Tuesday, December 19, 2006

XSRF attack vector with Ajax serialization

Cross-site request forgery (CSRF) is a commonly observed security issue in Web applications, and it can be exploited by an attacker or by a worm. Exploitation of this bug is very easy given there are several HTML tags and embedded JavaScript code snippets that can be leveraged by the browser to initiate a forged request without the consent or knowledge of an end user.

This request hits the vulnerable Web application like a cruise missile charged with the end user's session identity, and the attacker's objective is achieved. This objective may be a request for a change of password, a financial transaction or the sending of forged email. A vulnerable Web 2.0 application can be susceptible to such an attack. With Web 2.0, another dimension is being added to this attack vector -- the blissfully unaware end user.


Tuesday, November 28, 2006

Vulnerability Scanning Web 2.0 Client-Side Components

Web 2.0 applications are a combination of several technologies such as Asynchronous JavaScript and XML (AJAX), Flash, JavaScript Object Notation (JSON), Simple Object Access Protocol (SOAP) and Representational State Transfer (REST). All these technologies, along with cross-domain information access, contribute to the complexity of the application. We are seeing a shift towards empowering the end user's browser by loading JavaScript libraries into it.

All these changes mean new scanning challenges for tools and professionals. The key learning objectives of this article are to understand the following concepts and techniques:

* Scanning complexity and challenges in new generation Web applications
* Web 2.0 client-side scanning objectives and methodology
* Web 2.0 vulnerability detection (XSS in RSS feeds)
* Cross-domain injection with JSON
* Countermeasures and defense through browser-side filtering


Monday, November 27, 2006

Web 2.0 defense with Ajax fingerprinting & filtering

(IN)SECURE magazine contains my article on the Ajax fingerprinting and filtering technique, which can help in defending Web 2.0 applications.

Friday, November 10, 2006

Top 10 Ajax Security Holes and Driving Factors

One of the central ingredients of Web 2.0 applications is Ajax, built on JavaScript. This phase of evolution has transformed the Web into a superplatform. Not surprisingly, this transformation has also given rise to a new breed of worms and viruses such as Yamanner, Samy and Spaceflash. Portals like Google, NetFlix, Yahoo and MySpace have witnessed new vulnerabilities in the last few months. These vulnerabilities can be leveraged by attackers to perform Phishing, Cross-site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation.


Thursday, November 02, 2006

[O'Reilly Net] Detecting Web Application Security Vulnerabilities

Your web application is only as secure as the data coming in, and how you treat user input determines how secure you are. A little bit of thought and Python programming can help you analyze potential vulnerabilities in your code.

Read Here

Monday, October 23, 2006

How safe is Web 2.0?

Technology commentator Bill Thompson says the latest incarnation of the web, dubbed Web 2.0, is prone to the same flaws as its predecessor.

[Top 10 Web 2.0 attack vectors are taken as reference]
Read story

Wednesday, October 11, 2006

Hacking Web 2.0 Applications with Firefox

AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals.

This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning objectives of this article are to understand the:

* web 2.0 application architecture and its security concerns.
* hacking challenges such as discovering hidden calls, crawling issues, and Ajax side logic discovery.
* discovery of XHR calls with the Firebug tool.
* simulation of browser event automation with the Chickenfoot plugin.
* debugging of applications from a security standpoint, using the Firebug debugger.
* methodical approach to vulnerability detection.


Monday, October 09, 2006

On Slashdot you can read reviews of the HNS article "Top 10 Web 2.0 Attack Vectors".


Top 10 Web 2.0 attack vectors

Web 2.0 is the novel term coined for new generation Web applications. start.com, Google maps, Writely and MySpace.com are a few examples. The shifting technological landscape is the driving force behind these Web 2.0 applications. On the one hand are Web services that are empowering server-side core technology components and on the other hand are AJAX and Rich Internet Application (RIA) clients that are enhancing client-end interfaces in the browser itself.

XML is making a significant impact at both presentation and transport (HTTP/HTTPS) layers. To some extent XML is replacing HTML at the presentation layer while SOAP is becoming the XML-based transport mechanism of choice.


