Monday, December 28, 2015

Bypassing Bastion Hosts

Have you ever wanted (i.e., needed) to install a piece of software on a client's resource (e.g., laptop) and couldn't because (a) their uber-paranoid security team locked it down, (b) it's too much effort to crack it open using devious methods, and (c) here's the kicker: you have an ethical (and contractual) objection to doing so?  Me too!

It was one of those days I had some idle time, for whatever the legitimate reasons were.  I was being bugged by a vendor to give their absolutely, positively false-positive-free, error-free application security scanners a try.  But how could I?  After all, I barely had enough rights to even log in.

Off the top of my head I had an idea that seemed simple enough to try.  Sure, I could have come up with a dastardly social-engineering scheme to be granted admin rights (REM the aforementioned boundaries), or an easier route would be to just install a virtual environment.  But that meant going back to the first problem statement, or does it?  Can you say portable app?

Did you know that VMware Player is a portable application?  Knowing this dubious trick, I now have a way to set up a platform where I can pretend to be the almighty admin.  Now on to avoiding the next snare in our path: access to the installation image of a Microsoft Windows operating system.

Since the demise of my TechNet account, I could no longer just pop over and download what I wanted anymore.  So that left me no other option, given I left my ISOs in my other pants pocket.  And of course an idea popped into my head that is essentially a non-option option and something to avoid for all the obvious reasons.  Don't tell me you haven't done this one before: download "free" software from some nefarious website with a product key that had only a slight chance of actually working.  (Not to mention all of the "tag alongs"...)

Guess what I found?  Out of the goodness of Microsoft's heart (Yay Microsoft! Yeah, I said it...), they provide VM images free of charge for just this sort of purpose.  Their actual intent is to give developers a test bed to run the various incarnations of the Internet Explorer browser against their web site.  What they actually gave us is a fully functioning operating system that happens to have the browser installed.  The only downside: it expires after 90 days.  But for my purposes this was 89 more days than I needed.

And at the time this blog was written, it's available without having to give up any of your personal information.  You know the drill: register, wait for creds, check your email and then log in.  (In reality, you probably already provided all of your personal information just by visiting their site.)  Not paranoid much, just saying...

The URI is:

https://dev.windows.com/en-us/microsoft-edge/tools/vms/windows/

You might also want to check out their scanner that is supposed to help you find which configuration settings are missing.

https://dev.windows.com/en-us/microsoft-edge/tools/staticscan/

[BTW, if you didn't first peek at the link to where the URI is taking you, you're doing it wrong.]

Also, here is a list of websites to test the vendor's fabulous guaranteed-not-to-fail tool against.  A couple of lists to choose from:

https://www.vulnhub.com/
http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html

Google (yes, I said Google, the source of all evil; oh wait, isn't that Microsoft?) if you don't like the choices I've provided.

The rest is pretty straightforward.  See Dick install, see Jane configure, see Spot install and configure blindfolded with one paw tied behind his back, now run.  Because the dog can apparently kick your butt.

Thursday, December 17, 2015

Secure HTTP Headers

Two of my favorite websites to comb through are CyberPunk and Kitploit.  Sure, there are plenty of other websites that post the same type of content, but comparatively both sites do an excellent job of staying current with all things security; plus the layout is easy to navigate and aesthetically pleasing, and for someone like me the subjects are categorized, so finding stuff is not such a pain in the 4th point of contact.

The reason for the web crush(es) is the timely discovery of tools written by fellow security wonks like Scott Helme, who created a tool that checks the HTTP headers for security settings.  Nothing earth-shattering, but when it comes to defense in depth, it doesn't hurt to add a couple more layers.

Implementing the following configuration enhancements can help any web-facing application combat the likes of cross-site scripting attacks or clickjacking-based attacks.

Cross-Site Tracing - TRACE echoes back to the client whatever string is sent to the server and is meant for debugging purposes.  This includes cookie and web authentication strings, since they are just simple HTTP headers themselves.  On IIS, set the TRACE verb to DENY under Request Filtering.


Strict-Transport-Security - HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the user agent to enforce the use of HTTPS.  Recommended value "Strict-Transport-Security: max-age=31536000; includeSubDomains".


Content-Security-Policy - Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.


Public-Key-Pins - HTTP Public Key Pinning protects your site from MITM attacks using rogue X.509 certificates.  By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.


X-Frame-Options - The X-Frame-Options header tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing the site it can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".


X-XSS-Protection - The X-XSS-Protection header sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".


X-Content-Type-Options - The X-Content-Type-Options header stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type.  This helps to reduce the danger of drive-by downloads.  Recommended value "X-Content-Type-Options: nosniff".


Server - This header advertises the software being run on the server; you can remove or change this value.

X-Powered-By - The X-Powered-By header can usually be seen with values like "PHP/5.5.9-1ubuntu4.5" or "ASP.NET". Trying to minimize the amount of information you give out about your server is a good idea. This header should be removed or the value changed.
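As an added example (not part of this post, and not Scott Helme's tool), here is a small Python audit that checks a captured set of response headers against the recommendations above.  The sample headers are constructed; header names are matched case-insensitively as HTTP requires.  Public-Key-Pins is not checked because browsers have since removed HPKP support, and the TRACE verb cannot be judged from response headers alone.

```python
import re


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_security_headers(headers):
    """Return a list of findings for one response; empty means all checks passed."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:  # recommended: one year
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower().replace(" ", ""):
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    if _get(headers, "Content-Security-Policy") is None:
        findings.append("Content-Security-Policy missing")
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None or xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    xss = _get(headers, "X-XSS-Protection")
    if xss is None or xss.replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection not '1; mode=block'")
    cto = _get(headers, "X-Content-Type-Options")
    if cto is None or cto.lower() != "nosniff":
        findings.append("X-Content-Type-Options not 'nosniff'")
    for name in ("Server", "X-Powered-By"):  # version-disclosure headers
        value = _get(headers, name)
        if value:
            findings.append(f"{name} discloses '{value}'")
    return findings


# Constructed sample response: no CSP, short HSTS max-age, leaky X-Powered-By.
SAMPLE_HEADERS = {
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.5",
    "strict-transport-security": "max-age=3600",
    "X-Frame-Options": "sameorigin",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print("\n".join(audit_security_headers(SAMPLE_HEADERS)) or "all checks passed")
```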