Archive Page 3



Big XSS Presentation

On the 26. March this year, I gave a quiet special guest lecture. I was teaching students at the Bern University of Applied Sciences Engineering and Information Technology which are all studying the same as me (computer science) but they are nearly finished with their studies. This means I was once more the young and long-haired guy who came to talk about security or to be more specific web application security. Of course it was a special situation for me and I think also for the other students. Anyway, it was interesting to work with them and I think that my presentation and also the demos I made, helped them to understand the topic I was talking about: XSS.

Unfortunately it’s not that easy to upload the demos I made but I’d like to make my presentation available to the public because I think, that people can learn out of it and also if someone needs to give a lecture on XSS he/she can probably use some stuff out of my presentation.

Download the XSS presentation now

Hope you enjoy the presentation :)

Touchscreens vs. Biometrics

A few days ago I was cleaning the screen of my notebook, which’s a Lenovo X61 Tablet. I’m using it everyday and especially for my studies I’m working in tablet-mode, which means that I have to clean up the screen about every two weeks. During cleaning I recognized, that there are many fingerprints of mine on the touchscreen. Whoops… haven’t we seen more than enough how to fake fingerprints? I think we have and did you see that there is a built in fingerprint reader in the X61. Let’s think about this. We’ve got more and more devices which have a touchscreen and at the same time, more devices allow you to log in with your fingerprint. This means, that in the near future an attacker don’t need any password of you, he just steals a device and then build his key (the fingerprint) right from the touchscreen.

To make this more visible to you, I’ve made a photo of my screen:

As you can see, this is really a good enough fingerprint to copy it.

PS: I smudged three lines on the picture because it’s my own fingerprint ;)

Global OWASP Week 2008 – Switzerland

As some of you might know, during the last week we had the Global OWASP Week 2008. As I’m the actual leader of the OWASP Switzerland Local Chapter, I organized a meeting during this week. Because we needed some more space, we went to the ETH Zurich where we had a room for 46 people. From my point of view it was a huge success for the OWASP in Switzerland because we’ve got about 30 attendees at this meeting (normally we’ve got about 20). For me it was also a little bit of stress because we didn’t received a beamer so we had to organize one and another stress factor for my was, that because of all the OWASP book I put into my bag to give them away, I forgot to put the walkthrough for my demonstration in it which means, that I had to do it out of my mind. Anyway, just as I already said, it was a success for the OWASP and I’m sure that we’ll have some new faces at our next meeting.

For the people who’re interested in what we’ve done, here’s the invitation mail I’ve sent out:

Dear Receiver,
in the name of the OWASP (http://owasp.org) I’d like to invite you to
our next event, which is part of the Global OWASP Week 2008. If you’re
interested in web application security, this is something for you.

Date and time:
1.April 2008 -> WebAppSec Is No Joke
18:00 – ca. 21:00

Where:
The event takes place at the ETH Zurich, in the main building, room
HG F26.5

Who:
As at all of our meetings, everyone is welcome. If you know someone
who could also be interested in this event, ask him/her to come too.

Content:
We’ll have three interesting Talks.

– Taking Apache access logs to the next level: Complying to PCI DSS
for fun and profit
(Christian Folini – Technical Consultant at netnea)

The PCI DSS is rather vague, when it comes to logfiles. It does
make clear, that writing logfiles and reading them is a
requirement though. But it leaves it up to you to define your
setup and your processes. Apache brings numerous logging
possibilities, but they are rarely used in practice. Based on a
sample enterprise setup, I will discuss key items of a
revision-proof architecture. System components and methods will be
examined and a few interesting techniques presented.

– Implementing an Application Security Lifecycle programme
(Alessandro Moretti – Executive director for IT security risk
management at UBS Investment Bank)

Topic:
A case study at UBS Investment Bank – how the Application Security
Lifecycle Programme aims to implement proactive and reactive IT
security management and promote application security across the
global UBS IT community.

