This page contains a Flash digital edition of a book.
Test security | 19
malware to spread more rapidly Web 2.0
between machines as virtualisation In the past few years the Web has
becomes more widespread. BIOS level evolved from servers generating
root kits are old news, and it should content, to a more responsive and
be expected in due course root kits dynamic mixture of client/server
which target virtual hardware like the communications. At the same time
keyboard controller will be released. JavaScript injection attacks have
As the conflicker and sasser worms evolved from perceived session-
spread using hard drives, DVD and USB stealing attacks using cross site
devices by using the auto-run feature, scripting (XSS), to full exploitation
hosted virtual machines became frameworks which allow far more
infected from the host machine. The serious attacks.
physical hosted drives when shared Anton Rager demonstrated by XSS
between hosted machines auto-ran proxy the feasibility of JavaScript
and installed the worm on the hosted exploitation frameworks. Further
machine. Microsoft released a patch frameworks have since been released
which effectively disabled auto run in like BeEf proxy, XSS shell and
Windows Server 2008 in Feb 2009. Backframe. These frameworks allow
for more serious attacks to occur like
Penetrating the virtual world intercepting key presses made within
Penetration testing of virtual the victim’s browser, capturing browser
machines is no different from testing requests made and injecting requests
conventional hosts. Open ports are into the victims browser. Penetration
discovered and services running over testers now have to check for the more
those ports are tested for security dangerous XSS attacks, in various
flaws. Additional virtual support forms (reflective and persistent) with
software like WMI management common character encodings or
might also be found running on virtual browser-specific variations to bypass
machines. Interacting manually with the different input/output XSS filters.
individual virtual machines proves Matters become more complex
that the patching is recent and an if programming languages or file
updated virus system is running. An types are used which themselves are
additional problem is identifying subject to common XSS attacks due
offline virtual machines, and backup to common misconfiguration or old
Virtual machine sprawl,
images (stored offline/online) may insecure versions.
which is the uncontrolled
not be sufficiently patched before Services like Twitter, EBay, YouTube
creation and expansion
being exposed to a dangerous and LinkedIn which allow users
of the number of virtual
environment like the Internet. The to upload and modify their own
backup images themselves might be content pose a number of problems
machines, can allow
infected with malware, which needs to when performing penetration tests
worms and viruses to
be considered if an organisation had as penetration testers must test if spread throughout the
recovered in the past from a malware malicious JavaScript can be directly
data centre. As un-patched
infection. uploaded to the website, and confirm
Hosting servers that host and that the websites input and output
and insecurely configured
manage multiple virtual machines filters can cope with the various
hosted machines will be
(four or more), require more in-depth behavioural nuances when the various vulnerable to the same
and focused penetration testing to web browsers/engines render web
flaws as stand-alone
ensure that no security flaws exist pages.
operating systems and
which might adversely affect the For instance to bypass input/out
dependent hosted machines. Simple filtering of the JavaScript static word
can become reservoirs of
denial of service attacks might occur (used to run code), it is common to malicious agents if not
by killing the hosting machine; or by add a new line (represented by \n)
properly managed.
privilege escalation. within the word making JavaScript
T.E.S.T | June 09 June 09 | T.E.S.T
Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52
Produced with Yudu - www.yudu.com