httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications.
What can you do with it? Here's a few ideas:
•See what users on your network are requesting online
•Check for proper server configuration (or improper, as the case may be)
•Research patterns in HTTP usage
•Watch for dangerous downloaded files
•Verify the enforcement of HTTP policy on your network
•Extract HTTP statistics out of saved capture files
•It's just plain fun to watch in realtime
Download:http://dumpsterventures.com/jason/httpry/
Friday, July 30, 2010
Thursday, July 29, 2010
Application Security Checklists
This checklist is a helpful reference when performing a web application security test. It is not a complete list though - there are often application-specific vulnerabilities and subtle issues that this does not cover.
Authentication
Logging in with an invalid user name does not reveal whether the user exists
Accounts are locked after a number of failed logins
An attacker cannot reset the lockout (e.g. by removing cookies)
Can't easily lockout an account to cause a denial of service
After login a redirect is issued, to prevent refresh attacks
Both "change password" and "logout" functions are provided
User is informed of last login time
Change password requires provision of old password
Passwords are proactively checked for strength
Password is never revealed (e.g. in the source of change password)
Session Management
Session tokens are at least 128-bit
Session tokens are unpredictable
A new session is allocated at login (i.e. session fixation is prevented)
Logout invalidates the session token on the server
Cookie has "secure" and "httponly" options set and is non-persistent
Sessions have an inactivity timeout
Sessions have an absolute timeout
Injection Attacks
Cross-site scripting
HTTP response splitting
SQL injection
LIKE pattern injection
LDAP injection
XPATH injection
Mail header injection
Directory traversal
Null-byte injection
Shell script / batch injection
Server-side script injection (PHP, Perl, etc.)
XML injection
Try to bypass filters using over-long utf-8 encodings
Try to bypass filters using wide-ASCII, or other Unicode equivalents
Content Checks
No script or CSS tags reference resources on other servers
No script or CSS tags on a page that can be accessed over HTTPS use URLs beginning http://
Use of eval, document.write, innerHTML, etc. does not cause XSS
Comments in files do not reveal sensitive information
Frames/iframes, if used, have frame spoofing protection
autocomplete=off is set on all forms asking for personal information
Private IP addresses
Server Side Script Behaviour
Arbitrary redirection
Arbitrary message inclusion
File upload features restrict uploaded content to prevent compromise
JavaScript Hijacking
Scripts that cause write actions require POST with a CSRF token
Scripts that act as an open proxy or mail relay
Exponential format accepted
Server compromise by uploading XML that sources a stylesheet
Source code disclosure through scripts that allow read access to files
Authorisation
All protected resources check for a valid session
All protected resources check for user permissions (forced browsing)
Parameter tampering does not allow access to others' data
Page-to-page flow is correctly enforced where required
Form POST targets perform the same authorisation as form views
Miscellaneous
cache-control: private or stronger is used on sensitive pages
All client-side validation is repeated on the server
Site supports HTTPS, and sensitive pages forbid HTTP access
All pages are displayed with status and address bars
All URLs are expected from a customer's point of view
No "Mixture of secure and insecure content" warnings
Server Configuration
There are no "orphaned" files (exist on the web server, but not linked)
No backup versions of files are accessible (may reveal source code)
No common insecure scripts (e.g. snoop servlet) are accessible
Error messages do not provide overly-detailed information
Special Cases
Dynamic login questions: question cannot be changed by the user
Application forms: restarting a transaction doesn't leak information
Smoke & mirrors: generated emails are appropriately protected
Domain auth: domain accounts cannot be locked out from the Internet
Forgotten password: understand any information leaked or risks created
SSL Client Certificates
Does login check user name matches certificate?
Can you lock out an account without holding the certificate?
Is certificate required for every request?
Does it check the certificate matches the session ID?
Can you login using a self-signed certificate?
Are test/pre-prod certificates separated from live?
Nested Web Service
Is the WSDL file accessible?
Does access to the web service require a web session?
Does it check the web session user matches the WS user?
Also, most of this checklist also applies to the web service.
Further, Very good article on Web Application Security Checklist:
http://www.enterpriseitplanet.com/security/features/article.php/2214631/Web-Application-Security-Checklist.htm
Various Security Checklists for your reference:
http://iase.disa.mil/stigs/checklist/
Authentication
Logging in with an invalid user name does not reveal whether the user exists
Accounts are locked after a number of failed logins
An attacker cannot reset the lockout (e.g. by removing cookies)
Can't easily lockout an account to cause a denial of service
After login a redirect is issued, to prevent refresh attacks
Both "change password" and "logout" functions are provided
User is informed of last login time
Change password requires provision of old password
Passwords are proactively checked for strength
Password is never revealed (e.g. in the source of change password)
Session Management
Session tokens are at least 128-bit
Session tokens are unpredictable
A new session is allocated at login (i.e. session fixation is prevented)
Logout invalidates the session token on the server
Cookie has "secure" and "httponly" options set and is non-persistent
Sessions have an inactivity timeout
Sessions have an absolute timeout
Injection Attacks
Cross-site scripting
HTTP response splitting
SQL injection
LIKE pattern injection
LDAP injection
XPATH injection
Mail header injection
Directory traversal
Null-byte injection
Shell script / batch injection
Server-side script injection (PHP, Perl, etc.)
