Wednesday, May 29, 2013

Penetration testing must be a part of your web strategy because all it takes is one malicious attack....

If, like most people who grew up in the late 20th century, you are a Bill Watterson fanatic, then you will surely remember getting a kick out of this (pun intended). http://bestofcalvinandhobbes.com/2011/10/a-swifty-kick-in-the-butt-is-for-sale/


While the humor in these strips is reward enough, you can often draw on Bill’s caricatures for real-life lessons. In this case, I immediately associate it with any company that has an online presence but is not conducting periodic sweeps of its website to test its own vulnerabilities. Obviously “a kick in the butt” is not an academically precise comparison, but it’s a start and maybe just what the doctor ordered.

While CTOs are aware of the increasing vulnerabilities in their websites, many are content with the “I have never been hacked, so why should I care?” philosophy. To this line of thinking, I rebut with “All it takes is once”.

If you hold customer information, you have an obligation to be proactive in plugging the holes in your portal. If you lose confidential client information once, you lose much more than immediate revenue: you lose trust, which affects future streams of revenue. Negative publicity spreads far faster than compliments. The only reason this would not bother you is if you are a one-man tea stall on a lonely road with no ambition whatsoever to grow. In that case, may I ask what you’re doing online?

While following standards in secure web design will get you most of the way there, smarter people will inevitably find a way around them. In comes “penetration testing”. HackVidhi’s super smart team of programmers is standing by to get its hands dirty by “ethically hacking” your website before malicious hackers get the chance to.

Penetration testing is not typically a scripted model. There are no clear steps 1, 2 and 3 to follow. It’s a skill that’s learned over many hours of reading, experimenting and, you got it, ethically hacking websites. To boot, you cannot be an ethical hacker without already being a web designer. Consequently, this team is already well versed in web design and can school your web design team on establishing best practices and checkpoints for secure design.

If this has caught your attention and you have another 2 minutes before those Pop-Tarts pop in your microwave, go to http://hackvidhi.com/PenTesting.php for a pictorial overview of our services and shoot us an email for a free first round of penetration testing. You have no obligation to continue; you get a free report outlining the first couple of issues found (if any), and you now have a better idea of how your web design will hold up to intrusions. If you do see value in our services, we will contract with you for periodic penetration testing and function as an extension of your current development and test team. Our paid services can also serve as part of your audit needs, to show that you are taking the necessary steps to protect your private data and that of your clients.

If you have any questions or want to get started, simply shoot us a quick email at contactus@hackvidhi.com

Monday, May 13, 2013

In-house Penetration Testing vs Outsourced Penetration Testing



For the management of a company with an online presence, web security is a big concern nowadays. Pen-testing is a way of finding security loopholes in a website. From the management point of view, the biggest doubt about pen-testing is -


Shall we develop our own in-house pen-testing team, or shall we outsource the testing? Is it worth developing an in-house pen-testing team?


We, HACKViDHI, strongly recommend that you outsource the pen-testing work instead of developing your own pen-testing team. The following are a couple of points worth mentioning that explain why you should choose outsourcing -



Frequency of full penetration testing cycle

In-house: Penetration testing is often not needed as frequently as functional testing. A simple bug fix might need a complete round of functional testing, while the same bug fix might not need a complete penetration testing cycle. So having an in-house penetration testing team might be overkill, as the penetration testing team will only be needed from time to time.

Outsourced: When you outsource penetration testing, you pay for it only when you need it. This leads to reduced cost estimates.

Penetration testing toolkit

In-house: Penetration testing involves automated tools along with manual effort. An in-house team needs to buy or develop all such tools and software before it can proceed. This means investing a significant amount of time and cost to prepare the penetration testing toolkit.

Outsourced: If you are outsourcing, the vendor company should already have the required toolkit. Since they reuse this kit for all their clients, they will charge you less than what you would have invested to prepare the same kit. This, again, leads to reduced cost estimates for pen-testing.

Experience does matter

In-house: An in-house penetration testing team will know only about the issues found in previous releases of the website; it will have no idea about the prevalent issues on other websites, as the team has limited exposure. This can lead to ignoring an important vulnerability while giving extra attention to the vulnerabilities found in the last release.

Outsourced: The vendor pen-testing company has exposure to many types of security issues, as it has experience testing different kinds of websites. So it knows about the hot issues with the latest tools and technologies. This leads to quality results with proper emphasis on the right kind of issues.

Learning new attack dimensions - training cost

In-house: Penetration testing is a continuously evolving field, as new threat vectors are discovered every day. An in-house penetration testing team needs to be aware of all advancements in the field of web security; this means the team will need continuous training and learning resources. This training requires a significant investment.

Outsourced: Investing in training is costly for the vendor company as well, but they use the knowledge gained from that training for the benefit of multiple clients. So when giving a cost estimate for pen-testing, they split the training charges. For you, this is again a cost saving.
 

If you are from the e-commerce domain, or are associated with an online business in any manner, it is imperative for you to make sure that your business and your customers’ information is in safe hands. With HACKViDHi penetration testing services, you can find out the vulnerabilities of your online business and, using our consultation, work towards fixing them so that you can protect your business and customers’ information from exposure.

To know more, contact us by e-mailing contactus@hackvidhi.com or visit our website for a free trial at http://www.hackvidhi.com and we will get back to you.



-Archana


Top Web Security Threats

Here is our presentation on the top security threats in the field of web application development -

This presentation also talks about the impact on the website if any of those threats is exploited. The presentation does not cover the technical details of the threats; it focuses on business impact.


-Archana


Friday, April 19, 2013

e-ShopLifting: An Introduction


The dictionary defines shoplifting as “to steal merchandise from a store that is open for business”. E-shoplifting is the act of stealing articles, modifying pricing, or similar fraud committed by a malicious user (an e-shoplifter) against an online shopping store.

With the advancement of technology and e-commerce, online business has grown exponentially. Unfortunately, malware and attacks on the internet have advanced at the same pace. E-shoplifting is mostly used to buy a product at a price lower than the one listed on the website. It also refers to stealing customer details such as a credit card number, which could lead to much more than theft from a particular shopping transaction.
E-shopping works around four entities:
1. The online store - which lists the items for sale.
2. The customer - who intends to buy the items, adds them to his shopping cart and finally enters details to make the payment.
3. The payment gateway - which receives from the online store the payment details provided by the customer, communicates with the customer’s bank, enables the money transaction and, once the transaction is done, sends an acknowledgement to the online store.
4. The bank - which verifies the information sent by the payment gateway and completes the transaction.
In the case of e-shoplifting, there is one more entity:
5. The e-shoplifter, aka hacker, who tampers with the customer’s details before they reach the payment gateway.


Among the various measures used by online stores, the most common are sending a checksum along with the other details to make sure the data is not tampered with, and verifying the amount debited in the acknowledgement from the payment gateway. These measures are not enough and provide only limited security. The checksum used here can be calculated by the hacker and, even if the store uses a private key, given modern computers’ processing power it is possible for the hacker to guess the key too. Furthermore, verifying the bank acknowledgement does not guarantee security either, as the e-shoplifter who tampered with all the details sent to the bank can also change the amount in the acknowledgement to match his tampered version.
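The store-to-gateway exchange described above, written out as an added example (this is not code from the post or from HackVidhi): the store signs the payment request with a keyed HMAC rather than a bare checksum, the gateway refuses anything whose MAC does not verify, and, the point that matters for the tampered acknowledgement, the store checks the acknowledgement against its own server-side order record instead of against whatever amount came back through the browser. The shared secret, the order table and the message layout are constructed for this example; a real integration gets the secret from the gateway out of band and keeps it off the client.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values: the shared secret and the order record are made up for
# this example. A real store provisions the gateway secret out of band and keeps
# it (and the order table) strictly server-side, never in page HTML or JavaScript.
STORE_GATEWAY_SECRET = b"constructed-demo-shared-secret-do-not-reuse"
ORDERS = {"ORD-1001": {"amount_paise": 249900, "currency": "INR"}}


def canonical(fields: dict) -> bytes:
    """Stable byte encoding so the store and gateway MAC exactly the same input."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def mac(fields: dict) -> str:
    return hmac.new(STORE_GATEWAY_SECRET, canonical(fields), hashlib.sha256).hexdigest()


def mac_ok(message: dict) -> bool:
    # Constant-time comparison avoids leaking how many MAC characters matched.
    return hmac.compare_digest(mac(message["fields"]), message["mac"])


def build_payment_request(order_id: str) -> dict:
    """Store side: the amount comes from the server-side order record, not the form."""
    order = ORDERS[order_id]
    fields = {
        "msg": "payment_request",   # domain separation: an ack cannot be replayed as a request
        "order_id": order_id,
        "amount_paise": order["amount_paise"],
        "currency": order["currency"],
    }
    return {"fields": fields, "mac": mac(fields)}


def tamper(message: dict, **changes) -> dict:
    """Simulates modification of a message while it passes through the browser."""
    fields = dict(message["fields"])
    fields.update(changes)
    return {"fields": fields, "mac": message["mac"]}


def gateway_process(request: dict) -> Optional[dict]:
    """Gateway side: refuse anything whose MAC does not verify, otherwise debit and ack."""
    if request["fields"].get("msg") != "payment_request" or not mac_ok(request):
        return None
    f = request["fields"]
    ack_fields = {
        "msg": "payment_ack",
        "order_id": f["order_id"],
        "amount_paise": f["amount_paise"],
        "currency": f["currency"],
        "status": "SUCCESS",
    }
    return {"fields": ack_fields, "mac": mac(ack_fields)}


def store_accept_ack(ack: Optional[dict]) -> bool:
    """Store side: verify the MAC, then compare the ack against the store's own
    order record rather than against any amount that came back via the browser."""
    if ack is None or ack["fields"].get("msg") != "payment_ack" or not mac_ok(ack):
        return False
    f = ack["fields"]
    order = ORDERS.get(f.get("order_id"))
    return (
        order is not None
        and f.get("status") == "SUCCESS"
        and f.get("amount_paise") == order["amount_paise"]
        and f.get("currency") == order["currency"]
    )


def run_scenarios() -> dict:
    """Returns the outcome of each scenario so the whole flow can be checked."""
    honest = build_payment_request("ORD-1001")
    cheaper = tamper(honest, amount_paise=100)          # price changed in transit
    good_ack = gateway_process(honest)
    edited_ack = tamper(good_ack, amount_paise=100)     # ack edited on the way back
    # A correctly signed ack whose amount differs from the order record (for example
    # because the gateway was asked to debit a different amount) must still be rejected.
    short_fields = dict(good_ack["fields"], amount_paise=100)
    short_ack = {"fields": short_fields, "mac": mac(short_fields)}
    return {
        "honest_request_accepted_by_gateway": gateway_process(honest) is not None,
        "tampered_request_accepted_by_gateway": gateway_process(cheaper) is not None,
        "good_ack_accepted_by_store": store_accept_ack(good_ack),
        "edited_ack_accepted_by_store": store_accept_ack(edited_ack),
        "signed_short_ack_accepted_by_store": store_accept_ack(short_ack),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The decisive line is in `store_accept_ack`: the amount it trusts is the one in `ORDERS`, which the browser never touches, so an acknowledgement that was edited in transit fails the MAC and one that is genuine but for the wrong amount fails the record comparison.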


E-shoplifting may not be 100% avoidable even with complex security measures, but it can be reduced to a great extent just by implementing and adopting a few security best practices in the online store website and the e-shopping workflow.


If you are from the e-commerce domain, or are associated with an online business in any manner, it is imperative for you to make sure that your business and your customers’ information is in safe hands. With HACKViDHi penetration testing services, you can find out the vulnerabilities of your online business and, using our consultation, work towards fixing them so that you can protect your business and customers’ information from e-shoplifting. To know more, contact us by e-mailing contactus@hackvidhi.com or register on our website for a free trial at http://www.hackvidhi.com and we will get back to you.


Check our presentation on e-shoplifting at http://www.slideshare.net/hackvidhi/e-shoplifting-hackvidhi.

Friday, March 15, 2013

Login CSRF Prevention - White Paper

Here is our very first white paper - "Login CSRF Prevention – A Proposal"

Here is the abstract -


Cross-site request forgery stands at 8th position in the OWASP Top 10 list of 2013. CSRF exploits the trust relationship between an authenticated user and the website that provided the authentication. This paper aims to provide a basic introduction to CSRF and its special type, login CSRF, along with the preventive measures that are commonly used. This paper also introduces a new proposal for a login CSRF defense mechanism, a mechanism which aims at addressing the shortcomings of currently used approaches. This proposal can also be used to prevent standard CSRF attacks, though there are certain trade-offs.


Please download the complete white paper from here - http://hackvidhi.com/WhitePapers.php.


Please do share your feedback and comments; we will be happy to hear from you!


-Archana

Thursday, March 14, 2013

HACKViDHi Course in Web Programming and Ethical Hacking


Hello friends,

After a break from blogging, we are back to share some good news with all of you. This week, the HACKViDHi Course in Web Programming and Ethical Hacking received more than 150 enrollments. We are looking forward to many more curious guys and gals benefiting from this free course. Keep spreading the word.
http://www.hackvidhi.com/courses.php

See you all in summer !!

- Richa

CSRF - Using Secret Tokens is NOT enough!!

I recently came across a popular e-commerce site; they are using secret tokens to avoid CSRF, yet they are still vulnerable to CSRF!! Oddly enough, they are not doing it right.

Sending a random token is not enough; it is also necessary to keep track of which token has been sent with which request, i.e., which token is expected to come back with a particular request.


This is, approximately, the approach they are using to protect their site -



  • They have a collection of valid CSRF tokens.
  • With each request they send one of the CSRF tokens from the repository.
  • When the request is submitted, they check whether the returned token belongs to their collection of tokens; if yes, they just allow the request!!

It’s very easy to circumvent this approach: just get hold of any one of their valid tokens and replay it with any CSRF request; your CSRF request will go through.
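The two token schemes side by side, as an added example that is not code from the post or from the site it describes: `PoolTokenStore` reproduces the pattern the post criticises (a shared pool where any pooled token is accepted for any session), and `SessionBoundTokenStore` is the fix the post calls for, one token tied to one session, compared in constant time and rotated after login so a pre-authentication token is not accepted afterwards. The session identifiers and the endpoint stub are constructed for this example.

```python
import hmac
import secrets


class PoolTokenStore:
    """The flawed pattern from the post: one shared pool, any pooled token is accepted."""

    def __init__(self):
        self.valid_tokens = set()

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.valid_tokens.add(token)        # session_id is ignored: this is the weakness
        return token

    def validate(self, session_id: str, token) -> bool:
        # Membership in the pool says nothing about which session the token was issued to.
        return token in self.valid_tokens


class SessionBoundTokenStore:
    """Hardened pattern: one token per session, checked against that session only."""

    def __init__(self):
        self.token_by_session = {}           # session_id -> token currently expected

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.token_by_session[session_id] = token   # overwriting rotates any older token
        return token

    def rotate_on_login(self, session_id: str) -> str:
        # A fresh token once the user is authenticated means a token handed out to the
        # anonymous session cannot drive an authenticated request (the login CSRF case).
        return self.issue(session_id)

    def validate(self, session_id: str, token) -> bool:
        expected = self.token_by_session.get(session_id)
        if expected is None or not isinstance(token, str):
            return False
        return hmac.compare_digest(expected, token)   # constant-time comparison


def handle_state_change(store, session_id: str, submitted_token) -> str:
    """Stand-in for a state-changing endpoint: refuse unless the token fits this session."""
    if not store.validate(session_id, submitted_token):
        return "rejected"
    return "accepted"


def run_comparison() -> dict:
    """Exercises both stores with a victim session and a second, unrelated session."""
    results = {}
    for name, store in (("pool", PoolTokenStore()), ("bound", SessionBoundTokenStore())):
        victim_token = store.issue("sess-victim")   # constructed session ids
        other_token = store.issue("sess-other")     # a token legitimately issued elsewhere
        results[f"{name}_own_token"] = handle_state_change(store, "sess-victim", victim_token)
        results[f"{name}_other_sessions_token"] = handle_state_change(store, "sess-victim", other_token)
        results[f"{name}_missing_token"] = handle_state_change(store, "sess-victim", None)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_comparison().items():
        print(f"{scenario}: {outcome}")
```

Running it shows the difference in one row: the pool store accepts a token that belongs to a completely different session, which is exactly the gap the post describes, while the session-bound store rejects it and accepts only the token it handed to that session.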

Amazed by their approach, I did some analysis of CSRF token trends for 50 Indian websites, which include -
  • top 20 eCommerce websites 
  • top 10 travel domain websites 
  • top 10 Matrimonial websites
  • top 10 Job portal websites
The results came up with interesting statistics. I will be sharing those stats in my upcoming blog post.

Stay tuned!

-Archana