Nilesh Kumar

MHTML files

2012-01-10T18:16:00.000+05:30

Today my colleague Surendra had a query regarding a weird popup coming up while he was trying to access a website. Although even, I was not very familiar with the kind of message he was getting. All we wanted to know, if it's really anything malicious! He was trying to access some page, and the website was making some weird request to the webserver in order to load some object (here it was a calender) from the server:

mhtml:http://abc.com/resources/Calnder.mht

The warning message was like this:

Even I had not noticed like anything in the past, I did a little research on the topic. The browser was trying to load some MHTML page.MHTML is simply a MIME HTML format, used to combine all the external resources, which are generally loaded as external link, with HTML code into a single file. Generally this file has extension as .mht. So any .mht file contains mix of HTML code and other objects such as, Flash, images, applets, audio files etc. The content of .mht file is encoded in base64. (Wiki)

So when you are requesting a .mht file it will be loaded into multipart one-by-one, as the file may be large. Also, to minimize the lots of GET requests to server, it can be used. So IE uses mhtml:http:// format to request such type of files from the server. But again IE strips the mhtml part and makes the normal GET request to the web server. Again when it gets the response from the server again it prefixes the mhtml before it. So for example, if you request mhtml://http://abc.com/anyFile.mht, IE interprets the mhtml request for multipart/related content and sends a normal GET request to the server as http://abc.com/anyFile.mht. After receiving the response back it again prefixes with mhtml as mhtml:http://abc.com/anyFile.mht.

So, regarding his case, there was some script injection vulnerability with the way the Windows treats the MHTML long ago. So, Microsoft came up with a lock-down solution for the MHTML being used in the URL. Now you can’t use mhtml in urls/hyperlinks if that fix is applied on the server. But still MHTML can works behind the scene, the only thing is you can never request it as mhtml:http://. Generally .mht doesn’t contain script but if it contains that and the lock-down for the MHTML is applied on the server, it pops-up a message like you faced: “This webpage is trying to communicate with your computer using a protocol that your security setting don’t allow”. You can simply allow the pop-up by clicking yes to be rendered option. No harm in that.

So in his case, it may be the browser is trying to access some url in the mhtml:http:// format and mhtml have been locked down on the remote server or in your IE settings, that could be a reason you are getting the pop-up alert.

Again, all the above observations are based on my google, might not be 100% correct, but one might have got the picture a bit. So nothing malicious in that request.

Process listening on the ports

2011-12-13T17:30:00.002+05:30

Some times it becomes very necessary to confirm which exe or process is listening upon which port in order to determine the reason behind the running services on those ports. For example, if you find that there is one more web service running over another port, suppose 8082 apart from port 80, you may need to determine, after all which process. To see it type:
netstat -anb:

If you see the above output, you can see the inetinfo.exe process is running on two ports 80 and 3205 which in turn are http and sapdp05 respectively. Also, the respective PID or processID, which in this case is 2644 for inetinfo.exe. So, if you stop or kill the inetinfo.exe process, these services will stop.

I have seen in some PCs, specially in Win7 netstat -ab command does not work. So for determining about the process listening on a specific port you can do like this:
type netstat -ano | find "2644" as we know that PID 2644 is responsible for opening the port 80 (http) and 3205 (sapdp05) but we exactly don't know the process name. So we can map them like the following picture:
The PID 2644 is mapped to inetinfo.exe in the Windows task manager. But if you want to just stop port 80 (or say, don't want the inetinfo.exe should listen on port 80, ie. http) you need to stop WWW Publishing into Services.msc. This will allow inetinfo.exe to tun on port no. 3205 (sapdp05) which may be a required service but stop http (port 80).

So this way you can determine how to check which exe or process is responsible for running a specific service on a specific port.

Reverse Engineering with OllyDbg

2011-11-15T15:27:00.002+05:30

My Article on reversing exe has got published in Oct issue of "Exploiting Software-Hakin9" magazine. This article is about basic introduction to Reverse Engineering. I have chosen to show reversing of a sample exe file and how to patch it. The article more focuses on showing a practical example of reversing.
It could be downloaded here. The article is from Page no. 38 onwards.

Dealing with Non-technical users

2011-10-20T17:40:00.002+05:30

In Security profession, you always go with your finding to the people who has technical capabilities so that they may understand, what you want to explain to them. But what in a situation if you need to deal with ordinary, non technical users? They don't understand your security jargon, they only care about their business. I have been dealing with these sort people from long back! And when they are sitting in remote location, it's very tough!
The best way is to send them mails explaining the issue, its impact and how to fix them. Sometimes, they will co-operate with you some times, you are disappointed.
For example, if you need to deal with users running any Insecure Services (suppose FTP) on their machines, the following ways seem working:
1. First send a communication to them about the issue, eg, what the service is all about, how it could be exploited if not closed or secured.
2. If they respond, well, tell them to stop FTP from Services.msc.
3. Sometimes, they are not sure why FTP is running on their machine. They stop IIS admin and all, but FTP still running. Tell them to run fport, a McAfee tool to find the EXE which is responsible for running the service. netstat -ab is another equivalent command. Sometimes Inetinfo.exe may not be responsible for running FTP on your machine as there are lots of other application, which may run their own FTP servers.
4. Now you are sure, which process (EXE) is running the service, you may instruct the user to go and locate that service into Services.msc and stop it.

What, I want to say is , it really takes to be patient at your side, if users are non-technical, remote and a little non-cooperative. But again, its very necessary to take them to right way as they may pose a security risk to your organization.

Securing Connection Strings

2011-10-13T21:03:00.003+05:30

Today, again I came across the same scenario about which my colleague Sam had asked me once. He asked me about best practices for securing the connection strings. Well, for securing the Database connection string file. The general approach will be-irrespective of technology- its’ best practice to move the credentials out of source-code into a configuration file. It needs to be properly protected, using strong ACLs and strong encryption with properly protected keys. I shall give you an example of .NET which I am aware of and you can suggest developers to use the similar thing for Oracle and jsp pages.

Again there are different approaches for different technologies- for ASP.Net you can either use Windows authentication instead of using username/password, database (connection string) name in the source code. But that’s not possible, if you have got to mention the username/password, database name, put them in a separate configuration file such as app.config or web.config and encrypt them using various ways available in .NET such as, protected configuration:
The following configuration file fragment shows the connectionStrings section after it has been encrypted:

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
<EncryptedData>
<CipherData>
<CipherValue>AHHJHJh9w+++kdjkdkUIosdndns…. </CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>

When the encrypted connection string is retrieved at run time, the .NET Framework uses the specified provider to decrypt the CipherValue and make it available to your application. You do not need to write any additional code to manage the decryption process.
The bottom line is that don’t store them in source code and you have to encrypt the configuration file containing connection string. Tell them to put the connection string in configuration file and encrypt it. Again, they have to pay attention to key management. This is the best available solution however, it may be tailored as per the their needs.

His other query was about SSL if that can be used to connections between application and database servers.
Here there are two scenarios, first the app server and database server are on the same machine. In case of protecting connection between application server and database server doesn’t make any sense as the connection is not exposed to the public. Also, the application server and DB server both can be on same machine or separate machines. SSL is only used between application server/DB server machine and user browser to prevent Man in the Middle attacks like sniffing.
In worst case, if application server gets compromised (application vulnerabilities may be main culprit) SSL won’t do anything as the connection string if not encrypted can be easily read by the hacker.

Regarding the second scenario,one situation I may think of, if the both app server and DB server are on different sites. But in that case also, only the connection string credentials in transit can be protected with SSL, can’t be protected when app server is compromised.
The best bet is to encrypt the connection string file itself.

Open Mail Relay-How to test

2011-09-15T18:37:00.000+05:30

An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users.This used to be the default configuration in many mail servers; indeed, it was the way the Internet was initially set up, but open mail relays have become unpopular due to their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers.[Wikipedia]

How to test your mail server for open relay:
1. At command prompt type:
C:/>telnet mailserver.yourdomain.com 25

220 mailserver.yourdomain.com ESMTP MAIL Service Version 6.0.3894 ready at Tue, 22 Aug 2011 05:22:00 -0700

2. helo

250 mailserver.yourdomain.com Hello

3. mail from: sender@otherdomain.com

250 2.1.0 sender@otherdomain.com....Sender OK

4. rcpt to: recepient@someotherdomain.com

250 2.1.5 recepient@someotherdomain.com

5. data

354 Start mail input; end with .

This is a test mail. Please ignore this-Nilesh

.

250 2.6.0 Queued mail for delivery

6. quit

221 2.0.0 mailserver.yourdomain.com Service closing transmission channel

Connection to host lost.

You have successfully sent an anonymous mail abusing open-relay.

