How to choose a strong and secure password? The obvious answer is to choose a very long password and the next answer in the list is to include as much special characters as possible. But doing so would make it more difficult to remember and would even force us to jot it in postits.

But the ideal solution would be to choose a password which takes longer time to crack. Hackers can find someway to crack our password, all we have to make them try stronger and harder. Passwords are usually cracked using a method called as Bruteforce attack where a malicious tool tries to match all the type of password combination available against the target system. More complex the password is, more are the combinations to be tried and less probable it becomes for the tool to guess our password right.

This website, HowSecureIsMyPassword, gives us an idea on how long it takes to crack a password with a normal desktop PC. We can try various combinations, longer password/different character sets and analyze the results.

So as mentioned earlier we should choose a password which takes at least more than ‘a year’ to crack. This arbitrary value – ‘a year’ is based on the assumption that we would change our passwords once in every year so by the time the cracker obtains our password, we would have changed it

Guys from Whatsmypass have published a list of Top 500 worst passwords, check it out here, and make sure that you don’t use any one of them.

Another site provides crack time matrix of different types of character sets, length based on the system which is used for cracking it. HowSecureIsMyPassword assumes that the cracker uses class D and estimates the time, link.

Check the site to calculate approx time taken to crack your password.

HowSecureIsMyPassword

How Secure Is Your Password Info
App Name	How Secure Is Your Password
License	free
Type	online
App URL
More Info	link

Google has launched Secure Google search hosted on SSL lately . This post talks on how to enable this Secure Google search to the browser search bar/search suggestions in Firefox, Chrome and IE browsers.

Updated: Added Screenshots for IE

1. Firefox

Go to the Mozilla Addons Page and add Google SSL Search Plugin

Select ‘Start using it right away in the dialog box that displays – Add “Google SSL” to the list of engines available in the search bar?

2. Chrome

Right Click on Chrome Omnibar(Address bar) and Select ‘Edit Search Engines’.

In the Edit Search Engines Dialog box add https://www.google.com/search?q=%s in the URL field and click on Make Default Button.

Dont forget to check the Chrome Extensions List for Security Testers, here (Internal Post)

3. Internet Explorer

• Access the Add Search Providers page

• In the Create Your Own enter https://www.google.com/search?q=TEST in the URL field

Click on the Install Button to see the following screen. Check the ‘Make this my default search provider’

Now the Search box in IE will display Google.

via Google Blog and TechDows

Gruyere is a vulnerable application which can be used to learn and understand web vulnerabilities. Detailed documentation is provided on the type of the vulnerabilities present in the application and ways to exploits it.

Update: Jarlsberg is now Gruyere

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you’ll learn the following:

• How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
• How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

Documentation Here

Some Exploit Screenshots

Information Disclosure – Read the contents of the database off of a running server by exploiting a configuration vulnerability.

Debug Dump Page URL – http://google-gruyere.appspot.com/457262944951/dump.jtl

The id changes based on your session.

Reflected XSS

Alert Dialog box which indicates the presence of Cross Site Scripting Vulnerability present in Jarlsberg

Stored XSS alert

Features

Jarlsberg includes a number of special features and technologies which add attack surface.

• HTML in Snippets: Users can include a limited subset of HTML in their snippets.
• File upload: Users can upload files to the server, e.g., to include pictures in their snippets.
• Web administration: System administrators can manage the system using a web interface.
• New accounts: Users can create their own accounts.
• Template language: Jarlsberg Template Language(JTL) is a new language that makes writing web pages easy as the templates connect directly to the database. Documentation for JTL can be found in gruyere/jtl.py.
• AJAX: Jarlsberg uses AJAX to implement refresh on the home and snippets page. You should ignore the AJAX parts of Jarlsberg except for the challenges that specifically tell you to focus on AJAX.

