A login process containing an SQL injection vulnerability can be bypassed by attackers. They only need to manipulate the username or password parameter to gain access to the application (even as administrator) without knowing the original user credentials. This is known as “Authentication Bypass via SQL Injection”.

In this post, I want to explain how a penetration tester can use Burp Suite’s Intruder tool to check automatically for this type of vulnerability. I am also providing an authentication-bypass-list.txt file that contains various payload possibilities for checking SQL injection.

Here are the steps that a pentester needs to follow, in order:
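To show why the bypass works and what closes it, here is an added example (not code from the original post): the same login check written once with string concatenation and once with a bound-parameter query, run against a constructed in-memory SQLite user table with two entries of the kind an authentication-bypass payload list contains.

```python
import sqlite3

# Constructed sample user table; in a real application passwords would be hashed.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!Pw', 'administrator')")
    con.execute("INSERT INTO users VALUES ('alice', 'alice-pw', 'user')")
    return con

def login_vulnerable(con, username, password):
    """Builds the query by concatenation: user input is parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()

def login_safe(con, username, password):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()

# Two constructed entries in the style of an authentication-bypass payload list.
# The first turns the WHERE clause true, the second comments out the password check.
BYPASS_PAYLOADS = ["' OR 1=1--", "admin'--"]

def check_bypass(login):
    """Return the payloads (sent as username) that log in without a valid password.
    An empty list means the login function resisted every payload."""
    con = make_db()
    bypassed = []
    for payload in BYPASS_PAYLOADS:
        if login(con, payload, "wrong-password") is not None:
            bypassed.append(payload)
    return bypassed
```

`check_bypass(login_vulnerable)` reports both payloads, while `check_bypass(login_safe)` reports none, which is the result an Intruder run with such a list should produce against a fixed login.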

In this post I want to continue with the subject of privacy violations.

This time the violation is committed by the Revenue Administration (Gelir İdaresi Başkanlığı), which is affiliated with the Ministry of Finance. With an online application, this government institution has moved the rental-income declaration process to the Internet. The service is nice, but logging in to the application is not secure at all. As seen in the image below, only the T.C. identity number and the ID card serial number are required to log in to the application and access personal information. However, we know that obtaining this kind of personal information is possible with small-scale searches on the Internet.

Thanks to this application, it is possible to access the rental-property information of many people and file rental declarations on their behalf. How the affected person would explain and prove to the authorities that someone else filed a false rental declaration in their name is a separate issue.

What I really wonder is this: while the goal is that access to all e-services of government institutions is done through turkiye.gov.tr using the e-government password, why can some government institutions easily step outside this scheme, and why is there nobody auditing and correcting this? Moreover, the Ministry of Finance is already present on the turkiye.gov.tr platform with its e-Yolluk (travel allowance) and e-Bordro (payslip) applications.


In my previous post, I mentioned the web application security check list for auditors. The check list has now been translated into English. For the details, see the Google project site.

Web Application Security Check List, version 2

In 2010, OWASP-Turkey published a check list for web application security which provides various security controls for web application developers and system administrators.

A second version of the check list was planned. I have been involved in the project, and within the past 6 months we have worked on the new check list and structured and enhanced the document. Today we announced the new check list and published it in Excel and PDF formats.

Compared to the first version, the new security check list contains the following enhancements:

  • More security controls have been added. The new check list now contains 62 security controls.
  • The categorization is now based on OWASP Testing Guide categories.
  • Each security control is assigned to a verification requirement of OWASP ASVS (Application Security Verification Standard Project).
  • The document has been published in PDF as well as in Excel format. The Excel format provides tool functionality and shows implemented and unimplemented security controls graphically.
  • Each security control has a status (Yes, No, Out-of-Scope) flag which is explicitly managed within the Excel tool.
  • A Turkish-English terminology of security terms has been added to the document.

Our next step is the translation into English. I believe the document will be very helpful for anyone (e.g. developers, auditors, security architects, IT architects, system administrators, database administrators, etc.) focusing on security aspects during the development and operation of web applications.

You can download the documents from the Publications section as well.

Privacy Violations – 1 (Mahremiyet İhlalleri)

The privacy of personal information is, unfortunately, a matter that receives little attention and is easily compromised in Turkey, as in many places in the world. Since there is no awareness of privacy across society, government institutions, private organizations and individuals alike ignore the privacy of the personal information they hold and share it on the Internet, where access is open to everyone.

We experienced the most obvious example of this during the period when KEY payments were made. Many newspapers published the T.C. identity numbers and full names of KEY beneficiaries. Yet the fact that the T.C. identity number is personal information, and that its privacy therefore must be protected, was overlooked. The KEY case is only one example. By spending a little time on search engines, it is still possible to find T.C. identity numbers on many websites.

In this blog I want to talk from time to time about the privacy violations we encounter in our country. Let’s start with İspark. İspark offers an online parking-debt inquiry service. With this service, by entering a licence plate and the CAPTCHA security code, you can learn the parking debts of any vehicle you like. Private information that only we ourselves should know is accessible to everyone, and this is a clear privacy violation.

Another thought-provoking aspect of the İspark example is that the CAPTCHA check has not been implemented properly. Using this weakness, it is possible to write a program that lists the debts of all vehicles registered in this inquiry system. A CAPTCHA check is used to distinguish humans from computer programs. It is therefore essential that the security code inside the CAPTCHA cannot be recognized by automated programs. İspark has ignored this requirement by putting the CAPTCHA code directly into the page source as a parameter. This problem can be clearly seen in the screenshots below.

In Germany, access to this kind of information over the Internet is only possible if a secret password has been exchanged with the end user over a secure channel. Otherwise, the information is delivered by post. The postal system is also quite secure compared to the one in Turkey. If the recipient’s name on a letter is not written on the mailbox, the mail carrier does not leave the letter there. Letters are never left out in the open; they are always put into a locked mailbox.

TMSF committed a similar privacy violation through its “Dormant Accounts Pre-notification Inquiry” (Zamanaşımı Hesapları Önbildirim Sorgulama) service, which allowed access to information about money that many people had forgotten in banks.

As I stated at the beginning, the problem of privacy violations is an issue that can only improve as society becomes sensitive to it. I hope our public awareness of this matter develops over time.

I have completed the review of the book “Secure and Resilient Software Development” for the IACR (International Association for Cryptologic Research) book review program.

The review can be summarized as follows:

This book is a “must read” resource for security experts focusing on application security and for application designers and developers who need to integrate security into their systems. It covers various aspects of application security for each phase of software development. The authors have practical experience in application security and have written a practice-oriented book. The chapters are well structured and arranged in a good logical order. I would strongly recommend this book to security architects, security trainers, application designers and developers. But I would not recommend the book to students, who might have less security and development knowledge due to a lack of real-life project experience. The broad content of the book could be quite complicated for students to follow.

You can download the review from the Publications section as well.

I have recently completed the review of the book “Architecting Secure Software Systems” for the IACR (International Association for Cryptologic Research) book review program.

The review can be summarized as follows:

This book focuses on both theoretical and practical aspects of designing secure software systems. While its theory part is quite well written, its practical part is not well structured. I would strongly recommend it to people who need only an overview of secure software design, but not to security experts who want to study a specific topic in detail.

You can download the review from the Publications section as well.

I will now continue with the review of the book “Secure and Resilient Software Development” as the next one.

Secure Coding Guidelines for Java

I have published a (Turkish) article about secure coding guidelines for Java within the OWASP-Turkey Documents. The article aims at helping IT architects and developers understand the main security aspects during the design and development phases.

The guideline contains generic countermeasures (e.g. do not write duplicated code) as well as Java-specific countermeasures (e.g. how to use the doPrivileged() method securely). It is mainly grouped into the following sections:

  • Design
  • Confidentiality and Privacy
  • Access Control
  • Input Validation
  • Serialization

The main references for the article are as follows:

The article is available in the OWASP-Turkey Documents. You can download it from the Publications section as well.

Secure Software Development with SAMM

SAMM (Software Assurance Maturity Model) is an OWASP project that provides a well-structured strategy and guidelines for integrating security into software development processes.

In the 7th issue of the Web Security Magazine managed by OWASP-Turkey, I have written an introductory article on SAMM. In this article, I focused mainly on the following topics:

  • What is SAMM and what are the main aims of SAMM?
  • What is the structure of SAMM? What are its main components (i.e. business functions, security practices, maturity levels, security activities)?
  • What are the 4 business functions (i.e. governance, construction, verification, deployment)?
  • What are the 12 security practices (i.e. strategy&metrics, policy&compliance, education&guidance, threat assessment, security requirements, security architecture, design review, code review, security testing, vulnerability management, environment hardening, operational establishment)?
  • How do you apply SAMM within development projects? What are the main SAMM documents/tools (e.g. assessment worksheet, scorecards, roadmap template)?

The article is in Turkish and you can read it at this link. You can download it as a PDF from the Publications section of this blog as well.

If you are interested in SAMM and need more information, I suggest visiting the following links:

Feedbacks from Application Pentest

I have recently completed a penetration test of a SAP portal application for a customer. It was a short (5-day) assignment which required the execution of a tool-supported automated pentest (with IBM AppScan), a manual pentest, and the preparation of a final presentation explaining the findings and countermeasures.

In such short pentests, it is very important that the test plan is scheduled efficiently. In the following, I want to summarize some important aspects that are relevant for executing pentests successfully and efficiently:


Password Patterns

In December 2009, a critical data breach occurred on the Internet. Around 32 million user passwords of the rockyou.com web portal were stolen by a hacker who had used SQL injection for his attack. He obtained all the passwords and made them available anonymously (i.e. without usernames) on the Internet for download.

Security experts started analyzing the passwords, and Imperva released a study on the security level of the passwords. They came up with the following results:

OWASP Enterprise Security API (ESAPI) provides a security control library that helps programmers integrate security into their applications. It is not a new framework, but it provides a common interface and reference implementations that other frameworks can benefit from.

Security is a complex issue. The “weakest link” problem is well known. If you need to provide security, you should consider all possible threats and the relevant solutions. If you forget to integrate one control, you will probably lose.

ESAPI aims to close this gap by providing a more “complete” set of best-practice security controls. Let’s look at an encryption example in Java. Listing 1 shows an AES symmetric encryption example which encrypts the given plain text with the secret key. For readability, some details (e.g. imports, exception handling, comments, etc.) are omitted.


My Comments for Security Reportage

There is a series of security reportages (interviews) organized by the Turkish network security community and published in their security bulletins.

For the 25th issue, I gave my answers to the following questions in the reportage:

  • Can you introduce yourself?
  • How did you start working on security?
  • How do you see information security in Turkey?
  • What are your opinions and suggestions for developing security products in Turkey?
  • What do you suggest for improving IT security in Turkey?
  • Is an official institution required for managing Cyber Security in Turkey?
  • What do you suggest for beginners of IT Security?
  • Which security topics will be discussed worldwide in 2015?
  • What do you think about security certificates?
  • What is the most critical security problem that you have experienced?
  • Which is the last security book you read? Which books do you suggest reading?
  • Who is your hero in IT security and why?
  • Which security tool/software do you use the most?
  • Which websites/blogs do you suggest following?
  • Would you choose security as your working subject again if you had one more chance to choose?

You can read my answers to these questions at this link (in Turkish).

To understand anonymity, it is quite important to know the terminology of anonymity. Pseudonymity, unlinkability, undetectability and unobservability are the most relevant terms which need to be well understood. Since 2000, Martin Hansen and Prof. Pfitzmann have been working on the anonymity terminology document, which explains all the important terms, their relations and differences, with examples and known mechanisms for achieving anonymity and the other properties. The latest version can be downloaded from this link, and the history of the terminology can be followed here.

The document also contains translations of many anonymity-relevant terms into different languages. Turkish was missing, and I translated that part into Turkish. It can be downloaded from here.

In the following, some definitions from the terminology are cited:

A privacy case study of Facebook users

After Mark Zuckerberg, the owner of Facebook, said privacy is no longer a ‘social norm’, Facebook changed its privacy policy and set the default privacy settings of most user personal data to “public” without the users’ consent. Facebook was criticized heavily for this change and was forced to improve its privacy settings. Now Facebook says the new settings are much better and easier.

It is a known fact that people are the weakest link in the security chain. Strong privacy settings should be supported by the awareness of users. They need to know the possible threats and how to protect themselves. Considering Facebook, it is essential to keep the friends list “secure”. That means one should add a person to one’s friend list only if one is sure about the identity of that person. This is critical because Facebook’s privacy protection system is mostly based on this distinction.

SSL Renegotiation Vulnerability

In November 2009, the renegotiation vulnerability in SSL/TLS-based protocols was published. SSL renegotiation is a new SSL handshake over an already established SSL connection.

The attacker sits between the client and the server and carries out a MITM attack. The idea of the attack is as follows:

Two nice articles from Dinis Cruz (Chief OWASP Evangelist) regarding application security assessment by IBM:

For a customer project, we were asked for a tool for database encryption. After some googling, I came across IBM Database Encryption Expert, which seems to be a great tool:

  • It transparently encrypts and decrypts the files on the file system and provides clear-text access only to the authorized parties specified in the access control policies
  • It provides encryption of DB2 databases in offline mode (e.g. backup of databases)
  • It provides encryption of DB2 databases in online mode as well
  • It provides an interface for key management (the encryption keys are stored in encrypted form within the DB2 database of the Security Server)

Here is a video showing the tool in action.

What I wonder is the performance of online encryption. Does anybody have any experience with this issue?

Google Advanced Search

I often use Google advanced search parameters. They help to find the target information in a shorter time. In addition, irrelevant information can be easily removed from the search results. Here are some examples:

site: To filter results according to domain name

“security” site:ibm.de (security-relevant information from the ibm.de domain)
“security” site:com (security-relevant information from all .com domains)

inurl: To filter results according to certain keywords in the URL

inurl:security (all web pages which contain the keyword “security” in their URL)
inurl:security site:ibm.com (all web pages from ibm.com which contain the keyword “security” in their URL)

ext/filetype: To filter results according to file type

security ext:ppt (security presentations)

There are other parameters as well: intitle, intext, cache, etc. For more details, see http://www.googleguide.com/advanced_operators.html

Attack Trees

1. What Are Attack Trees?

Attack trees [10], an idea first put forward by Bruce Schneier [1], aim to identify all possible threats, together with their different properties (likelihood, cost, etc.), by looking at the security risks that must be considered during the design and operation of a system from an attacker’s point of view.

Like the weakest link of a chain, no matter how advanced the security solutions a system offers, it is only as secure as its most exposed side. For this reason, one can speak of real security only for a system that was designed with all possible security attacks in mind. Attack trees are important because, by determining all the weaknesses of a system, they help to identify the points that could otherwise be overlooked.

In this post I will explain how attack trees are designed and how the trees help in analysing security problems and their solutions.
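As an added illustration (not code from the original post), here is a small attack-tree evaluator in Python: leaves carry a feasibility flag and an estimated attacker cost, OR nodes take the cheapest feasible child, AND nodes need every child and sum their costs, and marking a leaf infeasible models a countermeasure. The tree, its node names and the cost units are constructed for the example.

```python
import copy
from dataclasses import dataclass, field
from typing import List

@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" or "and"
    cost: float = 0.0           # leaf only: estimated attacker cost (constructed units)
    possible: bool = True       # leaf only: can the attacker do this step at all?
    children: List["Node"] = field(default_factory=list)

def is_possible(node):
    """OR: any child feasible; AND: every child feasible; leaf: its own flag."""
    if node.kind == "leaf":
        return node.possible
    results = [is_possible(c) for c in node.children]
    return any(results) if node.kind == "or" else all(results)

def cheapest(node):
    """Return (cost, leaf names) of the cheapest feasible attack, or None."""
    if node.kind == "leaf":
        return (node.cost, [node.name]) if node.possible else None
    options = [cheapest(c) for c in node.children]
    if node.kind == "or":
        feasible = [o for o in options if o is not None]
        return min(feasible, key=lambda o: o[0]) if feasible else None
    if any(o is None for o in options):      # an AND node fails if one step fails
        return None
    return (sum(o[0] for o in options), [n for o in options for n in o[1]])

def block(node, leaf_name):
    """Copy of the tree in which a countermeasure has made the named leaf impossible."""
    tree = copy.deepcopy(node)
    stack = [tree]
    while stack:
        n = stack.pop()
        if n.kind == "leaf" and n.name == leaf_name:
            n.possible = False
        stack.extend(n.children)
    return tree

# Constructed example tree for the root goal "read a user's confidential records".
TREE = Node("Read confidential records", "or", children=[
    Node("Guess weak password", cost=100),
    Node("Steal credentials", "and", children=[
        Node("Phish the user", cost=300),
        Node("Bypass one-time code", cost=5000, possible=False),
    ]),
    Node("Exploit SQL injection in login", cost=800),
])
```

Re-running `cheapest` after `block(TREE, "Guess weak password")` shows how the cheapest remaining path moves from the 100-unit password guess to the 800-unit injection, which is how the tree guides the order in which countermeasures pay off.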