DVWA and sqlmap

Today I have been using the Damn Vulnerable Web App in conjunction with Burpsuite and sqlmap, two key tools that are part of the Kali Linux distribution.

The DVWA is a comprehensive testing area that you can install on your own machine and attack with whichever tools you feel are fit for purpose. Today, I used Burpsuite to intercept some browser messages, pulling the PHPSESSID out of the network traffic, then I’ve used sqlmap to interrogate the databases (there’s 4 in DVWA) revleaing their table and column structure.

The aim of the DVWA exercises are set out in each area of the application. I’m supposed to using SQLi techniques to gather information that should be secure. I’ll get on with that tomorrow – right now, I’m enjoying exploring the options available to sqlmap which will certainly be of use in the future.

SEToolkit

Today, I’ve been exploring the abilities of TrustedSec’s Social Engineering Toolkit which comes packaged within Kali Linux.

The documentation provided is extensive and extremely thorough and helpful. The navigation within the toolkit is user-friendly an intuitive and the number of options is phenomenal! What a serious piece of kit this is! I am certainly looking forward to delving deeper and using its powerful capabilities.

One small issue I have come across, and this is likely a rookie error on my part!, is updating the Toolkit. The startup screen says ‘There is a new version of SET available.’. I’m running 7.6.3 and the current version is 7.6.5, apparently. One of the opening options is ‘4) Update the Social-Engineer Toolkit’ which you’d think would fix this version difference. But selecting that gives the message ‘You are running Kali Linux which maintains SET updates’ and returns me to the startup screen.

I’ve run apt-get update && apt-get upgrade (as I do every evening in a crontab) but this issue persists. On checking the Github page for the SET, there’s a pile of dependencies listed, so I have added those (all were already up-to-date) and I have tried cloning the github repo but this wouldn’t overwrite the existing folder. I also ran the python script to install the toolkit, again, to no avail. There’s an seupdate file in there but I can’t get it to run; maybe I need more info on that.

Do I delete the whole folder and reinstall? That seems somewhat drastic! As with what I opened, this is probably a rookie error and something I’ll learn with more experience, so I’d best get on and gain some.

Ruby on Rails error – “Missing helper file”

We came across an odd error today and managed to find a fix for it so we thought it best to share the solution!

Later updates of Ruby on Rails will probably fix this as there’s a bug in the current versions. We think this is just an issue with Mac OSX but may be wrong.

We’re currently running OSX Yosemite with Ruby version 2.2.1p85 on Rails 4.2.1.

The issue first came up when running some RSPEC tests – it was saying that there was a missing helper file:

Missing helper file helpers//users/***/***/**/App_name/app/helpers/application_helper.rb_helper.rb (AbstractController::Helpers::MissingHelperError)

Very strange!

Anyway, we found the cause was how the capitalisation in the file path was handled in Ruby. Changing the above App_name from a capitalised initial to a lower case app_name fixed the error. Hopefully, the Ruby guys n’ gals will follow suit and fix the bug soon! There’s a thread on Github too.

Deprecated iOS methods

I had a bit of a problem today designing a nice tabbed UI for iPhone.

I wanted to manipulate the existing image on the tab bar to change its colour and to prevent iOS from changing its shading when selected/deselected. I was using an old stack of code from the ‘appearance’ delegate of UITabBarItem.

The solution was to generate a local variable for the existing icon image and to set the rendering mode:

UIImage *inboxImage = [[UIImage imageNamed:@"inbox"] imageWithRenderingMode:UIImageRenderingModeAlwaysOriginal];

Then simply use this image on the TabBar after getting hold of it via the root controller:

UITabBarController *tabBarController = (UITabBarController *)self.window.rootViewController;
UITabBar *tabBar = tabBarController.tabBar;
UITabBarItem *tabInbox = [tabBar.items objectAtIndex:0];
[tabInbox setImage:inboxImage];

I hate coming across deprecated methods as the help documentation isn’t too hot. Stack Overflow is usually pretty good, though.

What is a litigation strategy?

A litigation strategy is a forward-thinking plan that affects cases that are yet to occur.  Such a strategy cannot be applied to cases, from either a defendant or claimant perspective, that already exist – that’s not a strategic process – it is reactive to someone elses strategy, or action.

A true strategic solution to litigation involves all claims from FNoL, and even before, if implemented rigorously/correctly.

This consistent end-to-end approach to all claims will change behaviours throughout the pre-litigation lifecycle due to the stated consistency existing all through the process. It is not envisaged that spend will be reduced on litigated cases; it will not. But those cases demonstrate the loyalty to the process/strategy that makes pre-lit cases settle with a reduced spend earlier within the process.

Is a Claimant strategy diametrically opposed? No. There are clear parallels that aren’t as far apart as you might think when you look at them closely.

It is where these two well-thought-out environments co-exist that real understanding is gained. Until that scenario occurs, you are not employing strategic thinking but remain predominantly reactive – if the end game isn’t influencing the opening whistle; you’re not doing it right.

If any of that sounds appealing to you – talk to us!

Credit hire & the cancellation regs

There’s lots of noise, perhaps not so much lately, regarding the 2008 regs that require a cancellation clause be incorporated in all credit contracts signed at the consumer’s home or place of work. I’ll not go into the progression of the various cases that covered these ‘unenforceable’ and, indeed, illegal contracts – that’s been done to death elsewhere.

However, what were the regulations supposed to do? Protect the consumer, right? In the credit hire context, is that the effect? I’d say no, in reality.

The hirer always has the ability to return the vehicle to the hire provider; there’s no obligation to continue with the vehicle. So, effectively, he can terminate the accruing costs under the terms of the agreed contract conditions and warranties. These provide ‘additional benefits’ to the consumer as dwelled upon in Dimond -v- Lovell. On returning the vehicle, the consumer can still avail himself of these benefits such as the right to continue with the credit agreement and for the hire provider to recover his losses from the tortfeasor.

Exercising the right to cancel leaves the consumer liable to pay, within a reasonable time, the accrued hire costs (at the “commercial rate”) and is left on his own to recover that contentious loss from the insurers of the at-fault party.

Consumer protection? Hardly!

Has anyone run this argument? Not that I know of and brains bigger than mine have been working on this for a long time. Although there was a recent case in the Appeal Court that addressed the cancellation regs in a different context that found against the serious affect of the regulations. See Robertson -v- Swift.

Data Storage

 

It seems there will be some red faces at travel insurer Staysure after their legacy systems were hacked and customer card payment details extracted.

Reports suggest that the data taken is not directly useful as the hack only obtained the card security code, rather than the card number also. Why the CVV was stored hasn’t been explained as yet and I am sure the Data Commissioner will be wanting that question answered. The card payment rules prohibit that information from being retained. Further, to store it in an unencrypted manner opens significant risk.

I am sure that there will be an in-depth investigation of all security policies and the necessary changes implemented. The FCA may yet impose fines once the scale of the security breach is exposed.

Hopefully, no customers have had their accounts used fraudulently.

 

 

Another year!

Happy New Year! I hope everyone’s festivities went well and this post finds everyone well.

Back to work now, thankfully!

It worries me to see the floods impacting parts of the country with the current period of extreme weather. I hope the ABI & the government are able to reach an agreement for the provision of flood cover in the future. The Statement Of Principles worked OK but has now expired.

Going forward we’re looking to Flood Re to ensure that consumers can protect their property from the most devastating damage. Floods are dreadful, destroying homes, businesses and memories. Adequate protective cover is essential for everyone in the country; not just those on high ground.