Just realized that 20 years have passed since I started this site to learn more about web security threats. What 'appsec' looked like in 2000 OWASP didn't exist yet, nor did WASC Vulnerability disclosure was the wild west. Rain forest puppy (RFP) (that guy who discovered sqli) had just created the first...
I've been fortunate enough to manage a red team program for several years and since it's inception it has gone through many changes. What started out as adhoc engagements trying to see how far we could get/what problems we could find, turned into a mechanism to work more closely, and regularly with...
In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which...
I've been busy this past year which has resulted in almost no updates to this site. Consider this one of many rants/posts of my experience/s in the industry during this time. This post covers a topic I think many people implement poorly, which is security training targeting developers. How most people implement...
Google published today that yet another CA has been caught generating certs for Google's domains. This problem is likely occuring on a much larger scale and seems to be detected by chance. Some have suggested crawling the internet and starting a DB, and while this may detect some issues it's limited for...
I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc..) and thought I'd share a few points to those of you starting out in the security industry. Things are worse than you expect The reality is that companies, even large...
UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work....
NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals...
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks . When I first started...
Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd. <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME";> The NetBSD team addressed this issue by failing on large commands. The...
I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top...
Google has announced that they are offering a free DNS service to anyone wanting to use it. Unfortunately the motivations/privacy concerns aren't being discussed in as much detail as I'd like, and people aren't asking the important question of why google is offering such a free service. Several points to consider Google...
It's been more than 3 months since I published my paper on abusing transparent proxies with flash, and 4 months since CERT's Advisory (VU#435052). Since that time additional products have been identified as being exploitable. Still Vulnerable Squid http://www.squid-cache.org/ Astaro http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/24916-socket-capable-browser-plugins-result-transparent-proxy-abuse.html QBik Wingate http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-2009-0802 Tiny Proxy? https://packetprotector.org/forum/viewtopic.php?id=4018 Smoothwall, SchoolGuardian, and NetworkGuardian http://www.kb.cert.org/vuls/id/MAPG-7M6SM7...
Gary McGraw posted the following to the secure coding mailing list today. "Episode 6 of the Reality Check security podcast features our own Andy Steingruebl chatting with me about Paypal's software security initiative. This was a fun episode for me, because though I have known Andy for a while I had little...
For over a year in my spare time I've been working on a abuse case against transparent proxies at my employer, and have just released my latest paper '"Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same...
I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and...
I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics...
F-Secure has posted the following blog entry at securityfocus. "There has been a lot of talk (link 1, link 2, link 3) during the last few days about a support article that seemingly appeared on the Apple website. In the article, Apple advised users to install an anti-virus software to make sure...
Dave Aitel has posted to dailydave with his thoughts on Static Analysis Industry. From his email "So OWASP was dominated by lots of talk from and about static code analysis tools. I wandered around with a friend of mine at the various booths (CodeSecure [1], Fortify[2], IBM AppScan[3], Ounce Labs) and tried...
Michal Zalewski of google has posted a proposal on browser security enhancements to the whatwg mailing list. "I am posting here on the advice of Ian Hickson; I'm new to the list, so please forgive me if any of this brings up long-dismissed concepts; hopefully not. For a couple of months now,...
Motley fool wrote an article blaming Yahoo! for the Palin Hack. Computerworld has pointed out Gmail, Yahoo, and Hotmail as being vulnerable as well. To be clear any site supporting answering of common questions as a way to restore account access is vulnerable. The issue is not that these sites are vulnerable...
Intro The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most...
Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points however one in particular I'm going to have to disagree with and that related to using Web application firewalls. For many years I've been anti Web application firewall and as a...
"The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with...
Update: Apparently this is described in a paper by sensepost that I wasn't aware of. Check out there paper at http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf. We know that CSRF is bad, and that if your application is performing an important action to utilize a random token associated with the users session. I started thinking a bit...
UPDATE Before reading on any further I want to prefix that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it of what its behavior should be on that site. The example below is a "sample implementation" and isn't...
