Websecurify

Here you will learn about the latest developments in the web application security space and more.

Heartbleed Arrives In The Suite

Our mission is not just to create web security tools but to help keep the Web as safe as possible. This is the reason why we have just launched an emergency response tool to detect the presence of Heartbleed across your entire public estate.

The tool is based on the Recon testing engine. Recon uses several techniques to identify related targets by exploring public information such as DNS, search engines, virtual host databases and more. Once targets are discovered, a quick and harmless check is performed to identify whether they are vulnerable to Heartbleed.

This tool is free of charge! We do use our proprietary technology for testing, but we believe that at this time people need to get as much support as they can. There are other tools out there that will help you achieve more or less the same result, but none of them identify targets automatically, as far as we know. This tool will be a good addition to those other tools, especially when your Web estate is big.

How Stable Is This Tool

This tool was put together in the quickest possible fashion, so expect to see bugs. That being said, the Heartbleed detection is accurate. We will concentrate our efforts on improving the tool in the upcoming days in order to provide as much support as we can.

If you find a bug, please report it and we will fix it as soon as we can. Please don't abuse the service.

Chrome Web Store Integration

Starting from today, you will be able to find all Websecurify Suite tools, packaged as hosted apps, on the Google Chrome Web Store. This is exciting news as it takes us even closer to our mission to deliver a cross-platform web application security toolkit, using a modern stack of technology with an almost native user experience.

Websecurify Suite Is A Totally Different Value Proposition

You see, traditional web security tools are mostly static. Once installed, you need to keep them updated. Usually updates do not happen as often as they should, meaning that you will be missing vital features that may be instrumental to the discovery of critical security bugs in the applications you test. Additionally, traditional security tools recreate from scratch what browsers are designed to do anyway, sometimes producing inconsistent behaviour, which leads to many false positives, especially when it comes down to client-side bugs.

Websecurify Suite solves these problems in a very neat way. Our tools are in fact modern web applications, delivered over the web but cached locally for offline use. Unlike SaaS (Software As A Service) web security tools, there are no servers involved when testing. All tests are performed from your own browser, leveraging the latest technology that is available. Unlike desktop security tools, the Suite is always up to date while you are online because of its web roots, and you get more consistent and realistic results because we use an actual browser to discover vulnerabilities.

We call this "the best of both worlds", and now our hosted Chrome applications take this concept even further by abstracting away the web browser that supports everything. All tools are now accessible as normal desktop applications. They even come in their own frame/window, producing the native look and feel you are used to, but still powered by the powerful mix of technology we provide on the web. It is different and we believe it is better.

Getting The Hosted Apps

The easiest way to get the hosted apps for now is to follow the links outlined here: Scanner, Recon, Httpview, Formfuzz, Jsonfuzz, Xmlfuzz, Retest, Resend and others. As the Chrome Web Store integration matures you should be able to discover the apps naturally via the Web Store search facilities and the related section in the app details. Links will be also available on the Suite market.

We are looking forward to seeing how the apps develop. Let us know what you think.

Landing TeslaStorm

We are very proud to announce our latest application security solution, called TeslaStorm. In recent months our team collaborated with the engineers from Tesla Motors to create the ultimate electric car, targeted at information security enthusiasts and professional penetration testers.

TeslaStorm is an all-in-one web application security testing system available from the comfort of your car. Now you can complete your penetration tests before you even arrive at your clients' premises. Combined with the ease of use of our security toolkit, Tesla cars have now become the ultimate sidekick to every infosec professional. Once you step inside the car, TeslaStorm will make you feel like Michael Knight, only in the digital world.

Available Tools

TeslaStorm comes with the full suite of tools. You will be able to do scanning, fuzzing, replaying requests and observing responses when you are not driving, and much more. There is even a direct link to our online Suite, where you will be able to get the latest updates and purchase more tools in order to make your car the ultimate cyber weapon that has ever existed.

Now you have no excuse not to try your luck against the hundreds of Bug Bounty programs while you are stuck in a traffic jam. For more information and to subscribe for a trial, just get in touch.

Httpview Time Filters And More

You are perhaps already familiar with Httpview, our client-side request/response observer, which acts as an intercepting proxy without the need to install an actual proxy. Earlier versions of the tool did not expose a good way of filtering and sorting the collected data. However, starting from today you will have access to a full-featured request filtering facility that goes beyond the standard filters you are already familiar with.

The key filters that we have exposed so far allow you to categorise the collected data by HTTP method name, URL (regular expressions) and time. The first two are pretty standard, but the last one is the most interesting and somewhat unique. The idea was borrowed from our Mac OS X Proxy application, which we have recently launched in ALPHA. The time filter essentially allows you to preview only the data that was collected within the selected time-frame. For example, the "Last 10 Minutes" filter will only show data that was collected in the last 10 minutes - obvious indeed.

Why Does It Matter

Time filters are a very useful mechanism and can be used to simplify our work. For example, when doing a manual inspection of a web application, it can be very confusing to go through all of the collected data at once. A time filter can help us concentrate only on the most recent actions and therefore reduce the overall complexity.

Httpview filters and more are now an integral part of the next generation of the online Suite, soon to become the default toolkit.

Finding XML Entity Injection Problems

XML is a wonderful specification but can be very insecure if misused. I personally believe that XML is insecure because of its over-complicated abstractions that allow you to do a lot of things painlessly but also open the gates to all sorts of problems. One such class of problems is known as entity injection attacks.

What Is Entity Injection

Well, entity injection is a known and very old trick, which allows an attacker to insert XML entities (a special mechanism in XML) into XML documents and as such access arbitrary resources. XML entities come in the form &entityname; and effectively act as text replacement. For example, if the entity &name; is linked to the text John, the XML document <doc>Hello &name;!</doc> will effectively become <doc>Hello John!</doc>. This is just one of the trivial cases, but there is so much more one can do.

The more severe kind of entity injection is when SYSTEM entities are in use, a.k.a. externals. A system entity has the following syntax, defined at the top of the document as part of the DTD section:

<!DOCTYPE document [
<!ENTITY entity-name SYSTEM "URI/URL">
]>

If the DTD declaration is processed, which is the default behaviour in many frameworks, then an attacker may be able to access any file on the local file system and sometimes even make arbitrary HTTP requests to internal servers. As you may have guessed already, this is a severe attack that often leads to a full compromise of the target system.

How To Find XML Entity Injection Problems

Identifying entity injection is a relatively straightforward process. It works by simply constructing a document with a valid DTD declaration that contains at least one external entity. In the body of the document we simply try to use the entity name in various ways in order to achieve the desired effect. For example, a document like the one illustrated below could potentially be used to read the contents of the /etc/shadow file if the remote server is vulnerable and the contents of the entity are echoed back to the user:

<!DOCTYPE document [
<!ENTITY get SYSTEM "/etc/shadow">
]>
<name>&get;</name>

To test complex XML structures we need not only to vary the URI the entity points to, in order to avoid security filters, but also to use the entity on its own or in combination with valid data within elements or inside element attributes. This exercise could quickly get very complex and tedious, especially with large documents, and this is why the best way to find this particular kind of vulnerability is to use a fuzzer.
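As an added example (not part of the original article and not Websecurify's own code), here is the defender's side of the same check: Python's standard-library expat parser used to list the external entities a document declares in its DTD and to refuse to resolve them, run against the two documents quoted above. Expat fetches nothing unless an ExternalEntityRefHandler is installed, which is what makes the inspection safe on untrusted input.

```python
import xml.parsers.expat as expat

class ExternalEntityBlocked(Exception):
    """Raised when a document asks the parser to fetch a SYSTEM/PUBLIC entity."""

def _make_parser(external, chunks):
    """Expat parser that logs external entity declarations and collects text."""
    p = expat.ParserCreate()
    p.buffer_text = True

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones only a SYSTEM/PUBLIC id.
        if value is None:
            external.append((name, system_id))

    p.EntityDeclHandler = entity_decl
    p.CharacterDataHandler = chunks.append
    return p

def find_external_entities(xml_text):
    """List (name, system id) for every external entity declared in the DTD.
    Expat fetches nothing unless an ExternalEntityRefHandler is installed, so
    this is safe on untrusted input: references to such entities are dropped."""
    external, chunks = [], []
    _make_parser(external, chunks).Parse(xml_text, True)
    return external

def parse_guarded(xml_text):
    """Expand internal (text replacement) entities but abort on any attempt to
    resolve an external one. Returns the document's character data."""
    external, chunks = [], []
    p = _make_parser(external, chunks)

    def refuse(context, base, system_id, public_id):
        raise ExternalEntityBlocked(f"refused to resolve external entity {system_id!r}")
    p.ExternalEntityRefHandler = refuse
    p.Parse(xml_text, True)
    return "".join(chunks)

if __name__ == "__main__":
    # Constructed inputs: the two documents quoted in the article above.
    benign = '<!DOCTYPE doc [<!ENTITY name "John">]><doc>Hello &name;!</doc>'
    probe = '<!DOCTYPE document [<!ENTITY get SYSTEM "/etc/shadow">]><name>&get;</name>'
    print(parse_guarded(benign))          # Hello John!
    print(find_external_entities(probe))  # [('get', '/etc/shadow')]
    try:
        parse_guarded(probe)
    except ExternalEntityBlocked as err:
        print("blocked:", err)
```

The same EntityDeclHandler hook is a cheap place to log every external entity declaration an application receives, which is exactly the probe traffic a fuzzer such as the one described below produces.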

Using a Fuzzer

This is where Xmlfuzz enters the picture. Xmlfuzz is a smart XML fuzzer, which works by first understanding the structure of an XML document and then trying various combinations of invalid input in order to find vulnerabilities, including the XML entity injection kind. This is done by walking the tree structure of the XML document recursively and injecting pieces of data which we know could result in abnormal behaviour.

The process works swiftly even on very large and complex documents and can be repeated as many times as we want, fuzzing documents that have already been fuzzed once in order to find more interesting scenarios - a feature known as second-level fuzzing. Xmlfuzz is straightforward to use. The tool takes just a valid HTTP request with a valid XML document as part of the request body. The rest is done automatically for your convenience.

For more information and a walkthrough of how to start a fuzz, simply follow the "Fuzzing XML" article on the Websecurify Learning Portal.

Current Status

After extensive testing, we believe that the next version of our testing technology is almost production ready. We will be looking to make the final switch next week, so we need to get as much of your feedback as possible. Do not hesitate to get in touch to tell us what you think. Just visit NextSuite and give it a good bash.

Changes & Improvements

Among the many features we have implemented you will find the following major changes:

  • We have implemented our latest testing framework called Sparta, which does a superior job at detecting various classes of vulnerabilities and also paves the way to future improvements.
  • We have rewritten all applications from scratch. This change alone brought a lot of useful UI improvements including more configurable options, responsive design and much, much more.
  • We have drastically reduced the application size and memory consumption. Now it takes just a moment to start an application and to update it once we deploy changes. We see almost a 300% to 600% size reduction across all applications.
  • We have made several of our premium applications free to use. This change was a no-brainer; after all, we want to make sure that you get the maximum benefit from our tools. For us, this is paramount.

Again, we are planning to make all of these changes final next week, so please do let us know if you find any bugs that need to be fixed.
