Raesene's Ramblings

Most of the questions I got after my talk were around how people can look to secure their application. I mentioned a couple of sites and it's probably worth expanding on the points made.
Web Application Security
For people looking to understand how to secure their web applications, in my opinion the best source of free information is the OWASP project . It's an umbrella for a number of web application security efforts.
They've got a wide variety of projects which target management, security testers and developers, but some of the best places to start for developers are the Owasp developers Guide which covers a wide range of topics about secure development in a fairly generic way, and there's also the Ruby on Rails Security Guide here or here which covers rails specific topics.
Both of those documents are relatively large but well worth delving into. For a quick few of the "most serious" web application security issues, OWASP also has the Top Ten project. The latest version, current in RC1 has some good summaries of the top risks, and is a good place to start getting an idea of the areas to be addressed...
There's also a newish book dedicated to the topic of security on rails. I picked up a copy at the conference (I'm a sucker for the O'Reilly stand!), so I've not had time to get all the way through it, but first impressions are that it'll be very good, with concrete examples of broken rails applications and how to fix them.

Just had the first day of the Scottish Ruby Conference. The venue was awesome, there'll doubtless be lots of good pictures up on places like flickr in due course, but here's a couple I snapped with my Nokia n900. The three track rooms were the Conference Hall, the Great Hall and my personal favourite the "new" library.
The talks were interesting as always, personal highlight for me had to be Jim Weirich managing to go from particle physics to functional programming seamlessly in a single talk!
my talk was on breaking things with ruby and was a pretty quick look at the world of penetration testing and some of the cool projects (primarily Metasploit) which use ruby in this area. My slides can be found here and if people are interested in more information on the topics I covered here's some good linkage to start with.
Metasploit
The Main Metasploit Website . This is the best place to start. There's also a wiki and source code repository on their redmine site here
Metasploit Unleashed. This is a free training course from Offensive Security which offers a good place to start with Metasploit, and covers a lot more ground than I could today.
Blog-wise there's a couple of places I consistently find good information on Metasploit. Carnal0wnage's blog and the Dark Operator blogs have lots of posts on what can be done with Metasploit, as well as the Official Metasploit Blog of course.
Also on twitter following @hdmoore, @carnal0wnage and @egyp7 is a good place to start.
Lastly if anyone's looking for videos demonstrating Metasploit, there's quite a few on Security Tube amongst other places.

If you've not already heard about it, the Scottish Ruby Conference is coming up in March in Edinburgh. There's a really interesting set of presentations lined up for this years conference, and the hardest thing, I reckon, will be picking between the three tracks!
I've been very lucky to get my talk accepted for this years conference, so I'll be talking about "Breaking things with ruby". It sits very nicely for me at the corner of two of my main computing interests. Using ruby and ... well breaking stuff!

After reading a post by Gursev Kalra here, I decided to have a shot at putting together a slightly expanded version of his ssl Cipher suite checking code in ruby.
I've got it working reasonably well in my tests and it can chuck out reports in text and XML . The code for the main script and a Metasploit module which does the same is here. Any feedback/suggestions welcome :)

I've been meaning to do a post on burp for a while, and courtesy of my new years resolution to stop procrastinating, here it is :)
I was thinking of a way to sum up burp, so far the best I've got is "If you're doing web application testing and not using Burp, you're missing out !", it is that useful...
Burp has been around for a while now as one of a group of handy web application proxy tools along with the likes of Web Scarab and Paros. Over time it's developed a huge range of handy features, which make web app. testing a lot more productive.
There's the basics, in terms of intercepting and modifying requests, which all the tools in this category tend to do quite well, but on top of that there's just loads of other things that Burp does.
The Web app scanner is a good targetable way to test for several types of common web app vulnerabilities. As an add-on in the latest beta, there's a wizard which lets you reduce the number of requests that Burps going to make, by removing duplicates and similar requests. If you've used many commercial web app. scanners you'll know that volume of requests generated can be a real problem, so anything that can help bring down the load is useful.
Another stand-out feature of Burp for me, is intruder which lets you pick a specific parameter or set of parameters from a request and easily modify them. As an example pretty much every time I see a URL that looks like request.asp?id=123 , it's going to be worth running burp Intruder over that parameter to see what pops up when you change that value.
One of the things I have found about burp is that it's easy to miss functions that are available and not get the best out of it. Luckily there's a blog which covers a lot of the new features as they come out. Also I need to mention the Burp Tip of the Day series of posts on Cktricky's blog which has loads of good tips on getting more out of Burp.

So, we're back from a bit of an unscheduled break for my web server. The hosting company had a bit of a problem with disks, so my VM has been out of action for a week or so.
Luckily, my backups worked pretty well so minimal content lost. I'm using the rather unorthodox backup over SMTP, which seems to work pretty well for smaller files. I knocked up a ruby class called Rbackup and just have a script running in cron nightly...
Actually had a trio of hardware failures over the festive period (2 hard disks and a graphics card), which just goes to show that checking backups (and restores!) is very important and not to be put off...

I got a Nokia N900 the other week and I've started playing around with the software.
At heart it runs Maemo Linux which is based on debian, so in theory any software that runs on debian should run on the phone !
Also unlike other smart phones which can be coaxed into running linux, the N900 has a shell out of the box and getting root access just requires a package install and issuing the "sudo gainroot" command.
So far I've found the ssh client pretty handy, and openvpn is available in the maemo-testing repository for all your vpn needs.
In terms of the hardware it's got a variety of interfaces which could be pretty cool for hacking testing. There's wifi and GPS for war-driving/walking and obviously having 3G data is pretty useful when out and about :)
Getting software to run on it, isn't always quite as straightforward as just apt-get, as the repositories don't have the breadth of the debian ones yet. So if it's not already available in maemo-extras/testing/devel then cross-compiling is the way to go.
The Cross-compile environment is reasonably straightforward to get set-up and there's instructions on the maemo wiki for packaging apps
So far I've ported nmap 5.00 across to it, and that runs just fine, kismet seems to run ok but the default console colours make it a bit unreadable, so more work there.
Ruby 1.8.7 is available in the repositories and I've had Metasploit running (albeit a bit slowly).
All in all it's definitely smarter than your average smart phone!

OWASP Scotland November meeting is next Thursday, the 26th. We've got something a bit different lined up with the main presentation being one on physical security and lock picking (hey if you can break into the server room and take the box, who needs SQL injection ;oP )
More information here

I've been using Dradis for a couple of months now. It's an interesting piece of software that's designed to help teams of people share information on penetration tests.
That said I find it useful on the tests I do even when I work alone.
Essentially Dradis provides the base environment for users to work in, either from the command line or the rails based web interface, and then pretty much lets them get on with it, so it can be a bit difficult to work out how you want to use it at first, but once you get used to it it's very handy!
What I've done is started to create templates for information that I need to collect during a test and areas to review, that way it reduces the number of times I get into writing the report and realised I've missed something ;o). Once you create the tree structure in Dradis, containing any information you want, you can export it as a single file and then re-use it as a template on future tests (for example one for web application tests, one for infrastructure etc)
you can also import information from other tools (nmap, nikto, nessus and burp at the moment) into Dradis, meaning you've got a single place to view all the information relating to the test.
It's well worth a look, as it's under active development there are new features coming pretty frequently. Also there are guides on the site for prospective developers and as it's all done in ruby it's nice and easy to start coding for!

The OWASP Scotland september meeting is all set for Tuesday the 15th of September.
We've got three good speakers lined up so, it's shaping up to be a good meeting.
More details here . Meeting is open to all, but if you're planning to come along, please RSVP to me at this address, so we can get an idea of numbers.