Last 50 'Commentary' Tagged Posts

20 years of CGISecurity: What appsec looked like in the year 2000

Just realized that 20 years have passed since I started this site to learn more about web security threats. What 'appsec' looked like in 2000: OWASP didn't exist yet, nor did WASC. Vulnerability disclosure was the wild west. Rain forest puppy (RFP) (that guy who discovered sqli) had just created the first...

My experience coleading purple team

I've been fortunate enough to manage a red team program for several years and since its inception it has gone through many changes. What started out as ad hoc engagements trying to see how far we could get/what problems we could find, turned into a mechanism to work more closely, and regularly with...

Google's intentions are good, but implementation leave MORE users vulnerable to hacking than before

In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which...

My experience with developer security training

I've been busy this past year which has resulted in almost no updates to this site. Consider this one of many rants/posts of my experience/s in the industry during this time. This post covers a topic I think many people implement poorly, which is security training targeting developers. How most people implement...

Malicious CA's continue to cause headaches

Google published today that yet another CA has been caught generating certs for Google's domains. This problem is likely occurring on a much larger scale and seems to be detected by chance. Some have suggested crawling the internet and starting a DB, and while this may detect some issues it's limited for...

Five pieces of advice for those new to the infosec industry

I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc.) and thought I'd share a few points to those of you starting out in the security industry. Things are worse than you expect: The reality is that companies, even large...

Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google

UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work....

NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad

NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++. From the README "This archive contains test cases intended for use by organizations and individuals...

CGISecurity.com Turns 10!: A short appsec history of the last decade

Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks. When I first started...

A reminder that CSRF affects more than websites

Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd. <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME";> The NetBSD team addressed this issue by failing on large commands. The...

2010 SANS Top 25 Most Dangerous Programming Errors Released

I was lucky enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented, giving you insight into how decisions were made. I do want to point out that top...

Potential risks of using Google's free DNS service?

Google has announced that they are offering a free DNS service to anyone wanting to use it. Unfortunately the motivations/privacy concerns aren't being discussed in as much detail as I'd like, and people aren't asking the important question of why Google is offering such a free service. Several points to consider: Google...

Months later, more products identified using exploitable transparent proxy architecture

It's been more than 3 months since I published my paper on abusing transparent proxies with flash, and 4 months since CERT's Advisory (VU#435052). Since that time additional products have been identified as being exploitable. Still Vulnerable: Squid (http://www.squid-cache.org/); Astaro (http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/24916-socket-capable-browser-plugins-result-transparent-proxy-abuse.html); QBik Wingate (http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-2009-0802); Tiny Proxy? (https://packetprotector.org/forum/viewtopic.php?id=4018); Smoothwall, SchoolGuardian, and NetworkGuardian (http://www.kb.cert.org/vuls/id/MAPG-7M6SM7)...

PayPal Software Security Podcast

Gary McGraw posted the following to the secure coding mailing list today. "Episode 6 of the Reality Check security podcast features our own Andy Steingruebl chatting with me about Paypal's software security initiative. This was a fun episode for me, because though I have known Andy for a while I had little...

Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse

For over a year in my spare time I've been working on an abuse case against transparent proxies at my employer, and have just released my latest paper "Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same...

The security industry needs to re-align its training expectations for QA

I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and...

Security metrics on flaws detected during architectural review?

I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics...

Rant: Mac user's security arrogance clouds common sense

F-Secure has posted the following blog entry at securityfocus. "There has been a lot of talk (link 1, link 2, link 3) during the last few days about a support article that seemingly appeared on the Apple website. In the article, Apple advised users to install an anti-virus software to make sure...

Dave Aitel on Static Analysis Tools

Dave Aitel has posted to dailydave with his thoughts on Static Analysis Industry. From his email "So OWASP was dominated by lots of talk from and about static code analysis tools. I wandered around with a friend of mine at the various booths (CodeSecure [1], Fortify[2], IBM AppScan[3], Ounce Labs) and tried...

Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski of Google has posted a proposal on browser security enhancements to the whatwg mailing list. "I am posting here on the advice of Ian Hickson; I'm new to the list, so please forgive me if any of this brings up long-dismissed concepts; hopefully not. For a couple of months now,...

The Palin Hack: Why most question recovery systems suck

Motley Fool wrote an article blaming Yahoo! for the Palin Hack. Computerworld has pointed out Gmail, Yahoo, and Hotmail as being vulnerable as well. To be clear, any site supporting answering of common questions as a way to restore account access is vulnerable. The issue is not that these sites are vulnerable...

Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud

Intro: The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most...

My current stance on Web Application Firewalls

Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points; however, there is one in particular I'm going to have to disagree with, and that relates to using web application firewalls. For many years I've been anti web application firewall and as a...

Bots Use SQL Injection Tool in Web Attack and Rant

"The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with...

Performing Distributed Brute Forcing of CSRF vulnerable login pages

Update: Apparently this is described in a paper by SensePost that I wasn't aware of. Check out their paper at http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf. We know that CSRF is bad, and that if your application is performing an important action it should utilize a random token associated with the user's session. I started thinking a bit...