But if you get 550 error like this:
rcpt to: recepient@someotherdomain.com

550 5.7.1 Unable to relay for recepient@someotherdomain.com
The mail server does not allow open relay and won't forward spam all over the net.

Use SSH-Reject Telenet,RSH/RLogin

2011-08-03T19:20:00.009+05:30

The main problem with Telnet/rsh/rlogin/rcp is that they send the information over the wire unencrypted. So whatever you type, your username/passwords that go in clear text over the wire. Anybody can sniff it and make your life difficult. The remote shell utilities such as, rsh, depend on a pre authenticated IP connection. Anything coming from that IP is reliable for them. IP spoofing is not difficult!
So use SSH, Secure way to send information over network.The Secure Shell keeps unauthorized users out of our computers, both by encrypting passwords to protect them from sniffing, and by providing more positive authentication than simple password exchange. Instead of rsh, rcp, and rlogin, simply use the commands ssh, scp, or slogin.
How to tunnel Telnet through SSH:
1. Launch Putty and provide the destination host IP address.
2. Go to SSH->Tunnel.Enter the destination server name or address followed by a colon and the port PuTTY will forward to.

3.Click on the Open button. A terminal window will and prompt you to logon to the remote host using SSH. Enter your name and password to login to the remote host.
4.Now you can connect to this server using any non secure Telnet client. You must note here that you have to connect to the same port which is specified for the destination server in step 2.

Web Application:Authorization Issues

2011-07-01T19:34:00.002+05:30

I have written one article that got published in Hakin9 Magazine's July Issue.
This article is about different kind of Access Control mechanisms and issues with them in Web Applications.
Access Control, as the name suggests, is the mechanism of determining privileges of different
users to access the contents of an application. It can also manage fine-grained read and write
permissions on the files owned by a particular user. In other words, access control decides who has the authorization to use files, manipulate their contents, or visit a website. In the case of web applications, access control mechanisms allow different users different levels of access to web pages and functions.
Want to read more? It can be found here or clicking on the list of articles in the right side of the blog.

Lifetime of cryptographic Hash functions

2011-06-21T16:16:00.003+05:30

Many times developers ask which Hash is the best to work with currently. As I always suggest using SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512) as they are still not known to be broken, I found this chart very convincing and useful to compare between them:

As you can see only popular SHA-2 are still remain undefeated.
Reference: http://valerieaurora.org/hash.html

Wireless Security- Best Practices

2011-06-16T20:09:00.003+05:30

This article is about different kind of Best Practices that should be followed when using Wireless LAN.
A liitle lazy to write it again :) . The article has been published into June 2011 Issue of ClubHack Magazine (Page 20-24).

It can be downloaded here.

Disable NetBIOS

2011-05-12T17:15:00.000+05:30

NetBIOS an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. [Reference:http://en.wikipedia.org/wiki/NetBIOS]

Risks of NetBIOS:
1)NetBIOS Null Session Enabled: A NetBIOS null session allows users to connect to a host remotely with no username and password and perform a limited set of administrative tasks. Null sessions allow the remote user to gather information such as:
1. List users
2. List groups
3. List shares (including hidden shares)
4. Policies (such as minimum password length, etc.) While the enumerated information is not an immediate risk, much of the information can be leveraged to launch an attack to gain user or administrative privilege. All steps should be taken to eliminate the vulnerability and/or reduce the information available to the attacker.

2)NBTSTAT : All Microsoft Windows platforms include support for the NetBIOS network protocol stack. The NetBIOS protocol provides the underlying support for Microsoft Windows file and resource sharing. One component of all Microsoft Windows NetBIOS implementations is the NetBIOS Name Service. The NetBIOS Name Service listens for name service requests on UDP port 137. It can be queried to retrieve a listing of currently logged in user accounts and groups. In addition, the MAC address for the network interface over which the query is performed is included in the response to a nbtstat -A request.
The DOS nbtstat command can be used to perform this operation.
To do so, open a DOS command prompt and run the following command: nbtstat -A target_system Where target_system is the IP address or hostname of the target system.
See the picture below:

It shows that the Sharing is enabled on the target machine-see the code <20>. The attacker can now use other similar commands to get access to the shared resource:
net view \\target-ip

It will list down all the shared resources on the remote machine. Now you can map them to your own disk:
net use K: \\target-ip\shared-resource-name

Now the shared resource on the remote machine is shared on your machine with Drive letter K:

The content of the shared resource is available to you. You can browse them as they are on your own computer. As the NetBIOS is not a big issue on LAN, it may be big risk if your PC is connected over WAN.
Blocking NetBIOS on the system can be done one of three ways: [Reference: Cisco.com]

1) Use a network router upstream from the affected system to block TCP port 139 and port 445 to your network.

2) Use a software firewall on the affected system and block TCP port 139 and TCP port 445.

3) Disable 'WINS TCP/IP Client' bindings in Windows NT or Windows 2000.

How to disable NetBIOS:

To disable NetBIOS in Windows XP:
a)Click ‘Start’ from the Start Menu
b)Go to ‘Control Panel’
c)Go to ‘Network Connections’
d)Click on the interface for you wish to disable Netbios
e) Select Internet Protocol (TCP/IP) and then the Properties button.
f) Now select the Advanced button.
g) Then click on the WINS tab.
h) From there, click Disable NetBIOS over TCP/IP.
i) Click Ok 2 times after you've finished making your changes and restart as requested.

To disable NetBIOS in Windows 2000:
a) Click 'Start' from the Start Menu
b) Click 'Settings'
c) Click 'Network and Dialup Connections'
d) Click on the interface for you wish to disable Netbios
e) Select the 'Internet Protocol (TCP/IP) component
f) Select 'Properties'
g) Click the 'Advanced' button
h) Select the 'WINS' tab
i) Click 'Disable Netbios over TCP/IP'
j) Click 'OK'

To disable NetBIOS in Windows NT 4.0:
a) Click 'Start' from the Start Menu
b) Click 'Settings'
c) Click 'Control Panel'
d) Double click on 'Network'
e) Click on the Bindings tab
f) Under 'Show Bindings for:' select 'all adapters'
g) Find the network card you wish to disable Netbios for and expand it
h) Select 'WINS Client (TCP/IP)', and hit the 'Disable' button
I) Then reboot for the change to take effect

Testing for SSH

2011-05-03T16:59:00.009+05:30

This is written for specific scenario so may differ from yours.
There are few ways to find if SSH is enabled on the remote machine or not.

1). Log onto the Linux machine and type the following command:

netstat –a or
netstat –a | grep ssh

It will list down all the services running on the machine. Look for ssh or port 22, if that is enabled you can see like ftp and smtp:

2). Another way is to use Putty to connect the remote Linux machine. Select ssh and port 22 and try to connect. If connection established, then ssh is there otherwise, probably not-It's not a fool proof method however.

3) One more option is run port scanner such as nmap. It will list down all the services running on the machine.

Insecure protocols

2011-04-12T16:20:00.007+05:30

Some basic insecure protocols and risk associated with them:

FTP/Telnet/Rlogin/rsh/Rexec: These are insecure protocols because they use plain text authentication. This means that when you authenticate to the telnet or ftp server you send your login and password across the network un-encrypted or "in the clear". Data and even the password are transmitted as plain text. In addition to sending the login and password in the clear telnet and ftp also send the data or payload in the clear as well. There are commonly available programs that constantly monitor the network for packets that contains passwords. Preferably, all telnet and rlogin servers and clients should be removed from all machines.

Disable them if not used.

SNMP: Simple Network Management Protocol (SNMP) is a protocol for network management. SNMP lacks any authentication capabilities, which results in vulnerability to a variety of security threats. These include masquerading, modification of information, message sequence and timing modifications, and disclosure. Someone could receive SNMP traps from your machines and manage your network (e.g. bring up/down interfaces, disable packet filtering systems, etc.). Also, IIRC the community string and password are sent in cleartext; some basic packet sniffing could grab both pieces of information.

Disable it if not used .

SMTP-Open Relay: An open relay (sometimes called an insecure relay or a third-party relay) is an SMTP e-mail server that allows third-party relay of e-mail messages. By processing mail that is neither for nor from a local user, an open relay makes it possible for an unscrupulous sender to route large volumes of spam. In effect, the owner of the server -- who is typically unaware of the problem -- donates network and computer resources to the sender's purpose. In addition to the financial costs incurred when a spammer hijacks a server, an organization may also suffer system crashes, equipment damage, and loss of business.

Disable it if not used .

NFS: NFS is a client/server implementation that makes remote disks transparently available on a local client. It utilizes several daemons and configuration files to enable file sharing. By default, this process is all undertaken without any separate authentication, which makes NFS a security risk. NFS runs on the UDP protocol, which is a connectionless protocol because it does not require any acknowledgement of packet delivery.

Disable them if not used .

