Posts

Showing posts from 2009

Six Simple rules to make your application hard to hack

I was going through an interesting post on ACE team's blog. I was really impressed the way they have listed few rules to prevent bad guys to check into your application.It is very comprehensive and detailed.

The main rules they are talking are:

Rule no. 1:Implement a Secure Development Lifecycle in your organisation.

Rule no. 2:Implement a centralised input validation system (CIVS) in your organisation.

Rule no. 3:Implement input/output encoding for all externally supplied values.

Rule no. 4:Abandon Dynamic SQL- This is very contentious issue. The 'Abandon' word has generated a lot of comments supporting and opposing it on the blog.

Rule no. 5: Properly architect your applications for scalability and failover

Rule no. 6:Always check the configuration of your production servers.

For more details please go to: http://blogs.msdn.com/ace_team/archive/2009/12/16/simple-rules-to-stop-bad-guys.aspx

My Phishing Presentation

Not a great thing I have done but wanted to upload the presentation I had given in my company's internal session :)
My Phishing

'Information Leakage-Improper Error Handling' dropped

From Owasp Top 10 2010 List, the issue 'Information Leakage-Improper Error Handling' has been dropped. But it's not the final list,its child release actually. Bu I feel it shouldn't be set aside because its still the one of the prevalent issues these days. That's why I mailed to Dave Wicher:
Hi Dave,

Excellent work, Congrats!

Just one little query- Don't you think that Information Leakage & Improper
Error Handling still deserves to be in Top 10?
Dave replied:

This topic is clearly a very prevalent issue that deserves attention by
most organizations. However, the typical impact of such a flaw is usually very low. Therefore, the overall risk of this type of flaw is lower than the other items in the top 10, which is why it was replaced in this update with one of the 2 new items.
Regarding dropping Info Leak/Error handling - It is incredibly

prevalent, no question. But their impact is typically very low, so the

overall risk is low, which is why it fell out of this new r…

OWASP Top 10 2010 (Candidate 1) released !

Image
The release candidate for the OWASP Top Ten for 2010 has been officially released at the OWASP AppSec DC Conference today (Nov 13, 2009). This document is now up for open comment until Dec 31, 2009. The document will be updated and released with a final version in early 2010, hopefully January.

The new additions are:
Security MisconfigurationUnvalidated Redirects and Forwards- This I was expecting that sometimes it may be included in OWASP Top 10 because the last year itself I had detected many Open Re directions on various reputed sites. Even after reporting to them they were not paying much attention to it. I think now they can think about it as it made a place in Top 10.But to my surprise they have excluded Information Leakage for the list which I think is more prevalent than SSL issues.



More information on:
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Content Security Policy of Firefox

Firefox support for Content Security Policy (CSP) has been in the news and is now available in test builds for web developers to try. Support for CSP isn’t slated for Firefox 3.6 but is likely to be included in the release after 3.6, mostly likely called 3.7.

This post is targeted at web developers and gives a quick overview of the three kinds of attacks that CSP helps to mitigate and also gives some quick examples so developers can get a sense of how it will work for them.

In case you don’t know what our Content Security Policy code is – and based on anecdotal evidence a lot of people don’t – it’s a set of easy to use tools that allow a web site owner to tell the browser where it should or should not load resources from. In particular it aims to prevent three different classes of common attacks we see on the web today: cross-site scripting, clickjacking and packet sniffing attacks.

Cross-site scripting attacks are largely the result of a mistake made on backend web servers where someone…

The right combination of HTTP/HTTPS and GET/POST

Image
I came across an excellent article where all the combination of HTTP/HTTP and GET/POST were compared to each other. It was in form of Metrics. It shows different problems with different combination.


The safest option for transmission of any sensitive data is to use POST statements over SSL/TLS. Any other option will expose data at some point in the communication.

netcraft tool bar detects XSS

Image
I installed the netcraft toolbar few times back to just be able to detect phishing sites. Moreover it also gives you the information like-- Risk rating, When it was started,rank of the page in terms of popularity and Country where it is originated from--about the site you are visiting.

But to my surprise it was quite useful in detecting XSS too. I was visiting a site I had previously detected XSS issue in it. As soon as the page loads the netcraft tool throws a message:
"The Page you are trying to visit is using Cross-Site Scripting(XSS).This is commonly used in Phishing Attack.Do you still want to go there?"

and then the site is categorized as Phishing site.


