07 December 2012

Automation

Posts relating to the category tag "automation" are listed below.

07 December 2012

Waffish Behaviour in 2012

In Scotland and northern England, a "waff" is a gust or puff of air, or a passing glimpse. It is also a verb meaning to flutter or cause to flutter. In this post I want to avoid hot air, waffle and waggish comments to highlight guidance on the deployment and use of web application firewalls (WAFs).

Crowd/queue control barriers

WAFs can be controversial in that they can be a blunt instrument to add some protection to web applications, may not be well understood, are often not configured well, can be expensive to acquire, require an ongoing resource commitment, may cause problems with valid business functionality, could lead to the delegation of responsibility for application security primarily to operations, and if not integrated with other software assurance activities, can lead to the mistaken assumption that applications are secure. These issues need to be considered, but WAFs are a valid tool to have in your arsenal of defences.

Some more recent, and older long-standing, viewpoints and uses are described in the sources listed in alphabetical order below:

If you have, or are thinking of using WAFs, do read all of the above and subsequent discussions about some of those papers, as well as listening to suppliers/vendors. Then make up your own mind.

Posted on: 07 December 2012 at 08:54 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

04 December 2012

Denial of Service Attack Defences

Another recent paper from Securosis addresses defending against denial of service (DoS) attacks.

The title sheet from the paper 'Defending Against Denial of Service Attacks'

Defending Against Denial of Service Attacks examines the types of attacks prevalent currently, and methods to maintain availability and minimise the adverse economic effect. The paper begins by identifying the threats‐protection racketeers, hacktivists, cyber war, exfiltrators, competitors, and business success itself.

The types of attack are described and defences for networks and applications are described. For applications, building security into the software development life cycle, web application firewalls (WAFs), anti-DoS devices and service providers, content delivery networks (CDN) are described. The need for a multi-faceted approach to application DoS protection is recommended in the paper.

I think some applications will just be more problematic than others and avoiding security vulnerabilities, minimising the attack surface and building in application-specific attack detection and response will help here too.

The paper includes links to further insightful sources of information, and recommends that to be effective, the process for defending against denial of service attacks needs to include activities before, during and after an attack.

Posted on: 04 December 2012 at 08:00 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

27 December 2011

Guide to HTML5 Web Security

Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.

An extract from a page in Michael Schmidt's document HTML5 Web Security showing how HTML5 vulnerabilities and attacks are described and illustrated in diagrammatic form

Michael Schmidt (Compass Security) wrote his master's thesis about HTML5 security in May 2011 and has published an extract for everyone to access.

HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.

The main sections are:

  • 2.2 Cross-origin resource sharing
  • 2.3 Web storage
  • 2.4 Offline web application
  • 2.5 Web messaging
  • 2.6 Custom scheme and content handlers
  • 2.7 Web sockets API
  • 2.8 Geolocation API
  • 2.9 Implicit relevant features of HTML5
    Web workers, new elements, attributes and CSS, Iframe sandboxing and server-sent events

If you are already developing HTML, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards, and test plans to incorporate the knowledge.

The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?

Posted on: 27 December 2011 at 09:07 hrs

Comments Comments (4) | Permalink | Send Send | Post to Twitter

26 October 2010

Benign Unexpected URLs - Part 1 - Missing (404 Not Found Error) Files

Application information gathering such as enumeration of directories, files and other resources are a type of forced browsing and which may be made easier by using predictable resource locations.

Some requested URLs are likely to be an attacker exploring the application or trying to find a published vulnerability:

  • /.htaccess
  • /index.php?file=../../../../../../../../../etc/passwd
  • /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tiny...
  • /statistik/usage_201007.html
  • /sumthin
  • /FormMail.pl

If these do not exist, they may raise a 404 status error, and be listed in web and application error logs.

As part of my presentation at AppSec Washington DC in two weeks time, and the related guidance document, I wanted to provide examples of URLs which publicly exposed web applications may receive for non-existent resources (and thus generate a 404 status error), but which are not necessarily malicious and probably not even suspicious. This is important because one of the primary benefits of application level intrusion detection and prevention is its very low false positive rate (falsely identified attacks).

If URLs are requested which do not form part of the allowable entry points to the application, what does that mean? An attacker might be undertaking reconnaissance, testing defences or looking for vulnerabilities—just the types of things an intrusion detection system should be looking for. However, they may be benign requests.

In the tables below, I have set out 20 common types of non-malicious unexpected missing file URLs which most public web sites could receive. If the site is not exposed to search engines and external parties, this list will need to be shortened.

Type A: URLs that Should Not Exist

The first type is URLs that are requested with the premise the page/file does not exist.

Category Comments and examples
404 Checks Web crawlers (spiders, robots) and site monitoring tools may send requests for URLs which do not exist to check the response includes a 404 status code.

