Category Archives: Surviving The Week

Weekly collection of the top news/stories/articles/blog_posts related to application security. These may not always be the big headlines or directly focused on application security, but they will be the items that interested me the most, and hopefully will be of interest to my readers. Great replacement for Jeremiah’s defunct “Best of Application Security” series.


Surviving the Week 2/1/13 – Ruby on Rails – JSON Parser Vulnerability

Ruby on Rails – JSON Parser Vulnerability


The Rails JSON parser, when using its YAML backend, converts incoming JSON into YAML text and hands that to the YAML parser. Because the YAML backend (yaml.rb) accepted arbitrary YAML, including Ruby object tags, a crafted JSON document could instantiate arbitrary objects on the server. The fix replaces the YAML backend with a proper JSON parser. This is very close to the earlier CVE-2013-0156 parameter-parsing bug, so expect exploits in the wild quickly. http://viamsec.com/blog/2013/01/ruby-on-rails-json-parser-vulnerability/
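To make the root cause concrete, here is an added example (not code from Rails or from the linked post) that shows what happens when untrusted text reaches a YAML loader that honours Ruby object tags, next to the two loaders that do not. The `AuditRecord` class and the `ATTACKER_DOC` payload are constructed for the demonstration; the Rails JSON-to-YAML text conversion itself is not reproduced, only the loader behaviour it fed into.

```ruby
require 'yaml'
require 'json'

# Hypothetical application class; stands in for any class on the load path
# that an attacker could name in a !ruby/object tag.
class AuditRecord
  attr_accessor :note
end

# Constructed attacker input: a YAML document carrying a Ruby object tag.
ATTACKER_DOC = "--- !ruby/object:AuditRecord\nnote: injected\n"

# The vulnerable pattern: untrusted text reaches the permissive YAML loader,
# which honours !ruby/object tags and instantiates the named class.
# (Psych 4 / Ruby 3.1 renamed the permissive loader to unsafe_load and made
# YAML.load safe by default; older Rubies only have the permissive YAML.load.)
def load_yaml_unsafely(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# The hardened pattern: safe_load builds only scalars, arrays and hashes and
# raises Psych::DisallowedClass on any tagged object.
def load_yaml_safely(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass
  :rejected
end

# What a JSON document should go through instead: a real JSON parser, which
# has no notion of object tags, so tag-looking text is just string data.
def load_as_json(text)
  JSON.parse(text)
end

def demo
  obj = load_yaml_unsafely(ATTACKER_DOC)
  puts "permissive loader built a #{obj.class} with note=#{obj.note.inspect}"
  puts "safe loader result: #{load_yaml_safely(ATTACKER_DOC).inspect}"
  json = '{"note":"--- !ruby/object:AuditRecord"}'
  puts "JSON parser sees the tag as plain data: #{load_as_json(json).inspect}"
end

demo if $PROGRAM_NAME == __FILE__
```

The check to run against your own code base is the first function: grep for `YAML.load` on anything that came off the network, and treat every hit as a deserialization sink until proven otherwise.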

XSS Attacks Spike in Q4 2012

FireHost, a secure cloud hosting company, released statistics on Q4 2012 web application attacks last week. The report details both the type and number of attacks hitting its servers in the U.S. and Europe between October and December 2012.

FireHost reports statistics like these quarterly, with a focus on what it calls "The Superfecta", the four attack types it considers most dangerous.

FireHost reported that Cross-Site Scripting and SQL Injection attacks grew compared with the third quarter of 2012, with Cross-Site Scripting (XSS) leading the way in terms of attack types.

http://www.securityweek.com/xss-attacks-spike-q4-2012-firehost

Test your application with NTOSpider to find all possible vulnerabilities. NTOSpider produces a separate report for XSS that lets you drill into each finding and reproduce the vulnerability.

Unicode Security Testing Library

Chris Weber announced on his blog last week that he has released a small utility library, unicode-hax, on GitHub. When it comes to testing string input to find bugs or vulnerabilities, Unicode can be a tester's best friend. Strings are not simple things for software engineers; they require a lot of planning, and buffers, encodings, transmission, and storage are just a few of the concerns. Chris set out to answer some of the common questions testers ask:

  • What characters should I use for testing?
  • Which ones flip text around?
  • Which ones cause problems?
  • Which one maps to an apostrophe for SQL injection, or a less-than sign for XSS?

As Chris said, “Happy Bug Hunting!”

http://web.lookout.net/2013/01/unicode-security-testing-library.html
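As an added example of the last two questions in that list (not code from unicode-hax or from Chris's post), the following Ruby probes a handful of candidate characters for the two properties that matter most to a tester: whether NFKC normalization collapses the character to an ASCII metacharacter such as `'` or `<`, and whether it is a bidi override that reorders displayed text. The candidate set, the metacharacter table and the naive filter are constructed for the demonstration.

```ruby
# Metacharacters that matter once they survive into a SQL query or an HTML page.
METACHARS = {
  "'" => "SQL string delimiter",
  '"' => "HTML attribute delimiter",
  "<" => "HTML tag open",
  ">" => "HTML tag close",
}.freeze

# Constructed candidate characters. The fullwidth forms carry NFKC
# compatibility decompositions to ASCII; the last two are bidi controls.
CANDIDATES = {
  "\u{FF07}" => "FULLWIDTH APOSTROPHE",
  "\u{FF02}" => "FULLWIDTH QUOTATION MARK",
  "\u{FF1C}" => "FULLWIDTH LESS-THAN SIGN",
  "\u{FF1E}" => "FULLWIDTH GREATER-THAN SIGN",
  "\u{202E}" => "RIGHT-TO-LEFT OVERRIDE",
  "\u{202D}" => "LEFT-TO-RIGHT OVERRIDE",
}.freeze

# Explicit bidi embedding/override controls (LRE, RLE, PDF, LRO, RLO).
BIDI_CONTROLS = ["\u{202A}", "\u{202B}", "\u{202C}", "\u{202D}", "\u{202E}"].freeze

# The ASCII metacharacter a character becomes under NFKC, or nil if none.
def maps_to_metachar(ch)
  normalized = ch.unicode_normalize(:nfkc)
  METACHARS.key?(normalized) ? normalized : nil
end

# True for characters that reorder how surrounding text is displayed.
def flips_text?(ch)
  BIDI_CONTROLS.include?(ch)
end

# A naive input filter of the kind the probe is designed to slip past:
# it only knows about the ASCII forms of the metacharacters.
def naive_filter_blocks?(input)
  input.match?(/['"<>]/)
end

# Swaps an ASCII metacharacter in a payload for a fullwidth look-alike that
# NFKC maps back to it; returns nil if no candidate maps to that character.
def build_probe(template, ascii_char)
  fullwidth = CANDIDATES.keys.find { |c| maps_to_metachar(c) == ascii_char }
  fullwidth ? template.gsub(ascii_char, fullwidth) : nil
end

# Per-candidate verdicts, as [name, verdict] pairs.
def report
  CANDIDATES.map do |ch, name|
    mapped = maps_to_metachar(ch)
    verdict = if mapped
                "NFKC -> #{mapped.inspect} (#{METACHARS[mapped]})"
              elsif flips_text?(ch)
                "bidi override, reorders displayed text"
              else
                "no dangerous mapping"
              end
    [name, verdict]
  end
end

if $PROGRAM_NAME == __FILE__
  report.each { |name, verdict| puts "#{name}: #{verdict}" }
  probe = build_probe("' OR 1=1 --", "'")
  puts "probe passes naive filter: #{!naive_filter_blocks?(probe)}"
  puts "probe after NFKC:          #{probe.unicode_normalize(:nfkc)}"
end
```

The bug class this finds is order of operations: a filter that runs before normalization (or before a database or browser applies its own best-fit mapping) sees the harmless fullwidth form, while the component that matters sees the ASCII one.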

To avoid the pain of generating these permutations by hand, use NTOSpider, which fuzzes the application not only with Unicode characters but with several other encodings as well.

Multiple Vulnerabilities

CurvyCorners Cross Site Scripting – http://packetstormsecurity.com/files/119814
gpEasy 3.5.2 Cross Site Scripting – http://packetstormsecurity.com/files/119805
ImageCMS 4.0.0b SQL Injection – http://packetstormsecurity.com/files/119806
SonicWALL GMS 6 Arbitrary File Upload – http://packetstormsecurity.com/files/119808
Kohana Framework 2.3.3 Directory Traversal – http://packetstormsecurity.com/files/119870


Surviving the Week 1/18/13

A Lesser Cross-Site Scripting Attack Greater Than Your Regex Security

A lot of developers rely on regular expressions to protect against XSS. The following article walks through the different ways developers use regex filters and how each of them can be bypassed.
http://deadliestwebattacks.com/2013/01/14/a-lesser-xss-attack-greater-than-your-regex-security/
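As an added example (not code from the article above), here are three regex "sanitizers" of increasing ambition, a constructed set of payloads that gets past each of them, and the alternative the article argues for: encoding untrusted data on output for the context it lands in, rather than trying to recognise attacks on input. The filters and payloads are constructed for the demonstration.

```ruby
require 'cgi'

# Three regex filters of the kind found in real code bases. Each one is
# still bypassable; they only differ in which payloads they miss.
FILTERS = {
  literal_script:          /<script>/,          # exact, case-sensitive
  case_insensitive_script: /<script[^>]*>/i,    # any <script ...> tag
  any_tag:                 /<[a-z]+[^>]*>/i,    # any tag at all
}.freeze

def blocked_by?(filter_name, input)
  input.match?(FILTERS.fetch(filter_name))
end

# Constructed payloads. Each defeats at least one of the filters above.
PAYLOADS = {
  basic:             "<script>alert(1)</script>",
  mixed_case:        "<ScRiPt>alert(1)</ScRiPt>",
  event_handler:     "<img src=x onerror=alert(1)>",
  broken_tag:        "<svg/onload=alert(1)>",              # '/' for space; browsers still parse it
  attribute_context: '" autofocus onfocus=alert(1) x="',   # no '<' at all: breaks out of an attribute
}.freeze

# Names of the payloads a given filter lets through.
def bypasses(filter_name)
  PAYLOADS.reject { |_, payload| blocked_by?(filter_name, payload) }.keys
end

# The fix: context-aware output encoding. CGI.escapeHTML turns & < > " '
# into entities, so the browser can only ever render the data as text.
def render_text_node(untrusted)
  "<p>#{CGI.escapeHTML(untrusted)}</p>"
end

def render_attribute(untrusted)
  %(<input value="#{CGI.escapeHTML(untrusted)}">)
end

if $PROGRAM_NAME == __FILE__
  FILTERS.each_key { |f| puts "#{f} lets through: #{bypasses(f).inspect}" }
  puts render_text_node(PAYLOADS[:basic])
  puts render_attribute(PAYLOADS[:attribute_context])
end
```

Note that the most ambitious filter still misses the attribute-context payload, because it contains no angle bracket at all; the encoding functions neutralise every payload in the set without needing to know what an attack looks like. The quoted attribute is essential: `CGI.escapeHTML` does not protect an unquoted `value=...`.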

Our web application security scanner, NTOSpider, reports accurate and actionable results that are designed to assist in remediation efforts and to help users quickly get to the data that matters most.
http://www.ntobjectives.com/security-software/ntospider-application-security-scanner/

New Java Exploit

Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control of Windows PCs, bootleggers were already selling an exploit for a different, apparently still-unpatched zero-day vulnerability in Java.
http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

Multiple Vulnerabilities Detected

Drupal Core 6.x / 7.x Cross Site Scripting / Access Bypass – http://packetstormsecurity.com/files/119598
PHP Chart 1.0 Code Execution – http://packetstormsecurity.com/files/119582
Cydia Repo Manager Cross Site Request Forgery – http://packetstormsecurity.com/files/119584
Drupal RESTful Web Services 7.x Cross Site Request Forgery – http://packetstormsecurity.com/files/119585
Drupal Live CSS 6.x / 7.x PHP Code Execution – http://packetstormsecurity.com/files/119589
Drupal Mark Complete 7.x Cross Site Request Forgery – http://packetstormsecurity.com/files/119590
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root – http://packetstormsecurity.com/files/119638


Surviving the Week 1/4/13

SSNs, Salary Information Exposed In Breach of Army Servers


Computer hackers have illegally gained access to personal information of more than 36,000 people connected to Army commands formerly based at Fort Monmouth. An Army spokeswoman says the information includes names, birth dates, Social Security numbers, addresses and salaries.
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240145376/ssns-salary-information-exposed-in-breach-of-army-servers.html

Avoid critical hacks and scan your applications with NTOSpider (DAST) or our SaaS solution, NTOSpider On-Demand.

Researchers Find Malware Targeting Java HTTP Servers

Security researchers from antivirus vendor Trend Micro have uncovered a piece of backdoor-type malware that infects Java-based HTTP servers and allows attackers to execute malicious commands on the underlying systems. The threat, known as BKDR_JAVAWAR.JG, comes in the form of a JavaServer Page (JSP), a type of Web page that can only be deployed and served from a specialized Web server with a Java servlet container, such as Apache Tomcat.
http://www.computerworld.com/s/article/9235079/Researchers_find_malware_targeting_Java_HTTP_servers

Multiple Vulnerabilities

Guru Auction 2.0 SQL Injection – http://packetstormsecurity.com/files/119110
Polycom HDX Video End Points Cross Site Scripting – http://packetstormsecurity.com/files/119125
Log Analyzer 3.6.0 Cross Site Scripting – http://packetstormsecurity.com/files/119130
SonicWall Email Security 7.4.1.x Cross Site Scripting – http://packetstormsecurity.com/files/119131
WordPress Asset-Manager PHP File Upload – http://packetstormsecurity.com/files/119133

UN Site Hacked

A United Nations website was recently hacked.
http://www.un.org.sn/tmp/x.htm

Microsoft Releases Fix It Tool to Address IE Security Zero-Day

The Fix It tool is aimed at addressing a vulnerability discovered in the wild roughly a week ago. According to Microsoft, the issue affects IE versions 6, 7 and 8. Internet Explorer 9 and 10 are not impacted.
http://www.securityweek.com/microsoft-releases-fix-it-tool-address-ie-security-zero-day


Surviving the Week 12/28/12

The 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition

The business logic abuse scenarios presented by the Ponemon Institute are web scraping, account hijacking, click fraud, botnets causing denial of service, electronic wallet exploitation, coupon abuse, testing stolen credit cards, mobile device malware used to take over customer accounts, app store/marketplace fraud, and mass registration.
http://www.clerkendweller.com/2012/12/14/Protection-Against-Business-Logic-Attacks

NT OBJECTives provides a white paper on “Attacking and Exploiting the Top 10 Business Logic Attack Vectors” at – http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper/

Tool to Decrypt TruCrypt and PGP

ElcomSoft has built a utility that combs for encryption keys in snapshots of a PC’s memory to decrypt PGP and TrueCrypt-protected data.

ElcomSoft's tool extracts these decryption keys from a copy of the computer's memory, typically captured with a forensic tool or acquired over FireWire.
http://www.theregister.co.uk/2012/12/20/elcomsoft_tool_decrypts_pgp/

Croatian Banks Hacked by Anonymous

The Anonymous Croatia hacking crew defaced the websites of two Croatian banks: Karlovacka Banka and Samoborska Banka.

The hackers left a message saying: “We are Anonymous. We don’t forgive. We don’t forget. You were stealing enough from people. Soon the other banks will fall”.
http://thehackernews.com/2012/12/croatian-banks-hacked-by-anonymous.html


Security Researchers Identify Malware Infecting U.S. Banks

Security researchers from Symantec have identified an information-stealing Trojan program that was used to infect computer servers belonging to various U.S. financial institutions.

Dubbed Stabuniq, the Trojan program was found on mail servers, firewalls, proxy servers, and gateways belonging to U.S. financial institutions, including banking firms and credit unions, Symantec software engineer Fred Gutierrez said Friday in a blog post.
http://www.pcworld.com/article/2023253/security-researchers-identify-malware-infecting-u-s-banks.html

3,000,000 Verizon Wireless Accounts Leaked

A report surfaced this week that Verizon Wireless, a major U.S. mobile carrier, had been breached, with three million customer accounts compromised. While the number may seem large, it represents a small fraction of the company's user base.
http://betanews.com/2012/12/23/3-million-verizon-accounts-stolen-qa-with-the-person-claiming-to-be-behind-it/



Surviving the Week 12/21/12

HTML5 Definition Complete, W3C Moves to Interoperability Testing and Performance


The fifth revision of HTML is regarded as the future of the web markup language, and the long-awaited specification has reached a stable definition. This week, W3C published the complete definition of the HTML5 and Canvas 2D specifications as Candidate Recommendations and moved on to interoperability and performance testing. – http://www.w3.org/2012/12/html5-cr

Multiple Vulnerabilities During the Week

Joomla ZtAutoLink Local File Inclusion – http://packetstormsecurity.org/files/118944
Kiwi Syslog Web Access 1.4.4 SQL Injection – http://packetstormsecurity.org/files/118945
Free Hosting Manager 2.0.2 Cross Site Scripting – http://packetstormsecurity.org/files/118934
Banana Dance B.2.6 Inclusion / Access Control / SQL Injection – http://packetstormsecurity.org/files/118964
Elite Bulletin Board 2.1.21 SQL Injection – http://packetstormsecurity.org/files/118962
Drupal Core 6.x / 7.x Access Bypass / Code Execution – http://packetstormsecurity.org/files/118960
SurgeFTP Remote Command Execution – http://packetstormsecurity.org/files/118958
Cerberus FTP Server Cross Site Scripting – http://packetstormsecurity.org/files/118956
TWiki 5.1.2 Command Execution – http://packetstormsecurity.org/files/118856
D-Link DCS-9xx Password Disclosure – http://packetstormsecurity.org/files/118850
Centreon 2.3.x SQL Injection – http://packetstormsecurity.org/files/118830
phpwcms 1.5.4.6 Remote Code Execution – http://packetstormsecurity.org/files/118890


Surviving the Week 12/14/12, Most Healthcare Organizations Suffered Data Breaches

Most Healthcare Organizations Suffered Data Breaches

Two separate reports released this week show the critical condition of U.S. healthcare organizations and hospitals when it comes to data breaches, with 94 percent of healthcare organizations hit by at least one data breach and close to half suffering more than five breaches in the past two years.
Use NTOSpider (DAST) or our SaaS solution, NTOSpider On-Demand, to scan your applications.

http://www.darkreading.com/risk-management/167901115/security/attacks-breaches/240144006/most-healthcare-organizations-suffered-data-breaches.html


Tutorial on SQLi Labs

SQL injection remains one of the most damaging attacks a web application can face. This tutorial is a good starting point for understanding it.
http://resources.infosecinstitute.com/tutorial-on-sqli-labs/

SQL Injection cheat sheet – http://www.ntobjectives.com/go/sql-injection-cheat-sheet/
Also, our free tool, NTO SQL Invader, helps exploit SQLi vulnerabilities. http://www.ntobjectives.com/research/free-application-security-tools/


Microsoft Security Bulletin Summary for December, 2012

Microsoft's final Patch Tuesday of 2012 fixes five critical vulnerabilities. Patch your Microsoft products. Details can be found at: http://packetstormsecurity.org/files/118772


Multiple Vulnerabilities

Splunk 5.0 Custom App Remote Code Execution – http://packetstormsecurity.org/files/118697
Achievo 1.4.5 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118673
ClipBucket 2.6 Revision 738 SQL Injection – http://packetstormsecurity.org/files/118672
IBM System Director Agent DLL Injection – http://packetstormsecurity.org/files/118669
Maxthon / Avant Browser XCS / Same Origin Bypass – http://packetstormsecurity.org/files/118668
m0n0wall 1.33 Cross Site Request Forgery – http://packetstormsecurity.org/files/118652


Surviving the Week 12/7/12, PayPal Fixes Trio of Remote-Access Vulnerabilities

Detecting Successful XSS Testing with JS Overrides with ModSecurity

The following link demonstrates a proof of concept that uses ModSecurity to inject defensive JavaScript into response pages. The script identifies when a browser executes certain code and sends a beacon alert back to the web server, so a successful XSS test is detected on the server side. NTODefend helps you generate rules for the vulnerabilities detected by NTOSpider.
http://blog.spiderlabs.com/2012/11/detecting-successful-xss-testing-with-js-overrides.html

Attacks – in 2012 & 2013

10 Top Government Data Breaches Of 2012
SQL injection, post-phishing privilege escalation, and poorly secured back-up information all played their part in exposing sensitive government data stores this year.

http://www.darkreading.com/database-security/167901020/security/news/240142846/10-top-government-data-breaches-of-2012.html

Here is a list of the expected "Top 5 security threats for 2013":
http://www.net-security.org/secworld.php?id=14033

PayPal Fixes Trio of Remote-Access Vulnerabilities


PayPal has repaired three remote-access vulnerabilities found in different areas of its website, including a cross-site scripting (XSS) flaw on its PayPal Community Forum. All three flaws were submitted to PayPal’s Bug Bounty Program.
https://threatpost.com/en_us/blogs/paypal-fixes-trio-remote-access-vulnerabilities-112912


Surviving the Week 11/30/12, Multiple Instances of Hacking


In the United Kingdom, attackers tampered with the price of goods on retail websites before trying to buy the items with stolen credit cards. Several online companies were able to stop these attacks. Law enforcement is urging businesses to ensure that their online security is up to date.
http://www.itv.com/news/granada/update/2012-11-21/website-hacked-changing-online-prices-to-1p/
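The price-tampering attack in that story is a business logic flaw rather than an injection bug, so a scanner's injection checks will not find it. As an added example (not code from any of the sites involved), here is the vulnerable checkout pattern beside a hardened one: the first totals whatever unit price the browser sends back, the second looks the price up by SKU and rejects any request whose client-supplied price disagrees. The catalog, the `TamperedCart` error and the request are constructed for the demonstration.

```ruby
# Constructed catalog standing in for the shop's product database.
CATALOG = {
  "SKU-100" => { name: "Headphones", price_pence: 4999 },
  "SKU-200" => { name: "Laptop",     price_pence: 89900 },
}.freeze

# Raised for any cart line the server cannot vouch for.
class TamperedCart < StandardError; end

# Vulnerable checkout: trusts the unit price echoed back from the form.
# Reposting the form with price_pence=1 buys the laptop for a penny.
def checkout_vulnerable(cart_params)
  cart_params.sum { |item| item["price_pence"].to_i * item["qty"].to_i }
end

# Hardened checkout: the price comes from the catalog, never from the
# client. A client-supplied price that disagrees is treated as tampering
# and rejected rather than quietly corrected, so the attempt gets logged.
def checkout_hardened(cart_params)
  cart_params.sum do |item|
    sku = item["sku"]
    product = CATALOG.fetch(sku) { raise TamperedCart, "unknown sku #{sku.inspect}" }
    qty = (Integer(item["qty"]) rescue 0)
    raise TamperedCart, "bad quantity for #{sku}" unless qty.positive?
    if item.key?("price_pence") && item["price_pence"].to_i != product[:price_pence]
      raise TamperedCart, "price mismatch for #{sku}"
    end
    product[:price_pence] * qty
  end
end

# Constructed request: the attacker reposted the form with the laptop at 1p.
TAMPERED_REQUEST = [
  { "sku" => "SKU-200", "qty" => "1", "price_pence" => "1" },
].freeze

if $PROGRAM_NAME == __FILE__
  puts "vulnerable total: #{checkout_vulnerable(TAMPERED_REQUEST)}p"
  begin
    checkout_hardened(TAMPERED_REQUEST)
  rescue TamperedCart => e
    puts "hardened checkout rejected the order: #{e.message}"
  end
end
```

The same rule covers every hidden-field variant of this attack: quantity, discount, shipping tier and currency all belong to the server's record of the cart, and anything the form sends back is at most a reference into that record.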

Google.pk, Yahoo.pk, Apple.pk, Microsoft.pk and 275 other Pakistan websites were hacked.
http://techcrunch.com/2012/11/24/hacking-for-the-sake-of-it-eboz-downed-google-apple-300-other-pakistani-sites-and-many-more-just-to-show-it-can/

DreamHost, the popular web hosting company was breached over the long holiday weekend.
https://www.novainfosec.com/2012/11/26/dreamhost-breached/

Test your application with NTOSpider. NTOSpider uses Universal Translator technology that can automatically crawl, detect and attack vulnerabilities that were previously only discoverable by manual testing.

Half of Companies Unaware of Most Current Threats

According to a Kaspersky survey, half of companies are not aware of the security threats they may face. Some 31 percent of respondents admitted they had never heard of any of the recent cyber-epidemics that pose direct threats to their organizations. Our NTOSpider On-Demand service scans your applications, with experts verifying the results of each scan.
http://www.kaspersky.com/downloads/pdf/kaspersky_global_it-security-risks-survey_report_eng_final.pdf

Multiple Vulnerabilities

Greenstone XSS / Password Disclosure / Log Forging – http://packetstormsecurity.org/files/118323
PRADO PHP Framework 3.2.0 File Read – http://packetstormsecurity.org/files/118348
SmartCMS SQL Injection – http://packetstormsecurity.org/files/118349
EMC Smarts Network Configuration Manager Bypass – http://packetstormsecurity.org/files/118358
Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow – http://packetstormsecurity.org/files/118359


Surviving the Week 11/23/12, PCI Security Standards Council Adds Guidelines

PCI Security Standards Council Adds Guidelines for Data Security Standards Risk Assessment


PCI Security Standards Council released guidelines for DSS risk assessment. There are three key recommendations:

  1. Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization.
  2. A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner.
  3. Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls).

NTOSpider with Universal Translator Technology generates reports according to the PCI Data Security Standards to help you find security vulnerabilities which violate PCI controls. Test your application with NTOSpider. Request a free trial today.

Full PCI DSS guidelines can be accessed at: https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf


New Version of Chrome is Released

Google released Chrome version 23.0.1271.64 for Windows, Mac, Linux, and Chrome Frame this week. Some interesting new features for Privacy and Security in the release along with some security fixes.
http://thehackernews.com/2012/11/chrome-23-released-14-vulnerabilities.html


Interesting Stats on Cyber Attacks

A couple of studies show an increase in cyber attacks. NCC Group estimates that more than 1 billion hacking attempts will take place in the final quarter of 2012.
http://thenextweb.com/insider/2012/11/12/hacking-attempts-to-pass-one-billion-in-final-quarter-of-2012-claims-information-assurance-firm/

In another report, Websense Security Labs predicts the top 7 cyber security attacks of 2013.

http://www.equities.com/news/headline-story?cat=tech&dt=2012-11-13&val=702635


Multiple Vulnerabilities

ManageEngine ServiceDesk 8.0 Cross Site Scripting – http://packetstormsecurity.org/files/118277
dotProject 2.1.6 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118274
Yii Framework 1.1.8 Search SQL Injection – http://packetstormsecurity.org/files/118252
TP-LINK TL-WR841N 3.13.9 Cross Site Scripting – http://packetstormsecurity.org/files/118237
SonicWALL CDP 5040 6.x Cross Site Scripting – http://packetstormsecurity.org/files/118233
WordPress FireStorm Real Estate 2.06.08 SQL Injection – http://packetstormsecurity.org/files/118232
Apple QuickTime 7.7.2 Buffer Overflow – http://packetstormsecurity.org/files/118231
Manage Engine Exchange Reporter 4.1 Cross Site Scripting – http://packetstormsecurity.org/files/118203
Omni-Secure 5 / 6 / 7 Remote File Disclosure – http://packetstormsecurity.org/files/118202
Skype Account Service Session Token Bypass – http://packetstormsecurity.org/files/118199


Surviving the Week 11/16/12, Not a Great Week for Password Protection

Not a Great Week for Password Protection

Earlier in the week, Twitter forced some users to change their passwords after a suspected compromise. Later in the week, a password-reset vulnerability was disclosed in Microsoft's Skype, the most widely used messenger. The vulnerability allowed an attacker to change the username and password of a victim's Skype account knowing only their email address. Early Friday, Microsoft said the vulnerability had been resolved.

Information about the attack description – http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address
Information about the patch – http://abcnews.go.com/Technology/skype-fixes-password-reset-security-hole/t/story?id=17718868

ModSecurity Rules Are Out

ModSecurity, one of the most widely used open source web application firewalls, released updated rules. Download the rules at – http://www.modsecurity.org/download/

One of the unique features of NTOSpider is that it lets users generate rules for different WAFs, including ModSecurity, Snort and Imperva. These rules can be imported into the WAF to temporarily block the vulnerabilities NTOSpider detects while the code is fixed.

Multiple Vulnerabilities

Vulnerabilities have been disclosed in some major applications, including WordPress, Drupal and Oracle. The following list contains advisories for the vulnerabilities disclosed in the past week.

WordPress Kakao Theme SQL Injection – http://packetstormsecurity.org/files/118008
WordPress Eco-Annu SQL Injection – http://packetstormsecurity.org/files/118007
WordPress 3.3.1 swfupload.swf Cross Site Scripting – http://packetstormsecurity.org/files/118009
netOffice Dwins 1.4p3 SQL Injection – http://packetstormsecurity.org/files/118010
BananaDance Wiki b2.2 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118027
Java Applet JAX-WS Remote Code Execution – http://packetstormsecurity.org/files/118040
MYREphp Vacation Rental Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118088
dotProject 2.1.6 Remote File Inclusion – http://packetstormsecurity.org/files/118101
Narcissus Remote Command Execution – http://packetstormsecurity.org/files/118102
ReciPHP 1.1 SQL Injection – http://packetstormsecurity.org/files/118103
BabyGekko 1.2.2e XSS / LFI / SQL Injection  – http://packetstormsecurity.org/files/118104
MYRE Realty Manager XSS / SQL Injection – http://packetstormsecurity.org/files/118105
Bugzilla Information Leak / Cross Site Scripting – http://packetstormsecurity.org/files/118106
Drupal RESTful Web Services 7.x Cross Site Request Forgery – http://packetstormsecurity.org/files/118108
Drupal Smiley / Smileys 6.x Cross Site Scripting – http://packetstormsecurity.org/files/118109
Friendsinwar FAQ Manager XSS / SQL Injection – http://packetstormsecurity.org/files/118110
iDev Rentals 1.0 Cross Site Scripting – http://packetstormsecurity.org/files/118111
Drupal Chaos Tool Suite 6.x Cross Site Scripting – http://packetstormsecurity.org/files/118114
Drupal Table Of Contents 6.x Access Bypass – http://packetstormsecurity.org/files/118115
Oracle Database Client System Analyzer Arbitrary File Upload – http://packetstormsecurity.org/files/118119