XML injection
Try to bypass filters using over-long utf-8 encodings
Try to bypass filters using wide-ASCII, or other Unicode equivalents
Content Checks
No script or CSS tags reference resources on other servers
No script or CSS tags on a page that can be accessed over HTTPS use URLs beginning http://
Use of eval, document.write, innerHTML, etc. does not cause XSS
Comments in files do not reveal sensitive information
Frames/iframes, if used, have frame spoofing protection
autocomplete=off is set on all forms asking for personal information
Private IP addresses
Server Side Script Behaviour
Arbitrary redirection
Arbitrary message inclusion
File upload features restrict uploaded content to prevent compromise
JavaScript Hijacking
Scripts that cause write actions require POST with a CSRF token
Scripts that act as an open proxy or mail relay
Exponential format accepted
Server compromise by uploading XML that sources a stylesheet
Source code disclosure through scripts that allow read access to files
Authorisation
All protected resources check for a valid session
All protected resources check for user permissions (forced browsing)
Parameter tampering does not allow access to others' data
Page-to-page flow is correctly enforced where required
Form POST targets perform the same authorisation as form views
Miscellaneous
cache-control: private or stronger is used on sensitive pages
All client-side validation is repeated on the server
Site supports HTTPS, and sensitive pages forbid HTTP access
All pages are displayed with status and address bars
All URLs are expected from a customer's point of view
No "Mixture of secure and insecure content" warnings
Server Configuration
There are no "orphaned" files (exist on the web server, but not linked)
No backup versions of files are accessible (may reveal source code)
No common insecure scripts (e.g. snoop servlet) are accessible
Error messages do not provide overly-detailed information
Special Cases
Dynamic login questions: question cannot be changed by the user
Application forms: restarting a transaction doesn't leak information
Smoke & mirrors: generated emails are appropriately protected
Domain auth: domain accounts cannot be locked out from the Internet
Forgotten password: understand any information leaked or risks created
SSL Client Certificates
Does login check user name matches certificate?
Can you lock out an account without holding the certificate?
Is certificate required for every request?
Does it check the certificate matches the session ID?
Can you login using a self-signed certificate?
Are test/pre-prod certificates separated from live?
Nested Web Service
Is the WSDL file accessible?
Does access to the web service require a web session?
Does it check the web session user matches the WS user?
Also, most of this checklist also applies to the web service.
Further, Very good article on Web Application Security Checklist:
http://www.enterpriseitplanet.com/security/features/article.php/2214631/Web-Application-Security-Checklist.htm
Various Security Checklists for your reference:
http://iase.disa.mil/stigs/checklist/
Wednesday, July 14, 2010
NEW PROPOSED Top 7 Essential Log Reports
Top Log Report Candidate 1. Authentication and Authorization Reportsa. Login Failures and Successes
b. Attempts to gain unauthorized access through existing accounts
c. Privileged account access (success, failure)
d. VPN Authentication and other remote access (success, failure)
e. Please add more reports you find useful!
Top Log Report Candidate 2. Change Reports
a. Addition/Changes/Deletions to Users, Groups and Services
b. Change to configurations
c. Application installs and Updates
d. Please add more reports you find useful!
Top Log Report Candidate 3. Network Activity Reports [used to be called “Suspicious or Unauthorized Network Traffic Patterns” in the old Top 5 list]
a. Top Internal Systems Connecting Through Firewall // Summary of Outbound Connections
b. Network Services Transiting A Firewall
c. Top Largest File Transfers Through the Firewall
d. Internal Systems Using Many Different Protocols/Ports
e. Top Internal Systems With NIDS Alerts
f. Proxy Report on File Uploads
g. Please add more reports you find useful!
Top Log Report Candidate 4. Resource Access Reports
a. File
i. Failed File or Resource Access Attempts
b. Database
i. Top Database Users
ii. Summary of Query Types
iii. SELECT Data Volume
iv. All Users Executing INSERT/DELETE Commands
v. Database Backups
c. Email
i. Top Internal Email Addresses by Volume of Messages
ii. Top Attachment Types with Sizes
iii. Top Internal Systems Sending Spam // Top Internal Systems Sending Email NOT Through Mail Server
c. Please add more reports you find useful!
Top Log Report Candidate 5. Malware Activity Reports
a. Top systems with anti-malware events
b. Detect-only events from anti-malware tools (“leave-alones”)
c. Anti-virus protection failures by type
d. Internal malware connections (all sources)
e. Please add more reports you find useful!
Top Log Report Candidate 6. “Various FAIL”
a. Critical Errors
b. Backup failures
c. Capacity / Limit Exhaustion
d. System and Application Starts, Shutdowns and Restarts
e. Please add more reports you find useful!
Top Log Report Candidate 7. Analytic Reports [Mostly Using “Never Before Seen” (NBS) aka “NEW Type/Object” Analysis]
a. NEW (NBS) IDS/IPS Alert Types
b. NEW (NBS) Log Entry Types
c. NEW (NBS) Users Authentication Success
d. NEW (NBS) Internal Systems Connecting Through Firewall
e. NEW (NBS) Ports Accessed
f. NEW (NBS) HTTP Request Types
g. NEW (NBS) Query Types on Database
h. Please add more NBS or other analytic reports you find useful!
So, please help this project by commenting via whatever means!!!
BTW, I think I perused all the previous effor5ts to distill log reports (such as this one), but feel free to point me to such things as well.
Finally, if you are a SIEM or log management vendor, please consider supporting the resulting reports in your products – after they are finalized by the community and released by SANS.
Subscribe to:
Posts (Atom)