Hackers have long been known for finding weaknesses in programs, yet many of the programs people rely on today are not hard to keep safe. Content Management Systems (CMS) are standard on the web, being the software behind blogs all over the world. Two common examples are Joomla and WordPress, popular globally for their ease of use and large feature sets. While these platforms are a good way to get content out to the public, they must be updated as soon as patches are released, because attackers actively look for ways to exploit them and break web application security. Users may know that patching is needed, but all too often it is not kept up with, and when that happens big problems arise. SySmox experienced such a problem when a number of customers who had not kept up with patching for their Joomla and WordPress installations unwittingly helped attackers compromise the ISP's shared hosting servers. Starting from the unpatched web applications, the attackers ran scripts that exploited vulnerabilities in the kernel, and the tech support team had to fight those scripts to regain control of the servers.
Skipping the password using SQL injection in cookies
SQL injection via cookies gives an attacker the ability to exploit the application through a cookie parameter: a cookie value that the application interpolates into a query is just as injectable as a form field, and it is often validated less carefully.
useraccountid=[sql injection]
Example 1: useraccountid=x' or username='SYSMOX'#
* logs on to the account SYSMOX without its password; # starts a MySQL comment that discards the rest of the query
Example 2: useraccountid=x' or 1=1#
* matches every row; the application typically logs in as the first user returned
Example 3: useraccountid=x' or username like '%25com'
* %25 is a URL-encoded %, so the wildcard reaches the query as LIKE '%com'
In 2009 Twitter's DNS provider was compromised; some believe the DNS account password was brute-forced, others that web application security flaws were to blame.
Attackers can inject via the cookie as well as via form fields.
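The following is an added example, not code from the page or from SySmox, showing the cookie injection above end to end: a naive cookie parser, the vulnerable string-built query, and the parameterized fix. It runs against an in-memory SQLite table with constructed rows; because SQLite's line comment is "--" rather than MySQL's "#", the payloads here end in "--" but are otherwise the page's. The table layout and the cookie name useraccountid are assumptions.

```python
import sqlite3
from urllib.parse import quote, unquote

# Constructed payloads.  The page's '#' is MySQL's end-of-line comment;
# SQLite, used here so the demo runs offline, uses '--'.
PAYLOAD_TARGET_USER = "x' or username='SYSMOX'--"
PAYLOAD_ALL_ROWS = "x' or 1=1--"
PAYLOAD_LIKE = "x' or username like '%com'--"   # the page's %25com decodes to %com


def parse_cookie_header(header):
    """Naive Cookie header parser, as many apps roll their own:
    'k=v; k2=v2' -> dict, URL-decoding each value."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key] = unquote(value)
    return cookies


def make_db():
    """In-memory users table with constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, useraccountid TEXT, username TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (useraccountid, username) VALUES (?, ?)",
        [("a1f3", "SYSMOX"), ("b7c2", "alice"), ("c9d4", "webmaster@example.com")],
    )
    return conn


def lookup_vulnerable(conn, account_id):
    """The bug: the cookie value is concatenated straight into the SQL text."""
    sql = f"SELECT username FROM users WHERE useraccountid='{account_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, account_id):
    """The fix: a bound parameter is compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE useraccountid=?"
    return [row[0] for row in conn.execute(sql, (account_id,))]


def demo():
    conn = make_db()
    # The attacker sends the payload URL-encoded inside an otherwise normal header.
    header = "lang=en; useraccountid=" + quote(PAYLOAD_TARGET_USER, safe="")
    account_id = parse_cookie_header(header)["useraccountid"]
    return {
        "vulnerable": lookup_vulnerable(conn, account_id),  # ['SYSMOX']: logged in as SYSMOX
        "safe": lookup_safe(conn, account_id),              # []: the payload matches nothing
        "all_rows": lookup_vulnerable(conn, PAYLOAD_ALL_ROWS),
        "like": lookup_vulnerable(conn, PAYLOAD_LIKE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the parameterized query still returns nothing for a forged id; the real defence for the session itself is to stop putting a lookup key in the cookie at all and use an unguessable, server-side session identifier.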
Verbose Error Messages :
Description: Developers commonly include verbose error messages in the development of software applications. When software behaves unexpectedly, it generates messages that contain detailed information about how and where an error occurred. These messages are useful within the web development life cycle (since the application is often executed in a remote multi-tiered environment), but these verbose error messages often contain environment variables, path disclosure, and other platform information used to aid in debugging. This information is a valued resource to an attacker attempting to penetrate a system.
HTML Comments :
Description: HTML comments are commonly placed within the source code of a web page. Web site developers often mark portions of their pages with comments which are not displayed to a web site visitor, although anyone can read them in the page source. These comments may contain sensitive information about the structure of the web site, or information intended only for the system owners or developers. They can provide an attacker with information about your system, network, or application behavior which may be useful in future attacks.
Known Directory :
Description: A Known Directory vulnerability indicates that a web server directory not intended for public viewing has a name that can easily be guessed, and thus can also be accessed. This directory may contain files with sensitive data or functionality for configuring the web server.
Known CGI File :
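As an added example (not the page's or SySmox's own tooling) covering the HTML comment and verbose error message items above, here is a small review helper a tester can run over saved responses: it pulls every HTML comment out of a page and flags the ones that mention sensitive terms, and it scans a body for error-message markers and disclosed file system paths. The sample page and the PHP-style warning are constructed, and the keyword and marker lists are starting points to tune per engagement.

```python
import re
from html.parser import HTMLParser

# Words that turn an HTML comment into a finding (tune per engagement).
SENSITIVE_WORDS = ("password", "passwd", "todo", "fixme", "admin", "debug",
                   "db_", "backup", "secret", "key", "internal")

# Markers typical of verbose error output, and the shapes of disclosed paths.
ERROR_MARKERS = re.compile(
    r"(?:Fatal error|Warning|Parse error|on line \d+|ODBC|ORA-\d{5}|Stack trace|Traceback)"
)
PATH_DISCLOSURE = re.compile(
    r"(?:[A-Za-z]:\\(?:[\w .-]+\\)+[\w .-]+"                # C:\Inetpub\wwwroot\...\db.php
    r"|/(?:var|home|usr|etc|opt)/(?:[\w.-]+/)*[\w.-]+)"    # /var/www/.../config.inc
)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> block in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def flag_comments(html):
    """Comments worth reporting: any that mention a sensitive word."""
    return [c for c in extract_comments(html)
            if any(word in c.lower() for word in SENSITIVE_WORDS)]


def find_verbose_errors(body):
    """(kind, detail) findings for error markers and path disclosure, line by line."""
    findings = []
    for line in body.splitlines():
        if ERROR_MARKERS.search(line):
            findings.append(("error_message", line.strip()))
        for path in PATH_DISCLOSURE.findall(line):
            findings.append(("path_disclosure", path))
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_PAGE = """<html><head><title>Gallery</title></head>
<!-- TODO: remove the test account before launch -->
<body>
<!-- build 2.3.1, layout by webdev -->
<form action="/cgi-bin/upload.cgi" method="post">
<!-- db_host and credentials now live in inc/db.inc -->
</form></body></html>"""

SAMPLE_ERROR = (
    "<b>Warning</b>: mysql_connect(): Access denied for user 'gallery'@'localhost' in\n"
    "<b>C:\\Inetpub\\wwwroot\\gallery\\inc\\db.php</b> on line 12"
)

if __name__ == "__main__":
    for comment in flag_comments(SAMPLE_PAGE):
        print("comment:", comment)
    for kind, detail in find_verbose_errors(SAMPLE_ERROR):
        print(f"{kind}: {detail}")
```

The comment check deliberately works on the raw response rather than on what a browser renders, which is exactly the view an attacker has.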
When I was testing an IIS server after a defacement attack, the webmaster was confused about how the attackers had gained access to the server and changed the visual appearance of the site.
1 - The attackers used SQL injection in xgallery (Absolute gallery) to obtain admin passwords and upload backdoors.
2 - They uploaded automated tools that defaced the server, replacing every index page.
3 - They recorded the defaced home pages in the zone-h digital attack archive.
Hackers exploit the Xgallery panel to bypass the upload filter : Web application security
This attack allows an attacker who can upload a file with a "safe" extension (jpg, html, etc.) to upload an ASP script and have the web server execute it. It arises when a file name of the form "attacker.asp;.jpg" is submitted: the application checks the extension and sees "jpg", but IIS stops parsing the name at the first ";" and maps the file to the ASP handler. The result is trivial code execution on an IIS server (the behaviour is that of IIS 6; later versions do not truncate at the semicolon) that lets users choose the file name of their upload. The fix on the application side is to whitelist the whole file name, verify the content, and store the upload under a server-generated name rather than the one the client supplied.
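Added example (mine, not the gallery's code or SySmox's) of the filename bypass above and the hardened check: a model of the naive last-dot extension test that the "attacker.asp;.jpg" name defeats, a model of the IIS 6 truncation the page describes, and an upload gate that whitelists the whole name, checks the file's magic bytes, and throws the client's name away. The allowed extension list and the magic-byte table are assumptions for the example.

```python
import re
import uuid

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}
# Leading bytes of the image types we accept (assumed list for the example).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def extension_check_naive(filename):
    """What the vulnerable gallery did: trust the text after the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def iis6_effective_extension(filename):
    """Model of the IIS 6 behaviour the page describes: the name is cut at the
    first ';' before the handler is chosen, so 'attacker.asp;.jpg' runs as ASP."""
    truncated = filename.split(";", 1)[0]
    return truncated.rsplit(".", 1)[-1].lower() if "." in truncated else ""


# One base name, one dot, one allowed extension; fullmatch rejects ';', extra
# dots, path separators, NUL bytes and trailing newlines.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|gif|png)", re.IGNORECASE)


def extension_check_hardened(filename):
    return SAFE_NAME.fullmatch(filename) is not None


def content_matches_extension(data, ext):
    """Require the file body to start like the image type the name claims."""
    wanted = "jpg" if ext == "jpeg" else ext
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind == wanted
    return False


def stored_name(filename, data):
    """Accept the upload only if name and content both pass, then discard the
    client's name and return a server-generated one to store the file under."""
    if not extension_check_hardened(filename):
        raise ValueError("rejected file name")
    ext = filename.rsplit(".", 1)[1].lower()
    if not content_matches_extension(data, ext):
        raise ValueError("content does not match extension")
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    evil = "attacker.asp;.jpg"
    print("naive check accepts:", extension_check_naive(evil))        # True
    print("IIS 6 would run it as:", iis6_effective_extension(evil))   # asp
    print("hardened check accepts:", extension_check_hardened(evil))  # False
    print("stored as:", stored_name("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Generating the stored name server-side is what closes the hole for good: even if a future parser quirk slips past the name check, the attacker no longer controls any part of the path the web server sees.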
Software security is not an operational issue.
Application security has become one of the highest priorities for organizations as attackers turn their attention to vulnerabilities that pass straight through traditional network security technologies such as web application firewalls and intrusion detection systems.
Application security is not an operational issue. The solution lies in building better software. SySmox helps clients define, design, develop, deploy and maintain reliable and secure software with our Strategic. SySmox delivers a set of comprehensive services and business strategies to help our clients measurably improve their software development life cycle. By understanding and managing the inherent risk, SySmox is able to help its clients reduce their costs and improve their security.
SySmox consultants help organizations understand their security posture and identify the systemic causes of security flaws. SySmox creates meaningful and measurable plans to improve security throughout each stage of the software development cycle. SySmox offers Enterprise Programs as turn-key solutions as well as Individual Services, such as penetration testing, threat modeling, policy development and source code reviews, to help clients supplement their own efforts.
Web Application Security : Formal Trust and Authentication :
Secure web application design is not product-specific: it helps in securely designing and implementing any web application, regardless of the platform. This article is part of a series on security-related topics for web applications, but many of these concepts are relevant to any application development cycle, including non-web applications.
1 Formal Trust.
2 External Resources (Including Users).
3 Client Applications (Including Users).
4 Authentication (Trusting Identification).
Keeping computer security issues at bay is a full-time job. These columns provide general education, point out common security issues in implementations, and can aid you in both design and troubleshooting. However, they are not a substitute for a full-time security specialist or security group in your organization.
Bear in mind that individual links are provided for reference; they may not be applicable to your specific architecture or configuration. Be sure to carefully check whether the procedures suggested or described apply to your configuration before implementing them. Also, be sure to test any change to your current configuration or process in a testing environment prior to applying them in any production environment.
1 Formal Trust :
Last month’s column, How to Design Secure Web Applications, briefly discussed formal trust in the context of input validation and architectural research and design. This column discusses formal trust as a general concept, including how it relates not only to input validation, but also to topics such as working with external data resources (including users), building client-server applications (both web-based and not), and most importantly, authentication.
The first thing to keep in mind about formal trust is that it barely resembles the personal act of trusting (such as the "Can I trust my friend Bob?" idea). Formal trust is usually a calculation based on existing policies and on informed opinion about the implementation environment and relevant architecture in which an application is intended to execute. When a security analyst calculates the formal trust relationships for a given application implementation, she examines the requirements of the policy and existing procedure, compares these resources to the facilities provided by the data and other supporting resources, and makes implementation and design decisions based on how closely the resources match the policy.
Perhaps a more approachable way to think of the process of calculating formal trust is comparing it to a hiring process. Candidates must be appropriate to the position that is open, but beyond reading their resumes, it is still necessary to do background checks, interview them, and perhaps test them. You usually do this whether or not you personally think that candidates are trustworthy. You do it both because your HR policy states proper procedure for hiring someone to fill the role you need to fill and because you cannot afford to take chances. In no way is the standard way your company hires resources meant to be a personal criticism of a candidate; it is just the way the policy says it must be done.
Application Penetration Testing :
As more organizations leverage the Internet for business and commercial transactions, attackers are focusing on applications to penetrate corporate security controls. Application developers continue to focus on functionality over security, which has presented an entirely new venue for attackers to launch exploits and compromise applications and business critical data.
The SySmox application security assessment provides a customized, extensive, impartial, and periodic security analysis of online web applications, whether internally developed or commercial enterprise applications. This service delivers a well-developed matrix of existing threats, application vulnerabilities, and real-world recommendations to address specific weaknesses. In addition, SySmox uses a combination of proprietary and manual technical methods to find vulnerabilities that cannot be identified through automated means.
This whitepaper discusses how attackers can use default WebLogic configurations to gain access and deploy backdoors. It will help you understand the risk of default passwords and of WebLogic security more generally:
The number of vulnerabilities discovered is still on the rise with an increase of more than 70% over the past two years .
SySmox delivers vulnerability management solutions that give websites of all sizes a more effective way to secure and manage their most valuable digital assets.
Why Manage Vulnerabilities :
The reality today is that the amount of security information is virtually unmanageable and on top of this the number of newly discovered vulnerabilities is increasing while time for remediation is decreasing. This forces IT departments to reassess their approach to protect the corporate web server.
Attackers use vulnerabilities in WordPress, osCommerce, in-house code and other software to target websites.
SySmox's aim is to give you exactly the intelligence you need to address vulnerabilities fast and effectively before intruders cause serious harm to your website.
Whether you control security from a central security department or have distributed security responsibilities, our services assure that you receive security alerts tailored to your IT infrastructure.
After development, the Macromedia Flash communication application moves into production. At that time you will want to configure the Macromedia Flash Communication Server properly, with security issues high on the priority list. Insecure server configurations can lead to several bad outcomes, including unauthorized users who compromise information, steal server capacity, cheat in games, or disrupt or even shut down the server. Below is a checklist of security configuration settings (plus a few "best practice" tips) to consider as you set up Flash Communication Server MX for real-time use by intranet or Internet users.
General administration settings :
1 Set a secure user ID and password. Don't use "admin", "administrator" (and so forth) as the user name. Pick a password of at least 8 characters (longer is better) that includes digits and punctuation.
2 Use the <Allow> and <Deny> tags in the Server.xml file to restrict which client computers can connect to the Admin application.
3 Set the Admin tool to bind to a port that is not available to the general public. Block access to this port with your firewall.
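To make the three checklist items above concrete, here is an added example (not Macromedia's or SySmox's code) that audits the <AdminServer> section of a Server.xml: it flags an Admin service bound to every interface, an <Allow> of "all", and an empty <Deny>, and it checks an admin user name and password against the rules in item 1. The weak and hardened Server.xml fragments are constructed for the example; the element names (HostPort, Allow, Deny, Order) follow the product's documented layout, but treat that layout as an assumption and compare it with your own Server.xml before relying on the checker.

```python
import string
import xml.etree.ElementTree as ET

# Constructed Server.xml fragments: the weak defaults beside a hardened version.
# Element names assume the documented <AdminServer> layout.
WEAK_SERVER_XML = """<Root><Server><AdminServer>
  <HostPort>:1111</HostPort>
  <Allow>all</Allow>
  <Deny></Deny>
  <Order>Allow,Deny</Order>
</AdminServer></Server></Root>"""

HARDENED_SERVER_XML = """<Root><Server><AdminServer>
  <HostPort>10.0.5.2:1111</HostPort>
  <Allow>10.0.5.10, 10.0.5.11</Allow>
  <Deny>all</Deny>
  <Order>Deny,Allow</Order>
</AdminServer></Server></Root>"""

FORBIDDEN_ADMIN_NAMES = {"admin", "administrator", "root"}


def username_ok(name):
    """Checklist item 1: no guessable administrator account names."""
    return name.strip().lower() not in FORBIDDEN_ADMIN_NAMES


def password_ok(password):
    """Checklist item 1: 8+ characters with at least one digit and one punctuation mark."""
    return (len(password) >= 8
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def audit_admin_server(server_xml):
    """Checklist items 2 and 3: return a list of findings for the <AdminServer> block."""
    root = ET.fromstring(server_xml)
    admin = root.find("./Server/AdminServer")
    if admin is None:
        return ["no <AdminServer> section found"]
    findings = []

    # A HostPort with no host part (':1111') or 0.0.0.0 listens on every interface;
    # bind the Admin service to an internal address and firewall the port as well.
    hostport = (admin.findtext("HostPort") or "").strip()
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else ""
    if host in ("", "0.0.0.0"):
        findings.append(f"HostPort {hostport!r}: Admin service listens on every interface")

    allow = (admin.findtext("Allow") or "").strip()
    if allow.lower() == "all":
        findings.append("Allow is 'all': any client may connect to the Admin application")

    deny = (admin.findtext("Deny") or "").strip()
    if deny == "":
        findings.append("Deny is empty: no client is blocked at the application level")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_admin_server(xml_text) or "no findings")
    print("username 'admin' ok:", username_ok("admin"))
    print("password 'Sy5mox!2' ok:", password_ok("Sy5mox!2"))
```

The Allow/Deny restriction and the firewall rule in item 3 are complementary: the XML list stops connections the server itself sees, while the firewall keeps the port from being reachable at all if the configuration is ever reverted.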