Romain | Wednesday, August 8 2007 - 18:37 UTC | Vulnerabilities
Protecting against Cross-Site Request Forgery
(CSRF) is something that we tend to see everywhere now.
What we usually see is a solution with a token in the form pdp described this a couple of months ago here: Preventing CSRF. Now, the problem is when you don't have dynamic pages, when you are stuck with static HTML pages but you can use JavaScript! Of course, the first reflex when you want to prevent CSRF is to use only POST variable when you send data, this make the attack a little harder.
I started thinking of this because I had this problem: I had static pages that are using Ajax to send data using POST. I talked with Stefano Di Paola about this (because my problem was not only CSRF, but also parameter tampering...). We both conclude on the following Ajax based solution:
So you need 3 files:
You can find the demo here: anti-csrf/index.html
wwwCall is a very small module for Python (tested under python 2.5 but should be okay for python >= 2.3) which handle the HTTP(S) connection with some special features like proxy, cookies, authentification (basic, digest). This morning, I was working on Grabber and I just realized how ugly the code was, mostly because of how I handled the web connections, so I decided to create a simple module to do the job easily. The idea is to have a single object handling some basic function of the python urllib2.
If you have ever use Python for doing web calls, you'll see that the utilization is damn simple and I think, pretty cool... Example:
# create the object
http = wwwCall('http://rgaucher.info')
# add the features you want (cookies,auth)
http.setCookieFile('./the_path/file.cookie')
# reaching a logging URL and saving the cookie
http.post("http://rgaucher.info/login.php",{'username' : 'foo', 'password' : 'bar'})
# register the username/password for the basic authentification
http.setAuthBasic("romain","mypassword")
# print the content of the protected page
print http.get("http://rgaucher.info/401protected").read()
Download: wwwCall.zip
So, I've been working on Grabber for a couple of months without a release now; it's mainly because I don't have that much time to work on it, but also because I made lots of modification. Today I added a couple of features:
This comes in addition on the previous features I added, mainly:
I cannot give a d-day for the release of the 0.2 version because I really want to have a more stable product and will feed some test suites I made at work the tool, to be sure it's reasonable (I will not give comparison results with commercial products :P). I also want to have a better spider...
Romain | Thursday, July 12 2007 - 14:12 UTC | Information
Coverage is a tool written in Python which allows you to track what functionalities/web pages are reached on your website. I use this tool for in my Web Apps Scanner evaluation methodology in order to know if the web apps scanner was able to scan every pages, every functionalities of my test apps.
Anyway, this tool is pretty easy to use even if it requires a MySQL database to store the EntryPoints of the application. Basically, you setup the database, you insert the entry points into your code and you run the python script which will generate an HTML report with SVG graphs, reporting the coverage of your application.
Here is a report example
The database design I used for storing the needed information is the following:
CREATE TABLE `coverage` ( `CoverageID` int(32) NOT NULL auto_increment, `Apps` varchar(128) character set utf8 collate utf8_unicode_ci NOT NULL, `Date` date NOT NULL, `EntryPoint` varchar(255) character set utf8 collate utf8_unicode_ci NOT NULL, `Origin` varchar(255) character set utf8 collate utf8_unicode_ci NOT NULL, PRIMARY KEY (`CoverageID`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;
** File Reached:
Touch_ + Name of the file with extension, example, Touch_Index.Php, Touch_Search.Php etc.
** Functionality Reached:
Name of the functionality + _ + Name of the file with extension, example, this sequence of entry points of
the page Login.php of a given application:
<?php
// ...
$origin = md5($_SERVER['HTTP_USER_AGENT']). '|' . date("j-m-y H:i");
?>
So, you will need to add, in your apps code, lots of entry points. I made a PHP source code to do that more easily:
<?php
class Coverage{
private $coverage_id = false;
private $coverage = null;
function __construct() {
$this->coverage_id = true;
$this->coverage = mysql_connect('192.168.1.3:3306', 'test', 'test');
mysql_select_db("test_collect");
}
function send($entryPoint){
if ($this->coverage) {
$origin = "";
$origin .= md5($_SERVER['HTTP_USER_AGENT']);
$origin .= ('|' . date("j-m-y H:i"));
$entryPoint = mysql_real_escape_string($entryPoint);
mysql_query("INSERT INTO coverage VALUES(NULL,'BankApp',NOW(),'$entryPoint','$origin')");
}
}
};
$coverage = new Coverage();
function register_EntryPoint($entryPoint) {
global $coverage, $supportCodeCoverage;
if ($supportCodeCoverage) {
$coverage->send($entryPoint);
}
}
?>
Insert this code in a header or something and call:
register_EntryPoint('Touch_MyFile.Php');
etc. in your code where you have functional difference.
