
Wednesday, July 02, 2008

Fiddler HTTP Debugger - A free web debugging tool

For those who want a transparent proxy extensible using .NET (rather than Java or BeanShell for WebScarab), here's Fiddler.

Web Security: ratproxy tool

Interesting reporting done by this tool. May be worth checking out when this goes out of beta.

Google Code page
Screenshot
Source Code

Edit: Seems that Google uses it themselves

Thursday, June 26, 2008

Vulnerability counting revisited: a hypothetical example

Quoting the article:

The lesson to take from this hypothetical example is that counting vulnerability reports is as likely to lead you to the wrong conclusion as to the right conclusion. Find more information before making a decision. Think through the implications of any metric you have available.

Don’t buy the easy interpretation just because it’s easy.

Link: http://blogs.techrepublic.com.com/security/?p=472

Tuesday, June 24, 2008

BackTrack 3 Final

BackTrack 3 final version is out, get it at remote-exploit! More security tools to play with in a nice package! =D

Thursday, May 29, 2008

Assessment Methodology

Done by hitechpo on House of Hackers blog.

[Parts 1, 2, 3, 4 and 5]

Introduction to reverse engineering

Done by n2u in House of Hackers blog.

[Part 1]
[Part 2]

Cool hack: Man exploits random deposit verification flows to steal $50,000

This is really really impressive, though on a serious note it's not that funny for a system to be so poorly designed and implemented.

Link: http://www.cgisecurity.com/2008/05/12

Wednesday, May 14, 2008

Click Crime

I seldom write about articles that I read, preferring to share them in my Google Reader or put the link in my Twitter. But I'll make an exception here:

http://www.securityfocus.com/columnists/471

Mark Rasch gives a very good description of "criminal honeypots" and some of their possible implications worldwide if implemented on a larger scale. The difference between setting up a trap and entrapment is discussed here as well.

From the web application security perspective, it would be possible to frame someone else not only through social engineering, but also with attacks like these:

  1. Create javascript code in a site that you control that exploits CSRF weaknesses in the criminal honeypot. Wait for the target to access your site and "click" the link automatically.
  2. Create a site that's linked to your target somehow, and get many many people to click on the link (to the criminal honeypot) that you put in the site. The FBI sees the referrals from that site, and traces it to your victim.

Friday, April 25, 2008

[WEB SECURITY] A New Class of Vulnerability in Oracle: Lateral SQL Injection

Hey all,
I've just released some research that demonstrates a new class of
vulnerability in Oracle and how it can be exploited by an attacker. You can
grab the paper from here:

http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
http://www.davidlitchfield.com/blog


Wednesday, April 16, 2008

Google XSS

Billy Rios has published one that he found in Google. Pretty exciting eh (not in the wrong way!) =O

Netcraft has a shorter version of the details also. Quoted below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An interesting cross-site scripting (XSS) vulnerability found in the Google Spreadsheets service would have allowed attackers to gain unauthorised access to other Google services, including Gmail and Google Docs.

The vulnerability was discovered by security engineer Billy Rios, and takes advantage of nuances in the way Internet Explorer handles Content-Types for webpages.

Google Spreadsheets XSS

When a spreadsheet is saved and downloaded in CSV format, the Content-Type is set to "text/plain", thereby instructing the client's browser that the document should be treated as plain text. However, if HTML tags are entered into the first cell of the spreadsheet, Internet Explorer detects these tags near the start of the CSV document and instead deduces that it should be treated as HTML. This essentially allowed arbitrary HTML webpages to be served from spreadsheets.google.com, which in turn allowed JavaScript to be executed in the context of the spreadsheets.google.com site. A remote attacker could exploit this weakness by stealing the user's session cookies and hijacking their session.

Rios points out that Google cookies are valid for all google.com sub domains. This means that when a user logs in to Gmail, the Gmail cookie is also valid for other Google services, such as Google Code, Google Docs, Google Spreadsheets, and more. Cross-site scripting vulnerabilities in any of these sub domains can allow an attacker to hijack a user's session and access other Google services as if they were that user.

Google has fixed the vulnerability discovered by Rios and there have been no reports of the vulnerability being exploited by attackers.

Friday, April 11, 2008

Reviewing Practical PHP Exploitation Techniques

Good presentation here, for those who'd want to know how some security vulnerabilities occur in (PHP) code.
PHP Code Analysis - Real World Examples

Taken from GNUCITIZEN.

Tuesday, April 08, 2008

File Download Injection

Taken from this mailing list post.

  • From: "Jeff Williams"
  • Subject: [WEB SECURITY] Attack Technique: File Download Injection
  • Date: Mon, 7 Apr 2008 15:22:15 -0400

File Download Injection
=======================

Affects most web application platforms, including Java, .NET, PHP, Cold
Fusion.

This attack involves the use of header injection, particularly the
Content-Disposition header, to subvert HTTP responses from trusted
domains. Attackers can use this technique to inject a malicious file
download with an arbitrary filename (.html, .exe, .swf, .mov, .msi,
.vbs, etc...) and arbitrary file content. Since the attack subverts an
existing HTTP request, both the URL and the downloaded file use a
trusted domain.

Some variants of the attack are surprisingly simple:

http://yourcompany.com/download?fn=attack.bat%0d%0a%0d%0awordpad

When the response for this attack arrives at the victim's browser, the
malicious file is named "attack.bat" and contains the command "wordpad"
inside. The injected file is opened as if it was a legitimate download
from the trusted domain. The attacker can inject any filename (.exe,
.bat, .html, .pdf, .sh, etc...) with any file content, and the browser
just opens it as it normally would - sometimes with a "run", "save",
"cancel" dialog and sometimes not.

Susceptible header injection vulnerabilities are frequently found in
file download pages, but could be anywhere a web application uses
untrusted input in a response header. This type of vulnerability can
exist in virtually any web application environment, including Java, .NET
and PHP.

This research builds on previous work in header injection and malicious
file execution, and adds the ability to make the attack come from
trusted domains. Although file download injection attacks are sent
through the vulnerable application on their way to the browser for
execution, they go beyond cross site scripting (XSS) as any file type
can be injected. The attack is also different from HTTP response
splitting as no second response is generated. Instead, the content of
the original response is replaced.

The paper examines various aspects of the attack, including both stored
and hidden variants and issues related to Content-Length. Some advanced
techniques for bypassing naive defenses are discussed. Finally, the
requirements for a strong defense are presented. Organizations are
encouraged to find and eliminate header injection vulnerabilities based
on the severity of this attack.

Full details in the white paper here:
http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf

--Jeff

Jeff Williams
Aspect Security
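
An added example, written for this page rather than taken from either quoted post (or from Aspect Security or Google): a constructed response builder with the header-reflection defect described in Jeff Williams' post, beside a hardened version that also forbids the content sniffing behind the Google Spreadsheets XSS quoted above. Function names, the allow-list pattern and the CSV payload are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed CSV payload standing in for the legitimate download.
BODY = "col1,col2\r\n1,2\r\n"
# Assumed allow-list: letters, digits, dot, underscore, dash; no CR/LF,
# quotes, semicolons or path separators can get through.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def vulnerable_response(fn):
    """Defect: untrusted 'fn' is copied verbatim into a header line, so a
    CR LF CR LF inside it ends the header block early and whatever follows
    becomes the body the browser saves under the injected name."""
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/plain\r\n"
            f"Content-Disposition: attachment; filename={fn}\r\n"
            f"Content-Length: {len(BODY)}\r\n"
            "\r\n" + BODY)

def hardened_response(fn):
    """Reject anything outside the allow-list, pin the extension to the
    file type actually served, quote the name, and send nosniff so the
    browser cannot promote a text document to HTML on its own."""
    if not SAFE_NAME.fullmatch(fn) or not fn.lower().endswith(".csv"):
        raise ValueError("rejected filename: %r" % fn)
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/csv; charset=utf-8\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            f'Content-Disposition: attachment; filename="{fn}"\r\n'
            f"Content-Length: {len(BODY)}\r\n"
            "\r\n" + BODY)

def split_response(raw):
    """Split a raw response the way a client does: headers end at the
    first blank line; returns (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

if __name__ == "__main__":
    fn = unquote("attack.bat%0d%0a%0d%0awordpad")  # the post's example value
    hdrs, body = split_response(vulnerable_response(fn))
    print(hdrs["content-disposition"], "->", body.split("\r\n")[0])
    try:
        hardened_response(fn)
    except ValueError as err:
        print("hardened:", err)
```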

Sunday, April 06, 2008

Intel unveils new remote lock-out technology for stolen laptops

[From TechRepublic blogs]

Interesting technology to have, but I wonder how long before someone manages to use it for a DoS attack?

Tuesday, March 25, 2008

DefCon 15 - T112 - No-Tech Hacking

A really good presentation, both in terms of content, and delivery ;) Johnny Long's talk on hacking without the use of "technology". The book is available on Amazon also (Kevin Mitnick's the series editor for this)

Friday, March 21, 2008

Microblogging

First blogging took the (inter-webs) world by storm, and it was one of the contributing forces towards the change in how the internet is used.

Next up: micro-blogging, where you can blog even more easily, wherever you are. I'm trying out Twitter, if you noticed, but don't expect me to put stuff on it like where I am, or the time I go to the toilet, etc etc etc. (sorry stalkers)

It'd be interesting to see alternative uses for it though, one I can think of is for it to be a command and control channel for botnets (coming from the idea that social bookmarking sites can be used for such nefarious purposes also; I can't remember where I read that from..). ;)

Thursday, March 20, 2008

TR: Up to one billion RFID access cards could be affected by hack

From TechRepublic blogs.

Sunday, March 16, 2008

Mas Selamat is everywhere


If terrorists craved attention, I think Mas Selamat would have entered into their textbooks as a case study.

Even the Wireless @ SG login page has his picture on it! Heh.

Wednesday, March 12, 2008

G-Archiver Harvesting Google Mail Passwords

This is proof of why you shouldn't blindly trust all the software you use =|

Thwomp writes
"It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

Physical attacks using Firewire

It seems that Firewire's specs allow for direct memory access, which is really really bad for security...given the right tools...

Well, it seems that one such tool has been released some time ago, along with the presentation slides on it ;) This one bypasses the Windows XP password lock screen to give you access...

Project page

Presentation slides

Code

Thursday, March 06, 2008

Broadband over mobile isn't exactly "safer"


Have been using and playing around with mobile broadband for the past few months. =D

If anyone says that mobile broadband is safer (in the sense that we're less exposed to the internet), let me highlight some things here (though these should be pretty logical/obvious) :

It's true that the IP addresses given out are "private addresses", meaning that the clients are in a segregated "protected" network. This is seen from the fact that the IP address leases are in the 10.0.0.0 Class A network, but it does not stop other clients from accessing your computer directly, which is the important thing to note here.

Attached is the screenshot of my firewall events log, which has been showing similar hits all the time. First of all, it shows that various clients have been trying to access my computer, though I've yet to figure out how they know my IP address, or who these clients are.

The other thing of note is the frequency and range of ports that were logged. Tallied against the list of TCP/UDP ports:
  • 137-139 TCP/UDP, NetBIOS related services (not shown in the screenshot).
  • 1433 TCP/UDP, Microsoft SQL database system.
  • 135 TCP/UDP, Microsoft RPC Locator Service.
  • 445 TCP, Microsoft-DS (used for Active Directory; the channel for some Windows worms to propagate like Sasser)
  • 2967 TCP, Symantec AntiVirus Corporate Edition. (I'm not even running this! Unless the other client is?)
The bottom line (at the bottom of this post) is: if other network clients can access your computer directly, attacks over the network are still possible. Running a (properly configured) client-side firewall would be a worthy investment of your time and effort ;)
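
An added example, not the author's screenshot or firewall: a few constructed firewall event lines in an assumed "date time action proto src dst dport" layout, and a tally that answers the two questions raised above: whether the sources sit inside the carrier's 10.0.0.0/8 range, and which of the ports listed are being hit.

```python
import ipaddress
from collections import Counter

# Constructed log lines (assumed layout: date time action proto src dst dport).
LOG = """\
2008-03-06 21:14:02 BLOCK TCP 10.42.17.9 10.42.3.101 445
2008-03-06 21:14:05 BLOCK TCP 10.42.17.9 10.42.3.101 135
2008-03-06 21:15:11 BLOCK UDP 10.7.200.14 10.42.3.101 137
2008-03-06 21:15:12 BLOCK TCP 10.7.200.14 10.42.3.101 139
2008-03-06 21:20:40 BLOCK TCP 10.99.1.2 10.42.3.101 1433
2008-03-06 21:21:03 BLOCK TCP 10.99.1.2 10.42.3.101 2967
2008-03-06 21:30:00 BLOCK TCP 203.0.113.7 10.42.3.101 445
"""

# Services named in the post; anything else is reported as "other".
KNOWN_PORTS = {135: "MS RPC Locator", 137: "NetBIOS", 138: "NetBIOS",
               139: "NetBIOS", 445: "Microsoft-DS (SMB)",
               1433: "MS SQL", 2967: "Symantec AV CE"}
CARRIER_NET = ipaddress.ip_network("10.0.0.0/8")  # the "private" range seen

def parse(log):
    """Turn each line into {src, proto, dport}; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        _date, _time, _action, proto, src, _dst, dport = fields
        events.append({"src": ipaddress.ip_address(src),
                       "proto": proto, "dport": int(dport)})
    return events

def tally(events):
    """Return (per proto/port hit counts, sources inside 10/8, sources outside)."""
    ports = Counter((e["proto"], e["dport"]) for e in events)
    inside = {str(e["src"]) for e in events if e["src"] in CARRIER_NET}
    outside = {str(e["src"]) for e in events if e["src"] not in CARRIER_NET}
    return ports, inside, outside

def report(log):
    """Human-readable summary lines, most-hit port first."""
    ports, inside, outside = tally(parse(log))
    lines = [f"{proto}/{port:<5} {n:>2}  {KNOWN_PORTS.get(port, 'other')}"
             for (proto, port), n in ports.most_common()]
    lines.append(f"sources inside 10.0.0.0/8: {len(inside)}, outside: {len(outside)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(LOG)))
```

Peers inside 10.0.0.0/8 reaching the client directly is exactly the case the post warns about; the carrier's address range keeps you off the public internet, not away from the other subscribers.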