<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <title>Web Application Security Forum - Vendor Talk</title>
        <description>This is a place for us to start seriously talking about vendors. Who's great, who's not, what's it cost, how does it relate to their competitors and would we buy it? A place to talk about snake oil and brilliant products alike. Marketing fluff is forbidden.</description>
        <link>http://sla.ckers.org/forum/list.php?21</link>
        <lastBuildDate>Tue, 18 Jun 2013 16:17:44 -0500</lastBuildDate>
        <generator>Phorum 5.2.15a</generator>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,51676,51676#msg-51676</guid>
            <title>security plan automation (like RSAM) (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?21,51676,51676#msg-51676</link>
            <description><![CDATA[Hello posters,<br />
<br />
We use RSAM (http://www.rsam.com/) to move security plans through workflow, providing stats, and sending email notifications. Does anyone know of similar products that could be used for this? We only need a web interface, workflow, automatic email alerts and LDAP integration.]]></description>
            <dc:creator>toolbox</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Sat, 26 Jan 2013 16:50:31 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,48370,48370#msg-48370</guid>
            <title>iGuard Biometrics Access Control Webserver Cross Site Scripting (no replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,48370,48370#msg-48370</link>
            <description><![CDATA[iGuard Biometrics Access Control Webserver Cross Site Scripting zero-day vulnerability!!<br />
<br />
<br />
http://www.xc0re.net/index.php?p=1_25_iGuard-Biometrics-Access-Control-Webserver-XSS]]></description>
            <dc:creator>xc0r3</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Wed, 02 May 2012 06:03:27 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,35999,35999#msg-35999</guid>
            <title>Is Barracuda WAF any good? (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,35999,35999#msg-35999</link>
            <description><![CDATA[All,<br />
<br />
Any opinion on this?<br />
<br />
Thanks!]]></description>
            <dc:creator>nexz</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Tue, 29 May 2012 10:07:01 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,32955,32955#msg-32955</guid>
            <title>web app scanner (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,32955,32955#msg-32955</link>
            <description><![CDATA[Hello sla.ckers.org posters,<br />
<br />
I'm looking for recommendations on a generally easy-to-use web application scanner. It doesn't need to be free. It can be an application or server-based, but I'd like to steer clear of appliances.<br />
<br />
I need one that can handle form, cookie, HTTP, and NTLM authentication and provides decent reporting and logging. Missing critical but hard-to-find vulnerabilities is acceptable, as long as the tool catches the most common issues (XSS, plain-text credentials, injection, etc.) quickly.<br />
<br />
Thanks for the opinions. :-D]]></description>
            <dc:creator>toolbox</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Thu, 04 Mar 2010 08:43:04 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,32088,32088#msg-32088</guid>
            <title>WAFs we wouldn't recommend people use (9 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,32088,32088#msg-32088</link>
            <description><![CDATA[So, instead of people asking for responses about particular WAFs, I thought it might be better (and more amusing) to simply list the WAFs we know how to bypass, or have actual vulnerabilities in/exploits for.<br />
<br />
Now, I realise everyone's a hippy and wants their free info, but I don't want to be awfully specific about the exact vulnerabilities, so you're going to have to take this on faith.<br />
If anyone wants to post details, I can't stop you, but (as much as this seems to be acceptable development methodology) I'm not planning on posting details here so that WAF vendors can go do spot-fixes and keep claiming their stuff is secure because there are no known bypasses.<br />
<br />
Feel free to chime in with a product you have a bypass for (for a common situation, e.g. generic filter evasion (aka, this WAF might as well not be there), or generic directory traversal filter evasion, etc) or have a vulnerability in (please don't post things like reflected xss/csrf in the management interface, scout's honour and all), even if it's been listed before, this way people can get a feeling for how common the knowledge is too.<br />
