The Basics of Web Application Security

Security is a massive topic, even if we reduce the scope to only browser-based web applications. These articles will be closer to a “best-of” than a comprehensive catalog of everything you need to know, but we hope it will provide a directed first step for developers who are trying to ramp up fast.

Source: The Basics of Web Application Security

IPv6 To Complicate Threat-Intelligence Landscape

Yet with the gradual — some would say “glacial” — move to the Internet Protocol Version 6 (IPv6) address scheme, the Internet’s address space will grow from merely big to nearly infinite. The vastness of the address space will cause problems for many threat-intelligence firms, from allowing attackers to use a new address for every attack to causing a rapid expansion in the size of the database needed to track the data on various sources, says Tommy Stiansen, chief technology officer for Norse, a real-time threat intelligence provider.

via IPv6 To Complicate Threat-Intelligence Landscape — Dark Reading.

Global WordPress Brute Force Flood

As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.

via Global WordPress Brute Force Flood | HostGator Web Hosting Blog | Gator Crossing.

This WordPress blog has been receiving these attacks since around the beginning of the year. Getting rid of the admin account is a first step and using strong passwords is a second; I chose to just shut down access from the Internet entirely by disabling the wp-admin directory and wp-login.php access in httpd.conf. That may not be practical for most sites however. The error logs were getting quiet in the last 3 or 4 weeks and then this week they’re back up to full speed blocking with IPs from ranges all over the place. It looks like I’m not the only one experiencing this according to here and here.
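The paragraph above mentions shutting off wp-admin and wp-login.php in httpd.conf without showing the configuration. The fragment below is an added example, not the author's own httpd.conf: it restricts both the login endpoint and the admin directory to an administrator's address range on Apache 2.4. The document root (/var/www/html) and the allowed range (192.0.2.0/24) are assumed placeholders to replace with your own.

```apache
# Added example (not the author's configuration). Only clients in the assumed
# administrator range 192.0.2.0/24 may reach the WordPress login page and the
# admin directory; everyone else receives 403 Forbidden, which Apache records in
# the error log as "client denied by server configuration".

<Files "wp-login.php">
    Require ip 192.0.2.0/24
</Files>

<Directory "/var/www/html/wp-admin">
    Require ip 192.0.2.0/24

    # Some themes and plug-ins call admin-ajax.php from public pages; keep that
    # one file reachable so the public side of the site still works.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>
```

On Apache 2.2 the equivalent inside each section is `Order deny,allow`, `Deny from all`, `Allow from 192.0.2.0/24`. Sites administered from changing addresses can substitute a password-protected front door (`AuthType Basic` with `Require valid-user`) for the address rule, which still keeps the distributed bots away from WordPress's own login handler.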

Update: From my observations of the logs over these last few months these bots are hitting the sites very patiently, sometimes once an hour, thus running under the radar of the security plug-ins I tried.

Update II: More links here, here, and from here:

These rules will block access for the offending IP address for 5 minutes upon 10 failed login attempts over a 3 minute duration.

This won’t work. Each IP from these bots may hit you once or twice an hour so any limit login plugin won’t detect them at any rate to ban them. You can’t stop this on an IP basis. Since my logs last rotated Sunday morning (almost 6 days ago) I have had 500 different IP addresses hit wp-login.php. They all have been given 403 Forbidden responses yet they keep coming.
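The point made above, that a per-IP threshold such as "10 failures in 3 minutes" never fires against a botnet where each address tries once an hour, is easy to see on real log lines. The script below is an added example (not code from the post or from any plug-in it mentions): it parses Apache combined-format access log lines, applies the per-IP sliding-window rule, and then counts distinct source addresses hitting wp-login.php per hour, which is the signal that does show the attack. The log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Counter as CounterType, List, NamedTuple, Set, Tuple

# Constructed sample (not real traffic): three addresses each probe wp-login.php
# roughly once an hour, interleaved with an ordinary visitor's page views.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:00:03:11 +0000] "POST /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:00:09:40 +0000] "POST /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
192.0.2.10 - - [12/Apr/2013:00:15:02 +0000] "GET /2013/04/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:01:05:33 +0000] "POST /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:01:11:58 +0000] "POST /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
203.0.113.99 - - [12/Apr/2013:01:30:17 +0000] "POST /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:02:07:04 +0000] "POST /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:02:13:29 +0000] "POST /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
192.0.2.10 - - [12/Apr/2013:02:20:45 +0000] "GET /feed/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Apr/2013:02:31:50 +0000] "POST /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
"""


class Event(NamedTuple):
    ip: str
    ts: datetime
    path: str
    status: int


# Apache "combined" log format: client, ident, user, [timestamp], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text: str) -> List[Event]:
    """Parse combined-format lines into Events sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append(Event(m.group("ip"), ts, m.group("path"), int(m.group("status"))))
    return sorted(events, key=lambda e: e.ts)


def per_ip_threshold_bans(events: List[Event], path: str = "/wp-login.php",
                          limit: int = 10, window: timedelta = timedelta(minutes=3)) -> Set[str]:
    """Addresses that a per-IP rule ('limit' hits on 'path' within 'window') would ban."""
    by_ip = {}
    for e in events:
        if e.path == path:
            by_ip.setdefault(e.ip, []).append(e.ts)   # already time-ordered
    banned = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:        # slide the window forward
                start += 1
            if end - start + 1 >= limit:
                banned.add(ip)
                break
    return banned


def attempts_per_ip(events: List[Event], path: str = "/wp-login.php") -> CounterType[str]:
    """How many times each address hit the login endpoint over the whole log."""
    return Counter(e.ip for e in events if e.path == path)


def distributed_login_alerts(events: List[Event], path: str = "/wp-login.php",
                             window: timedelta = timedelta(hours=1),
                             min_ips: int = 3) -> List[Tuple[datetime, int]]:
    """Windows (start time, distinct sources) in which at least 'min_ips' different
    addresses hit the login endpoint, however slowly each individual one goes."""
    hits = [e for e in events if e.path == path]
    alerts = []
    j = 0
    for i, first in enumerate(hits):
        while j < len(hits) and hits[j].ts - first.ts <= window:
            j += 1
        distinct = {e.ip for e in hits[i:j]}
        if len(distinct) >= min_ips:
            alerts.append((first.ts, len(distinct)))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule (10 in 3 min) bans:", per_ip_threshold_bans(evs) or "nothing")
    print("attempts per address:", dict(attempts_per_ip(evs)))
    for start, n in distributed_login_alerts(evs):
        print(f"{start:%H:%M}: {n} distinct addresses on wp-login.php within one hour")
```

On the sample the per-IP rule bans nobody even with the limit lowered to two hits, while the aggregate view flags every one-hour window from 01:05 onward. The aggregate count is what to alert on (and what the "500 different IP addresses" figure above measures); blocking still has to happen somewhere other than per-address reputation, for instance by restricting the endpoint as described earlier.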

Attack Code, Metasploit Module Released For Serious Ruby On Rails Bugs

This just got (more) real: Researchers today unleashed exploit code for a pair of newly found vulnerabilities in the popular Web application programming platform Ruby on Rails (RoR), as well as a new Metasploit module for the most serious of the two flaws, raising concerns of potentially damaging attacks to come on Web servers and databases.

via Attack Code, Metasploit Module Released For Serious Ruby On Rails Bugs – Dark Reading.

Security experts recommend patching RoR apps now if you have not already done so. Said O’Donnell in a blog post yesterday:

The Web Won’t Be Safe or Secure until We Break It

If the user is logged in, then the image file loads successfully, which causes the execution of loggedIn. If the user is not logged in, then notLoggedIn is executed. The result is an ability to test easily and invisibly whether a visitor is logged in to a particular Web site that a Web developer does not have a relationship with. This login-detection technique, which leverages CSRF, can be applied to online banks, social networks, Web mail, and basically anything else useful to an attacker. The attacker behind http://coolwebsite/ just has to find the URLs that respond in a Boolean state with respect to login.

via The Web Won’t Be Safe or Secure until We Break It – ACM Queue.
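The login-detection trick described above works because the browser attaches the victim's session cookie to a cross-site image load and the server answers differently depending on that cookie. The minimal WSGI application below is an added example (not code from the ACM Queue article) showing what a site can do on its own side: it issues its session cookie with `SameSite=Lax`, so current browsers omit it from cross-site `<img>` requests in the first place, and it also refuses to vary its answer for requests that the browser marks as cross-site via the `Sec-Fetch-Site` header (falling back to the Referer host for older browsers). The hostname `bank.example`, the session store and the `/account/avatar.png` path are constructed for the example.

```python
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "bank.example"                 # assumed hostname of the protected site
SESSIONS = {"s3ss10n-abc": "alice"}        # constructed session store: cookie value -> user
SESSION_COOKIE = "session=s3ss10n-abc; Path=/; HttpOnly; Secure; SameSite=Lax"


def is_cross_site(environ: Dict[str, str]) -> bool:
    """True when the request comes from another site.

    Current browsers send Sec-Fetch-Site (same-origin, same-site, none or
    cross-site) on every request; when it is absent, fall back to the Referer host."""
    fetch_site = environ.get("HTTP_SEC_FETCH_SITE")
    if fetch_site is not None:
        return fetch_site == "cross-site"
    referer = environ.get("HTTP_REFERER")
    if referer:
        host = urlsplit(referer).hostname or ""
        return host != SITE_HOST and not host.endswith("." + SITE_HOST)
    return False                           # direct navigation: no referrer at all


def current_user(environ: Dict[str, str]) -> Optional[str]:
    """Resolve the session cookie to a user name, or None when not logged in."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == "/login":
        # A real handler would check credentials first; the point here is the
        # SameSite attribute on the cookie it hands out.
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Set-Cookie", SESSION_COOKIE)])
        return [b"logged in"]
    if path == "/account/avatar.png":
        user = current_user(environ)
        if is_cross_site(environ) or user is None:
            # One uniform answer for both "not logged in" and "asked from another
            # site", so an <img> on coolwebsite always fires onerror and learns nothing.
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Cache-Control", "no-store"),
                                             ("Vary", "Sec-Fetch-Site")])
            return [b"not available"]
        start_response("200 OK", [("Content-Type", "image/png"),
                                  ("Cache-Control", "private, no-store")])
        return [b"\x89PNG placeholder bytes for " + user.encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(path: str, headers: Optional[Dict[str, str]] = None) -> Tuple[str, bytes]:
    """Invoke the app in-process the way a WSGI server would; returns (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    own_page = {"Cookie": "session=s3ss10n-abc", "Sec-Fetch-Site": "same-origin"}
    foreign_page = {"Cookie": "session=s3ss10n-abc", "Sec-Fetch-Site": "cross-site"}
    print("own page, logged in:     ", call("/account/avatar.png", own_page)[0])
    print("coolwebsite, logged in:  ", call("/account/avatar.png", foreign_page)[0])
    print("coolwebsite, logged out: ", call("/account/avatar.png", {"Sec-Fetch-Site": "cross-site"})[0])
```

The last two lines of output are identical, which is the property that matters: whether or not the visitor has a session, the image load from `http://coolwebsite/` fails the same way. The `Sec-Fetch-Site` check is defence in depth for the case where a browser still attaches the cookie; with `SameSite=Lax` honoured, the cross-site request never carries it, and `current_user` already returns None.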

Browser intranet hacking allows Web-site owners to access the private networks of their visitors, which are probably behind network firewalls, by using their browsers as a launch point. This attack technique is painfully simple and works equally well on enterprises and home users, exposing a whole new realm of data.