Monday, January 28, 2008

Technology helps, but people matter most

The other day a friend called me up asking what the best scanner (web application vulnerability) is these days because he hadn’t been following the field closely. He recently left a consulting role and signed on as an InfoSec manager at a large organization. His first action was to roll out a website security initiative. He knew of course that I would be highly biased towards Software-as-a-Service. Apparently he would have gone that route, but the company had a policy against outsourcing. No one could quite remember why. Anyway, before answering his question, I wanted to know more about his environment.

I asked if he had a website asset inventory prepared. He didn’t, since he had just landed, although he was diligently working on it; he estimated roughly 200 websites. Then I asked how many people were allocated towards managing whatever scanner he bought. One full-time employee (FTE). I stopped short and said, “That’s never going to work!” A little stunned he asked, “Why not?”

I explained by asking, from his experience as a consultant, how much time they typically allocated for a vulnerability assessment per website, with or without the use of a commercial scanner. He said usually 2 weeks for something comprehensive (consistent with most firms). We figured then that performing just a scan with a commercial scanner (no business logic testing) would require about 1 week to set up, fine tune, wait, and analyze the results (removing false positives, duplicates, and properly assigning priority) per website. That meant they’d need 4-5 FTEs, not 1!

Remember that’s just to scan the websites, to say nothing of identifying business logic flaws, addressing ongoing application changes, or spending time working with developers on remediation. Is VA worth anything if you have no time to work on fixing the issues found? He didn’t want to think about how many FTEs that would require.

I then asked if his new employer had the open head count for the project ready. He coughed and then quickly laughed, but the answer was no, not even close. He started to see the writing on the wall, so I finished the conversation by candidly saying that it didn’t really matter what commercial scanner he bought. No one was going to be around to manage it and it was destined for life as shelfware. He appreciated the frankness, saying he’d have a chat with upper management and get back to me. :)

Thursday, January 24, 2008

Top Ten Web Hacks of 2007 (Official)

The polls are closed, votes are in, and we have ten winners making up the Top Ten Web Hacks of 2007! The competition was fierce. The information security community put 80 of the newest and most innovative Web hacking techniques to the test. The voting process even saw some attempts at ballot stuffing, but to no avail, and very few techniques received zero votes. The winners though stood head and shoulders above the rest. Thanks to everyone who helped build the list of links, took the time to vote, and especially the researchers whose work we all rely upon. Congratulations!

Top Ten
  1. XSS Vulnerabilities in Common Shockwave Flash Files
  2. Universal XSS in Adobe’s Acrobat Reader Plugin
  3. Firefox’s JAR: Protocol issues
  4. Cross-Site Printing (Printer Spamming)
  5. Hiding JS in Valid Images
  6. Firefoxurl URI Handler Flaw
  7. Anti-DNS Pinning ( DNS Rebinding )
  8. Google GMail E-mail Hijack Technique
  9. PDF XSS Can Compromise Your Machine
  10. Port Scan without JavaScript
Honorable Mention:
Microsoft ASP.NET Request Validation Bypass Vulnerability (POC)


The Big List
Cross-Site Printing (Printer Spamming)
Stealing Pictures with Picasa
HScan Redux
ISO-8895-1 Vulnerable in Firefox to Null Injection
MITM attack to overwrite addons in Firefox
Microsoft ASP.NET Request Validation Bypass Vulnerability (POC)
Non-Alpha-Non-Digit 3
Steal History without JavaScript
Pure Java™, Pure Evil™ Popups
Google Adsense CSRF hole
There’s an OAK TREE in my blog!?!?!
BK for Mayor of Oak Tree View
Google Docs puts Google Users at Risk
All Your Google Docs are Belong To US…
Java Applets and DNS Rebinding
Scanning internal Lan with PHP remote file opening.
Firefox File Handling Woes
Firefoxurl URI Handler Flaw
Bugs in the Browser: Firefox’s DATA URL Scheme Vulnerability
Multiviews Apache, Accept Requests and free listing
Optimizing the number of requests in blind SQL injection
Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)
Port Scan without JavaScript
Favorites Gone Wild
Cross-Browser Proxy Unmasking
Spoofing Firefox protected objects
Injecting the script tag into XML
Login Detection without JavaScript
Anti-DNS Pinning ( DNS Rebinding ) : Online Demonstration
Username Enumeration Timing Attacks (Sensepost)
Google GMail E-mail Hijack Technique
Recursive Request DoS
Exaggerating Timing Attack Results Via GET Flooding
Initiating Probes Against Servers Via Other Servers
Effects of DNS Rebinding On IE’s Trust Zones
Paper on Hacking Intranets Using Websites (Not Web Browsers)
More Port Scanning - This Time in Flash
HTTP Response Splitting and Data: URI scheme in Firefox
Res:// Protocol Local File Enumeration
Res Timing Attack
IE6.0 Protocol Guessing
IE 7 and Firefox Browsers Digest Authentication Request Splitting
Hacking Intranets Via Brute Force
Hiding JS in Valid Images
Internet Archiver Port Scanner
Noisy Decloaking Methods
Code Execution Through Filenames in Uploads
Cross Domain Basic Auth Phishing Tactics
Additional Image Bypass on Windows
Detecting users via Authenticated Redirects
Passing Malicious PHP Through getimagesize()
Turn Any Page Into A Greasemonkey Popup
Enumerate Windows Users In JS
Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH
Iframe HTTP Ping
Read Firefox Settings (PoC)
Stealing Mouse Clicks for Banner Fraud
(Non-Persistent) Untraceable XSS Attacks
Inter Protocol Exploitation
Detecting Default Browser in IE
Bypass port blocking in Firefox, Opera and Konqueror.
LocalRodeo Detection
Image Names Gone Bad
IE Sends Local Addresses in Referer Header
PDF XSS Can Compromise Your Machine
Universal XSS in Adobe’s Acrobat Reader Plugin
Firefox Popup Blocker Allows Reading Arbitrary Local Files
IE7.0 Detector
overwriting cookies on other people’s domains in Firefox.
Embeding SVG That Contains XSS Using Base64 Encoding in Firefox
Firefox Header Redirection JavaScript Execution
More URI Stuff… (IE’s Resouce URI)
Hacking without 0days: Drive-by Java
Google Urchin password theft madness
Username Enumeration Vulnerabilities
Client-side SQL Injection Attacks
Content-Disposition Hacking
Flash Cookie Object Tracking
Java JAR Attacks and Features
Severe XSS in Google and Others due to the JAR protocol issues
Web Mayhem: Firefox’s JAR: Protocol issues (bugzilla)
0DAY: QuickTime pwns Firefox
Exploiting Second Life

WhiteHat hosting regional luncheons in NY & NJ

As we did last year, 2008 will see WhiteHat Security host several regional luncheons around the U.S. - the soonest held in New Jersey and New York on February 6 & 7 respectively. Registered guests are treated to some tasty food, an entertaining show (timely stuff about web application security), a bit of company promotion, but best of all an opportunity to interact with industry peers. The groups are kept small, maybe 30 people at the most, and they’re really a lot of fun! This event will feature yours truly and Randy Morrison (V.P. of technology, SecurView), who we’re excited to have with us.

Mr. Grossman will open the program with "Top Ten Hacks of 2007 and What They Bode for 2008." This reflection on 2007's most innovative and dangerous methods of attack provides the foundation for what issues corporate security professionals should address in 2008. He will discuss attack techniques that compromise both customer and corporate information, including cross-site request forgery, JavaScript malware and browser-based attacks.

Randy follows with "The Business Case for Managed Security Services." Due to compliance mandates and recent high profile security breaches, organizations clearly understand the importance of a robust security program, and have invested heavily in security technology to address everything from network security to securing applications and data. However, getting a return on this investment requires similar investments in process, people, and skills. Managed security solutions represent a cost-effective way to gain the expertise necessary to defend the organization from threats, demonstrate compliance, and continuously optimize security posture.

Hope to see some of you there!

Wednesday, January 23, 2008

Intranet Hacking attacks found in the Wild

As covered by Dark Reading, CSO, and also Slashdotted: it’s been 18 months since I presented “Hacking Intranet Websites from the Outside” (RSnake heavily credited) at Black Hat USA 2006 and coined the term “JavaScript Malware”, and now the Symantec-named variant, “Drive-by Pharming”, has been witnessed in the wild. Drive-by Pharming is a CSRF attack targeting a home user’s DSL router and updating its DNS settings. From then on all of the user’s traffic could basically be controlled by the attacker. Great for phishing because it’s simple and effective. Apparently the bad guys thought so too. The Drive-by-Pharming attack has been spotted in an e-card email campaign targeting a popular Mexican bank, where the router didn’t even have a password.
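As an added example, not from the original post, here is the bug modelled the way a defender would: a minimal router DNS-settings handler that any cross-site request can change, beside a hardened version that requires a logged-in admin session, a same-origin request, and a session-bound token. The router address, field names and sample requests are all constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed router address; real devices vary.
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class RouterState:
    dns_servers: List[str]


class AdminSession:
    """A logged-in admin session carrying its own random CSRF token."""
    def __init__(self) -> None:
        self.csrf_token = secrets.token_hex(16)


def vulnerable_update_dns(router: RouterState, req: Request) -> bool:
    """The pattern behind Drive-by Pharming: any request carrying a 'dns'
    parameter rewrites the resolvers. No login, no method check, no token,
    so an <img> or <script> tag on an unrelated page is enough."""
    if "dns" in req.params:
        router.dns_servers = req.params["dns"].split(",")
        return True
    return False


def _same_origin(url: str) -> bool:
    """Compare scheme and host exactly (a prefix match would let
    http://192.168.1.10 pass as the router)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN


def hardened_update_dns(router: RouterState, req: Request,
                        sessions: Dict[str, AdminSession]) -> bool:
    """Accept the change only from a POST by an authenticated admin session,
    sent from the router's own origin, carrying that session's token."""
    if req.method != "POST":
        return False
    session = sessions.get(req.cookies.get("sid", ""))
    if session is None:
        return False                      # no admin login (or no password set)
    # Origin is the modern header; older browsers only sent Referer.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(source):
        return False                      # request came from another site
    if not hmac.compare_digest(req.params.get("csrf_token", ""),
                               session.csrf_token):
        return False                      # forged form without the token
    if "dns" not in req.params:
        return False
    router.dns_servers = req.params["dns"].split(",")
    return True


def cross_site_request() -> Request:
    """Constructed: what the browser sends when a page on another site embeds
    an image whose URL points at the router (198.51.100.9 is a TEST-NET address)."""
    return Request(method="GET", params={"dns": "198.51.100.9"},
                   headers={"Referer": "http://other.example/ecard.html"})
```

Note that the session cookie alone is not enough in the hardened handler: a cross-site POST from a logged-in browser still carries the cookie, which is why the origin check and the token are both required.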

Monday, January 21, 2008

Quick Links

Things I don’t have time to blog about, but worthy of a post, and in no particular order.

1) How did I not know about a conference in Hawaii that invites information security speakers!?! - HAWAII INTERNATIONAL CONFERENCE ON SYSTEM SCIENCES (HICSS)

2) Mike Andrews, application security powerhouse and all around cool guy, has started blogging! Welcome to the sphere and your second job. :)

3) An XSS vulnerability in the MySpace API. Interesting example; fortunately for them it’s not wormable.

4) Perl.com was briefly redirected to a porn website due to the third-party JavaScript of an advertiser being taken over by a pornographer. Apparently the advertiser’s domain lapsed and the new porn owner replaced the JS content. The same type of attack that Tom Stripling warned about in his AppSec 2007 presentation.

5) The RIAA’s website wiped out by a SQL Injection attack

6) IE 7 forced update coming Feb. 12
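On item 4, an added example (not from the original post) of the check a site owner would want: inventory every host a page executes script from and flag the ones not on a reviewed allow-list, since each of those is a domain registration the page is trusting. The HTML and hostnames are constructed.

```python
from html.parser import HTMLParser
from typing import Iterable, List, Set
from urllib.parse import urljoin, urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":                      # html.parser lowercases tag and attr names
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def third_party_script_hosts(html: str, page_url: str) -> Set[str]:
    """Hosts, other than the page's own, that the page executes script from.
    Relative and protocol-relative (//host/x.js) URLs are resolved against
    page_url so they are classified correctly."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    own_host = (urlsplit(page_url).hostname or "").lower()
    hosts: Set[str] = set()
    for src in collector.srcs:
        host = urlsplit(urljoin(page_url, src)).hostname
        if host and host.lower() != own_host:
            hosts.add(host.lower())
    return hosts


def unapproved_script_hosts(html: str, page_url: str,
                            approved: Iterable[str]) -> Set[str]:
    """Third-party script hosts missing from the reviewed allow-list. Every
    host returned is a domain whose registration and content the page trusts;
    a lapsed registration hands that trust to whoever re-registers it."""
    return third_party_script_hosts(html, page_url) - {h.lower() for h in approved}


# Constructed sample page; all hosts are reserved documentation domains.
SAMPLE_PAGE_URL = "http://www.example.com/news/index.html"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript">var inline = 1;</script>
<SCRIPT SRC="http://ads.example.net/serve.js"></SCRIPT>
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<script src="https://stats.example.com/t.js?site=42"></script>
</body></html>"""

APPROVED_HOSTS = ["cdn.example.org"]

if __name__ == "__main__":
    for host in sorted(unapproved_script_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL, APPROVED_HOSTS)):
        print("unreviewed third-party script host:", host)
```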

Sunday, January 20, 2008

ScanAlert - XSS is not our problem

Update 01.21.2008: Jericho from Attrition takes issue as well and says many of the same things.

This weekend someone directed me to another negative ScanAlert article, beyond Geeks.com, about their dubious “Hacker Safe” website badge. According to the story, Kevin Fernandez and Dimitris Pagkalos of XSSed.com provided InformationWeek with a list of 62 popular brand websites vulnerable to XSS that proudly display the logo. Also Russ McRee, another security researcher, notified Toastmasters.org about the same problem – an XSS vulnerability under the auspices of being Hacker Safe. The story forgot to mention all the websites on sla.ckers.org too, but you get the idea.

On any other day this would have been old news (we know their reputation), but company representatives from ScanAlert (acquired by McAfee) and Symantec made some rather peculiar statements.

“Joseph Pierini, director of enterprise services for the ScanAlert "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server.”


Mr. Pierini misses the point entirely, which I thought was to prevent user data from falling into the hacker’s hands. It makes no difference if the hacker can’t penetrate the server (database) directly - they can still use XSS to compromise users while they shop on the “Hacker Safe” website.

"XSS vulnerabilities do present a serious risk. However, to date their real-world use has been limited," said Oliver Friedrichs, director of Symantec Security Response in an e-mail.

What the!?! “Real world use has been limited”? In comparison to what!? Wait, don’t tell me. Malware right!? I guess the millions of exploited users between MySpace, Google’s Orkut, PayPal, Italian Banks and many others out there don’t count. Neither does being the most reported issue according to Mitre, #1 on the OWASP Top Ten, #1 on WASC Statistics, and listed on the SANS 20.

"XSS vulnerabilities can result in the theft of session cookies, Web site login credentials, and exploitation of trust. XSS vulnerabilities are site-specific, and therefore their life cycle is limited; they become extinct once they're discovered and repaired by the Web site owners."


This makes no sense. On one hand Mr. Friedrichs seems to be saying everything the hacker needs to own a user’s account is compromised. Then on the other that’s OK because each XSS issue is unique and fixed immediately once the website owner knows about it. Does that happen before or after the website is scanned by ScanAlert or they get notified by XSSed.com? Sheesh.

“Pierini maintains that XSS vulnerabilities aren't material to a site's certification.”

I guess so, it is your certification after all, but for PCI-DSS it matters. And it’s not like your website claims to identify XSS. Oh wait!? It does! Perhaps the website list was generated from crazy complicated RSnake cheat sheet XSS issues, uhhh maybe not, they seem to be the plain vanilla and easy-to-find-in-a-few-minutes variety.

"Cross-site scripting can't be used to hack a server," he said. "You may be able to do other things with it. You may be able to do things that affect the end-user or the client.”

You mean like hack the user and compromise their data when they click a link?

“But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly."

Yep, safe and sound in the database, and safe in the hacker’s DB too!

“Pierini dismisses the suggestion that certifying a site as "Hacker Safe" when it remains vulnerable to XSS attacks could be confusing to consumers.”

Nah, it’s not confusing to users who don’t know any better, just to the security experts.

“He insists that the meaning of the certification is clear and notes that his company's scanning service reports the XSS flaws it finds to its clients.”

If you say so.

“Cross-site scripting can be used to do a variety of things, but it's all on the client side. And that's an area that we don't have control over."

It’s funny because most security experts, industry bodies, and respected website owners believe XSS is a serious problem *FOR THE WEBSITE AS WELL AS THE USER*. OWASP, WASC, Mitre, SANS, Google, Yahoo, Microsoft, and on and on. All except ScanAlert apparently, maybe they know something we don’t.

Ahhh, it’s Monday, sounds like the beginning of an interesting week.

Roxer - the easiest way to make a web page

I’m excited to let everyone know about a brand new Web-based technology (non-webappsec related) Lex Arquette and I have been developing over the last several years – mainly as a late night side project. It’s called Roxer and represents what we believe is the future of Web page design (screen shots). Targeted mostly at novices: with Roxer anyone can build just about any Web page they want using a Web browser (no plug-ins) and without a single line of code (example sites). Think Visio, MS Word, or OmniGraffle, but extremely simple and completely Web-based. I also have a page I treat as a personal playground.


Roxer beta-testers are using it primarily for personal and small business sites. The deal is they get free Web space and access to a cool toy - we get great feedback, a chance to quash bugs, and some insights into how people REALLY want to develop Web pages. Later we thought the readers here, even if all infosec-related, might be interested and want to get in on the action. So we opened up beta testing to public registration.

There are a lot of cool features in Roxer, including cross-tab copy/paste, which were extremely difficult to implement. It’s only due to a background in JavaScript hacking that we were successful. Other Web 2.0 / Ajax’ish stuff like Drag & Drop, Rich Text Editing, and Edit-in-Place were zip zap after that. Since WhiteHat Security is my responsibility during the day, and often night too, Lex (the one man army) does most/all the Roxer coding these days. Basically my job is helping solve some of the harder architectural problems and overcome the things that browsers were never really designed to do. BTW, The Dojo Toolkit totally kicks ass.



Now I know some reading this blog are probably going to try and hack Roxer to pieces. Nah, not you guys. :) Some may expect a 100% secure system since it’s been written by Web security experts. Fair enough, have at it, not like we can stop you anyway. But let me first say that we’re not perfect programmers (if only). The code is brand new, considered beta, and largely untested by outsiders. Our primary mission was just to make Roxer functional and we’re sure vulnerabilities exist. So if you find something, whether on purpose or by accident, let us know and we’ll fix it. Just please don’t break the website. ;)

Other than that, have fun!

Friday, January 18, 2008

Let's talk Web Application Firewalls (WAFs)

Over the last month the level of chatter about Web Application Firewalls (WAFs) has increased significantly. At the end of last year I’d receive 1-2 emails per week with questions, but over the last month it’s up to 2 per day - not to mention all the mailing list chatter. I like to stay up-to-date on the WAF market, even though I’m not in that business, because the value proposition is complementary to mine (website vulnerability assessment). Just like network security with perimeter firewalls, patch management, and vulnerability scanning, each is important and fills a unique niche. At first I thought the WAF interest uptick was mainly due to the looming PCI 6.6 deadline (June 30, 2008), but not so much: the reasons are more fundamental.

You see, the InfoSec people responsible for Web security were usually not on the job when their employers’ websites were developed (insecurely). They were hired in after the fact to solve the problem, typically once identified by a VA solution or maybe an incident, when preventative software security measures would require massive code rewrites. Most of them first attempt an awareness program, a noble pursuit with long-term benefits, but it doesn’t solve the immediate problems. The problems are too many websites, with too many vulnerabilities, and developers who don’t work for them and probably don’t care about Web application security anyway. In that position WAFs sound like a pretty darn good option since they provide direct control.

Another interesting thing about WAF technology is that it’s been around for roughly 10 years, yet the market really hasn’t taken off (roughly 1,000 deployments by my estimates), but it hasn’t gone away either. That’s probably because the idea of website security without having to fix the code is extremely compelling. Of course there are WAF detractors who say it’s because WAFs don’t do what they promise, are difficult to manage, and people shouldn’t use them anyway because their approach just serves as a band-aid. The fact is the WAF industry has a lot of baggage it must overcome originating from the early days, much of which does not hold true today. A lot has improved over the last several years and I’ve had the benefit of demo’ing these products personally. They have some serious power and flexibility.

Here’s the deal: nothing in security is a silver bullet. Everyone knows and gets that. So when a WAF isn’t perfect at something, doesn’t block every attack all the time, and can’t be plugged in and forgotten, that’s to be expected! And that’s what it’s all about, properly setting expectations. We really need to know what they can and can’t do and how well. Because from where I sit, we NEED WAFs to work, if nothing else but to provide development groups at least a few days of breathing room. I mean, consider the thousands of issues posted on sla.ckers.org, or XSSed.com, or in the WhiteHat Sentinel database. Is anyone really under the impression these will get fixed one at a time or anytime soon? And we’re just talking about the XSS. What about the rest?

I like WAFs because they provide Web security experts one more option to get their job done. Dozens of open source and commercial WAFs are available, the most prominent names being Breach, Citrix, F5, and Imperva. Each has its own strong points and is better at something depending on the current situation. Navigating that environment is the tough part, and the more VA solutions deployed like WhiteHat Sentinel, the more we’ll understand that remediation is going to be a huge issue to tackle in the years to come.

Movie Review: The New Face of Cybercrime

When I go to the movies, which is extremely rare, my only expectation is to be entertained. That was my mindset last night when I went with Arian and Anurag up to see the Fortify documentary, “The New Face of Cybercrime.” I wasn’t expecting to learn anything new or earth shattering, just wanted to enjoy myself and see what they came up with. So when the film opened up with RSnake being interviewed demo’ing XSS, the crowd roared with laughter, and I was on cloud 9. For much of the audience who is familiar with webappsec and its industry personalities, it was really exciting to see someone we know and love on the big screen in a flick made by an Academy-nominated director.

The film itself was a little fluffy, not much technical detail, and something you’d show your parents or boss who hasn’t been exposed to the infosec industry. They tried to convey how the world is interconnected via networks, completely reliant upon software, and how the bad guys are able to penetrate systems with ease. Again, think of a PBS or History Channel special. That was the feel I got. The film seemed somewhat short on a call to action. They probably did that so it didn’t come across as a marketing piece, which they pulled off very nicely. For myself, the time was well spent and I’m glad I went.

Then in a bold move, Roger Thornton (CTO of Fortify) and director Fredric Golding (with the 3 other panelists) opened things up to the audience to comment and ask questions. Right when they did that I was thinking to myself, OMG, these guys are crazy asking an infosec audience what they thought! To their credit they were very patient and professional in dealing with the many inane “constructive” criticisms voiced. The stand out of the panelists was Grant Bourzikas, CISO of Scottrade, who was able to answer pointed questions masterfully from a “business” interest perspective. Clearly he has been around the block once or twice when it comes to web application security in the real world.

During the after party I got to talking with Robert McMillan, Senior Writer, IDG News. He was remarking about how the J.C. Penney CEO, Mike Ullman, who was featured as an application security authority in the film, is going to react when they get hacked sometime down the road. And doncha just love the irony: 2 hours later when I got home, Business Week posted a story about “Data lost on 650,000 credit card holders” at J.C. Penney. I guess the bright side is the loss was due to a lost tape, with J.C. Penney one of 230 retailers impacted, and not some SQL Injection issue. That would have been hard to explain.

All in all I want to thank Fortify for inviting us to a great event and the tasty eats, and also congratulate them on the film.

Thursday, January 17, 2008

The Polls are Open: Top 10 Web Hacks of 2007

Thank you to everyone who helped out with compiling the list of Web hacking techniques for the last year. It took a lot of time and effort scouring the Internet for all the new tricks and reading through the material to understand what was what. I did my best to sanitize the list, find the best references, and remove duplicates (probably still some left). I am confident though that the best of the best are in there to make a meaningful Top Ten for 2007.

The way the voting process works is each voter gets 10 votes to distribute among their favorites. The suggested criteria are cleverness, severity, and overall impact. The polls will close on January 24, at which time the numbers will be tabulated and those with the most votes will rise to the top. With over 80 on the list, surpassing the number for 2006, competition is going to be fierce. GO VOTE!

The List
Cross-Site Printing (Printer Spamming)
XSS Vulnerabilities in Common Shockwave Flash Files
Stealing Pictures with Picasa
HScan Redux
ISO-8895-1 Vulnerable in Firefox to Null Injection
MITM attack to overwrite addons in Firefox
Microsoft ASP.NET Request Validation Bypass Vulnerability (POC)
Non-Alpha-Non-Digit 3
Steal History without JavaScript
Pure Java™, Pure Evil™ Popups
Google Adsense CSRF hole
There’s an OAK TREE in my blog!?!?!
BK for Mayor of Oak Tree View
Google Docs puts Google Users at Risk
All Your Google Docs are Belong To US…
Java Applets and DNS Rebinding
Scanning internal Lan with PHP remote file opening.
Firefox File Handling Woes
Firefoxurl URI Handler Flaw
Bugs in the Browser: Firefox’s DATA URL Scheme Vulnerability
Multiviews Apache, Accept Requests and free listing
Optimizing the number of requests in blind SQL injection
Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)
Port Scan without JavaScript
Favorites Gone Wild
Cross-Browser Proxy Unmasking
Spoofing Firefox protected objects
Injecting the script tag into XML
Login Detection without JavaScript
Anti-DNS Pinning ( DNS Rebinding ) : Online Demonstration
Username Enumeration Timing Attacks (Sensepost)
Google GMail E-mail Hijack Technique
Recursive Request DoS
Exaggerating Timing Attack Results Via GET Flooding
Initiating Probes Against Servers Via Other Servers
Effects of DNS Rebinding On IE’s Trust Zones
Paper on Hacking Intranets Using Websites (Not Web Browsers)
More Port Scanning - This Time in Flash
HTTP Response Splitting and Data: URI scheme in Firefox
Res:// Protocol Local File Enumeration
Res Timing Attack
IE6.0 Protocol Guessing
IE 7 and Firefox Browsers Digest Authentication Request Splitting
Hacking Intranets Via Brute Force
Hiding JS in Valid Images
Internet Archiver Port Scanner
Noisy Decloaking Methods
Code Execution Through Filenames in Uploads
Cross Domain Basic Auth Phishing Tactics
Additional Image Bypass on Windows
Detecting users via Authenticated Redirects
Passing Malicious PHP Through getimagesize()
Turn Any Page Into A Greasemonkey Popup
Enumerate Windows Users In JS
Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH
Iframe HTTP Ping
Read Firefox Settings (PoC)
Stealing Mouse Clicks for Banner Fraud
(Non-Persistent) Untraceable XSS Attacks
Inter Protocol Exploitation
Detecting Default Browser in IE
Bypass port blocking in Firefox, Opera and Konqueror.
LocalRodeo Detection
Image Names Gone Bad
IE Sends Local Addresses in Referer Header
PDF XSS Can Compromise Your Machine
Universal XSS in Adobe’s Acrobat Reader Plugin
Firefox Popup Blocker Allows Reading Arbitrary Local Files
IE7.0 Detector
overwriting cookies on other people’s domains in Firefox.
Embeding SVG That Contains XSS Using Base64 Encoding in Firefox
Firefox Header Redirection JavaScript Execution
More URI Stuff… (IE’s Resouce URI)
Hacking without 0days: Drive-by Java
Google Urchin password theft madness
Username Enumeration Vulnerabilities
Client-side SQL Injection Attacks
Content-Disposition Hacking
Flash Cookie Object Tracking
Java JAR Attacks and Features
Severe XSS in Google and Others due to the JAR protocol issues
Web Mayhem: Firefox’s JAR: Protocol issues (bugzilla)
0DAY: QuickTime pwns Firefox
Exploiting Second Life

Wednesday, January 09, 2008

Fortify Documentary: The New Face of Cybercrime

I just came across a Fortify Software press release announcing the premiere of their new documentary, “The New Face of Cybercrime”. I remembered their CTO Brian Chess told me about it months ago, but had really forgotten all about it since. This could be really cool and nicely timed to fill the void left by Tiger Team. So I fired up the YouTube trailer to see what this is all about. To my utter amazement the video appeared exceptionally well done, like a special you’d see on PBS or the History Channel. Some familiar industry faces appeared including Howard Schmidt, Gary McGraw, and Marcus Ranum providing their quality sound bites. Then all of a sudden RSnake shows up on screen demonstrating an XSS vulnerability on domains.aol.com! I nearly fell outta my chair! *LOL* OK, I gotta see the rest of this. Screenings are being held in San Francisco, New York, and London. I could theoretically make the S.F. one since I'm local, if I can manage to score an invite *hint*. :)

Cross-Site Printing (Printer Spamming)

Update 01.10.2008: Story picked up by Dark Reading and C-Net.

Aaron Weaver has been doing a lot of intranet hacking research since late last year, especially in the area of printers and fax machines. He’s figured out a clever way of using CSRF to issue PostScript commands (via port 9100) and print out custom ASCII art. Fun, fun! Imagine visiting some random Web page and your network printer starts going off on its own. Cross-Site Printing.

Tuesday, January 08, 2008

Geeks.com compromised, but relax, it’s still "Hacker Safe"

As reported by ComputerWorld, Geeks.com was hacked and consumer data was lost – the volume of which remains undisclosed. What we do know is the names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers on the eCommerce website have the potential of being in unauthorized hands. And right now if you view their Web page it’s ironic to see that they’re still “Hacker Safe” (acquired by McAfee). Oh well, just the continuance of a trend.

Anurag also posed a good question about the Geeks.com incident related to PCI, “Should ScanAlert be revoked of their PCI Scanning abilities?” A fair question and probably one we won’t know the answer to for some time – which in and of itself is an answer. We also don’t know if Geeks.com was “PCI Certified” at the time of the incident, who their auditor was, or anything like that. What we do know is they automatically become a Tier-1 merchant, which carries a certain cost impact with it.

Once Geeks.com gets done with the incident response fire drill (expensive), PCI compliance is going to cost a lot more. Before it was just a quick quarterly scan and a questionnaire. Now they’re going to have to do a lot more and get it all signed off by a QSA. Incidents like these are going to bite more and more small to midsized merchants hard in the pocket book - especially since PCI compliance really doesn't make a website harder to hack. I don’t think anyone has really done an analysis on the PCI costs after the fact, have they?

Calling all Web Hacks of 2007

As RSnake, Robert Auger, and I did in 2006, we’ll be putting together a Top 10 Web Hacks for 2007. The difference this time will be that it’ll be open to a public vote! Everyone will get a chance to weigh in on what they think the Top Ten for this year should be. Hey why not, it is an election year. :) To be clear, the “hacks” we’re interested in are the new techniques released over the last year - we’re not talking compromises or “incidents”, but the real research behind it all.

The hardest part is collecting a rather complete list of references to vote on, since they’re all over the place, so that’s the reason for this post. Below is what I’ve gathered so far, and if you know of others, please comment them in with the title and link and I’ll add them. In the next few days the list will be compiled and I’ll create an open survey.


HScan Redux
ISO-8895-1 Vulnerable in Firefox to Null Injection
Firefox Save As Complete Issue
MITM attack to overwrite addons in Firefox
Microsoft ASP.NET Request Validation Bypass Vulnerability
Non-Alpha-Non-Digit 3
Steal History without JavaScript
Port Scan without JavaScript
Login Detection without JavaScript
Anti-DNS Pinning ( DNS Rebinding ) : Online Demonstration
Username Enumeration Timing Attacks (Sensepost)
Google GMail E-mail Hijack Technique
Recursive Request DoS
XSS Vulnerabilities in Common Shockwave Flash Files
Anti-DNS Pinning in the News!
Exaggerating Timing Attack Results Via GET Flooding
Initiating Probes Against Servers Via Other Servers
Effects of DNS Rebinding On IE’s Trust Zones
Paper on Hacking Intranets Using Websites (Not Web Browsers)
More Port Scanning - This Time in Flash
Res:// Protocol Local File Enumeration
Res Timing Attack
IE6.0 Protocol Guessing
IE 7 and Firefox Browsers Digest Authentication Request Splitting
Hacking Intranets Via Brute Force
Hiding JS in Valid Images
Internet Archiver Port Scanner
Noisy Decloaking Methods
Code Execution Through Filenames in Uploads
Cross Domain Basic Auth Phishing Tactics
Additional Image Bypass on Windows
Detecting users via Authenticated Redirects
Passing Malicious PHP Through getimagesize()
Turn Any Page Into A Greasemonkey Popup
Enumerate Windows Users In JS
Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH
Iframe HTTP Ping
Read Firefox Settings (PoC)
Stealing Mouse Clicks for Banner Fraud
(Non-Persistent) Untraceable XSS Attacks
Inter Protocol Exploitation
Detecting Default Browser in IE
Bypass port blocking in Firefox, Opera and Konqueror.
LocalRodeo Detection
Image Names Gone Bad
IE Sends Local Addresses in Referer Header
PDF XSS Can Compromise Your Machine
Universal XSS in Adobe’s Acrobat Reader Plugin
Firefox Popup Blocker Allows Reading Arbitrary Local Files
IE7.0 Detector
overwriting cookies on other people’s domains in Firefox.
Embeding SVG That Contains XSS Using Base64 Encoding in Firefox
Firefox Header Redirection JavaScript Execution

Saturday, January 05, 2008

New Flash XSS technique (thousands of websites at risk)

This week I spent a good amount of time studying the recently disclosed attack technique involving XSS issues in common Shockwave Flash files. At first I thought, “eh, looks cool, but probably just some theoretical edge case”. Then in working with white paper author Rich Cannings I came to understand that the details are more complex than I originally gave them credit for. Apparently the scope of the problem is easy to underestimate, with potentially hundreds of thousands of websites at risk (right, as if we needed more XSS to deal with). The other thing is that reasonably workable fixes are going to be a long time coming.

In many ways the issue is similar to that of Adobe’s Universal XSS problem from last year. At its simplest, this issue describes that vulnerable Flash files can be used to XSS the hosting domain. The URL would look something like this:

http://example/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//

The URL looks a little different than the XSS exploits we’re used to, but is still straightforward enough to understand. So I went to test on www.whitehatsec.com, since we use some Flash, and tried to get some of the paper’s PoC working, much of it researched by Flash hacking extraordinaire Stefano Di Paola. I wasn’t having any luck and couldn’t tell if I was doing something wrong or we weren’t vulnerable, so I asked Rich for some assistance. Turns out the latter was true, but I also learned that just because a website is hosting a Flash file doesn’t automatically mean it’s XSS’able, or XSS’able in the same way as another.

Vulnerable Flash files are primarily generated in one of two ways:

1) A Flash authoring tool inserts some generic ActionScript that’ll execute arbitrary JavaScript.

2) Commonly used Flash file design patterns also leave room for the same XSS problem. If you read the white paper, Flash developers need to perform the same input validation as web application developers.

Solutions where things get tricky…

- Patch the Flash authoring tools - a half dozen tool vendors have been notified, with fixes available. The challenge is that this requires all Flash developers to not only patch, but also regenerate their files and update them on the server. Also, website owners often do not develop their own Flash and rely upon third-party marketing firms who must be contacted. As a result, this process will take significantly longer.

- Users update their Flash player – Based on the nature of the issue, I’m not certain how much benefit there is to this, but might as well patch anyway if there is one available.

- Disable or block Flash content – I think most people reading this probably already do some form of Flash blocking, but everyone else is simply not going to.

- Remove Flash files from the Web – Sure, this could work in some cases; in others it’s easier said than done. Some websites are completely reliant upon Flash and removal is out of the question. Others use Flash simply for advertising purposes, and those are going to be difficult to just arbitrarily delete as well.

- Move Flash files to a secondary domain – just as is recommended with all third-party / user generated / untrusted content. This solution has promise as it sets up some domain barriers in the event a vulnerable Flash file shows up linked from your website.

Vulnerability identification is another area of significant interest…

Because this issue is NOT a universal XSS, as is the case with the Adobe PDF bug, issues are going to be harder to track down. We’re going to have to figure out ways to decompile/reverse engineer Flash files to determine what authoring tool was used, and update our vulnerability scanners so that Flash files can be tested in much the same ways as a web application. This is going to be interesting. Welcome to 2008 everyone, Web 2.0 hacking abounds.
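As an added illustration (my own code, not from the white paper or this post), here is a Python sketch of the two defender-side tasks the post raises: the input validation a Flash developer owes a skinName-style parameter (point 2 above), and the identification problem of spotting requests that push a script-capable scheme into a .swf parameter, run over constructed access-log lines. The function names, the log lines and the scheme list are assumptions of mine.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Schemes that, once they reach getURL()/asfunction inside a Flash file, run
# script in the hosting page's origin (assumed list, not from the paper).
SCRIPT_SCHEMES = ("asfunction:", "javascript:", "vbscript:", "data:")

# Constructed sample log lines in common log format; line 2 carries the
# skinName payload shape from the post, line 4 a URL-encoded variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2008:10:00:01] "GET /player/FLVPlayer_Progressive.swf'
    '?skinName=skins/Clear_Skin_1.swf HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jan/2008:10:00:02] "GET /player/FLVPlayer_Progressive.swf'
    '?skinName=asfunction:getURL,javascript:alert(1)// HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jan/2008:10:00:03] "GET /index.html'
    '?skinName=asfunction:foo HTTP/1.1" 200 1024',
    '10.0.0.7 - - [05/Jan/2008:10:00:04] "GET /player/FLVPlayer_Progressive.swf'
    '?skinName=%20JavaScript%3Aalert(1) HTTP/1.1" 200 512',
]

# Allow-list: relative path segments of safe characters, ending in .swf.
# No scheme, no leading slash, no dots outside the extension (so no "..").
SAFE_SKIN = re.compile(r"(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.swf", re.IGNORECASE)


def is_safe_skin_path(value: str) -> bool:
    """Hypothetical validator for a skinName-style FlashVar/query value."""
    return SAFE_SKIN.fullmatch(unquote(value)) is not None


def flagged_swf_requests(log_lines):
    """Return (line_no, swf_path, param) for requests to .swf files whose
    query string carries a script-capable scheme in any parameter value."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.lower().endswith(".swf"):
            continue
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            # unquote again so a double-encoded value is still caught
            if unquote(val).lower().lstrip().startswith(SCRIPT_SCHEMES):
                hits.append((n, parts.path, key))
    return hits


if __name__ == "__main__":
    for hit in flagged_swf_requests(SAMPLE_LOG):
        print("suspicious .swf request: line %d %s param %s" % hit)
```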