Last 50 'Research' Tagged Posts

Poll: How do you rank the importance of a vulnerability?

I've added a new poll to the WASC linkedin group that a few of you may be interested in. Specifically asking how people rank the importance of vulnerabilities. Poll Link http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840

Paper: Web Application finger printing Methods/Techniques and Prevention

Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wapplyzer. "This Paper discusses about a relatively nascent field of Web Application finger printing, how automated web application fingerprinting is performed in the current scenarios, what are...

WASC Announcement: 'Static Analysis Tool Evaluation Criteria' Call For Participants

I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,...

Results of internet SSL usage published by SSL Labs

Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security....

Another use of Clickjacking, Cookiejacking!

Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx

NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad

NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals...

Easy Method For Detecting Caching Proxies

While thinking about some of the transparent proxy problems I came up with a fairly reliable way to detect caching proxies. Caching proxies can be either explicit or transparent, but are typically used in a transparent mode by an ISP to cut down on upstream bandwidth. A side effect (and benefit :)...

Phrack #67 is out for 25th anniversary!

To celebrate 25 years the phrack team has published issue #67. Introduction The Phrack Staff Phrack Prophile on Punk The Phrack Staff Phrack World News EL ZILCHO Loopback (is back) The Phrack Staff How to make it in Prison TAp Kernel instrumentation using kprobes ElfMaster ProFTPD with mod_sql pre-authentication, remote root FelineMenace...

Interesting IE leak via window.onerror

Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog "The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror...

CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years

To commemorate this site turning 10 I've created a list of my top 10 thought provoking/innovate posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response...

WASC Web Hacking Incident Database Semi-Annual Report for 2010

Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning. "Greetings everyone, I wanted to let you all know that we have released the new WHID report for 2010 -...

A reminder that CSRF affects more than websites

Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd. <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME";> The NetBSD team addressed this issue by failing on large commands. The...

Paper: Feasibility and Real-World Implications of Web BrowserHistory Detection

Artur Janc and Lukasz Olejnik have published a whitepaper outlining CSS history techniques along with results of what they found from real world users. From the whitepaper"Browser history detection through the Cascading Style Sheets visited pseudoclass has long been known to the academic security community and browser vendors, but has been largely...

Mozilla releases browser checker to see if you're running vulnerable plugins

Mozilla has released a tool that identifies which browser plugins you have installed, identifies if it is vulnerable, and provides you with links to get the updates. Very handy! Browser Plugin Check: https://www.mozilla.com/en-US/plugincheck/

Release of Strict Transport Security http module for ASP.NET.

Sacha Faust has published an IIS http module for the Strict Transport Security protocol. From his blog "I’ve been tackling the problem of users connecting to online services from untrusted network. At work we typically call this the “Startbucks” scenario where a user is connecting to a random wifi and accessing corporate...

DAVTest: Quickly Test & Exploit WebDAV Servers

Chris Sullo sent us the following news entry "DAVTest attempts to aid a penetration tester when facing WebDAV enabled services by quickly testing file type upload capability and features, as well as checking for code execution. It supports MOVE and MKCOL, authentication, and uploading of included shell files." Download: http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html

Be careful of "scheme relative urls" when performing 3xx redirects

Former coworker Sacha Faust has published an entry on how the lack of handling relative urls when implementing URL redirection can lead to open redirector's. Article: http://blogs.msdn.com/sfaust/archive/2010/03/30/saferedirect.aspx

Random FireFox URL handling Behavior

About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter the following into the firefox URL bar it will follow them to www.cnn.com. [http://www.cnn.com] [http://]www.cnn.com [http://www].cnn.com Etc... You can also substitute [] for {} or " and it...

XSS, SQL Injection and Fuzzing Barcode Cheat Sheet

Someone has published an amusing cheat sheet that will allow you to fuzz barcode scanning systems for common input validation issues such as XSS and SQL Injection. They even provide an online barcode generator which allows you to create your own payloads. Not much else to say really :) Link: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php

Post on Abusing Windows Communication Foundation to Perform Remote Port Scans

Brian Holyfield has published an entry on using Windows WCF to perform backend port scanning. This is possible due to the callback functionality WCF provides. From his article "Last weekend at Shmoocon, I demonstrated how an attacker can trick certain WCF web services into performing an unauthorized port scan of machines behind...

2010 SANS Top 25 Most Dangerous Programming Errors Released

I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top...

Weaning the Web off of Session Cookies Making Digest Authentication Viable

Timothy D. Morgan has published an excellent paper describing How UI limitations hinder adoption of HTTP based authentication How UI behaviors are/can be abused pertaining to HTTP auth Observations on Cookie limitations Proposals for browser vendors to allow for more widescale adoption of HTTP based auth such as digest From the paper...

