<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>NoScript 1.9.9.35 - XSS Injection Checker Nested Complexity Bug still persists</title><description>2010-01-09 20:17:18 - Aditya K Sood's (0kn0ck) Blog: Just a few days ago I talked about the complexity issue with the NoScript author and the false positives encountered. I released a document on the below mentioned link: http://secniche.org/papers/noscript_xss_chk_comp_flaw.pdf. Read it for the issue in action. Soon after that there were some build versions and finally 1.9.9.35 is out, but it seems like this complexity issue still persists. This time it worked with stealthier JavaScript and the Injection Checker raises the false positive. The complex links are from ad.doubleclick.net and are presented below:

http://www.linkedin.com/html/addineyeV2.html?strBanner=gEbServerData%3D%271%3A%3A1225342%3A%3A2272675%3A%3ASite-20936/Type-11/2272675_e0b24616-1ae2-4643-baee-12ebdd7a1647.js%3A%3AExpBanner%3A%3A0%3A%3A%3A%3A%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A1%3A%3A94684%3A%3A0%3A%3A0%3A%3A%3A%3A%27%3BgEbBannerData%3D%2715264925553351627%3A%3A1%3A%3A300%3A%3A250%3A%3A%3A%3A%3A%3A1%3A%3A0%3A%3A30%3A%3A%3A%3A%3A%3A%3A%3A0%3A%3A0%3A%3Atrue%3A%3A%3A%3Afalse%27%3BgEbInteractions%3D%27%5B_eyeblaster%2Chttp%253A//ad.doubleclick.net/click%253Bh%253Dv8/391c/3/0/*/v%253B221038779%253B0-0%253B11%253B40521440%253B4307-300/250%253B34909454/34927284/1%253Bu%253D18348940%253B%257Eaopt%253D2/0/ff/0%253B%257Esscs%253D%253F%2C%5D%27%3BebSrc%3D%27http%253A//ds.serving-sys.com/BurstingCachedScripts/ebExpBanner_3_0_67.js%27%3BebResourcePath%3D%27http%253A//ds.serving-sys.com/BurstingRes/%27%3B%3BebO%3Dnew%20Object%28%29%3BebOsms%3D%27ds.serving-sys.com/BurstingScript/%27%3BebObs%3D%27bs.serving-sys.com%27%3BebOfvp%3D%27Res/%27%3BebOrpv%3D%27_2_5_1%27%3BebOpv%3D%27_3_0_3%27%3BebOpi%3D0%3BebOwv%3D%27_3_0_1%27%3BebPtcl%3D%27http%3A//%27%3BebObt%3D2%3BebObv%3D3%3BebOplt%3D8%3BgEbDbgLvl%3D0%3BgnEbLowBWLimit%3D120%3B

Another sanitized one:

http://ad.doubleclick.net/adi/linkedin.dart/home_nn;optout=false;lang=en;v=1;u=18348940;ue=1utcdckqzgglwtt4uqu6ap;title=o;title=ic;func=null;co_id=233588;co_id=376101;co_id=3027;co_id=60837;ind=96;ind=82;ind=121;ind=118;csize=d;csize=a;csize=h;csize=c;csize_num=1;csize_num=50;csize_num=7000;zip=110005;gdr=u;cntry=sg;reg=0;grp=3120;grp=54384;grp=113049;grp=115855;grp=742197;grp=894157;grp=1485107;grp=1613377;grp=1777141;grp=1805569;grp=1848637;edu=13494-2008;jobs=1;sub=0;con=j;age=a;age_num=24;seg=190;seg=218;tile=2;sz=300x250;extra%3Dnull;ord=41888994

Sanitized URL:

http://www.linkedin.com/html/addineyeV2.html?strBanner=gEbServerData%20%201%3A%3A1225342%3A%3A2272675%3A%3ASite-20936%2FType-11%2F2272675_e0b24616-1ae2-4643-baee-12ebdd7a1647.js%3A%3AExpBanner%3A%3A0%3A%3A%3A%3A%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A1%3A%3A94684%3A%3A0%3A%3A0%3A%3A%3A%3A%20%3BgEbBannerData%20%2015264925553351627%3A%3A1%3A%3A300%3A%3A250%3A%3A%3A%3A%3A%3A1%3A%3A0%3A%3A30%3A%3A%3A%3A%3A%3A%3A%3A0%3A%3A0%3A%3Atrue%3A%3A%3A%3Afalse%20%3BgEbInteractions%20%20%20_eyeblaster%2Chttp%253A%2F%2Fad.doubleclick.net%2Fclick%253Bh%253Dv8%2F391c%2F3%2F0%2F*%2Fv%253B221038779%253B0-0%253B11%253B40521440%253B4307-300%2F250%253B34909454%2F34927284%2F1%253Bu%253D18348940%253B%257Eaopt%253D2%2F0%2Fff%2F0%253B%257Esscs%253D%253F%2C%20%20%3BebSrc%20%20http%253A%2F%2Fds.serving-sys.com%2FBurstingCachedScripts%2FebExpBanner_3_0_67.js%20%3BebResourcePath%20%20http%253A%2F%2Fds.serving-sys.com%2FBurstingRes%2F%2F%20%3B%3BebO%20new%20Object%20%20%3BebOsms%20%20ds.serving-sys.com%2FBurstingScript%2F%20%3BebObs%20%20bs.serving-sys.com%20%3BebOfvp%20%20Res%2F%20%3BebOrpv%20%20_2_5_1%20%3BebOpv%20%20_3_0_3%20%3BebOpi%200%3BebOwv%20%20_3_0_1%20%3BebPtcl%20%20http%3A%2F%2F%20%3BebObt%202%3BebObv%203%3BebOplt%208%3BgEbDbgLvl%200%3BgnEbLowBWLimit%20120%3B

20340333708575276684

On further discussion with the NoScript author, the complexity in this issue is more versatile due to the presence of JavaScript in a stealthier manner. It looks like:

gEbServerData = '1::1225342::2272675::Site-20936/Type-11/2272675_e0b24616-1ae2-4643-baee-12ebdd7a1647.js::ExpBanner::0::::::0::::::::::1::94684::0::0::::';
gEbBannerData = '15264925553351627::1::300::250::::::1::0::30::::::::0::0::true::::false';
gEbInteractions = '[_eyeblaster,http%3A//ad.doubleclick.net/click%3Bh%3Dv8/391c/3/0/*/v%3B221038779%3B0-0%3B11%3B40521440%3B4307-300/250%3B34909454/34927284/1%3Bu%3D18348940%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3F,]';
ebSrc = 'http%3A//ds.serving-sys.com/BurstingCachedScripts/ebExpBanner_3_0_67.js';
ebResourcePath = 'http%3A//ds.serving-sys.com/BurstingRes/';
ebO = new Object();
ebOsms = 'ds.serving-sys.com/BurstingScript/';
ebObs = 'bs.serving-sys.com';
ebOfvp = 'Res/';
ebOrpv = '_2_5_1';
ebOpv = '_3_0_3';
ebOpi = 0;
ebOwv = '_3_0_1';
ebPtcl = 'http://';
ebObt = 2;
ebObv = 3;
ebOplt = 8;
gEbDbgLvl = 0;
gnEbLowBWLimit = 120;

The author seems not interested in this layout because the scripts cannot be allowed in this complex part. This means the false positive persists in the NoScript XSS Injection Checker. You are going to accompany it as: This can lead to ambiguity whether there is an XSS attempt for real or not, and can impact the user experience to some extent. All on users' acceptance. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/179924.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/179924.shtml</guid></item>
<item><title>Google Chrome 3.0.195.38 / Chrome Frame - Reloading Memory Allocation based Tab Crashing</title><description>Secuobs.com : 2010-01-08 15:56:56 - Aditya K Sood's (0kn0ck) Blog - Google Chrome, right from the start, has shown some stringency in tab crashing. But crashing tabs or a full browser crash is becoming smoother than the previously reported cases. On playing around with Google Chrome and Chrome Frame, direct tab crashing has been reloaded. The specific points are mentioned below:

1. Scripts are checked against the memory allocation part and raise a warning.
2. In recent versions, playing around with JavaScript based conversion of Unicode values to characters and rendering it directly leads to tab crashing.
3. It has become smoother and more direct in the functionality.

The software tested against this rule set is mentioned below:

1. Google Chrome Browser
2. Google Chrome Frame (IE8)

Both are installed on x64 systems running Windows Vista and IE8. The test is based on the script code designed to show the tab crashing in a controlled manner.

Video - Google Chrome 3.0.195.38 / Chrome Frame - Reloading Memory Allocation based Tab Crashing

IE8 directly raises a warning as IE8 functionality is hampered. The crash produces a register state as mentioned below:

EAX 00000000
ECX 3F800000
EDX 00000005
EBX 1FC00000
ESP 013DED00
EBP 013DED1C
ESI 0FDFFFF7
EDI 00CDEA00
EIP 6A28FCAA chrome_1.6A28FCAA
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDA000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty 00
ST1 empty 00
ST2 empty 23600000000000000000
ST3 empty 00
ST4 empty 00
ST5 empty 1000000000000000000
ST6 empty 30968300000000000000
ST7 empty 00747806972940452397
3 2 1 0 E S P U O Z D I
FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

The issue presented in this post shows the advancement in execution of scripts and silently crashing the tabs. This issue has been designed as a controlled layout for showing the possibilities of crashing in Chrome. Note: This is designed for educational purposes and improving the functionality of open source software. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/179616.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/179616.shtml</guid></item>
<item><title>Link Injection Redirection Attacks - Exploiting URL Pattern in Google Chrome - Browser Design Failure</title><description>Secuobs.com : 2010-01-05 15:21:57 - Aditya K Sood's (0kn0ck) Blog - Recently, with the outcome of the OWASP RC1 Top 10 exploited vulnerability list, redirection issues have already made a mark in it. Even the WASC has included URL abusing as one of the stringent attacks. Well, to be ethical in this regard, these are not recent attacks but persisted long ago. The only difference is that the exploitation ratio has increased from bottom to top. That is the reason it has been included in the web application security benchmarks. This post is not about explaining the basics of redirection issues. It is more about the design vulnerabilities in browsers that can lead to potential persistent redirection vulnerabilities. We will implement this attack as an example scenario against the long persisted vulnerability in Google Chrome released long back by me. The details of this vulnerability can be found at the below mentioned links:

1. Google Chrome URL Obfuscation Vulnerability
2. Milw0rm Database
3. Securityfocus

The issue has been notified to the Google Chrome Security team many times, but it is still persisting and can be effectively exploited. Considering other browsers such as Mozilla and IE8, the below mentioned restrictions have already been implemented:

1. Mozilla has implemented an alert check whenever a rogue link is clicked, informing the user of the malicious operation in process.
2. IE8 has completely changed the link interpretation behavior.

The attack scenario:

1. A vulnerable website prone to redirection
2. Browser vulnerability in interpreting injected links (Google Chrome)

The video can be seen here: Link Injection Redirection Attack - Exploiting Google Chrome Design Flaw. Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/178341.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/178341.shtml</guid></item>
<item><title>Design Inaccuracy - Cross Link Authoring Flaw - Scribd Flaw - iPaper Platform</title><description>Secuobs.com : 2010-01-04 16:36:55 - Aditya K Sood's (0kn0ck) Blog - This paper sheds light on the technique of bypassing the iPaper platform for launching a number of web attacks. The iPaper platform is a new document format that is used for online document viewing and is comparatively easy to manage. It is used by a large number of websites. The best example is the Scribd network, which hosts a large number of documents online. Extensive testing shows that this platform is vulnerable to a number of web attacks. Read the paper at: Whitepaper. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/177909.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/177909.shtml</guid></item>
<item><title>NoScript XSS Injection Checker Unescaping Nested URL Stringency - False Positive</title><description>Secuobs.com : 2010-01-03 16:09:12 - Aditya K Sood's (0kn0ck) Blog - NoScript has shown some stringent false positives in dealing with complex URL patterns and escaping them appropriately. Please check the document: Fetch the Doc. For effective development of community based software. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/177632.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/177632.shtml</guid></item>
<item><title>Yahoo Babelfish - SYSTRAN Base - Is that a Culprit? Well, Let's See The WorkOut</title><description>Secuobs.com : 2010-01-01 14:49:44 - Aditya K Sood's (0kn0ck) Blog - The frame injection flaw discussed previously has a lot of impact and can be exploited in the wild in a diversified manner. Primarily, two basic checks are missing in the applied online translation strategy opted by Yahoo Babelfish and Systran. Systran is the base software used by Yahoo for translating content online. Primarily the application is desktop based but has another form of online translation. On scrutinizing the Systran service, the design looks similar to that used by Yahoo Babelfish. Even if anybody wants to opt for the same design, there should be some type of notification provided with that. Basically, with this type of translation design the following checks should be followed:

1. A privacy statement or content verification notification should be mentioned in the base message bar.
2. The translation source and destination should be mentioned.
3. It is a good solution to randomize the source URL and append a differential URL ID parameter that cannot be guessed.

