I thought I’d take a moment to post about some web security tools I use pretty often, which help as a security consultant when responding to various web hacking related incidents. These tools have helped me write my own scripts whenever I’m in a jam and need something good and quick to do the job.

Application Log File Forensics: The Hard Way

The first thing a security professional or administrator usually think of when handling an application security incident is to check the logs for the applications, databases, and other application-tiers involved.  Often, these logs are either on the servers that run the applications themselves, or possibly in a central logging location.  If a certain attacker tool can be identified from the log files (or other sources such as full packet-capture), then it may be of interest to run that exact same tool against your own application-under-target (preferably in a mocked-up lab or test environment, if it mirrors production well enough).

The most popular web servers, Apache httpd and Microsoft IIS, do create local log files by default.  According to most compliance regulations and standards (e.g. COBIT, HIPAA, GLB, PCI-DSS, FISMA, EU Directive on Privacy and Electronic Communications, ISO 17799/27002, CA SB1386 and similar), logging must be centrally located, or may have other required provisions.  This may include application-layer information, such as the log information from Apache and IIS.  It may be very likely that your organization already has centralized logging where this information is available.

If centralized logging does not exist, it may be a good time to start up a project to enable it.  The Apache Cookbook, 2E, is the best place to go in order to configure httpd to start sending syslog information.   It’s about as simple to add “ErrorLog syslog:user” into the httpd.conf file, but this only logs error messages, not authentication/access_log messages.  The book gives two prescriptions, one using “AccessLog “|/usr/bin/logger” combined” if your OS supports the logger command properly.  The other is to run a custom log message through a Perl script, as seen below:

CustomLog |/usr/local/apache/bin/apache_syslog combined
cat > apache_syslog
#!/usr/bin/perl
use Sys::Syslog qw( :DEFAULT setlogsock );
setlogsock('unix');
openlog('apache', 'cons', 'pid', 'user');
while ($log = <STDIN>) {
syslog('notice', $log);
}
closelog;

Microsoft IIS will need to go through the Event Log, which can be converted to syslog messages using a third-party software package such as Snare or MonitorWare Agent.  If IIS logs can also be converted to w3c standard log format, then Apache log analyzer tools such as AWStats could also be used.  W3C also has their own log analysis tool that also does HTML validation, called the Log Validator.  These may be useful to run following your own scan of the application using the same or similar attacker tool, as they will not only point out where in your application the scan/tool covered, but also where you may have the most errors or lack of quality/security controls.

The book Practical Information Security Monitoring also makes some suggestions for log collections, including the use of Sawmill or Splunk to sort/search log messages and gain further information and detail.  There may also be further adjustments you will want to do at the application (or other tier) layer, such as logging POST data.  We discussed logging HTTP referrers on our old post: Using Google Analytics to Subvert Privacy.  Practical Information Security Monitoring talks about Oracle audit logging, but there is also a detailed article on Pete Finnigan’s blog on Oracle forensics and UKOUG.  At the recent BlackHat DC conference, David Litchfield gave a talk on The Forensic Investigation of a Compromised Oracle Database Server, which may also be of interest (once the slides are available).  There are also some new books coming out on the topic of Oracle Forensics in the next few months / year.

Web Application Incident Handling: The Easy Way

Most of the logfile “digging” takes time, even when consolidated and using expert tools and analysis.  There are some very easy approaches that we’ve come up with, or seen others using and talking about.  These tools integrate well at the HTML and Script layers.

Over a year ago, Mario Heiderich started the PHP-IDS project, as a way to build protection and monitoring capabilities into PHP applications. Several side projects spurred up as a direct result of the incredible work that was put into PHP-IDS, mainly its default_filter.xml regular expressions. This XML file of regular expressions provides capabilities to detect a vast range of attacks, including XSS, CSRF, SQL Injection, Directory Traversal, Local/Remote File Execution, DoS, and Information Disclosure. Part of the success behind the PHP-IDS project, was the constant testing and attacking of PHP-IDS regex filters, which can be reviewed extensively in this sla.ckers.org thread. More info on PHP-IDS can be found in the PHP-IDS FAQ.