/noexist_5f99a84006c367f0.html
/noexist_059734c26ad55a7b.html
/SlurpConfirm404.htm
/SlurpConfirm404/[anything]
/validurl_a9c4b6b91846c05cfcd2272044cb9266

Type B: Assumed Valid URLs

In this type, URLs are wrongly assumed to exist but are requested nevertheless.

Category Comments and examples
Old URLs Search engines may have indexed URLs which have been moved or no longer exist, or these may be referenced in indexes, user's bookmarks, on other websites and in office documents. These would also include user-generated content such as profiles, images etc that has subsequently been deleted. Temporary URLs created by the application (e.g. for time-limited report generation) and URLs provided to third parties that have expired also need to be considered.
New URLs New application entry points may be linked to before the resource exists during change management processes, or by mistake.
Unacceptable URLs Some applications and websites may exist in multiple contexts. For example, there may be an internal version of a corporate website with additional URLs (e.g. staff directory) which are not present on the external public site. This may be harder for internal users to identify if DNS is configured so that internal users see the internal site on the real domain. Links may be used from outside or sent to third parties.
URL Rewriting URL rewriting is often used to present human-readable addresses. These may include directory names (e.g. years, months and days for blog entries) which generate a not found error when requested independently. E.g. for /2010/10/26/Benign-Unexpected-URLs-Part-1-Missing-Files

/2010/10
/2010/
Code Libraries Relative URLs in third party code such as style sheets and JavaScript libraries may reference local content such as images and fonts. If these have not been copied as well, missing file errors will occur.
Device Specific Some browsing devices may try to find an alternative version of a site (e.g. optimised for a mobile device) by making requests that will lead to not found errors.

/pda
/mobile
Ownership Verification Files added to the site (often in the root) to verify site ownership (e.g. advertising services, webmaster tools, uptime and anti-malware monitoring) are re-requested by the originating site but have been removed.
Policy Files Policy files may be requested even if they do not exist.

/clientaccesspolicy.xml
/crossdomain.xml
/flash/crossdomain.xml
/w3c/p3p.xml
https://www.example.com/rules.abe
Robots Exclusion The robots exclusion file will be requested by search engine crawlers even if it does not exist.

/robots.txt
Site Maps Sitemap files that do not exist may be requested automatically by web crawlers and scanners.

/sitemap.gz
/sitemap.xml
Favicons Favicon images may be requested automatically by web browsers and used in the address bar and to help visually identify bookmarks; multiple file names and extensions may be requested until a valid file is found.

/apple-touch-icon-precomposed.png
/apple-touch-icon.png
/favicon.ico
/favico.ico
/favicon.png
/favicon.bmp
News Feeds and Trackbacks News readers and aggregators may try to (unsuccessfully) guess RSS and atom feed URLs.

/example/feed
/examplefeed

/example/trackback
Other Associated Files Web browsers and their plug-ins may request files associated with the content that do not exist. E.g. for /example.pdf

/example.pdf.th
/example.prn
Toolbars Toolbars such as Discuss for Internet Explorer/Microsoft Office may request URLs that do not exist.

/MSOffice/cltreq.asp
/_vti_bin/owssvr.dll
Malformed URLs Poorly built web crawlers may request URLs that don't exist because of incorrect parsing of links.

http://www.example.com/examplehttp://www.example.com
http://www.example.com/examplehttps://secure.example.com
http://www.example.com/example/ftp://ftp.example.com/otherexample
http://www.example.com/"http://www.example.com">otherexample
http://www.example.com/'http:/www.example.com/example'
http://www.example.com/"http:/www.example.com">Example</a>
http://www.example.com/example+%255bPLM=0%255d+GET+http:/www.example.com/otherexample
http://www.example.com/Javascript:...
Previous Site If a domain or IP address has been used for a completely different web site or application previously, there may be missing file errors reported for URLs that did exist on the previous site.

Type C: Incorrect URLs

Some URLs are not, and never have been, valid entry points but are requested normally due to a user's mistake of some sort such as a transcription error.

Category Comments and examples
Truncation URLs can become truncated in emails due to line wrapping or may not be correctly referenced in other files such as PDFs. Alternatively, the URLs may be complete but have additional whitespace characters (e.g. carriage return, line feed, tab, space) within them.

/exampl
/exampl[LF]e
Extra Punctuation URLs may be requested with additional punctuation suffix, perhaps due to an address that has been hyperlinked incorrectly in a sentence.

/example.
/example).
/example,
Mis-Spelling URLs may be published/copied/typed incorrectly.

/exmple
Case Sensitivity URLs may be typed/requested in a case inconsistent with the server.

