My Security Planet » Items by Disenchant

Feeds

6078 items (0 unread) in 72 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

• Opensourcetesting.org News

Items by Disenchant

Disenchant's Blog

• 

  Certified Secure Web

  Posted: December 25th, 2008, 1:29pm CST by Disenchant

  Tags:  Security   [edit]

  Hi everyone out there, I know that it was a long time since I wrote my last blog posting but as most of you know, time is always rare. Anyway, I’ll try to write more in the feature, especially because there is really stuff, I think it’s worth to write about. So today I’d like to talk about one big project, I was involved during about the last year at my workplace at Dreamlab Technologies, it’s the CSW certification.

  You might ask yourself now: What the hell is CSW? CSW is short for Certified Secure Web, which is a security certification framework for the web. Actually we’ve got two certification types, the CSWT where T is short for Technology which means certification of web applications and we’ve got also a CSWD, which’s thought to stand for Developers. Before I go more into more details, I have to say that the CSW certification framework is thought to be open and not just for Dreamlab Technologies. We’re only a part of the CSW, the real certification is done by an independent party which is in our case a backend, built of educational organizations like for example universities, combined with partners like us. So this is not just poor advertising, we’re really looking for people/companies who’re interested in this all over the world.

  Normally I would say, go to [https:], where you can find all the information you need but unfortunately, the site is still only available in German, even if the English version is afaik ready.

  So, what is CSW: “Certified Secure Web is an initiative to increase the overall security of web applications and also to provide a certification for Technology (Applications) and Developers.” (A free translation of the text on the CSW website, from German into English). It’s based on the OSSTMM by ISECOM, the Threat Classification of the WASC and on different resources, provided by the OWASP. With these different resources we think, that we can really provide a certification, which is worth the paper it’s printed on, even if we know that also the CSW certification can’t be perfect at all. Something which is also special on CSW is, that we don’t want to say that an application is secure and “hacker safe” (oops, sorry guys ) but we would like to certify a security baseline for web applications and help companies getting a more secure application.

  I could go on with this for hours but I think it’s better to write my next two postings directly on CSWT and CSWD because it will say much more on what we’d like to achieve and in which way.

  For specific questions or if you’d like to get involved, please just contact me or leave a comment

  … and of course merry Christmas and a happy new year

• 

  I’ve got a backlink from example.com - RFC 2606

  Posted: October 23rd, 2008, 11:00pm CDT by Disenchant

  Tags:  Security   [edit]

  Many of my readers will know, that example.com, example.net and example.org are reserved for use in documentation, according to RFC 2606. If you surf to any of these sites, there will be just the same information I wrote before and also a link to the RFC 2606. So it’s quiet interesting, why according to my statistics, example.com has a link on it, pointing to my website. I don’t no why this happened but it’s quiet interesting an if somebody can tell me what happened, I’m glad to know.

  Here’s a proof (even if it only a line of text ):

  

• 

  hackIt.js - A hidden Phishing Method

  Posted: October 21st, 2008, 3:22pm CDT by Disenchant

  Tags:  Security   [edit]

  It’s much later than I wanted to post this but finally here is my demonstration I’ve done for the Security-Zone 2008. Because there are so much resources about XSS and SQL Injections out there already, this posting is just about the hidden phishing method.

  How it works:

  1. Attacker needs a XSS vulnerability at example.com
  2. Configuration of the hackIt.js and include it to example.com by inserting it through a script-Tag
  3. hackIt.js knows because of it’s configuration where the login page of example.com is
  4. The script replaces the content of the infected page at example.com with a copy of the login page which will be loaded through a XML HTTP Request
  5. hackIt.js will automatically find the login form and it’s input fields in “faked” login page
  6. The submit button of the login form will become a normal button without it’s submit functionality but it will now have a onclick-function
  7. As soon as the user clicks on the submit button to login, an image will become dynamically added to the DOM tree, which points to a server side script at evil.com, including the values of the login fields as attributes.
  8. Because of as soon as an image becomes loaded, a HTTP GET request will be sent to the image’s location, the attacked user’s login credentials will be sent to evil.com in cleartext, where an attacker can now store it
  9. Last but not least, the hackIt.js normally submits the login form to it’s originally thought location.
  10. If the user has no Proxy or other tamper mechanism in place, he/she will never find out, that the login credentials have been sent to evil.com

  I know it sounds quiet complex but it’s really easy if you get the point. If there are any questions, I’m glad to answer these as a comment or in an email

  Because of I’m not sure if it’s a good idea to post the source code (even if it’s really easy to write it on your own), I decided to not make it available through my blog but if you’d like to receive the code, just let me know directly. Anyway, below you can watch a small video which demonstrates the attack, performed by the script.

  

• 

  Security-Zone 2008 - Let’s call it a Success

  Posted: October 1st, 2008, 12:58pm CDT by Disenchant

  Tags:  OWASP   [edit]

  The Security-Zone is as far as I know, the most important and biggest security event in Switzerland and like last year I was there to present some stuff. Also like the last time, I wasn’t alone, there where Pascal Mittner from Astalavista IT Engineering and Pascal C. Kocher from Defcon Switzerland (I’ll write something about this very soon ). It was the first time, that there was a workshop at a Security-Zone and so we where quiet exited but we also thought, that this would be easy stuff. First, a 20min slot for each of us three to just talk and afterwards, about three hours of really presenting stuff and also let people getting some hand-on experience. Unfortunately, the first part about how to write an exploit for an FTP server by Pascal C. Kocher failed because something I still don’t know about. There where just a few lines of Perl code but for any reason, the final exploit didn’t work. Also the last part about using a security management system to identify and track risks on your systems failed because of the participants weren’t able to test the virtual machines Pascal Mittner brought to the security zone. Even there we’re not sure what was the problem but we think it could have been a problem of by switch or some crappy Ethernet wires. Anyway, this means, that my part was the only one, that worked without any problems (thanks at this point to the FSM ). I was first presenting a simple XSS but not only the standard alert(123) no, I wanted to show the attending people, that you can do much more an so I decided to show a website defacement. Afterwards, I bypassed a login mechanism by a standard SQL Injection and last but not least, I presented something which was quiet a bit complicated (a combination of XSS and CSRF) but I’ll write another blog posting (hopefully) during the next days about this demo.

