Wednesday, September 28, 2016

OWASP WordPress Security Implementation Guide

An email came across the OWASP leaders list today about securing WordPress.  If your interested to strengthen your WordPress server there are some free and helpful tools you may not be aware that exist.

OWASP WordPress Security Implementation Guide
The OWASP guide describes security cross-domain techniques and tips for strengthening security on your WordPress servers.  The guide is not version specific so you should check to see if there are any version specific vulnerabilities you need to be aware of for your particular version.

WordPress Nuke
Project by Munir Njenga (OWASP Chapter Leader, Kenya) applies some the techniques described by the OWASP WordPress security guide and applies them to a plugin that you can install on your WordPress server.  The plugin is being tested with WP version 4.6.1 and work in progress.

WordPress is an amazing application for managing your blog.  WordPress packs some powerful extensibility features for integrating 3rd party tools.  There is also a lively community of developers working on these tools and there's virtually a plugin for almost anything you want to do.  Like many highly extensible and useful software products, WordPress is challenging to secure and my reason to post.

Monday, September 19, 2016

OWASP 2016 Board Election Interviews

Following are the linkings for OWASP's 2016 Board of Directors.  I'm running for the board this year so I have indexed each of the links to start at my response but feel free to listen to all the responses.

OWASP Podcast Interview Part 1 of 4, Developer Participation [Audio]
OWASP Podcast Interview Part 2 of 4, Vendor Neutrality [Audio]
OWASP Podcast Interview Part 3 of 4, Most Important Issues [Audio]
OWASP Podcast Interview Part 4 of 4, Members, Projects, Conferences, and Chapters [Audio]

Friday, September 16, 2016

View Into the World of Facebook Metadata

Updated on September 17, 2016

A research paper I found offers an interesting view into the world of Facebook metadata and why metadata is valuable but there's more.  The two researchers, one from FB, to be expected, but the other is from Carnegie Mellon University(CMU).  This is meaningless to a casual reader but CMU maintains a relationship and conducts security research for the U.S. Government.  At times this relationship has come under fire revealing interests in dark programs, "Why was the Black Hat talk on Tor de-anonymization mysteriously canceled?".  Of course, there is the possibility the relationship between the researchers on the FB research project may be entirely coincidental.  Many security professionals participate on projects with others across industry.  CMU also shares many positive security projects with the public and industry like their Secure Coding efforts.  Even so if we take circumstantial evidence at face value, the United States Government may have an interest in the Facebook posts/comments that users choose not to publish.

Monday, September 12, 2016

Presenting DeepViolet TLS/SSL at Black Hat Europe 2016

November 1-4, 2016 I am presenting on DeepViolet TLS/SSL at the Black Hat security conference event in London.  To learn more about DeepViolet TLS/SSL scanning API and tools check out the OWASP project landing page.  Or to see the session description on Black Hat's web site, DeepViolet TLS/SSL Scanner.

A few months ago I was presenting on another unrelated security project, OWASP Security Logging Project, at OWASP AppSec EU in Rome Italy.  International trips are expensive.  Many thanks to the generosity of my manager and my employer, Oracle!

Speed Development & Fun with OWASP JSON Sanitizer

A time saving tip occurred to me while working on a cloud security tools project and implementing the OWASP JSON Sanitizer.  The sanitizer does not differentiate between malformed JSON sent by attackers or those originating from developer error.  So it's helpful in both cases but let me explain.

The time saving point is that as your developing your application depending upon the tools you use to transform JSON it may be more or less easy to make mistakes.  Finding mistakes in your JSON is time consuming and detail oriented work.  JSON is a little easier to read than XML but it's little comfort with large or complex documents.  The sanitizer saves time since it corrects errant JSON making it well-formed.  I found this behavior useful during development to alert to problems during development and perhaps even post deployment.  Consider the following code fragment,

// Simple sanity checks before we call sanitizer
if( json == null || json.length() < 1 ) {
  throw new MyException("Missing request");
// OWASP JSON Sanitizer
String sanitizedJson = JsonSanitizer.sanitize(json);
if( !json.equals(sanitizedJson) ) {
  logger.error("RAW JSON, detail="+json); 
  logger.error("SANITIZED JSON, detail="+sanitizedJson);
  String msg = "Raw/Sanitized JSON not eq.  Attack or malformed JSON, see log.";
  throw new MyException(msg);


If there is a difference between raw and well-formed sanitizer JSON then it's likely, 1) your program has a bug (e.g., encoding, malformed), 2) an attacker is tampering with client JSON to exploit your parser.  Regardless of which case is true, you need to review the JSON to see what went wrong.  Once deployed, you can configure a log4j appender to send alerts so you can investigate offline.  I don't claim the technique is unique or innovative but it was unexpectedly helpful so I thought I would share the idea.

Wednesday, September 7, 2016

OWASP Dependency Check 1.4.3 Released

OWASP Dependency Check 1.4.3 released.  Following is the announcement from the OWASP Leader's List,

OWASP dependency check is a great tool to include in you CI automation suite.  Use dependency check to alert on known insecure libraries your developers are using and encourage moving to libraries with less known vulnerabilities.

Share It!