Best to skip the pen test gigs whose attack windows are too short

Staffing and teams
- On small startup type teams, the team is everything, a bad team member can kill the product and the company.
- On particularly agile teams, having agile people is better than having technology experts.
Defending data? Incentivize.
Defending boils down to skill and incentive.
Tools that provide visibility are required, but that’s another topic. Skill is also an obvious requisite.
How about incentives? What incentives are in place for security engineers to really dig in and be great defenders?
Tier one engineers working out of traditional MSSPs are paid in the $20 per hour range or lower and by the nature of their position they have minimal understanding of anything of substance about their clients’ networks.
Opposite that, I know a very talented group of engineers working at an expensive outsourced IT/software company who are responsible for their company’s top paying customers. They breathe uptime. Heads roll and the company loses money when downtime occurs. Security is barely an afterthought. Even if they do see a security issue, they may skip reporting it: why create more support tickets and work?
It doesn’t make sense to punish defenders for failing to prevent infiltration – that is to be expected today. Simply detecting one is a great accomplishment.
To move defenders to be great defenders, reward them for detecting infiltrations.
I think it would be great for companies to hire an outside party to perform unauthorized activity at an increasing pace and breadth until someone responsible for monitoring sounds the alarm. Reward those who discovered the activity. Do it frequently. Change it up. Make a competition out of it. No doubt this would help weed out bad performers, be they internal or external.
This is very similar to what I’ve seen a few hospitals implement. If an employee stops and challenges a person without a badge then they receive a $100 bonus.
I’m not promoting pen. testing here, though it’s a good example of a challenge. I think simple and frequent small scale tests tied to rewards would work wonders for many security groups and for the companies wanting to keep their assets protected.
frustrating log forwarding issue, resolved it today!
I ran into a technical logging obstacle and I finally passed it today.
Setup:
- A large number of linux servers deployed over disparate locations and connected via consumer cable and xDSL lines
- All of them are configured to forward logs to a remote central log server via syslog-ng and UDP (client prefers UDP over TCP)
Problem:
- We were noticing a growing percentage would stop forwarding logs to the central log server
Troubleshooting notes:
- Timing seemed random; many clients forwarded logs successfully for weeks or months, some clients would stop forwarding after a few weeks, a few would stop in a couple of days
- All other connectivity appeared fine when troubleshooting (e.g. ssh worked, http worked, icmp, etc.)
- On each server, syslog-ng was running, logging locally fine, and showed no error conditions (but we observed no outbound traffic when executing tcpdump port 514)
- We did notice if we restart syslog-ng, forwarding would work again and we would immediately observe new logs appearing on the central log server
Quick thoughts and things we tried:
- Okay, configs are likely good because all works when restarting
- Network issues? But then why does restarting syslog-ng have an immediate and somewhat lasting effect?
- Alright, let’s upgrade to the latest syslog-ng 2.x suite (libol, eventlog, syslog-ng) because maybe we’re running into a weird bug
Finale:
- After upgrading a dozen or so and waiting a week, we noticed two or three stopped forwarding logs again
- We executed tcpdump port 514 and again observed no outbound traffic
- We restarted syslog-ng and as before, observed new logs appearing on the central log server. This time it caught our attention that our tcpdump window still showed no outbound traffic even after the syslog-ng restart. Ah, now we’ve identified the information we were neglecting to consider: multiple interfaces.
[tt@00-e0-4d-8d-ce-3b ~]$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr
[]
tun0 Link encap:UNSPEC HWaddr
[]
We executed tcpdump -i tun0 port 514 on a server for which we had not observed log messages on the central log server in some time. By watching tun0, we now observed outbound UDP packets, but the central log server was still not receiving them. When we restarted syslog-ng on this server, we now noticed a significant change in the tcpdump output. The first three lines below were observed when the central syslog server was not receiving messages and the second three lines are after we restarted syslog-ng.
15:57:22.009114 IP 01-01-01-01.att-inc.com.40655 > 555.55.253.145.syslog: SYSLOG authpriv.notice, length: 132
15:57:22.187959 IP 01-01-01-01.att-inc.com.40655 > 555.55.253.145.syslog: SYSLOG syslog.info, length: 104
15:57:22.188023 IP 01-01-01-01.att-inc.com.40655 > 555.55.253.145.syslog: SYSLOG syslog.notice, length: 97
15:57:22.699615 IP 777-777-229-216.static.data393.net.60408 > 555.55.253.145.syslog: SYSLOG kernel.notice, length: 249
15:57:22.700051 IP 777-777-229-216.static.data393.net.60408 > 555.55.253.145.syslog: SYSLOG kernel.notice, length: 254
15:57:22.700108 IP 777-777-229-216.static.data393.net.60408 > 555.55.253.145.syslog: SYSLOG kernel.notice, length: 246
Problem discovered (some of the IP information above was changed for obvious reasons).
On reboot or startup, tun0 is brought up and syslog-ng forwarded logs with the correct source IP for this environment (the one assigned to tun0). The catch is when an openvpn connection would bounce on a live system (i.e. tun0 would go down), syslog-ng would fall back to using the source IP assigned to eth0 and continued to use that IP even after tun0 was brought back up, which broke the forwarding of logs in this environment. Syslog-ng required a restart after tun0 would go down in order to use the proper IP (as observed in the tcpdump output for tun0 above). The flapping openvpn connection was the culprit.
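As an added example (not part of the original post), here is a small Ruby check that parses tcpdump syslog lines in the format shown above and reports which source address each forwarder is using. On a healthy VPN client only the tun0 address should appear; a forwarder that has silently fallen back to its eth0 address shows up immediately, and expected forwarders with no packets at all are listed as silent. The sample lines are constructed from the post's (already obfuscated) output; the hostnames and the "expected source" value are assumptions for illustration.

```ruby
# Added example, not from the original post: parse tcpdump syslog lines and
# check which source address each forwarder is using, so a client that fell
# back to its eth0 address (as described in the post) stands out.

# Constructed sample, modelled on the post's obfuscated tcpdump output:
# three packets from the ISP-facing (eth0) address, three from the VPN (tun0) address.
SAMPLE_TCPDUMP = [
  "15:57:22.009114 IP 01-01-01-01.att-inc.com.40655 > 555.55.253.145.syslog: SYSLOG authpriv.notice, length: 132",
  "15:57:22.187959 IP 01-01-01-01.att-inc.com.40655 > 555.55.253.145.syslog: SYSLOG syslog.info, length: 104",
  "15:57:22.188023 IP 01-01-01-01.att-inc.com.40655 > 555.55.253.145.syslog: SYSLOG syslog.notice, length: 97",
  "15:57:22.699615 IP 777-777-229-216.static.data393.net.60408 > 555.55.253.145.syslog: SYSLOG kernel.notice, length: 249",
  "15:57:22.700051 IP 777-777-229-216.static.data393.net.60408 > 555.55.253.145.syslog: SYSLOG kernel.notice, length: 254",
  "15:57:22.700108 IP 777-777-229-216.static.data393.net.60408 > 555.55.253.145.syslog: SYSLOG kernel.notice, length: 246",
]

# One tcpdump line for a UDP syslog packet: time, source host and port, destination, priority, length
TCPDUMP_SYSLOG_RE = /\A(?<time>\d\d:\d\d:\d\d\.\d+) IP (?<src>\S+)\.(?<sport>\d+) > (?<dst>\S+)\.syslog: SYSLOG (?<prio>\S+), length: (?<len>\d+)\z/

Packet = Struct.new(:time, :src, :sport, :dst, :prio, :len)

# Parse capture lines; lines that are not syslog packets are skipped.
def parse_tcpdump(lines)
  lines.each_with_object([]) do |line, packets|
    m = TCPDUMP_SYSLOG_RE.match(line.strip)
    next unless m
    packets << Packet.new(m[:time], m[:src], m[:sport].to_i, m[:dst], m[:prio], m[:len].to_i)
  end
end

# Packet count per source host.
def packets_by_source(packets)
  packets.group_by(&:src).transform_values(&:size)
end

# Source hosts other than the one the collector expects (the VPN address).
# Any hit here means log traffic is leaving on the wrong interface and will not reach the collector.
def unexpected_sources(packets, expected_src)
  packets.map(&:src).uniq.reject { |src| src == expected_src }
end

# Forwarders that should be reporting but sent nothing in the capture window.
def silent_sources(packets, expected_srcs)
  expected_srcs - packets.map(&:src).uniq
end

if __FILE__ == $PROGRAM_NAME
  packets = parse_tcpdump(SAMPLE_TCPDUMP)
  vpn_src = "777-777-229-216.static.data393.net" # assumed tun0 address of this client
  packets_by_source(packets).each { |src, n| puts "#{src}: #{n} packet(s)" }
  unexpected_sources(packets, vpn_src).each { |src| puts "WARNING: syslog leaving from unexpected source #{src}" }
end
```

In practice the capture would come from `tcpdump -i tun0 port 514` on the client, or from the collector side, where the same per-source counts over a time window also reveal clients that have gone quiet.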
Need to create a quick script to detect if a credit card number pattern is being written to any file on a Linux server?
Try inotify.
Inotify is a Linux kernel feature that monitors file systems and immediately alerts an attentive application to relevant events, such as a delete, read, write, and even an unmount operation.
The Inotify-tools library provides a pair of command-line utilities to monitor file system activity:
- inotifywait simply blocks to wait for inotify events. You can monitor any set of files and directories and monitor an entire directory tree (a directory, its subdirectories, its sub-subdirectories, and so on). Use inotifywait in shell scripts.
- inotifywatch collects statistics about the watched file system, including how many times each inotify event occurred.
We just need to check two events:
- IN_CREATE: file/directory created in watched directory
- IN_MODIFY: file was modified
#!/usr/bin/ruby
require 'inotify'
require 'find'

raise("Specify a directory") if !ARGV[0]
directory = ARGV[0]

# Credit card candidate pattern: 13-16 digits, optionally separated by spaces or dashes
CC_PATTERN = /\b(?:\d[ -]*){13,16}\b/

i = Inotify.new
watches = {} # watch descriptor => watched directory, so events can be resolved to a full path

t = Thread.new do
  i.each_event do |event|
    next if event.name.nil? || event.name.empty? # event on the watched directory itself
    path = File.join(watches[event.wd] || directory, event.name)
    next unless File.file?(path)
    begin
      File.open(path) do |f|
        f.grep(CC_PATTERN) do |line|
          puts "Detected credit card pattern in file #{path}\n"
        end
      end
    rescue
      puts "Could not read #{path}: #{$!}"
    end
  end
end

# Watch the directory and every subdirectory for created and modified files
Find.find(directory) do |e|
  next unless File.directory?(e)
  begin
    watches[i.add_watch(e, Inotify::CREATE | Inotify::MODIFY)] = e
  rescue
    puts "Skipping #{e}: #{$!}"
  end
end
t.join
Not too bad for an hour of playing around. It works.
I used the ruby inotify version 0.0.2 from http://raa.ruby-lang.org/project/ruby-inotify/, but if you do that, then you need to fix line 47 - change it to:
r = rb_thread_select (fd+1, &rfds, NULL, NULL, NULL);
as documented here: http://www.mindbucket.com/2009/02/24/ruby-daemons-verifying-good-behavior/. The code above I modified from the example included with ruby inotify.
- credit card number regex found here: http://www.regular-expressions.info/creditcard.html
- inotify-tools: http://inotify-tools.sourceforge.net/
- ibm inotify tutorial: http://www.ibm.com/developerworks/linux/library/l-ubuntu-inotify/index.html
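The regex above flags any run of 13 to 16 digits, so tracking numbers and similar values trigger it too. As an added example (not part of the original post, and independent of inotify so it runs anywhere), the following Ruby pairs the post's regex with a Luhn checksum to drop candidates that cannot be card numbers. The log lines are constructed for illustration.

```ruby
# Added example, not from the original post: the post's credit card regex plus a
# Luhn check over constructed log lines. The regex alone matches any 13-16 digit run;
# the Luhn check removes most non-card numbers before anyone is alerted.

# The candidate pattern used in the post (13-16 digits, optional spaces/dashes between them)
CC_CANDIDATE = /\b(?:\d[ -]*){13,16}\b/

# Constructed sample lines (the card number is the well-known test number 4111 1111 1111 1111)
SAMPLE_LINES = [
  "2009-03-01 10:00:01 order 8847 card 4111 1111 1111 1111 exp 12/11",  # passes Luhn
  "2009-03-01 10:00:02 tracking number 1234567890123456 shipped",       # 16 digits, fails Luhn
  "2009-03-01 10:00:03 nothing to see here",
]

# Luhn checksum over a string of digits: double every second digit from the right,
# subtract 9 from doubled values above 9, and the total must be divisible by 10.
def luhn_valid?(digits)
  return false unless digits =~ /\A\d+\z/
  sum = 0
  digits.reverse.each_char.with_index do |ch, idx|
    d = ch.to_i
    if idx.odd?
      d *= 2
      d -= 9 if d > 9
    end
    sum += d
  end
  (sum % 10).zero?
end

# Digit runs matching the post's regex, with separators stripped
def card_candidates(line)
  line.scan(CC_CANDIDATE).map { |m| m.delete(" -") }
end

# Candidates that also pass the Luhn check
def likely_card_numbers(line)
  card_candidates(line).select { |digits| luhn_valid?(digits) }
end

# Scan many lines; returns [line_number, number] pairs for likely card numbers
def scan_lines(lines)
  lines.each_with_index.flat_map do |line, i|
    likely_card_numbers(line).map { |n| [i + 1, n] }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_lines(SAMPLE_LINES).each { |ln, n| puts "line #{ln}: likely card number ending in #{n[-4..]}" }
end
```

Dropping `scan_lines` into the inotify handler in place of the bare `grep` keeps the same detection but cuts the false positives; printing only the last four digits avoids copying the full number into yet another log.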
removed for the time being
removed for the time being...
Insects
A friend told me recently his new security hire has two passions in life: security and poker. The word passion is strong and I can imagine this new hire’s use of that word and his subsequent explanation helped him to win the position. If his win was from describing his poker passion, then that’s cool and I have nothing to add.
Anyhow, this made me wonder if there's an area of security I could say I'm currently passionate for. One area did stand out and the distinction I made was between offensive and defensive security.
For me, defensive security is it.
I’m not convinced my career survival instincts are somehow overpowering my reason, but to me it feels like to be awesome at offensive security is to be an insect. Thinking back over several penetration tests I clearly remember wishing I had more knowledge of the workings of a particular exposed service or application.
This is not to say it’s not fun to be an insect at the right time. With penetration testing, it can be crazy fun to be an insect, surrounded by lots of other insects of different skills, and all attacking the same target with abandon. It’s not though when you run with a small crew and run into a service or app for which no one has familiarity.
Defense on the other hand is a lot less insect like. You can be really good yet skip out on the training for your newly deployed app server. Playing defense therefore is an evolutionary step up of sorts and requires more intelligence than playing the offensive insect (pun intended).
Ha. Only kidding.
My take is a small and intelligent team can play defense very well without the need to dive deep into their infrastructure's every exposure. That is why I like defense - you can grasp its entirety.
Know thy network well
There is a good newsgroup thread running on Dailydave.
http://seclists.org/dailydave/2008/q4/0085.html
The takeaways are familiar reminders for the cognoscenti, but it’s still good to read and good for referencing.
“Patch management, IDS, Anti-Virus, scanners of all shapes and sizes. Audits” don’t work against competent attackers.
I'm a big fan of using tools that help me get visibility into what is happening on a network, which is why I like these statements: “And they [Penetration testers] agreed on two things: the threats you know about are not the ones you need to worry about; and every network is own-able. Every. Single. One.”
“If you accept the premise that it's not possible to protect every asset (or even protect any single asset completely), then the logical action is to identify the most valuable assets and secure them to the best of your ability” column by Dennis Fisher
“Baseline system and network behaviour. Analyse any abnormal behaviour. (Easier said than done. You may never see anything.)” (raus)
“I would also note that it's misleading to say you should throw in the towel because one unpublished vuln can pop your box. There is more to it than that if you are doing your job right. Can they pop it without being discovered... for how long, and how often?” (Dragos Ruiu)
“The biggest threat to the average computer user is not zeroday vulnerabilities but system misconfigurations and vulnerabilities within third party applications. Most organizations are only just starting to get a handle on patching Microsoft vulnerabilities let alone third party applications. This becomes even more apparent with consumers and small to medium sized businesses where they only have Windows Update and WSUS to depend on. There is simply no third party patching being done in these environments making it a LOT more likely for them to get owned with a 6 month old Adobe Acrobat vulnerability than some zeroday vulnerability. This is currently the lowest hanging fruit for attackers and does not require an attacker to have large sums of money to waste on buying zeroday attacks.”
It’s clear security teams must deploy tools that add to their sense of understanding for what is normal activity. You want intuition and clarity. You want to have that gut-instinct and confidence that you can detect if something is not quite right. The way to do that is to deploy tools that enhance visibility (i.e. tools that show you traffic patterns and volumes, running applications, logins, tools that point out unusual activity, etc.).
popular clearnet blog entries from the past
Having never looked back until now, I decided to link to my more popular posts of time past. Here are five:
Unbalanced reliance on prevention
Competing for network based security assessments
Compromised, Where are the logs?
Attackers will win so what can you do?
Test commercial web app scanners for free and without restrictions
this will fuel paranoia
How soon will we see crazy apps built on top of something like macrosense? The more wile and guile types will welcome this to sweeten their malevolence.
- "What if you could look at your cell phone and see a heat map of where everybody in the city was at that very moment?"
- "Over time, it learns about where you like to go (fancy restaurants or punk rock clubs) and shows you other people like you, and where they are—right now."
- "Imagine a GPS that didn’t just tell you where you are or where your programmed destination is, but a GPS in your phone that actually predicts what you want to do and where you want to go."
Yeah, it’ll be wonderful when you’re driving along and the GPS announces the strip club is up on the right when your wife is riding along. Honey, I have no idea why the GPS thinks I want to go there. Stupid GPS.
News article: http://www.iht.com/articles/2008/06/22/business/22proto.php
It’s hard to build a smart SIEM
If it is good at doing A, it sucks at doing B. This is the banal trade-off of security point solutions.
WSJ recently featured SIEM in an article titled: Looking for Trouble
What is a good SIEM? I would say one that is an anomaly and misuse detection system, a sink for other like systems, and a sink for other observable facts (e.g. logs).
What does a good SIEM do? For most I believe the best answer is one that only taps on your shoulder when there is a real problem.
What does a SIEM need to do to be good? Tricky question. I would say one that understands which streams of incoming data are good for doing A (or identifying A), understands why certain streams are bad for making inferences (e.g. it's not good to automatically infer something is really important because an IDS is sending 1000 alerts per minute), and one that’s forged an algorithm mix that works.
This post is really about the answer to the last question above.
SIEMs rely on both sides of the detection coin:
- Misuse: good at detecting known attacks using signatures
- Anomaly: good at detecting unknown attacks by modeling behavior
The misuse side of the coin is clean and shiny; you can see a picture of the SNORT icon. SNORT is an example of a solid misuse detection system.
The anomaly side of the detection coin is dirty - it’s hard to see anything clearly. Why?
It’s because there is no single anomaly technique representing perfection. Stated another way, if you fall into the hole of anomaly detection techniques you’ll never hit bottom; the hole has no bottom.
- Statistics
- Probability
- Machine Learning: there are literally hundreds (maybe thousands?) of papers applying machine learning techniques to computer and network security
Anomaly detection is compounded by the fact that algorithms are often combined in different ways to detect different types of anomalies. The gigantic streams of commingled and fragmented data (e.g. logs, xflows, IDS alerts, HIDS alerts) mean huge numbers of permutations.
Circling back, to build a smart SIEM that excels at its job, it must employ and combine algorithms in a way that focuses on using the good-at-doing-A information. This means you have to experiment with mixing algorithms and chain them together so the output only taps you on the shoulder when there is a problem.
1. A simple example is taking the deluge of alerts a snort instance emits and wrapping them up in a statistics model. The better value may come from recognizing numerical changes (min, max, median, mean, standard deviation, etc.).
2. A more complicated example may be applying NLP (natural language processing) techniques to analyze logs and extract user information, coalesce misuse detection alerts, associate statistical values derived from modeling xflows, then layering additional algorithms on top to correlate and present compelling evidence of strange behavior (i.e. a problem).
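To make the first example concrete, here is an added Ruby sketch (not part of the original post) of the statistics wrapper it describes: Snort "fast" alert lines are bucketed per minute, a baseline window is summarized (min, max, median, mean, standard deviation), and minutes whose count sits far above the baseline are the only ones surfaced. The alert lines are constructed; the rule ids and addresses in them are made up and only the timestamps matter.

```ruby
# Added example, not from the original post: wrap a stream of Snort "fast" alert
# lines in a simple statistics model (per-minute counts, descriptive statistics
# over a baseline window) and surface only minutes that deviate from the baseline.

# Timestamp at the start of a Snort fast-format alert: MM/DD-HH:MM:SS.micros [**]
SNORT_FAST_RE = /\A(?<mmdd>\d\d\/\d\d)-(?<hh>\d\d):(?<mm>\d\d):\d\d\.\d+ \[\*\*\]/

# Constructed sample: ten quiet baseline minutes, one burst minute, one more quiet minute.
def constructed_alerts
  per_minute = { "10:00" => 5, "10:01" => 6, "10:02" => 4, "10:03" => 5, "10:04" => 5,
                 "10:05" => 6, "10:06" => 4, "10:07" => 5, "10:08" => 5, "10:09" => 6,
                 "10:10" => 30, "10:11" => 6 }
  per_minute.flat_map do |hm, n|
    Array.new(n) do |i|
      format("03/01-%s:%02d.000000 [**] [1:2003:8] SNMP request udp [**] [Priority: 2] {UDP} 10.0.0.%d:1024 -> 10.0.0.254:161", hm, i, i + 1)
    end
  end
end

# Alerts per minute, keyed "MM/DD HH:MM"; non-alert lines are ignored.
def count_per_minute(lines)
  lines.each_with_object(Hash.new(0)) do |line, counts|
    m = SNORT_FAST_RE.match(line)
    next unless m
    counts["#{m[:mmdd]} #{m[:hh]}:#{m[:mm]}"] += 1
  end
end

def median(values)
  s = values.sort
  mid = s.size / 2
  s.size.odd? ? s[mid].to_f : (s[mid - 1] + s[mid]) / 2.0
end

# Descriptive statistics over a list of per-minute counts
def summarize(values)
  n = values.size.to_f
  mean = values.sum / n
  variance = values.sum { |v| (v - mean)**2 } / n
  { min: values.min, max: values.max, median: median(values), mean: mean, stddev: Math.sqrt(variance) }
end

# Minutes outside the baseline whose count is more than z standard deviations above the baseline mean
def anomalous_minutes(counts, baseline_keys, z = 3.0)
  stats = summarize(baseline_keys.map { |k| counts[k] })
  return [] if stats[:stddev].zero?
  counts.reject { |k, _| baseline_keys.include?(k) }
        .select { |_, v| (v - stats[:mean]) / stats[:stddev] > z }
        .keys
end

if __FILE__ == $PROGRAM_NAME
  counts = count_per_minute(constructed_alerts)
  baseline = (0..9).map { |m| format("03/01 10:%02d", m) }
  puts "baseline: #{summarize(baseline.map { |k| counts[k] })}"
  anomalous_minutes(counts, baseline).each { |k| puts "tap on the shoulder: #{k} had #{counts[k]} alerts" }
end
```

A ten minute baseline is far too short for production; the point is the shape of the chain, where the raw alert volume never reaches a human and only the change in the numbers does.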
We’ve heard and recently noticed companies scaling back their investments in the research needed to advance solving the hard problems the developers of SIEM face. It may indicate the bigger players are planning to coast for a while on the past decade’s techniques. Fall behind though, and you’re out.
Given the advances in computing power (a big reason why AI and machine learning are so hot), it is also becoming ever more difficult to keep up with, understand, and evaluate the techniques that benefit both the builders and consumers of SIEM systems.
If you find yourself evaluating SIEM products, dig in and investigate how each works - you don’t want yesterday’s product.
A quasi technical article
A big event happened in July and it went largely unnoticed, or so it seems, so I'll announce it here. Info-zip, one of the most popular programs around, has released version 3.0! There are actually a lot of good and timely new features in the 3.0 release of the PKZip clone.
- large-file support (i.e., > 2GB)
- support for more than 65536 files per archive
- multi-part archive support
- bzip2 compression support
- Unicode (UTF-8) filename and (partial) comment support
- difference mode (for incremental backups)
- filesystem-synch mode
- among others.
Bzip2 compression is interesting; it modernizes zip a bit, but the things that are really important are the large-file support and the support for more than 65536 files per archive. Those limitations have become almost regular problems for some of us lately.
"Don’t buy technology to detect" Come again?
A SecTor keynote presenter put forward something close to that line in a PowerPoint slide.
Don't buy technology to detect
I didn’t get all the details down given I was trying to zero in on his line of thinking once I read such a startling suggestion.
He did provide his reasoning (derived from surveying business consumers of security solutions). The gist of it was that companies were deploying detection technologies (aka SIEM/log management products) and were unable, technically or resource-wise, to handle the added, compulsory workload created by the enhanced visibility.
Paraphrasing, he further suggested that companies should purchase products that do something, not ones that only do detection. He cited examples of business consumers who lack knowledgeable staff to understand the alerts detection systems produce, and ones unable to tackle the volume of alerts. I think we all can get that.
But is this really a practical suggestion? Prevention (i.e. tools that do something) is great, but detection is King! The conjecture to skip detection tools in favor of tools that do something is weak, especially if the data you are protecting has value.
How about the World Bank as a good example? It reads like they made prevention King and detection something much less.
powersploiting
I finished a 1-day whirlwind Powersploiting class taught by HD Moore. As a metasploit auxiliary author neophyte I hadn’t seen before how easy it is to write ruby snippets to customize and extend metasploit for one’s own purposes.
For example, using the scanner template below, you can write a custom TCP scanner in minutes. This often may be the quickest way to check one-off items or in-house services which require more than a SYN-ACK to get the information you want.
Metasploit scanner features:
- access to all exploit classes and methods
- support for proxies, SSL, reporting
- built-in threading and range scanning
To run your new scanner, do:
Existing metasploit scanners: http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/scanner
Mission Statements
I'm staring at a poster I kept from a former company. It was the grand accomplishment of a short lived CEO. I don't know why, but I really like to look at it; it always makes me feel good because I start laughing. No matter how life is going, I think about that and I know I'm doing okay because I'm not that incompetent.
I was a lead engineer at the company and we had a little introduction barbecue to introduce our new CEO. I went out of my way to go introduce myself and shake the new guy's hand. I got a somewhat chilling response. “Hi I'm Ian, I work in engineering, it's nice to meet you. Welcome to our company...”
His response: “Oh..”
I can't explain why but I wasn't really fazed by this; I was kind of let down and I called it his first strike, but it wasn't upsetting. It wasn't a condescending “oh, bless your heart.” It also wasn't really an “oh? well I don't like to be bothered by the little people” kind of response. It was more one of shock, kind of like “oh?! I didn't know I had an engineering team.” As far as strikes go I think of it like a foul tip.
What's more funny to me is the following work day we had an all hands meeting for him to get up and describe what his new regime was going to be like. He opened up by explaining how he had used and was into “personal coaching”, with a life coach or something similar. I have nothing really against it, but in my mind it undermined his leadership and really made the discussion more about him than the company. It was strikes 2 and 3 at the same time. It's not really good to have a CEO that needs leadership coaching or personal life coaching; you kind of need to know where you stand. And if the CEO does need that stuff, you certainly don't advertise that to the company. You never know when he might have a “breakthrough” and realize that what he really really wants out of life isn't to run some damn software company, but to groom dogs or become a massage therapist.
It became worse when I started telling people. Tate immediately and outright just started laughing when I told him and then asked if the guy happened to be shorter than average; as it turned out this CEO wasn't the tallest guy I had ever met.
He locked himself up in his office for about 1/3rd of his tenure. He produced a mission statement, by himself, complete with a catch phrase and a set of values. He was fired shortly after its unveiling. It's not exactly the Guy Kawasaki 3 word mantra.
PCI ASV re-cert test
Last year I spent hours of manual effort probing the Mastercard PCI test environment to discover all the vulnerabilities I could find. I was truly stressed. I was sure Mastercard setup vulnerabilities which were not discoverable by automated scanners. I was also excited: I wanted to compete and discover more vulnerabilities than the next guy.
How naïve huh? Well this year I did nothing. A colleague hit the Qualys “scan” button.
Screw going above the call of duty - I didn’t have to do any work and that was great. Hail PCI!
True penetration testing?
This from the new PCI information supplement: (regarding the required annual penetration testing for compliance)
The penetration tests should attempt to exploit vulnerabilities […] attempting to penetrate both at the network level and key applications
Really? I laughed when I read this, seriously. It made me think for a second about how many consultants really have the skills to chef-boy-ar-dee exploits under pressure. It’s clear too; this is not about a vulnerability sweep, they want you to bust in.
Penetration testing [..] should occur from both outside the network trying to come in (external testing) and from inside the network.
Wow. True penetration testing from inside the network? How many internal networks have you seen that would survive a blitzkrieg attack from a good penetration test team?
PCI states:“resources must be experienced penetration testers”
What does that mean?
I’m sure the PCI council is of compos mentis, and I’m not trying to rain on the PCI council or ASVs or QSAs, though it’s funny the council points out that “The PCI DSS does not require that a QSA or ASV perform the penetration test”. That statement wouldn’t be because most of them couldn’t penetration test their way out of a paper bag even if they were handed a loaded metasploit gun, right?
With the huge number of companies bemoaning PCI compliance, I just don’t see most getting a true penetration test. I guess I could be reading too much into this. Maybe the skills bar level I consider for experienced penetration testers is way higher than what the PCI council considers experienced or what others consider experienced or good?
Do you have penetration testing skills? What does that mean to you? Do you think most of the companies that buy a penetration test actually get one?
Predictive markets & betting on when apps or companies get owned
A recent WSJ article titled “Trading on the Wisdom of Crowds” sparked my interest as it may relate to security. Are there ways to build a business around helping organizations understand the risk to their data assets by using predictive market models? Or maybe building it around betting on commercial applications?
“Betting odds are generally taken as the best indicator of probable results in presidential campaigns," this newspaper explained in 1924.
I’m placing a bet that retail store XYZ gets owned and reveals grandma’s credit card details in ‘08. I’m placing another bet that application ABC will have a remote admin level vulnerability by October ’08.
Alas, we must have more transparency and trust in the publicly disclosed information to play. Participation is key as well:
Predicting markets seem to work so long as there are enough traders whose aggregate information is fully reflected in bets.
Would enough people find it worthwhile to become active traders? Maybe. There was an active predictive market created around the following question:
What will the government's 2007 computer security grade be?
It’s probably a big stretch to build a successful predictive market business around the types of security bets which would benefit organizations. By that I mean if I was responsible for a commercial application in which 75% of the traders were betting on my application being owned within the year, I’d probably work hard to change the odds (i.e. allocate resources to improving the security of my app).
When virtual servers play havoc
I recorded a tidbit which came from a comment spoken at one of this year's RSA panel tracks. I hadn't thought of this issue on a big scale. It was a comment on how disruptive an environment which frequently "resets" virtual servers as part of normal business is to security.
It's obvious such an environment can have a significant impact on security tools, especially those which strive to learn patterns or look at history or both.
I was just imagining if I was a security admin responsible for a large block of EC2 virtual servers. As part of that, maybe the use of these blocks of servers is similar to a class lab whereby students get to install and do anything they want on the servers. When they're done, the instructor runs around and resets all the servers. Extrapolate this and it can lead to a hard problem, security speaking, for general cases.
I haven't meditated on this issue, but I'm guessing it'll become more visible in short time.
Test commercial web app scanners for free and without restrictions?
If your software licensing ethics tend to contort a tad here and there, then you may find the below tricks helpful when you want to evaluate commercial web app scanners. Partaking in these tricks is slippery, and you may fall into ethical perdition, so prepare yourself!
Super simple trick #1: Request search and replace proxy
Fire up a proxy that supports request search and replace.

Let’s say an app restricts you to scan only their target site (e.g. demo.testsite.net), but you want to point the scanner to a different target.
No problema.
As shown above, I typed in demo.testsite.net for Search, and blog.clearnetsec.com for Replace. Every HTTP request passing through this proxy with a Request-URI matching the string demo.testsite.net will get replaced with blog.clearnetsec.com. The result? The app scans my blog.
Note: Super simple trick #1 only works for apps which restrict via the hostname. If the app is smarter and adds IP validation, then move along to Sort of simple trick #2.
Sort of simple trick #2: IPTables magic
This trick can add license evading umpf to your smokin’ renegade style. :)
Let’s say the app tries to validate you are only scanning the sites you're licensed for by checking the target IP addresses (regardless of how the hostnames are resolved). For example, maybe the demo version of the app allows you to only scan IP address 55.55.55.55.
No problema.
One line explanation: Setup a linux box to do routing, configure a VIP, and add two IPTable NAT rules.
The long answer.
Setup a linux box. A linux VMware image works too. Configure the network as normal – give it a standard IP, gateway, list of name servers, etc., as you would when configuring any other box on your local subnet.
Once you got that, then check out the script below.

Follow? If not, I’ll explain in more detail.
- Again, the first thing you need is a normal networked working linux box.
- There are 4 steps to facilitate a destination IP switch-a-roo:
- Configure a Virtual IP. Pick an IP located on a different subnet, don’t pick an IP on the same subnet as the primary IP.
- Enable IP forwarding.
- Setup a DNAT (Destination NAT) rule to replace the destination IP on the fly. The first IP (e.g. 55.55.55.55) is the license-locked IP. The second IP (e.g. 216.241.191.205) is the IP you want to scan.
- Setup a SNAT (Source NAT) rule to replace the source IP on the fly. The first IP (e.g. 192.168.1.101) is your workstation IP. The second IP is the primary IP address of the linux box.
The last step there, #4, is overloaded. Once you go through the steps above on the linux box, then you need to change the IP address of your workstation with the app scanner installed. You want to pick a new IP for your workstation which is on the same subnet as the VIP you configured on the linux box. You also want to change your workstation to use the linux box as your gateway to the Internet, so change the default route address to match the IP of the VIP on the linux box.
That should do it. Replace the IPs in the IPTable rules above with the IPs that work for you and scan away.
Note: You can’t always do the IPTables trick by itself; one reason is due to virtual hosting. If only one website is being hosted on the IP, then you probably can do this. If the target IP is hosting lots of domains, then you need to chain the request and replace proxy with the IPTables magic to ensure each Request-URI is for the correct host and domain.
For example, GET http://216.241.191.205/... HTTP/1.1 may not be the same as GET http://blog.clearnetsec.com/... HTTP/1.1
Super Simple trick #3: VMware snapshots
Most everyone is likely familiar with this trick. If you have a web app installed in a VMware image and you have a working license (e.g. trial license), but it expires at a certain time and date, the trick is to create a snapshot of the VMware image with the app in a working state.
Anytime you want to scan, change your host OS clock back to a time that is within the licensing window (or ensure your VMware guest image doesn’t sync the clock with the host OS when you restore the snapshot), and restore the snapshot.
Note: Some apps may call home when first launched, so it helps to create the VM snapshot when you have the app open and ready to scan.
Trick addendum:
For those web app scanners which restrict you from scanning SSL enabled sites, have no hesitation, you can work around that too.
One way is via stunnel. From www.stunnel.org.
Encrypted version with STUNNEL

+---------+        |   |    +--------+    +---------+
| non-SSL |  -ST-  |   | ---| Apache |--  | non-SSL |
| enabled |        |   |    | WITH   |    | enabled |
| client  |        |   |    | SSL    |    | server  |
+---------+        |   |    +--------+    +---------+
  CLIENT          NET      WEB SERVER      SERVICE

Note the position of STUNNEL: the "-ST-" in the diagram above. Below is an example stunnel configuration:

client=yes
verify=0
[psuedo-https]
accept = 8080
connect = blog.clearnetsec.com:443
TIMEOUTclose=0

Configure your app or browser to use the stunnel proxy listening on port 8080 and you'll be able to hit the site using HTTPS (via the proxy), but your local app or browser will only be speaking HTTP.
Quick alternate to #1 for Apache fan boys and girls:
Via Apache 2.2.x, with mod proxy and mod rewrite enabled, setup a proxy like so:
ProxyRequests On
<Proxy *>
RewriteEngine on
RewriteRule ^(.+) http://blog.clearnetsec.com/$1 [P] (or something close to this)
Order deny,allow
Deny from all
Allow from all
</Proxy>
Configure your browser or app scanner to use this Apache proxy server and all Request-URIs passed through will be rewritten to target http://blog.clearnetsec.com/.
YMMV. Have fun.