SSL Implementation Security FAQ
Daily reads: 47 | 14.05.2008
The SSL Implementation Security FAQ is about implementing SSL in web and desktop applications. This FAQ doesn't cover issues directly related to SSL/TLS itself; it only covers issues related to implementing SSL in applications. Most of these are common mistakes made while implementing SSL in applications. These recommendations are especially critical for e-banking, e-commerce and similar websites. Is it secure to switch back to HTTP after login over HTTPS? Can I put my login form on HTTP and target my form to HTTPS? What's the best way to secure an SSL website? How cooki......
SQL Tunnelling - Exploiting Internal Networks via SQL Injection
Daily reads: 17 | 26.04.2008
We had a chat with Sid of notsosecure.com about his idea of Exploiting Internal Networks with the Oracle UTL_HTTP package. As soon as he mentioned it, I thought of a clone of XSSTunnel for this purpose which can tunnel any HTTP traffic through SQL Injections. Just set up your browser to use this local proxy and hang around the target system's internal network, fire WebInspect and nikto against it! There is another potential issue here where an attacker can bypass some restrictions by abusing the trust relations, and this can lead to interesting vulnerabilities. For example accessing local host ......
Flawed CSRF Protections
Daily reads: 23 | 13.02.2008
Before going into the details and the vulnerability in WordPress, I need to say all of the credit should go to Gareth Heyes; he talked about CSS Overlays before, but shame on me that I missed his point in the first place. When I looked into his new tool, a PoC for CSRF bypass in delicious, I realised that this is a big deal. I know the exploitation requires lots of stuff, but it's still important and this is something which can be fixed on the server side, therefore it should be fixed. There are two common and wrong implementations of CSRF protection widely deployed: CSRF Protection which requires confirmation......
SQL Injection SubSelects and IF Statements
Daily reads: 20 | 12.12.2007
I found myself in a situation where I couldn't finish a SQL sentence properly because the input was going into multiple different queries and it was not possible to find one injection which could end all of them properly. To be able to do some blind tricks I needed to use a subselect with some kind of IF statement. The target was SQL Server, so the following query would be the ideal start: SELECT Members WHERE user_id = 1 AND (IF (1=1) SELECT 1 ELSE SELECT 2) Don't try it, it's not going to work because SQL Server doesn't support IF statements in subselects. But strangely, you may use CASE statements in a subsel......
Firefox Master Password Dialog Weakness
Daily reads: 3 | 06.10.2007
In client-side security history we've seen so many badly designed interfaces and technologies which lead to phishing and several spoofing attacks (remember chrome window spoofing in IE?). Today I've noticed that the Firefox Master Password Dialog is almost identical to the Firefox JavaScript Prompt dialog. Potentially an attacker can show a Prompt dialog and capture the master password. Obviously this is not a big deal since this password is useless without the password file, and if you got the password file you can just brute-force it anyway... And again, obviously it's still important bec......
ORACLE SQL Injection Cheat Sheet
Daily reads: 47 | 02.10.2007
Introduction ORACLE SQL Injection Notes Concatenation Comments Casting Strings without Quotes Getting Stuff Getting Tables Getting Columns Getting Current Database Name Getting Users and Passwords Getting Version Getting Current User Simple Union Query Simulating SQL Server's TOP feature Moving Records one by one Functions useful for Blind SQL Injection Doing outbound connections References, Credits, Thanks & Document History Introduction Quick and Dirty ORACLE SQL Injection Cheat Sheet which will be combined with the main SQL Injection Cheat Sheet eventually. This chea......
Record Locater for SQL Injection
Daily reads: 10 | 07.09.2007
There are cases where we need to find the users table within hundreds of tables. While dealing with SQL Injection issues like Blind or Full Blind SQL Injections we can't just extract the whole schema out of the db within minutes. In a big database it'd take ages and thousands of requests. Let's assume that we know a username in the system but are looking for the table name which stores usernames. Instead of playing "guess the table name" we can actually find the table from the record we already have. Basically, the following SQL query will search through all tables and all char type columns in the datab......
Rant and Finding Vulnerabilities in Public Websites
Daily reads: 4 | 28.07.2007
2006 and 2007 in the security community came with heavy full disclosure, potentially because of the increasing popularity of XSS attacks and Web 2.0, so-called social networking etc. People started to publicly disclose XSS vulnerabilities, SQL Injection issues and even remote code execution issues in public websites. If you check out websites like XSSed (a public XSS database), sqlinject.blogspot (a not-so-well-known public list of SQL Injection vulnerabilities) and the Full Disclosure forum of sla.ckers, especially the famous "so it begins" thread, you will see what I mean. There......
Attribute-Based XSS, ermm...
Daily reads: 4 | 26.07.2007
Don't get this post wrong, I really like Jeremiah's blog and he is obviously good at his stuff, so I'm not shooting the messenger. This particular post in his blog shows us the current situation of the funny web application security scanner market. In this post Jeremiah gave us some great news(!): WhiteHat Sentinel discovered Attribute-Based XSS... From the announcement: Attribute-Based Cross-Site Scripting is one of the hardest types of Cross-Site Scripting to find in an automated fashion. Today, no desktop scanner does a good job at this; most don't even attempt it because false-po......
URI Handlers from Hell
Daily reads: 3 | 26.07.2007
About 3 years ago I wrote about how browser-integrated 3rd party tools are stupid and expose users to new attacks (post in Turkish; basically it's talking about a Winamp exploit and the IE-Winamp integration issue). Nowadays the whole security community is talking about Firefox / IE remote command execution issues and how URI Handlers are bad. If we keep combining and integrating stuff, we will be more vulnerable to these kinds of attacks. What I've found quite funny is that these vulnerabilities are perfect examples of the well-known 'command injection' issues. Escape the m......
