Monday, September 24, 2007

Oracle Default Passwords

Hi,

Beware of database Default Accounts before you ship your database to production.
I saw this screen while installing Oracle. I think this kind of screen should be shown in all database tools and also there should be a warning mentioning the harm of keeping the default accounts ON in the database.

For now, enjoy this screen... :)


Thursday, September 20, 2007

Introducing - TechTrails

Dear Software Professional ,

So the rupee’s rising. Now why’s that causing sleepless nights for some software exporters? And hey, what’s the net impact on you? . Does this rise of the rupee present a great opportunity that could have far-reaching positive consequences ? What is the future of Indian IT industry ? What will happen when other low cost destinations for outsourcing catch up with India ? Will India sustain it’s cost advantage ? These are questions that impact your career and you need an answer on how and what you need to do to get ready for the next wave of Indian IT .


www.techtrails.com
has the answers for you .


This is the only web portal of it’s kind that will help you as a IT professional or a student planning a career in IT to get ready for the future . Thought leadership articles , interviews with industry leaders , tips and tricks , white papers www.techtrails.com has it all . Besides you would get invited to free seminars and panel discussions on topics that would impact you .

Over time the www.techtrails.com would be a place for 3rd wave Indian IT professionals to hang out , exchange information , share links to their blogs , upload content that would be of benefit to all who are a part of this community .


Registration to www.techtrails.com is Free ! Rush and register yourself to www.techtrails.com Now !

Monday, September 10, 2007

App Security Testing Cheat Sheet

Hi,

I thought to prepare a brief cheat sheet for Application Security Testing.

Please have a look and drop in your views. In case you wish to use it for your testing, please drop me a mail at dharmeshmm at gmail dot com to notify me about it.

Authentication Checks

1. Login and Change Password pages on SSL?
2. All sensitive pages (accepting SSN, Credit Card) over SSL?
3. Strong Password Policy? (Joe Accounts/Blank Passwords/Max Password Age/Min Password Age, etc)
4. Is Forgot Password page secure?
5. Password Change forced on 1st login?
6. Re-authenticate before moving to sensitive pages (Edit Account Info?)
7. Prompts old password before changing password?
8. Has "Remember Me" feature? If so, how's password stored?
9. Warns before allowing "Remember Me"?
10. Has CAPTCHA to prevent password guessing?
11. Does show error msgs like "Invalid User/Invalid Password"?
12. Can auth. be by-passed for priviledged URL's?
13. Is AutoComplete set to OFF?
14. Is password re-submitted on 'Back/Refresh' of browser?
15. SQL Injection in login?

Session Management

1. Is session id random enough?
2. Session Timeout present?
3. Stored in what form? (persistent cookie/in-memory cookie)?
4. Session Id expires on request tampering?
5. Sensitive data in cookie?
6. Can you see X user's data with Y's session id?
7. Session expires at server-side on logout?
8. Can logged out user's session be re-used?
9. Is new session id generated on login?
10. Is cookie over-written on logout?

SQL Injection Checks

1. SQL Injection : '
2. SQL Injection : ' OR 1=1 --
3. SQL Injection : '; waitfor delay'00:00:05'--

XSS Checks

1. XSS Javascript
2. XSS Encoded
3. XSS Cookie
4. Is CSRF possible?

Input Validation Checks

1. Use proxy to by-pass client side validation?
2. Generate errors for information disclosure?
3. Web Page source reveals sensitive application information
4. HTTP Headers manipulation
5. Viewstate manipulation
6. GET and POST parameter manipulation

Secure Storage Checks

1. Are passwords stored in clear text?
2. Is sensitive information like Credit Card encrypted?
3. What encryption algo used? Standard or Proprietary?
4. Is connection string in clear text?
5. Any passwords hard-coded in application?

Browser Checks
1. Check browser history? Are sensitive pages cached?
2. Is data cached by search engines or desktop search engine?
3. Any hard-coded secrets in javascripts?
4. Web Page code reveals sensitive comments?

File Checks

1. Is file upload /download allowed?
2. Can files be downloaded directly from URL?
3. Can malicious files be uploaded?


Environment Checks

1. Are default apps installed?
2. Are default accounts enabled? Do they have strong passwords?
3. Is firewall deployed?
4. Is code obfuscated?
5. Can detect server details using banner grabbing?
6. Are forms bot resistant?

In case you have your views, please feel free to write here or mail me at dharmeshmm at gmail dot com

Cheers,
Dharmesh.


Get into pay sites for free as a Googlebot

Ever wondered why Google returned search results that lead to sites that require a registration? How did Google index the site without a registration? Many sites want their site indexed in Google to receive more hits, so they allow Googlebots in. Because of this reason we can take advantage of this. All we have to do is disguise ourself as a Googlebot and many sites will let us in without registration.

To do this we have to change the User Agent. The user agent defines the browser and what version you are using. For example if you go to this site it will tell you what browser you are using, and it finds this info out by the user agent.

Changing the user agent is easy, to do this in Opera you have to uses these settings:

User Agent: Googlebot/2.1 Compatible: http://www.googlebot.com/bot.html

Firefox users can use this extension and import this file (right click and save) that has a huge list of user agent settings including Googlebot/2.1 and many other spiders/bots.

Internet Explorer users you will need to change the registry entries, to do this open notepad and copy this into it:

Windows Registry Editor Version 5.00 [HKEYLOCALMACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings5.0User Agent] @="Googlebot/2.1" "Compatible"="+http://www.googlebot.com/bot.html"

Then save it as ua.reg and double click on it.

To revert the changes back, you will need to do the same but this time copy this in:

Windows Registry Editor Version 5.00 [HKEYLOCALMACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings5.0User Agent] @="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Save as oua.reg and double click.

To see if it has worked go here and your browser should now be Googlebot v2.1

Enjoy!