Security at Stake

Fingerprinting Web Servers with Rogue HEAD Requests

HEAD requests are defined in both the HTTP/1.0 and HTTP/1.1 specifications. The message body is not returned for a HEAD request; only the status line and headers come back. That makes HEAD a lightweight request when a penetration tester has to work through different types of web servers. I have dealt with this issue, and after a lot of testing and analysis I have found that different web server versions give specific responses to a crafted HEAD request. We are going to look into it through a practical layout and analyse the results.

Reference statement: Clearly, since HTTP/1.0 clients will not send Host headers, HTTP/1.1 servers cannot simply reject all messages without them. However, the HTTP/1.1 specification requires that an HTTP/1.1 server must reject any HTTP/1.1 message that does not contain a Host header.

You can refer to it at:
Link: Key Differences Between HTTP/1.0 and HTTP/1.1

You can see the various responses:
http://cera.secniche.org/fing_web.html
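The three HEAD variants the post compares (HTTP/1.0 without Host, HTTP/1.1 without Host, HTTP/1.1 with Host), written out as an added PHP example that is not part of the original post: each request is built by hand and sent over a raw socket so the Host header can really be omitted, and the status line and Server header of each reply are tabulated. The host name is an assumption; point it at a server you administer.

```php
<?php
// Added example, not the original post's code. $host is an assumption.
function buildHeadRequest(string $path, string $version, ?string $host): string {
    $req = "HEAD $path HTTP/$version\r\n";
    if ($host !== null) { $req .= "Host: $host\r\n"; } // omitted for the rogue variant
    return $req . "Connection: close\r\n\r\n";
}

function parseHeadResponse(string $raw): array {
    [$head] = explode("\r\n\r\n", $raw, 2);
    $lines  = explode("\r\n", $head);
    $status = explode(' ', array_shift($lines), 3);  // version, code, reason
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) { continue; }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return ['version' => $status[0], 'status' => (int) ($status[1] ?? 0),
            'reason'  => $status[2] ?? '', 'headers' => $headers];
}

function probe(string $host, int $port, string $request, int $timeout = 5): ?array {
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($sock === false) { return null; }
    stream_set_timeout($sock, $timeout);
    fwrite($sock, $request);
    $raw = stream_get_contents($sock);  // HEAD reply: status line and headers only
    fclose($sock);
    return ($raw === false || $raw === '') ? null : parseHeadResponse($raw);
}

$host = 'www.example.org';  // assumption: a server you administer
$variants = [
    'HTTP/1.0, no Host'   => buildHeadRequest('/', '1.0', null),
    'HTTP/1.1, no Host'   => buildHeadRequest('/', '1.1', null),  // RFC 2616: must be 400
    'HTTP/1.1, with Host' => buildHeadRequest('/', '1.1', $host),
];
foreach ($variants as $label => $req) {
    $r = probe($host, 80, $req);
    printf("%-20s => %s %s (Server: %s)\n", $label, $r['status'] ?? '-',
           $r['reason'] ?? 'no response', $r['headers']['server'] ?? 'n/a');
}
```

A server that answers the second variant with anything other than 400 is not following the HTTP/1.1 rule quoted above, and the combination of the three status lines is what differs between server implementations.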

Cheers

Posted on 9/30/2007 05:53:00 PM by 0kn0ck | 0 Comments

Web Collateral Methods: Cookie Protection through Encryption/Decryption.

Cookies are a common foothold for web attacks. Cookies sent in the clear can be captured dynamically by an attacker hijacking a session between two parties. A CSRF attack uses the hijacked cookie to authenticate the attacker to the destination website with the victim's credentials. One step further, XSS injections are used to steal cookies in order to learn more about the session. If a website is vulnerable to XSS, a simple script can extract the cookie in the clear:

<script>alert(document.cookie);</script>

This is a level-one infection and it is highly dangerous. The insecure vector in this type of attack is cookie handling: the cookies are not encrypted, which is a cause of high insecurity. Server-side code in ASP.NET 1.0/2.0 or PHP should use the following technique to harden cookie security. Let's traverse through it.

[ASP.NET 1.0] The encryption code can be designed through:

1] System.Web.HttpCookieEncryption.Encrypt()
2] System.Web.HttpCookieEncryption.Decrypt()

PHP standard encryption/decryption code (mcrypt-based, as shipped with PHP 5; the mcrypt extension was removed in PHP 7.2):

<?php

function encryptCookie($value) {
    if (!$value) { return false; }
    // Rijndael-256 accepts only 16/24/32-byte keys; older mcrypt zero-padded shorter
    // keys silently, PHP 5.6+ returns false instead, so pad explicitly.
    // Load the secret from configuration in production rather than hard-coding it.
    $key  = str_pad('Patched By SecNiche', 32, "\0");
    $text = $value;
    // ECB mode does not use an IV, but mcrypt still requires one to be supplied.
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
    return trim(base64_encode($crypttext)); // encode so the value is cookie-safe
}

function decryptCookie($value) {
    if (!$value) { return false; }
    $key = str_pad('Patched By SecNiche', 32, "\0"); // must match encryptCookie()
    $crypttext = base64_decode($value); // decode cookie
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); // ignored in ECB mode
    $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $crypttext, MCRYPT_MODE_ECB, $iv);
    return trim($decrypttext); // strip the zero-byte padding mcrypt adds
}

?>

So if cookies are encrypted in a robust manner, third-party attacks can be circumvented to a large extent.
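The same encryptCookie()/decryptCookie() pair as an added example (not the original post's code), rebuilt on AES-256-GCM through OpenSSL (PHP 7.1 or later) so that the cookie is authenticated as well as encrypted, with a fresh nonce per cookie instead of ECB; the key constant is a constructed placeholder standing in for a key loaded from configuration.

```php
<?php
// Added example, not the original post's code. COOKIE_KEY_HEX is a constructed
// placeholder: load the real 32-byte key from configuration, never from source.
const COOKIE_KEY_HEX = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f';

function cookieKey(): string {
    return hex2bin(COOKIE_KEY_HEX);   // 32 bytes = AES-256 key
}

function encryptCookie(string $value, string $key): string {
    $iv  = random_bytes(12);          // fresh 96-bit nonce for every cookie issued
    $tag = '';
    $ct  = openssl_encrypt($value, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) { throw new RuntimeException('cookie encryption failed'); }
    // nonce || tag || ciphertext, base64url-encoded so the value needs no cookie quoting
    return rtrim(strtr(base64_encode($iv . $tag . $ct), '+/', '-_'), '=');
}

function decryptCookie(string $cookie, string $key): ?string {
    $b64 = strtr($cookie, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 28) { return null; }   // 12 nonce + 16 tag minimum
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;   // false: tampered, truncated or wrong key
}

// Issue the cookie. HttpOnly keeps document.cookie (the XSS vector above) from
// reading it; Secure and SameSite limit where the browser will send it.
$session = encryptCookie('uid=1042;role=user', cookieKey());
setcookie('session', $session, [
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
]);

// On the next request a value edited in transit fails the tag check and is rejected.
$tampered = substr($session, 0, -4) . 'AAAA';
if (decryptCookie($tampered, cookieKey()) === null) {
    echo "tampered cookie rejected\n";
}
```

Because GCM verifies the tag before returning any plaintext, an edited cookie comes back as null rather than as garbage that the application might still act on. Encryption alone does not stop a stolen blob from being replayed, which is why the setcookie call pairs it with HttpOnly and Secure.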

Posted on 9/30/2007 02:49:00 PM by 0kn0ck | 0 Comments

OpenRCE Undergoes Maintenance.

The OpenRCE server is under maintenance and a backup process is going on. I have talked to Mr. Pedram and the servers will be up in 1-2 days.

More cool stuff is coming!

Cheers.

Posted on 9/30/2007 02:22:00 PM by 0kn0ck | 0 Comments

Windows XP Svchost Internals Paper Featured at OpenRCE

As per the required standards at OpenRCE, I have released the paper in my blog there. You can look into it at OpenRCE Blogging.


http://www.openrce.org/blog/browse/aditya_ks


Regards
Zknk

Posted on 9/21/2007 12:38:00 AM by 0kn0ck | 0 Comments

Dissecting Microsoft Windows Svchost Internals

The paper relates solely to the core internals that make up the Windows XP Svchost. The Svchost internals have not yet been broken down into informative elements; I have found only one or two analyses, and those do not satisfy my views regarding the XP Svchost. The anatomy of Svchost is complex in its own terms, and this pushed me to write a specific analysis of it. The analysis provides a structural design with a concept-wise dissection. The point is to understand the hidden artifacts and how they affect the working of the prime service host controller. Every process is divided into a primary process and secondary processes; in operating-system terms there is a parent process and its children. If one looks at the implementation, the child processes are handled internally as threads. The kernel-level implementation is organised like this. The XP Svchost runs as threads under the services process.

Links:

http://mlabs.secniche.org

Posted on 9/20/2007 03:41:00 PM by 0kn0ck | 0 Comments

A View over Mailing Jokes on The Lists.

I have been watching the mail wars that are going on on the Full Disclosure lists. Since I left my previous group this issue has been on fire. People are not pointing out more of the learning but rather trying to throw comments on other people's work, like mine. Even if you look carefully, certainly these people are not doing anything themselves and are just commenting. By doing this they have made the lists a poor place.

What the hilarious point is: the kids are generating mails of their own under different sultry names and using my name everywhere. It's amazing, and it shows how free these people are. It straightforwardly depicts the frustrating element these people possess.
I really don't know how anyone in this world is so free as to criticise other people's work.

The mails are so badly written, even crossing the limits. The thing is, they are sending these mails to themselves first and then using them as forwarded mails. Hilarious again.

I just wanna say, whatever the drama that is going on on FD, it's useless and a purely kiddish approach. I appreciate the kids for what they are doing by wasting their time in this. My advice to them is to get indulged in their own work and not waste time in this.

Cheers

Regards
Adi

Posted on 9/20/2007 01:22:00 PM by 0kn0ck | 0 Comments

[Research Paper] Scrutinising SIP Payloads Released at MLabs

I have released a core research paper on SIP comprising payload problems and attack vectors.

This research paper lays stress on the potential weaknesses present in SIP which make it vulnerable to stringent attacks. The point of discussion is to understand the weak spots in the protocol. The payloads constitute the request vectors. The protocol inherits well-defined security procedures and implementation objects. The security model is hierarchical and diverges in every working layer of SIP from top to bottom. SIP features can be exploited easily if a definitive attack base is established. We will discuss the inherited flaws and methods to combat predefined attacks. The payloads have to be scrutinised at the network level. This is critical because payloads are considered infection bases for infecting networks. The pros and cons will be enumerated from a security perspective.

You can download paper at:

http://mlabs.secniche.org

Regards
Zknk

Posted on 9/19/2007 08:58:00 PM by 0kn0ck | 0 Comments

SecNiche is under Throttling! Will be up soon.

The throttling of the servers is going on. SecNiche is under maintenance.
It will take some time to set things right. Will be back soon.

Regards
Adi

Posted on 9/09/2007 11:12:00 AM by 0kn0ck | 0 Comments

OWASP Live 0 Conference India Successfully Done.

The OWASP Live 0 India Chapter Conference completed successfully. My talk was the first talk and it stretched over to one and a half hours with a blur of questions. But it was awesome to handle all the questions and views of different people.

The slides of my talk will be released soon. They have been released at the OWASP site.

https://www.owasp.org/images/4/48/Owasp_Live0_Conf_Talk_Aditya_K_Sood_Sec_Niche.pdf

Regards
Aks

Posted on 9/07/2007 11:00:00 PM by 0kn0ck | 0 Comments