Archive Page 2



It’s much later than I wanted to post this but finally here is my demonstration I’ve done for the Security-Zone 2008. Because there are so much resources about XSS and SQL Injections out there already, this posting is just about the hidden phishing method.

How it works:

  1. Attacker needs a XSS vulnerability at example.com
  2. Configuration of the hackIt.js and include it to example.com by inserting it through a script-Tag
  3. hackIt.js knows because of it’s configuration where the login page of example.com is
  4. The script replaces the content of the infected page at example.com with a copy of the login page which will be loaded through a XML HTTP Request
  5. hackIt.js will automatically find the login form and it’s input fields in “faked” login page
  6. The submit button of the login form will become a normal button without it’s submit functionality but it will now have a onclick-function
  7. As soon as the user clicks on the submit button to login, an image will become dynamically added to the DOM tree, which points to a server side script at evil.com, including the values of the login fields as attributes.
  8. Because of as soon as an image becomes loaded, a HTTP GET request will be sent to the image’s location, the attacked user’s login credentials will be sent to evil.com in cleartext, where an attacker can now store it
  9. Last but not least, the hackIt.js normally submits the login form to it’s originally thought location.
  10. If the user has no Proxy or other tamper mechanism in place, he/she will never find out, that the login credentials have been sent to evil.com

I know it sounds quiet complex but it’s really easy if you get the point. If there are any questions, I’m glad to answer these as a comment or in an email :)

Because of I’m not sure if it’s a good idea to post the source code (even if it’s really easy to write it on your own), I decided to not make it available through my blog but if you’d like to receive the code, just let me know directly. Anyway, below you can watch a small video which demonstrates the attack, performed by the script.

Get the Flash Player to see this player.

The Security-Zone is as far as I know, the most important and biggest security event in Switzerland and like last year I was there to present some stuff. Also like the last time, I wasn’t alone, there where Pascal Mittner from Astalavista IT Engineering and Pascal C. Kocher from Defcon Switzerland (I’ll write something about this very soon :) ). It was the first time, that there was a workshop at a Security-Zone and so we where quiet exited but we also thought, that this would be easy stuff. First, a 20min slot for each of us three to just talk and afterwards, about three hours of really presenting stuff and also let people getting some hand-on experience. Unfortunately, the first part about how to write an exploit for an FTP server by Pascal C. Kocher failed because something I still don’t know about. There where just a few lines of Perl code but for any reason, the final exploit didn’t work. Also the last part about using a security management system to identify and track risks on your systems failed because of the participants weren’t able to test the virtual machines Pascal Mittner brought to the security zone. Even there we’re not sure what was the problem but we think it could have been a problem of by switch or some crappy Ethernet wires. Anyway, this means, that my part was the only one, that worked without any problems (thanks at this point to the FSM :P ). I was first presenting a simple XSS but not only the standard alert(123) no, I wanted to show the attending people, that you can do much more an so I decided to show a website defacement. Afterwards, I bypassed a login mechanism by a standard SQL Injection and last but not least, I presented something which was quiet a bit complicated (a combination of XSS and CSRF) but I’ll write another blog posting (hopefully) during the next days about this demo.

For me it was good to see once more, that still many people are interested in the basic stuff and it makes me very happy if I’ve got the chance just like at the Security-Zone to help people to understand, what web application security is about and why it’s important.

Counter-Terrorism advertising campaign launched

I totally forgot to click publish for this blog posting but better now then never :)

The Metropolitan Police Service launched a Counter-Terrorism campaign and unfortunately it seems to be real and not just a joke.

The following is copied from here:

The five-week campaign asks members of the public to report any suspicious behaviour in confidence to the Anti-Terrorist Hotline on 0800 789 321.

Press advertising will appear in London’s major newspapers and on the City’s main commercial radio stations.

Camera posterThe press ads seek to raise awareness of some of the items/activities which may be needed by, or be of use to, terrorists. It asks the public to consider whether they have seen any activity connected with them which may have made them suspicious.

Radio advertising has been devised to complement the press ads and features an individual thinking out loud about concerns she has around some suspicious behaviour. She is reassured that she should call the confidential Anti-Terrorist Hotline on 0800 789 321 and that any information will be considered by specialist officers.

Advertising will also run in the Greater Manchester, West Yorkshire and the West Midlands.

