Myself, I was visiting London with my girlfriend during new year’s eve and we really enjoyed it (everything beside waiting 2.5 hours in the cold to see a 10min firework).

PS: Next time I will also visit the OWASP guys in London but I wanted also my girlfriend to have some holidays and not just hear me talking to people on how to break stuff

For me it was good to see once more, that still many people are interested in the basic stuff and it makes me very happy if I’ve got the chance just like at the Security-Zone to help people to understand, what web application security is about and why it’s important.

For the people who’re interested in what we’ve done, here’s the invitation mail I’ve sent out:

Dear Receiver,
in the name of the OWASP (http://owasp.org) I’d like to invite you to
our next event, which is part of the Global OWASP Week 2008. If you’re
interested in web application security, this is something for you.

Date and time:
1.April 2008 -> WebAppSec Is No Joke
18:00 – ca. 21:00

Where:
The event takes place at the ETH Zurich, in the main building, room
HG F26.5

Who:
As at all of our meetings, everyone is welcome. If you know someone
who could also be interested in this event, ask him/her to come too.

Content:
We’ll have three interesting Talks.

– Taking Apache access logs to the next level: Complying to PCI DSS
for fun and profit
(Christian Folini – Technical Consultant at netnea)

The PCI DSS is rather vague, when it comes to logfiles. It does
make clear, that writing logfiles and reading them is a
requirement though. But it leaves it up to you to define your
setup and your processes. Apache brings numerous logging
possibilities, but they are rarely used in practice. Based on a
sample enterprise setup, I will discuss key items of a
revision-proof architecture. System components and methods will be
examined and a few interesting techniques presented.

– Implementing an Application Security Lifecycle programme
(Alessandro Moretti – Executive director for IT security risk
management at UBS Investment Bank)

Topic:
A case study at UBS Investment Bank – how the Application Security
Lifecycle Programme aims to implement proactive and reactive IT
security management and promote application security across the
global UBS IT community.

Short description:
UBS IT Security Risk Management will provide an overview of the
risk strategy, and an insight into the strategic initiative, based
partly on OWASP, to enhance the application security with each
phase of the software development lifecycle. The presentation will
provide details on the vision, the overall programme approach and
on selected deliverables as part of the programme. Topics include,
security education, risk management, source code testing,
penetration testing and web application firewalls. A question and
answer session will follow.

– WebAppSec the Big Picture
(Sven Vetsch – Security Tester at Dreamlab Technologies)

Most of the actual vulnerabilities which security researchers and
also bad guys (doesn’t) report every day, are related to web
applications. Even if this is the case, the security community
didn’t get the big picture of what security related problems we’ve
got through web applications. In this demonstration, we will show
you an overview of the most important web vulnerabilities like SQL
Injections, XSS, CSRF, Path Traversal, Session Fixation and much
more. The focus in this demonstration is not to show you the
latest research results in webappsec, it’s to show you the big
picture of this topic.

If there are any further questions, don’t hesitate to contact me at:
sven.vetsch _at_ disenchant.ch

Regards,
Sven Vetsch
Leader OWASP Switzerland

(click to enlarge)

Hope you enjoy solving this “advanced” exercise and no, it’s not the only advanced exercise we’ve done

Last weekend, I went snowboarding in the Swiss mountains and the weather including the snow was just perfect. Because the winter sport season hasn’t started yet, there wasn’t much going on in the evening and so I was using one of the public Hotspots of the hotel. As you can think, I had to make some security related stuff and so I surfed to the Hotel’s website. There are SQL injections, XSS, Local File Inclusions and much more but I don’t want to talk more about it because there was something much more interesting. Normally when you offer a Hotspot as a hotel or any other company, you should separate it from your internal LAN but don’t even think of anyone is really doing this unless they have to for any reason. So, my IP address was now 192.168.44.36 which’s an internal IP address. The next step was of course to use our all friend nmap and let’s see what I’ve got:

Interesting ports on 192.168.1.5:
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 5.0.2195.6713
80/tcp open http Microsoft IIS webserver 5.0

Jackpot, I’ve got a Microsoft IIS 5.0 webserver on the standard HTTP port 80 and this means hopefully an internal web application

I connected to 192.168.1.5 with my favorite web browser and wow, amazing security measures there. No sorry, I’m just joking. There where no security measures at all. I simply get a menu, where I could choose a “console”. I took the first one because the others seemed to be offline. Oh my god (who’s by the way the FSM), I was now having control over more or less the whole hotel (don’t ask me why this is the case with the product of a company describing itself as “OTRUM is a leading provider of interactive TV solutions and content to the hospitality industry.”).