Short description:
UBS IT Security Risk Management will provide an overview of the
risk strategy, and an insight into the strategic initiative, based
partly on OWASP, to enhance the application security with each
phase of the software development lifecycle. The presentation will
provide details on the vision, the overall programme approach and
on selected deliverables as part of the programme. Topics include,
security education, risk management, source code testing,
penetration testing and web application firewalls. A question and
answer session will follow.

– WebAppSec the Big Picture
(Sven Vetsch – Security Tester at Dreamlab Technologies)

Most of the actual vulnerabilities which security researchers and
also bad guys (doesn’t) report every day, are related to web
applications. Even if this is the case, the security community
didn’t get the big picture of what security related problems we’ve
got through web applications. In this demonstration, we will show
you an overview of the most important web vulnerabilities like SQL
Injections, XSS, CSRF, Path Traversal, Session Fixation and much
more. The focus in this demonstration is not to show you the
latest research results in webappsec, it’s to show you the big
picture of this topic.

If there are any further questions, don’t hesitate to contact me at:
sven.vetsch _at_ disenchant.ch

Regards,
Sven Vetsch
Leader OWASP Switzerland

About one year ago, I’ve created a bundle which contained several different extensions for Firefox related to web application security testing. Today I’d like to release version 3.0 of the Firefox Security Tool Kit or short FSTK, which will make your browser a (nearly) full-fledged webappsec pentesting tool.

Download and/or Install the FSTK v3.0 now

By installing it to your Firefox, you’ll get all of the following extensions:

allcookies
Version: 1.2
By: Bernard Maison
dumps ALL cookies to cookies.txt file
For Firefox versions 1.5 to 2.0.0.*
Homepage: http://allcookies.mozdev.org

Cert Viewer Plus
Version: 1.2
By: Kaspar Brand
Certificate viewer enhancements: PEM format view, file export
For Firefox versions 1.5.0.4 to 3.0.0.*
Homepage: https://addons.mozilla.org/addon/1964/

Firebug
Version: 1.05
By: Joe Hewitt
Web Development Evolved
For Firefox versions 1.5 to 2.0.0.*
Homepage: http://www.getfirebug.com/

Firecookie
Version: 0.0.5
By: Jan Odvarko
Cookie manager for Firebug. Firebug has to be installed in order to use this extension.
For Firefox versions 2.0 to 3.0b5pre
Homepage: http://www.janodvarko.cz/firecookie

Fire Encrypter
Version: 3.0
By: Ronald van den heetkamp
Encryption, Decryption, and Hashing program.
For Firefox versions 1.5 to 2.0.0.*
Homepage: http://www.jungsonnstudios.com/Mozilla/

FoxyProxy
Version: 2.7.1
By: LeahScape, Inc.
Premier proxy management for Firefox
For Firefox versions 1.5 to 3.0b4pre
Homepage: http://foxyproxy.mozdev.org

Live HTTP Headers
Version: 0.13.1
By: Daniel Savard
View HTTP headers of a page and while browsing.
For Firefox versions 0.8 to 2.0.0.*
Homepage: http://livehttpheaders.mozdev.org/

Selenium IDE
Version: 1.0b1
By: Shinya Kasatani
Record, edit and play Selenium tests
For Firefox versions 1.5 to 3.0b3
Homepage: http://www.openqa.org/selenium-ide/

Smart Middle Click
Version: 0.5
By: spiers
Middle click for javascript links.
For Firefox versions 1.5 to 2.0.0.*
Homepage: http://spiers.free.fr/

Tamper Data
Version: 9.8.1
By: Adam Judson
View and modify HTTP/HTTPS headers etc.
For Firefox versions 1.0 to 2.0.0.*
Homepage: http://tamperdata.mozdev.org

User Agent Switcher
Version: 0.6.10
By: Chris Pederick
Adds a menu and a toolbar button to switch the user agent of the browser.
For Firefox versions 1.0 to 2.0.0.*
Homepage: http://chrispederick.com/work/user-agent-switcher/

