Pentesting Web Services with Proprietary Formatted Input


From time to time I come across a web service that expects its input in some proprietary format, usually JSON distorted in one way or another. A vulnerability scanner knows nothing about that stuff and can't properly fuzz it. (At the time of this writing Acunetix and Burp Pro support JSON only in HTTP responses.) In this case one has to resort to pure manual testing or partially automated testing with a fuzzer. Both approaches have their limitations, and I decided to finally find a way to run an automated scanner against proprietary web services.

MagicTree Build 1559

I've just uploaded MagicTree build 1559, which includes fixes for bugs we have found while working on the PenTest Magazine article.

We are working hard on the next release of MagicTree. We hope to have it out before the end of September.


Taming Vulnerability Data - Our article on MagicTree in PenTest Magazine

Update 2011/09/17: MagicTree build 1559 mentioned in the article is available for download.

PenTest Magazine has published our article Taming Vulnerability Data in its September extra issue along with a MagicTree review by Aby Rao.

Interview with Data News

Belgian IT magazine Data News has published the interview with Filip Waeytens and me (Alla) today. It is about penetration testing, hacking and IT security in general. Here is the PDF in Dutch. The whole issue can be viewed here.

Binding Burp to a privileged port

Sometimes it is useful to run an intercepting proxy (running as a non-root user) on a privileged port. On Debian-based systems this is possible using the authbind facility.

The first step is to record the necessary port number in authbind config:

$ sudo touch /etc/authbind/byport/443
$ sudo chown abb:abb /etc/authbind/byport/443
$ sudo chmod 755 /etc/authbind/byport/443

After that, run Burp with authbind to let it use the privileged port configured above:

Web Site is Alive Again

Our web server has temporarily succumbed to bit rot. Now it is migrated to a sparkling new virtual machine, DNS updated and everything seems to be ticking along as it should. Sorry for any inconvenience this might have caused.

(Really) Testing for SSL/TLS Re-negotiation

The SSL/TLS re-negotiation vulnerability (CVE-2009-3555) allows a man-in-the-middle to insert plain text at the beginning of an encrypted stream. It used to be possible to check whether the server supports re-negotiation using OpenSSL s_client (see here). However, recent versions of OpenSSL disable insecure re-negotiation completely, so if you run s_client against a vulnerable target and request re-negotiation, it exits, just as it does when the target does not support re-negotiation:

Exploiting SQL Injection in ORDER BY on Oracle

Consider the following piece of code:

$sql = "SELECT something FROM some_table WHERE id=? ORDER BY $column_name";

The WHERE clause is parametrized, but the ORDER BY isn't. This happens often enough. Assuming that $column_name comes from user input, this code is vulnerable to SQL injection.

Building libvirt with ESXi driver

Libvirt is a toolkit for managing virtual infrastructures. It is supposed to support the VMware ESXi hypervisor, but the package in the Ubuntu 10 repository is compiled without the necessary drivers (as of the time of writing). One can find libvirt compilation instructions here, but they are not Ubuntu-specific and do not mention ESXi.

Why Investing in IT Security is Bad for Your Business: A Model

Consider a simple economic model. There are N companies that make doodahs. I am going to make two assumptions about the doodah market.

1. The market for doodahs is very competitive, so the profit margins are thin - a doodah maker that has a higher cost of production quickly goes out of business. This is not a very strong assumption - most modern markets are like this.
