  • WASC Threat Classification 2.0 Sneak Peek

    Here is a sneak peek at the WASC Threat Classification v2.0. We’ve been working on this for more than a year and it’s been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement “The Threat Classification v2.0 outlines the attacks…

  • New Attack on AES

    A new attack has been discovered against AES. "Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher complexity. The second attack…

  • Three Web Application Firewall Advisories, Whitepaper Published

    Michael Kirchner and Wolfgang Neudorfer have published 3 advisories in various Web Application Firewall products.
    Artofdefence Hyperguard Web Application Firewall (Remote Denial of Service): http://www.h4ck1nb3rg.at/wafs/advisory_artofdefence_hyperguard_200907.txt
    phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution): http://www.h4ck1nb3rg.at/wafs/advisory_phion_airlock_200907.txt
    radware AppWall Web Application Firewall (Source code disclosure on management interface): http://www.h4ck1nb3rg.at/wafs/advisory_radware_appwall_200907.txt
    They have also…

  • Masked passwords must go?

    "Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in. They say the practice…

  • Generic Remote File Inclusion Attack Detection

    "A big challenge for identifying web application attacks is to detect malicious activity that cannot easily be spotted using signatures. Remote file inclusion (RFI) is a popular technique used to attack web applications (especially php applications) from a remote server. RFI attacks are extremely dangerous as they allow a client to force an…
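    The generic, signature-free angle the excerpt refers to can be shown with a small detector. The following is an added example and not the code from the quoted post: the sample requests are constructed, and the indicators it uses (a parameter value that is an absolute URL, that URL pointing at a host other than the one being served or at a raw IP, a trailing "?" so the remote script swallows whatever the include appends, and PHP stream wrappers) are common RFI heuristics chosen for this illustration, not a description of the original post's rules.

```python
"""Signature-free remote file inclusion (RFI) detection over web requests.

Added example for the RFI item above; not code from the quoted post.
The traffic below is constructed and the heuristics are generic RFI
indicators chosen for this illustration.
"""
import ipaddress
from urllib.parse import parse_qsl, urlparse

# Constructed sample traffic: (method, request target, Host header).
SAMPLE_REQUESTS = [
    ("GET", "/index.php?page=about", "www.example.com"),
    ("GET", "/index.php?page=http://203.0.113.5/shell.txt?", "www.example.com"),
    ("GET", "/view.php?template=https://www.example.com/tpl/main.php", "www.example.com"),
    ("GET", "/view.php?template=ftp://evil.example.net/x.php", "www.example.com"),
    ("GET", "/index.php?page=php://input", "www.example.com"),
    ("GET", "/search.php?q=visit+http://www.example.org+for+details", "www.example.com"),
]

# Stream wrappers that turn an include() into code execution or input echo.
PHP_WRAPPERS = ("php://", "data:", "expect://", "phar://")
REMOTE_SCHEMES = {"http", "https", "ftp"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def indicators_for(value, own_host):
    """Return the RFI indicators present in one parameter value."""
    hits = []
    v = value.strip()
    if v.lower().startswith(PHP_WRAPPERS):
        return ["php-wrapper"]
    parsed = urlparse(v)
    # Only a value that is itself an absolute URL counts; a URL buried in
    # free text (see the search query above) has no scheme when parsed.
    if parsed.scheme.lower() in REMOTE_SCHEMES and parsed.hostname:
        hits.append("absolute-url")
        if parsed.hostname != own_host.lower():
            hits.append("off-host")          # points away from the served site
        if _is_ip_literal(parsed.hostname):
            hits.append("ip-literal")        # attacker boxes are often bare IPs
        if v.endswith("?"):
            hits.append("trailing-qmark")    # neutralises what include() appends
    return hits


def is_rfi(hits):
    """Decision rule: wrappers always; remote URLs only when they leave the site."""
    return "php-wrapper" in hits or ("absolute-url" in hits and "off-host" in hits)


def detect_rfi(requests):
    """Scan (method, target, host) tuples; one finding per suspicious parameter."""
    findings = []
    for _method, target, host in requests:
        _path, _, query = target.partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            hits = indicators_for(value, host)
            if is_rfi(hits):
                findings.append({"target": target, "param": name, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in detect_rfi(SAMPLE_REQUESTS):
        print(f"RFI? {f['target']}  param={f['param']}  {' '.join(f['indicators'])}")
```

    The same-host template URL is deliberately not flagged: it is unusual, but the rule that separates RFI from ordinary URL-carrying parameters is the host comparison, which is what lets the check work without a payload signature.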

  • Browser Security: Lessons from Google Chrome

    An article on security in Google's Chrome browser has been published. "The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a security challenge: malicious Web-site…

  • Phrack 66 is out!

    Introduction (TCLH)
    Phrack Prophile on The PaX Team (TCLH)
    Phrack World News (TCLH)
    Abusing the Objective C runtime (nemo)
    Backdooring Juniper Firewalls (Graeme)
    Exploiting DLmalloc frees in 2009 (huku)
    Persistent BIOS infection (aLS and Alfredo)
    Exploiting UMA : FreeBSD kernel heap exploits (argp and karl)
    Exploiting TCP Persist Timer Infiniteness (ithilgore)
    Malloc Des-Maleficarum (blackngel)
    A…

  • SHA-1 collisions achievable

    "The researchers, from Macquarie University in Sydney, Australia, found a way to break the SHA-1 algorithm in significantly fewer tries than previously required. Although the hash function was previously believed to withstand attempts numbering 2^63, the researchers have been able to whittle that down to 2^52, a number that puts practical attacks well within grasp…

  • New paper by Amit Klein (Trusteer) – Temporary user tracking in major browsers and Cross-domain information leakage and attacks

    Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and cross domain attacks are…

  • Insecure Magazine 21 (June) Released

    Insecure magazine 21 has been released and covers the following.
    Malicious PDF: Get owned without opening
    Review: IronKey Personal
    Windows 7 security features: Building on Vista
    Using Wireshark to capture and analyze wireless traffic
    "Unclonable" RFID – a technical overview
    Secure development principles
    Q&A: Ron Gula on Nessus and Tenable Network Security
    Establish your social…

  • Compromising web content served over SSL via malicious proxies

    Microsoft Research has published an excellent paper describing many browser flaws. The primary use case involves an attacker hijacking the proxy the user has explicitly configured; through trickery with the HTTP responses the proxy returns, the attacker can access content on an established HTTPS connection. It also outlines browser flaws involving caching of SSL certs in combination with…

  • OpenSSH Protocol Pwned

    "The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux, allows 32 bits of encrypted text to be rendered in plaintext, according to a research team from the Royal Holloway Information Security Group (ISG). An attacker has a 2^{-18} (that is, one in 262,144) chance of success. ISG lead professor Kenny Paterson told…

  • Gap Analysis of Application Security in Struts2/WebWork

    "The purpose of this paper is to discover what features and capabilities, if any, the Struts2/WebWork (hereafter referred to simply as Struts2) development team could add to increase the security of applications built with Struts2. The version analyzed was version 2.1.6, which was the latest version available when the project was started. The purpose of this research is…

  • Web 2.0 Application Proxy, Profiling and Fuzzing tool

    "This tool helps in assessing next generation application running on Web/enterprise 2.0 platform. It profiles HTTP requests and responses at runtime by configuring it as proxy. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookie, login forms, hidden values etc. Based on profile one can take decision to trap…

  • Metasploit Decloaking Engine Gets User’s Real IP

    "This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed." Essentially this uses flash and/or applets…

  • FBI CIPAV Spyware Snaring Extortionists and Hackers for Years

    "A sophisticated FBI-produced spyware program has played a crucial behind-the-scenes role in federal investigations into extortion plots, terrorist threats and hacker attacks in cases stretching back at least seven years, newly declassified documents show. First reported by Wired.com, the software, called a "computer and internet protocol address verifier," or CIPAV, is designed to infiltrate a…

  • Improving Security with URL Rewriting

    "Most web application security experts frown on the practice of passing session or authentication tokens in a URL through the use of URL rewriting. Usually these tokens are passed between the server and the browser through HTTP cookies, but in cases where users configure their browsers to not accept cookies, this is impossible. Some web…

  • Blackhat 2006 RSS Security Talk Video Available

    In 2006 I gave a talk on hacking RSS feeds, and feed readers. I stumbled upon the video for blackhat 2006 by accident the other day and thought it was worth posting.
    Video: http://media.blackhat.com/bh-usa-06/video/2006_BlackHat_Vegas-V36-Auger_and_Sima-0day_subscriptions.mp4
    Slides: http://www.cgisecurity.com/papers/RSS-Security.ppt
    Paper: http://www.cgisecurity.com/papers/HackingFeeds.pdf

  • Tool: XSS Rays

    "I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make…

  • Watcher: a free web-app security testing and compliance auditing tool

    "Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues. Here are some of the issues Watcher has checks for now: Cross-domain stylesheet and…

  • Revisiting Browser v. Middleware Attacks In The Era Of Deep Packet Inspection

    Dan Kaminsky has just published his latest paper on middleware attacks that I recommend checking out. "For CanSecWest this year, I thought it’d be interesting to take a look at the realm of Deep Packet Inspectors. It turns out we were doing a lot of this around 2000 through 2002, and then…well, sort of stopped. …

  • Google Blackhat SEO Hack

    "Today’s aggressive and spooky abuse of trusted giants reveals just how sophisticated and manipulative these guys have become. By following Google Trends, and with some sharp SEO skills to take advantage of Google’s famed real-time indexing, scammers are directly targeting Google’s search results, trusted by as many as 70 percent of Internet searchers. McAfee researcher…

  • Fuzzing for Fun and Profit

    "Many different resources define fuzzing many different ways. I believe this definition is more suitable than most: "Fuzzing is targeting input and delivering data that is handled by a target with the intent of identifying bugs." Fuzzing can occur theoretically wherever input is possible. There are two kinds of fuzzing: "dumb" and "smart". Dumb…
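    The "dumb" half of that taxonomy is easy to make concrete. Below is an added example, not code from the quoted article: a structure-unaware mutation fuzzer run against a toy TLV parser constructed here with a deliberate bug (it trusts the declared length and indexes past the buffer, the Python analogue of an out-of-bounds read). The parser, its bug and the seed input are all assumptions made for the illustration.

```python
"""Minimal "dumb" mutation fuzzer against a toy TLV parser.

Added example for the fuzzing item above; not code from the quoted article.
The parser, its bug and the seed are constructed for this illustration.
"""
import random


def parse_tlv(data: bytes):
    """Parse tag / length / value / checksum records.

    Deliberately buggy: it trusts the declared length, so a truncated or
    length-inflated record makes it index past the end of the buffer
    (IndexError).  A wrong checksum is rejected cleanly with ValueError,
    which is the parser's intended behaviour, not a bug.
    """
    records = []
    off = 0
    while off < len(data):
        tag = data[off]
        length = data[off + 1]
        value = data[off + 2:off + 2 + length]
        checksum = data[off + 2 + length]      # no bounds check on `length`
        if sum(value) & 0xFF != checksum:
            raise ValueError("checksum mismatch")
        records.append((tag, value))
        off += 3 + length
    return records


def encode_tlv(records):
    """Build a well-formed buffer to use as the fuzzing seed."""
    out = bytearray()
    for tag, value in records:
        out += bytes([tag, len(value)]) + value + bytes([sum(value) & 0xFF])
    return bytes(out)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation that knows nothing about the input's structure."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                              # flip a bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                            # overwrite a byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and buf:                            # truncate
        del buf[rng.randrange(len(buf)):]
    elif op == 3:                                    # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                                        # duplicate a chunk
        i = rng.randrange(len(buf))
        j = rng.randrange(i, len(buf) + 1)
        buf[j:j] = buf[i:j]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations=2000, rng_seed=1):
    """Mutate the seed repeatedly; return (crashes, clean_rejections).

    A ValueError is the parser saying "bad input" on purpose; any other
    exception means the parser lost control of its own state.
    """
    rng = random.Random(rng_seed)
    crashes, rejected = [], 0
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except ValueError:
            rejected += 1
        except Exception as exc:                     # noqa: BLE001 - that's the point
            crashes.append((candidate, repr(exc)))
    return crashes, rejected


SEED = encode_tlv([(1, b"hello"), (2, b"\x00\x01\x02"), (3, b"")])

if __name__ == "__main__":
    crashes, rejected = fuzz(parse_tlv, SEED)
    print(f"{len(crashes)} crashes, {rejected} clean rejections")
    if crashes:
        print("first crashing input:", crashes[0][0].hex(), crashes[0][1])
```

    Telling a crash from a clean rejection is the part people skip: a fuzzer that counts the ValueError as a finding drowns the real bug in noise. A "smart" fuzzer for the same target would parse the seed into records and recompute the checksum after each mutation, so its inputs get past the validation and exercise whatever lies behind it.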

  • CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies

    For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the cert advisory). QBIK New Zealand, SmoothWall, Squid, Ziproxy…

  • The Multi-Principal OS Construction of the Gazelle Web Browser

    I was reading slashdot and saw that Microsoft has released a paper outlining a new secure browser architecture. From the abstract "Web browsers originated as applications that people used to view static web sites sequentially. As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating environments with resources…