Posts

Showing posts from July, 2009

Now Hijacking EV-SSL

Close to the heels of SSLhijcking by Mozie in BlackHat last year, yet another attack on the SSL. This time on EV-SSL (Exteneded Validation-SSL). Mike Zusman and Alex Sotirov are releasing a pyhton based tool to hijack EV-SSL.The Python-based tool can launch an attack even with the secure green badge displaying on the screen.

All it takes is an attacker having a non-EV SSL certificate for a Website, and he or she can hijack any SSL session that connects to it. That's because the Web browser treats the EV SSL certificate with the same level of trust as an SSL domain-level certificate.

EV SSL sites display a green address bar when used with the newest versions of major Web browsers, and the bar bears the name of the Website's organization that owns the certificate, as well as the authority that issued it. The certificate shows the site is legitimate, and that the session is encrypted and secured.

Calls for EV SSL adoption have intensified of late amid concerns of MITM attacks target…

An Intoduction to HTTP Response splitting

Image
Here I am going to introduce you with HTTP Response splitting which I had written in reply to an Owasp Delhi member's question. Although it's not a comprehensive write up but can give you an insight to the matter.
An application is vulnerable to HTTP Response splitting a.k.a. CRLFinjection when it doesn't validate the user input properly.
For example, if requesting something like GET /myPage.asp?value=anyValueHTTP/1.1 returns response that includes a location header and 302response code:
HTTP/1.1 302 Found
........
........
Location: http://www.myApplication.com/myPage.asp?value=anyValue

Then it might be vulnerable. It means the application is returning the same URL which is requested by the user in Location header.

How to exploit:
Suppose a link crafted by an attacker is clicked by a valid user. I am crafting the script into it: http://www.myapplication.com/myPage.asp?value=12345foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aCont…

Hijacking SSL

SSL has been in centerstage of researches as well as attacks for quite long time. Last year in a conference in Germany researchers showed how to generate duplicate certificates exploiting MD5 hashing to break SSL. Later in Black Hat, Maxie showed how to exploit a field in SSL certificates to sign an own forged certificate to present it to the client. The main feature of this attack was that the client will never get any warning dialog box by the browser and subsequently the hacker doing an MITM can see the conversation between the client and server. The client will even get a PADLOCK sign to be assured that all things are going via encryption, but in reality it's not. Maxie released a tool SSLStrip to carry out these attacks.
The tool has been used by many researchers around the world to carry out the attacks. They all used Unix machines as many open source utilities makes it easier to run the tool on it.
My attempt was to run the tool on a Windows machine. It has been never easy to…

BlackHat Presentation on ATM hack withdrawn

Juniper's Researcher Barnaby Jack was to present a talk on how a flaw into ATMs of a particular vendor can be exploited. The talk was to be presented into BlackHatLas Vegas. The show was cancelled on the request of the affected vendor which sought some time to fix up the flaw. Juniper too agreed that the talk would have far reaching impact on ATM security. They are offering help to ATM vendors to fix up the flaw found in Jack's research.

This is not the first time a Black Hat presentation was withdrawn. In 2005, Cisco and Internet Security Systems (ISS), now owned by IBM, threatened to sue researcher Michael Lynn just hours before he was to deliver a talk about vulnerabilities in the CiscoIOS. Lynn quit his job at ISS and proceeded anyway. Soon after, he settled with the two companies, essentially promising not to further discuss the exploit.

Last year JeremiahGrossman and RSnake too delayed theirpresentation on Clickjacking after they received request from Adobe.

In 2007, securi…