A web developer’s diary

August 2, 2016

Developer Tools and Proxy Chaining

Filed under: PHP,Tools — Celia @ 1:40 pm

What do IE Developer Tools and proxy chaining have in common? Nothing, other than the fact that I learnt about both today.

Earlier, when I had to do authorization-level attacks while logged in as a low-privileged user, I used to construct the whole HTTP request in the proxy and send it to Burp Repeater, tweaking it till I got the response I wanted. A colleague who happens to be a SharePoint developer also told me how to invoke JavaScript directly even if it's not linked from anywhere within the HTML. Enter 'IE Developer Tools: F12'.

That made my work easier, and instead of using Burp, I used Developer Tools this time to show a proof of exploit. The development team was happy too, as they were able to replicate the scenario much better.
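The point behind the F12 trick, as an added example that is not from the original post: a page that merely hides an admin action from low-privileged users, next to one whose server re-checks the caller's role. The user list, session table, role names and endpoint are all constructed for the illustration.

```javascript
// Added example (not from the original post): what "hiding" an admin action
// in the page buys you versus checking it on the server. Everything here
// (user list, session table, role names, endpoint) is constructed for the
// illustration; no real product is modelled.

// --- Server side --------------------------------------------------------
// enforceServerSide=false models the weak pattern: the endpoint assumes only
// admins call it because only admins are shown the button.
function makeServer({ enforceServerSide }) {
  const users = new Map([[1, 'alice'], [2, 'bob'], [3, 'carol']]);
  const sessions = new Map([
    ['sess-admin', { user: 'alice', role: 'admin' }],
    ['sess-low',   { user: 'bob',   role: 'user'  }],
  ]);

  // POST /admin/deleteUser, caller identified by session cookie.
  function deleteUser(sessionId, targetId) {
    const session = sessions.get(sessionId);
    if (!session) return { status: 401, body: 'not authenticated' };
    // The hardened variant derives the caller's role from server-side
    // session state, never from anything the browser sent or rendered.
    if (enforceServerSide && session.role !== 'admin') {
      return { status: 403, body: 'forbidden' };
    }
    if (!users.has(targetId)) return { status: 404, body: 'no such user' };
    users.delete(targetId);
    return { status: 200, body: 'deleted ' + targetId };
  }
  return { deleteUser, userCount: () => users.size };
}

// --- Browser side -------------------------------------------------------
// The page renders the Delete button only for admins...
function renderPage(role) {
  return role === 'admin'
    ? '<button onclick="adminDeleteUser(3)">Delete</button>'
    : '<p>Welcome</p>';
}
// ...but the helper the button calls ships in the script bundle for every
// visitor, so any user can type adminDeleteUser(3) into the F12 console.
// `server` stands in for the XHR/fetch the real helper would issue.
function adminDeleteUser(server, sessionId, targetId) {
  return server.deleteUser(sessionId, targetId);
}

// Low-privileged "bob" sees no button, opens the console and calls the helper.
function consoleAttack(enforceServerSide) {
  const server = makeServer({ enforceServerSide });
  const buttonPresent = renderPage('user').includes('onclick');
  const result = adminDeleteUser(server, 'sess-low', 3);
  return { buttonPresent, status: result.status, remaining: server.userCount() };
}

console.log('UI-only authorization:', consoleAttack(false)); // status 200, carol deleted
console.log('server-side check    :', consoleAttack(true));  // status 403, nobody deleted
```

Whether a function is wired to a button is irrelevant to the server; the only check that counts is the one the request handler performs against state the client cannot choose.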

Proxy Chaining: I have been doing this all along for 3 years without knowing that there is a specific term for it. I was having a proxy configuration problem with Acunetix: it just didn't connect to the site even though the proxy configuration details were right. I put Burp Suite in between Acunetix and the site and, voila, it worked.

It seems this is called 'proxy chaining'. NICE!!

August 1, 2016


Filed under: Tools — Celia @ 6:23 am

I got an opportunity to try this Burp extension last week. It is a simple JAR file that can be loaded from the Extender tab. Installation was a breeze.

After installing it, all I had to do was go to my target website and start navigating (I didn't even scan). As I kept navigating, I saw that Burp listed some of the JavaScript files as having security vulnerabilities. The false-positive rate in this case was zero percent.

This tool is better than what WebInspect and Acunetix offer in terms of finding 'Components Having Known Vulnerabilities', and behind Black Duck and Palamida. Of course, the latter tools exist solely for this purpose.

But if you want to find such vulnerabilities quickly even without scanning, go for this one!



July 18, 2016

Application Security Metrics

Filed under: Application Security,PHP — Celia @ 9:07 am

This is something that I worked on last year when stakeholders in the risk management group wanted to measure the success of the Application Security Program.

But how do you measure application security, or rather the success of an application security center of excellence program? What tells you that it is working? Is it OK to allocate the same budget every year? Should it be reduced? How would one know? Is the program on track? Is it improving? Having a secure SDLC process, doing secure code analysis and doing security testing alone do not make a sustainable application security program. To sustain any activity, one needs to know where one wants to reach and where one currently is, and that is what application security metrics give you.

What should be done first? Answer: inventory.

1. Take an inventory of your assets first. Whether an asset is secure, insecure, or you don't even know what it is used for doesn't matter at this stage. It is amazing what you hear when you ask a CISO whether he has a fair understanding of how many such assets the organization has. Here we are not getting into hardware or software assets, just the web applications and services that an organization's IT exposes on the internet or intranet.

Once the inventory is finalized, come up with an asset classification using a risk-based approach. Some assets are critical, some public. Some are accessible to all and some only within a closed, trusted environment. Some are used by millions of users and some by just the CISO (yes, you read that right: his dashboard).

2. Once the inventory is classified, work out the security processes applied to each asset. Did all applications undergo all aspects of the secure SDLC?

In other words, 'security coverage'. Let's say you do code analysis for only 50 of your 100 applications: then your coverage is only 50%, and you have no idea about the rest of the apps. With this simple metric, it becomes fairly clear what one needs to do.
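An added example (not from the original post) of turning the two steps above into the coverage metric: each application in the inventory carries a risk tier and the secure-SDLC activities it has actually undergone, and the report gives coverage per activity, coverage per tier, and the list of applications that still need each activity. The inventory entries, tier names, activity names and per-tier requirements are constructed for the illustration.

```javascript
// Added example (not from the original post): 'security coverage' computed
// from an application inventory. All data below is constructed.
const INVENTORY = [
  { name: 'payments-api',     tier: 'critical', exposure: 'internet', activities: ['threat-model', 'sast', 'dast', 'pentest'] },
  { name: 'customer-portal',  tier: 'critical', exposure: 'internet', activities: ['sast', 'dast'] },
  { name: 'hr-intranet',      tier: 'internal', exposure: 'intranet', activities: ['sast'] },
  { name: 'marketing-site',   tier: 'public',   exposure: 'internet', activities: ['dast'] },
  { name: 'ciso-dashboard',   tier: 'internal', exposure: 'intranet', activities: [] },
  { name: 'legacy-reporting', tier: 'unknown',  exposure: 'intranet', activities: [] },
];
const ACTIVITIES = ['threat-model', 'sast', 'dast', 'pentest'];

// Which activities each tier is expected to have had (constructed policy).
const REQUIRED = {
  critical: ['threat-model', 'sast', 'dast', 'pentest'],
  internal: ['sast', 'dast'],
  public:   ['dast'],
  unknown:  [],   // cannot set requirements for an asset nobody has classified
};

// Coverage of one activity across a set of apps, in percent (one decimal).
function coverage(apps, activity) {
  if (apps.length === 0) return 0;
  const covered = apps.filter(a => a.activities.includes(activity)).length;
  return Math.round((covered / apps.length) * 1000) / 10;
}

// Overall and per-tier coverage, plus the apps missing each activity.
// The gap lists are the actionable part: they say what to do next.
function coverageReport(inventory, activities) {
  const report = { overall: {}, byTier: {}, gaps: {}, unclassified: [] };
  for (const act of activities) {
    report.overall[act] = coverage(inventory, act);
    report.gaps[act] = inventory.filter(a => !a.activities.includes(act)).map(a => a.name);
  }
  for (const tier of new Set(inventory.map(a => a.tier))) {
    const apps = inventory.filter(a => a.tier === tier);
    report.byTier[tier] = Object.fromEntries(activities.map(act => [act, coverage(apps, act)]));
  }
  // Unclassified apps mean step 1 (inventory and classification) is not done.
  report.unclassified = inventory.filter(a => a.tier === 'unknown').map(a => a.name);
  return report;
}

// Work list: every (app, activity) pair the app's tier requires but it lacks.
function workList(inventory, required) {
  const items = [];
  for (const app of inventory) {
    for (const act of required[app.tier] || []) {
      if (!app.activities.includes(act)) items.push({ app: app.name, tier: app.tier, missing: act });
    }
  }
  return items;
}

console.log(JSON.stringify(coverageReport(INVENTORY, ACTIVITIES), null, 2));
console.log(workList(INVENTORY, REQUIRED));
```

The overall number answers "how much of the estate is covered"; the per-tier number answers whether the critical assets are the ones being skipped, which is the question the risk group actually cares about.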


August 8, 2010

Building A Secure Web Application – Part 1

Filed under: Application Security — Celia @ 3:24 pm

Well, when I first thought of posting about this topic, a friend of mine suggested..

“Celia, forget about security. Once you put your application on the web, no matter what you do, it is always vulnerable.”

Another one said, “Gosh! Remember that we are from the service industry. Let's not overdo that security aspect. The client will take care of it when he deploys it. Also, remember, we can do only what they ask for..”

As I pondered this, I wondered how I could strike a balance between these two people. Agreed, security is an ongoing thing; it is a race between the attackers and the defenders. Today we find a vulnerability and fix it. Tomorrow there comes another issue.

Likewise, clients come in all flavours. Some really know what they want. These people are a delight to work with, as their requirements are very clear, and they are quick to understand that building secure applications takes some real effort. Others think that application development shouldn't take more than a week. There was this manager who once asked me, “After all, it's just adding, editing, deleting and viewing. You are not doing rocket science. Why is it taking more time?”

Yeah, I agree with that. It would take me just one query on the database to let an administrator log in to a system. But it would take me at least ten other policy checks to prevent other users from manipulating that query. Wouldn't that take some solid effort?

I hope people are at least nodding a little now. Let me say one thing: even popular websites like Gmail, Facebook, YouTube and MSN have vulnerabilities. So it is not just a poor programmer's pathetic code. Even experienced experts find it difficult to take care of every vulnerability when all their attention is focused on the business logic.

In this case, what can be done? First thing:

Client: The client has to know that building a secure web application takes some time, and some real effort.

Developer: The programmer needs to know how to secure their code and needs to follow a security standard.

PM: The one who takes the real pressure, and who needs to coordinate between the above two.

Security Consultant: The one who tells us what we already know :) .. well, jokes apart, this is the person who makes our lives simpler, who tells us what needs to be done to make our code secure and who reviews it before the app gets deployed to the production environment.

Now, just as we have separate teams for application design, BI development and testing, we need a separate group of security experts who concentrate only on the security aspect of the application. How a security expert adds value to the application will be discussed in Part 2 of this article... :)

August 2, 2010

Web Application Security

Filed under: Application Security — Celia @ 1:39 pm

It's been a long time since I posted in this blog. I guess from now on you can expect frequent posts. I will be covering 'Web Application Security' in general and will deal with every aspect of it.

To start with, let me tell you the standards that have been adopted by the security world.

The standards available are

1) OWASP Top Ten security vulnerabilities

2) CWE/SANS Top 25 Most Dangerous Software Errors

Since OWASP broadly covers most of the aspects, I will take it as my verification standard.

For all the vulnerabilities covered, the example code will be in PHP.

Let's dive in..
