OSI Security - Penetration Testing & Web Application Security Consultants
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers

Adding HTTP Strict-Transport-Security to the nginx web server

16/5/2017

 
The HTTP Strict-Transport-Security standard (HSTS) is a HTTP server header sent by SSL/TLS enabled websites to prevent communication over HTTP in order to protect content and authentication cookies from interception or alteration.

To enable this header on the nginx web server, modify the nginx.conf file. Within the server block, find and edit the location block and set the "add_header" directive with a value of e.g. Strict-Transport-Security "max-age=31536000"; (for 365 days).

E.g:

server {
 location / {
  add_header Strict-Transport-Security "max-age=31536000";
​ }
​}

Test your SSL anti-malware defences!

3/4/2017

 
Many of you would have seen our anti-malware solution test website known as WICAR (think EICAR AV Test File, but for web based attacks).
Picture
This is just a quick email to let you know we now have SSL enabled for our test malware attacks, so not only can you test your firewall, IDS/IPS, proxies, content filtering and desktop antivirus, but you can also check if you are protected against payloads delivered over HTTP/S or verify your SSL-inspection products are working.
​
Simply open the Test Malware page and click the [SSL] hyperlink to conduct the test over SSL to ensure your organisation is adequately protected (most attacks today are delivered over SSL to get around proxy inspection).
Picture

Testing for weak Diffie-Hellman HTTPS (Logjam) keys

10/8/2015

 
To test a HTTP/S server for weak Diffie-Hellman (DH) SSL / TLS ciphers, you may use the following command (Linux):

$ openssl s_client -connect [target]:443 -cipher "EDH"

EDH requires use of weak DH keys. If it connects, you may GET / HTTP/1.0 to confirm.

A secure host should not connect, e.g.

$ openssl s_client -connect www.gmail.com:443 -cipher "EDH"
CONNECTED(00000003)
139671352862352:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:

https://weakdh.org/

Auditing SonicWALL Firewall Rulesets

10/4/2013

 
Introduction:
At some point you may be required to audit the configuration of a SonicWALL device.
If you have physical/admin access to the management interface, then this is probably the easiest method - drill down every option and check for misconfiguration.

If not, obtain a configuration export file (file name is generally 'sonicwall-name-date.exp') such as sonicwall-SydneyDC-20100607.exp.

You will notice the file is a single line of Base64 encoding.
​
Method:
Either use software such as nipper (a tool to automatically decode multi-vendor firewall, router, switch etc.. configurations then analyse the settings and make recommendations in a pretty report) or Base64 decode it yourself and read the variables.

Linux: 'base64 -d file'
Windows (if you have ActiveState Perl): 'c:\bin\decode-base64.bat file'
​
Recommendation:
Often issues such as SSH v1 and SNMP will be present. Also check the firmware as SonicWALL is notorious for format string bugs.

Sender Policy Framework

3/7/2012

 
Introduction
Visit www.openspf.org for more information on this technology.
​
Method
It is held within a TXT record for the domain. You can query this with the host command under Linux/POSIX.
$ host -t txt [victim].com
[victim].com descriptive text "v=spf1 a mx include:[victim].com"
​
Recommendation
Consider adding SPF records to allow MX records to send email.
SPF helps prevent forging of the FROM address on the receiver end.
Customer MTAs which support SPF will reject fraudulent emails because the SPF record will not match the spammers IP source addresses when forging @[victim].com FROM addresses.

IT Management - Security Considerations when permitting corporate use of Facebook, YouTube, Twitter and other Social Media

25/11/2011

 
Recently, a client of ours requested some information regarding security considerations should a corporation permit employees to use social media such as Facebook, YouTube, Twitter and other sites.

It is a common problem. There are a few issues here which need to be considered;

1) Yes there are cross-site scripting issues with the websites. But the vulnerabilities are in the websites themselves, so youtube.com, facebook.com and twitter.com are managed by internal staff - if they are vulnerable then everybody is. It is really out of your control. The worms use to propagate, such as the recent Facebook worm which was posting adult images, abuse the [zero-day] vulnerability in the website... eventually the sysadmins discover the worm and close the gap.

