Re: [SC-L] [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis?

2010-05-05 Thread Greg Beeley
Regarding the code snippet -- it does depend on the environment -- point well
taken.  But in this case (from what I can tell), unless you actually have the
file_exists() function *disabled* in php.ini, this is vulnerable to XSS.

- Greg

Sebastian Schinzel wrote, On 04/28/2010 04:03 AM:
> On Apr 28, 2010, at 7:10 AM, SneakySimian wrote:
>> <?php
>> $file = $_GET['file'];
>>
>> if (file_exists($file))
>> {
>>     echo $file;
>> }
>> else
>> {
>>     echo 'File not found. :(';
>> }
>>
>> Ignoring the other blatant issues with that code snippet, is that
>> vulnerable to XSS? No? Are you sure? Yes? Can you prove it? As it
>> turns out, it depends on a configuration setting in php.ini. The only
>> real way to know if it is an issue is to run it in the environment it
>> is meant to be run in. Now, that's not to say that the developer who
>> wrote that code shouldn't be told to fix it in a source code analysis,
>> but the point is, some issues are wholly dependent on the environment
>> and may or may not get caught during code analysis. Other issues such
>> as code branches that don't execute or do execute in certain
>> environments can be problematic to spot during normal source code
>> analysis.
> 
> So you suggest to actually perform n black-box tests where n is the set
> of all possible permutations of all variables in php.ini (hint: n will
> be very large)? This is certainly not feasible.
> 
> Your code shows a very simple data flow, which may or may not be
> exploitable. But this is not the point. The point of software security
> is to increase the reliability of the software when under attack.
> 
> Reliable software performs output encoding when user input is printed
> to HTML. This code does not perform output encoding and should therefore
> be fixed.
> 
> The discussion about whether or not this is exploitable on which platforms
> is a waste of time. In many cases, you will find yourself spending a lot of
> time in trying to get a running exploit, whereas the actual fix for the
> code takes a fraction of the time.
> 
> For me, penetration testing is solely a method to raise awareness and to
> gather new security requirements FOR a customer application FROM security
> researchers. Knowledge transfer from security researchers to the business
> is key here. It helps finding actual attacks but does not help the customer
> writing better code.
> 
> Code audits (whether automated or manual) are the way to go to improve
> reliability by pointing out dangerous coding patterns.
> 
> My 0.02€...
> 
> Cheers
> Sebastian
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
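The snippet argued over above, placed beside a hardened form, as an added example that is not from the thread or from any of its posters. It assumes PHP 7 or later on a POSIX filesystem (the demo creates a file whose name carries the payload, standing in for an attacker-influenced upload name) and fills in $_GET by hand so it runs from the CLI without a web server; showFileVulnerable, showFileHardened and the temp directory are the example's own. Whether file_exists() screens a given payload is environment-dependent (for instance, PHP releases before 5.3.4 truncated paths at a NUL byte, so a prefix could exist while the whole string was echoed), which is exactly why the hardened version does not treat file_exists() as an XSS control: the name is constrained before it reaches the filesystem, and whatever is echoed is HTML-encoded regardless.

```php
<?php
// Added example, not code from the SC-L thread. Assumes PHP >= 7 on a POSIX
// filesystem; $_GET is populated by hand so the script runs offline.
declare(strict_types=1);

// The posted snippet, as a function: untrusted input reaches the HTML
// response unencoded whenever file_exists() happens to return true.
function showFileVulnerable(string $file): string
{
    if (file_exists($file)) {
        return $file;                       // reflected raw into the page
    }
    return 'File not found. :(';
}

// Hardened form. Two independent controls:
//  1. Constrain the value before it touches the filesystem: a bare file name
//     only (no directory parts), no NUL bytes, resolved under a fixed base
//     directory that the resolved path must still sit inside.
//  2. HTML-encode whatever is echoed, so the response stays safe even if
//     control 1 is relaxed later or a filesystem quirk lets an odd name through.
function showFileHardened(string $file, string $baseDir): string
{
    if ($file === '' || $file !== basename($file) || strpos($file, "\0") !== false) {
        return 'Invalid file name.';
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    // realpath() returns false for paths that do not exist; also pin the
    // resolved path under $base so symlinks cannot lead outside it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return 'File not found. :(';
    }
    return htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input for a stand-alone run: a file whose name is the payload,
// the sort of thing an upload handler that keeps client-supplied names yields.
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sc-l-xss-demo-' . getmypid();
$evil = '<script>alert(1)</script>';
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . $evil, 'x');

$_GET['file'] = $tmp . DIRECTORY_SEPARATOR . $evil;

// file_exists() is true here, so the vulnerable version emits the script tag as-is.
echo showFileVulnerable($_GET['file']), PHP_EOL;
// Same file, hardened path: the name is echoed entity-encoded.
echo showFileHardened($evil, $tmp), PHP_EOL;
// Traversal attempt: rejected before any filesystem call.
echo showFileHardened('../../etc/passwd', $tmp), PHP_EOL;

unlink($tmp . DIRECTORY_SEPARATOR . $evil);
rmdir($tmp);
```

Run it with `php demo.php`. The encoding step is the fix Sebastian asks for and is independent of php.ini; the name constraint and base-directory pin address the "other blatant issues" in the snippet (path traversal and arbitrary-path probing) that file_exists() alone does nothing about.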


Re: [SC-L] Web Application Exploits and Defenses

2010-05-05 Thread Rob Floodeen
On the same subject, I'm looking for something along this line (and
that of hacme).  However I need it to be able to:
1.  Work on current MS products
2.  Store its data to a remote database
3.  Be accessible from remote systems
4.  Clean target space

Why?  I need an external corporate webserver that is vulnerable for
some training I'm working on.  Currently we are using some hand
written html and php that feeds into MSSQL.  It works, but is not
exciting or current.  We explored the hacme, maven, webgoat (actually
use it as a secondary target in the dmz), etc.  But have not found
anything that simulates enterprise level operation.

If you would like more detail on what we are building and how, drop me
a mail, I don't wish to spam the list.

-Rob Floodeen


On Wed, May 5, 2010 at 9:44 AM, Kenneth Van Wyk  wrote:
> The folks at Google have released some web app training, along with a 
> vulnerable web app sandbox to play in.  The tool is called Jarlsberg.  Anyone 
> here take a look at it yet, and have an opinion about it?
>
> The description (see below) sounds kinda sorta like OWASP's WebGoat, except 
> that the vulnerable app itself is written in Python.  Oh, and the app is 
> available on the web, as well as in source code (under Creative Commons).
>
> http://jarlsberg.appspot.com/
>
> There's also an instructor's guide available at:
>
> http://code.google.com/edu/submissions/jarlsberg/Jarlsberg_Instructor_Guide.pdf
>
>
> Cheers,
>
> Ken
>
> -
> Kenneth R. van Wyk
> KRvW Associates, LLC
> http://www.KRvW.com
>
> Follow us on Twitter at: http://twitter.com/KRvW_Associates
>
>
>
>
>
>


[SC-L] Web Application Exploits and Defenses

2010-05-05 Thread Kenneth Van Wyk
The folks at Google have released some web app training, along with a 
vulnerable web app sandbox to play in.  The tool is called Jarlsberg.  Anyone 
here take a look at it yet, and have an opinion about it?

The description (see below) sounds kinda sorta like OWASP's WebGoat, except 
that the vulnerable app itself is written in Python.  Oh, and the app is 
available on the web, as well as in source code (under Creative Commons).

http://jarlsberg.appspot.com/ 

There's also an instructor's guide available at:

http://code.google.com/edu/submissions/jarlsberg/Jarlsberg_Instructor_Guide.pdf


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates









Re: [SC-L] Introductions Matt Parsons Video Blog is there an interest

2010-05-05 Thread Matt Parsons
I have been on this list for a while and see a lot of value to the
community.  I wanted to introduce myself to the software security community
through a video blog.

http://parsonsisconsulting.blogspot.com/2010/05/matt-parsons-introduction-cissp.html

I plan on doing some hands-on videos demonstrating OWASP Top Ten
vulnerabilities.

I am interested in getting to know others on this list.  If you feel
comfortable please shoot me an email with what you do and what you hope to
achieve in the software security field.  I am not sure if others on the list
will find this valuable so I will let the moderator determine if it is
allowed.

I am also an open networker looking to expand my software security contacts
via LinkedIn.
http://www.linkedin.com/in/parsonsconsulting

mparsons1...@gmail.com

Thanks,

Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A. The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt