Lightweight XSS and SQL Injection testing tools

March 30, 2008

Sometimes it is nice to have a quick tool that will scan a site for basic XSS or SQL Injection vulnerabilities. It is even nicer if you don’t have to go through some long drawn out setup procedure just to see if a field has any tasty morsels to chew on. Enter a free suite of tools called Exploit-Me by Security Compass – Application Security.

The suite currently consists of two tools:

  1. XSS-Me – a tool to test for Cross-Site Scripting vulnerabilities
  2. SQL Inject-Me – a tool to test for SQL Injection vulnerabilities

The beauty of the Exploit-Me suite is that the tools are Firefox add-ons and don’t require a proxy. Install the add-on and when you are on a page you want to test, just open the sidebar and go to town.

Take a peek. I think you’ll like them.

-Kevin Riggins


D**m Vulnerable Linux – excellent pen/web app test learning tool

March 28, 2008

You may all be aware of this, but I was not. Last night I was looking for a LiveCD to use for testing some web app testing tools against. A couple of fine folks, Craig and Wesley, suggested I check out Damn Vulnerable Linux. So I did.

After a couple of hours of download time (the thing is 1.5 GB), I fired up a virtual machine, booted the ISO, started Apache and began poking about. They have put together a fine set of vulnerable applications and web pages that are very useful both for learning about pen/web security testing and for testing new tools you might come across. The testing part is good for keeping the intarweb police jackboots off your neck 🙂

Check it out.


Firekeeper – How did I miss this one

March 27, 2008

I can’t remember where I saw this yesterday; it may have been on Internet Storm Center. Anywho, there is a Firefox add-on/extension/thingy called Firekeeper. From their webpage at Firekeeper – detect and block malicious sites:

Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules similar to Snort ones to describe browser based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content.
Features of Firekeeper include:

  • Ability to scan HTTP(S) request URL, response headers and body, and to cancel processing of suspicious requests
  • Encrypted and compressed responses are scanned after decryption/decompression
  • Privacy friendly – no data is sent to external servers, all scanning is done on the local computer
  • Very fast pattern matching algorithm (taken directly from Snort).
  • Interactive, verbose alerts that give an ability to choose a response to a detected attack attempt.
  • A detailed view of suspicious response headers and body
  • Event logging
  • Ability to use any number of files with rules and to automatically load files from a remote location.

I have played around with it a bit and it is quite nifty.

Caveat: It breaks TwitterFox. I will be posting a bug report about that.


RSS Feed on Feedburner

March 25, 2008

I have moved my RSS feed to FeedBurner for anyone who is watching.


Meaningful Conversation

March 24, 2008

Scott Young over at PickTheBrain writes in this post about a couple of ways to improve the quality of the conversations we have with people.

He points to two basic rules that can help make conversations more meaningful.

  1. The conversation is not about you.
  2. You need to give trust to get trust.

I will leave it to you to explore his take on these two tenets from a general conversational perspective. However, it strikes me that if we, as Information Security professionals, would incorporate these rules into our conversations with our respective constituents, we might be met with a little less resistance. Of course, I am speaking from the perspective of being a corporate drone.

Having a conversation with the Information Security dude or dudette is viewed with a certain amount of trepidation by many who are “forced” to deal with us. In my experience, most of this trepidation is caused by us and not the poor supplicant 🙂 Why do you think they feel this way? Let’s look at number 1 above first.

1. The conversation is not about you.

Pretty simple statement. Harder to put into practice than it appears, though. Let’s change it a little: the conversation is about them. They are looking, whether they know it or not, for the best method of accomplishing their goal in the most secure manner available that is appropriate for the business risk they have chosen to accept. Which, by the way, is a topic for another post. If we approach things from this perspective, it becomes a collaborative endeavor, not an adversarial one. Of course, I am not suggesting that there will not be times when we are required to tell people they can’t do something in the manner they desire. But as long as we avoid just saying no and try to help them find a way that is also acceptable from an infosec perspective, we have still remained their helper and not their roadblock. If they view us as their helper, they will be less concerned when they need to talk to us. They will involve us earlier and, finally, will be more likely to share more information with us.

2. You need to give trust to get trust.

This one is even more difficult. Why should they trust you? Do they know you? We have to build relationships with the people we work with. For those of us who work in the corporate world, this is a little easier. I talk to the same folks day after day and we have the opportunity to get to know each other and build trust. I have to trust that they believe I have their best interests at heart, and they have to trust that I am not out to “get them” or stop them from being successful. Following rule 1 above goes a long way towards building this trust. Those who don’t have the luxury of long-term relationships with the folks they are dealing with have to find some way to establish that trust quickly and right at the beginning. Again, approaching it from a rule 1 perspective will help a great deal.

So there is my two cents’ worth about something that has been a problem in several companies for which I have worked.

I have not done the subject matter justice, but it was on my mind so here it is.

Too focused

March 22, 2008

I am a big fan of Seth Godin’s blog, which can be found here:

If you are not familiar with Mr. Godin, I highly recommend perusing his blog. While not an infosec blog, his insights into marketing and perception are useful in many ways.

He had a post that pointed to this YouTube video. Watch the video and then read on:

Did you watch it? It’s important that you did for what follows.

I was reading a discussion about Risk Assessment methodologies on the CISSP forum the other day. In it, many, many different methodologies were referenced/pointed out. Obviously, having a number of methodologies to choose from is great, since just about every assessment seems to be different than the last. But watching the video helped me to remember that when we are using a methodology or using questionnaires or otherwise performing an assessment, we need to be careful that we are not blinded by watching for the passes.