To run the tool, you need to have:
example:
$ python coverage.py 2007-06-28 41942da0293d0b8afcfab4c2d10c2401 $ python coverage.py 2007-04-12
The script must be in the same directory of your files for now... you can download the archive here: coverage.zip
Romain | Wednesday, June 27 2007 - 15:53 UTC | Information
This is a really nice initiative from Christian and Ronald: http://planet-websecurity.org/
This is for now an aggregator for a couple of web security websites (really good ones).
This site will replace 7 rss I already have :)
Thanks guys
Make sure that your test case is correct!!!!!
Damn I'm stupid, I was working on Grabber on the session state management, and of course, I did a small test case with a couple of pages to be sure the spider can reach every pages. But, my test case was just stupid and calling twice my index make my session still alive, but the variables were set to an order just crazy and have the same effect as destroying the session.
Anyway, now it works! At least in the next Grabber release:
I don't know yet when I'm gonna release the version, I need to make sure it works correctly and is stable, I also need to create something to generate nice report (maybe simple XSLT sheets developer/user side) and I want to work more on the hybrid mechanism using different tools (fortify,pixy,php-sat,swaat...)
I already talked about source code scanners for PHP, and even run a simple test between SWAAT and PHP-SAT. Today, a new toy has been released: Pixy, so I decided to make it pass the test. The first test is really basic, having a quite small php source code with a bunch of possible faults: tests.php
So, you find the output of the tool here: out.pixy.result.txt
I first have to say that it's normal that the tool doesn't catch the header injection stuff, os command injection etc. it doesn't claim to do that. Pixy claims to find the Cross-Site Scripting and the SQL Injection. On that point, I would say pretty good job guy!
The tool catch all the possible Cross-Site Scripting in the echo functions, doesn't warn for the persistent XSS (line 34, the bad html injection would be inserted into the SQL database, if there is no output validation, there are Persistent XSS).
Even better on the SQL Injection where it found every thing I tagged as true-positive.
To conclude, I will definitely keep an eye on this tool which looks promising to me, I will also continue working on the PHP-SAT security configuration in order to make a solid vulnerability disclosure system.
Romain | Monday, June 18 2007 - 22:35 UTC | Information
After Watchfire acquired by IBM, it seems like HP would be close to SPI-Dynamics!
So, it will be likely IBM vs. HP vs. Cenzic vs. Acunetix... But Cenzic doesn't care, they have the "Fault Injection" patent ^^
Romain | Monday, June 18 2007 - 19:14 UTC | Information
Google has just released the so called "Safe Browser API" which allows everybody to know if a given url is known as a phishing website or malwares infested page. This service is already working with Firefox.
Romain | Sunday, June 17 2007 - 20:08 UTC | Discussion
As most of expatriate, I'm aware of what are the news in my country (France) by watching news websites, mostly, I'm watching France 24 which claims to be the French CNN... Anyway, I was watching some videos, and at the end, like on some websites I'm going (depending on if I have time etc.) I looked at how it works, if it has vulnerabilities etc.
Of course, it has some, I will not tell here because I didn't tell them yet, but you can find on the most easy way XSS. What's different with other websites? Nothing but they give information, so people trust them.
There are several types of websites, but I could say that their behavior fits in 3 different categories:
While XSS'ing that website, I thought that it could have a huge impact to be able to change information (we could have seen that with the story of Apple and the wrong news on eGadget...) . Of course, everybody reading this blog is aware of this, but I'm pretty sure that most of other people just think that vulnerabilities are used to get information, not to store.