Romain Gaucher, wrote Scalp, an Apache log analyzer in Python, which leverages PHP-IDS’ default_filter.xml to detect attack strings in logs. I’ve used Scalp on numerous occasions, including a recent attack attempt on tssci-security.com. By nature, Scalp cannot examine POST content because Apache logs do not contain POST data. (See PHP-IDS or mod_security for those purposes)

Simply use Scalp by running it as follows (keep in mind there may be false positives with regards to the attack type, though it is very good at pulling attack queries from the log):

./scalp.py --log access_log --filters ./default_filter.xml --html --tough --exhaustive

Arshan Dabirsiaghi recently released OWASP Scrubbr. Scrubbr works by detecting input data in a specified database that does not match up with a specified AntiSamy policy file. Because Scrubbr uses an AntiSamy policy to validate data, does not mean it necessarily detects XSS in your database. Note, one does not require AntiSamy to be implemented in an application to use Scrubbr. Using Scrubbr, you have the capability of validating each and every column capable of holding strings of every row of every table in a database.

Together, Scalp and Scrubbr make for excellent web application security forensic tools. Scalp can help detect attacks in Apache logs, and Scrubbr can help you clean your database of content that does not match your site’s policy.

There is no doubt in my mind that some very strong experts out there have put WAF or WAF-like technology to good use.  However, WAF is dead and dying regardless.

I think that very large-installation, Internet-facing web applications require Anti-DDoS technology in the form of an appliance, preferably one that does rate-based behavior detection.  I often feel that those same organizations also require SLB appliances, although I prefer to see these integrated with a switch fabric in a chassis-based, large backplane network switch.  In a year’s time, SLB Layer-2 technology could be replaced by VMware DRS clustering and/or an equivalent like Microsoft PRO.  I was always a fan of Anycast to replace SLB at Layer-3.  I continue to suggest these models/architectures today.

Can whitelist WAF technology be used by those same devices in the short-term (Anti-DDoS or SLB appliance)?  Absolutely, as long as it’s done by an expert and tuned to the applications.  Should these devices sometimes be separated out of a traditional operational role, due to auditability and for compliance scoping purposes?  Probably not.  Should they perform monitoring, debugging capability, or solving hard production problems?  Probably not.

The reason that the first question is a yes, and the others are a no is because Anti-DDoS and SLB devices are already performance-ready-capable of providing WAF whitelisting functionality (note: not in all cases, but this works especially well for devices that provide rate-based behavior detection before mitigation).  Monitoring does NOT require an inline device.  All it requires is network taps (or potentially port-mirroring, but most professionals recommend taps over SPAN ports).  Also, infrastructure is changing rapidly, so it’s not wise to invest in a dying model.

Additionally, I know that companies like Sourcefire and Reflex Systems are integrating at the VMsafe API layer, which is a hypervisor introspection layer much like XenAccess.  This is really where much of the AV/IDS/IPS/HIMS/DLP/WAF/blacklisting-whitelisting technology belongs.  VNET will also change the introspection layer (in addition to almost completely eliminating the physical network layer and SIM/SEM/SIEM/NMS/EMS moves & changes), as it simply adds to introspection functionality.  I have already alluded to Cisco AXG becoming a VNET “module”, but what if Reflex Systems or StoneSoft start integrating WAF not only as a VNSS (Virtual Network Security System), but also at the hypervisor introspection layer?

Fortunately, for application security, server virtualization and the evolutions it’s bringing with it e.g VNET and VMsafe, are going to dominate traditional networks and cut their existing budgets.  Unfortunately for application security, the new virtualization evolution also brings with it tons of object reuse (there are at least two new controls channels available to adversaries), and new ways of establishing covert channels.

This means a few things.  First of all, the word “firewall” is dead, and therefore, the word “web application firewall” and the associated acronym, WAF, are also dead.  Imagine today if there existed a control channel that, when taken over by adversaries, it became a covert channel that had unlimited object reuse control of every physical RAM on every computer in existence all at once.  This is cloud computing, but virtualized.

Not only that, but we are saying that adversaries have already bypassed traditional firewalls by using the application layer i.e.  Hacking Intranets from Jeremiah Grossman.  Thus, this master, covert control channel is already on its way to being built (at least as man-in-the-browser).  Imagine for a second that you don’t use NoScript with Firefox and additionally implement the features of Chrome by using multiple Firefox profiles.  Imagine for a second that you are a regular user, with all of those Clickjacking and modern application attacks available to anyone who wants to get to you.

Like many of us used the words “brick-and-mortar” to describe backwards-companies during the dotCom bubble, I think “fire-and-wall” well-describes organizations that continue to cling to traditional networks and network security as answers to Internet, Enterprise IT, and any operational risk.

