
Re: [WEB SECURITY] Links for tutorials on false positives




Hi Joshua,

Thanks a bunch for the detailed reply. :)
As part of my security testing assignments and manually verifying the vulnerabilities found, I felt that a lot of emphasis is put on the HTTP response we get from the app server when we try to verify the vulnerability, mainly via browser. I fully agree with the fact that we should rely on specialized engines/plug-ins/modules for validating the vulnerabilities. But for the more straightforward ones like cross-site scripting, I have found in many cases we can directly execute them via browser.
But the biggest challenge is to decipher the server responses, as in many situations it is not a straightforward 200 OK or 404 NOT FOUND. So I hope later someday there will be rules/guidelines to decide which HTTP response can be a false positive and based on what justifications.

Regards,
Sutapa

--- On Mon, 30/11/09, Joshua Thomas <mr.omnipresent@gmail.com> wrote:

From: Joshua Thomas <mr.omnipresent@gmail.com>
Subject: Re: [WEB SECURITY] Links for tutorials on false positives
To: "sutapa dey" <sutapaeie10@yahoo.co.in>
Cc: "YGN Ethical Hacker Group" <lists@yehg.net>, "NeZa" <neza0x@gmail.com>, websecurity@webappsec.org
Date: Monday, 30 November, 2009, 5:23 PM

Hello Sutapa,
Ideally when we run any tool (AppSec/InfraSec) results are generated. Now there can be 3 cases:
1. Actual vulnerabilities - The ones which are really there and are reported by the tool (POSITIVES)
2. Unreal vulnerabilities - The ones which are reported but are not there (FALSE POSITIVES)
3. Un-FOUND vulnerabilities - The ones which are not reported but do exist (FALSE NEGATIVES)

Now, to identify which are real and/or real but not reported, the only way is to MANUALLY VERIFY. This process ranges from simple tests to complicated. [I am not sure if you will find all the tutorials and documents revealing how these tests are to be performed, since it comes from knowledge of the entity you are scanning... i.e., (Example)
a> AppSec - Let's say your tool found an XSS (Cross site scripting). Now what you could do is go to the link reported by the tool and try tampering the parameter to inject the script, or code (as applicable), to validate if it is real
b> InfraSec - Let's say your tool reports Anonymous FTP with writable permissions - Now what you have to do is manually launch the FTP client and check if it accepts anonymous logins and if you could upload/write/delete any file on that server
]
Now here is one POINTER - While validating some of these vulnerabilities, you might unintentionally change/affect the Integrity, Availability or Reliability of the entity. So in those cases in which you think it could affect the above mentioned CIARs (Confi, Integrity, Availability and Reliability) you might want to get an approval from the client if you are allowed to perform such testing (Exploitation activities). So what you can do is mark those as PROBABLE VULNERABILITIES and ask for confirmation.

EXAMPLE (Vulnerability in Plug and Play Service Could Allow Remote Code Execution (Microsoft ID: MS05-039) was reported by your tool on IP X1.X2.X3.X4 ... Now you report that this vulnerability might be present and it could be a false positive, and ask the client to confirm if this can be tested. Once you get the confirmation, here are the things you could do for starters -

1. Note down the BUGTRAQ ID, CVE ID, or any ID (ID = Security identifier) and google if this can be exploited. Security Focus, Packetstorm, milw0rm provide some sort of exploitation code which you could leverage for this activity (**CAUTION** SOME OF THESE CODES ARE Proof-Of-Concepts, and can affect Availability of the service/server, i.e., could lead to Denial of Service... This you should not test unless explicitly suggested by the Client. Try to evaluate the Risk of such activity before proceeding, since these entities might be in a production environment)
2. Every vulnerability scanning tool has some sort of engine, plugins, modules - so for mid-level users I would suggest you analyse these modules and plugins for how these vulnerabilities are reported and identified. Not only would you learn a lot of techniques, but you might end up writing some customized code of your own.
3. Advanced - (RESEARCH PURPOSE ONLY) - you could replicate these entities in Virtual environments and attach debuggers and try how these services/processes (vulnerable ones) react to different inputs (networked/locally/calls) and try writing your own exploit codes (POC/Shell etc)

For client service purposes 1 & 2 are applicable, since there would be time limits for these kinds of engagements. 3 would be for specialized usage or personal/educational/research purposes ONLY
From steps 1 & 2 you would be able to identify/verify False Positives and Positives. For identifying False Negatives some experience is required (from Step 3 kind of activities or previous experiences)

Hope this helps. Feel free to shoot out to all of us if you have some specific vulnerabilities in mind, since this group consists of some really brilliant white-hats

Best Wishes
Joshua


P.S. It's an art .. So try to be creative and artistic :)

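The triage rules Sutapa asks for, written out as a small Python helper. This is an added example and not code from either poster or from any scanner. It assumes a constructed `Response` class standing in for a captured HTTP reply and a hypothetical harmless canary string (`zq7<"'>zq7`) submitted in the parameter under test; the status-code and reflection checks sort each reply into Joshua's buckets (confirmed positive, false positive) plus an "inconclusive" bucket for the redirects, server errors and non-HTML replies that are not a plain 200 OK or 404 NOT FOUND and need a human to look further. Sample responses are constructed inline, not captured from any real system.

```python
import re
from dataclasses import dataclass, field

# Constructed canary (hypothetical): a harmless marker whose angle brackets and
# quotes reveal whether the application reflects input raw or encodes it.
CANARY_START = "zq7"
CANARY_SPECIALS = '<"\'>'
CANARY = CANARY_START + CANARY_SPECIALS + CANARY_START


@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured during manual verification."""
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive; return "" when absent.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def classify(resp):
    """Map one response to a verdict for a reflected-input (XSS-style) finding.

    Returns (verdict, reason); verdict is 'confirmed', 'false-positive' or
    'inconclusive' (the last one needs manual review, not a scanner verdict).
    """
    # Responses that are not a straight 200/404 first: they decide nothing on their own.
    if 300 <= resp.status < 400:
        return "inconclusive", f"{resp.status} redirect to {resp.header('Location')!r}: retest after following it"
    if resp.status >= 500:
        return "inconclusive", f"{resp.status} server error: the input broke the handler, review manually"
    if resp.status == 404:
        return "false-positive", "404: no handler processed the tampered parameter"

    # Locate what came back between the two canary markers.
    m = re.search(re.escape(CANARY_START) + r"(.*?)" + re.escape(CANARY_START), resp.body, re.S)
    if not m:
        return "false-positive", "canary not reflected anywhere in the response"
    reflected = m.group(1)
    ctype = resp.header("Content-Type").lower()
    if reflected == CANARY_SPECIALS:
        if ctype.startswith("text/html"):
            return "confirmed", "canary reflected byte-for-byte into an HTML response"
        return "inconclusive", f"raw reflection, but Content-Type {ctype!r} is not HTML; a browser may not render it"
    if "<" not in reflected and ">" not in reflected:
        return "false-positive", f"angle brackets encoded or stripped ({reflected!r}): output encoding is in place"
    return "inconclusive", f"canary partly altered ({reflected!r}): inspect the reflection context by hand"


def tally(responses):
    """Count verdicts across a batch of findings, the way a report summarises them."""
    counts = {"confirmed": 0, "false-positive": 0, "inconclusive": 0}
    for r in responses:
        counts[classify(r)[0]] += 1
    return counts


# Constructed sample responses (not captured from any real system).
SAMPLES = [
    Response(200, f"<p>Results for {CANARY}</p>", {"Content-Type": "text/html"}),
    Response(200, "<p>Results for zq7&lt;&quot;&#x27;&gt;zq7</p>", {"Content-Type": "text/html"}),
    Response(302, "", {"Location": "/login"}),
    Response(500, "<h1>Internal Server Error</h1>", {"Content-Type": "text/html"}),
    Response(404, "Not Found", {"Content-Type": "text/plain"}),
    Response(200, '{"q":"zq7<\\"\'>zq7"}', {"Content-Type": "application/json"}),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.status, *classify(r))
    print(tally(SAMPLES))
```

The point of the "inconclusive" bucket is that a redirect to a login page, a 500 from a handler that choked on the input, or a JSON reply that escapes the quote but keeps the brackets all look nothing like 200 OK or 404 NOT FOUND, and none of them can be closed as a false positive from the status line alone; only the HTML-encoded reflection and the plain 404 are safe to mark as false positives without a second look.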



Brought to you by http://www.webappsec.org