WASC Threat Classification to OWASP Top Ten RC1 Mapping

Jeremiah Grossman and Bil Corry have created a nice visual mapping between the OWASP Top Ten and the WASC Threat Classification v2. More Information: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html

Announcement: WASC Threat Classification v2 is Out!

I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is...

Adobe on Fuzzing Adobe Reader For Security Defects

Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. Its good to see a company such as Adobe publishing this information as its one of those things that is discussed frequently by the security community, however...

Experimenting With WASC Threat Classification Views: Vulnerability Root Cause Mapping

I currently lead the WASC Threat Classification Project and we're expecting to publish our latest version next month. One of the biggest changes between the TCv2 and TCv1 is that we're doing away with single ways to represent the data. In the TCv1 we had a single tree structure to convey appsec...

Clientless SSL VPN products break web browser domain-based security models

A new CERT advisory has been published outlining a weakness in the way web based SSL clients operate, resulting in a Same Origin Policy breakage. Here's the meaty details. "As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link...

Nozzle: A Defense Against Heap-spraying Code Injection Attacks

Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage...

Heading out to AppsecDC

I'll be heading out to AppSecDC to present Transparent Proxy Abuse on Thursday, so if you're attending and want to chat about appsec I'll be available after my talk. Here's a teaser of my presentation I'll be presenting a video demonstrating this abuse case against Squid and Mac OS X Parental Control...

TLS negotiation flaw published

Steve Dispensa and Marsh Ray have published a paper describing a weakness in the TLS negotiation process. This is the same attack discussed on the IETF TLS list. From the whitepaper "Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle...

Amazon EC2 cloud computing for password/crypto cracking

There is a rather lengthy set of posts on using cloud based computing services as ideal venues for crypto and password cracking. Link: http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html Link: http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html

Microsoft's Enhanced Mitigation Evaluation Toolkit adds protection to processes

Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more...

Attacking Magstripe Gift Cards

Corsaire has published a rather lengthy paper on attacking gift card systems. While this is a little off topic it's a good read. "This paper is based on research conducted on a large number of UK gift cards. It has been created to complement the presentation “Stored Value Gift Cards: Magstripes Revisited”,...

WASC TC v2 - Improper Input Handling Section Completed

I lead the WASC Threat Classification v2 project and we've just completed a section that I felt deserved its own post. Prasad Shenoy along with the WASC TC peer review team authored a really great section on Improper Input Handling meant to describe each aspect of input handling with a medium level...

Announcing the Web Application Security Scanner Evaluation Criteria v1

"The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list...

Strict Transport Security (STS) draft specification is public

Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a new proposed protocol for allowing a website to instruct returning visitors to never visit the site on http, and to only visit the site over https and is entirely opt in. This can prevent MITM...

Cross-protocol XSS with non-standard service ports

i8jesus has posted an entry on smuggling other protocol commands (such as ftp) in HTML forms, as well as edge case situations where running a tcp service (in this case ftp on a non standard port) can result in more XSS abuse cases. While not likely still worth a read. "Most people...

Article: Bypassing DBMS_ASSERT in certain situations

David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible. From the whitepaper "The DBMS_ASSERT builtin package can be used by PL/SQL developers to protect against SQL injection attacks[1]. In [2] Alex Kornbrust...

WASC Distributed Open Proxy Honeypot Update - XSS in User-Agent Field

"In case you missed it, the WASC Distributed Open Proxy Honeypot Project launched Phase III at the end of July. We have a few sensors online and as we start gathering data, we are starting our analysis. Our goal is to be able to release "events of interest" to the community to...

WASC Threat Classification v2 updates

We're nearing the completion of the WASC Threat Classification v2 (2 sections left!) and have added the following new sections since my last couple of posts. Null Byte Injection Integer Overflows We've also heavily updated the following sections Buffer Overflows (in depth discussion of heap vs stack vs integer overflows) SQL Injection...

Next Phase of WASC's Distributed Open Proxy Honeypot Project Begins

Fellow WASC Officer Ryan Barnett has started the next phase of the Distributed Open Proxy Honeypot Project where people deploy open relay proxies and send the results to a central host for analysis. I met up with Ryan at blackhat where he showed me the central console displaying metrics for each proxy...

Hacking Short CSRF Tokens using CSS History Hack

Securethoughts has posted an entry on combining CSS history theft hacking to brute force short CSRF tokens and has created a POC demonstrating it. While not fast this is certainly achievable (assuming the token is still valid/hasn't expired once identified) on short CSRF token values, and has the advantage in that it...

