Archive Page 5
Normally I don’t like to do advertising on my blog, especially not for companies. This time I’ll make an exception, because Dreamlab Technologies Ltd., the company I’m working for, has released a good paper about the next ten big security problems we’ll probably run into in the near future. I also gave my input to the paper, as everyone in Dreamlab’s “Audit Department” did. Unfortunately the paper was released only in German, so I started to translate it, even though I think I’ll never finish it because there’s too much other stuff I really should be working on where the outcome is much higher. So if you understand even a little German, it’s perhaps an interesting paper for you, or for example for your CEO, CTO or CIO.
You can download the paper here:
Download
As a small additional piece of information: I wrote that my paper about XSIO (yes, nobody out there knows what it is about yet) is finished, and this is true. I was now also able to get some money from Dreamlab for it, even though I keep all rights to it; they can also publish it with their logo on it and so on, as long as they don’t change it and give me full credit. So everyone will be happy, and it can now be published during the next few days. If I can make some similar deals in the future, I’ll be able to write even more papers and do stuff for the community.
Once more – Article on the OWASP Top 10 (in German)
Closed. Published August 29th, 2007 in OWASP, security
In my posting “Article on the OWASP Top 10 (in German)” I wrote that there is an article of mine in the newsletter of the Security-Zone, which is the most important IT security event we’ve got here in Switzerland: a translation of the OWASP Top 10 into German. Now I got a request from the well-known Swiss IT magazine Netzwoche, which would also like to publish this article. Of course I agreed, because my goal with this article was to introduce OWASP to as many people in Switzerland, Germany and Austria as possible. As of today, the magazine with the article inside is available.
You can of course download the article here:
Download Now
Below you’ll find some of the projects I’m currently working on:
Developing Firefox Extensions (70%) – Paper
Because even most of the developers I know have no clue how to build extensions for the Firefox web browser, and because I don’t know of any easy, basic-level tutorial, I started to write a paper in tutorial form about how to do this. So far it has 30 DIN A4 pages, so it really has some content. It will cover just the basics of this topic, so that even non-programmers can learn how to develop Firefox extensions, and there are also introductions to XUL, JavaScript and even CSS.
Social Engineering – Let’s do it (0%) – Paper
Only a few people know that I’m not just interested in web application security and web technology security; I’m also very interested in social engineering. There are already some papers on this topic, but I’ll write one that goes into practical experience, so that you can really get some social engineering skills and not just basic knowledge of the topic.
XSIO (95%) – Paper
This is a paper about a “new” attack type, but I don’t want to say more at the moment.
As you can see, it’s nearly finished (95%), or better said it’s finished, but it will be reviewed by someone else before I release it to the public.
Fix your PHP Code without changing it (80%) – Paper
Out of a situation I was in during my work, I think it would be helpful for some people if I wrote a paper about what I’ve done. The main problem discussed in this paper is that you have a PHP application, you’re not allowed to change anything in the code, but you have to fix security holes in it. It’s not black magic, but I think some people out there will be interested in it.
Wedowapi (65%) – Firefox Extension
This is a new approach to defending against phishing attacks. It doesn’t need to connect to any server, and it works for 100% of all standard phishing attacks (meaning no XSS stuff and so on). It already works, but now I have to build a GUI so that normal users can use and configure it. By the way, “Wedowapi” stands for “We Don’t Want Phishing”, and yes, I know it should be “Wedowaphi”, but that looks ugly to me.
As you can see, I’ve got enough to do, and there are even more projects in the pipeline, so you can expect some stuff from me in the near future.
PS: You might wonder why I’m writing papers; it’s just because I started working with LaTeX and it’s great.
Today I came across the user profile of Foz on the wiki of the Chaos Communication Camp 2007. He uses a really nice way of hiding his mail address from spam bots (I’ve now done it with my own address):
ruby -e 'puts "h!c!.!t!n!a!h!c!n!e!s!i!d!@!h!c!s!t!e!v!.!n!e!v!s".split("!").join.reverse'
Of course no normal, or better said “non-geek”, person will be able to contact you anymore, but I think it’s a cool idea, and of course you can rewrite it in your favorite programming language, such as Python or Perl.
Btw., sorry to everyone that I’m not writing that much at the moment, but I really have a lot to do. Don’t worry, I’m working on some nice stuff, and as soon as possible I’ll let you know what you can expect from me in the near future.
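An added example (not code from the original post or from Foz) showing the encoding side as well: it builds the interleaved, reversed form for any address and decodes it back, using a constructed sample address, and refuses a separator that already occurs in the address (which the decoder would silently drop).

```ruby
# Added example, not code from the original post: the encoder that produces the
# kind of string Foz's one-liner decodes, plus the matching decoder.
SEP = "!"

# Reverse the address, then put the separator between every pair of characters.
# The separator must not occur in the address, or the decoder would lose it.
def obfuscate(address, sep = SEP)
  raise ArgumentError, "separator occurs in address" if address.include?(sep)
  address.reverse.chars.join(sep)
end

# Exactly what the one-liner does: split on the separator, join, reverse.
def deobfuscate(encoded, sep = SEP)
  encoded.split(sep).join.reverse
end

# Constructed sample address (not a real mailbox).
SAMPLE = "alice@example.org"

if __FILE__ == $0
  encoded = obfuscate(SAMPLE)
  # The ready-to-paste one-liner for the sample address.
  puts "ruby -e 'puts \"#{encoded}\".split(\"#{SEP}\").join.reverse'"
  puts deobfuscate(encoded)
end
```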
I found the following blog posting and would like to share it with all of you. It has some really crazy examples of CAPTCHAs, and my favorite is definitely the one with the CAPTCHA string in the image’s URI.
Attention: If Acunetix is an OWASP member but for some reason is not listed on the OWASP website, everything’s OK from my point of view and this posting is irrelevant. But I found no information about an OWASP membership of Acunetix on the Net. Also, I’m not a lawyer, so the following posting is just my own thoughts.
When I was in Milan at this year’s OWASP Application Security Conference in Europe, there was much discussion about companies abusing the OWASP brand. I also saw some abuses by some companies, but nothing that was really along the lines of “hey everyone, we’ve got OWASP in our product”, and after I talked to them they removed the things that weren’t OK, so that everything was legal again. Now today I came across the website of Acunetix and saw that they’ve got a new version of their web vulnerability scanner, so I was looking at the new features they’ve implemented. That’s how I came to the page where Acunetix writes:
Acunetix Web vulnerability scanner includes an extensive reporting module which can generate reports that show whether your web applications meet the new VISA PCI Data Compliance requirements or whether OWASP top 10 vulnerabilities are present.
OK, they have implemented something like an “OWASP Top 10 check” to see if an application is compliant with the Payment Card Industry Data Security Standard (PCI DSS). The first thing I asked myself was: why do these guys check that stuff from the outside? If I remember right, the OWASP Top 10 will really become a requirement of this standard in 2008, but only for source code reviews, and this is not a source code vulnerability scanner. Anyway, let them test that stuff from the outside; this might also be helpful. But then it immediately came to my mind: they have implemented the OWASP Top 10 in their product, but hey, have I ever seen the Acunetix logo on the OWASP members page? The answer is of course no, there’s no Acunetix logo at all, which means that it seems this company doesn’t have a membership. So let’s have a look in the OWASP wiki at the membership page to see what this means.
Benefits unique to members
- A OWASP Commercial License to use the materials within your organization without the restrictions associated with the various open source licenses used by the OWASP projects.
- Visibility for your organization’s tangible commitment to application security through its inclusion in the members list on the OWASP website and promotional materials.
- The right to use the OWASP name and membership mark to show that you are an OWASP Member. Note that the mark must not be used in any way that might indicate that OWASP supports a commercial product or service.
- Discounts to the OWASP AppSec and other security conferences and events. See the OWASP Member Offers page for the most current discounts available to OWASP Members. NOTE: Some of these discounts are greater than or equal to the cost of an individual OWASP Membership.
Benefits that also apply to all OWASP participants (even non-members)
- An active voice in the development of OWASP Materials that are becoming widely accepted as an application security standard for all organizations.
- Timely electronic notification of updates to the OWASP Materials.
- Collaboration with other highly skilled people from organizations around the world, both virtually and in person during periodic OWASP AppSec conferences and chapter meetings.
- Authorization to create an account and edit pages on the www.owasp.org website (WIKI based)
OK, so have a look at the screenshot they’ve got on their website:

For me at least this looks like proof that they’ve directly implemented the OWASP Top 10, which is an open source document (by its license), in their proprietary product. Now look at the first point of the list of “Benefits unique to members”:
“A OWASP Commercial License to use the materials within your organization without the restrictions associated with the various open source licenses used by the OWASP projects.” This means that Acunetix, as a non-member, is not allowed to use the OWASP Top 10 in their product, because it’s proprietary.
My conclusion on this story is that Acunetix has broken the law, so they have to remove the OWASP parts from their scanner (and eventually pay something to OWASP because of the license abuse), or they’ll have to put their web vulnerability scanner under the same license as the OWASP Top 10, which AFAIK is the GPL. Let’s go for it, Acunetix: give us an open source webappsec scanner, the community will love you for that.
As I already wrote in my last post “OWASP Switzerland goes Public”, there will be an article of mine about the OWASP Top 10 in the next newsletter of the Security-Zone. It’s more or less a translation of the summary of each point from the original (English) OWASP Top 10. Today this newsletter went out to about 18’000 people, so at least in Switzerland I’ll push OWASP in any way I can.
You can of course also download the article (which is written in German) for free:
Download Now
And by the way, don’t forget to order your free ticket with the OWASP logo on it for the event here.
As you might know, the OWASP Switzerland Local Chapter (re-)started on 11 November 2006, and up to now, from my point of view, it’s a success story. For example, we had two slots at Tweakfest 2007 where we talked about OWASP in general and also presented the OWASP Top 10. Unfortunately the people there weren’t really the ones interested in security, and especially not application security, but anyway, we were present at this event, were for example also listed on their partner list, and the OWASP logo was visible at Tweakfest. It’s also interesting that we have about 12 people at our Local Chapter meetings, even though we haven’t made big announcements in the Swiss security scene so far. This sounds like very few people, but when we look at these people, where they work and in what positions, I think we have an incredibly high quality of attendees, and it’s a great networking platform for security people in Switzerland. Now we’re taking our Local Chapter to the next level: we’ll be present at Switzerland’s most important security event, the Security-Zone. We get great support from the people responsible for the event, so for example we’re present on every single ticket (which by the way are free, and you can order yours here) with a huge banner, and we’re listed as a know-how partner. These tickets will be ordered by thousands of people, and AFAIK about 2000 will print one out and come to the event with it; that’s just great.
Here you can see my own ticket (without the bar code):
In collaboration with the Security-Zone we’ll also do other stuff; for example, we’ll have two slots for talking about OWASP-related things (the OWASP Testing Guide and the OWASP Top 10), and I’ll also write an article about the OWASP Top 10 for their next newsletter, which will be sent out to about 18’000 people. I can’t think of better publicity, and hey, it’s free.
By the way, the next OWASP Switzerland Local Chapter Meeting will take place on 24 July 2007, and as usual everyone’s welcome. You can find all the information here.
Hope to see you at the Security-Zone and at the next OWASP meeting here in Switzerland.
Today I was surfing the Net and found something really interesting that I never had the time to take a deeper look at, but where I think there are many ways of exploiting such stuff: I’m talking about URI schemes registered in web browsers. We all know about http://, ftp://, file:// and some more of these, but there are many more, and under some circumstances they can be abused so that the browser accesses these resources in a malicious way and triggers, for example, a vulnerability in another piece of software. I don’t want to go deeper into this topic now, because Nathan McFeters and Billy Kim Rios wrote a very cool paper on this called “URI Use and Abuse – Accessing System Resources thru Developer Created URIs and XSS Exposures, aka Coming In Thru the Developer’s Back Door”, which you can find here, and there’s also a “Cross Application Scripting Demo / URI Vulnerabilities Demo”, as they call it, which you can find here. Good work, guys, and as soon as I’ve got the time I’ll also have a look at that kind of stuff.
Rosario Valotta wrote the first “Cross Webmail Worm” (XWW), as he calls it. This worm reminded me of the Yamanner worm from 2006, which spread over the Yahoo! Mail service through an XSS vulnerability in the service. Now Rosario Valotta has done something very similar: he wrote a POC worm called “Nduja” that can spread across different webmail services with XSS vulnerabilities, in his POC libero.it, tiscali.it, lycos.it and excite.com. I don’t want to write too much about this, because Rosario has already done a good writeup on it and also published a video. Even if it’s nothing really special, because it’s still the normal old XSS stuff, it’s once more a new demonstration of the power of this attack, and it also shows us that the connection between all these services (OK, e-mail is not a direct “connection”, but anyway) can be a serious problem, and there’s still much we can do with all these new technologies we’ve got.