<br />
<br />
<br />
So, without further ado, let me introduce WAFs I personally know are useless (or worse):<br />
<br />
F5 ASM<br />
<br />
Imperva's WAF (sorry, forgot the name)]]></description>
            <dc:creator>kuza55</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Wed, 04 Nov 2009 23:04:20 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,32071,32071#msg-32071</guid>
            <title>NetScaler Web Application Firewall (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,32071,32071#msg-32071</link>
            <description><![CDATA[Hi guys,<br />
<br />
Has anyone been in touch with this WAF?<br />
And how did you feel about it?<br />
<br />
Is it a good product compared to other WAFs?]]></description>
            <dc:creator>Spoint</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Mon, 28 Dec 2009 04:36:02 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,29575,29575#msg-29575</guid>
            <title>Web Application security options (4 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,29575,29575#msg-29575</link>
            <description><![CDATA[I know that there are lots of Hardware solutions available and seen some software solutions also.  What makes one better than another?  Any suggestions and comparison help would be greatly appreciated.  <br />
<br />
Thanks,]]></description>
            <dc:creator>GMan415</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Fri, 30 Oct 2009 07:11:13 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,28822,28822#msg-28822</guid>
            <title>dotDefender (11 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,28822,28822#msg-28822</link>
            <description><![CDATA[I have downloaded the dotDefender from Applicure<br />
The thing is free for 30 days (evaluation). Everything seems to work fine, no problem, nice statistics and very easy to install on my Linux and IIS servers.<br />
<br />
What I am interested in is: does anyone have any experience with dotDefender? Are there problems or issues, and is it fast enough?<br />
<br />
You can download it here: http://www.applicure.com/downloads/dotdefender and try it for yourself<br />
<br />
Wim]]></description>
            <dc:creator>wimvincken</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Sat, 22 May 2010 05:50:43 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,27427,27427#msg-27427</guid>
            <title>questions about how securityfocus works (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,27427,27427#msg-27427</link>
            <description><![CDATA[http://it.slashdot.org/comments.pl?sid=396432&amp;cid=21780042<br />
<br />
That post seems rather illuminating. It suggests, among other things, that a lot of Security Focus' vulnerabilities may come from changelogs. Is there a way to tell when a vulnerability has or hasn't come from a changelog?<br />
<br />
http://www.securityfocus.com/bid/32842/info<br />
<br />
Due to the release dates, I think that vulnerability was pulled from a changelog. It was published on December 15, 2008 when phpBB 3.0.4 was, itself, released on December 12, 2008, per http://www.phpbb.com/community/viewtopic.php?f=14&amp;t=1352565.<br />
<br />
One thing I am unsure about, though... why was the vulnerability updated on March 30, 2009? I ask because I recently saw it in my RSS feed for Security Focus - presumably because of this update.<br />
<br />
Also, why, when a vulnerability is found to be bogus does Security Focus flag it as RETIRED? This, to me, seems highly misleading. Why not flag it as BOGUS? Maybe Security Focus is trying to control their reputation by not belaboring the fact that they accepted a bogus vulnerability? If so, that would be rather hypocritical, it seems to me, given that Security Focus doesn't seem to give others the same courtesy, as evidenced by what the slashdot.org link referred to as &quot;bottom-fishing changelogs&quot;.<br />
<br />
And why are these &quot;bottom-fishing changelog&quot; submitters even given credit? If I disclose an exploit to Wordpress but not to Security Focus and Wordpress fixes it and notes it in their changelog, will some random third party come along and essentially steal the credit for it? If the source of the vulnerability claim is, say, Wordpress's changelog, shouldn't Wordpress receive the credit? If The Pirate Bay worked like Security Focus seems to, people wouldn't be downloading Microsoft Windows - they'd be downloading TPBRema Windows or m00ns Windows.]]></description>
