12/29/2006 Backdooring UIML's and Existing JavaScript Applications
One of the more interesting aspects of so-called 'Rich Internet Applications' involves User Interface Markup Languages such as XUL (from Mozilla, around for a while) and XAML/XBAP (.NET 3.0, the new kid on the block). Essentially these languages let you 'paint' buttons, menu bars, grids, forms, message boxes, and other GUI components associated with HTML and forms UI (including progress meters) by specifying certain XML tags. The goal is to build the interface quickly in XML and then use backend code (usually written in JavaScript or .NET) to perform the actual work.

If you're reading this you're probably interested in attacking these sorts of applications; same here! OK, we know everything is XSS-able, but how can XSS impact a UIML-based application? One example would be to find a website using this type of technology and find an XSS issue in it. So far this is pretty standard, but instead of actively attacking the UIML application directly, let's instead make a copy of it and sniff its usage, thereby making a 'trojaned' copy. If you can utilize an existing XSS flaw you can create a new link to your own copy of the UIML-based application (externally hosted, or with the data URI trick) which sniffs what the user is doing before performing the action (you record everything they do, then perform the actual duties). JavaScript does not support overloading, but it does allow you to define a function twice, and the second declaration wins. If you can XSS after the JS inclusion (which is often the case) you can override it.
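The "second declaration wins" behaviour described above, shown as an added example that is not code from the original post, together with two defensive patterns: freezing the application namespace once it is complete, and checking a function's identity before dispatching a sensitive action. The namespace object `app`, the function `submitOrder` and the helper names are constructed for this demonstration.

```javascript
// Added example, not from the original post. The namespace `app` and the
// function names below are constructed for the demonstration.

// Build a small application namespace the way a UIML/JS app might: the
// trusted implementation is attached to a shared object when the page loads.
function buildApp() {
  const app = {};
  app.submitOrder = function (order) {
    return { order, handledBy: "trusted" };
  };
  return app;
}

// 1. Without protection, the last assignment wins: code that runs after the
//    legitimate script can replace a function, and every later caller uses it.
function unprotectedAppIsReplaceable() {
  const app = buildApp();
  app.submitOrder = function (order) {
    return { order, handledBy: "replacement" };
  };
  return app.submitOrder({ id: 1 }).handledBy; // "replacement"
}

// 2. Freeze the namespace once it is complete. A later assignment then fails:
//    it throws in strict mode and is silently ignored in sloppy mode, so the
//    attempt is wrapped in try/catch and the outcome is judged by behaviour.
function frozenAppKeepsTrustedFunction() {
  const app = Object.freeze(buildApp());
  try {
    app.submitOrder = function (order) {
      return { order, handledBy: "replacement" };
    };
  } catch (e) {
    // TypeError in strict mode; either way the original must still be in place.
  }
  return app.submitOrder({ id: 1 }).handledBy; // "trusted"
}

// 3. Integrity check before a sensitive action: capture the trusted reference
//    in a closure at load time and compare it with the live binding on every
//    call. A swapped-in function is detected instead of silently invoked.
function makeGuardedCaller(app, name) {
  const trusted = app[name];
  return function (...args) {
    if (app[name] !== trusted) {
      throw new Error(`integrity check failed: ${name} was redefined`);
    }
    return trusted.apply(app, args);
  };
}

function guardedCallerDetectsReplacement() {
  const app = buildApp();
  const guardedSubmit = makeGuardedCaller(app, "submitOrder");
  const before = guardedSubmit({ id: 1 }).handledBy; // "trusted"
  app.submitOrder = function (order) {
    return { order, handledBy: "replacement" };
  };
  let detected = false;
  try {
    guardedSubmit({ id: 2 });
  } catch (e) {
    detected = true;
  }
  return { before, detected };
}
```

The guard only protects calls routed through it and only against redefinition after the guard was created; script that runs before the application's own code is loaded is outside its reach.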

Much like an existing website, a UIML application may perform a transaction involving sensitive user information that requires a login first. If you emulate the application you will know when the user has logged in, and once you can identify this, perform whatever action it is that you want to do. While writing this news entry a paper discussing backdooring Ajax applications, released during the CCC conference, came to my attention. Be sure to check it out.

UPDATE:
Here are some sample UIML applications so you have an idea of exactly what I'm talking about.
XUL: http://www.faser.net/mab/chrome/content/mab.xul (Mozilla Only)
WPF/XBAP: http://www.mobiform.com/demos/paintfactory/WebPaintFactory.xbap (.NET 3.0 Beta must be installed!) (IE Only)
WPF/XBAP/XAML: http://scorbs.com/workapps/woodgrove/Finance.xaml (.NET 3.0 Beta must be installed!) (IE Only)
WPF/XBAP: http://scorbs.com/workapps/woodgrove/FinanceApplication.xbap (Same req as above)


Link to this Story: 12/29/2006 Backdooring UIML's and Existing JavaScript Applications
Link: Have a Site Suggestion, Material Request, or News? Submit it!
News RSS Feed: Web Security news RSS Feed

12/28/2006 Wikipedia's search engine will spell trouble for the SEO market
Wikipedia's founder has announced a search engine allowing users to control the search results in a way similar to how Digg works. I dabble in Search Engine Optimization (SEO) and I expect a huge shift if the other major search engines such as Google and Yahoo adopt similar models. Typically people improve their rankings by getting more sites to link to them and by page layout, but allowing a human to rank a site against a given term is going to make these traditional SEO methods less relevant. This will cause SEO companies to start paying for people's 'ranks', much like how people pay for Diggs, or how people are paid to click on ads. Additional information on the Wikipedia search engine can be found below. Somehow I suspect those sites with a lack of quality content but deep pockets are going to be the ones to win the rank wars. Oh, and did I mention Amazon is backing them?

Article Link: http://www.axcessnews.com/modules/wfsection/article.php?articleid=12502

12/21/2006 The lack of security enabled frameworks is why we're vulnerable
We've been stating for years that 'developers need to learn to code securely'. Sure, this is great, but it is essentially limited to skilled professionals. This isn't to say we shouldn't keep teaching, but rather than simply focusing on those paying attention we should start babysitting the remaining majority.

So how do you watch what a developer is doing? One of the things that needs to happen is to build better libraries and frameworks (yes, this statement sounds very marketecture, but bear with me). Java stopped the overflow issues (minus specific VM issues), and Microsoft's .NET has followed in Java's tracks and done the same. Microsoft's .NET has also gone one better and made development of vulnerable ASP.NET web applications harder. ASP.NET detects whether HTML is being supplied in user-modifiable input, and if that input is echoed it checks whether HTML has been injected. If it detects HTML injection (usually an XSS attack) it prevents the application from behaving 'vulnerably' by halting its execution and displaying a warning message.

I always hear the argument 'people who write applications vulnerable to buffer overflows, SQL injection or cross site scripting shouldn't be writing code!' and it's a nice fantasy! New people are always learning to code and being put into situations to develop things they maybe shouldn't be, and this isn't ever going to stop. The majority of skilled developers start out the same way, and faulting them for 'learning the ropes' is just plain stupid. We need to start hand-holding what developers are doing by preventing them (by default) from making common security mistakes. Just as important, we need to provide overrides for those who 'know what they're doing', because hindering application development isn't going to fly. As mentioned above, Java and Microsoft's .NET Framework allow you to write unmanaged code if there's a need, but by default manage it to prevent those darn buffer overflows from 'magically appearing'.

12/19/2006 PHP security under scrutiny
"Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications."

...

"The concerns come as attackers and security researchers have increasingly focused on finding flaws in Web applications. Earlier this year, one researcher highlighted the upward trend in Web flaws in general, and PHP in particular, when data for the first nine months of 2006 showed that vulnerabilities in Web applications had taken the top 3 spots in a list of most common flaws. The researcher, Steven Christey, found that about 45 percent of the vulnerabilities found as of September were either cross-site scripting flaws, database injection bugs, or PHP file inclusion vulnerabilities."

Article Link: http://www.securityfocus.com/news/11430

12/18/2006 Top 10 Web Hacks of 2006
I assisted Jeremiah Grossman and Rsnake in compiling a list of application security issues in the year 2006 that can be found on Jeremiah's blog. That is all.

12/14/2006 Application Security Predictions of 2007
OK, I know I'm a little early, but here's my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them, but read them over and give them some thought. - Robert (admin@cgisecurity.com)

Rich Internet Applications (RIA): .NET 3.0 WPF and Adobe Flex

The next big buzzword is going to be Rich Internet Applications (RIA), whether you like it or not. We haven't seen the end of thick client-side applications, as Microsoft (WPF in .NET 3.0), Mozilla (XUL) and Adobe (Flex) are going to show us. These RIA applications are going to change the way we use the web, there's no doubt, and I'm not just jumping on the hype wagon early. Users will begin to see these applications appear, get used to them, and expect them to some extent. RIA is the next AJAX (double meaning implied :).

XSS, Phishing and Worms will continue

Cross site scripting isn't going away; as a matter of fact it is only becoming more and more useful. Worms crossing over to handheld devices wouldn't be surprising. Even worms borrowing CPU cycles to perform a task, in a similar fashion to applications like SETI and distributed.net, wouldn't be too surprising. Attacks on larger communities involving banking transactions, using both phishing and XSS combined with CSRF, will begin, which is a nice segue to my next prediction.

Cross Site Request Forgery will emerge

CSRF is in its infancy and is now what XSS was 4 years ago. The power of Cross Site Request Forgery will become apparent once the first site exploited for financial gain reaches the media. Once money theft becomes involved expect regulatory changes including possible compliance guideline changes. Frankly I'm beyond surprised that a web worm hasn't taken advantage of this already.

Web Feed Exploits

I gave a talk last year at Black Hat about RSS and Atom feed vulnerabilities and included it in my list of 2006 predictions (so I had a little inside knowledge, big whoop :). Since that talk multiple advisories have been published and people are slowly starting to catch on to the things you can do with web feeds, including how they are used. Expect more from this area, as well as a potential worm.

The Browser History Theft Business

As I spoke about previously, it is possible for a marketer/attacker/person to identify which websites you've visited, how you got there, and which pages you visited on that website by exploiting functionality in CSS. This can be used by phishers to see which sites you frequent and so identify which website they should be phishing next. Expect to hear more about this in the upcoming year. Read this post for more information on what can be done.

Last Year's Predictions: 12/31/2005 Application Security Predictions For The Year 2006

12/13/2006 PHP Ninja Stefan Esser Quits the PHP Security Team After Being Ignored For Reporting Issues
Apparently Stefan Esser (a key player in PHP's Security Response Team) has called it quits. Stefan is known for finding various vulnerabilities in PHP and working with the PHP Security team to identify and prevent issues in PHP itself. From his blog (mirrored here since his site appears to be getting slammed hard):

"Last night I finally retired from the PHP Security Response Team, that was initially my idea a few years ago.

The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called an immoral traitor for disclosing security holes in PHP or for developing Suhosin.

For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP." - Stefan Esser

This is surely bad news for those of you using PHP, and I hope that attitudes within the PHP developer community start changing soon. This sort of attitude is often seen in closed source projects, and it reminds us that open source projects are not immune.

ISC Link: http://isc.sans.org/diary.php?storyid=1926
Blog Link: http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html
Response Link: http://www.suraski.net/blog/index.php?/archives/15-Stefan-Esser-quits-securityphp.net.html

12/12/2006 Worms Get Smarter
"The recent wave of Web worms on MySpace and other social networking sites represents a new generation of more sophisticated worms -- ones that employ the pervasive cross-site scripting (XSS) flaws found on many Websites.

Early worms were more for wreaking havoc and proof-of-concept purposes (think Code Red and Melissa), but the new worms discovered earlier this month on MySpace are more about stealing data. Example: the XSS exploit that spreads as a worm and tries to force spyware onto a user's machine for nefarious purposes. That attack is a QuickTime movie that is "backdoored" with an XSS exploit, which changes a user's profile to include links to a porn site that hosts spyware. Once a user goes to that site, he or she is infected with the spyware.

Another variant of the QuickTime exploit poses as MySpace and phishes for usernames and passwords.

These attacks are the latest in a series of exploits hitting the wildly popular MySpace over the past few months, first with the Samy worm, and then with a major phishing attack in October, along with publicly disclosed XSS fragmentation vulnerabilities on the popular hangout site." - Darkreading

Article Link: http://www.darkreading.com/document.asp?doc_id=112687&f_src=darkreading_section_296

12/11/2006 WASC-Announcement: Capturing and Exploiting Hidden Mail Servers
The Web Application Security Consortium is proud to present 'MX Injection: Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera Diaz of Internet Security Auditors. In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server.

Article Link: http://www.webappsec.org/projects/articles/121106.shtml

12/07/2006 MySpace, YouTube successes open door to Web 2.0 dangers
"But in the rush to add interactive features, security has often been overlooked. Several high profile attacks have exploited weaknesses in sites using Web 2.0 technologies. The Yamanner worm hit Yahoo mail users, exploiting JavaScript and Ajax code to collect email addresses, while the Samy and Spaceflash worms spread among MySpace users changing buddy lists and profile information. Such attacks have heightened concerns that Web 2.0, and Ajax in particular, are introducing new threats to life on the Web.

Ajax is not that new and it hasn't introduced new vulnerabilities, just variations of old ones. The problem is that Ajax applications tend to be very complex. There are many more interactions between the browser and server, and pages can even pull in content from other sites. This makes it difficult to test the many possible permutations of user and service interaction, allowing old vulnerabilities such as cross-site scripting (XSS) flaws to be unwittingly introduced into the application." - TechTarget

Article Link: http://searchsecurity.techtarget.com/columnItem/....

12/03/2006 Myspace Phish Attack Leads Users to Zango Content
"A while ago on the Spywareguide Blog, I covered a technique being used in Peer to Peer land involving URLs being embedded in Quicktime movies, which would then pop open a website. This has now been taken to the next level, with an intensive and seemingly never ending Phish attack, the sole aim of which seems to be directing end-users to a collection of Zango movies on a pornographic website."

Article Link: http://blog.spywareguide.com/2006/12/myspace_phish_attack_leads_use.html

12/01/2006 Myth-Busting AJAX (In)security
"The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced Web application developers and security experts have a difficult time cutting through the buzzword banter to find the facts. And, the fact is most websites are insecure, but AJAX is not the culprit. Although AJAX does not make websites any less secure, it's important to understand what does."

"In Google Maps, a user may mouse-drag through street maps without visiting additional pages. The mechanism for performing asynchronous data transfers is a software library embedded in all modern web browsers called XMLHTTPRequest (XHR). XHR is the key to a website earning the "AJAX" moniker. Otherwise, it's just fancy JavaScript. If you're thinking that none of this sounds security related, you're right. AJAX technology makes website interactivity smoother and more responsive. That's it. Nothing changes on the web server, where security is supposed to reside."

Ignoring the fact that I'm friends with Jeremiah, I'm happy to see someone finally speak bluntly about Ajax security issues.

Article Link: http://www.whitehatsec.com/home/resources/articles/files/myth_busting_ajax_insecurity.html

11/30/06 Ajax Security: Stronger than Dirt?
"Ajax allows the development of more feature rich, asynchronous applications, but in doing so opens up new possibilities for attackers. We look at the relevant security issues and their possible solutions.

Ajax (Asynchronous JavaScript and XML) lurched into being in 2005 [1]. As a web services model, Ajax is touted as the next big thing by many who work in web development. Like all big things however, Ajax is not without its faults, one of the most pronounced being that not many people actually know what Ajax is, and what potential risks could be introduced into enterprise environments by embracing it. This article examines what Ajax is, the security implications for Ajax applications, and details a range of potential attack vectors against this technology together with possible defences.

At its simplest level Ajax is anything but new, as it is based around old technologies, but pushed beyond their original scope. Ajax is the latest inheritor of the Dynamic HTML mantle, and allows for the development of feature rich and practical web applications. At the purest level all an Ajax web application does is use an XMLHttpRequest JavaScript object to poll data from a remote web server and then manipulate this data to output to a web page utilising the DOM (Document Object Model) [2]. Up until now, Google, Yahoo and Microsoft have been big players in the Ajax development arena, but increasing numbers of high profile websites are turning to Ajax to provide an asynchronous, feature rich environment for their users, without sadly giving too much thought to potential inconveniences such as security.

It is best first to look at JavaScript and browser security issues. Upon initial execution of an Ajax application the originating web server transmits a series of JavaScript instructions to a web browser on a PC, which then executes the instructions it has received. Clearly, the user of an Ajax application places significant trust in the application developers. The JavaScript code of an Ajax application is executable mobile code, and as such an obvious security risk. Typically, browser vendors deal with the thorny topic of JavaScript code execution by having it occur within a sandbox. In addition, the JavaScript security model prevents scripts from different domains from interacting with each other (and affecting the DOM)."

Article Link: http://www.heise-security.co.uk/articles/81264

11/30/06 Microsoft Anti-Cross Site Scripting Library V1.5 is Released
"For defence in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The principle of inclusions approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements."

Article Link: http://blogs.msdn.com/ace_team/archive/2006/11/20/microsoft-anti-cross-site-scripting-library-v1-5-is-done.aspx
Download Link: http://msdn2.microsoft.com/en-us/security/aa973814.aspx
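The "principle of inclusions" approach quoted above, as an added example that is not the Microsoft library's code: an output encoder that defines the characters allowed to pass through unchanged and encodes everything else as an HTML numeric entity, beside a conventional denylist encoder for contrast. The allowed-character set and the function names are choices made for this demonstration.

```javascript
// Added example, not code from the Anti-XSS library. The allowed set and the
// function names are constructed for this demonstration.

// Allowed set for HTML text content: letters, digits, space and a little
// punctuation. Anything outside it is encoded, so `<`, `>`, `"`, `'`, `&`
// and every character this list never anticipated cannot reach the page as
// markup. Which characters to allow is a decision for the application.
const HTML_TEXT_ALLOWED = /^[A-Za-z0-9 .,\-_]$/;

function htmlEncodeInclusive(input) {
  let out = "";
  for (const ch of String(input)) {
    if (HTML_TEXT_ALLOWED.test(ch)) {
      out += ch;
    } else {
      // codePointAt handles characters outside the Basic Multilingual Plane
      // as one entity rather than two surrogate halves.
      out += `&#${ch.codePointAt(0)};`;
    }
  }
  return out;
}

// Contrast: a denylist encoder escapes only the characters it names and lets
// everything else through unchanged. Whether that is enough depends on the
// output context, which is the gap the inclusion principle avoids having to
// reason about character by character.
const DENYLIST = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;" };

function htmlEncodeDenylist(input) {
  return String(input).replace(/[<>&"']/g, (c) => DENYLIST[c]);
}
```

Allowlist encoding is deliberately conservative: harmless characters such as `!` or accented letters are also encoded, which is why the quoted text positions it for applications with high security requirements rather than as a universal default.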

11/28/06 Browser Port Scanning without JavaScript
Jeremiah 'Lord Nikon' Grossman writes: "Since my Intranet Hacking Black Hat (Vegas 2006) presentation, I've spent a lot of time researching HTML-only browser malware since many experts now disable JavaScript. Imagine that! Using some timing tricks, I've discovered a way to perform Intranet Port Scanning with a web browser using only HTML. It's really hacky, but it can do the job."

Article Link: http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html

11/27/06 Vulnerability Scanning Web 2.0 Client-Side Components
Shreeraj Shah has written an article outlining some of the 'Web 2.0' risks. He covers RSS security, JSON, Ajax security, Cross Site Request Forgery and other related issues.

Article Link: http://www.securityfocus.com/infocus/1881

11/27/06 Finally someone speaking about RIA (Rich Internet Applications)
I was happy to see a post at GNUCITIZEN chatting about RIA and how we should start reading up on this exciting new technology. This is something I'm planning on including in my 2007 risk predictions. XUL and WPF/XAML are exciting new web technologies that I strongly advise you to start reading about.

Article Link: http://www.gnucitizen.org/blog/the-state-of-javascript-hacking/

11/16/06 Attacking Permalinks
Everyone has seen URLs such as http://site/2006/02/02, and you know there's an application in the backend somewhere, but figuring out how to attack those URLs can be tricky. A few of you have probably tried attacking them by sending requests such as http://site/2006'>/02/02 and received a 404 page. I started thinking about this in conjunction with parameter identification. As an example, you may be able to append things such as 'script.php?admin=true' and gain hidden administrative access (the classic example). Essentially you're appending a parameter and receiving different application behavior. So I started to think: 'in a URL such as /2006/02/02 the '2006' portion states the year; what are some common year parameter names?' I came up with 'y' and 'year'. The way permalink URL rewriting works is that your request for /2006/02/02 gets rewritten by the webserver and may be sent to a backend script such as 'index.php?year=2006&month=02&day=02'.

Knowing that permalink internal rewrites use standard parameters, and knowing that 2006 is a year, I started tinkering around and sending requests such as http://site/2006/02/02?year=-1. If the parameter isn't used the same page will be served; if the response is different, then the application has processed your additional appended parameter. When you append the 'year' parameter to the permalink the internal redirection will appear as 'index.php?year=2006&month=02&day=02&year=-1'. Many applications will merge both parameters and combine the data within them (concatenation) before the data is processed. The order of the merge may of course vary (in this case '-12006' vs '2006-1'), so the ease of exploiting a potential vuln may vary by application/framework. In a nutshell, you append additional 'guessed' parameters based on the data format between the slashes, and if the application acts differently, you have a vector exposed for security testing purposes.
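The rewrite and merge behaviour described above, as an added example that is not part of the original post: a model of the permalink rewrite that appends the client's query string to the internal one, a merge-happy parser that concatenates duplicate names the way the text describes, and a strict server-side parser that rejects duplicate parameters and validates each date component before use. The host site.example, the function names and the sample requests are constructed for this demonstration.

```javascript
// Added example, not from the original post. Host, function names and sample
// requests are constructed for the demonstration.

// Emulate the rewrite rule: /YYYY/MM/DD is mapped onto the backend script's
// query string, and any query string the client supplied is appended to it.
// That appending is how a second `year` can reach the application.
function rewritePermalink(requestUrl) {
  const url = new URL(requestUrl, "http://site.example");
  const m = url.pathname.match(/^\/(\d{4})\/(\d{2})\/(\d{2})\/?$/);
  if (!m) return null; // not a permalink; the real server would 404 here
  const internal = `year=${m[1]}&month=${m[2]}&day=${m[3]}`;
  const extra = url.search.replace(/^\?/, "");
  return extra ? `${internal}&${extra}` : internal;
}

// A merge-happy parser: repeated names are concatenated, so `year=2006` and
// `year=-1` become "2006-1" and the date logic receives a value it never
// expected. This models the behaviour the text describes; it is not advice.
function parseConcatenating(queryString) {
  const out = {};
  for (const [key, value] of new URLSearchParams(queryString)) {
    out[key] = key in out ? out[key] + value : value;
  }
  return out;
}

// A strict parser: a name that appears more than once is rejected outright,
// unknown names are rejected, and each date component must match its format.
const DATE_RULES = {
  year: (v) => /^\d{4}$/.test(v),
  month: (v) => /^(0[1-9]|1[0-2])$/.test(v),
  day: (v) => /^(0[1-9]|[12]\d|3[01])$/.test(v),
};

function parseStrict(queryString) {
  const params = new URLSearchParams(queryString);
  const out = {};
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key);
    if (values.length > 1) {
      return { ok: false, error: `duplicate parameter: ${key}` };
    }
    if (!(key in DATE_RULES)) {
      return { ok: false, error: `unexpected parameter: ${key}` };
    }
    if (!DATE_RULES[key](values[0])) {
      return { ok: false, error: `malformed ${key}: ${values[0]}` };
    }
    out[key] = values[0];
  }
  return { ok: true, params: out };
}

// Run one request through the rewrite and both parsers so the two outcomes
// can be compared side by side.
function compareParsers(requestUrl) {
  const qs = rewritePermalink(requestUrl);
  if (qs === null) {
    return { qs: null, merged: null, strict: { ok: false, error: "not a permalink" } };
  }
  return { qs, merged: parseConcatenating(qs), strict: parseStrict(qs) };
}
```

Rejecting duplicates at the parser is the check that matters here; a strict-format rule on `year` alone would still be reached only after the merge had already produced "2006-1".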

PS: If you haven't noticed, I use permalinks too, but they're mod_rewrite redirects to static files, so don't bother poking around :)

11/16/06 Web Application Security Professionals Survey Results
Jeremiah Grossman sent out a survey a few weeks ago to the application security industry and has posted the results on his site.

"73% of those performing web application vulnerability assessments are not using or rarely using commercial scanner products. It's hard to say if this is good/bad/increasing/decreasing or otherwise. Certainly people want tools. People love their open source tools as a vast majority are using them. Be mindful that open source webappsec tools are mostly productivity tools, not scanners like we asked about in #3, so they're not opting for one over the other. There is a lot of room to dig in here with future questions as to why people use or don't use certain types of products."

Article Link: http://jeremiahgrossman.blogspot.com/2006/11/web-application-security-professionals.html

11/14/06 Top 10 Ajax Security Holes Post
RSnake provides some much needed insight into the AJAX craze.

"However, I'd like to point out, as I have before, that really users should not consider AJAX to be another security risk. It is the same old risk that we have always faced, except there is more client side code that can be circumvented now. The more logic you create on the browser for parsing and security, the more you must ensure that your backend also protects you at the same time, since all client side security can be circumvented in one way or another."

Also linked is an article discussing 10 Ajax Security 'issues' along with RSnake's perspective.

Article Link: http://ha.ckers.org/blog/20061113/top-10-ajax-security-holes-post/

11/10/06 Article: Challenges faced by automated web application security assessment tools
If you're in the position of evaluating a web application security scanner, or use one to fulfill a compliance scanning requirement, then you may want to check out an article I wrote describing some of the challenges these products face.

Article Link: http://www.cgisecurity.com/articles/scannerchallenges.shtml

11/08/06 Mod Security as an IPS
One of our readers 'J. Oquendo' "got bored" and wrote an article titled 'Securing LAMP and using ModSecurity as an IPS'.

"Many times administrators often forget to do security checks from the ground up. They often will rely on simple methods of testing a machine. An NMAP scan here, a Metasploit scan there... Let's build a secure LAMP machine from scratch, shall we. Here is what I've done to harden my "LAMP" servers."

Article Link: http://www.infiltrated.net/modsecips.html

11/08/06 Detecting Web Application Security Vulnerabilities
An anonymous poster contributes "Web application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to IBM labs, there is a possibility of at least one security issue contained in every 1,500 lines of code. One of the challenges a security professional faces when assessing and auditing web applications is to identify vulnerabilities while simultaneously performing a source code review."

Article Link: http://www.oreillynet.com/pub/a/sysadmin/2006/11/02/webapp_security_scans.html

11/03/06 Security Fix Released for PHP
"The PHP development team is proud to announce the immediate release of PHP 5.2.0. This release is a major improvement in the 5.X series, which includes a large number of new features, bug fixes and security enhancements. Further details about this release can be found in the release announcement 5.2.0, the full list of changes is available in the ChangeLog" - PHP.Net

Patch Link: http://www.php.net/downloads.php

11/02/06 Happy Birthday Internet Worms
"Security threats and attackers are turning professional. Network managers still need to stop the script-kiddies from defacing their websites, but it is becoming increasingly important to stop the professionals who want to steal valuable information. The new attackers search for vulnerabilities in the application and exploit these weaknesses. Attackers are bypassing the traditional network-layer firewall and IDS defenses; their exploits appear as legitimate traffic to the network layer defense, but hiding in the application layer are deadly attacks."

Article Link: http://www.redorbit.com/news/technology/674569/application_security_countering_the_professionals/index.html?source=r_technology

Link to this Story: 10/03/06 Application Security: Countering The Professionals
10/31/06 FBI raids Ph.D. student's apartment, investigates Web site
"The FBI and Transportation Security Administration are investigating an IU doctoral student who created a Web site that generated fake Northwest Airlines boarding passes. Informatics graduate student Chris Soghoian reported Friday on his blog that the FBI showed up at his home in Bloomington and demanded he take down the Web site. That same day, Massachusetts Congressman Edward Markey publicly called for his arrest because of the site" - IDSnews

Article Link: http://www.idsnews.com/news/story.php?id=38874&adid=news
10/31/06 Hacking Web 2.0 Applications with Firefox
"AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals.

This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning objectives of this article are to understand the:

* web 2.0 application architecture and its security concerns.
* hacking challenges such as discovering hidden calls, crawling issues, and Ajax side logic discovery.
* discovery of XHR calls with the Firebug tool.
* simulation of browser event automation with the Chickenfoot plugin.
* debugging of applications from a security standpoint, using the Firebug debugger.
* methodical approach to vulnerability detection."

Article Link: http://www.securityfocus.com/infocus/1879
10/30/06 Identifying Risks in the Development Cycle
Besides CGISecurity I have interests other than web application security. I've created a new website to address other security-related documentation that I didn't feel fit here. The new website http://www.qasec.com will address things such as how to implement security into a development cycle, with a heavy focus on teaching QA people how to test for and identify security risks. The articles published on this site are designed to be very short, to the point, and informative. To kick-start the site I've written an article explaining the different groups within a development cycle and how security can be included in their portions of the cycle.

Fill out the contact form if you have some feedback.
Article Link: http://www.qasec.com/cycle/developmentcyclerisks.shtml
10/29/06 MySpace Accounts Compromised By Phishers
"MySpace, appears to have been compromised by phishers who have presented a spoof login form on the main site"

...

"Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting (XSS) or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form."

Article Link: http://news.netcraft.com/archives/2006/10/27/myspace_accounts_compromised_by_phishers.html
10/19/06 ModSecurity 2.0 is out
"Ivan Ristic explains what's hot about the new release

Interview ModSecurity is an open source web application firewall that runs as an Apache module, and version 2.0 offers many new features and improvements. Federico Biancuzzi interviewed Ivan Ristic to discuss the new logging system, events tracking and correlation, filtering AJAX or AFLAX applications, and just-in-time patching for closed source applications"

Article Link: http://www.channelregister.co.uk/2006/10/19/modsecurity_2_release/
10/19/06 IE7 Is out, and vulnerable
IE7 has finally been released but according to Secunia a vulnerability has already been published. They also provide a test that can be performed to see if you're vulnerable.

Article Link: http://www.theregister.co.uk/2006/10/19/ie7_release/
Advisory Link: http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/
Download IE7: http://www.microsoft.com/windows/ie/default.mspx
10/17/06 Web Application Security Professionals Survey
The riffraff of the web application security space Jeremiah Grossman has polled a bunch of application security professionals and published the results on his site.

"Two weeks ago I sent out an informal email survey to several dozen people I know in the web application security professional services business. People from large and small organizations who regularly perform penetration tests, vulnerability assessments, train others in secure software development, write articles and whitepapers, release tools, etc. In short, the “experts”. The questions were intended to shed more light on the industry from those who live and breathe webappsec every day. Of the pool of 40, I received 21 responses, and the results are interesting. The data set is small, so be careful reading too deeply into the results."

Article Link: http://jeremiahgrossman.blogspot.com/2006/10/web-application-security-professionals.html
10/17/06 Hacker Pumpkins
RSnake is having a hacker pumpkin carving contest. Check out the XSS'd tricked out carving :)

Article Link: http://ha.ckers.org/blog/20061016/hacker-pumpkin-carving-contest/
10/13/06 Zero day risks are Bullshit
"Patrick Clawson, newly appointed chief executive at PatchLink, poured scorn on the panic associated with “zero day vulnerabilities” calling it “bullshit”.

“I’m calling bullshit on the whole zero day thing. These vulnerabilities are announced on that day, not released, it’s in the year running up to that date where they cause problems. By the time something like Slammer becomes well known, it is a nuisance, but [as an IT manager] what you have to worry about, is what you don’t know.”"

Article Link: http://www.itweek.co.uk/itweek/news/2166434/zero-day-risks-bullshit
10/12/06 Exploit code hiding in cache servers
"According to Finjan Software, which has just released its latest Web trends report, caching technology used by search engines, ISPs and large companies has been discovered to harbour certain kinds of malicious code even after the website that hosted it has been taken down.

Such "infection-by-proxy" code can remain in caches for as long as two weeks, giving it a "life after death" at a time it would conventionally be assumed to have been neutralised. Although caching does not always save copies of everything on a website, it will still store code embedded in HTML, including programming formats such as JavaScript."

Article Link: http://www.techworld.com/security/news/index.cfm?newsID=7083&pagtype=all
10/11/06 Top 5 signs you've selected a bad web application package
5. The vendor's idea of a patch process involves you editing line X and replacing it with new code
4. The amount of total downloads is less than the application's age
3. It isn't running on the vendor's homepage
2. The readme file states that you need to chmod a certain file or directory to 777 in order for it to work
1. If the application name contains 'nuke' in it, you're pretty much screwed.

10/11/06 Hailstorm of Microsoft Patches Released
"Microsoft today issued a record-breaking number of security updates, fixing at least 26 separate security holes in its Windows operating system and other products, including 16 vulnerabilities in Microsoft Office and Office components.

By my count, this is the largest number of flaws Microsoft has fixed in one go outside of a Service Pack. Among the problems addressed in the ten patch bundles released as part of its monthly patch cycle are four flaws in Office, as well as four security holes each in different versions of Microsoft Word, Excel and PowerPoint (one of the Word flaws is only present in the version made for Apple Macintosh systems)."

Also worth noting was a Cross Site Scripting vulnerability discovered in .NET 2.0.

Patch Link: http://update.microsoft.com
Article Link: http://blog.washingtonpost.com/securityfix/2006/10/microsoft_updates_fix_26_secur.html
10/10/06 Flash + JS + crossdomain.xml = phun
I was browsing Jeremiah Grossman's blog and found an interesting post talking about a file named crossdomain.xml and extended uses of it in regards to cross site scripting. In a nutshell, there's this file called crossdomain.xml used by Flash to say 'I am www.domainb.com and I will allow users of www.domaina.com to make requests to me'. Unfortunately people are misconfiguring their crossdomain.xml file and allowing every domain. With the wildcard in place, a Flash movie served from any site can make requests to that server from the visitor's browser, with the visitor's session cookies attached, and read the responses.

Vulnerable Example:
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

Per the Adobe specification:
"Another change to the Flash Player 7 framework is the use of cross-domain policy files. A policy file is a simple XML file that gives the Flash Player permission to access data from a given domain without displaying a security dialog. When placed on a server, it tells the Flash Player to allow direct access to data on that server, without prompting the user to grant access.

The server can be in any location available to the Flash movie and does not have to be in the same domain. Cross-domain policy files, named crossdomain.xml, are placed at the root level of a server. When using a policy file you can use a wildcard character (*) in a domain name. For more information on policy files see Why Use Policy Files below."

I'm sure there are many other fun tidbits like this just awaiting to be discovered.
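As an added example (not code from the original post or from Adobe), here is a small Python audit that parses a crossdomain.xml policy and flags the over-permissive settings discussed above. The three sample policies are constructed for this demonstration, and the top-level-domain wildcard check is a simplified heuristic.

```python
"""Audit a Flash crossdomain.xml policy for over-permissive <allow-access-from> rules.

Added example, not code from the original post or from Adobe. It flags the bare
wildcard from the post (domain="*"), wildcards that cover a whole top-level
domain ("*.com"), and secure="false", which lets movies loaded over plain HTTP
read data from an HTTPS server.
"""
import xml.etree.ElementTree as ET

# Constructed sample policies for offline demonstration.
VULNERABLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.domaina.com" />
  <allow-access-from domain="*.domaina.com" />
</cross-domain-policy>
"""

SLOPPY_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.com" />
  <allow-access-from domain="partner.example.com" secure="false" />
</cross-domain-policy>
"""


def _is_tld_wildcard(domain):
    """True for "*.com" (only one label after the wildcard), False for "*.domaina.com".

    Simplified heuristic: a production check should consult the Public Suffix
    List so that patterns such as "*.co.uk" are caught as well.
    """
    return domain.startswith("*.") and "." not in domain[2:]


def audit_policy(xml_text):
    """Return a list of (domain, reason) findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)

    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append((domain, "any-origin wildcard: every site can read this server's responses"))
        elif _is_tld_wildcard(domain):
            findings.append((domain, "wildcard covers an entire top-level domain"))
        # secure defaults to true for policies served over HTTPS; an explicit
        # false exposes HTTPS data to movies loaded over plain HTTP.
        if rule.get("secure", "true").lower() == "false":
            findings.append((domain, 'secure="false" lets non-HTTPS origins read HTTPS data'))
    return findings


def is_restrictive(xml_text):
    """Convenience wrapper: True when the policy produced no findings."""
    return not audit_policy(xml_text)


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY),
                         ("restricted", RESTRICTED_POLICY),
                         ("sloppy", SLOPPY_POLICY)):
        print(name, audit_policy(policy) or "OK")
```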

Article Link: http://jeremiahgrossman.blogspot.com/2006/10/crossdomainxml-statistics.html
Chris Shiflett: http://shiflett.org/archive/267
Crossdomain.xml Specification: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14213
10/10/06 Hacker cracks Google Blogger security
"Google was left red-faced on Saturday when a bug in its Blogger software allowed an unauthorised user to post a comment on the official Google blog.

The post, which stayed up for around an hour before being pulled, claimed that Google had abandoned its click-to-call and Adwords partnership with eBay because of "monopolistic" concerns."

Article Link: http://www.itweek.co.uk/vnunet/news/2166003/google-hit-hacker-security
10/09/06 Top 10 Web 2.0 Attack Vectors
"On the “server-side”, XML based Web services are replacing some of the key functionalities and providing distributed application access through Web services interfaces. These remote capabilities to invoke methods over GET, POST or SOAP from the Web browser itself provide new openings to applications. On the other side, RIA frameworks running on XML, XUL, Flash, Applets and JavaScript are adding new possible sets of vectors. RIA, AJAX and Web services are adding new dimensions to Web application security.

Here is the list of 10 attack vectors along with a brief overview of each:"

Article Link: http://www.net-security.org/article.php?id=949
10/05/06 Palisade Articles on Web Application Security
"Palisade is a monthly online magazine that focuses on application security. In each issue, we discuss topics of current interest in developing and using secure software."

I stumbled upon this website by accident and it has quality articles worth checking out.

Site Link: http://palisade.plynt.com/
10/04/06 Firefox Zero-Day Code Execution Hoax?
"A public claim by hackers that Mozilla's Firefox browser is vulnerable to multiple code execution vulnerabilities may be an overblown hoax.

On the heels of a ToorCon presentation where two security researchers—Mischa Spiegelmock and Andrew Wbeelsoi—warned that Firefox's implementation of JavaScript was badly flawed and could allow PC takeover attacks, Mozilla's engineers say the risk is limited to a denial-of-service issue."

Article Link: http://www.eweek.com/article2/0,1895,2023762,00.asp
10/04/06 More fun with CSS history
There's been a big fuss that with CSS you can identify if someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising.

You run www.sitea.com, and www.siteb.com and www.sitec.com are competitors of yours. Now you know these companies use www.ad1.com and www.ad2.com to serve up ads. What you don't know is how effective these ads are; simply put, without direct access to the web server logs you can't really tell. Well, this isn't entirely true!

Let's say VisitorA visits your site www.sitea.com. You can use the CSS history stealing trick to see if they have visited www.siteb.com and/or www.sitec.com. If they've visited a competitor you'll know that this person is semi-serious about whatever reason they're visiting your site for. Using the same CSS trick you could also enumerate a list of links (only enumerated if the link was visited) against each competitor website to see what they viewed on that site. This could include seeing which products/services they are interested in, whether they visited the 'contact us' page, and possibly whether they also visited the 'thank you for submitting your data' page (letting you know they submitted a form). Now that you know where your visitor has been, you can utilize the same trick on websites advertising your competitors to see where they came from. Why bother? Well, now you know which ads are in fact paying off for them and can advertise with the same company.

A more elaborate example would be dynamically generating a discount if the current visitor has visited a competitor, potentially winning a deal. I suspect this use of the CSS 'trick' is going to spread like wildfire for many of the obvious reasons above. This begs the question: is this legal?

UPDATED: 10/4/06

I was thinking of the uses of this regarding phishing. Say they followed my Amazon phishing email; I can now track which banks they use and other websites to see which site I should phish next (a sort of victim profiling, if you will). Even more interesting would be the creation of generic phishing emails bringing a user to a site, and dynamically generating a phishing site based off of the URLs that they've actually visited. Hmmm, need to think about this some more.

10/03/06 Application Security: Countering The Professionals
"Security threats and attackers are turning professional. Network managers still need to stop the script-kiddies from defacing their websites, but it is becoming increasingly important to stop the professionals who want to steal valuable information. The new attackers search for vulnerabilities in the application and exploit these weaknesses. Attackers are bypassing the traditional network-layer firewall and IDS defenses; their exploits appear as legitimate traffic to the network layer defense, but hiding in the application layer are deadly attacks."

Article Link: http://www.redorbit.com/news/technology/674569/application_security_countering_the_professionals/index.html?source=r_technology

09/28/2006 XSS Gone Wild!
For various reasons I'm going to report this as neutral as possible.

Apparently F5 and Acunetix, both web security vendors, were found to have XSS holes in their websites according to RSnake's forum. To be honest with you, yeah, it is embarrassing, but s!@# happens; however, that isn't why I'm posting this news story. I'm posting it because of the backlash that denying these vulnerabilities has caused. If any issue is found in your site and publicly disclosed, admit it, fix it, and move on.

Darkreading Link: http://www.darkreading.com/document.asp?doc_id=104815
RSnake Forum: http://sla.ckers.org/forum/read.php?3,44,632
Lord XSS Blog: http://jeremiahgrossman.blogspot.com/
POC Screenshots at n074h4x0r: http://n074h4x0r.blogspot.com/
SecureiTeam Blog: http://blogs.securiteam.com/index.php/archives/649
09/27/2006 Interview with Ivan Ristic About the purchase of mod_security
Recently the open source web application firewall ModSecurity was purchased by Breach Security. I emailed Ivan Ristic to ask him a few questions that many of us are wondering about regarding the future of ModSecurity.

Interview Link: http://www.cgisecurity.com/interviews/modsecurity.shtml
Ivan's Blog: http://www.modsecurity.org/blog/archives/2006/09/modsecurity_has.html
09/24/2006 IE 7 plus Vista security measures stop latest IE 0day
A great article at ZDNet explaining how Vista + IE7 stopped the latest IE 0day from exploiting the machine.

"The initial security warnings are hardly perfect. I've seen similar ActiveX opt-in dialog boxes for other built-in ActiveX components. How is an unsuspecting user supposed to know which one is safe and which is dangerous? And the list doesn't work on a per-site basis. If I had visited a site that legitimately used the VML control last week, before this exploit hit the news, I would probably have approved it. And once I had done that, it would have been on the safe list for good. There's no way to undo that decision, as far I can tell. Once you tell IE7 that an installed control is OK, any site can try to use it."

Article Link: http://blogs.zdnet.com/Bott/?p=141
09/19/2006 Web based vulns top newly discovered issues
"The takeaway is that researchers are paying a lot more attention to web vulnerabilities, and if companies don't want to get caught up in that, then they need to pay attention to those flaws," said Steven Christey, the security researcher that authored the draft report and the CVE Editor for The MITRE Corp., a nonprofit government contractor.

The jump in web-based vulnerabilities is fueled by the simplicity of exploiting many of the most common web vulnerabilities, the enormous number of web applications freely available, and the difficulty in eradicating cross-site scripting flaws." - TheRegister

TheRegister Link: http://www.theregister.co.uk/2006/09/18/web_vulnerabilties/
Blog Link (with additional links and charts): http://jeremiahgrossman.blogspot.com/2006/09/web-app-vulnw-take-over-top-spots.html
09/12/2006 Microsoft Patch Tuesday
Five patches have been released by Microsoft to address vulnerabilities discovered in Internet Explorer, Indexing Service, Publisher, Reliable Multicast Program, and the Server Service. Additional information about each issue can be found at the SANS link below. To protect yourself from these issues, run Windows Update.

Sans Link: http://isc.dshield.org/diary.php?storyid=1691
09/11/2006 More RSS Security Issues Discovered
GNUCitizen has discovered an RSS reader vulnerability in Sage (a Firefox plugin).

"I turned off HTML tags and continued on as normal. However, something odd happened. When rendering my whitepaper “Awakening the Sleeping Giant” an insert of JavaScript was executed in my browser. How bizarre, I thought. The security-enabled feature makes me vulnerable. Sage was vulnerable to XSS! I immediately contacted pdp (architect). We worked on it for 30 minutes and for those 30 minutes all you could hear were sinister laughs."

My Blackhat Presentation Link: Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems (Power Point)
My RSS Whitepaper: http://www.spidynamics.com/assets/documents/HackingFeeds.pdf
Advisory Link: http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/
RSS Security Issues Repository Link: RSS Security
09/08/2006 RSS Security Issues Discovered in ICQ
"Security problems found in the ICQ Toolbar v1.3 may allow attackers to control and change configuration settings and to inject scripting code in RSS feed contents and execute it in the context of the feed interface (IE's Local Zone)"

I released a paper and gave a presentation at Blackhat this year about these sorts of risks and fully expect a flood of advisories in major products such as this.

My Blackhat Presentation Link: Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems (Power Point)
Advisory Link: http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1510
RSS Security Issues Repository Link: RSS Security
09/05/2006 Microsoft Research Builds BrowserShield
"With BrowserShield, Wang argues, many such attacks could be blocked. BrowserShield can be used as a framework that rewrites HTML pages to deny any attempt at executing harmful code on browsers.

"We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser," Wang said. "We're inserting our layer of code at run-time to make the Web page safe for the end user." - eWeek

Article Link: http://www.eweek.com/article2/0,1895,2011765,00.asp
08/25/06 Hacme Casino v1.0 Released
"Hacme Casino is an online casino, built with Ruby on Rails, with plenty of AJAX functionality. It has security vulnerabilities baked-in, and is meant to help educate developers and testers about web application security in the context of new technologies.

If you are interested in the security aspects of Ruby on Rails and AJAX, give Hacme Casino a try. It's a completely self-contained Ruby WEBrick server and Rails application in a simple exe.

Vulnerabilities:
Blind SQL Injection
Cross-Site Request Forgery
Improper Session Management
Good, old fashioned cheating!"

Download Link: http://www.foundstone.com/resources/proddesc/hacmecasino.htm
08/25/06 Pentagon hacker says charges have been manufactured
"The hacker at the centre of an extradition storm after he broke into the US Military and NASA computer systems has said the charges against him in the US have been manufactured to ease his extradition there.

"For it to be extraditable under their computer laws in America you have to have caused $5,000 worth of damage and lo and behold they say that every computer I was on I caused exactly $5,000 worth of damage so it is patently a falsely structured argument," - The Register

Article Link: http://www.theregister.co.uk/2006/08/25/extradition_hacker/
08/24/06 Stealing User Information Via Auto Form Filling
RSnake has an interesting blog entry (yes, it's a few days old; I don't read it daily, so whatever) regarding utilizing XSS to steal auto form fill values.

"Some (not all) automated input automation tools do so blindly. That is, they don't ask for user input when they input data. In fact they don't really do much validation at all, except the names of the common form fields. So what does the attacker do? They create a form submission inside their XSS script with all the common field names that they are interested in. Once the automated input box enters all that information it captures it and logs it." - RSnake

For those of you who haven't checked out his blog and are interested in web security, and blackhat SEO I advise you do.

Article Link: http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/
08/22/06 Frontpage takes down superhacker
"Kevin Mitnick, the notorious former hacker turned security consultant and tech celebrity, has been targeted by Pakistani crackers in a series of web defacement attacks.

Four websites associated with Mitnick's various ventures were sprayed with digital graffiti on Monday in an apparently personal attack. The sites defensivethinking.com, mitsec.com, kevinmitnick.com and mitnicksecurity.com (which all run on Linux, incidentally) were defaced with offensive messages that said "hacking was for homos", among other things. We'll leave it to psychologists to say what that message says about the perps of the attack, but irony obviously isn't their main stock in trade."

"Misconfigured FrontPage extensions were used to carry out these attacks, Zone-h reports"

Say it ain't so Kevin!

Article Link: http://www.theregister.co.uk/2006/08/22/mitnick_hack_attack/
08/18/06 Paper: Assessing Java Clients with the BeanShell
"Assessing the security of Java applications, and particularly client-server applications, can be a tedious process of modifying the code, compiling, deploying, testing and repeat. This becomes even more difficult when the source code to the application is not available. What security testers require is an easy means of interacting with the internals of a Java application during execution without recompiling the code.

The BeanShell (http://www.beanshell.org) provides an interpreted, scripting environment that can plug in to any Java application or applet and allows users to inspect and manipulate objects dynamically. This paper demonstrates a technique for using the BeanShell to assess the security of a typical Java client-server application."

Article Link: http://www.corsaire.com/white-papers/060816-assessing-java-clients-with-the-beanshell.pdf
08/09/06 Ruby On Rails Mandatory Security Patch Issued
"We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5!

This is a MANDATO