The Good, The Bad and the Insecure

I’ve been recently reading Michal Zalewski’s “The Tangled Web”, a book which tries to map the whole security landscape around browsers and Web applications in about 300 pages… it does a pretty good job

Now, in Chapter 9, he talks about “Content Isolation Logic” and in one specific section he touches on the document.domain property of the DOM of a page. So, in short, when two pages, foo.example.com and bar.example.com want to communicate through JavaScript, by default they cannot since the Same Origin Policy allows accesses only when the protocol, domain and port fully match. Since, “foo.example.com” !== “bar.example.com” the check fails and thus the domains can’t communicate. Since this is somewhat too rigid, a developer can choose to relax the domain of his page from foo.example.com to example.com. In JavaScript, this is a simple assignment to the document.domain property: Continue reading →

Did you know that if you use a popular cheap web hosting product and you haven’t changed the default error pages of your sites, you are most likely hosting an open redirect? If not, read on

Suppose for a second that you are a loyal customer of babyhow.com, an eshop selling stuff for your baby. One beautiful day you receive an email letting you know that babyhow.com has moved its business and providing you with a link to read more:

Continue reading →

Two years ago I decided to get a personal site. I was after two things: flexibility and low cost. I didn’t want to get a VPS but I also didn’t want the hosting packages of one domain and 350MB of space. So I found IPage.com a shared hosting provider that was giving me unlimited hosted sites, unlimited databases, unlimited bandwidth and unlimited disk space for about 35 euros for a year… that in my book was a great deal! So I went ahead and bought it. In that year I was generally happy with them. My pages where occasionally a bit slow but still fast enough for my sites’ needs. The problem was that the 35 euro price was an introductory price and the next year IPage asked me for triple that amount… Since I didn’t feel like that was a good thing (now that you are a customer we’ll suck you dry) I decided to look elsewhere. A colleague at work recommended Bluehost.com. Bluehost offered me the same things as IPage plus SSH access for about 50 euros per year. I went for that and I was quite happy…. until this week… Continue reading →

Stored XSS on popular Web statistics framework Statcounter. Log yourselves out of Statcounter and if possible disable JavaScript for the domain (possible in Chrome, not sure about Firefox)…  Will give more details when Statcounter fixes it. The only reason I am saying it here is because my Statcounter logs just started popping alert boxes!

Joke I just made up:

What do you call a woman who first says to you “I love you” but ten minutes later she adds “I actually don’t, but don’t feel bad because I say that to all men”?

Continue reading →

I still remember the good old days when I would just write “javascript:alert(document.cookie)” in my address bar and the browser would happily show me the JavaScript-accessible cookie values for the current domain. These were simpler days…

Mid-2011 the developers of Firefox decided that allowing the “javascript” directive in the URL bar was being abused by attackers to conduct self-XSS attacks more than it was being used for legitimate purposes. If you are not familiar with self-XSS fear not… they are quite easy to explain. Continue reading →

Since the beginning of October I’ve been following the online AI course from Standford, taught by Sebastian Thrun and Peter Norvig. In the last two months, I’ve given up a great part of my free time to look at videos, do quizzes, read clarifications on the AI page on Reddit and complete assignments. I will not say it was not worth it. It definitely was. I’ve
learned so much and I already have ideas on how to use Artificial Intelligence (specifically Machine Learning) in my own field (Computer Security).

Last night, I noticed a link on the course website that lead me to a YouTube video
of the latest Google+ Hangout where two AI professors, along with Sal Khan, the founder
of Khan Academy and a handful of students from some universities in the US where talking about the future of education and how these new ways of teaching are “reinventing education”.

I was listening to their  discussion when the following comment by Prof. Thrun really jumped out of the page and hit me on the head…

Continue reading →

Its been a while since my last post so I decided to make it worthwhile . I was recently checking a friend’s site for the classic Web application vulnerabilities, when I found a reflected XSS attack. While I was investigating the bug, I noticed that while the bug worked on Mozilla’s Firefox, it didn’t work on Google’s Chrome. As it turns out, Chrome uses an Anti-XSS filter, based on static analysis, which attempts to detect XSS. If it detects such an attempt, it filters out the injected code, and effectively stops the on-going attack.

In order to demonstrate this, I made a vulnerable page at http://securitee-playground.co.cc/files/chrome_xss.php. This page simply reads two GET parameters, namely a and b, which it then prints out in the resulting page.

To show that injection is possible, I start by injecting some HTML which is indeed rendered as part of the HTML page.

http://securitee-playground.co.cc/files/chrome_xss.php?
a=<u>HTML_INJECTION</u>&b=bar

Continue reading →

This article is not written by me. I found it online, but only in one place so this is effectively a mirror for it. Enjoy

///////////////////////////////////////////////////////////////////////////////
/************************************************** ***************************/
/* Tutorial: How to write a backdoor for OpenSSH. */
/* Date: June 29, 2005 */
/* Author: pikah (rvdwesten@gmail.com) */
/* Website: http://w4ck1ng.net */
/* */

Continue reading →

You have to love phpinfo() . This simple PHP function prints out a truck-load of information regarding all kinds of configuration details of your Apache + PHP installation. It is very helpful to a Web administrator who is trying to debug his installations and also very “helpful” to attackers who can get a quite good peak of what
goes on inside your installation, such as:

• PHP Version running on the machine (cough*exploits*cough)
• Operating System
• Paths to your Web applications
• All modules installed
• …

Continue reading →