-
Second life URI Handler vulnerability
PDP has a good example of when the non-web world can be exploited by web-world functionality. In his writeup he describes how Second Life's URI handler can be used to steal the encrypted password hash, which can then be replayed and used to log in to a user's account. "Keep in mind that most attacker…
-
Oracle Forensics Papers Released
David Litchfield has published multiple papers on Oracle Database Forensics. From his site "Since the state of California passed the Database Security Breach Notification Act (SB 1386) in 2003 another 34 states have passed similar legislation with more set to follow. In January 2007 TJX announced they had suffered a database security breach with 45.6…
-
Raising the bar: dynamic JavaScript obfuscation
"Couple of days ago one of our readers, Daniel Kluge, pointed us to a web page with some heavily obfuscated JavaScript code. The operation was typical and consisted of a compromised site that had an obfuscated iframe which pointed to the final web site serving various exploits. The obfuscation of the iframe was relatively simple…
-
Joanna Rutkowska Pwns challengers at Black Hat
"In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at the hypervisor level…
-
Dangerous Java flaw threatens virtually everything
"Google's Security team has discovered vulnerabilities in the Sun Java Runtime Environment that threaten the security of all platforms, browsers and even mobile devices. "This is as bad as it gets," said Chris Gatford, a security expert from penetration testing firm Pure Hacking. "It’s a pretty significant weakness, which will have a considerable impact if…
-
Security on AIR: Local file access through JavaScript
Fukami has published a post to The Web Security Mailing List outlining some risks with Adobe's AIR platform. I can tell you first hand that these sorts of applications are going to start popping up on many large sites in the next year… "In general every file on the local file system can be accessed by…
-
Bug hunters face online-apps dilemma
"Web applications pose a dilemma for bug hunters: how to test the security without going to jail? If hackers probe traditional software such as Windows or Word, they can do so on their own PCs. That isn’t true for Web applications, which run on servers operated by others. Testing the security there is likely illegal…
-
WASC Announcement: Distributed Open Proxy Honeypot Project Data Released
The Web Application Security Consortium (WASC) is pleased to announce the initial release of data collected by the Distributed Open Proxy Honeypot Project. This first release of information is for data gathered from January–April 2007. During this timeframe, we had 7 internationally placed honeypot sensors deployed and sending their data back to our…
-
A black market for search terms and user interests?
<thinking-out-loud>Google has recently added search history and this got me thinking about how this information could be useful. Currently Gmail is linked to all of Google, and if you search for something while logged into Google with search history turned on, it gets recorded. Now you have data on what the user is searching…
-
Ad networks tracking users without cookies
I read Jeremiah’s post about tracking users without cookies and had a conversation with him about it and how ad services companies could track users when cookies are not available. While the Basic auth method works, it will only work with Firefox since IE has disabled this ability after years of being abused by phishers/fraudsters…
-
JavaScript bug hunting tool demonstrated, and ethical release of POC code
"The tool, called Jikto, can make an unsuspecting Web user’s PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said. But, in a change of plans, Hoffman did not publicly release Jikto. "The higher-ups first say we can, and then they change their mind," he said after…
-
Read RSS and get hacked
Computerworld referenced some research that I had done on RSS Security in an article discussing how RSS and other web-based feeds can be used as deployment vectors for malware. For those of you reading this entry coming from an RSS feed, no worries, I haven’t owned you as it wouldn’t be in my interest…
-
Captcha Recognition via Averaging
"This article describes how certain types of captchas (such as the ones used by a German online-banking site) can be automatically recognized using software. The attack does not recognize one particular captcha itself but exploits a design error allowing one to average multiple captchas containing the same information." Article Link: http://www.cip.physik.uni-muenchen.de/~wwieser/misc/captcha/
-
Exploiting JSON Framework: 7 Attack Shots
Aditya K Sood writes "This article defines the layout of the exploiting factors of web attacks, i.e. where the JSON framework is compromised. The article is consistent in explaining the pros of the web attack related to JSON." Article Link: http://www.zeroknock.metaeye.org/mlabs/expjson.html
-
Crawling Ajax-driven Web 2.0 Applications
Who cares? writes "Crawling web applications is one of the key phases of automated web application scanning. The objective of crawling is to collect all possible resources from the server in order to automate vulnerability detection on each of these resources. A resource that is overlooked during this discovery phase can mean a…
-
Backdooring UIMLs and Existing JavaScript Applications
One of the more interesting aspects of so-called ‘Rich Internet Applications’ involves User Interface Markup Languages such as XUL (by Mozilla, been around a while) and XAML/XBAP (.NET 3.0, the new kid on the block). Essentially these languages allow you to ‘paint’ buttons, menu bars, grids, forms, message boxes, and other GUI components associated with HTML…
-
WASC-Announcement: Capturing and Exploiting Hidden Mail Servers
The Web Application Security Consortium is proud to present 'MX Injection: Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera Diaz of Internet Security Auditors. In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server. Article Link: http://www.webappsec.org/projects/articles/121106.shtml
-
Browser Port Scanning without JavaScript
Jeremiah 'Lord Nikon' Grossman writes "Since my Intranet Hacking Black Hat (Vegas 2006) presentation, I've spent a lot of time researching HTML-only browser malware since many experts now disable JavaScript. Imagine that! Using some timing tricks, I've discovered a way to perform Intranet Port Scanning with a web browser using only HTML. It's really…
-
Vulnerability Scanning Web 2.0 Client-Side Components
Shreeraj Shah has written an article outlining some of the 'Web 2.0' risks. He covers RSS Security, JSON, Ajax Security, Cross Site Request Forgery and other related issues. Article Link: http://www.securityfocus.com/infocus/1881
-
Finally someone speaking about RIA (Rich Internet Applications)
I was happy to see a post at GNUCITIZEN chatting about RIA and how we should start reading up on this new exciting technology. This is something I'm planning on sticking in my 2007 risk predictions. XUL and WPF/XAML are some exciting new web technologies I strongly advise you start reading about. Article Link:…
-
ModSecurity as an IPS
One of our readers 'J. Oquendo' "got bored" and wrote an article titled 'Securing LAMP and using ModSecurity as an IPS'. "Many times administrators often forget to do security checks from the ground up. They often will rely on simple methods of testing a machine. An NMAP scan here, a Metasploit scan there… Let's build…
-
Detecting Web Application Security Vulnerabilities
An anonymous poster contributes "Web application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to IBM labs, there…
-
Flash + JS + crossdomain.xml = phun
I was browsing Jeremiah Grossman's Blog and found an interesting post talking about a file named crossdomain.xml and extended uses of it in regards to cross site scripting. In a nutshell there's this file called crossdomain.xml used by Flash to say 'I am http://www.domainb.com and I will allow users of http://www.domaina.com to make requests to…
-
More fun with CSS history
There's been a big fuss that with CSS you can identify if someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising. You run http://www.sitea.com, and http://www.siteb.com and http://www.sitec.com are competitors of yours. Now you know these companies…
-
Stealing User Information Via Auto Form Filling
Rsnake has an interesting blog entry (yes it's a few days old, I don't read it daily, so whatever) regarding utilizing XSS to steal auto form fill values. "Some (not all) automated input automation tools do so blindly. That is, they don't ask for user input when they input data. In fact they don't really…