XSS Tunnelling Paper and XSS Tunnel Tool
Daily reads: 10 | 26.07.2007
Finally I released the XSS Tunnelling paper and the tool about two weeks ago. It was supposed to be released at the Italy OWASP 2007 event, but I couldn't attend because of a stupid visa problem. Thus I released and presented it at the Web Security Days - OWASP Turkey event. I was playing with this idea for six months or something; finally I got my hands dirty, coded it and wrote the brief paper.
XSS Tunnelling Paper
XSS Tunnel and XSS Shell (source codes and binaries)
XSS Tunnelling Video
I've got really good reviews so far, please feel free to send your comments. In my humble o......
About Hotlinking and CSRF
Daily reads: 10 | 16.04.2007
Today GNUCitizen posted a blog: Persistent CSRF and The Hotlink Hell. From GNUCitizen's post: "It is not Google's fault. I am not sure what exactly needs to be done in order to fight against this type of attacks." First of all, I don't know why pdb thinks this is not Google's fault and I don't know why he thinks there should be a different protection against it. This is definitely Google's fault, this is a very obvious CSRF issue and the protection against it is obviously the same. Besides all the rewrite issues, we all know hotlinking is bad because:
- May leak session identifiers, unique ident......
New Version of SQL Injection Cheat Sheet
Daily reads: 12 | 13.04.2007
I released a new version of the SQL Injection Cheat Sheet. Generally formatting and a few new things. Here is the full change log.
21/03/2007 - v1.2
BENCHMARK() sample changed to avoid people DoSing their MySQL Servers
More formatting and typo fixes
Descriptions for some MySQL Functions
30/03/2007 v1.3
Niko pointed out PostgreSQL and PHP support stacked queries
Bypassing second MD5 check login screens description and attack added
Mark came with the extracting NTLM session idea
Detailed Blind SQL Exploitation added
13/04/2007 v1.4 - Release
SQL Server 2005 enabling xp_cmdshell added (trick le......
HTTP Proxy for XSS Channels
Daily reads: 9 | 22.03.2007
Last week I was reading the brief of the Black Hat Europe 2007 talk Kicking Down the Cross Domain Door (One XSS at a Time). It seems a nice one and there is a very good idea in it: using a proxy for an XSS proxy like XSS Shell or BeEF. I'm not quite sure that's the speakers' intention, but for sure they are going to present a very similar concept. Let's consider this attack scenario: There is an XSS in a website, you exploited the XSS vulnerability and gained the admin's session, but the admin folder is protected by IP restrictions or NTLM etc. Of course you are able to get to it through XSS Shell, but the......
SQL Injection Cheat Sheet
Daily reads: 557 | 15.03.2007
SQL Injection Cheat Sheet
SQL Injection Cheat Sheet, Document Version 1.4
About SQL Injection Cheat Sheet
Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL. Most of the samples are not correct for every single situation. Most real world environments may differ because of parentheses, different code bases and unexpected, strange SQL sentences. Samples are provided to allow the reader to get a basic idea of a potential attack, and almost every section includes brief information about itself.
M : MySQL S : SQL S......
Fast way to extract data from Error Based SQL Injections
Daily reads: 15 | 15.03.2007
Fast way to extract data from Error Based SQL Injections
What is this? This attack is described in the Advanced SQL Injection in SQL Server Applications paper by Chris Anley. This page is just a step by step tutorial.
Where can you use it? If you have found an error based SQL Injection in SQL Server.
What is the point? You don't have to extract every single record one by one. You can get all of them with fewer requests.
Theory: Loop over all records and insert them into a temporary table (generally all users have create table permission). Read the temporary table. Drop the table and start aga......
PoC / Exploit for PHP HTML Entity Encoder Heap Overflow Vulnerability - Crash/DoS?
Daily reads: 13 | 07.11.2006
I like Proof of Concepts, so this is a simple PoC for the PHP HTML Entity Encoder Heap Overflow Vulnerability. You can supply the payload from a request, so it's remote. Original Advisory : http://www.securityfocus.com/archive/1/450431

<?
// PHP 5 <= 5.1.6, PHP 4 <= 4.4.4
$fuzzFixed="";
echo "something... we need this stupid echo or do something else...";
// build a 64-character string of the same 2-byte UTF-8 sequence (code point 977)
for($pl=0; $pl<64; $pl++) $fuzzFixed .= code2utf(977);
htmlentities($fuzzFixed , ENT_NOQUOTES, "utf-8" );
// encode a code point below U+0800 as a 2-byte UTF-8 sequence
function code2utf($num){ return chr(($num>>6)+192).chr(($num&63)+128); }
echo "ehm...";......
Productivity Tools for Windows
Daily reads: 4 | 04.09.2006
If you are working in IT or some job related to computers (today most of them are), you spend lots of time with your computer. This is my toolbox for a better computing experience in my daily routine.
Executing applications
Who wants to spend 3 clicks to execute an application from the programs menu or fill up the desktop with lots of application shortcuts? Just type it and go... There are a few applications around doing this, like Slickrun and Find & Run Robot. My personal choice is Colibri. Colibri doesn't have so many cool features, but it looks cool and does the job.
Colibri
Just type your applic......

Archive
You can follow new posts via RSS or have them delivered to your e-mail address.
Top 10 Most Read Posts | Top 10 Most Read Posts of All Time | All posts and articles