Let’s have a look at who’re my neighbors:

(Click the image to enlarge)

Cool stuff, with this I even know in which language I can say good morning to my neighbors

There where much more information than just the things for the reception. When you clicked on “Main Menu”, you had several other options than just “Reception”. For example you where able to create new rooms, new employers, new TV channels, have a look at a whole bunch of statistics or define even a room’s temperature and much more. The funniest thing I found (which wasn’t used by the hotel I was in), was a statistic, checking if the mini bar has been opened and how many times. My advice if you want to make the guys at the reception looking strange at you would be to open your mini bar at least one hundred times a day

As you can think, it was fun to see all this stuff and an evil guy (or girl) could have done nasty stuff there but hey, I never had to authenticate myself so it was open to everyone and because of this it’s not illegal to just surf this “website”.

For sure this application was the most interesting thing for me but there where even more security problems like:

http://192.168.1.5/cgi-bin/thrusocket.pl?&gltemplatefile=../../../../../boot.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT=”Microsoft Windows 2000 Server” /fastdetect

OK, anyone can read your data on the server but who want’s to read files if you can make an automated wake up call at 5 o’clock in the morning to every guest in the whole hotel?

There was also a Directory Listing at http://192.168.1.5/cgi-bin/ and some other not really interesting things. I can say, that I enjoyed the stay in this hotel for sure.

Lesson learned here: Don’t let security guys into your hotel if you don’t want them to have a look at your infrastructure

Hallo,
das warst doch du, der unser Sprachportal (MobiLingua, Uni Passau) über das Forum gehackt hat und mir damit einen gehörigen Schrecken eingejagt hat, oder?
Jedenfalls danke für den Hinweis – das ist halt der Nachteil von CMS: Man kann zwar mit relativ wenig Hintergrundwissen ein Layout anpassen und Inhalte bereitstellen, denkt aber in der Regel nicht an Sicherheitsaspekte (in der Hoffnung, dass das System das schon macht )

LG, [name of the sender]

In English this means, that someone of the University of Passau thinks, that I’ve hacked their online platform called MobiLingua. Of course I didn’t hack their page and also I never heard about this MobiLingua before. Because of this, I answered the following:

Hallo,
ich beschäftige mich zwar beruflich sowie privat mit der Sicherheit von Webanwendungen, doch habe ich noch nie von genanntem Portal (MobiLingua, Uni Passau) gehört, geschweige denn habe ich dieses angegriffen.

Ich würde mich sehr darüber freuen, wenn Sie mich so schnell als möglich darüber informieren könnten, wie Sie auf mich kommen in diesem Zusammenhang.

Freundliche Grüsse und ein schönes Wochenende,
Sven Vetsch

This means, that I just wanted to know, why they think that I have attacked their site because it’s true that I have to deal with web application security every day but why they think I’ve done something when I know, that I didn’t do anything? The next mail I get answered this question:

Hallo,
bitte entschuldigen Sie, wenn ich mit meiner Vermutung falsch lag. Jemand hatte ein Online-Portal mit einem Foreneintrag gehackt, in dem HTML und Javascript untergebracht worden war. Dies war ein nett gemeinter Hinweis, auf eine bestehende Sicherheitslücke, offensichtlich ohne böse Absichten. Jedenfalls wurde dadurch in mein Layout statt dem üblichen Logo ein “Hacked”-Logo eingebaut, bei dem die URL auf Ihre Domain verwies. Ein Blick auf die Inhalte dieser Seite hat gezeigt, dass Sie sich mit eben solchen Sicherheitslücken auseinandersetzen und ich glaubte den “Verursacher” gefunden zu haben.

Ich entschuldige mich deshalb vielmals für meinen Fehler..