How to close FTP/SNMP/SMTP: Go to Control Panel-> Add/Remove Programs->Add/Remove Windows Components-

Select FTP and SMTP to disable them:

Select SNMP to disable it:

Disable NFS : Uncheck NFS in the list, if checked and click OK, Next to Finish:

How to disable Telnet: Go to Run->type “Services.msc”-> Look for Telnet in the list->Right click and select Stop:

I have just tried to compile all the issues at one place for easy reference.

Enabling support for old plugins in Firefox 4.0

2011-04-01T18:02:00.005+05:30

With release of Firefox with new look and other security features (CSP,HSTS) I couldn't resist myself from updating my current version 3.6 to 4.0. But, to my disappointment, lots of plugins which are necessary to me for carrying out my day to day assessment were not supported in FF4.0.
I can't wait for them to extend their support to FF4.0. I got a nice trick to enable them.

Go to the following path on your Windows XP machine:
C:\YourUserDir\Application Data\Mozilla\Firefox\Profiles\8l13fo9x.default\extensions
There you will find folders named as your extensions e.g for Firesheep, its "firesheep@codebutler.com". Go inside them, you will find one install.rdf file. Open the install.rdf file and edit the em:maxVersion tag, change the value from 3.6 to 4.0.*. Restart the browser and your plugin will be enabled !
Reference:http://research.zscaler.com/2011/03/make-your-old-add-ons-work-with-firefox.html

Maximum Password Length: An indication of stroing it in cleartext?

2011-03-16T00:05:00.002+05:30

I stumbled upon one nice post by Kevin which I found very thought provoking.
He considers, if the website is imposing a length restriction on your passwords entered, it's possible that they are storing it in clear text. May be in backend the password field is VARCHAR with maximum length defined. On the other hand, if they are hashing the password before storing it, they need not worry about the length of the password entered by the end user as the hashed password will be of 'fixed' maximum size, no matter how long/short the user enters his password. Interesting!
But what about the few banking websites, I have found that they restrict me in password length and define minimum and maximum limit? I asked Kevin and his reply was convincing:

@Nilesh: Well, it might the case that these banks are storing passwords as plaintext, but there most likely are other explanations. They are probably (hopefully) encrypting (rather than hashing) customer passwords. Or perhaps it's a situation something similar to like Greg pointed out. I'd be VERY surprised if banks--even the small ones--were storing their customer passwords in cleartext. This was common maybe 8-10 years ago, but now there are regulatory issues that almost certainly mandate at least some semblance of security.

But anyways a food for thought!

Man-In-The-Browser Malware

2011-03-09T00:22:00.005+05:30

Have heard about the malware quite long time back but today I got a chance to study about it into one of the magazines (net-security.org). It's interesting, really amazing, a clever way to steal money from transactions without you sense anything suspicious happening.
Without going into technical details, this Man-In-The-Browser (MITB) Malware is known as 'URLZone'. In contrast to Man in the middle (MITM) attack where the communication is intercepted and changed in between client and server over the wire this MITB malware infects the client machine installs some exe's like unisntall02.exe on the client machine. It then sends back the ID to the Command and Control server that is used by the hacker.
How it works:
This is most interesting part which made me read the article till end.

It records for the requests which are going on POST and over https, which indicates that something valuable is being transferred.
When user makes the transaction the URLzone malware silently changes the recipients name with the hacker's name. All these can be defined into the configuration file of the malware.
The bank will see the request as genuine as the sessionID and other tokens will be valid and transfer the amount from the user to hacker's account.
Then it intercepts again the response from the bank and replace the hacker's name to the original recipient's name which the user/sender was expecting to see.
This is the brief overview of its functioning. For more you can refer to following magazine (reference):
http://www.net-security.org/dl/insecure/INSECURE-Mag-29.pdf
It's really interesting.

SMTP Injection-Part I

2011-03-08T03:19:00.011+05:30

Yet another injection attack! Same cause- Failure to validate user input. The application which I was assessing was almost injection free- means all the known issues like SQL Injection, XSS etc were not present until I found SMTP injection!

The application had one feedback/suggestion form, through which user can submit their comments. Typically, user-supplied input will be inserted into the SMTP conversation that the application server conducts with the mail server.
The form was having the following fields:
Your email address: Where user has to enter his email id
Subject: Enter the subject
Comments: User can put his comments
Entering the above information the user can submit the form by clicking on a nice Submit button. The mail will be fired to Admin of the website and few other stakeholders too.

So, for example if we specify the following:
Your email address: nileshkumar83@gmail.com
Subject: Flaws in the website
Comments: Your website has the lots of flaws that can be exploited..blah..blah.

Ideally clicking on Submit button should fire the email to Admin and few stakeholders not to anybody else!

Now suppose I inject the following in the Your email address field:
nileshkumar83@gmail.com%0aBcc:allotherpeople@thecompany.com

So this causes the mail command to generate the following headers:

To: admin@thecompany.com;stakeholder@thecompany.com
From: nileshkumar83@gmail.com
Bcc: allotherpeople@thecompany.com
Subject: Flaws in the website
Your website has the lots of flaws that can be exploited..blah..blah.

The %0a translated into new line and then follows Bcc command which send the mail to other people silently who are not directly concerned with the message.
So it may be used to create spam messages or malign anybody's image.
Another variant of the SMTP Injection is SMTP command injection in which can cause to create an entirely new message in which you can control the From headers as well. That is more dangerous. We'll talk about that in next part.

Few common web.xml misconfigurations-Part II

2011-02-04T23:01:00.003+05:30

Well my colleague Sam says, I am slowing down on posts as I had written last one long time back :).
Here's my first in this month, second and concluding part of the last months series.
Few more mis-configurations:
4. SSL Not Configured:
No need to tell explicitly why SSL is necessary. Its protects the transit communications from sniffing,tampering by encrypting it and also-more important provides authentication. So confidentiality is preserved. Configure it as following:

<security-constraint>

<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

</security-constraint>

5. Not marking Cookies as 'HTTPOnly':

Cookies marked with HTTPOnly ensures that the cookies can not be accessed by javascripts in browsers making it more safe against most of the and common Cross-Site Scripting attacks (XSS)-still possible with Cross Site Tracing (XST) attacks though.
Use the following configuration:

<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>

6. No Session Time-Out:

As a best pratcice for session management always set time-out for the applications. If the user is idle for some specific amount of time, invalidate the session that will make the application more secure against hijacking:

<session-config>
<session-timeout>10</session-timeout>
</session-config>

The application will expire after 10 minutes of inactivity. Don't set any -ve values as it will make the application to not expire indefinitely.

7. Don't use URL parameters to store sessionIDs:

Sessions can be stored in two places mainly: Cookies and URL parameters. The last one is less secure as URLs can be logged/cached in some places like browser history. Make sure than you store sessionIDs in cookies:

<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>

An alternative to Paros+Ntlmaps

2011-01-14T18:19:00.007+05:30

In my last post , I had described about how to set up Paros with Ntlmaps to do security assessment of the application requiring NTLM authentication.
It always works for me properly, until today! After a long time , I stumbled upon one application which requires NTLM authentication. As a Paros lover (no reasons, just due to its simple interface, I love it), I launched Paros and Ntlmaps. But badluck for me, couldn't figure out why Ntlmaps was unhappy with me. My whole day went in troubleshooting! Even I ended up un-installing and installing Ntlmaps. Even I locked my Windows user-credentials after exceeding maximum no of attempts from my system to the application. Anyways I got it unlocked. Even my colleagues were absent today (Ronnie, Thyagu) who might have helped me in configuring Ntlmaps.

Anyways, it's funny that I had never paid attention to a functionality already there in Burp and WebScarab- I was laughing at myself!
These proxies already have built-in functionality for working with the applications requiring NTLM. It's just so simple-took two minutes to setup. I should have tried them earlier. Anyways, necessity is mother of inventions ;).
Following are the options:

In Burp: Go to Options-> do www authentication section. You can add credentials or just check "Prompt for credentials on authentication failure".

The Burp will prompt you for entering NTLM credentials whenever you will try to access sites requiring NTLM authentication. Enter the details manually:

It will be saved for your future use:

Similarly in WebScarab: Go to Tools->Credentials.
Here you can enter the NTLM credentials or simply check the "Ask when required". The credentials entered by you will come up there:

Very simple and powerful options, I should have explored it earlier!

How cookie can leak

2011-01-12T15:27:00.007+05:30

Today I was having a chat with my friend Vaibhav about few vulnerabilities in one of the applications. In order of that he asked me it's really necessary to mark cookie as "Secure". Well, depends...if your whole application is on https then you should always go for "Secure" attribute. Cookies set with the "Secure" keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction - if "Secure" is absent, the cookie may be sent over an insecure connection.

