# backup.sh
echo "Creating patch"
bsdiff disk_of_last_change.tc disk_to_work_with.tc patch.patch
echo "Move patch to server"
mv patch.patch serverSide
cd ./serverSide
echo "Use patch"
bspatch disk_on_the_server.tc disk_on_the_server.tc patch.patch
cd ../
echo "cleanup"
rm ./serverSide/patch.patch
rm disk_of_last_change.tc
cp disk_to_work_with.tc disk_of_last_change.tc

Unfortunately, this is not as fast as it could be, even if it’s much faster than transfering the whole container all the time but I also found a quiet strange way on how to improve the speed of the whole process. You can just use base64 encoding and the normall diff instead of using bsdiff because you can work much faster on plain text files than on binary files. Here’s how an example could look like:

# backup64.sh
#
# run once:
# base64 disk_to_work_with.tc > disk_of_last_change_64.tc
base64 disk_to_work_with.tc > disk_to_work_with_64.tc
echo "Creating patch"
diff disk_of_last_change_64.tc disk_to_work_with_64.tc > patch64.patch
echo "Move patch to server"
mv patch64.patch ./serverSide/
cd ./serverSide
echo "Use patch"
patch disk_on_the_server_64.tc patch64.patch
cd ../
echo "cleanup"
#rm disk_of_last_change.tc
#rm disk_of_last_change_64.tc
rm ./serverSide/patch64.patch
mv disk_to_work_with_64.tc disk_of_last_change_64.tc
base64 -d disk_of_last_change_64.tc > disk_to_work_with.tc

As you’ll see, the patches are slightly bigger than the ones with bsdiff but I think you can accept that when you get such a huge performance improvement by using the base64 version.

I know that I didn’t really explain everything but don’t hesitate to ask me if there are any questions

wget http://www.openwall.com/john/g/john-1.7.3.4.tar.gz
tar xvf john-1.7.3.4.tar.gz
wget http://www.openwall.com/john/contrib/john-1.7.3.4-jumbo-1.diff.gz
gunzip john-1.7.3.4-jumbo-1.diff.gz
cp john-1.7.3.4-jumbo-1.diff ./john-1.7.3.4
cd ./john-1.7.3.4
patch -p1 < john-1.7.3.4-jumbo-1.diff
cd ./src/
make clean linux-x86-any

This patched John the Ripper can attack the following formats:
DES/BSDI/MD5/BF/AFS/LM/NT/XSHA/PO/raw-MD5/IPB2/raw-sha1/md5a/hmac-md5/KRB5/bfegg/nsldap/ssha/openssha/oracle/MYSQL/mysql-sha1/mscash/lotus5/DOMINOSEC/NETLM/NETNTLM/NETLMv2/NETHALFLM/mssql/mssql05/epi/phps/mysql-fast/pix-md5/sapG/sapB/md5ns/HDAA

I hope you enjoy it

You’ll find more information on the FSTK here but the Extensions have changed.

At this point I also wish to thank Kaspar Brand (the developer of Cert Viewer Plus) for letting me know, that there where some licensing problems.

Thanks a lot at this point to Compass Security for the great event.

Here you’ll see the final ranking:

PS: Baboo and me had to create a new user called Disenchant_and_Baboo for the second day. As you can see, my user of the first day (Disenchant) is at the end of the second day still on rank 11

If there are any questions about CSW, don’t hesitate to ask

You might ask yourself now: What the hell is CSW? CSW is short for Certified Secure Web, which is a security certification framework for the web. Actually we’ve got two certification types, the CSWT where T is short for Technology which means certification of web applications and we’ve got also a CSWD, which’s thought to stand for Developers. Before I go more into more details, I have to say that the CSW certification framework is thought to be open and not just for Dreamlab Technologies. We’re only a part of the CSW, the real certification is done by an independent party which is in our case a backend, built of educational organizations like for example universities, combined with partners like us. So this is not just poor advertising, we’re really looking for people/companies who’re interested in this all over the world.

Normally I would say, go to https://www.certifiedsecureweb.com/, where you can find all the information you need but unfortunately, the site is still only available in German, even if the English version is afaik ready.

So, what is CSW: “Certified Secure Web is an initiative to increase the overall security of web applications and also to provide a certification for Technology (Applications) and Developers.” (A free translation of the text on the CSW website, from German into English). It’s based on the OSSTMM by ISECOM, the Threat Classification of the WASC and on different resources, provided by the OWASP. With these different resources we think, that we can really provide a certification, which is worth the paper it’s printed on, even if we know that also the CSW certification can’t be perfect at all. Something which is also special on CSW is, that we don’t want to say that an application is secure and “hacker safe” (oops, sorry guys ) but we would like to certify a security baseline for web applications and help companies getting a more secure application.

I could go on with this for hours but I think it’s better to write my next two postings directly on CSWT and CSWD because it will say much more on what we’d like to achieve and in which way.

For specific questions or if you’d like to get involved, please just contact me or leave a comment

… and of course merry Christmas and a happy new year

Here’s a proof (even if it only a line of text ):

How it works:

1. Attacker needs a XSS vulnerability at example.com
2. Configuration of the hackIt.js and include it to example.com by inserting it through a script-Tag
3. hackIt.js knows because of it’s configuration where the login page of example.com is
4. The script replaces the content of the infected page at example.com with a copy of the login page which will be loaded through a XML HTTP Request
5. hackIt.js will automatically find the login form and it’s input fields in “faked” login page
6. The submit button of the login form will become a normal button without it’s submit functionality but it will now have a onclick-function
7. As soon as the user clicks on the submit button to login, an image will become dynamically added to the DOM tree, which points to a server side script at evil.com, including the values of the login fields as attributes.
8. Because of as soon as an image becomes loaded, a HTTP GET request will be sent to the image’s location, the attacked user’s login credentials will be sent to evil.com in cleartext, where an attacker can now store it
9. Last but not least, the hackIt.js normally submits the login form to it’s originally thought location.
10. If the user has no Proxy or other tamper mechanism in place, he/she will never find out, that the login credentials have been sent to evil.com

I know it sounds quiet complex but it’s really easy if you get the point. If there are any questions, I’m glad to answer these as a comment or in an email

Because of I’m not sure if it’s a good idea to post the source code (even if it’s really easy to write it on your own), I decided to not make it available through my blog but if you’d like to receive the code, just let me know directly. Anyway, below you can watch a small video which demonstrates the attack, performed by the script.

For me it was good to see once more, that still many people are interested in the basic stuff and it makes me very happy if I’ve got the chance just like at the Security-Zone to help people to understand, what web application security is about and why it’s important.

The Metropolitan Police Service launched a Counter-Terrorism campaign and unfortunately it seems to be real and not just a joke.

The following is copied from here:

The five-week campaign asks members of the public to report any suspicious behaviour in confidence to the Anti-Terrorist Hotline on 0800 789 321.

Press advertising will appear in London’s major newspapers and on the City’s main commercial radio stations.

Camera posterThe press ads seek to raise awareness of some of the items/activities which may be needed by, or be of use to, terrorists. It asks the public to consider whether they have seen any activity connected with them which may have made them suspicious.

Radio advertising has been devised to complement the press ads and features an individual thinking out loud about concerns she has around some suspicious behaviour. She is reassured that she should call the confidential Anti-Terrorist Hotline on 0800 789 321 and that any information will be considered by specialist officers.

Advertising will also run in the Greater Manchester, West Yorkshire and the West Midlands.

At least there is already an alternative poster: