Happy New Year 7E1

Writing in Christmas to say thanks and to make a review of the year is already an habit since I decided to write in this blog five years ago. On the whole, this year has been exciting, like every last years, with many project, with ups and downs, with stressful time and relaxing time, with bad times and good times, but I think with the aim, always, of improving in each moment, with the aim of improving professionally and personally, being this last thing, “personally”, the most important fact for improving in a good professional relationship.

Working in many projects with lots of engineers, and not only in the same customer for the same project, make me happy because I can take in touch with many IT professionals and knowing many IT infrastructures at the same time to take the best things of each of them for improving the IT infrastructure of customers. Speaking with many people, younger or older, technical staff or chief or manager people is a pride and experience that has led me to work in multi-disciplinary teams abroad when I have been in Turkey, Russia or Czech Republic on holidays. In addition, this allow me to make interviews like what I did this summer to Jesús Corrales.

Speaking about studying and certifications, I passed the CISM (Certified Information Security Manager) exam and I took the CCNP re-certification where I review many concepts and I learnt many others like Hot potato and cold potato routing, Elephants or Long Fat Networks, SACK, or the Nagle's Algorithm. On the other hand, I applied for the F5 Certified BIG-IP Administrator which was two exams for getting this certification. In the meantime, you will have seen I keep writing in English language for improving my writing skill, of course, I started writing very bad at the beginning of the year but I think I'm writing with greater fluidity right now. Therefore, I have started to learn the French language this year and I hope keep studying this new language for the next years.

With regard to projects, I have been in many projects about security and networking. I started the year in the north of Spain (Oviedo) teaching about Virtual Private Networks (VPN) and Metro Ethernet, I also taught about Alcatel-Lucent Switching to the National Police of Spain and I have finished in Valladolid teaching about the Web Application Firewall of F5 Networks called ASM or Application Security Manager. In the meantime, I have had the luck to advise, install, configure and support load balancer solutions under F5 Networks and Radware, and Firewalls deployments under Fortinet for the public and private sector. I have also helped to deliver, support and maintain the Ariolo Cloud Services and I have installed probes and SIEM systems where I learnt about Traffic Direction Systems (TDS), I analysed that Telegram uses HTTP over HTTPS or when the Endesa ransomware was hunted by our SIEM.

Moreover, I have had the opportunity to give some speeches to civil servants of Extremadura and to a high school of Extremadura about security awareness, professional training and the private sector, and also about Bluetooth Security, Wireless Sensor Networks – WSN or Web Application Firewalls.

For the next year, I want to keep my CISA and CISM certification and to keep studying the French language. From time to time I'll read some books but what I want the most will be to share experiences and knowledge with other professionals and growing up in this amazing cyberworld.

Merry Christmas and Happy New Year.

WebSockets

I'm not a developer but if we want to protect our web services, we should understand how they work. This is why I'm reading, learning and studying about web services lately because I think there should be a narrow line between a Web Security Engineer and a Network Security Engineer. Both should speak the same language. Therefore, this is mandatory when we are installing for example a Web Application Firewall and we have to choose or configure an XML or JSON profile for protecting our web services.

HTML5 is a markup language with a lot of improvements regards HTML 4 and XHTML 1. For instance, we can forget flash and their upgrades, we have to change the way we know cookies thanks to the new Web Storage feature in HTML5, better multimedia interaction, and the new WebSocket feature, which we are going to write here today.

If we connect to some web application like those hosted in the www.websocket.org website, we can test and capture network traffic to analyse HTTP headers and the handshake process. In a WebSocket, we'll see new headers like Upgrade, Connection, Sec-WebSocket-Key, Sec-WebSocket-Version or Sec-WebSocket-Accept and others optional headers as well. In addition, we'll see the WebSocket protocol defines a ws:// and wss:// prefix to indicate a WebSocket and a WebSocket Secure connection, respectively.

WebSocket Headers

 

The handshake process is a little bit different from what we know with HTML 4. In a WebSocket, we'll have the Upgrade and Connection headers with the websocket and Upgrade values, respectively, for establishing a connection. Moreover, the web server will send a 101 code to the client for switching protocols. During data transfer, there will be a two-way and full-duplex communication with persistent connections between client and server. In the end, client and server can close the connection and it can be initiated by either peer.

WebSocket Handshake

 

We have new protocols, new methods and new standards but threats are still there. A variation of Cross Site Scripting Attack (XSS) is the Cross Site WebSockets Scripting Attack (XSWS) or the Cross Site WebSocket Hijacking Attack (CSWSH). For instance, we can find an Online Cross Site WebSocket Hijacker Tester from ironwasp.org, which is an online tool to easily check for CSWSH issues. There are more tools like a WebSocket Message Analyzer or a WebSocket Client in the IronWASP application for WebSocket Security Testing.

