Last month, I presented at Source Seattle conference. The slides are available for download from Cigital's website here. I also wrote some views about different cases of collecting information here. The detection of hidden devices such as WAF's , protection against advanced attacks are very much important. I discussed different cases in my presentation about collecting information from HTTP response headers. I thought to just move on and verify the state of some social networking websites.
The Facebook response header dump looks like as follows
(Status-Line) HTTP/1.1 200 OK
Cache-Control private, no-cache, no-store, must-revalidate
Expires Sat, 01 Jan 2000 00:00:00 GMT
P3P CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma no-cache
Set-Cookie reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Encoding gzip
Content-Type text/html; charset=utf-8
X-FB-Server 10.54.249.30
X-Cnection close
Transfer-Encoding chunked
Date Fri, 29 Jul 2011 02:39:59 GMT
The highlighted part in the dump suggests that Facebook is running under the shadow of NetScaler [WAF + Load Balancer] device. On continuous observing and validating certain functions, I extracted some combinations of URL's and related HTTP header sent with it i.e. X-FB-Server
https://www.facebook.com/login.php?login_attempt=1
X-FB-Server 10.36.129.112
http://www.facebook.com/home.php?sfrm=1
X-FB-Server 10.36.252.123
http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/l2REPOIm5eD.css
X-FB-Server 10.138.17.184
http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/uRff5za-w5e.css
X-FB-Server 10.138.64.186
http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/cWd6w4ZgtPx.png
X-FB-Server 10.30.147.194
http://www.facebook.com/ajax/chat/buddy_list.php?__a=1
X-FB-Server 10.42.74.73
http://www.facebook.com/ajax/chat/buddy_list.php?__a=1
X-FB-Server 10.43.50.79
http://www.facebook.com/ajax/hovercard/user.php?id=1036258667&__a=1
X-FB-Server 10.42.174.47
http://www.facebook.com/ajax/ufi/modify.php?__a=1
X-FB-Server 10.42.108.21
http://www.facebook.com/?ref=logo&__a=20&ajaxpipe=1&quickling[version]=412753%3B0
X-FB-Server 10.42.118.79
The X-FB-Server header value was changing with different responses. However, one thing remains same is the combination of X-FB-Server with X-Cnection. This simply projects that WAF + Load Balancer is playing a role.
However, Facebook does not reveal the web server information in Server header. Additionally, Facebook responses contain the "X-Backend :" header with different values. For informational purposes, the X-Backend header is sent by 3 different servers : nginx , Apache-Coyote and lighttpd primarily.
The point is HTTP response headers reveals a lot of information which can be potentially useful for testing purposes.
Thursday, July 28, 2011
Saturday, April 30, 2011
Tuesday, March 22, 2011
Google Chrome - Security Issues Reported So Far
I have enumerated the list of Google Chrome bugs given to Chrome security team.
Issue 2632:Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos
Issue 2877:Google Chrome Window Object Suppressing Denial of Service
Issue 4739: Google Chrome MetaCharacter URI Obfuscation Vulnerability
Issue 5978: Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability
Issue 7099: Google Chrome 1.0.154.43 ClickJacking Vulnerability
Issue 11158: Google Chrome document.write/throw exception DOM causes NULL ptr DoS
Issue 30972: Google Chrome XSS through MS Word Script Execution Object
Issue 53096: Google Chrome: HTTP AUTH Dialog Spoofing through Realm
Issue 75937: Google Chrome 10.0.648.133 XSS Filter Bypass
Issue 2632:Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos
Issue 2877:Google Chrome Window Object Suppressing Denial of Service
Issue 4739: Google Chrome MetaCharacter URI Obfuscation Vulnerability
Issue 5978: Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability
Issue 7099: Google Chrome 1.0.154.43 ClickJacking Vulnerability
Issue 11158: Google Chrome document.write/throw exception DOM causes NULL ptr DoS
Issue 30972: Google Chrome XSS through MS Word Script Execution Object
Issue 53096: Google Chrome: HTTP AUTH Dialog Spoofing through Realm
Issue 75937: Google Chrome 10.0.648.133 XSS Filter Bypass
Monday, November 15, 2010
Responsible Disclosure - Oracle.com Redirection Vulnerability Video
The issue was reported to Oracle and was patched. This video simply shows the vulnerability.
Wednesday, November 10, 2010
ISSA Journal - JavaScript Infection Model
Check out my paper on JavaScript Infection Model published in November issue of ISSA journal.
https://www.issa.org/Members/Journal/
HackInThe Box EZine - DataCenter Hacking Paper / My Interview
Check out my interview and our paper on data-center hacking through helpdesk support systems.
http://magazine.hitb.org/issues/HITB-Ezine-Issue-004.pdf
Monday, August 23, 2010
User Interface Security - Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation
Google Chrome ( 5.0.375.127 and previous versions) suffers from HTTP Auth Dialog spoofing vulnerability due to possible realm manipulation in the HTTP header. Previously, Google chrome has got a similar bug which can be seen HERE
This bug was actually patched. The issue mentioned in this bug was dialog spoofing due to long sub domain names. The patch worked only for that specific case which was outlined in that bug. There are number of tests have been conducted on Google Chrome
which verifies the inefficiency of Google Chrome to scrutinize the type of realm value set in the header. It can be tampered with double quotes and single quotes used in a definite manner.
Another related scenario: HERE
Note: Different variants have shown that these issues are still open and not patched yet.
As mentioned in RFC 2617: "The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge.The realm value (case-sensitive), in combination with the canonical root URL (the absolute URI for the server whose abs_path is empty;of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database.//The realm value is a string,generally assigned by the origin server, which may have additional semantics specific to the authentication scheme. Note that there may be multiple challenges with the same auth-scheme but different realm/s"
So, realm value plays critical role in determining the framework of HTTP Access authentication for a particular resource. It has been analyzed that it is possible to spoof the HTTP Auth dialog by playing around realm values. This attack scenario
can be used to launch phishing attacks and stealing sensitive information from the legitimate websites.
As it has been released before, Google Chrome fails to sanitize the obfuscated URL and redirect it to the different domain. This potential flaw can be combined with the HTTP Auth dialog spoofing to launch attacks against legitimate websites. Looking at this particular point of time, certain solutions can be presented as
1. A new model of HTTP authentication dialog which shows the clarity between realm value and domain.
2. Setting a limit on size of strings to be passed as Realm value. This should not be applied on the string size of domain name.
3. Application of appropriate parameters in scrutinizing the strings passed in double quotes and single quotes.
Further: Tim from Vsecurity notifies about similar work related to HTTP Authentication. A very good paper has been presented HERE which covers lot of issues of HTTP authentication
The video is embedded below
Monday, August 09, 2010
Debugged MZ/PE - Holistic Approach to Analysis of Defective Threads
Abstract: Threads are considered as second level structures used in the process execution. As per semantics, threads run as dynamic entities under processes. Whenever a new process is created in a system a number of threads are initialized. To understand the real cause of infection in processes, one has to traverse along the working procedure of a thread.
Online : http://debuggingexpert.dumpanalysis.org/Debugged_March_2010.htm
The hard cover will be release at Amazon : HERE
Sunday, July 11, 2010
HITB Magazine: MS Office Infection Paper
A new paper has been released in the HITB magazine about infection styles in MS Office files. It projects a pattern of infection used by chinese malware.
Fetch:http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-003.pdf
