web application security lab

Archive for the 'General News' Category

Back From RSACon

Thursday, February 8th, 2007

It was a whirlwind trip, but I just returned from RSACon. It was a fun trip and I had a lot of meetings while I was there. I had very little time to stop and relax, but there’s no rest for the wicked, or so they say. Anyway, here’s an ultra abbreviated version of the highlights (there will be more posts to follow, this is just a summary for those who couldn’t make it).

Before I even took off, I got a call from a friend of mine who did a search in Google for “RSACon” to get some more information. It turns out that I am ranked number 1 and number 2 for “RSACon” on the search results (randomly). So before I even took off he knew I was coming into town even though I hadn’t told him. How weird!

I landed and within 30 seconds I got a page from Arian Evans asking if I was in town. What, am I wearing an RFID tag?

I meet up with id and we roll down to the XYZ for a late night meeting with some high powered infosec guys and then called it a night around 1:30. I slept on his floor, trying to ignore the jet engine sound of his walk-in-closet/data center - it was not glamorous.

I woke up early and went to a Dark Reading meeting. Met with some good folks, had a technical round table discussion and bailed to go to the con. I’ll probably have to post about what we talked about in the not too distant future.

I arrived to find they didn’t start until 11 - giving me a few hours to kill. I met up with Billy Hoffman. Later I met up with Jeremiah Grossman and we had a quick chat with Jeff Moss (DarkTangent) about some future talks that Jeremiah and I are thinking of doing - we’ll see.

The con itself started and I hit the floor hard, seeing as much as I could in an hour or so. I’ll probably write something up about some of the scanner stuff I was looking at. There’s a lot of good and a lot of bad in what I saw. This one deserves another post. For the most part the theme this year was scanning, blocking and identity theft. There were a lot more web application security companies this year than last year though. No one really knew who I was (I wasn’t traveling under the RSnake moniker) so I got the raw skinny on a lot of technology. People try to sell me too much when they know who I am.

So then it was about that time to go to the WASC meetup. Wow. Talk about a turnout - it was at least 30 people (compared to the 11 that showed the year before). A shout out to the Danes (Tate and Soren) that showed - I wish I could have chatted with you guys a little more. They were the first ones to come up to us and say, “Okay, which one of you is RSnake?” ;)

Zeno showed, Arian showed, Billy Hoffman, Michael Sutton, Anurag Argawal showed, some ex co-workers, etc… It was quite a powerhouse! Here’s where the apologies begin:

  • MicroSoft - Where to begin?
  • A friend of mine, Erik shows up to the WASC meet-up who I hadn’t seen in years. He and I chit-chat and he has been to my site. Oh, he works for Adobe now and he didn’t tell me. Yah, sorry about that.
  • Daniel Veditz shows up from Mozilla to talk to me. Oooh… yah, sorry about that.

So yah, I don’t think I’ve ever apologized so much in one 24 hour period. I had a really interesting conversation with Billy Hoffman that I’ll have to write about (it’s way too long to include here) about another unique way to detect CSRF.

At some point I got accosted by someone who works for an ubercorp who was giving me the third degree on me setting up my own company. Too much competition, tough to get in, what do I bring to the table? “I run this site called ach ay dot cee kay ee are ess dot org” “No, I don’t think I’ve heard of it.” “ha.ckers.org?” “Oh! Yes! Are you RSnake?” ;)

Later we packed it up and left to go back to the convention. I ran into someone who outed Jeremiah almost immediately but didn’t know who I was until Jeremiah said “If you know who I am you know who he is.” At which point he said, “Are you RSnake?” ;)

What a day. Anyway, it was a rip roaring good time, lots of tech, lots of talk, and I promise to go into depth on more of the tech stuff as I know that will interest more people. Plus there are some photos floating around, I’ll have to see if I can get my hands on some of them and throw them up in the pics section.

Flash 8.0 Fixes Certain Header Spoofing Issues

Saturday, February 3rd, 2007

So I finally broke down and bought Flash 8.0, and I noticed that a number of issues that had previously allowed for header spoofing are now fixed. Namely, if you have a header that already exists (like Host: or Referer:) you can no longer overwrite it. That has huge impacts for referer spoofing as well as for anti-DNS pinning attacks.

You can still write headers that don’t exist, force POST requests, and other fun stuff (I’m still in the early stages of looking at the binary socket support). But I think the folks at Adobe probably saw how big an issue their software was creating and they reacted by closing down several of the issues. I’m not sure if there is logic about when you can and can’t overwrite the fields, but so far I haven’t had any luck in overwriting anything that exists. Adobe made a smart move by keeping these fields off limits.

XSS Book

Sunday, January 28th, 2007

I was wondering how long it would take for someone to make the suggestion, and a few days ago it finally happened - someone made the suggestion that I write a book on XSS. The idea would be to write a book that anyone could pick up and use as a reference to understand and combat XSS attacks. Whelp, as it turns out, I’ve been doing just that for months now. Yup, the people on the forum outed us.

Several months ago Syngress Publishing asked a few people to help contribute to a book on XSS. The contributing authors are Jeremiah Grossman, Anton Rager, Seth Fogie and yours truly. We are still several months away from completing the book, but we are well on our way. Sorry I didn’t tell you all earlier, but I was just finally allowed to start talking about it.

I’ll let you all know as the date gets closer. But if I’m not super quick on the posts and answering email, that’s part of what’s going on - too many irons in the fire these days!

Mythbusters Strikes!

Tuesday, January 16th, 2007

I got this email from a client today and I burst out laughing. When Mythbusters is teaching you about access controls you know you need help:

So probably best to not install a world facing thumb scanner after a TV show about how simple it is to defeat. I was watching TV and as it would turn out you can just take a fingerprint lift off the face of the scanner, which more often than not would be a valid user. Then you can scan that into a computer, print it, lick it, put it on your finger and you’re in. It is in too noticeable a place and I know that is something I would want to test out if I saw it. I actually kinda do. I am shocked that I didn’t know you could do that. Better safe than sorry; we wouldn’t want the data center to become a club house for some dungeons and dragons gang.

The origin of this attack is the gummi bear attack, which was proven to work in certain scenarios. A scanner and some paper is far easier. Why not?

RSACon and WASC Meetup

Thursday, January 11th, 2007

Whelp, it’s that time of year again. Time for vendors to show us what they are made of, and for us to punch holes in everything they worked on all year. No, but seriously, I try to make it a point to get to every RSACon I can. Vendors have a lot of interesting things to say, even if I tend to find lots of issues. Also the people walking the floor incognito tend to be pretty interesting security folk. Not to mention the real reason I want to go, which is the WASC (web application security consortium) meetup:

Place: Jillian’s (Walking distance from the conference) 101 4th Street, Suite 170 San Francisco, CA 94103 Phone: 415.369.6100. Time: Wed, Feb. 7 @ 12:30pm. I’m actually only going for one day (that day) just for the meet and greet. Yup, it’s worth it.

If you’ve never gone to a WASC meetup think of it as the Web application luncheon meet and greet. Unlike the OWASP meetings there’s not a lot of tech-talk, but usually 20 or so good people and you get to meet the people behind the names face to face. If you happen to be at RSACon on Wednesday, check it out. Let Jeremiah know if you plan on making it, so he can make the right sized reservations. If you can’t, don’t worry, I’ll probably blog about it when I get back.

The OSI Model is Dead To Me

Tuesday, December 19th, 2006

Hereafter I am turning my back on the OSI model. Yes, you heard me, it’s outdated crap. I was having a meaningful discussion with someone today about how you can route other things over other protocols (basically for tunneling purposes) and we got caught up on the semantics of the stupid layering of the OSI model. It’s completely outdated. As a recap, here’s how it reads:

1) Physical, 2) Data Link, 3) Network, 4) Transport, 5) Session, 6) Presentation, 7) Application. Okay, pop quiz, can you tell me where HTTP lives? Now a reasonable human being understanding the semantics of the English language would say that HTTP lives on top of transport. It’s closer to telnet than it is to SSL, for instance, but noooo… no, my friend. Wrong. Because you are wrong and some guy in the 70’s who has no concept of how HTTP works wrote a model and now you must understand and adhere to it. It is in fact layer 7. Application. Because HTTP is an application…. or something.

Let’s look at some of the other madness. We have network and transport that are… uhm… both packets. We have SSL sitting in the session category, because… it can maintain state and TCP can’t… or something… And again, HTTP can’t either. So… this leaves nothing for actual presentation. If HTTP is to presentation as HTML is to _____ That’s right… HTML and Java and Flash and ActiveX and AJAX and all these wonderful things we’ve since come up with have no place in the OSI model. And if you tell me they are HTTP I’m going to punch you in the face. The data: directive is exactly why it isn’t HTTP. It is in fact not HTTP, it is in fact it’s own directive. And where does our friend FTP live? You guessed it… it’s presentation too. Why didn’t I notice this before? It’s not like I haven’t had to spend hours looking at it… odd.

Why is HTTP presentation layer but telnet isn’t? They are closer together than SSL is. Okay, this OSI business has got me all worked up, I’m going to stop blathering on about it. Just in case you’re wondering where we go from here id made a good suggestion that we move to the internet protocol suite which correctly bundles HTTP, telnet and SSL all together as they rightfully should be. OSI is nonsense I tell you.

Top 10 Web Hacks of 2006

Friday, December 15th, 2006

Jeremiah Grossman put together this year’s top 10 web hacks and boy is it fun. Zeno and I had our hands in throwing our favorites into the pot, but the list turned out to be pretty similar for all of us. So although it took countless emails to get through the few discrepancies, I think we all agreed on the top 10. Here’s his list:

Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model). This was really a huge breakthrough in the web app sec space. I was dying to find a way to do server sweeps in Java to circumvent Firewalls. Jeremiah took it to that next place and holy crap did it shake things up when he did. I don’t think people are going to look at their firewall the same way again.

Internet Explorer 7 “mhtml:” Redirection Information Disclosure. If you want complete cross domain leakage for the price of using Internet Explorer this is your one stop shop. I’m really surprised this hasn’t been closed down yet. Sure there are hacks to stop it, but no one is doing them, so for all intents and purposes this hole is open and will stay that way until Microsoft issues a patch. Don’t hold your breath on that patch though. It’s been months and it’s still open.

Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning. This was something I had tried and failed to do on a number of attempts. But smarter people than I figured out ways to do it by combining tricks and by shutting down connections (never thought of that one). Very cool stuff.

Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images). I think we’ve barely scratched the surface on this one. There are many scary things that could be done here by all sorts of different people for all sorts of motives. Why wouldn’t you want to know where people had been? It’s a profiling dream!

Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3). I had a very funny conversation today with one of my readers. He basically said he’s going back to notepad. Yes, it’s that bad. And the more interesting part is - it’s getting worse by the day.

Forging HTTP request headers with Flash. I can’t tell you how many servers were affected by the Expect vulnerability but it’s in the millions and every one of them needs to be patched. This issue won’t be gone for a while yet and I think there is still a lot more to be done here.
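To make concrete what “forging request headers” buys an attacker, here is an added example that is not Apache’s code and not the post’s: a server that copies an unrecognised Expect header into its 417 error page, the escaped version that fixes it, and a probe that tells the two apart. It also ties back to the Flash 8.0 post above: the forged-request model only lets a movie add headers the player does not already send, which is exactly why a normally absent header like Expect is the one that matters. The host names, the marker, the page text and the model of which headers the player owns are constructed for illustration.

```python
import html
import secrets


def expect_error_page(request_headers, escape):
    """417 Expectation Failed body that echoes the client's Expect header.

    Constructed to mimic the bug class behind the Apache Expect issue: a
    request header the server does not understand is copied into an HTML
    error page. escape=False copies it verbatim (the bug); escape=True
    HTML-escapes it (the fix). This is not Apache's code.
    """
    expect = request_headers.get("Expect", "")
    shown = html.escape(expect, quote=True) if escape else expect
    return (
        "<html><head><title>417 Expectation Failed</title></head><body>"
        "<h1>Expectation Failed</h1><p>The expectation given in the Expect "
        "request-header field could not be met by this server.</p>"
        f"<pre>Expect: {shown}</pre></body></html>"
    )


# Headers the Flash 8 player sets itself and, per the post, no longer lets
# a movie overwrite (assumed set: the post names Host and Referer).
PLAYER_OWNED = {"Host", "Referer"}


def flash_forged_request(target_host, swf_url, extra_headers):
    """Request headers a cross-domain Flash 8 movie ends up sending (model).

    The player fills in Host and Referer; the movie's attempts to set those
    are dropped, while any header the player does not send (Expect is one)
    is added as given.
    """
    headers = {"Host": target_host, "Referer": swf_url}
    for name, value in extra_headers.items():
        if name in PLAYER_OWNED:
            continue  # player keeps its own value
        headers[name] = value
    return headers


def reflects_unescaped(render, header_name="Expect"):
    """Probe a page renderer for raw reflection of one request header.

    A unique tag is sent as the header value; if it comes back intact the
    value reaches the HTML unescaped and is injectable.
    """
    marker = "<x" + secrets.token_hex(4) + ">"
    return marker in render({header_name: marker})


def demo():
    payload = "<script>alert(document.cookie)</script>"
    req = flash_forged_request(
        "victim.example",
        "http://attacker.example/evil.swf",
        {"Expect": payload, "Referer": "http://victim.example/"},
    )
    return {
        "referer_kept": req["Referer"] == "http://attacker.example/evil.swf",
        "vulnerable_reflects": payload in expect_error_page(req, escape=False),
        "fixed_reflects": payload in expect_error_page(req, escape=True),
    }


if __name__ == "__main__":
    print(demo())
```

The probe is the part worth keeping: point it at any renderer (or wrap a real HTTP client in the `render` callable) and it answers the only question that matters for this bug class, whether a header you can set from a client reaches the page body unescaped.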

Exponential XSS. This is the next evolution in XSS in my mind. So far we’ve stuck to horizontal XSS worms, that affect every user a little. Why not go vertical and affect every user a lot? Especially for targeted attacks this has a lot of scary potential.

Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII). I’ll be the first to admit I haven’t done nearly enough research beyond what I’ve been able to accomplish with my fuzzer. Thanks to Cheng Peng Su for opening all of our eyes to how powerful this could be for filter evasion. I just can’t wait to see what the next big issue is.
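Here is what the UTF-7 and variable-width tricks look like in practice. This is an added example, not code from the post or from Cheng Peng Su’s research; the filter, the sample inputs and the choice of GBK lead byte are constructed for illustration. It shows the general mechanism rather than one payload: an output filter that escapes literal angle brackets and quotes is blind to input that contains neither, and a browser left to guess the charset (UTF-7) or a multibyte decoder (GBK) reconstructs the dangerous characters after the filter has already run.

```python
import base64
import html


def utf7_shift(text):
    """Return text as one UTF-7 shifted sequence: '+' base64(UTF-16BE) '-'.

    Built by hand instead of str.encode('utf-7') because Python's encoder
    leaves '<' and '>' unshifted; the attacker wants the shifted form
    precisely because it contains no literal angle bracket.
    """
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"


def utf7_script_payload(js):
    """'<script>js</script>' with every angle bracket in shifted form."""
    lt, gt = utf7_shift("<"), utf7_shift(">")   # '+ADw-' and '+AD4-'
    return f"{lt}script{gt}{js}{lt}/script{gt}"


def naive_filter(user_input):
    """Output filter that neutralises only literal <, >, & and quotes."""
    return html.escape(user_input, quote=True)


def browser_sniffed_utf7(page):
    """What a browser that guessed UTF-7 (no charset declared) renders."""
    return page.encode("ascii").decode("utf-7")


def utf7_bypass():
    payload = utf7_script_payload("alert(1)")
    filtered = naive_filter(payload)           # nothing to escape: unchanged
    rendered = browser_sniffed_utf7(filtered)  # angle brackets reappear
    return {"payload": payload, "filtered": filtered, "rendered": rendered}


def variable_width_bypass():
    """Backslash-escaping filter beaten by a trailing multibyte lead byte.

    The filter turns '"' into '\\"'. If the page is served as GBK and the
    input ends with a lone lead byte (0xBF, constructed), the GBK decoder
    pairs that lead byte with the injected backslash (0x5C) as a single
    two-byte character, and the quote that follows is live again.
    """
    def escape_quotes(data):
        return data.replace(b'"', b'\\"')

    attacker = b'\xbf"'                  # lone lead byte, then the quote
    escaped = escape_quotes(attacker)    # b'\xbf\\"'
    decoded = escaped.decode("gbk", errors="replace")
    return {"escaped": escaped, "decoded": decoded,
            "quote_live": decoded.endswith('"') and "\\" not in decoded}


def hardened_filter(raw, charset="utf-8"):
    """Decode with the charset you will declare in Content-Type, then escape.

    Escaping on code points means no lead byte can swallow an escape, and
    declaring the charset on the response stops the browser sniffing UTF-7.
    """
    text = raw.decode(charset, errors="replace")
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print(utf7_bypass())
    print(variable_width_bypass())
```

The two fixes are the same fix seen from two sides: decide the charset yourself, declare it on every response, and escape after decoding into code points, never on raw bytes.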

Web Worms - (AdultSpace, MySpace, Xanga). We can all say we were here when it first happened. It’s only going to get worse, folks.

Hacking RSS Feeds. Attacking rich applications that go out of the traditional boundaries of browsers is the wave of the future. As more devices and programs become web enabled you’re going to see a lot more of this stuff and a lot more newcomers in the space with mistakes of their own to make.

Can you believe all of that happened in one year? And that’s nowhere near everything. We didn’t even start talking about all the PHP stuff floating around (complete access to servers is bad - real bad) or any SQL injection stuff, etc… So love it or hate it, that’s our top 10!

Programmatic Password Theft Is Back

Wednesday, November 22nd, 2006

The title of this post was going to be “we weren’t slashdotted again” but I thought that was just a little too sarcastic. Yesterday Slashdot ran an article on password theft via XSS. If this looks familiar it’s because it is. We have been talking about this for a few months here and here. I’m not bitter, but the information on slashdot is incorrect. The first example of this was actually built in a lab environment nearly two years ago and we’ve been talking about this since August. But who’s counting?

That’s the annoying news. The good news is that apparently Firefox has now decided it’s a problem (I guess it isn’t a problem when I say it but it is when Myspace gets attacked with it… go figure). The real problem here is that this isn’t a Firefox only issue. This is indicative of many types of password/form managers, and not just a single browser. So while they can protect their customers from this issue they can’t protect their customers from other third party tools that do the same.

So yes, old news, but new that Firefox has filed a bug on it. I wish I had better news, but I don’t think id would like it too much if we got slashdotted again. We’ve had enough server woes over the last few weeks, we don’t need any more. :)

Yay for Death Threats

Thursday, November 16th, 2006

I guess there is a first time for everything. We have gotten our first legitimate death threat by way of blog comments. Last night at Wed, 15 Nov 2006 20:54:51 -0800 (PST) we got many threatening posts. Don’t worry, I’m not running for the hills, but I thought you should all know about it, as I do try to be full-disclosure about events like this. Here is a choice snippet for your enjoyment:

IP: 211.144.105.161
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
…non threatening babble snipped…
IM GONNA SET FIRE TO UR FUCKING HOUSE AND DANCE ON UR FUCKING CORPSE!!! ( IM NOT A MENTAL PATIENT!!)

If I had a house I might be more worried, I guess, but if I’m dead why would I care if someone was dancing on me? Clearly he is not a mental patient as he says, although perhaps that should change as a result of this post. No, but seriously, at first I thought it was a joke, a la fthe.net: “No death threats or poetry please. Just Kidding. No Poetry please.” But after looking at his traffic and seeing the huge volley of posts talking about what I should suck and where I should shove things, I kinda doubt it. Not that I think he would actually come after me and dance on my corpse, but I still don’t take things like this lightly.

This is a user who has been on the site off and on for quite some time, so it is not in regard to any of the near recent past events, and in fact found me through a link talking about the imagecrash script. So I’m not exactly sure what the impetus was other than perhaps there is some clue in the post he looked at immediately before going crazy - the click fraud post. I can’t really see why click fraud would burn this user up, but there you have it.

Look, whatever the reason is, I’m not online to make enemies. I don’t care about harming companies, or about posturing in general. I’m really just interested in security as a whole. That doesn’t make me malicious. In fact, if anything I am one of the most level-headed business oriented people you’ll ever meet. I’m a consumer advocate and a business advocate almost to a fault. The lab was built for me to test serious flaws that were affecting the company I worked for at the time. Why? Because I was trying to protect all of you. Yes, nearly every single one of you was being protected by me and the team I was on. That’s not a joke, and sooner or later it’ll come out about what I used to do.

My point being, I’m not sitting in a basement thinking of ways to destroy security companies or huge businesses. I’m very much a normal guy, who just has a passion for finding issues that would affect me or my family or good people like you all. I really love the Internet but it’s getting to be a scary place. I don’t feel safe on it (and it’s not just because of the death threat). By shutting people like us up all that will happen is that you end up with a more insecure Internet where only people in the shadows have any clue what’s going on.

I started the web application security lab because there was a huge void in the security space. There were a few good organizations like WASC and OWASP out there. Zeno had CGI Security but even he’ll admit that he wasn’t as free to talk about what he was working on as he would have liked. Frankly very few people were discussing web application security publicly while I was living the business end of it every day. I was dealing with all these issues for real, not as a game and I certainly wasn’t involved in the academics of security theory - at least not while I was on the clock. I had to protect millions of users while making half of it up as I went along, because there were no good resources out there for people like me.

Things have evolved in an odd way and I am sure some people think I am super malicious and out to destroy all that is good and holy. That could not be further from the truth. I have zero interest in vulnerabilities in particular companies. Yes, I like some companies better than others, but I don’t care about the issues in them. I’m a privacy advocate, but that doesn’t mean I live in shadows. I like for people to know what I’m thinking. Even if I’m dead wrong (and I have been wrong before) at least there is an avenue to discuss it, unlike two or three years ago when all we had was the webappsec mailing list, which had perhaps two or three posts a day on it if that. That’s just not enough for how serious an issue web application security actually is.

So I’m speaking both to our friend at the Chinese IP address as well as to any other people who think I am a self-serving anarchist. I’m here protecting you. I’m a) keeping you people with jobs b) giving you an opportunity to see the issues before the bad guys use them against you and c) I’m attempting to find ways to fix those same holes. There are only a handful of people out there doing this sort of research and being public about it. Frankly, the more we do the closer we’ll get to figuring out the issues.

I’ve been out of the security industry for almost a year now but I think it’s about time to come back. This time on my own terms.

Long Weekend Roundup

Sunday, November 12th, 2006

It was a long weekend and sorry for not posting, but id and I were able to get a lot done this weekend. We got 1 1/2 of the machines up and running out of the three that I had hoped to get running. One machine is having some issues but at least it’s turned on where it was pretty much non-functional as of yesterday. One of my stupid laptops needs to be sold at auction so that I can get another one (that’s the last time I buy a cheap Dell laptop). Anyway, the lab is doing quite a bit better than it was before. Once we get all the software up and running we should see better performance, and less downtime in general.

Speaking of downtime we experienced about 45 minutes of downtime on Saturday morning. A few people posted about it on the forum or emailed us about it so I thought I should mention it. No we weren’t hacked, it was just a runaway process that wasn’t behaving nicely and on top of that it wasn’t giving off any of the obvious signals to help us diagnose the issue. id came to the rescue and we got that one resolved in just a few minutes. From the time I noticed until the time it was back up was only about 15 minutes, cuz he rocks. Hopefully with the new server we’ll notice issues like this faster with some monitoring that I’ve been meaning to build. I’ve built that kind of software before, but those machines and that code is long gone, so I need to do it from scratch.

In web app sec news, we were able to ban in excess of 700 IPs programmatically from attempting to do bad things to the site. The firewall is being updated in somewhat-real-time of things I find particularly annoying. Sort of a self defending network (not to get myself sued). It’s not that they have any hope of getting in, but I hate seeing that crap in my logs. It’s an ongoing process so the site should experience less load from the morons and as a result you might see a small increase in page load time until our traffic load grows again to compensate for any good we may have done to reduce it.
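For the “programmatically” part, here is the shape of the job: parse access log lines, score each source IP on scanner-only paths and 404 floods, skip anything on an allow-list so you never ban yourself or your own monitoring, and emit firewall rules into a dedicated chain you can flush wholesale. This is an added example, not the lab’s own script; the log lines, thresholds, path patterns, allow-listed networks and the AUTOBAN chain name are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined log format as written by Apache/nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths nobody asks for on this site except a scanner (constructed list).
SCANNER_PATH_RE = re.compile(
    r"(?i)(phpmyadmin|/etc/passwd|cmd\.exe|\.\./|%2e%2e|xmlrpc\.php|wp-login\.php)"
)

# Never ban these: own networks, monitoring, admins (constructed).
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed sample log: one scanner, one ordinary visitor with a single
# mistyped request, and one internal host that trips the rules but is allow-listed.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Nov/2006:09:13:02 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/Nov/2006:09:13:03 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/Nov/2006:09:13:04 -0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/Nov/2006:09:13:05 -0800] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [11/Nov/2006:09:14:10 -0800] "GET /blog/ HTTP/1.1" 200 5120 "http://ha.ckers.org/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20061025 Firefox/1.5.0.8"
203.0.113.9 - - [11/Nov/2006:09:14:12 -0800] "GET /blog/wp-login.php HTTP/1.1" 404 209 "http://ha.ckers.org/blog/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20061025 Firefox/1.5.0.8"
10.0.0.5 - - [11/Nov/2006:09:15:00 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "nagios-plugins/1.4"
10.0.0.5 - - [11/Nov/2006:09:15:01 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "nagios-plugins/1.4"
10.0.0.5 - - [11/Nov/2006:09:15:02 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "nagios-plugins/1.4"
"""


def is_allow_listed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOW_LIST)


def score_log(lines):
    """Return (scanner_hits, not_found) counters keyed by client IP."""
    scanner_hits, not_found = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: never ban on a guess
        ip, path, status = m["ip"], m["path"], m["status"]
        if SCANNER_PATH_RE.search(path):
            scanner_hits[ip] += 1
        if status == "404":
            not_found[ip] += 1
    return scanner_hits, not_found


def find_abusers(lines, min_scanner_hits=3, min_404=20):
    """IPs that crossed either threshold and are not allow-listed."""
    scanner_hits, not_found = score_log(lines)
    candidates = {ip for ip, n in scanner_hits.items() if n >= min_scanner_hits}
    candidates |= {ip for ip, n in not_found.items() if n >= min_404}
    return sorted(ip for ip in candidates if not is_allow_listed(ip))


def iptables_rules(ips, chain="AUTOBAN"):
    """One DROP rule per IP in its own chain, so bans can be flushed wholesale."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(find_abusers(SAMPLE_LOG.splitlines())):
        print(rule)
```

Two caveats a practitioner would add before running this from cron: the thresholds are per log window, so tail a bounded slice rather than the whole file, and keep the allow-list in front of every ban decision, because a single mistyped URL from a real visitor (the 203.0.113.9 line above) must not cost you a reader.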

Lastly, id found a rather annoying and very reproducible bug in my Netgear WGT624 wireless router, which caused it to stop routing packets every time he did it. I’ve seen it do this sort of thing in the past but could never consistently reproduce it. I’d tell you how to do it, but it wouldn’t help you because we could only reproduce it over SSH (requiring his keys and the exact server in question to be communicating with one another), and we didn’t have enough time to dump the packets and see what was causing it. Needless to say there definitely is some sort of error on those wireless routers and maybe the next time he’s over we’ll try to figure out exactly what it is. Until then I’ll just put up with it crashing on me every once in a while - as annoying as I find that.

So anyway, it was a productive weekend even if I don’t have a lot to say about it. Hopefully in the next few days or so after we get the bugs ironed out of the servers I can get back to the testing.