Seguridad Agile: mayo 2013

2013/05/22

Leak mortal

Hace años que las bases de datos de los sitios web son hackeadas y suponemos que gracias a la información obtenida, hay personas y empresas que pierden cuentas, valores en Internet, imagen, privacidad y dinero. Han habido leaks que quizás llevaron a que soldados, agentes encubiertos o informantes fueran apresados o muertos, pero son personas que actuan por convicción o dinero y al participar deberían aceptar o al menos conocer las reglas.

El último leak interesante fué contra la policía en Sudáfrica[1], donde se pueden ver las denuncias de víctimas e informes de delatores.

Supongo que ahora esperarás que haga la crítica habitual a los diseñadores, desarrolladores y administradores por no haber protegido el sitio de sqli, por no haber encriptado los datos. Bueno, ya está, ahí lo hice.

En esta ocasión me interesa más el punto de vista del que está en la lista.

Como se puede apreciar a ojo, dos de cada tres de las denuncias asociadas a palabras interesantes no tiene nombre, probablemente se trate de denuncias anónimas. ¿Y el tercio restante?

	total	con nombre
drugs	285	120
murder	252	173
kill	565	402
kidnap	32	25
gang	129	94
rape	216	151
total	15796	12501

El escenario que yo imagino es este: algún criminal que fué apresado por una denuncia pero no supo nunca quien lo denunció, la encuentra en el leak, con el nombre, teléfono, ciudad y mail del denunciante. ¿Sigo?

Reflexioná. Si sos informático, no seas el responsable de esto.

(actualización: de paso nos enteramos de quién ha sido víctima de violación y otras cosas que a la gente le encanta que difundan sin permiso)

Y no olvides que cada palabra que pongas acá en Internet, vivirá por siempre[2] y si no la usa algún criminal informático antes, irá a un data warehouse y el año que viene o dentro de diez años cuando cambie lo que es "políticamente correcto", será correlacionada con algún pecado y la vas a pagar.

[1] http://www.itweb.co.za/index.php?option=com_content&view=article&id=64268:SAPS-hack-spells-negligence&catid=265

[2] http://en.wikipedia.org/wiki/Big_data

2013/05/15

Cheat Sheet cultura seguridad

Cheat sheet siempre me suena a eat shit, pero bueno, es un problema que tengo.

Las instrucciones para construir la demo están en [1].

Estamos viendo de hacer pronto la segunda parte, permanecé en sintonía.

Comparto con los asistentes al meetup[2] y cualquier otro interesado, la hojita que mostré con las listas de conceptos que me parece útil tener en cuenta.

Está en beta, hay cosas que faltan, vale volver en unos pocos días. La pongo en inglés por que es como me manejo habitualmente, pero si alguien necesita que la traduzca, me lo pide e irá al backlog.

[1] http://seguridad-agile.blogspot.com/2012/09/cafein.html
[2] http://www.meetup.com/agiles-bsas/events/118145402/

Information Security Principles

Confidentiality
Integrity
Availabiliy

Information Access Properties

Authentication
Authorization
No repudiation

Design Principles (Saltzer, Schroeder)

Economy of mechanism
Fail-safe defaults
Complete mediation
Open design
Separation of privilege
Least privilege
Least common mechanism
Psychological acceptability

Other concepts

Defense in depth
Security through obscurity
Surface attack reduction
Window of opportunity
Shannon maxim: the enemy knows the system
Kerckhoffs's principle: A cryptosystem should be secure even if everything about the system, except the key , is public knowledge.

Threat modelling

OWASP Application Threat Modelling

STRIDE

Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

DREAD

Damage
Reproducibility
Exploitability
Affected users
Discoverability

Taxonomies

Seven Kingdoms

Input validation and representation
API abuse
Security features
Time and state
Errors
Code quality
Encapsulation
Environment

Checklists

OWASP Top Ten 2013

Injection
Broken authentication and session management
Cross-site scripting (XSS)
Insecure direct object reference
Security misconfiguration
Sensitive data exposure
Missing function level access control
Cross-site request forgery (CSRF)
Using components with known vulnerabilities
Unvalidated redirects and forwards

SANS top 25 software errors

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Missing Authentication for Critical Function
Missing Authorization
Use of Hard-coded Credentials
Missing Encryption of Sensitive Data
Unrestricted Upload of File with Dangerous Type
Reliance on Untrusted Inputs in a Security Decision
Execution with Unnecessary Privileges
Cross-Site Request Forgery (CSRF)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Download of Code Without Integrity Check
Incorrect Authorization
Inclusion of Functionality from Untrusted Control Sphere
Incorrect Permission Assignment for Critical Resource
Use of Potentially Dangerous Function
Use of a Broken or Risky Cryptographic Algorithm
Incorrect Calculation of Buffer Size
Improper Restriction of Excessive Authentication Attempts
URL Redirection to Untrusted Site ('Open Redirect')
Uncontrolled Format String
Integer Overflow or Wraparound
Use of a One-Way Hash without a Salt

2013/05/05

w3af on raspberry pi

w3af on raspbian (debian 7.0)

Si necesitas versión en español, pídela y la haré.

