Showing posts from 2013

Reversing Firmware

This article explores various strategies for reversing firmware, with some examples, and closes with a few best practices.

LINK here: 

Salted hash implementation in login, in a nutshell

Ajax Security Issues

My article on Ajax issues:

Android Master Key Vulnerability—PoC

Came across nice write up:

ZigBee Security Assessment

ZigBee (IEEE 802.15.4) is a relatively new protocol compared to Wi-Fi (802.11). Its low power consumption and long battery life make it well suited to home automation devices such as thermostats. The low power draw does not come from the radio frequency (the common 2.4 GHz ZigBee band overlaps Wi-Fi) but from a much lower data rate, a far simpler command set and devices that spend most of their time asleep.

Since it is a relatively new protocol and not yet widespread, there are fewer tools and frameworks for testing it. Some good hardware and software is available, however, and can be purchased or downloaded from the respective sites. The KillerBee toolchain, for instance, needs:

Atmel RZ Raven USB Stick (hardware)
Atmel JTAGICE mkII On-Chip Programmer (hardware)
Atmel 100-mm to 50-mm JTAG standoff adapter (hardware)
50-mm male-to-male header (hardware)
AVR Studio for Windows (software, free)
KillerBee Firmware for the RZUSBSTICK (software, free)
A Windows host for programming the RZ Raven USB Stick (one-time operation)

Issues to look for in ZigBee:
Similar to 802.11, ZigBee may also suffer from the same issues, lik…
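The first thing to establish in a ZigBee assessment is whether the traffic you capture is encrypted at all. As an added example (not code from the original post or from the KillerBee project), the Node.js script below classifies raw 802.15.4 frames by the MAC-layer security bit and the ZigBee NWK-layer security bit. It assumes frames with the FCS stripped (as one would export from a KillerBee capture), IEEE 802.15.4-2006 frame version 0/1 header layout and the standard ZigBee NWK header; the two sample frames are constructed for the example, not real captures.

```javascript
// Added example: classify captured 802.15.4 frames by whether ZigBee security is enabled.
// Assumed input: raw MAC frames as byte arrays, FCS removed, frame version 0 or 1.

const MAC_FRAME_TYPES = ['beacon', 'data', 'ack', 'command'];

// Length of an address field for a given addressing-mode value.
function addrLen(mode) {
  if (mode === 0) return 0; // address absent
  if (mode === 2) return 2; // 16-bit short address
  if (mode === 3) return 8; // 64-bit extended address
  throw new Error(`reserved addressing mode ${mode}`);
}

function parseMacHeader(frame) {
  if (frame.length < 3) throw new Error('frame too short for MAC header');
  const fcf = frame[0] | (frame[1] << 8); // little-endian frame control field
  const frameType = fcf & 0x7;
  const securityEnabled = Boolean(fcf & 0x8); // bit 3: MAC-layer security
  const panCompression = Boolean(fcf & 0x40); // bit 6: one PAN ID in the header
  const destAddrMode = (fcf >> 10) & 0x3;
  const frameVersion = (fcf >> 12) & 0x3;
  const srcAddrMode = (fcf >> 14) & 0x3;
  if (frameVersion > 1) throw new Error('frame version 2 header layout not handled');

  let len = 3; // FCF (2) + sequence number (1)
  if (destAddrMode !== 0) len += 2 + addrLen(destAddrMode); // dest PAN + dest addr
  if (srcAddrMode !== 0) len += (panCompression ? 0 : 2) + addrLen(srcAddrMode);
  if (frame.length < len) throw new Error('truncated MAC header');
  return {
    frameType: MAC_FRAME_TYPES[frameType],
    securityEnabled, panCompression, destAddrMode, srcAddrMode,
    seq: frame[2], headerLen: len,
  };
}

// ZigBee NWK header; only present in MAC data frames.
function parseNwkHeader(payload) {
  if (payload.length < 8) throw new Error('payload too short for NWK header');
  const fcf = payload[0] | (payload[1] << 8);
  return {
    frameType: (fcf & 0x3) === 0 ? 'data' : 'command',
    protocolVersion: (fcf >> 2) & 0xf,
    security: Boolean(fcf & 0x0200), // bit 9: NWK-layer security
    destShort: payload[2] | (payload[3] << 8),
    srcShort: payload[4] | (payload[5] << 8),
    radius: payload[6],
    seq: payload[7],
  };
}

function classifyFrame(frame) {
  const mac = parseMacHeader(frame);
  if (mac.frameType !== 'data') return { mac, nwk: null, encrypted: mac.securityEnabled };
  const nwk = parseNwkHeader(frame.slice(mac.headerLen));
  return { mac, nwk, encrypted: mac.securityEnabled || nwk.security };
}

// Constructed sample frames (not real captures): MAC data frame with short addressing
// and PAN-ID compression (FCF 0x8861), followed by a ZigBee NWK header.
const SECURED_FRAME = Uint8Array.from([
  0x61, 0x88, 0x01, 0x34, 0x12, 0x00, 0x00, 0x2b, 0x1a, // MAC: FCF, seq, PAN 0x1234, dst 0x0000, src 0x1a2b
  0x08, 0x02, 0x00, 0x00, 0x2b, 0x1a, 0x1e, 0x2a,       // NWK: FCF 0x0208 (v2, security set), dst, src, radius, seq
  0x28, 0x05, 0x00, 0x00, 0x00, 0x2b, 0x1a, 0x00,       // NWK aux header + ciphertext (dummy bytes)
]);
const PLAINTEXT_FRAME = Uint8Array.from([
  0x61, 0x88, 0x02, 0x34, 0x12, 0x00, 0x00, 0x2b, 0x1a,
  0x08, 0x00, 0x00, 0x00, 0x2b, 0x1a, 0x1e, 0x2b,       // NWK FCF 0x0008: security bit clear
  0x40, 0x01, 0x02,                                     // APS payload (dummy bytes)
]);

// One line per frame, the way a triage script would print it.
function report(frames) {
  return frames.map((f, i) => {
    const c = classifyFrame(f);
    return `#${i} ${c.mac.frameType} seq=${c.mac.seq} ` +
      (c.nwk ? `nwk ${c.nwk.srcShort.toString(16)}->${c.nwk.destShort.toString(16)} ` : '') +
      (c.encrypted ? 'ENCRYPTED' : 'PLAINTEXT');
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report([SECURED_FRAME, PLAINTEXT_FRAME]).join('\n'));
}
```

ZigBee normally secures frames at the network layer rather than the MAC layer, so a clear MAC security bit on its own says nothing; the NWK bit is the one that matters for data frames. A network whose data frames come back PLAINTEXT is fully readable and forgeable from any sniffer in range.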

Capturing localhost traffic in IE with Burp

Capturing the traffic of a web service running on the local PC was easy in Firefox, but a little tricky in IE. IE and .NET do not send traffic destined for localhost or 127.0.0.1 through the configured proxy, so intercepting proxies such as Burp and Paros never see it. The options are to use Firefox or another browser that does proxy localhost, or, for IE, this workaround:

Open C:\Windows\System32\drivers\etc\hosts (as Administrator) and add the following entry:

Now access the site as

Now the Burp/ Paros would be able to capture the traffic!

Flawed CSRF token implementation

The sole purpose of a (secret) anti-CSRF token is to let the application tell requests that originated from its own pages apart from forged cross-site requests. A request that does not carry a valid token is treated as forged and rejected, because a third-party site cannot read the token bound to the victim's session.
Contrary to that, in one application the tokens were generated before login and, worse, not regenerated after successful authentication. If an attacker can get a pre-authentication session and its token into the victim's browser (session fixation, for instance), that token stays valid once the victim logs in, so the check no longer protects the authenticated session. This defeats the purpose of the anti-CSRF approach.

Anti-CSRF best practices:

    Don't issue CSRF tokens before authentication
    If tokens are issued before authentication, always regenerate them after successful login
    Use POST for sensitive transactions, with the CSRF token embedded in the request body
    Don't send CSRF tokens in GET requests, as they end up in browser history, proxy and server logs, and Referer headers

In a few Ruby-based apps, the token was being generated before authentication and the same token kept being used afterwards.

Mitigation: (taken from 'Symbolic Security Analysis of …

Before you move to the cloud

The term is new, but the concept is not. Throughout the history of computing, IT organizations have run their own infrastructure to host applications, data and servers. Now most of them rent that infrastructure, using remote servers to host their applications or data. Organizations called service providers exist specifically to provide, manage and maintain the infrastructure on which their client organizations' applications and data are hosted; the client organization gets access controls to manage what it hosts on the remote servers. That is the main idea behind cloud computing. More here....

Proxy Chaining


XSS Challenge


XSS in Ajax

The following functions and properties need to be inspected for XSS, as they are likely sinks through which attacker-controlled data reaches the page: eval(), document.write(), innerHTML, write().
Safer alternative: instead of innerHTML, use innerText (or textContent), which inserts the value as text without parsing it as markup. XSS payload in JSON and its effect, a nice example from iSec Partners:

var inboundJSON = {"people": [
  {"name": "Joel", "address": "<script>badStuff();</script>", "phone": "911"}
]};
someObject.innerHTML = inboundJSON.people[0].address;   // Vulnerable: parsed as HTML
document.write(inboundJSON.people[0].address);          // Vulnerable: parsed as HTML
someObject.innerText = inboundJSON.people[0].address;   // Not vulnerable: inserted as text

Note that innerHTML and innerText are properties, not functions, so they are assigned to rather than called. A <script> element inserted through innerHTML is not executed by modern browsers, but an <img src=x onerror=...> or similar payload in the same field is, so the sink is just as dangerous.
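As an added example (not from the iSec Partners write-up), the renderers below take the same kind of JSON and build list markup two ways: by concatenating the fields as-is, and by escaping them first. They return strings rather than touching a DOM, so the difference can be checked outside a browser; in the page itself the equivalent of the safe path is assigning el.textContent. The second person in the JSON is a constructed onerror payload added to show that escaping covers more than <script>.

```javascript
// Added example: unsafe vs escaped rendering of untrusted JSON fields into HTML.

// Constructed input; the second entry is an event-handler payload, not a script tag.
const inboundJSON = {
  people: [
    { name: 'Joel', address: '<script>badStuff();</script>', phone: '911' },
    { name: 'Mallory', address: '<img src=x onerror="badStuff()">', phone: '"><svg onload=badStuff()>' },
  ],
};

// Escape the five characters that can change HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: untrusted fields are concatenated into markup and would be parsed as
// HTML the moment the string is assigned to innerHTML or passed to document.write().
function renderPersonUnsafe(p) {
  return `<li>${p.name}: ${p.address} (${p.phone})</li>`;
}

// Hardened: every field is escaped, so payloads are displayed, not interpreted.
function renderPersonSafe(p) {
  return `<li>${escapeHtml(p.name)}: ${escapeHtml(p.address)} (${escapeHtml(p.phone)})</li>`;
}

function renderAll(json, renderer) {
  return `<ul>${json.people.map(renderer).join('')}</ul>`;
}

// Cheap triage check for a rendered fragment: any tag other than our own <ul>/<li>?
function hasForeignTag(html) {
  return /<\/?(?!ul\b|li\b)[a-z]/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderAll(inboundJSON, renderPersonUnsafe));
  console.log(renderAll(inboundJSON, renderPersonSafe));
}
```

Escaping is the right tool only when the value lands in element text or a quoted attribute; values placed into URLs, inline scripts or CSS need their own context-specific encoding.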

Android Application Assessment

A nice article on a detailed assessment strategy for Android applications, well explained and comprehensively written.
It describes the different stages of an Android assessment, the tools, the methodologies and the native tools, with screenshots.
You can find the article here: Android Application Assessment

Also have a look at Web application Security Course offered by InfosecInstitute.

Arbitrary File Download

I just stumbled upon a great article about what arbitrary file download is and how dangerous it is when exploited. It then discusses the difference between arbitrary file download and LFI/RFI, an often confused topic.
What is Arbitrary File Download?
As the name suggests, if the web application does not validate the file name requested by the user, a malicious user can exploit this to download arbitrary files from the server, including configuration files, source code and credential stores, typically by supplying a name containing directory traversal sequences or an absolute path.
What is LFI/ RFI:
Often confused, LFI/RFI is different from the arbitrary file download vulnerability, although the two are used in combination when directory traversal is possible on the server. LFI and RFI stand for Local File Inclusion and Remote File Inclusion. Both are similar in nature, differing only in how they are exploited: both take advantage of unfiltered file-name parameters used by web applications, predominantly in PHP, and the key difference from a download is that the included file is executed by the interpreter rather than merely returned to the client. LFI, when exploited, uses a local file available on the sa…

Anti CSRF header

Recently I came across an application that was preventing CSRF attacks using a non-traditional approach. In the traditional approach CSRF is thwarted by embedding a unique random token, often called a nonce, in each sensitive page. But this application, which made Ajax calls and used jQuery, was relying on a request header to tell valid requests from invalid ones. The idea is to send a custom header, x-session-token in this case, with every request that is considered sensitive or involves any sort of transaction. For example:
xhr.setRequestHeader('x-session-token', csrf_token);
On the server side, the presence (and value) of this header is checked; if it is found the request is fulfilled, otherwise it is rejected.
This technique only works for XHR calls and is of no use for regular form-driven POST and GET requests, which cannot set custom headers. I was not aware of this kind of countermeasure, probably because most of the applications I tested used standard requests. So I searched a bit and found that even Google uses …