            <dc:creator>slacker</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Wed, 29 Apr 2009 20:17:51 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,27258,27258#msg-27258</guid>
            <title>Source Code Analysis (8 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,27258,27258#msg-27258</link>
            <description><![CDATA[Does anybody have any thoughts on Fortify vs. Ounce vs. Klocwork vs. Coverity?  Preferred choice?]]></description>
            <dc:creator>br0kan</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Mon, 30 Mar 2009 13:45:16 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,24994,24994#msg-24994</guid>
            <title>WAF vendors (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,24994,24994#msg-24994</link>
            <description><![CDATA[We were debating WAFs at Bluehat and I mentioned a lack of contribution from them on sla.ckers. So here's your chance, vendors: let's see some communication, some demo pages, some filter source. Anything!]]></description>
            <dc:creator>Gareth Heyes</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Thu, 26 Mar 2009 15:19:41 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,24985,24985#msg-24985</guid>
            <title>Acunetix Web App Scanner has GPL'ed some sections ? (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,24985,24985#msg-24985</link>
            <description><![CDATA[List,<br />
<br />
    For some reason I finally decided to give Acunetix scanner a try, so I opened the very nice (?) CD case they gave me at OWASP with the evaluation version, and installed it in my box. The installation failed (I only tried with wine), and whenever I tried to run it I got a nice &quot;report your bug&quot; window (once again, my fault because I was trying it with wine). So... without being able to actually run the tool, I went to the directory and started reading some files, until something got my attention:<br />
<br />
...<br />
&lt;Copyright&gt;GPL&lt;/Copyright&gt;<br />
...<br />
<br />
    WTF? Then I did some more checking...<br />
<br />
dz0@brick:~/.wine/drive_c/Program Files/Acunetix/Web Vulnerability Scanner 5/Data/Profiles/VulnXML$ grep GPL * -Rs | wc -l<br />
596<br />
dz0@brick:~/.wine/drive_c/Program Files/Acunetix/Web Vulnerability Scanner 5/Data/Profiles/VulnXML$<br />
<br />
    And well... yes... it seems that they have GPL copyright for all the VulnXML, which has some interesting information (at least for me), because they have all the errors database for SQL injection, and other &quot;error based detection&quot; vulnerabilities. I know that copyright is not the same as License... but... in this case I think that it could be? Or maybe the copyrights for those files are assigned to a company called GPL?  (????)<br />
<br />
    After that, I decided to see which files weren't actually GPL:<br />
<br />
dz0@brick:~/.wine/drive_c/Program Files/Acunetix/Web Vulnerability Scanner 5/Data/Profiles/VulnXML$ grep Copyright * -Rs | grep -v GPL<br />
Blind_SQL_injection_(number_no_end).xml:    &lt;Copyright&gt;&lt;/Copyright&gt;<br />
Blind_SQL_injection_(number).xml:    &lt;Copyright&gt;&lt;/Copyright&gt;<br />
Blind_SQL_injection_(second_string_no_end).xml:    &lt;Copyright/&gt;<br />
Blind_SQL_injection_(second_string).xml:    &lt;Copyright&gt;&lt;/Copyright&gt;<br />
Blind_SQL_injection_(string_no_end).xml:    &lt;Copyright/&gt;<br />
Blind_SQL_injection_(string).xml:    &lt;Copyright&gt;&lt;/Copyright&gt;<br />
Sift_Unity_Cross-Site_Scripting.xml:								&lt;Value&gt;Copyright Sift Group Ltd&lt;/Value&gt;<br />
dz0@brick:~/.wine/drive_c/Program Files/Acunetix/Web Vulnerability Scanner 5/Data/Profiles/VulnXML$ <br />
<br />
    So... this is interesting... Some files don't have copyright, and one of them is copyrighted to &quot;Sift Group Ltd&quot;.<br />
<br />
    Finally, I would like to ask you guys some questions:<br />
<br />
- Anyone noticed this before?<br />
- Is this a &quot;licensing bug&quot;?<br />
- I'm just guessing but... maybe they HAD to leave this as GPL because they took the information from a GPL project?<br />
<br />
    If anyone has some insight info, please share ;)<br />
<br />
Cheers,]]></description>
            <dc:creator>andresRiancho</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Thu, 23 Oct 2008 23:55:50 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,24484,24484#msg-24484</guid>
