Yesterday a couple of 'researchers' published that a couple of major sites were vulnerable to CSRF. A general rule of thumb is that unless you are explicitly protecting against CSRF, or are accidentally protected, then you're vulnerable. CSRF in 2008 is what XSS was in 2002, somewhat understood and rarely protected against...
Insecure Mag #18 published
Insecure Magazine #18 was just released. Here is a list of some of the articles within it:
Network and information security in Europe today
Browser security: bolt it on, then build it in
Passive network security analysis with NetworkMiner
Lynis - an introduction to UNIX system auditing
Windows driver vulnerabilities: the METHOD_NEITHER...
Checking for ViewStateUserKey using FxCop
An anonymous user writes "ASP.NET has had a mitigation against CSRF/One-Click attacks since 1.1 with the use of the Page.ViewStateUserKey property. You can now make sure that the property is being used using FxCop." Link: https://blogs.msdn.com/sfaust/archive/2008/09/25/checking-for-viewstateuserkey-using-fxcop.aspx
Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski of Google has posted a proposal on browser security enhancements to the WHATWG mailing list. "I am posting here on the advice of Ian Hickson; I'm new to the list, so please forgive me if any of this brings up long-dismissed concepts; hopefully not. For a couple of months now,...
Humor: Worldwide SQL Protocol Advisory
The Full Disclosure mailing list is usually 95% junk, but every once in a while an amusing/informative post gets through. Today an amusing post came through regarding a 'Worldwide SQL Protocol Advisory'. That's not to say this post isn't junk, but I found it amusing :) Here's a peek: "II. Problem description The...
Off Topic: The Thirteen Greatest Error Messages of All Time
Slashdot linked to a top 13 list of amusing error messages. Check them out at: http://technologizer.com/2008/09/18/errormessage/
Firefox 3.0.2 released to address multiple security flaws
Firefox 3.0.2 has been released, addressing the following security flaws:
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag
Read more at: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.2
W3C Working Draft for Access Control for Cross-Site Requests Published
"This document defines a mechanism to enable client-side cross-site requests. Specifications that want to enable cross-site requests in an API they define can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this...
Mark Russinovich on the Future of Security
"Windows IT people everywhere owe thanks to Dr. Mark Russinovich, now a technical fellow at Microsoft and his less-famous partner Bryce Cogswell. Russinovich is famous both as an author, making the technical details of Windows accessible to the rest of us who dare to think we are technical, and as a programmer,...
Fxcop HtmlSpotter - Spotting ASP.NET XSS using Fxcop and Html encoding document
An anonymous user writes "In his previous blog post, Sacha provided an updated list of the ASP.NET control HTML encoding information. He has now integrated the content into FxCop to help quickly identify spots in ASP.NET binaries that should be reviewed for XSS issues." Read more: http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-encoding-document.aspx
The Palin Hack: Why most question recovery systems suck
Motley Fool wrote an article blaming Yahoo! for the Palin hack. Computerworld has pointed out Gmail, Yahoo, and Hotmail as being vulnerable as well. To be clear, any site supporting the answering of common questions as a way to restore account access is vulnerable. The issue is not that these sites are vulnerable...
ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery
"ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn't work for non-postbacks (i.e., GET requests), and it doesn't work if the ViewState MAC is turned off. In several different places, we see a piece of advice repeated - use the ViewStateUserKey property to prevent One-Click Attacks. Often,...
Off Topic: Hackers claim break-in to Palin's e-mail account
While this is off topic for this site I do find it amusing :) "Hackers broke into the Yahoo! e-mail account that Republican vice presidential candidate Sarah Palin used for official business as Alaska's governor, revealing as evidence a few inconsequential personal messages she has received since John McCain selected her as...
Tools: Scalp - Apache log analyzer for security
Romain Gaucher posted the following email to The Web Security Mailing List today announcing a handy tool he authored. "I remember reading here a couple of emails about how to analyze the apache log in order to look for potential attacks. Since I needed to do exactly the same few times ago,...
Adobe yanks speech exposing critical 'clickjacking' vulns
"In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web. Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser...
Mozilla security chief: Apple should open up
"Mozilla's security chief said Apple should disclose more information about the steps it takes to protect customers from malware and other computer-borne threats. At a security conference on Monday, Window Snyder said open communication about recently reported vulnerabilities and ongoing processes for locking down products is a core responsibility of security departments...
Real World XSS Vulnerabilities in ASP.NET Code
Microsoft has posted an article on what real-world XSS-vulnerable code looks like in ASP.NET applications. Handy if you develop ASP.NET or audit it for issues. "For a couple of weeks we have been seeing some XSS vulnerabilities in ASP.NET code. Today I wanted to show you guys some real world examples...
WASC Threat Classification v2 Project - Call for Participants
In addition to running CGISecurity I also participate heavily in The Web Application Security Consortium and its projects. I sent the following email to The Web Security Mailing List seeking participants for v2 of the WASC Threat Classification document. "I'm sending this email to the list seeking people to contribute towards The...
CGISecurity turns 8!
I'm happy to announce CGISecurity's 8th year providing website and application security news as of today. What started out as an excuse to learn about web-based vulnerabilities has really evolved. Here are a few things to put into perspective - The following terms hadn't been coined yet - CSRF/XSRF/Cross-site Request Forgery...
Google Chrome criticised over lack of security
"Users should wait to use Google Chrome after its vulnerabilities were exposed. Randy Abrams, director of Technical Education at ESET, claimed that as vulnerable code was used, users should only use Chrome when they are not viewing sensitive pages. He claimed that the oversight by Google is indicative of either a lack...
Microsoft IE8 and Google Chrome - Processes are the New Threads
"I happened to install Google Chrome (Alpha) the same day I installed Internet Explorer 8 (Beta). I noticed immediately, as I'm sure many of you have, that both browsers isolate tabs in different processes. Unix folks have known about the flexibility of forking a process forever. In Unix, fork() is just about...
Samurai Web Testing Framework
"As live CDs have become more popular, specialized distributions have begun to emerge. One such specialty live CD is Samurai, a distribution squarely focused on web application penetration and vulnerability testing. Samurai is dubbed a "web testing framework" in much the same way that Metasploit is termed a framework. Samurai is...
WASC Announcement: 2007 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative, industry-wide effort to pool together sanitized website vulnerability data and to gain a better understanding of the web application vulnerability landscape. We ascertain which classes of attacks are...
How To: Detect Cross Site Scripting Vulnerabilities using XSSDetect
"Last time we saw how to fix a cross site scripting (XSS) vulnerability. This time we look at how we can detect cross site scripting vulnerabilities using automated tools. Being the most common vulnerability found in web applications, it is very important to detect and mitigate XSS vulnerabilities early in the development cycle....
Google releases Chrome Web browser
UPDATED: Yet another issue has been discovered, this time a DoS. UPDATED: 3 hours later a vulnerability has been published. Google has just released an open-source browser based on Apple's WebKit. I'm guessing it will be less than 48 hours before the first vulnerability is discovered. Since Safari uses WebKit it will...
Article: SDL Embraces The Web
Bryan Sullivan from Microsoft has posted an article on SDL use to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read through...
Which ASP.NET Controls Automatically HTML Entity Output Encodes?
Sacha Faust has just published a grid mapping which ASP.NET controls automatically perform HTML entity output encoding when used. Link: http://blogs.msdn.com/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx Grid: http://blogs.msdn.com/sfaust/attachment/8918996.ashx