ISACA Chennai Chapter website susceptible to XSS and Information Disclosure

Image
I was browsing through ISACA website and incidentally arrived at Chennai Chapter. I was surprised to see that it was vulnerable to XSS. However it was not severe in nature and was reflected one but these things actually hurt the image of an organization. Moreover it was delicately leaking the internal information. This is so user friendly that you can see the errors by clicking on 'Show error' link.
Following are screenshots:

Cross-Site Scripting


Improper Error Handling

HSBC's user friendly security measures :)

Here I came across a very funny article regarding the security implementation of HSBC Canada bank website..very funny indeed! Not only they are using easy to guess Personal Identification Question, but also they are implementing very restricted password choosing option that can be easily brute forced. Moreover they might be storing the user credentials in encrypted form--

"Since the bank is performing character matches on the password entered, there is no way that they are using a one-way hash algorithm to store the password. If they were, they would be able to match the whole thing or nothing at all. Instead, they have chosen to be able to retrieve the password and play with it. I can only hope that it isn’t stored in clear text"

More here

http://eternallyoptimistic.com/2009/08/24/so-funny-i-forgot-to-laugh/

Enjoy!

Web Services Security Model

Image
With evolution of web 2.0, web services has become an integral part of the business hence the security of Web Services (WS) has become more critical.
Although there's no single set of WS standards has been agreed on the industry is continuallly developing and evaluating specifications.
The W3C working group is currently working on three basic specifications for Web Services:
XML Signature: For verifying the integrity of data sent via web services and validating the sender.XML Encryption:for encoding the XML message
XKMS:For using PKI in web servicesIn 2002 Microsoft,IBM and Verisign announced Web Services Security Specification (WSS ) that proposed for addressing security in web services.
Organization for Advancement of Structured Information Standards came up with following:
SOAP Message Security 1.0The Web Services Security Token Profile 1.0The Web Services Security X.509 certificate token profile 1.0The OASIS WSS message- security model has three main components:
security tokendigital…

Open Redirection Vulnerability

An open redirect is a vulnerability that exists when a script allows redirection
to an external site by directly calling a specific URL in an unfiltered,unmanaged fashion, which could be used to redirect victims to unintended,malicious web sites.

An open redirect is a very simple vulnerability to exploit.

Consider the following example:
http://www.trustedbank.com/page.redir?target=http://www.anygovtsite.gov/

This is a well-intended URL that takes users to any other trusted site.

But this can be abused in one of the following ways:


The URL can be used for Phishing attack-

http://www.trustedbank.com/page.redir?target=http://www.duplicatesite.com/
The user visiting the trusted bank website will get redirected to the phishing site/malware site.
This can hurt the reputation of organization causing business loss.


This can be further escalated by mal-forming the link. Something like

the following can be used to cause the Denial of Service Attack:

http://www.trustedbank.com/page.redir?target=http://www.tr…

OWASP AppSec Asia Conference 2009, New Delhi

Image
2009 - OWASP India is back with more interesting and exciting stuff from AppSec World..With the successful launch of OWASP India Conference in August 2008, organized in New Delhi with participation from 350+ attendees from 80+ companies and government sector. OWASP India now proudly announces the biggest Information security conference in India in association with Canada based Information Security Conference (www.securitybyte.org). Securitybyte and OWASPAppSec Asia Conference 2009 is planned for 17th - 20th November 2009 in New Delhi. Event will cover end-to-end Information Security tracks that includes Application Security, Network / Infrastructure Security, Cyber Terrorism, Cloud security,SOA Security, Cyber Forensics, Wi-Fi security, Risk Management & Compliance, etc.

Brief list of Speakers in the conference:
Howard A. Schmidt, Advisor, NIST & PSG - ENISAJohnBumgarner ,SSCP Research Director for Security Technology, U.S. Cyber Consequences Unit
Shreeraj Shah, B.E., MSCS, MBA, …

An Introduction to PDF XSS

Here I am going to give a brief write up about PDFXSS.AmitKlien introduced a third kind of XSS attack-DOM Based XSS in which exploits client side vulnerabilities rather than Server Side flaws.He also observed how the # character can be used to, very conveniently, avoid sending attack payload to the server.DOM-based XSS typically uses JavaScript.Example (taken from Amit’s paper):<HTML><TITLE>Welcome!</TITLE>Hi <SCRIPT>var pos = ocument.URL.indexOf("name=") + 5; document.write(document.URL.substring(pos,document.URL.length));</SCRIPT></HTML>Exploiting PDF :Use the same technique using JavaScript it would execute it when a link in the following format is encountered:http://www.example.com/file.pdf#a=javascript:alert()
Threats:
After a successful attack the code is executed in the context of the site that hosts the PDF file.The attacker is in full control of the victim’s browser (think session hijacking, request forgery, etc.).Individual users a…

Automated CSRF attack tool MonekyFist

A pair of researchers here yesterday unleashed a tool that automatically executes dangerous cross-site request forgery (CSRF) attacks.
Shawn Moyer and Nathan Hamiel demonstrated how their tool, MonkeyFist, performs what they call "dynamic" CSRF attacks, or attacks on Websites that have put up preventative measures such as tokenization and session IDs . CSRF is when an attacker makes a Web request within the context of the victim's Web session.
The researchers say the emergence of integrated and aggregated content, such as buttons for Twitter or "Digg This," have opened up even more possibilities for these attacks, which take advantage of a pervasive but difficult-to-detect vulnerability in many Websites.
This "session-riding" attack basically lets the bad guy silently ride atop the victim's Web session. "You're [the attacker] already authenticated into a site, and the user's session, header, and cookie is already there," says Moyer,…

Now Hijacking EV-SSL

Close to the heels of SSLhijcking by Mozie in BlackHat last year, yet another attack on the SSL. This time on EV-SSL (Exteneded Validation-SSL). Mike Zusman and Alex Sotirov are releasing a pyhton based tool to hijack EV-SSL.The Python-based tool can launch an attack even with the secure green badge displaying on the screen.

All it takes is an attacker having a non-EV SSL certificate for a Website, and he or she can hijack any SSL session that connects to it. That's because the Web browser treats the EV SSL certificate with the same level of trust as an SSL domain-level certificate.

EV SSL sites display a green address bar when used with the newest versions of major Web browsers, and the bar bears the name of the Website's organization that owns the certificate, as well as the authority that issued it. The certificate shows the site is legitimate, and that the session is encrypted and secured.

Calls for EV SSL adoption have intensified of late amid concerns of MITM attacks target…

An Intoduction to HTTP Response splitting

Image
Here I am going to introduce you with HTTP Response splitting which I had written in reply to an Owasp Delhi member's question. Although it's not a comprehensive write up but can give you an insight to the matter.
An application is vulnerable to HTTP Response splitting a.k.a. CRLFinjection when it doesn't validate the user input properly.
For example, if requesting something like GET /myPage.asp?value=anyValueHTTP/1.1 returns response that includes a location header and 302response code:
HTTP/1.1 302 Found
........
........
Location: http://www.myApplication.com/myPage.asp?value=anyValue

Then it might be vulnerable. It means the application is returning the same URL which is requested by the user in Location header.

How to exploit:
Suppose a link crafted by an attacker is clicked by a valid user. I am crafting the script into it: http://www.myapplication.com/myPage.asp?value=12345foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aCont…

Hijacking SSL

SSL has been in centerstage of researches as well as attacks for quite long time. Last year in a conference in Germany researchers showed how to generate duplicate certificates exploiting MD5 hashing to break SSL. Later in Black Hat, Maxie showed how to exploit a field in SSL certificates to sign an own forged certificate to present it to the client. The main feature of this attack was that the client will never get any warning dialog box by the browser and subsequently the hacker doing an MITM can see the conversation between the client and server. The client will even get a PADLOCK sign to be assured that all things are going via encryption, but in reality it's not. Maxie released a tool SSLStrip to carry out these attacks.
The tool has been used by many researchers around the world to carry out the attacks. They all used Unix machines as many open source utilities makes it easier to run the tool on it.
My attempt was to run the tool on a Windows machine. It has been never easy to…

BlackHat Presentation on ATM hack withdrawn

Juniper's Researcher Barnaby Jack was to present a talk on how a flaw into ATMs of a particular vendor can be exploited. The talk was to be presented into BlackHatLas Vegas. The show was cancelled on the request of the affected vendor which sought some time to fix up the flaw. Juniper too agreed that the talk would have far reaching impact on ATM security. They are offering help to ATM vendors to fix up the flaw found in Jack's research.

This is not the first time a Black Hat presentation was withdrawn. In 2005, Cisco and Internet Security Systems (ISS), now owned by IBM, threatened to sue researcher Michael Lynn just hours before he was to deliver a talk about vulnerabilities in the CiscoIOS. Lynn quit his job at ISS and proceeded anyway. Soon after, he settled with the two companies, essentially promising not to further discuss the exploit.

Last year JeremiahGrossman and RSnake too delayed theirpresentation on Clickjacking after they received request from Adobe.

In 2007, securi…

Google Anti-Malware website

Google has launched a new website Anti-Malvertising which is customized search engine. It lists all the incidents related to that particular website in the past when it was used for downloading any malware. The Google Safe Browsing Diagnostic page will show you the following points related to your search:

What happened when Google visited sites hosted on this network?Has this network hosted sites acting as intermediaries for further malware distribution?Has this network hosted sites that have distributed malware?The search engine checks third-party sites that track ad malware.

For example following is the result of a search action:


What happened when Google visited sites hosted on this network?

Of the 725 site(s) we tested on this network over the past 90 days, 127 site(s), including, for example, infinityyachts.in/, geospafitness.com/, aroundalibag.com/, served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tes…

Ardilla- New tool for finding SQL Injection and XSS

Three Researchers -- MIT's Adam Kiezun, Stanford's Philip Guo, and Syracuse University's KarthickJayaraman -- has developed a new tool 'Ardilla' that automatically finds and exploits SQL injection and cross-site scripting vulnerabilities in Web applications.
It creates inputs that pinpoint bugs in Web applications and then generates SQL injection and XSS attacks. But for now Ardilla is for PHP-based Web app only.
The researchers say Ardilla found 68 never-before found vulnerabilities in five different PHP applications using the tool -- 23 SQL injection and 45 XSS flaws.More information is awaited.For their attack generation techniques refer to their document at: http://www.cs.washington.edu/homes/mernst/pubs/create-attacks-tr054.pdf

Preventing Session Hijacking

What is Session Hijacking
Session Hijacking is an attack that when an attacker takes control of an already validated user.
When an application authenticates a user it assigns a random string called sessionID to the validated user and that sessionID is traversed every time there's an interaction between the logged in user and the application. Generally the sessionID remains valid till the user logs out. After that the particular sessionID becomes invalid. So sessionIDs are very importantconcept in session based application. SessionIDs itself can be captured by following ways:
PredictionCapture
Fixation
If an adversary takes hold of the sessionID he can impersonate the real valid user and the application won't have any way to differentiate between the real user and the attacker. This is the general concept of Session Hijacking.

Prevention to Session Hijacking
A combination of following methods can prevent the problem:
Use of a long random number or string as the session key. This reduc…

Web Services Testing vs Web Application Testing

Image
I have just performed Web Services Security Testing. It was my first encounter with WS testing. Learned a lot from the experience I gained. It's still premature thing, I mean there' s no an pr defined standard frameworks available as how to proceed for testing. Web Services Testing is much similar to conventional web application security testing , however it differs in some aspects. Web Services presents a new and expanded sphere to explore in addition to Web Applications. So it's critical to defend the web services also apart from Web Applications. For overview of Web Services please refer to myearlier post.
The similarities I found while testing Web Services:
Almost same cycle of testing as Web Apps like Information Gathering etc.Almost all the OWASP top 10 vulnerabilities.Susceptible to MITM ( Man in the middle) attack, however was not possible in our case as we have implemented certificate based encryption.Few dissimilarities I came through was:It's not a front end, …

HTTP Parameter Pollution

Image
At the OWASP AppSec Europe, researchers demonstrated a very interesting otherwise underestimated issue. Although not a new attack category but quite dangerous if executed flawlessly.
It exploits the fact how does your application behaves when receives multiple parameters with same name in same URL.
For example, .../bank.php?action=view&accID=101&action=withdraw
In URL above two one parameter 'action' has multiple occurrences with same name in same URL.
What will the web application do? It can do one of the following depending on the environment it is using:
It may only take the data from the first parameter
It may take the data from the last parameter
It may take the data from all parameters and concatenate them togetherNow we know that for the specific above URL the second action is quite dangerous!
Using this technique even WAF (Web Application Firewall) can be evaded, it won't filter the request.
Suppose a WAF is designed to detect and filter out attacks like SQL inj…

Just an eyewash ?

Rediff gave an eyewash? Too early to comment. The main page search engine is not executing normal scripts now but not able to thwart encoded ones.
I think they are now rectifying the problem step by step.

