  • Improving ASP.NET Security with Visual Studio 2010 Code Analysis

    Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article "Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly as possible, and…

  • CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years

    To commemorate this site turning 10 I've created a list of my top 10 thought-provoking/innovative posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response (XSS). At…

  • New Site Addressing Python Security

    For you Python developers out there, Craig Younkins sent the following to The Web Security Mailing List (which I moderate) this morning. "I'd like to invite you to a new community – http://www.pythonsecurity.org/ – which is now the central hub for security in Python. We're writing articles on security topics and how they pertain to Python, analyzing…

  • A reminder that CSRF affects more than websites

    Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd. <img src="ftp://…..////SITE%20CHMOD%20777%20FILENAME";> The NetBSD team addressed this issue by failing on large commands. The interesting thing…

  • Announcement: WASC Threat Classification v2 is Out!

    I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is pleased to announce…

  • Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC

    Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft® .NET Framework. ASP.NET MVC is a new framework based on…

  • Announcing the Web Application Security Scanner Evaluation Criteria v1

    “The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC).  The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations.  The document provides a comprehensive list of features that…

  • Hacking Short CSRF Tokens using CSS History Hack

    Securethoughts has posted an entry on combining CSS history theft hacking to brute force short CSRF tokens and has created a POC demonstrating it. While not fast this is certainly achievable (assuming the token is still valid/hasn't expired once identified) on short CSRF token values, and has the advantage in that it doesn't perform site…

  • Amazon CSRF “hack” in detail?

    UPDATE: According to an updated Wired news story this is a sham and no hacker was involved. RSnake recently posted an entry linking to the write-up on how a Cross-Site Request Forgery flaw in Amazon was used to get Gay and Lesbian books banned from Amazon's site via their reputation system. From the person…

  • New Gmail Flaw Lets Attacker Control ‘Change Password’ Function

    "A researcher today released a proof-of-concept for a vulnerability he discovered in Google Gmail that lets an attacker change a Gmail user's password, wage a denial-of-service attack on the account, or even access other Gmail users' email. The cross-site request forgery (CSRF) flaw — which researcher Vicente Aguilera Diaz from Madrid-based Internet Security Auditors first…

  • Protect Your Site With URL Rewriting

    Bryan Sullivan over at Microsoft has published a lengthy article on the advantages of URL rewriting to prevent certain types of attacks. "Tim Berners-Lee once famously wrote that "cool URIs don't change." His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in such a way that…

  • The security industry needs to re-align its training expectations for QA

    I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles and conferences discussing the need…

  • Web Application Scanners Comparison

    anantasec posted a scanner comparison to the web security mailing list today. "In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners. This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation. The applications (web scanners) included in this evaluation are:–…

  • Researchers from Princeton University Publish vulnerabilities in unpatched sites

    Yesterday a couple of ‘researchers’ published that a couple of major sites were vulnerable to CSRF. A general rule of thumb is that unless you are explicitly protecting against CSRF, or are accidentally protected, then you’re vulnerable. CSRF in 2008 is what XSS was in 2002, somewhat understood and rarely protected against properly. Generally I…

  • Checking for ViewStateUserKey using FxCop

    An anonymous user writes "ASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. You can now make sure that the property is being used using FxCop." Link: https://blogs.msdn.com/sfaust/archive/2008/09/25/checking-for-viewstateuserkey-using-fxcop.aspx

  • ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery

    "ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn’t work for non post-backs (i.e. GET requests), and it doesn’t work if the ViewState MAC is turned off. In several different places, we see a piece of advice repeated – use the ViewStateUserKey property to prevent One-Click Attacks. Often, this piece of…

  • WASC Announcement: 2007 Web Application Security Statistics Published

    The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent…

  • Article: SDL Embraces The Web

    Bryan Sullivan from Microsoft has posted an article on SDL use to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read through this SDL guidance…

  • Cross-site hacks and the art of self defence

    Generally, browsers stop cross-site communication by following the "same-origin policy". This rule is pretty simple: if your site has a different origin – protocol, domain, and port don’t all match – you aren’t allowed to access information from or send requests to the other site. Without this simple rule, there would be no security on…

  • Tools: Grendel Scanner a new Web Application Security Scanner

    While attending Defcon I got to check out a talk on a new web application security scanner called Grendel scanner. For those of you who don’t know, I used to work at SPI Dynamics on the WebInspect product (now part of HP) and I've got to say it is one of the more impressive looking…

  • Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud

    Intro The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most view affiliate programs…

  • Rich data: the dark side to Web 2.0 applications

    "All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users to create new and innovative content and services. Unfortunately, richness affords attackers an unprecedented opportunity to…

  • Jason Taylor on Security Testing

    Microsoft has a decent article on security testing for CSRF worth checking out. "Tester Question: What is a cross-site request forgery attack? How do I test our website to see if it is vulnerable to this attack?" Article Link: http://msdn.microsoft.com/en-us/testing/cc664492.aspx

  • Orkut Worm v2.0

    "The Scrapkut worm uses active code injection to spread between victims and their friends on Orkut. The malicious code appears on a victim’s scrapbook, containing a link to a supposed YouTube video. People who click on the link are redirected to an external site hosting malware that's disguised as a Flash upgrade. Users duped into…

  • Performing Distributed Brute Forcing of CSRF vulnerable login pages

    Update: Apparently this is described in a paper by SensePost that I wasn’t aware of. Check out their paper at http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf. We know that CSRF is bad, and that if your application is performing an important action to utilize a random token associated with the user's session. I started thinking a bit about CSRF and…