Web Developer
Version: 1.1.4
By: Chris Pederick
Adds a menu and a toolbar with various web developer tools.
For Firefox versions 1.0 to 2.0.0.*
Homepage: http://chrispederick.com/work/web-developer/

Hope you enjoy it :)

Youtube has got Code Monkeys

We all know the “500 Internal Server Error” but have you ever seen it on youtube.com:
http://m.youtube.com/index?warned=1&session=%

It says:

Sorry, something went wrong.
A team of highly trained monkeys has been dispatched to deal with this situation. Please report this incident to customer service.

You guys made my day :P

PS: For some reason you sometimes have to click on the link twice until you get the message.

Selenium Remote Control

A working colleague of mine showed me a tool, which I think is really cool for automating tasks during web application security test, even if it’s not made especially for that. The tool I’m talking about is called Selenium Remote Control and licensed under the Apache 2.0 License. Let’s have a look at the description of Selenium:

Selenium Remote Control (RC) is a test tool that allows you to write automated web application UI tests in any programming language against any HTTP website using any mainstream JavaScript-enabled browser.

This is exactly what Selenium is/does :)

I can especially recommend the Selenium IDE, which’s a Firefox extension that can record all actions of your browser, replay them and also export the whole thing into HTML, Java, C#, Perl, PHP, Python and Ruby.

This is, how the Selenium IDE looks like:

Selenium IDE

I don’t want to say more on this, just give it a try and have fun :)

Torrent Injection

A colleague of mine asked me a few days ago, what he can do with an XSS on a BitTorrent Tracker site. The most obvious thing was of course to steal a logged in user’s session ID to get access to his account data which contains for example his “Private Tracker” login credentials and so on. The XSS he found was just a reflecting one so it’s good for him because he just started with WebAppSec stuff but for me it was nothing more than the XSS we can find in most of the websites on the whole Internet. You might ask, why I’m writing about this because then I can also write about any other XSS vulnerability but this one make me thinking of another way of injecting a persistent XSS on BitTorrent Trackers. Every BitTorrent Tracker allows users to upload their new *.torrent files and everyone can then download it over the link in the tracker, which contains all needed information about it. Now let’s have a look at the information such a tracker picks out of the uploaded files, which will then be displayed to the user.

BTorrent1

Additionally, below there’s also a list of all the files which are “in” this Torrent.

Now let’s think about input filtering. Normally, there are more or less effective input filters in place for bigger web applications but when you have to deal with the content of uploaded files, you should perhaps also check the content of them. I think you’ve got the point ;)

The only thing you have to do now, is to create a Torrent file which contains script code for example as a comment. When we upload such a file to a Torrent Tracker, it should be checked but this isn’t as easy as it sounds and normally programmers don’t do this because there can also be binary data in this files and so you don’t want to check all that stuff and anyway, who can make a Torrent file by hand? *joking*

Now let’s see what happens if I upload my Torrent file which contains <script>alert(document.cookie);</script> in the comment field.

BTorrent2

As you can see, our script was executed :)

This is not just a vulnerability we can find here, it’s more of a global problem we’ve got in applications, where users can upload files, which will become parsed and at this time, this includes heavily BitTorrent Trackers as shown here.

Once more a message to the developers out there: Please implement sufficient filtering mechanisms ;)

Advanced English?

As you might know, I’m actually studying computer science at the Bern University of Applied Sciences Engineering and Information Technology. Yesterday we had English lessons and I’m in the advanced group, which is the highest level we can attend in this semester. So let’s have a look at an exercise we’ve done in this lesson and I really think, that anyone who can read my blog should ask my school if they can give you a certificate in English Advanced because you really should be able to solve the following. At least for me the word advanced means something completely different :P

Advanced English
(click to enlarge)

Hope you enjoy solving this “advanced” exercise and no, it’s not the only advanced exercise we’ve done ;)

A Native “JavaScript” Speaker?

