PLANET WEBSECURITY
http://planet-websecurity.org/
Good news brought together (en)
Christian Matthies, 17.05.2008

Don't read this unless you want to laugh for an hour
ZDNet blog. It is hilarious, you should have a look, and hey, if you want to certify, let me know.

Video linked here for added laughs.

-Nate

BTW, my site is:

IS YOURS? [...]
http://planet-websecurity.org/Don%27t+read+this+unless+you+want+to+laugh+for+an+hour/ Nate McFeters

Botnets with SQL Injection tools
The Register has a gem of a story about the life of a teenage botmaster and how he got busted by the feds. While this smells of a low-hanging-fruit conviction, it provides compelling insight into just how little skill a person needs to illegally turn a tidy profit by compromising users' machines and committing fraudulent acts. It also begs the question of how much the people with some decent skills are making who also TRY NOT to get caught.

Who knows some of them could be the same people clever enough to install SQL injection tools on bots as a c [...]
http://planet-websecurity.org/Botnets+with+SQL+Injection+tools/ Jeremiah Grossman

Ghost Busters
A special guest blogger for this month is Eduardo Vela, also known as sirdarckcat, a security researcher from Mexico. Eduardo has been in the field for a couple of years, mainly focusing on web-app based vulnerabilities, privilege escalation, and IDS/filter evasion. Today, he is a student of computer sciences, does some research in his free time, and works for an important website as a security engineer. These are his words:

There are a few conferences that are privately held (invite-only) and their level is commonly very high. One of them is Microsoft’s BlueHat conference. BlueHat is an internal Microsoft event, but they invite a lot of security researchers from around the world. A couple of friends presented there, and well, [...]
http://planet-websecurity.org/Ghost+Busters/ GNUCITIZEN

Microsoft BlueHat + Seattle
Microsoft Blue Hat 2008 conference. It was a great opportunity to get to know the Microsoft security and product teams. I'd like to thank Billy Rios, Andrew Cushman, Katie Moussouris, Sarah Blankinship, Celene Temkin, and the rest of the Blue Hat team for inviting me.

Speaking of Microsoft, I'm moving to Seattle tomorrow. I'm looking forward to getting in touch with a lot of old friends there so that should be good. If you are in the area, just let me know - it will be good to catch up. [...]
http://planet-websecurity.org/Microsoft+BlueHat+%2B+Seattle/ Nitesh Dhanjani

Phishing Site in Email
I was looking at a phishing email last night for OANDA FXTrade. At first glance I could see something a little different about it. Instead of linking directly to the phishing site in the email, it contained an attachment (an html file) that you are supposed to double click on. The page is a flat HTML page, with nothing of substance on it, other than a form that tries to get you to submit your data to http://0x47f865c1/webview/images/fxtrade.php (which automatically redirects you to the correct website, if you go there directly).

That’s a fairly clever implementation of a phishing email, because the phishing page is actually on your local computer, not on the web. So it’s harder for anti-phishing researchers to find anything of [...]
http://planet-websecurity.org/Phishing+Site+in+Email/ Robert Hansen

Safari Carpet Bomb
Apple let me know that they will fix 1 of the issues I reported. I will not discuss the vulnerability Apple has promised to fix until they release the fix because it is a high risk issue affecting Safari on OSX and Windows.

I let Apple know that I'd like to discuss the 2 issues they won't be fixing with the security community and they let me know they are fine with it. A quote from my last email to Apple:

...since you do not consider issue 1 and 2 to be security related, I will feel free to discuss my thoughts within the information security community. Just let me know if you would like me to wait for some amount of time before I do this.

Response from App [...]
http://planet-websecurity.org/Safari+Carpet+Bomb/ Nitesh Dhanjani

Does secure software really matter?
As an information security professional my responsibility is assisting organizations in mitigating the risk of their website being compromised. If the process requires rewriting some insecure code, great, let’s do it. T [...]
http://planet-websecurity.org/Does+secure+software+really+matter%3F/ Jeremiah Grossman

Crossdomain.xml Invites Cross-site Mayhem
renewed interest in crossdomain.xml. For those unfamiliar this is Flash’s opt-in policy file that extends the same-origin policy to include more sites in the circle of trust. Normally client-side code (JavaScript, Flash, Java, etc.) is limited to reading data only from the website (hostname) in which it was loaded. Attempting to read data from other domains is met with security exceptions.

