
Tuesday, November 18, 2014

5 Vulnerabilities That Surely Need a Source Code Review


Approach for Source Code Review


The approach for SCR is fundamentally different from an Application Penetration Test. While an Application Penetration Test is driven by apparently visible use-cases and functionalities, the maximum possible view of the application in terms of its source code and configuration is usually available during an SCR. Apart from auditing important use-cases following standard practices, our approach consists of two broad steps:

Finding Security Weaknesses (Insecure/Risky Code Blocks) (Sinks)

A security weakness is an insecure practice, a dangerous API call, or an insecure design. Some examples of weaknesses are:
  • Dynamic SQL Query: string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
  • Dangerous or risky API call such as Runtime.exec, Statement.execute
  • Insecure Design such as using only MD5 hashing of passwords without any salt.

Correlation between Security Weakness and Dynamic Input

Dynamic construction of an SQL query without the necessary validation or sanitization is definitely a security weakness; however, it may not lead to a security vulnerability if the SQL query does not involve any untrusted data. Hence it is required to identify code paths that start with a user input and reach a possibly weak or risky code block. Skipping this phase will leave a huge number of false positives in the results.

This step generally involves enumerating sources and finding a path from source to sink. A source in this case is any user-controlled and untrusted input, e.g. HTTP request parameters, cookies, uploaded file contents etc.
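The two steps above (sink finding, then source-to-sink correlation) as a small added example, not code from the original post: a straight-line taint tracker over a constructed Java-style fragment. It assumes assignments are single-line and that the only sources and sinks of interest are the patterns listed; a real SCR tool would also follow calls and sanitizers.

```python
import re

# Constructed Java-style servlet fragment used as input (not from any real project).
SAMPLE = """\
String userName = request.getParameter("user");
String itemName = request.getParameter("item");
String owner = "widget-store";
String q1 = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + itemName + "'";
String q2 = "SELECT * FROM items WHERE owner = '" + owner + "'";
stmt.execute(q1);
stmt.execute(q2);
Runtime.getRuntime().exec(command);
"""

# Step 1: sinks (dangerous API calls). Step 2: sources (untrusted input) tracked through assignments.
SOURCES = [r"request\.getParameter\(", r"request\.getHeader\(", r"request\.getCookies\("]
SINKS = [r"\.execute\s*\(", r"\.exec\s*\("]
ASSIGN = re.compile(r"^\s*(?:[A-Za-z_][\w<>\[\]]*\s+)?([A-Za-z_]\w*)\s*=\s*(.+);\s*$")
STRING_LITERAL = re.compile(r'"[^"]*"')

def identifiers(expr):
    """Identifiers in an expression, ignoring anything inside string literals."""
    return set(re.findall(r"[A-Za-z_]\w*", STRING_LITERAL.sub("", expr)))

def analyze(code):
    """Return (line, sink_text, verdict) triples: 'vulnerable' when a tainted value
    reaches the sink, 'weakness' when no known source flows into it."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if any(re.search(s, rhs) for s in SOURCES) or identifiers(rhs) & tainted:
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from clean data: taint no longer applies
        for sink in SINKS:
            s = re.search(sink, line)
            if s:
                args = identifiers(line[s.end():])
                verdict = "vulnerable" if args & tainted else "weakness"
                findings.append((lineno, line.strip(), verdict))
    return findings

if __name__ == "__main__":
    for lineno, text, verdict in analyze(SAMPLE):
        print(f"line {lineno}: {verdict:10s} {text}")
```

Only the first execute() call is reported as vulnerable; the other two sinks are weaknesses that this pass correctly leaves out of the vulnerability list.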

Using Google.com to find Usernames and Passwords

Method 1: Facebook!
We will be using a google dork to find usernames and passwords of many accounts including Facebook!

The Dork: intext:charset_test= email= default_persistent=
Enter that into Google, and you will be presented with several sites that have username and passwords lists!


Method 2: WordPress!

This will look for WordPress backup files, which contain the passwords and all data for the site!
The Dork: filetype:sql inurl:wp-content/backup-*

Method 3: WWWBoard!

This will look for the user and passwords of WWWBoard users
The Dork: inurl:/wwwboard/passwd.txt

Method 4: FrontPage!

This will find all users and passwords, similar to above.
The Dork: ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-"

Method 5: Symfony!
This finds database information and logins
The Dork: inurl:config/databases.yml -trac -trunk -"Google Code" -source -repository

Method 6: TeamSpeak! (big one!!!!!)
This will search for the server.dbs file (a SQLite database file with the SuperAdmin username and password!!!)
The Dork: server-dbs "intitle:index of"

Method 7: TeamSpeak2!!! (also big!)
This will find the log file which has the Super Admin user and pass in the Top 100 lines. Look for "superadmin account info:"
The Dork: "inurl:Teamspeak2_RC2/server.log"

Method 8: Get Admin pass!
Simple dork which looks for all types of admin info
The Dork: "admin account info" filetype:log

Method 9: Private keys! (not any more!)
This will find any .pem files which contain private keys.
The Dork: filetype:pem pem intext:private

And the Ultimate one, the regular directory full of passwords....
Method 10: The Dir of Passwords!
Simple one!
The Dork: intitle:"Index of..etc" passwd

Enjoy! ;)