At least there is already an alternative poster:

Nice new SPAM Trick

This morning I’ve received the following spam mail:

Hi,

I am basically interested for business reasons. I had written to you about
the offer a few days back. Perhaps you never got the mail in the first
place. Anyhow, here is the deal. I found your site
http://www.disenchant.ch/ really enchanting and would like to buy a
number of text-links on your site.

Let me know if you would like to hear more of this.

Best regards,

Susan.

OK, the idea seems to be not that bad. You have a normal crawler for e-mail addresses and if you found one, change the message of your mail by mentioning the domain name. I think many people will notice this and think that it can’t be a spam mail because there’s a specific part in in which is not correct for most people. Also the name of the sender at the end of the mail is interesting because it’s Susan and the sender’s e-mail address was susan.[a last name]@gmail.com. This means, that also this seems to be correct and I think that many people will answer to this mail.

PS: Of course it’s also possible that it’s not a spam but then the company behind it will become bankrupt very soon ;)

As you might know, today Google released it’s own web browser called Chrome. I just had to have a look at it and have to say, it’s really not that bad but I just wanted to know if I’m able to crash it ;)

Here’s my result after a few minutes:

Get the Flash Player to see this player.

The movie is that long because I always had to check if my string is already long enough. The indicator for it was the mouse over effect (highlighting) of the button.

Swiss Post owned by Terrorists

My sister had her birthday a few days ago and she got a lot of cards from all over Switzerland. One of them was very interesting because it was a letter, sent from our aunts who’re living in Zurich Kloten which is where also the Zurich Airport is. Now remember 9/11 and have a look at the official post stamp on the letter:

Data Aggregation – The hidden Thread

If you talk to security people all over the world, you’ll notice, that stuff like XSS or SQL Injections aren’t of that much interest anymore because everyone knows what the problems are and how to prevent it, even if I’m not sure that they really know enough on it. Anyway, I was thinking of how we can get data out of things like for example a database even if it’s protected against attacks just as mentioned at the beginning. I came up with something, that I’ve never seen before or at least not in the context of a security thread to data. Today it’s very important to aggregate and mix data, to get new information out of it but have you ever thought of what happens if you can reconstruct sensible data out of let’s say public data.

Let’s have a look at an example in which we’re a student, who has access to the schools Intranet but there he can just have a look at news and also his grades as well as the average of a group of people like his class mates, people with the same age and such.

The number in brackets is the amount of people who’s data are affected and in this example our name is Peter Miller, who wants to know the grades of his class mate called Paul Svenson.

In the following tables, you’ll see the result of different requests to the school information system.

Now let’s check our whole class (3b):

Now we can calculate the worst possible grades of “Lisa Wilson” (born in 1980 and one of the two females in class 3b) out of the information in table “Average grades of females in class 3b”.

With this information we’ve got two of three peoples grades (Lisa’s grades are as already written the worst possible) who where born in 1980. This means we can now calculate the last persons grades (of course this will also be the worst possible), who’s Paul Svenson, our final target.

I hope you understood what I mean and also why this is really something we should pay more attention to in the future.

I’m back :)

It’s now about two months ago since I wrote my last blog posting but this was just because I had summer holidays (the only good thing about being a student). I was on different openairs in Switzerland and also went to visit Bulgaria with some friends, which was very nice.

This was our hotel:

So, I’m back and have much stuff to write about which is related to web security and other interesting stuff :)

I’ve been asked to make my Firefox Security Tool Kit (FSTK) compatible to the new Firefox version 3 and here it is :)

Download and/or Install the FSTK v3.1 now

Additionally to the new version compatibility changes, I replaced the Extension “User Agent Switcher” with “Modify Headers“. All other extensions are the same as described here.

Hacking Coffee Makers

Yesterday, Craig Wright has sent an email to the BugTraq mailing list and because it’s a funny story, I’d like to share it with my readers.

Hi All,
I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

“Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there’s a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”

Guess what – it can not be patched as far as I can tell ;) It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service)

The connectivity kit uses the connectivity of the PC it is running on to connect the coffee machine to the internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary service.

Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.

Compromise by Coffee.

Regards,
Craig Wright GSE-Compliance

PS: I’m really looking forward to a coffee maker with a web interface :P