  For me it was good to see once more, that still many people are interested in the basic stuff and it makes me very happy if I’ve got the chance just like at the Security-Zone to help people to understand, what web application security is about and why it’s important.

• 

  Counter-Terrorism advertising campaign launched

  Posted: September 26th, 2008, 2:20am CDT by Disenchant

  Tags:  Security   [edit]

  I totally forgot to click publish for this blog posting but better now then never

  The Metropolitan Police Service launched a Counter-Terrorism campaign and unfortunately it seems to be real and not just a joke.

  The following is copied from here:

  The five-week campaign asks members of the public to report any suspicious behaviour in confidence to the Anti-Terrorist Hotline on 0800 789 321.

  Press advertising will appear in London’s major newspapers and on the City’s main commercial radio stations.

  Camera posterThe press ads seek to raise awareness of some of the items/activities which may be needed by, or be of use to, terrorists. It asks the public to consider whether they have seen any activity connected with them which may have made them suspicious.

  Radio advertising has been devised to complement the press ads and features an individual thinking out loud about concerns she has around some suspicious behaviour. She is reassured that she should call the confidential Anti-Terrorist Hotline on 0800 789 321 and that any information will be considered by specialist officers.

  Advertising will also run in the Greater Manchester, West Yorkshire and the West Midlands.

  

  At least there is already an alternative poster:

  

• 

  Nice new SPAM Trick

  Posted: September 11th, 2008, 4:57am CDT by Disenchant

  Tags:  Security   [edit]

  This morning I’ve received the following spam mail:

  Hi,

  I am basically interested for business reasons. I had written to you about
  the offer a few days back. Perhaps you never got the mail in the first
  place. Anyhow, here is the deal. I found your site
  http://www.disenchant.ch/ really enchanting and would like to buy a
  number of text-links on your site.

  Let me know if you would like to hear more of this.

  Best regards,

  Susan.

  OK, the idea seems to be not that bad. You have a normal crawler for e-mail addresses and if you found one, change the message of your mail by mentioning the domain name. I think many people will notice this and think that it can’t be a spam mail because there’s a specific part in in which is not correct for most people. Also the name of the sender at the end of the mail is interesting because it’s Susan and the sender’s e-mail address was susan.[a last name]@gmail.com. This means, that also this seems to be correct and I think that many people will answer to this mail.

  PS: Of course it’s also possible that it’s not a spam but then the company behind it will become bankrupt very soon

• 

  Let’s Crash Google’s Chrome Browser

  Posted: September 2nd, 2008, 5:19pm CDT by Disenchant

  Tags:  Fun   [edit]

  As you might know, today Google released it’s own web browser called Chrome. I just had to have a look at it and have to say, it’s really not that bad but I just wanted to know if I’m able to crash it

  Here’s my result after a few minutes:

  

  The movie is that long because I always had to check if my string is already long enough. The indicator for it was the mouse over effect (highlighting) of the button.

• 

  Swiss Post owned by Terrorists

  Posted: August 28th, 2008, 4:16am CDT by Disenchant

  Tags:  Fun   [edit]

  My sister had her birthday a few days ago and she got a lot of cards from all over Switzerland. One of them was very interesting because it was a letter, sent from our aunts who’re living in Zurich Kloten which is where also the Zurich Airport is. Now remember 9/11 and have a look at the official post stamp on the letter:

  

  

• 

  Swiss Post owned by Terrorists

  Posted: August 28th, 2008, 4:16am CDT by Disenchant

  Tags:  Fun   [edit]

  My sister had her birthday a few days ago and she got a lot of cards from all over Switzerland. One of them was very interesting because it was a letter, sent from our aunts who’re living in Zurich Kloten which is where also the Zurich Airport is. Now remember 9/11 and have a look at the official post stamp on the letter:

  

  

• 

  Data Aggregation - The hidden Thread

  Posted: August 25th, 2008, 4:00am CDT by Disenchant

  Tags:  Security   [edit]

  If you talk to security people all over the world, you’ll notice, that stuff like XSS or SQL Injections aren’t of that much interest anymore because everyone knows what the problems are and how to prevent it, even if I’m not sure that they really know enough on it. Anyway, I was thinking of how we can get data out of things like for example a database even if it’s protected against attacks just as mentioned at the beginning. I came up with something, that I’ve never seen before or at least not in the context of a security thread to data. Today it’s very important to aggregate and mix data, to get new information out of it but have you ever thought of what happens if you can reconstruct sensible data out of let’s say public data.

  Let’s have a look at an example in which we’re a student, who has access to the schools Intranet but there he can just have a look at news and also his grades as well as the average of a group of people like his class mates, people with the same age and such.

  The number in brackets is the amount of people who’s data are affected and in this example our name is Peter Miller, who wants to know the grades of his class mate called Paul Svenson.

  In the following tables, you’ll see the result of different requests to the school information system.

  

  Now let’s check our whole class (3b):

  

  Now we can calculate the worst possible grades of “Lisa Wilson” (born in 1980 and one of the two females in class 3b) out of the information in table “Average grades of females in class 3b”.

  

  With this information we’ve got two of three peoples grades (Lisa’s grades are as already written the worst possible) who where born in 1980. This means we can now calculate the last persons grades (of course this will also be the worst possible), who’s Paul Svenson, our final target.

  

  I hope you understood what I mean and also why this is really something we should pay more attention to in the future.

• 

  I’m back :)

  Posted: August 24th, 2008, 5:03pm CDT by Disenchant

  Tags:  Security   [edit]

  It’s now about two months ago since I wrote my last blog posting but this was just because I had summer holidays (the only good thing about being a student). I was on different openairs in Switzerland and also went to visit Bulgaria with some friends, which was very nice.

