White papers and articles
Net-Square experts frequently publish their research in the form of white papers and articles, sharing knowledge and providing guidance to enterprises seeking answers to a wide range of vital security issues and trends.
Top 10 Web 2.0 attack vectors
Web 2.0 is the term coined for the new generation of Web applications; start.com, Google Maps, Writely and MySpace.com are a few examples. A shifting technological landscape is the driving force behind these applications. On one side are Web services, which power the core server-side technology components; on the other are AJAX and Rich Internet Application (RIA) clients, which enrich the client-side interface within the browser itself. XML is making a significant impact at both the presentation and transport (HTTP/HTTPS) layers: to some extent it is replacing HTML at the presentation layer, while SOAP is becoming the XML-based transport mechanism of choice.
Top 10 AJAX security holes & driving factors
One of the central ingredients of Web 2.0 applications is Ajax, built on JavaScript. This phase of evolution has transformed the Web into a superplatform. Not surprisingly, the transformation has also given rise to a new breed of worms and viruses such as Yamanner, Samy and Spaceflash. Portals like Google, NetFlix, Yahoo and MySpace have seen new vulnerabilities in the last few months. Attackers can leverage these vulnerabilities for Phishing, Cross-site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation.
Web Services - Attacks and Defense
Web services are growing at a rapid rate and bringing new security issues into focus in the web security landscape. How do we start assessing the web services deployed at a corporate location? That is the fundamental question, and once again it all starts with information gathering. UDDI, WSDL and SOAP are the three cornerstones of this technology, and they can be powerful tools for information gathering. The Universal Business Registry (UBR) can help with footprinting via UDDI, and UBR combined with technology fingerprinting can be used to discover web services. The scope of this paper is limited to the first phase only, Web Services Information Gathering, and the entire methodology for that phase is covered here. The next two phases of the assessment methodology, enumeration and defining attack vectors, are extensive topics in their own right and will be taken up in later papers.
Defending Web Services using Mod Security (Apache) Methodology and Filtering Techniques
Web services are vulnerable to several attacks. These attacks can lead to information leakage and further aid remote command execution. Using WSDL, an attacker can determine the access point and the available interfaces of a web service. These interfaces, or methods, take inputs via SOAP over HTTP/HTTPS; if those inputs are not properly defended at the source code level, they can be compromised and exploited. ModSecurity operates as an Apache Web server module and is well suited to defending web services against such attacks, including those carried in malicious POST variable content. This paper describes techniques for defending your web services layer using mod_security.
Web Application Footprints and Discovery
Web application assessment commonly begins with an IP address and ports (80/443). But there is a flaw in this method: what if a web server is running multiple virtual hosts? In other words, one server may be running more than one web application.
In such a scenario, a web application assessment performed against the IP/port combination alone may fail or produce only partial results. Doing a reverse DNS lookup on the IP and using the result as the HTTP Host header is an option, but this too fails most of the time.
So where does the solution to this problem lie? It lies in the WHOIS information database and the DNS server.
This paper describes how to fetch this information and follow up with the discovery process for web applications.
Web application defense at the gates - Leveraging IHttpModule
Web applications are vulnerable to many attacks, mainly because of poor input validation at the source code level. Firewalls can block access to ports, but once a web application goes live and TCP ports 80 and 443 are accessible, it can be easy prey for attackers. HTTP traffic is legitimate traffic for web applications; all the more reason to include application-level content filtering over both unencrypted and encrypted communication channels. Network-level content filtering is possible to some extent but may not work over HTTPS (port 443). The only way to provide a strong defense is to apply powerful content filtering at the application level for both TCP port 80 and TCP port 443.
The .NET framework with ASP.NET provides, through the IHttpModule interface, access to the HTTP pipeline, the lowest programming layer an incoming HTTP request passes through before it reaches the web application. This can provide defense at the gates. In this paper, we look at how one can build this sort of defense in all three aspects: coding, deployment and configuration.
