The NTO team keeps growing, and the demands of running the business and supporting our customers are keeping me busy… and it's a blast. But now it's good to be getting back to these weekly postings.
On to the news, so I can help keep you all informed about the important news in web app security.
- Will a standardized system for verifying Web identity ever catch on? – Maybe the question is “Do we even want a standardized system for verifying Web identity?” I for one see stuff like this every day, and if the FBI’s site can be hacked, who is going to promise the security of OpenID? It will just become the single place an attacker has to attack to get access to everyone’s confidential/private data.
- CSRF with upload – XHR-L2, HTML5 and Cookie replay – XHR Level 2 calls from an HTML5 browser can open a cross-domain connection and deliver an HTTP request. Cross-domain calls abide by CORS, but for anything beyond a “simple” request the browser first generates a preflight request to check policy, and based on the response it will allow cookie replay. Interestingly, multipart/form-data POSTs count as simple requests and go through without the preflight check, and with “withCredentials” set the browser replays the victim’s cookies. This is how some new cutting-edge attacks are going to be performed.
- Vote Now! Top Ten Web Hacking Techniques of 2011 – This is an incredibly useful survey that they do each year. So, please vote to help the community get an idea of what is interesting and important to you.
- Twitter Enables HTTPS By Default – As sites like Google, Facebook and now Twitter start pushing all traffic to HTTPS, I fear that users will mistake this for real security. “Oh, I can put all my information on Facebook/Twitter/etc now because they are ‘secure’. See there is even a little padlock icon in my browser when I go to those sites, just like the bank.” – FAIL
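To make the CSRF-with-upload item concrete, here is an added example (mine, not code from the original post or from the linked research): a reconstruction of the CORS “simple request” rules that decide whether the browser sends a preflight, the forged multipart upload as the victim’s browser would emit it, and a hypothetical server-side check that refuses it. The host names, cookie and token values are made up for illustration.

```javascript
// Added example (not from the original post). Hostnames, cookie and token
// values are made up. Shows why a multipart/form-data XHR Level 2 upload
// with withCredentials skips the CORS preflight, and one way a server can
// refuse the cookie-replayed request anyway.

// CORS "simple request" rules: no preflight when the method, every request
// header, and the Content-Type all fall inside the safelist.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type", "origin", "cookie",
]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return true; // any custom header forces a preflight
    if (lower === "content-type") {
      // Only the MIME essence matters; the multipart boundary parameter is ignored.
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// What the victim's browser sends when attacker.example's page runs:
//   var fd = new FormData(); fd.append("file", blob, "avatar.png");
//   var xhr = new XMLHttpRequest();
//   xhr.open("POST", "https://victim.example/upload");
//   xhr.withCredentials = true;
//   xhr.send(fd);
// The browser adds the victim's session cookie and an Origin header itself.
const forgedUpload = {
  method: "POST",
  headers: {
    "Content-Type": "multipart/form-data; boundary=----xhr2csrf",
    "Origin": "https://attacker.example",
    "Cookie": "session=victim-session-cookie",
  },
  body: "------xhr2csrf\r\nContent-Disposition: form-data; name=\"file\"; filename=\"avatar.png\"\r\n\r\n...",
};

// The same upload issued by the site's own page, carrying the anti-CSRF
// token the attacker cannot read from the victim's session.
const legitimateUpload = {
  method: "POST",
  headers: {
    "Content-Type": "multipart/form-data; boundary=----legit",
    "Origin": "https://victim.example",
    "Cookie": "session=victim-session-cookie",
    "X-CSRF-Token": "per-session-secret",
  },
  body: "...",
};

const TRUSTED_ORIGINS = new Set(["https://victim.example"]);

function header(req, name) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : req.headers[key];
}

// Hypothetical server-side check: reject an Origin that is not ours (scripts
// cannot forge it), and require a token the attacker's page cannot obtain.
function acceptUpload(req, expectedToken) {
  const origin = header(req, "Origin");
  if (origin !== undefined && !TRUSTED_ORIGINS.has(origin)) return false;
  const token = header(req, "X-CSRF-Token");
  return token !== undefined && token === expectedToken;
}
```

Note the two defenses reinforce each other: if the attacker tries to supply `X-CSRF-Token` from a cross-origin page, that custom header is exactly what forces the preflight, and a server that does not answer the preflight permissively never sees the upload at all.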
Sorry I missed last week, this one will cover the last two weeks.
- NT OBJECTives Releases SQL Invader – NTO SQL Invader finally makes it easy to exploit a SQL Injection vuln from a clean graphical interface. Check out the video demonstration.
- Santa’s CISO failed him! – Another major data leak for 2011
- MySQL.com Once again Compromised using SQL Flaw – The article says it well: “The MySQL website is pretty embarrassed for not securing its own databases properly.”
- It’s ba-ack. Exploit revives slain browser history bug – I’m glad to see this type of research being done, because sometimes we assume one style of change will fix a thing, but that’s rarely the case in the end.
- OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection – Great write-up on making sure the transport layer is secured, and how to recognize when it’s not.
- Critical Zero-day Vulnerability in Adobe Reader – Another week, another critical flaw in Adobe.
- Yahoo Messenger 0-Day Exploit allow status message hijacking – This is cool because it’s basically an XSS attack against Yahoo Messenger.
- Millions of printers open to devastating hack attack – Said best by Steve Tornio on twitter “My HP all-in-one printer barely even works. Asking them to code securely is not likely to end well.”
- Cross-Site Scripting vulnerabilities in HP Network Node Manager i 9.10 – While on the topic of HP, here’s an interesting one: the application’s XSS filter on GET requests was evaded with newline characters (%0D%0A), and no XSS filter existed for POST requests at all. Good bypass!!
- DNS cache poisoning attack on Google, Gmail, YouTube, Yahoo, Apple – Nothing new, but a reminder of how much we trust in DNS and how easy it is to screw with.
This week was a busy one for me, as I’m finally done traveling for a while and got back to working on NTOSpider 6 and our growing team. I should be able to keep up with this weekly post again, and will keep you all informed about the important news in web app security.
- Larry Suto study of WAF Effectiveness has finally gotten out, and received some attention.
- I presented Not Your Granddad’s Web App @ HouSecCon 2011 – The conference was great this year. My talk went well and I had lots of response and good conversations as a result.
- Reviews of SOPA/PROTECT IP – Forcing honesty on the internet… ha!
- Cloud Security at HouSecCon 2011 – (MJ Keith’s technical preso)
- Imperva Announces Pricing of Initial Public Offering – Imperva going public tells me that WAFs have hit the big time.
- Fighting 0days With Fundamentals (DarkReading) – A bit of a counter-argument to signature-based solutions, and all good points. I think Vinnie is right that developers need to continue to focus on secure coding practices to avoid creating the security issues in the first place, but once the baby is born and running amok on the internet, we need to use solutions (DAST, SAST, WAF, IPS) to help protect them. It’s never going to be either/or; it’s going to require both.
- “FIX IT!” Ain’t Gonna Cut It: Kicking Off a Software Security Remediation Project – A fantastic post from the Denim Group on how to improve the process of moving from “just fix it” to a well thought out development process with integrated security.
- The Twelve Web Security Truths – Nice little summary from my buddy Mike Shema
- Amex clueless about security–so what else is new? (Securiteam) – Amex under scrutiny, doesn’t inspire confidence with their lack of responsiveness
- Study of next-generation firewall deployments (Help Net Security) – I still don’t understand what qualifies a technology as a “Next-Generation Firewall (NGFW)”, but if more than 50% of users are using NGFWs, doesn’t that make them no longer “Next-Generation”, as they are now the “Current” or “Modern” generation firewalls? Oh well, I guess that’s just me.
- Healthcare most breached industry in 2011 – Includes statement that life or death systems account for 5% but are on the rise.
- WYSINWYX: What You See Is Not What You eXecute – I’m still trying to dig through this 79-page paper, but it does go into some of the details about why source code scanning tools face some inherent limitations caused when compiled machine code behaves differently than expected. Every C/C++ developer out there has experience debugging these issues and fighting with that special form of hell. I bet Veracode liked this one due to their ability to work against the compiled code.
- WhiteHat Security Adds Common Vulnerability Scoring System to Sentinel Website Security Product – I think this is a great move, which we have done as well for our upcoming release of NTOSpider 6.0 (scheduled for release in Q1 2012).
- Joomla! security bypass weakness and XSS vulnerability (Help Net Security) – Not that important really, but a reminder that these things will continue to pop up with any popular framework
As I spend more time using twitter, I understand the need for shortened URLs and make heavy use of them. But, when I am viewing a tweet I always hesitate before clicking on those links, knowing that they could easily be used to hide some sort of XSS or SQL Injection payload in the redirect.
It would be a great way to target accounts of twitter followers to even attack Intranet sites as well as public facing sites. Maybe some good proof of concept hacks will need to be created to demonstrate. Will leave that for another day.
I am sure some of these link shortening providers have put some effort into blocking XSS payloads from the URLs they shorten, but it’s easy enough to have the short URL point to a page on the bad guy’s site which will perform a 302 with the payload in the Location header. This story/video on Help Net Security from a couple years ago tried to warn us.
I wish links didn’t count against the 140 char limit on twitter so these shortened URLs wouldn’t be as needed. Oh well, looks like another instance where features trump security.
(Now time to use bit.ly to make a short link of this blog post so I can tweet it)
Web application security news from the last couple weeks.
[I guess I didn't figure out how to keep going with this weekly post when I'm traveling, but now I'm done traveling for a couple months, so I should be able to keep up with the news]
The hacks are continuing to take place on more and more critical sites.
Sorry for the missing posts the last couple of weeks, I need to figure out how to manage these weekly posts during travel periods. So this week will include a couple items from the missing weeks.
Welcome to “Surviving the Week”!
Each week I will be collecting the top news/stories/articles/blog_posts related to application security. These may not always be the big headlines or directly focused on application security, but they will be the items that interested me the most, and hopefully will be of interest to my readers. Great replacement for Jeremiah’s defunct “Best of Application Security” series.
- Google SSL Cert Compromise: Info and fallout details here, here, here, here and here.
- Kernel.org Hacked – Geek community attacks itself, <sarcasm>Real nice</sarcasm>.
- This week on Celebrity Deathmatch: Battle of CSO’s
Oracle CSO Mary Ann Davidson vs Veracode CSO Chris Wysopal
- WAF != Firewall – Yes, that’s right. I’m self promoting, deal with it.
- Most security pros don’t think a breach will happen to them – Title says it all… oh, and the security pros are wrong.
- The Good, Bad, and Ugly of Technology Acquisitions – Amrit Williams explains his thoughts and experiences from his time during the IBM acquisition of BigFix.
- Sometimes Input MUST be validated Client-Side: o_O – After watching Matt Johansen‘s Hacking Google Chrome talk at B-Sides LA, I think this is a very serious issue to be watching in the months/years ahead.
- DDoS attack using Google Plus Servers – Nothing earth shattering here, but props on the clever attack.
- Kevin Mitnick on Colbert Report – I know this is 2 weeks old, but very cool to have a “hacker” as a guest on Colbert.