  This was our hotel:
  

  

  So, I’m back and have much stuff to write about which is related to web security and other interesting stuff

• 

  Firefox Security Tool Kit - Now FF v3 compatible

  Posted: June 21st, 2008, 10:06am CDT by Disenchant

  Tags:  Programming   [edit]

  I’ve been asked to make my Firefox Security Tool Kit (FSTK) compatible to the new Firefox version 3 and here it is

  Download and/or Install the FSTK v3.1 now

  Additionally to the new version compatibility changes, I replaced the Extension “User Agent Switcher” with “Modify Headers“. All other extensions are the same as described here.

• 

  Hacking Coffee Makers

  Posted: June 18th, 2008, 5:49am CDT by Disenchant

  Tags:  Fun   [edit]

  Yesterday, Craig Wright has sent an email to the BugTraq mailing list and because it’s a funny story, I’d like to share it with my readers.

  Hi All,
  I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

  “Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
  Download parameters to configure your espresso machine to your own personal taste.
  If there’s a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”

  Guess what - it can not be patched as far as I can tell It also has a few software vulnerabilities.

  Fun things you can do with a Jura coffee maker:
  1. Change the preset coffee settings (make weak or strong coffee)
  2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
  3. Break it by engineering settings that are not compatible (and making it require a service)

  The connectivity kit uses the connectivity of the PC it is running on to connect the coffee machine to the internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary service.

  Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.

  Compromise by Coffee.

  Regards,
  Craig Wright GSE-Compliance

  PS: I’m really looking forward to a coffee maker with a web interface

• 

  Big XSS Presentation

  Posted: May 2nd, 2008, 4:46am CDT by Disenchant

  Tags:  Security   [edit]

  On the 26. March this year, I gave a quiet special guest lecture. I was teaching students at the Bern University of Applied Sciences Engineering and Information Technology which are all studying the same as me (computer science) but they are nearly finished with their studies. This means I was once more the young and long-haired guy who came to talk about security or to be more specific web application security. Of course it was a special situation for me and I think also for the other students. Anyway, it was interesting to work with them and I think that my presentation and also the demos I made, helped them to understand the topic I was talking about: XSS.

  Unfortunately it’s not that easy to upload the demos I made but I’d like to make my presentation available to the public because I think, that people can learn out of it and also if someone needs to give a lecture on XSS he/she can probably use some stuff out of my presentation.

  Download the XSS presentation now

  Hope you enjoy the presentation

• 

  Touchscreens vs. Biometrics

  Posted: April 11th, 2008, 12:58pm CDT by Disenchant

  Tags:  Security   [edit]

  A few days ago I was cleaning the screen of my notebook, which’s a Lenovo X61 Tablet. I’m using it everyday and especially for my studies I’m working in tablet-mode, which means that I have to clean up the screen about every two weeks. During cleaning I recognized, that there are many fingerprints of mine on the touchscreen. Whoops… haven’t we seen more than enough how to fake fingerprints? I think we have and did you see that there is a built in fingerprint reader in the X61. Let’s think about this. We’ve got more and more devices which have a touchscreen and at the same time, more devices allow you to log in with your fingerprint. This means, that in the near future an attacker don’t need any password of you, he just steals a device and then build his key (the fingerprint) right from the touchscreen.

  To make this more visible to you, I’ve made a photo of my screen:

  

  As you can see, this is really a good enough fingerprint to copy it.

  PS: I smudged three lines on the picture because it’s my own fingerprint

• 

  Global OWASP Week 2008 - Switzerland

  Posted: April 7th, 2008, 3:55am CDT by Disenchant

  Tags:  OWASP   [edit]

  As some of you might know, during the last week we had the Global OWASP Week 2008. As I’m the actual leader of the OWASP Switzerland Local Chapter, I organized a meeting during this week. Because we needed some more space, we went to the ETH Zurich where we had a room for 46 people. From my point of view it was a huge success for the OWASP in Switzerland because we’ve got about 30 attendees at this meeting (normally we’ve got about 20). For me it was also a little bit of stress because we didn’t received a beamer so we had to organize one and another stress factor for my was, that because of all the OWASP book I put into my bag to give them away, I forgot to put the walkthrough for my demonstration in it which means, that I had to do it out of my mind. Anyway, just as I already said, it was a success for the OWASP and I’m sure that we’ll have some new faces at our next meeting.

  For the people who’re interested in what we’ve done, here’s the invitation mail I’ve sent out:

  Dear Receiver,
  in the name of the OWASP (http://owasp.org) I’d like to invite you to
  our next event, which is part of the Global OWASP Week 2008. If you’re
  interested in web application security, this is something for you.

  Date and time:
  1.April 2008 -> WebAppSec Is No Joke
  18:00 - ca. 21:00

  Where:
  The event takes place at the ETH Zurich, in the main building, room
  HG F26.5

  Who:
  As at all of our meetings, everyone is welcome. If you know someone
  who could also be interested in this event, ask him/her to come too.

  Content:
  We’ll have three interesting Talks.

  - Taking Apache access logs to the next level: Complying to PCI DSS
  for fun and profit
  (Christian Folini - Technical Consultant at netnea)

  The PCI DSS is rather vague, when it comes to logfiles. It does
  make clear, that writing logfiles and reading them is a
  requirement though. But it leaves it up to you to define your
  setup and your processes. Apache brings numerous logging
  possibilities, but they are rarely used in practice. Based on a
  sample enterprise setup, I will discuss key items of a
  revision-proof architecture. System components and methods will be
  examined and a few interesting techniques presented.

  - Implementing an Application Security Lifecycle programme
  (Alessandro Moretti - Executive director for IT security risk
  management at UBS Investment Bank)

  Topic:
  A case study at UBS Investment Bank - how the Application Security
  Lifecycle Programme aims to implement proactive and reactive IT
  security management and promote application security across the
  global UBS IT community.

  Short description:
  UBS IT Security Risk Management will provide an overview of the
  risk strategy, and an insight into the strategic initiative, based
  partly on OWASP, to enhance the application security with each
  phase of the software development lifecycle. The presentation will
  provide details on the vision, the overall programme approach and
  on selected deliverables as part of the programme. Topics include,
  security education, risk management, source code testing,
  penetration testing and web application firewalls. A question and
  answer session will follow.

