Security Audit / Websecurity

Albert Wiersch
Site Admin
Posts: 3412
Joined: Sat Dec 11, 2004 9:23 am
Location: Near Dallas, TX

Post by Albert Wiersch » Thu Jul 22, 2010 12:10 pm

This person/company contacted me "out of the blue" about some potential security issues with our online web checking service at:
http://www.onlinewebcheck.com/

I have addressed the major issues brought up. There was definitely an issue I overlooked that was brought to my attention - which I have fixed.

If anyone is looking for an inexpensive security audit for their site, then you may want to look into this person/company as they seem to offer a great value as far as security audit pricing is concerned. The downside is that English does not appear to be their first/primary language (website is not in English).

Contact info (translated English version):
http://translate.google.com/translate?h ... l=uk&tl=en
Albert Wiersch

MustLive
Rank 0 - Newcomer
Posts: 1
Joined: Sat Dec 04, 2010 6:19 am

Post by MustLive » Sat Dec 04, 2010 6:28 am

Hello Albert!

In addition to previous vulnerabilities, today I wrote you about new vulnerabilities at your site. These are Cross-Site Scripting (WASC-08) and Insufficient Anti-automation (WASC-21) vulnerabilities.

Always attend to the security of all of your web sites and web software, and to security audits.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

MikeGale
Rank VI - Professional
Posts: 708
Joined: Mon Dec 13, 2004 1:50 pm
Location: Tannhauser Gate

Post by MikeGale » Sun Dec 05, 2010 4:26 pm

This looks interesting but I didn't initially see enough to get a good handle on it.

What are the reports like? In English? Is there an online sample of what you get?

Post by Albert Wiersch » Mon Dec 06, 2010 11:56 am

MustLive wrote:
Hello Albert!

In addition to previous vulnerabilities, today I wrote you about new vulnerabilities at your site. These are Cross-Site Scripting (WASC-08) and Insufficient Anti-automation (WASC-21) vulnerabilities.

Thanks! The cross-site issue should be addressed. I am considering what to do about the weak anti-automation issue.

For people who might be interested in more details, I use PHP and was using something like this:

Code:

<input id="subject" value="<?php echo($subject); ?>" name="subject" type="text">

Which is insecure because $subject could contain a script that could be executed on the end-user's system. The solution is to use the htmlspecialchars() function so embedding a script is not possible:

Code:

<input id="subject" value="<?php echo(htmlspecialchars($subject)); ?>" name="subject" type="text">

Albert Wiersch

Post by MikeGale » Mon Dec 06, 2010 3:32 pm

Thanks for that Albert.

I don't use PHP a lot, can you confirm I've got this right?

On your server somehow the variable $subject could contain code. So you encode the result which will disable any script links (< goes to &lt; etc.).

This is not a direct vulnerability but a mechanism through which a compromised "variable/mutable-element" can be deployed.

Post by Albert Wiersch » Mon Dec 06, 2010 4:12 pm

Hi Mike,

Yep, that sounds right.

An end user could potentially set $subject to something like this:

Code:

"><script>... do something ...</script>

Which would result in the output:

Code:

<input id="subject" value=""><script>... do something ...</script>" name="subject" type="text">

Which would cause the script to execute on the user's browser.

I suppose it could be used to insert nefarious code from another site and make it look like it was from our site.

Just have to remember to always use that htmlspecialchars() function wherever needed!
Albert Wiersch
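
Added example (not part of the original posts, and not the site's own code): a self-contained PHP script that renders the input tag from the thread both ways with the string quoted above, then parses the result with DOMDocument to report whether a script element appears and whether the field value survives intact. The function names are hypothetical, and the explicit ENT_QUOTES / UTF-8 arguments are an addition so the encoding does not depend on the PHP version's defaults.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// The "before" from the post: $subject is echoed into the attribute unencoded.
function render_unsafe(string $subject): string {
    return '<input id="subject" value="' . $subject . '" name="subject" type="text">';
}

// The fix from the post, with flags and charset made explicit so the result
// does not depend on PHP-version defaults (ENT_QUOTES also encodes ').
function render_safe(string $subject): string {
    $encoded = htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input id="subject" value="' . $encoded . '" name="subject" type="text">';
}

// Parse the markup roughly the way a browser would and report what came out:
// how many <script> elements exist and what value the input ended up with.
function inspect_markup(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate the malformed unsafe markup
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'scripts' => $doc->getElementsByTagName('script')->length,
        'value'   => $input ? $input->getAttribute('value') : null,
    ];
}

// Constructed input: the string quoted in the thread.
$payload = '"><script>... do something ...</script>';

foreach (['render_unsafe', 'render_safe'] as $fn) {
    $r = inspect_markup($fn($payload));
    printf("%-13s scripts=%d value_round_trips=%s\n",
        $fn, $r['scripts'], var_export($r['value'] === $payload, true));
}
```

ENT_QUOTES matters when an attribute is delimited with single quotes: before PHP 8.1 the default flags of htmlspecialchars() left ' unencoded.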

Post by MikeGale » Tue Dec 07, 2010 2:03 pm

I see more of the scenario you're looking at.

Thanks.

The first line of defence then, is that process that takes user input and defuses some potential hacks. (Like that code you write to make sql injection fail.)