The third solution is quite good because a direct reference cannot be made and the source check is maintained when a malicious translation request is issued. Both these adequate steps are missing in Yahoo Babelfish and Systran. Microsoft, in this case, has an upper hand by deploying both these notifications even after following the same translation design. At least the user is always aware of the fact that the content should not be considered as trusted. The prototype looks like as presented below. While loading the Yahoo Mail URL for translation, the translation server gives the below mentioned error. The only point to look into in this translation is to check the three benchmark artifacts listed above. Let's try another part. It is noticed that the Systran online translation engine fetches the URL pattern as mentioned below:

http://sysurl.systranet.com/systrangui/www.systran.co.uk%3B/snet.com/web/systranbanner/1/systranuid/aHR0cC13d3cueWFob28uY29tL2VuX2Zy

The first two notifications discussed above are not followed. But yes, to some extent the URL randomization point is applied. I am not saying that it is an appropriate solution, but if every time a new ID is being provided it can be considered as a good solution to some extent. Of course it is. The overall scenario is in front. The applied solution is our choice. If Yahoo Babelfish has opted for the base pattern, then good practices should be followed too. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/177398.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/177398.shtml</guid></item>
<item><title>Google Chrome / WebKit - MSWord Scripting Object Payload Execution Bug and Random CLSID Stringency</title><description>Secuobs.com : 2009-12-28 09:09:41 - Aditya K Sood's (0kn0ck) Blog - Google Chrome (including customized WebKit) has shown unethical behavior in implementing an embedded object with a CLSID parameter. The design bug is presented in the execution of the object element directly in the context of the browser. The bug proliferates when a CLSID of a certain object is passed and a specific URL is allowed to execute as a parameter value in it. Before jumping into all aspects of this unexpected and chaotic behavior, let's have a brief look at the W3 specification:

&lt;!ELEMENT OBJECT - - (PARAM | %flow;)* -- generic embedded object --&gt;
&lt;!ATTLIST OBJECT
  %attrs; -- %coreattrs, %i18n, %events --
  declare (declare) #IMPLIED -- declare but don't instantiate flag --
  classid %URI; #IMPLIED -- identifies an implementation --
  codebase %URI; #IMPLIED -- base URI for classid, data, archive --
  data %URI; #IMPLIED -- reference to object's data --
  type %ContentType; #IMPLIED -- content type for data --
  codetype %ContentType; #IMPLIED -- content type for code --
  archive CDATA #IMPLIED -- space-separated list of URIs --
  standby %Text; #IMPLIED -- message to show while loading --
  height %Length; #IMPLIED -- override height --
  width %Length; #IMPLIED -- override width --
  usemap %URI; #IMPLIED -- use client-side image map --
  name CDATA #IMPLIED -- submit as part of form --
  tabindex NUMBER #IMPLIED -- position in tabbing order --
  &gt;

classid = uri [CT]
This attribute may be used to specify the location of an object's implementation via a URI. It may be used together with, or as an alternative to, the data attribute, depending on the type of object involved.

data = uri [CT]
This attribute may be used to specify the location of the object's data, for instance image data for objects defining images, or more generally, a serialized form of an object which can be used to recreate it. If given as a relative URI, it should be interpreted relative to the codebase attribute.

0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/176084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176084.shtml</guid></item>
<item><title>Google Sites Privacy Chaos - Is it unethical or is this the way it has to be? A Talk</title><description>Secuobs.com : 2009-12-25 09:17:17 - Aditya K Sood's (0kn0ck) Blog - Google Sites provides services to users for hosting their websites on Google. I was going through the privacy column of this website due to an issue that popped up in front of me. The policy is presented below. There is an excerpt in this privacy policy of Google Sites: "You may permanently delete any content you create in Google Sites. Because of the way we maintain this service, residual copies of your files and other information associated with your account may remain on our servers for three weeks." (http://www.google.com/sites/privacy.html) This is completely not true. The policy point is quite okay, but considering the real time functionality this is not applicable in an appropriate manner. The time period for residual copies is set for three weeks, I suppose not more than a month. I personally tested the stuff six months back. I have noticed that even after the duration of six months, the file which was deleted (a PDF file which I do not want anybody to look into) six months back is still recoverable from the Google site, a quite unacceptable fact because deleted content should not reside more than three weeks. The user thinks that content is deleted, but it's not like that. Things work differently. Let's see. So there is an ambiguity in the applied policy of Google Sites. Is the policy being implemented in the right way? Of course, Google owns the web. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/175774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/175774.shtml</guid></item>
<item><title>Google Translate - Google User Content - File Uploading (Cross) - XSS and Design Stringency - A Talk</title><description>Secuobs.com : 2009-12-25 07:57:07 - Aditya K Sood's (0kn0ck) Blog - Google Translate services provide an efficient way of translating content. The web is a playground of attackers, and every day a new bug or flaw is noticed in the web services provided by major giants. There is another web based design issue in the applicability of user generated content. On discussion with Google about this problem, the issue is treated as design by default. The problem (or web bug) persists in the file uploading feature on the Google Translate website and translating content into the requisite choice. Malicious content such as XSS payloads, iframes etc. is executed and rendered into another domain of the user. On discussion with Google it was stated that: "With JavaScript is executed on the translate.googleusercontent.com domain, rather than translate.google.com. This is by design as files uploaded to the translate service are regarded as untrusted content." There are two features provided by the Google Translate service, which are mentioned below:

1. Translation through file uploading
2. Direct translation of content online

If Google does this by default like mentioned earlier, then the content translated directly online should be considered as untrusted too. The frame injection attacks are not conducted in a stealth manner in Google Translate services because the toolbar displays the source and conversion languages directly. That's an attack scenario. Question: Why do users consider translation services as secure? What if somebody is doing some monetary transaction or some other issues like that? The question and answer in itself is hard to answer. But one thing is sure: for any critical work the translate services should not be used, especially online services. Let's have a look at the attack point:

Step 1: Uploading a malicious content file through the Google Translate service
Step 2: Executing Content

Another layout. Looking at the different domains:

1. translate.google.com
Name: www3.l.google.com
Addresses: 209.85.231.102, 209.85.231.100, 209.85.231.101
Aliases: translate.google.com

2. translate.googleusercontent.com
Name: googlehosted.l.google.com
Address: 209.85.231.132
Aliases: translate.googleusercontent.com

Both google.com and googleusercontent.com serve the same Google search functionality. The specific user content server can be used for differential purposes because content on it is not trusted. Looking from a different perspective: it would be great if a small message is displayed on the Google Translate service bar as mentioned below: "Google does not assure the integrity of the source of the content." After considering this as a notification, I checked Bing Translation, which has already applied this notification message. Great. Maybe it's not a solution but a good step in visualizing your concern about content. Well, that's some of the Microsoft solutions that are really good to save your own ethics and business. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/175768.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/175768.shtml</guid></item>
<item><title>Yahoo Babelfish - Possible Inline Iframe Attack - Design Stringency</title><description>Secuobs.com : 2009-12-19 18:44:42 - Aditya K Sood's (0kn0ck) Blog - Yahoo Babelfish is an online service for translating content into different languages. The stringent design bug leads to the possibility of conducting IFRAME attacks in the context of the Yahoo domain, thereby resulting in third party attacks. The issue has been demonstrated in some of my recent conferences. The flaw can be summed up as:

1. There is no referrer check on the origin, i.e. the source of the request.
2. Direct links can be used to send requests.
3. Iframes can be loaded directly into the context of the domain.

