Skip to main content

Posts

Showing posts from 2017

Certificate Pinning in mobile apps

What is certificate pinning: Certificate pinning is an countermeasure to any attempt of MITM (Man in the middle) attacks where an attacker tries to inject his own certificate to sniff the traffic between the client and the server. Why cert pinning is required: The question here is why it's required for mobile apps, why not for browsers? The reason is mobile apps are very obscure and very difficult to get about what's going behind the scene. The end user does not get any warning from the app about any possible malicious activities going on. However in case of a browsers on desktops the user is presented with various warnings about TLS such as domain name not matching etc. This alerts the user to sense that something is not right there. And he has option to accept/ reject it , while in mobile apps it's not the case. How to do it: Generally it's done on code level, where the developer binds (pins) a certificate with the app. It's sort of hard coding the cert na

When authentication is not really an authentication

When authentication is not really an authentication- just identity. We'll talk about a design flaw. Identity is just identification of entities such as a person, object etc- who they are. But when it comes to prove that who they are, the entities must supply some sort of credentials, such as passwords, certificates etc to prove their identity claim. Let's consider a hypothetical app which is thick client and 2-tier (which is never a good idea), but let's think about it. It has got following design: 1.The UI is protected by a login screen which requires AD (Windows) authentication of logged in user. The login screen is a separate exe. 2. Once the user is authenticated, a separate UI exe is launched with the logged in user's privilege. 3. The same login screen also provides details of the DB to be connected by this app once the authentication is successful. What risks we see here apart from the traditional 2-tier risks such as decompiling, business logic at clien

ZigBee test cases

Zigbee  is an IEEE 802.15.4-based specification for a suite of high-level communication  protocols  used to create personal area networks with small, low-power digital radios, such as for home automation, medical device data collection, and other low-power low-bandwidth needs, designed for small scale projects. Here are some generic test cases (please enlarge for the clearer view) :

Nice aricle on recent Equifax hack

Americans who either applied for new jobs, loans, or just wanted to check their credit score via Equifax are having a difficult time getting answers as to whether they are part of the breach of 143 million records that occurred Thursday. The company  disclosed yesterday  it was the victim of a massive cyberattack. From mid-May to the end of July this year, Equifax said criminals accessed files including names, Social Security numbers, birth dates, addresses and even driver’s license numbers. Since the revelation, the company’s site has been overwhelmed with worried website visitors that have brought the site to a crawl and at times rendered it unreachable. https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/

LFI to DB and backdoor

I am decribing a high level, theortical way of converting LFI to DB compromise and creating a backdoor. A long time ago, came across an application which was vulnerable to LFI (Local File Inclusion). The LFI found was different from traditional one, since the filenmames were not being passed in any parameter, so was hard to detect also. A file called default.cgi contained code that which looks for a file in the directory and include it for some sort of processing, that was a business requirement, if not found, displayed 'File not found' error. So in order to exploit it one need to append a file name just after default.cgi? .  This way, could view any file from app server to OS level. Many sensitive files are easily accessible even from other folders too. /etc/passwd was accessible but /etc/shadow was not present, unfortunately.  After browsing through almost all the files present at the server, came across a few interesting files (conn.cgi) which contained the logic of

Solving SSL error in python: certificate verified failed

To do away the below SSL handshake errors, where the urllib is very strict in verifying ssl certificates, we can ask it to relax: Add the below lines:

When You face Binary translation is incompatiple VM

While moving my Kali Linux VM from my old Win7 machine to my new Win10 machine, I faced this strange issue, while starting the VM: After banging my head for along, I figured out that by default in new laptops, the virtualization is disabled on Intel processors and for enabling it we need to enter the BIOS setup. We need to turn it on by:  Entering the BIOS is a bit different inWin 10 machines: https://www.laptopmag.com/articles/access-bios-windows-10 Once that's enabled the VM bootup will be smooth!