So, nothing much here, just thought about how a simple SQL Injection, Permanent XSS, File Inclusion or even information/credentials disclosure could have a huge impact on the World :/
On that conclusion, I could say that the information websites and others security/integrity, as christian1 said month ago, belongs to theses companies! They must understand that without a real strict management of their security, their information could be stolen, replaced by bad people and they must be responsible of that since they are making lot of money on that...
Romain | Wednesday, June 6 2007 - 11:20 UTC | Information
And they plan to buy it: read the news here
In one of the last post, I made a comparison between two PHP Source Code Security Analyzers: SWAAT and PHP-SAT. The results was close to say that SWAAT was really better than PHP-SAT.
I started working on the configuration of PHP-SAT and it looks to be quite powerful (well, after talking with Eric Bouwers, I'm waiting for the next release) and I think I will be able to have good results with combining a security oriented configuration and some additional bugpatterns.
On the other hand, SWAAT is really limited for now as example, I've made a simple php script with only SQL queries inside: every lines are highlighted as flawed (and with a MEDIUM level)!! This is simply stupid and they would better don't report anything than doing that... just tell that you don't support SQL Injection for now... Anyway, SWAAT is for me the tool to keep an eye on, I will try to develop some features on it, especially for XSS detection and SQL Injection findings...
And I've just received this book this morning:
Here we go, I release the first shot of a tool I start writing months ago... The goal of that tool is to find some strings that are valids and which pass your regular expressions filters. Basically, it was designed for testing IDS regexp.
The tool is not finish yet, I have lots of work to do on this, especially the attack strings dictionary; currently there is only some client-side string patterns.
You can download the tool here: RegFuzzer
For using the tool, you need to enter the regular expression to test into the XML input file, and launch the tool like:
python regFuzzer.py -f input.xml
This will produce an HTML file as output. As I said before, this is the first release the goal is much more to show that tool and see if the idea is interesting for you; if so, I may work more on this. Don't hesitate to drop me a line about the tool if you have some comments.
For quite a long time now, I've been playing with lots of different black-box tools: commercial or not, mine or not. Months ago, I developed Crystal, a plugin for Grabber which does the link between the black-box engine in Grabber and a PHP Source Code Security Analyzer: PHP-SAT . At the time, it was the only advanced PHP SCSA I could find on the web, so I used it without really testings I admit.
That's for the story, few days ago, on #webappsec (irc.freenode.org), Larholm told me about SWAAT a new (at least, for me) PHP SCSA (and not only PHP actually). At the time, I didn't have time to try it; but today, I took the time to compare PHP-SAT and SWAAT with a test which can be view as a quite-exhaustive-basic-flaw-checker (it means that there is maybe 6 different vulnerabilities with variants and false positive/true positive check implementation).
You can see the PHP test file here: tests.php
The result of the two runs can be find here: php-sat-test-output.phps and swaat-output.html
How to read the reports:
I will not spend time to explain the difference of the tools but the tools don't really have the same goal (even if we can use them for the same utilization). Well, with the default configuration of both tools, SWAAT is really better! But as for many Source Code Security Analyzers, the configuration is really important, so I would mitigate my conclusion on these tools, I really need to dive into the configuration of that two tools and redo the tests.
Romain | Tuesday, May 22 2007 - 04:19 UTC | Discussion
It's hard to go away from security news, stuff for a long time, but I did it! I'm still in vacation in France for a couple of days but now, I try to read the news... Too much stuff!!
I've seen good articles from Ronald talking about the Top programmers security mistakes and CSRF.
...keep editing
Romain | Thursday, May 3 2007 - 15:28 UTC | Discussion
It's time for me to go back in France! I'll be in France for almost 3 weeks. If somebody know a good (and cheap) conference in France or even Italy/Switzerland/Spain/UK, drop me a wprd about it. I would really like to attend a OWASP France chapter, but it seems like nobody think about organizing this (what a pity!).
Anyway... I'd love to talk about web security in any way in Europe.
