Surviving the Week 2/1/13 – Ruby on Rails – JSON Parser Vulnerability

Ruby on Rails – JSON Parser Vulnerability


The JSON parser, which converts JSON into YAML and then hands the result to the YAML parser, is buggy. The fix that was delivered replaces the YAML backend (yaml.rb), which was allowing arbitrary strings through. This is far too similar to the previous vulnerabilities, including the 156 bug, meaning far more exploits in the wild. http://viamsec.com/blog/2013/01/ruby-on-rails-json-parser-vulnerability/

XSS Attacks Spike in Q4 2012

FireHost, a secure cloud hosting company, released statistics on Q4 2012 Web application attacks last week. The report details both the type and number of attacks hitting its servers in the U.S. and Europe between October and December 2012.

FireHost reports statistics like these quarterly with a focus on what they call “The Superfecta.” The Superfecta are the four most dangerous cyber attacks:

FireHost reported that Cross-Site Scripting and SQL Injection attacks have become more prevalent since the third quarter of 2012, with Cross-Site Scripting (XSS) leading the way in terms of attack types.

http://www.securityweek.com/xss-attacks-spike-q4-2012-firehost

Test your application with NTOSpider to find out all possible vulnerabilities. NTOSpider produces a separate report for XSS that enables you to drill into the report and reproduce the vulnerability.

Unicode Security Testing Library

Chris Weber announced on his blog last week that he has released a small utility library, unicode-hax, that is now available on GitHub. When it comes to testing string input to find bugs or vulnerabilities, Unicode can be a tester’s best friend. Strings are not simple things for software engineers; they require a lot of planning, and buffers, encodings, transmission, and storage are just a few of the concerns. Chris wanted to answer some of the common questions people ask, such as:

  • What characters should I use for testing?
  • Which ones flip text around?
  • Which ones cause problems?
  • Which one maps to an apostrophe for SQL injection, or a less-than sign for XSS?

As Chris said, “Happy Bug Hunting!”

http://web.lookout.net/2013/01/unicode-security-testing-library.html
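Added example (not part of Chris Weber's post or the unicode-hax library): the last two questions above in Ruby, from the defender's side. It shows that compatibility characters such as fullwidth forms turn into an ASCII apostrophe or less-than sign under NFKC normalization, so a filter that runs before normalization misses them, and it lists the bidi control code points that reorder displayed text. The sample strings are constructed for the example.

```ruby
# Constructed sample inputs (not from the unicode-hax library).
SAMPLES = {
  "ascii"     => "O'Brien <b>",
  # Fullwidth apostrophe (U+FF07) and fullwidth angle brackets (U+FF1C, U+FF1E).
  "fullwidth" => "O\uFF07Brien \uFF1Cb\uFF1E",
  # Right-to-left override (U+202E) reverses the display order of what follows.
  "bidi"      => "abc\u202Edef"
}.freeze

# Metacharacters a typical input filter looks for before quoting or escaping.
METACHARS = ["'", "<", ">"].freeze

# Naive check: inspects the raw string exactly as received.
def naive_filter_rejects?(s)
  METACHARS.any? { |c| s.include?(c) }
end

# NFKC normalization folds compatibility variants (fullwidth forms, ligatures,
# and similar) onto their canonical characters.
def nfkc(s)
  s.unicode_normalize(:nfkc)
end

# Defensive ordering: normalize first, then validate, so anything that would
# become a metacharacter further down the pipeline is caught here.
def hardened_filter_rejects?(s)
  naive_filter_rejects?(nfkc(s))
end

# Bidi control code points (embeddings, overrides, isolates, marks) that
# visually reorder text without changing its bytes.
BIDI_CONTROLS = ((0x202A..0x202E).to_a + (0x2066..0x2069).to_a + [0x200E, 0x200F]).freeze

# Returns the bidi controls present in the string as U+XXXX labels, suitable
# for logging or for rejecting the input outright.
def bidi_controls_in(s)
  s.each_codepoint.select { |cp| BIDI_CONTROLS.include?(cp) }
   .map { |cp| format("U+%04X", cp) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, s|
    puts "#{label}: naive=#{naive_filter_rejects?(s)} " \
         "hardened=#{hardened_filter_rejects?(s)} bidi=#{bidi_controls_in(s).inspect}"
  end
end
```

Run as a script it prints one line per sample; the "fullwidth" line is the interesting one, rejected only by the hardened check. The same ordering applies to any canonicalization step (case folding, path normalization, HTML entity decoding): validate the form the downstream component will actually see.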

To avoid the pain of these permutations, use NTOSpider. NTOSpider will fuzz the application not only with Unicode characters but with several other encodings as well.

Multiple Vulnerabilities

CurvyCorners Cross Site Scripting – http://packetstormsecurity.com/files/119814
gpEasy 3.5.2 Cross Site Scripting – http://packetstormsecurity.com/files/119805
ImageCMS 4.0.0b SQL Injection – http://packetstormsecurity.com/files/119806
SonicWALL GMS 6 Arbitrary File Upload – http://packetstormsecurity.com/files/119808
Kohana Framework 2.3.3 Directory Traversal – http://packetstormsecurity.com/files/119870

About Dan Kuykendall 173 Articles