We are proud to introduce QASource Shieldcast! This new QALounge feature provides a brief overview of the latest security testing tools to ensure that you are protected against overlooked vulnerabilities in your application and deliberate attacks on your system. In addition to detailing new tools and feature updates for existing ones, Shieldcast will offer tips for how to safeguard your team, their desktops, and your application.
Below is a summary of the information gathered by our experienced security testing team for Quarter 3:
Common Vulnerabilities and What Attackers Use Them For:
- Cookie poisoning and cross-site scripting enable identity theft and session hijacking
- Hidden field manipulation helps with eShoplifting
- Parameter tampering is associated with fraud
- Buffer overflow is used for denial of service or closure of business
- Backdoor and debug options allow trespassing
- Forceful browsing is associated with breaking and entering
- HTTP response splitting is used for phishing, identity theft, and eGraffiti
- Stealth commanding is used to conceal weapons
- 3rd party misconfiguration can debilitate an entire site
- Known vulnerabilities are exploited to take control of the site
- XML & web service vulnerabilities enable new layers of attack vectors and malicious use
- SQL injection allows for manipulation of database information
Protect Your Desktop:
- Avoid clicking within spam emails, unknown pop-ups, untrusted websites, or other unexpected windows.
- Use a password generator application to create all of your passwords. No simple passwords!
- Do not download software from unknown or virus-prone sites, such as BitTorrent, File Hippo, Soft32, etc.
- Do not share or accept files through instant messaging services.
- Do not keep shared folders on the desktop. Unshare them as soon as the required team task is complete.
- Be aware of any unwanted software that is installed on your system. Encourage your team to exercise this caution as well.
- Do not save plaintext passwords in files or send passwords over instant messages.
Tools We Evaluated:
BeEF is an open-source browser exploitation tool for hijacking web browsers and performing client-side actions. The tool takes control of the end user's browser, allowing penetration testers to assess client-side exposure.
W3AF is an open-source web application security scanner that also works as a vulnerability scanner and exploitation tool.
SQLmap is an open-source SQL injection tool that automates the detection and exploitation of SQL injection vulnerabilities in a web application. It supports MySQL, Oracle, Microsoft SQL Server, Microsoft Access, PostgreSQL, HSQLDB and IBM DB2 databases.
Be on the lookout for our Quarter 4 Shieldcast! If you have any thoughts about how to improve the security of your team's machines or web applications in general, leave a comment and start a discussion below. Also, don't forget to follow QASource on Facebook and LinkedIn for more quality content!