Mar 17 2012

This is at least partially an appeal for information – if anyone knows of a web application scanner that does what I describe here, please let me know!

All the web application scanners I have come across so far seem to only try “online” scanning where the work is done by connecting to a web server using the same method as someone with a web browser would use. Or in other words the scanning tools replicate what an attacker might do. Hardly the wrong thing to do – it is probably the best method given that so much can only be determined by going through the web server.

In addition, there are also tools to scan the source code of web applications that you have written yourself. These pick out bits of the application that could do with looking at. Fair enough for a web developer, but I’m after something a bit different.

What I want is a tool that, when given the directory containing the website, will go through it looking for weaknesses like the following :-

  1. Look for problems with the permissions – such as directories and files writable by the web server owner.
  2. Look for common applications and components – such as WordPress – and identify them, and indicate whether they’re out of date or not.
  3. Look for signs of exploits – PHP ‘shells’ and the like.
  4. Look for content that isn’t linked to as an indication that it shouldn’t be present.

Of course most people could think of a few more things to add to that list! It would be a handy additional source of information when it comes to securing a website.
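As an added illustration of the first item on that list (example code written for this page, not a tool the post knows of), a small Python checker that walks a document root and lists everything a given web server uid/gid could modify according to the mode bits alone. The sample tree, its file names and the uid/gid values are constructed for the demo; on a real site you would pass the web server account's uid and gid and point it at the docroot.

```python
import os
import stat
import tempfile

def writable_by(path: str, uid: int, gid: int) -> bool:
    """True if an account with this uid/gid could modify path, from mode bits alone."""
    st = os.lstat(path)
    m = st.st_mode
    if stat.S_ISLNK(m):           # the link itself carries no useful mode bits
        return False
    return bool(m & stat.S_IWOTH
                or (st.st_gid == gid and m & stat.S_IWGRP)
                or (st.st_uid == uid and m & stat.S_IWUSR))

def find_web_writable(root: str, uid: int, gid: int) -> list:
    """Walk a docroot; list files/dirs the web server account could write, relative to root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if writable_by(path, uid, gid):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_docroot() -> str:
    """Constructed sample site tree in a temp dir (not a real deployment)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o755)
    layout = {                    # relative path -> mode bits
        "index.php": 0o644,
        "config.php": 0o666,      # world-writable file: bad
        "uploads": 0o777,         # world-writable directory: bad
        "static": 0o755,
        "static/logo.png": 0o444,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        if "." in os.path.basename(rel):
            open(full, "w").close()
        else:
            os.mkdir(full)
        os.chmod(full, mode)
    return root

def demo() -> tuple:
    """Scan as a foreign account (uid/gid -1 match nothing) and as the file owner."""
    root = build_sample_docroot()
    return (find_web_writable(root, -1, -1),
            find_web_writable(root, os.getuid(), os.getgid()))
```

The second scan shows the case the post warns about: when the site files are owned by the web server account itself, almost the whole tree is writable from a compromised script.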

Mar 17 2012

Given that I’m not exactly a fan of state-sanctioned marriage and, in the unlikely event of me marrying someone, it is not going to be a man (sorry guys!), I’m pretty uninterested in whether gay marriage becomes legal or not. Just like anyone else who is heterosexual, the only effect that legal homosexual marriage has on me is that I might just find myself attending such a marriage as a guest.

But given that it makes no great difference to me, I’m in favour of the recent plans of the UK government to legalise gay marriage – if something has no harmful effects on anyone else, why should it be illegal? If two people want to make the public commitment of marriage, what right has anyone to forbid that?

The religious conservatives are up in arms about the plans of course – anything that sanctions anything to do with homosexuality is going to cause them to come out of the churches up in arms, and frothing at the mouth.
Of course they have a perfect right to protest against this. And they have a perfect right to forbid homosexual marriage amongst their own congregations.

But they do not have the right to impose their views on the rest of us.

Mar 07 2012

So tonight Apple launched their new iPad, so there will undoubtedly be mass hysteria from the Apple fans, but is it interesting?

Well of course it is – whatever the specifications, it is going to sell in huge numbers and have quite a big influence on the IT landscape. But ignoring that, what has changed? And is it all good?

The big change is the use of a high-density screen – 2048×1536 in a 9.7″ screen. The use of a high-density screen might seem like it is excessive given that each individual pixel is getting towards being too small to see. But it does make the overall effect better – text (when scaled appropriately) becomes clearer, etc. After all one of the reasons that reading paper is easier on the eye is that the greater density makes things clearer.

Software that does not scale the display is going to look a bit odd – after all this screen is very roughly the equivalent of an old 1280×1024 screen (commonly a 20″ screen) in 9.7″. But I dare say Apple has a trick up its sleeve to deal with that.

But it is a bit odd that this is still not a wide-screen format screen – most other slate makers use the wide screen format so films can scale up to the full size of the screen. But Apple wants black bars! Or letter-boxing, if you insist, although as a film fan I hate that.

With any luck the new iPad’s screen resolution should trickle into other products – whilst I’m not that keen on the iPad to go out and get one, I do want to see a high-density screen on my desktop at some point. And why not? Screens on the desktop have been not just stuck at the same resolution for a decade now, but actually decreasing in resolution – before HD TV became popular, 1920×1200 was a popular resolution on flat screens; now it is 1920×1080. Except if you have very deep pockets (although even that monitor does not have the density of the new iPad).

But what else? Well, except for the new screen, it’s all a bit “Meh” … nothing shines out as a dramatic improvement.

For instance, it has a new processor. But it is only dual-core when some Android slates are getting penta-cores – usually advertised as quad core, but many are using a processor with four high speed cores and a single slow speed (and low power consumption) core.

And the rest of it looks pretty much the same as the old iPad – no memory slot for adding additional media, a proprietary dock connector and no micro-USB, so you have to make sure you have the right cable with you. And so on.

And I still find it odd that the camera pointing towards the face is of a lower quality than the camera facing out – doesn’t the front facing camera get used more for video conferencing than the other ?

Mar 07 2012

When I discovered that yet again a certain ISP had blocked my ISP’s smarthost (grr … hotmail), I needed to come up with something for my server’s Exim configuration to automatically route mail through an alternative route. For various reasons I wanted only specific domains to be routed this way (I run this other server, and it is kind of handy to have an independent mail server that isn’t dependent on it).

This is a slightly unusual setup for Exim.

I started off with setting up a couple of authenticators so that once everything else worked, Exim could actually log in :-

# CRAM-MD5 client authenticator: the secret itself is never sent over the wire
myloginMD5:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = USERNAME
  client_secret = PASSWORD
# PLAIN client authenticator: each ^ becomes a NUL separator, and the empty
# first field is the (unused) authorization identity
myloginPLAIN:
  driver = plaintext
  public_name = PLAIN
  client_send = ^USERNAME^PASSWORD

At this point, you have a secret in your configuration file, so protect it (at the very least make sure the file is not world-readable)! There also seems no obvious way to use particular authenticators with particular servers … not to say that this is impossible (it’s hard to find something to do with mail that is impossible with Exim), but I didn’t see a method to do this.

The next step is to run through your test procedure when making changes. Mine was :-

  1. Reconfigure Exim by sending it a HUP signal.
  2. Check the paniclog file to make sure it is still running.
  3. Run through a manual submission of a mail through the SMTP interface.
  4. Check the main log file to see it worked as expected.

And if you need help running through that test procedure, this would be a good time to read up a good deal more about Exim, as you probably should not be doing this until you understand a little more.

You don’t really need two authenticators here – you just need one authenticator that matches that offered by the SMTP servers you plan to authenticate to.

The next step is to modify the SMTP driver. Search for the string “driver = smtp”, and change it to look like :-

remote_smtp:
  driver = smtp
  hosts_require_auth = LIST-OF-HOSTS
  hosts_require_tls = LIST-OF-HOSTS

What we are doing here is using the normal driver with two extra options that come into play for the list of hosts (colon separated of course) – one that requires that authentication be used, and another that requires that TLS be used. The host names in LIST-OF-HOSTS need to match the names you later give to the router, otherwise a smarthost could be used without either requirement applying.

The next step of course is to run through the test procedure again.

The final step is to create a new “smarthost” router that applies for a specified list of domains :-

smarthostplusauth:
  # Deal with SMTP hosts but specifically through an authenticated SMTP server
  driver = manualroute
  domains = LIST-OF-DOMAINS
  transport = remote_smtp
  route_list = * "server1::587 : server2::587"

This of course applies only to emails that match your list of domains. If it gets used, the mail is routed through either of “server1” or “server2” on port 587 (the double colon is how a port is attached to a host in an Exim host list). I used two servers in here, so that Exim would happily deal with a server that was unresponsive, but you might prefer to use a single server. Remember that Exim tries routers in the order they appear in the configuration, so this router needs to come before the default dnslookup router; otherwise that router will route the mail directly and this one will never be reached.

And of course it’s time to run through the test procedure again.
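As an added check to go with the procedure above (example code written for this page, not part of Exim or of the original post), a small Python script that reads the transport and router blocks, expands the colon-separated host lists (treating “::” as the host/port separator) and reports any smarthost in route_list that the transport does not cover with hosts_require_auth and hosts_require_tls. The sample configuration is constructed after the snippets above, with server2 deliberately left out of hosts_require_tls; the parser only understands the plain “name:” / “key = value” form used here, not macros or list files.

```python
import re

def split_list(value: str) -> list:
    """Split an Exim colon-separated list; '::' is a literal colon (host::port)."""
    parts = re.split(r"(?<!:):(?!:)", value)
    return [p.strip().replace("::", ":") for p in parts if p.strip()]

def parse_sections(text: str) -> dict:
    """Read 'name:' blocks of 'key = value' lines ('#' comment lines skipped)."""
    sections, current = {}, None
    for line in map(str.rstrip, text.splitlines()):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith(":") and not line[0].isspace():
            current = sections[line[:-1]] = {}
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return sections

def check_smarthosts(text: str) -> list:
    """Report route_list hosts missing from the transport's hosts_require_auth/tls."""
    cfg, findings = parse_sections(text), []
    for name, opts in cfg.items():
        if opts.get("driver") != "manualroute":
            continue
        transport = cfg.get(opts.get("transport", ""), {})
        required = {k: set(split_list(transport.get(k, "")))
                    for k in ("hosts_require_auth", "hosts_require_tls")}
        _pattern, _, hosts = opts.get("route_list", "").partition(" ")
        for entry in split_list(hosts.strip().strip('"')):
            host = entry.split(":")[0]  # drop the ':port' suffix
            for opt, hostset in required.items():
                if host not in hostset and "*" not in hostset:
                    findings.append(f"{name}: {host} missing from {opt}")
    return findings

# Constructed sample modelled on the post; server2 is left out of hosts_require_tls.
SAMPLE_CONFIG = """\
remote_smtp:
  driver = smtp
  hosts_require_auth = server1 : server2
  hosts_require_tls = server1
smarthostplusauth:
  # Deal with SMTP hosts but specifically through an authenticated SMTP server
  driver = manualroute
  domains = example.org : example.net
  transport = remote_smtp
  route_list = * "server1::587 : server2::587"
"""
```

Run against the live configuration before sending the HUP, a non-empty result means a smarthost could be reached without authentication or TLS being enforced.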