Websecurify

Online Web Application Vulnerability Scanner and Web Security Testing Tools

Getting Things Done - Extended Security Reports

This story is not about a new feature in the online Suite. This story is about speed, efficiency and more importantly the commitment that we have made to our customers.

The story is simple and very familiar. Yesterday, one of our loyal subscribers sent us an intriguing email. He had identified some interesting vulnerabilities using both the Scanner and Recon tools but he did not know what to do with them. We quickly realised that this is a valid concern and something we should improve. A couple of hours later, we had not only offered our help to manually examine the report and give guidance, but had also extended the reporting structure to provide additional information such as a description of the impact, a proposed solution and links for more information. Check it out:

We rolled out the feature within 3 hours of being contacted and that is why we are so proud of the product we've made. It is not only innovative, fast, beautiful and simple but also constantly up-to-date. No release cycles. No waiting. Everything just happens.

To some this may look like a trivial matter but to our customers it is a big deal, especially when you need support. Software doesn't have to be difficult, time consuming and static.

That being said, we have other great features and tools to be released very soon. To stay up to date, just follow us on twitter, facebook or google+.

More UI Improvements

Some great UI improvements should already be available to you if you are subscribed to the Suite. We managed to squeeze them in with the rest of the daily updates. Most of the improvements are related to speed, interoperability and consistency. However, we also introduced a new convenience button as part of the application toolbar, which allows you to quickly launch any other application from the Suite.

We are also working on a brand new tool, which we will release very soon so stay tuned.

How To Improve Your Browser Security With PanicMode

Last year we released a small but very powerful extension for Google Chrome called PanicMode. Once turned on, PanicMode will block any outgoing traffic that is not encrypted. In other words, PanicMode guarantees that your browsing experience remains private whatever you do.

In this blog post I want to show you how you can take this concept further to create a more secure browsing experience by combining PanicMode with other features available out-of-the-box in Chrome.

User Profiles

Did you know that in Chrome you can have separate browsing sessions by using different user profiles? To configure this simply open the Chrome preferences and look under Settings -> Users. Creating a new user profile is as simple as clicking on the "Add new user" button. Alternatively you can click the little avatar icon in the top right corner of the main Chrome window and select the "New User" option.

User profiles are a very nifty feature in Chrome. By having multiple profiles you can segregate different browsing sessions based on function. For example, you may want to create a separate user profile just for social media applications, another for banking and a default profile for everything else. This not only allows you to organise your browsing habits but also improves security.

In order to explain why security is drastically improved by having separate user profiles, imagine that we do everything from the same browser. In one tab we have Facebook or another social media website while in another we are checking our online banking or email. While browsers try to prevent some types of attacks by implementing a security mechanism called the Same Origin Policy (SOP), it is still possible to use web application vulnerabilities to let an evil application in one tab access information from an application opened in a completely different tab. What is even worse is that most of the time you don't even need to have any applications visibly open in tabs. All that is needed is for us to log in once and forget to log out.

Here is a better way to explain this situation. Imagine that we log in to our webmail. We check for new emails and we close the tab or we leave it open. We do not log out. Later on we navigate to an evil web site. The evil website is now in a good position to exploit a web vulnerability in our webmail and as such gain access to our emails.

User profiles enhance the Same Origin Policy (SOP) mechanism by keeping applications separate by function. In other words, if you do banking from one profile and you use it for this purpose only, then the chances of getting compromised by another "evil" website, via a web attack, are slim.

Installing PanicMode

There is another aspect of your browser security that you need to consider, and that is that most applications you access today are available over unencrypted channels. In other words, if an attacker is observing your network, they will be able to see everything that you are doing online. They will also be able to pretend to be you on the web applications you have logged in to. As you can see, this is a serious concern not only from a privacy but also from a security point of view.

Here comes PanicMode to the rescue. Once installed and turned on, PanicMode will revert all non-encrypted traffic to use encryption. This way you can ensure that communication from your browser to your online bank is private and secure. PanicMode is quite harsh as it is completely unbiased and it doesn't try to improve your browsing experience if the sites you are accessing break because they do not support encryption. Non-encrypted sites will simply break and you will see the error on the screen.

This deliberate breaking of insecure websites is not convenient for everyday browsing. If you turn PanicMode on even for 2-3 minutes you will quickly realise how insecure and broken the web really is today. However, breaking insecure but critical web applications is absolutely essential if you care about your security. You simply don't want to give the application developer or your browser a chance to make a mistake. Even the tiniest mistakes can be used against you. If I am an attacker sniffing the network, typically I only need to capture one insecure/unencrypted request in order to hijack your user account. You don't want that to happen, do you? Neither do I.

PanicMode is absolutely free and it is perhaps one of the tiniest extensions in the Chrome Web Store. It is completely unobtrusive and transparent. You don't have to configure it or do anything special with it. Once installed just turn it on.
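To make the "encrypted only" rule described above concrete, here is an added example of how a Chrome extension can enforce it with the blocking webRequest API (Manifest V2). This is illustrative code written for this post, not PanicMode's own source; the scheme table, the name panicDecision and the audit helper are my assumptions.

```javascript
// Added example, not PanicMode's own code. Assumes a Manifest V2 extension
// with the "webRequest" and "webRequestBlocking" permissions.
// Plaintext schemes and the encrypted scheme each one is upgraded to.
const PLAINTEXT_UPGRADE = { 'http:': 'https:', 'ws:': 'wss:' };
// Schemes that are already encrypted or never touch the network.
const ENCRYPTED = new Set(['https:', 'wss:']);
const LOCAL = new Set(['chrome:', 'chrome-extension:', 'about:', 'data:', 'blob:', 'file:']);

// Decide what to do with one outgoing request URL.
// Returns a webRequest BlockingResponse:
//   {}                  let the request through unchanged
//   { redirectUrl }     upgrade the plaintext request to its encrypted twin
//   { cancel: true }    no encrypted equivalent exists, so drop it
function panicDecision(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { cancel: true }; // unparsable, never let it on the wire
  }
  if (ENCRYPTED.has(url.protocol) || LOCAL.has(url.protocol)) return {};
  const upgraded = PLAINTEXT_UPGRADE[url.protocol];
  if (upgraded) {
    url.protocol = upgraded; // host, port, path and query are kept as they were
    return { redirectUrl: url.href };
  }
  return { cancel: true }; // ftp:, gopher: and anything else unknown
}

// Tally what the policy would do to a batch of URLs, e.g. from a proxy log.
// Shows how much of a session would break, as the post describes.
function auditRequests(urls) {
  const tally = { allowed: 0, upgraded: 0, blocked: 0 };
  for (const u of urls) {
    const d = panicDecision(u);
    if (d.cancel) tally.blocked++;
    else if (d.redirectUrl) tally.upgraded++;
    else tally.allowed++;
  }
  return tally;
}

// Register the policy only when running inside Chrome; elsewhere the
// functions above can still be exercised stand-alone.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => panicDecision(details.url),
    { urls: ['<all_urls>'] },
    ['blocking']
  );
}
```

A site that is upgraded but does not serve HTTPS will fail to load, which is exactly the deliberate breakage the post describes rather than a bug in the handler.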

Other Uses of Profiles

User profiles can be used for all kinds of situations. A developer may want to have a separate profile with just dev extensions and relaxed security policies. That is not suitable for everyday browsing.

As a side note, don't forget to install our free web application security scanner for Google Chrome in your development profile. Corporate websites can be accessed from a completely different profile to avoid incidental leakage of sensitive data. Email and social media can all live in their own profiles. You can take this concept as far as you need and install extensions such as PanicMode or Suite depending on the purpose.

BadAssProxy and Websecurify Suite

Needless to say, we are very excited about BadAssProxy. What we are even more excited about is how we are planning to use it to deliver one of the most innovative web application security products of the year (it is only the end of February but we actually believe in this). Everything is neatly illustrated in the following diagram:

From the diagram you can see that our online Suite will support BadAssProxy as a frontend, which you can use not only to control the proxy and its capabilities but also to launch other tools such as those found in the Fuzzers and Scanners categories. This will provide you with a powerful web application security testing environment that goes way beyond what is currently available. Way beyond.

We have already started implementing the features so stay tuned for more information and updates.

Landing a BadAssProxy

We are very happy to announce the first release of BadAssProxy. The project is hosted by GNUCITIZEN but sponsored by us so expect some good things to happen in the near future.

What is BadAssProxy (BAP)

BadAssProxy is a modern HTTP intercepting proxy designed for developers and web application security professionals. What differentiates this proxy from other proxies is that it uses several interesting techniques for better performance and reliability.

The proxy employs a multi-process architecture similar to what you have with the Google Chrome web browser. The heavy lifting is performed by our own/GNUCITIZEN proxy utility called proxify. The UI is a modern web application running on a web server. The business logic is handled by nodejs while the application is rendered inside an instance of Chromium via node-webkit. Everything is assembled in such a way so that all components work seamlessly together.

This architecture is absolutely deliberate and the result of years of experience building web application security tools. It is hard to explain why we chose this technology stack but the end product is more than satisfactory. In fact, it is pure awesomeness.

If this is not enough to make you try BadAssProxy here is something I need to stress to you: it is not written in Java. Most other proxies are, which puts them in a completely different league. BadAssProxy has the potential to go way beyond what is currently possible although we are not there yet.

Future Plans

At the moment we have a Windows-based proof of concept. Versions for Mac and Linux will follow soon. We are planning to keep this software free for use and support it as much as we can. We are also planning to release a professional version which will pack our own security testing technology and more. This will happen around version 3 as per the current milestones. How fast we get there depends entirely on us.

Additionally, we want to enable the community to extend the product and customise it to their needs. A plugin architecture will follow soon and we promise to make it as simple as possible. It is fair to say that we have big plans for this product and we are certain that we can reinvent and refresh this technology all over again.

Web proxies have been stuck in no-innovation land for a long time now and we are determined to change this, for good or bad.

If you have any recommendations, suggestions or even bugs, just get in touch. We are always interested to hear from you.

LNUG (London Node User Group)

Last month Websecurify presented at the local LNUG (London Node User Group) meeting. Needless to say, it was a blast and we had a lot of fun. The following video is from my presentation, illustrating some of the features of the online Suite and the kind of cool stuff we did with Nodejs.

I am looking forward to attending this meeting again and presenting what else we did with Nodejs, especially around creating custom proxies with the help of proxify.