Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Looking for help against Chinese Hacking Team
From: ArcSighter Elite <arcsighter () gmail com>
Date: Mon, 15 Dec 2008 16:05:32 -0500

Hash: SHA1

Adriel T. Desautels wrote:
"Even stored procedures could be injected if no proper validation is
done, you know"

You can not perform SQL Injection against a web application that is
using properly designed  Parameterized Stored Procedures.  That means
that you would be using both Stored Procedures and a Parameterized
query. I don't think that I'm wrong, if I am then please prove it
because I don't know everything.

OWASP is the Open Web Application Security Project and it offers
sufficient resources to build a secure web application. If one follows
the OWASP guide and reads the OWASP material then they will be able to
build a sufficiently secure web application.  Do you disagree?

I do however agree that a Penetration Tester should not fix the
application, but the tester should be able to provide a clear and viable
method for remediation. We deliver a variety of security services to our
customers, one of those being Web Application Security Assessments. We
include viable and realistic methods for remediation in all of our
deliverables. Anyone that doesn't isn't doing their job.

On Dec 15, 2008, at 3:34 PM, ArcSighter Elite wrote:

Adriel T. Desautels wrote:
Hi there,
   The real problem here is that you don't know what you are doing
(yet). Let me pad that by saying that you're clearly not a security
expert and as such you shouldn't be expected to know how to solve this
problem.  The solution is simple though, especially if you're dealing
with SQL Injection.  Before I give you the solution for free (which is
posted all over the web) I'll ramble on a bit.

   First, when you went through your "waves" of security experts, what
was your decision criteria? I'll admit that there are not very many real
"experts" out there and that there are a lot of fraudulent ones.  A real
expert would have provided you with a solution to your problem
immediately while some of the others (on this list too) have no clue
what they are doing.  Unfortunately, most of your Certified Ethical
Hackers also don't have a clue (certifications are political and not
always a real representation of talent).

   Why am I taking the time to write this? Well honestly I am sick and
tired of the bad name that these "Fake" security experts are giving to
real experts. They offer "penetration tests" that start a $500.00, or
Web Application Security Assessments that start at $700.00 when it is
IMPOSSIBLE to do either at those prices.

   The fact of the matter is that your average and real "security
expert" will have a man hour rate of about 190-350 an hour.  The average
"good" web application penetration test will take more than 10 hours to
do. That does not include time to write reports, to do research, to
analyze unique issues,  or to do a lot of the other manually intensive
work that needs to be done to do the work properly.  Can that all be
done for $500.00? You do the math.... (the answer is no). Generally
speaking if you are asking for an application assessment you're going to
spend over $10,000.00. If you're not then you're getting ripped off.

   So anyway, the solution to your problem is as follows:

   1-) Your problem appears to be that you suffer from exploitable SQL
Injection Vulnerabilities.
   2-) Your solution is to implement Parameterized Stored Procedures in
conjunction with strong            input and data validation.

   Check out http://www.owasp.org as a reference, or you can hire my
team to do a kick-ass job and get you locked down good and tight. You
most probably have may other risks that you are unaware of that can be
dealt with by the right team.  If you have any questions I'm a big
proponent of free advice.

From: harveyfrank <joet () ticadvisors com>
Date: December 12, 2008 19:59:19 EST
To: pen-test () securityfocus com
Subject: Looking for help against Chinese Hacking Team

We've been battling the Chinese for several months now and have gone
several waves of US  security experts who have failed to stop them.
In their
defense, we are not on an unlimited budget and they've gotten us to a
where it looks as though somewhere among the site's 400 scripts is
injection vulnerability.

Automated testing by a few pen test products seems to think we're
fine. We
definitely are not.

Is it possible to hire a CEH to find the Chinese-discovered
for a few hundred dollars? (We aren't just being cheap, we've blown
our wad
on security that hasn't worked.) Would someone with intimate
knowledge of
the latest wave of Chinese attacks be required for this job?
Besides our
first rate security team that's just been beat, I've tried the $200
pen test
folks and they have all failed. Microsoft security help has also

Advice (Besides porting to Linux)? Help?
View this message in context:

Sent from the Penetration Testing mailing list archive at Nabble.com.


This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


Adriel T. Desautels
ad_lists () netragard com

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


Alluding my previous message, he isn't a security expert, and maybe I
misunderstood about he wants to know HOW they're breaking in. Maybe I
was wrong. In the meantime, I totally agree with you that
non-knowledgeable security people are making bad fame to true experts.
But think about your post. Even stored procedures could be injected if
no proper validation is done, you know. Second, owasp will give him a
framework about pen-testing web applications, although is gives some
workarounds it's not designed to be some sort of secure coding guide.
Secondly, we got something wrong here. The pen-tester shouldn't fix the
application; developers must. And of course, input validation is the
issue, behind SQL injection, BoFs, remote includes; isn't new, don't you

Adriel T. Desautels
ad_lists () netragard com

Yes, stored procedures could be injected.
Don't try to deny that, even in standard products such as Oracle or
MSSQL there has been issues around this type of injection, and they will
continue to happen; so what you can expect from a custom app? If you
have some developing experience, then you may know that most database
architectures provides you with ways to do parameterized queries (here,
I'm talking about JDBC for Java, ADO, Linq for Microsoft, and Python's
DBC, in my experience). But: they don't prevent you into CONSTRUCTING a
parameterized query FROM a non-properly validated string; I'm wrong?
You're given developing tips to some guy that is supposedly to be
performing as penetration tester, and the guy is looking for a desperate
way to stop the attacks, now think: what it will take long? set up and
IDS or fix the web-app? I'm talking about a short-term solution here,
and I think this is what he asked for. If assuming the security isn't
very high, then It will have to consider also fixing XSS issues, remote
includes, weak acls, session hijacking, the list goes on. Do you think
it will solve his problem only by reimplementing. We're talking about
months here, if you have done some developing. Even with XPers, there
will be a lot of time until they have all the issues fixed. So, standing
from the pen-tester approach, again: set up preventive measures such as
IDS if you can't afford downtime, then LET THE DEVELOPERS fix the issues
he could find and report to them.

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]