Friday, 23 April 2010

NetSparker Community Edition Review

For those of you who do not follow DarkNET , it is a well run blog where they add their perspective on security news and events. They also post a never ending stream of new tools and updates. They area great resource for keeping up to date on the latests toys and tools. They have come through for me once again by introducing me to  Netsparker Community Edition. The last fire and forget web scanner I was enticed to check out in this manner was a horrible flop. It was called Acunetix, perhaps you've heard of it? If you haven't don't bother, it's rubbish.

So as you can imagine I was not expecting great things from Netsparker. However, as I was downloading it I noticed that RSnake had also posted about it. Like many people in my field, I tend to have an ego, but when RSnake speaks, I listen. So I installed the community edition and gave it some quick run through. As expected, many of the best features are turned off in the freebie version, but that's okay. They left enough good stuff in there to whet my appetite(good job marketing guys). So here are the things I noticed right off the bat:

  1. The User Interface is very simple and straight forward. This is usually my first indication of a problem. In my experience, good products in this space tend to have absolutely wretched interfaces. they are tormented things that will try to bend your mind to it's will and subjugate you completely. The interface here is so simple most anyone could walk through setting up a scan. 
  2. The User Interface makes sense. Acunetix is a perfect example of the simplistic but terrible User Interface. It is very simple, but anything but straightforward. Trying to understand how to make it do some of the things you'd like it to do is not an easy task. Netsparker does not suffer these issues. It presents you with almost everything you could possibly need and even more importantly, nothing you don't.
  3. The sucker is FAST. I typically use IBM's Rational Appscan product. While AppScan is a good product, fast is never an adjective I would use to describe it. Netsparker is fast. Now part of why it is so fast is because the test profile is so limited in the community edition. So let's just look at the crawler. A 964 url page took appscan just over an hour to crawl. NetSparker did it in 15 minutes. It then ran all of it's tests in another 20-30 minutes. It may be that we will see these speeds drop dramatically with the full version, due to the expanded test profile.
  4. SQLi right away. One of the apps I tested it on had SQL Injection right on the login page. AppScan had failed to detect it, but manual testing revealed it inside 10 minutes. Netsparker caught it immediately. While this is far from a comprehensive look at it's detection rates, I say bravo to netsparker.
  5. Thoroughness. This is hard to gauge because it is the limited version. It FEELS like it is not very thorough. Part of this is psychological, because it runs so fast. Part of it is because it doesn't find some things because it is the 'community edition'. I can't shake the feeling that it is not being thorough, but I would really have to test the full version to make any honest assessment of this. 
  6. No False positives, sorta. I performed several test scenarios, and it did not really generate false positives. The ambiguous language here is due to what I think is a very neat feature. On one of the test sites I saw a distinction in the results between 'we know there is cross-site scripting' and 'we think there might be'. I appreciate that it is extremely difficult to eliminate false positives, and I think this approach is great.
  7. Testing framework. I have talked about this before, and I will talk about it again. We need to see testing harnesses, not just pas scanners. Once you are done with the scan, in Netsparker, it has tools you can use within the app to attempt to exploit the vulnerabilities. If you find a possible SQLi there is an actual injection tool built into the scanner to allow you to try and exploit it. It has similar tools for LFI and Command Injection. This, to my mind, represents the absolute right direction for these types of products to be heading in.
  8. Pricetag. The community edition is free but limited. They then have two unlocked versions. The standard and enterprise edition. the key difference being the number of sites licensed for. I'm not sure if this means you predefine what sites you are licensed for or what. However, the unlimited Enterprise Edition comes with a pricetag of only $3000, which is extremely reasonable in my opinion. It also makes the product worthwhile even as a second scanner. I am considering recommending we purchase an Enterprise license so that we can have two scanners to see if we catch anything with one that we don't with the other. 
So let me summarize briefly. The Community Edition of Netsparker shows some very significant promise. It would seem to indicate a well thought out and well developed product. However, for professional assessments I would definitely recommend you not try to use the Community Edition.  Without having tested the Enterprise Edition, I won't recommend it out of hand, but at a pricetag of only $3000, it seems like a good idea.

Netsparker Community edition is created by Mavituna Security, and can be downloaded here.

Wednesday, 21 April 2010

Mcafee 5958 Dat issue fix Update

Okay, so in my previous post I recommended copying the svchost.exe binary from the servicepackfiles\i386 directory. While in most cases this should work fine, there is still a possibility of version issues doing this. The better solution(although somewhat more tedious) would be to load the extra.dat file, and then go into the virusscan console, unlock it, and release svchost.exe from the quarantine. This should give you back the exact svchost binary that was removed before. I don't know if there's anyway to script releasing from quarantine, so that makes this somewhat less favourable of a solution from a wide scale deployment standpoint. However, this does guarantee that you'll get the EXACT same binary back that you lost. I've heard that Ford in particular is having an issue due to some special svchost binary they were using in their image. Because the version didn't match when they did the fix, it supposedly preventing the os from booting properly. For most people, either way will work fine, I just have to advise caution. I don't want somebody getting mad at me later because the fix I posted 'didn't work'.

This is another reason why I don't think it'd be a good idea for me to post the binary we created for the fix. It is using the specific svchost binary from our standard image and may not be right for everyone. Thanks to everyone who's been commenting/discussing here. I like seeing people helping each other out.

UPDATE: I thought this went without saying, but I'll make sure I mention it anyways. Please make sure to also add the extra.dat to your epo repositories. At this point, with 5959 out it probably is a moot point, but better safe than sorry.

Mcafee DAT 5958 Fix

As many people are already aware, McAfee released DAT 5958 today. This DAT contained a fault, which caused issues in hosts running Windows XP SP3. The fault led to a false detection of the W32/Wecorl.A worm, which was an MS08-067 based worm. This resulted in McAfee nuking svchost.exe killing all win32 services on the machine. This results in a laundry list of problems. The way to fix machines impacted by this is simple:

1. Boot the machine into safe mode
2. Take the extra.dat file mcafee is providing and load it into c:\program files\common files\mcafee\engine
3. Copy svchost.exe from c:\windows\servicepackfiles\i386\svchost.exe to c:\windows\system32\svchost.exe and c:\windows\system32\dllcache\svchost.exe
4. Reboot

This should remove the faulty signature and replace the damaged svchost from the the servicepack files. This test has been tested and works within our company. We have rolled it into a quick exe package for ease of use.