

Showing posts from 2013

Reversing Firmware

The article will explore various strategies for reversing firmware, with some examples. Finally, some best practices are mentioned. LINK here: 

Salted hash implementation in Login, in nutshell

Hashing passwords is a better approach than encrypting them, because encryption brings the problem of key management. Benefits of storing passwords as salted hashes:
· Real passwords are never stored, displayed or logged in the system
· Salts make dictionary attacks very impractical, as it is very difficult to generate a pre-computed hash table when salts are random
· It is easier to implement, as no key management is needed
A general approach would be like this (when storing):
· Generate a long random salt using cryptographically strong functions such as SecureRandom in Java, when the user registers for the first time
· Hash the user's chosen password together with the above salt using a standard, strong hashing algorithm such as SHA-256
· Now store the username, the salted hash and the respective salt in the DB
When retrieving (authenticating the user):
· When the user submits his username-passw

ZigBee Security Assessment

ZigBee (802.15.4) is a relatively new protocol compared to Wi-Fi (802.11), but with its low power consumption and long battery life it is ideal for home network systems such as thermostats. ZigBee devices consume little power because they work at a very low frequency and have fewer commands to send compared to Wi-Fi. Since it is a relatively new protocol and not very popular, there are fewer tools and frameworks to test it. However, some good software and hardware are available; they can be purchased or downloaded from the respective sites:
· Atmel RZ Raven USB Stick (hardware)
· Atmel JTAGICE mkII On-Chip Programmer (hardware)
· Atmel 100-mm to 50-mm JTAG standoff adapter (hardware)
· 50-mm male-to-male header (hardware)
· AVR Studio for Windows (software, free)
· KillerBee firmware for the RZUSBSTICK (software, free)
· A Windows host for programming the RZ Raven USB Stick (one-time operation)
Issues to be looked into in ZigBee: similar to 802.11, ZigBee may also suffer from the same

Capturing localhost traffic in IE with Burp

Though it was easy to capture the traffic of a web service running on the local PC in Firefox, it was a little tricky in the case of IE. I have heard that .NET and IE don't send traffic to localhost through a proxy, so proxies such as Burp and Paros fail here. So the only way is to use Firefox or other browsers which support it, or, in the case of IE, this workaround: go to Windows-> System32-> Drivers-> Hosts and make the following entry: Now access the site as Now Burp/ Paros would be able to capture the traffic!

Flawed CSRF token implementation

The sole purpose of the (secret) CSRF token is to help the application distinguish authenticated from unauthenticated requests. Any request that doesn't contain the CSRF token is treated as unauthenticated and thus rejected by the application, as CSRF tokens are only available to authenticated users. But contrary to that, in one application the CSRF tokens were generated before login and, worse, not regenerated after successful authentication of the user. This defeats the purpose of the anti-CSRF approach. Anti-CSRF best practices:
· Don't issue CSRF tokens before authentication
· Always regenerate the tokens after successful authentication, if issued before authentication
· Use POST methods for critical transactions embedding CSRF tokens
· Don't send CSRF tokens in GET requests, as they may be revealed in browser logs etc.
In a few Ruby based apps, the token was being generated before authentication and the same token was being used afterwards. Mitigation: (taken from 'Symbolic Security Analy

Before you move to the cloud

The term is new, but the concept is not. Throughout the history of computing, IT organizations have been using their own infrastructure to host applications, data, servers etc. Now most of them are renting the infrastructure, with remote servers hosting their applications or data. Organizations called service providers exist specifically to provide, manage and maintain the infrastructure on which their client organizations' applications or data are hosted. The client organization gets access controls to manage its applications and data hosted on the remote server. This is the main idea behind cloud computing. More here ....

Proxy Chaining

The issue: during one assessment we faced an issue with our ZAP proxy throwing a '401 Unauthorized' response while we were trying to fuzz an application. The application was using NTLM authentication, where the client needs to send the domain name, username and a hash of the user's password to the server in order for it to entertain the requests. NTLM is the Windows challenge/response authentication protocol. For more info on how NTLM works: . So we were not able to fuzz the parameters as it kept sending back the '401 Unauthorized' response, for reasons unknown, despite us providing the Windows credentials to ZAP [Fig-1].
Fig-1
So we had no other option except trying other similar web proxies. We tried WebScarab and provided Windows authentication by going to Tools-> Credentials [Fig-2]

XSS Challenge

XSS in Ajax

The following functions and properties need to be inspected, as they might be possible pointers to XSS:
· eval()
· document.write()
· innerHTML
· write()
Safe alternative: instead of innerHTML, one should use innerText, which does not parse the assigned string as markup (note that both are properties of the element, assigned to rather than called).
XSS payload in JSON and its effects, a nice example from iSec Partners:

    var inboundJSON = {"people": [ {"name": "Joel", "address": "<script>badStuff();</script>", "phone": "911"} ] };
    someObject.innerHTML = inboundJSON.people[0].address;   // Vulnerable
    document.write(inboundJSON.people[0].address);          // Vulnerable
    someObject.innerText = inboundJSON.people[0].address;   // Not Vulnerable

Android Application Assessment

A nice article on a detailed assessment strategy for Android applications, well explained and comprehensively written. The article describes the different stages in Android assessment, tools, methodologies and native tools, with screenshots. You can find the article here: Android Application Assessment. Also have a look at the Web Application Security course offered by InfosecInstitute.

Arbitrary File Download

I just stumbled upon a great article about what arbitrary file download is and how dangerous it would be if exploited. Later, the difference between arbitrary file download and LFI/RFI is discussed, which is an often confused topic. What is Arbitrary File Download? As the name suggests, if the web application doesn't check the file name requested by the user, a malicious user can exploit this vulnerability to download sensitive files from the server. What is LFI/RFI? Often confused, LFI/RFI is different from the arbitrary file download vulnerability. However, both are used in combination if directory traversal is enabled on the server. LFI and RFI stand for Local File Inclusion and Remote File Inclusion vulnerability. Both are of a similar nature, except for the mode of exploitation. Both take advantage of unfiltered file parameters used by web applications, predominantly in PHP. LFI, when exploited, uses any local file which is

Anti CSRF header

Recently I came across an application which was preventing CSRF attacks using a unique, non-traditional approach. In the traditional approach, CSRF is thwarted by embedding a unique random token, called a nonce, in each sensitive page. But this application, which was making Ajax calls and used jQuery, was creating a header to identify valid and invalid requests altogether. The idea is to send a custom header, x-session-token in this case, with every request which is considered sensitive and includes any sort of transaction. For example:
    xhr.setRequestHeader('x-session-token', csrf_token)
At the server level, the server checks for this header; if found, the request is fulfilled, otherwise it is rejected. We need to use XHR calls to make use of this technique; it is not useful for regular POST and GET requests. I was not aware of this kind of countermeasure, probably since most of the applications I tested were using standard requests. So, I searched a bit and found even Go