2) The web browsers also play a part in exploitability. Internet Explorer 8+ has some mitigations for XSS. Chrome and Firefox also have some anti-XSS measures, but still lack complete protection. NoScript add-ons can be used for Firefox and Chrome to further mitigate attacks. Earlier browsers such as IE6 and older releases of Firefox interpret HTML and JavaScript differently, as well as Content-Type / Content-Disposition which may make a user of IE6 vulnerable to a facebook worm but not say IE7. So up-to-date SOE browsers are a good idea depending on what your patching is like.

3) When using XSS attacks the attacker or worm often needs a location to store their malicious JavaScript. NoScript will deny external locations unless explicitly permitted. But regardless, attackers sometimes use what would be considered trusted websites... so it is possible for someone to obtain a Google Sites account, upload JavaScript, then the browser will fetch the content from *.google.com ... instead of a suspect .cn domain etc.

4) There is the crossdomain.xml policy - http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html. This is dependent on the website.

5) Researchers occasionally uncover browser vulnerabilities which breach the internal browser cross-domain security policy... so the result may be a vulnerability despite proactive protections and hardened configuration.

6) Antivirus vendors such as TrendMicro provide browser add-ons which check and report all URLs accessed by clients world-wide. The Trend Micro Threat Intelligence cloud and other reputable AV companies will notice the worm after a handful of end-users report the malicious action of a site. In this case, a few users will be infected but after the cloud picks up on this, the URL will be blacklisted globally until the threat is eliminated, thus protecting end-users providing you're not the first few visitors to be infected.

7) Obviously if you have a HTTP AV / Content Filter proxy then this may detect some worms.

So to summarise, there are many different preventative measures you can take to avoid infection. Implementing all of the above may significantly reduce your risk, but after all is said and done, if the youtube.com / facebook.com / twitter.com domains are vulnerable, you are waiting on them to provide a fix.

If there is a known, unpatched worm spreading and the media has alerted users like the recent facebook adult photos and dead animals worm, you could temporarily ban access to those sites on the firewall until the worm is cleared to try and protect staff.

Another matter worth considering is whether there is a risk of staff seeing objectionable material such as pornography from the worm and the staff going on stress leave, workers compensation or suing for psychological damages etc etc.
Some organisations try to minimise law suits by implementing strict policies about what to do when someone sends you pornographic material and you unexpectedly open it. There is paper work to complete including who sent the email (they are permanently added to a blacklist), listing all who received the email, any 3rd parties that saw it on your screen, ensuring that email archive / data backup staff store the offending email if needed for court on tape, and email admin staff forcibly deleting copies from staff inboxes by conducting email audits.
​
Hopefully this gives you some insight into corporate considerations prior to blanket access of social media websites for staff.

Apache Directory listings enabled

14/11/2011

 
Introduction
​
The web server has directory listings enabled, which may reveal folder contents that might otherwise be hidden from an attacker looking for sensitive information,

Example URLs:
  • http://[target]/icons/

Recommendation:
Modify the apache2.conf file and set the folder “Options” directive to -Indexes, so that directory indexing is disabled and restart the service.

Risk:
Low.

Determining BIND DNS version using dig

8/8/2011

 
Introduction
By default BIND DNS reveals the version number when queried for a certain TXT record.

Command
# dig chaos txt version.bind @ns.[target].com

Result
An example is below:

; <<>> DiG 9.7.1-P2 <<>> chaos txt version.bind @ns.[target].com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18628
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.3.6-P1-RedHat-9.3.6-4.P1.el5"
;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.
;; Query time: 329 msec
;; SERVER: [ip]#53([ip])
;; WHEN: Sat Aug 21 03:55:28 2010
;; MSG SIZE rcvd: 87

Recommendation
Using the 'version' directive in the 'options' section will block the 'version.bind' query - usually in /etc/named.conf.

Microsoft IIS WevDAV PROPFIND request reveals internal IP Address

19/1/2011

 
Intro
The server reveals its internal IP address when specifying a WebDAV PROPFIND request.

