Uvahy
successfully migrated to hades
by dominee on Mar.23, 2010, under Uvahy
Yeah.. migration process continues well.. wp successfully migrated to hades! =]
A couple of unicode issues on PHP and Firefox
by dominee on Oct.19, 2009, under Uvahy
1.- Overlong UTF-8:
As required since Unicode 3.1, and noted in Unicode Technical Report #36, a UTF-8 decoder must not interpret a character's non-shortest (overlong) form.
2.- Ill-formed sequences:
As required by Unicode 3.0, and noted in Unicode Technical Report #36, if a lead byte is followed by an invalid continuation byte, the decoder must NOT consume that byte; it has to be re-examined as the start of the next sequence.
3.- Integer overflow:
An unsigned short is 16 bits (2 bytes) wide and cannot hold a 21-bit Unicode code point, i.e. one encoded in UTF-8 as 4 bytes (1111 0xxx 10xx xxxx 10xx xxxx 10xx xxxx). PHP accumulates the decoded 21-bit value into a 16-bit variable and performs no range check on the result, so the high bits are silently lost.
The Firefox one
Firefox is supposed to reject non-shortest forms (point #1 of the PHP issues above), as described in section 3.1 of Unicode Technical Report #36, but apparently there is a flaw in its handling. This is especially problematic because an overlong sequence that is not rejected can enable several kinds of filter bypass.
http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
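The three checks above, as an added example that is not code from the original post, nor from PHP or Firefox: a small UTF-8 decoder that rejects overlong forms (point 1), leaves an invalid continuation byte unconsumed so it is re-examined as the next lead byte (point 2), and range-checks the decoded value instead of storing it in 16 bits (point 3). The helper truncate_to_16_bits is a deliberately simplified model of the flaw in point 3, not PHP's actual source, and all sample inputs are constructed; the function and variable names are this example's own.

```python
# Added example, not code from the original post, PHP or Firefox.
# A UTF-8 decoder enforcing the three checks the post lists, plus a model of
# what a 16-bit accumulator does to a 4-byte sequence.

REPLACEMENT = 0xFFFD  # U+FFFD, emitted for a bad sequence in non-strict mode


def _lead_info(b):
    """Map a UTF-8 lead byte to (continuation bytes, payload mask, smallest
    code point that may use this length).  0xC0/0xC1 (always overlong) and
    0xF5..0xFF (always above U+10FFFF) are deliberately not lead bytes."""
    if 0xC2 <= b <= 0xDF:
        return 1, 0x1F, 0x80
    if 0xE0 <= b <= 0xEF:
        return 2, 0x0F, 0x800
    if 0xF0 <= b <= 0xF4:
        return 3, 0x07, 0x10000
    return None


def decode_utf8(data, strict=True):
    """Decode *data* into a list of code points.

    strict=True  raises ValueError at the first ill-formed sequence.
    strict=False emits U+FFFD for it and resumes at the offending byte rather
                 than swallowing that byte (point 2 of the post).
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                       # ASCII fast path
            out.append(b0)
            i += 1
            continue
        info = _lead_info(b0)
        cp, consumed, err = 0, 1, None
        if info is None:
            err = "invalid lead byte 0x%02X at offset %d" % (b0, i)
        else:
            need, mask, minimum = info
            cp = b0 & mask
            for k in range(1, need + 1):
                if i + k >= n or data[i + k] & 0xC0 != 0x80:
                    # Point 2: the byte at i+k is not a continuation byte, so it
                    # is NOT consumed; decoding resumes there after the error.
                    err = "sequence at offset %d broken at offset %d" % (i, i + k)
                    break
                cp = (cp << 6) | (data[i + k] & 0x3F)
                consumed += 1
            else:
                # All bytes present: validate the value, not just the shape.
                if cp < minimum:                        # point 1: overlong form
                    err = "overlong encoding of U+%04X at offset %d" % (cp, i)
                elif 0xD800 <= cp <= 0xDFFF:            # UTF-16 surrogate
                    err = "surrogate U+%04X at offset %d" % (cp, i)
                elif cp > 0x10FFFF:                     # point 3: out of range
                    err = "code point U+%X above U+10FFFF at offset %d" % (cp, i)
        if err is None:
            out.append(cp)
        elif strict:
            raise ValueError(err)
        else:
            out.append(REPLACEMENT)
        i += consumed
    return out


def is_well_formed(data):
    """True if decode_utf8 accepts every sequence in *data*."""
    try:
        decode_utf8(data, strict=True)
        return True
    except ValueError:
        return False


def truncate_to_16_bits(code_points):
    """Model of point 3 (assumption: illustrates the flaw as described, not
    PHP's actual source): storing each code point in an unsigned short with no
    range check keeps only the low 16 bits."""
    return [cp & 0xFFFF for cp in code_points]


if __name__ == "__main__":
    # Constructed samples: overlong '/', a lead byte followed by 'A', and the
    # 4-byte code point U+1003C whose low 16 bits spell '<'.
    overlong_slash = b"\xc0\xaf"
    broken = b"\xe2AB"
    four_byte = "\U0001003C".encode("utf-8")       # b'\xf0\x90\x80\xbc'
    print(is_well_formed(overlong_slash), decode_utf8(overlong_slash, strict=False))
    print(decode_utf8(broken, strict=False))        # 'A' and 'B' survive
    print([chr(c) for c in truncate_to_16_bits(decode_utf8(four_byte))])
```

The last line of the demo is the filter-bypass angle of point 3: a well-formed 4-byte sequence that a correct decoder turns into U+1003C collapses to '<' once the value is squeezed into 16 bits, so a filter that inspects the bytes and a consumer that inspects the truncated code points disagree about what the input contains.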
OWASP tools
by dominee on Mar.27, 2009, under Uvahy, security
OWASP Testing Guide v3: http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

OPEN SOURCE BLACK BOX TESTING TOOLS

General Testing
- OWASP WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- OWASP CAL9000: a collection of browser-based tools that enable more effective and efficient manual testing. Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
- OWASP Pantera Web Assessment Studio Project
- SPIKE - http://www.immunitysec.com
- Paros - http://www.parosproxy.org
- Burp Proxy - http://www.portswigger.net
- Achilles Proxy - http://www.mavensecurity.com/achilles
- Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
- Webstretch Proxy - http://sourceforge.net/projects/webstretch
- Firefox LiveHTTPHeaders, Tamper Data and Developer Tools - http://www.mozdev.org
- Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html
- Grendel-Scan - http://www.grendel-scan.com

TESTING FOR SPECIFIC VULNERABILITIES

Testing Flash
- OWASP SWFIntruder - http://www.owasp.org/index.php/Category:SWFIntruder, http://www.mindedsecurity.com/swfintruder.html

Testing AJAX
- OWASP Sprajax Project

Testing for SQL Injection
- OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
- SQL Power Injector (multiple-DBMS SQL injection tool)
- sqlbftools (MySQL blind injection bruteforcing, Reversing.org)
- SqlDumper (Antonio Parata: dump files by SQL inference on MySQL)
- Sqlninja: a SQL Server injection & takeover tool - http://sqlninja.sourceforge.net
- sqlmap, a blind SQL injection tool (Bernardo Damele and Daniele Bellucci) - http://sqlmap.sourceforge.net
- Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
- SQLInjector - http://www.databasesecurity.com/sql-injector.htm
- bsqlbf-1.2-th - http://www.514.es

Testing Oracle
- TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
- Toad for Oracle - http://www.quest.com/toad

Testing SSL
- Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm

Testing for Brute Force Password
- THC Hydra - http://www.thc.org/thc-hydra/
- John the Ripper - http://www.openwall.com/john/
- Brutus - http://www.hoobie.net/brutus/
- Medusa - http://www.foofus.net/~jmk/medusa/medusa.html

Testing for HTTP Methods
- NetCat - http://www.vulnwatch.org/netcat

Testing Buffer Overflow
- OllyDbg - http://www.ollydbg.de
  - A Windows-based debugger used for analyzing buffer overflow vulnerabilities
- Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
  - A fuzzer framework that can be used to explore vulnerabilities and perform length testing
- Brute Force Binary Tester (BFBTester) - http://bfbtester.sourceforge.net
  - A proactive binary checker
- Metasploit - http://www.metasploit.com/projects/Framework/
  - A rapid exploit development and testing framework

Fuzzer
- WSFuzzer

Googling
- Foundstone SiteDigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

SOURCE CODE ANALYZERS - OPEN SOURCE / FREEWARE
- OWASP LAPSE
- PMD - http://pmd.sourceforge.net/
- FlawFinder - http://www.dwheeler.com/flawfinder
- Microsoft's FxCop
- Splint - http://splint.org
- Boon - http://www.cs.berkeley.edu/~daw/boon
- Pscan - http://www.striker.ottawa.on.ca/~aland/pscan
- FindBugs - http://findbugs.sourceforge.net

ACCEPTANCE TESTING TOOLS - OPEN SOURCE
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a unit testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security-specific tests in addition to functional tests.
- WATIR - http://wtr.rubyforge.org
  - A Ruby-based web testing framework that provides an interface into Internet Explorer.
  - Windows only.
- HtmlUnit - http://htmlunit.sourceforge.net
  - A Java and JUnit based framework that uses the Apache HttpClient as the transport.
  - Very robust and configurable, and used as the engine for a number of other testing tools.
- jWebUnit - http://jwebunit.sourceforge.net
  - A Java based meta-framework that uses HtmlUnit or Selenium as the testing engine.
- Canoo Webtest - http://webtest.canoo.com
  - An XML based testing tool that provides a facade on top of HtmlUnit.
  - No coding is necessary as the tests are completely specified in XML.
  - There is the option of scripting some elements in Groovy if XML does not suffice.
  - Very actively maintained.
- HttpUnit - http://httpunit.sourceforge.net
  - One of the first web testing frameworks; suffers from using the native JDK-provided HTTP transport, which can be a bit limiting for security testing.
- Watij - http://watij.com
  - A Java implementation of WATIR.
  - Windows only because it uses IE for its tests (Mozilla integration is in the works).
- Solex - http://solex.sourceforge.net
  - An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
- Selenium - http://www.openqa.org/selenium/
  - JavaScript based testing framework, cross-platform, with a GUI for creating tests.
  - Mature and popular tool, but the use of JavaScript could hamper certain security tests.