We have seen a lot of cases where the cookie is leaked and sent over from https to http:

1. If your page contains mixed contents, ie. if you are including some links that is on http then the cookie may be leaked. For example, if your application uses url https://example.com and you are including someother links in the page using http://, the browser may warn you as "this page contains both secure and nonsecure items".

2. If you are visiting page with https:// link but you click on a third party link which is on http:// that may leak the cookies.

3. The browser may cache the cookies if not marked as secure.

So mainly there are 4 conditions:

* HTTP Cookie, with "Secure" will be returned only on HTTPS connections
* HTTPS Cookie, with "Secure" will be returned only on HTTPS connections
* HTTP Cookie, without "Secure" will be returned on HTTP or HTTPS connections
* HTTPS Cookie, without "Secure" will be returned on HTTP or HTTPS connections (could leak secure information)

So, HTTP Cookies can be read by HTTP or HTTPS. HTTPS Cookies can only be read by HTTPS, that is if you set Secure = True on the cookie.
Also how and when to setup "Secure" flag, you can visit my last posts-this and this

References:
http://www.w3.org/Protocols/rfc2109/rfc2109
http://stackoverflow.com/questions/2163828/can-cookies-set-using-http-be-read-using-https

Corrections,if any, is always appreciated!

Few common web.xml misconfigurations-Part I

2011-01-08T17:26:00.005+05:30

While doing code review usually I find various misconfigurations. I am trying to compile them here.
Although they might not be a comprehensive list and something I may miss, but will touch most of the common points:

1. Authentication & Authorization Bypass:

<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

The above configuration shows how to setup web-based control. Here the assumption is that the everything in 'secure' directory must be accessible by 'admin' user only by using methods listed in  tags i.e, GET and POST. No other methods should be allowed. But that is not the case!

In fact any HTTP method which is not explicitly enlisted here (HEAD,or any junk values like, JEFF,TEST etc) can be used to access the resources under 'secure' directory. It's also called HTTP verb tampering.

Arshan Dabirsiaghi has a nice paper that summarizes this issue.
The solutions is just simply remove all above elements from above code and configuration will be properly applied to all requests.

2. Absence of Secure Flag: Sometimes some websites revert back to non-SSL connection or can be accessed over non-SSL connections (http://). This leaves the sessionID vulnerable to capturing which may lead to session hijacking. The sessionID must be marked with 'secure' flag.
In order to do that the following configuration can be defined in web.xml:

<session-config>
<cookie-config>
<secure>true</secure>
</cookie-config>
</session-config>

3. Customized Error pages are not defined: Sometimes the application faces unexpected error and is not able to handle it properly following which it displays it directly to the end user in form of stack traces or other signs. This may be a useful information for an adversary to launch attacks as it may reveal sensitive information about the code/platform/technology of the application and also tell about the application's input validation strategies. The developer should avoid these errors to be leaked to the end user. They should define some custom pages in the web.xml so that in case of error the applications should present a generic and customized page to the user instead of specific information-no matter what error occurs.

The following setting can be used:
Using the following configuration a nice error page will be displayed whenever the application responds with an HTTP 500 error. You can add additional entries for other HTTP status codes as well.

<error-page>
<error-code>500</error-code>
<location>/path/to/error.jsp</location>
</error-page>

Disclosure of Anti-CSRF Token in URL

2010-12-07T14:41:00.004+05:30

Is it a problem? I think no, as long as the token is Per Page, One-time use token.
Actually in one of the application, we had recommended to implement anti-CSRF tokens. When the application came back to us for verification process, we found that the application was implementing some sort of CSRF tokens, which were:
1) Going in GET request ie. were being added to URL.
2) Were being generated per page.
3) Were one-time tokens.

The only concern was the token in GET request. I mean it can be said that it is certainly not a best practice but the potential risk is very minimal. In a scenario where it can be exploited depends on following constraints:
1. The victim should be logged into the application (obvious).
2. The CSRF token must be transmitted in a GET request.
3. The attacker must be able to capture the token or from a repository (log files, browser cache etc).

4. The attacker needs to trick the victim to click on the crafted link.

5. The victim's session that holds the exposed token should be still valid ie, it is not timed-put,invalidated,logout, expire etc.

The 5th point is major hurdle in executing CSRF in this scenario. In our case, although the application was exposing tokens in URL but it was generating them per page/request and one-time only. So even if you have got the token for the current GET request there is minimal chance that you can execute it as next time the user will be browsing the same page with some other unique token.Even if the CSRF token is exposed and the attacker is somehow able to figure out the associated user, the token is only valid for the lifetime of one request.
Also I had consulted with few security experts and one of them Ryan Barnett says:

Is the csrf token per/page or one-time use for each request? The difference being if a client accesses the same page multiple times is the token changed? If not, then GET may be an issue.

I have seen the following csrf token implementation strategies:

1) Per Session token
2) Per Page token
3) Per Page, One-time use token

#3 is the most secure as it prevents token reuse.

--
Ryan

So our application was changing the request and was one-time, so it was good enough!
We might have suggested them to put it into PUT request but again they had to do again some levels of coding. And as far as the things are secure enough in GET why to go for PUT. I am not supporting tokens in GET but trying to make a balance between security and client.

Mould it as per your need

2010-12-05T18:20:00.004+05:30

We had a discussion with our colleagues over XSS issue found in one application. Initially there was not input validation at all-you can insert simple script tag and execute XSS. Following our recommendations they filtered out certain special characters like (>,<," etc) also they encoded them at time of output. Fair enough? No. Actually they implemented half of the recommendations- ie. they worked on blacklisting and left out whitelisting. There are a number of models to think about when designing a data validation strategy, which are listed from the strongest to the weakest as follows. 1.Exact Match (Constrain) 2.Known Good (Accept) 3.Reject Known bad (Reject) 4.Encode Known bad (Sanitize) They were implementing last two of strategies only. So the application was now filtering out normal XSS vectors like "><script>alert(...);</script> based attacks. But what happens when we provide eventhalders like onmouseover,onload etc-XSS executed. When we brought this to customers' notice they said that alphabets and " (double quotes) are valid inputs in the comment fileds, how can we filter them out, not even whitelisting approach will work here as these are valid characters. So after a brainstorming session with them we advised them to mould as per their need. It's not like that you blindly follow strategies mentioned above for whole application. We suggested them for that specific case where " (double quotes) and alphabets were valid inputs (in comments fields) don't filter " (double quotes) but atleast filter even handlers-onload,onfocus etc by using this sample script: .replaceAll("(?i)<.*?\\s+on.*?>.*?", "");

It removes on* attributes like onLoad or onClick

My point is that in some cases you need to shape your strategies as per your need to strike a fine balance between security and user-friendliness.

Firesheep-Session Hijacking tool

2010-11-14T20:19:00.003+05:30

Beware! Now even any Jack can hijack your session with a new Firefox plugin tool- Firesheep. All what he needs to do is to just install this tool in Firefox and start sniffing the communications on a public unencrypted Wi-Fi. Public Wi-Fi systems are generally unencrypted at Airports, Cafes etc.
Some web sites like Facebook serves the login page on https but all the internal pages at http, once authenticated. That makes this kind of websites more prone to sniffing, and an unencrypted Wi-Fi adds more problems. After authentication this kind of websites generally assigns some session identifiers to the user which can be easily sniffed and can be used to impersonate.
Surely, it's not a new concept, but what makes Firesheep more dangerous is that it's just a click-and-hijack tool that a novice user can also use at the public places to sniff other's credentials. The author's of this tool wanted to draw attention of people on those kind of websites which don't implement HTTPS fully for whole site. Hotmail took the lesson and recently added HTTPS for its whole site.
So, the main caution one should practice is to access the sites on HTTPS rather than HTTP. For the sites who don't use HTTPS all the time, don't browse them using public Wi-Fi's. There are lots of plugins available for Firefox like 'ForceHTTPS' which can be used to access the sites on HTTPS only.
Recently Zscalar released a tool 'Blacksheep' which you can use to detect the Firesheep, if somebody is using it in your network. BlackSheep is a Firefox add-on which warns users if someone is using Firesheep on their network. It also indicates the IP address of the machine that is spying on you.It periodically sends some fake session IDs similar to the sites like Facebook, and when Firesheep starts to capture it, it detects it and shows user the warning (See pic below).
But safe option use HTTPS all the time, if possible and don't browse to sensitive sites in public places. Be safe!

Sample screen shot of Blacksheep in action on my machine:

Few more settings for NTLMaps

2010-11-10T19:16:00.005+05:30

This is in continuation of my previous post on How to use NTLMAPS tool for pen-testing application requiring NTLM authorization. I was quite thorough and detailed about the steps about how to connect the tool in between the proxy and server-until one day I found a mail from Mark Wityszyn:

Hi Nilesh,

I've been struggling with the same problem for while now and keep coming back to NTLMAPS but have never manage to get it to work for web server authentication.

