Wednesday, December 12, 2012

Customized Best Practices from HackVidhi




A web application developer must always follow a set of best practices to ensure that his/her web application is secure. If followed properly, these best practices can put up a good fight against malicious content and attacks. Yet most applications lack these practices and are vulnerable to web threats. For some, the practices were not followed for lack of time; others had functional limitations, while the rest simply had a negligent attitude towards security. The reason could be anything, but if exploited to the core, the consequences can be damaging.
The basic best practices you must follow in your web application -

  • Parameterized Queries: If your application deals with SQL, always write parameterized queries or prepared statements. This can save your application from SQL injection. In other words, it does not allow an attacker to change the structure of dynamically built queries.
  • Store sensitive data safely: If your application stores sensitive files such as customer information, always store such files outside of the webroot. And if your application has a limitation which does not allow you to do so, explicitly make sure to secure them using encryption.
  • Check for buffer overflow: Always make sure that input is checked against the size of the buffer that receives it, so that deliberately oversized input cannot choke or crash the flow of your application. Efficient memory management should always be a must-consideration.
  • Proper error handling: One common strategy used by attackers is to make your web application fail and read information out of the error thrown on the browser. So make sure that your web application has a proper error-handling mechanism implemented in it, one which prevents leakage of any core information even if it fails.
This list is not complete yet. We could add a few more points here and the list would still be incomplete.
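To make the first point concrete, here is an added example (not code from the original post) that puts a string-concatenated query beside its parameterized form against a constructed in-memory SQLite table; the table, rows and inputs are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input becomes part of the SQL grammar,
    so a quote in the input can change what the query means."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Placeholder binding: the driver passes the value separately from the
    statement, so it is only ever compared as data and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # a classic textbook test string
    print("vulnerable:    ", lookup_vulnerable(db, probe))     # returns every row
    print("parameterized: ", lookup_parameterized(db, probe))  # returns nothing
```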

At HackVidhi, we help you understand these practices better. Along with all of our security testing services, you can take advantage of a free consultation to make your website or web application secure, and we will also provide you a set of customized best practices tailor-made for your application. We believe in not only providing our clients the best services but also enriching their knowledge in the area of web security.
- Richa

Sunday, December 2, 2012

99% of Top Indian Websites can be 'UI Redressed'!!


Today I performed some analysis on the current usage trend of X-FRAME-OPTIONS in the top 500 websites of India (I used the sites listed here); this analysis came out with some interesting statistics:



  • 92% of the top Indian websites don't use X-FRAME-OPTIONS at all.
  • The point worth noticing here is that most of the 18% of sites which use X-FRAME-OPTIONS are not of Indian origin; Alexa doesn't take the origin factor into account when listing the top sites for a country, it sorts the websites based on number of hits.
  • This eventually leads to the fact that only 1% of Indian sites are actually using X-FRAME-OPTIONS!!
  • Of the remaining 99% of top websites (of Indian origin), half of them are relying on different frame-busting scripts to avoid this threat; I will explain later why scripts are not foolproof, as there exists at least one way to break each of these scripts.
  • The other half of those 99% are not using any technique to avoid UI Redressing attacks!!
  • To my surprise I even saw one website using a strange value for the X-FRAME-OPTIONS header, 'GOFORIT', and this on a relatively popular telecom website.




This makes me very curious about the security practices that Indian websites are following. Web security is one of those areas which should not be overlooked; it should be given the amount of attention it deserves.



(Here is a brief overview of the UI Redressing attack; I am not going deep, as a lot of useful material on UI Redressing attacks is available on the internet.)

UI Redressing attack in its basic form can be visualized as –




So the attack lies in having the user see one interface while actually interacting with an altogether different interface. For instance, in the example above the user thinks that he is claiming his gift, but he might actually be transferring his funds to some other bank account (provided, of course, that his account is open in some other tab). The most common vehicle for delivering this threat is an iframe. The attacker embeds the webpage he wants to attack in his iframe and makes it invisible while keeping his own content visible; when a genuine user performs some action on the attacker's page, the user is actually performing that action on the background page as well.
There exist various advanced mechanisms using which an attacker can manipulate the user's input on his page and force selected input to be sent to the hidden page. I will probably be writing about these advanced exploitation mechanisms in a different article.


Possible Impacts-
An attacker can cause the user to perform certain actions which he would not perform consciously; examples of such actions include transferring funds from his online bank account, cancelling orders that he placed on some e-commerce site, or changing the delivery address for those orders; the list can be endless.

Safety measure that websites are using to avoid this attack: FRAME-BUSTING-
Most websites today are using frame-busting techniques to overcome this threat; frame-busting, as the name indicates, involves detecting whether the page is being loaded in an iframe and then busting out of this frame!! Different scripts are being used to achieve frame-busting on different sites.

How FRAME-BUSTING techniques\scripts can be circumvented-
There is a paper published by a couple of Stanford University students which talks about how frame-busting scripts can be broken; this paper explains that a way eventually exists to break almost every one of the scripts that websites are currently using to implement frame-busting.


Moving Towards HTTP Header: X-Frame-Options-
This is a better solution in comparison to frame-busting scripts. This header restricts the possibility of the page being framed; it can have three possible values:
DENY -
This option means the page can never be framed by any page, not even by a page with the same origin.

SAMEORIGIN -
This option means the page can be framed, but only by another page with the same origin.

ALLOW-FROM -
This option means the page can be framed, but only by the specified origin.
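As an added example (not part of the original post or its survey), the following classifier reproduces the kind of check the statistics above rest on: it reads a response's X-Frame-Options header, sorts it into the three documented values, an absent header or a non-standard value such as 'GOFORIT', and tallies a constructed set of hostnames and header sets that exist only for this demonstration.

```python
from collections import Counter

# Constructed sample responses (hostnames and headers are made up for this example).
SAMPLE_SITES = {
    "shop.example":    {"Content-Type": "text/html"},                    # no header at all
    "bank.example":    {"X-Frame-Options": "DENY"},
    "news.example":    {"x-frame-options": "sameorigin"},                # lowercase name and value
    "telecom.example": {"X-Frame-Options": "GOFORIT"},                   # the odd value seen in the post
    "mail.example":    {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def classify_xfo(headers):
    """Return 'missing', 'deny', 'sameorigin', 'allow-from' or 'invalid' for one response.

    Header names are matched case-insensitively, as HTTP requires, and the value
    is compared case-insensitively the way browsers do.
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if value is None:
        return "missing"
    token = value.strip().upper()
    if token in ("DENY", "SAMEORIGIN"):
        return token.lower()
    # ALLOW-FROM takes exactly one origin. Chrome and Safari never implemented it,
    # so it protects only some browsers; CSP frame-ancestors is the modern replacement.
    if token.startswith("ALLOW-FROM ") and len(token.split()) == 2:
        return "allow-from"
    # Anything else (e.g. 'GOFORIT') is ignored by browsers, so the page stays frameable.
    return "invalid"


def survey(sites):
    """Tally classifications and the percentage of sites with an effective
    (DENY or SAMEORIGIN) header. Returns (counts dict, percentage)."""
    counts = Counter(classify_xfo(h) for h in sites.values())
    effective = counts["deny"] + counts["sameorigin"]
    pct = round(100.0 * effective / len(sites), 1) if sites else 0.0
    return dict(counts), pct


if __name__ == "__main__":
    for host, hdrs in SAMPLE_SITES.items():
        print(f"{host:18} {classify_xfo(hdrs)}")
    print(survey(SAMPLE_SITES))
```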



-Archana

Wednesday, November 28, 2012

Pen-Testing as a Service (pTaaS)

Today the most popular term in the software industry is probably 'SaaS' (Software as a Service), which basically means 'Software on Demand'. In the SaaS model the software is hosted at some remote place and the customer can access it using a web browser or the like. The main benefits of the SaaS model include:
  • the customer need not worry about the hardware and maintenance requirements of the software;
  • and in most cases the customer has to pay only for what he is using, e.g. in the case of DynamoDB the customer pays only for the amount of data he is storing or retrieving.
These two benefits have made SaaS quite a popular concept.

In the term SaaS, the word 'service' is used figuratively, i.e. it is like outsourcing your software's infrastructure and maintenance needs. When I say pTaaS, i.e. Pen-Testing as a Service, I mean it literally rather than figuratively: by pTaaS I mean outsourcing your penetration testing work.

The biggest hurdle in outsourcing some service XYZ is the amount of information that needs to be exchanged between the client and the service provider; if the information exchange involves sharing something confidential, then that service XYZ probably cannot be outsourced. As penetration testing is in itself a form of black-box testing, it can be easily outsourced, since the pen-tester hardly needs any implementation or even design information.

Although some forms of pen-testing can be better categorized as gray- or white-box testing, that is not actual pen-testing; this is what I feel, at least. Pen-testing is basically thinking from an attacker's or hacker's point of view and then probing a piece of software for security vulnerabilities. The less information (about the targeted software, of course) a pen-tester has at the beginning of the pen-test, the more effective and more practical the pen-testing results are going to be!! When someone knows the internal details of a product YYY, it is comparatively easy for him to figure out the issues with that product YYY. But the real art lies in starting with zero information and then ultimately figuring out a way to compromise the whole product; this is what our pen-testing services are all about.

If you allow us to do this service for you, then:

  • we will be doing a complete analysis of your website by exploring all possible issues because of which your website can be compromised;
  • and finally we will be sharing a detailed report of how those issues can be exploited, along with suggestions to fix those issues.

PS: In my last post I promised to discuss the UI Redressing attack and usage statistics for 'X-FRAME-OPTIONS'; please excuse me for changing the topic today; I will be writing on that topic very soon.

-Archana

Monday, November 26, 2012

Creating Website for Dummies -DreamWeaver and GoDaddy - Amazing Combo !!

Disclaimer: If you are an expert web designer then this blog post is not for you :) ; this is meant only for Dummies like me who don't have even very basic knowledge of website creation concepts.

My core interest is in Testing (i.e. breaking things, complaining about problems, shouting here and there about why things are not working, etc. etc. :D); I never thought about the amount of effort that is actually needed to get a simple thing like a static website working. Seriously, finding issues in working things is lot, lot, lot, lot easier than actually getting those things working.

I was searching for an easy solution to create a website with static content; I immediately settled on 'GoDaddy' as the hosting server (based on my brother's recommendation), but I was not sure about the tool to use for creating those static pages. While browsing the internet I suddenly saw Dreamweaver, which reminded me of my college days. I had used Dreamweaver a little bit in college, but that was around 4-5 years ago and I didn't remember a bit about what Dreamweaver was like at that time.

So, based on the fact that at least the name Dreamweaver looked familiar, I downloaded the trial version from here (CS6). Luckily I found this link to a video on the internet in which the integration of Dreamweaver with GoDaddy's FTP server was explained; the Dreamweaver version they are showing in the video is probably some older version, still it was not tough to figure out the same settings in CS6. With 3-4 lines of settings for the remote server in Dreamweaver I was able to directly sync my content with the content on the GoDaddy FTP server!! I am not going to explain the minute details of those settings here, as I believe the Dreamweaver UI is very intuitive and, using the video for which I shared the link above, it is very easy to figure out the exact steps.

Our website is still under construction, but the ease provided by Dreamweaver (at least in syncing the content) is awesome!!

Stay tuned for the coming post on the UI Redressing attack and usage statistics for 'X-FRAME-OPTIONS' with reference to Indian websites.

-Archana

Saturday, November 24, 2012

HackVidhi - Story of Inception


On a warm October midnight this year, Archana and I bumped into a discussion of how her random attempt at placing an order online for a commodity (without actually completing the order) resulted in a successful order notification, and she was left with an order placed worth Rs 17,000 for a commodity that she neither intended to buy nor had paid for!!
I once placed an order that I wanted to modify later and was left with no other way of editing my order but to write to customer care using their "Post us" form. Needless to say, perplexed as I was, I was heartlessly filling in the form rapidly, thinking over what I could post in this form to inform them about an alteration I needed to make to my order. When I was done posting my query, I started thinking whether there was a different brain thinking about 'what all' could be posted on this form rather than just what should be posted on such forms.

There is spam floating all around, offering products that mislead consumers into online frauds.
These represent a much larger gamut of such experiences in an online customer's day-to-day life that make him rethink the fidelity of online endeavours and how fatal they can be if precautions are overruled. For all we know, in the online world the thick layer of underlying security vulnerabilities exposed by high-traffic web applications and numerous bare loopholes are a great motivation for a series of malicious brains making their way into the world of tremendous possibilities termed hacking.


The question then is: do today's online businesses have enough awareness to invest in protecting their systems from potential attacks, or is the red carpet laid out to welcome their customers eventually ushering in the hackers?

This thought process took us on a joy ride of much interesting discussion on how we can explore these possibilities and help online businesses hear the Ninja's knocks on their doors!
The result of our discussion was HackVidhi, a simple and thoughtful initiative to provide quality assurance services for the magnitude of security vulnerabilities unleashed by millions of dollars' worth of insecure information travelling through trapped tunnels.
At HackVidhi and in this blog we will continually talk about:

- Most common Web App Security threats
- Current Hacking trends and Math of Security Risks
- Dynamics of site exposures and Threat Modeling
- Preventive measures and our offerings
- Penetration Testing: Raising the bars
- Specialized service for Web Application Security

Look out for our upcoming posts on Web Application Security hazards, making your Web App your secure home, keys to your own doors of assured and secured success, and a lot more.