Points to Ponder:

1. The Yahoo login page performs certain checks (authorized ones).
2. Yahoo implements FRAME Bursting in the main login page. It is possible to remove that small piece of code and design a similar page with the same elements that can be used further.

An attacker can conduct an IFRAME attack by following the below mentioned steps:

1. Remove the above stated entities' code from the main login page.
2. Design the fake domain. Load it in the context of the Yahoo domain.
3. The inline IFRAME provides a familiar fake login page.
4. Set the backdoor in the login input boxes for stealing credentials.
5. Trap the victims by diversifying the manipulated URL(s) on the web. One can use dedicated spamming.
6. The attack is all set to work.

0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/174294.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/174294.shtml</guid></item>
<item><title>CSRF - Browser Dependency Factor - Yes it Persists</title><description>Secuobs.com : 2009-12-06 13:39:08 - Aditya K Sood's (0kn0ck) Blog - CSRF attacks have been used quite often in attacking small edge routers which have web interfaces on port 80. Recently I presented the same attack using Microsoft EOT (Embedded Open Type) font technology. As part of it, EOT fonts can be included in the web page and loaded dynamically. It has been discussed quite often about the nature of CSRF attacks and the stringency of basic authentication. As I re-tested the CSRF through EOT again, I discovered that the browser plays a critical role in flourishing these attacks with the same nature as discussed. The attack works nicely. With a lot of changes in IE8, the stealth part is not happening. It shows the error popup and even the background image tag does not work the same way it is supposed to. IE7 and IE8 have a plethora of working differentiability in their functionality. The EOT can be used to launch authentication error free CSRF prior to IE8. But it shows variation with IE running on different platforms. As a result of it, conducting stealth CSRF has become quite hard. Microsoft has completely transformed the base pattern by incorporating secure design features. Good work guys. There are some points that need to be looked upon:

1. IE8 and Mozilla 3.x have completely changed the working because the execution of http://username:password@example.com is not allowed.
2. Any CSRF attack based on the above mentioned scenario will not take place as no request is being sent to the server directly.
3. There is an appropriate chance of conducting the CSRF attacks through Safari with the same syntax as discussed before. It works perfectly fine.

The variation occurs in conducting the stealth free CSRF, which is not that easy to trigger because of the differential nature of browsers. The browser interpretation of different tags has a dramatic impact on the attacks happening successfully in a real time environment. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/169086.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/169086.shtml</guid></item>
<item><title>HTTP X Protection Headers - Microsoft Google Stringency</title><description>Secuobs.com : 2009-11-25 05:43:32 - Aditya K Sood's (0kn0ck) Blog - Recently I was reading a news headline at SecurityFocus (http://www.securityfocus.com/news/11565) about the flaw in the Microsoft XSS filter implementation and Google's view over it. We have conducted extensive research on this part in understanding the limitations of the design filter and all. The point to think over in this part is that even Google has taken some steps to leverage this functionality and is considering it as a negative process. Things are quite repulsive looking at the ongoing scenario. The terminology states that HTTP has X Factor protection considering the protection parameters implemented at the HTTP base level. Steps are taken to improve the functionality by inculcating the HTTP headers and applying them in the real time environment. Looking at this scenario, I triggered my emulator with Perl as base to write some lines of code to check the GWS server by Google at port 80.

Google Check:

C:\Perl\bin&gt;perl http_X_enum.pl google.com

http_X_enum.pl - HTTP X protection enumerator
enumerates clickjacking, mime sniffing, xss protection, content download, csp etc. applied defense
web application security assessment script
written by 0kn0ck at secniche.org

checking the state of server through icmp requests
google.com is subjected to be alive
Server: gws

checking for applied defense on domain: google.com

detected possible X-XSS-Protection: 0 xss protection parameter (X-XSS-Protection: 0)
- http parameter X-XSS-Protection: 1 - defense is not applied at domain
- http parameter X-FRAME-OPTIONS: DENY - clickjacking defense is not applied
- http parameter X-FRAME-OPTIONS: SAMEORIGIN - clickjacking defense is not applied
- http parameter X-CONTENT-TYPE-OPTIONS: NOSNIFF - mime handling-sniffing opt out is not applied
- http parameter X-DOWNLOAD-OPTIONS: NOOPEN - mime handling-download force save is not applied
- http parameter X-CONTENT-SECURITY-POLICY: ALLOW SELF - content policy is not applied
- http parameter X-CONTENT-SECURITY-POLICY: ALLOW https self - content policy is not applied
- http parameter ACCESS-CONTROL-ALLOW-ORIGIN - csrf origin access is not applied

DEBUG
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 25 Nov 2009 02:38:09 GMT
Expires: Fri, 25 Dec 2009 02:38:09 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
DEBUG

execution success

Let's see Yahoo:

C:\Perl\bin&gt;perl http_X_enum.pl yahoo.com

http_X_enum.pl - HTTP X protection enumerator
enumerates clickjacking, mime sniffing, xss protection, content download, csp etc. applied defense
web application security assessment script
written by 0kn0ck at secniche.org

checking the state of server through icmp requests
yahoo.com is subjected to be alive

checking for applied defense on domain: yahoo.com

- http parameter X-XSS-Protection: 0 - not detected
- http parameter X-XSS-Protection: 1 - defense is not applied at domain
- http parameter X-FRAME-OPTIONS: DENY - clickjacking defense is not applied
- http parameter X-FRAME-OPTIONS: SAMEORIGIN - clickjacking defense is not applied
- http parameter X-CONTENT-TYPE-OPTIONS: NOSNIFF - mime handling-sniffing opt out is not applied
- http parameter X-DOWNLOAD-OPTIONS: NOOPEN - mime handling-download force save is not applied
- http parameter X-CONTENT-SECURITY-POLICY: ALLOW SELF - content policy is not applied
- http parameter X-CONTENT-SECURITY-POLICY: ALLOW https self - content policy is not applied
- http parameter ACCESS-CONTROL-ALLOW-ORIGIN - csrf origin access is not applied

DEBUG
HTTP/1.1 301 Moved Permanently
Date: Wed, 25 Nov 2009 02:42:40 GMT
Location: http://www.yahoo.com/
Cache-Control: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