Update: check http://seguridad-agile.blogspot.com/2015/11/choco-pi.html for a cool and tasty case

Dreaming about plugging in a tiny box in a free port, wait a few minutes and walk away with a network scan and a vulnerability assessment in your pocket? Perhaps running an automated exploit too? So are you ready for load average: 2.85, 2.40, 1.72? You are not alone.

Step 0

Install raspbian[1] on your raspberry pi B[2]

$> sudo apt-get update
$> sudo apt-get upgrade

First attempt

Install w3af[3] from the repos

$> sudo apt-get install w3af

$> w3af_console

/usr/bin/w3af_console: 3: /usr/bin/w3af_console: /usr/bin/python2.5: not found

$> whereis w3af_console

w3af_console: /usr/bin/w3af_console

$> cat /usr/bin/w3af_console

Rename python2.5 to python, bad start.

$> w3af_console

28 seconds later...

w3af>>> profiles
w3af/profiles>>> use fast_scan
The plugins configured by the scan profile have been enabled, and their options configured.
Please set the target URL(s) and start the scan.
w3af/profiles>>> back
w3af>>> target
w3af/config:target>>> set target http://192.168.1.102/
w3af/config:target>>> back
w3af>>> start
Auto-enabling plugin: grep.error500
The thread: <WorkerThread(Thread-9, started daemon -1319824272)> raised an exception while running the request: <bound method fingerprint_404._send_404 of <core.controllers.coreHelpers.fingerprint_404.fingerprint_404 instance at 0x1a8d3c8>>
Exception: w3afMustStopException found by _send_404, someone else will handle it.
The thread: <WorkerThread(Thread-14, started daemon -1361767312)> raised an exception while running the request: <bound method fingerprint_404._send_404 of <core.controllers.coreHelpers.fingerprint_404.fingerprint_404 instance at 0x1a8d3c8>>

try again...

w3af>>> version
w3af - Web Application Attack and Audit Framework
Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
Author: Andres Riancho and the w3af team.

oops! it's too old! but its new! I've just installed it from the repo! I can not ask for help: "Please upgrade to the latest version". We have to clean up the mess.

# dependencies.pl

# parses an apt log searching for a package
# and prints all the packages that were
# installed to fulfil it's dependencies.

my $found = 0;
my $stop=0;
my $result='';
while (( $line = <> ) && !$stop) {
chomp;

if ($found==1) {
    foreach my $val (split(' ', $line)) {
      if (! ( $val =~ m/[()]/ ) and ! ($val =~ /Install/ )) {
        my ($name,$arch) = split(':',$val);
          $result .= "$name ";
    }
      }
      $stop=1;
   } elsif ($line =~ m/Commandline: apt-get install w3af/) {
      $found=1;
   }
}
print $result . "\n";

Run this script to remove w3af and it's dependencies.

$> sudo apt-get remove $( cat /var/log/apt/history.log | perl dependencies.pl)

Second attempt

Install w3af from github.

$> git clone https://github.com/andresriancho/w3af.git

$> ./w3af_console

It will start crying for dependencies, be kind with it and resolve them:

$> sudo apt-get install python-setuptools git libxslt-dev python2.7-dev libsqlite3-dev libxml2-dev python-pip

$> sudo pip install PyGithub GitPython pybloomfiltermmap esmre nltk pdfminer futures pyOpenSSL lxml scapy-real guess-language cluster msgpack-python python-ntlm

$> sudo pip install -e git+git://github.com/ramen/phply.git#egg=phply

Run it again and again

$> ./w3af_console
$> sudo pip install chardet
$> sudo pip install -e git+git://github.com/ramen/phply.git#egg=phply

$> ./w3af_console

Do you accept the terms and conditions? [N|y] y

I'd only tried the console because I don't have an hdmi monitor and did not want to burn my eyes with the tv output, so I used ssh from a "real" computer.

Later, I connected with ssh -X and tried the gui:

$> ssh pi@192.168.1.105 -X

$> ./w3af_gui

Resolve until it runs

$> sudo apt-get install graphviz python-gtk2 python-gtksourceview2

$> sudo pip install xdot

If you are using a 2GB card like me,

rootfs 1838936 1488260 257636 86% /

keep an eye on df. If you are running out of space, remember to purge /var/cache/apt/archives. pip does not keep temporary files, but apt-get installs the packages in the root partition. Remember that 4GB is the recommended size.