  - WebAppSec the Big Picture
  (Sven Vetsch - Security Tester at Dreamlab Technologies)

  Most of the actual vulnerabilities which security researchers and
  also bad guys (doesn’t) report every day, are related to web
  applications. Even if this is the case, the security community
  didn’t get the big picture of what security related problems we’ve
  got through web applications. In this demonstration, we will show
  you an overview of the most important web vulnerabilities like SQL
  Injections, XSS, CSRF, Path Traversal, Session Fixation and much
  more. The focus in this demonstration is not to show you the
  latest research results in webappsec, it’s to show you the big
  picture of this topic.

  If there are any further questions, don’t hesitate to contact me at:
  sven.vetsch _at_ disenchant.ch

  Regards,
  Sven Vetsch
  Leader OWASP Switzerland

• 

  Firefox Security Tool Kit - FSTK v3.0

  Posted: April 1st, 2008, 5:50am CDT by Disenchant

  Tags:  Programming   [edit]

  About one year ago, I’ve created a bundle which contained several different extensions for Firefox related to web application security testing. Today I’d like to release version 3.0 of the Firefox Security Tool Kit or short FSTK, which will make your browser a (nearly) full-fledged webappsec pentesting tool.

  Download and/or Install the FSTK v3.0 now

  By installing it to your Firefox, you’ll get all of the following extensions:

  allcookies
  Version: 1.2
  By: Bernard Maison
  dumps ALL cookies to cookies.txt file
  For Firefox versions 1.5 to 2.0.0.*
  Homepage: [allcookies.mozdev.org]

  Cert Viewer Plus
  Version: 1.2
  By: Kaspar Brand
  Certificate viewer enhancements: PEM format view, file export
  For Firefox versions 1.5.0.4 to 3.0.0.*
  Homepage: [https:]

  Firebug
  Version: 1.05
  By: Joe Hewitt
  Web Development Evolved
  For Firefox versions 1.5 to 2.0.0.*
  Homepage: [www.getfirebug.com]

  Firecookie
  Version: 0.0.5
  By: Jan Odvarko
  Cookie manager for Firebug. Firebug has to be installed in order to use this extension.
  For Firefox versions 2.0 to 3.0b5pre
  Homepage: [www.janodvarko.cz]

  Fire Encrypter
  Version: 3.0
  By: Ronald van den heetkamp
  Encryption, Decryption, and Hashing program.
  For Firefox versions 1.5 to 2.0.0.*
  Homepage: [www.jungsonnstudios.com]

  FoxyProxy
  Version: 2.7.1
  By: LeahScape, Inc.
  Premier proxy management for Firefox
  For Firefox versions 1.5 to 3.0b4pre
  Homepage: [foxyproxy.mozdev.org]

  Live HTTP Headers
  Version: 0.13.1
  By: Daniel Savard
  View HTTP headers of a page and while browsing.
  For Firefox versions 0.8 to 2.0.0.*
  Homepage: [livehttpheaders.mozdev.org]

  Selenium IDE
  Version: 1.0b1
  By: Shinya Kasatani
  Record, edit and play Selenium tests
  For Firefox versions 1.5 to 3.0b3
  Homepage: [www.openqa.org]

  Smart Middle Click
  Version: 0.5
  By: spiers
  Middle click for javascript links.
  For Firefox versions 1.5 to 2.0.0.*
  Homepage: [spiers.free.fr]

  Tamper Data
  Version: 9.8.1
  By: Adam Judson
  View and modify HTTP/HTTPS headers etc.
  For Firefox versions 1.0 to 2.0.0.*
  Homepage: [tamperdata.mozdev.org]

  User Agent Switcher
  Version: 0.6.10
  By: Chris Pederick
  Adds a menu and a toolbar button to switch the user agent of the browser.
  For Firefox versions 1.0 to 2.0.0.*
  Homepage: [chrispederick.com]

  Web Developer
  Version: 1.1.4
  By: Chris Pederick
  Adds a menu and a toolbar with various web developer tools.
  For Firefox versions 1.0 to 2.0.0.*
  Homepage: [chrispederick.com]

  Hope you enjoy it

• 

  Youtube has got Code Monkeys

  Posted: March 29th, 2008, 7:47am CDT by Disenchant

  Tags:  Fun   [edit]

  We all know the “500 Internal Server Error” but have you ever seen it on youtube.com:
  [m.youtube.com]

  It says:

  Sorry, something went wrong.
  A team of highly trained monkeys has been dispatched to deal with this situation. Please report this incident to customer service.

  You guys made my day

  PS: For some reason you sometimes have to click on the link twice until you get the message.

• 

  Selenium Remote Control

  Posted: March 26th, 2008, 3:14pm CDT by Disenchant

  Tags:  Programming   [edit]

  A working colleague of mine showed me a tool, which I think is really cool for automating tasks during web application security test, even if it’s not made especially for that. The tool I’m talking about is called Selenium Remote Control and licensed under the Apache 2.0 License. Let’s have a look at the description of Selenium:

  Selenium Remote Control (RC) is a test tool that allows you to write automated web application UI tests in any programming language against any HTTP website using any mainstream JavaScript-enabled browser.

  This is exactly what Selenium is/does

  I can especially recommend the Selenium IDE, which’s a Firefox extension that can record all actions of your browser, replay them and also export the whole thing into HTML, Java, C#, Perl, PHP, Python and Ruby.

  This is, how the Selenium IDE looks like:

  

  I don’t want to say more on this, just give it a try and have fun

• 

  Torrent Injection

  Posted: March 9th, 2008, 2:11pm CDT by Disenchant

  Tags:  Security   [edit]

  A colleague of mine asked me a few days ago, what he can do with an XSS on a BitTorrent Tracker site. The most obvious thing was of course to steal a logged in user’s session ID to get access to his account data which contains for example his “Private Tracker” login credentials and so on. The XSS he found was just a reflecting one so it’s good for him because he just started with WebAppSec stuff but for me it was nothing more than the XSS we can find in most of the websites on the whole Internet. You might ask, why I’m writing about this because then I can also write about any other XSS vulnerability but this one make me thinking of another way of injecting a persistent XSS on BitTorrent Trackers. Every BitTorrent Tracker allows users to upload their new *.torrent files and everyone can then download it over the link in the tracker, which contains all needed information about it. Now let’s have a look at the information such a tracker picks out of the uploaded files, which will then be displayed to the user.

