  • My experience coleading purple team

    I've been fortunate enough to manage a red team program for several years and since its inception it has gone through many changes. What started out as ad hoc engagements trying to see how far we could get/what problems we could find, turned into a mechanism to work more closely, and regularly, with operations/IT teams. More…

  • Presentation: Problems you’ll face when building a software security program

    A video for a talk I gave at LASCON last year made it online that some folks may find interesting. I rarely give public talks, but felt this information would have been useful to learn earlier in my career. Basically it goes through problems I've had to deal with building out appsec programs at companies…

  • Google’s intentions are good, but implementation leaves MORE users vulnerable to hacking than before

    In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which from the project…

  • Poll: How do you rank the importance of a vulnerability?

    I've added a new poll to the WASC LinkedIn group that a few of you may be interested in. Specifically asking how people rank the importance of vulnerabilities. Poll Link: http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840

  • Updating the WASC Threat Classification

    I've been pretty busy the past few months which has resulted in zero site updates. The good news is I've kicked off the next phase of the WASC Threat Classification and our first update is the completion of the TC's missing crypto section.

  • Paper: Web Application finger printing Methods/Techniques and Prevention

    Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wapplyzer. "This Paper discusses about a relatively nascent field of Web Application finger printing, how automated web application fingerprinting is performed in the current scenarios, what are the visible shortcomings in the…

  • WASC Announcement: ‘Static Analysis Tool Evaluation Criteria’ Call For Participants

    I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)".  Currently WASC is seeking volunteers from various sections of the community including security researchers, academics, vendors, software developers…

  • Results of internet SSL usage published by SSL Labs

    Ivan Ristic (of ModSecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse SSL in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security. Details can be…

  • Another use of Clickjacking, Cookiejacking!

    Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below. The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx

  • NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad

    NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++. From the README "This archive contains test cases intended for use by organizations and individuals that wish to…

  • Easy Method For Detecting Caching Proxies

    While thinking about some of the transparent proxy problems I came up with a fairly reliable way to detect caching proxies. Caching proxies can be either explicit or transparent, but are typically used in a transparent mode by an ISP to cut down on upstream bandwidth. A side effect (and benefit 🙂) of caching is…

  • Phrack #67 is out for 25th anniversary!

    To celebrate 25 years the Phrack team has published issue #67. Contents: Introduction (The Phrack Staff); Phrack Prophile on Punk (The Phrack Staff); Phrack World News (EL ZILCHO); Loopback (is back) (The Phrack Staff); How to make it in Prison (TAp); Kernel instrumentation using kprobes (ElfMaster); ProFTPD with mod_sql pre-authentication, remote root (FelineMenace); The House Of…

  • Interesting IE leak via window.onerror

    Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog "The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then…

  • CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years

    To commemorate this site turning 10 I've created a list of my top 10 thought-provoking/innovative posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001): In 2001 someone informed me of this new threat involving the injection of HTML/JavaScript into a site's response (XSS). At…

  • WASC Web Hacking Incident Database Semi-Annual Report for 2010

    Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning. "Greetings everyone, I wanted to let you all know that we have released the new WHID report for 2010 – http://projects.webappsec.org/Web-Hacking-Incident-Database-2010-Semi-Annual-Report A…

  • A reminder that CSRF affects more than websites

    Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd: <img src="ftp://…..////SITE%20CHMOD%20777%20FILENAME";> The NetBSD team addressed this issue by failing on large commands. The interesting thing…

  • Paper: Feasibility and Real-World Implications of Web Browser History Detection

    Artur Janc and Lukasz Olejnik have published a whitepaper outlining CSS history techniques along with results of what they found from real world users. From the whitepaper "Browser history detection through the Cascading Style Sheets visited pseudoclass has long been known to the academic security community and browser vendors, but has been largely dismissed as…

  • Mozilla releases browser checker to see if you’re running vulnerable plugins

    Mozilla has released a tool that identifies which browser plugins you have installed, identifies whether they are vulnerable, and provides you with links to get the updates. Very handy! Browser Plugin Check: https://www.mozilla.com/en-US/plugincheck/

  • Release of Strict Transport Security http module for ASP.NET.

    Sacha Faust has published an IIS HTTP module for the Strict Transport Security protocol. From his blog "I’ve been tackling the problem of users connecting to online services from untrusted networks. At work we typically call this the “Starbucks” scenario where a user is connecting to a random wifi and accessing corporate data through online…

  • DAVTest: Quickly Test & Exploit WebDAV Servers

    Chris Sullo sent us the following news entry "DAVTest attempts to aid a penetration tester when facing WebDAV enabled services by quickly testing file type upload capability and features, as well as checking for code execution. It supports MOVE and MKCOL, authentication, and uploading of included shell files." Download: http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html

  • Be careful of “scheme relative urls” when performing 3xx redirects

    Former coworker Sacha Faust has published an entry on how the lack of handling of scheme-relative URLs when implementing URL redirection can lead to open redirectors. Article: http://blogs.msdn.com/sfaust/archive/2010/03/30/saferedirect.aspx

  • Random Firefox URL handling Behavior

    About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter any of the following into the Firefox URL bar it will follow them to http://www.cnn.com: [http://www.cnn.com] or [http://]www.cnn.com or [http://www].cnn.com, etc. You can also substitute [] for {} or " and it will also work…

  • XSS, SQL Injection and Fuzzing Barcode Cheat Sheet

    Someone has published an amusing cheat sheet that will allow you to fuzz barcode scanning systems for common input validation issues such as XSS and SQL Injection. They even provide an online barcode generator which allows you to create your own payloads. Not much else to say really 🙂 Link: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php

  • Post on Abusing Windows Communication Foundation to Perform Remote Port Scans

    Brian Holyfield has published an entry on using Windows WCF to perform backend port scanning. This is possible due to the callback functionality WCF provides. From his article "Last weekend at Shmoocon, I demonstrated how an attacker can trick certain WCF web services into performing an unauthorized port scan of machines behind a firewall. For those…