When the locked account bypassed

Generally the accounts are locked when the attempt to login exceed a certain no. of unsuccessful attempts. The userids are locked by the application to thwart any further attempt to brute force. Generally the threshold is 3 unsuccessful attempts. But I recently came across an application where there was a flaw which leads to bypass the account lockout. Suppose an account is already locked and we try to provide the correct userid and password as now we remember the correct combination. It acts like the below: 1. In one tab we'll access the login page and enter the userid/ password correctly. But the app will not let you in because the userid is locked and displays account locked message. 2. Now try accessing an internal url of the application in the second tab in the same browser since two tabs share the session id in most of the browsers. 3. The application lets you in the second tab! This behavior of the application puzzled us until we inspected it closely and came to

3 key 3DES, 2 key 3DES and effective security

There was a recent discussion around effective security and effective key length of 3DES algo. Basically the 3 DES is 3 times DES. There would be 3 keys (K1, K2, K3 ) involved in the operation. The size of a key in DES is 64 bit, but due to padding the actual keys being used for the encryption are 56 bits of the length. So, in 3DES the the total key size would be 168 bits. Now there are 3 options in 3DES: Option 1, where K1, K2, and K3  are independent, the length would be 168 bits. Option 2, where 2 keys are similar , eg, K1=K3, still the actual length is 168 bits but the 'effective' length would be 112 bits. (also called 2-key 3DES) Option 3, the least secure where all three keys are same, ie, K1=K2=K3, still the actual length is 168 bits, the 'effective' key length would be 56 bits. Now due to a know attack on 3DES, Meet-In-the-Middle (MeetITM), the 'effective' security of the above options are reduced as following: Option 1: 112 bits Option 2: 80 b

SecureString for managing passwords in memory

As the brush with 2-tier apps continues, the usual recommendations to manage the memory from leakage is to overwrite it quickly once its use is over. Although, it does not prevents the leakage completely, it reduces the attack surface by a considerable extent. Fortunately, for .Net application there's a method called SecureString. This class allows you to keep string data encrypted in memory. But a few things to keep in mind. Liked the below points from a discussion from stackoverflow post: Do you know how many times I've seen such scenarios(answer is: many!): 1.A password appears in a log file accidentally. 2.A password is being shown at somewhere - once a GUI did show a command line of application that was being run, and the command line consisted of password. 3.Using memory profiler to profile software with your colleague. Colleague sees your password in memory. Sounds unreal? Not at all. 4.Some tools such as  RedGate software that could capture the "value"

Memory leakage in 2-tier applications

The 2-tier applications use front-end to directly communicate to DB. There's no separate business logic tier. All the business logic are at client side. Thick client applications (mostly) are classic examples of that. Applications developed in .Net and Java could be found in big nos. inside any organization. Sometimes it's difficult to straightaway move to 3-tier architecture. Businesses are reluctant to accept this approach due to: - Moving towards 3-tier involves a great amount of coding efforts and  money. - Sometimes the applications are almost end of life and are not being retired just because of there;s no good reason to do so.  - Most of the above applications are Intranet applications. Business claims that being an internal application, this is less susceptible to attack. But they forget one very big risk under these claims- sensitive information in memory dumps.  The application being 2-tier connects to DB while constructing the connection string using DB

File Upload through Null Byte Injection continued...

Just after writing the previous post, we came across a scenario where the application was expecting a pdf and back-end was php. But the application was not accepting the Null Byte injected files as described in last post. We found that it was validating PDF magic no. and application types in headers. So, we repeated the the exact steps of the last post and additionally we changed the signature and content type and the application uploaded it successfully. So we renamed our file shell.php as shell.phpA.pdf and replaced A with Null, so the strings became shell.php[NULL] .pdf, which the interpreter read and created a file shell.php on the server. Only issue is that there's not code to execute since all the contents were pdf contents. But our aim was to bypass this and it was successful. This post concludes.

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated. Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string. This can be used for the bypass. It works for many servers, specially php servers. T