95
The document has moved here
0
DEBUG

execution success

The script posed the appropriate results looking at the two different domains. But one thing is sure: Google is not at all in coherence with Microsoft's steps. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/165073.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/165073.shtml</guid></item>
<item><title>Hakin9 - Extended Edition (Best Of) Featured Papers</title><description>Secuobs.com : 2009-09-28 21:53:25 - Aditya K Sood's (0kn0ck) Blog - Hakin9 has released an extended edition which features some of the best articles chosen by the readers and the team itself. Two articles have been placed in it: 1. Auditing Oracle in Production Environment; 2. Reverse Engineering Binaries. You can look at some of the papers at http://hakin9.org/magazine/article. Enjoy. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/145245.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/145245.shtml</guid></item>
<item><title>Infosecurity Article: Ethical Hacking in Business World</title><description>Secuobs.com : 2009-09-20 01:15:49 - Aditya K Sood's (0kn0ck) Blog - InfoSecurity has published a new article on the ongoing industry trends of ethical hacking and its differential behavior in the business world. This article reflects a thoughtful process of ongoing security practices and business dependency, considering the feasibility of core technology. The security jargon is stemming up at a high pace, compromising all the barriers. The business sphere is getting increasingly dependent on automation processes. All the monetary transactions and high-end functionality are based on computers. But the positive side is always accompanied by the negative side too. For more, visit http://fanaticmedia.com/infosecurity/archive/Sep09/Ethical%20Hacking.htm 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/142606.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/142606.shtml</guid></item>
<item><title>Elsevier - CFS Journal - Breaches in Security Vendor Websites</title><description>Secuobs.com : 2009-08-07 08:37:15 - Aditya K Sood's (0kn0ck) Blog - A new article on "Security breaches in vendor websites" has been released in Elsevier's Computer Fraud and Security Journal. The security business model revolves around security entities and those security service providers that ensure the implementation of secured mechanisms in every aspect of deployment. But how mature are those businesses' own security models? We will evaluate various instances of breaches in security companies and how they occur. The world has seen a number of cases like Kaspersky, F-Secure, a reseller for BitDefender, and so on. There are a number of cases that have not been released publicly. Why is this happening, and what is the root cause? More: LINK. Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/128861.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128861.shtml</guid></item>
<item><title>Vendor Firms and Anonymous Services - Risk or Business Criticality</title><description>Secuobs.com : 2009-08-07 08:37:15 - Aditya K Sood's (0kn0ck) Blog - Security is termed to be a closed asset for any organization. It has been noticed in recent times that many business vendors allow certain anonymous access to the services running on their servers. The concern of this post is not restricted to one part but looks at the diversified impact. Apparently the issue seems small, but the resultant impact is high. Anything with default or anonymous access is potentially critical. For example, the most common issue is open FTP access. Many organizations allow anonymous access without understanding the consequences that may hamper normal functioning. There are certain facts:
1. A vendor has to restrict the open services.
2. A vendor has to provide standard access to the clients, even for a simple download. Nowadays, providing open access to services is not considered an appropriate solution. Even from the business perspective, restricted access should be taken into consideration. Why open FTP? Why not credential-based access?
3. If the services have to be given, then scrutinize the deployment strategy: whether it has to be applied on the internet or the intranet.
4. Why not put these services on a VPN, considering the business need?
5. The configuration of these deployed services. Why not use the organization-specific, policy-based password for FTP access? Why anonymous?
6. Open services are tactically exploited to gain information and for reconnaissance.
7. These can be used to scan third-party targets too.
Question: Is Security a Prime Target or Business? Answer: An individualistic and organizational decision.
Diversified impacts: let's consider a case and a risk emanating from it. For example, an organization is providing open access to FTP services. We will be considering specific functions from the security point of view:
1. Passive Mode
2. Glob (Global)
Most FTP daemon implementations provide server-side globbing functionality that performs pattern expansion on these pathnames. The actual glob() implementation is often located in the FTP daemon itself, though some FTP servers use an underlying libc implementation.
glob - Toggle file name globbing. When file name globbing is enabled, ftp expands csh(1) metacharacters in file and directory names. These characters are `*', `?', `[', `]', `{', `}', and `~'. The server host expands remote file and directory names. Globbing metacharacters are always expanded for the ls and dir commands. If globbing is enabled, metacharacters are also expanded for the multiple-file commands mdelete, mdir, mget, mls, and mput.
If an FTP server provides anonymous access with passive mode on, it is more vulnerable to FTP Bounce Attacks. The glob() function can be tested against a number of buffer overflow issues. The ability of a remote or local user to deliver input patterns to glob() implementations carries a risk of exploitation once such a vulnerability is present. Let's have a look at a real-world scenario: an analysis of uptime software (a complete, thought-oriented analysis, for knowledge purposes).

Administrator@TopGun ~
$ ftp uptimesoftware.com
Connected to uptimesoftware.com.
220 uptime software FTP services
Name (uptimesoftware.com:Administrator): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> debug
Debugging on (debug=1).
ftp> glob
Globbing off.
ftp> glob on
Globbing on.
ftp> dir
---> PASV
227 Entering Passive Mode (216,220,63,213,73,192)
---> LIST
150 Here comes the directory listing.
-rw-rw-r--   1 501  501  148181 Feb 07  2008 BMO and uptime software.pdf
drwxrwxr-x   2 501  501    4096 Jun 23 19:08 CVS
lrwxrwxrwx   1 501  501      33 Dec 02  2008 ReleaseNotes_uptime5.pdf -&gt; pdfs/ReleaseNotes_uptime5.pdf
lrwxrwxrwx   1 501  501      37 Dec 02  2008 ReleaseNotes_uptime5_SP1.pdf -&gt; pdfs/ReleaseNotes_uptim

So it's easy to look at the rights configured for different user groups.

Administrator@TopGun /cygdrive/c/scripts
$ perl pasvagg.pl uptimesoftware.com
connected to uptimesoftware.com
220 uptime software FTP services
logging into server as anonymous
331 Please specify the password.
230 Login successful.
227 Entering Passive Mode (216,220,63,213,89,62)
server ready for passive attack
sampling passive port selection
passive connection rate: 62597 sec
passive command latency: 04 seconds
starting the reaper engine
starting port 17200

