Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article "Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly...
CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years
To commemorate this site turning 10 I've created a list of my top 10 thought provoking/innovate posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response...
New Site Addressing Python Security
For you python developers out there, Craig Younkins sent the following to The Web Security Mailing List (which I moderate) this morning. "I'd like to invite you to a new community - http://www.pythonsecurity.org/ - which is now the central hub for security in Python. We're writing articles on security topics and how...
A reminder that CSRF affects more than websites
Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd. <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME";> The NetBSD team addressed this issue by failing on large commands. The...
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is...
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC
Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new...
Announcing the Web Application Security Scanner Evaluation Criteria v1
"The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list...
Hacking Short CSRF Tokens using CSS History Hack
Securethoughts has posted an entry on combining CSS history theft hacking to brute force short CSRF tokens and has created a POC demonstrating it. While not fast this is certainly achievable (assuming the token is still valid/hasn't expired once identified) on short CSRF token values, and has the advantage in that it...
Amazon CSRF "hack" in detail?
UPDATE: According to an updated Wired news story this is a sham and no hacker was involved. RSnake recently posted an entry linking to the write up on how a Cross-Site Request Forgery flaw in amazon was used to get Gay and Lesbian books banned from amazon's site via their reputation system....
New Gmail Flaw Lets Attacker Control 'Change Password' Function
"A researcher today released a proof-of-concept for a vulnerability he discovered in Google Gmail that lets an attacker change a Gmail user's password, wage a denial-of-service attack on the account, or even access other Gmail users' email. The cross-site request forgery (CSRF) flaw -- which researcher Vicente Aguilera Diaz from Madrid-based Internet...
Protect Your Site With URL Rewriting
Bryan Sullivan over at Microsoft has published a lengthy article on the advantages of URL writing to prevent certain types of attacks. "Tim Berners-Lee once famously wrote that "cool URIs don't change." His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in such...
The security industry needs to re-align its training expectations for QA
I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and...
Web Application Scanners Comparison
anantasec posted a scanner comparison to the web security mailing list today. "In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners.This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation. The applications (web scanners)...
Researchers from Princeton University Publish vulnerabilities in unpatched sites
Yesterday a couple of 'researchers' published that a couple of major sites were vulnerable to CSRF. A general rule of thumb is that unless you are explicitly protecting against CSRF, or are accidentally protected, then you're vulnerable. CSRF in 2008 is what XSS was in 2002, somewhat understood and rarely protected against...
Checking for ViewStateUserKey using FxCop
An anonymous user writes "ASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. You can now make sure that the property is being used using FxCop." Link: https://blogs.msdn.com/sfaust/archive/2008/09/25/checking-for-viewstateuserkey-using-fxcop.aspx
ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery
"ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn't work for non post-backs (I.e. GET requests), and it doesn't work if the ViewState MAC is turned off. In several different places, we see a piece of advice repeated - use the ViewStateUserKey property to prevent One-Click Attacks. Often,...
WASC Announcement: 2007 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are...
Article: SDL Embraces The Web
Bryan Sullivan from Microsoft has posted an article on SDL use to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read through...
Cross-site hacks and the art of self defence
Generally, browsers stop cross-site communication by following the "same-origin policy". This rule is pretty simple: if your site has a different origin - protocol, domain, and port don't all match - you aren't allowed to access information from or send requests to the other site. Without this simple rule, there would be...
Tools: Grendel Scanner a new Web Application Security Scanner
While attending defcon I got to check out a talk on a new web application security scanner called Grendel scanner. For those of you who don't know I used to work at spi dynamics on the webinspect product (now part of HP) and I got to say it is one of the...
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
Intro The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most...
Rich data: the dark side to Web 2.0 applications
"All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users create new and innovative content and services. Unfortunately, richness affords attackers an...
Jason Taylor on Security Testing
Microsoft has a decent article on security testing for CSRF worth checking out. "Tester Question: What is a cross-site request forgery attack? How do I test our website to see if it is vulnerable to this attack?" Article Link: http://msdn.microsoft.com/en-us/testing/cc664492.aspx
Orkut Worm v2.0
"The Scrapkut worm uses active code injection to spread between victims and their friends on Orkut. The malicious code appears on a victim’s scrapbook, containing a link to a supposed YouTube video. People who click on the link are redirected to an external site hosting malware that's disguised as a Flash upgrade....
Performing Distributed Brute Forcing of CSRF vulnerable login pages
Update: Apparently this is described in a paper by sensepost that I wasn't aware of. Check out there paper at http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf. We know that CSRF is bad, and that if your application is performing an important action to utilize a random token associated with the users session. I started thinking a bit...
Security details of the upcoming Rails 2.0 release
"Making it even easier to create secure applications out of the box is always a pleasure and with Rails 2.0 we’re doing it from a number of fronts. Most importantly, we now ship we a built-in mechanism for dealing with CRSF attacks. By including a special token in all forms and Ajax...
Google Fixes Gmail Cross-site Request Forgery Vulnerability
"Google has fixed a vulnerability in their Gmail web based email service which would have allowed internet attackers to steal mail messages from users without being noticed. The attack works by forcing a logged-in user to add a mail filter to their Gmail account, thereby allowing their mail to be forwarded to...
Second life URI Handler vulnerability
PDP has a good example of when the non web world can be exploited by web world functionality. In his writeup he described how second life's URI handler can be used to steal the encrypted password hash that can be replayed and used to login to a users account. "Keep in mind...
Big trouble if PCI-DSS requires CSRF
Jeremiah Grossman has a post asking the question 'what if PCI-DSS requires CSRF protection?'. Short answer, just about everybody is vulnerable (more than XSS) and making people be compliant to it is going to be almost unrealistic. Article Link: http://jeremiahgrossman.blogspot.com/2007/03/big-trouble-if-pci-dss-requires-csrf.html
Cross-site Request Forgery and Blackhat SEO
I research whitehat and blackhat SEO in my spare time (however not on this domain :), and was thinking about some additional uses for Cross-site Request forgery from the blackhat SEO perspective. * Publishing/Spamming links: People spamming forums with links is nothing new. By utilizing CSRF on the otherhand you could force...
Same-Origin Policy Part 1: Why we're stuck with things like XSS and XSRF/CSRF
"The last few years have seen a constant rise in vulnerabilities like cross-site scripting (XSS), HTTP response splitting, and cross-site request forgery (XSRF or CSRF). While the vectors and exploit of each of these vulnerability classes vary, they all have one common thread. Each of these vulnerabilities exploits trust shared between a...
CGISecurity Article: The Cross-Site Request Forgery FAQ
The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw. This paper serves as a living document for Cross-Site Request Forgery issues and will be updated as new information is discovered. If you have any suggestions or comments please...