  

  Additionally, below there’s also a list of all the files which are “in” this Torrent.

  Now let’s think about input filtering. Normally, there are more or less effective input filters in place for bigger web applications but when you have to deal with the content of uploaded files, you should perhaps also check the content of them. I think you’ve got the point

  The only thing you have to do now, is to create a Torrent file which contains script code for example as a comment. When we upload such a file to a Torrent Tracker, it should be checked but this isn’t as easy as it sounds and normally programmers don’t do this because there can also be binary data in this files and so you don’t want to check all that stuff and anyway, who can make a Torrent file by hand? *joking*

  Now let’s see what happens if I upload my Torrent file which contains <script>alert(document.cookie);</script> in the comment field.

  

  As you can see, our script was executed

  This is not just a vulnerability we can find here, it’s more of a global problem we’ve got in applications, where users can upload files, which will become parsed and at this time, this includes heavily BitTorrent Trackers as shown here.

  Once more a message to the developers out there: Please implement sufficient filtering mechanisms

• 

  Advanced English?

  Posted: February 27th, 2008, 6:14pm CST by Disenchant

  Tags:  Fun   [edit]

  As you might know, I’m actually studying computer science at the Bern University of Applied Sciences Engineering and Information Technology. Yesterday we had English lessons and I’m in the advanced group, which is the highest level we can attend in this semester. So let’s have a look at an exercise we’ve done in this lesson and I really think, that anyone who can read my blog should ask my school if they can give you a certificate in English Advanced because you really should be able to solve the following. At least for me the word advanced means something completely different

  
  (click to enlarge)

  Hope you enjoy solving this “advanced” exercise and no, it’s not the only advanced exercise we’ve done

• 

  A Native “JavaScript” Speaker?

  Posted: February 11th, 2008, 1:01am CST by Disenchant

  Tags:  Fun   [edit]

  I just found a website, where you can let a bot read an article to you. You might say that this isn’t special but there was this parameter called “id” which I had to play with. When I used id=8838 it was some kind of special because it was reading the code of it’s own JavaScript function vh_sceneLoaded(). It says:

  loadText('. .drucken {display: none;}.senden {display: none;}.quelle {display: none;}.artboxbottom2sp {height: 15px;width: 465;background: url(/_images_/hg_spitzmarke_2sp_bottom.gif);} Webwww.espace.ch',2,3,2);

  Who knows, perhaps JavaScript will become the first natively spoken programming language. At least it would be really easy to speak for me because it seems that in “JavaScriptish”, the spelling is the same as in German

  Meet the native Javascript Speaker

• 

  How was the Hotel? - Vulnerable!

  Posted: January 23rd, 2008, 4:08am CST by Disenchant

  Tags:  Fun   [edit]

  (According to the following blog posting, be aware of that I’ve never bypassed any authorization mechanism, nor did I break, access or change anything I was not allowed to.)

  Last weekend, I went snowboarding in the Swiss mountains and the weather including the snow was just perfect. Because the winter sport season hasn’t started yet, there wasn’t much going on in the evening and so I was using one of the public Hotspots of the hotel. As you can think, I had to make some security related stuff and so I surfed to the Hotel’s website. There are SQL injections, XSS, Local File Inclusions and much more but I don’t want to talk more about it because there was something much more interesting. Normally when you offer a Hotspot as a hotel or any other company, you should separate it from your internal LAN but don’t even think of anyone is really doing this unless they have to for any reason. So, my IP address was now 192.168.44.36 which’s an internal IP address. The next step was of course to use our all friend nmap and let’s see what I’ve got:

  Interesting ports on 192.168.1.5:
  PORT STATE SERVICE VERSION
  25/tcp open smtp Microsoft ESMTP 5.0.2195.6713
  80/tcp open http Microsoft IIS webserver 5.0

  Jackpot, I’ve got a Microsoft IIS 5.0 webserver on the standard HTTP port 80 and this means hopefully an internal web application

  I connected to 192.168.1.5 with my favorite web browser and wow, amazing security measures there. No sorry, I’m just joking. There where no security measures at all. I simply get a menu, where I could choose a “console”. I took the first one because the others seemed to be offline. Oh my god (who’s by the way the FSM), I was now having control over more or less the whole hotel (don’t ask me why this is the case with the product of a company describing itself as “OTRUM is a leading provider of interactive TV solutions and content to the hospitality industry.”).

  Let’s have a look at who’re my neighbors:
  
  (Click the image to enlarge)

  Cool stuff, with this I even know in which language I can say good morning to my neighbors

  There where much more information than just the things for the reception. When you clicked on “Main Menu”, you had several other options than just “Reception”. For example you where able to create new rooms, new employers, new TV channels, have a look at a whole bunch of statistics or define even a room’s temperature and much more. The funniest thing I found (which wasn’t used by the hotel I was in), was a statistic, checking if the mini bar has been opened and how many times. My advice if you want to make the guys at the reception looking strange at you would be to open your mini bar at least one hundred times a day

  As you can think, it was fun to see all this stuff and an evil guy (or girl) could have done nasty stuff there but hey, I never had to authenticate myself so it was open to everyone and because of this it’s not illegal to just surf this “website”.

  For sure this application was the most interesting thing for me but there where even more security problems like:

  http://192.168.1.5/cgi-bin/thrusocket.pl?&gltemplatefile=../../../../../boot.ini

  [boot loader]
  timeout=30
  default=multi(0)disk(0)rdisk(0)partition(1)WINNT
  [operating systems]
  multi(0)disk(0)rdisk(0)partition(1)WINNT=”Microsoft Windows 2000 Server” /fastdetect

  OK, anyone can read your data on the server but who want’s to read files if you can make an automated wake up call at 5 o’clock in the morning to every guest in the whole hotel?