Do I intend to sell you on the idea that we should all instead jump to Fortify RTA or Microsoft SRE?  No.  There are potential consequences to any of this.  This is only the functionality required to reduce risk to applications, not the assurance that risks have been removed.

TCSEC says that we need to balance functionality and assurance.  But nobody ever bothered to do any assurance.  Assurance is the Microsoft SDL, SDL Pro, and SDL-IT.  @Stake and Foundstone are gone and have split into tons of fractured security evaluation and risk assessment boutiques that have 1-300 developer-security-tester guru’s that mix SAST and DAST with expert review.

But the SAST+DAST market is less than $100M, while WAF is at least 20% more than that (although probably inflated).

I hate to be the bearer of bad news, but you don’t just say “DO BOTH” because nobody will do the SAST+DAST work.  We tried that last time, when tcp_wrappers and the DEC firewall came about  The underground that wanted to keep their covert control channels alive started dumping rootkits on pre-pwned Unix machines.  Then Dildog and others made it possible to easily access Windows machines, and after that – botnets and the like have reigned.  There are already backdoors in our web applications.  OWASP Scrubbr is not going to save us all by itself.

Who did the work back then?  OpenBSD?  Certainly not Microsoft, and even today their SDL appears to be failing by some, but imagine if it did not exist at all.  We obviously have to do better with assurance practices.

Can functionality-based controls work easier, better, and faster than assurance ones?  Are they that less complex and easier to train?  Or is there just more written about them because it’s easier to SELL them by baking them into products rather than customizing them to an ISV organization or an Enterprise development team?

If you are part of the group that is spending $120M on WAF technology, then you are hurting the SAST+DAST market because you’re taking away that spending.  Clearly, risk analysis is not taking place and people are spending based on familiarity in addition to PCI-DSS requirement 6.6, which all but forces the inequality to happen.

Look at the best in exploitation-countermeasure functionality-based controls that work on object reuse problems e.g. DEP, ASLR, SafeSEH, SafeInt, et al.  Are adversaries still bypassing these?  Security researchers in the offensive-research space are.  These countermeasures are closer to the code (even HIPS is closer than network-based IPS), like many WAF suggestions.  Is is true that we still require assurance even after 15 years of exploitation-countermeasure optimization?  I remember when stack-guard protections were first coming out – they were seen as a huge joke (i.e. toy/researcher technology), much like Fortify RTA, CORE GRASP, Microsoft AntiXSS-SRE/AntiCSRF, GDS Security GPF, and HDIV are seen now.

I know to many of you out there, this looks like a rant, and I really could go on forever about this topic.  So, go to the datacenter, give your WAFs a hug, and continue to buy into the “functionality is better than assurance” argument.  You’ll feel better in the morning, right after you forget that you just opened up your database to any talented people who want to make money from the data in it.

Also, pen-testing is dead.  We no longer need to prove that applications are insecure.  We know they’re insecure – no matter how many functionality controls you layer on top of them.  Unless YOU prove that the applications that YOU are responsible for ARE secure, you are working against the rights of users, consumers, cardholder data, personally identifiable information tied to healthcare and financial records, trade secrets, and the ability to control our critical infrastructure.  Enjoy.

Jim Manico invited Dre and I to join him with Brian Holyfield on this week’s OWASP Podcast. Topics of discussion included our thoughts on web application security, WAFs, training, among others. Give it a listen, and tell us what you think.

OWASP Podcast Series #6 (direct download link)

Brian introduced a tool he has been working on, SPF – Secure Parameter Filter, which has the features we would like to see in WAFs, and would recommend people checking out as an alternative to implementing a commercial WAF as a short-term fix.

Hey all, I’d like to introduce all of you to a new site Tyler Reguly and I, along with Romain Gaucher and Jay Graver set up last week, SSLFail.com. The site’s purpose is to point out the failures in various sites’ SSL implementations. We’ll be publishing tutorials, and informative articles on SSL in addition to pasting screenshots of high profile sites’ failures.

We came up with the idea for the site when Romain came upon an SSL failure with Gmail. Tyler then blogged about it, and then I was getting errors with Facebook.

