Tool Release: tmin: Fuzzing test case optimizer
Posted 5/6/08 by Robert from the 'throw your fuzzer in the aiiirrrr like you's a true playaaaaa' department

Michal Zalewski has released tmin. From his announcement to bugtraq:

"I'd like to announce tmin - a free, quick, and handy tool to quickly and effortlessly minimize the size and syntax of complex test cases in automated security testing. I found the tool to be remarkably useful, as it saved me from hours of manual guesswork a number of times already - so I thought it's good to share.

The tool is related to delta (http://delta.tigris.org), a sophisticated test case optimizer for well-structured input formats - but tmin is designed specifically for dealing with unknown or insanely complex data layouts, including binary files (without the need to encode, tokenize, and re-serialize testcases), for hands-off detection of common security fault conditions, and for easy integration with GUI application testing harnesses.

[ It is also capable of reducing the complexity of alphabets used in datasets that cannot be further trimmed down in size, which is nice. ]

Download & documentation:

http://code.google.com/p/tmin

A quick teaser:

$ cat testcase.in
This is a lengthy and annoying hello world testcase.

$ cat testme.sh
#!/bin/bash

grep "el..*wo" || exit 0
exit 1

$ ../tmin -x ./testme.sh
tmin - complex testcase minimizer, version 0.03-beta (lcamtuf@google.com)
[*] Stage 0: loading 'testcase.in' and validating fault condition...
[*] Stage 1: recursive truncation (round 1, input = 53/53)
[*] Stage 1: recursive truncation (round 2, input = 27/53)
[*] Stage 1: recursive truncation (round 3, input = 14/53)
[*] Stage 1: recursive truncation (round 4, input = 10/53)
[*] Stage 1: recursive truncation (round 5, input = 8/53)
[*] Stage 1: recursive truncation (round 6, input = 7/53)
[*] Stage 2: block skipping (round 1, input = 7/53)
[*] Stage 2: block skipping (round 2, input = 6/53)
[*] Stage 2: block skipping (round 3, input = 5/53)
[*] Stage 3: alphabet normalization (round 1, charset = 5/5)
[*] Stage 3: alphabet normalization (round 2, charset = 5/5)
[*] Stage 4: character normalization (round 1, characters = 4/5)
[*] All done - writing output to 'testcase.small'...


== Final statistics==
Original size : 53 bytes
Optimized size : 5 bytes (-90.57%)
Chars replaced : 1 (1.89%)
Efficiency : 9 good / 49 bad
Round counts : 1:6 2:3 3:2 4:1


$ cat testcase.small
el0wo


Enjoy,
/mz"

Tool Link: http://code.google.com/p/tmin/wiki/TminManual
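The four stages in the teaser output (recursive truncation, block skipping, alphabet normalization, character normalization) are easier to understand with a small reimplementation in hand. The following Python is an added example for this post, not tmin's own code: the exact cutting strategies (halving cuts from each end, scanning block deletions, normalising every byte towards '0', which the teaser output shows tmin also uses) are my own simplification of the stage names. The fault condition is a callable that returns True while the candidate still triggers the fault; `command_fails` is an assumed helper that mirrors tmin's `-x` mode by feeding the candidate to a script on stdin and treating a non-zero exit status as "fault still present", the convention testme.sh above follows. The sample input and the regular expression are constructed here to stand in for testcase.in and the grep call.

```python
import re
import subprocess
from typing import Callable, List, Tuple

# A fault predicate returns True when the candidate input still triggers the
# condition under test (a crash, a sanitizer report, a grep hit, ...).
Fails = Callable[[bytes], bool]


def command_fails(argv: List[str]) -> Fails:
    """Assumed helper in the spirit of tmin's -x mode: feed the candidate on
    stdin, treat a non-zero exit status as "fault still present"."""
    def fails(data: bytes) -> bool:
        proc = subprocess.run(argv, input=data, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
        return proc.returncode != 0
    return fails


def truncate(data: bytes, fails: Fails) -> bytes:
    """Stage 1 (recursive truncation): chop as much as possible off the tail,
    then off the head, trying large cuts first and halving when one fails."""
    for side in ("tail", "head"):
        cut = len(data) // 2
        while cut >= 1:
            candidate = data[:-cut] if side == "tail" else data[cut:]
            if fails(candidate):
                data = candidate      # cut accepted: retry the same size
            else:
                cut //= 2             # too aggressive: try a smaller cut
    return data


def skip_blocks(data: bytes, fails: Fails) -> bytes:
    """Stage 2 (block skipping): delete interior blocks of shrinking size."""
    block = len(data) // 2
    while block >= 1:
        pos = 0
        while pos + block <= len(data):
            candidate = data[:pos] + data[pos + block:]
            if fails(candidate):
                data = candidate      # block removed: re-test at this offset
            else:
                pos += 1
        block //= 2
    return data


CANONICAL = b"0"   # the byte everything is normalised towards


def normalise_alphabet(data: bytes, fails: Fails) -> bytes:
    """Stage 3 (alphabet normalisation): replace every occurrence of each
    distinct byte with the canonical byte, keeping it if the fault survives."""
    for value in sorted(set(data)):
        byte = bytes([value])
        if byte == CANONICAL:
            continue
        candidate = data.replace(byte, CANONICAL)
        if fails(candidate):
            data = candidate
    return data


def normalise_chars(data: bytes, fails: Fails) -> bytes:
    """Stage 4 (character normalisation): same idea, one position at a time."""
    out = bytearray(data)
    for i in range(len(out)):
        if out[i] == CANONICAL[0]:
            continue
        saved = out[i]
        out[i] = CANONICAL[0]
        if not fails(bytes(out)):
            out[i] = saved            # this byte is load-bearing, restore it
    return bytes(out)


def minimize(data: bytes, fails: Fails) -> Tuple[bytes, List[Tuple[str, int]]]:
    """Run stage 0 (validation) and the four reduction stages; return the
    minimised input plus a per-stage size log."""
    if not fails(data):
        raise ValueError("original input does not trigger the fault condition")
    log = [("original", len(data))]
    for name, stage in (("truncation", truncate),
                        ("block skipping", skip_blocks),
                        ("alphabet normalisation", normalise_alphabet),
                        ("character normalisation", normalise_chars)):
        data = stage(data, fails)
        log.append((name, len(data)))
    return data, log


# Constructed sample: the teaser's testcase.in (trailing newline included, which
# is what makes it 53 bytes) and a pure-Python stand-in for testme.sh's grep.
SAMPLE = b"This is a lengthy and annoying hello world testcase.\n"
PATTERN = re.compile(rb"el..*wo")


def sample_fails(data: bytes) -> bool:
    return PATTERN.search(data) is not None


if __name__ == "__main__":
    result, log = minimize(SAMPLE, sample_fails)
    for name, size in log:
        print(f"{name:24s} {size:3d}/{len(SAMPLE)}")
    print(result)                     # b'el0wo', the same output as the teaser
```

Run as a script this prints the per-stage sizes and `el0wo`, matching the teaser. Every stage only keeps a candidate when the predicate still fires, so the result is guaranteed to reproduce the fault; what is not guaranteed is global minimality, which is why the stages run from coarse to fine and why a second pass over the output is often worth trying. For a real target the predicate should also treat timeouts and unexpected exit statuses as "not the fault", otherwise the minimiser happily reduces the input to whatever triggers a different crash.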
Link to this Story: Tool Release: tmin: Fuzzing test case optimizer
Link: Have a Site Suggestion, Material Request, or News? Submit it!
News RSS Feed: Web Security news RSS Feed
Discuss this article    Find Related Stories
Layer 1 attack shuts down Peter Gabriel website
Posted 5/5/08 by Robert from the 'that's one way of shutting down bad music' department

As reported by The Register, Peter Gabriel's website was attacked this morning, this time at layer 1.

From www.petergabriel.com

"Real World, Peter Gabriel and WOMAD web services are currently off-line. Our servers were stolen from our ISP's data centre on Sunday night - Monday morning. We are working on restoring normal service as soon as possible.

If you want WOMAD tickets in a hurry they are available from various retailers like Ticketmaster, we hope to have our store running again soon and will keep you posted on developments. "

If you're in charge of security planning for your infrastructure, this is a friendly reminder to review your physical access policies :) More info at The Register below.

Article Link: http://www.theregister.co.uk/2008/05/05/peter_gabriel_server_theft/
Good Worms Are a Bad Idea
Posted 5/5/08 by Robert from the 'mealworms rejoice' department

"Some bad ideas seem to live on forever. One of the big ones in computers is to use hacker tactics to perform white-hat operations on an Internet scale. The classic example of this is the "good worm" idea: a worm that spreads among computers to improve their security.

There have been attempts at this in the past, most famously Welchia, a worm that exploited the infamous Windows RPC/DCOM network vulnerability in order to patch it. There were also reports years ago of Hewlett-Packard launching a good worm, but this turned out to be a more conventional scanning system that in some ways presaged NAC.

The lesson from Welchia is that these things are a bad idea. As Spencer Katt puts it well, good worms resemble their evil twins in many unpleasant ways. They invade privacy, hog resources, and potentially create vulnerabilities in the systems they infect.

More to the point, releasing them is illegal and immoral. It's also pretentious: How dare you decide what code other people should be running on their systems? How dare you say that you know better how to manage my security than I do?"

Article Link: http://www.eweek.com/c/a/Security/Good-Worms-Are-A-Bad-Idea/
Whitepaper: Access through access by Brett Moore, attacking Microsoft Access
Posted 5/1/08 by Robert from the 'Flat files 4 lyfe' department

Brett Moore has published a great document on how to SQL inject applications that use Microsoft Access. He discusses default table names, sandboxing, reading local files and more. There aren't many good papers on attacking MS Access and this is WELL worth the read. From the paper:

"MS Access is commonly thought of as the little brother of Database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test. The aim of this paper is to bring a lot of disparate information together into one guide.

MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was however the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as Access Connectivity Engine.

Although MS Jet is not as complex as more advanced databases such as SQL Server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage. Therefore it is often encountered during Web Application reviews and the potential for exploitation should be realised.

This paper will outline methods to identify different versions of MS Jet, some SQL Injection methods to use during tests, and some other techniques to access files, servers, and potentially gain command access."

Whitepaper Link: http://www.insomniasec.com/publications/Access-Through-Access.pdf
Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers
Posted 4/28/08 by Robert from the 'parameterized queries 4 lyfe' department

"There’s been a lot of noise and violent thrashing over the last couple days regarding a flaw that was originally believed to be a flaw in Microsoft’s IIS (Internet Information Server), but has since been pointed out as simply a well thought out SQL Injection attack.

For those of you who aren’t familiar with SQL Injection attacks, it’s a pretty well known web application attack vector that exists in high volume on dynamic applications, say for instance, on your banking site. SQL Injection allows an attacker to subvert the logic of the currently running SQL query in order to interact with data more interesting to the attacker, bypass authentication/authorization, or run arbitrary commands on the operating system of the database server."

Article Link: http://blogs.zdnet.com/security/?p=1059
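The department name says "parameterized queries", so here is the concrete difference between the two ways of building the query the article describes, as an added example (it is not from the ZDNet article): an in-memory SQLite table is constructed inline, `login_concatenated` splices the user's input into the SQL text, and `login_parameterized` binds it as a value instead. The tautology probe is constructed for the demo and is the textbook way a quote in the input turns into SQL syntax.

```python
import sqlite3
from typing import Dict, List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline.
    Plaintext passwords only to keep the demo small; never do this for real."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str,
                       password: str) -> List[str]:
    """Vulnerable: the input is pasted into the SQL text, so a quote inside it
    ends the string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}' "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str,
                        password: str) -> List[str]:
    """Fixed: the SQL text is a constant; the values travel as bound
    parameters and are compared as data, whatever characters they contain."""
    sql = ("SELECT username FROM users "
           "WHERE username = ? AND password = ? ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> Dict[str, List[str]]:
    """Run the same credentials through both implementations."""
    conn = make_db()
    # Constructed probe: once spliced into the text the WHERE clause becomes
    # username = 'alice' AND password = '' OR '1'='1', which is always true.
    tautology = "' OR '1'='1"
    return {
        "good login (concatenated)": login_concatenated(conn, "alice", "s3cret"),
        "good login (parameterized)": login_parameterized(conn, "alice", "s3cret"),
        "tautology (concatenated)": login_concatenated(conn, "alice", tautology),
        "tautology (parameterized)": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:28s} -> {rows}")
```

The concatenated version returns every user for the tautology input, which is the authentication bypass the article mentions; the parameterized version returns nothing because the string `' OR '1'='1` is simply not anybody's password. The same applies to any other driver's placeholder syntax: what matters is that the query text never changes with the input.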
Automatic Patch-Based Exploit Generation
Posted 4/28/08 by Robert from the 'hackers soon to be obsolete' department

"The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update.

In many cases we are able to automatically generate exploits within minutes or less. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch. Thus, we conclude update schemes, such as Windows Update as currently implemented, can detract from overall security, and should be redesigned."

Whitepaper Link: http://www.cs.cmu.edu/%7Edbrumley/pubs/apeg.pdf
Getting started with Web application misuse cases
Posted 4/25/08 by Robert from the 'misuse me' department

Michelle Davidson writes:


"When developing applications it isn't enough to think about how they will be used. You must also consider how they will be misused -- or abused -- so that you can prevent attacks. Kevin Beaver gives some examples of Web application weak spots that your development team should consider."

Article Link: http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1310166,00.html
Bruce Schneier rants about 1984
Posted 4/4/08 by Robert from the 'take that Orwell' department

"Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced.

Data collection in Nineteen Eighty-Four was deliberate; today's is inadvertent. In the information society, we generate data naturally. In Orwell's world, people were naturally anonymous; today, we leave digital footprints everywhere.

Nineteen Eighty-Four's police state was centralized; today's is decentralized. Your phone company knows who you talk to, your credit card company knows where you shop and NetFlix knows what you watch. Your ISP can read your email, your cell phone can track your movements and your supermarket can monitor your purchasing patterns. There's no single government entity bringing this together, but there doesn't have to be. As Neal Stephenson said, the threat is no longer Big Brother, but instead thousands of Little Brothers."

Article Link: http://www.journal-online.co.uk/articles/show/3103
IIS Vulnerability Documented by Microsoft - Includes Workarounds
Posted 4/4/08 by Robert from the 'posting news a few days late is better than nothing' department

SANS reports:
"Microsoft has just put out an advisory for a privilege escalation vulnerability in Windows that affects IIS and potentially SQL Server (951306). Basically, authenticated users can use this vulnerability to become LocalSystem. This is probably more of a problem for shared hosting environments where clients could upload malicious code to the webserver and run the exploit to gain additional rights. SQL is less of a problem because permissions have to be explicitly given to allow a SQL user to run code.

The advisory contains workarounds for IIS 6 and 7 that are claimed to blunt this vulnerability. The only negative impact of those workarounds is to add some extra work when adding users, but they do block the vector of attack."

Article Link: http://isc.dshield.org/diary.html?storyid=4306
Hackers jack thousands of sites, including UN domains
Posted 4/4/08 by Robert from the 'we don't need no stinking prepared statements' department

"Large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations, have been hacked and are serving up malware, a security researcher said today as massive JavaScript attacks last detected in March resume. "They're using the same techniques as last month, of an SQL injection of some sort," said Dan Hubbard, vice president of security research at Websense Inc., referring to large-scale attacks that have plagued the Internet since January.

Among the sites hacked were several affiliated with either the UN or U.K. government agencies, said Websense.

The exact number of sites that have been compromised is unknown, said Hubbard. He estimated that it's similar to the March attacks, which at their height infected more than 100,000 URLs, including prominent domains such as MSNBC.com."

Article Link: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=16&articleId=9079961&intsrc=hm_topic
Hacked: Turning a women's fashion website into a porn site
Posted 4/4/08 by Robert from the 'quit your damn complaining' department

"HACKERS have turned a bitchy blog about the world of women's magazines into a porn site.

The blog by a mystery woman who calls herself “MagHag” has become a must-read for industry insiders, due to its salacious gossip about the editors of Madison, Vogue, Harper's Bazaar, Cosmopolitan and Shop Til You Drop.

Those magazine editors were yesterday left reaching for their Chanel smelling salts after a hacker posted obscene pornography on the site.

“Your Site Hacked by beyrut - don't tell me to stop,” read the new coverpage on the blog 4inchheels.wordpress.com yesterday.

“Sorry admin ownz your sistem (no war),” the hacker proclaims on the site.

At the Carla Zampatti show in Sydney yesterday, the front row was abuzz with gossip that MagHag had been sabotaged by one of her own colleagues, as the revelations on her website were so close to the bone that magazines had reportedly launched a witch-hunt to identify and sack her."

Article Link: http://www.theaustralian.news.com.au/story/0,24897,23586843-7582,00.html
Barack Obama site XSSed, redirected to Hillary's website
Posted 4/21/08 by Robert from the 'why couldn't they have xss'd hillary's site instead' department

"Yes Cross Site Scripting (XSS) errors are all over the place. And YES they can affect very prominent web sites.

The discussion forum area on Barackobama.com is allegedly the victim of an XSS exploit that redirected comments from Obama's site to....HillaryClinton.com.

A hacker going by the alias of 'Mox' has claimed responsibility for the exploit. Mox argued that the Obama site was not 'hacked'.

It is because what I did was not hacking in the sense that I burrowed into some dusty server and changed the Obama site and stole all your credit card numbers. All I did was exploit some poorly written HTML code."

Article Link: http://blog.internetnews.com/skerner/2008/04/hackers-take-from-barack-obama.html
XSS in ISP ad page allows compromise of any website
Posted 4/21/08 by Robert from the 'xss 4 lyfe' department

"When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there's no such listing and a simple error message should be displayed.

But starting in August 2006, Earthlink instead intercepts that Non-Existent Domain (NXDOMAIN) response and sends the IP address of ad-partner Barefruit's server as the answer. When the browser visits that page, the user sees a list of suggestions for what site the user might have actually wanted, along with a search box and Yahoo ads.

The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn't exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it's the official Google site.

As a result, all those subdomains are only as secure as Barefruit's servers, which turned out to be not very secure at all. Barefruit neglected basic web programming techniques, making its servers vulnerable to a malicious JavaScript attack. That meant hackers could have crafted special links to unused subdomains of legitimate websites that, when visited, would serve any content the attacker wanted."

Article Link: http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html
Are CAPTCHA's dead?
Posted 4/16/08 by Robert from the 'OCR 4 lyfe' department

"For the last few years, Captcha, the Completely Automated Public Turing test to tell Computers and Humans Apart, has been one of our main lines of defense against the machines that want to impersonate us.

Recently, though, the most popular Captcha implementations have been cracked. Bots with character-recognition ability have gotten pretty reliably good at figuring out what the distorted text says. That means they can sign up for Gmail, Yahoo, and Windows Live accounts automatically, and use those accounts for their own malicious purposes -- typically to send spam.

Websense has an interesting analysis of the cracking of the Windows Live Captcha."

Man hacks video game to propose to girlfriend
Posted 4/16/08 by Robert from the 'originality' department

"A software developer in the US used his programming skills to propose to his girlfriend by altering a copy of the game she was playing.

Bernie Peng spent a month hacking the code in Bejeweled so that when Tammy Li attained a particular score a ring appeared along with the marriage proposal.

Li accepted the proposal and the couple plan to marry on the weekend of US Labor Day at the end of August."

Google bots now submit forms in effort to find new pages
Posted 4/16/08 by Robert from the 'autoform fill' department

"Google's search bots, which scour the web constantly for new pages, have begun a new, more active phase of their indexing jobs.

In a blog post last week, Jayant Madhavan and Alon Halevy of Google's crawling and indexing team said the company has begun an experiment in which its indexing software experimentally enters text in website forms to see what previously undiscovered pages may appear.

The post said: "In the past few months, we have been exploring some HTML forms to try to discover new web pages and URLs that we otherwise couldn't find and index for users who search on Google. This experiment is part of Google's broader effort to increase its coverage of the web. In fact, HTML forms have long been thought to be the gateway to large volumes of data beyond the normal scope of search engines.""

DNS lords expose netizens to 'poisoning'
Posted 4/16/08 by Robert from the 'Amit pwned your PRNG' department

"More than a decade after serious holes were discovered in the internet's address lookup system, end users remain vulnerable to so-called domain name system cache poisoning, a security researcher has warned.

Developers of the software that handles DNS lookups have scrambled to patch buggy code that could allow the attacks, but not to the satisfaction of Amit Klein, CTO of security firm Trusteer, who over the past year has uncovered serious new vulnerabilities in multiple DNS products.

Last July, he exposed flaws in Berkeley Internet Name Domain (BIND), the most widely used DNS server. The flaws allowed attackers to predict the pseudo-random transaction number that the software uses when providing the numeric IP address of a requested web page. That, in turn, could allow the attacker to supply a fraudulent address that leads to a malicious destination.

"I'm not too comfortable with the quality of the solution from the security and predictability standpoint," Klein said during a session at last week's RSA security conference in San Francisco."
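The weakness the article describes is predictability of the DNS transaction ID, the 16-bit value a resolver must see echoed back before it accepts an answer. A defender who has captured a sample of a resolver's outgoing IDs can at least screen it for crude patterns before trusting it. This is an added example, not from the article or from Klein's work: `txid_stats` and `looks_predictable` are my own heuristics, and the three ID sequences are constructed inline rather than captured from any resolver.

```python
import math
import random
from collections import Counter
from typing import Dict, Sequence


def txid_stats(ids: Sequence[int]) -> Dict[str, float]:
    """Summarise a sequence of observed 16-bit DNS transaction IDs."""
    n = len(ids)
    if n < 3:
        raise ValueError("need at least three IDs")
    counts = Counter(ids)
    # Empirical entropy of the sample; it is bounded by log2(n), so compare
    # it with that rather than with the ideal 16 bits.
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Consecutive differences modulo 2^16. A plain counter, or a generator
    # stepping by a constant, repeats the same difference over and over.
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    repeated = sum(1 for d1, d2 in zip(deltas, deltas[1:]) if d1 == d2)
    return {
        "count": n,
        "unique": len(counts),
        "entropy_bits": entropy,
        "max_entropy_bits": math.log2(n),
        "repeat_delta_ratio": repeated / (len(deltas) - 1),
    }


def looks_predictable(ids: Sequence[int]) -> bool:
    """Heuristic verdict: a large share of repeated steps, or far fewer distinct
    values than samples, means the next ID is guessable off-path."""
    s = txid_stats(ids)
    return s["repeat_delta_ratio"] >= 0.5 or s["unique"] < s["count"] // 2


# Constructed samples (no real resolver was queried).
SEQUENTIAL_IDS = [(0x1234 + i) & 0xFFFF for i in range(200)]      # plain counter
STEPPED_IDS = [(0x0042 + 7919 * i) & 0xFFFF for i in range(200)]  # constant stride
_rng = random.Random(2008)                                        # fixed seed, reproducible
RANDOM_IDS = [_rng.randrange(0x10000) for _ in range(200)]


if __name__ == "__main__":
    for label, ids in (("sequential", SEQUENTIAL_IDS),
                       ("stepped", STEPPED_IDS),
                       ("random", RANDOM_IDS)):
        s = txid_stats(ids)
        print(f"{label:10s} unique={s['unique']:3d} "
              f"entropy={s['entropy_bits']:.2f}/{s['max_entropy_bits']:.2f} "
              f"repeat_delta={s['repeat_delta_ratio']:.2f} "
              f"predictable={looks_predictable(ids)}")
```

A check like this only catches counters and constant-stride generators. The generators Klein analysed produce output that passes such screening yet leaks enough internal state in a few observed values to predict the rest, so a clean result here is necessary, not sufficient. The durable mitigation is a cryptographically strong source for the ID combined with randomising the query's source port, which adds roughly another 16 bits an off-path attacker has to guess per forged response.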

Getting to see an enigma machine at RSA 2008
Posted 4/10/08 by Robert from the 'cracking evil german codes' department

My week at RSA has been fairly interesting. One of the highlights was getting to see an Enigma machine at the NSA booth.

Here is a short video I made of the NSA Museum employee explaining how it works.

Movie: Wargames 2 Trailer
Posted 4/4/08 by Robert from the 'what would professor falken think?' department


"WarGames: The Dead Code stars Matt Lanter as a computer geek named Will Farmer who engages a government super-computer named R.I.P.L.E.Y. and enters in a game of online terrorist-attack simulation (yes, instead of global thermonuclear war from the original movie). But apparently the game is actually part of a sophisticated piece of government spyware designed to find potential terrorists. Homeland Security, now believing Farmer is a terrorist, sets out to apprehend him. And the computer, of course, forgets that it’s just playing a game."

View the trailer at http://www.slashfilm.com/2008/04/01/wargames-2-movie-trailer
Scanless PCI security scanning available
Posted 4/1/08 by Robert from the 'I can't believe how much time jeremiah has to spend on this stuff, give that man something to do' department

"Using a combination of fines and incentives the payment card brands have been working hard to boost PCI-DSS compliance rates among merchants. Meanwhile, ASVs have been doing their part by offering their services at drastically reduced prices and curtailing the security checklist to make certification as easy as possible. Every merchant who signs up is able to get PCI certified, but it does come at a price (not including bandwidth utilization). The problem is adoption rates are still slow, but that might all change with a new entry into the space, Scanless PCI."

Good news, if you are a whitehatsec customer you're already protected!

Additional details are at http://www.scanlesspci.com/
Gopher/Archie gaining popularity due to increase in web based attacks
Posted 4/1/08 by Robert from the 'April 1st' department


Due to the increase in devastating vulnerabilities abusing AJAX and Google to hack the web, more users are switching to 'safer' alternatives such as Gopher and Archie.

Johnny Long was quoted as saying 'My next book on Archie hacking, 'Jughead for idiots', will be out in late 2008 and I promise it will contain many search strings'. A Google representative has confirmed that Google will be switching to Veronica in an effort to protect its users.

Users wishing to switch their websites are being urged to switch to the Python gopher server 'pygopherd'. The lead pygopherd developer posted the following on his gophered blog: "People laughed at us, first for using Python and second for developing something for Gopher. Who's laughing now!"

Hackers Flood Epilepsy Web Forum With Flashing Lights
Posted 3/31/08 by Robert from the 'I see lights everywhere' department

"Unknown miscreants had a good time two weekends ago when they posted hundreds of flashing animated images onto discussion boards hosted by the Landover, Md.-based Epilepsy Foundation.

Flashing lights or bold moving patterns can trigger often violent seizures among 3 percent of the estimated 50 million epileptics worldwide.

"I was on the phone when it happened, and I couldn't move and couldn't speak," RyAnne Fultz, who has epilepsy, told Wired News about her reaction to viewing one of the images on March 23.

Fultz's 11-year-old son walked over and closed the browser window after about 10 seconds. Fortunately, she suffered nothing more than a bad headache.

By then, the second day of vandalism on EpilepsyFoundation.org, the jerks had moved on to hijacking the browsers of anyone who clicked on certain forum posts, filling the screens with bright, flashing colors."


Article Link: http://www.foxnews.com/story/0,2933,343808,00.html
Web developers, fix thy Flash
Posted 3/31/08 by Robert from the 'xss the bug that never dies' department

"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, allowing an attacker the ability to access the victims' funds.

Cannings originally disclosed the issues in December, but has seen very little activity on the part of Web-site developers to fix the flaws. The security researcher tested major Web sites that he uses regularly and found that every single one still hosted old Flash files. He notified each company, and made sure they had fixed the issues, before presenting his findings, he said.

"Things really haven't changed much since December," Cannings said. "There is still a lot of bugs out there.""


Article Link: http://www.securityfocus.com/news/11511
Blackhat SEO: XSS the trick that keeps on kicking
Posted 3/28/08 by Robert from the 'xss4lyfe' department

"Last week's massive IFRAME injection attack is slowly turning into what looks like a large-scale web application vulnerabilities audit of high-profile sites. Following the timely news coverage, Symantec's rating of the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of.

What has changed since the last time? The number and importance of the sites has increased, Google, from what it looks like, is filtering the search results despite the fact that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves."

Using XSS for SEO purposes has been known for years in the blackhat community. I suspect abuses such as these against search engines will cause them to switch to a more user-driven voting system (like digg) for term results.


Article Link: http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
Example Index: http://www.google.com/search?q=72.232.39.252&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
The essentials of Web application threat modeling
Posted 3/26/08 by Robert from the 'who let the threats out! woot. woot woot woot woot' department

"A critical part of Web application security is mapping out what's at risk -- a process called threat modelling. The term "threat" modelling is actually a misnomer. It's more like "vulnerability" or "risk" modelling, since we're technically looking at weaknesses and their consequences -- not the actual indication of intent to cause disruption (a threat).

Semantics aside, threat modelling -- even at a high level -- needs to be on your radar and part of your development process if Web application security is important to your business. Think about it. There's a lot happening within your Web applications that you may not be aware of. It's really easy to fall into the trap of assuming all's well in Web-land as long as the basics of a firewall, SSL, and strong passwords are in place. This dangerous assumption boils down to not really knowing what's at risk. It's the bane of information security today.

Let threat modelling help fill the gaps. It really does work. Here are the essential steps for getting started: "


Article Link: http://searchsecurity.techtarget.com.au/topics/article.asp?DocID=1306902
Copyright 2000-2007 Cgisecurity.com.
The oldest application security website. Providing Web Security news since 2000. Information contained on this website may not be copied without explicit permission.