Would you be willing to share you configuration options from NTLMAPS?

Then I realized, I have missed the configuration settings that is to be made in the server.cfg file of NTLMAPS.

Here it is:

Go to the server.cfg file which will be in the ntlmaps folder and search and change the following lines with your settings:

PARENT_PROXY_PORT: specify here your Paros/Burp 'local' proxy port no.

NT_DOMAIN: domain name of the network

USER: userid which needs to be authenticated

PASSWORD: password for user-id above

Hope that helps.

ViewState and CSRF

2010-10-22T23:26:00.003+05:30

Today, me and my colleagues- Chintan and Ronnie were having a long discussion about ViewState's ability to thwart CSRF attacks. While Chintan's argument was that CSRF is possible even the application is implementing ViewState, Ronnie's thought was it's virtually impossible to launch a CSRF attack on ViewState enabled application. My idea was that it's not impossible but very difficult and takes a great expertise to launch the attack. We also saw various articles were mentioning the ViewState as a countermeasures to CSRF, at the same time they were not denying the fact that this can also be circumvented.
For sake of doing some research over topic I stumbled upon some articles and came to some conclusion:
When attempting to exploit a CSRF issue, the attacker will try to remove the viewstate from the page, since often viewstate is not required for a page to function properly. If the page complains when the viewstate is removed, the attacker will try logging into the application, visiting the page, and then copying the viewstate from the page into the CSRF exploit. Depending on the application, ASP.Net may accept the viewstate on behalf of the victim. Viewstate may be omitted or substituted because not all applications depend on the viewstate being present or initialized.

To mitigate the CSRF weaknesses, ASP.Net 1.1 introduced the Page.ViewStateUser-Key property. The property can be used to add entropy to the viewstate. When ASP.Net receives a postback it will use the ViewStateUserKey along with the validation key to calculate the page viewstate’s HMAC. By adding a unique value per user per page, it will not be possible for an attacker to substitute his own viewstate when creating a CSRF exploit.

Now starting .Net 1.1 the applications are 'almost' secure against the CSRF. Having said that it is also recommended to implement anti-CSRF token in the application. That will make the application's defense against CSRF more robust.

Your Cookie attribute will be overwritten

2010-10-16T23:03:00.005+05:30

In one of the applications , there was a vulnerability-they were not marking the cookie as 'HTTPOnly' but marking it as 'Secure'. I recommended them to as a best practice, flag the cookie as 'HTTPOnly' as well.

Set-Cookie: JSESSIONID=AJ122112KJYS.......; secure

Now they fixed it- They were setting the Cookie (Set-Cookie) as soon as the application loads in the browser and marking it as 'Secure'. Once the user is successfully authenticated they were regenerating the session ID and again (Set-Cookie) and this time marking it as 'HTTPOnly' only.

Set-Cookie: JSESSIONID=7H8TKLSDOPC56.......; HTTPOnly

Fine! but really? They were using the Set-Cookie header two times. First time they were marking it as 'secure' and again after regenerating it marking it as 'HTTPOnly'. Now this was the problem. Setting the cookie with Set-Cookie again overwrites the earlier attribute of Cookie. That means if you are setting cookie as 'secure and again setting with some other attribute , for example, 'HTTPOnly' then your cookie is no longer 'secure' now.

So best practices is flag it simultaneously with both the attributes:

Set-Cookie: JSESSIONID=7H8TKLSDOPC56.......; HTTPOnly; secure

Nice link: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
Thanks to Sripathi Krishnan for sharing this.
It says:Overwriting cookies: if a new cookie with the same NAME, domain, and path as an existing cookie is encountered, the old cookie is discarded. Otherwise, even if a subtle difference exists (e.g., two distinct domain= values in the same top-level domain), the two cookies will co-exist, and may be sent by the client at the same time as two separate pairs in Cookie headers, with no additional information to help resolve the conflict.

Open Redirection-How to Secure it

2010-10-05T17:30:00.002+05:30

When the OWASP has also included this issue in it's Top Ten 2010 list and also I have been finding lots of unvalidated redirects in the applications assessed everyday, I was just giving standard recommendation to developers to go for whitelisting approach. Include a set of valid domains- to which only your users should be forwarded- into your application. Once you have identified a “whitelist” of trusted domains, put the list in a configuration file on the server or database. From a secure coding perspective, the redirection servlet or script should not take a URL as a parameter. Instead, require that the servlet accepts an index that maps to the list of trusted domains.
But as I am not very good in coding I was not able to assist them in coding.
Eventually today I stumbled upon a very nice article here. It describes the best practices for redirecting users to trusted domains and how to 'code' that.
Please visit: http://mikeware.us/goodcode/?p=260

Cookie 'Secure' attribute-really secure?

2010-09-15T17:55:00.002+05:30

Today I just stumbled upon a discussion somewhere over net. I saw reply from Jeff (Chair, OWASP) to question about 'secure' attribute of cookie-how much secure it is? Well, it's a bit tricky, means when server is sending the secure attribute to the client (browser), the client must have initiated the SSL connection before it happens. Otherwise the server will send the set-cookie:secure flag on non-ssl channel itself. So you will need to ensure that the client has established a SSL connection to the server before the server sends a set cookie response.
In Jeff's words:

If what you expect is full SSL protection for your cookies, there are two problems with this. First, as you've noted, your cookie might get exposed in a "set-cookie" header that you inadvertently include in a non-SSL
response.

Second, and probably worse, the "secure" flag doesn't really mean use SSL all the time. If you do send the "set-cookie" header in a non-SSL response, the client has the option to remember that, and send the cookie back in
non-SSL requests -- even though the "secure" flag is set.

So, How will you work with a Proxy on NTLM...?

2010-09-04T11:53:00.015+05:30

Most SharePoint environments today are using NTLM (the default) as the authentication protocol. NTLM authentication is a challenge-response scheme, consisting of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication). For more information on NTLM go to http://en.wikipedia.org/wiki/NTLM as discussion over NTLM and its working in out of scope for this post.
The problem with setting up Web Proxies (Paros, Burp etc) is that they work fine with other types of authentication (Custom, Basic) but where there's NTLM is used the chain breaks between the proxy and the server resulting in non function of the application.
As soon as the proxy wants to connect to the server it gets the following '401:Unauthorized' response:
HTTP/1.1 401 Unauthorized Server: Microsoft-IIS/7.5 WWW-Authenticate: NTLM X-Powered-By: ASP.NET MicrosoftSharePointTeamServices: 14.0.0.4762 Date: Sat, 04 Sep 2010 06:38:22 GMT Content-Length: 0

You can't capture requests/responses through the proxies at all. I was also facing the same problem. Ronnie suggested me to use a tool which will sit between the proxy and application server. Which will handle all the NTLM communications between the proxy and the server...cool! The tool is called NTLMaps and can be downloaded here: http://ntlmaps.sourceforge.net/
'NTLM Authorization Proxy Server' (NTLMAPS) is a proxy software that allows you to authenticate via an MS Proxy Server using the proprietary NTLM protocol
Now the scenario was like this:

How to setup the chain:
1. Set the proxy server address in your browser to any port, lets say-localhost:8080

2. Set the Local proxy setting in the Web Proxy (Paros) as the same as you did for the browser so that the can communicate with each other on same port- localhost:8080
3. In Connection section of the Paros set the Outgoing proxy port no. as 5865. By default, the NTLMAPS tool runs on the same port. Now Paros will forward all requests obtained by browser to NTLMAPS at 5865.

4. Now start the NTLMAPS tool:

5. Now go to your browser and access the application. You will be able to capture request -response as usual as if you were working with custom authentications! The tool does the NTLM communications for you in the background without your knowing. You can see the communications also on the screen:

Happy Pentesting ! :)

Privilege Escalation with Like Query

2010-08-13T10:30:00.002+05:30

Continuing with my last post "DoS with Like Query", another impact of it I want to discuss here. As I had said that the % and _ qualifier is often overlooked by developers to filter as its not so devastating as other characters. They are used for matching zero or more characters and single character respectively. I got a taste of it again when I was assessing an application recently.

The application had several roles. Role A can't access data of Role B (that's obvious :) ). The Authorization checks were properly implemented-so no chance of Privilege Escalation.

When I was examining the application closely, it has various search modules based on several conditions. If you search for a record after filling up a long form with fields with name, location, unit, suggestion no., suggestion name..blah,blah,blah. The one thing I noticed that the application was using the 'Supplier Name' field to search the records and listing down only those records which has matching name of the 'Supplier Name'. One more thing, the application was free from 'standard' SQL Injection. From 'standard' I mean, the application was not vulnerable to single quotes, double quotes or any other SQL related queries. But again the same mistake- it was not filtering % in the fields.
The 'Supplier Name' was going like a hidden field. If nothing matches, the response page was throwing a message:
No suggestions found.
Supplier Name: % John D'souza%

Now it was more than enough to suggest that the application is running Like query for searching the records "WHERE supplier_name Like {hidden_supplier_name}%'".

