Thursday, July 2, 2009

Prevent Web Application Vulnerability Scanner

hi guys,
At last I decided to take this blog out of magazine-release-news mode, pulled one of the ideas out of my head, implemented it, and wrote a little about it here.

Anyway, let's get on to the subject.
Certainly you have experience working with web application vulnerability scanners. They are all getting better, and this is a big threat to all web applications, both commercial and non-commercial.
Although there are many false positives in their results, most of them illuminate the path of attack for us. It's great that you can find most of the hidden directories on a web site, and check for SQL injection, Cross-Site Scripting, Cross-Site Request Forgery and so on.
This is great for a pen-tester and a threat for security managers!
Umm, the question I asked myself many times was: how to escape from these web app scanners?
I scanned a content management system (CMS) with a few web application vulnerability scanners many, many times, then sniffed the requests and the responses. After all that I found that there is a unique User-Agent for each of these web app vuln scanners. In some of them you can change the User-Agent value, but in others this option is not implemented, and of course many users of the tools that do allow it never change the default User-Agent value. So this is a good way to identify web app vuln scanner software. However, this cannot fool elite users of these tools.
It was still a possibility, not a fact, so I decided to examine this.
I fired up IBM Rational AppScan, then checked the request that AppScan sent to the remote HTTP server. It was "Mozilla/4.0 (compatible; MSIE 6.0; Win32)".
You can also grab this User-Agent value with a short PHP snippet such as:

It will write the User-Agent value of anything (browser, web app scanner and so on) that requests this page into data.txt beside itself.
Well, this is a good way to fool these scanners: we fake a 404 error page for them, ha?!
OK, let's write the code..

Then I scanned this page with AppScan automatically and it just detected the 404 error. Then I found the Manual Test option in the Scan menu. I sent a query and again 404!
After all that I saw the AppScan Browser. I opened the page with it, and yes, the welcome message :-(

I checked it and found out that it uses a different User-Agent, so I grabbed it and added it to the IF condition after an OR logical operator. Then I refreshed the page and finally the 404 error :-)

Finally the code goes something like this:

Be careful about which User-Agent you are filtering in your code. If you filter a common User-Agent, many blameless visitors of your web site will see the 404 error page!!
Well, maybe it's not the best way, and writing a secure program is better, but there is always something you forget, and someone else who [ab]uses it to smash your web app! So this can be a guard between you and the artificial intelligence of these web app vuln scanners, though you cannot fool an elite user with this kind of trick. ;)
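The two steps above (logging the User-Agent, then answering a known scanner string with a fake 404) in one script, as an added example and not the original post's code. The AppScan string is the one quoted in the post; the log path, the exact-match approach and the commented-out second entry are my assumptions, since the post does not give the AppScan Browser string.

```php
<?php
// Added example, not the post's original code. Logs every visitor's
// User-Agent and serves a fake 404 when the User-Agent exactly matches
// a known scanner string. Log path and second entry are assumptions.

// Keep the log outside the document root so it is not itself downloadable.
define('UA_LOG', __DIR__ . '/../data.txt');

// Exact-match list: substring matching on something generic such as
// "MSIE 6.0" would also hit ordinary visitors (the post's warning above).
$scanner_agents = array(
    'Mozilla/4.0 (compatible; MSIE 6.0; Win32)',  // AppScan, as quoted in the post
    // 'PLACEHOLDER-APPSCAN-BROWSER-UA',          // add the second string you capture
);

function log_user_agent($path, $ua)
{
    // Strip CR/LF so a crafted header cannot forge extra log lines.
    $clean = str_replace(array("\r", "\n"), ' ', $ua);
    $line  = gmdate('c') . ' ' . $clean . "\n";
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

function is_scanner_agent($ua, array $known)
{
    return in_array(trim($ua), $known, true);
}

$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
log_user_agent(UA_LOG, $ua);

if (is_scanner_agent($ua, $scanner_agents)) {
    // Send a real 404 status, not a 200 with "Not Found" text: a scanner
    // report would flag the mismatch immediately.
    header('HTTP/1.1 404 Not Found');
    header('Content-Type: text/html; charset=UTF-8');
    echo '<!DOCTYPE html><html><head><title>404 Not Found</title></head>'
       . '<body><h1>Not Found</h1>'
       . '<p>The requested URL was not found on this server.</p></body></html>';
    exit;
}

echo 'Welcome';  // normal page content for everyone else
```

Review the log regularly: a visitor who never sees anything but the fake 404 while using a legitimate browser means an entry in the list is too broad.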

That was all..

P.S.: this post is old! It's from more or less 7 months ago; I kept it in draft for some skit reasons but now decided to publish it.

Comments are welcome ;-)

Friday, May 15, 2009

Snoop Magazine news Releases

Another hi after a long time of silence on my blog. Btw, it's good; at least it shows I'm still alive!

In this period of time we were working on Snoop Digital Security Magazine!

Well, we have released 2 issues of the magazine!
One of them was No. 2 of Snoop Magazine and contains the topics below:

- Deep Look at SEH Overwrite Exploitation Techniques
- One Attack, One Solution.. (GreenSQL DB Firewall)
- Deep into Metasploit - Part 2
- Surf Jacking
- Analysis of CVE-2009-0658
- Introduction to Honeypots
- Using Dynamic IP Restrictions in IIS7
- Introduction to Cisco Security Solutions and CS-MARS
- Top 100 Network Security Tools
- Downadup/Conficker Detection
- .Net/Java Code Obfuscation


The next release was a special edition (No. 2.5) for the sake of the new Ubuntu release (9.04) and contains a couple of articles on (in)security aspects of this distro. The topics are:


- Your Distro is Insecure: Ubuntu
- GnuPrivacyGuard HowTo
- Securing Ubuntu Linux
- Configure SSL in Ubuntu
- Getting Start with Firewall Builder
- OSX Tiger vs. Vista vs. Ubuntu

You can download all of these releases from the Snoop Magazine web site:
http://snoopmag.net/archive.html

After all, I want to thank all of my friends and colleagues at Snoop-Security, such as: Adel Karimi, Shahriyar Jalayeri, Alireza Mohammadzade, Mohammad Sadegh Babaei, Vahid Amirian and other fellas..

Hope you find it useful.
/aMIr

Sunday, March 22, 2009

Happy Norooz and MS !exploitable extension review

hi guys,
Yep, after all of this insomnia I'm still alive.
Microsoft today released a WinDbg extension named "!exploitable", and after some tests I reviewed it on the "Snoop Security Researching Community" blog; you can read the post here:

http://www.snoop-security.com/blog/?p=6

Another piece of good news is that a new issue of Snoop Security Magazine is coming soon (cheers to Adel).
Oh, I forgot! Happy Norooz everyone. I wish you and your family a good year in peace and luck.

That was all
/aMIr

Monday, March 2, 2009

I need INT3 on my life process

I know it's been a long time since I updated this blog; yep, that's my bad.
These days I'm really confused and mixed up. I'm in the process of reading, researching, writing and blah blah blah..
Before the next season of the year we'll release the next issue of Snoop-Security Digital Magazine. If you haven't downloaded the first release you can grab it at www.snoopmag.net, and feel free to contact us about the articles' contents, the sections, and everything you think can help grow the value of this release. And if you want to write an article, contact me; however, we have a sufficient number of articles for this release, so we'll save your article for the next season's (spring) release.
IMHO this coming release has more useful stuff. You can wait and see these changes in the next release.
As I said in the beginning, I'm really confused, and I've been awake for so long!
God, please send INT3 to my life's running process...