  There was also a Directory Listing at http://192.168.1.5/cgi-bin/ and some other not really interesting things. I can say, that I enjoyed the stay in this hotel for sure.

  Lesson learned here: Don’t let security guys into your hotel if you don’t want them to have a look at your infrastructure

• 

  Teaching John The Ripper how to Crack MD5 Hashes

  Posted: January 17th, 2008, 5:33am CST by Disenchant

  Tags:  Linux   [edit]

  Today I was playing around with the well known password cracking tool John the Ripper (JtR) and was looking forward to crack some MD5 hashes. Unfortunately, John still not supports raw-MD5 out of the box and so I was searching the web for a solution. It took me some minutes until I found out, that there are unofficial patches for John’s source code and so I simply patched it and tried to compile. For any reason, I run into problems (doesn’t matter now what problems ) and even after about half an hour searching the web for a solution I didn’t find anything. Then a few minutes later I found a simple howto for how to patch and compile John so that you won’t have any problems. The site which solved my problem was gurx.net and I couldn’t find it faster because it’s not written in English nor German. Now of course I’ll show you how to do it the gurx.net-way but with support for even many more algorithms than just MD5.

  mkdir john
  cd john
  wget http://www.openwall.com/john/f/john-1.7.2.tar.bz2
  tar -xvf john-1.7.2.tar
  cd john-1.7.2
  wget ftp://ftp.openwall.com/pub/projects/john/contrib/john-1.7.2-all-9.diff.gz
  gzip -d john-1.7.2-all-9.diff.gz
  patch -p1 cd src
  make
  make clean linux-x86-any

  Now you can use John out of the “run” directory.

  ./john -format=raw-MD5 /home/disenchant/md5_hashes_to_crack.txt

  raw-MD5 means that you’ve got an input file (/home/disenchant/md5_hashes_to_crack.txt) like the following:

  Alice:5f4dcc3b5aa765d61d8327deb882cf99
  Bob:1c0b76fce779f78f51be339c49445c49
  …

  PS: My machine’s a Xubuntu Edgy but this should work with any Linux box

• 

  Downloading Videos of spiegel.de

  Posted: December 28th, 2007, 4:48am CST by Disenchant

  Enclosure: [download]

  Tags:  howto   [edit]

  Because of the sister of a friend needed to download videos of spiegel.de for school, I searched for a possibility to do that. It took just a few minutes (or even seconds) to find what I was looking for by analyzing the HTTP traffic, sent to the server by the Movie-Player of SPIEGEL ONLINE, which is completely in Flash. This showed me once again that I can’t just destroy stuff with my knowledge, I can also help people. Because someone else could also be interested in how to do this and it’s more or less the same thing everywhere you’ve got a similar situation on the web, I’ve created a small video HowTo.

  Download/Watch HowTo (830 kB)

  You’ll find the movies at [www.spiegel.de], the Firefox extension I’m using is Firebug and of course at the end you see Wget and VLC.

• 

  Fix your PHP Code without changing it

  Posted: December 27th, 2007, 2:03am CST by Disenchant

  Tags:  Programming   [edit]

  What is it about?
  This blog posting describes a way on how you can patch security problems and real vulnerabilities in your PHP code, when you’re not allowed to change the code or for example if this is just not possible for any reason. What you’ll learn here is something like virtual patching, as we know it from web application firewalls but we don’t change the code of the already existing application in any way and we don’t even need new components like such an application firewall. Does this this sounds like black magic to you? Don’t worry, it’s not complicated at all

  What is it not about?
  This blog posting will not show you for example how to fix all vulnerabilities you can expect in your PHP code nor is the described technique working against every kind of security problem. If you have the possibility to change the existing code, this is for sure the way to go and not what I’m writing in this posting. This is really only a technique which you can use when you can’t change the existing code.

  Please also be aware, that I don’t give you any guarantee, that your PHP web applications are secure after you’ve done what’s written in this posting.

  Skills you need
  I tried to write everything as clear as possible but it’s good if you’ve got some basic knowledge of the PHP programming language because I won’t describe my simple code examples.

  So let’s start with the main content

  The php.ini
  First we should talk about the so called php.ini, which will be our interface between the fixes and the already existing source code. The php.ini is the configuration file for PHP and you can see it’s actual configuration by simply have a look at the file or by creating a PHP script like the following:

  <?php
  phpinfo();
  ?>

  Get your own php.ini on shared Servers
  (If you’ve got your own dedicated server, this might not be relevant to you)
  This subsection now shows you, how you can work with the php.ini even if you’re application is hosted on a shared server and you don’t have access to the main php.ini file. As a first step, you have to create a file with the name .htaccess, which means that it’s a htaccess file. Under Unix like systems this is not a problem at all but under Windows systems you’ll get an error when you try to rename a file to “.htaccess”, so with the following two steps, you can also create such a file under Windows:

  1. Open Notepad or any other text editor.
  2. Go to Save As, and chose “.htaccess” for the file name including the quotes.

  Now you can upload the file into your wwwroot directory and add the following line to the .htaccess file, when your php.ini file can be found at /home/disenchant/php.ini:

  suPHP_ConfigPath /home/disenchant

  Now, the new defined php.ini will be used instead of the one, your web hoster has set up globally.

  The auto_prepend_file Option
  So let’s go into the part of the php.ini which is interesting for us, it’s the auto_prepend_file option. Just add a line to your php.ini like the following, so that it points for example to the PHP file we made before to display the PHP info page or just create a smaller file with just <?= "test" ?> in it.

  auto_prepend_file = /abc/xyz.php

  As you can see, if you now have a look at any of your PHP scripts in your web browser, the auto_prepend_file option in our php.ini has included our script at the beginning of every file. This is exactly what we need because this way, we can interact with the existing code, even if we never changed something in the original source code. So let’s go on and fix some vulnerable code.

  The vulnerable Code
  First we need some vulnerable PHP. The following code is vulnerable to an attack type called “Cross-Site Scripting“.