Nmap 5.00 Released

"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this. Considering all the changes, we...

Threat Classification v2 and the need for change

As I recently posted the WASC Threat Classification v2 is currently in a public working state and there's been a buzz on the mailing lists about it compared to other related projects. Vishal Garg posed a question I was expecting for awhile which is why does the TCv2 look so much different...

Months later, more products identified using exploitable transparent proxy architecture

It's been more than 3 months since I published my paper on abusing transparent proxies with flash, and 4 months since CERT's Advisory (VU#435052). Since that time additional products have been identified as being exploitable. Still Vulnerable Squid http://www.squid-cache.org/ Astaro http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/24916-socket-capable-browser-plugins-result-transparent-proxy-abuse.html QBik Wingate http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-2009-0802 Tiny Proxy? https://packetprotector.org/forum/viewtopic.php?id=4018 Smoothwall, SchoolGuardian, and NetworkGuardian http://www.kb.cert.org/vuls/id/MAPG-7M6SM7...

WASC Threat Classification 2.0 Sneak Peek

Here is a sneak peek at the WASC Threat Classification v2.0. We've been working on this for more than a year and it's been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement "The Threat Classification v2.0...

New Attack on AES

A new attack has been discovered against AES. "Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the rst key recovery attack that works for all the keys and has complexity 2119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class...

Three Web Application Firewall Advisories, Whitepaper Published

Michael Kirchner and Wolfgang Neudorfer have published 3 advisories in various Web Application Firewall products. Artofdefence Hyperguard Web Application Firewal (Remote Denial of Service) http://www.h4ck1nb3rg.at/wafs/advisory_artofdefence_hyperguard_200907.txt phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution) http://www.h4ck1nb3rg.at/wafs/advisory_phion_airlock_200907.txt radware AppWall Web Application Firewall (Source code disclosure on management...

Masked passwords must go?

"Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in. They...

Generic Remote File Inclusion Attack Detection

"A big challenge for identifying web application attacks is to detect malicious activity that cannot easily be spotted using using signatures. Remote file inclusion (RFI) is a popular technique used to attack web applications (especially php applications) from a remote server. RFI attacks are extremely dangerous as they allow a client to...

Browser Security: Lessons from Google Chrome

An article on security in Google's Chrome browser has been published. "The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a security...

Phrack 66 is out!

IntroductionTCLH Phrack Prophile on The PaX TeamTCLH Phrack World NewsTCLH Abusing the Objective C runtimenemo Backdooring Juniper FirewallsGraeme Exploiting DLmalloc frees in 2009huku Persistent BIOS infectionaLS and Alfredo Exploiting UMA : FreeBSD kernel heap exploitsargp and karl Exploiting TCP Persist Timer Infinitenessithilgore Malloc Des-Maleficarumblackngel A Real SMM RootkitCore Collapse Alphanumeric RISC ARM...

SHA-1 collisions achievable

"The researchers, from Macquarie University in Sydney, Australia, found a way to break the SHA-1 algorithm in significantly fewer tries than previously required. Although the hash function was previously believed to withstand attempts numbering 263, the researchers have been able to whittle that down to 252, a number that puts practical attacks...

New paper by Amit Klein (Trusteer) - Temporary user tracking in major browsers and Cross-domain information leakage and attacks

Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and cross...

Insecure Magazine 21 (June) Released

Insecure magazine 21 has been released and covers the following. Malicious PDF: Get owned without opening Review: IronKey Personal Windows 7 security features: Building on Vista Using Wireshark to capture and analyze wireless traffic "Unclonable" RFID - a technical overview Secure development principles Q&A: Ron Gula on Nessus and Tenable Network Security...

Compromising web content served over SSL via malicious proxies

Microsoft research has published an excellent paper describing many browser flaws. The use case primary involves an attacker hijacking the explicitly configured proxy used by the user and via HTTP code trickery they can access the content on an HTTPS established connection. It also outlines browser flaws involving caching of SSL certs...

OpenSSH Protocol Pwned

"The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux, allows 32 bits of encrypted text to be rendered in plaintext, according to a research team from the Royal Holloway Information Security Group (ISG). An attacker has a 2^{-18} (that is, one in 262,144) chance of success. ISG lead professor...

Gap Analysis of Application Security in Struts2/WebWork

"The purpose of this paper is to discover what features and capabilities, if any, the Struts2/WebWork (hereafter referred to simply as Struts2) development team could add to increase the security of applications built with Struts2. The version analyzed was version 2.1.6, which was the latest version available when the project was started....