/Example

Type D: Testing

Your own functionality and security testing, or testing services performed on your behalf, will request URLs that do not exist. These might also be considered benign if the scanning is authorised and from a known source.

Category Comments and examples
Testing Scanners and manual testing may request numerous URLs to enumerate applications, to examine response messages & codes, to test access control and to identify unknown files and directories including those containing old and backup files.

Some of these could be being requested by an attacker, but they are usually not enough to identify one—Type D from an unknown source, or unauthorised, should not be assumed to be benign. Items such as incorrect case, truncation and mis-spelling (Type C) cannot be predicted in advance, but if they occur it may be necessary to add custom redirections to the correct URLs.

If you have further suggestions and examples, please share them. Tomorrow, I will extend the discussion of benign URLs to valid (non-missing) URLs.

Update 8th November 2010: Following a direct message, I have added /trackback and URLs referenced by client-side style and code libraries. Link to 'Tomorrow' enabled in last paragraph.

Posted on: 26 October 2010 at 07:06 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

15 October 2010

Image Recognition CAPTCHAs

Web users should be very familiar with challenge-response CAPTCHA test which are also known as Human Interactive Proofs (HIPs).

Stage set at Muse's 2010 concert in Webley Stadium, London, showing a icon-style images of human shapes

A lot of time is spent devising CAPTCHAs and trying to break CAPTCHAs in an automated manner. They are used where website owners want to try to ensure a real person is undertaking a transaction such as logging in or submitting content. Now, most web sites don't need to use CAPTCHAs and there can be accessibility problems, but they are often needed for more high-profile sites or when targetted automated attacks are occurring.

A new paper Attacks and Design of Image Recognition CAPTCHAs examines image recognition CAPTCHAs (IRCs) and analyses the effectiveness and security of the schemes considering:

  • ease of use by humans
  • difficulty to automate
  • universality
  • reistance to no-effort attacks
  • scalability
  • use of a secret database.

The authors describe the lessons learned, some fundamental guidelines for IRCs and propose an alternative IRC which relies on recognising an object by exploiting its surrounding context. This requires the user (hopefully a human) to select an item from a set of objects detached from the original image, and then place it back at its original position in the image. Its usability, robustness and copyright issues are discussed.

Posted on: 15 October 2010 at 09:05 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

22 September 2009

Accessible CAPTCHAs

One of the most common issues that arise when discussing accessibility and security, is the use of CAPTCHA images on web pages. These are used to differentiate between real human users and automated systems that might want to submit forms to register fake users, create spam or add links to malicious web sites in forum postings, blog comments and the like. CAPTCHAs are also in the news again after Google acquired reCAPTCHA, one of the larger free CAPTCHA providers.

CAPTCHAs also sparked a new topic in the Web Security Mailing List yesterday, Complex CAPTCHA Solutions raised the subject of the benefits and usability issues relating to CAPTCHA and alternative complex methods.

Partial image of the article 'Cracking the Captcha code' from Ability Magazine

An article in this quarter's issue (Issue 74 Summer 2009) of Ability Magazine discusses the problem and alternative approaches such as audio versions, logic puzzles and image recognition or even having a human operator available to help.

Using CAPTCHAs on web sites where there are particularly sensitive data or as part of authentication mechanisms before providing access to sensitive or high-value information, is almost never justified. The identification and authentication mechanisms should be sufficient in themselves.

The most appropriate use for CAPTCHAs is on high usage web sites where the criticality of information is low, and the benefits to successful abuse greater. But then the owners of these sites have the resources to develop effective CAPTCHA systems and spend time maintaining the robustness of the method against automated systems and other attacks. The larger the user base, the greater the incentive there is to break the method. See also suggestions on an effectiveness test and my discussion on the security implications of Web Content Accessibility Guidelines 2.0 compliance.

So, normally there are simpler ways to prevent spam on most sites that might consider using CAPTCHAs. There is a good summary on the WebAIM blog and discussion list, based on ideas like the Honeypot Captcha. These measures should be used in the first instance for response forms, forum registration and the like. Proceed from there only if a problem occurs, and spend time thinking about other security matters.

Ability Magazine can be obtained by subscription but it is also a free benefit to members of the British Computer Society (BCS) Assistive Technology Group, formerly the BCS Disability Group.

Update 28th September 2009: I just read Using Web Analytics to Assess CAPTCHA Usability on Smiley Cat Web Design which describes an assessment of how many visitors to a web page had difficulty with the CAPTCHA by looking at how often they reloaded it.

Posted on: 22 September 2009 at 07:27 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Automation : Web Security, Usability and Design
http://www.clerkendweller.com/automation
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/automation
Requested by 50.16.166.175 on Wednesday, 19 June 2013 at 15:43 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2013 clerkendweller.com