I just found a website, where you can let a bot read an article to you. You might say that this isn’t special but there was this parameter called “id” which I had to play with. When I used id=8838 it was some kind of special because it was reading the code of it’s own JavaScript function vh_sceneLoaded(). It says:

loadText('. .drucken {display: none;}.senden {display: none;}.quelle {display: none;}.artboxbottom2sp {height: 15px;width: 465;background: url(/_images_/hg_spitzmarke_2sp_bottom.gif);} Webwww.espace.ch',2,3,2);

Who knows, perhaps JavaScript will become the first natively spoken programming language. At least it would be really easy to speak for me because it seems that in “JavaScriptish”, the spelling is the same as in German :P

Meet the native Javascript Speaker

(According to the following blog posting, be aware of that I’ve never bypassed any authorization mechanism, nor did I break, access or change anything I was not allowed to.)

Last weekend, I went snowboarding in the Swiss mountains and the weather including the snow was just perfect. Because the winter sport season hasn’t started yet, there wasn’t much going on in the evening and so I was using one of the public Hotspots of the hotel. As you can think, I had to make some security related stuff and so I surfed to the Hotel’s website. There are SQL injections, XSS, Local File Inclusions and much more but I don’t want to talk more about it because there was something much more interesting. Normally when you offer a Hotspot as a hotel or any other company, you should separate it from your internal LAN but don’t even think of anyone is really doing this unless they have to for any reason. So, my IP address was now 192.168.44.36 which’s an internal IP address. The next step was of course to use our all friend nmap and let’s see what I’ve got:

Interesting ports on 192.168.1.5:
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 5.0.2195.6713
80/tcp open http Microsoft IIS webserver 5.0

Jackpot, I’ve got a Microsoft IIS 5.0 webserver on the standard HTTP port 80 and this means hopefully an internal web application :)

I connected to 192.168.1.5 with my favorite web browser and wow, amazing security measures there. No sorry, I’m just joking. There where no security measures at all. I simply get a menu, where I could choose a “console”. I took the first one because the others seemed to be offline. Oh my god (who’s by the way the FSM), I was now having control over more or less the whole hotel (don’t ask me why this is the case with the product of a company describing itself as “OTRUM is a leading provider of interactive TV solutions and content to the hospitality industry.”).

Let’s have a look at who’re my neighbors:
Hotel Guest List Small
(Click the image to enlarge)

Cool stuff, with this I even know in which language I can say good morning to my neighbors :)

There where much more information than just the things for the reception. When you clicked on “Main Menu”, you had several other options than just “Reception”. For example you where able to create new rooms, new employers, new TV channels, have a look at a whole bunch of statistics or define even a room’s temperature and much more. The funniest thing I found (which wasn’t used by the hotel I was in), was a statistic, checking if the mini bar has been opened and how many times. My advice if you want to make the guys at the reception looking strange at you would be to open your mini bar at least one hundred times a day :P

As you can think, it was fun to see all this stuff and an evil guy (or girl) could have done nasty stuff there but hey, I never had to authenticate myself so it was open to everyone and because of this it’s not illegal to just surf this “website”.

For sure this application was the most interesting thing for me but there where even more security problems like:

http://192.168.1.5/cgi-bin/thrusocket.pl?&gltemplatefile=../../../../../boot.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT=”Microsoft Windows 2000 Server” /fastdetect

OK, anyone can read your data on the server but who want’s to read files if you can make an automated wake up call at 5 o’clock in the morning to every guest in the whole hotel? :P

There was also a Directory Listing at http://192.168.1.5/cgi-bin/ and some other not really interesting things. I can say, that I enjoyed the stay in this hotel for sure.

Lesson learned here: Don’t let security guys into your hotel if you don’t want them to have a look at your infrastructure ;)