The interesting things about Gmail, when you go to https://gmail.com, Firefox was the only browser we tested to follow the 301 Redirect to another domain (www.google.com) with a proper SSL certificate. IE7 and Google Chrome on the other hand, asked the user for confirmation before the redirect. Is this a Firefox SSL failure? I don’t know, and several others I’ve spoken with aren’t sure how a browser should handle it either.

Anyways, just wanted to point out this new site, which has already gotten some attention from lonervamp at terminal23 and hype-free.

As many of you have probably already heard, SANS, in a combined effort with MITRE released the CWE/SANS Top 25 Most Dangerous Programming Errors. There have been numerous discussions on both the Secure Coding List and Webappsec mailing lists, along with a column from Gary McGraw and 11 reasons why Top 10 (or Top 25) lists don’t work. This post is not about that.

Back in 2004, OWASP published the Secure Software Contract Annex (referred to as OWASP Contract hereon out) to help software buyers and sellers achieve a meeting of the minds on application security. The OWASP Contract was generously placed in the public domain so that end-users could use it without license burdens. Since that time, the OWASP Contract has been widely used, even included in a Government acquisition guide (with full attribution). Now SANS has published their SANS Application Security Procurement Language (referred to as SANS Contract) along with the release of the CWE Top 25.

There is no question, that the SANS Contract contains a ton of language from the OWASP Contract. Roughly 75% of the SANS Contract is taken from the OWASP Contract (see below for a side-by-side comparison).

In comparison the original contract put out by OWASP, the SANS-added contract language is very biased. The OWASP Contract was meant to be fair, and balanced — between the software developers and the software buyers. In the SANS Contract, the terms have been slanted to solely benefit software buyers and SANS. Yes, SANS; through including terms that require developers “pass competency tests on application security,” which map directly back to SANS-offered application security training and certification exams. In their contract, the vendor bears the burden of almost every term.

In no way do I intend that this post undermine the incredible efforts the MITRE organization has done with the Common Weakness Enumeration project. Steven M. Christey of MITRE even suggests “promoting these efforts *NOW* while people are still paying attention.”

Instead of looking to the CWE/SANS Top 25 and SANS Application Security Procurement Language, I suggest everyone review the OWASP Application Security Verification Standard and OWASP Secure Software Contract Annex. These two OWASP documents, brought together, set the bar for application security, and take a truly positive approach. No longer are we enumerating badness — creating lists of things to watch out for — but what makes an application truly secure. Take it one step further, and look at Andrew van der Stock’s OWASP Coding Standard to what developers should be doing.

So I leave you all now with the following comparison between the two contracts and leave the rest up for discussion.

Side-by-side comparison (diff -u output)

