Attacking PHP weak PRNGs: mt_srand and not so random numbers
Posted 8/17/08 by Robert from the 'rand() 4 lyfe' department

Stefan Esser has written a great article on attacking PHP PRNGs. From the article: "PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function and the second one is an implementation of the Mersenne Twister pseudo random number generator. Both of these..."

Link to this Story: http://www.cgisecurity.org/2008/08/attacking-php-w.html
Attacking PHP weak PRNGs: mt_srand and not so random numbers
Link: Have a Site Suggestion, Material Request, or News? Submit it!
News RSS Feed: Web Security news RSS Feed
Discuss this article    Find Related Stories
Tools: Grendel Scanner a new Web Application Security Scanner
Posted 8/12/08 by Robert from the 'new tools' department

While attending Defcon I got to check out a talk on a new web application security scanner called Grendel scanner. For those of you who don't know, I used to work at SPI Dynamics on the WebInspect product (now part of HP), and I have to say it is one of the more impressive looking open source options out there.

Read the rest of this entry on the new site!

Article Link: http://www.cgisecurity.org/2008/08/affiliate-progr.html
Link to this Story: http://www.cgisecurity.org/2008/08/tools-grendel-s.html
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
Posted 8/4/08 by Robert from the 'sitting on shit sucks' department

After a long wait I have published a CSRF attack use case I've been sitting on for a while. This entry can be located on our new beta site http://www.cgisecurity.org/. From the post:

"The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most view affiliate programs as a great way to monetize their traffic by strategically placing a few links on their sites.

Affiliate programs generally operate by associating a web visitor with a particular affiliate when the visitor has followed a custom link provided by the affiliate. This custom link will contain some sort of identifier that instructs the site how traffic was directed towards them. After visiting the link an association is made (typically via a cookie) with that user's session on the destination site. This association might last for a few minutes to a month depending on the business requirements of the program."

Article Link: http://www.cgisecurity.org/2008/08/affiliate-progr.html
Site News: New Design and beta site!
Posted 7/30/08 by Robert from the 'romain's elite design skills' department

The time has finally come to switch hosters as well as site designs. I have set up a new beta site at cgisecurity.org and, thanks to Romain, we have a new kickass site design. Below is an outline of the changes between the two.

- Added RSS descriptions (previously we only supported the titles)
- Added Atom and RSS2.0 Feed support
- Ability to post comments
- Tagging
- Cleaner UI
- Scrolling recent posts

I expect the site to be fully migrated sometime in August. If the site seems buggy or you have some feedback, please let me know.

DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer
Posted 7/16/08 by Robert from the 'Biting the hand that feeds it' department

"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit it before overlords of the domain name system had a chance to fix it.

That hasn't stopped researcher Halvar Flake from posting a hypothesis that several researchers say is highly plausible. It describes a simple method for tampering with DNS name servers that get queried when a user tries to visit a specific website. As a result, attackers would redirect someone trying to visit a site such as bankofamerica.com to an impostor site that steals their credentials." The Register

Halvar's guess is located at http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html

Reading more

"It would also demonstrate the difficulty researchers like Kaminsky face in trying to keep the specifics of a vulnerability quiet. While Flake is highly respected in security circles, he admits his knowledge of DNS is limited. He had to spend time reading a "DNS-for-dummies" text to get up to speed.

If a few weeks was enough for him to come up with an attack scenario, plenty of less scrupulous hackers almost certainly will be able to do the same thing, calling into question whether it's realistic to limit vulnerability disclosure in the way Kaminsky has proposed.

"It's the universal opinion of the research community that it's not a reasonable request," said Thomas Ptacek, a researcher at Matasano who is critical of the admonition against other researchers publicly discussing the flaw. Ptacek and several other researchers have received a briefing from Kaminsky in exchange for a promise not to discuss it publicly, a condition he says is perfectly OK." TheReg

Shortly after Halvar's posting, Matasano Chargen's Thomas Ptacek (the guy quoted above by The Register) leaked the details on his site, then removed them shortly after, as discussed at http://it.slashdot.org/article.pl?sid=08/07/21/2212227. Luckily a friendly Slashdot reader mirrored the post at http://darkoz.com/?p=1.

I guess Thomas (having violated the trust of someone he knows) felt bad enough about disclosing Dan's research after Dan asked him not to that he posted a response to leaking the vuln details (http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/). If you enjoy security drama/theater I'd suggest reading the replies.

TheRegister Entry: http://www.theregister.co.uk/2008/07/21/dns_flaw_speculation/
Spring Framework vulnerabilities
Posted 7/16/08 by Robert from the 'sprung' department

Michelle let us know about the following story on TechTarget.

"A recent security assessment of an application by Ounce Labs has resulted in the discovery of two vulnerabilities that can affect Java Web applications that use the Spring Framework.

Spring has been downloaded more than 5 million times to date, which means the security vulnerabilities identified could affect countless companies that use this framework.

SpringSource has also posted an FAQ on its site to help users determine if they're at risk and what to do to prevent exploitation. "

Article Link: http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1321417,00.html
GRSecurity Author Outlines Lack of Full Vulnerability Disclosure by Linux Kernel Developers
Posted 7/16/08 by Robert from the 'If you don't know, now you know, !@#$!' department


The following email was sent to the full disclosure mailing list today by Brad Spengler, the author of GRSecurity.

"I doubt many of you are following the "discussions" (if they can be called that) that have been going on on LWN for the past couple weeks regarding security fixes being intentionally covered up by the Linux kernel developers and -stable maintainers. Here are some references:

http://lwn.net/Articles/285438/
http://lwn.net/Articles/286263/
http://lwn.net/Articles/287339/
http://lwn.net/Articles/288473/
http://lwn.net/Articles/289805/

The Linux kernel has a formal policy in Documentation/SecurityBugs which states under Section 2 Disclosure: "We prefer to fully disclose the bug as soon as possible."

However, their policy in reality is quite different, as you can see for yourself in the "discussion" going on now on LKML:

http://marc.info/?t=121507404600023&r=1&w=2

Some choice quotes from Linus that reflect how sad the current state is: http://marc.info/?l=linux-kernel&m=121617056910384&w=2
(on commenting about what he would allow to be included in a commit message) "I literally draw the line at anything that is simply greppable for. If it's not a very public security issue already, I don't want a simple "git log + grep" to help find it."

http://marc.info/?l=linux-kernel&m=121613851521898&w=2
(when talking about the security backports Linux vendors provide for customers) "And they mostly do a crap job at it, only focusing on a small percentage (the ones that were considered to be "big issues")"

They seem to have the impression that people who find and exploit kernel vulnerabilities rely on the commit messages fixing the vulnerability including some mention of security. As it should be clear to anyone actually involved in the security community, or anyone who has ever written an exploit (particularly for the myriad silently fixed vulnerabilities in Linux), this is far from reality. The people who *do* rely on these messages and announcements however are the smaller distributions and individual users. Yet Linus et al believe they're helping you by pulling the wool over your eyes regarding the exploitable vulnerabilities in their OS.

To illustrate the point, in the 2.6.25.10 kernel, the following fix was included with the commit message of:
Roland McGrath (1):
x86_64 ptrace: fix sys32_ptrace task_struct leak

The kernel was released with no mention of security vulnerabilities in the announcement, only "assorted bugfixes".

Put simply, it only took about an hour or so to develop a PoC for this exploitable vulnerability which affects 64bit x86_64 kernels since January. So since the time of the fix itself (or even before that if someone spotted it before the kernel developers did themselves) users have been at risk. Yet in the imaginary world they live in, these kernel developers think they're protecting you from that risk by not telling you what you're vulnerable to.

Please let them know what you think of their policy of non-disclosure and coverups. I hope someone also educates them on their ridiculous notion of "untrusted local users" like Greg uses in his announcement of the 2.6.25.11 kernel: http://lwn.net/Articles/289804/

If you remain complacent about the state of affairs, you're only enabling them to continue their current misguided foolishness.

-Brad"

Email Thread Link: http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0275.html
Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
Posted 7/15/08 by Robert from the 'dollars and cents' department

"This paper draws attention to how the use of common programming APIs and practices could lead to flaws in the processing of numeric data, which could in-turn allow attackers to manipulate the outcome of transactions or otherwise interfere with the accuracy of calculations.

It discusses the technical vulnerabilities typically observed in both the validation and processing of numeric data that could expose an organisation to unmanaged risk. It is intended for a technically literate audience involved in developing or testing financial applications, and to provide technical insight to those responsible for their management.

The vulnerabilities are presented with source code examples, suggestions on how to identify the flaws during the testing phases and recommendations for mitigating the risk. "

Article Link: http://research.corsaire.com/whitepapers/080715%20-breaking-the-bank-numeric-processing.pdf
Fallout From the Fall of CAPTCHAs
Posted 7/15/08 by Robert from the 'trashed captcha's' department

"CAPTCHA went from relatively obscure security measure perfected in 2000 by researchers at Carnegie Mellon University to deployment by most of the major Web e-mail sites and many other Web sites by 2007. Sites such as Yahoo Mail, Google's Gmail and Microsoft's Hotmail all used -- and, for that matter, continue to use -- CAPTCHA to make sure that only human beings, not bots, could get accounts or make postings.

Those days are long gone.

By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open in April. Hotmail's top got popped during the same month.

And then things got bad. "

Article Link: http://www.computerworld.com.au/index.php/id;489635775;fp;;fpid;
OWASP/WASC Party at Blackhat in Las Vegas
Posted 7/10/08 by Robert from the 'drinking beers and talking shop' department

WASC and OWASP are throwing a party this year during Blackhat at the Shadow Bar, sponsored by Breach.

This will be the 3rd party at the Shadow Bar, and the 2nd joint WASC/OWASP conference. If you want to chat appsec, this is where everyone in appsec will be.

Widescale DNS flaw discovered
Posted 7/8/08 by Robert from the 'UDP 4 lyfe' department

A pretty nasty DNS vulnerability has been discovered in 81 products by Dan Kaminsky. This vulnerability type seems to be the same as the one described by Amit Klein and involves abusing the PRNG that generates the transaction IDs used in DNS queries. Long story short, if you run a vulnerable caching DNS server you can have your cache poisoned. From CERT:

"The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations. Amit Klein researched several affected implementations in 2007."
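
As an added example (mine, not from the CERT note or this post), here is a small Python check that pulls the 16-bit transaction ID out of DNS query headers and flags a sample whose IDs step by a constant, the kind of weak implementation the note refers to; the 32,768 figure it reports is the average number of guesses against a uniformly random 16-bit field. The header bytes and both ID lists are constructed for this example and were not captured from any real resolver.

```python
import struct
from collections import Counter

# Constructed sample ID sequences (not captured from any real resolver):
# one that steps by a constant, one chosen by hand to look scattered.
SEQUENTIAL_IDS = [0x1000 + i for i in range(12)]
SCATTERED_IDS = [0x9f3a, 0x02c7, 0xe411, 0x7b80, 0x3d5e, 0xc0a9,
                 0x5612, 0xa8f4, 0x1e93, 0xf72b, 0x4c06, 0x8dd8]


def make_query_header(txid, qdcount=1):
    """Build a 12-byte DNS header (ID, flags, QD/AN/NS/AR counts) for a
    standard recursive query carrying the given 16-bit transaction ID."""
    flags = 0x0100  # RD bit set, opcode QUERY
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)


def parse_txid(packet):
    """Return the transaction ID from the first two bytes of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]


def assess_ids(ids, bits=16):
    """Heuristic check of an ID sample taken from one resolver.

    Flags the sample as predictable when most consecutive differences are the
    same constant (a counter and a fixed ID both trip this). Also reports how
    many guesses a uniformly random field of `bits` bits costs on average, so
    the observed spread can be compared with the ideal the CERT note describes."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    mask = (1 << bits) - 1
    deltas = [(b - a) & mask for a, b in zip(ids, ids[1:])]
    step, freq = Counter(deltas).most_common(1)[0]
    predictable = freq >= 0.75 * len(deltas)
    return {
        "samples": len(ids),
        "distinct": len(set(ids)),
        "predictable": predictable,
        "common_step": step if predictable else None,
        "avg_guesses_if_uniform": 1 << (bits - 1),
    }


def assess_capture(packets, bits=16):
    """Convenience wrapper: parse IDs out of raw query messages, then assess."""
    return assess_ids([parse_txid(p) for p in packets], bits)


if __name__ == "__main__":
    for name, ids in (("sequential", SEQUENTIAL_IDS), ("scattered", SCATTERED_IDS)):
        report = assess_capture([make_query_header(i) for i in ids])
        print(name, report)
```

The `bits` argument lets the same check be run against an implementation that, as the note says, uses fewer than 16 bits for the ID; a real assessment needs far more than a dozen samples, but even a handful exposes a counter.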

Dshield has a great explanation.

Article Link: http://isc.dshield.org/diary.html?storyid=4687
CERT Advisory with list of affected vendors: http://www.kb.cert.org/vuls/id/800113
Most Corporations Lack Proper SDLC
Posted 7/8/08 by Robert from the 'SDLC 4 lyfe' department

"The current state of secure software development by corporations both large and small is a mess.

Software vendors need to realize that they must begin exercising due diligence when producing their software products. Microsoft dedicated itself to secure development practices some years ago, yet its developers are still taking months to fix reported vulnerabilities. If an industry giant like Microsoft cannot get a grip, it really does not bode well for the rest of the industry.

While many companies make a passing attempt at improving their software products all too often other pressures win out. Software companies that will delay a products launch for the sake of a code audit, third-party threat testing, or an extended quality-assurance (QA) cycle are few and far between. Sadly, the secure development life cycle (SDLC) is not always adhered to by the software vendors, and the first casualty in this process is typically quality assurance." - Securityfocus

Part of my job involves creating an SDLC for the company I work for. Having spoken with many companies both large and small, I agree with this article that most companies haven't figured out proper integration of security testing into development and QA. I consider this sort of initiative to still be fairly new to the industry with lots of room for improvement. The real challenge is finding the right balance for your specific development organization, and understanding that one approach does not fit all, even within the same company.

Article Link: http://www.securityfocus.com/columnists/476
Jason Taylor on Security Testing
Posted 7/7/08 by Robert from the 'security testing' department

Microsoft has a decent article on security testing for CSRF worth checking out.

"Tester Question: What is a cross-site request forgery attack? How do I test our website to see if it is vulnerable to this attack?"

Article Link: http://msdn.microsoft.com/en-us/testing/cc664492.aspx
Sony PlayStation's site SQL injected, redirecting to rogue security software
Posted 7/3/08 by Robert from the 'pwned like a noob' department

"The latest high trafficked web site to fall victim into the continuing waves of massive SQL injection attacks courtesy of copycats and the ASProx botnet, is Sony's PlayStation U.S site according to a recent post at SophosLabs's blog" - ZDNet

Article Link: http://blogs.zdnet.com/security/?p=1394
Firefox 2.0.0.15 Addresses Multiple Security Issues
Posted 7/3/08 by Robert from the 'patch your shit' department

Firefox 2.0.0.15 was released addressing the following security issues.

MFSA 2008-33 Crash and remote code execution in block reflow
MFSA 2008-32 Remote site run as local file via Windows URL shortcut
MFSA 2008-31 Peer-trusted certs can use alt names to spoof
MFSA 2008-30 File location URL in directory listings not escaped properly
MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24 Chrome script loading from fastload file
MFSA 2008-23 Signed JAR tampering
MFSA 2008-22 XSS through JavaScript same-origin violation
MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)


Make sure you go to your Help menu and 'Check for Updates' to ensure you're protected.

Download Link: http://www.mozilla.com/en-US/firefox
Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security
Posted 7/2/08 by Robert from the 'eating linux zealots alive' department

"In this interview, cloudsecurity.org talks to Guido van Rossum about Python, Google App Engine and security.

Guido is the creator of the Python programming language and more recently, Google App Engine team member. His involvement with the App Engine project was pretty late - the code "was almost ready for release" when he got involved. The security architect of App Engine was primarily project lead, Kevin Gibbs, supported by the rest of the App Engine crew and the Google Security Team."

Article Link: http://cloudsecurity.org/2008/07/01/cloudsecurityorg-interviews....
Microsoft outlines extensive IE8 security improvements
Posted 7/2/08 by Robert from the 'eating linux zealots alive' department

Microsoft has posted a very extensive article outlining the security improvements in IE8. Improvements have been made in the following areas:

- Cross-Site-Scripting Defenses
- Safer Mashups (HTML and JSON Sanitization)
- MIME-Handling Changes (Restrict Upsniff and Sniffing Opt-Out)
- Add-on Security
- Protected Mode
- Application Protocol Prompt
- File Upload Control
- Social Engineering Defenses
- Address Bar Domain Highlighting Improvements
- SmartScreen Phishing Filter

From the blog

"Hi! I'm Eric Lawrence, Security Program Manager for Internet Explorer. Last Tuesday, Dean wrote about our principles for delivering a trustworthy browser; today, I'm excited to share with you details on the significant investments we've made in Security for Internet Explorer 8. As you might guess from the length of this post, we've done a lot of security work for this release. As an end-user, simply upgrade to IE8 to benefit from these security improvements. As a domain administrator, you can use Group Policy and the IEAK to set secure defaults for your network. As web-developer, you can build upon some of these new features to help protect your users and web applications.

As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don't provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits."

Article Link: http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
Today's the day! PCI DSS section 6.6 is required
Posted 6/30/08 by Robert from the 'out of time' department

"Today, June 30, marks the start of new revisions on the PCI DSS specs. Section 6.6 is now required, specifically companies who deal with credit or debit cards online must use an application layer firewall or have a complete website audit code review to remain PCI compliant.

With all the stolen and lost data in the news recently, the beef up of section 6.6 addresses one of the growing causes for PCI compliance failure. “PCI DSS Requirement 6.6 provides two options that are intended to address common threats to cardholder data and ensure that input to web applications from untrusted environments is inspected “top to bottom.” The details of how to meet this requirement will vary depending on the specific implementation supporting a particular application. Forensic analyses of cardholder data compromises have shown that web applications are frequently the initial point of attack upon cardholder data, through SQL injection in particular,” The PCI Security Standards Council stated." - TheTechHerald

Article Link: http://www.thetechherald.com/article.php/200827/1354/Today-s-the-day-PCI-DSS-section-6-6-is-required
OFF Topic: A farewell to Bill gates
Posted 6/27/08 by Robert from the 'now what will microsoft do?' department

Today marks Bill Gates' last day working in technology at Microsoft. To celebrate this day I've created this tribute to Bill from different moments in his life.

Bill Gates, age 13, with Paul Allen

Bill with the Microsoft Jr. Mafia

Bill likes to drive way too fast

Bill enjoying some pie

Bill Gates fighting Steve Jobs

Last but not least, Bill Gates likes turtles


Tools: Microsoft Announces Three Tools to help prevent SQL Injection
Posted 6/25/08 by Robert from the 'Prepared Statements 4 lyfe' department

"On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks.

In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits. At the time Microsoft insisted it was not the result of a vulnerability, but lack of best practices on the sites themselves.

The tools released Tuesday are designed to help Web developers mitigate against such attacks. "

There is also a thread on the websecurity list discussing these tools.

HP Scrawlr Download: http://www.communities.hp.com/securitysoftware/blogs/....
URLScan Version 3.0 beta Download: http://learn.iis.net/page.aspx/473/using-urlscan
MSCASI SQL Source Code Analysis Tool Download: http://support.microsoft.com/kb/954476

Article Link: http://news.cnet.com/8301-10789_3-9976521-57.html
Additional Info Link: http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx
Ruby creators warn of serious flaws
Posted 6/24/08 by Robert from the 'vulnerabilities on rails' department

"The Ruby programming language, which has become popular as the basis for web 2.0 sites such as Twitter, contains serious security flaws that could allow attackers to take over an organization's web server, according to the Ruby development team.

The "disturbing" flaws, which were disclosed on Friday, could affect nearly any typical Ruby-based web application, according to Thomas Ptacek, founder of security firm Matasano.

The five bugs affect Ruby version 1.8 up to 1.8.7-p21 and version 1.9 up to 1.9.0-1, according to the Ruby development team.

Users can remedy the problem by upgrading to a patched version of Ruby, developers said, with patches available on the Ruby language site. "

Ruby Website: http://www.ruby-lang.org/en/
Article Link: http://www.itworld.com/development/53286/ruby-creators-warn-serious-flaws
Securityfocus interview with Mozilla security team
Posted 6/23/08 by Robert from the 'Q&A' department

"Mozilla released its latest browser, Firefox 3.0, this week. SecurityFocus contributor Federico Biancuzzi tracked down two key members of Mozilla's security team, Window Snyder and Johnathan Nightingale, to learn more about the security features included in this major release.

They discussed the protection against phishing and the new malware protection, the new update mechanism for add-ons, Mozilla's security policies and processes, and the hardening of their Javascript implementation."

Interview Link: http://www.securityfocus.com/columnists/475
My current stance on Web Application Firewalls
Posted 6/19/08 by Robert from the 'WAF rants' department

Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points; however, there is one in particular I'm going to have to disagree with, and that relates to using web application firewalls. For many years I've been anti-WAF, and as a general rule I do not promote using them. To provide you with some context, I worked on a WAF product at SPI Dynamics (now HP) called WebDefend that ended up never being released. Part of my job was writing signatures and finding ways to abuse it.

I have warmed up to the idea that WAFs can be good in very specific situations only. I've always been the first to bark 'Don't block the problem, fix the problem!' whenever WAFs have been discussed, and as far as I'm concerned using a WAF generically to protect your site isn't a good security solution. The one use case for WAFs that I do see involves using a WAF to block *specific known attacks* against specific parameters until the proper fix is rolled out. Unfortunately I can see many people not fixing the issue and relying on the WAF rule entirely to 'address the issue', and I completely disagree with this approach. It is also important to understand that WAFs will not be able to block many attack types.

If you want to roll out a WAF at your company you're going to have to set appropriate expectations as to what WAFs are and aren't, as well as when you should use them. Don't just buy them because PCI says if you buy one you'll be compliant and ignore the real problem.

To be clear I'm saying that

- WAFs are a temporary band-aid for a known issue and not a long-term solution.
- Depending on the vuln/site, it may take hours to track down the issue and provide a solid fix. For larger sites it isn't always as simple as editing a single ASP/JSP/PHP file.
- Until it is fixed you have two options: shutting down that part of the site, or applying a temporary filter against the known bad parameter. I'm not going to tell you which approach to take, as this depends on your specific case.
- If you wish to use a WAF filter, chances are you're not always going to be able to use a generic signature. You need the expertise available to rewrite rules and beat on proposed filters to ensure evasion use cases don't creep up.
- WAFs will not block all attack types (see the WASC Threat Classification v1 for a decent-sized list. Note: this list will double in size once Version 2 is released).
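As an added illustration of the "temporary filter against the known bad parameter" approach in the list above (example code written for this page, not from the post or from any WAF product), the rule below scopes itself to one hypothetical endpoint and parameter, decodes the value the way a backend would, and is gated by a constructed set of evasion and benign cases that must pass before the rule is deployed.

```python
import re
import urllib.parse

# Hypothetical scope (not from the post): one endpoint, one parameter that
# is known to be injectable until the real application fix ships.
PATCHED_ENDPOINT = "/search"
PATCHED_PARAM = "q"

# Narrow signature for the one known attack class: SQL comment sequences
# and the classic numeric tautology (OR 1=1, OR '1'='1').
SIGNATURE = re.compile(r"(?i)(--|/\*|\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+)")


def normalize(value: str) -> str:
    """Decode the value the way the backend would (repeated URL decoding,
    whitespace collapsed) so encoded variants meet the same signature."""
    prev = None
    while prev != value:
        prev, value = value, urllib.parse.unquote_plus(value)
    return re.sub(r"\s+", " ", value)


def should_block(path: str, query: str) -> bool:
    """True only when the request hits the patched endpoint and the
    patched parameter carries the known pattern; everything else passes."""
    if path != PATCHED_ENDPOINT:
        return False
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return any(SIGNATURE.search(normalize(v))
               for v in params.get(PATCHED_PARAM, []))


# Constructed test traffic: evasion variants the rule must still catch,
# and benign requests it must not touch. Re-run after every rule rewrite.
EVASION_CASES = [
    "/search?q=1'%20OR%20'1'='1",         # URL-encoded spaces
    "/search?q=1'%2520OR%2520'1'%3D'1",   # double URL-encoded
    "/search?q=1'+oR+1%3D1--",            # mixed case, plus-as-space, comment
]
BENIGN_CASES = [
    "/search?q=network+firewalls",        # ordinary search term
    "/search?page=2&q=oregon",            # "or" inside a word, not a keyword
    "/about?q=1'%20OR%20'1'='1",          # other endpoint: out of scope
]


def rule_passes_tests() -> bool:
    def check(url: str) -> bool:
        path, _, query = url.partition("?")
        return should_block(path, query)
    return (all(check(u) for u in EVASION_CASES)
            and not any(check(u) for u in BENIGN_CASES))
```

The point of the harness is the last list item above: every rewrite of the rule is beaten on with the encoded and mixed-case variants before it goes live, and a rule that starts matching benign traffic fails the same gate.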

Anyhow check out Andre's post below.

"I wanted to do a post about “what web application security really is” because plenty of people out there don’t get it. They understand that “security attacks are moving from hosts to the Web”, but they have no idea what that means. To most people, web application security is the same thing as website security. I see people trying to approach web application security in the same way that they have tried host security in the past: penetrate (web application security scanner) and patch (web application firewall) — which won’t work."

Rant Link: http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is
Link to this Story: My current stance on Web Application Firewalls
JavaScript Code Flow Manipulation, and a real world example advisory - Adobe Flex 3 Dom-Based XSS
Posted 6/19/08 by Robert from the 'Long news story title' department

"We recently researched an interesting DOM-based XSS vulnerability in Adobe Flex 3 applications that exploits a scenario in which two frames (parent & son) interact with each other, without properly validating their execution environment.

In our research, we have seen that in some cases, it is possible to manipulate JavaScript code flow, by controlling the environment in which it runs. Specifically, we managed to return hacker-controlled boolean values to conditional statements, and by that force the application to be vulnerable to an existing DOM-based XSS, which was otherwise unexploitable.

The advisory presented herein is a real-world example of the research mentioned above and contains two XSS variants, the second of which makes use of the JavaScript Flow Manipulation technique."

Advisory Link: http://blog.watchfire.com/wfblog/2008/06/javascript-code.html
Paper: The Extended HTML Form attack revisited
Posted 6/18/08 by Robert from the 'everything old is new again' department

"HTML forms (i.e. <form>) are one of the features in HTTP that allows users to send data to HTTP servers. An often overlooked feature is that due to the nature of HTTP, the web browser has no way of identifying between an HTTP server and one that is not an HTTP server. Therefore web browsers may send this data to any open port, regardless of whether the open port belongs to an HTTP server or not. Apart from that, many web browsers will simply render any data that is returned from the server. One thing to keep in mind is that HTML forms can be hosted on one website (attacker’s website) and send data to an open port on a victim server.

When an attacker can control what is returned by the server, the victim becomes vulnerable to security issues such as Cross Site Scripting. In the case of HTTP servers, this is a well-known issue and therefore modern web servers do not exhibit this behavior by default. However, this is not the case with other kinds of servers such as SMTP (Simple Mail Transfer Protocol) or FTP (File Transfer Protocol) servers; often these servers will echo back error messages containing user input. When this user input can be controlled by the attacker, bad things can happen."

Paper Link: http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf
Copyright 2000-2007 Cgisecurity.com.
The oldest application security website. Providing Web Security news since 2000. Information contained on this website may not be copied without explicit permission.