Romain | Tuesday, May 1 2007 - 09:03 UTC | Discussion
After a project, AK gives a short comparison of this two client-side technologies: http://www.akbkhome.com/blog.php/View/135/XUL_or_extjs.html
Today, it reminds me a study from Cmabrigde (http://www.mrc-cbu.cam.ac.uk/~mattd/Cmabrigde/). The idea is that a human needs only few letters in order in a word to understand that word (this is not okay for every word, but it should not be hard to find them).
So the idea is basically to create a captcha as an image with a word, but the word would be disordered in a way that human can read it such as:
CNOTNENT
MANAEGR
KITHCEN
etc.
Okay, based on a current OCR based attack bot, it's doable if you have a dictionary then use something like the levenstein distance
and try to minimize the distance with the current word in the dictionary and the word you found with your OCR.
But well, the captcha has not necessary one word...
The only problem I can see with this method is that the dictionary you use to generate the captcha should be in the language of the targeted human. But well, for most of the websites, you know what readers/users you have...
If I have time I'd try to create a lib for this...
Romain | Wednesday, April 11 2007 - 19:42 UTC | Vulnerabilities
The Web Application Security Consortium (WASC) released yesterday the WAS Stats. You can reach it here:
http://webappsec.org/projects/statistics/
The stats really looks like the CVE/NVD stats but looked more accurate because not based on report etc. but on assessments by companies such as Whitehatsec and data from SPI-Dynamics etc.
Romain | Wednesday, April 11 2007 - 13:13 UTC | Discussion
After the 20 must-have Firefox extensions, computerworld came up with the top 10 firefox extensions to avoid. And in the list you can see:
So what the heck? Are they kidding? I can understand for GreaseMonkey because it's mainly for people who need it, but NoScript is a really good extension which has active protection...
Romain | Wednesday, April 11 2007 - 09:37 UTC | Discussion
I've just found this crawling the web... This is statistics from google on the structure of the web pages:
http://code.google.com/webstats/index.html
FROM THE DESK OF DR AZIZAN COKER BILL AND EXCHANGE MANAGER, BANK OF AFRICA, OUAGADOUGOU BUKINA-FASO.
PLANE CRASH WEB SITE...http://news.bbc.co.uk/1/hi/world/europe/859479.stm
("REMITTANCE OF $25.8 MILLION U.S.A DOLLARS (CONFIDENTIAL IS THE CASE")
Compliment Of The Day,
I am Dr Azizan Coker from burkina faso.I want to seek your assistance after my discovery during auditing in my bank as am the manager of Bill and Exchange at the Foriegn Remittance Department of BANK OF AFRICA,(B.O.A.) In my department we discovered an abandoned sum of USD$25.8million US dollars in an account that belongs to one of our foreign customers who died along with his entire family in plane Crashes 2000,
Since his death, we have been expecting his next of Kin to come over and claim his money because we can not release it unless somebody applies for it as next of Kin or relation to the deceased as indicated in our banking and financial policies but unfortunately all the efforts proved abortive.
IT is therefore upon this discovery that I decided as the head of my department to make this business proposal to you and release the money to you as the next of kin or relation to the deceased for safety and subsequent disbursement since nobody is coming for it and we don't want this money to go into the Bank treasury as unclaimed bills. Do not view this as been illegal but an opportunity for us to help enrich our hope in life instead of the bank converting this much money to the security funds.You should not nurse any atom of fear as all required arrangements have been made for the smooth transfer of this funds and your acceptance is what will crown this effort.
We will conclude this operation within 14 banking days based on the amount of coperation you will contribute.
Thank you for your understanding as i await your urgent response to enable me give you more details don't forget to give me those informations below to enable me know you very well before we can go ahead in this business,
Your International passport or ID card............ Your private telephone number........................ Your profession................................................ Your age........................................................... Your country....................................................
Your’s faithfully Dr Azizan Coker
POST SCRITUM:You have to keep everything secret as to enable the transfer to move very smoothly in to the account you will prove to the bank.
I love firebug, this is something really good for developing web apps. But today, I got an issue which was pretty annoying! First of all, when I develop a small apps, I used to do this under firefox only with firebug and other nice extension loaded.
But today I got an issue when I wanted to overload the XMLHttpRequest
send function to do other things with: Firebug simply do not allow me to do this, but it works well if I want to overload the 'open' function!