With crossdomain.xml a site owner may configure a policy stating which off-domain sites are allowed to read its data (or parts thereof) and the client, Flash in this case, is responsible fo [...]
http://planet-websecurity.org/Crossdomain.xml+Invites+Cross-site+Mayhem/ Jeremiah Grossman

Somebody Changed My Password!
On a very popular website the other day, I went to change my password. It had two of the three really common boxes required for changing a password: New Password, and Repeat New Password. Yes, they fail to prompt the user for their current password.

And this is on a site that not only allows, but encourages users to stay logged in. Their documentation is pretty sparse as it is, but I've not found anything on the site explaining to the ordinary user that they shouldn't stay logged in from a shared computer (where it's even more likely that just anybody could change my password).

So I sent in a support request. I understand there was a lot of talk in my support request about passwords and stuff, so any automated tool would [...]
http://planet-websecurity.org/Somebody+Changed+My+Password%21/ Sylvan von Stuppe

[WebAppSec] Automatic security and HackerSafe
Several people asked me about automatic assessment tools to check the security of an application stack. My opinion is that they may be a great support, but they cannot replace some manual work (oh, well, maybe). Rails tests are a great way to make sure your application is safe, but you have to write them on your own. Security is not a plug-n-play product, but rather a process.


Automatic security
One automatic security scan is provided by McAfee. The HackerSafe certification is a service that detects vulnerabilities on web sites using automatic tools. If all tests pass, the site owner gets a HackerSafe logo, that he can put on his site. Over 80,000 sites, a [...]
http://planet-websecurity.org/%5BWebAppSec%5D+Automatic+security+and+HackerSafe/ Heiko Webers

NetBeans Groks JavaScript
Even if I’m the NoScript guy, I write a lot of JavaScript all day. As you probably know, even the JavaScript Annihilator is mostly written in JavaScript. Like Crock, I love the language, despite its current browser-bound shortcomings.

So far, my favourite editor for JS coding has been JEdit with its JavaScript plugin, providing syntax highlighting (of course!), on the fly syntax checking via Rhino and optional code complet [...]
http://planet-websecurity.org/NetBeans+Groks+JavaScript/ Giorgio Maone

Trifecta of WebAppSec Posts
1) Dancho Danchev is masterful at noticing and analyzing what nefarious bad guys are up to, especially in the web security environment. In his most recent post, Stealing Sensitive Databases Online - the SQL Style, he talks about economies of scale in the recent massive SQL injection hacks. Essentially he asks rather openly if these massive attacks are attempts to pull smaller dat [...]
http://planet-websecurity.org/Trifecta+of+WebAppSec+Posts/ Jeremiah Grossman

Who You Gonna Call?
After hearing me crying for help, my friend Sirdarckcat went hunting and entrapped a poltergeist which haunts IE only.


Is this the one Manuel Caballero was talking about?

Or was that a different cross-browser evilness?


However, I ain’t afraid of no ghosts :)

[...]
http://planet-websecurity.org/Who+You+Gonna+Call%3F/ Giorgio Maone

Agile Hacking: a homegrown telnet-based portscanner
So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint.

In my case, the reason why I had to come up with a solution to this problem is because I had to simulate an attack in which the attacker had gained access to an Internet-visible web server. In this case, I needed to perform a portscan of the backend database server and make sure that only required ports are visible (a customized mssql port in this case). For reasons that are irrelevant to this post, the custo [...]
http://planet-websecurity.org/Agile+Hacking%3A+a+homegrown+telnet-based+portscanner/ GNUCITIZEN

Double encoding javascript
I found a nice variation which allows multiple types of encoding without performing eval twice on the string. The code works using the Script function and because of this the code is rewritten by the javascript engine and converts the unicode into standard text.

First a base of unicode is used, “\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029”, then each section of the is encoded with hex or octal. The final result can be viewed below:-

alert(Script('\x5c\x7500\66\61\134\165\6006c\x5c\x75\x30\x30\x36\x35\134\165\60\60\67\62\x5c\x75\x30\x30\x37\x34\x5c\x75\x30\x30\x32\x38\x5c\x75\x30\x30\x33\x31\x5c\x75\x30\x30\x32\x39'))


The code can be executed like this:-


[...]
http://planet-websecurity.org/Double+encoding+javascript/ Gareth Heyes