Hacker's e-Mag [leave comments for topics you want covered]
old/new tools, breaches, exploits, bugs...
how to do... what not to do...
some video... some text... some audio...
'n the best part... all legal
Author: abionic (http://www.blogger.com/profile/06276198262605731980)

<b><span style="font-size: large;">HTTP Referer Spoofing, don't get confused, don't worry, Block or Avoid</span></b> (2013-10-30)<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://tools.ietf.org/html/rfc2616#section-14.36" target="_blank"><b>HTTP Referer</b></a>?<br />
It's an optional HTTP request header carrying the URI of the page that led the client to the current URI, so the web server knows where the request came from.<br />
<br />
<b><i>Analytics Benefit:</i></b><br />
It's useful to web content publishers for analytics: it shows which web portals are sending the most visitors to that URI.<br />
<br />
<b><i>Security Benefit:</i></b><br />
It has also been used by web apps as an extra layer of checking, to confirm that the requested URI was reached through the proper channels and to respond accordingly.<br />
<br />
<b><span style="font-size: large;">HTTP Referer Spoofing </span></b>?<br />
<br />
Unlike other popular <b><a href="http://en.wikipedia.org/wiki/Spoofing_attack" target="_blank">spoofing attacks</a></b>, this one doesn't involve the attacker trying to hide their identity.<br />
<br />
Here the attacker actually retains and embeds their own identity in the HTTP request made to your web server. The spoofing consists of forging a custom HTTP request with a fake HTTP Referer header, to make the web server believe some user is visiting its service after following a link from the attacker's injected referrer URI.<br />
<br />
For some time now I've been seeing a flood of spoofed HTTP referers on the user statistics page.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjheFgidfmBGnlAL9D-MzcZdG4SsHccm_Zv8GOP5dZ2g0F9XNehUkGTCoL1U5jLdSd-LwrdXaQ8EqiHcsBN5CeJfnNN2GEVmEa-URuFek6-KRQ81fJI3vbJT_MVB22VAKsWJRuHPnOS8-E/s1600/tekwalk_http_referer_spam.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjheFgidfmBGnlAL9D-MzcZdG4SsHccm_Zv8GOP5dZ2g0F9XNehUkGTCoL1U5jLdSd-LwrdXaQ8EqiHcsBN5CeJfnNN2GEVmEa-URuFek6-KRQ81fJI3vbJT_MVB22VAKsWJRuHPnOS8-E/s320/tekwalk_http_referer_spam.png" width="320" /></a></div>
Here is a screenshot of the web statistics page from one of my other <a href="http://tekwalk.blogspot.com/" target="_blank">blogs</a>, for one month-long date range. These are the top-chart statistics for reported traffic referrals.<br />
<br />
As you can notice... among the top 10 referring URLs, 5 are spammers, namely<br />
<br />
<ol style="text-align: left;">
<li>http://r-e-f-e-r-e-r.com/(target-specific-uri)</li>
<li>http://adfoc.us/(some-numeric-id)</li>
<li>http://www.googlecorrection.com/</li>
<li>http://justforlaughsgags.tv</li>
<li>http://smarts-loans.com/</li>
</ol>
<div>
<br /></div>
<div>
<span style="font-size: large;"><b>Threat</b></span> ?</div>
<div>
<br /></div>
<div>
There are two potential types of threat arising from it:</div>
<div>
<ol style="text-align: left;">
<li><b>Opening an Infected Website</b><br />Most of this referer spoofing happens to trick the website admin/publisher into thinking a new or disreputable portal is referring to their content. In some of those cases, out of curiosity, the site admin/publisher tends to visit the URI mentioned as referer.<br />Now if the URI leads to an infected portal, the visit is exactly as safe as clicking on any untrusted link. It might be just an advertisement portal, or a service generously spreading malware.<br /></li>
<li><b>Indirectly triggering WebApp Vulnerability</b><br />This is more of an indirect attack, where the site admin/publisher doesn't need to visit the referer URI but just views it in a weak web application responsible for showing the analytics.<br />Since anything can be injected into the HTTP Referer header, any web view that renders it, or any backend application/database that processes it, can fall prey to a cleverly designed referer entry. The attacks possible here cover a wide range and depend on the components involved at the site admin/publisher's end in analyzing it.</li>
</ol>
<div>
<br /></div>
</div>
<div>
<span style="font-size: large;"><b>Solution</b></span> ?</div>
<div>
<br /></div>
<div>
Don't be curious about unknown referers.</div>
<div>
<br /></div>
<div>
If building something yourself to analyze these, make sure your own code is safe enough to handle whatever gets injected into the header.</div>
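The "make sure your own code is safe" advice, as an added Python example that is not part of the post: a small referer-analytics routine run over a few constructed Apache combined-format log lines. It parses the Referer field, rejects non-http(s) schemes, links only to hosts on a hand-verified allowlist (the log lines, hosts and allowlist are all constructed for the example) and HTML-escapes everything before it reaches the statistics page, so an injected referer is displayed but never rendered as markup or turned into a clickable link.

```python
import html
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines in Apache "combined" format (not from the post).
LOG_LINES = [
    '203.0.113.5 - - [30/Oct/2013:16:32:00 -0700] "GET /post HTTP/1.1" 200 512 "http://www.google.com/search?q=referer" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Oct/2013:16:33:10 -0700] "GET /post HTTP/1.1" 200 512 "http://r-e-f-e-r-e-r.com/post" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Oct/2013:16:34:20 -0700] "GET /post HTTP/1.1" 200 512 "http://evil.example/<script>alert(1)</script>" "Mozilla/5.0"',
    '198.51.100.11 - - [30/Oct/2013:16:35:30 -0700] "GET /post HTTP/1.1" 200 512 "javascript:alert(document.cookie)" "Mozilla/5.0"',
]

# Hosts the publisher has verified by hand (constructed); anything else is shown but never trusted.
KNOWN_GOOD_HOSTS = {"www.google.com", "twitter.com"}

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def parse_referer(line):
    """Return the Referer field of one combined-format line, or None if absent."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ref = m.group("referer")
    return None if ref in ("", "-") else ref


def classify_referer(referer):
    """Treat the header as untrusted input: validate scheme and host before deciding
    how to present it."""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "rejected", None          # javascript:, data:, garbage
    host = parts.hostname.lower()
    if host in KNOWN_GOOD_HOSTS:
        return "known", host
    return "unverified", host


def render_cell(referer, status):
    """HTML for the statistics page: always escape, and only link to known hosts."""
    text = html.escape(referer, quote=True)
    if status == "known":
        return '<a href="%s" rel="noreferrer nofollow">%s</a>' % (text, text)
    return text                          # plain text: nothing to click on


def summarize(lines):
    """One row per request that carried a Referer, with its verdict and safe HTML."""
    rows = []
    for line in lines:
        ref = parse_referer(line)
        if ref is None:
            continue
        status, host = classify_referer(ref)
        rows.append({"referer": ref, "host": host, "status": status,
                     "cell": render_cell(ref, status)})
    return rows


def top_hosts(rows, n=10):
    """Top referring hosts, counting only syntactically valid http(s) referers."""
    return Counter(r["host"] for r in rows if r["host"]).most_common(n)


if __name__ == "__main__":
    for row in summarize(LOG_LINES):
        print(row["status"], row["host"], row["cell"])
```

Unverified hosts still show up in the top-hosts table, which is what the publisher wants to see, but they are rendered as inert text; the referer carrying a script tag is escaped rather than interpreted.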
</div>
<b><span style="font-size: large;">Snoop internal network data without breaking in, Info is already breaking out.</span></b> (2012-05-01)<div dir="ltr" style="text-align: left;" trbidi="on">
One day when I was creating a pastie for some DevOps related discussion, and filtering out the organization related data..... it just occurred to me how much internal information gets added to the long logs that get pasted online for help.<br />
<br />
<div>
someone pasted this on 20-Mar-2012 at pastebin.com<br />
<div style="height: 100px; overflow: scroll;">
<script src="http://pastebin.com/embed_js.php?i=5pMzVFnp">
</script></div>
it says nothing much, except that probably '<b>assanka.com</b>' uses <i>Puppet</i> with its PuppetMaster at <b>puppetmaster.virtual.office.assanka.com</b>, with <b>192.168.30.147</b> as its internal IP.
</div>
<br />
<div>
There are loads of pasties like it, adding to the recon of easily latched rooms behind the heavily locked web entry gates.</div>
<br />
<div>
Now, this pastebin scrap likewise hints at being generated on some internal machine of Qualigaz's network
<br />
<div style="height: 100px; overflow: scroll;">
<script src="http://pastebin.com/embed_js.php?i=qJ5jQMK3">
</script></div>
so some information about Qualigaz's internal network is floating wild in the open
<br />
<div>
[+] <i>Internal IPs in range of 192.168.30.x</i><br />
[+] <i>is a XEN Virtual Machine</i><br />
[+] <i>with SELinux Not Enforced</i><br />
[+] <i>running Debian GNU/Linux 5.0.2 (lenny)</i><br />
[+] <i>sshrsakey=> AAAAB3NzaC1yc2E.......==</i><br />
[+] <i>sshdsakey=> AAAAB3NzaC1kc3M.......==</i></div>
</div>
<br />
<div>
have a look at <a href="http://pastebin.com/haiqVHCN">http://pastebin.com/haiqVHCN</a>, <a href="http://pastebin.com/iFMsYiwC">http://pastebin.com/iFMsYiwC</a> for some more amusing data bursting out.
</div>
<br />
<div>
This was just from a very few <a href="http://www.google.co.in/search?sourceid=chrome&ie=UTF-8&q=puppet+error+site%3Apastebin.com#hl=en&sclient=psy-ab&q=puppet+ipaddress+site:pastebin.com&oq=puppet+ipaddress+site:pastebin.com&aq=f&aqi=&aql=1&gs_l=serp.3...33935.36443.1.36594.9.9.0.0.0.2.398.1641.0j7j1j1.9.0.erf1.1.0.0.OfIV4YDzWQo&psj=1&bav=on.2,or.r_gc.r_pw.r_qf.,cf.osb&fp=c5dfe9ee54666a8f&biw=1278&bih=715">google-searched pastebin.com</a> results. Think what a full-blown pastebin scraper would do.<br />
<br />
To be safe from such accidents, try to use a service like <a href="http://sebsauvage.net/paste/">ZeroBin</a> {<span style="font-size: x-small;">pasties are stored 256-bit AES encrypted on the server</span>}.</div>
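A scrubber for the "filtering out the organization related data" step, as an added Python example that is not from the post: it redacts RFC 1918 addresses, SSH public keys and hostnames under assumed internal DNS suffixes before a log goes anywhere public, and reports how many of each it found. The sample log and the corp.example suffix are constructed; set INTERNAL_DOMAINS to your own zones.

```python
import re

# Constructed sample of the kind of agent log people paste for help (not a real paste).
SAMPLE_LOG = """\
info: Retrieving plugin from puppetmaster.virtual.office.corp.example
notice: Finished catalog run on web01.office.corp.example in 4.12 seconds
ipaddress => 192.168.30.147
ipaddress_eth1 => 10.0.12.9
sshrsakey => AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyMaterial0123456789abcdef==
sshdsakey => AAAAB3NzaC1kc3MAAACBAMconstructedKeyMaterial0123456789abcdef==
upstream resolver 8.8.8.8 reachable
"""

# Assumed internal DNS suffixes (constructed); replace with your organisation's own.
INTERNAL_DOMAINS = ("corp.example",)

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16. Public addresses are left alone.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.(?:\d{1,3}\.){2}\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
# Base64 body of an OpenSSH public key (RSA keys start AAAAB3NzaC1yc2E, DSA AAAAB3NzaC1kc3M).
SSH_KEY_RE = re.compile(r"AAAAB3NzaC1[0-9A-Za-z+/]{20,}={0,3}")


def internal_host_re(domains):
    """Match any hostname ending in one of the internal suffixes."""
    alts = "|".join(re.escape(d) for d in domains)
    return re.compile(r"\b(?:[A-Za-z0-9-]+\.)+(?:" + alts + r")\b")


def scrub(text, internal_domains=INTERNAL_DOMAINS):
    """Redact private IPs, SSH public keys and internal hostnames.
    Returns (scrubbed_text, counts) so you can see what would have leaked."""
    counts = {}
    text, counts["ssh_key"] = SSH_KEY_RE.subn("<ssh-key-redacted>", text)
    text, counts["private_ip"] = PRIVATE_IP_RE.subn("<internal-ip>", text)
    text, counts["internal_host"] = internal_host_re(internal_domains).subn(
        "<internal-host>", text)
    return text, counts


if __name__ == "__main__":
    scrubbed, found = scrub(SAMPLE_LOG)
    print(scrubbed)
    print("redacted:", found)
```

The public resolver address survives untouched while both private addresses, both key blobs and both internal hostnames are replaced; a non-zero count on the key line is the signal that the paste would have exposed host identity material.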
</div>
<b><span style="font-size: large;">facebook blocks spam URLs, but their method looks useless</span></b> (2012-03-31)<div dir="ltr" style="text-align: left;" trbidi="on">
Facebook has a user-security service that checks URLs posted by its users for spam or malicious nature and blocks those found on Facebook's blacklist.<br />
More about it at <a href="http://blog.facebook.com/blog.php?post=403200567130">http://blog.facebook.com/blog.php?post=403200567130</a>
<br />
<br />
Some important text from the link above:<br />
<blockquote class="tr_bq">
<i><span style="background-color: white; color: #333333; font-family: 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 12px; line-height: 18px;">These automated systems don't just prevent spam and other annoyances. They also protect against dangerous websites that damage your computer or try to steal your information. ..........</span></i></blockquote>
<blockquote class="tr_bq">
<i><span style="background-color: white; color: #333333; font-family: 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 12px; line-height: 18px;">Sometimes, spammers try to hide their malicious links behind URL shorteners like<a href="http://www.blogger.com/goog_1842732887"> </a></span><span style="color: #3b5998; font-family: 'lucida grande', tahoma, verdana, arial, sans-serif;"><span style="background-color: white; cursor: pointer; font-size: 12px; line-height: 18px;">Tiny URL</span></span><span style="background-color: white; color: #333333; font-family: 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 12px; line-height: 18px;"> or </span><span style="color: #3b5998; font-family: 'lucida grande', tahoma, verdana, arial, sans-serif;"><span style="background-color: white; cursor: pointer; font-size: 12px; line-height: 18px;">bit.ly</span></span><span style="background-color: white; color: #333333; font-family: 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 12px; line-height: 18px;">, and in rare cases, we may temporarily block all use of a specific shortener. If you hit a block while using a URL shortener, try a different one or just use the original URL for whatever you're trying to share.</span></i></blockquote>
<blockquote class="tr_bq">
<i><span style="background-color: white; color: #333333; font-family: 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 12px; line-height: 18px;">These systems are so effective .......... </span></i></blockquote>
In my very recent post on Facebook, I was just trying to post the very awesome Google search link displaying the 3D Graph as a heart<br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><i><a href="https://www.google.co.in/search?ix=seb&sourceid=chrome&ie=UTF-8&q=sqrt(cos(3*x))*cos(100*y)%2B1.5*sqrt(abs(x))+%2B+0.8+x+is+from+-1+to+1%2C+y+is+from+-1+to+1%2C+z+is+from+0.01+to+2.5">https://www.google.co.in/search?ix=seb&sourceid=chrome&ie=UTF-8&q=sqrt(cos(3*x))*cos(100*y)%2B1.5*sqrt(abs(x))+%2B+0.8+x+is+from+-1+to+1%2C+y+is+from+-1+to+1%2C+z+is+from+0.01+to+2.5</a></i></span><br />
and Facebook refused to accept my link, saying it belongs to the <b><i>'spammy link'</i></b> section of the link URL <i style="font-family: Georgia, 'Times New Roman', serif;"><a href="https://www.google.co.in/search">https://www.google.co.in/search</a>.</i><br />
<span style="font-family: Georgia, 'Times New Roman', serif;">so actually,</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;">initially, without thinking about it from a security perspective, I converted it to a goo.gl short URL</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;"><a href="http://goo.gl/Xwhff"><i>http://goo.gl/Xwhff</i></a></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;">and tried that, and yeah..... it works (<i>that's why I'm writing about it, obviously</i>).</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><br /></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;"><b><i>So, how it works </i></b></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;">the way I think it works is plainly by matching the URL (except for the GET parameters passed to it) against the blacklist of URLs that Facebook maintains for it.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Dqw0qc-L7bJsNHuEDVKAjtYTxlOM-J0RVWc6IWLvViCUi7AjTE9bak8_YfyhxfFjy5JryC_P2uB0ZLbszdN5XTrI1Djl11xrQP3bx5UA950Cfx-2zXk4uQmZG87lDNppK2VImSCHvGk/s1600/fb_linkWork.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Dqw0qc-L7bJsNHuEDVKAjtYTxlOM-J0RVWc6IWLvViCUi7AjTE9bak8_YfyhxfFjy5JryC_P2uB0ZLbszdN5XTrI1Djl11xrQP3bx5UA950Cfx-2zXk4uQmZG87lDNppK2VImSCHvGk/s320/fb_linkWork.jpg" width="320" /></a></div>
<br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><br /></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;"><b><i>The Problem</i></b></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;">Bypassing such a system is really, really easy... just get the link redirected through any of the batch of URL shorteners, page translators or proxies, or..... simply bring up a new machine in the cloud and have it bounce to the desired URL.<br /><br />Even if FB's awesome team succeeds in blacklisting the ever-growing set of proxy and URL-shortener services,</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;">this technique of theirs wouldn't be able to catch your newly launched service before you've had some decent response time.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkJNd28VaMo9sVkzA4BoD6MLJCJTrBGEwnFcsoyO2Nd4C7hs-gEapniBBcNxcFAOmyCEP_jyeTvoOUWVaN6ZkNcZvsjR09da94zIPcQhyphenhyphenQaRHMB1kD8DwcjvOCfA6kGSPiO67dGAnHJxI/s1600/fb_linkProblem.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkJNd28VaMo9sVkzA4BoD6MLJCJTrBGEwnFcsoyO2Nd4C7hs-gEapniBBcNxcFAOmyCEP_jyeTvoOUWVaN6ZkNcZvsjR09da94zIPcQhyphenhyphenQaRHMB1kD8DwcjvOCfA6kGSPiO67dGAnHJxI/s320/fb_linkProblem.jpg" width="320" /></a></div>
<br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><br /></span><br />
<div style="text-align: left;">
<span style="font-family: Georgia, 'Times New Roman', serif;"><b><i>What I think, would solve it</i></b></span></div>
<div style="text-align: left;">
<span style="font-family: Georgia, 'Times New Roman', serif;">An intelligent security facilitator like Facebook wouldn't send that blacklist to the client side, for several reasons.</span></div>
<div style="text-align: left;">
<span style="font-family: Georgia, 'Times New Roman', serif;">So they must be checking the URL post request at their FB servers and then responding back with any concerns related to it.</span></div>
<div style="text-align: left;">
<span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Georgia, 'Times New Roman', serif;">In such a scenario, WHY don't they simply follow the URL's redirects to the last URL that responds (without sending any HTTP referrer)?</span></div>
<div style="text-align: left;">
<span style="font-family: Georgia, 'Times New Roman', serif;">Say, the same method I use in <a href="http://webhoudini.appspot.com/">webhoudini.appspot.com</a> to fetch the final URL from a shortened or redirected URL, for people who need to validate a suspicious link.</span></div>
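The proposed check, as an added Python example (not Facebook's code and not webhoudini's): follow a submitted link's redirects hop by hop, without auto-following and without a Referer, then match every hop against the blocklist rather than only the URL the user typed. The redirect table, hosts and blocklist are constructed so the example runs offline; fake_fetch stands in for a real HTTP request.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed redirect table standing in for live HTTP responses: url -> (status, Location).
FAKE_WEB = {
    "http://short.example/abc": (301, "http://translate.example/?u=http://bad.example/login"),
    "http://translate.example/?u=http://bad.example/login": (302, "http://bad.example/login"),
    "http://bad.example/login": (200, None),
    "http://short.example/good": (301, "/article"),   # relative Location, resolved against the hop
    "http://short.example/article": (302, "https://www.example.org/article"),
    "https://www.example.org/article": (200, None),
    "http://short.example/loop1": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop1"),
}
BLOCKLIST_HOSTS = {"bad.example"}   # constructed blacklist of final-destination hosts


def fake_fetch(url):
    """Stand-in for one HTTP request that does NOT auto-follow redirects and sends no
    Referer header. A real version would use urllib.request with a handler that returns
    3xx responses instead of following them."""
    return FAKE_WEB.get(url, (404, None))


def resolve_redirect_chain(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Follow Location headers hop by hop. Returns (chain, state) where state is
    'ok', 'loop' or 'too_many_hops'; the chain lists every URL visited."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return chain, "ok"
        url = urljoin(url, location)
        if url in seen:
            return chain + [url], "loop"
        seen.add(url)
        chain.append(url)
    return chain, "too_many_hops"


def check_link(url, fetch=fake_fetch):
    """Verdict for a submitted link: every hop is matched against the blocklist, so a
    shortener, translator or proxy placed in front of the bad host changes nothing."""
    chain, state = resolve_redirect_chain(url, fetch)
    if state != "ok":
        return "unresolvable", chain
    for hop in chain:
        if (urlsplit(hop).hostname or "").lower() in BLOCKLIST_HOSTS:
            return "blocked", chain
    return "allowed", chain


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/good", "http://short.example/loop1"):
        print(link, "->", check_link(link))
```

The hop limit and loop detection matter in practice: a redirect chain is attacker-controlled input, and a checker that follows it forever is itself a denial-of-service target. Chains that never settle are reported as unresolvable rather than silently allowed.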
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5YiWvig2We7Me__miAmhz99msjGAlgaBkCE12zZNVwL_7hTRzNI_sMrel1VAVITQujZA681EsDfUTZRedURIZ_zBQUoCjtuAEcJB8F_SvBCpFSZjuT1m_3bFJPzk0ETZUbw9vjntL8d4/s1600/fb_linkSolution.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5YiWvig2We7Me__miAmhz99msjGAlgaBkCE12zZNVwL_7hTRzNI_sMrel1VAVITQujZA681EsDfUTZRedURIZ_zBQUoCjtuAEcJB8F_SvBCpFSZjuT1m_3bFJPzk0ETZUbw9vjntL8d4/s320/fb_linkSolution.jpg" width="320" /></a></div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><br /></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;"><b><i>This way they would never have to blacklist the URL shortener services, or any other legitimate URL base for that matter, just to avoid the chance of those redirecting to malicious links.</i></b></span></div>
<b><span style="font-size: large;">(Adios Censorship, Hola ODDNS) Internet Censorship: state & solution</span></b> (2011-11-20)<div dir="ltr" style="text-align: left;" trbidi="on">
We are (and have been) living in a dark era of corrupted & controlled information, not because of hackers or e-criminals but due to white-collared, bureaucratic legal organizations trying to control the Internet.<br />
<br />
They used to control books in old ages; newspapers for many years, and news channels for the past few decades. This control was over the information available to the public.<br />
The better informed the public is, the less power legal agencies have to steer them toward their predetermined decisions.<br />
<br />
They started by shutting down (supposedly) bothersome web portals, forcing them to change content and even to leak information about their users.<br />
When they found out they couldn't (without controversy) dominate all web services around the globe, they started taking DNS servers under control.<br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-large;"><b><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> <s>Inte<span class="Apple-style-span" style="color: red;">X</span>net Censo<span class="Apple-style-span" style="color: red;">X</span>ship</s></span></b></span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Now, just for those unsure how controlling <a href="http://en.wikipedia.org/wiki/Domain_Name_System">DNS servers helps</a>.</span></span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">In easy words... a DNS server is the service you tell a web portal's name, and it guides you to the address format that all networking devices understand, helping you reach the destination web server.</span></span></div>
<br />
So, the reason DNS servers can currently be controlled is their structure.<br />
DNS servers have a tree-like hierarchical set-up.<br />
It has a few Root DNS servers at the top, which contain the entire Internet domain name registration database and its corresponding IPs. These are maintained by independent agencies, but most of them reside in the U.S., with a few others distributed over the globe.<br />
Then there are lower-level DNS servers maintained by Internet Service Providers, some universities and also some IT organizations. These DNS servers contain a more specific subset of DNS entries, specific to the domain requests they mostly serve.<br />
If the queried lower DNS server doesn't have a reply for an entry, it contacts daddy DNS, retrieves the address and replies.<br />
<br />
The thing is, these network address resolvers are very concentrated and dependent. So if these legal organizations face a threat from any newer (or even older) web portal, say www.wiki-still-leaks.org,<br />
the only thing they need to do is block address resolution of that particular web portal name (and of as many more as required).<br />
As you wouldn't be able to resolve the network address for that particular website, you would find it offline.<br />
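The hierarchy described above, as an added Python simulation that is not part of the post: a toy root/TLD/authoritative tree (all server names constructed, using the post's hypothetical www.wiki-still-leaks.org as the queried name), an ISP-style recursive resolver with an operator-imposed block list, and a check that compares answers from several resolvers, which is how resolver-level blocking shows up from the outside: the record still exists upstream, only the resolver you were handed refuses to return it.

```python
# Constructed toy zone data standing in for the real hierarchy (no real servers).
ROOT_ZONE = {"org": "ns.org-tld.example"}                  # root: which server serves each TLD
TLD_ZONES = {"ns.org-tld.example": {"wiki-still-leaks.org": "ns1.wiki-still-leaks.org"}}
AUTH_ZONES = {"ns1.wiki-still-leaks.org": {"www.wiki-still-leaks.org": "203.0.113.10"}}


def iterative_resolve(name):
    """Walk root -> TLD -> authoritative, as a resolver with an empty cache would.
    Returns the IP, or None if no server in the chain knows the name."""
    name = name.lower().strip(".")
    labels = name.split(".")
    if len(labels) < 2:
        return None
    tld_server = ROOT_ZONE.get(labels[-1])            # ask root who serves ".org"
    if tld_server is None:
        return None
    zone = ".".join(labels[-2:])                      # ask the TLD server who serves the zone
    auth_server = TLD_ZONES.get(tld_server, {}).get(zone)
    if auth_server is None:
        return None
    return AUTH_ZONES.get(auth_server, {}).get(name)  # ask the authoritative server


class RecursiveResolver:
    """An ISP-style resolver: answers from cache, otherwise walks the tree. `blocked`
    models an operator-imposed block list: the record exists upstream, but this
    resolver answers as if the name did not."""

    def __init__(self, blocked=()):
        self.cache = {}
        self.blocked = {b.lower() for b in blocked}

    def resolve(self, name):
        name = name.lower()
        if name in self.blocked:
            return None
        if name not in self.cache:
            self.cache[name] = iterative_resolve(name)
        return self.cache[name]


def answers_diverge(name, resolvers):
    """Ask several resolvers the same question. Disagreement (one says 'no such name',
    another returns an address) is the observable symptom of resolver-level blocking."""
    answers = {label: r.resolve(name) for label, r in resolvers.items()}
    return answers, len(set(answers.values())) > 1


if __name__ == "__main__":
    isp = RecursiveResolver(blocked=["www.wiki-still-leaks.org"])
    independent = RecursiveResolver()
    print(answers_diverge("www.wiki-still-leaks.org", {"isp": isp, "independent": independent}))
```

Comparing the same query across resolvers you do not control is the cheapest way to tell "the site is down" from "my resolver won't answer", which is exactly the distinction the post says the blocked user cannot see.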
<br />
Currently, the way sites not liked by governments (such as thePirateBay) handle it is by <b><a href="http://torrentfreak.com/the-pirate-bay-shows-futility-of-domain-and-dns-blocks-120109/">making multiple</a> <a href="http://www.blogger.com/goog_473108447">dns entries</a></b><a href="http://www.pcworld.com/article/241270/pirate_bay_website_circumvents_belgian_blocking.html">.</a><br />
Recently there was a <b><a href="https://addons.mozilla.org/en-US/firefox/addon/mafiaafire-piratebay-dancing/">Firefox plug-in ThePirateBayDancing</a></b> released by <a href="http://www.mafiaafire.com/download.php">mafiaafire</a>, which makes the portal available by jumping randomly over proxies.<br />
<br />
In late 2010, when U.S. blocked WikiLeaks..... ThePirateBay <a href="http://arstechnica.com/tech-policy/news/2010/11/fed-up-with-icann-pirate-bay-cofounder-floats-p2p-dns-system.ars">floated around</a> the idea <a href="http://tech.slashdot.org/story/11/10/18/1247228/continuing-the-distributed-dns-system">of P2P DNS</a>.<br />
Peter Sunde (PirateBay co-founder) gathered coders to work on it. <a href="https://github.com/cjdelisle">Cjd</a>, working on it, shifted his operations to <a href="irc://irc.efnet.nl:6667/cjdns">cjd#irc</a>.<br />
<br />
This idea of P2P DNS was <a href="http://www.bluishcoder.co.nz/2011/05/12/namecoin-a-dns-alternative-based-on-bitcoin.html">picked up</a> by <a href="https://github.com/vinced">vinced</a> and put down as <a href="https://github.com/vinced/namecoin">namecoin</a>, a decentralized DNS service based on <a href="http://www.bitcoin.org/">Bitcoin</a>. <b><i>Now, that is the main problem with this..... it's based on a money exchange system architecture</i></b>. You either <a href="http://www.weusecoins.com/mining-guide.php">mine</a> namecoins for a domain name or <a href="http://dot-bit.org/HowToBuyNamecoins">buy</a> them.<br />
<br />
<a href="http://torrentfreak.com/oddns-decentralized-and-open-dns-to-defeat-censorship-120407/">Jimmy Rudolf</a> is out with <a href="http://oddns.org/en/">ODDNS : Decentralized and Open DNS</a>. It removes intermediary DNS servers from the scene, and with them their crippled DNS resolutions.<br />
<br />
<br /></div>
<b><span style="font-size: large;">Social Engineering [from Eden Guide to Hacking >> Active Recon]</span></b> (2011-10-03)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: small;"><span style="font-family: 'Courier New',Courier,monospace; font-size: large;"><span style="font-size: x-small;">Eden Guide To Hacking</span><b><span style="font-size: x-small;"> : <a href="https://github.com/abhishekkr/eden_guide_to_hacking">https://github.com/abhishekkr/eden_guide_to_hacking</a></span></b></span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: 'Courier New',Courier,monospace; font-size: large;"><b>Social Engineering</b></span><br style="font-family: Arial,Helvetica,sans-serif;" /><a href="https://github.com/abhishekkr/eden_guide_to_hacking/blob/master/part1_Hacking_Cycle/chapter4_Reconnaissance/section1_Active_Recon/article2_Social_Engineering.txt"><span style="font-family: Arial,Helvetica,sans-serif;">direct link : https://github.com/abhishekkr/eden_..... ineering.txt</span></a></span><br />
<br />
<i><b><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Most creative non-technical hacker practice known to mankind.</span></span></b></i><br />
<span style="font-size: small;"><br style="font-family: Arial,Helvetica,sans-serif;" /><span style="font-family: Arial,Helvetica,sans-serif;"> a.) It's the art of communicating with people for '<b>Information Leakage</b>'.</span><br style="font-family: Arial,Helvetica,sans-serif;" /></span><br />
<ul style="text-align: left;">
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">You have a 'Victim' identified by now and want to collect more and more of the available information related to them.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Not just any relevant information, but sensitive details that the Victim or related people hand over to you in confidence.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">You think like a con artist, assessing the weaknesses of your victim & the possibilities of make-believe for them.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Then you come up with an entire scenario to pose as a reliable savior for your Victim; a benefactor.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">And you will find them revealing such discreet and sensitive information so that they can cash in on the situation to the max, letting you gather all the sensitive information you can.</span></span></li>
</ul>
<span style="font-size: small;"></span><br />
<span style="font-size: small;"></span><br />
<span style="font-size: small;"><br style="font-family: Arial,Helvetica,sans-serif;" /><span style="font-family: Arial,Helvetica,sans-serif;"> b.) <b>Example</b>: "The pretend employee losing access at a critical time"</span><br style="font-family: Arial,Helvetica,sans-serif;" /></span><br />
<ul style="text-align: left;">
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">You are management personnel at a client location, in the middle of a very life-changing deal.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">You need to get some files from your organization's machine or file share, but can't access them due to firewall policies on either side.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">If you can't seal the deal, the failure will take away your job, and that of the person refusing you help at such a crucial moment.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">And there are many chances that you'll get the data fetched from your pretended 'Employee' and mailed to you.</span></span></li>
</ul>
<br />
<br />
<span style="font-size: small;"><br style="font-family: Arial,Helvetica,sans-serif;" /><span style="font-family: Arial,Helvetica,sans-serif;"> c.) <b>Example</b>: "I'm here to check your Network from the Agency"</span><br style="font-family: Arial,Helvetica,sans-serif;" /></span><br />
<ul style="text-align: left;">
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">You are at the home of your Victim when some family member, hopefully not very security-aware, is in charge, and you pose as the Network Guy from the Telecom Agency they use.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Offering new organization customer-satisfaction mumbo-jumbo, you try to get access to check the health status of the network devices installed there, and of more computing devices if possible.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Now, if the devices are tweakable without any credential request from the family member there... try that first.</span></span></li>
<li><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">If it doesn't work and even they don't have access, then pose as attempting the 'Master Password' so they don't inform the Victim.</span></span></li>
</ul>
<br />
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">d.) For the ultimate case studies, read "<b>Art of Deception</b>" by "Kevin Mitnick", the most famous Social Engineering Hacker 'known'.</span></span><br />
<span style="font-size: small;"><br style="font-family: Arial,Helvetica,sans-serif;" /><span style="font-family: Arial,Helvetica,sans-serif;">~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span></span></div>
<b><span style="font-size: large;">BEAST beating SSL & TLS :: What You Can do to be Secured</span></b> (2011-09-23)<div dir="ltr" style="text-align: left;" trbidi="on">
<b>B.E.A.S.T.?</b><br />
Browser Exploit Against SSL/TLS Tool [B.E.A.S.T.] is the new JavaScript utility created by J. Rizzo & T. Duong, capable of breaking SSL 3.0 & TLS 1.0 level protection for HTTPS connections and deciphering the secure connection data.<br />
<br />
<b>What It Does?</b><br />
There have been previous mentions of cryptanalysis attacks over<br />
+ SSL3.0 <br />
| <span style="font-size: x-small;"><i>(a Paper 'Analysis of SSL3.0 Protocol' by D.Wagner & B.Schneier in 1999 )</i></span>, &<br />
+ TLS1.0<br />
| <span style="font-size: x-small;"><i>(a Paper 'Renegotiating TLS' by Marsh Ray in 2009)</i></span>.<br />
B.E.A.S.T. is a pure exploit tool built over these (or similar) visions.<br />
B.E.A.S.T. is based upon a <i style="font-family: 'Trebuchet MS',sans-serif;"><a href="http://en.wikipedia.org/wiki/Chosen-plaintext_attack"><b>blockwise-adaptive chosen-plaintext</b></a> </i>attack, carried out on the victim's end via a <b><i style="font-family: 'Trebuchet MS',sans-serif;"><a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle</a></i></b> attack.<br />
<br />
<b>Point-to-Note!</b><br />
It's a MitM over the browser: the injected JavaScript does all the harvesting for the chosen-plaintext attack (which currently takes around 30 minutes to yield useful data) and then enables the attacker to break the encrypted session.<br />
<br />
<b>Security Measures until F!XED</b><br />
<ol style="text-align: left;">
<li>Use a different browser (totally different, i.e. not just a new instance of the same browser but a different browser, as in FireFox & Chrome are different) for browsing over your secured connection, and a different browser for your general web surfing. Even external links from the browser used for the secured session should be copied and opened in the general web-surfing browser.</li>
<li>It's better if the browser used for the secured session is used in Private Browsing Mode.</li>
<li>Don't keep a log-in active in any service you are not currently using.</li>
</ol>
<br />
<b>Something you should already be doing, if not start now...</b><br />
Use browser extensions like <a href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/"><i style="font-family: 'Trebuchet MS',sans-serif;"><b>AdBlock</b></i></a> & <a href="http://noscript.net/"><i style="font-family: 'Trebuchet MS',sans-serif;"><b>NoScript</b></i></a>, to protect your browser from injected IFrames and infected ad services, which are also the major delivery channel for BEAST.<br />
<br />
<b><i>To get a more detailed insight at the exploit Paper & Code, get your hands over</i></b><br />
<span class="Apple-style-span" style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 19px;"><a href="http://www.insecure.cl/Beast-SSL.rar">http://www.insecure.cl/Beast-SSL.rar</a></span><br />
<br />
<b><i>What to do at Server Side</i></b><br />
<a href="http://isc.sans.edu/diary/SSL+TLS+part+3+/11635">http://isc.sans.edu/diary/SSL+TLS+part+3+/11635</a></div>
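As an added example (not from this post, the SANS diary or the BEAST authors): a small Python triage script that flags which observed connections negotiate SSL 3.0 / TLS 1.0 together with a CBC cipher suite, the combination BEAST needs, and builds a hardened ssl.SSLContext that refuses those protocol versions and keeps only AEAD suites. The observation list is constructed, not measured, and the cipher string is an assumed baseline, not a recommendation from the page.

```python
import ssl

# OpenSSL-style cipher names that are NOT CBC: AEAD modes, the RC4 stream
# cipher and the NULL "cipher". Every other SSL 3.0 / TLS 1.0 suite is a
# block cipher in CBC mode, the mode BEAST needs.
_NOT_CBC = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")
# SSL 3.0 and TLS 1.0 derive each record's IV from the previous record's last
# ciphertext block; TLS 1.1+ sends a fresh explicit IV with every record.
_CHAINED_IV_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}


def is_cbc(cipher_name: str) -> bool:
    """True for OpenSSL cipher names that use a block cipher in CBC mode."""
    name = cipher_name.upper()
    if name.startswith("TLS_"):  # TLS 1.3 suites are all AEAD
        return False
    return not any(token in name for token in _NOT_CBC)


def beast_exposed(protocol: str, cipher_name: str) -> bool:
    """BEAST applies only to a CBC suite under a chained-IV protocol version."""
    return protocol in _CHAINED_IV_PROTOCOLS and is_cbc(cipher_name)


def triage(observations):
    """Keep the (host, protocol, cipher) observations that need remediation."""
    return [obs for obs in observations if beast_exposed(obs[1], obs[2])]


def hardened_context() -> ssl.SSLContext:
    """Mitigation where you control the TLS stack: refuse the chained-IV
    versions (and TLS 1.1, deprecated since) and keep only AEAD suites.
    The cipher string is an assumed baseline, not taken from the page."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def context_offers_cbc(ctx: ssl.SSLContext) -> bool:
    """Inspect the suites a context actually enables, so hardening is verified."""
    return any(is_cbc(c["name"]) for c in ctx.get_ciphers())


# Constructed sample observations (as a scanner might report them); not real hosts.
SAMPLE_OBSERVATIONS = [
    ("legacy.example.test", "TLSv1", "AES128-SHA"),
    ("shop.example.test", "TLSv1", "RC4-SHA"),
    ("api.example.test", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("old.example.test", "SSLv3", "DES-CBC3-SHA"),
    ("mail.example.test", "TLSv1.2", "ECDHE-RSA-AES256-SHA384"),
]

if __name__ == "__main__":
    for host, proto, cipher in triage(SAMPLE_OBSERVATIONS):
        print(f"{host}: {proto} with {cipher} is BEAST-exposed")
    print("hardened context offers CBC:", context_offers_cbc(hardened_context()))
```

Note that the CBC suite on mail.example.test is not flagged: under TLS 1.2 the per-record IV is explicit, which is exactly why raising the minimum version is the fix rather than only swapping ciphers.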
abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0Pune, Maharashtra, India18.5204303 73.856743718.3999798 73.6988152 18.6408808 74.014672199999993tag:blogger.com,1999:blog-2442688623759178220.post-39708921990911559242011-09-13T09:00:00.000-07:002011-09-13T09:02:51.874-07:00Open Intelligence Gathering FOR Passive Reconnaissance FROM "Eden Guide To Hacking"<div dir="ltr" style="text-align: left;" trbidi="on">
<span class="Apple-style-span" style="background-color: white;"></span><br />
<pre style="font: normal normal normal 12px/normal 'Bitstream Vera Sans Mono', Courier, monospace; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><div class="line" id="LC2" style="background-color: transparent; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 1em; padding-right: 0px; padding-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', monospace;"><span class="Apple-style-span" style="line-height: 16px;"><b>Open Intelligence Gathering</b> : </span></span><a href="https://github.com/abhishekkr/eden_guide_to_hacking/blob/b00ef1502b9f91953f5d734efd4a03c3a0f04002/part1_Hacking_Cycle/chapter4_Reconnaissance/section0_Passive_Recon/article0_Open_Intelligence_Gathering.txt">github.com/abhishekkr.....Open_Intelligence..</a></div>
<div class="line" id="LC2" style="background-color: transparent; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 1em; padding-right: 0px; padding-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', monospace;"><span class="Apple-style-span" style="line-height: 16px;">FOR </span></span></div>
<div class="line" id="LC2" style="background-color: transparent; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 1em; padding-right: 0px; padding-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', monospace;"><span class="Apple-style-span" style="line-height: 16px;"><b>Passive Reconnaissance</b> : <a href="https://github.com/abhishekkr/eden_guide_to_hacking/tree/b00ef1502b9f91953f5d734efd4a03c3a0f04002/part1_Hacking_Cycle/chapter4_Reconnaissance/section0_Passive_Recon">github.com/abhishekkr.....section0_Passive_Recon</a></span></span></div>
<div class="line" id="LC2" style="background-color: transparent; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 1em; padding-right: 0px; padding-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', monospace;"><span class="Apple-style-span" style="line-height: 16px;">FROM </span></span></div>
<div class="line" id="LC2" style="background-color: transparent; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 1em; padding-right: 0px; padding-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', monospace;"><span class="Apple-style-span" style="line-height: 16px;">"<b>Eden Guide To Hacking</b>" : <a href="https://github.com/abhishekkr/eden_guide_to_hacking">github.com/abhishekkr/eden_guide_to_hacking</a></span></span></div>
<div class="line" id="LC2" style="background-color: transparent; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 1em; padding-right: 0px; padding-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', monospace;"><span class="Apple-style-span" style="line-height: 16px;">
</span></span></div>
<span class="Apple-style-span" style="font-size: small;"><b>The following content structure is discussed in detail</b></span> @</pre>
<pre style="font: normal normal normal 12px/normal 'Bitstream Vera Sans Mono', Courier, monospace; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="https://github.com/abhishekkr/eden_guide_to_hacking/blob/b00ef1502b9f91953f5d734efd4a03c3a0f04002/part1_Hacking_Cycle/chapter4_Reconnaissance/section0_Passive_Recon/article0_Open_Intelligence_Gathering.txt">https://github.com/abhishekkr/eden_guide_to_hacking/blob/b00ef1502b9f91953f5d734efd4a03c3a0f04002/part1_Hacking_Cycle/chapter4_Reconnaissance/section0_Passive_Recon/article0_Open_Intelligence_Gathering.txt</a>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[+] Open Intelligence Gathering
|
|[+] What Is Open Intelligence?
|
|[+] Legal Documents Got Them
|
|[+] Search Engines Sort Them
|
|[+] Web Activity Caught Them
| |
| |[+] You Blog/Comment
| |[+] You Socialize
| |[+] You Subscribe
| |[+] You Show/Click Ads
| |[+] Even If You Surf Web
| |_
|
|[+] Automating the Act
| |
| |[+] Paterva Maltego CE
| | |[+] URL
| | |[+] What it does?
| | |[+] Example Usage
| | |_
| |
| |[+] The Harvester
| | |[+] URL
| | |[+] What it does?
| | |[+] Example Usage
| | |_
| |_
|_
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</pre>
</div>
abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-5620916106713353202011-08-29T05:47:00.000-07:002011-08-29T05:47:20.414-07:00"DevOps with SecOps" ~ short intro to Security Implications in DevOps Process<div dir="ltr" style="text-align: left;" trbidi="on">It's a <i><b>short introduction to Security Implications in</b></i> the new emerging & highly required <i><b>domain of DevOps</b></i>.<br />
<br />
<div id="__ss_9052938" style="width: 340px;"><b style="display: block; margin: 12px 0pt 4px;"><a href="http://www.slideshare.net/AbhishekKr/devops-with-secops" target="_blank" title="DevOps with Sec-ops">DevOps with Sec-ops</a></b> <iframe frameborder="0" height="284" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/9052938" width="340"></iframe> <br />
<div style="padding: 5px 0pt 12px;">View more <a href="http://www.slideshare.net/" target="_blank">presentations</a> from <a href="http://www.slideshare.net/AbhishekKr" target="_blank">Abhishek Kumar</a><br />
<br />
</div></div><div><br />
Currently, the major <i><b>concern around</b></i> the DevOps world is <i><b>'The Mantra of Automation'</b></i> at the level of<br />
+ System/Environments <b>Provisioning</b><br />
(easy & fast using Cloud Support)<br />
+ Idempotent <b>Configuration</b><br />
(using Automated Configuration Services)<br />
+ Logging & <b>Analytics</b><br />
(using automated detailed logging and clever analysis )<br />
<br />
This presentation just mentions the <i><b>security considerations related to all these 3 DevOps processes</b></i>...<br />
<br />
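Of the three areas in the outline that follows, the analytics one (log analysis frameworks attacked through infected logs) is the easiest to show in code. The following Python is an added example, not taken from the slides: an ingestion step that neutralizes log injection before lines reach the analysis pipeline and then points out which lines carried a forged entry. The line layout and the sample lines are constructed.

```python
import re

# Control characters that can forge extra entries or inject terminal escapes;
# TAB stays, CR and LF are handled separately so they remain visible.
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
_ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Hypothetical line layout "<timestamp> <host> <program>: <message>".
_LINE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
MAX_LINE = 2048


def sanitize_log_line(raw: str) -> str:
    """Neutralize log injection before a line enters the analysis pipeline:
    drop ANSI escapes, make CR/LF visible so one received line can never be
    split into two records, blank other control bytes, cap the length."""
    line = _ANSI_CSI.sub("", raw)
    line = line.replace("\r", "\\r").replace("\n", "\\n")
    line = _CONTROL.sub("?", line)
    if len(line) > MAX_LINE:
        line = line[:MAX_LINE] + "...[truncated]"
    return line


def ingest(lines):
    """Sanitize, then parse; a line that does not match the layout is kept as
    an 'unparsed' record rather than dropped, so nothing is lost silently."""
    records = []
    for raw in lines:
        clean = sanitize_log_line(raw)
        m = _LINE.match(clean)
        if m:
            ts, host, prog, msg = m.groups()
            records.append({"ts": ts, "host": host, "prog": prog, "msg": msg})
        else:
            records.append({"ts": None, "host": None, "prog": "unparsed", "msg": clean})
    return records


def injection_attempts(records):
    """Records whose message carries an escaped line break: a user-controlled
    field was used to smuggle what would have looked like a second entry."""
    return [r for r in records if "\\n" in r["msg"] or "\\r" in r["msg"]]


# Constructed sample lines, not from a real system.
SAMPLE_LINES = [
    "2011-08-29T05:47:00Z web01 sshd[4242]: Accepted publickey for deploy from 10.0.0.5",
    # The username field carries a newline plus a fake root-login entry.
    "2011-08-29T05:47:03Z web01 app: login failed for user 'bob\n"
    "2011-08-29T05:47:03Z web01 sshd[1]: Accepted password for root from 10.0.0.9'",
    # Colour codes and a BEL would otherwise reach an analyst's terminal unfiltered.
    "2011-08-29T05:47:05Z web01 app: \x1b[31mALERT\x1b[0m disk full\x07",
]

if __name__ == "__main__":
    recs = ingest(SAMPLE_LINES)
    for r in recs:
        print(r)
    print("injection attempts:", len(injection_attempts(recs)))
```

The forged line stays one record with the fake entry inside its message field, and a search for the escaped line break finds it, which is the detection a log pipeline should keep alongside the sanitization.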
<div style="font-family: 'Courier New',Courier,monospace;"><b>+ Provisioning being affected by</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> |=+ Non-Robust Cloud Frameworks,</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> |=+ Vulnerable Service APIs, &</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> |=+ Virtualization BreakOuts</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> |</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b>+ Configuration Management threatened by</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> |=+ Non-Robust Services, &</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> |=+ Non-preferred storage of sensitive</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> | configuration data</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> | </b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b>+ Analytics</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> |=+ Log Analysis frameworks have been </b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> | several times attacked by infecting </b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> | the received logs resulting in service</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> | level non-sanitized input attacks.</b></div>
<div style="font-family: 'Courier New',Courier,monospace;"><b> |_ </b></div></div></div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-1010096809886475122011-08-11T15:37:00.000-07:002011-08-11T15:37:21.236-07:00howto check for safety of Shorten URLs before opening them in your browsers<div dir="ltr" style="text-align: left;" trbidi="on">Short URLs were in fashion a while back and now they are a requirement.<br />
No matter which social, professional or public web portal you browse, you get to see short URLs.<br />
<br />
But short URLs from so many sources are not safe: a carefully planted short URL can redirect (sometimes in a single hop, sometimes through several) to an infected web portal.<br />
So, all short links from non-reliable sources must first be traced back to their original links and only visited if they check out.<br />
<br />
So, how do you learn the actual portal to be visited without opening that URL in a browser and following it to its final location?<br />
<br />
[] <b><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">from your shell</span></b><br />
<b><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ curl --head -L <i>http://short.en/url</i> | grep -i Location:</span></b><br />
so, place the short URL to be checked in place of "<i><b>http://short.en/url</b></i>" in the command above (the <b>-i</b> is there because header names are case-insensitive and some servers send <i>location:</i> in lowercase) and you will see the entire redirect trace and the final URL to be visited...<br />
~~~~~~~~~~~~~~~~~~~~<br />
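The same trace done from Python, as an added example that is not part of the original post: it issues one HEAD request per hop without following redirects automatically, resolves relative Location headers, and stops on a loop or after too many hops, so the chain can be reviewed before anything is opened in a browser. The http_head helper needs network access; the FAKE_HOPS table and fake_head are a constructed stand-in for a shortener chain so the logic can be exercised offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def http_head(url):
    """One HEAD request (needs network); returns (status, Location or None).
    Some servers reject HEAD with 405; a GET whose body is never read is the
    usual fallback, left out here to keep the example short."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with _opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here with _NoRedirect
        return e.code, e.headers.get("Location")


def trace_redirects(url, head=http_head, max_hops=10):
    """Follow Location headers hop by hop without loading any page body.
    Returns (chain, verdict): verdict is 'ok', 'loop', 'too-many-hops' or
    'error-<status>' when the chain ends in a client/server error."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        status, location = head(current)
        if status not in REDIRECT_CODES or not location:
            return chain, "ok" if status < 400 else f"error-{status}"
        nxt = urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        current = nxt
    return chain, "too-many-hops"


def final_host(chain):
    """The host you would actually land on; this is what to cross-check."""
    return urlsplit(chain[-1]).hostname


# Constructed sample chain (not real shorteners) for offline use.
FAKE_HOPS = {
    "http://short.en/abc": (301, "http://other.short/xyz"),
    "http://other.short/xyz": (302, "/go?id=9"),
    "http://other.short/go?id=9": (302, "https://destination.example/page"),
    "https://destination.example/page": (200, None),
    "http://short.en/loop1": (302, "http://short.en/loop2"),
    "http://short.en/loop2": (302, "http://short.en/loop1"),
}


def fake_head(url):
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    chain, verdict = trace_redirects("http://short.en/abc", head=fake_head)
    print(" -> ".join(chain), "|", verdict, "| lands on", final_host(chain))
```

To trace a real link, call trace_redirects(url) with the default http_head; the hop limit matters because a hostile chain can bounce indefinitely, and the loop check keeps two shorteners pointing at each other from wasting the limit.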
<br />
[] <b><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">from the web-app</span></b><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Link: <b><a href="http://webhoudini.appspot.com/">http://webhoudini.appspot.com/</a></b></span><br />
<div class="separator" style="clear: both; text-align: left;"></div>At this portal, paste the link into the Short URL text box and click the 'Unshorten' button to see the actual redirected URL.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://webhoudini.appspot.com/"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbr5LJjEADoK3rc05RH4TfC-OSIvLlnxtg-umx01J3eM1Cm7vP_-QzTLJ5qLrvRON21il8jRVV7Qz1cBhEWy2pmA5VJAFgBk5WQQMLvw2g62NiN2TfZ_7jkJHmO3MJJeiOuu-IlOxZseg/s1600/webhoudini_screenie1.jpg" /></a></div>~~~~~~~~~~~~~~~~~~~~<br />
<br />
</div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com2tag:blogger.com,1999:blog-2442688623759178220.post-33680744731045691722011-07-28T01:24:00.000-07:002011-07-28T01:27:02.957-07:00[Eden Guide to Hacking] 'Hacking Philosophy' ~ from Rig Veda and Sun Tzu's Art of War<div dir="ltr" style="text-align: left;" trbidi="on">This is a part of "Eden Guide to Hacking", which is my writing attempt at a quick-to-read, broadway guide to HACKING ~ for anyone to have a grasp of the important concepts and skills which make up the knowledge base of a hacker.<br />
W.I.P. @ <a href="https://github.com/abhishekkr/eden_guide_to_hacking/">https://github.com/abhishekkr/eden_guide_to_hacking/</a><br />
<blockquote><span class="Apple-style-span" style="color: lime; font-family: Verdana; font-size: 13px;"></span><br />
<table border="0" cellpadding="0" cellspacing="0"><tbody style="background-color: black;">
<tr><td style="font-family: Verdana; font-size: 10pt;"><span class="Apple-style-span" style="color: lime;"><br />
</span></td><td class="title" style="font-family: Verdana; font-size: 10pt;"><a href="https://github.com/abhishekkr/eden_guide_to_hacking/blob/master/part0_Fundamentals/chapter2_Hacking_Philosophy/article1_Art_of_Hacking.txt" rel="nofollow" style="text-decoration: none;"><span class="Apple-style-span" style="color: lime;"><b>'<i>Hacking Philosophy</i>' ~ </b>from <b>Rig Veda </b>and<b> Sun Tzu's Art of War</b></span></a></td></tr>
</tbody></table></blockquote><pre style="white-space: pre-wrap; word-wrap: break-word;">~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Art of Hacking
|
|[+] from 'Rig Veda'
| |
| |[+] "Who so would kill us,
| | whether he be a strange foe or one of us."
| | Means: "The security parameters could be defeated by
| | (un/mis)-handled feature or an already compromised
| | component present within an un-breakable system."
| |
| |[+] "Loosed from the Bowstring fly away, thou arrow,
| | sharpened by our Prayer.
| | Go to the foemen, strike them home, and let not one
| | be left alive."
| | Means: "Make an exploit robust, accurate, infectious
| | and untraceable."
| |_
|
|[+] skills could be seen as 13 chapters of Sun Tzu's
| | 'Art of War' ~
| |
| |[+] Laying Plans
| | |
| | |[+] Exploit the parameter never thought to be a
| | | part of the security implications of the system.
| | |_
| |
| |[+] Waging War
| | |
| | |[+] Don't overburden yourself with complex routes,
| | | if there exist less techie but more easy options.
| | |_
| |
| |[+] Strategic Attack Planning
| | |
| | |[+] Exploit the parameter never thought to be a
| | | part of the security implications of the system.
| | |_
| |
| |[+] Tactical Disposition
| | |
| | |[+] First secure your own location & technologies,
| | | then you are in safe & stronger place to attack.
| | |_
| |
| |[+] Directed Energy
| | |
| | |[+] Attacking a complex security infrastructure is
| | | no different than a simple one. Break it down.
| | |_
| |
| |[+] Weaknesses & Strengths
| | |
| | |[+] Analyze the system well to aim its vulnerability
| | | and leave its alarm system untouched.
| | |_
| |
| |[+] Engaging the Force
| | |
| | |[+] One can't defeat an opponent without knowledge
| | | of opponent's security & service design.
| | |_
| |
| |[+] Variations & Adaptability
| | |
| | |[+] The system, service & security could be set up
| | | with any kind of tweaking and hence makes the
| | | pre-analysis for attack a failure.
| | | Attacker must be always ready to amend its ways.
| | |_
| |
| |[+] The Army on the March
| | |
| | |[+] When to attack, and when to wait.
| | | Instincts to stay out of trap & sense enemies.
| | |_
| |
| |[+] Situational Positioning
| | |
| | |[+] Access, attack & safety parameters involved.
| | |_
| |
| |[+] The 9 Battlegrounds
| | |
| | |[+] Different types of security parameters lead to
| | | different attack or sometimes no attack practices.
| | |_
| |
| |[+] 5 Ways of Attacking with Fire
| | |
| | |[+] Break-in target's system with deception
| | |[+] Starve the resources powering security
| | |[+] Attack availability of service
| | |[+] Defeat the implemented security system
| | |[+] Infect reachable systems related to target
| | |_
| |
| |[+] Intelligence & Espionage
| | |
| | |[+] Gather as much information possible and
| | | try attacks like spear phishing to have a slave.
| | |_
| |_
|
|[+] It's your Dharma to Hack, if you are a Geek.
|
|[+] & it all starts in following part of this Eden Guide
|_
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</pre><div style="text-align: left;"><br />
</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">Link: <a href="https://github.com/abhishekkr/eden_guide_to_hacking/blob/master/part0_Fundamentals/chapter2_Hacking_Philosophy/article1_Art_of_Hacking.txt">https://github.com/abhishekkr/eden_guide_to_hacking/blob/master/part0_Fundamentals/chapter2_Hacking_Philosophy/article1_Art_of_Hacking.txt</a></div></div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-4950527973237129032011-06-30T09:19:00.000-07:002011-06-30T09:19:06.718-07:00User Authentication & Authorization [AT] Google AppEngine<div dir="ltr" style="text-align: left;" trbidi="on"><div><b>AppEngine</b>, a <b>PaaS</b> provided with a '<b>limited free</b>' version to all GMail users (<i>Google Account Owners</i>). So, you can host your WebContent their making use of Python, Java or Go.<br />
<br />
AppEngine lets the existing Google A/c of your Web-App users be used for their authentication & authorization at your AppEngine-hosted Web-App as well.<br />
<br />
So, there are two main ways to achieve that:<br />
<ol style="text-align: left;"><li>import google.appengine.api.<a href="http://code.google.com/appengine/docs/python/users/"><b>users</b></a> <br />
this <a href="http://code.google.com/appengine/docs/python/users/">USERS module</a> from the AppEngine APIs lets your Web-App identify users by their Google A/c ID (GMail ID) and then decide whether to route the user to the secured resource or to a forbidden-resource error message. <br />
[ <a href="http://code.google.com/appengine/docs/python/users/loginurls.html">An Example on Usage</a> ]<br />
</li>
<li>specify '<a href="http://code.google.com/appengine/docs/python/config/appconfig.html#Requiring_Login_or_Administrator_Status"><b>login</b></a>' under '<a href="http://code.google.com/appengine/docs/python/config/appconfig.html"><b>app.yaml</b></a>'<br />
the basic configuration of your Web-App and its routing configuration reside in the 'app.yaml' file, whose default location is the Web-App root.<br />
There, on the secured '<b>url</b>' entries, you can require the user to log in with a Google A/c (GMail). <br />
[ <a href="http://code.google.com/appengine/docs/python/config/appconfig.html#Requiring_Login_or_Administrator_Status">An Example Of Usage</a> ]</li>
</ol></div>In both of these implementations, whenever a user tries to visit a 'secured url' on your Web-App, they are automatically redirected to the Google A/c log-in page, which redirects them back to your Web-App on successful log-in.<br />
<blockquote><br />
<br />
<div style="font-family: Verdana,sans-serif;"><span style="font-size: large;"><b>The <i>Curious Case</i> of </b><b>static_dir</b></span></div><br />
Initially, while working on my newly started open-source project 'py-gae-legs',<b> I added the entire 'secure URL' logic by method#1</b>, i.e. using the 'users' API.<br />
It was all working fine & secure until I added some <a href="http://code.google.com/appengine/docs/python/gettingstarted/staticfiles.html">static content using static_dir</a> and tried securing its URL using the same tactic.<br />
<br />
But there was a thing about '<a href="http://code.google.com/appengine/docs/python/gettingstarted/staticfiles.html">static_dir</a>' which I investigated after my <b>supposed-to-be secure</b> static_dir's content <b>was all publicly available</b> to anyone who could enumerate/know the complete URL.<br />
<i><span style="font-family: Georgia,'Times New Roman',serif;">{I'm in the category of people who keep their learning pace up along with working on it... and anyway I wasn't gonna read the entire #^(</span></i><br />
<br />
The thing about it was... the <b>directories marked as 'static_dir'</b> in 'app.yaml' are <b>no longer located</b> on the AppEngine server <b>in the same place after you update your Web-App</b>.<br />
So the entire directory structure remains the same... it's just that the <b>'static_dir' marked locations</b> <b>vanish from</b> your <b>Web-App's location at AppEngine</b> and are <b>served from some other provision</b> made by Google which maps back to that location.<br />
<br />
<b>So, to secure</b> the URLs located under 'static_dir'... the only way (that I know of) is to implement it at the very core of the Web-App configuration, i.e. in 'app.yaml' <b>using Method#2</b>.<br />
<br />
So, you can enforce Google login as mandatory by setting 'login:required' for that 'url' entry. If you want only selected users to see it, then you'll have to add all those Google A/c (GMail) IDs by doing the following:<br />
<span style="font-family: 'Courier New',Courier,monospace;">[a.] <b>go to the Dashboard of your GoogleAppEngine Web-App</b>,</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">the URL in the address bar would look like: </span><br />
<span style="font-family: 'Courier New',Courier,monospace;"> <span style="color: yellow;">https://appengine.google.com/permissions?app_id=s%7E$GAE_APPLICATION_NAME</span></span><br />
<span style="font-family: 'Courier New',Courier,monospace;">[b.] <b>click the link 'Permission'</b> in the right menu column,</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">[c.] now, <b>invite all those users by providing their e-mail IDs </b>and changing their role to 'Viewer'</span> and in app.yaml provide '<b>login:admin</b>' instead of '<b>login:required</b>'.</blockquote><br />
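The 'Method#2' configuration described above, written out as an added example (not taken from py-gae-legs or from the AppEngine documentation; the application id, runtime line, directory names and handler paths are assumed, and the login values are the ones the post names):

```yaml
# app.yaml (added example; application id, runtime and paths are assumed)
application: your-app-id
version: 1
runtime: python27
api_version: 1
threadsafe: true

handlers:
# Static directories are served by AppEngine's static-file provision, not by
# your handlers, so a users-API check in Python never runs for them: the only
# place that gates them is this file.
- url: /private
  static_dir: private
  login: admin          # per the post: invite the allowed accounts on the
                        # Permissions page as 'Viewer', then require admin
  secure: always        # refuse plain HTTP for this path as well

- url: /members
  static_dir: members
  login: required       # any signed-in Google Account holder

# Dynamic handlers can still use google.appengine.api.users themselves.
- url: /.*
  script: main.app
```

The ordering matters: handlers are matched top to bottom, so the gated static paths must come before the catch-all.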
<br />
<div>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <br />
Lately, I've been involved in starting an <b>OpenSource</b> project '<b><a href="https://github.com/abhishekkr/py-gae-legs" title="created a basic architecture, working on automated generation part">py-gae-legs</a></b>'.<br />
<br />
It's a very <i><b>basic subset</b></i> of <i><b>WebApp-Framework</b></i> <b>for the lovers of <a href="http://rubyonrails.org/" title="Ruby On Rails">RoR</a></b> (have been working on it for past few months, love the ease it gives but hate the convention being the soul) style of web-app creation.<br />
<br />
This project aims at web development <b>specifically meant to be hosted on AppEngine</b> (<i>currently</i>).<br />
Almost done with <b>its basic starters</b>, have a look at:<br />
[] <b><a href="https://github.com/abhishekkr/gae-flat-web">gae-flat-web</a></b> : to create an architecture hosting your already created static website, <a href="http://gae-flat-web.appspot.com/">http://gae-flat-web.appspot.com</a><br />
[] <b><a href="https://github.com/abhishekkr/gae-private-web">gae-private-web</a></b> : [<b>W.I.P.</b>] to host all your private content securely (on Google) in an invite-only website</div></div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com1tag:blogger.com,1999:blog-2442688623759178220.post-63957719971111519382011-05-25T16:05:00.000-07:002011-05-25T16:05:42.102-07:00How I got "2 Time Life-Time Banned" From Google Adsense<div dir="ltr" style="text-align: left;" trbidi="on"><b><span class="Apple-style-span" style="font-size: large;">A Life-Time</span> Ban from Google Adsense</b><br />
<i><br />
</i><br />
<i>I kind of registered for the Google Adsense service on my portal [ http://www.alwayspost.cjb.net/ (it's dead now, no longer belongs to me) ] in its very initial days, probably the start of 2004</i>.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3DtWdxwbWJ_OZa1SBZFFdIhlMC3U_yFrv8EwbV-lKv2YyCu3yjiAvnml7C2zuFyanEIhhCCVvp7F-yNEVZtdGqTO3YKlIsECyGMhAR3gexRgpMuvet5mbVZqirPUoofa5R_utHKHhXFM/s1600/1banned.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3DtWdxwbWJ_OZa1SBZFFdIhlMC3U_yFrv8EwbV-lKv2YyCu3yjiAvnml7C2zuFyanEIhhCCVvp7F-yNEVZtdGqTO3YKlIsECyGMhAR3gexRgpMuvet5mbVZqirPUoofa5R_utHKHhXFM/s1600/1banned.jpg" /></a>I used to have <b>few newbie blogs</b> (not these, other newbie blogs) on blogger related to movies, wallpapers & technology.<br />
<b><i>So, in a very honest way I added the provided AdSense code to my blogs and started posting regularly. </i></b>It was working at a sloooow rate but I was Ok with it.<br />
<br />
I recently moved over from C++ to play <b>with VB6</b> and was <b>trying all fun stuff </b>I could get my hands on.<br />
One of the fun things I found was making mouse-clicks at desired locations.<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>& zooom~click~drag~code~drag~adjust~code... </b></span><br />
there was an<b> ie-ocx-control</b> in a <b>form</b>,<b> loading</b> all my <b>blogs</b> one-by-one <b>and code</b> (pre-loaded with specific locations of X-Y locations of Ads on the pages)<b> forging mouse-left-clicks on all Ads</b>... all <b>repeated with</b> a simple <b>Timer</b>.<br />
<i><br />
</i><br />
<i>Just left it on for a night... had LOADS of Ad Clicks and never tried it again.</i><br />
<i>One week later, there was a mail from AdSense in my GMail A/c <b>stating I've been banned for life-time </b>from Google's AdSense service<b>.</b></i><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">~~~~~~~~~~~</span><br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">'Second Life'</span> in Google AdSense</b><br />
<br />
I signed-up for a <b>new e-mail address and</b> tried registering with<b> a new mailing address</b>, and there it <b>was... my new AdSense account</b>.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvr8neMjrCYEGVz4dlp5OMm0-oV_cXDGFosqllzOapsfByBpyZGRkSIJVneIdgedFYJBQ9MEaJdubaAftzKlmC7ZCwEQa-6a-3Ab_ukJMHr9AOBC7p4MwVrF1NRgdHQhkukjQUh1mGQo0/s1600/2banned.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvr8neMjrCYEGVz4dlp5OMm0-oV_cXDGFosqllzOapsfByBpyZGRkSIJVneIdgedFYJBQ9MEaJdubaAftzKlmC7ZCwEQa-6a-3Ab_ukJMHr9AOBC7p4MwVrF1NRgdHQhkukjQUh1mGQo0/s1600/2banned.jpg" /></a><i>This time I did nothing against the rules</i>.<br />
<br />
Google released Page Creator (which is closed now) and I <i>registered a new portal </i>on my mailing-address at [ http://abhikumar163.googlepages.com ] <i>and started linking it on forums with nice technological content to get valid page hits.</i><br />
<i><br />
</i><br />
<b>And, I made a mistake.</b> I placed <i>a link to my old-&-no-more-existing-portal [ http://www.alwayspost.cjb.net/ ] </i>which was the portal registered with my earlier AdSense account.<br />
<br />
<b>Google</b>'s Crawler & Staff <b>noticed it after I attained some amount</b> in my account, <b>and</b> blocked my account and <b>banned me for life-time <i>Second time</i></b>.<br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">~~~~~~~~~~~</span><br />
<b><i><br />
</i></b><br />
<b><i>Currently, I'm on my Second Life-time Ban... and don't wanna Third Play, may be when I get bored again.</i></b></div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-19878974253296048702011-03-30T04:28:00.000-07:002011-03-30T04:40:03.285-07:00Full site SSL-ification is not an option, need to make SSL secure first<div dir="ltr" style="text-align: left;" trbidi="on">I have heard (recently and in the past) security-aware people wasting a lot of their potential over arguments like <br />
+ '<b>Basic HTTP is insecure</b>' {sometimes in novice past} <br />
+ '<b>SSL-ify entire web service</b>' {still a lot push is there} <br />
<br />
Now, '<b>Basic HTTP</b>' being insecure is not a flaw by design... but a flaw by choice.<br />
First of all, when the foundations of HTTP were laid, attackers were not on the scene. The only concern was ultra-productive usability, and that is not possible while putting all kinds of security checks on the service.<br />
Secondly, HTTP wasn't meant to be secure; it was just meant to transfer data according to a protocol which web services can use to receive users' requests and deliver the requested content, that's all.<br />
Cryptography mixed into it would destroy the ease and speed it has. Cryptography layered over it is instead a necessary (in some cases) and correct (design) option.<br />
Though it has been haunting websites through attacks like<br />
+[] <i><b>SSL Stripping</b></i><br />
<blockquote><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_p3XIipv981Y/S88RVdmcG1I/AAAAAAAAAEA/g3d5W2XJFFs/s1600/MITM.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="150" src="http://3.bp.blogspot.com/_p3XIipv981Y/S88RVdmcG1I/AAAAAAAAAEA/g3d5W2XJFFs/s200/MITM.jpg" width="200" /></a></div>It's due to a flaw in the way security is implemented in a web application. For example, you visit the Facebook login page at facebook.com, which has an HTTPS link in its unprotected page content to send over the credentials in a protected manner. But what if some attacker using a Monkey-in-the-Middle strategy changed that HTTPS link to an HTTP link and sniffed your sent credentials... w00t right.</blockquote>+[] <i><b>Sidejacking</b></i><br />
<blockquote>It occurs due to a web application sending cookie information over non-SSL links. This allows any Man-in-the-Middle to sniff the cookie, replicate it in their own browser and use the service, which identifies the user just on the basis of the cookie information... it pwn3d services like GMail, Y!Mail, Hotmail, etc. until Q1-2010.</blockquote><br />
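The sidejacking point above comes down to one response header, so here is an added example (not from the post) in Python: a small auditor that parses Set-Cookie headers, flags session-looking cookies that lack the Secure flag (which is what lets them travel over plain HTTP and be sniffed) or HttpOnly, and a helper that emits a hardened header. The response headers and the cookie names are constructed, and the "looks like a session cookie" heuristic is an assumption.

```python
# Name fragments assumed to indicate a session/identity cookie (heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(header_value: str):
    """Findings for one Set-Cookie header; non-session cookies are left alone."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if looks_like_session_cookie(name):
        if "secure" not in attrs:
            findings.append("missing Secure: the cookie is also sent over plain HTTP, "
                            "so a man-in-the-middle can sniff and replay it")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable by script injected into the page")
    return name, findings


def audit_response_headers(headers):
    """headers: iterable of (name, value) pairs as received from a server.
    Returns {cookie_name: [findings]} for the cookies that need attention."""
    report = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, findings = audit_set_cookie(hvalue)
        if findings:
            report[name] = findings
    return report


def hardened_set_cookie(name: str, value: str, max_age=None) -> str:
    """What a session cookie should look like: never on plain HTTP, not
    readable from script, and not attached to cross-site requests."""
    parts = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    return "; ".join(parts)


# Constructed sample response headers, not captured from a real site.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=3f9a1c; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
    ("Set-Cookie", "auth_token=abc.def; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_HEADERS).items():
        for f in findings:
            print(f"{cookie}: {f}")
    print(hardened_set_cookie("sid", "3f9a1c", max_age=3600))
```

Only PHPSESSID is reported: the theme cookie carries nothing worth stealing, and auth_token already has both flags. Secure alone fixes sidejacking; HttpOnly and SameSite address the neighbouring script-injection and cross-site cases.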
Then, '<b>Full Site SSL-ification</b>' is a good choice from theoretical security point-of-view, but just in theory. <br />
Different SSL-defeating attacks have involved<br />
+[] <i><b>Flaws in Libraries like NSS</b></i><br />
<blockquote>There was a famous (and, before it became famous, exploited) flaw in certificate handling around NUL bytes embedded in the domain name for which an SSL certificate is issued. Mozilla's engine used the NSS cryptography libraries, written in C and comparing names with basic, insecure C string functions, so a certificate for a name like &lt;&lt;www.paypal.com\0innocent.com&gt;&gt; was matched as &lt;&lt;www.paypal.com&gt;&gt; because the comparison stopped at the first NUL. Webkit and Opera stripped NULs instead, and were tricked by the reversed attack: a certificate for a name like &lt;&lt;www.pay\0pal.com&gt;&gt; had the useful NUL stripped out.</blockquote><a href="http://static.technorati.com/11/03/24/29977/comodo-hack.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="168" src="http://static.technorati.com/11/03/24/29977/comodo-hack.jpg" width="200" /></a>+[] <i><b>Fake SSL Certificate generation</b></i><br />
<blockquote>Not a flaw in SSL, nor in its implementation, but in the authorities enforcing it.<br />
In a recent disclosure, Comodo Inc (a major issuer of SSL certificates) accepted that an attacker was able to obtain the credentials of a 'Comodo Registration Authority' based in Southern Europe.<br />
An Iranian attacker used that privilege to issue 9 fraudulent SSL certificates for 7 web domains, including those of Google, Yahoo and Skype.</blockquote><br />
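Back to the NSS item above: an added example, not from the original post and not any browser's code, that models the three hostname-matching behaviours it describes. A certificate's subject name is compared (1) as a C string, stopping at the first NUL; (2) with NULs stripped out; (3) hardened, refusing any name that contains a NUL or other control character before comparing. The attacker names are constructed to match the two shapes discussed.<br />

```python
"""Model of NUL-byte certificate name matching. Added example, not browser code."""
import re

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def match_c_string(cert_name, host):
    """NSS-style bug: a strcmp()-based comparison sees only the bytes before the first NUL."""
    return cert_name.split("\x00", 1)[0] == host


def match_nul_stripped(cert_name, host):
    """Stripping bug: the NUL is removed and the bytes on either side glue together."""
    return cert_name.replace("\x00", "") == host


def match_hardened(cert_name, host):
    """Length-aware comparison that refuses names a CA should never have signed."""
    if _CONTROL.search(cert_name) or _CONTROL.search(host):
        return False
    if not cert_name or cert_name != cert_name.strip("."):
        return False
    return cert_name.lower() == host.lower()


# Constructed attacker names of the two shapes discussed above.
PREFIX_ATTACK = "www.paypal.com\x00innocent.com"   # C-string consumers stop at the NUL
SPLICE_ATTACK = "www.pay\x00pal.com"               # NUL-strippers glue the halves together


def summary(host="www.paypal.com"):
    """What each matcher decides for the constructed names against the real host."""
    return {
        "c_string_prefix": match_c_string(PREFIX_ATTACK, host),
        "c_string_splice": match_c_string(SPLICE_ATTACK, host),
        "stripped_prefix": match_nul_stripped(PREFIX_ATTACK, host),
        "stripped_splice": match_nul_stripped(SPLICE_ATTACK, host),
        "hardened_prefix": match_hardened(PREFIX_ATTACK, host),
        "hardened_splice": match_hardened(SPLICE_ATTACK, host),
        "hardened_legit": match_hardened("www.paypal.com", host),
    }


if __name__ == "__main__":
    for name, verdict in summary().items():
        print(f"{name:18} {'MATCH' if verdict else 'reject'}")
```

The point of the hardened variant is that there is no "right" way to reinterpret a NUL in a hostname; the only safe answer is to reject the certificate outright.<br />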
<div style="background-color: #cccccc; color: purple; font-family: Verdana,sans-serif;"><br />
<span style="font-size: small;"> So, if you look deeper into the serial-murder case file of <br />
SSL certificates, you'll see it ain't safe... </span><br />
<span style="background-color: #cccccc; color: purple; font-size: small;"> and so there is no point arguing over its mixed/full <br />
implementation.</span></div></div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-50873509402063739582011-03-15T23:16:00.000-07:002011-03-15T23:16:17.509-07:00Indian Airport Internet ~ Hacking Policies Not Tweaking Systems<div dir="ltr" style="text-align: left;" trbidi="on">A few Indian airports provide WiFi internet connectivity to customers... and what I'm going to discuss is<b> not hacking the WiFi network but</b> a simple, naive way to hack the <b>service scheme instead</b> and gain much more free access than the little that is provided, i.e. 30 min<br />
<br />
I have found it in two cities so far (Delhi and Bengaluru, among the Indian airports I have visited). Both have different hardware behind it but the same service scheme.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpJG3rKcQEWLYIaXAc7EQrPFCNB6xbvuxTCT9om6pvhyphenhyphenK4_ABym3EY9ri7rz_3Y2IHzethvpHF73803yHxgGraEXfDxbRid11I9x5LMxb_YwElLlWNSGB65rvndjr43k6zkSJmTo9DjWg/s1600/weakpoliciesWifi.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpJG3rKcQEWLYIaXAc7EQrPFCNB6xbvuxTCT9om6pvhyphenhyphenK4_ABym3EY9ri7rz_3Y2IHzethvpHF73803yHxgGraEXfDxbRid11I9x5LMxb_YwElLlWNSGB65rvndjr43k6zkSJmTo9DjWg/s1600/weakpoliciesWifi.gif" /></a></div><br />
<span class="Apple-style-span" style="font-size: large;"><i><b>The Service Acts in following way:</b></i></span><br />
<b>Step.1:</b><br />
You'll get an open WiFi network named 'Airport' which lets you connect without any credentials.<br />
Connect to it.<br />
<b>Step.2:</b><br />
Open a web browser and hit any URL; this redirects you to a single page from the service provider with details of how to get credentials for free demo WiFi access.<br />
Here you have to submit your mobile phone number, which will receive the credentials for demo access by SMS.<br />
Get the credentials.<br />
<b>Step.3:</b><br />
Use those credentials on the same page, under login section.<br />
You are connected to the WiFi for internet access until the demo time (30 minutes) passes.<br />
<br />
<i><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif; font-size: large;"><b>Loopholes in Service Scheme:</b></span></i><br />
<b><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[] Continuous Access For Longer Duration</span></b><br />
The more mobile numbers you have access to...<br />
<br />
<ul style="text-align: left;"><li> give your friends'/family's/personal/official mobile numbers to obtain more demo credentials... </li>
<li> and simply ask them to forward the respective SMS to you</li>
</ul><br />
...the more demo WiFi access time you get.<br />
<br />
Now, the system doesn't check your MAC address against machines that have already used a demo credential...<br />
so you don't even need anything as simple as a MAC changer.<br />
<br />
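An added example, not the airport provider's software: a model of the demo-access scheme described in this post, with the weak policy (a credential is good for 30 minutes, nothing else is checked) beside a hardened one that closes the gap above and the parallel-use gap described in the next item. The hardened portal binds a credential to the first MAC that redeems it, allows one concurrent session per credential, and caps how many demo credentials a phone number or a MAC may consume per day. Every number, name and limit here is an assumption for the illustration.<br />

```python
"""Weak versus hardened captive-portal demo-access policy. Added example."""

DEMO_SECONDS = 30 * 60
DAY_SECONDS = 24 * 3600


class WeakPortal:
    """Only checks that the credential exists and its 30 minutes have not elapsed."""

    def __init__(self):
        self._issued = {}    # credential -> phone number it was SMS'd to
        self._started = {}   # credential -> time of first login

    def request_credential(self, phone, now):
        cred = f"demo{len(self._issued) + 1:04d}"   # stands in for the SMS'd code
        self._issued[cred] = phone
        return cred

    def login(self, cred, mac, now):
        if cred not in self._issued:
            return False
        started = self._started.setdefault(cred, now)
        return now - started < DEMO_SECONDS


class HardenedPortal:
    """Same interface; the policy gaps from the post are closed."""

    def __init__(self, creds_per_phone_per_day=1, demos_per_mac_per_day=1):
        self._issued = {}        # credential -> phone
        self._started = {}       # credential -> time of first login
        self._bound_mac = {}     # credential -> MAC that first redeemed it
        self._phone_hist = {}    # phone -> [issue times]
        self._mac_hist = {}      # mac -> [redeem times]
        self._per_phone = creds_per_phone_per_day
        self._per_mac = demos_per_mac_per_day

    @staticmethod
    def _recent(times, now):
        return [t for t in times if now - t < DAY_SECONDS]

    def request_credential(self, phone, now):
        hist = self._recent(self._phone_hist.get(phone, []), now)
        if len(hist) >= self._per_phone:
            return None                          # no SMS: this number already had its demo today
        cred = f"demo{len(self._issued) + 1:04d}"
        self._issued[cred] = phone
        self._phone_hist[phone] = hist + [now]
        return cred

    def login(self, cred, mac, now):
        if cred not in self._issued:
            return False
        started = self._started.get(cred)
        if started is not None and now - started >= DEMO_SECONDS:
            return False
        bound = self._bound_mac.get(cred)
        if bound is not None:
            return bound == mac                  # one device per credential, no parallel use
        mac_hist = self._recent(self._mac_hist.get(mac, []), now)
        if len(mac_hist) >= self._per_mac:
            return False                         # this device already consumed a demo today
        self._bound_mac[cred] = mac
        self._started[cred] = now
        self._mac_hist[mac] = mac_hist + [now]
        return True


def replay_scenario(portal_cls):
    """The post's two loopholes, played against either portal. Returns the outcomes."""
    p = portal_cls()
    c1 = p.request_credential("+91-9800000001", 0.0)        # own number
    c2 = p.request_credential("+91-9800000002", 0.0)        # friend's number, SMS forwarded
    first = p.login(c1, "aa:bb:cc:00:00:01", 1.0)
    parallel = p.login(c1, "aa:bb:cc:00:00:02", 2.0)        # same code, second device
    after_expiry = p.login(c1, "aa:bb:cc:00:00:01", DEMO_SECONDS + 1.0)
    second_code_same_laptop = p.login(c2, "aa:bb:cc:00:00:01", DEMO_SECONDS + 2.0)
    return {
        "first_login": first,
        "parallel_device": parallel,
        "after_expiry": after_expiry,
        "second_code_same_laptop": second_code_same_laptop,
    }


if __name__ == "__main__":
    print("weak    ", replay_scenario(WeakPortal))
    print("hardened", replay_scenario(HardenedPortal))
```

MAC binding is a speed bump rather than a wall (a MAC can be changed), but the per-MAC daily cap combined with the per-phone cap is what turns "collect more phone numbers" from free into a cost, which is the whole point of a scheme like this.<br />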
<b><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[] Parallel Access For Same Credential Set</span></b><br />
As I already said, the MAC is not checked... so suppose you have multiple WiFi-enabled devices.<br />
You can use the same credentials on all devices at the same time.<br />
You just need to watch the time frame in which that credential expires.</div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com2tag:blogger.com,1999:blog-2442688623759178220.post-25504906972712045732011-03-04T07:23:00.000-08:002011-03-04T07:24:18.274-08:00Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'<div dir="ltr" style="text-align: left;" trbidi="on">this is the work that I presented at 'nullcon - 2011', a security conference held in Goa by an emerging Indian security community known as 'null'<br />
it's mainly about preventing XSS attacks with an entirely new concept based on 'Bug-As-A-Service' and 'Attacking-The-Attacker'...<br />
any views/questions/comments/critiques/confusions are welcome<br />
----------<br />
<b>Presentation:</b><br />
<div id="__ss_7147884" style="width: 595px;"><b style="display: block; margin: 12px 0pt 4px;"><a href="http://www.slideshare.net/AbhishekKr/null-con2tiya" title="Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'">Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'</a></b> <br />
<object height="497" id="__sse7147884" width="595"> <param name="movie" /><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><embed width="430" height="340" src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=nullcon2tiya-110304063235-phpapp02&stripped_title=null-con2tiya&userName=AbhishekKr" name="__sse7147884" type="application/x-shockwave-flash" allowfullscreen="true"></embed> </object><br />
<div style="padding: 5px 0pt 12px;">View more <a href="http://www.slideshare.net/">presentations</a> from <a href="http://www.slideshare.net/AbhishekKr">Abhishek Kumar</a> </div></div>----------<br />
<b>Concept-Part-1 WhitePaper:</b><br />
<div id="__ss_5137259" style="width: 382px;"><b style="display: block; margin: 12px 0pt 4px;"><a href="http://www.slideshare.net/AbhishekKr/whitepaper-abktrick-to-subvert-xss" title="XSS Defeating Trick ~=ABK=~ WhitePaper">XSS Defeating Trick ~=ABK=~ WhitePaper</a></b> <br />
<object height="408" id="__sse5137259" width="382"> <param name="movie" /><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><embed width="382" height="408" src="http://static.slidesharecdn.com/swf/doc_player.swf?doc=whitepaperabktricktosubvertxss-100906042821-phpapp02&stripped_title=whitepaper-abktrick-to-subvert-xss&userName=AbhishekKr" name="__sse5137259" type="application/x-shockwave-flash" allowfullscreen="true"></embed> </object><br />
<div style="padding: 5px 0pt 12px;">View more <a href="http://www.slideshare.net/">documents</a> from <a href="http://www.slideshare.net/AbhishekKr">Abhishek Kumar</a> </div></div>----------<br />
<b>Concept-Part-2 WhitePaper:</b><br />
<div id="__ss_6822045" style="width: 382px;"><b style="display: block; margin: 12px 0pt 4px;"><a href="http://www.slideshare.net/AbhishekKr/xss-defeating-conceptpart2" title="XSS Defeating Concept - Part 2">XSS Defeating Concept - Part 2</a></b> <br />
<object height="408" id="__sse6822045" width="382"> <param name="movie" /><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><embed width="382" height="408" src="http://static.slidesharecdn.com/swf/doc_player.swf?doc=xssdefeatingconcept-part2-110205085203-phpapp02&stripped_title=xss-defeating-conceptpart2&userName=AbhishekKr" name="__sse6822045" type="application/x-shockwave-flash" allowfullscreen="true"></embed> </object><br />
<div style="padding: 5px 0pt 12px;">View more <a href="http://www.slideshare.net/">documents</a> from <a href="http://www.slideshare.net/AbhishekKr">Abhishek Kumar</a> </div></div>----------</div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-76202858465648371002011-02-18T11:14:00.000-08:002011-02-18T11:14:20.328-08:00Apache SOLR ~ a talented yet careless server<div dir="ltr" style="text-align: left;" trbidi="on"><b><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">SOLR</span></b>... what it is?<br />
link: <a href="http://wiki.apache.org/solr/FAQ#What_is_Solr.3F">http://wiki.apache.org/solr/FAQ#What_is_Solr.3F</a><br />
in short... <span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">it's an enterprise-class search server</span><br />
<br />
<b><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">SOLR Security Considerations</span></b>... are clearly stated<br />
link: <a href="http://wiki.apache.org/solr/SolrSecurity">http://wiki.apache.org/solr/SolrSecurity</a><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">[] Solr does not concern itself with security either at the document level or the communication level.</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">[] It strongly recommends that the application server containing Solr be firewalled such that the only clients with access to Solr are your own</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">[] The default installation of Solr allows any client with access to it to add, update and delete documents (and of course search/read), including access to the Solr configuration and schema files and the administrative user interface.</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">[] Even if firewalled, it might still be vulnerable to CSRF, because Solr's basic behaviour is to receive updates and deletes over plain HTTP...</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">So even if you restrict Solr's /update handler to accept connections only from approved hosts/clients, those approved clients can still be tricked into opening another page carrying a malicious script while their browser sits on a host that is allowed to reach Solr; the browser then makes the update request on the attacker's behalf.</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">[] The basic technique to mitigate this risk is to configure the servlet container to serve only specific IPs, or to require HTTP authentication.</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">[] Solr does not aim to provide document-level security; the recommended way to get it is through the Apache Lucene Connector Framework (since renamed Apache ManifoldCF).</span><br />
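An added example, not Solr's own code or configuration: a request gate that expresses the mitigations listed above, of the kind you would put in a reverse proxy or servlet filter in front of Solr. It (1) admits only approved client networks, (2) requires HTTP Basic credentials for the update and admin handlers, and (3) blunts the CSRF case, where a browser on an approved host is tricked into sending the request, by refusing GET and form-encoded bodies for writes (a browser cannot send XML or JSON content types cross-origin from a form or an img/script tag). The networks, user, password and handler paths are assumptions for the illustration.<br />

```python
"""Request gate for a Solr instance. Added example; not Solr's own mechanism."""
import base64
import hmac
import ipaddress

APPROVED_NETS = [ipaddress.ip_network("10.0.1.0/24")]      # assumed: the indexing hosts
WRITE_MARKERS = ("/update", "/admin")                        # privileged handler paths
USERS = {"indexer": "correct horse battery staple"}          # constructed credential
# Content types a browser form or <img>/<script> tag cannot send cross-origin.
SAFE_WRITE_TYPES = ("text/xml", "application/xml", "application/json", "application/javabin")


def _basic_auth_ok(authorization):
    """Validate an 'Authorization: Basic ...' header against USERS."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(pw, expected)


def authorize(remote_addr, method, path, headers):
    """Return (allowed, reason). headers is a dict with lower-case keys."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "bad address"
    if not any(addr in net for net in APPROVED_NETS):
        return False, "client not on an approved network"
    if not any(marker in path for marker in WRITE_MARKERS):
        return True, "read-only handler"
    if method.upper() != "POST":
        return False, "writes must be POST"            # stops <img src="...update?..."> style CSRF
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in SAFE_WRITE_TYPES:
        return False, "form-encoded or missing content type on a write"
    if not _basic_auth_ok(headers.get("authorization")):
        return False, "missing or wrong credentials"
    return True, "authenticated write"


def demo_requests():
    """Constructed requests: the legitimate indexer and the cases the gate must refuse."""
    creds = "Basic " + base64.b64encode(b"indexer:correct horse battery staple").decode()
    return {
        "indexer_post": authorize("10.0.1.7", "POST", "/solr/core1/update",
                                  {"content-type": "application/json", "authorization": creds}),
        "outside_read": authorize("203.0.113.9", "GET", "/solr/core1/select", {}),
        "csrf_get_delete": authorize("10.0.1.20", "GET", "/solr/core1/update", {}),
        "csrf_form_post": authorize("10.0.1.20", "POST", "/solr/core1/update",
                                    {"content-type": "application/x-www-form-urlencoded"}),
        "unauth_json_post": authorize("10.0.1.20", "POST", "/solr/core1/update",
                                      {"content-type": "application/json"}),
        "inside_read": authorize("10.0.1.20", "GET", "/solr/core1/select", {}),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo_requests().items():
        print(f"{name:17} {'ALLOW' if ok else 'DENY '}  {why}")
```

Reads from inside the approved network are still open here, which matches the wiki's position that search itself is not protected; if the index holds anything sensitive, extend the credential check to the select handler as well.<br />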
<div><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>SOLR is a very capable search server, but if you need to use it... be sure to make it unreachable from anything other than your own application.</b></span></div></div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-61564900623499524832010-12-29T05:09:00.000-08:002010-12-29T05:09:00.722-08:00Weak Excuses after Weak Security :: Mozilla's user a/c on Public Server<div style="font-family: Georgia,'Times New Roman',serif;">this year has been filled with news of user data leaking from different websites... but it wasn't that disturbing, as web vulnerabilities in Facebook are well known and accepted as part of the deal, and neither did the 1.3m account details leaked from Gawker come as a shock (it was more of a tweet flood)</div><span style="font-family: Georgia,'Times New Roman',serif;">but</span><br />
<b>On </b><b><span style="font-family: Times,'Times New Roman',serif;">Dec-17-2010</span>, Mozilla was informed that its user accounts (<span style="font-size: x-small;"><i>partially; those that had been used on addons.mozilla.org</i></span>) were available on a public server.</b><br />
<span style="font-family: Georgia,'Times New Roman',serif;">They have projects like Firefox (a super-famous web browser), NSS (one of the most famous libraries for developing secured client-server applications), and more... if an organization like them makes a mistake like this, oh yeah... hackers' paradise</span><br />
<br />
<b>here is how they defend themselves...</b><br />
<ul><li>the database included 44,000 inactive accounts using older<br />
<blockquote><span style="font-size: x-small;"><b><i>but don't you think... </i></b><i><span style="font-family: Georgia,'Times New Roman',serif; font-size: small;">even inactive users of a site deserve their privacy, and if they were inactive and not important, then better to purge the information pertaining to the account... why keep it instead</span></i></span></blockquote></li>
<li>md5-based password hashes<br />
<blockquote><span style="font-size: x-small;"><b><i>they don't use it now... </i></b><span style="font-size: small;"><i style="font-family: Georgia,'Times New Roman',serif;">for active users they use SHA-512 with a per-user salt; now that's good</i></span></span></blockquote></li>
<li>current addons.mozilla.org users and accounts are not at risk<blockquote><span style="font-size: x-small;"><b><i>so if I don't use Mozilla anymore... </i></b><i><span style="font-family: Georgia,'Times New Roman',serif; font-size: small;">they wouldn't respect my a/c details anymore and would still keep them... so that in future they could 'arrrrgh sorrry' me, brutally nice</span></i></span></blockquote></li>
<li>the incident did not impact any of Mozilla's infrastructure<blockquote><span style="font-size: x-small;"><b><i>it was available on a public server and not hacked-and-fetched... </i></b><span style="font-family: Georgia,'Times New Roman',serif; font-size: small;"><i>bravo</i></span></span></blockquote></li>
<li>the only outsider who accessed the data was the security researcher who reported the mistake to Mozilla<blockquote><span style="font-size: x-small;"><b><i>how are they so sure... </i></b><i><span style="font-family: Georgia,'Times New Roman',serif; font-size: small;">if no one else reported it, that doesn't mean no one else saw it, and it is not guaranteed that everyone who accessed it 'remained in' the logs.</span></i></span></blockquote></li>
</ul><br />
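An added example, not Mozilla's code, of what the md5 versus SHA-512-with-per-user-salt bullets above mean in practice: an unsalted MD5 store maps equal passwords to equal hashes, so one leaked table exposes every reuse and can be attacked with precomputed tables, whereas a per-user-salted store does not. The accounts and passwords are constructed.<br />

```python
"""Unsalted MD5 versus per-user-salted SHA-512 password records. Added example."""
import hashlib
import hmac
import os


def legacy_md5_record(password):
    """Old-style record: hex MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha512_record(password, salt=None):
    """New-style record 'salthex$hash' with a random 16-byte per-user salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _, digest = record.partition("$")
    candidate = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def compare_stores(users):
    """users: {username: password}. Returns how each scheme behaves on the same accounts."""
    md5 = {u: legacy_md5_record(p) for u, p in users.items()}
    sha = {u: salted_sha512_record(p) for u, p in users.items()}
    return {
        "users": len(users),
        "distinct_md5": len(set(md5.values())),          # password reuse is visible here
        "distinct_salted": len(set(sha.values())),       # and invisible here
        "salted_verify_ok": all(verify_salted(p, sha[u]) for u, p in users.items()),
        "salted_wrong_rejected": not any(verify_salted(p + "x", sha[u]) for u, p in users.items()),
    }


# Constructed accounts: three of five reuse the same password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "hunter2",
                "dave": "correct horse", "erin": "battery staple"}

if __name__ == "__main__":
    print(compare_stores(SAMPLE_USERS))
```

A per-user salt fixes the "one crack, many accounts" problem; it does not make a single fast hash slow, so the step after this one is a deliberately slow KDF (PBKDF2, bcrypt or scrypt) rather than a bigger digest.<br />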
<b><span style="font-size: x-small;">References:</span></b><br />
<span style="font-size: x-small;"><a href="http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/">http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/</a></span> <br />
<span style="font-size: x-small;"><a href="http://www.thetechherald.com/article.php/201052/6620/Mozilla-password-disclosure-a-non-event">http://www.thetechherald.com/article.php/201052/6620/Mozilla-password-disclosure-a-non-event</a></span>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-41619351830687104492010-12-21T00:59:00.000-08:002010-12-21T01:02:58.505-08:00bypass of user level restrictions, a case of bug in 'Scribd.com'http://www.youtube.com/watch?v=g-ETsFjRhqs<br />A few weeks back, I saw <b>Scribd.com offering me to buy/upload something in order to download a document uploaded there.</b> The second time I opened a document, in another browser, <b>it showed the 'download', 'print' and 'mobile' options disabled.</b><br />
<br />
As I didn't get that document to download, I didn't feel like reading it online either... <b>so I just thought, why not try to download it, and if I succeed, then I'll read it online.</b><br />
And I read it online :)<br />
<br />
<div style="font-family: 'Trebuchet MS',sans-serif;"><i><b>So, here is a bug (which has now been fixed) in Scribd.com... that allowed users to get a local copy of documents that had the download and print options disabled.</b></i></div><br />
<b style="background-color: #f1c232; color: #990000; font-family: Verdana,sans-serif;">This is how a layered limitation can be broken, and why restrictions must be enforced at the root level (where the document is actually served) and not just as a user-level module (the options the page shows or hides).</b><br />
<br />
<a href="http://www.youtube.com/watch?v=g-ETsFjRhqs">@<b>YouTube</b>: http://www.youtube.com/watch?v=g-ETsFjRhqs</a><br />
<b><span class="Apple-style-span" style="font-size: x-large;"><span style="font-size: large;">How-To</span> </span></b><b>[ <span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">download the not-allowed ]</span></b><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">example: Bypass Scribd.com disabling Downloading/Print/Mobile on some links</span><b><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"> </span></b><br />
<iframe frameborder="0" height="225" src="http://player.vimeo.com/video/18020569" width="400"></iframe><br />
<a href="http://vimeo.com/18020569">Example Website Bug : a bug of Scribd.com (reported & got fixed)</a> from <a href="http://vimeo.com/abionic">aBionic@Vimeo</a><br />
<br />
so now you can either print the document or create a PDF/image by printing it with software like PDFCreator.abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-33214861491398019512010-12-17T05:08:00.000-08:002010-12-17T05:16:52.802-08:00only '.org' and '.net' domains under DNSSEC protection till now, WHAT ABOUT YOUAre you protected with DNSSEC:<br />
[] in mid-2010, DNSSEC was deployed on the root DNS zone and the '.org' domain<br />
[] on 10-Dec-2010, Verisign deployed DNSSEC in the '.net' zone too<br />
<i> {securing more than 13 million registrations}</i><br />
[] preparations are under way to sign the '.com' zone in the first quarter of 2011<br />
<div style="font-family: Georgia,'Times New Roman',serif;"><br />
</div><div style="background-color: #fff2cc; color: #134f5c; font-family: Georgia,'Times New Roman',serif;"><span style="font-size: small;">Verisign has even launched a cloud-based DNSSEC signing service to ease its adoption in organisations.</span></div><b style="background-color: #fff2cc; color: #134f5c;"><span style="font-family: Georgia,'Times New Roman',serif; font-size: x-small;">Refer to <a href="http://www.securityweek.com/verisign-launches-new-dnssec-signing-service">http://www.securityweek.com/verisign-launches-new-dnssec-signing-service </a></span></b><br />
For those not very familiar with DNSSEC: it is a standardized security layer on top of traditional DNS, in which zone data is digitally signed and resolvers verify those signatures... it helps counter the DNS vulnerabilities exposed by researchers like 'Dan Kaminsky', including cache-poisoning attacks.<br />
<b>Refer to <a href="http://www.dnssec.net/">http://www.dnssec.net</a> </b><br />
<br />
Its implementation requires more processing power, bandwidth and storage, because every record set carries a signature that has to be generated, transmitted and validated. Note that DNSSEC authenticates DNS data; it does not encrypt DNS traffic, so it provides integrity, not confidentiality.<br />
<br />
Though I was initially surprised to hear of its deployment on the root DNS servers, as its alternative DNSCurve (designed by Daniel J. Bernstein) was conceptually better in security and easier on resources too. I don't know whether it was a fair selection or just another political/community-biased decision.<br />
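An added example, not from the original post: the check to run once your zone or resolver is supposed to be "under DNSSEC protection". It reads the output of <i>dig +dnssec</i> for the 'ad' flag (authenticated data, set only by a validating resolver), confirms an RRSIG covers the answer, and checks that the signature's inception/expiration window contains the current time, since expired signatures are the usual way a signed zone stops resolving. The dig output below is constructed; the zone, key tag and signature bytes are not real.<br />

```python
"""Parse 'dig +dn ssec' output for DNSSEC state. Added example; dig output is constructed."""
import re
from datetime import datetime, timedelta, timezone

# RFC 4034 presentation order: type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.M,
)
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)


def rrsig_time(stamp):
    """'20101231000000' -> aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_dig_output(text, now, warn_within=timedelta(days=3)):
    """Return a dict describing the DNSSEC state of one dig +dnssec answer at time now."""
    m = FLAGS_RE.search(text)
    flags = set(m.group(1).split()) if m else set()
    sigs = [s.groupdict() for s in RRSIG_RE.finditer(text)]
    windows_ok, expiring = True, False
    for s in sigs:
        inception, expiration = rrsig_time(s["inception"]), rrsig_time(s["expiration"])
        if not (inception <= now <= expiration):
            windows_ok = False          # a validating resolver will SERVFAIL on this
        elif expiration - now < warn_within:
            expiring = True             # re-sign soon or the above happens
    return {
        "authenticated": "ad" in flags,
        "signed": bool(sigs),
        "covered_types": sorted({s["covered"] for s in sigs}),
        "signature_windows_ok": windows_ok,
        "expiring_soon": expiring,
    }


# Constructed output; the 'ad' flag is what a validating resolver adds to the header.
SAMPLE_DIG = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.net.  3600 IN A     192.0.2.10
www.example.net.  3600 IN RRSIG A 8 3 3600 20101231000000 20101201000000 12345 example.net. c29tZXNpZ25hdHVyZQ==
"""

if __name__ == "__main__":
    print(check_dig_output(SAMPLE_DIG, rrsig_time("20101217000000")))
```

Two caveats when using this for real: the 'ad' bit is only as trustworthy as the path between you and the resolver that set it, and a zone whose parent has not published a DS record for it will show RRSIGs but never 'ad', because the chain of trust does not reach it.<br />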
<br />
<div style="background-color: #0b5394; color: #cfe2f3; font-family: Georgia,"Times New Roman",serif;"><i><span style="font-size: x-small;">=begin :footer</span></i></div><div style="background-color: #0b5394; color: #cfe2f3; font-family: Georgia,"Times New Roman",serif;"><i><span style="font-size: x-small;">#</span></i><span style="font-size: x-small;"> waited about a week to have time doing this post in detail... </span></div><div style="background-color: #0b5394; color: #cfe2f3; font-family: Georgia,"Times New Roman",serif;"><span style="font-size: x-small;"># but more delay would deny its usability... so its here</span></div><div style="background-color: #0b5394; color: #cfe2f3;"><i><span style="font-family: Georgia,"Times New Roman",serif; font-size: x-small;">=end :footer </span></i></div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-71177910706509547752010-09-26T12:49:00.000-07:002010-09-26T12:49:04.900-07:00XSSed Orkut after Twitter after Facebook <xss/>'<b><i>Are you social?</i></b>'<br />
ohhh... let me rephrase it: '<b><i>Are you net-social?</i></b>'<br />
yeah... <b><i>then how socially secure are you, when plain-text attacks are hitting millions</i></b>.<br />
<br />
<b><span class="Apple-style-span" style="font-size: x-large;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">2 months back with Facebook</span></span></b><br />
now almost treated as a synonym for social networking, with more than 400 million active users... Facebook was shown to be vulnerable to an XSS flaw; its proper HttpOnly cookie protection counted for nothing against it, because HttpOnly only keeps script from reading the cookie and does not stop injected script from running in the page. The PoC video is linked below along with the article.<br />
<b><i><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Article:</span> </i></b><a href="http://www.acunetix.com/blog/news/cross-site-scripting-xss-facebook/">http://www.acunetix.com/blog/news/cross-site-scripting-xss-facebook/</a><br />
<b><i>Video: </i></b><a href="http://www.youtube.com/watch?v=iTddmr_JRYM&hl&fmt=22">http://www.youtube.com/watch?v=iTddmr_JRYM&hl&fmt=22</a><br />
<br />
<b><span class="Apple-style-span" style="font-size: x-large;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Last Week with Twitter</span></span></b><br />
the microblogging favourite of the masses, offering a newer, promising UX... Twitter accidentally resurfaced an old XSS hole during a site update. Known as the 'onMouseOver' flaw, it let a tweet carry injected script that ran as soon as the victim hovered the mouse over it.<br />
<b><i><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Article:</span></i></b><a href="http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html"> http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html</a><br />
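An added example, not Twitter's code: the class of bug behind the 'onMouseOver' incident, shown on a naive URL autolinker of the kind many sites used in 2010. The unsafe version drops the matched URL straight into an href attribute, so a URL containing a double quote closes the attribute and the rest of the "URL" becomes attributes of its own, including an on* handler. The safe version escapes each fragment for the context it lands in. The tweet text and the (harmless) payload are constructed.<br />

```python
"""Attribute-context injection in a URL autolinker, unsafe beside safe. Added example."""
import html
import re
from html.parser import HTMLParser

# Deliberately loose, like the linkers of the time: anything up to whitespace or '<'.
URL_RE = re.compile(r"https?://[^\s<]+")


def linkify_unsafe(text):
    """Vulnerable: the raw match is inserted into an attribute and into element text."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def linkify_safe(text):
    """Hardened: every fragment is escaped for the context it lands in."""
    out, last = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[last:m.start()]))
        url = html.escape(m.group(0), quote=True)   # quote=True also escapes " and '
        out.append(f'<a href="{url}">{url}</a>')
        last = m.end()
    out.append(html.escape(text[last:]))
    return "".join(out)


class _EventHandlerFinder(HTMLParser):
    """Reports any on* attribute a browser would treat as a script handler."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


def injected_handlers(markup):
    """Parse rendered markup the way a tolerant browser would and list on* attributes."""
    finder = _EventHandlerFinder()
    finder.feed(markup)
    return finder.handlers


# Constructed tweet: the double quote inside the "URL" is the whole attack.
PAYLOAD_TWEET = 'check this http://t.co/@"onmouseover="alert(document.cookie)"/ nice'

if __name__ == "__main__":
    for label, fn in (("unsafe", linkify_unsafe), ("safe", linkify_safe)):
        rendered = fn(PAYLOAD_TWEET)
        print(label, injected_handlers(rendered))
        print("   ", rendered)
```

The lesson generalises past this one bug: output encoding has to match the context (attribute, element text, URL, script), and a regex that decides what a "URL" is must never be the thing standing between user input and an attribute.<br />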
<br />
<span class="Apple-style-span" style="font-size: x-large;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>Previous Day with Orkut</b></span></span><br />
the previous day was a 'Good Saturday' (which is what 'Bom Sabado' means in Portuguese), 'scrapping' off the privacy of Orkut users. The attack is believed to have originated in Brazil and compromised an enormous number of Orkut accounts within a few hours. The code, with details, can be viewed at the link below.<br />
<b><i><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Article:</span></i></b> <a href="http://antrix.net/posts/2007/orkut-xss/">http://antrix.net/posts/2007/orkut-xss/</a>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-30450748190686186382010-09-06T06:45:00.000-07:002010-09-06T06:45:42.878-07:00Problem with IEEE 802.1x implementation's fallback option<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-OwDct9-aAGdxvU6D_3mgshJ4drxvRecy00jXzw8IoZ_BABH_xVEkjaO0HxpQhUMhJRkgm5qvhVSZcCAj9ktbJ1D5lq6VlUVtouXDVREKIlEKNJiQdS10N5KQhcGgxXYL0r_kwempq6o/s1600/IEEE802.1x_MAB.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-OwDct9-aAGdxvU6D_3mgshJ4drxvRecy00jXzw8IoZ_BABH_xVEkjaO0HxpQhUMhJRkgm5qvhVSZcCAj9ktbJ1D5lq6VlUVtouXDVREKIlEKNJiQdS10N5KQhcGgxXYL0r_kwempq6o/s320/IEEE802.1x_MAB.jpg" width="320" /></a></div><span style="font-size: large;">Problem with IEEE 802.1x implementation's fallback option</span><br />
---------------------------------------------------------<br />
I was just looking over some gyan on 802.1x implementation on Cisco's portal.<br />
They have a very nice guide on the phased deployment model for Identity-Based Network Services.<br />
While learning a bit, I saw mention of a fallback option for IEEE 802.1x. Then I checked whether Juniper has it, and it supports it too.<br />
<br />
<b>MAB, i.e. MAC Authentication Bypass</b>, provides support for legacy devices (say, printers) that are not capable of IEEE 802.1x and hence need some other method of authentication.<br />
The method provided for them is adding the incapable device's MAC address to a static (or, depending on the implementation, dynamic) MAC list on the 802.1x authenticator.<br />
<br />
There goes the cockroach surviving a nuclear attack. The super-strong 802.1x, bypassed by a MAC address... do they really have faith in this, or have they implemented it in Superman style? Though currently I can't think of any Superman for MAC authentication. All I see is Sipper-Man :( sipping my security away.<br />
<br />
<b>An attacker just has to DUPLICATE an allowed MAC and enjoy the falling security.</b><i><b><br />
<br />
Seriously, I'm afraid... if anyone knows a manner of implementing it, hidden from me till now, which makes it secure, please let me know asap. </b></i><br />
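An added example, not Cisco's or Juniper's code: what you can still do once you accept that MAB authenticates a claim rather than a device. Two pieces: an authorization policy that gives MAB-admitted MACs a restricted VLAN/ACL instead of full access, and a detector run over switch authentication events that flags a MAB-listed MAC being authorized on more than one port inside a short window, which is how a cloned printer MAC shows up while the real printer is still plugged in. The MAC list, switch names, ports, VLAN numbers and events are all constructed for the illustration.<br />

```python
"""Restricted authorization for MAB devices plus a cloned-MAC detector. Added example."""
from collections import defaultdict

# Constructed MAB list: MAC -> device label.
MAB_LIST = {"00:11:22:33:44:55": "printer-3f", "00:11:22:33:44:66": "badge-reader-lobby"}


def authorize_port(method, mac):
    """Return the VLAN/ACL a port should get for an authenticated session.

    method is '802.1x' (EAP succeeded) or 'mab' (the MAC matched the list).
    VLAN numbers and ACL names are assumptions.
    """
    if method == "802.1x":
        return {"vlan": 100, "acl": "full-access"}
    if method == "mab" and mac.lower() in MAB_LIST:
        # Printers only ever need to be reached, not to reach out: pin them down.
        return {"vlan": 300, "acl": "printer-only-inbound"}
    return {"vlan": 999, "acl": "quarantine"}


def detect_mac_clones(events, window_s=600):
    """events: iterable of (t_seconds, switch, port, mac, method, result).

    Returns an alert for each MAB-listed MAC authorized on two different
    switch/port locations within window_s seconds of each other.
    """
    last_seen = defaultdict(list)   # mac -> [(t, switch, port)]
    alerts = []
    for t, switch, port, mac, method, result in sorted(events):
        mac = mac.lower()
        if method != "mab" or result != "success" or mac not in MAB_LIST:
            continue
        recent = [(pt, ps, pp) for pt, ps, pp in last_seen[mac] if t - pt <= window_s]
        for pt, ps, pp in recent:
            if (ps, pp) != (switch, port):
                alerts.append({
                    "mac": mac, "device": MAB_LIST[mac],
                    "first": f"{ps}:{pp}@{pt}", "second": f"{switch}:{port}@{t}",
                })
        last_seen[mac] = recent + [(t, switch, port)]
    return alerts


# Constructed events: the real printer on Gi1/0/5, then its MAC cloned on Gi1/0/17.
SAMPLE_EVENTS = [
    (0,   "sw-3f", "Gi1/0/5",  "00:11:22:33:44:55", "mab",    "success"),
    (30,  "sw-3f", "Gi1/0/9",  "0a:0b:0c:0d:0e:0f", "802.1x", "success"),
    (120, "sw-3f", "Gi1/0/17", "00:11:22:33:44:55", "mab",    "success"),
    (900, "sw-lb", "Gi2/0/1",  "00:11:22:33:44:66", "mab",    "success"),
]

if __name__ == "__main__":
    print(authorize_port("mab", "00:11:22:33:44:55"))
    for alert in detect_mac_clones(SAMPLE_EVENTS):
        print("CLONE?", alert)
```

Neither piece makes MAB secure; they limit what a cloned MAC buys (a printer VLAN rather than the user network) and make the cloning visible. A legitimate printer moved to a new port within the window will also trip the detector, which is the kind of false positive worth having.<br />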
<br />
<i><b>If you want their support in making your environment vulnerable:</b></i><br />
Cisco Support: <a href="http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab.html">http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab.html</a><br />
Juniper Support: <a href="http://kb.juniper.net/KB11429">http://kb.juniper.net/KB11429</a>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-23761062991980442592010-09-06T02:54:00.000-07:002010-09-06T03:08:00.691-07:00XSS Defeating PoC : if have any time for Experimentation<span class="Apple-style-span" style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="border-collapse: collapse; font-family: arial,sans-serif; font-size: 13px;"><span style="border-collapse: collapse; font-family: arial,sans-serif; font-size: 13px;"></span></span></span><br />
<div><i><b>It's still in experimental state, if you find some time please try it and let me know of your experience.</b></i></div><div><div><b><i><span style="border-collapse: separate; font-family: arial; font-size: small; font-style: normal; font-weight: normal;"><br />
</span></i></b></div><div>Video Demo of the same PoC: <a href="http://www.youtube.com/watch?v=ENiiAccY1v0" style="color: #ed1c24;" target="_blank">http://www.youtube.com/watch?v=ENiiAccY1v0</a><br />
<br />
</div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;"></span></span><br />
<div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;">Project Base: <a href="http://sourceforge.net/downloads/sitehoster/v1.0beta%20RC1/" style="color: #ed1c24;" target="_blank">http://sourceforge.net/downloads/sitehoster/v1.0beta%20RC1/</a></span></span></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;"><br />
</span></span></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;">WhitePaper is also available at SourceForge link above</span></span></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;"> and at : <a href="http://www.slideshare.net/AbhishekKr/whitepaper-abktrick-to-subvert-xss" style="color: #ed1c24;" target="_blank">http://www.slideshare.net/AbhishekKr/whitepaper-abktrick-to-subvert-xss</a></span></span></div></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;">I was working on a XSS-Patch PoC, which I now feel works proper enough to prove its point.</span></span></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;"><b>This neither require Web-Developers for any Filtering/Validation, nor any javascript blocking add-on on user's browser.</b></span></span></div><div><span style="border-collapse: separate; font-family: 'Times New 
Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;"><br />
</span></span></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;">I'm not good at explaining, but I've tried to do that in the WhitePaper linked above.</span></span></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;"><br />
</span></span></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;">Extract the ZIP file and run 'StartDemo.bat' to start the server, already patched with the XSS-subverting module.</span></span></div><div><span style="border-collapse: separate; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: arial; font-size: small;">Then browse to '<a href="http://localhost/tweet.htm" style="color: #ed1c24;" target="_blank">http://localhost/tweet.htm</a>' in any browser. It lets you submit any text to the server without validation, and the text is saved there exactly as submitted. But when it is retrieved via 'Read...', any <script>
inserted remains inactive.</div><div>
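The store-as-is / inert-on-read behaviour the demo describes, as an added example that is not the post's PoC module: the stored text is never filtered, and neutralisation happens only where the text is spliced into the response, by HTML-encoding it there. The in-memory store, the wrapper markup and the payloads are constructed for illustration, and a small parser check shows which elements a browser would actually build from each rendering.

```python
# Added example (not the post's PoC module): "store raw, neutralise on read"
# via output encoding. Store, wrapper markup and payloads are constructed.
import html
from html.parser import HTMLParser

_store = []  # stands in for the PoC's server-side storage


def submit(text):
    """Save the text exactly as submitted: no filtering, no validation."""
    _store.append(text)
    return len(_store) - 1


def render_unsafe(index):
    """The behaviour a patch like this must neutralise: raw text spliced into markup."""
    return '<div class="tweet">' + _store[index] + '</div>'


def render_safe(index):
    """Same stored text, HTML-encoded only at output time.

    '<', '>', '&' and quotes become entities, so a stored '<script>' reaches
    the browser as the text '&lt;script&gt;' and never becomes an element.
    """
    return '<div class="tweet">' + html.escape(_store[index], quote=True) + '</div>'


class _TagCollector(HTMLParser):
    """Records every element the browser would create from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(fragment):
    """Element names parsed from the fragment; an inert rendering yields only the wrapper div."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


# Constructed payloads of the kind a tester would paste into the 'tweet' form.
PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "<svg onload=alert(1)>",
]


def compare(payloads=PAYLOADS):
    """Map each payload to (elements from the unsafe rendering, elements from the safe one)."""
    results = {}
    for payload in payloads:
        index = submit(payload)
        results[payload] = (elements_in(render_unsafe(index)),
                            elements_in(render_safe(index)))
    return results


if __name__ == "__main__":
    for payload, (unsafe, safe) in compare().items():
        print(f"{payload!r}: unsafe -> {unsafe}, safe -> {safe}")
```

Encoding at output is what makes "no validation on submit" acceptable: the data stays intact for any later use, and only the HTML context is protected. A different output context (a JavaScript string, a URL, an attribute) needs its own encoder.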
</div><div>
It would be great to get any expert advice/comments... usable, waste, failure, etc.</div><div>
</div><blockquote style="margin: 0px 0px 0px 40px; border-style: none; padding: 0px;">
<div>
<b>NOTE:</b><span> </span>for the PoC to execute properly, 'PYTHON' must be installed and added to the SYSTEM PATH,</div><div>
as the server-side logic is coded in Python.</div><div>
Even if you don't have Python installed, you can still check it by opening '<a href="http://localhost/test1.htm" target="_blank" style="color: rgb(237, 28, 36);">http://localhost/test1.htm</a>', which would make the <SCRIPT/> injected in its <BODY/> inactive. Or you can write any quick HTML+JS yourself, and none of the JS injected in the BODY will work when browsed over this server.
The server-side scripting implementation is currently not standard CGI; it is a quick approach to executing a script on the server based on GET request variables and getting markup output.<br clear="all"></div></blockquote></span></span><br clear="all"></div><span style="font-family: arial,sans-serif; font-size: 13px; border-collapse: collapse;"><b><i>Note: it is there to subvert user-level JS functions</i></b></span><div>
<font><span style="border-collapse: collapse;"><b><i>
</i></b></span></font></div><div>
<font><span style="border-collapse: collapse;"><b><i>Once this completes, I'll be implementing my SQL-injection countermeasure in the server.</i></b></span></font></div></script></span></span></div></div>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-4554446783324770502010-08-26T17:20:00.000-07:002010-08-27T11:53:35.088-07:00hrberry.com :: php flaw self-inviting DoS, leaked framework and server info [by, ABK]<a href="https://sites.google.com/site/abklabs/home/secured/posts.xml">Posted@ https://sites.google.com/site/abklabs/home/secured/posts.xml</a><br />
<br />
<b>[]Patched: </b><br />
Yes <br />
<br />
<b>[]Product Name:</b><br />
http://www.hrberry.com<br />
Payroll Helpdesk, serving several prestigious companies <br />
<br />
<b>[]Victim Name:</b><br />
Ascent Consulting Services Pvt. Ltd. <br />
[http://ascent-online.com]<br />
<br />
<b>[]Vuln Summary:</b><br />
There were validation flaws in the GET request parameters sent to the CAPTCHA image-generating PHP script on the portal.<br />
This allowed an attacker to make the app generate any number of characters, consuming processing power.<br />
It had a timeout of 30 seconds (too long) and then generated an error message containing the full path of the PHP file.<br />
It was also running on an older, unpatched version of OpenSSL.<br />
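The two flaws in the summary side by side, as an added example (not hrberry.com's code, and in Python rather than the portal's PHP): a CAPTCHA generator whose length comes straight from the query string, next to a version that bounds it, and an error path that leaks script paths next to one that does not. The parameter name 'len', the cap of 8 characters, the alphabet and the default length are assumptions for illustration.

```python
# Added example (not the portal's code): unbounded CAPTCHA length and leaky
# error handling beside a checked version. 'len', MAX_LEN, ALPHABET and
# DEFAULT_LEN are assumed for illustration.
import logging
import secrets
import string
import traceback

ALPHABET = string.ascii_uppercase + string.digits
MAX_LEN = 8        # assumed upper bound a CAPTCHA ever needs
DEFAULT_LEN = 6


class BadRequest(ValueError):
    """Client error that should become an HTTP 400, never a stack trace."""


def captcha_text_unchecked(params):
    """The flawed pattern: the query-string value drives the generation loop as-is."""
    n = int(params.get("len", DEFAULT_LEN))
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def captcha_length(params):
    """Validate 'len': digits only, within [1, MAX_LEN], default when absent."""
    raw = params.get("len")
    if raw is None:
        return DEFAULT_LEN
    if not raw.isdigit():
        raise BadRequest("len must be a positive integer")
    n = int(raw)
    if not 1 <= n <= MAX_LEN:
        raise BadRequest(f"len must be between 1 and {MAX_LEN}")
    return n


def captcha_text_checked(params):
    """Generation loop bounded by the validated length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(captcha_length(params)))


def handle_unchecked(params, display_errors=True):
    """Returns (status, body). Mirrors a PHP script with display_errors on:
    any failure sends the traceback, script paths included, to the client."""
    try:
        return 200, captcha_text_unchecked(params)
    except Exception:
        return 500, traceback.format_exc() if display_errors else "Internal error"


def handle_checked(params):
    """Returns (status, body). Bad input gets a short 400; anything else is
    logged server-side and answered with a generic 500."""
    try:
        return 200, captcha_text_checked(params)
    except BadRequest as exc:
        return 400, str(exc)
    except Exception:
        logging.exception("captcha generation failed")
        return 500, "Internal error"


if __name__ == "__main__":
    for params in ({"len": "200000"}, {"len": "abc"}, {"len": "6"}):
        status, body = handle_unchecked(params)
        print("unchecked", params, status, len(body))
        status, body = handle_checked(params)
        print("checked  ", params, status, body if status != 200 else len(body))
```

A request for 200,000 characters is served without complaint by the unchecked handler and refused with a 400 by the checked one; a non-numeric value makes the unchecked handler return its own stack trace, file path included, which is the second leak in the summary. In PHP the equivalent of the `display_errors` switch is `display_errors=Off` with `log_errors=On` in production.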
<br />
<a href="https://sites.google.com/site/abklabs/home/secured/hrberrycom">to read detailed Description... click here</a>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-71042084184859544772010-06-19T13:31:00.000-07:002010-08-03T04:16:44.498-07:00Rapid7's neXpose<span class="Apple-style-span" style="font-size: x-large;"><b><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="color: yellow;">Rapid7's neXpose</span></span></b></span><br />
<a href="http://www.rapid7.com/vulnerability-scanner.jsp">http://www.rapid7.com/vulnerability-scanner.jsp</a><br />
<br />
You can download the Community Edition of this famous and highly efficient Network Vulnerability Scanner by Rapid7.<br />
<br />
[] NeXpose Community Edition provides users with:<br />
> vulnerability scanning for up to 32 IPs at a time<br />
{limited, but for free it's nice}<br />
> Regular vulnerability updates<br />
{every time I start it, updates get checked}<br />
> Accurate scan results<br />
{it gives real detailed analysis of flaws found}<br />
> Prioritized risk assessment<br />
{though its priorities don't match mine most of the time}<br />
> Remediation guidance<br />
{yeah it's good, with required tweaks}<br />
> Out-of-the-box Metasploit integration<br />
{from Metasploit v3.31 onward it can be fully integrated with NeXpose}<br />
Link:<a href="http://www.metasploit.com/redmine/projects/framework/wiki/NeXpose_Plugin"> http://www.metasploit.com/redmine/projects/framework/wiki/NeXpose_Plugin</a><br />
> Extensive community support at http://community.rapid7.com<br />
{it's so easy, you wouldn't require it}<br />
> Simple deployment<br />
{if you can browse through a new website, you can use it}<br />
> No cost start-up security solution<br />
{Community edition, after all}abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0tag:blogger.com,1999:blog-2442688623759178220.post-61417229637578028222010-02-18T22:11:00.000-08:002010-08-03T04:19:53.616-07:00on 18-Feb-2010 :: NetWitness reported 'Kneber Botnet' {CRITICAL}<span style="color: #ffd966; font-size: large;">On <b>18-Feb-2010</b>, <b>NetWitness</b> reported a new <b>malware, the 'Kneber botnet'</b>; </span><br />
<br />
it's a<b> variant of Zeus </b>and mainly targets <b>credential theft, keylogging, etc.</b><br />
<i style="font-family: Verdana,sans-serif;"><b><br />
</b>... it has affected more than 2500 organizations;<br />
<br />
... currently no IPS/IDS has adequate signatures to detect it.<br />
<br />
... it can also act together with other malware; the one most often noticed alongside it is Waledac (a P2P Trojan)</i><br />
<br />
<br />
<b>[] A quick way to check whether a machine is infected by Kneber (a Zeus variant)</b>:<br />
<br />
Look at the registry value at this path:<br />
<br />
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit<br />
<br />
Normally it has a single entry like "C:\WINDOWS\system32\userinit.exe,"<br />
ZeuS adds itself to this comma-separated list, typically as 'ntos'.<br />
But it can always change its name, so if any unrelated entry is found here, the machine may be infected.<br />
<br />
If any extra entries are found, or there is any suspicion, scan the file(s) listed there.<br />
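The check above as an added example, not code from NetWitness or the linked articles: split the comma-separated UserInit value and report every entry that is not the genuine userinit.exe, so a renamed dropper is caught as well as 'ntos'. The two sample values are constructed, the genuine-path set assumes Windows is installed on C:, and the live registry read only runs on Windows.

```python
# Added example (not from NetWitness or the linked articles): flag UserInit
# entries other than the genuine userinit.exe. Samples are constructed; the
# genuine-path set assumes Windows lives on C:; the live read is Windows-only.
import sys

USERINIT_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Genuine forms, lower-cased. Add a form here if Windows is not on C:.
GENUINE_USERINIT = {
    r"c:\windows\system32\userinit.exe",
    r"%systemroot%\system32\userinit.exe",
}


def split_userinit(value):
    """Split the comma-separated UserInit string into entries (a trailing comma is normal)."""
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value):
    """Entries that are not the genuine userinit.exe; a non-empty list means scan those files."""
    return [e for e in split_userinit(value)
            if e.strip('"').lower() not in GENUINE_USERINIT]


def read_live_userinit():
    """Read HKLM\\...\\Winlogon\\UserInit on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "UserInit")
    return value


# Constructed samples: a clean value and one with the 'ntos' entry the post mentions.
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"


if __name__ == "__main__":
    value = read_live_userinit()
    if value is None:
        value = INFECTED  # off Windows, demonstrate on the constructed sample
    extra = suspicious_userinit_entries(value)
    print("UserInit =", value)
    print("suspicious entries to scan:", extra if extra else "none")
```

Comparing against a strict set of genuine paths rather than just looking for 'ntos' is deliberate: the post itself notes the name can change, and a dropper placed as `C:\evil\system32\userinit.exe` would slip past a check that only looks at the file name.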
<br />
<br />
<b>[] It is suggested to apply all the latest MS10-* and Adobe patches on all machines;</b><br />
and, as always, not to open suspicious e-mails.<br />
<br />
<br />
<b>[] NetWitness said that Kneber was primarily found on corporate and government computers</b>; however, home users are likely to be infected as well.<br />
<br />
<br />
<br />
<br />
[] more details @<br />
<br />
*** <a href="http://www.netwitness.com/resources/pressreleases/feb182010.aspx">http://www.netwitness.com/resources/pressreleases/feb182010.aspx</a> ***<br />
<br />
<a href="http://www.networkworld.com/news/2010/021810-kneber-botnet-faq.html?hpg1=bn">http://www.networkworld.com/news/2010/021810-kneber-botnet-faq.html?hpg1=bn</a><br />
<br />
<a href="http://www.nytimes.com/2010/02/19/technology/19cyber.html?em">http://www.nytimes.com/2010/02/19/technology/19cyber.html?em</a><br />
<br />
<a href="http://www.technewsworld.com/rsstory/69372.html">http://www.technewsworld.com/rsstory/69372.html</a>abionichttp://www.blogger.com/profile/06276198262605731980noreply@blogger.com0