Wednesday, July 09, 2008

Google's Ratproxy Web Security Auditing Tool

Security UPDATE
A Penton Media Property
July 9, 2008




IN FOCUS

--Google's Ratproxy Web Security Auditing Tool
by Mark Joseph Edwards, News Editor
Last week I wrote about three tools you can use to help find security
problems in your Web sites. Those tools include Microsoft's UrlScan
(which has been available for quite some time), as well as two relatively
new tools: the Microsoft Source Code Analyzer for SQL Injection tool
and HP's Scrawlr. If you missed that article, you can read it on our Web
site at the URL below:

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069675-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069676-0-0-0-1-2-207)

Shortly after Microsoft and HP announced their new tool offerings,
Google coincidentally also announced a new security tool called
Ratproxy. According to Google, the tool is "a semi-automated, largely
passive web application security audit tool." The company added that the
tool is "meant to complement active crawlers and manual proxies more
commonly used for this task, and is optimized specifically for an
accurate and sensitive detection, and automatic annotation, of potential
problems and security-relevant design patterns based on the observation
of existing, user-initiated traffic in complex web 2.0 environments."

Ratproxy is a Web proxy server that you run your Web browser traffic
through. The tool inspects Web traffic, gathers information, and logs
its findings. Ratproxy can also test for various detrimental conditions,
as well as replay GET and POST requests (with or without altered request
parameters)--all of which can lead to the discovery of potential
security problems of varying levels of risk. Ratproxy isn't an automated
scanner that you point at the top-level URL of a domain and set loose
crawling a site. It's a manually operated tool that requires you to
interact with a site as a regular user would. Although that approach is
time consuming and could become tedious, it is in fact more of a
real-world approach that gives you a bit more control over what sort of
activity takes place during a scan.

The tool creates a variety of tracking information, including logging
Web session headers, complete content traces, etc. After you're done
interacting with a site through Ratproxy, you can generate a report in
HTML format. While reviewing the report, you can use functionality built
into the report to take further action, as I'll explain in a moment.

Google made Ratproxy available for free to anyone who wants a
copy--complete with source code. The code is written in C, but the
download package does not come with a pre-compiled executable, which
means that you have to compile it yourself. Fortunately that's pretty
easy to do if you've got a Linux system available with a GNU C Compiler
(GCC) environment installed. Just unpack the source code into a
directory, navigate to that directory, and issue the "make" command at
the command prompt. After the code compiles, you'll find an executable
called "ratproxy" in the directory where you unpacked the code. You'll
also find a script, ratproxy-report.sh, that can be used to generate an
HTML-based report from the Ratproxy log after scanning a site.

I took the tool for a test drive and found that it's pretty easy to use.
You can start the tool in passive mode or in two active testing modes.
In passive mode the tool will log various trace information, but it
doesn't do any active "disruptive" testing, meaning that it won't try to
alter content and replay it back to the site being tested. If you start
the proxy with the -X switch it'll perform various tests for cross-site
scripting and cross-site request forgery. When you use the -C switch the
proxy will automatically replay Web requests using modified parameters
where appropriate. And, you can use both switches at the same time.
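The build, run and report cycle described above, as an added shell wrapper that is not part of the article or of the Ratproxy package. The -X and -C switches are the ones the article names; the -w (log file), -v (trace directory), -p (listen port) and -d (domain under test) switches are assumed from the usage line in Ratproxy's README, as is running ratproxy-report.sh on the log file with the HTML written to standard output.

```shell
#!/bin/bash
# Added wrapper (not from Ratproxy) for the build, run, report cycle.
# -X and -C come from the article; -w (log file), -v (trace directory),
# -p (listen port) and -d (domain under test) are assumed from the README.
set -euo pipefail

build_ratproxy() {
    # The package ships source only: run make once in the unpacked directory.
    [ -x ./ratproxy ] || make
}

# Compose the argument list for one audit mode:
#   passive  log and trace only, no disruptive tests
#   xss      add -X  (active XSS / CSRF probes)
#   replay   add -C  (automatic replay with modified parameters)
#   both     add -X and -C
ratproxy_args() {
    local mode="$1" log="$2" trace="$3" port="$4" domain="$5"
    local args="-w $log -v $trace -p $port -d $domain"
    case "$mode" in
        passive) ;;
        xss)     args="$args -X" ;;
        replay)  args="$args -C" ;;
        both)    args="$args -X -C" ;;
        *)       echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' "$args"
}

# Run the proxy on 127.0.0.1:PORT until Ctrl-C, then render the HTML report.
run_audit() {
    local mode="$1" domain="$2" out="${3:-ratproxy-out}" port="${4:-8080}"
    local args pid
    mkdir -p "$out/trace"
    build_ratproxy
    args=$(ratproxy_args "$mode" "$out/ratproxy.log" "$out/trace" "$port" "$domain")
    echo "Browse $domain through 127.0.0.1:$port; press Ctrl-C when finished." >&2
    # shellcheck disable=SC2086  # args is a deliberately word-split flag list
    ./ratproxy $args &
    pid=$!
    trap 'kill "$pid" 2>/dev/null' INT   # background jobs ignore Ctrl-C; stop it ourselves
    wait "$pid" || true
    trap - INT
    ./ratproxy-report.sh "$out/ratproxy.log" > "$out/report.html"
    printf '%s\n' "$out/report.html"
}

# Usage: ./ratproxy-audit.sh <passive|xss|replay|both> <domain> [outdir] [port]
if [ "$#" -gt 0 ]; then run_audit "$@"; fi
```

Point the browser's HTTP proxy setting at 127.0.0.1:8080 (or the port you pass), exercise the site as a normal user, and open the report path the script prints when you stop it.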

After visiting a site via Ratproxy I then generated a report using the
ratproxy-report.sh script and found that the report is pretty easy to
read and understand. Each URL is listed as a separate item in the
report, complete with various related information, including a possible
risk level, type of risk, the actual URL used by the browser for that
item, payload information, Web site response, etc. Comprehending the
data does require some knowledge of HTML output as delivered by a Web
server, along with an understanding of how GET and POST requests are
structured and used. If you don't understand at least that much about
Web development, along with the potential security implications, then
the report isn't going to be of much use to you. However, you could pass
the report along to someone who can analyze it for you.

While reviewing the items in the report, you can manually replay
requests to a particular URL. If a URL involves GET or POST parameters
you'll see a yellow button labeled "edit values." When you click that
button a form is revealed where you can change parameters as you see
fit. To replay the altered parameters back to the Web site, simply click
the corresponding URL at the beginning of that report item. You'll then
need to generate a new report to see the results of altered requests.

Google says that it uses Ratproxy internally to test its own
applications. From my perspective, the tool looks like a good choice for
testing Web application security. It's not the only tool you'll need to
adequately test Web application security, but it's definitely a good
addition to your suite of testing tools.

You can download a copy of Ratproxy at the first URL below. Be sure to
review the online documentation at the second URL, which explains far
more about the tool than what I've covered here. Also, be certain to
review the README file that comes with the package, as it contains a
long list of possible command-line switches you can use, in addition to
other important information you need to know before using the tool.

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069677-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069678-0-0-0-1-2-207)

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069679-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069680-0-0-0-1-2-207)



SECURITY NEWS AND FEATURES

--More Than 12,250 Laptops Lost at Airports Every Week
A new study sponsored by Dell reveals that over 12,250 laptops are lost
every week at airports, and well over 4,000 are never reclaimed.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069682-0-0-0-1-2-207

--Majority of Companies Don't Audit File Ownership and Access
According to Ponemon Institute, the majority of companies don't know who
owns particular files, who can access the files, or who did access the
files.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069683-0-0-0-1-2-207

--Internet Crime Cost $239 Million Last Year
According to the Internet Crime Complaint Center, losses from cybercrime
in 2007 were 17 percent greater than in 2006, and the vast majority of
crimes were initiated via email.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069684-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069685-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069686-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: Pwnie Awards Accepting Nominations
by Mark Joseph Edwards
The annual Pwnie Awards, which celebrate "the achievements and failures
of security researchers and the security community," are now accepting
nominations in 9 categories for this year's awards. Read the details in
this blog article on our Web site, then head over to submit your
nominations.

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069687-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069688-0-0-0-1-2-207)

--FAQ: Store BitLocker Passwords in Active Directory
by John Savill
Q. How do I configure my BitLocker recovery password to be stored in
Active Directory (AD)?

Find the answer at
http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069689-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069690-0-0-0-1-2-207)

--FROM THE FORUM: Modify Root Directory Permissions on a Shared Drive
A forum participant writes that he needs to alter the permissions of the
root directory on a shared drive to prevent users from placing files in
that top-level directory. Apparently some of his Windows XP systems have
problems connecting to the shared drive when certain files exist in the
root folder. He wants to delete those particular files and adjust the
folder permissions to ensure that the files do not reappear. He also
wants to apply the permissions to the root directory so that they don't
change the permissions of any subdirectories. Lend your expertise at the
URL below.

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069691-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069692-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions.
Email your contributions to r2r@windowsitpro.com
(mailto:r2r@windowsitpro.com). If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


RESOURCES AND EVENTS

Continuous Data Protection and Recovery for Microsoft Exchange

It's 3:00 p.m. and your Exchange server's hard drive array has failed.
You get a call from the president of your company wanting to know where
his email regarding a pending major purchase has gone. He and other
executives have been working on the project all day, and the deadline is
less than 30 minutes away. Download this white paper to learn about
continuous data protection (CDP), Exchange 2007's local continuous
replication and cluster continuous replication features, and other more
robust third-party offerings.

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069693-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069694-0-0-0-1-2-207)

Losing Productivity or Profit Due to Poor Document Management Processes?
The Doctor Is In!

You are invited to attend a "therapeutic" session to learn more about
leveraging your Microsoft Office SharePoint Server investment! In this
Web seminar you'll learn about a solution that enables small, mid-tier,
and global organizations to optimize their business processes through
certified technologies and solutions for paperless automation. Learn how
your business can capture, deliver, manage, and share quantities of
vital documents. Register today!

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069695-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069696-0-0-0-1-2-207)

The Shortcut Guide to SQL Server Infrastructure Optimization

As companies find more uses for SQL Server, there are inevitably more
SQL Server installations to deal with. This eBook shares some new
techniques for optimizing your SQL Server infrastructure and explores
why so many organizations aren't really optimizing their SQL Server
platforms.

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069697-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069698-0-0-0-1-2-207)


FEATURED WHITE PAPER

Sustainable Compliance: How to reconnect compliance, security, and
business goals

Large enterprises are seeking ways to actively streamline their
compliance activities, operationalize their security management
programs, and gain value from automating and integrating both.
Unfortunately, streamlining compliance activities has not proven to be
simple. Download this paper to get started reducing the impact of
compliance programs on your resources.

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069699-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069700-0-0-0-1-2-207)


ANNOUNCEMENTS

Get It All with Windows IT Pro VIP

Stock your IT toolbox with every solution ever printed in Windows IT Pro
and SQL Server Magazine, plus bonus Web-exclusive content on
fundamentals and hot topics. Order today to receive the VIP CD and a
subscription to your choice of Windows IT Pro or SQL Server Magazine!
http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069701-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069702-0-0-0-1-2-207)

Windows IT Pro Master CD: Take the Experts with You!

Find the solutions you need within the thousands of searchable articles,
helpful bonus content, and loads of expert advice on the Windows IT Pro
Master CD. A Master CD subscription buys you portable access to the
entire Windows IT Pro article database plus access to all the new
articles that we publish exclusively on WindowsITPro.com every day. It's
like having a team of consultants in your pocket! Get real-world
solutions fast--order the Windows IT Pro Master CD today.

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069703-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069704-0-0-0-1-2-207)

Rev Up Your IT Know-How with Our Recharged Magazine!

The improved Windows IT Pro is packed with trusted content and enhanced
with a fresh new look! Subscribe today to

--Stay ahead of industry trends with comprehensive coverage of topics
such as Windows Vista and virtualization

--Solve tough technical problems with advice from veteran IT experts
such as Guido Grillenmeier and Mark Minasi

--Find real-world solutions easily, along with fast facts and quick tips

store.pentontech.com/index.cfm?s=1&promocode=EU2085R1&
(http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069705-0-0-0-1-2-207)


CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069706-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069707-0-0-0-1-2-207


To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069710-0-0-0-1-2-207

About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://ct.email.windowsitpro.com/rd/cts?d=33-10422-803-202-62923-1069711-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