Here the % does the trick. Replace the hidden_supplier_name with % and the application was displaying not only records (suggestion nos) of the respective logged in supplier, but also it liste down contents of whole database. Needless to say that it contained data of other supplier's also.
Moreover if the database has millions of records, it can create DoS also.

You can treat it as a form of SQL injection also as you are exploiting the LIKE query SQL statement. So beware of % also. ;)

Basic Reverse Engineering

2010-08-12T14:21:00.006+05:30

My article on basic introduction on Reverse Engineering of Flash and .Net files. The magazine Hakin9 in which the article published can be downloaded here.

The article is from Page#16 to Page#19.

Anti-CSRF measures and XSS

2010-07-06T10:33:00.003+05:30

During an assessment of an application, I and my colleague Ronnie were discussing about a scenario in the application. The application had login section behind which there were few pages that were vulnerable to Reflected XSS. Application was also vulnerable to CSRF.Needless to say that we suggested anti-CSRF measures for the application. Although we also suggested anti-XSS measures but the anti-CSRF measures were good enough to mitigate any attempt to exploit the reflected XSS flaws on the pages behind authentication. The application was rejecting any external request.

So any attempt to exploit the reflected XSS will bear no fruit in scenario like this.

Anyways we had recommended fixing both flaws independently but I wanted to have a discussion over the issue.

Lots of people responded to that. All were with the same suggestion- do fix both issues, don't take chance.

But what I found most convincing were these arguments from MustLive and Lava:

MustLive says:

Hello Nilesh!

My suggestion to you and all people in such cases - always fix all holes.

There were similar cases in my practice, mentioned by you, when developers

was trying to argument to not fix XSS due to CSRF protection. Like in 2006

when I found many holes in WordPress 2.0.3 and developers trying to tell me

regarding one XSS that they have anti-CSRF tokens at that page, so no need

to fix that hole, but I said them that all holes must be fixed, and they

fixed. So fixed hole it's fixed exactly this hole (not some other hole).

........

Nilesh, you must understand, that there are methods which allow to bypass

anti-csrf filters, so if XSS will be left unfixed, then sometime it can be

used for attack.

........

Best wishes & regards,

MustLive

Administrator of Websecurity web site

http://websecurity.com.ua

Lava says:

Nilesh,

ClickJacking can be used to bypass Anti-CSRF measures in many instances.

........

Tomorrow we might have a new technique to bypass CSRF countermeasures.

And everytime that happens the application would be open to two attacks CSRF as well as XSS.

Moreover, if the attacker can perform a Session fixation attack and use his session's Anti-CSRF tokens to perform XSS, the user would still be in trouble.

........

Cheers,

Lava

http://www.andlabs.org

True, I agree with both of them. If any new technique comes tommorow which can bypass anti-CSRF filters (even today Clickjacking is there); then XSS would get exploited.

We had also similar concerns so we recommended developers to deal with both issues separately. But we just wanted to make our arguments more strong and asked people to provide us their valuable comments.

Thanks to all!

My article in Hakin9

2010-07-01T10:47:00.003+05:30

I am very pleased to inform that my article "SSLStrip on Windows" got published in a prominent magazine-Hakin9. I am bit excited because it's my first ever publication.
I am encouraged to write more.

Click here to download the July issue of the magazine.

SSLStrip Video

2010-06-11T18:25:00.012+05:30

SSLStrip is still haunting me ;). In my organization I was told to make a video of it. I know its a very old concept now but I have to comply by the instructions. So I made it and thought to place on my blog. There won't be any audio with it. So if you are unaware of what the tool does or how it does please refer to my previous post.
Caution : The video may not be so professional and finishing touch. Inconvenience is regretted! :)

XSS and WAF

2010-06-03T10:34:00.002+05:30

Many people depend on Web Application Firewall to protect their applications without applying security on the application itself. They assume that it can make them secure automatically as it will thwart a lot of attacks. They also argue in favor of that. I don't say that WAFs are ineffective. I argue that your application should be secure itself in first place irrespective of WAF is deployed or not deployed. WAFs are also vulnerable and can be bypassed then its only your application security mechanism can thwart the attacks. Lots of time researchers have shown how to bypass WAFs.
But recently I came across a nice post by Sando Gauci of EnableSecurity in which he exploited the XSS in admin interface of a WAF and disabled the WAF completely. So the application behind can be reached without any restriction! I found it very useful to teach people and to stress on application security. Here is the attack in action.

Demo of a cross site scripting in dotDefender's admin interface from Sandro Gauci on Vimeo.

NULL Prefix attack against SSL certificates

2010-05-15T15:02:00.004+05:30

I was show casing the SSLStrip tool in my office. Everybody was asking how it works. Security Researcher Moxie had released two tools SSLSniff and SSLStrip during Black Hat 2009. These tools were capable of doing MITM on SSL connection. They exploited a weakness in signing the certificates. SSL heavily rely on X509 certificate structure to prove authenticity.
For the SSL it is the 'common name field' of the X509 certificate that is used to identify authentic servers. For example, Paypal will used 'www.paypal.com' in the common name field.
The signing process heavily relies on the above convention. The Certificate Authorities will sign 'www.paypal.com', they don't care whether you are requesting for 'anything.paypal.com' or 'anything1.anything.paypal.com'- as long as you prove that you are paypal.com.
The Trick:
X509 certificates are commonly formatted using ASN.1 notation. ASN.1 supports many string types but all of them are represented as some variations of PASCAL. In PASCAL character string the NULL characters are treated as normal characters. They don't have any special meaning.
So NULL characters can be included into the common name field of X509 certificates. So a signing request like www.paypal.com\0.fakeorganization.com will be treated valid. The Certificate Authority will ignore prefix and sign the root domain fakeorganization.com.
Now the the thing is most contemporary SSL/TLS implementation treat the field in X509 as C strings. And in C '\0' (NULL) means end of the string. So www.paypal.com\0.fakeorganization.com and www.paypal.com will be treated as identical.
So the owner of the certificate for www.paypal.com\0.fakeorganization.com can successfully present his certificate to the connections intended for original www.paypal.com.
Here MITM happens on SSL. SSLSniff tool works at this theory.
You can sign your own certificates using the valid certificate you got from Certificate Authority.
Actually there is field in X509 certificates which needs to be set FALSE in order to restrict domain owner to act as a Certificate Authority.
Most CA's didn't explicitly set basicConstraints:
CA=FALSE
A lot of web browsers and other SSL implementations didn't bother to check it, whether the field was there or not.
Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain.
The blueanarchy.org can create a valid certificate as paypal.com and use it.
Reference:http://www.thoughtcrime.org/about.html

Holistic Approach to Code Review

2010-05-15T14:06:00.002+05:30

These days I am doing code review. Good, I am learning one more new thing apart from Network scanning and Server security assessment. Code review is a very complex process. You have to be familiar with at least one language, rest of languages you will automatically learn as time passes.
Automated code review is a process where you run the scanning tools like Fortify on the code base followed by manual auditing of them. The scanner flags the whole code base with vulnerabilities based on its perception. Now its job of the auditor to differentiate between real issues and false positives. Here the real pain starts. You don't have command over each and very language. So taking help of the language specific resources is required. Now the situation is I have got familiar with almost all major language ( .NET, Java, PHP) specific vulnerabilities. Doing Black box assessment you never come to know , where the real problem lies. But Code review gives you the complete picture of the vulnerability and improves your security analysis ability. I am still a beginner in code review but I follow these processes to make it easier:

1. Always talk to developers first. The more you will involve developers in your code review process the more effective will be the analysis. You get confidence that whatever you are doing is based on right understanding of the code. On the other hand developers also get happy that you are taking him into confidence instead of declaring something vulnerable straightaway.

2. Have a note book and pen handy to understand the flow of the program. Understanding the source of the taint and where does it reflects in the code is necessary to catch the real vulnerabilities. Just seeing that the taint from user is entering the program and reflecting in some other part of the program doesn't always mean that it is vulnerable to Cross site scripting, for example. Again here, talking to developers benefit, as they might be implementing some centralized input filtering/validation mechanism. So don't just jump to any conclusion.

3. Use an advance text editor. The test editor should be capable of searching a term in the whole code base. One such text editor is Notepad++. It searches the term in whole code base and highlights them so that you can see where all places the particular term is being used. It helps you in joining the pieces and seeing the complete picture.

4. Have sufficient time to do code review as you need to apply your thoughts more than once to pick up real vulnerabilities. So always ask your customers for sufficient time.

