Penetration Testing mailing list archives
Re: Looking for help against Chinese Hacking Team
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Mon, 15 Dec 2008 17:03:40 -0500
What I wrote was "properly designed Parameterized Stored Procedures" not Stored Procedures or Parameterized Stored Procedures. if you do not create your Parameterized Stored Procedures properly then you might be open to limited SQL Injection. If you do a really bad job then you might be open to serious SQL Injection. I wouldn't call a Parameterized Stored Procedure that was vulnerable to SQL Injection a properly designed one, would you?
Therefore, you can not perform SQL Injection against a properly designed parameterized stored procedure. The subject was indirectly "how to defend against SQL Injection", not how to defend against XSS, RFI, LFI, etc.
http://www.owasp.org/index.php/Avoiding_SQL_Injection#Parameterized_Stored_Procedures On Dec 15, 2008, at 4:05 PM, ArcSighter Elite wrote: Yes, stored procedures could be injected. Don't try to deny that, even in standard products such as Oracle or MSSQL there has been issues around this type of injection, and they will continue to happen; so what you can expect from a custom app? If you have some developing experience, then you may know that most database architectures provides you with ways to do parameterized queries (here, I'm talking about JDBC for Java, ADO, Linq for Microsoft, and Python's DBC, in my experience). But: they don't prevent you into CONSTRUCTING a parameterized query FROM a non-properly validated string; I'm wrong? You're given developing tips to some guy that is supposedly to be performing as penetration tester, and the guy is looking for a desperate way to stop the attacks, now think: what it will take long? set up and IDS or fix the web-app? I'm talking about a short-term solution here, and I think this is what he asked for. If assuming the security isn't very high, then It will have to consider also fixing XSS issues, remote includes, weak acls, session hijacking, the list goes on. Do you think it will solve his problem only by reimplementing. We're talking about months here, if you have done some developing. Even with XPers, there will be a lot of time until they have all the issues fixed. So, standing from the pen-tester approach, again: set up preventive measures such as IDS if you can't afford downtime, then LET THE DEVELOPERS fix the issues he could find and report to them.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adriel T. Desautels wrote:"Even stored procedures could be injected if no proper validation is done, you know" You can not perform SQL Injection against a web application that is using properly designed Parameterized Stored Procedures. That means that you would be using both Stored Procedures and a Parameterized query. I don't think that I'm wrong, if I am then please prove it because I don't know everything. OWASP is the Open Web Application Security Project and it offerssufficient resources to build a secure web application. If one follows the OWASP guide and reads the OWASP material then they will be able tobuild a sufficiently secure web application. Do you disagree? I do however agree that a Penetration Tester should not fix theapplication, but the tester should be able to provide a clear and viable method for remediation. We deliver a variety of security services to our customers, one of those being Web Application Security Assessments. Weinclude viable and realistic methods for remediation in all of our deliverables. Anyone that doesn't isn't doing their job. On Dec 15, 2008, at 3:34 PM, ArcSighter Elite wrote: Adriel T. Desautels wrote:Hi there, The real problem here is that you don't know what you are doing(yet). Let me pad that by saying that you're clearly not a security expert and as such you shouldn't be expected to know how to solve this problem. The solution is simple though, especially if you're dealing with SQL Injection. Before I give you the solution for free (which isposted all over the web) I'll ramble on a bit.First, when you went through your "waves" of security experts, what was your decision criteria? I'll admit that there are not very many real "experts" out there and that there are a lot of fraudulent ones. A realexpert would have provided you with a solution to your problemimmediately while some of the others (on this list too) have no clue what they are doing. Unfortunately, most of your Certified Ethical Hackers also don't have a clue (certifications are political and notalways a real representation of talent).Why am I taking the time to write this? Well honestly I am sick and tired of the bad name that these "Fake" security experts are giving to real experts. They offer "penetration tests" that start a $500.00, or Web Application Security Assessments that start at $700.00 when it isIMPOSSIBLE to do either at those prices. The fact of the matter is that your average and real "securityexpert" will have a man hour rate of about 190-350 an hour. The average "good" web application penetration test will take more than 10 hours to do. That does not include time to write reports, to do research, to analyze unique issues, or to do a lot of the other manually intensive work that needs to be done to do the work properly. Can that all be done for $500.00? You do the math.... (the answer is no). Generally speaking if you are