Archive for category Web Security
Cross-site scripting on YouTube
Posted by Mourad Ben Lakhoua in News, Vulnerabilities, Vulnerabilities & attacks, Web Security on July 4, 2010
XSS vulnerability in YouTube comments processing allows an attacker to execute arbitrary scripts in the security context.
Go on youtube. Choose any video. Add the following script:
<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>
Update (1): It is better to stay away from YouTube until they fix the vulnerability or at least logging out of YouTube if you use it.
Update (2): Google has informed that the vulnerability has now been fixed:
We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.
you can find the statement here.
make sure you subscribe to my RSS feed!
Mozilla Fixes 9 vulnerabilities & adds a Crash Protection to Firefox
Posted by Mourad Ben Lakhoua in Vulnerabilities, Vulnerabilities & attacks, Web Security on June 24, 2010
A new release has been issued by Mozilla. Firefox 3.6.4 is the first open source web browser that integrates the plugins functionality in the main process of the navigator. This release comes to decrease the number of Firefox crashes.
As usual you can find two versions for both Linux and Windows operating systems.
Mike Beltzner wrote on the company’s blog that during beta testing the new feature has significantly reduced the number of freezing that users face while watching online videos or playing online games. At the same time this new release supports a functionality to protect users against plugin failures such as Adobe Flash, Apple Quicktime and Microsoft Silverlight.
All these functionalities comes with fixing 9 vulnerabilities, six are critical and allows and attacker to compromise the system and run a malicious software on the machine.
It is time to upgrade your browser and check if you have any update missed.
make sure you subscribe to my RSS feed!
Detecting & Bypassing Web Application Firewalls (part 2)
Posted by Mourad Ben Lakhoua in Vulnerabilities, Vulnerabilities & attacks, Web Security on May 30, 2010
There is no single ideal system in the world, and this applies to Web application firewalls too (WAF’s).
While the advantages and positive features far outweigh the negative in WAF’s, one major problem is there are only a few action rules allowed. The white list is expanding, and requires more development efforts because it is very important to clearly establish allowed parameters.
The second major problem is that sometimes WAF vendors fail to update their signature definitions, or do not develop the required security rule on time, and this can put the web server at risk of attacks.
The first vulnerability is (http://www.security-database.com/detail.php?alert=CVE-2009-1593), which allows the inserting extra characters in the JavaScript close tag to bypass the XSS protection mechanisms. An example is shown below: http://testcases/phptest/xss.php?var=%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3
Another example (http://www.security-database.com/detail.php?alert=CVE-2009-1594) also allows remote attackers to bypass certain protection mechanisms via a %0A (encoded newline), as demonstrated by a %0A in a cross-site scripting (XSS) attack URL.
HTTP Parameter Pollution (HPP)
HPP was first developed by two Italian network experts, Luca Carettoni and Stefano diPaola. HPP provides an attacker the ability to submit new HTTP-parameters (POST, GET) with multiple input parameters (query string, post data, cookies, etc.) with same name.
The application may react in unexpected ways and open up new avenues of server-side and client-side exploitation. The most outstanding example is a vulnerability in IIS + ModSecurity which allows SQL-injection based attacks on two features:
1. IIS HTTP parameters submit the same name. for Example:
POST /index.aspx?a=1&a=2 HTTP/1.0
Host: www.example.com
Cookie: a=5;a=6
Content-type: text/plain
Content-Length: 7
Connection: close
a=3&a=4
If such a request to IIS/ASP.NET setting a (Request.Params["a"]) is equal to 1,2,3,4,5,6.
2. ModSecurity analyzes the request after that it has been already processed by webserver. And reject it: http://testcases/index.aspx?id=1+UNION+SELECT+username,password+FROM+users
However the query submitted:
POST /index.aspx?a=-1%20union/*&a=*/select/* HTTP/1.0
Host: www.example.com
Cookie: a=*/from/*;a=*/users
Content?Length: 21
a=*/name&a=password/*
The database as a result will do the correct query:
SELECT b, c FROM t WHERE a =- 1 /*,*/ UNION /*,*/ SELECT /*,*/ username, password /*,*/ FROM /*,*/ users
XSS
Cross Site Scripting (XSS) is probably the best method for exploiting the Web application firewall (WAF). This is due to JavaScript’s flexibility. At the BlackHat conference, there were a large number of methods to trick filters. For example:
object data=”javascript:alert(0)”
isindex action=javascript:alert(1) type=image
img src=x:alert(alt) onerror=eval(src) alt=0
x:script xmlns:x=”http://www.w3.org/1999/xhtml” alert (‘xss’); x: script
More XSS information can be found on the following links:
– http://ha.ckers.org/xss.html
– http://sla.ckers.org/forum/list.php?24
– http://maliciousmarkup.blogspot.com/
New developments in Web Application Firewalls is forthcoming. However, sometimes it seems that everything has already been discovered, and that it makes no sense to search for something new, but there is always room for new research.
It is very important to look at all details of the WAF to ensure you have a clear vision of your security assets.
make sure you subscribe to my RSS feed!
Detecting & Bypassing Web Application Firewalls (part 1)
Posted by Mourad Ben Lakhoua in Vulnerabilities, Vulnerabilities & attacks, Web Security on May 23, 2010
When we hear the term firewall, most people think of the network filtering solution. But have you heard about the web application firewall (WAF)?
Web applications have some serious vulnerabilities, and WAF provides a very important extra protection layer to the web solution. Hackers can find access points through errors in code, and we find that having a WAF in front of our web application is very important for security.
WAF acts as a special mechanism governing the interaction between the server and client while processing the HTTP-packets. It also provides a way to monitor the data as it is received from the outside. The solution is based on a set of rules that exposes if there is an attack targeting the server. Usually, the web application firewall aims to protect large websites like banks, online retailers, social networks, large companies… But now anyone can use it now that we have some open-source solutions available.
WAF can be implemented in two ways, via hardware or software, and in three forms:
1. Implemented as a reverse proxy server.
2. Implemented in routing mode / bridge.
3. Integrated in the Web application.
The first form can be as mod_security , Barracuda , nevisProxy . These types of WAF Automatically block or redirect the request to the web server without any changes or editing data.
The second category consists mainly of hardware WAF. For example, Impreva SecureSphere (impervaguard.com). These solutions require additional configuration on the internal network, but eventually the option gains in productivity.
And finally, the third type implies the existence in the Web application like integrating the WAF in the CMS.
WAF rules contain a Blacklist (compared with a list of unacceptable actions) and Whitelist (accepted and permitted actions), for example we can find in the black list strings like: «UNION SELECT», «< script>», «/ etc / passwd» while whitelist rules may contain a number parameters value (from0 to 65535).
We will now look at how pentesting can detect the WAF server, and more importantly how to bypass it.
Each firewall has a special method in responding that helps in identifying the type of WAF implemented (fingerprint) for example:
• HTTP-response cookies parameters.
• Modifying HTTP-headers to mask the server
• The way of responding to a special data and queries
• The way in closing connection under not authorized actions.
For example, when we launch an attack on mod_security we get 501 error code; WebKnight – the code 999; Barracuda on cookie-parameter barra_counter_session.
This can certainly help in identifying the WAF, and there are some scanners that can automate the operation so you will be able to get the information like w3af a framework plug-in WAF_fingerprint and wafw00f. These tools are important for the pentesting operation.
Next part will be looking at different technics to bypass web application firewall and exploit most popular vulnerabilities.
make sure you subscribe to my RSS feed!
Google to Encrypt Search Engine to protect Wi-Fi users
Posted by Mourad Ben Lakhoua in News, Web Security on May 17, 2010
Google intends to offer this week encryption to their search engine services; this is according to a new blog post.
“Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search. For other services users can check that pages are encrypted by looking to see whether the URL begins with “https”, rather than just “http”; browsers will generally show a lock icon when the connection is secure.” A part from Google post, more details on this will be demonstrated at Google I / O Google’s Largest Developer Event.