Web 2.0 Application Proxy, Profiling and Fuzzing tool

"This tool helps in assessing next generation application running on Web/enterprise 2.0 platform. It profiles HTTP requests and responses at runtime by configuring it as proxy. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookie, login forms, hidden values etc. Based on profile one can take...

Metasploit Decloaking Engine Gets User's Real IP

"This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed." Essentially this uses...

FBI CIPAV Spyware Snaring Extortionists and Hackers for Years

"A sophisticated FBI-produced spyware program has played a crucial behind-the-scenes role in federal investigations into extortion plots, terrorist threats and hacker attacks in cases stretching back at least seven years, newly declassified documents show. First reported by Wired.com, the software, called a "computer and internet protocol address verifier," or CIPAV, is designed...

Improving Security with URL Rewriting

"Most web application security experts frown on the practice of passing session or authentication tokens in a URL through the use of URL rewriting. Usually these tokens are passed between the server and the browser through HTTP cookies, but in cases where users configure their browsers to not accept cookies, this is...

Blackhat 2006 RSS Security Talk Video Available

In 2006 I gave a talk on hacking RSS feeds, and feed readers. I stumbled upon the video for blackhat 2006 by accident the other day and thought it was worth posting. Video: http://media.blackhat.com/bh-usa-06/video/2006_BlackHat_Vegas-V36-Auger_and_Sima-0day_subscriptions.mp4 Slides: http://www.cgisecurity.com/papers/RSS-Security.ppt Paper: http://www.cgisecurity.com/papers/HackingFeeds.pdf

Tool: XSS Rays

"I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development...

Watcher: a free web-app security testing and compliance auditing tool

"Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues. Here’s some of the issues Watcher has checks for now:...

Revisiting Browser v. Middleware Attacks In The Era Of Deep Packet Inspection

Dan Kaminsky has just published his latest paper on middleware attacks that I recommend checking out. "For CanSecWest this year, I thought it’d be interesting to take a look at the realm of Deep Packet Inspectors. It turns out we were doing a lot of this around 2000 through 2002, and then…well,...

Google Blackhat SEO Hack

"Today’s aggressive and spooky abuse of trusted giants reveals just how sophisticated and manipulative these guys have become. By following Google Trends, and with some sharp SEO skills to take advantage of Google’s famed real-time indexing, Scammers are directly targeting Google’s search results, trusted by as many as 70 percent of Internet...

Fuzzing for Fun and Profit

"Many different resources define fuzzing many different ways. I believe this definition is more suiting than most: "Fuzzing is targeting input and delivering data that is handled by a target with the intent of identifying bugs." Fuzzing can occur theoretically where ever input is possible. There are two kinds of fuzzing: "dumb"...

CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies

For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the cert advisory). QBIK New Zealand...

The Multi-Principal OS Construction of the Gazelle Web Browser

I was reading slashdot and saw that Microsoft has released a paper outlining a new secure browser architecture. From the abstract "Web browsers originated as applications that people used to view static web sites sequentially. As web sites evolved into dynamic web applications composing content from various web sites, browsers have become...

Security assessment of the Transmission Control Protocol (TCP)

The following email was sent to Full Disclosure today. I haven't had a chance to read this monster 140 document yet but it sure sounds interesting. "The TCP/IP protocol suite was conceived in an environment that was quite different from the hostile environment they currently operate in. However, the effectiveness of the...

PHP filesystem attack vectors

ascii writes "On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) for the PHP language. It was a path normalization issue and I asked them to keep it “secret” [4],...

The security industry needs to re-align its training expectations for QA

I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and...

Microsoft's SDL and the CWE/SANS Top 25

"Bryan here. The security community has been buzzing since SANS and MITRE’s joint announcement earlier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don’t want to get into a debate in this blog about whether this new list will become the new de facto standard...

Security metrics on flaws detected during architectural review?

I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics...

CWE & SANS TOP 25 Most Dangerous Programming Errors

"Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors. A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft, Symantec,...

Article: Security Assessment of the Internet Protocol

The following was sent to the Full Disclosure mailing list last yesterday. "In August 2008 the UK CPNI (United Kingdom's Centre for the Protection of National Infrastructure) published the document "Security Assessment of the Internet Protocol". The motivation of the aforementioned document is explained in the Preface of the document itself. (The...

MD5 considered harmful today: Creating a rogue CA certificate

UPDATE: I've added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. "We have identified a vulnerability in the...

Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones

"German researchers have discovered more than 300 cybercrime servers full of stolen credentials on more than 170,000 people -- and it is only the tip of the iceberg, they say. Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and say...