Online Cross-Site WebSocket Hijacking Tester

 

Internet is full of pentesting tools to learn about it and getting fun. Another tool for testing vulnerabilities in WebSockets is the socket_io_client developed by Krzysztof Kotowicz, which is a simple malicious Socket.IO client written in Python.

Malicious Socket.IO script

 

Technology are evolving increasingly faster and we have to adapt our appliances, tools and knowledge at the same speed for protecting our services and our information.

Regards my friends, don't forget to keep studying!!

XML and Web Services

Who was going to say that I was going to study about Language Processors again? My teacher Antonio Polo at Polytechnic School of Cáceres would kill me but it's truth, I'm reading about Web Services and studying concepts like WSDL, SOAP, AJAX or JSON. Why? Because web services are moving from HTTP/1.1 to HTTP/2 and the Web is moving from TCP to UDP then I need to upgrade my knowledge and remember all these stuff for protecting web services properly with Web Application Firewalls (WAFs).

I have written about Web Application Vulnerabilities and the importance of teaching OWASP at University but there is also a Web Service Security Testing Cheat Sheet by OWASP to protect our services against WSDL enumeration/scanning, parsing exploits, XML injections, XPath injection attacks or XML manipulation that we should know about it. However, first, we have to know which technologies and protocols web services use for mitigating these vulnerabilities.

XML vs JSON

The HyperText Markup Language (HTML) is not as extensible and versatile as Extensible Markup Language (XML) is due to the fact that tags for XML is unlimited and customizable, this is a great advantage of XML against HTML. However, JavaScript Object Notation (JSON) has objects with names and values inside arrays which is faster for parsing than XML when we have to send information to a web service.

XML vs JSON

 

SOAP vs REST

We need a design or an API to send information to a web server. Simple Object Access Protocol (SOAP) uses XML, which needs to be parsed with an schema, for sending SOAP messages that they are defined in the WSDL specification. However, SOAP is more rigid than the RESTful standard where we request an URI with an HTTP method (e.g. GET, PUT, POST, DELETE) and it returns the representation of an object. In addition, REST can use anything to represent data, even XML and JSON, and this is a reason why REST is the largest implementation in the WWW.

SOAP Message

REST Message

SAX vs DOM

Whether we use DTD or XSD schemas, there are two ways of parsing an XML document. Simple API for XML (SAX) which events are triggered while the XML is being parsed or Document Object Model (DOM) which events are not triggered while parsing. Therefore, the DOM standard parses the entire XML and a DOM tree is generated and returned. As a result, DOM is easier to use but has an overhead of parsing the entire XML before we can start using it.

DOM vs SAX

This has been my revision and developing lessons for today with the goal of knowing about web services for protecting our organization.

Regards my friends, drop me a line with the first thing you are thinking!!!

Preventing Web Scraping

When we have a full proxy between Internet and our LAN we can do everything, even protect our servers, ;-) this is what a WAF does, protecting against Web Application Vulnerabilities, Web Scraping or DoS Attacks. This time, I want to write about Web Scraping which is a technique to download automatically the whole web site for extracting competitor price tracking, email addresses, directory listings for obtaining leads and marketing information, search competitors' web sites for images, financial information, or other product data, and also for copying the web site for phishing attacks.

There are many tools to extract data from websites for cloning it or analysing it like the simple cURL or Wget or another more advanced like HTTrack. For instance, I used the Social-Engineer Toolkit (SET) two summers ago in a speech called “Innovation, yes but with Security” for making a PoC of Phishing Attack where I copied the Gmail and elpais.com websites.

Although there are still few companies worried about this threat, they are becoming more and more aware about protecting their public data for competitive reasons. Next, we are going to see some Web Scraping mitigation techniques to protect our websites.

Bot detection

This is a method where the preventing web scraping system applies several checks for bot detection. For instance, a check for detecting rapid surfing where counts how many different URLS the client has loaded and unloaded from the application within a defined period. Another check is to ensure the client accepts cookies and processes JavaScript. And another check could use JavaScript again to determine if the client behaves like a human being or a bot.

Bot detection configuration in BIG-IP ASM

 

Session Anomaly detection

This is a method for detecting clients who open a large number of new sessions. One check is counting the new sessions per second rate and another check is detecting a spike in the number of new sessions. This method could also use the IP reputation database for detecting malicious IP addresses which is an indicator as well for triggering a violation.

Session Anomaly detection configuration in BIG-IP ASM

 

Fingerprinting

This is a method of collecting browser attributes to detect malicious users. Some attributes are browser APIs like JavaScript API supported by the browser, expressions, localization information from the browser, fonts installed in the browser, screen parameters, time and plugins.

Fingerprinting configuration in BIG-IP ASM

 

Web scraping was a concept unknown for me a year ago but preventing web scraping today can be done and it's a fact for many organization who are worried about their public information.

Regards my friends, drop me a line with the first thing you are thinking!!!