Archive

Archive for the ‘Testing’ Category

OWASP Testing Guide V3 Chinese Version

by log0 on January 27th, 2010

The OWASP Testing Guide V3 Chinese Version is finally published! You can download it from the OWASP China-Mainland chapter page. If you are interested in web application security, I highly encourage you to check it out; there is plenty to learn.

OWASP China Research Group

To better facilitate OWASP activities in China with consistent and perpetual continuity, OWASP China has formed regional groups mainly tasked with supporting regional sharing and discussion. We welcome you to recommend an individual to take the lead. The OWASP China Research Group currently aims to build upon and go deeper into the foundation laid out by the OWASP Foundation, plus translation of OWASP resources, etc. There will be activities such as training in different regions. OWASP China QQ Discussion Group: 78238096

(My translation above)

I hope to improve China’s internet security. I succeeded Frank and Rip on the last iteration of this project, which is why my December has been busy all along and took much of my time.

Thanks a lot to the people below, and especially the many Microsoft people who worked so hard, even during Christmas, to produce this testing guide. Sorted by last name (Mandarin):

  • Aaron (DBAPPSECURITY)
  • Joanne Cheng (Microsoft)
  • Frank Fan (DBAPPSECURITY)
  • Karin He (Microsoft)
  • Adams Li (Microsoft)
  • RIP (OWASP China Chair)
  • Will Shen (Microsoft)
  • Chao Wang (Microsoft)
  • Wei Wei (Microsoft)
  • Pak Ming Cheung (Microsoft)
  • Eric Chio (Microsoft)

Hope that readers of the guide will benefit much from it!

China, Testing

Detecting VirtualBox

by log0 on October 21st, 2009

Earlier I wrote a brief article on the theory of VM detection, “Concept of Virtual Machines and Honeypots Detection Techniques“. This time we will talk about technical details. As I use VirtualBox myself, here is one of the ways you can detect VirtualBox:

Under the registry key:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System

SystemBiosVersion = VBOX   - 1

VideoBiosVersion (REG_MULTI_SZ) =
Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS
Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS
Sun xVM VirtualBox Version 2.1.4_OSE
Sun xVM VirtualBox Version 2.1.4_OSE
VirtualBox Version 2.1.4_OSE VBE Display Adapter
VirtualBox Version 2.1.4_OSE VBE Display Adapter

(Windows fills SystemBiosVersion from the system BIOS ROM strings and VideoBiosVersion from the video BIOS ROM, so the “VBOX” marker lands in the former and the “VirtualBox … VBE Display Adapter” strings in the latter.)

The above information indicates the presence of VirtualBox, and there are even more giveaways!

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier = VBOX HARDDISK

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier = VBOX CD-ROM

There are also hints in Device Manager, and they can easily be queried programmatically:

DVD/CDROM : VBOX CD-ROM
Harddisk : VBOX HARDDISK
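The checks above, turned into a small probe as an added example (this is not code from the original post). The matching logic takes two accessor callbacks so it can be exercised offline against a constructed snapshot of the values quoted above; on a Windows guest the winreg-backed accessors read the live registry. The marker substrings (VBOX, VIRTUALBOX, VBOX__) and the constructed sample values are assumptions of the example.

```python
import sys

# Registry locations named in the post. The marker is the substring that
# identifies VirtualBox in each value; the sample strings further down are
# what the post reports from a 2.1.4_OSE guest.
VALUE_PROBES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "VBOX"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "VIRTUALBOX"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "VBOX HARDDISK"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "VBOX CD-ROM"),
]
# ACPI tables show up as subkeys named after the table's OEM ID; VirtualBox uses VBOX__
SUBKEY_PROBES = [
    (r"HARDWARE\ACPI\DSDT", "VBOX__"),
    (r"HARDWARE\ACPI\FADT", "VBOX__"),
]


def _as_strings(value):
    """REG_MULTI_SZ comes back as a list, REG_SZ as a str, a missing value as None."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def find_vbox_artifacts(read_value, list_subkeys):
    """Return the matching registry artefacts, given two accessor callbacks.

    read_value(path, name) -> value or None; list_subkeys(path) -> list of names.
    Matching is case-insensitive so "VBox" and "VBOX" variants both count.
    """
    hits = []
    for path, name, marker in VALUE_PROBES:
        for s in _as_strings(read_value(path, name)):
            if marker.lower() in s.lower():
                hits.append(f"{path}\\{name} = {s}")
                break
    for path, marker in SUBKEY_PROBES:
        if any(sub.upper() == marker for sub in list_subkeys(path)):
            hits.append(f"{path}\\{marker}")
    return hits


def winreg_read_value(path, name):
    """Live accessor for a Windows guest; returns None if the key or value is absent."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def winreg_list_subkeys(path):
    """Live accessor: enumerate subkey names until EnumKey raises (end of list)."""
    import winreg
    names = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            index = 0
            while True:
                names.append(winreg.EnumKey(key, index))
                index += 1
    except OSError:
        pass          # end of enumeration, or the key does not exist -> []
    return names


# Constructed snapshot reproducing the values quoted in the post (assumption:
# not a real registry export), so the matcher runs on a non-Windows host too.
SAMPLE_VALUES = {
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["VBOX   - 1"],
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): [
        "Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS",
        "VirtualBox Version 2.1.4_OSE VBE Display Adapter",
    ],
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier"): "VBOX HARDDISK",
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier"): "VBOX CD-ROM",
}
SAMPLE_SUBKEYS = {
    r"HARDWARE\ACPI\DSDT": ["VBOX__"],
    r"HARDWARE\ACPI\FADT": ["VBOX__"],
}


def sample_hits():
    """Run the matcher over the constructed snapshot."""
    return find_vbox_artifacts(lambda p, n: SAMPLE_VALUES.get((p, n)),
                               lambda p: SAMPLE_SUBKEYS.get(p, []))


if __name__ == "__main__":
    if sys.platform == "win32":
        found = find_vbox_artifacts(winreg_read_value, winreg_list_subkeys)
    else:
        found = sample_hits()
    print("VirtualBox artefacts:" if found else "no VirtualBox artefacts")
    for hit in found:
        print("  " + hit)
```

Treat a hit as a signal, not proof: these strings come from the guest BIOS and virtual devices, and a VM that has been tuned to look like bare metal can present different values, which is why several independent checks (registry, ACPI, device names) are combined and why the paper below goes into timing and instruction-based checks as well.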

That’s just one approach. I strongly suggest reading Peter Ferrie’s paper.

I have found some resources for those interested: the Virtual Machine Threats paper and slides by Peter Ferrie (a Microsoftie now), Marshall Fryman’s blog entries here and here, and a CodeProject demonstration. I hope you will find them useful.

===

A brief update. I haven’t been active for these 2 months. Since September I have been involved in some personal matters that took my time, and in October I started a new job (I was a developer for server antivirus software for Microsoft Office SharePoint Server). Well, it isn’t about anti-crime but the topic of cloud security.

Cloud security! Who hasn’t heard of it?

My new job is to work on cloud computing on Windows Azure. Unfortunately I cannot reveal more. But don’t worry, I’m very serious about my anti-cybercrime endeavours. =)

http://onhacks.org/lang/en/2009/08/21/concept-of-virtual-machines-and-honeypots-detection-techniques

Testing

Large PCAP Datasets

by log0 on August 27th, 2009

Large, real PCAP datasets. Food!

MU Dynamics released some PCAPs obtained from the Shmoo Group, 15.0 GB and 26.3 million packets in total, with indexing. According to the Shmoo Group, “This archive contains data logged during the Capture the Flag Contest at DefCon. The Shmoo Group is publishing this data to promote the creation of more secure software and to offer data for research purposes.” For research purposes, here comes the brainstorming game. Go grab it if you need it.

In case you don’t know, the Shmoo Group’s ShmooCon has some really high quality presentations, with the best people from the security field presenting each year. You should take a good look there to learn.

http://www.pcapr.net/forensics

Testing

Automated Script for VirusTotal

by log0 on August 9th, 2009

Here is a script that uses ClamAV to scan (optional, on Linux), a Gmail account to send the samples, and parses the results from VirusTotal. This should handle most of the manual steps; I hope it saves some time. Feel free to modify it, and best if you can share the improvements. It should also work on Windows.

Malware, Testing

Gmail Antivirus Engine is ClamAV

by log0 on July 30th, 2009

I know that Gmail Antivirus is powered by Sophos, as some people tested in 2005.

It’s 2009 now. When I was writing “Who is Hacking Me? ~’Who Will Care’ is Wrong~“, I used a local ClamAV to check how many of the samples ClamAV can detect, then sent the 53 binaries through Gmail to VirusTotal. If Gmail is powered by Sophos, malware that passes through Gmail undetected should also go undetected by Sophos at VirusTotal.

I sent all the 53 binaries to Gmail, and scanned the binaries locally with ClamAV.

                ClamAV @ Localhost    Unknown Scanner @ Gmail
Detected        41                    41
Undetected      12                    12

Then, I sent these 12 undetected binaries to VirusTotal.

                ClamAV @ VirusTotal   Sophos @ VirusTotal
Detected        0                     10
Undetected      12                    2

All 12 were undetected by ClamAV, but Sophos detected 10 of them! It looks to me as if Gmail has switched AV vendor from Sophos to ClamAV!
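The two mechanical parts of this experiment (and of the ClamAV step in the VirusTotal script from the previous post) as an added example, not the post’s own script: parse clamscan output into detected and undetected sets, then score how closely an unknown scanner’s verdicts (here, whether Gmail let a file through) agree with each named engine’s verdicts on the same files. The clamscan lines and the per-engine verdict table are constructed for illustration and are not the post’s results.

```python
import re

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK",
# followed by a summary block that this pattern deliberately does not match.
CLAMSCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def parse_clamscan(output):
    """Return (detected, undetected): path -> signature, and path -> None."""
    detected, undetected = {}, {}
    for line in output.splitlines():
        m = CLAMSCAN_LINE.match(line.strip())
        if not m:
            continue                      # summary lines, warnings, blanks
        if m.group("sig"):
            detected[m.group("path")] = m.group("sig")
        else:
            undetected[m.group("path")] = None
    return detected, undetected


def agreement(reference, engine):
    """Fraction of shared files on which `engine` gives the same verdict as `reference`."""
    common = reference.keys() & engine.keys()
    if not common:
        return 0.0
    same = sum(1 for f in common if reference[f] == engine[f])
    return same / len(common)


def rank_engines(reference, engines):
    """Engines sorted by agreement with the reference scanner, best first."""
    return sorted(((name, agreement(reference, verdicts)) for name, verdicts in engines.items()),
                  key=lambda kv: kv[1], reverse=True)


# Constructed clamscan output (assumption: not a real scan)
SAMPLE_CLAMSCAN = """\
/samples/s01.exe: Trojan.Agent-12345 FOUND
/samples/s02.exe: OK
/samples/s03.exe: Worm.Mydoom-5 FOUND
/samples/s04.exe: OK
/samples/s05.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 600000
Scanned files: 5
Infected files: 2
"""

# Constructed verdicts on the files ClamAV missed; True = detected/bounced.
# GMAIL is what the unknown scanner did; ENGINES are the VirusTotal columns.
GMAIL = {"/samples/s02.exe": False, "/samples/s04.exe": False, "/samples/s05.exe": False}
ENGINES = {
    "ClamAV": {"/samples/s02.exe": False, "/samples/s04.exe": False, "/samples/s05.exe": False},
    "Sophos": {"/samples/s02.exe": True, "/samples/s04.exe": True, "/samples/s05.exe": False},
}


def run_sample():
    """Parse the constructed scan and rank the engines against Gmail's verdicts."""
    detected, undetected = parse_clamscan(SAMPLE_CLAMSCAN)
    return detected, undetected, rank_engines(GMAIL, ENGINES)


if __name__ == "__main__":
    det, undet, ranking = run_sample()
    print(f"ClamAV detected {len(det)}, missed {len(undet)}")
    for name, score in ranking:
        print(f"{name:8s} agrees with Gmail on {score:.0%} of the missed files")
```

The agreement score only says which engine the unknown scanner behaves like on this sample set; with a handful of files it is suggestive rather than conclusive, and engine signature databases at VirusTotal can lag or lead the copy a mail provider runs.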

Malware, Testing

How to examine a bad word filter?

by .hac on May 31st, 2009

Testing something is always good practice before learning how to hack it; the methodologies we use in testing are sometimes applicable to hacking. So I am planning to write some entries related to testing in the coming few months, to see if we can discover a systematic way to hack. Here is the first challenge; it is very simple.

Problem
Network managers always want to, or are forced to, control the information flowing around a network. Most of the time, filtering is a good way to do this. Within this broad category, block lists are the usual way to prevent information from coming into or going out of the network.

Scenarios
Flora doesn’t want her daughter to wallow in Japanese pop stars. Flora knows that her daughter often navigates to sites whose domain names end in ‘.jp’, so she is looking for a tool that can control which websites their PC can reach.

The IT administrator of PC Middle School discovered that their mail system has started receiving porn advertisements, and that students are trying to share these links through the mail system. They plan to install a filter that blocks all such mail.

Justin loves blogging so much that he writes weekly. He loves to collect and read feedback from his audience. However, he hates spammers pasting unrelated advertisements on his posts, and wants to figure out a way to stop them from appearing to other readers.

Solution
The trivial filtering solution for these people is bad word filtering. The basic idea is the same as a general block list: users specify the tokens to look for when deciding whether to block a message. There are at least two different definitions of when a bad word has been found. Given an input message M,

  1. Split the message M into a sequence of words Ws; a bad word bW is found in the message only if Ws contains bW as a whole word.
  2. Take the message M as a character stream; a bad word bW is found when some run of consecutive characters equals bW.

Both definitions have their own advantages and disadvantages, but we will leave that discussion for later, since the current topic is how to test the filter. Let’s say we pick the first definition for our filter; then what should we test? (Take some time to think about scenarios before continuing.)

Functional Test
Based on the input of this filter (the message M), we can design a few functional test cases. Basic scenarios are:

  • empty message [Expected: Accept];
  • only one word, either good or bad [Expected: good - Accept, bad - Reject];
  • two words (good and bad) with different delimiters [Expected: depends on how the feature defines delimiters];
  • a list of words containing 0, 1, 2 or all bad words [Expected: 0 - Accept; 1, 2, all - Reject];
  • a bad word embedded in a longer word (e.g. assume evil is a bad word and the message contains residentevil.com) [Expected: by design, this message will be accepted]

Besides these functional test cases, we should have a lengthy message to check the boundary cases of the feature. Assume the longest message we accept is N characters; we need messages of length N, N+1 and N+2. On the other hand, globalization and localization testing may be required, depending on who your target users are.
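Both filter definitions implemented side by side, with the functional cases above expressed as data so the same table can be run against either definition. This is an added example, not the post’s code; the bad word list (evil, bad), the delimiter set, the limit N = 20 and the sample messages are assumptions of the example.

```python
import re


class MessageTooLong(ValueError):
    """Raised instead of a verdict when the message exceeds the limit N."""


class BadWordFilter:
    # Definition 1 ("token") splits on delimiters and compares whole words;
    # definition 2 ("stream") looks for the bad word anywhere in the raw text.
    DELIMITERS = re.compile(r"[\s,.;:!?]+")   # assumption: what counts as a delimiter

    def __init__(self, bad_words, mode="token", max_len=140):
        if mode not in ("token", "stream"):
            raise ValueError(f"unknown mode {mode!r}")
        self.bad_words = {w.lower() for w in bad_words}
        self.mode = mode
        self.max_len = max_len

    def check(self, message):
        """Return "accept" or "reject"; raise MessageTooLong beyond max_len."""
        if len(message) > self.max_len:
            raise MessageTooLong(len(message))
        text = message.lower()
        if self.mode == "token":
            words = [w for w in self.DELIMITERS.split(text) if w]
            hit = any(w in self.bad_words for w in words)
        else:
            hit = any(bw in text for bw in self.bad_words)
        return "reject" if hit else "accept"


N = 20   # assumed maximum message length for the boundary cases

# (name, message, expected verdict under definition 1), mirroring the post's list
CASES = [
    ("empty",              "",                  "accept"),
    ("one good word",      "hello",             "accept"),
    ("one bad word",       "evil",              "reject"),
    ("good,bad comma",     "hello,evil",        "reject"),
    ("good bad space",     "hello evil",        "reject"),
    ("many words, 0 bad",  "a b c d",           "accept"),
    ("many words, 1 bad",  "a evil c d",        "reject"),
    ("many words, 2 bad",  "evil b bad d",      "reject"),
    ("all bad",            "evil bad",          "reject"),
    ("embedded bad word",  "residentevil.com",  "accept"),
    ("length N",           "a" * N,             "accept"),
]


def run_cases(flt, cases=CASES):
    """Return {case name: (expected, actual)} for the functional cases."""
    return {name: (expected, flt.check(msg)) for name, msg, expected in cases}


def failures(results):
    """Names of the cases whose actual verdict differs from the expected one."""
    return [name for name, (expected, actual) in results.items() if expected != actual]


def length_boundary(flt):
    """N must be accepted; N+1 and N+2 must raise the documented exception."""
    out = {}
    for n in (N, N + 1, N + 2):
        try:
            out[n] = flt.check("a" * n)
        except MessageTooLong:
            out[n] = "exception"
    return out


if __name__ == "__main__":
    token = BadWordFilter(["evil", "bad"], mode="token", max_len=N)
    stream = BadWordFilter(["evil", "bad"], mode="stream", max_len=N)
    print("definition 1 failures:", failures(run_cases(token)))
    print("definition 2 failures:", failures(run_cases(stream)))
    print("boundary:", length_boundary(token))
```

Running the same table against definition 2 makes the design trade-off visible: the embedded-word case flips from accept to reject, which is exactly the false positive the whole-word definition was chosen to avoid, and the delimiter cases show where an attacker would probe first (a bad word broken up by a character that is not in the delimiter set passes both definitions).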

Security Concern
Then we would ask: is there another way to bypass the filter (e.g. a message using a different encoding)? Is code injection or script injection possible? Who can use the feature? Where is the bad word list stored? Who has rights to modify the list? These are the security concerns when testing the feature. Drawing a data flow diagram always helps to identify what kind of security issues we may have. However, this post focuses only on functional testing of a feature. Maybe next time we can discuss how to design security test cases for a feature.

Conclusion
We have only discussed some elementary skills for designing the test plan of a feature. You can consider what kinds of input the feature can take, both valid and invalid. Output is another way to discover new scenarios; output is anything the feature shows. Since we assumed that this filter only says accept or reject for a message and throws some exceptions (e.g. input size exceeded), the test cases we found here are almost entirely driven by the input. Now you are able to test your program more systematically!

Have a good weekend!

Practice (Just for fun)
Should you want some practice, we can discuss how to test an IP block list filter. Here is a simple definition:

INPUT: Only IPv4 addresses are allowed, one at a time.
IMPLEMENTATION: The IP block list is stored as a text file in the same folder as the filter; the user must edit the text file directly to add, remove or edit an address in the block list. The filter performs a binary search to see whether the input address is on the list. If it is, it announces Reject; otherwise it outputs Accept.
OUTPUT: Accept / Reject the address
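An implementation of that definition together with the cases a tester would run against it, as an added example rather than anything from the post. The file format (one address per line, ‘#’ comments), the strict octet parser and the decision to sort the list numerically before the binary search are assumptions of the example; the sample file is constructed.

```python
from bisect import bisect_left


def parse_ipv4(text):
    """Strict parser: exactly four decimal octets 0-255, no leading zeros, one address."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {text!r}")
    octets = []
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            raise ValueError(f"bad octet {p!r} in {text!r}")
        octets.append(int(p))
    return tuple(octets)


def load_block_list(lines):
    """Parse, de-duplicate and sort numerically: a binary search is only correct on sorted input,
    and the user-edited file gives no such guarantee (note "10.0.0.10" < "10.0.0.9" as strings)."""
    entries = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if line:
            entries.add(parse_ipv4(line))
    return sorted(entries)


def is_listed(block_list, addr):
    """Binary search over the sorted tuple list."""
    i = bisect_left(block_list, addr)
    return i < len(block_list) and block_list[i] == addr


def filter_address(block_list, text):
    """The filter's only outputs: "accept" / "reject"; invalid input raises ValueError."""
    return "reject" if is_listed(block_list, parse_ipv4(text)) else "accept"


# Constructed block list file (assumption): out of order, with a comment and a duplicate
SAMPLE_FILE = """\
# blocked hosts
192.168.1.50
10.0.0.10
10.0.0.9
10.0.0.10   # duplicate entry
"""

LISTED_OR_NOT = ["10.0.0.9", "10.0.0.10", "10.0.0.11", "192.168.1.50", "8.8.8.8"]
INVALID = ["", "256.1.1.1", "10.0.0", "10.0.0.1.2", "01.2.3.4", "::1", "10.0.0.9\n10.0.0.10"]


def run_cases():
    """Valid inputs get a verdict; invalid ones (including two addresses at once) are rejected as input."""
    bl = load_block_list(SAMPLE_FILE.splitlines())
    results = {}
    for text in LISTED_OR_NOT:
        results[text] = filter_address(bl, text)
    for bad in INVALID:
        try:
            filter_address(bl, bad)
            results[bad] = "accepted?!"          # would be a bug: invalid input reached the lookup
        except ValueError:
            results[bad] = "invalid"
    return results


if __name__ == "__main__":
    for text, verdict in run_cases().items():
        print(f"{text!r:28} -> {verdict}")
```

The interesting test cases are the ones the definition invites: an unsorted file (the binary search silently misses entries unless the loader sorts), two addresses on one line (the “one at a time” rule), and malformed octets. On the security side, the list lives in the filter’s own folder and is edited by hand, so the permissions on that file are part of the feature under test.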

Email, Testing