-
My experience coleading purple team
I've been fortunate enough to manage a red team program for several years and since it's inception it has gone through many changes. What started out as adhoc engagements trying to see how far we could get/what problems we could find, turned into a mechanism to work more closely, and regularly with operations/it teams. More…
-
Extensive IOS hacking guide released by Security Innovation
Security Innovation has published a very extensive guide to IOS hacking that's worth checking out. Here's the table of contents 1. Setting Up iOS Pentest Lab……………… 51.1 Get an iOS Device……………….5 1.2 Jailbreaking an iOS Device……………… 7 1.3 Installing Required Software and Utilities ……………… 102. Acquiring iOS Binaries……………… 133. Generating iOS Binary (.IPA file) from…
-
Google’s intentions are good, but implementation leave MORE users vulnerable to hacking than before
In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which from the project…
-
Malicious CA’s continue to cause headaches
Google published today that yet another CA has been caught generating certs for Google's domains. This problem is likely occuring on a much larger scale and seems to be detected by chance. Some have suggested crawling the internet and starting a DB, and while this may detect some issues it's limited for the following reasons…
-
WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
The Web Application Security Consortium (WASC) is pleased to announce the Static Analysis Technologies Evaluation Criteria. The goal of the SATEC project is to create a vendor-neutral set of criteria to help guide application security professionals during the process of acquiring a static code analysis technology that is intended to be used during source-code driven…
-
Five pieces of advice for those new to the infosec industry
I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc..) and thought I'd share a few points to those of you starting out in the security industry. Things are worse than you expect The reality is that companies, even large ones, are…
-
Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google
UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work. Unfortunately it seems…
-
Updating the WASC Threat Classification
I've been pretty busy the past few months which has resulted in zero site updates. The good news is I've kicked off the next phase of the WASC Threat Classification and our first update is the completion of the TC's missing crypto section.
-
Quick defcon/blackhat preparation list
A couple of people had asked me what are some things that you can do prior to attending hacker cons such as Blackhat and Defcon. Kurt Cobain said it best "Just because you're paranoid, doesn't mean they're not after you'. Here's a short list (albeit not complete as I don't plan to publish all…
-
Summary of Google+ browser security protections
Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+, as well as compares them to facebook. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: https://www.barracudanetworks.com/blogs/labsblog?bid=1743
-
Paper: Web Application finger printing Methods/Techniques and Prevention
Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wapplyzer. "This Paper discusses about a relatively nascent field of Web Applicationfinger printing, how automated web application fingerprinting is performedin the current scenarios, what are the visible shortcomings in the…
-
Oracle website vulnerable to SQL Injection
Someone has published a SQL Injection in labs.oracle.com at http://www.thehackernews.com/2011/07/oracle-website-vulnerable-to-sql.html . That is all.
-
WASC Announcement: ‘Static Analysis Tool Evaluation Criteria’ Call For Participants
I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics, vendors, software developers…
-
Results of internet SSL usage published by SSL Labs
Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security. Details can be…
-
Another use of Clickjacking, Cookiejacking!
Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx
-
NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad
NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals that wish to…
-
How not to publish SCADA security advisories
"Luigi Auriemma" has posted an interesting series of SCADA vulnerabilities to the bugtraq security list this morning. From his email "The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment. In case someone doesn't know SCADA (like…
-
The OWASP AppSec USA 2011 Call for Papers (CFP)
Lorna Alamri writes in the following announcement "The OWASP AppSec USA 2011 Call for Papers (CFP) is now open. Visit thefollowing URL to submit your abstract for the September 22-23, 2011talks in Minneapolis, Minnesota: http://www.appsecusa.org/talks.html We're excited to announce that speakers will be in good company withour first keynote, OWASP founder Mark Curphey, who will…
-
Easy Method For Detecting Caching Proxies
While thinking about some of the transparent proxy problems I came up with a fairly reliable way to detect caching proxies. Caching proxies can be either explicit or transparent, but are typically used in a transparent mode by an ISP to cut down on upstream bandwidth. A side effect (and benefit 🙂 of caching is…
-
Announcing WASC Web Hacking Incident Database (WHID) Mail-list
Ryan Barnett (Leader of the WASC Web Hacking Incidents Database Project) has announced a new mailing list where users can subscribe to hear about the latest hacking incidents. From his email to The Web Security Mailing List "Greetings everyone,I wanted to let everyone know that we have setup a mail-list for those of you who…
-
WASC Party at RSA
The Web Application Security Consortium (in which I am a co founder) is throwing a party at RSA this year in San Francisco. Here's the formal announcement. "Take a Break @ RSA and Meet-up with Your Peers at the WASC Meet UP Join your Web application security peers for lunch at Jillian's@Metreon. Take a…
-
Tracking and understanding security related defects: Useful data points for shaping your SDLC program
In addition to CGISecurity, I also run a website called QASEC.com where I post SDLC related content. I've just published a lightweight article discussing tips and tricks for tracking software level vulnerabilities in larger organizations. Abstract:"If you work in infosec for a large organization it can be difficult to easily track the state of every…
-
Most common password for Gawker users is 123456
Gawker was recently compromised and had its source code and user passwords leaked onto the web. The Wall Street Journal has published a list of the top 50 passwords with the #1 password being '123456'. The full list can be found at http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/
-
New Silicon Valley security conference – BayThreat
A handful of people from silicon valley (myself included) have been discussing the lack of good hacker conference in the bay area (RSA does not count) for some time and decided to meet up during defcon to see what we could do about this. It was concluded that the only logical thing to do, was…
-
Phrack #67 is out for 25th anniversary!
To celebrate 25 years the phrack team has published issue #67. Introduction The Phrack Staff Phrack Prophile on Punk The Phrack Staff Phrack World News EL ZILCHO Loopback (is back) The Phrack Staff How to make it in Prison TAp Kernel instrumentation using kprobes ElfMaster ProFTPD with mod_sql pre-authentication, remote root FelineMenace The House Of…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack