The Glider

Normal 0 false false false EN-CA ZH-TW X-NONE MicrosoftInternetExplorer4 As botnets and other automated tools are hammering at websites trying to exploit SQL injection vulnerabilities, site operators are trying hard at defending their websites. ASProx and other botnets were hitting hard at the ASP + MS SQL platform, millions of websites fell victims to the SQL injection vulnerabilities already. Although there has been a decline of wild SQL scanning by ASPRox type of botnet, we are still not in the clear yet. The unauthenticated portion of some sites might be secure, but the authenticated portion might be totally vulnerable. Since most scans only target what can be seen by Googlebots, there are still tons of web pages out there vulnerable waiting for exploitation. If you have tons of vulnerabilities on your site, you likely will take some time to fix all of it as fixing code isn't the easiest and fastest thing to be done. A short term remediation to SQL injection can be web application firewall. Web application firewall (WAF) is similar to a network firewall except it also inspect the application layer information, such as cookies, form fields and HTTP headers. With Microsoft IIS as web server, one of the quickest and easiest WAF solution maybe Microsoft's Urlscan, it is an addon to IIS5 and built-in for later versions of IIS. Urlscan runs as an ISAPI filter, so it can be easily deployed and removed. Since version 3.0 of Urlscan, there are decent level of coverage on SQL Injection capabilities. The biggest complaint is that Urlscan do not inspect HTTP request body (POST data), so it could be missing attacks that are submitted using POST. I have recently played with another free WAF product on IIS called Webknight and found it to be easy to config and full of nice features. The default configuration file is reasonably tight. In most cases, you would probably want to loosen things up so Webknight won't break your site with false positives. It inspects SQL injection in header, cookies, URL and in POST data. The detection is based on hitting two of the preset SQL keywords. For most cases, this generally works well. It may render false positives with some more complex textarea field that expect various text. Overall, Webknight is a good WAF that can fulfill basic protection needs. Remember that WAF products are meant to be an extra layer of defense and/or a very short term mitigation until you fix up all the code. For mitigation, you are really just buying yourself more time before a compromise happens. While WAF do a good job at making the site harder to compromise, they have various limitation, the most effective long term mitigation is still fixing up the code. ------- Jason Lam, author of SANS web app courses - 319, 422, 538

The oldfashioned way to launch a network DDoS attack involved building one's own bot network that would flood the victim with unwanted traffic. However, the illicit marketplace for such services has matured, allowing a person to purchase DDoS services on demand, effectively renting a botnet for the event. Here's one ad for such services. It's in Russian; the translation follows. The ad scrolls through several messages, including: Will eliminate competition: high-quality, reliable, anonymous. Flooding of stationary and mobile phones. Pleasant prices: 24-hours start at $80. Regular clients receive significant discounts. Complete paralysis of your competitor/foe. Perhaps the most interesting aspect of the advertised service is the offer to flood the victim's phones. We often think of network-based DDoS attacks, but phone-based DDoS could be as devastating. If the service can, indeed, target stationary (landline) phones, then we're not just talking about SMS-based floods. These would probably be actual phone calls, probably initiated using VoIP, maybe via stolen Skype accounts with dial-out credits. Anyone knows more about such phone attacks? -- Lenny Lenny Zeltser Security Consulting - SAVVIS, Inc. Lenny teaches a SANS course on analyzing malware.

SAINT is the Security Administrator's Integrated Network Tool. It is used to non-intrusively detect security vulnerabilities on any remote target, including servers, workstations, networking devices, and other types of nodes. It will also gather information such as operating system types and open ports. The SAINT graphical user interface provides access to SAINT's data management, scan configuration, scan scheduling, and data analysis capabilities through a web browser. Different aspects of (...) - Security Tools / Saint, Vulnerability Scanner, Vulnerability Management

the Metasploit Project announced today the free, world-wide availability of version 3.2 of their exploit development and attack framework. The latest version is provided under a true open source software license (BSD) and is backed by a community-based development team. Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the iPhone. Users (...) - Security Tools / Metasploit, Automated Exploiter

“Contact: H D Moore FOR IMMEDIATE RELEASE Email: hdm[at]metasploit.com Austin, Texas, November 19th, 2008 — The Metasploit Projectannounced today the free, world-wide availability of version 3.2 oftheir exploit development and attack framework. The latest versionis provided under a true open source software license (BSD) and is backed by a community-based development…

athos has discovered a vulnerability in Openasp, which can be exploited by malicious people to conduct SQL injection attacks.

http://secunia.com/Advisories/32750/

NOTE: This RSS feed does not include information about updated Secunia advisories. You should note that Secunia on average issues more than 20 updated advisories per day, containing information about exploit and patch availability, new and in depth research, and all other details that are relevant. Learn more about receiving complete and customised Secunia advisory information:
http://secunia.com/advisories/business_solutions/

OpenASP 'default.asp' SQL Injection Vulnerability

“Kaspersky reports that the crackers are adding a JavaScript tag to the html of hacked sites. This causes surfers visiting the site to pull content from one of six gateway sites, which redirect to a server hosting malware located in China. A range of exploits are hosted on this site designed…

CVEs: CVE: Not Available

Platform: Web Application – SQL Injection

CVEs: CVE: Not Available

Platform: Web Application – Cross Site Scripting