awesome paper written by Mario Heiderich
Abstract
The Internet has developed to an exchange medium for a wide range of transactions involving personal and sensitive data - while still relying on simple plain-text protocols such as the Hyper Text Transfer Protocol (HTTP). The user agents and browsers capable of requesting and rendering information and transaction results gained complexity, extended the list of provided features to gratify the needs of their users and slowly morphed from simple document renderers into complex operation system like information brokers.
With complexity comes complication and complication often yields security problems and conflicts of interest. The Internet - because of its essential role in various use cases - became a highly anticipated playground for criminals, helping them to generate illegitimate profit and damage with good chances for anonymity and timely delivery of their malicious intents. Attacks are carried out in numerous ways and almost arbitrary extent, including compromised servers and networks, attacks against website users and their browsers, information disclosure, denial of service attacks and Phishing.
A lot of these activities and attacks occur on a specific playground: the user agents and browsers. This work is dedicated to elaborating on these types of attacks, thoroughly discussing the anatomy and specifics of client-side attacks delivered via the Internet and similar media. Furthermore, this work discusses existing mitigation and attack prevention techniques and outlines obvious as well as less obvious weaknesses and bypass strategies. Ultimately, this thesis introduces a novel way of encountering and approaching web-based browser and user agent targeted attacks and provides a lever to thrive towards elimination of scripting web attacks and web malware while being in harmony with the latest draft specification additions to ECMA Script 6 (ES6). This is accomplished by defining a technique we call pre-flight inspection (PFI) and combining it with ECMA Script 5 (ES5) object sealing to control and limit DOM object capabilities to be able to expose a trusted and attack resilient document interface retaining interoperability with modern Rich Internet
Download PDF: http://heideri.ch
Thursday, May 31, 2012
Adaptive User Interface Randomization As An Anti-Clickjacking Strategy
Abstract
Clickjacking, a subclass of “User Interface Redressing” attacks, is a threat against web applications arising from the combination of ambient authority and multiple browsing contexts available in many web user agent programs. Users can be tricked into clicking on obscured user interface elements of an application and in so doing initiate actions against their will, such as adding an attacker to a victim’s social graph, promoting the attacker’s content on a social network, or sending a payment to the attacker. Some technical countermeasures exist in web browsers, but offer incomplete protection or prohibit useful and legitimate constructs such as IFRAMEs in third-party browsing contexts.
This paper describes a method for combining randomization of user interface elements with statistical analysis of first click success rates across a population to provide an effective and adaptive method of detecting and responding to clickjacking campaigns. Though not a general purpose solution to clickjacking, the method requires no modifications to existing web user agents and is applicable to many of the most widely deployed and commonly attacked use cases for which no other mitigations currently exist. The technique can also be effectively combined with client-side approaches to enhance the effectiveness of both.
Download PDF: http://www.thesecuritypractice.com
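The abstract describes two moving parts: the sensitive control is placed at a randomized position per session, and the rate at which users hit it on their first click is watched across the population. A sighted user clicks the real control almost every time; a user whose view is covered by an attacker's overlay clicks a fixed spot, which coincides with the randomized position only a fraction of the time, so a campaign shows up as a drop in first-click success. The following Python sketch is an added illustration of that idea, not the paper's implementation; the slot count, the 98% baseline, the z-score threshold and the "require-confirmation" response are all assumptions chosen for the example.

```python
"""Added example: per-session UI randomization plus population-level
first-click monitoring. Illustrative only; slot count, baseline success
rate and alarm threshold are assumptions, not values from the paper."""
import hmac
import hashlib
import math
from typing import Optional

# Number of positions the sensitive control (e.g. "Pay") can occupy.
# Assumption for this example; the paper does not prescribe a count.
LAYOUT_SLOTS = 4


def choose_slot(session_id: str, secret: bytes) -> int:
    """Derive this session's slot from a keyed hash so the server can
    recompute (rather than store) which position held the real control."""
    digest = hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).digest()
    return digest[0] % LAYOUT_SLOTS


def first_click_succeeded(session_id: str, secret: bytes, clicked_slot: int) -> bool:
    """True when the first click landed on the randomized real control."""
    return clicked_slot == choose_slot(session_id, secret)


class FirstClickMonitor:
    """Tracks first-click success across a population and flags a campaign
    when the observed rate falls significantly below the expected baseline."""

    def __init__(self, expected_rate: float = 0.98, min_samples: int = 50,
                 z_alarm: float = -4.0) -> None:
        self.expected_rate = expected_rate  # assumed baseline for sighted users
        self.min_samples = min_samples      # don't judge on too few clicks
        self.z_alarm = z_alarm              # how far below baseline is "suspicious"
        self.successes = 0
        self.total = 0

    def record(self, success: bool) -> None:
        self.total += 1
        if success:
            self.successes += 1

    def z_score(self) -> Optional[float]:
        """One-sample z-test of the observed proportion against the baseline.
        Returns None until enough clicks have been seen to say anything."""
        if self.total < self.min_samples:
            return None
        p0 = self.expected_rate
        p_hat = self.successes / self.total
        stderr = math.sqrt(p0 * (1 - p0) / self.total)
        return (p_hat - p0) / stderr

    def campaign_suspected(self) -> bool:
        z = self.z_score()
        return z is not None and z <= self.z_alarm

    def policy(self) -> str:
        """Adaptive response: normal flow while rates look healthy, an
        explicit confirmation step once a campaign is suspected."""
        return "require-confirmation" if self.campaign_suspected() else "normal"


def simulate(monitor: FirstClickMonitor, secret: bytes, n: int,
             overlay_slot: Optional[int]) -> FirstClickMonitor:
    """Feed n constructed sessions into the monitor. overlay_slot=None models
    sighted users who always hit the randomized control; an int models users
    whose click always lands on an attacker's fixed overlay position."""
    for i in range(n):
        sid = f"session-{i}"
        clicked = choose_slot(sid, secret) if overlay_slot is None else overlay_slot
        monitor.record(first_click_succeeded(sid, secret, clicked))
    return monitor


if __name__ == "__main__":
    key = b"constructed-demo-key"
    healthy = simulate(FirstClickMonitor(), key, 200, overlay_slot=None)
    covered = simulate(FirstClickMonitor(), key, 200, overlay_slot=2)
    print("healthy population:", healthy.z_score(), healthy.policy())
    print("overlaid population:", covered.z_score(), covered.policy())
```

Because the slot is derived from a keyed hash of the session id, the server verifies the click without a per-session lookup table; rotating the key re-randomizes every layout at once. The z-test is the simplest population statistic that works here; in practice the window should be bounded in time and segmented by page, so that one attacked flow does not hide behind healthy traffic elsewhere.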
Thursday, May 24, 2012
Off-Path TCP Sequence Number Inference Attack
How Firewall Middleboxes Reduce Security
Abstract
In this paper, we report a newly discovered “off-path TCP sequence number inference” attack enabled by firewall middleboxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page issued by a browser. With the same mechanisms, it is also possible to inject malicious Javascript to post tweets or follow other people on behalf of the victim. The TCP sequence number inference attack is mainly enabled by the sequence-number-checking firewall middleboxes. Through carefully-designed and well-timed probing, the TCP sequence number state kept on the firewall middlebox can be leaked to an off-path attacker. We found such firewall middleboxes to be very popular in cellular networks — at least 31.5% of the 149 measured networks deploy such firewalls. Finally, since the sequence-number-checking feature is enabled by design, it is unclear how to mitigate the problem easily.
Download PDF: http://web.eecs.umich.edu
http://web.eecs.umich.edu/~zhiyunq/tcp_sequence_number_inference
Thursday, May 17, 2012
Web Application Penetration testing with Google Chrome Browser
Just found some interesting and useful extensions that can help many of us when we are doing a penetration test...
XSS Rays
Complete XSS reversing/scanner tool. Find how a site is filtering code, check for injections and inspect objects.
XSS Rays is a security tool to help pen test large web sites. Its core features include an XSS scanner, an XSS reverser and object inspection. Need to know how a certain page filters output? Don't have the source? No problem. XSS Rays will blackbox-reverse an XSS filter without needing the source code.
Google Hack Data Base
Google Hack Data Base - application to work with GHDB.
Google Hack Data Base - an application to work with the GHDB. Choose a category and click the query you need. To read the vulnerability description, click "Search on www.exploit-db.com". The application can also search for vulnerabilities on a specified site: click the search button and enter the site name. This application helps build a better understanding of the basics of web security.
Websecurify Scanner
Websecurify is a powerful cross-platform web security testing technology designed from the ground up with simplicity in mind.
Websecurify is an advanced testing solution built to quickly and accurately identify web application security issues. Websecurify saves you time and money by automating a tiresome and very technical process used by experts to find scary security vulnerabilities.
HPP Finder
Detect potential HPP attack vectors.
HTTP Parameter Pollution (HPP) is a recently discovered web exploitation technique. Please read the NDSS 2010 paper for more details about the technique. HPP Finder is a Chrome extension designed for detecting HPP attempts. HPP Finder can detect URLs and HTML forms that might be susceptible to parameter pollution, but it is not a complete solution against HPP.
Form Fuzzer
HTML form fuzz tester.
This is a fuzz-testing utility created to assist in populating web forms with random data.
Site Spider
Website Crawler
Use this extension to spider a website looking for dead links. One can restrict the spidering to a directory, a domain, or any other regular expression. The spider can also follow one link beyond this restriction, allowing one to find broken external links.
XSS ChEF
Chrome Extension Exploitation Framework
This is a Chrome Extension Exploitation Framework - think BeEF for Chrome extensions. Whenever you encounter an XSS vulnerability in a Chrome extension, ChEF will ease the exploitation.
That's all...Cheers!
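The HPP Finder entry above says the extension looks for URLs and HTML forms that might be open to parameter pollution. What makes a form or URL a candidate is mechanical: the same parameter name appearing more than once in a query string (different backends keep the first copy, the last copy, or all of them), or a form whose fields share a name with a parameter already fixed in the form's action URL. The Python checker below is an added example that applies those two checks to constructed input and pairs them with a strict server-side parser that rejects repeated or unexpected parameters; it is not HPP Finder's code, and the sample URL and HTML are made up for the demonstration.

```python
"""Added example (not HPP Finder's code): flag the HPP preconditions
named in the extension description and show a strict defensive parser.
The sample URL and HTML below are constructed for this example."""
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urljoin, urlsplit


def duplicated_query_params(url: str) -> Dict[str, List[str]]:
    """Return {name: [values...]} for every query parameter that occurs more
    than once. Which copy a backend honours is implementation-defined, which
    is exactly the ambiguity parameter pollution relies on."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    return {name: [v for n, v in pairs if n == name]
            for name, c in counts.items() if c > 1}


class FormCollector(HTMLParser):
    """Collects (resolved action URL, [field names]) for each <form>."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.forms: List[Tuple[str, List[str]]] = []
        self._current: Optional[Tuple[str, List[str]]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.base_url, a.get("action") or "")
            self._current = (action, [])
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def form_findings(html: str, base_url: str) -> List[dict]:
    """Flag forms where a field name is duplicated, or collides with a
    parameter already present in the action URL's query string."""
    collector = FormCollector(base_url)
    collector.feed(html)
    findings = []
    for action, fields in collector.forms:
        dup_fields = sorted(n for n, c in Counter(fields).items() if c > 1)
        action_params = {n for n, _ in parse_qsl(urlsplit(action).query,
                                                 keep_blank_values=True)}
        collisions = sorted(action_params.intersection(fields))
        if dup_fields or collisions:
            findings.append({"action": action,
                             "duplicate_fields": dup_fields,
                             "action_collisions": collisions})
    return findings


def strict_query(url: str, allowed: Set[str]) -> Dict[str, str]:
    """Defensive parse for the server side: exactly one value per allowed
    name; any repeat or unknown name is rejected instead of guessed at."""
    result: Dict[str, str] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in allowed:
            raise ValueError(f"unexpected parameter: {name}")
        if name in result:
            raise ValueError(f"repeated parameter: {name}")
        result[name] = value
    return result


# Constructed sample input for the demonstration.
SAMPLE_URL = "https://shop.example.test/search?q=shoes&page=2&q=boots"
SAMPLE_HTML = """
<form action="/transfer?to=merchant-42" method="post">
  <input name="to"><input name="amount"><input name="amount">
</form>
<form action="/login" method="post">
  <input name="user"><input name="pass">
</form>
"""

if __name__ == "__main__":
    print(duplicated_query_params(SAMPLE_URL))
    for finding in form_findings(SAMPLE_HTML, "https://shop.example.test/"):
        print(finding)
    try:
        strict_query(SAMPLE_URL, {"q", "page"})
    except ValueError as exc:
        print("rejected:", exc)
```

The two detector functions are what a crawler-side check needs; `strict_query` is the mitigation a backend would apply, and it deliberately raises rather than silently picking one copy, because "first wins" versus "last wins" is the behaviour difference an attacker would otherwise lean on.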
Tuesday, May 15, 2012
Updates: Autoruns v 11.3, LiveKd v 5.2 and Strings v 2.5
Autoruns v11.3: This update to Autoruns, a utility that shows the executables, drivers, and DLLs configured to autostart, adds several new autostart locations, sets a file association for its log file extension, reports the target of Rundll32 and other host executables, and fixes several bugs.
LiveKd v5.2: LiveKd, a command-line utility for performing live read-only debugging of the local system and virtual machines, now includes an option that has it generate a fully-consistent kernel dump file of a running system.
Strings v2.5: Strings, a command-line utility that dumps a file’s printable UNICODE and ASCII strings, adds an option to specify the starting offset in the file from where it will scan for strings.
source: http://blogs.technet.com
Sunday, May 13, 2012
WebVulScan - Web Application Vulnerability Scanner
WebVulScan is a web application vulnerability scanner. It is a web application itself written in PHP and can be used to test remote, or local, web applications for security vulnerabilities. As a scan is running, details of the scan are dynamically updated to the user. These details include the status of the scan, the number of URLs found on the web application, the number of vulnerabilities found and details of the vulnerabilities found.
After a scan is complete, a detailed PDF report is emailed to the user. The report includes descriptions of the vulnerabilities found, recommendations and details of where and how each vulnerability was exploited.
The vulnerabilities tested by WebVulScan are:
- Reflected Cross-Site Scripting
- Stored Cross-Site Scripting
- Standard SQL Injection
- Broken Authentication using SQL Injection
- Autocomplete Enabled on Password Fields
- Potentially Insecure Direct Object References
- Directory Listing Enabled
- HTTP Banner Disclosure
- SSL Certificate not Trusted
- Unvalidated Redirects
The features of WebVulScan are:
- Crawler: Crawls a website to identify and display all URLs belonging to the website.
- Scanner: Crawls a website and scans all URLs found for vulnerabilities.
- Scan History: Allows a user to view or download PDF reports of previous scans that they performed.
- Register: Allows a user to register with the web application.
- Login: Allows a user to login to the web application.
- Options: Allows a user to select which vulnerabilities they wish to test for (all are enabled by default).
- PDF Generation: Dynamically generates a detailed PDF report.
- Report Delivery: The PDF report is emailed to the user as an attachment.
PS: installed and tested it on XAMPP, works fine :)
Friday, May 11, 2012
sqlcake v.1.1 Released
Automatic SQL injection and database information gathering tool.
An automatic database-dump and interactive SQL shell tool: it dumps the current database structure, including tables and columns, and then turns into an interactive MySQL prompt with extra features.
- sqlcake is an automatic SQL injection exploitation kit written in Ruby. It's designed for system administration and penetration testing.
- sqlcake offers a few useful functions to gather database information easily via SQL injection.
- sqlcake also allows you to bypass magic quotes, dump tables and columns and gives you the possibility to run an interactive MySQL shell.
- sqlcake supports union-stacked queries for very fast processing and blind injections with logarithmic techniques to save time.
Download: http://sourceforge.net