Apart from this every second search module is suffering like Product search, Shopping, Matcmaker, Astrology, Jobs endless.

Wherever is search module..high chance of vulnerability.

They should visit XSSed.com for more information about the vulnerability on their site.


Wait is longer... they might have just started the process of rectifying the problem. Let's wait for few days more.

CSRF attack manipulates Times Poll

Image
Again Time magazine has become a victim to CSRF attack. A person called Moot got the most votes not by the normal public bu by manipulating the poll process by Moot's supporters.
The supporters of Moot analysed the link that actually submit the user's vote to the application:

http://www.timepolls.com/contentpolls/Vote.do?pollName=time100_2009&id=1883924&rating=1
Then they created an auto Voter URL:http://fun.qinip.com/gen.php?id=1883924&rating=1&amount=1
The arguments the specified the ID of the person to be voted,the rating to be given to the person and how many times they are being voted.
With this information, the attackers could abuse the amount argument to vote more than one time:


http://fun.qinip.com/gen.php?id=1883924&rating=1&amount=200
Each time this URL was accessed, it was equivalent to 200 individual normal requests.
Time actually identified the manipulation and came with antiCSRF tokens that were MD5 hash of URL + salt value.

http://www.tim…

IE is really unsafe?

Is IE unsafe? I tend to conclude so, regarding my interactions with Giorgio on an issue of XSS in Paypal. This is because the flaw in IE that it doesn't encode the URL before sending it on the wire.
While interacting with Giorgio I came across something new to me: InputDecoding. As Giorgio says:
@Nilesh:
In the Paypal case, it’s not doing output encoding, it’s skipping input decoding (quite strangely).
The correct workflow should be:Input decoding (decodeURIComponent)Input validationOutput with output-specific (HTML or JavaScript) encodingThis Paypal page was missing all the 3, and only by luck the fact browsers different by IE properly encode the URL saves them from XSS.The InputDecoding as far as I can understand is the process of getting back the URLencoded input in original form so that application can understand it properly and exeute it. After executing the application once again must escpae the output in proper manner (HTML escape or Javascript escape).Again, regarding IE Gio…

WASC Web Vulnerabilities classification schema

I came across another effort to systematically organize web application vulnerabilities, include six categories published by the Web Application Security Consortium (www.webappsec.org). They are very clearly and neatly organized.The following descriptions of web vulnerabilities are modeled on the WASC schema.

Authentication – stealing user account identities
-> Brute Force attack
-> Insufficient Authentication
-> Weak Password Recovery Validation

Authorization – illegal access to applications
-> Credential / Session Prediction
-> Insufficient Authorization
-> Insufficient Session Expiration
-> Session Fixation attacks

Client-side Attacks – illegal execution of foreign code
-> Content Spoofing
-> Cross-site Scripting

Command Execution – hijacks control of web application
-> Buffer Overflow attacks
-> Format String Attack
-> LDAP Injection attacks
-> OS Commanding
-> SQL Injection
-> SSI Injection
-> XPath Injection

Information Disclosure – shows sensitive dat…

New Search Engine from Microsoft- Kumo!

Image
A new Web Search Engine from Microsoft "Kumo"--a Japanese word for 'cloud' or 'spider'. It is being said that to compete with others search engines major like Google and Yahoo, Microsoft has actually developed it. However it's not available publicly on net but earlier this month Kumo was released for internal testing for MS employees.
Several screenshots have also surfaced over the Internet. It looks refreshing!

More info at :
http://blog.seattlepi.com/microsoft/archives/163312.asp

It pays to be patient, Rediff awakes!

Image
A surprising series of events:

*Couple of months back I reported XSS and SQL Injection to Rediff. It was painstaking effort as I had to search for the person concerned for security incidents. I connected to him, he happily requested and accepted my advisory.

* No Update from them..the vulnerability still existent.

*No Update from them..the vulnerability still existent.

*.................

*No Update from them..the vulnerability still existent.

* Meanwhile I left the hope of feedback and saw somewhere on the net that there have been already reported XSS about their site. It proved their laxity and negligence. I ignored the issue.

* This month somebody discovered XSS again on Rediff ( like I had, few months ago).

* He posted it on Owasp Delhi Mailing List. I responded to the post and told them about my reporting.

* NitinSaxena (Owasp Delhi Chapter Lead), urged me to send him the all the communications by me to Rediff and advisory as well. He was willing to take is matter to Rediff's …