            <title>TeamMentor (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,24484,24484#msg-24484</link>
            <description><![CDATA[Does anyone have access to Security Innovation TeamMentor?  It was announced in mid-April, 2007.<br />
<br />
I checked out the demo and collateral, and it's coming along nicely.  Too bad it costs $25k.<br />
<br />
SI's e-Learning offerings (check out the demos!) also look great.  I was hoping that their stuff would be priced better, especially considering that Holodeck is one of the cheaper fault-injection test harnesses at $1800.]]></description>
            <dc:creator>ntp</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Fri, 19 Sep 2008 09:30:19 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,23748,23748#msg-23748</guid>
            <title>Splunk (11 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,23748,23748#msg-23748</link>
            <description><![CDATA[Anyone played with <a href="http://www.splunk.com/" rel="nofollow" >Splunk</a>?<br />
<br />
I read <a href="http://blogs.splunk.com/raffy/" rel="nofollow" >Raffy</a>'s slides from his talk at HITB2007 on visualization, and this got me really interested in log analysis through visualization. I flipped through his book (the first one, not the new Applied Security Visualization) at my local bookstore and liked it even more.<br />
<br />
Around the same time, the company I work for finally decided that we need a log aggregation and analysis tool so that we know wtf is happening on our servers. So we called up Splunk, and I was impressed by a demo. Now we have them coming in to set Splunk up on our network and slurp up the logs from all our servers, firewalls, etc.<br />
<br />
The demo impressed me. Hopefully this upcoming proof of concept doesn't disappoint.]]></description>
            <dc:creator>hexfortyfive</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Tue, 05 Aug 2008 18:35:20 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,22877,22877#msg-22877</guid>
            <title>Javeline Platform (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,22877,22877#msg-22877</link>
            <description><![CDATA[Wasn't sure where to put this..<br />
<br />
http://www.javeline.com/<br />
<br />
Anyway, Javeline Platform is an AJAX framework which integrates XML and JavaScript and melts them into their own JSL syntax. I've been playing around with it for a few days learning the syntax and properties of different containers/components. There isn't much support at all, and it takes a steely resolve to sit through hours of wondering &quot;why on earth has my list suddenly stopped displaying data&quot;, but this could be quite a powerful tool (if only they had decent tutorials, a manual and a forum), especially when they release another product they're working on, DeskRun (allows you to package a full zip of your web app and convert it into an exe which can access the filesystem and act like a normal windows app - very nifty). Anyway, just thought I'd let you guys know in case you wanted to take a look and try and build a few things with it. It's easy to learn, just frustratingly fragile (the littlest things stop your xml data from actually converting and being listed properly.... UGH).<br />
<br />
Cheers.]]></description>
            <dc:creator>fragge</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Mon, 30 Jun 2008 10:37:13 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,22433,22433#msg-22433</guid>
            <title>AJAX IM (4 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,22433,22433#msg-22433</link>
            <description><![CDATA[I want to use the following on one of my sites http://www.ajaxim.com/ and was wondering if I take all the measures to sanitize and validate the information being sent to the server, does that protect me? I know since it's client-side all security done to the JS app can be tampered with, but what other security issues can an AJAX app such as this otherwise cause to my site? I haven't dabbled with AJAX much so I'm still learning of its potential risks. Thanks in advance.]]></description>
            <dc:creator>CrYpTiC_MauleR</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Sat, 01 Nov 2008 01:14:28 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,22432,22432#msg-22432</guid>
            <title>NeXpose (10 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,22432,22432#msg-22432</link>