OWASP Contract (Dec 2004)	SANS Contract (Jan 2009)
WARNING: THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY. OWASP STRONGLY RECOMMENDS THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT.	DISCLAIMER THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY. IT IS STRONGLY RECOMMENDED THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT
5. PERSONNEL AND ORGANIZATION (a) Security Architect Developer will assign responsibility for security to a single senior technical resource, to be known as the project Security Architect. The Security Architect will certify the security of each deliverable.	Personnel The Vendor shall identify in writing the person who will be responsible for overall security of the application development, management, and update process throughout the Contract period. The person identified shall be a single senior technical security specialist, to be known as the project Security Lead. The Security Lead shall certify in writing the security of each deliverable.
Security Training Developer will be responsible for verifying that all members of the developer team have been trained in secure programming techniques.	Security Training The Vendor shall be responsible for verifying that all members of the developer team have been successfully trained in secure programming techniques.
Trustworthy Developers Developer agrees to perform appropriate background investigation of all development team members.	Background Checks of Developers Vendor shall perform appropriate background investigation of all development team members and shall certify that all individuals who will be involved in this Contract and the software development process have cleared the background investigation.
Vulnerabilities Are Expected Both Client and Developer will strive to identify vulnerabilities as early as possible in the lifecycle.	Vulnerabilities, Risks and Threats The Vendor shall agree in writing that he will strive to identify vulnerabilities, risks and threats as early as possible at any time during the software lifecycle.
Developer and Client agree to work together to understand and document the risks facing the application. This effort should identify the key risks to the important assets and functions provided by the application. Each of the topics listed in the requirements section should be considered.	The Vendor shall identify the key risks to the important assets and functions provided by the application. The Vendor shall conduct an analysis of the attached 25 most common programming errors and document in writing that they have been mitigated.
Developer agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The default configuration of the software shall be secure.	The Vendor shall provide secure configuration guidelines in writing to the Purchaser that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The default configuration of the software shall be secure.
Developer agrees to provide documentation that clearly explains the design for achieving each of the security requirements.	The Vendor shall provide written documentation to the Purchaser that clearly explains the design for achieving each of the security requirements.
Developer agrees to provide and follow a set of secure coding guidelines. These guidelines will indicate how code should be formatted, structured, and commented. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for unit test.	The Vendor shall provide and follow a set of secure coding guidelines. These guidelines will indicate how code should be formatted, structured, and commented. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for test.
6. DEVELOPMENT ENVIRONMENT (a) Secure Coding Developer shall disclose what tools are used in the software development environment to encourage secure coding. (b) Configuration Management Developer shall use a source code control system that authenticates and logs the team member associated with all changes to the software baseline and all related configuration and build files. (c) DistributionDeveloper shall use a build process that reliably builds a complete distribution from source. This process shall include a method for verifying the integrity of the software delivered to Client. 7. LIBRARIES, FRAMEWORKS, AND PRODUCTS (a) Disclosure Developer shall disclose all third party software used in the software, including all libraries, frameworks, components, and other products, whether commercial, free, open-source, or closed-source. (b) Evaluation Developer shall make reasonable efforts to ensure that third party software meets all the terms of this agreement and is as secure as custom developed code developed under this agreement.	II. DEVELOPMENT ENVIRONMENT (a) Secure Coding The Vendor shall disclose what tools are used in the software development environment to encourage secure coding. (b) Configuration Management The Vendor shall use a source code control system that authenticates and logs the team member associated with all changes to the software baseline and all related configuration and build files. (c) Distribution The Vendor shall use a build process that reliably builds a complete distribution from source. This process shall include a method for verifying the integrity of the software delivered to Client. (d) Disclosure The Vendor shall document in writing to the Purchaser all third party software used in the software, including all libraries, frameworks, components, and other products, whether commercial, free, open-source, or closed-source. (e) Evaluation The Vendor shall make reasonable efforts to ensure that third party software meets all the terms of this agreement and is as secure as custom developed code developed under this agreement
(e) Security Analysis and Testing Developer agrees to provide and follow a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met. The level of rigor of this activity should be considered and detailed in the plan. Developer will execute the security test plan and provide the test results to Client.	III. TESTING (a) General The Vendor shall provide and follow a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met. The level of rigor of this test process shall be detailed in the plan. The vendor shall implement the security test plan and provide the test results to Client in writing.
9. SECURITY ISSUE MANAGEMENT (a) IdentificationDeveloper will track all security issues uncovered during the entire lifecycle, whether a requirements, design, implementation, testing, deployment, or operational issue. The risk associated with each security issue will be evaluated, documented, and reported to Client as soon as possible after discovery.	Tracking Security Issues The Vendor shall track all security issues uncovered during the entire software lifecycle, whether a requirements, design, implementation, testing, deployment, or operational issue. The risk associated with each security issue shall be evaluated, documented, and reported to Purchaser as soon as possible after discovery
10. ASSURANCE(a) AssuranceDeveloper will provide a “certification package” consisting of the security documentation created throughout the development process. The package should establish that the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately.(b) Self-Certification The Security Architect will certify that the software meets the security requirements, all security activities have been performed, and all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented with the delivery. (c) No Malicious Code Developer warrants that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code.	IV. DELIVERY OF THE SECURE APPLICATION The Vendor shall provide a “certification package” consisting of the security documentation created throughout the development process. The package shall establish that the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. Self-Certification The Security Lead shall certify to the purchaser in writing that the software meets the security requirements, all security activities have been performed, and all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented with the delivery. No Malicious Code Developer warrants that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code.
11. SECURITY ACCEPTANCE AND MAINTENANCE (a) Acceptance The software shall not be considered accepted until the certification package is complete and all security issues have been resolved. (b) Investigating Security Issues After acceptance, if security issues are discovered or reasonably suspected, Developer shall assist Client in performing an investigation to determine the nature of the issue.	V. SECURITY ACCEPTANCE AND MAINTENANCE Acceptance The software shall not be considered accepted until the Vendor certification package is complete and all security issues have been resolved. Investigating Security Issues After acceptance, if security issues are discovered or reasonably suspected, Vendor shall assist Purchaser in performing an investigation to determine the nature of the issue