Web Services: Enumeration and Profiling
Web services hacking begins with the Web Services Definition Language, or WSDL. A WSDL file is a major source of information for an attacker: examining a WSDL description yields critical information such as methods and their input and output parameters. It is important to understand the structure of a WSDL file, since that is the basis on which one enumerates web services. The outcome of this process is a web services profile, or matrix. The scope of this paper is restricted to understanding this process; once it is done, attack vectors for web services can be defined. Attack vectors will be covered in the next paper.
One-way Web Hacking
One-way web hacking is a technique that relies purely on HTTP traffic to attack and penetrate web servers and application servers. The technique was formulated to demonstrate that tight firewalls or SSL do not really matter when it comes to web application attacks. Its premise is that only valid HTTP requests are allowed in, and only valid HTTP responses are allowed out, through the firewall.
My research on one-way web hacking began as early as April 2000, when I was faced with the need to upload an arbitrary file to a compromised web server which had a restrictive firewall. Since then, many other techniques were developed, and the collection of all these techniques resulted in the creation of the one-way web hacking methodology.
One-way web hacking has been demonstrated at the Blackhat Briefings in Amsterdam 2001, Las Vegas 2001 and HACK 2002 in Kuala Lumpur.
Domain Footprinting for Web Applications and Web Services
A wide array of services, from banking and finance transactions to auctions and ticket reservations, is now offered to customers online. This means that a company's Internet presence may span several domains, one for each of the services offered.
Performing a web application or web services assessment with zero prior knowledge of the client can be a daunting task for the web analyst. It is important to locate and footprint all critical domains running web applications or web services.
One of my previous papers discussed host-level footprinting to find applications pointing to specific IP addresses [http://www.infosecwriters.com/texts.php?op=display&id=259]. This paper focuses on domain footprinting and discusses a complete approach to identifying and footprinting all possible domains running web applications or web services.
Web applications are crawled by all popular search engines, and domains running web applications or web services may have links that these search engines have cached and archived. This considerably simplifies our task. In this paper, we demonstrate how the advanced search options offered by search engines such as Google, A9, Yahoo, Alexa and others can be leveraged to obtain critical information about domains.
Web Application Footprinting & Assessment with MSN Search Tricks
Any search engine database is a very powerful source of information about web applications. The search engine's spiders run frequently against sites and capture every link they can reach. As end users, however, we are more interested in the search interface and criteria these engines provide: by using their search options, end users can craft intelligent queries against the database and fetch critical information. Several tools already exist that query the Google database for this sort of security-related information about web applications. This paper describes some of the queries that can be run against SEARCH.MSN to fetch important information that eventually helps in web application assessment.
SEARCH.MSN provides web services APIs for building applications on top of its search interface. More information can be found at http://search.msn.com/developer/
To use SEARCH.MSN you will require an Application ID, which can be obtained with an MSN Passport. Queries are limited to 10,000 a day, with a total of 50 results per query. This gives an application great flexibility, and as a security tool MSN search can provide substantial information, making it a handy addition to your toolkit. For the examples outlined in this paper, some of the information is retrieved through this interface using a sample application called wapawn.
Browser Identification for Web Applications
Browser identification is not a new concept. With the focus having shifted from networks and servers to desktops, the topic of remote browser identification needs to be revisited.
Browsers identify themselves to web servers in the USER_AGENT header field contained in every request sent to the server. Almost every browser release contains sloppy code that allows malicious servers or attackers to compromise user privacy and security.
The header that normally identifies a user's web browser tells such servers exactly which attacks to use. Obfuscating the information contained in the USER_AGENT header field reduces the likelihood of browser-related attacks.
There are other methods of analysis and evaluation that help in accurately identifying browsers. Knowing about these methods is necessary for two reasons:
- To increase awareness of browser-related attacks among desktop users.
- To help security consultants factor browser-related information into web application security testing assignments.
This paper outlines techniques that allow users to determine client browser types remotely.