Friday, August 11, 2006

Book - Hacking Web Services

Web Services are an integral part of next generation Web applications. The development and use of these services is growing at an incredible rate, and so too are the security issues surrounding them. Hacking Web Services is a practical guide for understanding Web services security and assessment methodologies. Written for intermediate-to-advanced security professionals and developers, the book provides an in-depth look at new concepts and tools used for Web services security. Beginning with a brief introduction to Web services technologies, the book discusses Web services assessment methodology, WSDL -- an XML format describing Web services as a set of endpoints operating on SOAP messages containing information -- and the need for secure coding. Various development issues and open source technologies used to secure and harden applications offering Web services are also covered. Throughout the book, detailed case studies, real-life demonstrations, and a variety of tips and techniques are used to teach developers how to write tools for Web services. If you are responsible for securing your company's Web services, this is a must read resource!

More information

Wednesday, May 10, 2006

Security Bugs Undercut Mozilla

New flaws leave experts wondering whether Mozilla is such a great alternative to Microsoft Internet Explorer and Exchange.

Read the story

Friday, February 24, 2006

Auscert 2006 - Web Services Hacking...

AusCERT Asia Pacific
Information Technology Security Conference
21st - 26th May 2006 - Royal Pines Resort - Gold Coast, Australia
More info

DallasCon - Advanced Web Services Hacking...

Presenting a paper at DallasCon in the first week of May.

DallasCon Information & Wireless Security conference
May 5-6, 2006
Richardson Hotel

Thursday, February 23, 2006

EUSecWest talk...

It was fun to be at EUSecWest. The talks and presentations were good. Justin made good notes on it; you can read them over here.

Day 1
Day 2

Saturday, January 28, 2006

Releasing wschess 1.5

The following changes are included:

+ A few bugs are fixed.
+ wspawn now queries XMethods, since the UBRs (UDDI Business Registries) of Microsoft, IBM, etc. have been closed.
+ wsknight has an analysis engine in place: you can supply regex patterns and wsaudit will detect matches and highlight them by changing the text color. A sample rule file is included.

Get it

Saturday, January 14, 2006

Advanced Web Hacking - Attacks & Defense (Upcoming talk)


Attacks on the web application layer are on the rise, and innovative methodologies, attack vectors and exploits are coming into existence. To combat these threats it is imperative to understand their nature, their characteristics and the risk they pose to the application layer. Some of the new attack vectors are XPATH injection, LDAP poisoning and advanced SQL injection; these vectors are becoming popular against XML-based web applications. At the same time, new methodologies for web application footprinting and discovery are coming into existence, driven by the rich search engine information provided by Google and MSN. These methodologies are important tools for web security professionals. Open source exploit frameworks like Metasploit can be used effectively by penetration testers for web application exploit development. This presentation will encompass new methodologies, tools and techniques on both aspects: attacks and defense.

Thursday, January 12, 2006

Hacking Web Services: Strategies, Tools, and Methods (Upcoming talk)

Date: Tuesday, 4 April 2006
Time: 3:30pm - 5pm
Track: E-Security

1.) Web services as a new area of attack in the Web application domain
2.) A live demo of a Web services assessment methodology
3.) Understanding the Web protocols UDDI, SOAP and WSDL - the latest means of Web services attacks
4.) Leveraging content filtering and secure coding for Web services
5.) Implementing tools and creating your own tool on the fly while performing your work on Web services, e.g. wsChess

Hacking and Securing .NET (Upcoming talk)

Date: Tuesday, 4 April 2006
Time: 8:30am - 10:45am
Track: Platform Security

1.) Understanding the evolution of Web applications from CGI scripts to .Net apps, and the security concerns along the way
2.) .Net Web application hacking methodology and the tools required to perform a thorough assessment
3.) .Net and IIS metabase querying and auditing for overall secure deployment of Web applications on the framework
4.) HTTP stack interception on .Net and leveraging it for application security
5.) Building your own HTTPModule and interface to perform content filtering for Web applications

Wednesday, January 11, 2006

MSNPawn - New tool is coded up.

MSNPawn has been designed and developed on the .Net framework, which must be installed on the system. The following utilities have been bundled with MSNPawn.

MSNHostFP - Supply an IP address or IP address range to fetch all possible virtual hosts or applications running on each IP address.

MSNDomainFP - Supply a domain name to fetch the top 50 child domains, considering the supplied domain name as parent.

MSNCrossDomainFP - Supply an application domain to fetch the top 50 domains pointing to this particular domain on the Internet.

MSNCrawler - Supply a domain or application name to fetch all possible links crawled by the search engine.

MSNFetch - Supply a domain and rules file. The tool will run each rule in the file against the domain specified and fetch the first five results of the resultant query. This can help in assessing an application.

Search.MSN - Provides a place to run your search against MSN and gather all resulting URLs.

A whitepaper is included to aid understanding of all these tools.


[Download paper]