The only point in presenting these facts with an example is to show the risks posed and the impact on security. At last: why not a mature business with hardened security? 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/128860.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128860.shtml</guid></item>
<item><title>Tomcat-Apache Password Information Dumps</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - The web is a platform for launching a number of attacks in different environments. It is not so easy to directly trigger the pattern of insecurity and exploit the dynamic entities. The web itself holds tremendous information. This information should be managed and tackled in the right way. Again, administration is a big problem. Well, it is. While pen testing Apache Tomcat, it is found that security is implemented in the worst way. Most of the time, weak passwords, poorly generated modules and misconfigurations lead to control. Note: 50% of Apache Tomcat servers can be hacked in an easy manner if security is slithered. A brief analysis after a collection of dumps is discussed. Have a look: CERA Arena. Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122471.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122471.shtml</guid></item>
<item><title>God Dwells in Machine - The Transformation</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - With the advent of new technology (entities and objects), the face of the world has changed. Ever since development takes place, there is always a forefather adhering to it. Not even a single discovery can be made without the originator. When it comes to nature, god is there. When it comes to machines, the answer really gets hard to find. God resides in Machine: is it possible? A little sarcastic question to ask, but still it holds an abstract truth which one cannot deny. Very generic views have been presented. Fetch here and think of your own: God Dwells in Machine. Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122470.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122470.shtml</guid></item>
<item><title>Restating JSON Hijacking - Call Back Pattern Checks</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - Recently I was going through the Web Application List and found a post on JSON Hijacking. The issue of the spreadsheet was briefly discussed. The prime target is to hit the Callback Pattern working functionality, which is also undertaken as JSON Padding and is considered insecure. So here are some of the papers and discussions which will explore this concept at max: 1. http://www.secniche.org/papers/Exploiting_JSON_7_Attack_Shots.pdf 2. http://www.secniche.org/papers/Ser_Insec_Bison.pdf 3. HP Blog. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122469.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122469.shtml</guid></item>
<item><title>Hackonic - The Hacker Way of Writing</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - This project is dedicated to the hacker way of writing. The aim is to present the creative thinking of hackers over a social layout. The art resides everywhere. So it's a duty to craft it and present it in front of the community. Hackonic - Leveraging the Hidden Thinking Process: HACKONIC. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122468.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122468.shtml</guid></item>
<item><title>Hakin9 Release - Auditing Rich Internet Applications - Testing RIA Strategically</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - This research deals with insecurities in designing FLEX-based applications from a developer perspective. The application's behavior depends on the code written at the backend. It has been noticed that most of an application's flaws are the outcome of insecure or bad code. http://hakin9.org/prt/view/about-the-mag/issue/893.html Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122467.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122467.shtml</guid></item>
<item><title>Google Chrome Memory Exhaustion Bug</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - A new Google Chrome memory exhaustion bug has been released at SecNiche Security. Find the details here: http://secniche.org/gcrds.html. Additional links and news: http://blogs.zdnet.com/security/?p=1975, http://www.chromeplugins.org/chrome/chrome-memory-exaustion-dos-vulnerability/, http://milw0rm.com/exploits/6554, http://www.heise.de/security/DoS-Schwachstelle-bringt-Googles-Chrome-zu-Fall--/news/meldung/116526, and so on. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122466.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122466.shtml</guid></item>
<item><title>WindowsSecrets.com - Improve Security by Running Applications in Isolation</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - The Windows Secrets portal has published a new article on "Improve Security by Running Applications in Isolation". The article describes the positive functionality of running applications in isolation. The released Mozilla vulnerability has been taken as one of the specific browser issues in it. Read the paper at: READ. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122465.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122465.shtml</guid></item>
<item><title>XCON and XKUNGfoo Security Conferences</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - Hi. SecNiche Security has presented two talks at China's most efficient hacking and security conferences. XCON is the prime conference organized by the XFOCUS group. This year there were very good talks which enlightened the crowd with new techniques on security. The XCON talk has been made available online at http://www.secniche.org/events.html. The XKungfoo talk has not been released due to some reasons. XCON: http://xcon.xfocus.org Xkungfoo: http://www.xkungfoo.org Enjoy, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122464.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122464.shtml</guid></item>
<item><title>Clubhack 2008 Security Conference</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - SecNiche Security has presented on client-side hacking at the ClubHack 2008 security conference. You can find all the info at http://www.clubhack.com 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122463.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122463.shtml</guid></item>
<item><title>Hakin9 Issue Jan-Feb 2009 - New Paper Published</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - A new paper related to "Hacking IM Encryption Flaws" has been published in the Hakin9 issue. This paper sheds light on encryption problems in Instant Messaging clients' primary memory which lead to hacking. IM clients have been used extensively all over the world to exchange messages between different parties. For more details: http://hakin9.org/prt/view/about-the-mag/issue/959.html Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122462.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122462.shtml</guid></item>
<item><title>BCS Article - Scrutinizing Business Logic</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - The British Computer Society has published a new article on business logic written by SecNiche. The article revolves around: "The vulnerability pattern is shifting more towards the application level, and attackers are concentrating more on exploiting web applications rather than system-level insecurities. The high-end attacks used to start with XSS and SQL injections, but the paradigm has shifted more towards business logic flaws." For the detailed article: http://www.bcs.org/server.php?show=ConWebDoc.24009&amp;changeNav=8265 Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122461.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122461.shtml</guid></item>
<item><title>More Towards Clickjacking - Simulating Positive Trends</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - Clickjacking. You will find a number of definitions of this attack. In a generalized manner, it is a kind of attack that not only simulates MOUSE EVENTS while performing malicious operations, but also hijacks user interface components that are displayed by a specific site. Usually, the aim is to trap the handling of hidden events when the mouse is clicked over a user interface component such as a button. I am considering all types of web-based variants that can be triggered through browsers. The point of dissemination about clickjacking is to scrutinize the behavior of user interface buttons. The events can be generated dynamically or manually. When a user interface is clicked, a hidden event is executed at the back. A recent simple POC was released based on this concept. The proof of concept revolves around the activation of a code (div) through a generic mouse event that binds to a hidden structure with div tags. We are not actually sticking to the general JavaScript call, i.e. location.href. It is used as one part, but what is more interesting is the pure use of a hidden event through mouse clicking, which triggers it. The proof of concept clearly defines that. The clickjacking POC is a very simple variant to just show the browser request handling. More devastating actions can be performed where user authentication is required. Well, it is quite view-specific here. The major trend revolves around:
1. Execution of hidden frames by triggering the mouse interface with components (buttons).
2. Mouse coordinates play even a critical role to match the positions. The coordinates function:

function clickjack_armor(evt) {
  // take page coordinates when the browser provides them, client coordinates otherwise
  clickjack_mouseX = evt.pageX ? evt.pageX : evt.clientX;
  clickjack_mouseY = evt.pageY ? evt.pageY : evt.clientY;
  // keep the hidden div just under the pointer
  document.getElementById('mydiv').style.left = clickjack_mouseX - 1;
  document.getElementById('mydiv').style.top = clickjack_mouseY - 1;
}