Pretty annoying but you cannot do this with firebug activated:
XMLHttpRequest.prototype.send = function(data) {
sData = transformation(data);
this.originalSend(sData);
}
Romain | Thursday, March 29 2007 - 15:28 UTC | Discussion
It has been discussed on ha.ckers.org when the Microsoft Security Response Center started a thread with their new system/email/team/i don't know what. But well, the point is that hackers do not get any reward for the time they spend to disclose some vulnerabilties
And it would be okay if bad guys who buy/sell 0day vulnerabilities.
Today, I received this on the fd mailing list:
We buy and sell 0day vulnerability along with working demostrative exploit. We are interested only in client side exploits. We are interested in Internet Explorer and Microsoft Office. If you have good vulnerability we can pay cash, western union or wire transfer in advance. If you are a motivated researcher and are interested in a full time consultancy let us to know. Please contact to this email address. We own and sell several Microsoft 0day (the one used by a couple of asiatic intelligence agencies) and we buy them from skilled hackers.
So, if you would pay, even few bucks or softwares licences, hardware etc. hackers would rather send you the 0day than going to see that kind of bad guys...
Sven Vetsch/Disenchant has just send me an email with the Vigenere's version of the obfuscation script.
This version is quite cute, but it's true that the public key is not secure enough... let's work on another version with public and private key!.
You can find Disenchant's script here.
Always on the same subject: Spam bots, i was thinking that obfuscation would be a good way to prevent spam bots. Then I first start playing with reverse strings even if it may be obvious for the bots but well, I'm pretty sure it's even more difficult than the previous technique which can almost be passed with an intelligent-but-with-no-javascript-support parser.
So this version is quite simple:
<script>
String.prototype.reverse = function() { return this.split('').reverse().join(''); };
function reverseNames() {
formElement = document.forms[0].elements;
for(var i = 0; i < formElement.length; i++) {
formElement[i].name = formElement[i].name.reverse();
}
formElement.submit();
}
</script>
...
<form method="post" action="check.php" onsubmit="reverseNames()">
<label for="emanresu">‮emanresu‭</label> <input type="text" name="emanresu" /> <br />
You can find the running example: here.
While talking about obfuscation/crypto, since there are few parameters to obfuscate/encrypt maybe a Vigenere
algorithm would be nice...
Note that we do not use the 'username' instance in the HTML page, if you want to print 'username' you can use the character ‮ which reverses the following text.
I used to talk about technique to prevent spam bots for registering or posting somewhere. Even though I think that a good solution for this is to create SessionID with JavaScript, I was a little bit stuck with phpBB2 because of the template engine, I cannot easily dynamically write a JavaScript in the page.
So, the solution I used is to simply create a CAPTCHA which is written in the page with JavaScript such as:
document.write("<input type='hidden' name='persoCaptcha' value='" + generateStaticKeyWord() + "' />");
And then, I had to check for this value in the PHP script.
Fairly simple, but it seems to work without lots of modification of the phpBB2 forum... Here is a list of spam bots that I detected with this technique on a forum. Even if this technique works for now, I will have to use a better one...
This a really nothing to do with web application security, but a friend asked me how to protect a bunch of html files in a directory. He was looking for sessions based solutions but for this he would have to rename the html files in php or whatever and then, implement the protection... pretty boring!
I suggest him a really easy and not perfect solution: checking the referer when accessing the html files (this is the kind of protection as the images anti-thief):
# .htaccess
# -------
RewriteEngine on
RewriteCond %{HTTP_REFERER} !.*yousite.com/.* [NC]
RewriteRule ^(.*)$ /fail.html [NC]
You can find an example here.
PS: this could not be a valid solution for lots of application!
Romain | Friday, March 9 2007 - 10:44 UTC | Discussion
The W3C announced yesterday that a new Working Group was created for working on the HTML language.
I don't know if you think the same way than me about this, but for me, HTML language is such a pain in the ass for security. It allows too much things, modifications, ill-written html... With XHTML we have the opportunity to have a quite strict language which is definitely better...
Please guys, when you are doing the new HTML think with security in mind, thanks.
« previous entries - page 3 of 5 - next entries »
Last comments