Tuesday, 30 July 2013

Everything you wanted to know about SQL injection (but were afraid to ask)

Put on your black hats folks, it’s time to learn some genuinely interesting things about SQL injection. Now remember – y’all play nice with the bits and pieces you’re about to read, ok?

SQL injection is a particularly interesting risk for a few different reasons:

  1. It’s getting increasingly harder to write vulnerable code due to frameworks that automatically parameterise inputs – yet we still write bad code.
  2. You’re not necessarily in the clear just because you use stored procedures or a shiny ORM (you’re aware that SQLi can still get through these, right?) – we still build vulnerable apps around these mitigations.
  3. It’s easily detected remotely by automated tools which can be orchestrated to crawl the web searching for vulnerable sites – yet we’re still putting them out there.

It remains number one on the OWASP Top 10 for a very good reason – it’s common, it’s very easy to exploit and the impact of doing so is severe. One little injection risk in one little feature is often all it takes to disclose every piece of data in the whole system – and I’m going to show you how to do this yourself using a raft of different techniques.

I demonstrated how to protect against SQLi a couple of years back when I wrote about the OWASP Top 10 for .NET developers so I’m not going to focus on mitigation here, this is all about exploiting. But enough of the boring defending stuff, let’s go break things!

Wednesday, 24 July 2013

Of developers, security professionals and playing nice together on PaulDotCom

Last week I had a video chat with the guys over on PaulDotCom (which, of course, is at pauldotcom.com) on a whole bunch of app sec related issues, specifically around how developers can become more security aware. We also spoke quite a bit on how developers and security people can generally get along with each other better than they tend to at present, which IMHO is often a rather corrosive state of affairs.

There’s a bit of banter in the introduction so if you just want to skip direct to the interview, jump over to about 12:30.

Tuesday, 23 July 2013

Bloody galah scammers still not getting the message

As regular readers will know by now, I’m not real fond of virus call centre scammers. You know, the ones who call you up while you’re making dinner or bathing the kids and tell you they’re from Microsoft and that your PC is infected with blah blah polymorphic blah? There’s a bunch of material on this blog already under the Scam tag where I’ve captured the experience and shared it for fun and education. Thing is, the bloody galahs keep calling me so I worked out a little scenario for them…

In this latest call from only a couple of hours ago I allow them into my “Scammer Honeypot” virtual machine decked out with Crocodile Dundee wallpaper (you know – “That’s not a knife, this is a knife”) and a nice array of Aussie wildlife noises to keep things interesting. Problem is those bloody dingos kept pulling out the ethernet cable so every time the scammers got control things would drop out shortly after. Plus an array of angry cockatoos, loud mouthed kookaburras and a pissed off koala (may have been a drop bear) keep things interesting for my new mates from Calcutta. Enjoy :)

Wednesday, 17 July 2013

Your website has never been hacked! (except for all the times that it has)

As part of my general wish to be a good netizen and advocate of website security, I made a responsible disclosure the other day, you know, the kind where you privately email an organisation and pass on security flaws in their online presence that they might not otherwise be aware of. Anyway, the response was, well, you decide:

To date we've not had a single security issue stemming from [insert risk I sent to them here]

Really? Not a single one? Clearly whatever defences this particular organisation has in place are akin to Lisa Simpson’s tiger repelling rock:

Lisa Simpson Tiger Rock

Lisa: Dad, what if I were to tell you that this rock keeps away tigers.
Homer: Uh-huh, and how does it work?
Lisa: It doesn't work. It's just a stupid rock.
Homer: I see.
Lisa: But you don't see any tigers around, do you?
Homer: Lisa, I'd like to buy your rock.

Or in other words, absence of evidence is not evidence of absence. Not knowing you’ve had a security incident is not the same as not having had a security incident and there are some interesting precedents that illustrate this rather well.

Tuesday, 16 July 2013

GT-R: The technology of speed

I have two enduring loves beyond the commonly accepted ones of health and family: technology and fast cars. It’s hard to be passionate about these two and not lust after a GT-R so after some years of lusting, I bought one. Being a technology blog, it wouldn’t be right not to share some of the goodness found within this machine so allow me to give you a taste of what happens when you cram enough cycles of computing power into four wheels and forgive me if the excitement boils over just a little bit :)

In case you’re not a car person, this is a GT-R:

Troy's GT-R

Actually that’s the one decent shot I have of mine (the rest are stock photos) and it’s a Nissan, Jim, but not as we know it. The Japanese have been making GT-Rs on and off for 44 years now but they really gained notoriety in the 90s as the top spec variants of their Skyline model. Down here where we only got a few of the machines on the local market, the Aussie press named it “Godzilla” for its monstrous performance ability and motorsport domination. The name kinda stuck around the world. It was so dominant in our local motorsport that it led to the now infamous pack of arseholes speech by our racing luminary Jim Richards after continued domination of a category that was usually the domain of rather mechanically basic front-engine, rear wheel drive V8s.

There was a 7-year GT-R hiatus from 2002 but come 2009 the car you see above arrived, although this time it was built as a GT-R from the ground up and was no longer a hot version of the Skyline platform. From the outset, Nissan set a massively high performance bar, clearly targeting Porsche’s 911 Turbo, spending a great whack of time on Germany’s Nürburgring (a long time benchmark for performance cars) and generally doing a lot of chest-beating about Anyone, Anytime, Anywhere.

That’s enough of the history lesson, let’s get into the good bits! And yes, there is some video I’ve put together down the very end.

Monday, 15 July 2013

Video: Cyber-security and the broken web

I’ve been doing a number of smaller presentations to user groups and private audiences lately and one of the things I’ve been focussing on is trying to give a sense of how fundamentally broken the security of much of what we’re working with is. I’ve been focussing on three areas: broken web (easily discoverable flaws), broken developers (fundamental misunderstandings about important security concepts) and broken devices (vulnerable equipment on the web).

This presentation was to the CIAOPS Virtual Technology Group (no, not that CIA, this CIA) run by fellow Aussie MVP, Robert Crane. He’s kindly made the video freely available on YouTube for everyone. Enjoy!

Monday, 1 July 2013

How to build (and how not to build) a secure “remember me” feature

Here’s the scenario – a user logs in to your website, comes back tomorrow and… has to log in again. The idea of the “remember me” feature – and let’s face it, we’ve all seen this before – is that their authenticated state is persisted beyond the immediate scope of use. What this means is that they can close the browser, turn off the PC then come back tomorrow or next week or next month or however much later you determine is a reasonable timeframe and the site still knows who they are and offers them all the same features they had when they left it.

I’m talking about this little guy here:

"Keep me logged in" from Facebook

Seems easy, right? It can be, but as you’ll see it’s also not uncommon to make an absolute mess of it and even when you do get it right, there’s a queue of people ready to tell you how it is, in fact, not quite right enough. Let’s start with the really wrong stuff and work from there.