            <description><![CDATA[I got this email today, and I thought I'd forward it off...  Any comments?<br />
<br />
<blockquote class="bbcode"><div><small>Quote<br/></small><br/>
Was wondering if you knew much about Rapid7’s NeXpose product and whether it’s reputable or not. It’s apparently one of very few commercial products out there that scans various platforms &amp; technologies, incl. some webapp and DB stuff (web 2.0 stuff - JavaScript, AJAX, Flash Flex, ActionScript, ASP.NET 2.0 (Atlas) and .NET 3.0). I’ve also heard a top guy at Foundstone took a high level job there. I’ve searched for some objective reviews of their product but haven’t come across a whole lot.</div></blockquote>]]></description>
            <dc:creator>rsnake</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Thu, 26 Aug 2010 00:57:26 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,22020,22020#msg-22020</guid>
            <title>Vulture Applicative Firewall (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?21,22020,22020#msg-22020</link>
            <description><![CDATA[I am on a mission from god to implement a PoC for a client for a hardened (like in &quot;oh my god, this box is a fracking tank&quot;) vulture box. I open this thread for two reasons:<br />
<br />
1: if you have experience with its successes and failures, I'd be happy to hear about it<br />
<br />
2: report my own findings, and c/c the documentation I'll write. Maybe I'll post the whole box design as a howto.<br />
<br />
EDIT: <br />
<br />
oh bugger, I forgot the url [<a href="http://vulture.open-source.fr/wiki/" rel="nofollow" >vulture.open-source.fr</a>]<br />
<br />
yeah I know it's in french. I do not choose the products, and managers aren't particularly known for their language proficiency :)]]></description>
            <dc:creator>Malkav</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Thu, 24 Apr 2008 14:14:46 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,21704,21704#msg-21704</guid>
            <title>opensource webmail/collaboration platform review (7 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,21704,21704#msg-21704</link>
            <description><![CDATA[I recently installed a fully fledged postfix/dovecot on a new server, but he wanted a webmail/calendar/whatever too, and I don't know those products very well.<br />
<br />
So I tried horde and roundcube. Both do their job (although roundcube is largely heavier, mainly due to javascript).<br />
<br />
Did you have to pentest webmails/CPs recently? Would you recommend one in particular? The only requirement is that it can run in lighttpd-fcgi and over PostgreSQL.<br />
<br />
I am no php coder, so if I had to code one, it would be perl or RoR. And I have not much time.<br />
<br />
As I dedicated most of my time spent on this one to hardening the underlying freebsd 7, I think I'd be pretty pissed off if some random kiddy started to attack the database via SQLi (or worse, sent mail with JS. XSS via mail. NOOoOOoooOoOoO)]]></description>
            <dc:creator>Malkav</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Wed, 05 Nov 2008 06:03:28 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,21474,21474#msg-21474</guid>
            <title>Avast (8 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,21474,21474#msg-21474</link>
            <description><![CDATA[Whelp, this appears to be a major false positive for Avast: http://ha.ckers.org/blog/20080318/yahoo-mail-gives-users-trojan-horses/#comment-66615<br />
<br />
Anyone have any better luck with the other AV vendors for this kind of detection?  I've played with half a dozen and most of them appear to be so-so, but I've also done almost no testing against the different signatures out there.]]></description>
            <dc:creator>rsnake</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Fri, 19 Sep 2008 08:12:10 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?21,21421,21421#msg-21421</guid>
            <title>F5 WAF (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?21,21421,21421#msg-21421</link>
            <description><![CDATA[Does anyone have experience with the F5 WAFs?  I've been asked by at least one of my clients about it, and I was curious if anyone here had done an install, if it's any good compared to the other WAFs, what the interface looks like, list price, et al?]]></description>
            <dc:creator>rsnake</dc:creator>
            <category>Vendor Talk</category>
            <pubDate>Thu, 26 Mar 2009 10:31:13 -0500</pubDate>
        </item>
    </channel>
</rss>
