[OWASP-TESTING] OWASP WAPT submission

Mauro Bregolin mauro.bregolin at gmail.com
Wed Aug 17 10:03:38 EDT 2005


...at last I got back after a few nice days offline.

 

Mark,

 

thanks for your comments.

 

Regarding certs, I never (did I?) recommended using a browser to check for
their validity. Browsers were used in the text to provide a couple of
examples. However, it's probably worth stressing explicitly what you are
saying - don't rely on browsers but on specialized tools to do the check.

 

Webdav: I agree that there's much more to say about that. However, in my own
experience, webdav problems are mostly linked to related vulnerabilities
(file listing exposures, buffer overflows, etc.) than to misconfigurations -
but let's not start a flame war on this, I'm sure opinions will differ
greatly.

Anyway, IMHO the bottom line is:

- if you don't use it or need it, remove it (and MANY times you simply don't
need it...)

- if you *really* need it, pay care to patch it and configure it properly.
This roughly means: grant permissions according to your application
requirements, and nothing more.

Anyone out there with a specific webdav configuration checklist saying a bit
more than the obvious? (ensuring appropriate permissions are required to
exec webdav methods, authorization required where necessary, etc. etc.)

 

I'll be back with an updated version incorporating the list's feedback -
including Javier's stuff about old, backup and unreferenced files (BTW, do
we have Dafydd Studdard's permission to use that material?)

 

Mauro

 

  _____  

From: Curphey, Mark [mailto:mark.curphey at foundstone.com] 
Sent: mercoledì 10 agosto 2005 17.25
To: Mauro Bregolin; Daniel Cuthbert
Cc: owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] OWASP WAPT submission

 

Mauro, good job. Here are some quick comments. 

 

SSL

 

Shameless plug for SSL 

http://www.foundstone.com/resources/proddesc/ssldigger.htm

Designed to exactly what you describe (and more)

Key lengths are tied to cipher suites

You need to also comment on key exchange protocols (strong cipher with ADH
is not a good idea !)

 

Certs

 

You should not use a regular browser to check certificates. Many of the
API's used by the .NET framework do not adequately check CRL's and CRL
paths. You have to hand the full bang of certs you have etc. Look at API doc
for example. Many browser settings will determine how the relevant API is
invoked. This means certs can be invalid but still report as being valid in
some cases dependent on browser config. They also use the local clock to
determine date time matching so if your local clock is not accurate (i.e.
set forward by 3 months) you will not get a true indication of the cert has
expired. There are also fields you need to look for including usage (I often
see key signing certs on SSL servers). You should also explicitly ensure
people don't think certs are web server certs. JSSE, MSCAPI etc all have
classes where SSL is instantiated from the app itself. This is especially
important in web services where you are not relying on infrastructure to
provide the security. 

 

PS for shits and giggles https://www.verisign.net

 

Backup files - pet hate. Who cares if there is a sample file installed
UNLESS it has a vulnerability. Needs to be made clear to stop the scare
mongerers ;-) Also I think its important to explain the 404 issues and why
Nikto and tools like it usually report so many false positives. 

 

WebDav section needs work but sadly no time to comment now. 

 

 

  _____  

From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Mauro
Bregolin
Sent: Monday, August 08, 2005 4:55 PM
To: Daniel Cuthbert
Cc: owasp-testing at lists.sourceforge.net
Subject: [OWASP-TESTING] OWASP WAPT submission

Daniel and all,

please find attached my submission.
Feel free to review it and send comments, particularly if you have relevant
information regarding bibliographic references not mentioned in the text.

Topics are those specified in Daniel's email of June 27, plus a "bonus"
section on Session Riding.

Best regards to all,

Mauro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20050817/2d951e5f/attachment.html 


More information about the Owasp-testing mailing list