Mit freundlichen Grüßen und ein schönes Wochenende,
[name of the sender]

First it was written, that they’re sorry for suspecting me and afterwards it was described, why they think that I’ve done the hack on their platform and also what happened. Someone has inserted a “Hacked”-logo through a HTML- and Javascript-Injection (today aka. XSS) and on request I get the injected code:

<script>
alert('Ihre Festplatte wird formatiert wenn Sie OK klicken. Schalten Sie Ihren Rechner aus um abzubrechen.');
document.getElementsByTagName("body")[0].style.backgroundColor = "fuchsia";
document.getElementById("site-logo").src = "http://www.disenchant.ch/blog/images/entries/hacked.gif";
document.getElementById("page").lastChild.innerHTML += '<br>Defacement: Da 3v1l H4X0rZ 2007 ;) lol';
for(i = 0; i < 50; i++){
document.getElementsByTagName("div")[i].style.backgroundColor = "fuchsia";
}
</script>

Now it was clear what happened. The image (http://www.disenchant.ch/blog/images/entries/hacked.gif) which was used for the hack or better call it now a defacement, was the one I’ve uploaded for my blog posting “owasp.org hacked“, where I wrote about someone who “hacked” the OWASP website/Wiki. When the people from the University of Passau checked the code, they found out, that the image was hosted on my domain and that I’ve got something to do with web application security. Now everything is clear and life goes on but this story really make me think of what can happen by just linking to or on the other side hosting images, even if it’s just mistake. It really shows, how easy someone can become a suspect in our so called information century.

PS: I really have to translate the alert message of the used payload to English. “Ihre Festplatte wird formatiert wenn Sie OK klicken. Schalten Sie Ihren Rechner aus um abzubrechen.” means “Your hard disk will be formatted when you click OK. Turn off your computer to cancel.”. And I thought that at least these idiots became extinct years ago

Because I’m not sure how much time I’ve got to work on it during the next month(s) I’ll offer also the *.tex documents to everyone who would like to do further work on the paper.

To say a few words about the paper itself, it’s simply a (at the moment) 31 pages long how-to with examples on how to develop your own extensions for Mozilla Firefox and with some additional work, I think it could be also interesting for schools to use it as teaching material.

Download

I hope some of you enjoy the paper, even if it’s not finished

Developing Firefox Extensions (70%) – Paper
Because even most of the developers I know have no clue on how to build extensions for the Firefox web browser and because I don’t know of any easy and basic level tutorial, I started to write a paper in tutorial form about how to do this. Until now it has 30 DIN-A4 pages so it really has some content. It will cover just the basics on this topic, so that even non-programmers can learn how to develop Firefox extensions and also there are introductions on XUL, Javascript and even CSS.

Social Engineering – Let’s do it (0%) – Paper
Only a few people know, that I’m not just interested in web application security and web technologies security at all, I’m also very interested in Social Engineering. There exist already some papers on this topic but I’ll write one which goes into practical experience so that you really can get some social engineering skills and not just a basic knowledge on the topic.

XSIO (95%) – Paper
This is a paper about a “new” attack type but I don’t want to say more at the moment As you can see, it’s nearly finished (95%) or better say it’s finished but it will be reviewed by someone else before I release it to the public.

Fix your PHP Code without changing it (80%) – Paper
Out of a situation was in during my work, I think it would be helpful for some people when I write a paper about what I’ve done. The main problem discussed in this paper is, that you have a PHP application, you’re not allowed to change anything on the code but you have to fix security holes in it. It’s not about black magic but I think some people out there will be interested in it.

Wedowapi (65%) – Firefox Extension
This is a new approach on how to defend phishing attacks. It doesn’t need to connect to any server and it works for 100% of all standard phishing attacks (this means no XSS stuff and so on). It already works but now I’ve to build a GUI so that normal users can use and configure it. By the way, “Wedowapi” stands for “We Don’t Want Phishing” and yes I know it should be Wedowaphi but that looks ugly to me

As you can see, I’ve enough to do and there are even some more projects in the pipeline, so you can expect some stuff from me in the near future.

PS: You might wonder why I’m writing papers, it’s just because I started working with LaTeX and it’s great