Vulnerabilities In Gruyere

• Cross-Site Scripting (XSS)
  • File Upload XSS
  • Reflected XSS
  • Stored XSS
  • Stored XSS via HTML Attribute
  • Stored XSS via AJAX
  • Reflected XSS via AJAX
• Client-State Manipulation
  • Elevation of Privilege
  • Cookie Manipulation
• Cross-Site Request Forgery (XSRF)
• Cross Site Script Inclusion (XSSI)
• Path Traversal
  • Information disclosure via path traversal
  • Data tampering via path traversal
• Denial of Service
  • DoS – Quit the Server
  • DoS – Overloading the Server
• Code Execution
• Information disclosure
• AJAX vulnerabilities
  • DoS via AJAX
  • Phishing via AJAX
• Buffer Overflow and Integer Overflow
• SQL Injection

Explore hosted version of Jarlsberg and start uncovering the vulnerabilities

Gruyere Hosted Version

Gruyere (Previously Jarlsberg) Info
App Name	Gruyere (Previously Jarlsberg)
License	free
Type	online code
App URL
More Info	link

This post lists 13 Chrome Extensions to aid security testers during their web application pen testing.

1. WebDeveloper

2. Firebug Lite

3. Pendule

4. Chrome Web Developer Tools

5. Simple REST Client

6. View Selection Source

7. Domain Details

8. Chrome Sniffer

9. User-Agent Switcher

10. Unencrypted Password Warning

11. JSONView

12. Cookie Editor

View and Edit the Cookies created by the site visible in the active page

13. Light Shot

14. Note Anywhere (Bonus)

HTML5 is a new and upcoming technology which has enough features to introduce potential security issues if not properly implemented. A new project has been initiated in Google Code to keep developers updated on the security concerns to be kept in mind while developing their apps with HTML5.

Description of Project in Authors Terms,

This project is an attempt to create a well maintained, informative and categorized cheat sheet to highlight HTML5 as well as other client side and related security issues and ways to avoid them. The project is meant to target web developers as well as security researchers and especially browser vendors since many of the problems we found are based on faulty or quirky implementations. Focus is on completeness, comprehensibility and timeliness as well as continuity – benefits many other related cheat sheets don’t exactly provide.

Time to this site if are a developer or security analyst.

HTML5 CheatSheet

HTML5 CheatSheet Info
App Name	HTML5 CheatSheet
License	free
Type	online
App URL
More Info	link

An XSS vulnerability has been discovered and disclosed to public in SharePoint Server 2007 and Microsoft Windows SharePoint Services 3.0. The vulnerability could allow an attacker to run arbitrary script that could result in elevation of privilege within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment.

This vulnerability is discovered by High-Tech Bridge SA and has been notified to Microsoft 12 April 2010. On the day of writing of this post, the vulnerability remains unfixed.

Read HTBridge advisory here

Vulnerable URL :

http://TARGETSITE/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X

Screenshot

Read more at Microsoft Security Advisory (983438)

As per PCI DSS, whenever a new version of OWASP Top 10 vulnerabilities are released, its implied that the current requirements are to be replaced with the latest OWASP updates. Current version of PCI-DSS was released in July 2009 and will include the new top 10 in the upcoming version.

Do check the post excel based OWASP testing checklist here

Implied PCI-DSS Requirement Changes

Grab a copy of OWASP Top 10 2010 here

Phishing techniques are becoming more popular and advanced that some phished sites seems visually challenging to be separated from its genuine counterpart.

Read this post about Indian Income Tax phishing site.

Take these Phishing quizzes to sharpen your skills to identify the fake sites.

1. Verisign’s – Phish No Phish

URL: https://www.phish-no-phish.com

2. OnGuard Online – Phishing Quiz

URL: http://www.staysmartonline.gov.au/games-videos/quizzes/flash_listing/quizzes/phishing_quiz/phishing_quiz.html

3. SonicWALL Phishing and Spam IQ Quiz

URL: http://www.sonicwall.com/phishing/

4. Washington Post – Catch a Phish

URL: http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html

Backtrack is the most popularly used security distro used while during pentests. While we can partition our harddisk, install this OS and dual boot with our default OS; things can be made simpler by running BackTrack VM within our default OS. Using a security distro in a VM gives us few advantages like, portability & ability to quickly restore/duplicate the instances as required.

Running Backtrack

BackTrack4 VM can be downloaded from the backtrack site (link at the end of the post) and to run the VM, we need the free VMWare Player.

Install the VMWare Player and open the BT VM with it. We are good to go with the default configuration unless we have more RAM to spare (Its recommended to provide 512MB of RAM if you have around 2GB).

Adjust Backtrack VM RAM

Default Credentials

Backtrack VM comes with the default login credentials (which can be changed later, ofcourse)

bt login:  root
Password:  toor
. . .
root@bt:~#  startx

We should be able to see the BackTrack OS up and running by this time. If you face any difficulties with the screen resolution, install/upgrade your VMWare tools.

BackTrack VM Up and Running

Change Default Credentials

Once the OS is loaded, access the terminal from the taskbar and use the ‘passwd’ command to change the password.

bt~#  passwd
bt~#  New Password : ******
bt~#  Re-enter Password: ******

Enable Networking to Access Internet

Many a times internet might not work at the first shot. If it doesn’t do as mentioned below.

1. First find out the IP address/Default Gateway of you the HOST PC (Assuming that it’s an Windows OS, do ‘ipconfig’ in DOS Terminal)
2. Choose any arbitrary IP address, should be in the range of the IP of the host, and ensure that its not used.
3. In the BackTrack Terminal, type the following commands

bt~#  ifconfig eth0 up
bt~#  /etc/init.d/networking start

Once you have BackTrack running and Internet enabled, you are all set to use the tools bundled with this OS.

Backtrack VM Download Info
App Name	Backtrack VM Download
License	free
Type	OS
App URL
More Info	link

VMWare Player Download (Free):

Skipfish is an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Installation on Ubuntu/BackTrack (via Redspin)

Use the following commands in the terminal windows to install and run Skipfish. Replace OUTPUT_FOLDER and TARGETSITE with the domain name and the target’s URL respectively. Also change the wget URL to the URL of the latest version of Skipfish download available.

wget http://skipfish.googlecode.com/files/skipfish-1.29b.tgz
tar zxvf skipfish-1.01b.tgz
sudo apt-get install libidn11-dev
cd skipfish
make
cp dictionaries/default.wl skipfish.wl
./skipfish -o OUTPUT_FOLDER http://www.TARGETSITE.com

Trial Run

Installed SkipFish and ran on the target site, specs below.

Guest OS : BackTrack4 VM

Host OS : Windows Vista

RAM : 512MB

Application Size : Medium ( < 1000 Unique Pages )

Internet Speed : 1 MBPS

Skipfish Verbose

Skipfish displays the scan run statistics continuously during the run. Once the scan run is complete, we get to see the scan summary (shown in the below screenshot).

Skipfish Console (Click to Enlarge)

Scan Output

Once the scan is complete, results are saved in HTML format. Its a simple tree interface that displays the details of the vulnerability along with the HTTP Header trace for each request.

NOTE: The target application which was used to test the application is a custom and private application and has been removed from the server. Please do not run scanner on any of the domains you dont own.

Skipfish Scan Report (Click to Enlarge)

Observations

• Installation and setup is super easy.
• Definitely not a heavy weight, memory hogging scanner.
• Did not find some of the basic vulnerabilities other scanners had found.
• Scan ran for ~14hours for that medium sized app.

Features

• High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.

• Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

• Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The tool is believed to support Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments.

List of High and Medium Vulnerabilities Skipfish Attempts to Identify

A rough list of the security checks, for High and Medium vulnerabilties, offered by the tool is outlined below.

• High risk flaws (potentially leading to system compromise):
  • Server-side SQL injection (including blind vectors, numerical parameters).
  • Explicit SQL-like syntax in GET or POST parameters.
  • Server-side shell command injection (including blind vectors).
  • Server-side XML / XPath injection (including blind vectors).
  • Format string vulnerabilities.
  • Integer overflow vulnerabilities.
  • Locations accepting HTTP PUT.

• Medium risk flaws (potentially leading to data compromise):
  • Stored and reflected XSS vectors in document body (minimal JS XSS support present).
  • Stored and reflected XSS vectors via HTTP redirects.
  • Stored and reflected XSS vectors via HTTP header splitting.
  • Directory traversal (including constrained vectors).
  • Assorted file POIs (server-side sources, configs, etc).
  • Attacker-supplied script and CSS inclusion vectors (stored and reflected).
  • External untrusted script and CSS inclusion vectors.
  • Mixed content problems on script and CSS resources (optional).
  • Incorrect or missing MIME types on renderables.
  • Generic MIME types on renderables.
  • Incorrect or missing charsets on renderables.
  • Conflicting MIME / charset info on renderables.
  • Bad caching directives on cookie setting responses.

Google Skipfish Info
App Name	Google Skipfish
License	free
Type	code
App URL
More Info	link