Software [In]security: Software Security Top 10 Surprises

"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working...

Metasploit Decloaking Engine

"The Metasploit Decloak Engine is now back online with a handful of new updates and bug fixes. Decloak identifies the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. The first version was announced in June of 2006 and was eventually...

Google Chrome Receives Lowest Password Security Score

"Google's new web browser may be fast and slim, but the password management features it offers are full of bugs. Chapin Information Services (CIS) reported critical vulnerabilities in this software during its beta period, all of which were unfixed at release time. Among the problems are three in particular that, when combined,...

Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities

Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. "Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that safely...

Google publishes Browser Security Handbook

Michal Zalewski from google has published an an extremely in depth guide describing the various behavioral differences between the major browsers. "I am happy to announce the availability of our "Browser Security Handbook" - a comprehensive, 60-page document meant to provide web application developers and information security researchers with a one-stop reference...

Computer scientists find audio CAPTCHAs easy to crack

"The Carnegie-Mellon University team behind the reCAPTCHA service is continuing to expand its effort to mix basic security and useful work. CAPTCHAs are the distorted text that helps various online services ensure that the entity opening an account is a human, not a bot bent on using the service to dish out...

Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Investigations

David Litchfield has published a new tool and paper on forensics on Oracle Databases. From his email to the Websecurity mailing list. "I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's...

.NET Framework rootkits - backdoors inside your framework

"The paper introduces a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core. It covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to...

Visa Card Features Buttons and Screen to Generate CCV Dynamically

A co worker sent me this link yesterday afternoon. "Using what appears to be Visa's mutant hybrid of a credit card and a pocket calculator, users can enter their PIN into the card itself and have a security code generated on the fly. The method can stop thieves in two ways. Those...

Continuing Business with Malware Infected Customers

"Today’s media is full of statistics and stories detailing how the Internet has become an increasingly dangerous place for all concerned. Figures of tens of millions and hundreds of millions of bot-infected computers are regularly discussed, along with approximations that between one-quarter and one-third of all home computer systems are already infected...

Uninformed Journal Release Announcement: Volume 10

Uninformed is pleased to announce the release of its 10th volume which is composed of 4 articles: Engineering in Reverse - Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS Author: Skywing - Using dual-mappings to evade automated unpackers Author: skape Exploitation Technology - Analyzing local privilege escalations...

PHP 5.3 and Delayed Cross Site Request Forgeries/Hijacking

"Although PHP 5.3 is still in alpha stage and certain features like the PHAR extension or the whole namespace support are still topics of endless discussions it already contains smaller changes that could improve the security of PHP applications a lot. One of these small changes is the introduction of a new...

Fyodor speculates on new TCP Flaw

Fyoder (the author of nmap if you've been sleeping under a rock) has posted a write up on the recent TCP Dos flaw. UPDATE: According to a post by Robert Lee this isn't the issue. "Robert Lee and Jack Louis recently went public claiming to have discovered a new and devastating denial...

W3C Working Draft for Access Control for Cross-Site Requests Published

"This document defines a mechanism to enable client-side cross-site requests. Specifications that want to enable cross-site requests in an API they define can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this...

ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery

"ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn't work for non post-backs (I.e. GET requests), and it doesn't work if the ViewState MAC is turned off. In several different places, we see a piece of advice repeated - use the ViewStateUserKey property to prevent One-Click Attacks. Often,...

WASC Announcement: 2007 Web Application Security Statistics Published

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are...

Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud

Intro The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most...

DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer

"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers...

Fallout From the Fall of CAPTCHAs

"CAPTCHA went from relatively obscure security measure perfected in 2000 by researchers at Carnegie Mellon University to deployment by most of the major Web e-mail sites and many other Web sites by 2007. Sites such as Yahoo Mail, Google's Gmail and Microsoft's Hotmail all used -- and, for that matter, continue to...

Widescale DNS flaw discovered

A pretty nasty DNS vulnerability has been discovered in 81 products by Dan Kaminsky. This vulnerability type seems to be the same described by Amit Klein and involves abusing the PRNG involved in transactions on DNS queries. Long story short if you run a vulnerable caching DNS server you can have your...

Microsoft outlines extensive IE8 security improvements

Microsoft has posted a very extensive article outling the security improvements to IE8. Improvements have been made to the following area's. - Cross-Site-Scripting Defenses - Safer Mashups (HTML and JSON Sanitization) - MIME-Handling Changes (Restrict Upsniff and Sniffing Opt-Out) - Add-on Security - Protected Mode - Application Protocol Prompt - File Upload...