5. Being connected to Internet always help at the time of code review. Certain terms, functions or methods always annoys you as you have may not have seen them before. Google helps a lot in understanding them.

6. Not only you should pick up real and applicable vulnerabilities in the context of the application- as it decreases the no. of issues- also you should propose the countermeasures in the report. That makes developers happy and confident.

7. Everybody loves his own program. Programs are like developers baby. Don't always pinpoint the weaknesses of the program, also appreciate them if you find any robust mechanism used in the program. That way you make them friendly and always they will come to use to get their code reviewed. So both happy.

8. The scanner may flag any issue as High, Medium or Low. It's your responsibility to give them appropriate ranking based on application's context.

9. Last but not least. Train developers about the vulnerabilities in real world. Give them training, involve them and encourage them to review their codes before production. Tell them how it saves efforts and money. If you have a scanning tool that supports plug ins for IDE, install at their machines so that they can do development and review hand by hand.

The above points are based on my little experience till date in doing code review. I have still a lot to learn and the points above may or may not hold true in every condition :)

DoS with LIKE query

2010-04-14T17:50:00.004+05:30

I was assessing an application. The application was properly sanitizing all the characters which have special meaning for SQL Injection attack. So SQL Injection was not possible in the application. But then again I came across few search modules in the application where it was taking input of part numbers to proceed.
I entered single quote(') and the application was perfectly filtering it returning "Parts can't be found". Then out of curiosity I entered '%' character and observed the response. Now the application stuck into the loop of the search continuously searching.The two things I deduced from it:
1. The application was using LIKE query to search matching terms.
2. This can be used to perform a DoS by overloading the database.

The % and _ qualifier is often overlooked by developers to filter as its not so devastating as other characters. They are used for matching 0 or more characters and single character respectively.

$searhterm = mysql_real_escape_string(“%anything”); // still %anything
mysql_query(“SELECT * FROM messages WHERE subject LIKE ‘{$searchterm}%’”);

The intention of the query above is to search the contents matching user specified $searchterm.
In normal conditions the query will execute fast. But when entered a term with a leading % quantifier the query takes too long to perform as it can't find the index. It progressively goes slower as amount of data in table grows.
Same is the case with _ (underscore).
Although these are valid inputs, we need to filter them out. in PHP there is a function which actually excludes the terms specified.
Use addcslashes() for escaping the above characters:

$searchterm = addcslashes(mysql_real_escape_string(“%anything_”), “%_”); // $searchtearm == \%something\_
mysql_query(“SELECT * FROM messages WHERE subject LIKE ‘{$sub}%’”);

Here, the input is processed by the database’s prescribed escape function and is then filtered
through addcslashes() to escape all occurrences of % and _.

In case of my application it can be determined by the fact that entering % one or more times was causing the whole application to be non responsive for a longer time

Reference: http://dev.mysql.com/

Secure Network Architecture Desing

2010-04-10T13:56:00.003+05:30

Few days back I was going through an article on "Managing Network Security". Although it was a bit technical, it presented some fundamental idea about designing secure network architecture of an organization. I just picked up few points from the article easy-to-grasp, left the detailed and technical ones.
Design a secure network architecture:

1. Make sure hosts are not permitted to access the Internet directly. They should access
it through content filtering proxies capable of scanning the packets for malicious code. If
they need to be connected by a NAT rule on the firewall, ensure that the necessary network
and security controls (such as desktop firewall, antivirus and antispyware tools) are
present on the host.

2. All emails should pass through a secure mail gateway that is capable of filtering email threats.

3. Implement strong authentication for accessing networked resources.

4. Host hardening lowers the chances of system compromise or exploitation. Stick to best
practices of system installation, followed by hardening and conducting of regular vulnerability
scans. Hardening hosts and network devices directly after installation considerably reduces the attack surface.

5. If your organization uses wireless as a network connectivity option, ensure that proper
security controls are placed to safeguard the flowing of data through a wireless network.
Some of the security measures to be taken are:
a) Secure the wireless access via VPN tunnels or strong encryptions like WPA2.
b) Wireless access points should be hardened and endpoint security measures should be taken.
c) Implement wireless IPS and rogue device detection techniques.

6. Implement a strong password policy in your organization to safeguard online accounts
against password attacks such as brute force, dictionary or hybrid password attacks.

7. Use automated tools to gather network information on a regular basis and analyze them. Create the latest network map based on the information and a list of assets belonging
to your organization. This assists in the detection of rogue devices on wired or wireless
networks. Maintain and update the switch port, router port configuration document. Keep
unused ports disabled on all network points.

8. Use a Security Information and Event Management tool to obtain meaningful security
logs and events correlations. SIEM/SIM tools assist in infrastructure security by providing
important logs to centralized security server and correlate them at that point. It helps IT
security operations personnel be more effective in responding to external and internal
threats.

These points figure out an ideal architecture of an oragnization or how it should be.

Unknown Root Certifiacte Authority in Firefox-Miscommunication Drama

2010-04-07T11:36:00.003+05:30

Mozilla has detected that an unknown certificate named as "RSA Security 1024 V3" is installed in the Firefox browser whose owners are unknown. Even RSA has denied that it is holding anything like current certificate. As per Kathleen Wilson these are the details of the certificate and he has recommended to remove it from NSS where all trusted certificates are maintained:
OU = RSA Security 1024 V3
O = RSA Security Inc
Valid From: 2/22/01
Valid To: 2/22/26
SHA1 Fingerprint:
3C:BB:5D:E0:FC:D6:39:7C:05:88:E5:66:97:BD:46:2A:BD:F9:5C:76

In the first communication the RSA says that it doesn't own this root. As per Kathleen:

“…I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root.

Therefore, to my knowledge this root has no current owner and no current audit, and should be removed from NSS."

Mozilla now says it has received official word from RSA that they do in fact own the root CA.

Katleen says:

An official representative of RSA has sent me email to confirm that RSA
is still in possession of the private key for the "RSA Security 1024 V3"
root certificate.

RSA has also agreed that the "RSA Security 1024 V3" root certificate
should be removed from NSS.

This is a bit funny!

More Read: http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc#26fca75f9aeff1dc

COM Parsing

2010-04-01T13:32:00.001+05:30

I came across a very good post about a tool for COM parsing.This tool parses the Type lib info of the activex file and gets all the interfaces and members with in the interface and their addresses in the dll file.

More information: http://ronniereverseengineering.blogspot.com/2010/03/com-vftable-parser.html

Official Gmail Blog: Detecting suspicious account activity

2010-03-30T10:51:00.000+05:30

I had written long time back about this:
Official Gmail Blog: Detecting suspicious account activity

http://nileshkumar83.blogspot.com/2009/03/gmail-provides-hijack-detection-tool.html

Weak Password recovery mechanism

2010-03-12T15:40:00.004+05:30

Sarah Palin's Yahoo mail account was hacked during 2008 presidential election, reason? Phishing,MITM, XSS or Virus/Trojan? No, the correct answer is: using her publicly available information,somebody was able retrieve her password determining the answers for Password reset mechanism.
These things are very abundant in today's websites. Some websites use damn weak password recovery mechanism. Even Password reset question is dead easy to guess like: the city where you born into,what is your pet's name, what's your father's middle name or which is your favorite film.
The last one is damn easy to guess,reason being, you often chat to your friends about your favorite film or list favorite films.
I was surprised to see that Indiatimes web mail is very lenient in employing mechanisms for recovering the forgot password. I am valid user of Indiatimes web mail. After a very long time I unsuccessfully tried to login into my account. Because I had forgot my password, I tried to recover my password after clicking on the "Forgot Password?" link.
The first step was to ask my indiatimes user id. Providing that in the second step will be at "Security Question and Answer" page. I had set my security question as " My favorite film" and answer was quite obvious. Everybody a bit close to me can simply guess that in 1-2 attempts.
I admit that I am responsible for setting such a lenient security question.
But next thing was shocking. When I provided my favorite film's name it straightaway showed my password 'in front of me'. I was shocked to see this. Very generous!
Had anybody before me tried this thing he would have simply got my password!
Even I had already provided my alternate e-mail address but instead of sending the password it showed upfront.
Simply I gain access to somebody's weak security question's answer and that too in just one step!

SSLStrip on Windows whitepaper

2010-03-01T15:54:00.008+05:30

I was today just googling my white paper on 'SSLStrip on Windows'. I was surprised that Google was now suggesting 'SSLStrip Windows' as you start typing 'SSLStrip...' It indicates that lot of people are searching for the term. The Google search listed me some results among which few were linking to sites where I had uploaded the document e.g. my blog and scribd.com.
Another result which came up was was linking to www.rmccurdy.com/scriptssslstrip%20in%20windows.pdf which took me by surprise and I was full of mixed feelings. I was happy that somebody has found it useful but at the other hand I was bit sad that he is not mentioning my name anywhere as a reference on his site. I stressed on my memory and recalled that the guy's full name is 'Robert McCurdy'. Actually we have had a lot of communications regarding his doubts over running SSLStrip on windows.

