Collaborate Disseminate
Detection of outdated TLS/SSL protocols are one of the most common findings I have seen in many vulnerability scans and penetration testing reports. It is reported as a serious vulnerability too. Every time I see this, I wonder how easy or… Continue reading How easy or difficult it is to exploit older SSL/TLS protocols?
As a SaaS provider, we would like to be compliant to the requirements of our Singapore based prospective clients. And the Monetary Authority of Singapore mandates a TVRA (Threat and Vulnerability Risk Assessment) to be perfor… Continue reading Should TVRA be done physically by going to the datacenter?
On one of the web applications I am checking, running a nikto scan revealed the following ‘examples’ folder in the web-root with the following contents. While I will definitely suggest to remove them, does having these exampl… Continue reading JSP example scripts residing on the server
Our Nessus tool scans a few subnets covering about 1000 hosts. Post-scan, Nessus generates the report listing various vulnerabilities of ~600 hosts. In the list of that ~600 servers, 9 of them are IP addresses (lacking Revers… Continue reading GHOST servers or devices in Nessus report
Our environment has a few Windows 2012 R2 servers which is already patched against the WannaCry ransomware. The update installed was KB4012213.
Is this good enough to protect against the ongoing Petya attacks?
Anything el… Continue reading Are machines patched against WannaCry protected against the ongoing Petya attacks?
Our security vendor just conducted a Risk Assessment for our organisation and has provided us with the report. One of the ‘Threats’ identified by the vendor is ‘Theft’, and our 4 office locations have been listed among the as… Continue reading Risk Assessment – Probability of theft of a physical location
We are trying to integrate OWASP ZAP scans to our Build Cycle. When a new build reaches the QA team, they run an automation tool similar to Selenium, which opens a Firefox web-browser in a Windows machine and runs their test cases. Being completely new to ZAP, this is what I have setup now to get the scan results from those tests regularly.
Installed the ZAP tool in a Linux machine and it is running in
daemon mode with an api-key on port 8080
Made changes in Firefox settings in the Automation Test machine so
that each new Firefox profiles opened by Selenium will have the proxy pointed to <IP_of_ZAP_Machine:8080>.
A cronjob will run every midnight that does the following in this order:
Collects the URLs scanned by calling the URL
http://IP_of_ZAP_Machine:8080/XML/core/view/sites/?zapapiformat=XML
Generates a list of URLs which shows alerts for each ‘sites’
obtained from the previous step.
Example: http://IP_of_ZAP_Machine:8080/HTML/core/view/alerts/?zapapiformat=HTML&baseurl=https%3A%2F%2Fwww.example.com&start=&count= for the results of scan on https://www.example.com
Downloads the scan results in HTML format by calling all the URLs from the above step and putting all the HTMLs in a ZIP file.
Emails the ZIP file to my team.
Loads a new session so that the results e-mailed next midnight will contain results only from the previous midnight. The new session is loaded using the URL
http://IP_of_ZAP_Machine:8080/JSON/core/action/newSession/?zapapiformat=JSON&apikey=<my_api_key>&name=${newsessionname}&overwrite=
While I am getting the scan results as expected everyday, the questions is: Am I doing it right? Is there a more correct or established way of doing this?
Note: Results from all the steps are logged into a log file for future verification.
Continue reading Integrating ZAP to SDLC. Am I doing it right?
In one of our websites, there is a link pointing to a page to download some PDF files. Visitors have to submit their their name, job title, company, phone number and e-mail address and click a ‘submit’ button before landing a… Continue reading Should a webpage where visitors submit e-mail address and phone number be served only over HTTPS?