web application security lab

Archive for December, 2006

Detecting Privoxy Part II

Wednesday, December 20th, 2006

Well, the old trick still works, but I just wasn’t satisfied with that. I really like to break Privoxy for some reason. I have nothing against it; it just seems like a kludge to me. A kludge that needs to be broken. So I decided to come up with another way to do the exact same thing, only in a trickier way. This time I used a technique stolen right out of Jeremiah’s handbook: I used CSS and JavaScript to detect whether an embedded CSS file works or not.

Click here with Privoxy and JavaScript turned on to have it detect you. That’s right, I noticed that Privoxy has its own custom style sheet. It embeds it whenever it gives you an error message (which is relatively often). That style sheet overrides a particular class called “warning”. So I created an EM tag with a warning class, and then wrote a little piece of JavaScript stolen almost word for word from Jeremiah’s CSS history hack, and poof.

You can now (again) detect if users are using Privoxy, which might tell you something about them, or may cause you to take different actions based on that fact. Privoxy isn’t so private after all.

Combining UTF-7 and Data Directives

Wednesday, December 20th, 2006

I got an email this morning from dw1de talking about the data directive. As you probably remember, I’ve had that on the cross site scripting cheat sheet for about a year. But dw1de took it to a place I hadn’t thought of before. He started changing the charset around. He took a standard UTF-7 vector and injected it like so (this will only work in Netscape 8.0+ in the Gecko rendering engine mode, Firefox and Opera):

data:text/html;charset=UTF-7,+ADw-script+AD4-alert('XSS')+ADsAPA-/script+AD4-

See the charset? Clever, huh? Now let’s take it to the next logical place by modifying it to be Base64 encoded, like the example on the cheat sheet:

data:text/html;charset=UTF-7;base64,K0FEdy1zY3JpcHQrQUQ0LWFsZXJ0KCdYU1MnKStBRHNBUEEtL3NjcmlwdCtBRDQt

As dw1de said, there is probably more here. I took a cursory pass at trying to get US-ASCII working but then I realized it wouldn’t because that vector works only in Internet Explorer (even the best of us can get confused about the interaction between these vectors). But yes, there is probably more here. Thanks, dw1de!
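The reason a charset on a data: URI matters is that the renderer decodes the payload with the declared charset before parsing it as HTML, so a filter that inspects the literal URI text never sees the tag. The following is an added example (not code from the post or from dw1de) that parses a data: URI the way RFC 2397 lays it out, renders both vectors quoted above to the markup the browser actually parses, and contrasts a literal-text blocklist with one that normalizes first. The two vector strings are the ones from the post; everything else is constructed here.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Sample inputs: the two vectors quoted in the post above.
UTF7_URI = "data:text/html;charset=UTF-7,+ADw-script+AD4-alert('XSS')+ADsAPA-/script+AD4-"
UTF7_B64_URI = ("data:text/html;charset=UTF-7;base64,"
                "K0FEdy1zY3JpcHQrQUQ0LWFsZXJ0KCdYU1MnKStBRHNBUEEtL3NjcmlwdCtBRDQt")

_DATA_URI = re.compile(r"^data:(?P<meta>[^,]*),(?P<payload>.*)$", re.S)


def parse_data_uri(uri):
    """Split an RFC 2397 data: URI into (mediatype, charset, is_base64, payload)."""
    m = _DATA_URI.match(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    params = [p.strip() for p in m.group("meta").split(";")]
    mediatype = params[0] or "text/plain"
    charset, is_base64 = "US-ASCII", False
    for p in params[1:]:
        if p.lower() == "base64":
            is_base64 = True
        elif p.lower().startswith("charset="):
            charset = p.split("=", 1)[1].strip('"')
    return mediatype, charset, is_base64, m.group("payload")


def render_data_uri(uri):
    """Return the text the renderer will parse: undo base64 (or percent-
    encoding), then decode the octets with the *declared* charset.  For
    charset=UTF-7 this is the step where '+ADw-' turns back into '<'."""
    _, charset, is_base64, payload = parse_data_uri(uri)
    octets = base64.b64decode(payload) if is_base64 else unquote_to_bytes(payload)
    return octets.decode(charset, errors="replace")


def naive_blocklist(uri):
    """Match on the literal URI text, as many filters of the day did.
    Neither UTF-7 vector contains the bytes '<script', so both pass."""
    return "<script" in uri.lower()


def normalized_blocklist(uri):
    """Decode exactly as the browser will, then match on the result."""
    return "<script" in render_data_uri(uri).lower()


if __name__ == "__main__":
    for uri in (UTF7_URI, UTF7_B64_URI):
        print(render_data_uri(uri), naive_blocklist(uri), normalized_blocklist(uri))
```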

Firefox HTTPOnly Implementation In JavaScript

Tuesday, December 19th, 2006

I found a clever paper by Stefano Di Paola written back in July about how to implement HTTPOnly in JavaScript for Firefox. This is a pretty clever solution to Firefox’s aggravatingly slow adoption of Microsoft’s proprietary standard to protect cookies from theft by JavaScript.

To paraphrase, there is a function that overrides the cookie prototype in Firefox (sounds like a dangerous idea if you ask me, but there you have it). Click here to see a demonstration. This could be a better solution than Stefan Esser’s HTTPOnly Firefox extension, since very few people use that.

Gerv also mentioned the technique on his site (Gerv works for Mozilla). Cool technique in a pinch, but I’d MUCH rather see someone just fix Firefox. Yes, HTTPOnly suffers from other issues, including breaking things like WebTV (yes, there are still WebTV users out there). But I’d rather break a few very non-standard users and upgrade the entire Internet in the process (either that or whitelist their browsers in your webserver to omit the HTTPOnly flag).

Writeup on Java Decompiling Issues

Tuesday, December 19th, 2006

Luny wrote me a really good email the other day that I think deserves posting here, as it shows a lot of the issues with Java applications and how they aren’t as secure as many people think. Luny does a good job showing some of the decompiling needed to figure out where their holes are:

Hey Rsnake, it’s Luny. I’m writing you this email in regards to trying to learn a little more about website analysis and security in general. I thought about trying this on a website called anywebcam.com. The site uses Java applets to communicate with the cams and users. There’s more info below on what I’ve found.

My dissection of anywebcam.com and their broadcaster.exe software.

Tools used:

Wireshark
PEiD
W32DASM

First used http://www.youfucktard.com/tool-awcsignup.php to create a quick and easy dummy account.

Then opened the URL to awc’s main Java applet in a new browser and viewed source.

http://www.anywebcam.com/awc/servlet/dispatch?CMD=cmd.applet

applet info on page source:
[script type="text/javascript" language="javascript"]

var height = '100%';
var width = '100%';
var browser = '';
var bc = '4000';
var bcb = 'Y';
var u = 'Perv36166';
var debug = '0';
var i = '3660667';
var sp = 'N';
var op = '';
var y = '1';
var x = '0';
var d = '1';
var s = 'ayLEAfEQqQZa';
var cam = '';
var t = 'N';
var f = 'N';
var m = 'N';
var ap = 'N';
var type = 'application/x-java-applet';
var l = 'EN';
var cp = '8080';
var fi = '';
var si = '10000';
var sites = 'ANYwebcam.com 10000,Popular.com.br 10001,ANYwebcam.de 10002,Italian 10003,Dutch 10004,Français 10005,German 10006,Português 10007,Spanish 10008,Chinese 10009,Japanese 10010,Greek 10011,Danish 10012,Norweigan 10013,Swedish 10014,';
var version = 'awc40040';

[/script]
[script language="javascript" type="text/javascript" src="/awc/html/common/include/prototype/prototype-1.3.1.js"][/script]
[script language="javascript" type="text/javascript" src="/awc/html/common/include/applet.js"][/script]

((The var sites is set so that if a user tried to run the applet from any other domain than those listed, the applet would come back with an auth error. I’ve decompiled the jar archive before using Decafe and then went over the class files.))

Using Wireshark to monitor packets from the url http://www.anywebcam.com/awc/servlet/dispatch?CMD=cmd.applet we find several packets of interest:

GET /awc/html/common/include/prototype/prototype-1.3.1.js HTTP/1.0..Accept: */*..Referer: http://www.anywebcam.com/awc/servlet/dispatch?CMD=cmd.applet..Accept-Language: en-us..If-Modified-Since: Thu, 17 Nov 2005 23:57:32 GMT..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)..Host: www.anywebcam.com..Connection: Keep-Alive..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; domainid=10000; JSESSIONID=ayLEAfEQqQZaSC0ox_; __utma=185107961.63224804.1166436330.1166441978.1166473462.8; __utmb=185107961; __utmz=185107961.1166436330.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=185107961…. =

TTP/1.1 304 Not Modified..Server: Zeus/4.2..Date: Mon, 18 Dec 2006 20:25:22 GMT..Accept-Ranges: bytes..Connection: Keep-Alive..

PASS f7LA5r5etl3xoA..NICK Perv36166..USER 3660667^01 8 * :ayLEAfEQqQZa..

GET /res/camstest.gz?0.7875709682863306 HTTP/1.1..Cache-Control: no-cache..Pragma: no-cache..User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_06..Host: www.anywebcam.com..Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2..Connection: keep-alive..Content-type: application/x-www-form-urlencoded..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; domainid=10000; JSESSIONID=ayLEAfEQqQZaSC0ox_; __utma=185107961.63224804.1166436330.1166441978.1166473462.8; __utmb=185107961; __utmz=185107961.1166436330.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=185

GET /res/imlive.gz?0.6335720412131307 HTTP/1.1..Cache-Control: no-cache..Pragma: no-cache..User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_06..Host: www.anywebcam.com..Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2..Connection: keep-alive..Content-type: application/x-www-form-urlencoded..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; domainid=10000; JSESSIONID=ayLEAfEQqQZaSC0ox_; __utma=185107961.63224804.1166436330.1166441978.1166473462.8; __utmb=185107961; __utmz=185107961.1166436330.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=185107961..

NOTICE AUTH :*** Checking Ident.
(Ahh, we see it logging on to an IRC server)

HTTP/1.1 200 OK..Server: Zeus/4.2..Date: Mon, 18 Dec 2006 20:25:26 GMT..Content-Length: 9172..Accept-Ranges: bytes..Content-Type: application/octet-stream..Last-Modified: Mon, 18 Dec 2006 20:25:01 GMT..
[binary gzip body omitted; the stream carries the file channels10000.dat]

NOTICE AUTH :*** No Ident response..

hmmm..connecting to IRC?

HTTP/1.1 304 Not Modified..Date: Mon, 18 Dec 2006 20:23:35 GMT..Server: Apache/1.3.37 (Unix) PHP/4.4.4..Connection: Keep-Alive, Keep-Alive..Keep-Alive: timeout=15, max=99..ETag: "1a435b-162-445cc076"....

(Here we see the connect was successful & MOTD. They appear to be using ircd-hybrid 7.0 too)

:chat1.anywebcam.com 001 Perv36166 :Welcome to the ANYWebcam Internet Relay Chat Network Perv36166..:chat1.anywebcam.com 002 Perv36166 :Your host is chat1.anywebcam.com[208.50.46.60/8080], running version hybrid-7.0..:chat1.anywebcam.com 003 Perv36166 :This server was created Fri Apr 15 2005 at 02:07:48 EDT..:chat1.anywebcam.com 004 Perv36166 chat1.anywebcam.com hybrid-7.0 oiwszcerkfydnxbaugl biklmnopstveIha bkloveIh..:chat1.anywebcam.com 005 Perv36166 WALLCHOPS KNOCK EXCEPTS INVEX MODES=4 MAXCHANNELS=50 MAXBANS=100 MAXTARGETS=999 NICKLEN=48 TOPICLEN=120 KICKLEN=120 :are supported by this server..:chat1.anywebcam.com 005 Perv36166 CHANTYPES=#& PREFIX=(ohv)@%+ CHANMODES=eIb,k,l,imnpsta NETWORK=ANYWebcam CASEMAPPING=rfc1459 CALLERID :are supported by this server..:chat1.anywebcam.com 251 Perv36166 :There are 4259 users and 11 invisible on 2 servers..:chat1.anywebcam.com 252 Perv36166 10 :IRC Operators online..:chat1.anywebcam.com 254 Perv36166 87 :channels formed..:chat1.anywebcam.com 255 Perv36166 :I have 4262 clients and 1 servers..:chat1.anywebcam.com 265 Perv36166 :Current local users: 4262 Max: 5353..:chat1.anywebcam.com 266 Perv36166 :Current global users: 4270 Max: 5361..:chat1.anywebcam.com 250 Perv36166 :Highest connection count: 5354 (5353 clients) (781361 connections received)..:chat1.anywebcam.com 375 Perv36166 :- chat1.anywebcam.com Message of the Day - ..:chat1.anywebcam.com 372 Perv36166 :- H300 L3000 P1..:chat1.anywebcam.com 376 Perv36166 :End of /MOTD command…:NickServ!NickServ@Services.Anywebcam.com NOTICE Perv36166 :This nickname is owned by someone else..:NickServ!NickServ@Services.Anywebcam.com NOTICE Perv36166 :If this is your nickname, type /msg NickServ .IDENTIFY. [password]..

PRIVMSG NickServ :REGISTER awc..

GET /awc/servlet/user?u=3660667&a=Perv12464%2CPerv27347%2CPerv36166%2CPerv61441%2CPerv75467%2CPerv9735%2C&p=America%2FChicago_ HTTP/1.1..User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_06..Host: www.anywebcam.com..Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2..Connection: keep-alive..Content-type: application/x-www-form-urlencoded..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; domainid=10000; JSESSIONID=ayLEAfEQqQZaSC0ox_; __utma=185107961.63224804.1166436330.1166441978.1166473462.8; __utmb=185107961; __utmz=185107961.1166436330.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=185107961….

(List of connected users in the channel)

:chat1.anywebcam.com 640 Perv36166 Bethy clogz LadyJoJo satman BLOC Ravyn hoxton doggy34 AussieG synapse neaty kumkee jess Shy sassylady ..:chat1.anywebcam.com 640 Perv36166 Navman dakota1 falcon111 Gillian Ginger_n_TheSkipper isee mustangmike99 Shy sicklizzard Mykey tahoejeff supersk8t roland2 TurkishBen MMS ..:chat1.anywebcam.com 640 Perv36166 SecurityServ Anywebcam2 TriviaBot _Stuart Stuart rolandd synapse_ Jess_ Mailman157 CheesyPoof TurkishBen stuangel AnyWebCam roland ..:NickServ!NickServ@Services.Anywebcam.com NOTICE Perv36166 :Password accepted - you are now recognized..

MemoServ!MemoServ@Services.Anywebcam.com NOTICE Perv36166 :You have no new memos..

Scrolling up some we see that the irc server password is f7LA5r5etl3xoA and my nick is Perv36166

PASS f7LA5r5etl3xoA..NICK Perv36166..USER 3660667^01 8 * :ayLEAfEQqQZa..

So now, let’s try and connect to the IRC server (I’ll be using mIRC).

/server chat.anywebcam.com:6667 f7LA5r5etl3xoA

And we receive the normal MOTD that was seen in the packets, but now with:

You are banned from this server- Temporary K-line 60 min. - INVALID CLIENT (2006/12/18 16.53)
-
[15:54] Closing Link: 70.156.101.76 (Temporary K-line 60 min. - INVALID CLIENT (2006/12/18 16.53))
-
[15:54] * [10053] Software caused connection abort
-
[15:54] * Disconnected

haha oops. Well we can try and get past that invalid client error later.

Notable URLs found so far (not in any particular order):

http://www.camup.net - it seems anywebcam owns this domain as well and is trying to offer out this service.

http://www.anywebcam.com/res/channels10000.dat - This is a data file that shows all of the IRC channels created on the server.

http://www.anywebcam.com//awc/html/common/include/applet.js - URL to their Java applet. (They have a separate viewer on the site located at http://my.anywebcam.com/viewer.jar which lets people put a webcam viewer on their website to view 1 cam.)

http://www.anywebcam.com/res/imlive.gz?0.6335720412131307 - This is a compressed file with all the imlive girls and urls to them in it. Example:

DarlingDevill,4,http://imlive.com/_/247258/247258O1149644703.jpg,http://imlive.com/wmaster.asp?h=3052400010&WID=123658371255
Xallva,4,http://imlive.com/_/224641/224641O1162308865.jpg,http://imlive.com/wmaster.asp?h=2773193145&WID=123658371255
sweetynicky,4,http://linux4.globalmailer.com/vm/inbox/12i155431/inbox@155431O1121257928.jpg,http://imlive.com/wmaster.asp?h=1918795695&WID=123658371255
MISSKITTEN4u,4,http://imlive.com/_/287925/287925O1164834093.jpg,http://imlive.com/wmaster.asp?h=3554434125&WID=123658371255
xCollegegirl,4,http://imlive.com/_/167251/167251O1166427932.jpg,http://imlive.com/wmaster.asp?h=2064713595&WID=123658371255

I think I’ll move on to the broadcaster.exe. There are 3 exe files with that package, which are broadcaster.exe, PV.exe and Bac.exe. All the files were packed with asp 2.11, so using PEiD I unpacked it, then disassembled in W32DASM. I don’t know much assembly language, so the ref to text strings wasn’t very useful. I did see that they are using an SSL connection though. Here’s a little info on that:
“SSL_CIPHER_get_bits”
“SSL_CIPHER_get_name”
“SSL_CIPHER_get_version”
“SSL_connect”
“SSL_CTX_check_private_key”
“SSL_CTX_free”
“SSL_CTX_get_verify_depth”
“SSL_CTX_get_version_indy”
“SSL_CTX_load_verify_locations”
“SSL_CTX_new”
“SSL_CTX_set_cipher_list”
“SSL_CTX_set_client_CA_list”
“SSL_CTX_set_default_passwd_cb”
“SSL_CTX_set_default_passwd_cb_userdata”
“SSL_CTX_set_default_verify_paths”
“SSL_CTX_set_info_callback_indy”
“SSL_CTX_set_options_indy”
“SSL_CTX_set_session_id_context”
“SSL_CTX_set_verify”
“SSL_CTX_set_verify_depth”
“SSL_CTX_use_certificate_file”
“SSL_CTX_use_PrivateKey_file”
“SSL_free”
“SSL_get_current_cipher”
“SSL_get_error”
“SSL_get_ex_data”
“SSL_get_peer_certificate”
“SSL_get_session”
“SSL_library_init”
“SSL_load_client_CA_file”
“SSL_load_error_strings”
“SSL_new”
“SSL_peek”
“SSL_read”
“SSL_SESSION_get_id_ctx_indy”
“SSL_SESSION_get_id_indy”
“SSL_set_accept_state”
“SSL_set_connect_state”
“SSL_set_ex_data”
“SSL_set_fd”
“SSL_set_shutdown”
“SSL_shutdown”
“SSL_state_string_long”
“SSL_write”

Perhaps if a breakpoint was set on or before “SSL_CTX_check_private_key” and “SSL_CTX_load_verify_locations” maybe something would be found. I haven’t had time to bother with this though, and currently I have no working webcam *laughs*.

Anyways. Is there anything you think I may have missed or overlooked? Any more info to be found perhaps? I welcome your suggestions and comments. (Not looking for direct answers, but yet to be set on the right path.) Rsnake.

- Luny

What can I add to that? Very good writeup. I think the only thing I would have followed through with is modifying the signature of my IRC client to match whatever the server was looking for. Without more information about what that IRC client is doing and how it’s communicating, it’s difficult to know for sure if there is a hole there, but it feels like there might be.

Obviously transmission of passwords in the clear is bad, but it’s not a deal breaker. Anyway, yes, there’s lots more that could be done here, but Luny did a great job explaining some of the issues faced when dissecting a Java-based application during a web application security review.
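The one finding both the writeup and the reply single out is that credentials cross the wire in the clear: the applet’s IRC PASS command and a cookie carrying password=. As an added example (not part of Luny’s email or of this reply), here is a small detector that walks stream lines rendered the way the capture above is (CR LF shown as “..”), splits them back into protocol lines, and flags both patterns while redacting the secret in its output. The three sample lines are constructed from the dump above.

```python
import re

# Constructed sample lines, trimmed from the stream dump in the writeup above;
# the capture tool rendered each CR LF as '..'.
SAMPLE_STREAM = [
    "PASS f7LA5r5etl3xoA..NICK Perv36166..USER 3660667^01 8 * :ayLEAfEQqQZa..",
    "GET /res/camstest.gz?0.7875709682863306 HTTP/1.1..Host: www.anywebcam.com"
    "..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; "
    "JSESSIONID=ayLEAfEQqQZaSC0ox_..",
    "NOTICE AUTH :*** Checking Ident.",
]

# IRC connection registration: "PASS <password>" is the first command sent.
IRC_PASS = re.compile(r"^PASS\s+(\S+)")
# Cookie pairs whose name suggests a stored credential.
COOKIE_PASSWORD = re.compile(r"(?:^|;\s*)(password|passwd|pwd)=([^;]+)", re.I)


def split_records(line):
    """Turn one rendered stream line back into the protocol lines it held."""
    return [rec for rec in line.split("..") if rec]


def redact(secret):
    """Keep a two-character prefix so findings can be correlated, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2)


def find_cleartext_credentials(stream_lines):
    """Return (kind, redacted_value) for every credential seen in the clear."""
    findings = []
    for line in stream_lines:
        for rec in split_records(line):
            m = IRC_PASS.match(rec)
            if m:
                findings.append(("irc-pass", redact(m.group(1))))
            if rec.lower().startswith("cookie:"):
                for name, value in COOKIE_PASSWORD.findall(rec[len("cookie:"):]):
                    findings.append(("cookie-" + name.lower(), redact(value)))
    return findings


if __name__ == "__main__":
    for kind, value in find_cleartext_credentials(SAMPLE_STREAM):
        print(f"{kind}: {value}")
```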

The OSI Model is Dead To Me

Tuesday, December 19th, 2006

Hereafter I am turning my back on the OSI model. Yes, you heard me, it’s outdated crap. I was having a meaningful discussion with someone today about how you can route other things over other protocols (basically for tunneling purposes) and we got caught up on the semantics of the stupid layering of the OSI model. It’s completely outdated. As a recap, here’s how it reads:

1) Physical, 2) Data Link, 3) Network, 4) Transport, 5) Session, 6) Presentation, 7) Application. Okay, pop quiz: can you tell me where HTTP lives? Now a reasonable human being who understands the semantics of the English language would say that HTTP lives on top of transport. It’s closer to telnet than it is to SSL, for instance, but noooo… no, my friend. Wrong. Because you are wrong and some guy in the 1970s who had no concept of how HTTP works wrote a model and now you must understand and adhere to it. It is in fact layer 7. Application. Because HTTP is an application… or something.

Let’s look at some of the other madness. We have network and transport that are… uhm… both packets. We have SSL sitting in the session category, because… it can maintain state and TCP can’t… or something… And again, HTTP can’t either. So… this leaves nothing for actual presentation. If HTTP is to presentation as HTML is to _____. That’s right… HTML and Java and Flash and ActiveX and AJAX and all these wonderful things we’ve since come up with have no place in the OSI model. And if you tell me they are HTTP I’m going to punch you in the face. The data: directive is exactly why it isn’t HTTP. It is in fact not HTTP; it is in fact its own directive. And where does our friend FTP live? You guessed it… it’s presentation too. Why didn’t I notice this before? It’s not like I haven’t had to spend hours looking at it… odd.

Why is HTTP presentation layer but telnet isn’t? They are closer together than SSL is. Okay, this OSI business has got me all worked up; I’m going to stop blathering on about it. Just in case you’re wondering where we go from here, id made a good suggestion that we move to the Internet protocol suite, which correctly bundles HTTP, telnet and SSL all together as they rightfully should be. OSI is nonsense, I tell you.

Yet Another Way to Fingerprint IIS

Tuesday, December 19th, 2006

I was following up on some SEO issues the other day and the question was asked what would happen if a spider followed a link that looked like http://whatever.com?blah. My first gut reaction is that most spiders are smart enough to figure out that the slash is missing and will add it in when they make the HTTP request. Then the next obvious question was asked: what would happen if they weren’t smart enough? Hrm… well, let’s look at what happens on a masked Apache server:

$ telnet apache.whatever.com 80
Trying 123.123.123.123…
Connected to apache.whatever.com.
Escape character is '^]'.
HEAD ?blah HTTP/1.0
Host: apache.whatever.com

HTTP/1.1 200 OK
Date: Tue, 19 Dec 2006 16:56:11 GMT
Status: 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.

Now let’s try the same thing on an IIS server:

$ telnet iis.whatever.com 80
Trying 123.123.123.123…
Connected to iis.whatever.com.
Escape character is '^]'.
HEAD ?blah HTTP/1.0
Host: iis.whatever.com

HTTP/1.1 400 Bad Request
Content-Length: 34
Content-Type: text/html
Date: Tue, 19 Dec 2006 16:58:32 GMT
Connection: close

Connection closed by foreign host.

So it turns out that IIS needs that slash or it will error out with a 400 bad request. I know there are hundreds of ways to fingerprint an IIS server, but here is yet another way with a single request.

The Movie Hackers isn’t So Unrealistic Afterall

Tuesday, December 19th, 2006

[Image: Hackers the movie - The Plague]

I got this link today from Reuters discussing how a 64 year old hacker decided to write a logic bomb to crash his ex-company’s stock. Wow, has this guy been watching Hackers too much or what? Next people are going to start skateboarding in the office wearing capes! I was really surprised to read this, because a) deleting files never crashes stock, or every virus on the planet would have a high potential of destroying corporate valuations, and b) he didn’t attempt to do it publicly (and public perception is the only thing that drives stock price).

But this is interesting because it’s a common misperception amongst people that hackers could completely wipe out anything they put their minds to. In some cases that’s true, but clearly not in all cases. I think people have sort of focused on the hocus pocus aspect of computer security. I think of it a lot like a magic show. It’s amazing and wonderful until you actually see how it works. Then it’s boring and people are only amazed by the ingenuity of the trick, not by the trick itself. That’s one of the reasons I don’t share a lot of what I know with non-security folks. They are less impressed and it doesn’t actually make them hackers in the process. At best it makes them slightly savvy non-tech types. At worst it makes them feel like they can hack things and then they get caught doing stupid stuff.

Anyway, although this wasn’t web app related, I thought it was interesting enough to share for anyone who missed this in the news.

Top 10 Web Hacks of 2006

Friday, December 15th, 2006

Jeremiah Grossman put together this year’s top 10 web hacks and boy is it fun. Zeno and I had our hands in throwing our favorites into the pot, but the list turned out to be pretty similar for all of us. So although it took countless emails to get through the few discrepancies, I think we all agreed on the top 10. Here’s his list:

Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model). This was really a huge breakthrough in the web app sec space. I was dying to find a way to do server sweeps in Java to circumvent Firewalls. Jeremiah took it to that next place and holy crap did it shake things up when he did. I don’t think people are going to look at their firewall the same way again.

Internet Explorer 7 “mhtml:” Redirection Information Disclosure. If you want complete cross domain leakage for the price of using Internet Explorer this is your one stop shop. I’m really surprised this hasn’t been closed down yet. Sure there are hacks to stop it, but no one is doing them, so for all intents and purposes this hole is open and will stay that way until Microsoft issues a patch. Don’t hold your breath on that patch though. It’s been months and it’s still open.

Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning. This was something I had tried and failed to do on a number of attempts. But smarter people than I figured out ways to do it by combining tricks and by shutting down connections (never thought of that one). Very cool stuff.

Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images). I think we’ve barely scratched the surface on this one. There are many scary things that could be done here by all sorts of different people for all sorts of motives. Why wouldn’t you want to know where people had been? It’s a profiling dream!

Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3). I had a very funny conversation today with one of my readers. He basically said he’s going back to notepad. Yes, it’s that bad. And the more interesting part is that it’s getting worse by the day.

Forging HTTP request headers with Flash. I can’t tell you how many servers were affected by the Expect vulnerability but it’s in the millions and every one of them needs to be patched. This issue won’t be gone for a while yet and I think there is still a lot more to be done here.

Exponential XSS. This is the next evolution in XSS in my mind. So far we’ve stuck to horizontal XSS worms, that affect every user a little. Why not go vertical and affect every user a lot? Especially for targeted attacks this has a lot of scary potential.

Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII). I’ll be the first to admit I haven’t done nearly enough research beyond what I’ve been able to accomplish with my fuzzer. Thanks to Cheng Peng Su for opening all of our eyes to how powerful this could be for filter evasion. I just can’t wait to see what the next big issue is.

Web Worms - (AdultSpace, MySpace, Xanga). We can all say we were here when it first happened. It’s only going to get worse, folks.

Hacking RSS Feeds. Attacking rich applications that go out of the traditional boundaries of browsers is the wave of the future. As more devices and programs become web enabled you’re going to see a lot more of this stuff and a lot more newcomers in the space with mistakes of their own to make.

Can you believe all of that happened in one year? And that’s nowhere near everything. We didn’t even start talking about all the PHP stuff floating around (complete access to servers is bad - real bad) or any SQL injection stuff, etc… So love it or hate it, that’s our top 10!

Another 0-Day in MySpace

Friday, December 15th, 2006

Today eyeced found that MySpace fixed the most recent non-alpha-non-digit 0-day XSS hole in MySpace, but they did so poorly. That’s right, they haven’t fixed the hole at all. I get the feeling they really aren’t understanding the problem, because this is the third time they’ve tried to fix this and the third time they’ve left a hole there. Non-alpha-non-digit means exactly that. It doesn’t mean some characters, it means _ANY_ non-alpha-non-digit character. If MySpace bothered to look up the definition of that function I think they’d have better success in solving their problems. I guess my site isn’t dynamic enough to catch their attention. ;)

Anyway, D8 (in hex) was the character that eyeced used to bypass the newest restrictions that MySpace put in place. It’s funny because I called MySpace out on this last time: if you don’t know how to fix the problem, you should probably go figure out how it works. This is what happens when people don’t follow my advice. They created a kludge on top of a kludge, and it took only a matter of hours to find a way around it. Not that many people would know how to do this, but that’s not the point. If you are as big a target and a presence as MySpace, you absolutely must understand how browsers work.

Anyway, great job, eyeced!
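The point of “non-alpha-non-digit” is that a browser ends a tag name at the first byte that is not a letter or digit, whatever that byte is, so a filter that enumerates separators is always one byte behind. As an added example (not code from the post or from MySpace), here is the kludge-style filter beside a tokenizer that makes the same decision the browser makes; the three probes are constructed and use the space and slash separators from the cheat sheet plus the D8 byte mentioned above.

```python
import re

# A tag name is the run of alphanumerics after '<'; it ends at the first byte
# that is not one, whatever that byte is (space, '/', 0xD8, anything else).
TAG_OPEN = re.compile(rb"<([A-Za-z][A-Za-z0-9]*)(?=[^A-Za-z0-9]|$)")


def kludge_filter(html):
    """Strip '<script' followed by a separator the maintainer has heard of.
    Any separator byte missing from the tuple goes straight through."""
    for sep in (b" ", b"/", b"\t", b"\n"):
        html = re.sub(rb"(?i)<script" + re.escape(sep), b"", html)
    return html


def tag_names(html):
    """Tokenise the way a browser does and return the lower-cased tag names."""
    return [m.group(1).lower() for m in TAG_OPEN.finditer(html)]


def contains_script(html):
    """The check a filter should make: is there a tag whose name is 'script'?"""
    return b"script" in tag_names(html)


# Constructed probes: the two separators the cheat sheet lists and the
# 0xD8 byte the post says slipped past MySpace's latest blocklist.
PROBES = [
    b"<script src=x.js>",
    b"<script/src=x.js>",
    b"<script\xd8src=x.js>",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(probe, b"<script" in kludge_filter(probe), contains_script(probe))
```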

CSRF with Word Part II

Friday, December 15th, 2006

Okay, I didn’t write part I, and really didn’t even know about it until today, although I invented something like it months and months ago. But the first person to talk about CSRF within Word was Michael Daw. Very interesting concept. In the context where I was using a similar technique, I was using it primarily as a web bug. Michael Daw’s technique is good, but I like mine better, because while it’s probably just as noisy, it leaves no visible cues to the victim.

Michael includes a remote image (I’ve had mixed luck trying this myself). My failures in trying nearly the exact same thing were fixed when I came up with another way to inject embedded files into Word. Those files were actually CSS elements that Word will happily go and fetch for you. Click here to get the scoop on how to inject CSS files into Word. Using this same technique you can easily turn this into a complex platform for doing many CSRFs through a single Word file. See what happens when no one tells me about these things? Sheesh! Nice work Michael, I just wish I had seen it when it came out!