This list was created based off of real security vendor interactions that I and a friend have experienced. 1.Customer: Have you had a security evaluation of your product? Vendor: Yes, Kevin Mitnick has performed a pen test against our product. (sorry kevin! :) 2. The vendor comes to your office and pitches...
"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit -- which centers around Cenzic's patent on a Web application vulnerability scanning technology -- could mean trouble for other scanner vendors, as well as researchers who develop scanning...
I monitor google news for anything application security related and found the following announced today by Cenzic. "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." - Cenzic Cenzic is not the...
I had noticed that not many articles existed on the negative aspects/implementation of ajax so came up with this top 5 list of things people screw up when using ajax. 1. No back button!: One of the most annoying things to a user is the inability to go backwards. They may visit...
I read Jeremiah's post about tracking users without cookies and had a conversation with him about it and how ad services companies could track users when cookies are not available. While the Basic auth method works it will only work with firefox since IE has disabled this ability after years of being...
<rant> We've heard of source code analysis tools, and blackbox scanning tools and they have value to help secure your application. Unfortunately they have a major downside, they require the discipline of using them. If your developers don't run them they can still check in vulnerable code to your source code repository....
"Software makers are at the mercy of bug hunters when it comes to flaw disclosure, Mozilla's security chief said Saturday. The software industry for years has pushed guidelines for vulnerability disclosure. Those "responsible disclosure" efforts have had some effect, but security researchers maintain control over the process, Mozilla security chief Window Snyder...
I research whitehat and blackhat SEO in my spare time (however not on this domain :), and was thinking about some additional uses for Cross-site Request forgery from the blackhat SEO perspective. * Publishing/Spamming links: People spamming forums with links is nothing new. By utilizing CSRF on the otherhand you could force...
One of the more interesting aspects of so called 'Rich Internet Applications' involves User Interface Markup Languages such as XUL (By Mozilla, been around awhile) and XAML/XBAP (.NET 3.0 the new kid on the block). Essentially these languages allow you to 'paint' buttons, menu bars, grids, forms, messageboxes, and other GUI components...
Wikipedia's founder has announced a search engine allowing users to control the search results in a way similar to how digg works. I dabble in Search Engine Optimization (SEO) and I expect a huge shift if the other major search engines such as google and yahoo adopt similar models. Typically people will...
We've been stating for years 'developers need to learn to code securely' sure this is great, however is essentially limited to skilled professionals. This isn't to say we shouldn't keep teaching however rather than simply focusing on those paying attention we should start babysitting the remaining majority. So how do you watch...
Ok I know I'm a little early but here's my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them, however read them over and give them some thought. Rich Internet Applications (RIA) .net 3.0 WPF and Adobe Flex The next big...
Everyone has seen urls such as http://site/2006/02/02 and you know that there's an application in the backend somewhere but figuring out how to attack those urls can be tricky. A few of you have probably tried attacking them by sending requests such as http://site/2006'>/02/02 and received a 404 page. I started thinking...
If you're in the position of evaluating a web application security scanner, or use one to fulfill a compliance scanning requirement then you may want to check out an article I wrote describing some of the challenges these products face. Article Link: http://www.cgisecurity.com/articles/scannerchallenges.shtml
I was browsing Jeremiah Grossman's Blog and found an interesting post talking about a file named crossdomain.xml and extended uses of it in regards to cross site scripting. In a nutshell there's this file called crossdomain.xml used by flash to say 'I am www.domainb.com and I will allow users of www.domaina.com to...
There's been a big fuss that with CSS you can identify if someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising. You run www.sitea.com and www.siteb.com and www.sitec.com are competitors of yours. Now you...
5. The vendor's idea of a patch process involves you editing line X and replacing it with new code 4. The amount of total downloads is less than the application's age 3. It isn't running on the vendors homepage 2. The readme file states that you need to chmod a certain file...
In 2005 published application security vulnerabilities have exploded. If you're subscribed to mailing lists such as bugtraq you know just how often Cross Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 exclusively covering the threats that the web...
