<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The FORWARD project blog &#187; Google</title>
	<atom:link href="http://blogs.ict-forward.eu/forward/tag/google/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.ict-forward.eu/forward</link>
	<description>blogging on emerging and future threats</description>
	<lastBuildDate>Wed, 21 Jul 2010 13:42:28 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Skipfish: A new web application security tool from Google</title>
		<link>http://blogs.ict-forward.eu/forward/skipfish-a-new-web-application-security-tool-from-google/</link>
		<comments>http://blogs.ict-forward.eu/forward/skipfish-a-new-web-application-security-tool-from-google/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 08:44:08 +0000</pubDate>
		<dc:creator>sebolani</dc:creator>
				<category><![CDATA[security news]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[http]]></category>
		<category><![CDATA[scanner]]></category>
		<category><![CDATA[skipfish]]></category>
		<category><![CDATA[tool]]></category>

		<guid isPermaLink="false">http://blogs.ict-forward.eu/forward/?p=608</guid>
		<description><![CDATA[Last Friday, Google released a new security tool known as Skipfish, written by Michal Zalewski, a Polish security researcher and author of various tools and books, with contributions and feedback from Google&#8217;s information security engineering team. Skipfish aims to help web application developers reveal possible security flaws in their applications and secure them. As web applications become [...]]]></description>
			<content:encoded><![CDATA[<p>Last Friday, Google released a new security tool known as Skipfish, written by Michal Zalewski, a Polish security researcher and author of various tools and books, with contributions and feedback from Google&#8217;s information security engineering team. Skipfish aims to help web application developers reveal possible security flaws in their applications and secure them. As web applications become more and more complex, developers need such tools to check and validate the security of their code. Michal Zalewski wrote in a blog <a href="http://googleonlinesecurity.blogspot.com/2010/03/meet-skipfish-our-automated-web.html">article</a>, &#8220;The safety of the Internet is of paramount importance to Google, and helping web developers build secure, reliable web applications is an important part of the equation.&#8221;</p>
<p><span id="more-608"></span>Quoting from skipfish&#8217;s README file, &#8220;A number of commercial and open source tools with analogous functionality is readily available (e.g., Nikto, Nessus); stick to the one that suits you best. That said, skipfish tries to address some of the common problems associated with web security scanners&#8221;. Specifically, it aims for high performance and claims to achieve over 500 requests per second against Internet targets, over 2000 requests per second against LAN/MAN networks and over 7000 requests per second against local instances. It is designed to be highly adaptive and reliable, and to produce accurate results.</p>
<p>Skipfish has a large list of security checks, divided into categories according to their impact. High-risk issues include server-side SQL injection, explicit SQL syntax in GET/POST parameters, command injection, XML/XPath injection, format string and integer overflow vulnerabilities. Medium- and low-risk issues cover various other checks, including XSS injection, directory traversal/bypass, attacker-supplied script/CSS inclusion and many others.</p>
<p>Running Skipfish is easy and customizable; the output is written to an HTML file, and a full report is included. A screenshot of a command-line execution can be seen below, and a screenshot of a sample HTML output <a href="http://skipfish.googlecode.com/files/skipfish-screen.png">here</a>.</p>
<p><a title="ImageShack - Image And Video Hosting" href="http://img519.imageshack.us/i/skipfish.jpg/" target="_blank"><img src="http://img519.imageshack.us/img519/8065/skipfish.jpg" alt="" /></a></p>
<p>Skipfish is written in C and is available for download from Google Code under the Apache 2.0 License <a href="http://code.google.com/p/skipfish/">here</a>. Detailed documentation is included in the README file in the source tarball and in the <a href="http://code.google.com/p/skipfish/wiki/SkipfishDoc">wiki</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.ict-forward.eu/forward/skipfish-a-new-web-application-security-tool-from-google/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Attack through new IE exploit</title>
		<link>http://blogs.ict-forward.eu/forward/attack-through-new-ie-exploit/</link>
		<comments>http://blogs.ict-forward.eu/forward/attack-through-new-ie-exploit/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 12:55:41 +0000</pubDate>
		<dc:creator>Hermann Helmreich</dc:creator>
				<category><![CDATA[security news]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Internet Explorer]]></category>

