Social Icons

Showing posts with label SQL INJECTION. Show all posts
Showing posts with label SQL INJECTION. Show all posts

Thursday, September 11, 2014

VEGA SCANNER : Powerful Open Source Web Application Vulnerability Scanner

1.   Vega is one free and open source scanner and testing platform to test the security of web applications by Subgraph, an open source security software company. Vega can help find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. 

Main Features:

    Automated Crawler and Vulnerability Scanner
    Consistent UI
    Website Crawler
    Intercepting Proxy
    SSL MITM
    Content Analysis
    Customizable alerts
    Database and Shared Data Model

2.   So to launch Vega in Kali Linux...go to Web Applications then to Web Vulnerability Scanners and select Vega

 Vega will flash an introduction banner and display a GUI

Vega has Scanner and Proxy tabs as u play with the interface as seen below. To use Vega as a Scanner,click on the Scanner tab , click on Scan on the top-left corner and select to start new scan
 You will see an input field asking for the target. The screen shot tested below is targeting www.thesecurityblogger.com. Choose target and click on Next:











3.   It takes time to scan but gives pretty exhaustive results and presents a summary too.

Tuesday, July 09, 2013

Saturday, September 03, 2011

HDFC CLEAN BOWLED by Hidden SQL Injection Vulnerability



1.  Howoften do we find ourselves getting irritated with the constant reminders from banks to change passwords every 15 days...to include few small cases,few caps,few numbers and few special characters and more often then not 40% of the account holders forget keeping a tab on what was the last password.....Inspite of heavy claims by most of the banks that they have the highly secured banking netwrok here comes a boomrang for HDFC...inspite of ample number of warnings by zSecure , a firm committed in providing comprehensive and cost-effective Penetration Testing services Networks, Servers and Web application,HDFC had no inkling of what they were warned about and what was supposed to be done....simply banking on some third party solution and getting into a SURRENDER SITUATION.....the story goes like this

HDFC was warned about Hidden SQL Injection Vulnerability by the firm ZSECURE.The subject vulnerability was discovered on 15-July-2011 and was reported on 17-July-2011 (reminder sent on 24-July-2011). The HDFC Bank’s team took around 22 days to respond to our e-mail and their first response came on 08-August-2011 with a message:

“Thank you for sending us this information on the critical vulnerability. We have remediated the same.“

After their e-mail, we again checked the status of said vulnerability and found that the vulnerability was still active on their web portal. We immediately replied to their email with additional proof of vulnerability and asked them to fix the same asap. Later on, after 2 days we again received an e-mail from their team with a message:

“We have remediated all the vulnerability reported on our website. Also we have got the application vulnerability assessment performed through one of our third party service provider and they confirmed that there are no more SQL Injection vulnerability.“

Their above response left us with an unexpected surprise. We were not able to believe that such a big organization doesn’t have proper vulnerability assessment in place because we already reported the vulnerability to them and even after conducting vulnerability assessment from a third party (as claimed) they were not able to find the active vulnerability in their web-portal.Thereafter, we sent complete inputs about the vulnerability to their security team and finally the vulnerable file was removed from HDFC’s web-server.

2.  The story goes on to confirm how much vulnerable we all are to such holes.Not blaming the bank singly,but the policies and the measures supposed to be taken and adopted have no firm policies on date.It is entirely left to the third party dependency solution....its high time for all banks to constantly take measures and keep itself updated to all new vulnerabilities hanging around......

Powered By Blogger