-
2010 SANS Top 25 Most Dangerous Programming Errors Released
I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top x lists in…
-
Weaning the Web off of Session Cookies Making Digest Authentication Viable
Timothy D. Morgan has published an excellent paper describing How UI limitations hinder adoption of HTTP based authentication How UI behaviors are/can be abused pertaining to HTTP auth Observations on Cookie limitations Proposals for browser vendors to allow for more widescale adoption of HTTP based auth such as digest From the paper "In this paper,…
-
WASC Threat Classification to OWASP Top Ten RC1 Mapping
Jeremiah Grossman and Bil Corry have created a nice visual mapping between the OWASP Top Ten and the WASC Threat Classification v2. More Information: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html
-
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is pleased to announce…
-
Adobe on Fuzzing Adobe Reader For Security Defects
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. Its good to see a company such as Adobe publishing this information as its one of those things that is discussed frequently by the security community, however is rarely discussed…
-
Experimenting With WASC Threat Classification Views: Vulnerability Root Cause Mapping
I currently lead the WASC Threat Classification Project and we're expecting to publish our latest version next month. One of the biggest changes between the TCv2 and TCv1 is that we're doing away with single ways to represent the data. In the TCv1 we had a single tree structure to convey appsec concepts. After months…
-
Clientless SSL VPN products break web browser domain-based security models
A new CERT advisory has been published outlining a weakness in the way web based SSL clients operate, resulting in a Same Origin Policy breakage. Here's the meaty details. "As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link to http://<www.intranet.example.com>/mail.html becomes…
-
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increasesthe exploitability of existing memory corruption errors in type-unsafeapplications. With heap spraying, attackers leverage their ability toallocate arbitrary objects…
-
Heading out to AppsecDC
I'll be heading out to AppSecDC to present Transparent Proxy Abuse on Thursday, so if you're attending and want to chat about appsec I'll be available after my talk. Here's a teaser of my presentation I'll be presenting a video demonstrating this abuse case against Squid and Mac OS X Parental Control software prior to…
-
TLS negotiation flaw published
Steve Dispensa and Marsh Ray have published a paper describing a weakness in the TLS negotiation process. This is the same attack discussed on the IETF TLS list. From the whitepaper "Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related…
-
Amazon EC2 cloud computing for password/crypto cracking
There is a rather lengthy set of posts on using cloud based computing services as ideal venues for crypto and password cracking. Link: http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html Link: http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
-
Microsoft’s Enhanced Mitigation Evaluation Toolkit adds protection to processes
Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more information: http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx. With…
-
Attacking Magstripe Gift Cards
Corsaire has published a rather lengthy paper on attacking gift card systems. While this is a little off topic it's a good read. "This paper is based on research conducted on a large number of UK gift cards. It has been created to complement the presentation “Stored Value Gift Cards: Magstripes Revisited”, which was delivered…
-
WASC TC v2 – Improper Input Handling Section Completed
I lead the WASC Threat Classification v2 project and we've just completed a section that I felt deserved its own post. Prasad Shenoy along with the WASC TC peer review team authored a really great section on Improper Input Handling meant to describe each aspect of input handling with a medium level of detail. We've…
-
Announcing the Web Application Security Scanner Evaluation Criteria v1
“The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list of features that…
-
Strict Transport Security (STS) draft specification is public
Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a new proposed protocol for allowing a website to instruct returning visitors to never visit the site on http, and to only visit the site over https and is entirely opt in. This can prevent MITM situations where an…
-
Cross-protocol XSS with non-standard service ports
i8jesus has posted an entry on smuggling other protocol commands (such as ftp) in HTML forms, as well as edge case situations where running a tcp service (in this case ftp on a non standard port) can result in more XSS abuse cases. While not likely still worth a read. "Most people have thought about…
-
Article: Bypassing DBMS_ASSERT in certain situations
David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible. From the whitepaper "The DBMS_ASSERT builtin package can be used by PL/SQL developers to protectagainst SQL injection attacks[1]. In [2] Alex Kornbrust showed that there are…
-
WASC Distributed Open Proxy Honeypot Update – XSS in User-Agent Field
"In case you missed it, the WASC Distributed Open Proxy Honeypot Project launched Phase III at the end of July. We have a few sensors online and as we start gathering data, we are starting our analysis. Our goal is to be able to release "events of interest" to the community to try and raise…
-
WASC Threat Classification v2 updates
We're nearing the completion of the WASC Threat Classification v2 (2 sections left!) and have added the following new sections since my last couple of posts. Null Byte Injection Integer Overflows We've also heavily updated the following sections Buffer Overflows (in depth discussion of heap vs stack vs integer overflows) SQL Injection (added SQL Injection…
-
Next Phase of WASC’s Distributed Open Proxy Honeypot Project Begins
Fellow WASC Officer Ryan Barnett has started the next phase of the Distributed Open Proxy Honeypot Project where people deploy open relay proxies and send the results to a central host for analysis. I met up with Ryan at blackhat where he showed me the central console displaying metrics for each proxy node (shown below).…
-
Hacking Short CSRF Tokens using CSS History Hack
Securethoughts has posted an entry on combining CSS history theft hacking to brute force short CSRF tokens and has created a POC demonstrating it. While not fast this is certainly achievable (assuming the token is still valid/hasn't expired once identified) on short CSRF token values, and has the advantage in that it doesn't perform site…
-
Nmap 5.00 Released
"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this. Considering all the changes, we consider this the…
-
Threat Classification v2 and the need for change
As I recently posted the WASC Threat Classification v2 is currently in a public working state and there's been a buzz on the mailing lists about it compared to other related projects. Vishal Garg posed a question I was expecting for awhile which is why does the TCv2 look so much different than TCv1? I've…
-
Months later, more products identified using exploitable transparent proxy architecture
It's been more than 3 months since I published my paper on abusing transparent proxies with flash, and 4 months since CERT's Advisory (VU#435052). Since that time additional products have been identified as being exploitable. Still Vulnerable Squid http://www.squid-cache.org/ Astaro http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/24916-socket-capable-browser-plugins-result-transparent-proxy-abuse.html QBik Wingate http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-2009-0802 Tiny Proxy? https://packetprotector.org/forum/viewtopic.php?id=4018 Smoothwall, SchoolGuardian, and NetworkGuardian http://www.kb.cert.org/vuls/id/MAPG-7M6SM7 Products with fixes…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack