Tuesday, January 27, 2009

Web Vulnerability Scanners Comparison

In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners. This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation.

The applications (web scanners) included in this evaluation are:
- Acunetix WVS version 6.0 (Build 20081217)
- IBM Rational AppScan version 7.7.620 Service Pack 2
- HP WebInspect version 7.7.869

I've tested 13 web applications (some of them containing a lot of vulnerabilities), 3 demo applications provided by the vendors (testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and I've done some tests to verify JavaScript execution capabilities.

In total, 16 applications were tested. I've tried to cover all the major platforms, therefore I have applications in PHP, ASP, ASP.NET and Java.

The report can be found at http://drop.io/anantasecfiles/
The full URL to the PDF document: http://drop.io/download/497f0f4e/c1d8b2966f85fb8549a18cbe2d789224ea665f45/759c3010-ce68-012b-dcee-f407c7ff11c2/9eeb1f00-cea5-012b-aa7b-f219675fa758/report.pdf/report_pdf.pdf

I've included enough information in this report (the JavaScript files used for testing, exact version and URL for all the tested applications) so anybody with enough patience can verify and reproduce the results presented here.

Therefore, I will not respond to emails from vendors. You have the information, fix your scanners!

Friday, January 9, 2009

Windows XP Local Privilege Escalation

d@v|d from House of Hackers just posted a very easy way to escalate your privileges on Windows XP using the at command. Cool stuff :)
You can find the original post here.

Wednesday, January 7, 2009

MacRumorsLive feed hack details

I was watching the MacRumors live feed yesterday and I was lucky enough to see the hack live.

It was kind of funny, I was following the updates and at some point this text appeared:

STEVE JOBS JUST DIED:

A few seconds later the guys from MacRumors figured out that something happened and posted a retraction. And then the hacker posted another funny message:

Oh, wait, sorry. Steve did die. Our condolences.

And after that things started to get out of control. A lot of people started to post a lot of crap. You can see a screen shot here.

Anyway, I was curious what happened and started searching on Google. I was thinking they found an SQL injection or guessed their passwords or something like that.

However, things were much simpler (as they usually are). Some guy/guys from 4chan found a directory listing for the admin directory.


As if this wasn't bad enough, this directory was not properly configured and was showing the source code of PHP files instead of executing them.

More than that, you could read the htpasswd file (named .passwd) with all the password hashes :)

Wait, there is more :)

They didn't even need those passwords, because if you read some of the files from that directory you could get the URL of the administrative interface. From there you could post live updates and stuff. And guess what: this administrative interface wasn't password protected. Now, that's just funny :)
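To make the chain above concrete, here is an added example (not MacRumors' real configuration, which was never published): an Apache httpd directory block that produces exactly these symptoms, next to a hardened version. The paths, the realm name and the use of mod_php are assumptions.

```apache
# Added example, not the site's own config. Assumes Apache httpd 2.4 with
# mod_php and a hypothetical admin directory at /var/www/html/admin.

# --- Weak: reproduces the three failure modes described above ---
<Directory "/var/www/html/admin">
    # 1. Directory listing: every file in the admin dir is enumerable.
    Options +Indexes
    # 2. No PHP handler on this (mirrored) instance, so *.php is served as
    #    plain text and the source is readable.
    # 3. No authentication at all on the admin panel.
    Require all granted
</Directory>
# .passwd sits inside the web root and nothing stops it being served.

# --- Hardened ---
<Directory "/var/www/html/admin">
    # No listing, no CGI, no per-directory overrides.
    Options -Indexes -ExecCGI
    AllowOverride None
    # Make sure PHP is executed rather than served as source. This handler
    # must exist on every instance the directory is mirrored to.
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    # Require a login; the htpasswd file lives OUTSIDE the web root.
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/httpd/admin.passwd"
    Require valid-user
</Directory>

# Never serve dotfiles (.passwd, .htpasswd, .git, ...) from any directory.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

The "mirrored across multiple server instances" detail is why the handler block matters: a config that is only correct on one instance is not correct.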


Here is the response from arn, the guy that runs MacRumors.

The cause of the security breach is best described as "user error" due to admin files being inadvertently mirrored across multiple server instances with incorrect permissions. This allowed php code to be displayed rather than executed, which was clearly a "bad thing". Our actual admin panel is password protected, of course.