Welcome to the SecurityisFutile blog

I welcome comments and suggestions, I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack thereof) and share my results and experiences with other fellow computer security enthusiasts. Most of my topics are based solely on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (useless), or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said, I leave you with a quote of inspiration: "There is no security on this earth, there is only opportunity." -- General Douglas MacArthur

Friday, March 26, 2010

Simple Cross-Site Scripting (XSS) Techniques

Web application testing is essential in today's industry. Whether you work in the commercial, private, or government sector, you need to ensure that both your data and your customers' data are protected from emerging and persistent threats. Cross-Site Scripting (XSS) vulnerabilities are caused by a lack of proper input validation controls on the server (or in the victim's browser) for user-supplied input, and the injected code is usually JavaScript (originally called LiveScript). XSS vulnerabilities tend to lead to advanced social engineering attacks facilitated through phishing scams, session hijacking, cookie theft, and the list goes on. These threats are real, and in order to protect your precious assets affected by these types of attacks you should employ some basic testing concepts when evaluating the security worthiness of your code. Here are some ways to test whether your web application is lacking input validation controls:

(I do not condone unethical hacking. Use at your own risk!!!)

Test if parameters passed through a URL are susceptible to XSS attacks. Substitute my examples below for the web application and URL fields/parameters you are evaluating.

Initial Testing

Now substitute the value of the "user=" parameter with some injected JavaScript.

If the server applies no input validation to the "user=" parameter and the browser allows the JavaScript injection, your web browser will be populated with the web source code from the login.jsp page.
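To make the reflection flaw concrete from the defender's side, here is an added example (not code from the original post, and not from any login.jsp mentioned in it) that renders the "user=" parameter two ways: once by concatenating it straight into the page, which is the weakness the test above detects, and once with HTML output encoding applied on the server. The page template, the example.com host and the probe string are constructed for illustration; the parameter name and login.jsp path follow the post.

```javascript
// Added example, not from the original post: vulnerable vs. hardened
// rendering of a URL parameter, plus a check a tester can run over the
// rendered response. Host, template and probe string are constructed.

// The five characters that let a value break out of an HTML text node or
// quoted attribute, mapped to their entity references.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pull the "user" parameter out of the request URL (what login.jsp reads).
function userParam(urlString) {
  return new URL(urlString).searchParams.get('user') || '';
}

// Vulnerable (hypothetical): the raw parameter lands inside the markup, so
// any tags it contains are parsed as part of the page.
function renderUnsafe(urlString) {
  return '<p>Welcome back, ' + userParam(urlString) + '</p>';
}

// Hardened (hypothetical): output encoding on the server makes whatever the
// parameter holds render as literal text.
function renderSafe(urlString) {
  return '<p>Welcome back, ' + escapeHtml(userParam(urlString)) + '</p>';
}

// Reflection check: does the probe come back unencoded in the response body?
// A true result is the symptom the post's "Initial Testing" step looks for.
function reflectsUnencoded(html, probe) {
  return html.includes(probe);
}

// Constructed probe placed in the "user=" parameter of a constructed URL.
const PROBE = '<script>alert(1)</script>';
const TEST_URL = 'http://example.com/login.jsp?user=' + encodeURIComponent(PROBE);

console.log('unsafe :', renderUnsafe(TEST_URL));
console.log('safe   :', renderSafe(TEST_URL));
console.log('unsafe reflects probe:', reflectsUnencoded(renderUnsafe(TEST_URL), PROBE));
console.log('safe reflects probe  :', reflectsUnencoded(renderSafe(TEST_URL), PROBE));
```

The same reflectsUnencoded check can be pointed at any response you capture while testing a parameter; the fix is always the encoding step in renderSafe, applied at the point where the value is written into HTML, not a filter on the way in.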

Additional Testing
I have found that a good bit of the XSS demonstrations and examples on the web show you how to execute JavaScript in a vulnerable web parameter/field to display the alert pop-up window with some random text. Assuming one of your parameters was vulnerable to the JavaScript injection above in Example 1, let's try popping some alert messages using that same parameter/field; just substitute the value for "user=" with the following:

Varying Results and Considerations
There are many variables to consider when performing these types of tests.

1.) Not all web browsers will produce the same expected output. Microsoft Internet Explorer, Firefox, Safari, and so forth may not respond the same way to these tests. It is important to test the vulnerability in different browsers and browser versions to see which are and are not susceptible to it.

2.) NoScript (a free plug-in for the Mozilla Firefox browser) and other preemptive script blocking techniques are ways to mitigate these types of attacks. Enabling these features could alter or vary your expected results. However, these features are essential in protecting your assets against these types of issues.

Sources and Worthy Reading Material

OWASP: XSS Cheat Sheet

FireBlog: (Image used at the beginning of post)

Thursday, March 25, 2010

Splunk for OSSEC, there's an app for that!

Over the past couple of months I have invested a lot of time into researching and developing a suitable centralized security event management (SEM) solution for the enterprise, mostly powered by OSSEC and Splunk. Before today, I was using the default Splunk "Search" app with customized dashboards, reports and views as the front end UI to manage and monitor my OSSEC alerts. However, I still found myself wanting more features to enrich my analytical capabilities when using Splunk to investigate my SEM data. So I turned to the Splunk community for answers.

When I started researching some of the applications found on http://splunkbase.com I was happy to see that Paul Southerington had recently posted/developed an app on the web site to support advanced parsing logic, saved searches, and dashboards for monitoring OSSEC alerts in Splunk. Now I use the add-on "Splunk for OSSEC" app to manage my OSSEC security alerts. And the best part...it's FREE (one of my favorite words)! So yes folks, as Apple would say....there's an app for that!

How to set it up

The "Splunk for OSSEC" app was developed as an "add-on", meaning you can install/extract the contents of the app (the "ossec" directory) into the $SPLUNK_HOME/etc/apps directory so the views/searches/reports are available globally within Splunk. However, I will walk through the process of setting this new app up under a new Splunk App with private or restricted views (this may require additional configuration changes to ensure the features of this app are isolated from all other Splunk apps you may have on your server).

(Follow at your own RISK!!!)

  • Requires OSSEC HIDS/Agent already setup/configured
  • Requires a working Splunk v4.0.XX server (recommend 4.0.7+)
  • Requires OSSEC syslog forwarding configured and talking to Splunk (see my previous blog postings for more details on how to set this up)
  • Enable data input specified in "Splunk for OSSEC" app "inputs.conf" (udp:10002 sourcetype:ossec)
Getting it working
  1. Download Splunk for OSSEC from the splunkbase website: http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+OSSEC+%28Splunk+v4+version%29 (you must have a valid Splunk user account on the Splunk website)
  2. Log into splunk
  3. Go to Manager > Apps
  4. Click on Create app...
  5. Enter in a name for the new app (example: OSSEC)
  6. Enter in a Label (optional); it will display in the top left of the page as "splunk>(your label)" and is used to identify your new Splunk app (Example: OSSEC Alert Manager)
  7. Enter in an Author (optional)
  8. Click "Yes" radio button to make app visible
  9. Enter in a Description (example: UI for monitoring OSSEC alerts)
  10. Select "barebones" as a Template
  11. Click --> Save
  12. Now open up a terminal shell window on the Splunk server
  13. Extract the "ossec.tgz" compressed archive and copy its contents into the Splunk apps directory, as root (quote the destination path if the app name contains spaces)
  14. Command: # tar zxf ossec.tgz -C $HOME; cp -rf $HOME/ossec/* "$SPLUNK_HOME/etc/apps/<Name of Splunk App>"
  15. Restart Splunk!
  16. Generate some OSSEC alert data, either from one of your OSSEC agents or the OSSEC server itself
  17. Now go back over to your Splunk Web UI in your browser
  18. From the Launcher panel, or from the "App" drop down list (on the top right hand side of the page), find the Label name you gave your new app and click the name (example: OSSEC Alert Manager)
  19. Click on "Views", "Searches & Reports" and "Dashboards" to see the new add-on features for your new app
  20. Check out the splunkbase page for this new app for additional details and configuration options, like monitoring the status of your agents in a dashboard window...pretty neat!!
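Steps 13 and 14 are the only part of the procedure typed at a shell, and they are where a space in the app name or an unset $SPLUNK_HOME quietly puts files in the wrong place. The following is an added example (not from the blog post and not part of the Splunk for OSSEC add-on) that wraps those two steps in a function: it extracts the archive into a staging directory, refuses to proceed if the app directory created in step 5 does not exist, copies the contents in with every path quoted, and reports any inputs.conf it finds so you remember the data input from the prerequisites. The function name, the staging approach and the inputs.conf report are assumptions of this example, not anything the add-on documents.

```shell
#!/bin/sh
# Added example, not from the blog post or the Splunk for OSSEC add-on.
# Usage: install_ossec_app ossec.tgz "OSSEC Alert Manager" /opt/splunk
# The third argument defaults to $SPLUNK_HOME when omitted.

install_ossec_app() {
    tarball="$1"
    app_name="$2"
    splunk_home="${3:-$SPLUNK_HOME}"

    [ -f "$tarball" ] || { echo "tarball not found: $tarball" >&2; return 1; }
    [ -n "$splunk_home" ] || { echo "SPLUNK_HOME is not set and no path given" >&2; return 1; }

    # The app directory is created by Manager > Apps in the Web UI (steps 3-11);
    # refuse to create it here so files never land under a mistyped name.
    app_dir="$splunk_home/etc/apps/$app_name"
    [ -d "$app_dir" ] || { echo "app directory missing, create the app in the UI first: $app_dir" >&2; return 1; }

    # Extract into a throwaway staging directory instead of $HOME (assumption of
    # this example) so a previously extracted copy cannot be mixed in.
    staging="$(mktemp -d)" || return 1
    if ! tar zxf "$tarball" -C "$staging"; then
        echo "could not extract $tarball" >&2; rm -rf "$staging"; return 1
    fi
    if [ ! -d "$staging/ossec" ]; then
        echo "archive does not contain an ossec/ directory" >&2; rm -rf "$staging"; return 1
    fi

    # "ossec/." copies the directory contents, dotfiles included; every path is
    # quoted because app labels such as "OSSEC Alert Manager" contain spaces.
    if ! cp -Rf "$staging/ossec/." "$app_dir/"; then
        echo "copy into $app_dir failed" >&2; rm -rf "$staging"; return 1
    fi
    rm -rf "$staging"

    # Remind the reader of the prerequisite: the add-on's inputs.conf declares
    # the udp:10002 input that must be enabled for OSSEC syslog data to arrive.
    find "$app_dir" -name inputs.conf 2>/dev/null | while read -r f; do
        echo "found $f (check that its udp:10002 input is enabled)"
    done

    echo "installed into $app_dir; restart Splunk to load the app"
    return 0
}
```

Run it as root on the Splunk server after creating the app in the UI; a non-zero exit means nothing was copied, so you can correct the app name or path and rerun without cleaning up.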
You may find that some of the features work and some don't. I am using Splunk v4.0.6 (even though this version is not recommended) and found that for the most part everything works. I am sure Paul Southerington put a good bit of TLC into this product and I give him a lot of credit for what he has done.
Fixing Known Issues
Question: Why don't the new searches for this app work?
Answer: For some reason, at least if you are using Splunk v4.0.6, the saved searches for the "Splunk for OSSEC" app did not work for my install. Here is what I did to get them to work properly:
* Note: (You may have to do this for each search you have....it can be a pain!)

  1. In Splunk, go to Manager --> Searches and reports
  2. Click on the search (example: OSSEC Rebuild OSSEC Server Lookup Table) that is not working
  3. Copy the search string (note the search name...you will need it for one of the steps below)
  4. Delete/Disable the search
  5. Go to your new apps search window (the app hosting "Splunk for OSSEC") by clicking on "Search" from the menu/header
  6. Paste the search string you copied in step 3 above
  7. Click on "All time" as your date range to search for
  8. If the search returned successful, save the search using the original name for that search (noted in step 3 above)
  9. Assign the description, label name, time range and permissions appropriate for your setup
  10. Now try to access the stored search from within "Searches & Reports"
  11. Your search should work correctly now! You should ensure that the "OSSEC - Rebuild OSSEC Server Lookup Table" search is working correctly; otherwise some of the views, searches and OSSEC dashboard features will not function correctly, because the ".csv" lookup file will not have been populated with your OSSEC HIDS server host names.
Happy Spelunking!!!