Author Archive for travis

XSS-Me tool & html frames

Published by
travis
at July 15, 2008 in XSS and SQL injection. Comments

Security Compass has created a series of Firefox add-ons that aid in performing web application assessment. These tools are a great convenient way of finding vulnerabilities within web applications. I do want to point out that even though these tools are useful there is no guarantee all vulnerabilities will be found.

XSS-Me is one of the tools in the series that helps to find cross site scripting (XSS) vulnerabilities within web applications. The tool works by locating forms within a web page then tries various inputs into those forms to see if the inputs on that page are vulnerable. A screen shot of how the tool should look inside Firefox can be seen below.

How XSS-Me should look inside Firefox

 

Now all you have to do is click “Run all tests” and let XSS-Me do its thing. Keep in mind that XSS-Me will also find any hidden forms within a page as well. So this is how things are suppose to work but you’ll eventually come across a page that has forms but XSS-Me doesn’t detect them, this is because the page you are viewing has frames. A good example of this is Chris Rohlf’s site seen below.

XSS-Me doesn’t detect the search form

From the screen shot you can see there is a search form at the top of the page but XSS-Me doesn’t detect its presence. This is because the search form is wrapped inside of a frame. A quick little tip to get around this problem is to open the frame in another tab/window. All you have to do in Firefox is right click on the frame then select “This Frame > Open Frame in New Tab”. A screen shot can be seen below.

Right click to open frame

Once you have the frame in a new tab XSS-Me will detect the form as normal. This can be seen in the screen shot below.

Frame in new tab

This same technique will apply to the SQL Inject Me tool from Security Compass as well because it also tries to search for forms within a web page.

This tip was passed along to me by Sahba Kazerooni who works at Security Compass. I have no affiliation with Security Compass but I met Sahba and some other Security Compass employees at a conference and they were all down to earth guys who had great knowledge and experience when it came to information security. So thanks for the tip Sahba and hopefully this tip will help others secure their web applications as well.

 

Nessus not free anymore :-(

Published by
travis
at May 23, 2008 in Uncategorized. Comments

Well that’s not entirely true, they will still offer the “engine” for free just not all of the plugins (maybe?). The current but soon to be old model had two types of subscriptions,

  1. Direct feed ($1,200 per year)
  2. Registered feed (free but plugins were 7 days old)

Come the end of July they will switch to a different model,

  1. Professional feed = Direct feed
  2. Home feed (only personal plugins, whatever that means?)

The press release was some what cryptic and I couldn’t decipher what exactly this “Home feed” will be. It could be all the plugins minus the compliance stuff but the proof is in the pudding.

So it’s a sad day but I guess we all knew this was coming. In fact I’m all for Tenable getting paid for their valuable service I just hope they don’t go the next step and raise the price of the plugins feed to something outrageous. I think $1,200 is a reasonable price especially is you’re an independent contractor like I used to be. Let’s just hope the “Professional feed” remains a reasonable price. Tenable could always introduce a 3rd tier geared towards large organizations to get even more capital, but maybe that won’t be necessary with their new model. If for some reason the 2 tier model doesn’t work I hope they will entertain the 3 tier model, I can only hope (cross fingers). They could be shooting themselves in the foot with this move, which is essentially shooting their user base in the foot as well.

I’m not a hater, I like love Nessus and think it’s bottom line the best vulnerability scanner on the market period. I remember not too long ago (~ 4 years?) when Nessus had around 1,000 plugins, now there are over 21,000 so they have definitely grown over the years. I hope this move will help them to keep growing, just don’t forget the little guy.

Widespread SQL injection & Javascript malware

Published by
travis
at May 15, 2008 in malware and SQL injection. Comments

This is the first time I have ever seen SQL injection this widespread and in an automated fashion. Before it’s all said and done this could be !!! HUGE !!!. News of this has been trickling out since the end of April with the first hint of it at the beginning of the year.

Basically what’s happening is attackers are using SQL injection, in some sort of automated fashion, to insert Javascript malware into databases of some popular websites, the United Nations for example. Once a user visits an infected website (un.org) they will unknowingly be sent to a malicious site where attackers try numerous exploits to see if they succeed. Keep in mind the user will remain on un.org as if everything is fine and dandy but in the background exploits are being launched.

What’s so scary about these widespread infections is that the Javascript malware will remain on the database until the webmaster removes it. Even then the websites will still be vulnerable to SQL injection so attackers could reinsert malware until the vulnerability is fixed. Also attackers could easily update the location of their malicious site through SQL injection. For example lets say attackers are using http://evilattacker.com for launching their exploits but this URL gets blacklisted, they could then update infected databases with a new URL, say http://maliciousattacker.com. So this type of widespread epidemic is the gift that keeps on giving.

