
Posts

HSBC's user friendly security measures :)

Here I came across a very funny article regarding the security implementation of the HSBC Canada bank website... very funny indeed! Not only are they using easy-to-guess Personal Identification Questions, but they also impose a very restrictive password-selection policy that makes passwords easy to brute force. Moreover, they may be storing user credentials in encrypted (reversible) rather than hashed form: "Since the bank is performing character matches on the password entered, there is no way that they are using a one-way hash algorithm to store the password. If they were, they would be able to match the whole thing or nothing at all. Instead, they have chosen to be able to retrieve the password and play with it. I can only hope that it isn't stored in clear text." More here: http://eternallyoptimistic.com/2009/08/24/so-funny-i-forgot-to-laugh/ Enjoy!

Web Services Security Model

With the evolution of Web 2.0, web services have become an integral part of business, so the security of Web Services (WS) has become more critical. Although no single set of WS security standards has been agreed on, the industry is continually developing and evaluating specifications. The W3C working group is currently working on three basic specifications for Web Services: XML Signature, for verifying the integrity of data sent via web services and validating the sender; XML Encryption, for encrypting the XML message; and XKMS, for using PKI in web services. In 2002 Microsoft, IBM and VeriSign announced the Web Services Security Specification (WSS), proposed to address security in web services. The Organization for the Advancement of Structured Information Standards (OASIS) came up with the following: SOAP Message Security 1.0, the Web Services Security Token Profile 1.0, and the Web Services Security X.509 Certificate Token Profile 1.0. The OASIS WSS message-security model has three main components: security t...

Open Redirection Vulnerability

An open redirect is a vulnerability that exists when a script allows redirection to an external site by directly calling a URL supplied to it in an unfiltered, unmanaged fashion, which can be used to redirect victims to unintended, malicious web sites. An open redirect is a very simple vulnerability to exploit. Consider the following example: http://www.trustedbank.com/page.redir?target=http://www.anygovtsite.gov/ This is a well-intended URL that takes users to another trusted site. But it can be abused in one of the following ways. The URL can be used for a phishing attack: http://www.trustedbank.com/page.redir?target=http://www.duplicatesite.com/ A user visiting the trusted bank website gets redirected to the phishing or malware site. This can hurt the reputation of the organization and cause business loss. It can be escalated further by malforming the link; something like the following can be used to cause a Denial of Service attack: http://www.trustedbank.com/page.redir?...

OWASP AppSec Asia Conference 2009, New Delhi

2009 - OWASP India is back with more interesting and exciting stuff from the AppSec world. Following the successful launch of the OWASP India Conference in August 2008, organized in New Delhi with participation from 350+ attendees from 80+ companies and the government sector, OWASP India now proudly announces the biggest information security conference in India, in association with the Canada-based information security conference Securitybyte (www.securitybyte.org). The Securitybyte and OWASP AppSec Asia Conference 2009 is planned for 17th - 20th November 2009 in New Delhi. The event will cover end-to-end information security tracks, including Application Security, Network / Infrastructure Security, Cyber Terrorism, Cloud Security, SOA Security, Cyber Forensics, Wi-Fi Security, Risk Management & Compliance, etc. Brief list of speakers at the conference: Howard A. Schmidt, Advisor, NIST & PSG - ENISA; John Bumgarner, SSCP, Research Director for Security Technology, U.S. Cyber Consequences Unit; Sh...

An Introduction to PDF XSS

Here I am going to give a brief write-up about PDF XSS. Amit Klein introduced a third kind of XSS attack, DOM-based XSS, which exploits client-side vulnerabilities rather than server-side flaws. He also observed how the # character can be used to, very conveniently, avoid sending the attack payload to the server (the fragment is never sent in the HTTP request). DOM-based XSS typically uses JavaScript. Example (taken from Amit's paper): <HTML><TITLE>Welcome!</TITLE>Hi <SCRIPT>var pos = document.URL.indexOf("name=") + 5; document.write(document.URL.substring(pos, document.URL.length));</SCRIPT></HTML> Exploiting PDF: using the same technique with JavaScript, the PDF viewer executes it when a link in the following format is encountered: http://www.example.com/file.pdf#a=javascript:alert() Threats: after a successful attack the code is executed in the context of the site that hosts the PDF file. The attacker is in full control of the victim's browser (think session hijacking, request forgery, etc....

Automated CSRF attack tool MonkeyFist

A pair of researchers here yesterday unleashed a tool that automatically executes dangerous cross-site request forgery (CSRF) attacks. Shawn Moyer and Nathan Hamiel demonstrated how their tool, MonkeyFist, performs what they call "dynamic" CSRF attacks, or attacks on websites that have put up preventative measures such as tokenization and session IDs. CSRF is when an attacker makes a web request within the context of the victim's web session. The researchers say the emergence of integrated and aggregated content, such as buttons for Twitter or "Digg This," has opened up even more possibilities for these attacks, which take advantage of a pervasive but difficult-to-detect vulnerability in many websites. This "session-riding" attack basically lets the bad guy silently ride atop the victim's web session. "You're [the attacker] already authenticated into a site, and the user's session, header, and cookie is already there," says Moy...

Now Hijacking EV-SSL

Close on the heels of the SSL hijacking presented by Moxie at BlackHat last year, here is yet another attack on SSL, this time on EV-SSL (Extended Validation SSL). Mike Zusman and Alex Sotirov are releasing a Python-based tool to hijack EV-SSL. The tool can launch an attack even with the secure green badge displayed on the screen. All it takes is an attacker holding a non-EV SSL certificate for a website, and he or she can hijack any SSL session that connects to it. That's because the web browser treats the EV SSL certificate with the same level of trust as an SSL domain-level certificate. EV SSL sites display a green address bar when used with the newest versions of major web browsers, and the bar bears the name of the organization that owns the certificate, as well as the authority that issued it. The certificate shows the site is legitimate, and that the session is encrypted and secured. Calls for EV SSL adoption have intensified of late amid conce...