YAWAST 0.5 Released
Today, I’ve released the latest version of YAWAST, a security scanner for web applications that provides basic information about the application, and performs common checks so that you can move on to the fun part of testing more quickly. YAWAST also remains the only tool I’ve found that can perform an accurate test for SWEET32.
Here is the change log for version 0.5.0:
- #35 – Add check for SameSite cookie attribute
- #53 – Added checks for .well-known URLs
- #75 – Use internal SSL scanner for non-standard ports
- #84 – Improve the display of ct_precert_scts
- #86 – Add check for Tomcat Manager & common passwords
- #87 – Tomcat version detection via invalid HTTP verb
- #88 – Add IP Network Info via api.iptoasn.com
- #90 – Add HSTS Preload check via HSTSPreload.com
- #91 – Enhanced file search
- #96 – Scan for known SRV DNS Records
- #97 – Search for Common Subdomains
- #100 – Check for missing cipher suite support
- #102 – Use SSLShake to power cipher suite enumeration
- #76 – Bug: Handle error for OpenSSL version support error
- #98 – Bug: SWEET32 Test Fails if 3DES Not Support By Latest Server Supported TLS Version
- #99 – Bug: Cloudflare SWEET32 False Positive
- #101 – Bug: SWEET32 False Negative
- #103 – Bug: Scan fails if HEAD isn’t supported
- Various code and other improvements.
On the need for an open Security Journal
The information security industry, and more significantly, the hacking community are prolific producers of incredibly valuable research; yet much of it is lost to most of those that need to see it. Unlike academic research which is typically published in journals (with varying degrees of openness), most research conducted within the community is presented at a conference – and occasionally with an accompanying blog post. There is no journal, no central source that this knowledge goes to; if you aren’t at the right conference, or follow the right people on Twitter, there’s a great chance you’ll never know it happened.
Read more…TLS Certificates from the Top Million Sites
Thanks to the recent WoSign / StartCom issues with misused or flawed certificates, there was a question about how many of the certificates issued were actually active – so this seemed to be a good time to run a scan against the Alexa top 1 million sites to see what I could find.
Scan information: The scan was ran with an 8 second timeout – so any server that couldn’t complete a handshake within 8 seconds isn’t counted. The scanner attempted to connect to the domain on port 443, and if that failed, then attempted to connect to the “www” subdomain. No certificate validation was performed. The scan didn’t attempt any other ports or subdomains, so it’s far from a complete picture.
Read more…Ruby + GCM Nonce Reuse: When your language sets you up to fail…
A couple hours ago, Mike Santillana posted to oss-security about a rather interesting find in Ruby’s OpenSSL library; in this case, the flaw is subtle – so much so that it’s unlikely that anyone would notice it, and it’s a matter of a seemingly insignificant choice that determines if your code is affected. When performing AES-GCM encryption, if you set the key first, then the IV, and you are fine – set the IV first, you’re in trouble.
Read more…Testing for SWEET32 with YAWAST
Testing for SWEET32 isn’t simple – when the vulnerability was announced, some argued that the best solution was to assume that if a TLS server supported any of the 3DES cipher suites, consider it vulnerable. The problem is, it’s not that simple. On my employer’s corporate blog, I wrote about practical advice for dealing with SWEET32 – and pointed out that there are ways around the vulnerability, and some are quite simple.
Read more…Simple Messaging and Identity Management Protocol (SMIMP) - Final Version
The final version of the SMIMP specification is reproduced below. This is provided as a historic copy of this document in the final update performed.
Simple Messaging and Identity Management Protocol
Version: v0.1
Author: Adam Caudill ([email protected])
Copyright & Intellectual Property Statement
Copyright 2014 - 2016, Adam Caudill.
In the interest of this specification being used freely, this specification in released under the CC BY-SA 4.0 license. See LICENSE for more details.
Read more…Developers: Placing Trust in Strangers
Much has been said, especially recently, about that mess of dependencies that modern applications have – and for those of us working in application security, there is good reason to be concerned about how these dependencies are being handled. While working on YAWAST, I was adding a new feature, and as a result, I needed a new dependency – ssllabs.rb.
While most Ruby dependencies are delivered via Gems, ssllabs.rb is a little different – it pulls directly from Github:
Read more…Threat Modeling for Applications
Whether you are running a bug bounty, or just want a useful way to classify the severity of security issues, it’s important to have a threat-model for your application. There are many different types of attackers, with different capabilities. If you haven’t defined the attackers you are concerned about, and how you deal with them – you can’t accurately define just how critical an issue is.
There are many different views on threat models; I’m going to talk about a simple form that’s quick and easy to define. There are books, tools, and countless threat modeling techniques – it can easily be overwhelming. The goal here is to present something that can add value, while being easy to document.
Read more…When Hashing isn’t Hashing
Anyone working in application security has found themselves saying something like this a thousand times: “always hash passwords with a secure password hashing function.” I’ve said this phrase at nearly all of the developer events I’ve spoken at, it’s become a mantra of sorts for many of us that try to improve the security of applications. We tell developers to hash passwords, then we have to qualify it to explain that it isn’t normal hashing.
Read more…Seamless Phishing
Phishing attacks are a fact of life, especially for users of the largest sites – Facebook being the most common I’m seeing today. Pretty much everybody, from the SEC to antivirus companies have published guides on what users should do to avoid phishing – so I picked one at random and pulled out the key points:
- 1). Always check the link, which you are going to open. If it has some spelling issues, take a double-take to be sure — fraudsters can try to push on a fake page to you.
- 2). Enter your username and password only when connection is secured. If you see the “https” prefix before the site URL, it means that everything is OK. If there is no “s” (secure) — beware.
- 5). Sometimes emails and websites look just the same as real ones. It depends on how decently fraudsters did their “homework.” But the hyperlinks, most likely, will be incorrect — with spelling mistakes, or they can address you to a different place. You can look for these tokens to tell a reliable site from a fraud.
This is from Kaspersky – unfortunately the advice is far from great, but it follows pretty closely to what is generally advised. It’s quite common for people to be told to check the URL to make sure it’s the site they think it is, check for a padlock, and if everything looks right, it should be safe. Except of course, for when this advice isn’t nearly enough.
Read more…
About Me
Security researcher, engineer and software developer with more than 20 years of experience.
Work: I primarily focus on application security, usable security, secure communications, and cryptography. I build and lead strong and dynamic teams, who cover all facets of security and privacy.
Writing: I write about my research, security in general, development and software design, and leadership through my blog, essays, and various publications. I also engage in some creating writing when I can.
Photography: I am a purist fine art photographer, working primarily in black & white, and focused on sharing new perspectives of the world. Limited edition prints of my work are available on my online gallery. I also have a background in photojournalism, and volunteer in this field when I can.