It is noted that Google started to encrypt Gmail traffic by default via https in January 2010, before that user can choose to use http or https to check email. While the option of https was firstly introduced on mid-2008. This can make us think that maybe we will find the same case on search engine.
Using a secured http will help in protecting users search at the wireless networks like airports, cafes and other open networks. Up to now the search remains in the non-encrypted form. While I have read this on the news I have remembered a perfect post on Infosecisland by Christopher Hudel : Should SSL be enabled on every website?
And I think that we will find it in real soon.
make sure you subscribe to my RSS feed!
Blackhat Europe: Fireshark – A Tool To Link the Malicious Web
Posted by Mourad Ben Lakhoua in Tools, Vulnerabilities & attacks, Web Security on April 18, 2010
Stephan Chenette has introduced at BlakHat Europe conference in Barcelona a new utility for Firefox, this plugin called Fireshark. Fireshark is a tool, made up of a Firefox plugin and a set of postprocessing scripts that allows you to capture web traffic from the core of your web browser, enabling you to log events and download content to disk for post-process analysis.
Over the past 12 months the number of compromised website has increased by 225%. Inserting a malicious code on website has become very often to infect users machines or redirecting victims to other malicious resource. Stephan Chenette has demonstrated how Fireshark can solve this problem by giving users list of resources that requires study of website source code.
That’s mean after identifying that the source is suspicious using Fireshark. User can start conducting more in depth analysis to on the website to classify and identify the vulnerability or exploit on the site.
The Information gathered by this plugin is stored locally in a folder under the extension .Yml and you can download the plugin here.
make sure you subscribe to my RSS feed!
Adobe Apologized for a 16 month-old-Bug
Posted by Mourad Ben Lakhoua in News, Software Security, Vulnerabilities, Vulnerabilities & attacks, Web Security on February 9, 2010
Adobe Company has officially apologized for the flash player 16 month old vulnerability that is still not fixed.
According to Adobe the bug has been eliminated in the beta flash player 10.1, but there still not yet a stable version for this release.
The bug officially was reported on the 22nd of September 2008 and all Flash player plug-in since the 9th version are affected. Many hackers used this gap to inject malicious code on victim’s machine.
Currently Adobe experts provided a special web page to check this vulnerability. The exploit really work you can test it following this link but before clicking you should make sure that you have another page open on the same browser.
Adobe Product Manager Emmy Huang promised that on the next Flash player 10.1 releases the vulnerability will be fixed without giving any sign on the final version date.
you can install the Adobe Flash Player 10.1 from Here.
make sure you subscribe to my RSS feed!
Donbot Leads a Way To Twitter Spam
Posted by Mourad Ben Lakhoua in News, Social Networking, Web Security on November 21, 2009
One more time major botnets are using social networking websites to spread spam.
Symantec’s MessageLabs warned lately that DonBot are started a new massive spamming message, the Lab detected from 18 November 4% of global Spam traffic.
The spam message includes an offer to work from home with a 100-200 dollars daily salary and to be considered for this opportunity the victim should send an initial payment and wait for the golden ticket.
The message also includes an image with link to redirect victim to twitter page and gives hackers a way to hijack Twitter accounts and spam other users.
This shows that more http links in instant messaging conversations are making a way to “instant malware.”
If you are receiving a message on Twitter try to not click directly on the short link and to check the original URL. By checking on LongURL.org which can helps in expanding the URL and avoid phishing, malware, and viruses by examining short URLs before visiting them and Find out where links really take you.
You can also use on Mozilla firefox Tamper Data plugin that helps to test web application security and track request and responses from the URL Link.
make sure you subscribe to my RSS feed!
Quick Tips to Fight DDoS Attack
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Web Security, cybersecurity on November 21, 2009
On previous post we shared the way to prepare our system to DDoS attack and the way to mitigate the risk. Now it is important to react in the good moment and make an effective action during the attack. Monitoring routers connection can help victim to detect the beginning of the attack.