When we are talking about hidden, we use DIV tags or other manually drafted code to generate hidden frames.
3. The victim has to be trapped.
If we consider this definition of clickjacking: "A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page." Clickjacking is based on a similar principle: to convince the end user to provide information that does not seem to have any value to the user, but factually has power over the user's assets or ID, if applied in a particular context. Again, I think the real issue behind clickjacking has been clearly on the cards. I sincerely feel that SecTheory has given a clear explanation here: ClickJacking Paper. For the rest, it's a browser issue and the events can be triggered in a number of ways. Browser interaction with users is always at the verge of exploitation. So this is a threat and we have to collaborate in working against it. Security is a prime motive, so let's drive by it. Cheers, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122460.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122460.shtml</guid></item>
<item><title>Obfuscated HTTP Method Call based Fingerprinting Analysis</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - Fingerprinting of web servers can be done in different ways. It has been noticed that HTTP methods are not interpreted in an appropriate manner by a number of web servers. It can be seen while fuzzing web servers (if the particular HTTP method is included). With the advent of new scripting languages, a number of different web servers are in a race. Let's first look at some of the web servers which are in use nowadays. The list is mentioned below:
- Zope Web Server: Zope is an open source application server for building content management systems, intranets, portals, and custom applications. The Zope community consists of hundreds of companies and thousands of developers all over the world, working on building the platform and Zope applications. Zope is written in Python, a highly-productive, object-oriented scripting language.
- Mongrel Web Server: Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby web applications of any kind using plain HTTP rather than FastCGI or SCGI.
- Jetty: Jetty is an open-source, standards-based, full-featured web server implemented entirely in Java.
These are a number of web servers which are used extensively in open source development. IIS and Apache (different variants) are always on the roll. The point that needs to be scrutinized is the request acceptance by the web server and the ability of open source web servers to understand the HTTP method properly. IIS and Apache are efficient in handling rogue requests. But other web servers fail to instantiate this kind of behavior (interpreting HTTP requests efficiently). This talk serves the following basic principles:
1. Effectiveness and pervasiveness of web servers in interpreting the HTTP Call Method.
2. Type of response sent by the server.
3. The type of exceptions that occur.
There are a number of tools that fingerprint web servers. There is no doubt that 70% of web servers deployed globally can be traced by fetching banners. But our aim is to perform fingerprinting with minimum information. That's where fuzzing becomes really critical. We have critically examined the behavior of the under-mentioned entities and their collective use to fingerprint web servers:
1. Rogue HTTP Method Call Invocation
2. Long String of \ Expression
We have used the backslash character. According to regular expression and pattern matching theory, the backslash character can be used for the following purposes: 1) stand for itself, 2) quote the next character, 3) introduce an operator, 4) do nothing. It depends a lot on the context in which the backslash character is used. We will see the behavior of a number of web servers when a specific request is sent:

$ nc www.example.com 80
JAG \ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 13:48:37 GMT
Server: Mongrel 1.1.3
Status: 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 708
Set-Cookie: _session_id=5537174372e814e02fee588aa67c4a2a; path=/
Connection: close

It responds with the HTTP/1.1 specification and 404 (the server has not found anything matching the URI given) Not Found. That's right. Another point that should not be neglected in Mongrel web servers is that it adds a Status parameter in the response. This behavior is only shown by the Mongrel web server. On the contrary, the server does not point out the HTTP method used for call invocation.

$ nc example.org 80
JAG \ HTTP/1.0

HTTP/1.1 405 Method Not Allowed
Date: Tue, 24 Feb 2009 13:53:29 GMT
Server: Jetty/5.1.14 (SunOS/5.10 x86 java/1.6.0_03)
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=4537fb13-e021-4cdb-bb50-4e3a8bfbb6fa; Path=/; Domain=z1014.baningops.com; Expires=Fri, 22-Feb-19 13:53:29 GMT
X-XN-Trace-Token: 8702916f-3dbd-4d51-978c-06abbe2adf73
Allow: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS, TRACE
Content-Type: text/html
Content-Length: 1246
Connection: close

The Jetty web server responds with 405 (the client has tried to use a request method that the server does not allow: the method specified in the Request-Line is not allowed for the resource identified by the Request-URI; the response MUST include an Allow header containing a list of valid methods for the requested resource). As Jetty is written in Java, the HTTP methods which are allowed to be executed are configured most of the time. For the Zope server we will consider two cases as structured below:

$ nc example.com 80
JAG \ HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 24 Feb 2009 14:11:37 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Content-Length: 59
Content-Type: text/plain; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close

&lt;webdav.NullResource.NullResource object at 0x2aaaacda0b18&gt;

The server responds with the 200 (the request is fulfilled) OK response code. There is a null pointer exception too at the end. Let's look at a different layout:

$ nc example.org 80
JAG \ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 14:03:42 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Bobo-Exception-Line: 66
Content-Length: 1403
Bobo-Exception-Value: See the server error log for details
Bobo-Exception-File: NullResource.py
Bobo-Exception-Type: NotFound
Content-Type: text/html; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close

We are not considering the exceptions here. You can see the server responds with 404 (this status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable). The response is different with string manipulation. Either the ambiguity is there, or the code does not handle the request effectively. Let's try this behavior on Microsoft IIS and Apache:

$ nc microsoft.com 80
JAG \ HTTP/1.0

HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 24 Feb 2009 14:06:06 GMT
Connection: close

The response code is 501 (the server does not support the functionality required to fulfill the request; this is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource). It is quite perfect as per the desired logic.

$ nc apache.org 80
JAG \ HTTP/1.0

HTTP/1.1 501 Method Not Implemented
Date: Tue, 24 Feb 2009 14:50:58 GMT
Server: Apache/2.2.9 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

The same result is returned by Apache as 501. The differential pattern is mentioned below:
IIS Server Response String -- HTTP/1.1 501 Not Implemented
Apache Server Response String -- HTTP/1.1 501 Method Not Implemented
The word "Method" is not present in the IIS response. This is a generic behavior. The most widely used web servers track down the HTTP method invocation check, which is quite missing in other web servers. Two points arise:
1. Do web servers implement a check on HTTP Method Call Invocation?
2. Are web servers processing requests based on the URI only?
This all depends on the web server development. Let's try this logic on proxies:

$ nc example.org 80
JAG \ HTTP/1.0

HTTP/1.0 400 Bad Request
Server: squid/2.7.STABLE6
Date: Tue, 24 Feb 2009 14:00:52 GMT
Content-Type: text/html
Content-Length: 1207
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from cache5zmhzopenet
Via: 1.0 cache5zmhzopenet:8300 (squid/2.7.STABLE6)
Connection: close