Browser Security: I Want A Website Active Content Policy File Standard!

UPDATE: Before reading any further, I want to preface that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it on what its behavior should be on that site. The example below is a "sample implementation" and isn't...

5 amusing security vendor moments

This list was created based off of real security vendor interactions that I and a friend have experienced. 1. Customer: Have you had a security evaluation of your product? Vendor: Yes, Kevin Mitnick has performed a pen test against our product. (sorry Kevin! :) 2. The vendor comes to your office and pitches...

Cenzic Patent Case Worries Web Researchers, Vendors

"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit -- which centers around Cenzic's patent on a Web application vulnerability scanning technology -- could mean trouble for other scanner vendors, as well as researchers who develop scanning...

Cenzic Patents the obvious: Fault Injection!

I monitor Google News for anything application security related and found the following announced today by Cenzic. "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." - Cenzic Cenzic is not the...

5 Ways People Screw Up AJAX

I had noticed that not many articles existed on the negative aspects/implementation of AJAX, so I came up with this top 5 list of things people screw up when using AJAX. 1. No back button!: One of the most annoying things to a user is the inability to go backwards. They may visit...

Ad networks tracking users without cookies

I read Jeremiah's post about tracking users without cookies and had a conversation with him about it and how ad services companies could track users when cookies are not available. While the Basic auth method works it will only work with Firefox since IE has disabled this ability after years of being...

A Software Call To Arms: Where are source control repository security scanning tools?

<rant> We've heard of source code analysis tools and blackbox scanning tools, and they have value to help secure your application. Unfortunately they have a major downside: they require the discipline of using them. If your developers don't run them they can still check in vulnerable code to your source code repository....

The bug disclosure debate continues

"Software makers are at the mercy of bug hunters when it comes to flaw disclosure, Mozilla's security chief said Saturday. The software industry for years has pushed guidelines for vulnerability disclosure. Those "responsible disclosure" efforts have had some effect, but security researchers maintain control over the process, Mozilla security chief Window Snyder...

Cross-site Request Forgery and Blackhat SEO

I research whitehat and blackhat SEO in my spare time (however not on this domain :), and was thinking about some additional uses for Cross-site Request Forgery from the blackhat SEO perspective. * Publishing/Spamming links: People spamming forums with links is nothing new. By utilizing CSRF on the other hand you could force...

Backdooring UIML's and Existing JavaScript Applications

One of the more interesting aspects of so called 'Rich Internet Applications' involves User Interface Markup Languages such as XUL (By Mozilla, been around awhile) and XAML/XBAP (.NET 3.0 the new kid on the block). Essentially these languages allow you to 'paint' buttons, menu bars, grids, forms, messageboxes, and other GUI components...

Wikipedia's search engine will spell trouble for the SEO market

Wikipedia's founder has announced a search engine allowing users to control the search results in a way similar to how digg works. I dabble in Search Engine Optimization (SEO) and I expect a huge shift if the other major search engines such as Google and Yahoo adopt similar models. Typically people will...

The lack of security enabled frameworks is why we're vulnerable

We've been stating for years that 'developers need to learn to code securely'. Sure, this is great, however it is essentially limited to skilled professionals. This isn't to say we shouldn't keep teaching; however, rather than simply focusing on those paying attention, we should start babysitting the remaining majority. So how do you watch...

Application Security Predictions of 2007

Ok I know I'm a little early but here's my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them, however read them over and give them some thought. Rich Internet Applications (RIA) .net 3.0 WPF and Adobe Flex The next big...

Attacking Permalinks

Everyone has seen URLs such as http://site/2006/02/02 and you know that there's an application in the backend somewhere, but figuring out how to attack those URLs can be tricky. A few of you have probably tried attacking them by sending requests such as http://site/2006'>/02/02 and received a 404 page. I started thinking...

Article: Challenges faced by automated web application security assessment tools

If you're in the position of evaluating a web application security scanner, or use one to fulfill a compliance scanning requirement then you may want to check out an article I wrote describing some of the challenges these products face. Article Link: http://www.cgisecurity.com/articles/scannerchallenges.shtml

Flash + JS + crossdomain.xml = phun

I was browsing Jeremiah Grossman's Blog and found an interesting post talking about a file named crossdomain.xml and extended uses of it in regards to cross site scripting. In a nutshell there's this file called crossdomain.xml used by Flash to say 'I am www.domainb.com and I will allow users of www.domaina.com to...

More fun with CSS history

There's been a big fuss that with CSS you can identify if someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising. You run www.sitea.com and www.siteb.com and www.sitec.com are competitors of yours. Now you...

Top 5 signs you've selected a bad web application package

5. The vendor's idea of a patch process involves you editing line X and replacing it with new code 4. The amount of total downloads is less than the application's age 3. It isn't running on the vendor's homepage 2. The readme file states that you need to chmod a certain file...

Application Security Predictions For The Year 2006

In 2005 published application security vulnerabilities have exploded. If you're subscribed to mailing lists such as bugtraq you know just how often Cross Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 exclusively covering the threats that the web...