asking for an application assessment you're going to spend over $10,000.00. If you're not then you're getting ripped off.So anyway, the solution to your problem is as follows:1-) Your problem appears to be that you suffer from exploitable SQLInjection Vulnerabilities.2-) Your solution is to implement Parameterized Stored Procedures inconjunction with strong input and data validation.Check out http://www.owasp.org as a reference, or you can hire my team to do a kick-ass job and get you locked down good and tight. You most probably have may other risks that you are unaware of that can bedealt with by the right team. If you have any questions I'm a big proponent of free advice.From: harveyfrank <joet () ticadvisors com> Date: December 12, 2008 19:59:19 EST To: pen-test () securityfocus com Subject: Looking for help against Chinese Hacking TeamWe've been battling the Chinese for several months now and have gonethroughseveral waves of US security experts who have failed to stop them.In theirdefense, we are not on an unlimited budget and they've gotten us to apointwhere it looks as though somewhere among the site's 400 scripts isa SQL injection vulnerability.Automated testing by a few pen test products seems to think we'refine. We definitely are not. Is it possible to hire a CEH to find the Chinese-discovered vulnerabilityfor a few hundred dollars? (We aren't just being cheap, we've blownour wad on security that hasn't worked.) Would someone with intimate knowledge of the latest wave of Chinese attacks be required for this job? Besides ourfirst rate security team that's just been beat, I've tried the $200pen test folks and they have all failed. Microsoft security help has also failed. Advice (Besides porting to Linux)? Help? -- View this message in context: http://www.nabble.com/Looking-for-help-against-Chinese-Hacking-Team-tp20986210p20986210.htmlSent from the Penetration Testing mailing list archive at Nabble.com.------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------Adriel T. Desautels ad_lists () netragard com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------Alluding my previous message, he isn't a security expert, and maybe I misunderstood about he wants to know HOW they're breaking in. Maybe I was wrong. In the meantime, I totally agree with you thatnon-knowledgeable security people are making bad fame to true experts. But think about your post. Even stored procedures could be injected ifno proper validation is done, you know. Second, owasp will give him a framework about pen-testing web applications, although is gives some workarounds it's not designed to be some sort of secure coding guide.Secondly, we got something wrong here. The pen-tester shouldn't fix theapplication; developers must. And of course, input validation is theissue, behind SQL injection, BoFs, remote includes; isn't new, don't youthink.Yes, stored procedures could be injected. Don't try to deny that, even in standard products such as Oracle orMSSQL there has been issues around this type of injection, and they willcontinue to happen; so what you can expect from a custom app? If you have some developing experience, then you may know that most databasearchitectures provides you with ways to do parameterized queries (here,I'm talking about JDBC for Java, ADO, Linq for Microsoft, and Python'sDBC, in my experience). But: they don't prevent you into CONSTRUCTING aparameterized query FROM a non-properly validated string; I'm wrong? You're given developing tips to some guy that is supposedly to beperforming as penetration tester, and the guy is looking for a desperateway to stop the attacks, now think: what it will take long? set up and IDS or fix the web-app? I'm talking about a short-term solution here, and I think this is what he asked for. If assuming the security isn'tvery high, then It will have to consider also fixing XSS issues, remoteincludes, weak acls, session hijacking, the list goes on. Do you think it will solve his problem only by reimplementing. We're talking about months here, if you have done some developing. Even with XPers, therewill be a lot of time until they have all the issues fixed. So, standing from the pen-tester approach, again: set up preventive measures such as IDS if you can't afford downtime, then LET THE DEVELOPERS fix the issueshe could find and report to them. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJRsabH+KgkfcIQ8cRApOVAKCRnG+RRHC/cFCHoOZ3KbGRH351oQCeKOIl mxXZoFXl+uBYvdxmThgLAfw= =gaby -----END PGP SIGNATURE-----
Adriel T. Desautels ad_lists () netragard com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- Re: Looking for help against Chinese Hacking Team, (continued)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team Daniel Clemens (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team Sam Stelfox (Dec 15)
- RE: Looking for help against Chinese Hacking Team George M. Garner Jr. (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 18)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Message not available
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 16)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 16)
- Re: Looking for help against Chinese Hacking Team Mike (Dec 18)
- Re: Looking for help against Chinese Hacking Team David Howe (Dec 18)
- Re: Looking for help against Chinese Hacking Team p4ssion (Dec 18)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)