  <?php
  echo $_GET['var'];
  ?>

  We have now to implement an input encoding functionality for the variable called var (of course this can also be done for all variables or just some pre-defined variables). Let’s have a look at how to write a simple patch for this vulnerability.

  The Patch
  If we can change the original source code, we would probably use something like the following:

  <?php
  echo htmlentities($_GET['var'], ENT_QUOTES);
  ?>

  This will replace (all) characters which can be dangerous or better say, can be used for executing malicious script code, with their equivalent HTML entity. This makes this piece of code secure but in our situation, we won’t be able to change the code and that’s why we need the technique I described in this posting, over the php.ini. Instead of modifying the existing source code, we create a new file like this:

  <?php
  $_GET['var'] = htmlentities($_GET['var'], ENT_QUOTES);
  ?>

  Because of the auto_prepend_file option we set in our php.ini, this code will fix our vulnerability

  Final words
  As you’ve seen, this technique can become very helpful under some circumstances and of course I showed you just the basic use of it and you can go much further and for example implement login stuff, session management, white listings and so on through this.

• 

  AJAX is Evil - Demo at Facebook

  Posted: December 5th, 2007, 11:53am CST by Disenchant

  Tags:    [edit]

  Long time ago I said, that we’ll run into the same security problems we already started to fix in our web applications at the point, where we start using AJAX aka. Web 2.0 stuff. For example XSS is well known in the web development since a while and many developer try to avoid such vulnerabilities in their code which could be PHP, JSP, ASP or even others. Now they are confronted with AJAX and everyone should implement it in new and even already existing applications. The problem is now, that the developers aren’t aware of the security risks of sending HTTP requests from a script to their application. To say it more clearly, many developers aren’t aware of the fact, that all the data which will be transfered by Javascript are visible and can be modified by everyone. This means, that everyone can manipulate the requests, which will be sent to your application, even if the target for the requests isn’t thought to be accessible by users. Of course this is always the case but it’s not as clear as in old school web application development.

  I was ill today and so I thought that it would be time to give a proof on what I said long time ago and so I was looking for a target. Because I never had a look at facebook.com anyway and it’s one of the big players in the AJAX world, it was a good place for make the final test of my assertion.

  First I was checking some input fields with basic XSS test but not the crazy decoded stuff or something similar. Of course I found no vulnerabilities this way Then I started analyzing the Javascript stuff aka. AJAX. It took me just about 2 minutes to find the first XSS hole and in the next 5 minutes I found even more. At this point I’ve stopped with my test because this was the proof to me: AJAX is Evil!

  For those of you who would like to test it yourself, login to your facebook.com account, choose one of the following links and replace [uid] with your own uid. These links show four non-persistent (reflected) XSS which aren’t that dangerous on the first view but it shows that using AJAX can lead to new security holes in an application.

  XSS 1
  XSS 2
  XSS 3 (no uid of target needed, just login)
  XSS 4

  PS: If AJAX is Evil (it is!), why is Google using it anyway?

• 

  Become a Suspect

  Posted: November 28th, 2007, 12:05pm CST by Disenchant

  Tags:    [edit]

  A few days ago, I’ve got the following Mail (it’s in German):

  Hallo,
  das warst doch du, der unser Sprachportal (MobiLingua, Uni Passau) über das Forum gehackt hat und mir damit einen gehörigen Schrecken eingejagt hat, oder?
  Jedenfalls danke für den Hinweis - das ist halt der Nachteil von CMS: Man kann zwar mit relativ wenig Hintergrundwissen ein Layout anpassen und Inhalte bereitstellen, denkt aber in der Regel nicht an Sicherheitsaspekte (in der Hoffnung, dass das System das schon macht ;-))

  LG, [name of the sender]

  In English this means, that someone of the University of Passau thinks, that I’ve hacked their online platform called MobiLingua. Of course I didn’t hack their page and also I never heard about this MobiLingua before. Because of this, I answered the following:

  Hallo,
  ich beschäftige mich zwar beruflich sowie privat mit der Sicherheit von Webanwendungen, doch habe ich noch nie von genanntem Portal (MobiLingua, Uni Passau) gehört, geschweige denn habe ich dieses angegriffen.

  Ich würde mich sehr darüber freuen, wenn Sie mich so schnell als möglich darüber informieren könnten, wie Sie auf mich kommen in diesem Zusammenhang.

  Freundliche Grüsse und ein schönes Wochenende,
  Sven Vetsch

  This means, that I just wanted to know, why they think that I have attacked their site because it’s true that I have to deal with web application security every day but why they think I’ve done something when I know, that I didn’t do anything? The next mail I get answered this question:

  Hallo,
  bitte entschuldigen Sie, wenn ich mit meiner Vermutung falsch lag. Jemand hatte ein Online-Portal mit einem Foreneintrag gehackt, in dem HTML und Javascript untergebracht worden war. Dies war ein nett gemeinter Hinweis, auf eine bestehende Sicherheitslücke, offensichtlich ohne böse Absichten. Jedenfalls wurde dadurch in mein Layout statt dem üblichen Logo ein “Hacked”-Logo eingebaut, bei dem die URL auf Ihre Domain verwies. Ein Blick auf die Inhalte dieser Seite hat gezeigt, dass Sie sich mit eben solchen Sicherheitslücken auseinandersetzen und ich glaubte den “Verursacher” gefunden zu haben.

  Ich entschuldige mich deshalb vielmals für meinen Fehler..