First we should monitor the open Syn connections:
# Netstat-na | grep “: 80 \” | grep SYN_RCVD
At the normal situation the number should not pass the three connections. If there is more open connection than you are under attack and you should start by dropping these connections.
This is for the SYN-Flood case but for the HTTP-flood it is more complicated to detect, First you need to count number of Apache processes and number of port 80 connections:
# Ps aux | grep httpd | wc-l
# Netstat-na | grep “: 80 \” | wc-l
Next you need to check the IP-addresses list:
# Netstat-na | grep “: 80 \” | sort | uniq-c | sort-nr | less
To be sure that there is HTTP-flood attack is impossible but you can assume that you are under attack if one address in the list is repeated too many times. Additional evidence can be made using tcpdump:
# tcpdump -n -i < interface > -c 100
the Tcpdump will help you in tracking the source of the attack if a big number of packets targeting a single port / service (cgi-script or web directory).
Finally we have to start to work around the situation by dropping malicious IP-addresses. You can block IP’s directly from the router.
On the FreeBSD we can take some steps to avoid DDoS:
1 – Reduce the packet request time (protection against SYN-flood):
# Sysctl net.inet.tcp.msl = 7500
If an ACK is not received in this time, the segment can be considered “lost” and the network connection is freed.
Move your server in a blackhole when a TCP packet is received on a closed port. When set to ’1′, SYN packets arriving on a closed port will be dropped without a RST packet being sent back
# Sysctl net.inet.tcp.blackhole = 2
# Sysctl net.inet.udp.blackhole = 1
Limits ICMP replies to 50 per second (protection against ICMP-flood):
# Sysctl net.inet.icmp.icmplim = 50
Increase the maximum number of sockets to the server that can be open (protection against all types of DDoS):
# Sysctl kern.ipc.somaxconn = 32768
Finally enable a kernel feature called DEVICE_POLLING (significantly reduces the load on the system during DDoS Attack):
1. Compiling the kernel with option “options DEVICE_POLLING”;
2. Activate the mechanism of polling: “sysctl kern.polling.enable = 1″;
3. Add the entry “kern.polling.enable = 1″ in / etc / sysctl.conf.
These are a well balanced steps to mitigate getting exposed for Distributed Denial of Service Attack.
make sure you subscribe to my RSS feed!
Universal Tips to Avoid DDoS Attack
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Web Security on November 15, 2009
There are some points that can helps to carefully prepare our systems to avoid Distributed Denial of Service:
1- Prepare a simple and fast way to reboot remotely servers exposed to external network (webservers ,mailservers ,application servers..) this can be using SSH, we can also create a second network interface to access the server while the main channel is down.
2- Keeping all software packages up to date, to protect our systems from DoS attacks that exploit bugs in the available services.
3- Restrict access to all admin services to only authorized users, for example using IP restriction for acceding devices like firewalls, routers and network devices so an attacker will not be able to lunch a DoS attack or brute force.
4- Monitor the traffic by installing network analyzing tools (Netflow) on the routers to help identify the attack in an early phase and react to prevent it as soon as detected.
5- Adding to /etc/sysctl.conf the following lines:
# Vi /etc/sysctl.conf
# Protection against spoofing
net.ipv4.conf.default.rp_filter = 1
# Check TCP-connection every minute.
net.ipv4.tcp_keepalive_time = 60
# Repeat the test in ten seconds
net.ipv4.tcp_keepalive_intvl = 10
# Attempts number before closing the connection
net.ipv4.tcp_keepalive_probes = 5
Here it is very important to note that the listed method aims only to reduce the risk of DDoS attack, and can protect against small botnets and you can consider 90% that your server is protected against these attacks. There is more sophisticated ways like load balancing method which is extremely expensive, so if a server fails all new clients will be redirected to a clustered server and provides a very high availability.
make sure you subscribe to my RSS feed!
-
You are currently browsing the archives for the Web Security category.
SUBSCRIBE
Latest Comments