XSS with RSS feeds, XPATH over SOAP
• Understanding the wide-spread XSS and CSRF attacks – why they help to build the worst kind of next generation Web-based worms and viruses spread through cross domain iframes
• Why scanning and detecting these application layer vulnerabilities are important for corporate enterprises
• How to defend against these attacks by providing content filtering over HTTP both for incoming and outgoing
• Source code scanning for Web 2.0 applications to protect applications against developer's mistakes
• Key tools and methodologies for both attacks and defense

Go To InfoSecWorld

Tuesday, January 20, 2009

HITB in Dubai


At HITB Dubai we are going to have web security training and presentation on our new research methodology for Application Source Code Scanning for Web 2.0 Applications.

Here is a link to the training - GO