Now that we have started to sink our teeth into 2008, we can begin to act upon new goals, new ideas and new avenues for self-improvement. We look to bring a new commitment to you - our loyal clients and colleagues. We’re looking forward to a year full of security advances. A year of searching through press releases and information leaks to bring you the most interesting news and discussions from the security world.
What do we have in store with the first issue of 2008? We’ll be looking at a recent vulnerability at the Canadian Passport Agency that led to a compromise of Canadian passport application information. We’ll also be checking back in with OWASP, and they’ve had a busy year as well. Looking to keep up with the cutting edge of the security industry? We’ve provided you with a calendar of upcoming security conferences, as well as links to two new security-related tools that should be a part of any toolkit.
Through the release of Navigations I hope one message is clear: security is an ongoing battle, and we are committed to bringing you the most relevant updates to keep you ahead of the game.
To a successful year, a safer enterprise, and good reading.
Nish Bhalla
Founder, Security Compass
In the News
Case Study: Canadian Passport Agency Leak
As first reported in a Globe and Mail report [1], a parameter manipulation vulnerability was discovered in the Canadian Passport Agency's online registration website. By manipulating one of the parameters passed through the URL, a user was able to gain access to confidential data contained in passport forms of other users navigating the system.
How can this type of vulnerability happen? Most web applications pass information between the server and the client browser, either through the URL, form fields, cookies or HTTP headers. Unfortunately, developers often pass extra information in these channels to identify the current user or to carry other system state. The problem with this technique is that the end user can alter these fields before the information is sent back to the server. Any parameter passed to the client, whether visible or hidden, can easily be altered using an intercepting web proxy such as Paros [2]. If a web application assumes that the data it passes to the client will be sent back unmodified, a user can alter the expected behavior of the application simply by changing the parameter values. In the Canadian Passport Agency case, the user was able to view the passport submission forms of other users currently on the system by modifying one of the passed parameters, most likely a user ID parameter.
So what is the defense? The first, and most effective, solution is to minimize the amount of sensitive information that the application passes between server and client through the URL, form fields, cookies or HTTP headers. In the most secure design, the only piece of information used to track the current user is a session ID. Of course, session ID generation has its own security considerations, or the application may be vulnerable to other categories of attack [3]. All sensitive client data is then stored on the server side and only reached through the session ID. If storing data in the session is not an option for an application, then care must be taken to verify that any information passed through the URL, form fields, cookies or HTTP headers is validated upon submission to the server and properly linked to the current user.
For more information on mitigation techniques for parameter manipulation attacks, the OWASP Guide to Building Secure Applications [4] has a section dedicated to parameter manipulation.
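The following is an added illustration of the two designs described above, not code from the original newsletter or from the Passport Agency's system. It models a minimal web application in plain Python: the vulnerable handler trusts an `id` query parameter to pick the form to display, the hardened handler derives the applicant entirely from a server-side session, and a third handler shows the validation step for the case where a record id must still travel in the URL. The application records, session store and applicant names are constructed sample data; the session IDs are generated with the standard `secrets` module.

```python
import secrets

# Constructed sample data: passport applications keyed by a record id, each
# tagged with the applicant who owns it (hypothetical names and ids).
APPLICATIONS = {
    "A-1001": {"owner": "alice", "form": "Alice's passport application"},
    "A-1002": {"owner": "bob", "form": "Bob's passport application"},
}

# Server-side session store: session id -> authenticated applicant.
# Nothing in here is ever sent to the client except the opaque session id.
SESSIONS = {}


def login(applicant):
    """Issue an unguessable session id (256 bits from the OS CSPRNG) and bind it
    to the applicant on the server. Predictable ids would reopen the door to
    session hijacking, which is why a CSPRNG is used rather than a counter."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = applicant
    return sid


def view_form_vulnerable(params):
    """Parameter-manipulation pattern from the case study: the record to show is
    chosen purely from the client-controlled 'id' query parameter, so anyone
    who edits the URL reads another applicant's form."""
    record = APPLICATIONS.get(params.get("id", ""))
    if record is None:
        raise KeyError("no such application")
    return record["form"]


def view_forms_hardened(cookies):
    """Preferred design: the only client-supplied value is the session id. The
    applicant comes from the server-side session and the forms returned are
    exactly the ones that applicant owns; there is no parameter to tamper with."""
    applicant = SESSIONS.get(cookies.get("session", ""))
    if applicant is None:
        raise PermissionError("not authenticated")
    return [r["form"] for r in APPLICATIONS.values() if r["owner"] == applicant]


def view_form_with_param(cookies, params):
    """Fallback when a record id must be passed in the URL (for example an
    applicant with several forms): validate the requested record against the
    session's owner before returning anything. Unknown ids and ids belonging
    to someone else are rejected with the same error so the response does not
    reveal which record ids exist."""
    applicant = SESSIONS.get(cookies.get("session", ""))
    if applicant is None:
        raise PermissionError("not authenticated")
    record = APPLICATIONS.get(params.get("id", ""))
    if record is None or record["owner"] != applicant:
        raise PermissionError("record does not belong to current user")
    return record["form"]


def demo():
    """Walk through the attack against each handler as Alice, who tampers with
    the id to request Bob's record. Returns (leaked, hardened_blocked, validated_blocked)."""
    sid = login("alice")
    leaked = view_form_vulnerable({"id": "A-1002"})  # Bob's form, no session needed
    hardened = view_forms_hardened({"session": sid})  # only Alice's own forms
    try:
        view_form_with_param({"session": sid}, {"id": "A-1002"})
        validated_blocked = False
    except PermissionError:
        validated_blocked = True
    return leaked, hardened, validated_blocked


if __name__ == "__main__":
    print(demo())
```

The important difference between the last two handlers is where the identity comes from: in both, the applicant is taken from the server-side session, and the URL parameter at most selects among records that applicant already owns. Forgetting the ownership check in `view_form_with_param` would reduce it to the vulnerable version even though a session is present.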
References
- http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/home
- http://www.parosproxy.org/index.shtml
- https://www.owasp.org/index.php/Session_hijacking_attack
- http://www.owasp.org/index.php/OWASP_Guide_Project
Case Study: Harry Potter Security
Despite the reported $20M spent on security to protect the confidentiality of the story prior to its release, digital photographs of the book appeared all over the internet five days before the scheduled debut. In the full article, we extract lessons learned that can be applied to any security strategy.
For the Mind
2007 Security Conferences
Awareness is the first step towards protecting your web applications. The following is a calendar of the top security conferences and training events around the globe:
| Date | Event | Location |
|---|---|---|
| Feb 27-29 | IT Underground | Prague, Czech Republic |
| Feb 28-29 | OWASP Asia Pacific & Australia | Queensland, Australia |
| Feb | Security Opus | San Francisco, CA |
| Mar 10-12 | InfoSec World | Orlando, FL |
| Mar 25-26 | Secure Development World | Alexandria, VA |
| Mar 26-28 | CanSecWest | Vancouver, BC |
| Mar 27-28 | BlackHat Europe | Amsterdam, Netherlands |
From the OWASP
OWASP Code Review Project Completed
The project's overall goal is to act as a reference document for performing code review. It provides examples in the most common web application development languages (Java and C# .NET).
The code review guide has been completed and is available at http://www.lulu.com/content/1415989.
OWASP Web Services Security Project Needs Your Help
The OWASP Web Services Security Project is aimed at centralizing existing web services and SOA security-related resources. The project will mainly serve as a launchpad with updates and references to numerous OWASP pages and external resources on WS security tools, XML security, secure SOA architecture and design, and much more.
The project needs your help. For project details and ways in which you can contribute, please visit: http://www.owasp.org/index.php/Category:OWASP_Web_Services_Security_Project.
OWASP Testing Guide
The OWASP Testing Guide aims to create a best-practices framework for penetration testing that users of the guide can implement in their own organizations. Along with the framework, a low-level penetration testing guide is provided that describes how to find specific categories of security vulnerability.
For more information, or to help with the next version of the guide, please visit: http://www.owasp.org/index.php/OWASP_Testing_Project.
On the Edge
Exploit-Me - Vulnerability detection from within Firefox
The Exploit-Me tools are a set of Firefox plugins for testing web applications for common security vulnerabilities. The first release includes XSS-Me, which tests for reflected Cross-Site Scripting vulnerabilities, and SQL Inject-Me, which tests for SQL Injection vulnerabilities. By building the tools directly into Firefox, Exploit-Me makes it easier for developers and QA personnel to test for vulnerabilities during the development cycle.
For more information, please visit http://securitycompass.com/exploitme.shtml.
Jasypt - Encryption made easy
Jasypt, or Java Simplified Encryption, is a Java library that allows developers to add basic encryption capabilities to their projects with minimum effort and without needing deep knowledge of how cryptography works. Transparent integration with Hibernate, Spring and Acegi makes this library an integral part of any developer's toolkit.
For more information, please visit www.jasypt.org.
BeEF - The Browser Exploitation Framework
BeEF, or the Browser Exploitation Framework, is a tool to demonstrate, in real-time, the impact of Cross-Site Scripting (XSS) and browser vulnerabilities.
For more information, please visit http://bindshell.net/tools/beef.