Bots Use SQL Injection Tool in Web Attack and Rant
Posted 5/15/08 by Robert from the 'catching the public up to speed' department
"The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with SQL injection attacks, says Joe Stewart, director of malware research for SecureWorks, who has documented his findings on the attack.
Stewart says the Asprox botnet’s SQL injection attack is likely a copycat of the recent SQL injection Website attacks from China, which deliver a Trojan that steals online gaming passwords. But this is the first SQL injection attack Stewart has seen using a botnet and a toolkit to do the dirty work. Asprox so far has infected over 1,000 Websites this way, he says.
“I’ve seen bots get other types of infection tools, but not SQL injection” tools, Stewart says. “It’s almost like they noticed the Chinese[-based] attack and copied their code into their own binary for their own attack... The hacks are so similar to the way the other SQL injection attacks are going." - DarkReading
3-4 years ago when I worked at SPI Dynamics (now HP) two PoC tools had been created for internal security research. They didn't do anything malicious, just tested the concept of using search engines to find hosts and test them for a SQL error message. These tools worked so well in finding 'suspect' hosts that, while it was very cool/scary, we decided speaking about it to the public was a bad idea. It was only going to have negative effects and we didn't want to be accountable for introducing this extremely handy method to the attackers, as we knew how large the problem was. 3-4 years later this is the 'new' toolkit to have on the block. This makes me wonder what is being discovered now that we won't be hearing about for another few years.
This is hardly the last you'll be hearing about . (what newbies now call google hacking)
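The injection side of this is what a web server operator actually sees in the access log. The following is an added example, not SecureWorks' tooling or anything from the DarkReading piece: it scans W3C-style log lines for the signs of this kind of attack. The log lines are constructed, and the DECLARE/CAST(0x...)/EXEC shape is an assumption based on what was widely reported for the 2008 mass-injection campaigns; the page itself does not reproduce the payload.

```python
"""Scan W3C-style web server log lines for SQL injection indicators.

Added example, not part of the original post or any SecureWorks tooling.
The log lines below are constructed. The DECLARE/CAST/EXEC rule mirrors what
was reported for the 2008 mass-injection campaigns; treat it as an assumption.
"""
import re
from urllib.parse import unquote_plus

# Constructed log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-05-14 10:01:02 198.51.100.7 GET /products.asp id=42 200
2008-05-14 10:01:05 198.51.100.7 GET /products.asp id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245%20AS%20VARCHAR(4000));EXEC(@S);-- 200
2008-05-14 10:02:11 203.0.113.9 GET /news.asp id=7'%20OR%20'1'='1 500
2008-05-14 10:03:30 203.0.113.9 GET /search.asp q=declare%20war 200
2008-05-14 10:04:00 192.0.2.55 GET /products.asp id=42%20UNION%20SELECT%20name,NULL%20FROM%20sysobjects-- 200
"""

# Each rule is (name, regex). Regexes run against the URL-decoded query string.
RULES = [
    ("mssql_exec_cast", re.compile(r"\bDECLARE\s+@\w+.*\bCAST\s*\(\s*0x[0-9a-f]+.*\bEXEC\b", re.I | re.S)),
    ("union_select", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("tautology", re.compile(r"'\s*OR\s*'[^']*'\s*=\s*'", re.I)),
    ("comment_terminator", re.compile(r"(?:--|/\*)\s*$")),
]

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def decode_query(raw):
    """URL-decode the query; decode a second time if the first pass still has %xx
    escapes, because double-encoding is a common way to slip past naive filters."""
    once = unquote_plus(raw)
    return unquote_plus(once) if "%" in once else once


def scan_line(line):
    """Return a dict describing the hit, or None if the line is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, _method, stem, query, status = m.groups()
    decoded = decode_query(query)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if not hits:
        return None
    return {"time": ts, "ip": ip, "stem": stem, "status": int(status),
            "rules": hits, "query": decoded}


def scan_log(text):
    """Scan every line; the plain 'declare war' search (line 4) must not fire."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["stem"], hit["rules"])
```

The status code is kept on purpose: a 500 next to a quote-and-OR tautology is the "sql error message" probe Robert describes, while a 200 next to a DECLARE/EXEC payload means the injection may have run and the page should be pulled and checked for injected script tags.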
Tools: Peach Fuzzer Framework 2.1 BETA2 Released
Posted 5/14/08 by Robert from the 'peachfuzz' department
The following was sent to the daily dave list today by Michael Eddington
"The latest in the Peach 2 series has been posted. This release
includes many bug fixes, features, improvements, and supersedes 2.0 as
the recommended version to use.
* Fuzzers written in XML by defining data definitions
* Unittests to improve stability and reliability
* Improved COM support including properties
* Improved state machine
* Fuzz network clients easily by listening for connections, not just
creating them
* Remote publishers allow sending data through a Peach Agent to a remote host
* Improved Linux and OS X support via debugger.UnixGdb monitor (uses
beta pygdb module)
* Deterministic fuzzing will perform test count calculation in
separate thread to speed fuzzing
* Improved documentation. See the Peach 2 Tutorial which is quickly
becoming the Peach 2 Guide :)
(website)
(downloads)
(pygdb)
"
Tools: The Browserrecon Project
Posted 5/14/08 by Robert from the 'all your fingerprints are belong to us' department
"Most of today's tools for fingerprinting are focusing on server-side
services. Well-known and widely-accepted implementations of such
utilities are available for http web services, smtp mail servers, ftp
servers and even telnet daemons. Of course, many attack scenarios are
focusing on server-side attacks.
Client-based attacks, especially targeting web clients, are becoming
more and more popular. Browser-targeted attacks, drive-by pharming and
web-based phishing provide a broad aspect of threats during surfing in
the world wide web. Attackers might initialize and optimize their attacks
by fingerprinting the target application to find the best possible way
to compromise the client.
The browserrecon project is going to prove that client-side
fingerprinting is possible and useful too. In this particular
implementation, currently available in php only, the given web browser
is identified by the http requests it sends. Similar to the http
fingerprinting provided within httprecon, the header lines and values
are analyzed and compared to a fingerprint database.
The current implementation of browserrecon is provided as a php script
and ready for live testing on the project web site. However, all
web-based scripting languages that are able to access the http headers
sent by the client are able to provide the same functionality. Further
ports to ASP.NET, JSP and classic CGI are possible. Even the web server
itself or an inline device (e.g. a sniffer or a firewall) might be able
to do the same fingerprinting of the http request behavior.
A very similar approach for client-side application fingerprinting can
be applied to other services and clients too. For example mail clients
can be identified by their individual smtp and pop3 command chains. Or
ftp clients might be determined by their specific command sequences.
"
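What makes this approach work is that the order in which a client emits its headers is a property of the HTTP stack, not of the User-Agent string, so it survives a spoofed UA. The following is an added example of that idea, not browserrecon's php code: the two signatures in the database are constructed for illustration and the names "Browser A"/"Browser B" are hypothetical; real signatures have to be collected from live clients.

```python
"""Fingerprint a web client from the order and values of its request headers.

Added example, not browserrecon's own code. The fingerprint database below is
constructed for illustration; real signatures must be collected from live
clients. Header order is the primary signal because the User-Agent string is
trivially spoofed, so it is deliberately not part of the score.
"""

# Constructed signatures: header order (lowercase) plus a few discriminating values.
FINGERPRINTS = {
    "Browser A (hypothetical)": {
        "order": ["host", "user-agent", "accept", "accept-language", "accept-encoding", "connection"],
        "values": {"accept-encoding": "gzip,deflate", "connection": "keep-alive"},
    },
    "Browser B (hypothetical)": {
        "order": ["accept", "accept-language", "user-agent", "accept-encoding", "host", "connection"],
        "values": {"accept-encoding": "gzip, deflate", "connection": "Keep-Alive"},
    },
}

# Constructed request: header order and values match "Browser A", but the UA is spoofed.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Spoofed/1.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (request line, ordered header list)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def score(headers, sig):
    """Score one signature in [0, 1]: header order via longest common subsequence
    against the signature's order, plus exact matches on the discriminating values."""
    names = [n for n, _ in headers]
    order = sig["order"]
    m, n = len(names), len(order)
    dp = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m):
        for j in range(n):
            dp[i + 1][j + 1] = dp[i][j] + 1 if names[i] == order[j] else max(dp[i][j + 1], dp[i + 1][j])
    order_score = dp[m][n] / max(m, n)
    observed = dict(headers)
    vals = sig["values"]
    value_score = (sum(1 for k, v in vals.items() if observed.get(k) == v) / len(vals)) if vals else 0.0
    # Order is weighted more heavily: it is harder for a client to change by accident.
    return 0.7 * order_score + 0.3 * value_score


def identify(raw):
    """Return (best matching signature name, its score rounded to two places)."""
    _, headers = parse_request(raw)
    ranked = sorted(((score(headers, sig), name) for name, sig in FINGERPRINTS.items()), reverse=True)
    return ranked[0][1], round(ranked[0][0], 2)


if __name__ == "__main__":
    print(identify(SAMPLE_REQUEST))
```

As the quoted text notes, the same comparison can be done by an inline device instead of the application: anything that sees the raw request before a proxy or framework normalises the headers can compute this score, and a proxy in the path that reorders headers is exactly what breaks it.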
Tool Release: tmin: Fuzzing test case optimizer
Posted 5/6/08 by Robert from the 'throw your fuzzer in the aiiirrrr like you's a true playaaaaa' department
Michal Zalewski has released tmin. From his announcement to bugtraq
"I'd like to announce tmin - a free, quick, and handy tool to quickly and
effortlessly minimize the size and syntax of complex test cases in
automated security testing. I found the tool to be remarkably useful, as
it saved me from hours of manual guesswork a number of times already - so
I thought it's good to share.
The tool is related to delta (http://delta.tigris.org), a sophisticated
test case optimizer for well-structured input formats - but tmin is
designed specifically for dealing with unknown or insanely complex data
layouts, including binary files (without the need to encode, tokenize, and
re-serialize testcases), for hands-off detection of common security fault
conditions, and for easy integration with GUI application testing
harnesses.
[ It is also capable of reducing the complexity of alphabets used in
datasets that cannot be further trimmed down in size, which is nice. ]
Download & documentation:
A quick teaser:
$ cat testcase.in
This is a lengthy and annoying hello world testcase.
$ cat testme.sh
#!/bin/bash
grep "el..*wo" || exit 0
exit 1
$ ../tmin -x ./testme.sh
tmin - complex testcase minimizer, version 0.03-beta (lcamtuf@google.com)
[*] Stage 0: loading 'testcase.in' and validating fault condition...
[*] Stage 1: recursive truncation (round 1, input = 53/53)
[*] Stage 1: recursive truncation (round 2, input = 27/53)
[*] Stage 1: recursive truncation (round 3, input = 14/53)
[*] Stage 1: recursive truncation (round 4, input = 10/53)
[*] Stage 1: recursive truncation (round 5, input = 8/53)
[*] Stage 1: recursive truncation (round 6, input = 7/53)
[*] Stage 2: block skipping (round 1, input = 7/53)
[*] Stage 2: block skipping (round 2, input = 6/53)
[*] Stage 2: block skipping (round 3, input = 5/53)
[*] Stage 3: alphabet normalization (round 1, charset = 5/5)
[*] Stage 3: alphabet normalization (round 2, charset = 5/5)
[*] Stage 4: character normalization (round 1, characters = 4/5)
[*] All done - writing output to 'testcase.small'...
== Final statistics==
Original size : 53 bytes
Optimized size : 5 bytes (-90.57%)
Chars replaced : 1 (1.89%)
Efficiency : 9 good / 49 bad
Round counts : 1:6 2:3 3:2 4:1
$ cat testcase.small
el0wo
Enjoy,
/mz"
Layer 1 attack shuts down Peter Gabriel website
Posted 5/5/08 by Robert from the 'that's one way of shutting down bad music' department
As reported by thereg Peter Gabriel's website was attacked this morning, this time at .
From
"Real World, Peter Gabriel and WOMAD web services are currently off-line. Our servers were stolen from our ISP's data centre on Sunday night - Monday morning. We are working on restoring normal service as soon as possible.
If you want WOMAD tickets in a hurry they are available from various retailers like Ticketmaster, we hope to have our store running again soon and will keep you posted on developments.
"
If you're in charge of security planning for your infrastructure, this is a friendly reminder to review your access policies :) More info at The Register.
Good Worms Are a Bad Idea
Posted 5/5/08 by Robert from the 'mealworms rejoice' department
"Some bad ideas seem to live on forever. One of the big ones in computers is to use hacker tactics to perform white-hat operations on an Internet scale. The classic example of this is the "good worm" idea: a worm that spreads among computers to improve their security.
There have been attempts at this in the past, most famously Welchia, a worm that exploited the infamous Windows RPC/DCOM network vulnerability in order to patch it. There were also reports years ago of Hewlett-Packard launching a good worm, but this turned out to be a more conventional scanning system that in some ways presaged NAC.
The lesson from Welchia is that these things are a bad idea. As Spencer Katt puts it well, good worms resemble their evil twins in many unpleasant ways. They invade privacy, hog resources, and potentially create vulnerabilities in the systems they infect.
More to the point, releasing them is illegal and immoral. It's also pretentious: How dare you decide what code other people should be running on their systems? How dare you say that you know better how to manage my security than I do?"
Whitepaper: Access through access by Brett Moore, attacking Microsoft Access
Posted 5/1/08 by Robert from the 'Flat files 4 lyfe' department
Brett Moore has published a great document on how to attack applications utilizing Microsoft Access. He discusses default table names, sandboxing, reading local files and more. There aren't many good papers on attacking MS Access and this is WELL worth the read. From the paper:
"MS Access is commonly thought of as the little brother of Database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test. The aim of this paper is to bring a lot of disparate information together into one guide.
MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was however the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as Access Connectivity Engine.
Although MS Jet is not as complex as more advanced databases such as SQL Server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage. Therefore it is often encountered during Web Application reviews and the potential for exploitation should be realised.
This paper will outline methods to identify different versions of MS Jet, some SQL Injection methods to use during tests, and some other techniques to access files, servers, and potentially gain command access"
Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers
Posted 4/28/08 by Robert from the 'parameterized queries 4 lyfe' department
"There’s been a lot of noise and violent thrashing over the last couple days regarding a flaw that was originally believed to be a flaw in Microsoft’s IIS (Internet Information Server), but has since been pointed out as simply a well thought out SQL Injection attack.
For those of you who aren't familiar with SQL Injection attacks, it's a pretty well known web application attack vector that exists in high volume on dynamic applications, say for instance, on your banking site. SQL Injection allows an attacker to subvert the logic of the currently running SQL query in order to interact with data more interesting to the attacker, bypass authentication/authorization, or run arbitrary commands on the operating system of the database server. "
Automatic Patch-Based Exploit Generation
Posted 4/28/08 by Robert from the 'hackers soon to be obsolete' department
"The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update.
In many cases we are able to automatically generate exploits within minutes or less. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch. Thus, we conclude update schemes, such as Windows Update as currently implemented, can detract from overall security, and should be redesigned. "
Getting started with Web application misuse cases
Posted 4/25/08 by Robert from the 'misuse me' department
writes

"When developing applications it isn't enough to think about how they will be used. You must also consider how they will be misused -- or abused -- so that you can prevent attacks. Kevin Beaver gives some examples of Web application weak spots that your development team should consider."
Bruce Schneier rants about 1984
Posted 4/4/08 by Robert from the 'take that Orwell' department
"Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced.
Data collection in Nineteen Eighty-Four was deliberate; today's is inadvertent. In the information society, we generate data naturally. In Orwell's world, people were naturally anonymous; today, we leave digital footprints everywhere.
Nineteen Eighty-Four's police state was centralized; today's is decentralized. Your phone company knows who you talk to, your credit card company knows where you shop and NetFlix knows what you watch. Your ISP can read your email, your cell phone can track your movements and your supermarket can monitor your purchasing patterns. There's no single government entity bringing this together, but there doesn't have to be. As Neal Stephenson said, the threat is no longer Big Brother, but instead thousands of Little Brothers."
IIS Vulnerability Documented by Microsoft - Includes Workarounds
Posted 4/4/08 by Robert from the 'posting news a few days late is better than nothing' department
SANS reports
"Microsoft has just put out an advisory for a privilege escalation vulnerability in Windows that affects IIS and potentially SQL Server (951306). Basically, authenticated users can use this vulnerability to become LocalSystem. This is probably more of a problem for shared hosting environments where clients could upload malicious code to the webserver and run the exploit to gain additional rights. SQL is less of a problem because permissions have to be explicitly given to allow a SQL user to run code.
The advisory contains workarounds for IIS 6 and 7 that are claimed to blunt this vulnerability. The only negative impact of those workarounds is to add some extra work when adding users, but they do block the vector of attack."
Hackers jack thousands of sites, including UN domains
Posted 4/4/08 by Robert from the 'we don't need no stinking prepared statements' department
"Large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations, have been hacked and are serving up malware, a security researcher said today as massive JavaScript attacks last detected in March resume.
"They're using the same techniques as last month, of an SQL injection of some sort," said Dan Hubbard, vice president of security research at Websense Inc., referring to large-scale attacks that have plagued the Internet since January.
Among the sites hacked were several affiliated with either the UN or U.K. government agencies, said Websense.
The exact number of sites that have been compromised is unknown, said Hubbard. He estimated that it's similar to the March attacks, which at their height infected more than 100,000 URLs, including prominent domains such as MSNBC.com. "
Hacked: Turning a women's fashion website into a porn site
Posted 4/4/08 by Robert from the 'quit your damn complaining' department
"HACKERS have turned a bitchy blog about the world of women's magazines into a porn site.
The blog by a mystery woman who calls herself “MagHag” has become a must-read for industry insiders, due to its salacious gossip about the editors of Madison, Vogue, Harper's Bazaar, Cosmopolitan and Shop Til You Drop.
Those magazine editors were yesterday left reaching for their Chanel smelling salts after a hacker posted obscene pornography on the site.
“Your Site Hacked by beyrut - don't tell me to stop,” read the new coverpage on the blog 4inchheels.wordpress.com yesterday.
“Sorry admin ownz your sistem (no war),” the hacker proclaims on the site.
At the Carla Zampatti show in Sydney yesterday, the front row was abuzz with gossip that MagHag had been sabotaged by one of her own colleagues, as the revelations on her website were so close to the bone that magazines had reportedly launched a witch-hunt to identify and sack her."
Barack Obama site XSSed, redirected to Hillary's website
Posted 4/21/08 by Robert from the 'why couldn't they have xss'd hillary's site instead' department
"Yes, XSS errors are all over the place. And YES they can affect very prominent web sites.
The discussion forum area on Barackobama.com is allegedly the victim of a XSS exploit that redirected comments from Obama's site to....HillaryClinton.com.
A hacker going by the alias of 'Mox' has claimed responsibility for the exploit. Mox argued that the Obama site was not 'hacked'.
It is because what I did was not hacking in the sense that I burrowed into some dusty server and changed the Obama site and stole all your credit card numbers. All I did was exploit some poorly written HTML code."
XSS in ISP ad page allows compromise of any website
Posted 4/21/08 by Robert from the 'xss 4 lyfe' department
"When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there's no such listing and a simple error message should be displayed.
But starting in August 2006, Earthlink instead intercepts that Non-Existent Domain (NXDOMAIN) response and sends the IP address of ad-partner Barefruit's server as the answer. When the browser visits that page, the user sees a list of suggestions for what site the user might have actually wanted, along with a search box and Yahoo ads.
The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn't exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it's the official Google site.
As a result, all those subdomains are only as secure as Barefruit's servers, which turned out to be not very secure at all. Barefruit neglected basic web programming techniques, making its servers vulnerable to a malicious JavaScript attack. That meant hackers could have crafted special links to unused subdomains of legitimate websites that, when visited, would serve any content the attacker wanted."
Are CAPTCHA's dead?
Posted 4/16/08 by Robert from the 'OCR 4 lyfe' department
"For the last few years, Captcha, the Completely Automated Public Turing test to tell Computers and Humans Apart, has been one of our main lines of defense against the machines that want to impersonate us.
Recently, though, the most popular Captcha implementations have been cracked. Bots with character-recognition ability have gotten pretty reliably good at figuring out what the distorted text says. That means they can sign up for Gmail, Yahoo, and Windows Live accounts automatically, and use those accounts for their own malicious purposes -- typically to send spam.
Websense has an interesting analysis of the cracking of the Windows Live Captcha."
Man hacks video game to propose to girlfriend
Posted 4/16/08 by Robert from the 'originality' department
"A software developer in the US used his programming skills to propose to his girlfriend by altering a copy of the game she was playing.
Bernie Peng spent a month hacking the code in Bejeweled so that when Tammy Li attained a particular score a ring appeared along with the marriage proposal.
Li accepted the proposal and the couple plan to marry on the weekend of US Labor Day at the end of August."
Google bots now submit forms in effort to find new pages
Posted 4/16/08 by Robert from the 'autoform fill' department
"Google's search bots, which scour the web constantly for new pages, have begun a new, more active phase of their indexing jobs.
In a blog post last week, Jayant Madhavan and Alon Halevy of Google's crawling and indexing team said the company has begun an experiment in which its indexing software experimentally enters text in website forms to see what previously undiscovered pages may appear.
The post said: "In the past few months, we have been exploring some HTML forms to try to discover new web pages and URLs that we otherwise couldn't find and index for users who search on Google. This experiment is part of Google's broader effort to increase its coverage of the web. In fact, HTML forms have long been thought to be the gateway to large volumes of data beyond the normal scope of search engines.""
DNS lords expose netizens to 'poisoning'
Posted 4/16/08 by Robert from the 'Amit pwned your PRNG' department
"More than a decade after serious holes were discovered in the internet's address lookup system, end users remain vulnerable to so-called domain name system cache poisoning, a security researcher has warned.
Developers of the software that handles DNS lookups have scrambled to patch buggy code that could allow the attacks, but not to the satisfaction of Amit Klein, CTO of security firm Trusteer, who over the past year has uncovered serious new vulnerabilities in multiple DNS products.
Last July, he exposed flaws in Berkeley Internet Name Domain (BIND), the most widely used DNS server. The flaws allowed attackers to predict the pseudo-random transaction number that the software uses when requesting the numeric IP address of a web site. That, in turn, could allow the attacker to supply a fraudulent address that leads to a malicious destination.
"I'm not too comfortable with the quality of the solution from the security and predictability standpoint," Klein said during a session at last week's RSA security conference in San Francisco."
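The mechanism in the quote is easy to state and worth seeing run: a resolver only accepts a reply whose 16-bit transaction ID matches its outstanding query, so a forged answer wins exactly when the attacker can name that ID before the real answer arrives. The following is an added simulation, not Amit Klein's analysis or BIND code: the "weak" generator is a constructed 16-bit linear congruential generator whose output is its whole state (so one observed ID gives the next), set beside IDs from the OS CSPRNG. The resolver class, the attack loop and the numbers are all assumptions made for the demonstration.

```python
"""Why a predictable DNS transaction ID is fatal: a resolver/attacker simulation.

Added example; not Amit Klein's analysis nor any BIND code. The weak generator
(a 16-bit LCG whose output is its full state) and the attack loop are
constructed to show the mechanism, not to reproduce the actual flaw.
"""
import random
import secrets


class Resolver:
    """Toy stub resolver: accepts the first reply whose TXID matches its pending query."""

    def __init__(self, txid_source):
        self.next_txid = txid_source
        self.pending = None

    def query(self):
        self.pending = self.next_txid()
        return self.pending

    def accept(self, reply_txid):
        return reply_txid == self.pending


def weak_txids(seed=0x1234):
    """Constructed weak generator: 16-bit LCG, output == state, so it is fully predictable."""
    state = seed

    def nxt():
        nonlocal state
        state = (state * 75 + 74) & 0xFFFF
        return state
    return nxt


def predict_next(observed):
    """What an attacker who has seen one weak TXID computes for the next one."""
    return (observed * 75 + 74) & 0xFFFF


def strong_txids():
    """Unpredictable 16-bit IDs from the OS CSPRNG."""
    return lambda: secrets.randbelow(65536)


def attack(resolver, trials, guesses_per_query, predictor=None, rng=None):
    """Fraction of trials in which a forged reply was accepted.

    Per trial: the attacker first learns one TXID (the resolver querying a
    nameserver the attacker controls), then races the real answer to the
    victim's next query. With a predictor they send one forged reply; without
    one they blindly send `guesses_per_query` replies with random IDs.
    """
    wins = 0
    for _ in range(trials):
        observed = resolver.query()   # leaked via an attacker-controlled nameserver
        resolver.query()              # the query for the name the attacker wants to poison
        if predictor is not None:
            guesses = [predictor(observed)]
        else:
            guesses = [rng.randrange(65536) for _ in range(guesses_per_query)]
        if any(resolver.accept(g) for g in guesses):
            wins += 1
    return wins / trials


def demo(trials=500, guesses_per_query=100):
    """Return (success rate against the weak generator, rate against the strong one)."""
    weak = attack(Resolver(weak_txids()), trials, guesses_per_query, predictor=predict_next)
    strong = attack(Resolver(strong_txids()), trials, guesses_per_query, rng=random.Random(1))
    return weak, strong


if __name__ == "__main__":
    w, s = demo()
    print("weak generator, 1 forged reply per query :", w)
    print("strong generator, 100 forged replies/query:", s)
```

The second number is the real point of the 16-bit field: even with a perfect generator an attacker sending 100 forged replies per query succeeds about 100/65536 of the time, and they can repeat the race as often as they like. That is why the fix being discussed at RSA could not stop at "use a better PRNG"; randomising the UDP source port as well multiplies the space the attacker has to guess.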
Movie: Wargames 2 Trailer
Posted 4/4/08 by Robert from the 'what would professor falken think?' department
"WarGames: The Dead Code stars Matt Lanter as a computer geek named Will Farmer who engages a government super-computer named R.I.P.L.E.Y. and enters in a game of online terrorist-attack simulation (yes, instead of global thermonuclear war from the original movie). But apparently the game is actually part of a sophisticated piece of government spyware designed to find potential terrorists. Homeland Security, now believing Farmer is a terrorist, sets out to apprehend him. And the computer, of course, forgets that it’s just playing a game."
View the trailer at
Scanless PCI security scanning available
Posted 4/1/08 by Robert from the 'I can't believe how much time jeremiah has to spend on this stuff, give that man something to do' department
"Using a combination of fines and incentives the payment card brands have been working hard to boost PCI-DSS compliance rates among merchants. Meanwhile, ASVs have been doing their part by offering their services at drastically reduced prices and curtailing the security checklist to make certification as easy as possible. Every merchant who signs up is able to get PCI certified, but it does come at a price (not including bandwidth utilization). The problem is adoption rates are still slow, but that might all change with a new entry into the space, Scanless PCI."
Good news, if you are a whitehatsec customer you're already protected!
Additional details are at
Gopher/Archie gaining popularity due to increase in web based attacks
Posted 4/1/08 by Robert from the 'April 1st' department

Due to the increase in devastating vulnerabilities abusing AJAX and Google to hack the web more users are switching
to 'safer' alternatives such as and .
Johnny Long was quoted as saying 'My next book on Archie hacking ' for idiots' will be out in late 2008
and I promise it will contain many search strings'. A google representative has confirmed that google
will be switching to in an effort to protect its users.
Users wishing to switch their websites are being urged all over to switch to the python
gopher server ''.
The lead pygopherd developer posted the following on his gophered blog "People laughed at us, first for using python and second for developing something for Gopher. Who's laughing now!""
Hackers Flood Epilepsy Web Forum With Flashing Lights
Posted 3/31/08 by Robert from the 'I see lights everywhere' department
"Unknown miscreants had a good time two weekends ago when they posted hundreds of flashing animated images onto discussion boards hosted by the Landover, Md.-based Epilepsy Foundation.
Flashing lights or bold moving patterns can trigger often violent seizures among 3 percent of the estimated 50 million epileptics worldwide.
"I was on the phone when it happened, and I couldn't move and couldn't speak," RyAnne Fultz, who has epilepsy, told Wired News about her reaction to viewing one of the images on March 23.
Fultz's 11-year-old son walked over and closed the browser window after about 10 seconds. Fortunately, she suffered nothing more than a bad headache.
By then, the second day of vandalism on EpilepsyFoundation.org, the jerks had moved on to hijacking the browsers of anyone who clicked on certain forum posts, filling the screens with bright, flashing colors."
The oldest application security website. Providing Web Security news since 2000.
Information contained on this website may not be copied without explicit permission.
Best Viewed with telnet.