Category Archives: Security Testing

Assessing a Web Site for Insecure Cookies

A cookie is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing. Its primary purpose is to allow the server to identify the user between visits as well as between requests (clicks).

There are three primary CWE’s regarding insecure cookies:

  • CWE-1004: Sensitive Cookie Without the “HTTPOnly” Flag / CWE-539: Information Exposure Through Persistent Cookies
  • CWE-315: Cleartext Storage of Sensitive Information in a Cookie
  • CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

For those of you using the CyberSecOlogy test plan, the security of a cookie can easily be viewed using the Web Developer plug-in or your ZAP proxy. The ZAP proxy makes it easy, as insecure cookies show up as alerts when you browse the site, spider the site or run an active scan.

For those who prefer the Web Developer plug-in, simply click on the Cookies tab and then on “View Cookie Information.” This will show you each of the cookies and their attributes:

bad cookie image

In the image above, there are four security mistakes made:

  1. Never, ever, ever store credentials in a cookie.
    • CWE-1004: Sensitive Cookie Without the “HttpOnly” Flag / CWE-539: Information Exposure Through Persistent Cookies
  2. If you do (but don’t!), make sure you add “Secure.” Secure would at least have ensured the cookie is only sent over an encrypted (HTTPS) connection.
    • CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
  3. To prevent other processes in the browser from being able to access the sensitive data in the cookie, make sure you add “HttpOnly”.
    • CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag

For the fourth, open OWASP ZAP, find the cookie titled “passwordEncoded”, paste the value into ZAP’s decode tool and try to identify what the value of the password is. If you can decode the password, write it up as CWE-261: Weak Cryptography for Passwords. You will see that the password is nothing more than a simple MD5 hash.

Image showing a cookie encoded with an MD5 hash
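The same four checks, as an added example that is not part of the post and not a ZAP or Web Developer feature: a small checker that reads one Set-Cookie header and writes up findings against the CWEs listed above. The sensitive-name hints, the `passwordEncoded` sample header and the other sample values are constructed for illustration.

```python
import base64
import re

# Constructed assumption: a cookie is "sensitive" if its name carries one of these hints.
SENSITIVE_HINTS = ("pass", "pwd", "session", "token", "auth", "cred")
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_md5(value: str) -> bool:
    """True if the value, raw or under one base64 layer, is a bare 32-hex digest."""
    if MD5_HEX.match(value):
        return True
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return bool(MD5_HEX.match(decoded))


def assess_set_cookie(header: str, over_https: bool = True) -> list:
    """Return (cwe, message) findings for one Set-Cookie header, in write-up order."""
    cookie = parse_set_cookie(header)
    name, value, attrs = cookie["name"], cookie["value"], cookie["attrs"]
    findings = []
    if not any(hint in name.lower() for hint in SENSITIVE_HINTS):
        return findings  # the CWEs above only apply to sensitive cookies
    if "httponly" not in attrs:
        findings.append(("CWE-1004", f"{name}: missing HttpOnly, readable by script in the browser"))
    if over_https and "secure" not in attrs:
        findings.append(("CWE-614", f"{name}: missing Secure, may be sent over cleartext HTTP"))
    if "expires" in attrs or "max-age" in attrs:
        findings.append(("CWE-539", f"{name}: persistent cookie holding sensitive data"))
    if looks_like_md5(value):
        findings.append(("CWE-261", f"{name}: value looks like an unsalted MD5 hash"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the value is the MD5 of the string "password".
    for cwe, msg in assess_set_cookie("passwordEncoded=5f4dcc3b5aa765d61d8327deb882cf99; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT"):
        print(cwe, msg)
```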

OWASP’s Juice Shop Practice Site: A Refreshing Reminder

[Juice Shop: Download it | Hack it | Tweet it | Alternative to it]

At a time when continuous integration is king and anyone with a web scanner is calling themselves a pen tester, OWASP’s Juice Shop project is a refreshing reminder of the need for creative, out-of-the-box security testers in our software security assurance programs.

With the popularity of agile methodologies and DevOps, lengthy software security assurance activities can slow things down. To counter this, lengthy DAST scanning and code reviews have given way to automated security testing. For identifying simple vulnerabilities such as cross-site scripting and SQL injection, this is a good solution and allows organizations to scale their efforts beyond the range of manual testing. However, automated assessment without strong security involvement in the design phase can leave security flaws such as logic errors and weaknesses in complex workflows dangerously undiscovered. In an industry that has tasted the cost savings of security test automation, adding expensive manual assessments back into the release process can be a hard sell. And then came OWASP’s Juice Shop.

I was approached by the author of Juice Shop, Björn Kimminich, to do a write-up on the OWASP project. To confess up front, I didn’t know much about his project and readied my scanners for what I thought would be a fun point-and-shoot session. However, during my initial inspection I XSS’d the search field and a banner popped up telling me that I had completed a challenge.

Challenge accepted!

With a little more digging I found that the site contained an actual score board tracking what I had and had not completed. My MLK weekend plans were now aborted and the obsessive security geek in me had taken over.

Fast-forward a lost weekend and a lot of Googling and I’m about three-quarters of the way through the challenges, which isn’t half bad for a middle-aged security exec. What is remarkable, however, is that in spite of the fact there are 39 unique hacking challenges, the majority of the exploitable flaws do not show up on a dynamic, authenticated scan! This is fairly serious considering some of these challenges include defrauding the Juice Shop out of money, taking over the admin account, and impersonating the Juice Shop’s CISO. None of these, however, were found by the several dynamic scanners I ran against the site.

So, what is my take-away from all this? Try running Juice Shop through your current assessment program and see how many of the findings your processes uncover. I suspect you’ll either be beefing up your security design reviews or adding manual pen testing back into your process. Maybe even both…

Note: If you don’t have the time or technical patience to bring up your own instance, there’s an online practice site by Heroku that will save you the time.

Also see the Hackazon and Google Firing Range reviews.

Pen Testing is Dying: Here are the Six Things that are Killing It

Don’t all kill the messenger at once, but the sad truth is that there are a growing number of organizations that are not seeing the ROI in pen testing, and I’m afraid they have good reasons.

There is a concept in organizational behavior about there being two reasons for a culture’s behavior: the reason they give you when asked and the one that is not verbalized.

When leaders are asked why they are decreasing their spending on pen testing, the answers I am hearing sound very reasonable: the attack surface is too broad, the number of attack vectors has grown to an untestable number, etc. No argument here.

However, I would argue that there are also some other, probably bigger reasons that have a larger influence and do not get verbalized. In fact, I think there are six of them.
  1. Supply and demand created a shortage of skilled testers

     The security boom we’ve all been enjoying has created a huge need for security professionals. As a security professional I’m loving it. However, like all skills shortages, there is a vacuum moving the bar for “senior level” lower and lower. What was once considered an intermediate-level tester is now considered a senior person.

     This is a reality that has no good answer. Personally, I prefer to have testers who have their OSCP certification, but with supply and demand this has become a luxury, not a baseline.

  2. Confusing automated assessments with pen testing

     I find that the actual definition of what a pen test is has been evolving, and some of that evolution seems to parallel the supply and demand issue. What we used to refer to as automated assessment tools have now become the pen test. Scanning a target with nmap, Nessus and Burp and pasting the results into a template is not a pen test. There is certainly value in these activities as one of many parts of a holistic assessment, but calling it a pen test has diluted the value of the term.

  3. The rules of engagement for pen tests typically protect the weakest link

     Pop quiz: name a recent major breach that didn’t involve a targeted email as the point of entry. Yea, me neither.

     However, most pen tests will have rules of engagement prohibiting spear phishing employees and the use of backdoors. I strongly suspect the perception of a pen test report would jump in value if it contained screenshots from the meterpreter session running on the CFO’s laptop while he transfers funds between banks. There are some really good reasons pen tests can’t mimic real-life attacks, but because of this their value is reduced.

  4. Length of engagements does not match real life

     Another aspect of pen testing that doesn’t match real-life threats is the length of engagement. In real-life attacks, the bad actors don’t have a time limit. They can spend months or even years on their target. In a pen test, the tester has a week or two to do the assessment and write up the findings. We can’t expect a team of testers to be able to cover all possible vectors in a few weeks.

  5. Lack of incentive

     Billable hours pay your bills, but they don’t exactly light a fire under an analyst’s rear end. I’ve often wondered what an assessment would look like if the client set up a pen test like a bug bounty, providing the team incentives for what they found. When a team of bad actors operating out of Eastern Europe can retire after one big score and you have pen testers working for billable hours, there is a motivation mismatch.

  6. Pen testing to check a box for your auditor

     For a pen tester to do a great job they need to be able to follow where their findings and instincts take them. A “pen test by numbers” will appease a requirement, but unless it’s done with passion and purpose it’s not going to be great.

Do I think pen testing is still valuable? Absolutely. But for all of the reasons above I think it is getting a bad rap. Disagree with me? I’d welcome your thoughts: @CyberSecOlogy #pentesting.


Google’s Firing Range Test Site

[Google Firing Range: Download it | Hack it | Alternatives to it]

Google's Firing Range

Yesterday, Google Security Engineer Claudio Criscione released version 0.42 of the web scanner test application called Firing Range. The author of the test app describes Firing Range as “a Java application built on Google App Engine and contains a wide range of XSS…” The source is available on GitHub, and there is a public website available for target practice.

At first glance, Firing Range looks sparse. However, those who don’t look past the landing page and launch a tool or two are not going to be able to appreciate the elegance of the test site. Firing Range is a unique and valuable addition to the web’s portfolio of test sites.

While the Hackazon test site provides what I have described as a “torture test” for scanners, Firing Range is more of a “Rubik’s cube.” Most scanners will complete a test of Firing Range in well under an hour, and nothing about the site is resource intensive or attempts to hide vulnerabilities from the test tool. Instead, Firing Range takes the opposite approach and focuses on completeness of the assessment. That is, every test page is directly available within the first two levels of the landing page and all the test pages are labeled for the target test. For example, all of the pages that test for reflected cross-site scripting are available from the reflected cross-site scripting page. This page is then broken into clearly defined sections:

Firing Range Screen Capture

Firing Range on its own should not be considered a single source for testing a scanner (and I do not believe the author ever meant for it to be). However, I believe that it will soon become a gold standard when assessing a scanner’s ability to detect and report on cross-site scripting.

Strengths:

  1. For evaluating a scanner’s strengths and weaknesses in detecting and reporting on cross-site scripting, you won’t find a better tool than Firing Range.
  2. The author has carefully and thoroughly labeled each test and offered explanations where needed.
  3. Firing Range allows an assessor to map the true positive findings and false negative findings.

Limitations:

  1. Firing Range makes no attempt to test a scanner’s ability to test in real-life situations such as complex workflows like you would find in an eCommerce site.
  2. Firing Range tests very little beyond cross-site scripting. It would be great to see this model extended to other vulnerability families.
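The true-positive / false-negative mapping described above, as an added example that is not part of the post or of the Firing Range project: a scorer that takes the labeled test pages as ground truth and a scanner’s findings, collapses repeated hits on the same page, and reports per-category recall plus the pages the scanner missed or wrongly flagged. The page paths, category names and scanner output below are constructed.

```python
from urllib.parse import urlsplit


def normalize(url: str) -> str:
    """Reduce a URL to its path so repeated hits on one test page count once."""
    return urlsplit(url).path.rstrip("/") or "/"


def score_scanner(labeled_tests: dict, scanner_hits: list) -> dict:
    """labeled_tests: category -> set of vulnerable page paths (the site's labels).
    scanner_hits: list of (url, category) findings reported by the tool.
    Returns per-category tp count, missed pages (fn), wrongly flagged pages (fp)
    and recall, plus any categories the scanner reported that were never labeled."""
    hits = {}
    for url, cat in scanner_hits:
        hits.setdefault(cat, set()).add(normalize(url))
    report = {}
    for cat, truth in labeled_tests.items():
        found = hits.get(cat, set())
        tp, fn, fp = truth & found, truth - found, found - truth
        report[cat] = {
            "tp": len(tp),
            "fn": sorted(fn),
            "fp": sorted(fp),
            "recall": len(tp) / len(truth) if truth else 1.0,
        }
    report["unlabeled_categories"] = sorted(set(hits) - set(labeled_tests))
    return report


# Constructed ground truth and constructed scanner output (host example.invalid).
LABELED = {
    "reflected_xss": {"/reflected/parameter/body", "/reflected/parameter/attribute_unquoted", "/reflected/url/href"},
    "dom_xss": {"/dom/location/hash"},
}
HITS = [
    ("https://example.invalid/reflected/parameter/body?q=<s>", "reflected_xss"),
    ("https://example.invalid/reflected/parameter/body?q=%3C", "reflected_xss"),  # same page, counted once
    ("https://example.invalid/reflected/url/href?q=x", "reflected_xss"),
    ("https://example.invalid/escaped/serverside/body", "reflected_xss"),  # labeled safe: false positive
]


def demo_report() -> dict:
    """Score the constructed scanner run against the constructed labels."""
    return score_scanner(LABELED, HITS)


if __name__ == "__main__":
    for cat, result in demo_report().items():
        print(cat, result)
```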

The Needed Contributions and Needless Death of Alan Turing

Alan Turing image

This week a claim was made that the sixty-five-year-old Turing test was finally passed. If this proves true, it will be one of the greatest computing milestones of the decade. While the achievement is being debated, this is a good time to revisit the author of the test and his remarkable life and tragic death.

If you were to make a list of computer scientists who have most changed the world, Alan Turing’s name would follow closely behind Bill Gates and Steve Jobs. While Gates and Jobs are household names, Turing’s contributions to defeating the Nazis, to the field of cryptography and his being considered by most as the father of modern computing go largely unknown outside of geek academia. Perhaps even more tragic is the lack of public knowledge surrounding the circumstances of his suicide.

During WWII the Nazis had developed ciphers that prevented the Allies from reading their intercepted communications. Being able to communicate without the enemy being able to understand gives an opponent a great advantage. Turing and his team devised a number of techniques for breaking these ciphers, aiding the war effort.

After the war he went on to study physics, where he is generally considered the “Father of Modern Computing.” One of his many influences during this time was creating the Turing Test: a test that essentially is passed if a computer can convince human interviewers that it too is a human.

In spite of his amazing contributions, his accomplishments were overshadowed during his lifetime by the fact that he was gay. In 1952 he was convicted of the crime of “homosexuality.” To avoid going to prison Turing accepted being injected with high levels of estrogen as a method of chemical castration. This all proved to be too much for him and a few weeks before his 42nd birthday Alan Turing took his own life by ingesting cyanide.

The suicide rate for LGBT teens in our country is four times higher than that of their straight cohorts. This is in large part attributed to the bullying they experience for being gay. Of the roughly 1,500 gay teens who commit suicide each year, how many Turings has the world lost? What great discoveries has the world been robbed of by their untimely deaths?



11/13/2014 Update: The Association for Computing Machinery reported today that the prize money for building a machine that can pass the Turing Test has now quadrupled to $1,000,000 thanks to an infusion of cash from Google.