
Wednesday, April 22, 2009
Google experiment with Image Oriented CAPTCHA

Google is experimenting with a new type of image-oriented CAPTCHA, "What's Up?". It shows a randomly rotated image and asks the user to decide which way is up, a judgment that is easy for a human but hard for a bot. The report, called "What's Up CAPTCHA?" (.PDF), outlines the scheme, which uses image orientation and forces a user to adjust randomly rotated images to their upright orientation.
Although it is premature to judge its effectiveness right now, it's a step in the right direction.
However, RSnake has slightly different views on the issue.
Wednesday, April 15, 2009
Cross Site SQL Injection (XSSQLI)
While going through a nice paper written by Cesar Cerrudo on 'Hacking Intranets with IE', I found an interesting term: XSSQLI. It's not a new vulnerability but a combination of two attacks. Details from the paper:
XSSQLI is a term to describe a Cross Site Request Forgery (XSRF) + SQL Injection attack. This attack consists in forcing a user to request a web application URL that will exploit a SQL Injection vulnerability; as in XSRF attacks, the user can be forced to request a URL by using an HTML IMG, FRAME, IFRAME, STYLE, etc. tag:
<img src="http://intranetsite/pagevulnerable?id=';">
When a victim browses a web page with the above HTML code, an automatic request will be made to the "intranetsite" web application without the user noticing it. The difference from a classic XSRF attack is that, instead of the requested URL triggering some action in the target web application, it will exploit SQL Injection.
Within intranets, some web application implementations use Windows integrated authentication: the user authenticates to the web application with his Windows credentials, which IE does automatically because of the "Automatic logon only in Intranet zone" security setting. MS SQL Server (other DBMSs could be attacked in this way too) also authenticates users with Windows integrated authentication, and some web applications are configured to access the SQL Server backend database by authenticating as the Windows user currently accessing the web application. For an attacker, exploiting a SQL Injection vulnerability in this kind of web application directly isn't as valuable as other attack paths, since the attacker could just connect to SQL Server and run SQL statements as far as his own permissions allow; but by using XSSQLI to attack, for instance, a SQL Server DBA, the attacker will be able to elevate privileges, running SQL Server statements with DBA permissions.
Reference:http://www.argeniss.com/research/HackingIntranets.pdf
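To make the chain concrete, here is an added example (not code from Cerrudo's paper or from this blog) that models both halves of XSSQLI in Python: a constructed attacker page carrying the forced `<img>` request, a hypothetical `/pagevulnerable` handler that concatenates the `id` parameter into SQL, and the same handler with validation and a parameterised query. The table, rows, and the handler names are all assumptions made for the example; SQLite stands in for SQL Server, and the victim's Windows identity is simply implied by the handler running on the victim's behalf.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed attacker page. A bare <img> tag is enough: the victim's browser
# fetches the intranet URL on its own, and with "Automatic logon only in
# Intranet zone" the request carries the victim's Windows credentials.
ATTACKER_HTML = (
    "<html><body>Cute cat pictures\n"
    '<img src="http://intranetsite/pagevulnerable?id=7%27%20OR%20%271%27%3D%271">\n'
    "</body></html>"
)

# Constructed backend data: rows the vulnerable app reads on the victim's behalf.
SAMPLE_ROWS = [
    (7, "alice", "alice-secret"),
    (8, "bob", "bob-secret"),
    (9, "dba", "sa-password-hint"),
]


def forced_urls(html):
    """Every URL that <img src=...> tags in the page make the browser request."""
    return re.findall(r'<img\s[^>]*src="([^"]+)"', html, flags=re.I)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(id INTEGER, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_handler(conn, id_param):
    """Hypothetical /pagevulnerable: builds the SQL by string concatenation."""
    sql = "SELECT owner, secret FROM accounts WHERE id = '%s' ORDER BY id" % id_param
    return conn.execute(sql).fetchall()


def safe_handler(conn, id_param):
    """Same lookup with input validation plus a parameterised query.
    The XSRF half still fires, but there is no SQL injection left to chain."""
    if not id_param.isdigit():
        return []
    sql = "SELECT owner, secret FROM accounts WHERE id = ? ORDER BY id"
    return conn.execute(sql, (int(id_param),)).fetchall()


def simulate_victim_visit(html, handler):
    """Model the victim's browser loading the page: each forced URL is
    dispatched to the app handler as if it arrived with the victim's identity."""
    conn = open_db()
    results = []
    for url in forced_urls(html):
        params = parse_qs(urlsplit(url).query)   # percent-decodes %27 -> '
        id_param = params.get("id", [""])[0]
        results.append(handler(conn, id_param))
    return results


if __name__ == "__main__":
    print("vulnerable:", simulate_victim_visit(ATTACKER_HTML, vulnerable_handler))
    print("safe:      ", simulate_victim_visit(ATTACKER_HTML, safe_handler))
```

The point the simulation makes is that anti-XSRF tokens alone would not have saved this endpoint; the privilege escalation comes from the injection being executed under whoever the browser authenticated as, so the fix belongs in the query construction.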
Friday, April 10, 2009
A filmi affair...

My colleague Chintan always gives me scintillating ideas to do something off-the-leak. I appreciate his analytical power and innovative mind. This time he gave me the stunning idea of making a film whose script revolves around 'hacking'. I found this idea innovative as well. Seriously, if we can make such films (I am not talking about a 3-hour full-length movie; it can be a documentary too), the idea is to educate people about the general mistakes they make in daily life that get them trapped in a hacker's net: how hackers can exploit silly flaws in any application, or fool users to damage their reputation and exploit them financially.
The dream is big...but not bigger than our ambition. We can, and will strive towards it. Let the time come and we shall surely move in that direction.
Become a professional certified as ASS ;)

No joke...No indecent word either...it's Certified Application Security Specialist (Certified ASS).
A new certification for Application Security professionals. And the attractive feature of the certification is that you need not take any exam. The main features of the certification are:
1. No need to study - Candidates use our exclusive certification process to prove their Stated History of Individual Training via self-validation, which reflects their real-world experiences.
2. No need to take exams - After self validation, candidates agree to the Oath of Office and Code of Ethics. This process ensures only the most experienced ASS achieve certified status, without the need for a test.
3. Lowest Cost - There is no cost to become a Certified ASS! While many candidates have long been considered ASS's, they can now validate that claim with true certification at no cost.
4. Reflects the real world of security - By eliminating costly training programs and standardized tests, the Institute created a process that matches the standard management, processes for enterprise application security, and consistent with today's industry best-practices.
Check yourself at : http://www.asscert.com/
Free Hacking sites
I came across RSnake's blog containing a great repository of free hacking sites. You can just go there, try your skills and learn a lot...absolutely free, and with no legal notices either ;) I checked a few of them and found them really cool; they range from beginner level to advanced level.
You can check yourself:
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://testasp.acunetix.com/Default.asp
http://test.acunetix.com/
http://hackme.ntobjectives.com/
http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
http://zero.webappsecurity.com/
http://www.hackertest.net/
http://www.hackthissite.org/
http://www.mavensecurity.com/WebMaven.php
http://ha.ckers.org/challenge/
http://ha.ckers.org/challenge2/
http://demo.testfire.net/
http://scanme.nmap.org/
http://www.hellboundhackers.org/
http://www.overthewire.org/wargames/
http://roothack.org/
Happy hacking! :)
Friday, April 3, 2009
Devise security with ESAPI in your application
The OWASP Enterprise Security API (ESAPI) Toolkits help software developers guard against security-related design and implementation flaws. Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers. Using an ESAPI Toolkit realizes cost savings through reduced development time, and the increased security due to using heavily analyzed and carefully designed security methods provides developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques. Available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc...) simply do not provide enough protection! ESAPI Toolkits are designed to automatically take care of many aspects of application security, making these issues invisible to the developers. The use of the ESAPI will also make it much easier for static analysis tools to verify an application, by building ESAPI calls into static analysis tool rulesets.

It has been developed for various technologies like .NET, Java, PHP etc., though some ports are still a good way from completion. The main idea behind ESAPI is that it gives you the same security API regardless of language, so application code need not care how input was received or how it is being filtered: call a method like ESAPI.encoder().encodeForHTML(input) and it returns the string safely encoded for placement in an HTML body. The main difference between a normal encoding function and an ESAPI encoding function is that the ESAPI functions are very well researched and carefully implemented: they whitelist the few characters known to be safe for a given output context and encode everything else, rather than blacklisting a handful of characters.
For example,
the Authenticator methods for authenticating users are:
createUser(accountName, pass1, pass2)
generateStrongPassword()
getCurrentUser()
login(request, response)
logout()
verifyAccountNameStrength(acctName)
verifyPasswordStrength(newPass, oldPass)
Handling User Authentication:

So, with ESAPI you can:
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation
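To show what "well researched" encoding buys you over a hand-rolled one, here is an added Python sketch (not ESAPI's own code, and not from this blog) of the whitelist approach the ESAPI encoders take: everything that is not alphanumeric or in a small context-specific "immune" set is entity-encoded. The immune sets, the naive encoder, and the unquoted-attribute template are assumptions made for the example; the payload is constructed. The example goes one step beyond the paragraph above by showing why the HTML-body and HTML-attribute encoders have to differ.

```python
import re

# Characters left unencoded ("immune") in each output context. This mirrors
# the whitelist style of ESAPI's encoders, but the exact sets are assumptions
# for this example, not copied from the library.
IMMUNE_HTML = set(",.-_ ")       # HTML body text: a space cannot break out
IMMUNE_HTML_ATTR = set(",.-_")   # attribute value: a space can end an unquoted value


def naive_encode(s):
    """Typical hand-rolled encoder: escapes only the four 'obvious' characters."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def whitelist_encode(s, immune):
    """Encode every character that is not ASCII-alphanumeric and not in the
    immune set as a numeric entity, so no input can alter surrounding markup."""
    out = []
    for ch in s:
        if (ch.isascii() and ch.isalnum()) or ch in immune:
            out.append(ch)
        else:
            out.append("&#x%x;" % ord(ch))
    return "".join(out)


def encode_for_html(s):
    return whitelist_encode(s, IMMUNE_HTML)


def encode_for_html_attribute(s):
    return whitelist_encode(s, IMMUNE_HTML_ATTR)


def render_unquoted_attr(encoder, value):
    """A template that forgot to quote the attribute: the encoder is the only
    thing standing between user input and a new event-handler attribute."""
    return "<input value=%s>" % encoder(value)


def attribute_intact(html):
    """True if the tag still carries exactly one attribute (no stray whitespace)."""
    return re.fullmatch(r"<input value=\S*>", html) is not None


if __name__ == "__main__":
    payload = "x onmouseover=alert(1)"   # constructed attribute-breakout payload
    for name, enc in [("naive", naive_encode), ("html", encode_for_html),
                      ("html-attr", encode_for_html_attribute)]:
        html = render_unquoted_attr(enc, payload)
        print("%-9s intact=%s  %s" % (name, attribute_intact(html), html))
```

The naive encoder passes the payload through untouched, and even the body encoder leaves the space that starts a second attribute; only the attribute-context encoder keeps the tag intact. That is why ESAPI exposes separate encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript and similar methods instead of one "escape" function: picking the right one for the output context is part of using the API correctly.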
Reference:
They won't accept!
I don't know what the problem is. They are dilly-dallying over the process. OK, I am not going to pressurise them, but at least they should have lent their attention to the issue.
I am talking about Clickjacking, which I reported to Mozilla and Opera. After a lot of conversation, Mozilla at least responded somewhat positively. But in the case of Opera, they have not been positive throughout the process. They didn't even give their views regarding the issue. At least they should have responded to me personally with their view on the issue. Any sort of response would have made me enthusiastic. Last week I posted some comments on an Opera member's blog. After a series of postings he even stopped responding. These things are discouraging.

