Archive
XSS: Cross Site Scripting
To better understand what scanning tools are looking for, I’ve been doing some research on Cross Site Scripting (XSS) and injection exploits (SQL and command injection will be covered in a future post). The types of XSS I’ve run across are reflected and stored – with numerous variations of each.
Reflected XSS
According to OWASP.org:
Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server.
Stored XSS
From the same article, OWASP.org:
Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.
Countermeasures
One of the most important countermeasures for XSS and many other vulnerabilities is data validation. If you let users enter whatever they want into your web app, they will, and you and your users will be adversely affected by it. I won’t copy down all the countermeasures, but here are some sites with useful info:
Hands-on Practice
I used IronGeek’s Mutillidae and OWASP’s WebGoat to gain a better understanding of what XSS is and how to safeguard against it. Mutillidae is a lot simpler and more straightforward (though you’ll need something like XAMPP to get it started); I’d suggest using it first, and then WebGoat (which downloads with Tomcat and Java – all you have to do is launch a .bat file) won’t be as perplexing.
RSnake provides a quite comprehensive list of the numerous ways XSS can be executed in his XSS Cheat Sheet (all examples use the generic alert('XSS') probe, but you can easily exercise your imagination a little bit).
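The countermeasures section above names data validation; the other half of the defence, which OWASP's descriptions of reflected and stored XSS both point at, is encoding at the moment the value is written into the page. The following is an added example, not code from the original post, Mutillidae or WebGoat. It puts the unsafe "paste the parameter into the response" pattern beside the hardened form, shows that the same output encoding neutralises a payload whether it arrived in the URL (reflected) or was read back from a comment table (stored), and adds an allow-list validator for a field with a known shape. The query string, the comment table and the `reflects_raw_markup` check are constructed for the demo.

```python
"""Reflected and stored XSS: unsafe concatenation next to the hardened form."""
import html
import re
from urllib.parse import parse_qs

# Constructed sample request: the generic alert('XSS') probe, URL-encoded,
# sent as the "q" parameter of a search form.
SAMPLE_QUERY_STRING = "q=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"

# Constructed sample comment table for the stored case: the hostile entry is
# already on the server, so the request that delivers it is the victim's own.
STORED_COMMENTS = [
    "Nice post!",
    "<script>alert('XSS')</script>",
]

# Allow-list for a field whose legitimate shape is known (hypothetical policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def query_param(query_string: str, name: str) -> str:
    """Pull one parameter out of a raw query string (empty string if absent)."""
    return parse_qs(query_string).get(name, [""])[0]


def render_search_unsafe(term: str) -> str:
    """Reflected XSS pattern: the request parameter is pasted straight into HTML."""
    return f"<p>No results for: {term}</p>"


def render_search_safe(term: str) -> str:
    """Same page with output encoding: markup characters become entities."""
    return f"<p>No results for: {html.escape(term, quote=True)}</p>"


def render_comments_unsafe(comments) -> str:
    """Stored XSS pattern: database content is trusted and emitted verbatim."""
    return "".join(f"<li>{c}</li>" for c in comments)


def render_comments_safe(comments) -> str:
    """Encoding at output time works whether the string came from the URL or the DB."""
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)


def validate_username(value: str) -> bool:
    """Allow-list input validation.

    Validation rejects junk early but complements output encoding rather than
    replacing it: free-text fields (comments, search terms) cannot be reduced
    to an allow-list, so they still need encoding when rendered.
    """
    return bool(USERNAME_RE.match(value))


def reflects_raw_markup(page: str) -> bool:
    """Crude version of what a scanner checks: did a tag survive unencoded?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = query_param(SAMPLE_QUERY_STRING, "q")
    for label, page in (("unsafe", render_search_unsafe(term)),
                        ("safe", render_search_safe(term))):
        print(f"{label:6} reflects raw markup: {reflects_raw_markup(page)}")
        print("   ", page)
    print("stored unsafe:", reflects_raw_markup(render_comments_unsafe(STORED_COMMENTS)))
    print("stored safe:  ", reflects_raw_markup(render_comments_safe(STORED_COMMENTS)))
    print("username 'alice_01' valid:", validate_username("alice_01"))
    print("username '<b>x</b>' valid:", validate_username("<b>x</b>"))
```

Running it prints the raw `<script>` tag in the unsafe pages and `&lt;script&gt;…` in the safe ones. The point to take away is where the encoding sits: at the output, not at the input, because by the time stored content is rendered the original request is long gone.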
nessusrc
I was given a nessusrc file to run with and not much explanation. I was able to successfully run a few scans, but nothing too exciting came from them. I thought (naively) that if I were to install some vulnerable web apps on the VM (Mutillidae or Damn Vulnerable Web App) I would get some more interesting results; of course I was wrong. I figured it probably had something to do with the plugins that were running and other settings defined in the nessusrc file, so this is my attempt at explaining what I find.
Renaud was kind enough to reply to someone else’s question on the same topic. He described the sections of the nessusrc file as follows:
SERVER_PREFS: these are the options which are sent back to the nessus daemon. They are all documented on the nessusd side – see /usr/local/etc/nessus/nessusd.conf
SCANNER_SET: the list of port scanners that are enabled by the user. You can merge this section within PLUGIN_SET, because scanners are plugins
PLUGIN_SET (currently absent in my file): the list of plugins which are enabled/disabled. The format is <id> = [yes|no].
SERVER_INFO: is unnecessary, it simply contains information about the last nessusd you connected to (this is used for XML export)
PLUGINS_PREFS: acts like the SERVER_PREFS section, except that very few options are thoroughly documented. However the most important ones (like SMB password) should be self-explanatory.
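To make the section layout described above concrete, here is an added example (not code from the post, Nessus or update-nessusrc) that parses a nessusrc and reports the settings most likely to explain an uneventful scan. It assumes the classic layout in which each section is bracketed by `begin(NAME)` and `end(NAME)` lines holding `key = value` pairs; the sample file is constructed, its plugin IDs and preference names are sample values, and the `PLUGIN_SET` section is deliberately left out to mirror the file described in the post.

```python
"""Parse a classic nessusrc and explain why a scan may come back empty."""
import re
from collections import OrderedDict

# Constructed sample file in the assumed begin(NAME)/end(NAME) layout.
# Plugin IDs and preference names are sample values; PLUGIN_SET is absent on purpose.
SAMPLE_NESSUSRC = """\
begin(SERVER_PREFS)
 max_hosts = 16
 max_checks = 10
 safe_checks = yes
end(SERVER_PREFS)
begin(SCANNER_SET)
 10335 = yes
 10180 = no
end(SCANNER_SET)
begin(PLUGINS_PREFS)
 SMB account = scanner
 SMB password =
end(PLUGINS_PREFS)
begin(SERVER_INFO)
 server_info_nessusd_version = 2.2.9
end(SERVER_INFO)
"""

SECTION_BEGIN = re.compile(r"^begin\((\w+)\)$")
SECTION_END = re.compile(r"^end\((\w+)\)$")


def parse_nessusrc(text: str) -> "OrderedDict[str, OrderedDict[str, str]]":
    """Return {section: {key: value}}, raising ValueError on malformed input."""
    sections: "OrderedDict[str, OrderedDict[str, str]]" = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_BEGIN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: begin({m.group(1)}) nested inside {current}")
            current = m.group(1)
            sections.setdefault(current, OrderedDict())
            continue
        m = SECTION_END.match(line)
        if m:
            if m.group(1) != current:
                raise ValueError(f"line {lineno}: end({m.group(1)}) does not close {current}")
            current = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: key/value outside any section")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        sections[current][key.strip()] = value.strip()
    if current is not None:
        raise ValueError(f"unterminated section {current}")
    return sections


def is_well_formed(text: str) -> bool:
    """True when parse_nessusrc accepts the text."""
    try:
        parse_nessusrc(text)
        return True
    except ValueError:
        return False


def enabled_plugins(sections, name: str) -> list:
    """IDs marked 'yes' in a SCANNER_SET or PLUGIN_SET style section."""
    return sorted(k for k, v in sections.get(name, {}).items() if v.lower() == "yes")


def audit(sections) -> list:
    """Settings that make a quiet scan unsurprising."""
    findings = []
    if "PLUGIN_SET" not in sections:
        findings.append("PLUGIN_SET absent: the file enables no vulnerability plugins")
    elif not enabled_plugins(sections, "PLUGIN_SET"):
        findings.append("PLUGIN_SET present but every plugin is set to 'no'")
    if not enabled_plugins(sections, "SCANNER_SET"):
        findings.append("SCANNER_SET enables no port scanner")
    if sections.get("SERVER_PREFS", {}).get("safe_checks", "").lower() == "yes":
        findings.append("safe_checks = yes: checks the daemon considers unsafe are skipped")
    return findings


if __name__ == "__main__":
    parsed = parse_nessusrc(SAMPLE_NESSUSRC)
    for name, prefs in parsed.items():
        print(f"{name}: {len(prefs)} entries")
    for finding in audit(parsed):
        print("-", finding)
```

Pointing `parse_nessusrc` at your own file makes the "plugins that were running" question answerable in a few seconds: a missing or all-`no` `PLUGIN_SET` means the vulnerable web apps were never actually tested, which is exactly what update-nessusrc is meant to fix.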
He also points us to update-nessusrc, a Perl script written to simplify the loading of plugins in your scans. The script depends on several Perl modules, some of which are not included in the base Perl package. TheGeekStuff.com provided a guide that helped me get through manually installing the modules I was missing. (Beware: if you have only the basic Perl package installed, you will also be missing some modules that the ones listed as requirements for update-nessusrc depend on – HTML-Parser, HTML-TagSet, URI, and possibly a few others.)
For those new to Perl, when configuring the update-nessusrc script to work with your setup, make sure you enclose the host address, user_name, and user_pass in single quotes. Not enclosing them in quotes got me a “open_sock_opt_hn: invalid socket address” error and an hour of searching for what that meant.
Install Bare-bones Debian 5 (Lenny) on VMWare Workstation
I’m just getting started with creating my own virtual environment so that I can start figuring out Nessus, WebInspect, Nmap, and several other scanning tools. This is the process I followed to set up a bare-bones (no GUI) Debian 5 Linux system.
Download ISO
- Download the 8MB .iso image – mini.iso
Create and Configure VM
- File > New > Virtual Machine
- Custom, Next
- Choose desired workstation compatibility (e.g., Workstation 5)
- Installer disc image file (.iso), locate downloaded .iso from step 1
- Guest OS – Linux
- Version – Other 2.6.x kernel, Next
- Enter desired VM name and location for VM
- Select number of processors (e.g., 1)
- Select memory to allocate, 256MB should be plenty, Next
- Choose desired network connection (because of my location on my network I chose NAT), Next
- I/O Adapter type, leave default (LSI Logic), Next
- Create a new virtual disk, Next
- Virtual Disk Type – SCSI
- Max disk size 8GB (I chose to split into 2GB chunks, but it’s up to you), Next
- Name disk file or leave default, Next
- Check ‘Power on this virtual machine when finished’, Finish
Install and Configure OS
- You must be connected to the internet for this installation
- Choose Advanced options, hit enter
- Choose Expert install, hit enter
- Choose language – default (highlighted), enter
- Choose country – default (highlighted), enter
- Choose locale – default (highlighted), enter
- Choose other locales – hit ‘tab’, and then enter
- Choose keyboard – default (highlighted), enter
- Choose keymap – default (highlighted), enter
- Detect network hardware – default (highlighted)
- Start PC card – default (highlighted)
- PCMCIA (should be blank) – tab and then enter
- Detect network hardware – default (highlighted)
- Config network – default (highlighted)
- Primary network – default (highlighted)
- Auto DHCP – choose YES
- Hostname – name it whatever you like, tab and then enter
- Domain name (should be blank) – hit tab then enter
- Choose mirror – default (highlighted)
- Protocol for file download – default (highlighted)
- Debian archive mirror country – default (highlighted)
- Debian archive mirror – choose whichever one is closest to you
- HTTP Proxy (should be blank, unless you’re behind a proxy) – tab then enter
- Debian version to install – default (highlighted)
- Download installer components – default (highlighted)
- Installer components to load (choose nothing, should be default) – tab then enter
- Configure the clock – default (highlighted)
- Set clock using NTP – default (highlighted)
- NTP server to use – default, hit tab then enter
- Select your timezone, enter
- Detect disks – default (highlighted), enter
- Partition disks – default (highlighted), enter
- Partition method – choose ‘Guided – use entire disk’, enter
- Select disk to partition – default (highlighted), enter
- Partitioning scheme – default (highlighted, unless you’d prefer something else), enter
- Partition overview – default (highlighted), enter
- Write changes to disks – choose yes
- Install base system – default (highlighted)
- Kernel to install – choose the desired linux-image (at the time of writing I chose -2.6.26-2-686)
- Drivers to include in the initrd – default (highlighted)
- Setup users and pass – default (highlighted)
- Enable shadow pass – default (highlighted)
- Allow login as root – default (highlighted)
- Root pass, tab and then enter
- Confirm root pass, tab and then enter
- Normal user account – choose no and then enter
- Configure the pack manager – default (highlighted)
- Use non-free software – default (highlighted)
- Use contrib software – default (highlighted)
- Services to use – default, tab then enter
- Select and install software – default (highlighted)
- Participate in package usage survey – default (highlighted)
- Choose software to install – choose nothing (deselect selected), tab and then enter
- Install the Grub boot loader – default (highlighted)
- Install Grub 2 – default (highlighted)
- Install the Grub boot loader to master boot record – default (highlighted)
- Grub password (should be blank) – tab and then enter
- Finish the installation – default (highlighted)
- System clock set to UTC – default (highlighted)
- Installation is complete – default (highlighted)
- System reboots