Sunday, September 26, 2010

XSSed Orkut after Twitter after Facebook <xss/>

'Are you social?'
ohhh... let me rephrase it: 'Are you net-social?'
yeah... then how socially secure are you when plain-text attacks are hitting millions?

2 months back with Facebook
now almost treated as a synonym of social networking, with more than 400 million active users... Facebook was exposed as vulnerable to XSS despite its HttpOnly cookie protection, since HttpOnly does not stop XSS itself. The PoC video is linked below along with the article.
Article: http://www.acunetix.com/blog/news/cross-site-scripting-xss-facebook/
Video: http://www.youtube.com/watch?v=iTddmr_JRYM&hl&fmt=22

Last Week with Twitter
the microblogging favorite of the masses, offering a newer, promising UX... Twitter accidentally resurfaced the XSS hole during a site update. Known as the 'onMouseOver' flaw, it simply injected the XSS code as a tweet so that the function executed on the victim's mouse-hover event.
Article: http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html

Previous Day with Orkut
the previous day was a 'Good Saturday' (which is what 'Bom Sabado' means in Portuguese), 'scrapping' off the privacy of Orkut users. This attack supposedly originated from Brazil and compromised an enormous number of Orkut accounts in a span of a few hours. The code with details can be viewed at the link below.
Article: http://antrix.net/posts/2007/orkut-xss/

Monday, September 6, 2010

Problem with IEEE 802.1x implementation's fallback option

I was just looking over some reading material (gyan) on 802.1x implementation on Cisco's portal.
They have a very nice guide on the Phase Deployment Model for Identity Based Network Services.
While learning a bit, I saw mention of a fallback option for IEEE 802.1x. Then I checked whether Juniper has it or not, and it supports it too.

MAB, i.e. MAC Authentication Bypass, provides support for legacy devices (say, printers) which are not capable of IEEE 802.1x and hence require some other method of authentication.
And the method provided to them is adding the incapable device's MAC address to a static (or even dynamic, depending on the implementation) MAC list on the 802.1x provider.

There goes the cockroach surviving a nuclear attack. The super-strong 802.1x bypassed by a MAC... do they really have faith in this, or is it implemented in Super-Man style? Though currently I can't think of any Super-Man for MAC authentication. All I see is Sipper-Man :( sipping my security away.

An attacker just has to DUPLICATE an allowed MAC address, and enjoy the falling security.

Seriously, I'm afraid... if anyone knows of some manner of its implementation, hidden from me till now, which makes it secure, please let me know ASAP.


If you want their support to make your environment vulnerable:
Cisco Support: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab.html
Juniper Support: http://kb.juniper.net/KB11429
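As an added defender-side example (not from this post, and not Cisco's or Juniper's code), here is a small Python script that scans MAB authentication events for an allowed MAC that authenticates on more than one switch port within a short window, which is what a duplicated MAC looks like from the switch side. The log line format and the sample events are constructed assumptions, not any vendor's real syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MAB events (assumed format, not a real vendor syslog):
# "<date> <time> <switch> <port> MAB <mac> <result>"
SAMPLE_LOG = """\
2010-09-06 09:00:01 sw-floor1 Gi1/0/12 MAB 00:11:22:33:44:55 SUCCESS
2010-09-06 09:00:05 sw-floor1 Gi1/0/13 MAB 00:11:22:33:44:66 SUCCESS
2010-09-06 09:02:10 sw-floor2 Gi1/0/07 MAB 00:11:22:33:44:55 SUCCESS
2010-09-06 09:30:00 sw-floor1 Gi1/0/12 MAB 00:11:22:33:44:55 SUCCESS
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\S+) (\S+) MAB ([0-9a-f:]{17}) (\w+)$", re.IGNORECASE
)


def parse_events(text):
    """Parse log text into (timestamp, switch, port, mac, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not MAB events
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4).lower(), m.group(5).upper()))
    return events


def find_cloned_macs(events, window=timedelta(minutes=10)):
    """Return {mac: {(switch, port), ...}} for MACs that MAB-authenticated
    successfully on two different ports within `window` of each other.
    A legacy printer does not roam, so this is a strong duplication signal."""
    by_mac = defaultdict(list)
    for ts, sw, port, mac, result in events:
        if result == "SUCCESS":
            by_mac[mac].append((ts, (sw, port)))
    suspects = {}
    for mac, seen in by_mac.items():
        seen.sort()  # chronological order so the inner loop can stop early
        for i in range(len(seen)):
            for j in range(i + 1, len(seen)):
                t1, loc1 = seen[i]
                t2, loc2 = seen[j]
                if t2 - t1 > window:
                    break
                if loc1 != loc2:
                    suspects.setdefault(mac, set()).update({loc1, loc2})
    return suspects
```

Feeding the real switch or RADIUS accounting logs into `parse_events` (after adapting the regex) turns this into a cheap alarm for the exact case the post worries about.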

XSS Defeating PoC: if you have any time for experimentation


It's still in an experimental state; if you find some time, please try it and let me know of your experience.

Video Demo of the same PoC: http://www.youtube.com/watch?v=ENiiAccY1v0


I was working on an XSS-patch PoC, which I now feel works well enough to prove its point.
This neither requires web developers to do any filtering/validation, nor any JavaScript-blocking add-on in the user's browser.

I'm not good at explaining, but still I've tried to do that in the above-linked whitepaper.

And the ZIP file can be extracted; it contains 'StartDemo.bat', which is executed to start the server already patched with the XSS Subverting Module.
Then browse to 'http://localhost/tweet.htm' in any browser... it lets you submit any text to the server without validation, and it is saved there as-is. But when retrieved on 'Read...' it remains inactive for any