The proxy server responds with 400 Bad Request with the same HTTP/1.0. The proxy intercepts and scrutinizes the HTTP method and URI request at the perimeter level. The behavior is again different if compared to web servers. This analysis lays stress on the HTTP Method call check, which is required to prune down the fingerprinting process based on this factor. If all web servers responded with the 501 code, then it should be considered a unanimous behavior among different web browsers. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122459.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122459.shtml</guid></item>
<item><title>Informer - Hacking for Charity</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - It's a matter of immense pleasure that researchers all over the world are collaborating for the cause of charity. Be a part of it. It's a very good initiative by Johnny Long. We appreciate his concern, and SecNiche will be a pure part of it. This is a sincere request to all the talent around to play your part in it. About Informer: "The Informer is a fund-raising effort run by Hackers For Charity. It is designed to give subscribers a backstage pass to the world of Information Security." Informer - Why? Hackers for Charity. Get on the same boat for a great cause. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122458.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122458.shtml</guid></item>
<item><title>Mapping HTTP Interface Embedded Devices</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - Hakin9 has published a new paper. This paper discusses the generic approach of detecting the HTTP interface of embedded devices. These devices perform a number of different functions based on the infrastructural need. Check. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122457.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122457.shtml</guid></item>
<item><title>Evading Web XSS Filters through Word (Microsoft Office and Open Office) in Enterprise Web Applications</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - This paper sheds light on the hyperlinking issues observed during penetration testing of web-based enterprise applications. This concept can be used to bypass standard XSS filters by creating a malicious Microsoft Word document. Download the paper at: HERE. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122456.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122456.shtml</guid></item>
<item><title>Elsevier - NESE Journal - From Vulnerability to Patch</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - Elsevier has published a new thought article on "From Vulnerability to Patch" in the Network Security Journal: http://www.elsevierscitech.com/nl/ns/home.asp. As per the standards, this journal is not available freely; you need to subscribe to it. Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122455.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122455.shtml</guid></item>
<item><title>Internet Explorer 8 - Anti Spoofing is a Myth</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - With the new features implemented in IE 8, the status address bar has been transformed too. The new step taken by the Microsoft IE team, namely not to show the address of a selected link in the status bar, can have a serious impact. A user will not be able to see the active link in the status bar. This looks like an implementation of a security solution through obscurity. The status bar is required for the Link Integrity check that assures a user about the legitimacy of a website. We are not considering the ingrained vulnerabilities of status address bar spoofing in browsers at this point of time. For more details: http://secniche.org/ie_spoof_myth/ Regards, 0kn0ck. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122454.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122454.shtml</guid></item>
<item><title>Browsers Behavior: Handling Carriage Return (window.open('\r\n\r\n')) JavaScript Calls</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - The carriage return and null characters are considered to be potential elements for testing the behavior of various programs. This works efficiently with different browsers too. The resultant output is quite stringent in relation to the normal behavior that must be shown by the browsers. The Carriage Return (CR) encompasses the Line Feed and New Line characters as a basic part. As per the standard fact: "carriage return character, alone or with a line feed, to signal the end of a line of text, but other characters are also used for this function (see newline); others use it only for a paragraph break (a hard return)". Based on this fact, a number of tests have been conducted on different browsers. These characters are passed as an argument to the JavaScript window.open() function to notice the behavior of the new window. It can be used as one of the fuzzed inputs for testing browser dependencies. Based on this artifact, one of the Google Chrome advisories was released. The links are mentioned below: http://www.securityfocus.com/bid/31375 http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23189 http://osvdb.org/show/osvdb/48680 http://www.secniche.org/gcrds.html That was the vulnerability noticed in Google Chrome, and it was patched by the vendor. The behavior that is noticed all the time with different browsers is: 1. Mozilla Firefox opens a bundle of windows in a single stretch. 2. Google Chrome opens a number of windows too. Note: we are not considering loops here but only the carriage return character; some stability has been added because the presence of pop-up blockers stops the execution of these child windows. We have noticed these differential responses from a number of browsers. I think the CR is a good element to be used for fuzzing. The browsers' behavior is hard to control considering the issue presented above. Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122453.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122453.shtml</guid></item>
<item><title>Google Chrome Alert - Single Thread Out of Bound Denial of Service Vulnerability</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - The vulnerability reported to Google is not appropriately understood. There is more discussion required on it. The vulnerability link is provided below: http secnicheorg gcalrthtml . The denial of service condition persists efficiently with the reported version. When this vulnerability is triggered, the following output is undertaken: 1. The browser gets into a locked state and becomes unresponsive; the user cannot perform any operation. 2. It is not only restricted to a single tab but impacts all the opened windows. 3. Process killing is the only solution left. This works perfectly fine on the Windows XP platform. Note: The new version of Google Chrome is also vulnerable. All views are welcomed for any type of discussion. 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122452.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122452.shtml</guid></item>
<item><title>Troopers 09 Security Conference</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - The Troopers security conference is one of the finest conferences I have been to. It's very nice to have such a conference in the heart of Germany: great technical content and a nice crew to discuss things and hang around with. I gave a talk on 'Browser Design Flaws'. There were some good talks around rootkits, malware for business purposes and web application firewall stuff. All talks were good and it was a great learning environment. Visit: Troopers09. Personally I liked the Packet Wars hacking competition by Bryan; it was nicely organized. You can look at the stuff at: Packet Wars. Good hacking games to enjoy. If you missed the fun, you can have a look at the snaps here: Troopers09 fun. Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122451.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122451.shtml</guid></item>
<item><title>Gmail Google Doc PDF Repurposing Integrated Attacks - Cookie Hijacking / Stealing</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - The Google Docs network was vulnerable to PDF repurposing attacks. The vulnerability was disclosed to Google with discretion; this was done to mitigate the risk. Google had worked over it and patched it within a period of 5 days. Google Docs has been refined now and the integrated support for the Adobe plugin is removed. User security was the prime issue because millions of users were at risk if this attack persisted in the open environment. Integrated accounts were more susceptible, as certain stolen credentials could be used to access accounts. The advisory is released here: http secnicheorg gmd_hijack gc_hijackxhtml ; http secnicheorg gmd_hijack advisory_gmail_google_docs_pdf_repurposing_attackpdf . Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122450.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122450.shtml</guid></item>
<item><title>Elsevier - Is Your System Pwned</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - Elsevier has released a new article, 'Is your system pwned'. Article Overview: What is the relationship between humans, technology, and fraud? They are all linked together in a triangle. Most monetary transactions today are carried out using digital technologies, most frauds are monetary, and all frauds are perpetuated by people. As fraud prevention experts, we try to break the triangle, to ensure that people don't interact with technology to create fraudulent situations. Link to Journal. Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122449.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122449.shtml</guid></item>
<item><title>SyScan 09 Conference - Wrap Up</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - SyScan is one of Asia's prime conferences. This year's conference had a great set of talks by most of the good guys in the security field. We organized an ICANPWN contest at SyScan this year. There was a lot of good content and new discoveries by researchers. Usually we noticed indispensable research on virtualization: the Outspect tool for live memory analysis of virtual machines from the host OS, Outbound. Mr Quynh has created this tool. In relation to that, there was a lot of good stuff on PHP, JAVA, CITRIX, BIOS etc. Overall the conference comes out with great knowledge; that's what it is aimed for. The CTF stuff was cool and organized by White Wolf Security. Thanks to Thomas for organizing such a conference. If you missed the fun, you can watch some stuff here: PICS. Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122448.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122448.shtml</guid></item>
<item><title>Hakin9 Edition - Article and Self Exposure Interview</title><description>Secuobs.com : 2009-07-20 02:49:01 - Aditya K Sood's (0kn0ck) Blog - Hakin9 has published an article on 'Hacking through Wild Cards'. This paper sheds light on the usage of wild characters that lead to hacking. The wild characters are used effectively in different spheres. The inappropriate use of wild characters can lead to misconfiguration of parameters, thereby resulting in a number of attacks. In addition to that, an interview has been published in the prime 'Self Exposure' section. You can look into the issue at: http hakin9org prt view about-the-mag issue 1052html . Regards, 0kn0ck's Blog</description><link>http://www.secuobs.com/revue/news/122447.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122447.shtml</guid></item>
</channel>
</rss>