Category Archives: Surviving The Week

Weekly collection of the top news/stories/articles/blog_posts related to application security. These may not always be the big headlines or directly focused on application security, but they will be the items that interested me the most, and hopefully will be of interest to my readers. Great replacement for Jeremiah’s defunct “Best of Application Security” series.


Surviving the Week 11/9/12, NBC and Coca Cola hacked this week

A couple of major hacks this week – NBC and Coca Cola

A number of NBC sites were hacked this week. There is no official news on what attack was used. Test your application with NTOSpider to find possible vulnerabilities and avoid downtime –
NBC Hack – http://www.theverge.com/2012/11/4/3598998/nbc-snl-hacked
Coca Cola Hack – http://www.networkworld.com/community/node/81739

Barnes & Noble Customers File Lawsuits After Breach

Another instance of lawsuits after hacking incident. Victims of a PIN pad tampering incident, which compromised customer information at dozens of Barnes & Noble stores, have filed three class-action lawsuits against the nation’s largest book retailer.
http://www.scmagazine.com/barnes-noble-customers-file-lawsuits-after-breach/article/267227/

Experts Find DOM XSS Flaw in “+1” Button of Google Plus

Security researchers from Minded Security have identified a DOM-based cross-site scripting (XSS) vulnerability in the +1 button of the Google Plus social network. Test your application with NTOSpider to find possible security vulnerabilities.
http://news.softpedia.com/news/Experts-Find-DOM-XSS-Flaw-in-1-Button-of-Google-Plus-Video-304533.shtml

Singaporeans Get Hard Token Baked Into Credit Card

Standard Chartered Bank’s local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token. MasterCard calls the device a ‘Display Card’ and says it includes “an embedded LCD display and touch-sensitive buttons”.
http://www.theregister.co.uk/2012/11/08/hard_token_in_credit_card/


Surviving the Week 11/2/12, Ford website hacked by NullCrew

We’re a bit late this week on our Surviving the Week post, because we’ve been busy with our recent product launch of NTOSpider 6.

During the month of October, I spoke at HouSecCon, ToorCon and OWASP AppSec USA with an emphasis on why newer technologies, like REST, AJAX, JSON and GWT, create challenges for modern web scanners and how security professionals can determine if scanners are effectively scanning and attacking them.

18 of 24 Major Federal Agencies Have Reported Inadequate Information Security Controls – GAO Report

The U.S. Government Accountability Office (GAO) found in its August 2012 report that “18 of 24 major federal agencies have reported inadequate information security controls,” and “inspectors general at 22 of these agencies identified information security as a major management challenge for their agency.” And in its September 2012 report on mobile security, GAO found that malware aimed at mobile devices alone has risen 185% in less than a year. Talk about scary.

The newest version of our web application security scanner, NTOSpider 6, includes Universal Translator Technology which has the ability to understand the new formats, protocols and development technologies being used in today’s mobile and modern browser-based applications.
http://gov.aol.com/2012/10/22/gao-report-cybersecurity/

Ford Website Hacked by NullCrew, User Credentials Leaked Online


The hackers claim to have leveraged a SQL Injection vulnerability in order to gain access to the databases behind the social.ford.com subdomain. As a result of the breach, database and table names, customer usernames – represented by email addresses – and encrypted passwords have been leaked. Test your application with NTOSpider to find security vulnerabilities including SQL Injection.

http://news.softpedia.com/news/Ford-Website-Hacked-by-NullCrew-User-Credentials-Leaked-Online-302688.shtml

To test SQL Injection further, you can use our free tool, SQL Invader. Details of NTO SQL Invader can be found at
http://www.ntobjectives.com/go/nto-sql-invader-free-download/

South Carolina Hit in Massive Cyberattack – 3.6 Million Tax Payers Exposed

On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers. Six days later, investigators uncovered two attempts to probe the system in early September, as well as a previous attempt that was made in late August. In mid-September, two other intrusions occurred that authorities believe were the first times the intruder or intruders obtained data. No other intrusions have been uncovered at this time, and on Oct. 20, the vulnerability in the system was closed, according to the DOR.
http://www.securityweek.com/south-carolina-hit-massive-cyberattack

US and Canada Launch Joint Cybersecurity Plan

Canada and the United States announced Friday they were launching a joint cybersecurity plan to protect their digital infrastructure from online threats. The action plan, under the auspices of the US Department of Homeland Security and Public Safety Canada, aims to better protect critical digital infrastructure and improve the response to cyber incidents.
http://www.securityweek.com/us-canada-launch-joint-cybersecurity-plan

On Cybersecurity, Small Businesses Flirting with Disaster

U.S. small businesses are hiding behind the belief they have done enough to secure themselves against hackers and malware when in reality many are vulnerable to attacks that could doom their businesses, according to a recent survey. The survey, sponsored by the National Cyber Security Alliance (NCSA) and Symantec, found that 77% of 1,015 small businesses think they are safe from cyber attacks. The survey defines a small business as a company with fewer than 250 employees. Use NTOSpider on-demand to test your application. NTOSpider on-demand allows small and medium businesses to scan their applications effectively without requiring any security staff. Our consulting team can help you verify the scan results.
http://www.zdnet.com/on-cybersecurity-small-businesses-flirting-with-disaster-survey-finds-7000005891/

A number of XSS, SQL Injection, File Include and other high-risk vulnerabilities in some very commonly used platforms/applications

Drupal Time Spent 6.x / 7.x XSS / CSRF / SQL Injection – http://packetstormsecurity.org/files/117660

Drupal MailChimp 7.x Cross Site Scripting – http://packetstormsecurity.org/files/117666

WordPress GRAND Flash Album Gallery SQL Injection / Disclosure / File Overwrite – http://packetstormsecurity.org/files/117665

WordPress Easy Webinar Blind SQL Injection – http://packetstormsecurity.org/files/117706

WordPress FoxyPress 0.4.2.5 XSS / CSRF / SQL Injection – http://packetstormsecurity.org/files/117768

NASA Tri-Agency Climate Education (TrACE) 1.0 XSS – http://packetstormsecurity.org/files/117692

NASA Tri-Agency Climate Education (TrACE) 1.0 SQL Injection – http://packetstormsecurity.org/files/117693

Joomla Quiz Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117770

Oracle Java Font Processing “maxPointCount” Heap Overflow – http://packetstormsecurity.org/files/117659

VaM Shop 1.69 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117649

ClanSphere 2011.3 Local File Inclusion / Remote Code Execution – http://packetstormsecurity.org/files/117655

Inout Article Base Ultimate SQL Injection / CSRF – http://packetstormsecurity.org/files/117656

Bitweaver 2.8.1 Cross Site Scripting / Local File Inclusion – http://packetstormsecurity.org/files/117668

Inventory 1.0 SQL Injection – http://packetstormsecurity.org/files/117682

Layton Helpbox 4.4.0 SQL Injection – http://packetstormsecurity.org/files/117684

Layton Helpbox 4.4.0 Stored Cross Site Scripting – http://packetstormsecurity.org/files/117688

Layton Helpbox 4.4.0 Cross Site Scripting – http://packetstormsecurity.org/files/117690

VicBlog Path Disclosure / SQL Injection – http://packetstormsecurity.org/files/117709

Gramophone 0.01b1 Cross Site Scripting – http://packetstormsecurity.org/files/117710

TP-LINK TL-WR841N Local File Inclusion – http://packetstormsecurity.org/files/117749

NetCat CMS 5.0.1 Cross Site Scripting / HTTP Parameter Pollution – http://packetstormsecurity.org/files/117772

Citrix XenServer 6.0.2 Privilege Escalation – http://packetstormsecurity.org/files/117767

PG Dating Pro CMS 1.0 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117771

Endpoint Protector 4.0.4.2 Cross Site Scripting – http://packetstormsecurity.org/files/117765



Surviving the Week 10/26/12, XSS reported as most frequent attack type

Redirect flaw on .gov sites leaves open door for phishers

At least 20,000 users have fallen victim to a spam campaign that uses shortened links to legitimate government sites to carry out a hoax. In the scams, users receive emails containing “1.usa.gov” short links and are redirected twice upon clicking — first, immediately past a legitimate government site, then to websites that look like CNBC news articles touting “$4,000 a month” home-based business opportunities. NTOSpider’s external resources report shows how many external URLs your application points to. Scan your application with NTOSpider to find all possible vulnerabilities in the application –
http://www.scmagazine.com/redirect-flaw-on-gov-sites-leaves-open-door-for-phishers/article/264520/
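The “open door” in this story is a redirect that forwards the browser wherever its parameter says. As an added example (not from the article and not NTOSpider code), here is the server-side check a redirect endpoint should apply before emitting a Location header, in Python 3. The allow-list ALLOWED_HOSTS and the origin OWN_ORIGIN are hypothetical. Relative paths are resolved against the site’s own origin; anything that would land on another host is rejected, including scheme-relative //host forms, backslash variants, userinfo tricks, and non-HTTP schemes.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

# Hypothetical allow-list and origin; substitute your own site's hosts.
ALLOWED_HOSTS = {"example.gov", "www.example.gov"}
OWN_ORIGIN = "https://example.gov/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, base=OWN_ORIGIN):
    """Validate a user-supplied redirect target before putting it in Location.

    Returns the absolute URL to redirect to, or None when the target would send
    the browser to a host outside allowed_hosts (or is not http/https at all).
    """
    # Browsers treat backslashes as forward slashes in URLs, so "/\evil.example"
    # is really a scheme-relative reference to another host; normalise first.
    cleaned = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return None

    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return None  # javascript:, data:, custom handlers such as steam://
        if "@" in parts.netloc or not parts.hostname:
            return None  # userinfo tricks such as https://example.gov@evil.example
        if parts.hostname.lower() not in allowed_hosts:
            return None
        # Rebuild rather than echo the input, so the browser sees exactly what we checked.
        return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                           parts.path or "/", parts.query, parts.fragment))

    if parts.netloc:
        return None  # "//evil.example/x": no scheme, but it still names a host

    # A genuinely relative reference: resolve it against our own origin.
    return urljoin(base, cleaned)


if __name__ == "__main__":
    for candidate in ("/account/settings", "//evil.example/x", "/\\evil.example",
                      "https://example.gov@evil.example/", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The validator returns a rebuilt URL rather than the caller’s string so that whatever the browser follows is the value that was actually checked.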

FireHost Q3 Web Application Report — XSS Attacks Lead Pack As Most Frequent Attack Type

Cloud hosting company FireHost has announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost’s customers between July and September and offers an impression of the current internet security climate as a whole. The top 4 attacks that come out of the report are Cross-site Scripting (XSS), Directory Traversal, SQL Injection, and Cross-site Request Forgery (CSRF). One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks; in particular, XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increase in penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost’s servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517. Test your application with NTOSpider to find possible vulnerabilities in your application –
http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html

Adobe Pushes Security Updates For Shockwave Player

Adobe updated Adobe Shockwave Player 11.6.7.637 and earlier versions on Windows and Mac OS X to close vulnerabilities that could allow an attacker to run malicious code on the affected system. The patch fixed five buffer overflow vulnerabilities and an array out of bounds vulnerability in the software. Adobe generally does not provide a lot of information in its bulletins about the vulnerabilities beyond CVE numbers (CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-4176, CVE-2012-5273).
http://www.securityweek.com/adobe-pushes-security-updates-shockwave-player

snuck – Another tool to automate XSS Filter bypass

snuck is an automated tool that may definitely help in finding XSS vulnerabilities in web applications. It is based on Selenium and supports Mozilla Firefox, Google Chrome and Internet Explorer. The approach it adopts is based on inspecting the reflection context of the injection and relies on a set of specialized and obfuscated attack vectors for filter evasion. In addition, XSS testing is performed in-browser: a real web browser is driven to reproduce the attacker’s behavior and possibly the victim’s.
http://code.google.com/p/snuck/

Android Developers – How Much Can We Trust?


A team of German academics has published a very detailed paper about web security on the Android platform. The paper is titled “Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security” and can be found at http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf.

The paper is well worth the read for a much better description of their study. To summarize some of the findings: the authors downloaded 13,500 apps from the Google Play store, those with the top download counts. Then they looked at apps that use HTTPS. Of those, 790 apps implemented SSL but would accept any certificate. 284 of the apps would accept a certificate if it was signed by any approved CA but did not check which site it was issued for. Another noted problem with certificate acceptance is that the apps generally provided no visual indication that SSL was being used.

All in all, the cumulative install base of confirmed vulnerable apps within this 13,500 sample lies between 39.5 and 185 million devices. Take the time to read the paper in its entirety.
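To make the two failure classes the paper counts concrete, here is an added Python 3 illustration (not code from the paper, and not NT OBJECTives code) of what a client is supposed to verify. The certificate dict and host names are constructed; SAMPLE_CERT has the shape that ssl.SSLSocket.getpeercert() returns. make_context shows the standard-library ssl settings that correspond to “accept any certificate” (the 790-app class), “valid chain but no hostname check” (the 284-app class), and full verification, and hostname_matches is the check the 284 apps skipped, written out with RFC 6125 style wildcard rules.

```python
import ssl

# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns.
# It is valid for api.example.com and any single-label host under cdn.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.cdn.example.com")),
}


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname (RFC 6125 style wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard, it must sit under at least
    # two more labels, and it never spans a dot: *.cdn.example.com does not
    # match cdn.example.com or a.b.cdn.example.com.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """The check the 284 apps skipped: is this certificate issued for this host?"""
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(name, hostname) for name in sans)
    # No DNS SANs: fall back to the subject commonName, as older clients did.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def make_context(level):
    """Build an SSLContext at one of the three verification levels the study found."""
    ctx = ssl.create_default_context()  # strict: CERT_REQUIRED plus hostname check
    if level == "trust-all":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # the 790-app class: any certificate is accepted
    elif level == "ca-only":
        ctx.check_hostname = False  # the 284-app class: valid chain, wrong host unnoticed
    elif level != "strict":
        raise ValueError("unknown level: %s" % level)
    return ctx


def classify_context(ctx):
    """Label a context by the validation it will actually perform on connect()."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "trust-all"
    if not ctx.check_hostname:
        return "ca-only"
    return "strict"


if __name__ == "__main__":
    for host in ("api.example.com", "static.cdn.example.com", "evil.example.com"):
        print(host, hostname_matches(SAMPLE_CERT, host))
    for level in ("trust-all", "ca-only", "strict"):
        print(level, classify_context(make_context(level)))
```

A context that reports “ca-only” is the subtle case: the chain validates, so nothing looks broken in testing, yet any certificate any trusted CA ever issued will be accepted for the connection.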


Surviving the Week 10/19/12

Security Flaw Found in Steam

Hackers could have a new means of accessing your computer through a browser command that uses Valve’s software distribution system Steam. When your browser accesses a URL that begins with the command “steam://”, it will prompt your copy of steam to launch and perform some operation. Usually, such an operation would be to launch a game, or install or uninstall software. http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf

Pacemaker Hacker Says Worm Could Possibly ‘Commit Mass Murder’

At the Ruxcon BreakPoint security conference in Melbourne, Barnaby Jack showed how an attacker with a laptop, located up to 50 feet from a victim, could remotely hack a pacemaker and deliver an 830-volt shock. In the talk, named “mass murder, Windows exploits, hacking Apple and owning spy agencies,” he was just one presenter, and he showed a video that he doesn’t want released to the public since the manufacturer would be named. http://blogs.computerworld.com/cybercrime-and-hacking/21163/pacemaker-hacker-says-worm-could-possibly-commit-mass-murder

“White Hat” Hackers Gathered in Houston to Talk Strategy

The 3rd annual HouSecCon took place a week ago. With attendance up 40% from 2011, it was exciting to be a part of this growing event. I was invited to speak again this year, with “Get off your AMF and don’t REST on JSON”. My mobile web app sec talk went over really well at the conference. So well, in fact, that the local FOX 26 network highlighted the current state of mobile web application security in its 5 o’clock broadcast. http://www.myfoxhouston.com/story/19799259/2012/10/11/white-hat-hackers-gather-in-houston-to-talk-strategy


Can Science Stop Crime?

University of Washington computer scientist Tadayoshi Kohno (@yoshi_kohno) was featured in PBS’s NOVA scienceNOW on Wednesday (October 17) for his work that shows how easy it is for a bad guy to hijack not just your laptop but your kids’ toys, medical devices, even your car. http://www.pbs.org/wgbh/nova/tech/can-science-stop-crime.html

The Cloud is a Scary Place

Security lapses in XSS, CSRF, SQLi, or authentication bypass are not always easy to uncover for cloud companies such as Paypal, Facebook, Mozilla, Google, and Twitter. With bug bounties in place, the opportunity to discover security vulnerabilities can offer significant gain for white hats. http://www.zdnet.com/hacking-google-the-three-israeli-white-hats-rooting-out-the-webs-security-holes-7000005542/


Surviving the Week 10/12/12, The cloud is a scary place

The Cloud is a Scary Place


Security lapses in XSS, CSRF, SQLi, or authentication bypass are not always easy to uncover for cloud companies such as Paypal, Facebook, Mozilla, Google, and Twitter. But with bug bounties in place, the opportunity to discover security vulnerabilities can offer significant gain for white hats all over the world.

SQL Invader is a free tool from NT OBJECTives that gives you the ability to quickly and easily exploit or demonstrate SQL Injection vulnerabilities in web applications.

http://www.zdnet.com/hacking-google-the-three-israeli-white-hats-rooting-out-the-webs-security-holes-7000005542/

“White Hat” Hackers Gather in Houston to Talk Strategy

The 3rd annual HouSecCon took place this week. With attendance up 40% from 2011, it was exciting to be a part of this growing event. I was invited to speak again this year. My topic: “Get off your AMF and don’t REST on JSON”.

My mobile web app sec talk went over really well at the conference. So well, in fact, that the local FOX 26 News highlighted the current state of mobile web application security in its 5 o’clock broadcast.
http://www.myfoxhouston.com/story/19799259/2012/10/11/white-hat-hackers-gather-in-houston-to-talk-strategy

Can Science Stop Crime?

University of Washington computer scientist Tadayoshi Kohno (@yoshi_kohno) will be featured in PBS’s NOVA scienceNOW on Wednesday (October 17) for his work that shows how easy it is for someone to hijack not just your laptop but your kids’ toys, medical devices, even your car.
http://www.pbs.org/wgbh/nova/tech/can-science-stop-crime.html


Surviving the Week 10/5/12, Enterprises Struggle With Business Logic Attacks, Survey Finds

Enterprises Struggle With Business Logic Attacks, Survey Finds

A new survey emphasizes how business logic attacks can slip under the radar of development teams and cost enterprises time and money. More than 600 IT professionals were included in the survey. According to the survey, 88 percent said business logic abuse is equally or more important than any other security issue facing their company today.
http://www.securityweek.com/enterprises-struggle-business-logic-attacks-survey-finds

NT OBJECTives recently addressed the top 10 business logic flaws in this helpful white paper, “Attacking and Exploiting the Top 10 Business Logic Attack Vectors”.
http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper

TypeScript Is Microsoft’s Attempt At Making JavaScript Application Development Easier

JavaScript has been one of the core technologies of HTML5. Microsoft has been aggressively pushing HTML5 in Internet Explorer 10. So what happens when you take Microsoft’s desire to create another proprietary programming language and their insistence on HTML5? You get TypeScript, the company’s own version of JavaScript.
http://www.webpronews.com/typescript-is-microsofts-answer-to-javascript-2012-10

What are the challenges with SAST that don’t need a better engine

Many people, CIOs included, are under the impression that SAST can solve all the problems in security. Here is a list of problems with SAST engines which have nothing to do with the core engine – http://diniscruz.blogspot.in/2012/10/what-are-challenges-with-sast-that-dont.html

Web security protocol HSTS wins proposed standard status

A Web security protocol designed to protect Internet users from Internet hijacking of unencrypted web sites has won approval as a proposed standard. A steering group for the Internet Engineering Task Force (IETF) gave its blessing to a draft of HTTP Strict Transport Security (HSTS), an opt-in security enhancement in which Web sites prompt browsers to always interact over a secure connection.
http://news.cnet.com/8301-1009_3-57524915-83/web-security-protocol-hsts-wins-proposed-standard-status/
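To make the “opt-in enhancement” concrete, here is an added Python 3 example (not from the CNET article and not from the IETF document itself) that parses a Strict-Transport-Security header value and models what a conforming browser does with it under RFC 6797: honour it only over TLS, require max-age, reject a header that repeats a directive, process only the first STS field, and treat max-age=0 as an instruction to forget the host. The sample responses are constructed.

```python
import re

# One directive: a name, optionally "=" and a (possibly quoted) value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2)?\s*$')


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns a policy dict, or None when the header is malformed and must be ignored.
    """
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty slots such as a trailing ";" are tolerated
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive may appear at most once
        seen[name] = m.group(3)
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a plain decimal
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def hsts_decision(scheme, headers):
    """Model what a conforming user agent does with a response's STS header.

    scheme is "http" or "https"; headers is a list of (name, value) pairs.
    """
    if scheme != "https":
        # Section 8.1: the header is honoured only on a secure, error-free connection,
        # otherwise a network attacker could plant or clear the policy.
        return {"action": "ignore", "reason": "not received over TLS"}
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return {"action": "none", "reason": "no STS header"}
    policy = parse_hsts(sts[0])  # only the first STS field is processed
    if policy is None:
        return {"action": "ignore", "reason": "malformed header"}
    if policy["max_age"] == 0:
        return {"action": "forget", "reason": "max-age=0 removes the host from the HSTS store"}
    return {"action": "remember", **policy}


# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "good": ("https", [("Content-Type", "text/html"),
                       ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    "plain_http": ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    "cleared": ("https", [("Strict-Transport-Security", "max-age=0")]),
    "broken": ("https", [("Strict-Transport-Security", "includeSubDomains")]),
}

if __name__ == "__main__":
    for label, (scheme, headers) in SAMPLE_RESPONSES.items():
        print(label, hsts_decision(scheme, headers))
```

The plain_http case is the point of the design: a site cannot be talked into HSTS, or out of it, by anyone who can only speak to the browser over an unencrypted connection.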

A Number of SQL Injection, Code Injection and XSS Posted This Week

It’s another week where a number of SQL Injection, XSS and code execution vulnerabilities were made public in some widely used applications, including WordPress, Oracle Identity Management and Drupal. Here is a list of some of the critical vulnerabilities disclosed this week.

InduSoft Web Studio Arbitrary Upload Remote Code Execution – http://packetstormsecurity.org/files/117113
Oracle Identity Management 10g Cross Site Scripting – http://packetstormsecurity.org/files/117110
Drupal Hostip 6.x / 7.x Cross Site Scripting – http://packetstormsecurity.org/files/117084
WordPress Spider 1.0.1 SQL Injection / XSS – http://packetstormsecurity.org/files/117078
Omnistar Mailer 7.2 SQL Injection / Cross Site Scripting – http://packetstormsecurity.org/files/117079
PHPTax 0.8 Remote Code Execution – http://packetstormsecurity.org/files/117082
Drupal Twitter Pull 6.x / 7.x Cross Site Scripting – http://packetstormsecurity.org/files/117107
phpMyBitTorrent 2.04 SQL Injection / Local File Inclusion – http://packetstormsecurity.org/files/117102
Template CMS 2.1.1 Cross Site Request Forgery / Cross Site Scripting – http://packetstormsecurity.org/files/117104
WordPress Premium Theme XSS Vulnerability – http://www.f-secure.com/weblog/archives/00002438.html

Surviving the Week 9/28/12

Passwords of 100k IEEE members lie bare on FTP server

IEEE uses Akamai for content delivery. An FTP directory was discovered which contained log files of usernames, passwords, IP addresses and HTTP request information. Surprisingly, an organization like IEEE logs such sensitive information. NTOSpider looks for similar log files on systems during a scan; test your application with NTOSpider to find out if any log file is accessible from your web root.
http://www.scmagazine.com/passwords-of-100k-ieee-members-lie-bare-on-ftp-server/article/260721/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A%20SCMagazineNews%20%28SC%20Magazine%20News%29

Hackers target Windows Update in phishing attack

Thieves have constructed spam messages which claim to originate from privacy@microsoft.com. The messages, which are designed to resemble official alerts from Microsoft, advise users that their systems might be at risk and direct them to visit a supposed “update” page. Upon clicking the link, however, users are directed to a phishing site which attempts to harvest email addresses from webmail services including Gmail and AOL mail.
http://www.v3.co.uk/v3-uk/news/2207737/hackers-target-windows-update-in-phishing-attack

USSD attack not limited to Samsung Android devices, can also kill SIM cards

Ravishankar Borgaonkar, a researcher, recently demonstrated the remote data wiping attack at the Ekoparty security conference. The attack can be launched from a Web page by loading a “tel:” URI (uniform resource identifier) with a special factory reset code inside an iframe. If the page is visited from a vulnerable device, the dialer application automatically executes the code and performs a factory reset. Several Samsung Android devices, including Samsung Galaxy S III, Galaxy S II, Galaxy Beam, S Advance, and Galaxy Ace were reported to be vulnerable because they supported the special factory reset code.
http://m.itworld.com/security/298784/ussd-attack-not-limited-samsung-android-devices-can-also-kill-sim-cards

jQuery 1.8.2 Released

jQuery 1.8.2 is released with fixes to several bugs and performance enhancements.
http://blog.jquery.com/2012/09/20/jquery-1-8-2-released/

SSL Scanner – SSLyze

A Python script that runs SSL configuration checks has been released.
https://github.com/iSECPartners/sslyze
Documentation can be found at –
http://code.google.com/p/sslyze/w/list

Warrantless snooping by the Feds of email and social networks is on the rise.

Documents released by the American Civil Liberties Union (ACLU) on Thursday show that law enforcement agencies in the U.S. have increased surveillance of Americans’ electronic communications.
http://www.aclu.org/blog/national-security-technology-and-liberty/new-justice-department-documents-show-huge-increase

Java exploited, again!

A new zero-day vulnerability has been discovered in all currently-supported versions of Oracle’s Java software, potentially allowing attackers to install malware on around 1 billion Macs and PCs. Announced on the Full Disclosure mailing list by security researcher Adam Gowdiak on Wednesday, the bug is present in Java 5, Java 6, and Java 7. The 1 billion figure is taken from installation statistics provided by Oracle. This vulnerability has serious implications for those business applications that continue to require older Java versions.

Surviving the Week 9/21/12

2012 HouSecCon, 10/11/2012 (in Houston)

HouSecCon is coming up – October 11th in Houston. The agenda is shaping up with a bunch of hot topics and well-known speakers. I’ll (Dan Kuykendall) be speaking on mobile security. At NT OBJECTives, we have been working on how to effectively test mobile service calls. Most of the mobile security focus is on device security. During this talk, we are going beyond device security and into mobile application hacking with several demos and hacking tools. Hope to see you there!

Top Security Threats and Attackers by Country

Web security firm Incapsula this week released the first of what it says will be a monthly report that breaks down the origin of Internet attacks by country. The first survey confirmed that the U.S. and China produce the highest volume of attacks on websites, but they don’t necessarily have the most hackers per capita operating from within their borders.

There are four main types of website attacks, according to Incapsula. Server takeovers by means of Remote File Inclusion, Local File Inclusion, Directory Traversal, and other methods are the most common, in part because they can be easily automated, the company said. Data theft by means of SQL injection and credentials theft through cross-site scripting (XSS) methods are the other main types of directly damaging attacks, while a fourth type, vulnerability scanning, is more akin to “casing” a website for future direct attacks.
http://www.incapsula.com/the-incapsula-blog/item/397-top-security-threats-and-attackers-by-country

Cybercrime-Fest Targets Mobile Devices

The lineup of depressing security stats in a recent report by the Government Accountability Office on mobile devices is growing,

  • The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 in less than a year.
  • New mobile vulnerabilities have been increasing, from 163 in 2010 to 315 in 2011, an increase of over 93%.
  • An estimated half million to one million people had malware on their Android devices in the first half of 2011.
  • Three out of 10 Android owners are likely to encounter a threat on their device each year as of 2011.

Attacks against mobile devices generally occur through four channels of activities.

  • Software downloads
  • Visiting malicious websites
  • Direct attacks
  • Physical attacks

http://www.networkworld.com/community/blog/cybercrime-fest-targets-mobile-devices

iOS, Android Vulnerabilities Found at HP’s Mobile Pwn2Own Event

Both iOS and Android fell to hackers at this Pwn2Own event in Amsterdam. HP awarded two sets of researchers $30,000 each for finding and demonstrating their attacks.

The Android attack was built on the Near Field Communications attack demonstrated by Charlie Miller earlier this year at a Black Hat event.

The iOS attack exploited a previously unreported WebKit flaw on an iPhone 4S. WebKit is the underlying rendering engine used by Apple Safari on iOS / Mac OS, and by Google for Chrome on Android.
http://www.esecurityplanet.com/mobile-security/ios-android-vulnerabilities-found-at-hps-mobile-pwn2own-event.html

Simple Cross Site Scripting Vector That Webkit XSS Auditor Ignores

Google Chrome has a lesser known feature called “XSSAuditor” that was added to help mitigate reflective XSS. It is similar to NoScript and IE’s built-in XSS filter.
This post shows a trivial attack that circumvents this feature on Chrome version 4 and above as well as Safari 5.1.7.
http://blog.opensecurityresearch.com/2012/09/simple-cross-site-scripting-vector-that.html

ViewState XSS: What’s the Deal?

Uses ASP.NET to provide a detailed example of exploiting an improperly protected ViewState with reflective XSS. Even hard-coded values can be manipulated.

http://www.jardinesoftware.net/2012/09/17/viewstate-xss-whats-the-deal/

10 Common Mobile Security Problems to Address

Poor security practices of consumers and inadequate technical controls make mobile devices a target waiting to be attacked. The GAO report came up with a list of mobile vulnerabilities it says are common to all mobile platforms and it offered a number of possible fixes for the weaknesses.
http://www.pcworld.com/article/2010278/10-common-mobile-security-problems-to-attack.html

Over Half of Companies Suffered a Web Application Security Breach in the Last 18 Months

Forrester report published.
The results of “The Software Security Risk Report,” a commissioned study conducted by Forrester Consulting on behalf of Coverity, were released this week. This study looked at application security and testing practices and found that security incidents are becoming more common and expensive. The results included several interesting findings:

  • Most companies experienced at least one breach in the last 18 months and many companies lost hundreds of thousands, if not millions, of dollars.
  • The majority of companies have not implemented secure development practices, “most often citing time-to-market pressures, funding and the lack of appropriate technologies suitable for use during development as their primary roadblocks.”

Read more here: http://www.heraldonline.com/2012/09/18/4270284/over-half-of-companies-suffered.html#storylink=cpy

HoneyMap – Alpha

A real-time world map which visualizes attacks captured by honeypots of the Honeynet Project. Red markers on the map stand for attacks, yellow markers are sensors (honeypots).

This project is highly experimental and should be considered an ALPHA version. So far, current Chrome and Firefox browsers should work fine. Opera, Safari and Internet Explorer probably won’t work.
http://map.honeycloud.net/

Surviving the Week 9/14/12

Surviving SQL Injection (link to free SQL Injection tool)

SQL Injection continues to be in the news each week. Despite being the most well-understood vulnerability, it remains the most popular attack technique, and many successful breaches are done with SQLi. This attack method remains a problem even in today’s modern web technologies like AMF and REST based applications.

Here are a bunch of good resources that might help:
– Free tool for testing SQLi, SQL Invader. It’s very similar to sqlmap, but it has a GUI so it’s very easy to use.
– SQL Injection cheat sheet
– Injection cheat sheet
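Since SQL injection is the common thread of the Ford breach reported above and of this item, here is an added Python 3 example (not NT OBJECTives code; the users table and its rows are constructed) showing the defect in its smallest form beside the fix. lookup_vulnerable builds the statement with string formatting, so a quoted input rewrites the WHERE clause and the query stops filtering; lookup_safe hands the same input to sqlite3 as a bound parameter, so it can only ever be compared as a string. The shape of the bug is the same whether the input arrives in a form field, an AMF message or a JSON body.

```python
import sqlite3


def build_db():
    """Constructed in-memory users table; none of this is data from any breach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The flaw: the value is pasted into the statement text, so the database
    parses whatever the caller supplied as SQL."""
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, email):
    """The fix: a bound parameter travels separately from the statement text and
    is compared as a string, quotes and all, whatever it contains."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    conn = build_db()
    probe = "nobody@example.com' OR '1'='1"  # the textbook tautology input
    print("vulnerable:", lookup_vulnerable(conn, probe))  # every row comes back
    print("safe:      ", lookup_safe(conn, probe))        # no such address: []
```

The safe version is also the one a scanner cannot talk into leaking schema details: an error or a tautology in the parameter value never reaches the SQL parser.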

A Number of products with SQL Injection, XSS, OS injection and other high risk security issues were reported this week

This week, some very critical security issues have been discovered in widely used products including WordPress, Joomla, and Drupal.

WordPress Krea3AllMedias SQL Injection – http://packetstormsecurity.org/files/116476
Knowledge Base EE 4.62.0 SQL Injection – http://packetstormsecurity.org/files/116492
Joomla RokModule Blind SQL Injection – http://packetstormsecurity.org/files/116393
PersianTools SQL Injection / Shell Upload – http://packetstormsecurity.org/files/116395
VICIDIAL Call Center Suite 2.2.1-237 SQL Injection / Cross Site Scripting – http://packetstormsecurity.org/files/116394
Drupal PDFThumb 7.x OS Injection – http://packetstormsecurity.org/files/116498
Drupal Inf08 6.x Cross Site Scripting – http://packetstormsecurity.org/files/116497
Fortigate UTM WAF Appliance Cross Site Scripting – http://packetstormsecurity.org/files/116495
Wordpress Download Monitor 3.3.5.7 Cross Site Scripting – http://packetstormsecurity.org/files/116408
Drupal Mass Contact 6.x Access Bypass – http://packetstormsecurity.org/files/116496
Webify Business Directory Arbitrary File Deletion – http://packetstormsecurity.org/files/116490
Openfiler 2.x NetworkCard Command Execution – http://packetstormsecurity.org/files/116405
Oracle VM VirtualBox 4.1 Denial Of Service – http://packetstormsecurity.org/files/116392

HoneyNet Project Releases SQL Injection Emulator

The HoneyNet Project has released a new version of the Glastopf Web application Honeypot software, which can now replicate SQL Injection attacks.
http://www.securityweek.com/honeynet-project-releases-sql-injection-emulator

Use NTO’s Free SQL Invader to test SQL Injection
http://www.ntobjectives.com/go/nto-sql-invader-free-download/
Use SQL Injection cheat sheet to try stuff manually
http://www.ntobjectives.com/go/sql-injection-cheat-sheet/

Microsoft, Adobe Push out Security Patches

Microsoft has released two security bulletins to address issues in Visual Studio Team Foundation Server and Microsoft System Center Configuration Manager. Adobe released a security hotfix for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX. Patch your systems before you are attacked –
http://www.securityweek.com/microsoft-adobe-push-out-security-patches

Oracle Confirms Existence of Another Critical Java Flaw

A new security issue has been discovered in Java which allows a complete JVM sandbox bypass on the latest Java SE 7 Update 7.
http://www.net-security.org/secworld.php?id=13568

BlackHole Exploit kit to release version 2.0

This exploit kit is one of the best known to date. We don’t yet know all the new exploits that could be added into version 2.0, and its authors will have done their best to obfuscate much of their work. But it can be assumed that this latest Java exploit would be included. There are quite a few web-based Java applications out there that require users to remain on specific, vulnerable versions of the Java client, which makes them a high-risk target. If you’re a developer of a Java application, you need to ensure that your application will support updated Java versions or take your application offline.

http://nakedsecurity.sophos.com/2012/09/13/new-version-of-blackhole-exploit-kit/


Surviving the Week 9/7/12

A Number of Exploits Including SQL Injection, XSS, and Authentication Bypass

This week, researchers found some remarkable vulnerabilities, including remote code execution, SQL injection, and cross-site scripting, within bug tracking systems as well as in security vendors’ products. Test your application with NTOSpider to find all possible vulnerabilities.

GarrettCom Privilege Escalation – http://packetstormsecurity.org/files/download/116278/ICSA-12-243-01.pdf
Symantec Messaging Gateway 9.5 Default SSH Password – http://packetstormsecurity.org/files/download/116277/symantec_smg_ssh.rb.txt
HP SiteScope Remote Code Execution – http://packetstormsecurity.org/files/download/116276/hp_sitescope_uploadfileshandler.rb.txt
Kayako Fusion 4.40.1148 Cross Site Scripting – http://packetstormsecurity.org/files/download/116274/kayakofusion440-xss.txt
Drupal Exposed Filter Data 6.x Cross Site Scripting – http://packetstormsecurity.org/files/download/116272/DRUPAL-SA-CONTRIB-2012-138.txt
Flogr 2.5.6 Cross Site Scripting – http://packetstormsecurity.org/files/download/116270/flogr256-xss.txt
Web@All CMS 2.0 Shell Upload / Local File Inclusion – http://packetstormsecurity.org/files/download/116260/webatall-lfishell.txt
Ektron CMS 8.5.0 File Upload / XXE Injection – http://packetstormsecurity.org/files/download/116259/SOS-12-009.txt
Barracuda Web Filter 910 5.0.015 Cross Site Scripting – http://packetstormsecurity.org/files/116239
eFront Enterprise 3.6.11 Cross Site Scripting – http://packetstormsecurity.org/files/116238
Support4Arabs Pages 2.0 SQL Injection – http://packetstormsecurity.org/files/download/116201/support4arabspages-sql.txt
Wiki Web Help 0.3.11 Remote File Inclusion – http://packetstormsecurity.org/files/download/116202/wikiwebhelp-rfi.txt
JIRA / GreenHopper Cross Site Scripting – http://packetstormsecurity.org/files/download/116203/jiragreenhopper-xssxsrf.txt
ES Job Search Engine 3.0 SQL Injection – http://packetstormsecurity.org/files/download/116231/VL-675.txt

Database Security on the Cloud for Microsoft SQL Azure

GreenSQL’s software-based solution can be installed as a front-end to SQL Azure. It fully camouflages and secures the Azure database, dynamically masks sensitive and confidential data in real-time, and provides monitoring and auditing of data access and administrative activities. Its caching dramatically increases database performance, reducing latency in cloud environments. By using GreenSQL, companies comply with regulations such as HIPAA, PCI, SOX, and Basel II.
http://www.net-security.org/secworld.php?id=13531

Government Warns Businesses of Cyber Crime Threat

The UK government’s spy agency, GCHQ, launched a program that aims to help business leaders tackle the growing threat of cyber attacks. GCHQ head Iain Lobban will tell business leaders that current confidence in existing security defenses is often misplaced, with potentially major implications for the economy and customers’ trust in online services. He will also ask board members and chief executives how confident they are that their most important corporate information is safe from cyber threats and whether they are aware of the impact on a company’s reputation, share price or even existence if sensitive information is stolen.
http://www.net-security.org/secworld.php?id=13535