		<guid isPermaLink="false">http://blogs.ict-forward.eu/forward/?p=576</guid>
		<description><![CDATA[Internet Explorer is again being exploited by hackers. McAfee announced that the attack, named “Aurora”, against Google and some other American companies was based on this new Internet Explorer exploit. The exploit has already been reproduced by the Metasploit team, which has added it to its framework. Therefore the danger of this exploit has grown [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify">Internet Explorer is again being exploited by hackers. McAfee announced that the attack, named “Aurora”, against Google and some other American companies was based on this new Internet Explorer exploit. The exploit has already been reproduced by the <a href="http://www.metasploit.com/">Metasploit</a> team, which has added it to its framework.</p>
<p style="text-align: justify">The danger posed by this exploit has therefore grown, because script kiddies are now also able to use it. The <a href="https://www.bsi.bund.de/cln_174/EN/Home/home_node.html">BSI</a> recommended using another browser to avoid falling victim to this exploit. Microsoft recommends setting the security options to “high” or disabling JavaScript, on which the exploit is based.</p>
<p style="text-align: justify">A video explaining the attack “Aurora” can be found <a href="http://news.cnet.com/1606-2_3-50082324.html?tag=inside">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.ict-forward.eu/forward/attack-through-new-ie-exploit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A new effective attack against Google&#8217;s reCAPTCHA</title>
		<link>http://blogs.ict-forward.eu/forward/a-new-effective-attack-against-googles-recaptcha/</link>
		<comments>http://blogs.ict-forward.eu/forward/a-new-effective-attack-against-googles-recaptcha/#comments</comments>
		<pubDate>Thu, 17 Dec 2009 19:33:00 +0000</pubDate>
		<dc:creator>Thanasis Petsas</dc:creator>
				<category><![CDATA[security news]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[Google]]></category>

		<guid isPermaLink="false">http://blogs.ict-forward.eu/forward/?p=552</guid>
		<description><![CDATA[A new, effective attack against Google&#8217;s CAPTCHA mechanisms was recently invented by a security researcher. The whole attack procedure is presented in a paper that was released on Saturday. The attack is based on OCR (Optical Character Recognition) techniques that are used to evade Google&#8217;s reCAPTCHA (CAPTCHA stands for Completely Automated Public Turing test to tell [...]]]></description>
			<content:encoded><![CDATA[<p>A new, effective attack against Google&#8217;s CAPTCHA mechanisms was recently invented by a security researcher. The whole attack procedure is presented in a paper that was released on Saturday. The attack is based on OCR (Optical Character Recognition) techniques that are used to evade Google&#8217;s reCAPTCHA (CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart; for more information click <a href="http://en.wikipedia.org/wiki/CAPTCHA" target="_blank">here</a>). reCAPTCHA is a recent security measure that Google uses to stop malicious scripts from performing important tasks without first completing a specific authentication process. This process requires the sense of sight, which a computer script does not have: optical puzzles must be solved before the task can continue.</p>
<p><span id="more-552"></span>As <a href="http://www.theregister.co.uk/">the Register</a> reports, the success rate of this attack is very significant considering the number and size of active botnets on the Internet. To be more specific, the same article mentions what Jonathan Wilkins of iSEC Partners said: &#8220;The method had a total success rate of 17.5 percent against reCAPTCHA. The rate is significant because of the wide use of botnets by spammers and other miscreants. Even a modest-sized network of 10,000 infected machines with a success rate of 0.01 percent would yield 10 successes every second. That could translate into 864,000 new accounts every day.&#8221;</p>
<p>The whole article can be found <a href="http://www.theregister.co.uk/2009/12/14/google_recaptcha_busted/" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.ict-forward.eu/forward/a-new-effective-attack-against-googles-recaptcha/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
