I've been fortunate enough to manage a red team program for several years and since its inception it has gone through many changes. What started out as ad hoc engagements trying to see how far we could get/what problems we could find, turned into a mechanism to work more closely, and regularly with...
CGISecurity.com Turns 10!: A short appsec history of the last decade
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks. When I first started...
WASC Threat Classification 2.0 Sneak Peek
Here is a sneak peek at the WASC Threat Classification v2.0. We've been working on this for more than a year and it's been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement "The Threat Classification v2.0...
Announcing month of new security buzzwords
In the tradition of Month of Bugs we're pleased to announce the month of security buzzwords, complete with abbreviations. #1 Remote Command Injection (RCI) #2 Remote Filestream Inclusion (RFSI) #3 Cam Jacking (CJ) #4 Cross-Port Request Forgery (XPRF) #5 Cross-Site Fixation (XSF) #6 HTTP Gerbiling (HTTP-Gerbil) #7 Host Request Splitting (HRS) #8...
Proxy Attack Stupid Buzzword Contest
I just released a paper on an attack vector against certain transparent proxy architectures via the use of client side plugins with sockets support. If you've been reading this site for a while you can probably tell that I frown upon new industry buzzwords and often make fun of new silly sounding terms....
Microsoft Fixes Clickjacking in IE8?
"Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks. For those who don't recall, clickjacking is a relatively new technique -- first detailed...
Load Jacking latest buzzword
I hate promoting new buzzwords but found this one amusing. "So what do you do when you’re a couple of bored Russian immigrants with some cool hacking skills and you want to make some money the easy way? Well, if you are Nicholas Lakes and Vaiachelav Berkovich you set yourself up as...
Details of Clickjacking Attack Revealed With Online Spying Demo
"A researcher has “hacked” the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works. Details of the dangerous clickjacking attack have been closely held by the two researchers who discovered it -- Jeremiah Grossman and Robert “RSnake” Hansen -- at the request of Adobe,...
Adobe yanks speech exposing critical 'clickjacking' vulns
"In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web. Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser...
Same Site Scripting Paper Released
An email sent to bugtraq by Tavis Ormandy outlines a new attack dubbed same site scripting. "It's a common and sensible practice to install records of the form "localhost. IN A 127.0.0.1" into nameserver configurations, bizarrely however, administrators often mistakenly drop the trailing dot, introducing an interesting variation of Cross-Site Scripting (XSS)...
Coined Buzzword of the week: Cross Site Printing
Aaron Weaver has published a whitepaper describing how you can utilize 'intranet hacking' tricks to send spam to printers. Pretty amusing. "Many network printers listen on port 9100 for a print job (RAW Printing or Direct IP printing). You can telnet directly to the printer port and enter text. Once you disconnect...
Cross-build injection attacks
"Injection-based attacks have proven effective, yielding access to private data or possible control over a compromised machine. Software vendors are in a continual race to fix the holes that allow these attacks to succeed. But what if a hacker could inject malicious code when a program is actually compiled and created?...
JSON, Ajax & Web 2.0: Sounds like a classical reinvention, but this volatile trio opens the door to serious vulnerabilities
"Now that Web 2.0 hype is at full tilt, much ado's being made over Ajax framework vulnerabilities and other new-fangled bugs. A prime example of this phenomenon is the spectacular Javascript hijacking vulnerability discovered by Fortify Software (login required). Every security bug like this deserves some ink, but too much focus on...
Anti DNS Pinning/DNS Rebinding is the new industry buzz(word)
Anti-DNS Pinning/DNS Rebinding is the new security hot topic lately and I wouldn't expect the marketingfest to end anytime soon. "While previous attacks using JavaScript could send data to a network, the attack investigated by Stanford -- known as domain-name service (DNS) rebinding -- could send and receive data from the local...
Joanna Rutkowska Pwns challengers at blackhat
"In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at...
Anti XSS using Ajax
"XSS has become a problem that most web developers still suffer from till now, simply because however hard you try to validate every user input, it only takes a single line of code that prints out the user input without validation to render your whole application vulnerable to XSS attacks and...
5 Ways People Screw Up AJAX
I had noticed that not many articles existed on the negative aspects/implementation of ajax so I came up with this top 5 list of things people screw up when using ajax. 1. No back button!: One of the most annoying things to a user is the inability to go backwards. They may visit...
AJAX: Selecting the Framework that Fits
DDJ has released an article covering the following AJAX frameworks. * Dojo 0.3.1 (dojotoolkit.org). * Prototype and Scriptaculous 1.4 (www.prototypejs.org and script.aculo.us). * Direct Web Reporting 1.0 (getahead.org/dwr). * Yahoo! User Interface Library 0.11.1 (developer.yahoo.com/yui). * Google Web Toolkit 1.0 (code.google.com/webtoolkit). If you're using AJAX or are considering it, check it out....
Ambiguity In Ajax Lockdown Framework
An anonymous user writes "This draft sets focus on the complexities in ajax lockdown for client privacy. The framework is based on the concept of fusing ajax applications with direct web remoting. The stress is laid on the client server communication and the main point of talk is encrypting the client data and...
Myth-Busting AJAX (In)security
"The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced Web application developers and security experts have...
Ajax Security: Stronger than Dirt?
"Ajax allows the development of more feature rich, asynchronous applications, but in doing so opens up new possibilities for attackers. We look at the relevant security issues and their possible solutions. Ajax (Asynchronous JavaScript and XML) lurched into being in 2005 [1]. As a web services model, Ajax is touted as the...
Vulnerability Scanning Web 2.0 Client-Side Components
Shreeraj Shah has written an article outlining some of the 'Web 2.0' risks. He covers RSS Security, JSON, Ajax Security, Cross Site Request Forgery and other related issues. Article Link: http://www.securityfocus.com/infocus/1881
Top 10 Ajax Security Holes Post
RSnake provides some much needed insight into the AJAX craze. "However, I'd like to point out, as I have before that really users should not consider AJAX to be another security risk. It is the same old risk that we have always faced, except there is more client side code that can...
Hacking Web 2.0 Applications with Firefox
"AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals. This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning...
Top 10 Web 2.0 Attack Vectors
"On the “server-side”, XML based Web services are replacing some of the key functionalities and providing distributed application access through Web services interfaces. These remote capabilities to invoke methods over GET, POST or SOAP from the Web browser itself provide new openings to applications. On the other side, RIA frameworks running on XML,...
Ajax Security Basics Article
"Ajax is considered the next step in a progression towards the trumpeted, "Web 2.0." The purpose of this article is to introduce some of the security implications with modern Ajax web technologies. Though Ajax applications can be more difficult to test, security professionals already have most of the relevant approaches and tools needed....
Ajax Storage: A Look at Flash Cookies and Internet Explorer Persistence
An Anonymous Employee Writes "Foundstone has an interesting write up on their site about Flash shared objects and other AJAX caching developments from a security angle. The Dojo JavaScript Framework already includes code to make use of this. These "cookies" can save larger amounts of data, can be accessed across...
ALERT: Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability Discovered
CERT has issued a warning against a new web based threat entitled a "Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability". According to the founder of DSHIELD Johannes Ullrich "If on April 1st you have specific non default settings in Internet Explorer, visit a series of 4 specific websites in order...
Application Security Predictions For The Year 2006
In 2005 published application security vulnerabilities have exploded. If you're subscribed to mailing lists such as bugtraq you know just how often Cross Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 exclusively covering the threats that the web...