  Mit freundlichen Grüßen und ein schönes Wochenende,
  [name of the sender]

  First it was written, that they’re sorry for suspecting me and afterwards it was described, why they think that I’ve done the hack on their platform and also what happened. Someone has inserted a “Hacked”-logo through a HTML- and Javascript-Injection (today aka. XSS) and on request I get the injected code:

  <script>
  alert('Ihre Festplatte wird formatiert wenn Sie OK klicken. Schalten Sie Ihren Rechner aus um abzubrechen.');
  document.getElementsByTagName("body")[0].style.backgroundColor = "fuchsia";
  document.getElementById("site-logo").src = "http://www.disenchant.ch/blog/images/entries/hacked.gif";
  document.getElementById("page").lastChild.innerHTML += '<br>Defacement: Da 3v1l H4X0rZ 2007 ;) lol';
  for(i = 0; i < 50; i++){
  document.getElementsByTagName("div")[i].style.backgroundColor = "fuchsia";
  }
  </script>

  Now it was clear what happened. The image ([www.disenchant.ch]) which was used for the hack or better call it now a defacement, was the one I’ve uploaded for my blog posting “owasp.org hacked“, where I wrote about someone who “hacked” the OWASP website/Wiki. When the people from the University of Passau checked the code, they found out, that the image was hosted on my domain and that I’ve got something to do with web application security. Now everything is clear and life goes on but this story really make me think of what can happen by just linking to or on the other side hosting images, even if it’s just mistake. It really shows, how easy someone can become a suspect in our so called information century.

  PS: I really have to translate the alert message of the used payload to English. “Ihre Festplatte wird formatiert wenn Sie OK klicken. Schalten Sie Ihren Rechner aus um abzubrechen.” means “Your hard disk will be formatted when you click OK. Turn off your computer to cancel.”. And I thought that at least these idiots became extinct years ago

• 

  Developing Firefox Extensions - Paper

  Posted: November 19th, 2007, 11:25am CST by Disenchant

  Tags:    [edit]

  When I started to study computer science, I thought that it would cost me less time than it does now. Because of this I don’t have as much research time as expected. I know, that some people are waiting for my announced papers ans so i decided to release my paper called “Developing Firefox Extensions”, even if it’s not finished and also not reviewed. The reason for this step is, that I hadn’t time to modify the document since the 19. August 2007 and I really think that this is too long to not release any part of it.

  Because I’m not sure how much time I’ve got to work on it during the next month(s) I’ll offer also the *.tex documents to everyone who would like to do further work on the paper.

  To say a few words about the paper itself, it’s simply a (at the moment) 31 pages long how-to with examples on how to develop your own extensions for Mozilla Firefox and with some additional work, I think it could be also interesting for schools to use it as teaching material.

  Download

  I hope some of you enjoy the paper, even if it’s not finished

• 

  Basics are Important

  Posted: November 2nd, 2007, 11:45am CDT by Disenchant

  Tags:    [edit]

  The topic of web application security is definitely a new topic, if we compare it for example to network security or something like cryptography but in all of this thematics, it’s important to give newcomers the basics because if they don’t have them, they’ll never be able to become good in what they’re going to do there. Let’s have a look at network security or better say at man-in-the-middle (MITM) attacks. I would say, that all of the security professionals today, even if their not specialized on network technologies know about this kind of attack but now have a look on web application security. Take the example of Cross Site Scripting (XSS). In the webappsec scene everyone will know about XSS and what you can do with it but are you sure that every network infrastructure pentester will know about it? Now I’d like to point you to a small experiment, if we can call it this way. About two weeks ago, I’ve given a presentation at the 0sec, a small security conference in Switzerland. Of course I spoke about web application security but I asked myself: “Most of the guys (and girls) there are low-level hackers, does it really make sense to talk about my newest research and the latest attack vectors?”. The answer for me was clear, the newest stuff will be the most exciting and if less than 50% of the audience knows what you’ve talked about, after your presentation, it’s was really cool and crazy stuff but from my point of view it’s much more important, to show people the basic possibilities we’ve got so far in hacking web technologies. Because of this, I decided to talk about the big picture of web application security, instead of the latest and greatest webapp hacking stuff and below you’ll find the short abstract for my talk:

  Most of the actual vulnerabilities which security researchers and also bad guys (doesn’t) report every day, are related to web applications. Even if this is the case, the security community didn’t get the big picture of what security related problems we’ve got through web applications. In this demonstration, Sven Vetsch (aka. Disenchant) will show you an overview of the most important web vulnerabilities like SQLi, XSS, CSRF, Path Traversal, Session Fixation and much more. The focus in this demonstration is not to show you the latest research results in webappsec, it’s to show the big picture of this topic to the attendees.

  As I already wrote before, it was some kind of an experiment because I didn’t know if the attending security people really want to hear old stuff but from my point of view it was really a success. I only get positive feedbacks and as I expected, most of the attendees where low-level hackers. Unfortunately I was not allowed to disclose the source code of my demo application, which is a vulnerable social networking platform, where I can simulate most of the web application related security problems we have today and I’d also like to implement even XML and AJAX security stuff. Because of this, it wasn’t that easy to show everything in a clear way but I think the attending people get from the demonstration what I expected, the big picture of web application security.

  This small story showed me, that many people in the security community know about some web application security stuff but even not the basics and at least from my point of view it makes much more sense to start with basic stuff instead of presenting state of the art hacking, only a few people will understand.

  PS: I would really like to create a web application security 101 video training but I have to check some licensing stuff before and in the worst case, I’ve to rewrite my whole demo application.

• 

  I’m alive and working

  Posted: October 28th, 2007, 12:32pm CDT by Disenchant

  Tags:    [edit]

  Yes it’s true, that it’s over a whole month ago since I wrote my last blog entry. This has different reasons, so for example I started studying computer science and had to become familiar with this new situation, especially because I’m still work for Dreamlab Technologies at the same time. Also it took me some time to hold a talk about the OWASP Testing Framework at this years Security-Zone in Zurich and I also spoke at the 0sec like I did last year. Then there is of course also the usual stuff like organizing the next OWASP Switzerland Local Chapter meeting, where we can expect two or three good talks and once again a sponsor for dinner. Some of you might also remember my blog posting called “What I’m Working on“, I already released the XSIO paper and the PHP code fixing paper is nearly ready but needs some small additional corrections. As you can see, I’ve got much to do at the moment anyway and now I’ve also to learn for school. I really hope, that I can again write more blog postings in the near future because there are more then enough interesting things to talk about.

• 

  Security-Zone 2007 Review

  Posted: September 24th, 2007, 11:04am CDT by Disenchant