I’ve seen these attacks come across the IDS (intrusion detection system) where users are visiting infected URL’s. Of course attackers could easily move their operations to different URL’s. Some exploit URL’s I’ve seen so far are nihaorr1.com, nmidahena.com, aspder.com, rirwow.cn, and wowyeye.cn. I performed searches to get an idea of the infection numbers, now doing a search for the offending URL won’t give you a 1 to 1 relationship but it will give you a ballpark figure. Take a look at the “Results” numbers in the following screen shots.

nihaorr1.com Infections

nmidahena.com Infections

aspder.com Infections

Also check out this screen shot from ririwow.cn, you’ll get a laugh from it.

ririwow.cn

So the ballpark infection just from these three URL’s is 500,000, scary isn’t it. Even if this number is 400,000 off that still leaves 100,000 sites infected. There’s no way at this point to verify the number but this is definitely the largest SQL injection campaign I have ever seen. It’s these URL’s along with others that are hosting the Javascript malware. It’s common to see the attackers use Javascript to open zero pixel iframes so the attack appears hidden. The Javascript files I’ve seen so far are short names with either a single letter or number (e.g. m.js, 1.js, jp.js, etc). So the request that happens in the background will look like http://ririwow.cn/jp.js. In order to see the request one would have to use a local web proxy. Without a proxy you would never see the request. So I’m going to keep my eyes peeled in the coming months to see how this epidemic plays out.

Below are some other good articles related to this topic

Internet Storm Center

Websense

ShadowServer

CIFS, Linux, & Windows

Published by
travis
at May 13, 2008 in linux. Comments

I connect to Windows from Linux on almost a daily basis so I wanted to let others know how I connect the two OSes. There are some articles out there that will explain how to access Windows shares from Linux but they don’t explain things as simply as I would like. So first of all there are 2 common ways to connect to a Windows share from Linux.

  1. mount cifs or mount smbfs
  2. smbclient

I prefer the “mount cifs” option because smbfs is no longer supported and smbclient gives you the awkward command prompt look and feel like ftp via the command line. An example of how you would connect to a share via “mount cifs” can be seen below.

prompt:~$ mount -t cifs //machine/folder /mnt/windows -o username=travis

Keep in mind “machine” = machine name and “folder” = shared folder. Also I created the “windows” directory inside the “mnt” directory so that I would have a mount point. If the directory requires authentication you will be prompted for a password. In a medium to large organization this will more than likely be your Active Directory username and password. I’ve been using CIFS since 2007 and I’m never going back to smbfs or smbclient. I know CIFS has been around a while and I’m some what behind the times but I didn’t have a real need for it until last year. CIFS was definitely one of my top finds of last year. If anyone knows of a better solution please hit me up.

================ FYI ================

  • Windows uses the CIFS protocol to share folders
  • You may see it referred to as CIFS/SMB
  • Samba is a free implementation of SMB (both client and server)
  • Smbclient is a client program that comes with the Samba suite
  • CIFS is the latest “variant” of the SMB protocol
  • CIFS/SMB is probably the majority of network traffic in an organization (Windows environment that is)

Carolina Con Presentation

Published by
travis
at April 9, 2008 in SMS, XSS and video. Comments

Get the Flash Player to see the wordTube Media Player.

It’s taken me a couple of days to recover from Carolina Con. I knew it was going to be a riot with all the alcohol in walking distance. Now that I have my equilibrium I can post my presentation on Layer 7 attacks. My laptop and the projector weren’t working well together so I had to borrow Nick Fury’s laptop which didn’t have all the tools I needed for the presentation, so I wasn’t able to present the second half of my talk. I’m hoping this video will compensate. Keep in mind that my total presentation was going to include this video (scenario 1, cross site texting) and my previous video post of analyzing cookies (scenario 2). One thing you won’t see in this screen cast is that during the presentation I used a volunteer from the audience to prove that an attacker could text himself the username and password of an unsuspecting victim. Luckily apples from the HTS crew let me spam his phone with my demo and all he got was a t-shirt, a kick ass Carolina Con t-shirt that is. Well I had a great time and I’ll definitely make it back next year. As always I would love to hear your comments and feedback.

travis:~$ cat BigUpsMuchRespect

  1. nc2600
  2. txs
  3. wxs
  4. Deral Heiland
  5. Sahba & Dan @ Security Compass