Well Robert, thanks for uploading it to your site.
Now one more location to download the paper :)
www.rmccurdy.com/scriptssslstrip%20in%20windows.pdf
apart from:
http://www.scribd.com/doc/17219610/SSLStrip-on-WindowsWhite-Paper

Using an AirPcap device in Windows with Wireshark

2010-03-01T13:29:00.007+05:30

Capturing wireless traffic in a Windows environment is unfortunately not as easy as a setting
change. As with most Windows-based software, drivers in Windows are often not open source and do not allow for configuration change into monitor mode. With this in mind, we must use a specialized piece of hardware known as an AirPcap device.

Once you have obtained an AirPcap device you will be required to install the software on the accompanying CD to your analysis computer.

The configurable options include:
• Interface - Select the device you are using for your capture here. Some advanced analysis scenarios may require you to use more than one AirPcap device to sniff simultaneously on multiple channels.

• Blink LED - Clicking this button will make the LED lights on the AirPcap device blink.
This is primarily used to identify the specific adapter you are using if you are using multiple
AirPcap devices.

• Channel - In this field, you select the channel you want AirPcap to listen on.

Extension Channel - This option is only available on 802.11n capable AirPcap devices (AirPcap nX) and allows you to select an extension channel.
• Capture Type - The options are 802.11 Only, 802.11+Radio, and 802.11+PPI. The 802.11 Only option includes the standard

Include 802.11 FCS in Frames - By default, systems strip the last four checksum
bits from wireless packets.

• FCS Filter - This option will allow you to filter out packets based upon whether they have a
valid or invalid FCS.

AirPcap supports decryption of wireless traffic in two modes. Driver mode, configurable from
the AirPcap Control Panel, only supports WEP.
It is recommend that decryption keys be configured using Wireshark mode, which supports WEP, WPA, and WPA2, and is managed from the wireless toolbar inside of Wireshark.
You can enable this toolbar when you have an AirPcap adapter plugged into your analysis computer by opening Wireshark, going to the View dropdown menu, and placing a checkmark next to the Wireless Toolbar option.

You will need to set the Decryption Mode drop-down box to Wireshark, and add your appropriate encryption key by clicking the Decryption Keys button, clicking New, selecting the key type, and entering the key itself.

Analyzing Wireshark dissection of the 802.11 header:

We can immediately determine this by looking at the Type listing under the Frame Control section of the packet.

XML Injection

2010-02-20T12:31:00.015+05:30

Description:

XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intend logic of the application. Further, XML injection can cause the insertion of malicious content into the resulting message/document.

How to Exploit:

Inserting hacker@evil.com</Email><UniqueID>0</UniqueID><Email>hacker@evil.com in Email field will yield the following result:

<UserRecord>
<UniqueID>123</UniqueID>
<Name>Henry Ackerman</Name><Email>hacker@evil.com</Email><UniqueID>0</UniqueID><Email>hacker@evil.com</Email>
<Address>123 Disk Drive</Address>
<ZipCode>98103</ZipCode>
<PhoneNumber>206-123-4567</PhoneNumber>
</UserRecord>

This will add more one record in XML database with UniqueID=0.

One Live Example:

In order of doing a Web Application Server Assessment we came across something which was vulnerable to XML Injection. We found that the input field was not properly validating the input given by the user. That means there was no XML validation on part of contents and length of the input supplied by the user. The application didn’t have XML Schema (xsd file) against which the XML was being validated.

The application had one admin module where User management function was implemented. The admin can add user, delete user, manage its profile and assign roles and privileges to them.

We entered valid user information in all the respective filed in order to add a user:

We captured the request in proxy. All the data in respective fields were going into XML format as you can see in the here:

We inserted a valid XML payload confirming to the all the required fields required to add a valid user and that adheres to the valid XML structure. You can see the highlighted payload which is being inserted into ‘CustomerView’ filed of the XML:

Upon forwarding the result the application successfully accepts the request and instead of creating a user in the name of ‘validuser’ the application creates another user in the name of ‘hackman’:

Thus an attacker acting as Man in the Middle attack will successfully create a user of his choice and login into the application in unauthorized way.

Countermeasures:

• Do not trust client input.

• Validate input: length, range, format, and type.

• Validate XML streams.

• Constrain, reject, and sanitize input.

• Encode output.

• Restrict the size, length, and depth of parsed XML messages.

Reflected XSS on SearchSecurity.com

2010-02-06T12:11:00.006+05:30

SearchSecurity.com- A prominent online Information Security website which is resource for IT Security professionals for latest security news,attacks,security topics,whitepapers etc is itself vulnerable to reflected XSS.
The XSS is possible in response page which gives error message if the login fails.

An error page, which is handling requests for a non existing pages, a classic 404 error page.

If we request some non-existent the application returns following response:

Requesting http://example.com/non-existent_page.htm will return

Sorry non_existent_page not available

Here the application is embedding the requested page's name in the response.So if a user requests http://example.com/<script>alert("XSS in reponse page");</script> the application will execute the script when returning a response to the user.

Similarly the Login page of the SearchSecurity.com returns error message in response page.

....html?Error=Password+provided+is+incorrect.

So replacing it with

....html?Error=<script>alert("XSS");</script> will execute in the browser.

Also the application provides login-specific errors.
If username doesn't match :Email provided does not exist
If Password doesn't match :Password provided is incorrect

So Guessing usernames and passwords should not be very difficult for a determined attacker.

Preventing Banner Grabbing in Web Servers

2010-01-27T18:07:00.002+05:30

After a lot of googling I found nothing significant...then a friend of mine Vaibhav actually helped me with his precious knowledge.
This is a quick reference for preventing Banner Grabbing:

For Apache Server:

Edit your httpd.conf file and make sure the following directives are present:

ServerSignature Off

ServerTokens Prod

Disabling the ServerSignature token instructs Apache to not print version information when an error page such as a “404-Not Found” is displayed. The ServerTokens directive, when set to Prod, instructs Apache to only display “Server: Apache” in the banner. If you do not want to display “Apache” in the Server tag but want to display fake in-formation such as “Server: Not-allowed,” you will need to

1. Download the Apache source code.

2. Edit the file httpd.h and change the value of the string “Apache” in the line

#define SERVER_BASEPRODUCT "Apache"

to something else:

#define SERVER_BASEPRODUCT "Not-allowed"

3. Recompile, reinstall, and restart Apache.

***************

A different approach for changing the name in a source file is to replace the ap_set_version( ) function, which is responsible for construction of the server name in the first place. For Apache 1, replace the existing function (in http_main.c) with one like the following, specifying whatever server name you wish:

Static void ap_set_version(void)

{

/* set the server name /

Ap_add_version_component(“Microsoft-IIS/6.0”);

/ do not allow other modules to add to it */

Version_locked++;

}

For Apache 2, replace the function ( defined in core.c):

Static void ap_set_version(apr_pool_t pconf)

{

/ set the server name /

ap_add_version_component (pconf, “Microsoft-IIS/6.0”);

/ do not allow other modules to add to it */

Version_locked++;

}

****************

Using third party module: mod_security

A different approach to changing the name of the serve is to use a thirde-party module, mod_security. For this approach to work, you must allow Apache to reveal its full identity, and then instruct mod_security to change the identity to something else. The following directives can be added to Apache configuration:

# Reveal full identity (standard Apache directive)

ServerTokens Full

# Replace the server name (mod_security directive)

SecServerSignature “Microsoft-IIS/6.0”

Apache modules are not allowed to change the name of the server completely, but mod_security works by finding where the name is kept in memory and overwriting the text directly. The ServerTokens directive must be set to Full to ensure the web server allocates a large enough space for the name, giving mod_security enough space to make its changes later.

Microsoft IIS4 and IIS5:

1. Stop the World Wide Web Publishing service, and then edit

%systemroot%/system32/inetstrv/w3svc.dll

2. You can use notepad to edit it, or get a free hex editor.

3. Change both instances of 'Microsoft IIS/4.0' or 'Microsoft IIS/5.0'

inside the file. Both instances are located almost next to each other.

4. Restart the World Wide Web Publishing service.

Here is the output to a GET / HTTP/1.0:

GET / HTTP/1.0

HTTP/1.1 200 OK

Server: web server>

Date: Sat, 07 Apr 2001 02:13:48 GMT

Connection: Keep-Alive

Content-Length: 1270

Content-Type: text/html

Set-Cookie: ASPSESSIONIDQQQQGVFK=MJMLILDDLINNBHMPJIBEJCGL; path=/

Cache-control: private