Method
Issue a PROPFIND request with a HTTP v1.1 empty Host header:

telnet example.com 80
Trying 123.123.123.123...
Connected to example.com.
Escape character is '^]'.
PROPFIND / HTTP/1.1

Host:
HTTP/1.1 302 Redirect
Content-Length: 140
Content-Type: text/html
Location: /
Server: Microsoft-IIS/6.0
Date: Tue, 08 Jun 2010 07:05:08 GMT
Document Moved
Object Moved This document may be found here

Recommendation
Reconfigure IIS to return the FQDN value instead:
http://support.microsoft.com/kb/q218180/
​

Refs
OSVDB 13431

Microsoft IIS Web Server with .NET reveals system path when requesting .ASHX filetype

4/8/2010

 
Introduction
IIS + .NET may reveal sensitive information when an exception occurs.
Often this information may include the system path to the webroot (i.e. C:\Inetpub\wwwroot) which may further aid in attacks where a malicious user may upload content, but is not sure where the file is located on the remote system.

Method
By requesting a document with an .ashx extention, the server reveals the path (e.g. D:\sites\secret\uploads). It also reveals the version of .NET in the footer, such as "Microsoft .NET Framework Version:1.1.4322.2407; ASP.NET Version:1.1.4322.2407". The Framework version can then be used to check for known vulnerabilities, such as NULL byte issues.

Recommendation
Within the Machine.config or Web.config file, specify a directive of "customErrors" of either "RemoteOnly" or "On".
See also: http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx

Portal requires username and password but is not encrypted using SSL

18/6/2010

 
Introduction
The portal requires users submit a username and password to authenticate. This communication is not encrypted.

Method
Check the HTML source code on the form page, and examine whether the FORM ACTION is GET/POST to a HTTPS:// URI.
​
Recommendation
1) Enable SSL and disable HTTP for the portal
2) Use two-factor tokens (one time password) for strong authentication.
3) Modify the HTML source to ensure the data is POST'ed to a HTTPS URL.

Enabling Custom Errors in Microsoft IIS 6

16/6/2010

 
1.In Microsoft Windows, open Administrative Tools, and then click Internet Information Services (IIS) Manager.
IIS Manager appears.

2.Under Internet Information Services, expand Servername (local computer), expand Web Sites, right-click either Websitename or Default Website, and then click Properties.
The Web Site Properties dialog box appears.

3.Click the Home Directory tab, and then click Configuration.
The Application Configuration Settings dialog box appears.

4.Click the Debugging tab.
​
5.Change the radio button from "Send detailed ASP error messages to client" to "Send the following text error messages" and specify an error.
    View my profile on LinkedIn

    Archives

    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    December 2015
    August 2015
    April 2014
    May 2013
    April 2013
    July 2012
    May 2012
    November 2011
    August 2011
    July 2011
    February 2011
    January 2011
    October 2010
    August 2010
    June 2010

    Categories

    All
    Apache
    Backdoor
    Best Practice
    Configuration
    Credentials
    Desktop
    DNS
    Encryption
    Exploit
    Firewall
    Hardening
    HTTP
    HTTP/S
    IDS
    Information Disclosure
    Linux
    Malware
    Man-in-the-middle
    Newsletter
    Patch
    Policy
    Samba
    Server
    Service
    SMB
    SMTP
    Unix
    VPN
    Vulnerability
    Web Browser
    Web Server
    Zero Day

    RSS Feed

NSW Government ICT Services (SCM0020) approved supplier
OSI Security is an approved supplier to the Victorian Government
OSI Security is an approved supplier to the Queensland Government
OSI Security is an approved supplier to the New Zealand Government
Picture
External Penetration Testing
Managed Security Services
​Source Code Review
Web Application Security Testing
Firewall Configuration and Rulesets
WiFi Access Point and Client Auditing
Forensics and Data Recovery
System Hardening and Configuration
Metasploit Pro
Tenable Nessus
Acunetix Web Scanner
Nexpose Vulnerability
Secunia Software Inspection
Elcomsoft Password Cracking
PortSwigger BurpSuite
HP Fortify
 
Contact
Clients
Advisories
Privacy policy
​
Ethics Statement
Disclosure Policy
OSI SECURITY ACN 144 579 751 © 2010 - 2025.
​ALL RIGHTS RESERVED. SYDNEY, AUSTRALIA.
Join newsletter

Picture

OSI Security is proud to support a number of recognised charities, development projects and industry groups...

The Australian Computer Museum Society Incorporated
Hackers Helping Hackers
sqlmap.org
Metasploit Framework
2600-AU Australia