Friday, November 30, 2012
Vishing - Security Attack?
I got a mail from my bank last month about 'Vishing'. It looks like an old trick for new technologies.
Definition
"Vishing" is an activity where fraudsters trick unsuspecting customers into providing their personal and financial details over the phone.
Usual Methods
Usually fraudsters pose as representatives of large companies, banks or public authorities like the Reserve Bank of India.
The details may be used to carry out fraudulent transactions in the customer's account.
Note:
Do not reveal your confidential banking details like account/card number, PIN, validity date of your debit/credit cards, CVV, or other passwords to anyone.
Tuesday, April 26, 2011
What is OWASP
Four years back, I was looking for help with security testing and I found OWASP, with many presentations, books and testing guides. It helped me a lot with my deliverables. OWASP's Top 10 is a popular one and reflects the current trend.
OWASP by the numbers (Last year report)
- 420,000 page views per month
- 6,381 Articles
- 15,000 downloads per month
- 21,000 members on mailing lists
- 2,600 wiki users
- 1,500 wiki updates per month
- 160 chapters worldwide
- 75 individual memberships
- 118 tool and documentation projects
- 17 Books
- 43 corporate/educational memberships
- 7 Board members (Jeff, Tom, Dave, Seb, Dinis, Matt, Eoin)
- 39 Committee Volunteers
- 3 Employees (Paulo, Kate, Alison)
- 25 projects funded
OWASP - Open Web Application Security Project
OWASP is a community of people passionate about application security. It is a non-profit (501(c)(3) not-for-profit worldwide charitable organization), volunteer-driven organization. All members are volunteers and all work is donated by sponsors. They all share a vision of a world where you can confidently trust the software you use. Unfortunately, the current software market doesn't encourage security, and that's something they are trying to change. One of its primary missions is to make application security visible so that people can make informed decisions about risk.
You can find lots of free and open source tools, documents, basic information, guidelines, presentations, video, and blogs at OWASP to help you get started.
- Worldwide free and open community
- Focused on improving the security of Web applications
- Promotes secure software development
- An open forum for discussion
- Publications, Articles, Standards
- Testing and Training Software
- Local Chapters and Mailing Lists
- Software libraries and tools
OWASP Software - WebGoat - Training application
WebGoat Project
- Cross Site Scripting
- SQL Injection Attacks
- Thread Safety
- Field & Parameter Manipulation
- Session Hijacking and Management
- Weak Authentication Mechanisms
- Many more attacks added
OWASP Software - WebScarab - framework for analyzing HTTP/HTTPS traffic
WebScarab Project
- Fragment Analysis – extract scripts and html as presented to the browser, instead of source code presented by the browser post render
- Proxy – observe traffic between the browser and server, includes the ability to modify data in transit, expose hidden fields, and perform bandwidth manipulation
- BeanShell – the ability to execute Java code on requests and responses before being transmitted between the browser and server; allows runtime extension of WebScarab
- Spider – identifies new URLs within each page viewed
- SessionID Analysis – Collection and analysis of cookies to determine predictability of session tokens
My Previous posts on Security
Security Attacks - OWASP Top 10
Security Testing - Webscarab tool
Security Testing - CSS or XSS
Thursday, March 31, 2011
Security Attacks - OWASP Top 10
I was looking into cross site scripting for security testing. Look at the OWASP Top 10 attacks for the years 2010, 2007 and 2004: a few items have moved up or down, and some have been added or removed.
Year 2010 - Top 10
- Injection
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Year 2007 - Top 10
- Cross Site Scripting (XSS)
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
Year 2004 - Top 10
- Unvalidated Input
- Broken Access Control
- Broken Account and Session Management
- Cross Site Scripting (XSS) Flaws
- Buffer Overflows
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management
Saturday, September 13, 2008
Lightweight Directory Access Protocol
For the last few months I have been trying to put together a post on LDAP. LDAP is now widely used in many companies. LDAP testing is a bit different from (native mode) user authentication testing. It is further divided into single-domain and multi-domain LDAP. The test team treats LDAP as another environment/stack against which to certify any product.
LDAP stands for Lightweight Directory Access Protocol. LDAP has become mandatory in IT projects. It is a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. Also, unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access.
The LDAP Data Interchange Format (LDIF), defined in RFC 2849, is a standard text file format for storing LDAP configuration information and directory contents. The dn attribute holds the entry's Distinguished Name, which uniquely identifies the entry. In its most basic form, an LDIF file is:
- A collection of entries separated from each other by blank lines
- A mapping of attribute names to values
- A collection of directives that instruct the parser how to process the information
Descriptions for commonly used abbreviations:
- cn - Common Name
- ou - Organizational Unit
- dc - Domain Component
- dn - Distinguished Name
- rdn - Relative Distinguished Name
- upn - User Principal Name
Sample LDAP configuration:
Principal : cn=admin,cn=Users,DC=rmdomain,DC=com
Users baseDN : DC=rmdomain,DC=com
Group baseDN : DC=rmdomain,DC=com
Bind User DN : cn=admin,cn=users,dc=rmdomain,dc=com
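As an added example (not code from the original post): a small Python parser for the LDIF basics described above (entries separated by blank lines, attribute-to-value lines, base64 `::` values, continuation lines and `#` comments), run over a constructed LDIF modelled on the rmdomain.com DNs in the sample configuration, plus a DN splitter and a comparison showing why cn=Users,DC=rmdomain,DC=com and cn=users,dc=rmdomain,dc=com in the sample name the same entry. The entries, attribute values and password are constructed for illustration.

```python
import base64, re

# Constructed LDIF modelled on the rmdomain.com entries in the post (not a real directory).
SAMPLE_LDIF = """\
# bind account used by the application under test
dn: cn=admin,cn=Users,DC=rmdomain,DC=com
cn: admin
description: LDAP bind account for
  the test environment
userPassword:: c2VjcmV0

dn: ou=Groups,dc=rmdomain,dc=com
ou: Groups
"""

def unfold(text):
    """Drop '#' comment lines and join continuation lines (leading space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # RFC 2849: only the first space is removed
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; 'attr:: value' lines carry base64 and are decoded."""
    directory, entry = {}, {}
    for line in unfold(text) + [""]:        # trailing blank line flushes the last entry
        if not line.strip():
            if entry:
                directory[entry.pop("dn")[0]] = entry
                entry = {}
            continue
        attr, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")
        raw = rest[1:].strip() if is_b64 else rest.strip()
        entry.setdefault(attr, []).append(base64.b64decode(raw).decode() if is_b64 else raw)
    return directory

def split_dn(dn):
    """Split a DN into its RDNs; a backslash-escaped comma (RFC 4514) stays inside its value."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def dn_equal(a, b):
    """Types are case-insensitive and cn/ou/dc use caseIgnoreMatch, so both admin DN spellings match."""
    norm = lambda dn: [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in split_dn(dn)]
    return norm(a) == norm(b)
```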
To know more about LDAP
Wiki - Lightweight Directory Access Protocol
LDAP Concepts & Overview
LDAP Authentication
Monday, March 31, 2008
Security Testing - CSS or XSS
Cross Site Scripting (also known as XSS or CSS) is one of the most common security tests for web applications. Recently it was implemented in our application, and we certified our AUT for CSS.
Generally hackers try to embed a malicious script into a vulnerable dynamic web application. This malicious script is executed and the hacker can steal data. XSS might be used to compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user's system.
To avoid cross site scripting vulnerabilities, the application should HTML-encode its output, and it should not accept any URL or data that contains <script or %3C%2Fscript.
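An added example in Python (not code from the original post) showing the two controls just described side by side: the '<script' / '%3C%2Fscript' input check, and HTML output encoding of a reflected comment, with the vulnerable renderer beside the encoded one. The comment form, the render functions and the sample inputs are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

def contains_script_tag(value: str) -> bool:
    """The input check from the post: reject any URL or data containing '<script' or the
    URL-encoded '%3C%2Fscript'. The value is percent-decoded first so both spellings are
    caught, and compared in lower case because HTML tag names are case-insensitive."""
    decoded = unquote(value).lower()
    return "<script" in decoded or "</script" in decoded

def render_comment_vulnerable(comment: str) -> str:
    # Reflects the raw value into the page, so any markup in it becomes part of the DOM.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment: str) -> str:
    # Output encoding: < > & " ' become entities, so the browser renders text, not markup.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_comment(comment: str) -> str:
    """Both controls together: refuse obvious script tags at the input boundary, and encode
    whatever is accepted, so the encoding holds even for input the check does not match."""
    if contains_script_tag(comment):
        raise ValueError("input rejected: contains a script tag")
    return render_comment_safe(comment)

# Constructed sample inputs a hypothetical comment form might receive.
SAMPLE_INPUTS = {
    "plain": "Hello, world",
    "tag": "<script>probe()</script>",
    "encoded": "%3Cscript%3Eprobe()%3C%2Fscript%3E",
}

if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(name, "rejected" if contains_script_tag(value) else render_comment_safe(value))
```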
Many tools are available on the web to test this. I used a freeware called WebScarab. You can also go through the following links to know more about XSS.
Cross Site Scripting Definition - Wiki
Cross site Scripting FAQ
Sample Videos from Microsoft
Tuesday, February 19, 2008
Security Testing - Webscarab tool
WebScarab is freeware. By using WebScarab, we can do security testing for CSS and SQL injection. The URL is available here -> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication.
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user, known as a cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.