Monday, August 28, 2006

So much web application security research, so little time

The amount of research going on in web application security and especially JavaScript Malware is simply astounding. I'm having a difficult time keeping up with what people are releasing and dedicating time to my own research. I wish I could give the following links more background information, but these are some things that have popped up over the last week that I'll be reading into. They should be of interest to others as well.


Backdooring Web Pages
IMHO, there are three types of web page backdoors: non-persistent, persistent and global persistent. Non-persistent backdoors occur on a single XSS vulnerable page (hit). Persistent backdoors are a bit better because they can occur on one or more XSS vulnerable pages, most probably coming from the same domain (site). Global persistent backdoors occur on all domains (sites) and in theory they can last forever.

XSS in CBNEWS and BBC
George Bush appoints a 9-year-old to be the chairperson of the Information Security Department

Stealing History (Part 2)
Cody Swann has a modified version of the exploit using prototype that works in IE and has support for AJAX requests:

Response Splitting Filter Evasion
While playing with a redirection issue on a pretty major website I found a pretty weird HTTP response splitting issue, where forward slashes were not allowed (or rather, once you entered a forward slash it caused the whole redirection to be removed). Clearly the website was trying to protect itself from something, although I’m not exactly sure how or why. Here’s what I ended up doing.
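An added example (mine, not code from the linked post, whose actual evasion it does not reproduce) of why a filter that only kills forward slashes does nothing against response splitting: header injection needs nothing but CR/LF. The redirect handler, the slash filter, the allow-listed fix and the payload are all constructed for illustration.

```javascript
// Vulnerable redirect: the raw "url" parameter is concatenated into the
// Location header line with no check for control characters.
function buildRedirect(target) {
  return "HTTP/1.1 302 Found\r\n" +
         "Location: " + target + "\r\n" +
         "Content-Length: 0\r\n" +
         "\r\n";
}

// Emulation of the behaviour described above: any forward slash removes the
// redirect entirely (the real site's code is unknown; this is an assumption).
function slashFilter(target) {
  return target.includes("/") ? null : target;
}

// Minimal response parser so the effect of the injection is visible: status
// line, header list (duplicates kept in order) and the body after the blank line.
function parseResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const headLines = raw.slice(0, sep).split("\r\n");
  const headers = headLines.slice(1).map(line => {
    const i = line.indexOf(":");
    return [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()];
  });
  return { status: headLines[0], headers, body: raw.slice(sep + 4) };
}

// Constructed payload as it would travel in the query string. It contains no
// "/" anywhere, so the slash filter lets it through, but %0d%0a terminates the
// Location line and smuggles in a Set-Cookie header, a new Content-Length and
// a body that the victim's browser receives under the server's own headers.
const ENCODED_PAYLOAD =
  "example.com%0d%0a" +
  "Set-Cookie:%20SESSIONID=attacker-chosen%0d%0a" +
  "Content-Length:%2028%0d%0a" +
  "%0d%0a" +
  "%3Cimg%20src=x%20onerror=alert(1)%3E";

// What the server-side code sees after URL decoding.
function decodedPayload() {
  return decodeURIComponent(ENCODED_PAYLOAD);
}

// Hardened handler: refuse any control character (CR, LF, NUL, ...) and only
// redirect to an absolute http(s) URL on an allowed host. The allow-list
// replaces the slash block-list; slashes themselves are harmless.
const ALLOWED_HOSTS = new Set(["example.com"]);   // assumed allow-list
function safeRedirect(target) {
  if (/[\x00-\x1f\x7f]/.test(target)) {
    throw new Error("control character in redirect target");
  }
  const url = new URL(target);                    // throws on anything that is not a URL
  if (!["http:", "https:"].includes(url.protocol) || !ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error("redirect target not allowed");
  }
  return buildRedirect(url.href);
}

function demo() {
  const target = decodedPayload();
  const passesFilter = slashFilter(target) !== null;
  const parsed = parseResponse(buildRedirect(target));
  return { passesFilter, parsed };
}

const result = demo();
console.log("passes slash filter:", result.passesFilter);
console.log("headers the client sees:", result.parsed.headers);
console.log("body the client sees:", JSON.stringify(result.parsed.body.slice(0, 28)));
```

The injected Content-Length of 28 makes a client stop reading exactly after the smuggled body, so the server's original "Content-Length: 0" line never reaches the header parser at all.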

US-ASCII and EUC-JP Character Injection
I spent a little time this weekend playing with my XSS fuzzer, which I am trying to get to a point where I can release it, for other researchers to play with. In doing some preliminary testing I’ve found a number of issues worth mentioning to anyone doing this form of research. Cheng Pang Su and I have been working on some of the more advanced variable width encoding, and I’ll release more on that later, as I’ve found a number of additional issues. In doing that, I have expanded the fuzzer to look at additional character encoding methods, which is how I began finding these.
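An added example, not the fuzzer or code from the linked post, of the US-ASCII half of this: a byte-level filter for "<" and ">" is bypassed when the page is served as charset=US-ASCII to a browser that treats that charset as 7-bit and drops the high bit of every byte (the behaviour older Internet Explorer showed and that the well-known "¼script¾" vector relies on). The browser behaviour is emulated; the filter and the hardened renderer are hypothetical, and the EUC-JP case is not covered here.

```javascript
// Constructed payload bytes: the high-bit twins of "<" (0x3C -> 0xBC) and
// ">" (0x3E -> 0xBE) around an ordinary script tag. Read as Latin-1 it is
// "¼script¾alert(1)¼/script¾", which contains no tag at all.
const PAYLOAD = Buffer.from([
  0xbc, ...Buffer.from("script"), 0xbe,
  ...Buffer.from("alert(1)"),
  0xbc, ...Buffer.from("/script"), 0xbe,
]);

// Naive input filter: rejects the input only if it contains a literal "<" or ">" byte.
function passesAngleBracketFilter(bytes) {
  return !bytes.includes(0x3c) && !bytes.includes(0x3e);
}

// What an 8-bit-clean consumer (and the person who wrote the filter) sees.
function asEightBit(bytes) {
  return bytes.toString("latin1");
}

// Emulation of a 7-bit US-ASCII decoder: the high bit of every byte is stripped,
// which is where 0xBC turns into "<" and 0xBE into ">".
function asSevenBitAscii(bytes) {
  return Buffer.from(Array.from(bytes, b => b & 0x7f)).toString("latin1");
}

// Hardened output path: decode under one declared, unambiguous charset (UTF-8,
// which the response must also declare), then escape for HTML after decoding.
// Filtering happens on characters the browser will actually see, not on raw bytes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, c => map[c]);
}
function renderSafely(bytes) {
  const text = bytes.toString("utf8");   // stray high bytes become U+FFFD, never "<"
  return escapeHtml(text);
}

function analyze(bytes) {
  return {
    passesFilter: passesAngleBracketFilter(bytes),
    eightBit: asEightBit(bytes),
    sevenBit: asSevenBitAscii(bytes),
    safe: renderSafely(bytes),
  };
}

console.log(analyze(PAYLOAD));
```

The same input therefore passes the filter, looks harmless to the server, and renders as a script tag in the 7-bit browser; declaring and decoding a single charset and escaping after decoding closes the gap regardless of which encoding trick is used.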

AttackAPI
Provides simple and intuitive web programmable interface for composing attack vectors.

Scan for HTML Injection
This little tool scans a page for common XSS/HTML injection vulnerabilities.

BeEF
BeEF is the browser exploitation framework. Its purpose in life is to provide an easily integrable framework to demonstrate the impact of browser and cross-site scripting issues in real time. The modular structure has focused on making module development a trivial process, with the intelligence existing within BeEF.

CSRF Adds Your Feed To my.yahoo.com
In all the recent waves of RSS hacks, I thought I’d toss in another. This isn’t breaking in using RSS, but it is a method to get people to add your feed automatically. Yahoo is vulnerable to cross site request forgeries (CSRF) for logged in users to automatically add your RSS feed to their page:

Warhol Worm Becomes Spam Gateway
Our innocent little Warhol worm has begun making its rounds. There are some serious additional implications that have not been thought through completely. One thing that unsticky brought to my attention was the use of a Warhol worm for spamming. He correctly diagnoses a problem in myyearbook.com but takes it to the next step and describes what it would take to build a Warhol XSS worm.

Stealing User Information Via Automatic Form Filling
One of the most annoying things for many users is filling in form fields on websites. It’s tedious for them to type the same information over and over again, especially when it’s something as simple as their personal information like name, phone number, address, credit card number, expiration date, and the like. Unfortunately this can spell trouble for many users who use websites that are vulnerable to XSS.


See what I mean? A LOT!