I am using an extra pendrive with ext4 to host w3af with no problems.

Some people would say "why didn't you use http://pwnpi.sourceforge.net?[4]"

Well, it's more fun this way and learn about it later and I don't have another sd card.

(update: there is a pretty list at http://resources.infosecinstitute.com/pentesting-distributions-and-installer-kits-for-your-raspberry-pi/ )

One way or another, the nerd thing:

Step two

Be careful, don't fry your computer

Thanks to Andrés Riancho from w3af for the advice on monitoring w3af.

There is a single file [5] to modify.

First you have to import gpio and add some setup code

import RPi.GPIO as GPIO
GPIO.setmode(GPIO.BCM)
GPIO.setup(channel, GPIO.OUT) // for each channel

Then you turn on the leds

GPIO.output(channel, True/False) // for each channel

Event based blinking effect without PWM

GPIO.output(channel, not GPIO.input(channel))

I left this out in order to keep the leds on when the script is over

GPIO.cleanup()

update: Andrés asked me for the code, here it is:

diff --git a/core/controllers/core_helpers/status.py b/core/controllers/core_
helpers/status.p
index 8aa19bf..353f154 100644
--- a/core/controllers/core_helpers/status.py
+++ b/core/controllers/core_helpers/status.py
@@ -19,6 +19,7 @@ along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

'''
+import RPi.GPIO as GPIO
import time

import core.controllers.output_manager as om
@@ -33,6 +34,12 @@ class w3af_core_status(object):
     the different methods to (get) the information required.
     '''
     def __init__(self, w3af_core):
+        GPIO.setmode(GPIO.BCM)
+        GPIO.setup(25, GPIO.OUT, initial=GPIO.LOW)
+        GPIO.setup(24, GPIO.OUT, initial=GPIO.LOW)
+        GPIO.setup(23, GPIO.OUT, initial=GPIO.LOW)
+        GPIO.setup(4, GPIO.OUT, initial=GPIO.LOW)
+
         # Store the core to be able to access the queues to get status
         self._w3af_core = w3af_core

@@ -49,6 +56,8 @@ class w3af_core_status(object):
         # The current fuzzable request that the core is analyzing at each phase
         # where a phase means crawl/audit
         self._current_fuzzable_request = {}
+        print "#### INIT ####\n"
+        GPIO.output(25, True)

     def pause(self, pause_yes_no):
         self._paused = pause_yes_no
@@ -81,6 +90,8 @@ class w3af_core_status(object):
             audit_fr = self.get_current_fuzzable_request('audit')

             if crawl_plugin == audit_plugin == crawl_fr == audit_fr == None:
+                print "#### STARTING SCAN ####\n"
+                GPIO.output(24, True)
                 return 'Starting scan.'

             status_str = ''
@@ -110,6 +121,8 @@ class w3af_core_status(object):
         self._running_plugin[plugin_type] = plugin_name
         self._latest_ptype, self._latest_pname = plugin_type, plugin_name
+        print "#### SET RUNNING PLUGIN: %s ####\n" % plugin_name
+        GPIO.output(23, not GPIO.input(23))

     def get_running_plugin(self, plugin_type):
         '''
@@ -129,6 +142,9 @@ class w3af_core_status(object):
         :return: If the user has called start, and then wants to know if the
         core is still working, it should call is_running() to know that.
         '''
+        print "### RUNNING ###\n"
+        GPIO.output(23, not GPIO.input(23))
+
         return self._is_running

     def is_paused(self):
@@ -170,6 +186,10 @@ class w3af_core_status(object):
         self._is_running = False
         self._running_plugin = {}
         self._current_fuzzable_request = {}
+        print "### SCAN FINISHED ###\n"
+
+        GPIO.output(23, True)
+        GPIO.output(4, True)

     def get_current_fuzzable_request(self, plugin_type):
         '''
@@ -282,11 +302,10 @@ class w3af_core_status(object):
                       ' ETA (%(aeta)s)\n'

         status_str += 'Requests per minute: %(rpm)s'
-
         return status_str % data

def round_or_None(float_or_none):
     if float_or_none is None:
         return None
     else:
-        return round(float_or_none, 2)
\ No newline at end of file
+        return round(float_or_none, 2)

References

[1] http://www.raspbian.org
[2] http://www.raspberrypi.org

[3] http://w3af.org
[4] http://pwnpi.sourceforge.net
[5] https://github.com/andresriancho/w3af/blob/master/core/controllers/core_helpers/status.py
[6] http://code.google.com/p/raspberry-gpio-python